From d7be6cd243e6d16dc2302c9a2e7cd48147cc9f2d Mon Sep 17 00:00:00 2001 From: "jan.kozlowski" Date: Fri, 13 Dec 2024 13:27:30 +0100 Subject: [PATCH] wip fix tests --- .../assertions/EnvoyAssertions.kt | 11 +++++++++- .../IncomingPermissionsAllowedClientTest.kt | 6 +++++ .../IncomingPermissionsEmptyClientsTest.kt | 4 ++++ .../IncomingPermissionsEmptyEndpointsTest.kt | 1 + .../IncomingPermissionsLoggingModeTest.kt | 22 +++++++++++++++++++ ...omingPermissionsOriginalDestinationTest.kt | 1 + .../IncomingPermissionsRbacActionTest.kt | 2 ++ .../IncomingPermissionsRequestIdTest.kt | 2 ++ 8 files changed, 48 insertions(+), 1 deletion(-) diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt index cb717e2d0..343259ec4 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt @@ -9,6 +9,7 @@ import java.util.function.Consumer private class RbacLog( val protocol: String, + val rule: String, val path: String? = null, val method: String? = null, val clientName: String? = null, @@ -41,6 +42,7 @@ fun ObjectAssert.hasNoRBACDenials(): ObjectAssert.hasOneAccessDenialWithActionBlock( protocol: String, + rule: String, path: String, method: String, clientName: String, @@ -53,6 +55,7 @@ fun ObjectAssert.hasOneAccessDenialWithActionBlock( protocol = protocol, logPredicate = RbacLog( protocol = protocol, + rule = rule, path = path, method = method, clientName = clientName, @@ -67,6 +70,7 @@ fun ObjectAssert.hasOneAccessDenialWithActionBlock( fun ObjectAssert.hasOneAccessAllowedWithActionLog( protocol: String, + rule: String, path: String? = null, method: String? = null, clientName: String? = null, @@ -81,6 +85,7 @@ fun ObjectAssert.hasOneAccessAllowedWithActionLog( shadowDenied = false, logPredicate = RbacLog( protocol = protocol, + rule = rule, path = path, method = method, clientIp = clientIp, @@ -95,6 +100,7 @@ fun ObjectAssert.hasOneAccessAllowedWithActionLog( fun ObjectAssert.hasOneAccessDenialWithActionLog( protocol: String, + rule: String, path: String? = null, method: String? = null, clientName: String? = null, @@ -109,6 +115,7 @@ fun ObjectAssert.hasOneAccessDenialWithActionLog( shadowDenied = false, logPredicate = RbacLog( protocol = protocol, + rule = rule, path = path, method = method, clientIp = clientIp, @@ -123,7 +130,7 @@ fun ObjectAssert.hasOneAccessDenialWithActionLog( fun ObjectAssert.hasOneAccessDenialWithActionLog( protocol: String, - path: String? = null, + rule: String,path: String? = null, method: String? = null, clientName: String? = null, trustedClient: Boolean? = null, @@ -138,6 +145,7 @@ fun ObjectAssert.hasOneAccessDenialWithActionLog( protocol = protocol, logPredicate = RbacLog( protocol = protocol, + rule = rule, path = path, method = method, clientIp = clientIp, @@ -181,6 +189,7 @@ private fun ObjectAssert.matchesRbacAccessDeniedLog(logPredicate: RbacLo assertThat(parsed.protocol).isEqualTo(logPredicate.protocol) assertEqualProperty(parsed, logPredicate, RbacLog::protocol) assertEqualProperty(parsed, logPredicate, RbacLog::method) + assertEqualProperty(parsed, logPredicate, RbacLog::rule) assertEqualProperty(parsed, logPredicate, RbacLog::path) assertEqualProperty(parsed, logPredicate, RbacLog::clientIp) assertEqualProperty(parsed, logPredicate, RbacLog::clientName) diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsAllowedClientTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsAllowedClientTest.kt index 820bc1568..e33e3114d 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsAllowedClientTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsAllowedClientTest.kt @@ -121,6 +121,7 @@ internal class IncomingPermissionsAllowedClientTest { assertThat(echoResponse).isOk().isFrom(service) assertThat(echoEnvoy.container).hasOneAccessAllowedWithActionLog( protocol = "https", + rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"echo\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}", path = "/log-unlisted-clients", method = "GET", clientName = "echo3", @@ -150,6 +151,7 @@ internal class IncomingPermissionsAllowedClientTest { assertThat(echoResponse).isOk().isFrom(service) assertThat(echoEnvoy.container).hasOneAccessAllowedWithActionLog( protocol = "https", + rule = "{\"path\":\"/block-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"echo\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/block-unlisted-clients", method = "GET", clientName = "echo3", @@ -179,6 +181,7 @@ internal class IncomingPermissionsAllowedClientTest { assertThat(echoResponse).isOk().isFrom(service) assertThat(echoEnvoy.container).hasOneAccessDenialWithActionLog( protocol = "http", + rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"echo\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}", path = "/log-unlisted-clients", method = "GET", clientName = "echo3", @@ -208,6 +211,7 @@ internal class IncomingPermissionsAllowedClientTest { assertThat(echoResponse).isForbidden() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock( protocol = "http", + rule = "{\"path\":\"/block-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"echo\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/block-unlisted-clients", method = "GET", clientName = "echo3", @@ -232,6 +236,7 @@ internal class IncomingPermissionsAllowedClientTest { assertThat(echo2Envoy.container.ingressTlsRequests()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog( protocol = "https", + rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"echo\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}", path = "/log-unlisted-endpoint", method = "GET", clientName = "echo3 (not trusted)", @@ -255,6 +260,7 @@ internal class IncomingPermissionsAllowedClientTest { assertThat(echoEnvoy.container.ingressTlsRequests()).isOne() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock( protocol = "https", + rule = "", path = "/block-and-log-unlisted-endpoint", method = "GET", clientName = "echo3 (not trusted)", diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsEmptyClientsTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsEmptyClientsTest.kt index 5b9b3317a..116cca842 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsEmptyClientsTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsEmptyClientsTest.kt @@ -87,6 +87,7 @@ internal class IncomingPermissionsEmptyClientsTest { assertThat(echoResponse).isForbidden() assertThat(envoy1.container).hasOneAccessDenialWithActionBlock( protocol = "http", + rule = "{\"path\":\"/blocked-for-all\",\"pathMatchingType\":\"PATH\"}", path = "/blocked-for-all", method = "GET", clientName = "", @@ -105,6 +106,7 @@ internal class IncomingPermissionsEmptyClientsTest { assertThat(echoResponse).isOk().isFrom(echo) assertThat(envoy1.container).hasOneAccessDenialWithActionLog( protocol = "http", + rule = "ALLOW_UNLISTED_POLICY", path = "/unlisted", method = "GET", clientName = "", @@ -121,6 +123,7 @@ internal class IncomingPermissionsEmptyClientsTest { assertThat(echo2Response).isOk().isFrom(echo2) assertThat(envoy2.container).hasOneAccessDenialWithActionLog( protocol = "http", + rule = "{\"path\":\"/logged-for-all\",\"pathMatchingType\":\"PATH\", \"unlistedClientsPolicy\":\"LOG\"}", path = "/logged-for-all", method = "GET", clientName = "", @@ -137,6 +140,7 @@ internal class IncomingPermissionsEmptyClientsTest { assertThat(echo2Response).isForbidden() assertThat(envoy2.container).hasOneAccessDenialWithActionBlock( protocol = "http", + rule = "?", path = "/unlisted", method = "GET", clientName = "", diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsEmptyEndpointsTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsEmptyEndpointsTest.kt index 828cda0ce..d3cad2ef4 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsEmptyEndpointsTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsEmptyEndpointsTest.kt @@ -60,6 +60,7 @@ internal class IncomingPermissionsEmptyEndpointsTest { assertThat(echoResponse).isOk().isFrom(echo) assertThat(envoy.container).hasOneAccessDenialWithActionLog( protocol = "http", + rule = "ALLOW_LOGGED_POLICY", path = "/some-endpoint", method = "GET", clientName = "", diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt index b1b889281..6ba716687 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt @@ -265,6 +265,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock( protocol = "https", + rule = "{\"path\":\"/block-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/block-unlisted-clients", method = "GET", clientName = "echo2", @@ -284,6 +285,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionBlock( protocol = "https", + rule = "{\"path\":\"/block-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/block-unlisted-clients", method = "GET", clientName = "echo", @@ -325,6 +327,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echoEnvoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock( protocol = "http", + rule = "{\"path\":\"/block-unlisted-clients-by-default\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}]}", path = "/block-unlisted-clients-by-default", method = "GET", clientName = "", @@ -344,6 +347,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionBlock( protocol = "http", + rule = "{\"path\":\"/block-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/block-unlisted-clients", method = "GET", clientName = "", @@ -386,6 +390,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionLog( protocol = "https", + rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/log-unlisted-clients", method = "GET", clientName = "echo2", @@ -405,6 +410,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog( protocol = "https", + rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/log-unlisted-clients", method = "GET", clientName = "echo", @@ -444,6 +450,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echoEnvoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionLog( protocol = "http", + rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/log-unlisted-clients", method = "GET", clientName = "", @@ -461,6 +468,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog( protocol = "http", + rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/log-unlisted-clients", method = "GET", clientName = "", @@ -505,6 +513,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock( protocol = "https", + rule = "{\"path\":\"/block-unlisted-clients-by-default\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}]}", path = "/block-unlisted-clients-by-default", method = "GET", clientName = "echo2", @@ -524,6 +533,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionBlock( protocol = "http", + rule = "{\"path\":\"/block-unlisted-clients-by-default\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}]}", path = "/block-unlisted-clients-by-default", method = "GET", clientName = "", @@ -543,6 +553,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock( protocol = "https", + rule = "?", path = "/unlisted-endpoint", method = "GET", clientName = "echo3", @@ -562,6 +573,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog( protocol = "https", + rule = "ALLOW_LOGGED_POLICY", path = "/unlisted-endpoint", method = "GET", clientName = "echo3", @@ -581,6 +593,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock( protocol = "https", + rule = "?", path = "/unlisted-endpoint", method = "GET", clientName = "echo2", @@ -601,6 +614,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog( protocol = "https", + rule = "ALLOW_LOGGED_POLICY", path = "/unlisted-endpoint", method = "GET", clientName = "echo", @@ -620,6 +634,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echoEnvoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock( protocol = "http", + rule = "?", path = "/unlisted-endpoint", method = "GET", clientName = "", @@ -639,6 +654,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog( protocol = "http", + rule = "ALLOW_LOGGED_POLICY", path = "/unlisted-endpoint", method = "GET", clientName = "", @@ -657,6 +673,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echoEnvoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock( protocol = "http", + rule = "?", path = "/unlisted-endpoint", method = "GET", clientName = "", @@ -676,6 +693,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog( protocol = "http", + rule = "ALLOW_UNLISTED_POLICY", path = "/unlisted-endpoint", method = "GET", clientName = "", @@ -699,6 +717,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock( protocol = "https", + rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/log-unlisted-clients", method = "POST", clientName = "echo3", @@ -723,6 +742,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog( protocol = "https", + rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/log-unlisted-clients", method = "POST", clientName = "echo3", @@ -746,6 +766,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog( protocol = "https", + rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/log-unlisted-clients", method = "GET", clientName = "service-name-from-header (not trusted)", @@ -766,6 +787,7 @@ class IncomingPermissionsLoggingModeTest { assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne() assertThat(echo2Envoy.container).hasOneAccessDenialWithActionBlock( protocol = "https", + rule = "{\"path\":\"/block-unlisted-clients-by-default\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}]}", path = "/block-unlisted-clients-by-default", method = "GET", clientName = "echo", diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsOriginalDestinationTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsOriginalDestinationTest.kt index 54035bffc..d02721cab 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsOriginalDestinationTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsOriginalDestinationTest.kt @@ -138,6 +138,7 @@ class IncomingPermissionsOriginalDestinationTest { assertThat(echo2Envoy.container).hasOneAccessDenialWithActionBlock( protocol = "http", + rule = "{\"path\":\"/blocked-echo\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"echo2\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}", path = "/blocked-echo", method = "GET", clientName = "echo", diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsRbacActionTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsRbacActionTest.kt index 6b776f5f4..2f3b421cd 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsRbacActionTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsRbacActionTest.kt @@ -84,6 +84,7 @@ class IncomingPermissionsRbacActionTest { assertThat(response).isOk() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionLog( protocol = "http", + rule = "?", rbacAction = "shadow_denied" ) } @@ -97,6 +98,7 @@ class IncomingPermissionsRbacActionTest { assertThat(response).isUnreachable() assertThat(failingEchoEnvoy.container).hasOneAccessDenialWithActionLog( protocol = "http", + rule = "?", rbacAction = "shadow_denied", statusCode = "503" ) diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsRequestIdTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsRequestIdTest.kt index 83a11fc4f..24e77425f 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsRequestIdTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsRequestIdTest.kt @@ -78,6 +78,7 @@ class IncomingPermissionsRequestIdTest { // then assertThat(response).isOk() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionLog( + rule = "?", protocol = "http", requestId = "123" ) @@ -94,6 +95,7 @@ class IncomingPermissionsRequestIdTest { assertThat(response).isOk() assertThat(echoEnvoy.container).hasOneAccessDenialWithActionLog( protocol = "http", + rule = "?", requestId = "\"" ) }