test: add tag unit tests

TylerGillson · TylerGillson · commit b137ce86ef4d · 2023-09-01T12:17:48.000-06:00
diff --git a/internal/controller/awsvalidator_controller.go b/internal/controller/awsvalidator_controller.go
@@ -91,7 +91,6 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	}
 	iamRuleService := iam.NewIAMRuleService(r.Log, aws_utils.IAMService(session))
 	svcQuotaService := servicequota.NewServiceQuotaRuleService(r.Log, session)
-	tagRuleService := tag.NewTagRuleService(r.Log, session)
 
 	// Get the active validator's validation result
 	vr := &v8or.ValidationResult{}
@@ -157,7 +156,8 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 
 	// Tag rules
 	for _, rule := range validator.Spec.TagRules {
-		validationResult, err := tagRuleService.ReconcileTagRule(nn, rule)
+		tagRuleService := tag.NewTagRuleService(r.Log, aws_utils.EC2Service(session, rule.Region))
+		validationResult, err := tagRuleService.ReconcileTagRule(rule)
 		if err != nil {
 			r.Log.V(0).Error(err, "failed to reconcile Tag rule")
 		}
diff --git a/internal/utils/test/test.go b/internal/utils/test/test.go
@@ -0,0 +1,36 @@
+package test
+
+import (
+	"errors"
+	"reflect"
+	"testing"
+
+	"github.com/spectrocloud-labs/valid8or/pkg/types"
+)
+
+func CheckTestCase(t *testing.T, res *types.ValidationResult, expectedResult types.ValidationResult, err, expectedError error) {
+	if !reflect.DeepEqual(res.State, expectedResult.State) {
+		t.Errorf("expected state (%+v), got (%+v)", expectedResult.State, res.State)
+	}
+	if !reflect.DeepEqual(res.Condition.ValidationType, expectedResult.Condition.ValidationType) {
+		t.Errorf("expected validation type (%s), got (%s)", expectedResult.Condition.ValidationType, res.Condition.ValidationType)
+	}
+	if !reflect.DeepEqual(res.Condition.ValidationRule, expectedResult.Condition.ValidationRule) {
+		t.Errorf("expected validation rule (%s), got (%s)", expectedResult.Condition.ValidationRule, res.Condition.ValidationRule)
+	}
+	if !reflect.DeepEqual(res.Condition.Message, expectedResult.Condition.Message) {
+		t.Errorf("expected message (%s), got (%s)", expectedResult.Condition.Message, res.Condition.Message)
+	}
+	if !reflect.DeepEqual(res.Condition.Details, expectedResult.Condition.Details) {
+		t.Errorf("expected details (%s), got (%s)", expectedResult.Condition.Details, res.Condition.Details)
+	}
+	if !reflect.DeepEqual(res.Condition.Failures, expectedResult.Condition.Failures) {
+		t.Errorf("expected failures (%s), got (%s)", expectedResult.Condition.Failures, res.Condition.Failures)
+	}
+	if !reflect.DeepEqual(res.Condition.Status, expectedResult.Condition.Status) {
+		t.Errorf("expected status (%s), got (%s)", expectedResult.Condition.Status, res.Condition.Status)
+	}
+	if !errors.Is(err, expectedError) {
+		t.Errorf("expected error (%v), got (%v)", expectedError, err)
+	}
+}
diff --git a/internal/validators/iam/iam_validator_test.go b/internal/validators/iam/iam_validator_test.go
@@ -2,14 +2,14 @@ package iam
 
 import (
 	"net/url"
-	"reflect"
 	"testing"
 
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 
 	"github.com/spectrocloud-labs/valid8or-plugin-aws/api/v1alpha1"
+	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/utils/test"
 	v8or "github.com/spectrocloud-labs/valid8or/api/v1alpha1"
 	"github.com/spectrocloud-labs/valid8or/pkg/types"
 	"github.com/spectrocloud-labs/valid8or/pkg/util/ptr"
@@ -76,7 +76,7 @@ const (
 
 var iamService = NewIAMRuleService(logr.Logger{}, iamApiMock{
 	attachedGroupPolicies: map[string]*iam.ListAttachedGroupPoliciesOutput{
-		"iamGroup": &iam.ListAttachedGroupPoliciesOutput{
+		"iamGroup": {
 			AttachedPolicies: []*iam.AttachedPolicy{
 				{
 					PolicyArn:  ptr.Ptr("iamRoleArn1"),
@@ -86,15 +86,15 @@ var iamService = NewIAMRuleService(logr.Logger{}, iamApiMock{
 		},
 	},
 	attachedRolePolicies: map[string]*iam.ListAttachedRolePoliciesOutput{
-		"iamRole1": &iam.ListAttachedRolePoliciesOutput{
+		"iamRole1": {
 			AttachedPolicies: []*iam.AttachedPolicy{
 				{
 					PolicyArn:  ptr.Ptr("iamRoleArn1"),
 					PolicyName: ptr.Ptr("iamPolicy"),
 				},
 			},
 		},
-		"iamRole2": &iam.ListAttachedRolePoliciesOutput{
+		"iamRole2": {
 			AttachedPolicies: []*iam.AttachedPolicy{
 				{
 					PolicyArn:  ptr.Ptr("iamRoleArn2"),
@@ -104,19 +104,19 @@ var iamService = NewIAMRuleService(logr.Logger{}, iamApiMock{
 		},
 	},
 	policyArns: map[string]*iam.GetPolicyOutput{
-		"iamRoleArn1": &iam.GetPolicyOutput{
+		"iamRoleArn1": {
 			Policy: ptr.Ptr(iam.Policy{
 				DefaultVersionId: ptr.Ptr("1"),
 			}),
 		},
-		"iamRoleArn2": &iam.GetPolicyOutput{
+		"iamRoleArn2": {
 			Policy: ptr.Ptr(iam.Policy{
 				DefaultVersionId: ptr.Ptr("1"),
 			}),
 		},
 	},
 	attachedUserPolicies: map[string]*iam.ListAttachedUserPoliciesOutput{
-		"iamUser": &iam.ListAttachedUserPoliciesOutput{
+		"iamUser": {
 			AttachedPolicies: []*iam.AttachedPolicy{
 				{
 					PolicyArn:  ptr.Ptr("iamRoleArn1"),
@@ -126,12 +126,12 @@ var iamService = NewIAMRuleService(logr.Logger{}, iamApiMock{
 		},
 	},
 	policyVersions: map[string]*iam.GetPolicyVersionOutput{
-		"iamRoleArn1": &iam.GetPolicyVersionOutput{
+		"iamRoleArn1": {
 			PolicyVersion: ptr.Ptr(iam.PolicyVersion{
 				Document: ptr.Ptr(url.QueryEscape(policyDocumentOutput1)),
 			}),
 		},
-		"iamRoleArn2": &iam.GetPolicyVersionOutput{
+		"iamRoleArn2": {
 			PolicyVersion: ptr.Ptr(iam.PolicyVersion{
 				Document: ptr.Ptr(url.QueryEscape(policyDocumentOutput2)),
 			}),
@@ -146,33 +146,6 @@ type testCase struct {
 	expectedError  error
 }
 
-func checkTestCase(t *testing.T, c testCase, res *types.ValidationResult, err error) {
-	if !reflect.DeepEqual(res.State, c.expectedResult.State) {
-		t.Errorf("expected state (%+v), got (%+v)", c.expectedResult.State, res.State)
-	}
-	if !reflect.DeepEqual(res.Condition.ValidationType, c.expectedResult.Condition.ValidationType) {
-		t.Errorf("expected validation type (%s), got (%s)", c.expectedResult.Condition.ValidationType, res.Condition.ValidationType)
-	}
-	if !reflect.DeepEqual(res.Condition.ValidationRule, c.expectedResult.Condition.ValidationRule) {
-		t.Errorf("expected validation rule (%s), got (%s)", c.expectedResult.Condition.ValidationRule, res.Condition.ValidationRule)
-	}
-	if !reflect.DeepEqual(res.Condition.Message, c.expectedResult.Condition.Message) {
-		t.Errorf("expected message (%s), got (%s)", c.expectedResult.Condition.Message, res.Condition.Message)
-	}
-	if !reflect.DeepEqual(res.Condition.Details, c.expectedResult.Condition.Details) {
-		t.Errorf("expected details (%s), got (%s)", c.expectedResult.Condition.Details, res.Condition.Details)
-	}
-	if !reflect.DeepEqual(res.Condition.Failures, c.expectedResult.Condition.Failures) {
-		t.Errorf("expected failures (%s), got (%s)", c.expectedResult.Condition.Failures, res.Condition.Failures)
-	}
-	if !reflect.DeepEqual(res.Condition.Status, c.expectedResult.Condition.Status) {
-		t.Errorf("expected status (%s), got (%s)", c.expectedResult.Condition.Status, res.Condition.Status)
-	}
-	if !reflect.DeepEqual(err, c.expectedError) {
-		t.Errorf("expected error (%v), got (%v)", c.expectedError, err)
-	}
-}
-
 func TestIAMGroupValidation(t *testing.T) {
 	cs := []testCase{
 		{
@@ -240,7 +213,7 @@ func TestIAMGroupValidation(t *testing.T) {
 	}
 	for _, c := range cs {
 		result, err := iamService.ReconcileIAMGroupRule(c.rule)
-		checkTestCase(t, c, result, err)
+		test.CheckTestCase(t, result, c.expectedResult, err, c.expectedError)
 	}
 }
 
@@ -341,7 +314,7 @@ func TestIAMRoleValidation(t *testing.T) {
 	}
 	for _, c := range cs {
 		result, err := iamService.ReconcileIAMRoleRule(c.rule)
-		checkTestCase(t, c, result, err)
+		test.CheckTestCase(t, result, c.expectedResult, err, c.expectedError)
 	}
 }
 
@@ -412,7 +385,7 @@ func TestIAMUserValidation(t *testing.T) {
 	}
 	for _, c := range cs {
 		result, err := iamService.ReconcileIAMUserRule(c.rule)
-		checkTestCase(t, c, result, err)
+		test.CheckTestCase(t, result, c.expectedResult, err, c.expectedError)
 	}
 }
 
@@ -483,6 +456,6 @@ func TestIAMPolicyValidation(t *testing.T) {
 	}
 	for _, c := range cs {
 		result, err := iamService.ReconcileIAMPolicyRule(c.rule)
-		checkTestCase(t, c, result, err)
+		test.CheckTestCase(t, result, c.expectedResult, err, c.expectedError)
 	}
 }
diff --git a/internal/validators/tag/tag_validator.go b/internal/validators/tag/tag_validator.go
@@ -3,36 +3,36 @@ package tag
 import (
 	"fmt"
 
-	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
-	ktypes "k8s.io/apimachinery/pkg/types"
 
 	"github.com/spectrocloud-labs/valid8or-plugin-aws/api/v1alpha1"
 	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/constants"
-	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/utils/aws"
 	v8or "github.com/spectrocloud-labs/valid8or/api/v1alpha1"
 	v8orconstants "github.com/spectrocloud-labs/valid8or/pkg/constants"
 	v8ortypes "github.com/spectrocloud-labs/valid8or/pkg/types"
 	"github.com/spectrocloud-labs/valid8or/pkg/util/ptr"
 )
 
+type tagApi interface {
+	DescribeSubnets(input *ec2.DescribeSubnetsInput) (*ec2.DescribeSubnetsOutput, error)
+}
+
 type TagRuleService struct {
-	log     logr.Logger
-	session *session.Session
+	log    logr.Logger
+	tagSvc tagApi
 }
 
-func NewTagRuleService(log logr.Logger, s *session.Session) *TagRuleService {
+func NewTagRuleService(log logr.Logger, tagSvc tagApi) *TagRuleService {
 	return &TagRuleService{
-		log:     log,
-		session: s,
+		log:    log,
+		tagSvc: tagSvc,
 	}
 }
 
 // ReconcileTagRule reconciles an EC2 tagging validation rule from the AWSValidator config
-func (s *TagRuleService) ReconcileTagRule(nn ktypes.NamespacedName, rule v1alpha1.TagRule) (*v8ortypes.ValidationResult, error) {
-	ec2Svc := aws.EC2Service(s.session, rule.Region)
+func (s *TagRuleService) ReconcileTagRule(rule v1alpha1.TagRule) (*v8ortypes.ValidationResult, error) {
 
 	// Build the default latest condition for this tag rule
 	state := v8or.ValidationSucceeded
@@ -47,7 +47,7 @@ func (s *TagRuleService) ReconcileTagRule(nn ktypes.NamespacedName, rule v1alpha
 		// match the tag rule's list of ARNs against the subnets with tag 'rule.Key=rule.ExpectedValue'
 		failures := make([]string, 0)
 		foundArns := make(map[string]bool)
-		subnets, err := ec2Svc.DescribeSubnets(&ec2.DescribeSubnetsInput{
+		subnets, err := s.tagSvc.DescribeSubnets(&ec2.DescribeSubnetsInput{
 			Filters: []*ec2.Filter{
 				{
 					Name:   ptr.Ptr(fmt.Sprintf("tag:%s", rule.Key)),
diff --git a/internal/validators/tag/tag_validator_test.go b/internal/validators/tag/tag_validator_test.go
@@ -0,0 +1,95 @@
+package tag
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/spectrocloud-labs/valid8or-plugin-aws/api/v1alpha1"
+	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/utils/test"
+	v8or "github.com/spectrocloud-labs/valid8or/api/v1alpha1"
+	"github.com/spectrocloud-labs/valid8or/pkg/types"
+	"github.com/spectrocloud-labs/valid8or/pkg/util/ptr"
+)
+
+type tagApiMock struct {
+	subnetsByTagValue map[string]*ec2.DescribeSubnetsOutput
+}
+
+func (m tagApiMock) DescribeSubnets(input *ec2.DescribeSubnetsInput) (*ec2.DescribeSubnetsOutput, error) {
+	key := fmt.Sprintf("%s=%s", *input.Filters[0].Name, *input.Filters[0].Values[0])
+	return m.subnetsByTagValue[key], nil
+}
+
+var tagService = NewTagRuleService(logr.Logger{}, tagApiMock{
+	subnetsByTagValue: map[string]*ec2.DescribeSubnetsOutput{
+		"tag:kubernetes.io/role/elb=1": {
+			Subnets: []*ec2.Subnet{
+				{
+					SubnetArn: ptr.Ptr("subnetArn2"),
+				},
+			},
+		},
+	},
+})
+
+type testCase struct {
+	name           string
+	rule           v1alpha1.TagRule
+	expectedResult types.ValidationResult
+	expectedError  error
+}
+
+func TestTagValidation(t *testing.T) {
+	cs := []testCase{
+		{
+			name: "Fail (missing tag)",
+			rule: v1alpha1.TagRule{
+				Key:           "kubernetes.io/role/elb",
+				ExpectedValue: "1",
+				Region:        "us-west-1",
+				ResourceType:  "subnet",
+				ARNs:          []string{"subnetArn1"},
+			},
+			expectedResult: types.ValidationResult{
+				Condition: &v8or.ValidationCondition{
+					ValidationType: "aws-tag",
+					ValidationRule: "validation-subnet-kubernetes.io/role/elb",
+					Message:        "One or more required subnet tags was not found",
+					Details:        []string{},
+					Failures:       []string{"Subnet with ARN subnetArn1 missing tag kubernetes.io/role/elb=1"},
+					Status:         corev1.ConditionFalse,
+				},
+				State: ptr.Ptr(v8or.ValidationFailed),
+			},
+		},
+		{
+			name: "Pass",
+			rule: v1alpha1.TagRule{
+				Key:           "kubernetes.io/role/elb",
+				ExpectedValue: "1",
+				Region:        "us-west-1",
+				ResourceType:  "subnet",
+				ARNs:          []string{"subnetArn2"},
+			},
+			expectedResult: types.ValidationResult{
+				Condition: &v8or.ValidationCondition{
+					ValidationType: "aws-tag",
+					ValidationRule: "validation-subnet-kubernetes.io/role/elb",
+					Message:        "All required subnet tags were found",
+					Details:        []string{},
+					Failures:       nil,
+					Status:         corev1.ConditionTrue,
+				},
+				State: ptr.Ptr(v8or.ValidationSucceeded),
+			},
+		},
+	}
+	for _, c := range cs {
+		result, err := tagService.ReconcileTagRule(c.rule)
+		test.CheckTestCase(t, result, c.expectedResult, err, c.expectedError)
+	}
+}
