From 8134a777ac043361fd8813ea710658aa201dc413 Mon Sep 17 00:00:00 2001
From: Morgan Hoffman <hoffmanm@vt.edu>
Date: Thu, 14 Dec 2023 06:05:32 -0800
Subject: [PATCH] update rego testing for allow rollout restart

---
 Chart.yaml | 2 +-
 rego/allow_rollout_restart/policy_test.rego | 52 ++++++++++++++-------
 2 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/Chart.yaml b/Chart.yaml
index 26cf9bf..40073ea 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v2
 name: constraint-templates
-version: 1.5.0
+version: 1.5.1
 appVersion: 1.0.0
diff --git a/rego/allow_rollout_restart/policy_test.rego b/rego/allow_rollout_restart/policy_test.rego
index ba82538..7dcd75d 100644
--- a/rego/allow_rollout_restart/policy_test.rego
+++ b/rego/allow_rollout_restart/policy_test.rego
@@ -1,7 +1,7 @@
 package allow_rollout_restart
 
 test_with_deployment_and_correct_annotation {
- input := review_deployment_patch_existing("kubectl.kubernetes.io.restartedAt","14oclock","randomuser","13oclock")
+ input := review_deployment_patch_existing("kubectl.kubernetes.io.restartedAt","14oclock","randomuser","randomgroup","13oclock")
 
 results := violation
 with input as input
@@ -10,7 +10,7 @@ test_with_deployment_and_correct_annotation {
 }
 
 test_with_deployment_and_incorrect_annotation {
- input := review_deployment_patch_existing("wrongAnnotation","wrong","randomuser","13oclock")
+ input := review_deployment_patch_existing("wrongAnnotation","wrong","randomuser","randomgroup","13oclock")
 
 results := violation
 with input as input
@@ -19,7 +19,16 @@ test_with_deployment_and_incorrect_annotation {
 }
 
 test_with_deployment_and_incorrect_annotation_with_flux {
- input := review_deployment_patch_existing("wrongAnnotation","wrong","flux","13oclock")
+ input := review_deployment_patch_existing("wrongAnnotation","wrong","flux","randomgroup","13oclock")
+
+ results := violation
+ with input as input
+
+ count(results) == 0
+}
+
+test_with_deployment_and_incorrect_annotation_with_platform_admin_group {
+ input := review_deployment_patch_existing("wrongAnnotation","wrong","randomuser","oidc:it.platform.roles.admin","13oclock")
 
 results := violation
 with input as input
@@ -28,7 +37,7 @@ test_with_deployment_and_incorrect_annotation_with_flux {
 }
 
 test_with_deployment_and_too_many_annotations{
- input := review_deployment_patch_extra_annotations("kubectl.kubernetes.io.restartedAt","14oclock","randomuser","13oclock")
+ input := review_deployment_patch_extra_annotations("kubectl.kubernetes.io.restartedAt","14oclock","randomuser","randomgroup","13oclock")
 
 results := violation
 with input as input
@@ -37,7 +46,7 @@ test_with_deployment_and_too_many_annotations{
 }
 
 test_with_deployment_and_correct_annotation_no_existing_annotation {
- input := review_deployment_patch_absent("kubectl.kubernetes.io.restartedAt","14oclock","randomuser")
+ input := review_deployment_patch_absent("kubectl.kubernetes.io.restartedAt","14oclock","randomuser","randomgroup")
 
 results := violation
 with input as input
@@ -46,7 +55,7 @@ test_with_deployment_and_correct_annotation_no_existing_annotation {
 }
 
 test_with_deployment_and_incorrect_annotation_no_existing_annotation {
- input := review_deployment_patch_absent("wrongAnnotation","wrong","randomuser")
+ input := review_deployment_patch_absent("wrongAnnotation","wrong","randomuser","randomgroup")
 
 results := violation
 with input as input
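Review bot: The new test_with_deployment_and_incorrect_annotation_with_platform_admin_group case exercises the group exemption only through a fixture whose `groups` list holds exactly one entry, so nothing checks that the policy still recognises `oidc:it.platform.roles.admin` when it appears alongside other groups, which is the real-world shape of an admission review (every authenticated user also carries `system:authenticated`). A companion case that passes the admin group in a list together with an unrelated group would pin that the policy matches membership rather than the whole list; with the current single-`groupname` fixtures that needs either a second fixture or a list-valued argument. The `count(results) == 0` assertion for the admin test sits in the context after this hunk, so its expected outcome is inferred from the surrounding lines rather than visible here. The remaining hunks on this line only thread the new `groupname` argument through the existing calls and need nothing further.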
@@ -54,19 +63,22 @@ test_with_deployment_and_incorrect_annotation_no_existing_annotation {
 count(results) == 1
 }
 
-review_deployment_patch_extra_annotations(annotationname,annotationvalue,username,previousrestarted) = out {
+review_deployment_patch_extra_annotations(annotationname,annotationvalue,username,groupname,previousrestarted) = out {
 out = {
 "review": {
 "userInfo": {
- "username": username
+ "username": username,
+ "groups": [
+ groupname
+ ]
 },
- "operation": "PATCH",
+ "operation": "UPDATE",
 "kind": {
 "kind": "Deployment"
 },
 "object": {
 "spec": {
- "template: {
+ "template": {
 "metadata": {
 "annotations": {
 "dreaded_gazebo": "indeed",
@@ -78,7 +90,7 @@ review_deployment_patch_extra_annotations(annotationname,annotationvalue,usernam
 },
 "oldObject": {
 "spec": {
- "template: {
+ "template:" {
 "metadata": {
 "annotations": {
 "kubectl.kubernetes.io.restartedAt": previousrestarted
@@ -91,13 +103,16 @@ review_deployment_patch_extra_annotations(annotationname,annotationvalue,usernam
 }
 }
 
-review_deployment_patch_existing(annotationname,annotationvalue,username,previousrestarted) = out {
+review_deployment_patch_existing(annotationname,annotationvalue,username,groupname,previousrestarted) = out {
 out = {
 "review": {
 "userInfo": {
- "username": username
+ "username": username,
+ "groups": [
+ groupname
+ ]
 },
- "operation": "PATCH",
+ "operation": "UPDATE",
 "kind": {
 "kind": "Deployment"
 },
@@ -127,13 +142,16 @@ review_deployment_patch_existing(annotationname,annotationvalue,username,previou
 }
 }
 
-review_deployment_patch_absent(annotationname,annotationvalue,username) = out {
+review_deployment_patch_absent(annotationname,annotationvalue,username,groupname) = out {
 out = {
 "review": {
 "userInfo": {
- "username": username
+ "username": username,
+ "groups": [
+ groupname
+ ]
 },
- "operation": "PATCH",
+ "operation": "UPDATE",
 "kind": {
 "kind": "Deployment"
 },
-- 
GitLab
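Review bot: The replacement line in the oldObject block of review_deployment_patch_extra_annotations (hunk @@ -78,7 +90,7) reads `"template:" {`, which moves the colon inside the key string and leaves no separator before the value, so the fixture is still not a valid object literal even though the sibling object block in the first hunk on this line was corrected to `"template": {`; it should read `"template": {`. Because this is a parse error rather than a failing assertion, it is likely to stop the whole test file from loading instead of failing one case, which would hide whether the new group tests actually pass. The switch from `"operation": "PATCH"` to `"operation": "UPDATE"` in all three fixtures matches how the API server reports patch requests to admission webhooks (the AdmissionReview operation set is CREATE, UPDATE, DELETE and CONNECT), and a one-line comment such as `# rollout restart is a PATCH, which admission review reports as operation UPDATE` above the fixtures would keep a later reader from reverting it. The three fixture functions start inside these hunks but their bodies run past them.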