From 7c35858981f52ec595d8f63506548c379a99ff6a Mon Sep 17 00:00:00 2001
From: Vishal Choudhary
Date: Mon, 6 Jan 2025 20:29:12 +0530
Subject: [PATCH] feat: add chainsaw test for policy ordering in authz server (#297)

Signed-off-by: Vishal Choudhary
---
.../policy-ordering/chainsaw-test.yaml | 41 ++++++++++++++++
.../policy-ordering/istio-policy.yaml | 14 ++++++
.../policy-ordering/policy-a.yaml | 13 +++++
.../policy-ordering/policy-b.yaml | 13 +++++
.../authz-server/policy-ordering/shell.yaml | 48 +++++++++++++++++++
5 files changed, 129 insertions(+)
create mode 100644 tests/e2e/authz-server/policy-ordering/chainsaw-test.yaml
create mode 100644 tests/e2e/authz-server/policy-ordering/istio-policy.yaml
create mode 100644 tests/e2e/authz-server/policy-ordering/policy-a.yaml
create mode 100644 tests/e2e/authz-server/policy-ordering/policy-b.yaml
create mode 100644 tests/e2e/authz-server/policy-ordering/shell.yaml

diff --git a/tests/e2e/authz-server/policy-ordering/chainsaw-test.yaml b/tests/e2e/authz-server/policy-ordering/chainsaw-test.yaml
new file mode 100644
index 0000000..e23f3d2
--- /dev/null
+++ b/tests/e2e/authz-server/policy-ordering/chainsaw-test.yaml
@@ -0,0 +1,41 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: policy-ordering
+spec:
+ namespace: app
+ steps:
+ - try:
+ - create:
+ file: ./istio-policy.yaml
+ - create:
+ file: ./policy-b.yaml
+ - create:
+ file: ./shell.yaml
+ - wait:
+ apiVersion: v1
+ kind: Pod
+ timeout: 1m
+ for:
+ condition:
+ name: Ready
+ value: 'true'
+ - script:
+ content: >
+ kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get -H "x-force-authorized: true"
+ check:
+ ($stdout): |-
+ Unauthorized Request from Policy B
+ http_code=403
+ - create:
+ file: ./policy-a.yaml
+ - script:
+ content: >
+ kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get -H "x-force-authorized: true"
+ check:
+ ($stdout): |-
+ Unauthorized Request from Policy A
+ http_code=403
+ finally:
+ - sleep:
+ duration: 10s
diff --git a/tests/e2e/authz-server/policy-ordering/istio-policy.yaml b/tests/e2e/authz-server/policy-ordering/istio-policy.yaml
new file mode 100644
index 0000000..e8dadd0
--- /dev/null
+++ b/tests/e2e/authz-server/policy-ordering/istio-policy.yaml
@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: policy
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ ext-authz: enabled
+ action: CUSTOM
+ provider:
+ name: kyverno-authz-server
+ rules:
+ - {}
diff --git a/tests/e2e/authz-server/policy-ordering/policy-a.yaml b/tests/e2e/authz-server/policy-ordering/policy-a.yaml
new file mode 100644
index 0000000..2981221
--- /dev/null
+++ b/tests/e2e/authz-server/policy-ordering/policy-a.yaml
@@ -0,0 +1,13 @@
+# yaml-language-server: $schema=../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+ name: policy-a
+spec:
+ deny:
+ - response: >
+ envoy
+ .Denied(403)
+ .WithBody("Unauthorized Request from Policy A")
+ .Response()
+
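Review bot: As sequenced, the test cannot tell name-ordered evaluation apart from newest-created-wins: `policy-a` is both first by name and the last policy created, so both rules predict `Policy B` and then `Policy A` for the two checks. Deleting and re-creating policy-b after the Policy A check, and asserting that Policy A still wins, separates the two (a name rule keeps A, a newest-wins rule would flip back to B, an oldest-wins rule would already have failed the second check). Separately, each curl runs immediately after its `create` with nothing that waits for the authz server to load the new policy, so unless chainsaw retries `script` checks until their timeout (which I cannot confirm from here) the checks may be flaky on a slow sync; a short bounded poll in the script would avoid a fixed sleep. The `x-force-authorized: true` header is not consulted by either policy in this change, so it is inert here and worth a comment or removal.
```yaml
# … unchanged: create istio-policy/policy-b/shell, Pod Ready wait, Policy B check, create policy-a, Policy A check …
- delete:
    ref:
      apiVersion: envoy.kyverno.io/v1alpha1
      kind: AuthorizationPolicy
      name: policy-b
- create:
    file: ./policy-b.yaml
- script:
    content: |
      for _ in $(seq 1 30); do
        out=$(kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get -H "x-force-authorized: true")
        case "$out" in *"Policy A"*) break ;; esac
        sleep 1
      done
      printf '%s' "$out"
    check:
      ($stdout): |-
        Unauthorized Request from Policy A
        http_code=403
```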
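Review bot: The Istio AuthorizationPolicy is created in `istio-system` with a catch-all `rules: - {}`, which gives it root-namespace scope: for the lifetime of the test every request to any workload labelled `ext-authz: enabled` anywhere in the mesh is routed through `kyverno-authz-server`, and the fixed name `policy` will collide with any other test that uses the same pattern concurrently. The httpbin target is resolved by short name from the curl pod, so it lives in the test namespace `app`; unless mesh-wide scope is intended, drop `namespace: istio-system` so chainsaw creates the policy in the test namespace and removes it with the rest of the test's resources. If other suites already rely on the istio-system placement, a one-line comment saying so would stop this being raised again.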
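Review bot: Nothing in policy-a.yaml records why an unconditional deny identical to policy-b (apart from the body text) exists, or that the test expects this one to take precedence once both are present; the file reads as a copy-paste leftover. A header comment makes the assumption explicit and tells the next maintainer not to rename it: `# Same unconditional deny as policy-b.yaml; the policy-ordering test expects this one to win because policies are evaluated in name order (policy-a < policy-b).` If the server's ordering rule is something other than name order, the comment should state that rule instead.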
diff --git a/tests/e2e/authz-server/policy-ordering/policy-b.yaml b/tests/e2e/authz-server/policy-ordering/policy-b.yaml
new file mode 100644
index 0000000..7dd808b
--- /dev/null
+++ b/tests/e2e/authz-server/policy-ordering/policy-b.yaml
@@ -0,0 +1,13 @@
+# yaml-language-server: $schema=../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+ name: policy-b
+spec:
+ deny:
+ - response: >
+ envoy
+ .Denied(403)
+ .WithBody("Unauthorized Request from Policy B")
+ .Response()
+
diff --git a/tests/e2e/authz-server/policy-ordering/shell.yaml b/tests/e2e/authz-server/policy-ordering/shell.yaml
new file mode 100644
index 0000000..febda25
--- /dev/null
+++ b/tests/e2e/authz-server/policy-ordering/shell.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: curl
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: curl
+ labels:
+ app: curl
+ service: curl
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: curl
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: curl
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: curl
+ template:
+ metadata:
+ labels:
+ app: curl
+ spec:
+ terminationGracePeriodSeconds: 0
+ serviceAccountName: curl
+ containers:
+ - name: curl
+ image: curlimages/curl
+ command: ["/bin/sleep", "infinity"]
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /etc/curl/tls
+ name: secret-volume
+ volumes:
+ - name: secret-volume
+ secret:
+ secretName: curl-secret
+ optional: true
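Review bot: The curl Deployment mounts the `curl` service-account token by default although nothing in this change talks to the API server from inside the pod (all traffic is driven by `kubectl exec` from outside), the image is unpinned (`curlimages/curl` resolves to a floating tag), and the container sets no `securityContext`. Add `automountServiceAccountToken: false` on the pod spec, pin the image to a tag or digest, and disable privilege escalation and drop capabilities so the fixture models the least-privilege baseline an authz test suite should itself follow. The `curl` Service on port 80 and the optional `curl-secret` volume are not used by anything in this change; if they are carried over from another fixture, either remove them or add a comment saying what relies on them.
```yaml
spec:
  terminationGracePeriodSeconds: 0
  serviceAccountName: curl
  automountServiceAccountToken: false
  containers:
  - name: curl
    image: curlimages/curl:<pinned tag or @sha256 digest>
    imagePullPolicy: IfNotPresent
    command: ["/bin/sleep", "infinity"]
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      capabilities:
        drop: ["ALL"]
# … unchanged: volumeMounts and volumes …
```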