@@ -10,6 +10,7 @@ import (
1010 "net/http"
1111 "strings"
1212 "testing"
13+ "time"
1314
1415 "github.com/google/uuid"
1516 "github.com/kong/go-kong/kong"
@@ -620,6 +621,13 @@ func TestPluginCrossNamespaceReference(t *testing.T) {
620621 return err == nil
621622 }, ingressWait , waitTick )
622623
624+ const (
625+ // negativeCheckWait is the duration used in `Never` for verifying that the plugin is not configured
626+ // without reference grant or with incorrect reference grant.
627+ // Set it to 1 minute since we have to wait until the end in each `Never` if the test is OK.
628+ negativeCheckWait = time .Minute
629+ )
630+
623631 t .Logf ("validating that plugin %s is not configured without a grant" , kongplugin .Name )
624632 assert .Never (t , func () bool {
625633 req := helpers .MustHTTPRequest (t , http .MethodGet , proxyHTTPURL .String (), "/test_plugin_reference?key=thirtytangas" , nil )
@@ -629,9 +637,9 @@ func TestPluginCrossNamespaceReference(t *testing.T) {
629637 }
630638 defer resp .Body .Close ()
631639 return resp .StatusCode == http .StatusTeapot
632- }, ingressWait , waitTick )
640+ }, negativeCheckWait , waitTick )
633641
634- t .Logf ("creating a ReferenceGrant that permits kongconsumer access from %s to kongplugins in %s" , remote . Name , ns . Name )
642+ t .Logf ("creating a ReferenceGrant that does not permit kongconsumer access to kongplugins" )
635643 grant := & gatewayapi.ReferenceGrant {
636644 ObjectMeta : metav1.ObjectMeta {
637645 Name : uuid .NewString (),
@@ -652,8 +660,46 @@ func TestPluginCrossNamespaceReference(t *testing.T) {
652660 },
653661 },
654662 }
663+ // Not the namespace as the plugin.
664+ _ , err = gatewayClient .GatewayV1beta1 ().ReferenceGrants (remote .Name ).Create (ctx , grant , metav1.CreateOptions {})
665+ require .NoError (t , err )
666+ cleaner .Add (grant )
667+
668+ t .Logf ("validating that plugin %s is not configured with an incorrectly configured referencegrant" , kongplugin .Name )
669+ assert .Never (t , func () bool {
670+ req := helpers .MustHTTPRequest (t , http .MethodGet , proxyHTTPURL .String (), "/test_plugin_reference?key=thirtytangas" , nil )
671+ resp , err := helpers .DefaultHTTPClient (helpers .WithResolveHostTo (proxyHTTPURL .Host )).Do (req )
672+ if err != nil {
673+ return false
674+ }
675+ defer resp .Body .Close ()
676+ return resp .StatusCode == http .StatusTeapot
677+ }, negativeCheckWait , waitTick )
678+
679+ t .Logf ("creating a ReferenceGrant that permits kongconsumer access from %s to kongplugins in %s" , remote .Name , ns .Name )
680+ grant = & gatewayapi.ReferenceGrant {
681+ ObjectMeta : metav1.ObjectMeta {
682+ Name : uuid .NewString (),
683+ },
684+ Spec : gatewayapi.ReferenceGrantSpec {
685+ From : []gatewayapi.ReferenceGrantFrom {
686+ {
687+ Group : gatewayapi .Group ("configuration.konghq.com" ),
688+ Kind : gatewayapi .Kind ("KongConsumer" ),
689+ Namespace : gatewayapi .Namespace (remote .Name ),
690+ },
691+ },
692+ To : []gatewayapi.ReferenceGrantTo {
693+ {
694+ Group : gatewayapi .Group ("configuration.konghq.com" ),
695+ Kind : gatewayapi .Kind ("KongPlugin" ),
696+ },
697+ },
698+ },
699+ }
655700 _ , err = gatewayClient .GatewayV1beta1 ().ReferenceGrants (ns .Name ).Create (ctx , grant , metav1.CreateOptions {})
656701 require .NoError (t , err )
702+ cleaner .Add (grant )
657703
658704 t .Logf ("validating that plugin %s was successfully configured" , kongplugin .Name )
659705 assert .EventuallyWithT (t , func (c * assert.CollectT ) {
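Review bot: Both `assert.Never` checks that use `negativeCheckWait` (the one ending at new line 640 and the one added at new lines 669-677) return `false` when `Do` returns an error, so a proxy that is unreachable for the whole minute would pass as "plugin never applied" without any request reaching the route. These checks are the evidence that a missing or misplaced ReferenceGrant does not authorize the cross-namespace reference, so they should not pass vacuously. Consider counting responses that actually arrived inside each closure and adding `require.NotZero(t, okResponses)` after the `Never`, where `okResponses` is a counter you would introduce. The comment `// Not the namespace as the plugin.` would read more clearly as `// Created in remote's namespace rather than the plugin's namespace, so it must not permit the reference.` The enclosing test function starts and ends outside the visible hunks, so an earlier readiness check may already reduce this risk.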