firewall: increase test coverage to 1.0.0 and older spec versions

Signed-off-by: Dan Williams <dcbw@redhat.com>
Dan Williams 2021-02-11 20:30:37 -06:00
parent da52be35bc
commit f33eedb6eb
2 changed files with 296 additions and 465 deletions


@ -34,30 +34,7 @@ import (
. "github.com/onsi/gomega"
)
const (
confTmpl = `{
"cniVersion": "0.3.1",
"name": "firewalld-test",
"type": "firewall",
"backend": "firewalld",
"zone": "trusted",
"prevResult": {
"cniVersion": "0.3.0",
"interfaces": [
{"name": "%s", "sandbox": "%s"}
],
"ips": [
{
"version": "4",
"address": "10.0.0.2/24",
"gateway": "10.0.0.1",
"interface": 0
}
]
}
}`
ifname = "eth0"
)
const ifname = "eth0"
type fakeFirewalld struct {
zone string
@ -125,6 +102,30 @@ func spawnSessionDbus(wg *sync.WaitGroup) (string, *exec.Cmd) {
return busAddr, cmd
}
func makeFirewalldConf(ver, ifname string, ns ns.NetNS) []byte {
return []byte(fmt.Sprintf(`{
"cniVersion": "%s",
"name": "firewalld-test",
"type": "firewall",
"backend": "firewalld",
"zone": "trusted",
"prevResult": {
"cniVersion": "%s",
"interfaces": [
{"name": "%s", "sandbox": "%s"}
],
"ips": [
{
"version": "4",
"address": "10.0.0.2/24",
"gateway": "10.0.0.1",
"interface": 0
}
]
}
}`, ver, ver, ifname, ns.Path()))
}
var _ = Describe("firewalld test", func() {
var (
targetNs ns.NetNS
@ -177,12 +178,22 @@ var _ = Describe("firewalld test", func() {
Expect(err).NotTo(HaveOccurred())
wg.Wait()
Expect(targetNs.Close()).To(Succeed())
Expect(testutils.UnmountNS(targetNs)).To(Succeed())
})
It("works with a 0.3.1 config", func() {
// firewall plugin requires a prevResult and thus only supports 0.3.0
// and later CNI versions
for _, ver := range []string{"0.3.0", "0.3.1", "0.4.0", "1.0.0"} {
// Redefine ver inside for scope so real value is picked up by each dynamically defined It()
// See Gingkgo's "Patterns for dynamically generating tests" documentation.
ver := ver
It(fmt.Sprintf("[%s] works with a config", ver), func() {
Expect(isFirewalldRunning()).To(BeTrue())
conf := fmt.Sprintf(confTmpl, ifname, targetNs.Path())
conf := makeFirewalldConf(ver, ifname, targetNs)
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNs.Path(),
@ -205,30 +216,10 @@ var _ = Describe("firewalld test", func() {
Expect(fwd.source).To(Equal("10.0.0.2/32"))
})
It("defaults to the firewalld backend", func() {
conf := `{
"cniVersion": "0.3.1",
"name": "firewalld-test",
"type": "firewall",
"zone": "trusted",
"prevResult": {
"cniVersion": "0.3.0",
"interfaces": [
{"name": "eth0", "sandbox": "/foobar"}
],
"ips": [
{
"version": "4",
"address": "10.0.0.2/24",
"gateway": "10.0.0.1",
"interface": 0
}
]
}
}`
It(fmt.Sprintf("[%s] defaults to the firewalld backend", ver), func() {
Expect(isFirewalldRunning()).To(BeTrue())
conf := makeFirewalldConf(ver, ifname, targetNs)
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNs.Path(),
@ -243,30 +234,10 @@ var _ = Describe("firewalld test", func() {
Expect(fwd.source).To(Equal("10.0.0.2/32"))
})
It("passes through the prevResult", func() {
conf := `{
"cniVersion": "0.3.1",
"name": "firewalld-test",
"type": "firewall",
"zone": "trusted",
"prevResult": {
"cniVersion": "0.3.0",
"interfaces": [
{"name": "eth0", "sandbox": "/foobar"}
],
"ips": [
{
"version": "4",
"address": "10.0.0.2/24",
"gateway": "10.0.0.1",
"interface": 0
}
]
}
}`
It(fmt.Sprintf("[%s] passes through the prevResult", ver), func() {
Expect(isFirewalldRunning()).To(BeTrue())
conf := makeFirewalldConf(ver, ifname, targetNs)
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNs.Path(),
@ -287,31 +258,10 @@ var _ = Describe("firewalld test", func() {
Expect(result.IPs[0].Address.String()).To(Equal("10.0.0.2/24"))
})
It("works with a 0.4.0 config, including Check", func() {
It(fmt.Sprintf("[%s] works with Check", ver), func() {
Expect(isFirewalldRunning()).To(BeTrue())
conf := `{
"cniVersion": "0.4.0",
"name": "firewalld-test",
"type": "firewall",
"backend": "firewalld",
"zone": "trusted",
"prevResult": {
"cniVersion": "0.4.0",
"interfaces": [
{"name": "eth0", "sandbox": "/foobar"}
],
"ips": [
{
"version": "4",
"address": "10.0.0.2/24",
"gateway": "10.0.0.1",
"interface": 0
}
]
}
}`
conf := makeFirewalldConf(ver, ifname, targetNs)
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNs.Path(),
@ -325,6 +275,7 @@ var _ = Describe("firewalld test", func() {
Expect(fwd.zone).To(Equal("trusted"))
Expect(fwd.source).To(Equal("10.0.0.2/32"))
if testutils.SpecVersionHasCHECK(ver) {
_, err = current.GetResult(r)
Expect(err).NotTo(HaveOccurred())
@ -332,6 +283,7 @@ var _ = Describe("firewalld test", func() {
return cmdCheck(args)
})
Expect(err).NotTo(HaveOccurred())
}
err = testutils.CmdDelWithArgs(args, func() error {
return cmdDel(args)
@ -340,4 +292,5 @@ var _ = Describe("firewalld test", func() {
Expect(fwd.zone).To(Equal("trusted"))
Expect(fwd.source).To(Equal("10.0.0.2/32"))
})
}
})
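Review bot: The `[%s] defaults to the firewalld backend` case no longer exercises the default, because `makeFirewalldConf` always emits `"backend": "firewalld"`, while the inline config this test used before had no `backend` key at all. As written, a regression in backend selection for a config that omits `backend` would go unnoticed, and for a firewall plugin that could mean rules are not applied where an operator expects them. The helper could take a backend argument and leave the key out when it is empty, with this test passing `""`; the `[%s] passes through the prevResult` case lost the same property. Separately, the helper's `ns ns.NetNS` parameter shadows the imported `ns` package inside the function, so a name such as `netns` would be clearer.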


@ -166,11 +166,8 @@ func validateCleanedUp(bytes []byte) {
}
}
var _ = Describe("firewall plugin iptables backend", func() {
var originalNS, targetNS ns.NetNS
const IFNAME string = "dummy0"
fullConf := []byte(fmt.Sprintf(`{
func makeIptablesConf(ver string) []byte {
return []byte(fmt.Sprintf(`{
"name": "test",
"type": "firewall",
"backend": "iptables",
@ -194,7 +191,12 @@ var _ = Describe("firewall plugin iptables backend", func() {
}
]
}
}`, current.ImplementedSpecVersion, current.ImplementedSpecVersion))
}`, ver, ver))
}
var _ = Describe("firewall plugin iptables backend", func() {
var originalNS, targetNS ns.NetNS
const IFNAME string = "dummy0"
BeforeEach(func() {
// Create a new NetNS so we don't modify the host
@ -226,7 +228,15 @@ var _ = Describe("firewall plugin iptables backend", func() {
Expect(targetNS.Close()).To(Succeed())
})
It("passes prevResult through unchanged", func() {
// firewall plugin requires a prevResult and thus only supports 0.3.0
// and later CNI versions
for _, ver := range []string{"0.3.0", "0.3.1", "0.4.0", "1.0.0"} {
// Redefine ver inside for scope so real value is picked up by each dynamically defined It()
// See Gingkgo's "Patterns for dynamically generating tests" documentation.
ver := ver
It(fmt.Sprintf("[%s] passes prevResult through unchanged", ver), func() {
fullConf := makeIptablesConf(ver)
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNS.Path(),
@ -255,7 +265,8 @@ var _ = Describe("firewall plugin iptables backend", func() {
Expect(err).NotTo(HaveOccurred())
})
It("installs the right iptables rules on the host", func() {
It(fmt.Sprintf("[%s] installs the right iptables rules on the host", ver), func() {
fullConf := makeIptablesConf(ver)
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNS.Path(),
@ -284,7 +295,7 @@ var _ = Describe("firewall plugin iptables backend", func() {
Expect(err).NotTo(HaveOccurred())
})
It("correctly handles a custom IptablesAdminChainName", func() {
It(fmt.Sprintf("[%s] correctly handles a custom IptablesAdminChainName", ver), func() {
conf := []byte(fmt.Sprintf(`{
"name": "test",
"type": "firewall",
@ -310,7 +321,7 @@ var _ = Describe("firewall plugin iptables backend", func() {
}
]
}
}`, current.ImplementedSpecVersion, current.ImplementedSpecVersion))
}`, ver, ver))
args := &skel.CmdArgs{
ContainerID: "dummy",
@ -349,144 +360,8 @@ var _ = Describe("firewall plugin iptables backend", func() {
Expect(err).NotTo(HaveOccurred())
})
It("cleans up on delete", func() {
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNS.Path(),
IfName: IFNAME,
StdinData: fullConf,
}
err := originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
_, _, err := testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error {
return cmdAdd(args)
})
Expect(err).NotTo(HaveOccurred())
validateFullRuleset(fullConf)
err = testutils.CmdDel(targetNS.Path(), args.ContainerID, IFNAME, func() error {
return cmdDel(args)
})
Expect(err).NotTo(HaveOccurred())
validateCleanedUp(fullConf)
return nil
})
Expect(err).NotTo(HaveOccurred())
})
It("installs the right iptables rules on the host v4.0.x and check is successful", func() {
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNS.Path(),
IfName: IFNAME,
StdinData: fullConf,
}
err := originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
_, _, err := testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error {
return cmdAdd(args)
})
Expect(err).NotTo(HaveOccurred())
validateFullRuleset(fullConf)
return nil
})
Expect(err).NotTo(HaveOccurred())
})
It("cleans up on delete v4.0.x", func() {
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNS.Path(),
IfName: IFNAME,
StdinData: fullConf,
}
err := originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
_, _, err := testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error {
return cmdAdd(args)
})
Expect(err).NotTo(HaveOccurred())
validateFullRuleset(fullConf)
err = testutils.CmdDel(targetNS.Path(), args.ContainerID, IFNAME, func() error {
return cmdDel(args)
})
Expect(err).NotTo(HaveOccurred())
validateCleanedUp(fullConf)
return nil
})
Expect(err).NotTo(HaveOccurred())
})
})
var _ = Describe("firewall plugin iptables backend v0.4.x", func() {
var originalNS, targetNS ns.NetNS
const IFNAME string = "dummy0"
fullConf := []byte(`{
"name": "test",
"type": "firewall",
"backend": "iptables",
"ifName": "dummy0",
"cniVersion": "0.4.0",
"prevResult": {
"cniVersion": "0.4.0",
"interfaces": [
{"name": "dummy0"}
],
"ips": [
{
"version": "4",
"address": "10.0.0.2/24",
"interface": 0
},
{
"version": "6",
"address": "2001:db8:1:2::1/64",
"interface": 0
}
]
}
}`)
BeforeEach(func() {
// Create a new NetNS so we don't modify the host
var err error
originalNS, err = testutils.NewNS()
Expect(err).NotTo(HaveOccurred())
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
err = netlink.LinkAdd(&netlink.Dummy{
LinkAttrs: netlink.LinkAttrs{
Name: IFNAME,
},
})
Expect(err).NotTo(HaveOccurred())
_, err = netlink.LinkByName(IFNAME)
Expect(err).NotTo(HaveOccurred())
return nil
})
Expect(err).NotTo(HaveOccurred())
targetNS, err = testutils.NewNS()
Expect(err).NotTo(HaveOccurred())
})
AfterEach(func() {
Expect(originalNS.Close()).To(Succeed())
Expect(targetNS.Close()).To(Succeed())
})
It("installs iptables rules, Check rules then cleans up on delete using v4.0.x", func() {
It(fmt.Sprintf("[%s] installs iptables rules, checks rules, then cleans up on delete", ver), func() {
fullConf := makeIptablesConf(ver)
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNS.Path(),
@ -505,11 +380,13 @@ var _ = Describe("firewall plugin iptables backend v0.4.x", func() {
_, err = types040.GetResult(r)
Expect(err).NotTo(HaveOccurred())
if testutils.SpecVersionHasCHECK(ver) {
err = testutils.CmdCheckWithArgs(args, func() error {
return cmdCheck(args)
})
Expect(err).NotTo(HaveOccurred())
validateFullRuleset(fullConf)
}
err = testutils.CmdDelWithArgs(args, func() error {
return cmdDel(args)
@ -520,4 +397,5 @@ var _ = Describe("firewall plugin iptables backend v0.4.x", func() {
})
Expect(err).NotTo(HaveOccurred())
})
}
})
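Review bot: The version list at `for _, ver := range []string{"0.3.0", "0.3.1", "0.4.0", "1.0.0"}` is a second literal copy of the one in the firewalld test, so a spec version added to one file can be missed in the other and leave that backend untested for it. Both files call `cmdAdd` and `cmdDel` directly, so they presumably share a package and could range over one package-level slice, e.g. `var testedSpecVersions = []string{"0.3.0", "0.3.1", "0.4.0", "1.0.0"}`. The comment above `ver := ver` misspells the framework name; it should read `// See Ginkgo's "Patterns for dynamically generating tests" documentation.` in both files.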