Roberto Jiménez Sánchez
02464c19b8
* Validate Job Specs * Add comprehensive unit test coverage for job validator - Added 8 new test cases to improve coverage from 88.9% to ~100% - Tests for migrate action without options - Tests for delete/move actions with resources (missing kind) - Tests for move action with valid resources - Tests for move/delete with both paths and resources - Tests for move action with invalid source paths - Tests for push action with valid paths Now covers all validation paths including resource validation and edge cases for all job action types. * Add integration tests for job validation Added comprehensive integration tests that verify the job validator properly rejects invalid job specifications via the API: - Test job without action (required field) - Test job with invalid action - Test pull job without pull options - Test push job without push options - Test push job with invalid branch name (consecutive dots) - Test push job with path traversal attempt - Test delete job without paths or resources - Test delete job with invalid path (path traversal) - Test move job without target path - Test move job without paths or resources - Test move job with invalid target path (path traversal) - Test migrate job without migrate options - Test valid pull job to ensure validation doesn't block legitimate requests These tests verify that the admission controller properly validates job specs before they are persisted, ensuring security (path traversal prevention) and data integrity (required fields/options). * Remove valid job test case from integration tests Removed the positive test case as it's not necessary for validation testing. The integration tests now focus solely on verifying that invalid job specs are properly rejected by the admission controller. * Fix movejob_test to expect validation error at creation time Updated the 'move without target path' test to expect the job creation to fail with a validation error, rather than expecting the job to be created and then fail during execution. This aligns with the new job validation logic which rejects invalid job specs at the API admission control level (422 Unprocessable Entity) before they can be persisted. This is better behavior as it prevents invalid jobs from being created in the first place, rather than allowing them to be created and then failing during execution. * Simplify action validation using slices.Contains Replaced manual loop with slices.Contains for cleaner, more idiomatic Go code. This reduces code complexity while maintaining the same validation logic. - Added import for 'slices' package - Replaced 8-line loop with 1-line slices.Contains call - All unit tests pass * Refactor job action validation in ValidateJob function Removed the hardcoded valid actions array and simplified the validation logic. The function now directly appends an error for invalid actions, improving code clarity and maintainability. This change aligns with the recent updates to job validation, ensuring that invalid job specifications are properly handled.
183 lines
5.5 KiB
Go
183 lines
5.5 KiB
Go
package provisioning
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
|
|
provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
|
|
"github.com/grafana/grafana/pkg/util/testutil"
|
|
)
|
|
|
|
func TestIntegrationProvisioning_JobValidation(t *testing.T) {
|
|
testutil.SkipIntegrationTestInShortMode(t)
|
|
|
|
helper := runGrafana(t)
|
|
ctx := context.Background()
|
|
|
|
// Create a test repository first
|
|
const repo = "job-validation-test-repo"
|
|
testRepo := TestRepo{
|
|
Name: repo,
|
|
Target: "instance",
|
|
Copies: map[string]string{},
|
|
ExpectedDashboards: 0,
|
|
ExpectedFolders: 0,
|
|
}
|
|
helper.CreateRepo(t, testRepo)
|
|
|
|
tests := []struct {
|
|
name string
|
|
jobSpec map[string]interface{}
|
|
expectedErr string
|
|
}{
|
|
{
|
|
name: "job without action",
|
|
jobSpec: map[string]interface{}{
|
|
"repository": repo,
|
|
},
|
|
expectedErr: "spec.action: Required value: action must be specified",
|
|
},
|
|
{
|
|
name: "job with invalid action",
|
|
jobSpec: map[string]interface{}{
|
|
"action": "invalid-action",
|
|
"repository": repo,
|
|
},
|
|
expectedErr: "spec.action: Invalid value: \"invalid-action\": invalid action",
|
|
},
|
|
{
|
|
name: "pull job without pull options",
|
|
jobSpec: map[string]interface{}{
|
|
"action": string(provisioning.JobActionPull),
|
|
"repository": repo,
|
|
},
|
|
expectedErr: "spec.pull: Required value: pull options required for pull action",
|
|
},
|
|
{
|
|
name: "push job without push options",
|
|
jobSpec: map[string]interface{}{
|
|
"action": string(provisioning.JobActionPush),
|
|
"repository": repo,
|
|
},
|
|
expectedErr: "spec.push: Required value: push options required for push action",
|
|
},
|
|
{
|
|
name: "push job with invalid branch name",
|
|
jobSpec: map[string]interface{}{
|
|
"action": string(provisioning.JobActionPush),
|
|
"repository": repo,
|
|
"push": map[string]interface{}{
|
|
"branch": "feature..branch", // Invalid: consecutive dots
|
|
"message": "Test commit",
|
|
},
|
|
},
|
|
expectedErr: "spec.push.branch: Invalid value: \"feature..branch\": invalid git branch name",
|
|
},
|
|
{
|
|
name: "push job with path traversal",
|
|
jobSpec: map[string]interface{}{
|
|
"action": string(provisioning.JobActionPush),
|
|
"repository": repo,
|
|
"push": map[string]interface{}{
|
|
"path": "../../etc/passwd", // Invalid: path traversal
|
|
"message": "Test commit",
|
|
},
|
|
},
|
|
expectedErr: "spec.push.path: Invalid value: \"../../etc/passwd\"",
|
|
},
|
|
{
|
|
name: "delete job without paths or resources",
|
|
jobSpec: map[string]interface{}{
|
|
"action": string(provisioning.JobActionDelete),
|
|
"repository": repo,
|
|
"delete": map[string]interface{}{},
|
|
},
|
|
expectedErr: "spec.delete: Required value: at least one path or resource must be specified",
|
|
},
|
|
{
|
|
name: "delete job with invalid path",
|
|
jobSpec: map[string]interface{}{
|
|
"action": string(provisioning.JobActionDelete),
|
|
"repository": repo,
|
|
"delete": map[string]interface{}{
|
|
"paths": []string{"../invalid/path"},
|
|
},
|
|
},
|
|
expectedErr: "spec.delete.paths[0]: Invalid value: \"../invalid/path\"",
|
|
},
|
|
{
|
|
name: "move job without target path",
|
|
jobSpec: map[string]interface{}{
|
|
"action": string(provisioning.JobActionMove),
|
|
"repository": repo,
|
|
"move": map[string]interface{}{
|
|
"paths": []string{"dashboard.json"},
|
|
},
|
|
},
|
|
expectedErr: "spec.move.targetPath: Required value: target path is required",
|
|
},
|
|
{
|
|
name: "move job without paths or resources",
|
|
jobSpec: map[string]interface{}{
|
|
"action": string(provisioning.JobActionMove),
|
|
"repository": repo,
|
|
"move": map[string]interface{}{
|
|
"targetPath": "new-location/",
|
|
},
|
|
},
|
|
expectedErr: "spec.move: Required value: at least one path or resource must be specified",
|
|
},
|
|
{
|
|
name: "move job with invalid target path",
|
|
jobSpec: map[string]interface{}{
|
|
"action": string(provisioning.JobActionMove),
|
|
"repository": repo,
|
|
"move": map[string]interface{}{
|
|
"paths": []string{"dashboard.json"},
|
|
"targetPath": "../../../etc/", // Invalid: path traversal
|
|
},
|
|
},
|
|
expectedErr: "spec.move.targetPath: Invalid value: \"../../../etc/\"",
|
|
},
|
|
{
|
|
name: "migrate job without migrate options",
|
|
jobSpec: map[string]interface{}{
|
|
"action": string(provisioning.JobActionMigrate),
|
|
"repository": repo,
|
|
},
|
|
expectedErr: "spec.migrate: Required value: migrate options required for migrate action",
|
|
},
|
|
}
|
|
|
|
for i, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
// Create the job object directly
|
|
jobObj := &unstructured.Unstructured{
|
|
Object: map[string]interface{}{
|
|
"apiVersion": "provisioning.grafana.app/v0alpha1",
|
|
"kind": "Job",
|
|
"metadata": map[string]interface{}{
|
|
"name": fmt.Sprintf("test-job-validation-%d", i),
|
|
"namespace": "default",
|
|
},
|
|
"spec": tt.jobSpec,
|
|
},
|
|
}
|
|
|
|
// Try to create the job - should fail with validation error
|
|
_, err := helper.Jobs.Resource.Create(ctx, jobObj, metav1.CreateOptions{})
|
|
require.Error(t, err, "expected validation error for invalid job spec")
|
|
|
|
// Verify it's a validation error with correct status code
|
|
statusError := helper.RequireApiErrorStatus(err, metav1.StatusReasonInvalid, http.StatusUnprocessableEntity)
|
|
require.Contains(t, statusError.Message, tt.expectedErr, "error message should contain expected validation message")
|
|
})
|
|
}
|
|
}
|