chore: add e2e tests

Signed-off-by: Arjun Raja Yogidas <[email protected]>

Author: coderbirju

.github/workflows/ci.yaml

@@ -109,3 +109,13 @@ jobs:
         run: sudo bin/finch-daemon  --debug --socket-owner $UID &
       - name: Run e2e test
         run: sudo make test-e2e
+      - name: Clean up Daemon socket
+        run: sudo rm /var/run/finch.sock && sudo rm /run/finch.pid
+      - name: Verify Rego file presence
+        run: ls -l ${{ github.workspace }}/sample.rego
+      - name: Set Rego file path
+        run: echo "REGO_FILE_PATH=${{ github.workspace }}/sample.rego" >> $GITHUB_ENV
+      - name: Start finch-daemon with opa Authz
+        run: sudo bin/finch-daemon --debug --enable-opa --rego-file ${{ github.workspace }}/sample.rego --socket-owner $UID &
+      - name: Run opa e2e tests
+        run: sudo -E make test-e2e-opa

Makefile

@@ -114,6 +114,14 @@ test-e2e: linux
 	TEST_E2E=1 \
 	$(GINKGO) $(GFLAGS) ./e2e/...
 
+.PHONY: test-e2e-opa
+test-e2e-opa: linux
+	DOCKER_HOST="unix:///run/finch.sock" \
+	DOCKER_API_VERSION="v1.43" \
+	OPA_E2E=1 \
+	TEST_E2E=1 \
+	$(GINKGO) $(GFLAGS) ./e2e/...
+
 .PHONY: licenses
 licenses:
 	PATH=$(BIN):$(PATH) go-licenses report --template="scripts/third-party-license.tpl" --ignore github.com/runfinch ./... > THIRD_PARTY_LICENSES

cmd/finch-daemon/main.go

@@ -200,11 +200,16 @@ func run(options *DaemonOptions) error {
 
 	defer func() {
 		if options.regoFileLock != nil {
+			// unlock the rego file upon daemon exit
 			if err := options.regoFileLock.Unlock(); err != nil {
 				logrus.Errorf("failed to unlock Rego file: %v", err)
 			}
 			logger.Infof("rego file unlocked")
-			// todo : chmod to read-write permissions
+
+			// make rego file editable upon daemon exit
+			if err := os.Chmod(options.regoFilePath, 0600); err != nil {
+				logrus.Errorf("failed to change file permissions of rego file: %v", err)
+			}
 		}
 	}()
 
@@ -293,39 +298,26 @@ func defineDockerConfig(uid int) error {
 	})
 }
 
+// checkRegoFileValidity verifies that the given rego file exists and has the right file extension
 func checkRegoFileValidity(filePath string) error {
-	fmt.Println("checking file validity.....")
 	if _, err := os.Stat(filePath); os.IsNotExist(err) {
 		return fmt.Errorf("provided Rego file path does not exist: %s", filePath)
 	}
 
-	// Check if the file has a valid extension (.rego, .yaml, or .json)
-	// validExtensions := []string{".rego", ".yaml", ".yml", ".json"}
+	// Check if the file has a valid extension (.rego)
 	fileExt := strings.ToLower(filepath.Ext(options.regoFilePath))
 
 	if fileExt != ".rego" {
 		return fmt.Errorf("invalid file extension for Rego file. Only .rego files are supported")
 	}
 
-	// isValidExtension := false
-	// for _, ext := range validExtensions {
-	//     if fileExt == ext {
-	//         isValidExtension = true
-	//         break
-	//     }
-	// }
-
-	// if !isValidExtension {
-	//     return fmt.Errorf("Invalid file extension for Rego file. Allowed extensions are: %v", validExtensions)
-	// }
-
-	fmt.Println(" file valid!")
 	return nil
 }
 
-// todo : rename this function to be more descriptve
+// sanitizeRegoFile validates and prepares the Rego policy file for use.
+// It checks validates the file, acquires a file lock,
+// and sets rego file to be read-only.
 func sanitizeRegoFile(options *DaemonOptions) (string, error) {
-	fmt.Println("sanitizeRegoFile called.....")
 	if options.regoFilePath != "" {
 		if !options.enableOpa {
 			return "", fmt.Errorf("rego file path was provided without the --enable-opa flag, please provide the --enable-opa flag") // todo, can we default to setting this flag ourselves is this better UX?
@@ -351,7 +343,7 @@ func sanitizeRegoFile(options *DaemonOptions) (string, error) {
 	}
 
 	// Change file permissions to read-only
-	err = os.Chmod(options.regoFilePath, 0444) // read-only for all users
+	err = os.Chmod(options.regoFilePath, 0400)
 	if err != nil {
 		fileLock.Unlock()
 		return "", fmt.Errorf("error changing rego file permissions: %v", err)

e2e/e2e_test.go

@@ -5,6 +5,7 @@ package e2e
 
 import (
 	"flag"
+	"fmt"
 	"log"
 	"os"
 	"strings"
@@ -25,8 +26,12 @@ var SubjectPrefix = flag.String("daemon-context-subject-prefix", "", `A string w
 var PrefixedSubjectEnv = flag.String("daemon-context-subject-env", "", `Environment to add when running a prefixed subject, in the form of a string like "EXAMPLE=foo EXAMPLE2=bar"`)
 
 func TestRun(t *testing.T) {
-	if os.Getenv("TEST_E2E") != "1" {
-		t.Skip("E2E tests skipped. Set TEST_E2E=1 to run these tests")
+	if os.Getenv("OPA_E2E") == "1" {
+		runOPATests(t)
+	} else if os.Getenv("TEST_E2E") == "1" {
+		runE2ETests(t)
+	} else {
+		t.Skip("E2E tests skipped. Set TEST_E2E=1 to run regular E2E tests or OPA_E2E=1 to run OPA middleware tests")
 	}
 
 	if err := parseTestFlags(); err != nil {
@@ -35,6 +40,34 @@ func TestRun(t *testing.T) {
 	}
 
 	opt, _ := option.New([]string{*Subject, "--namespace", "finch"})
+}
+
+func runOPATests(t *testing.T) {
+	opt, _ := option.New([]string{*Subject, "--namespace", "finch"})
+
+	ginkgo.SynchronizedBeforeSuite(func() []byte {
+		tests.SetupLocalRegistry(opt)
+		return nil
+	}, func(bytes []byte) {})
+
+	ginkgo.SynchronizedAfterSuite(func() {
+		tests.CleanupLocalRegistry(opt)
+		// clean up everything after the local registry is cleaned up
+		command.RemoveAll(opt)
+	}, func() {})
+
+	const description = "Finch Daemon OPA E2E Tests"
+	ginkgo.Describe(description, func() {
+		tests.OpaMiddlewareTest(opt)
+		fmt.Print(opt)
+	})
+
+	gomega.RegisterFailHandler(ginkgo.Fail)
+	ginkgo.RunSpecs(t, description)
+}
+
+func runE2ETests(t *testing.T) {
+	opt, _ := option.New([]string{*Subject, "--namespace", "finch"})
 
 	ginkgo.SynchronizedBeforeSuite(func() []byte {
 		tests.SetupLocalRegistry(opt)

e2e/tests/opa_middleware.go

@@ -0,0 +1,102 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package tests
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/runfinch/common-tests/command"
+	"github.com/runfinch/common-tests/option"
+
+	"github.com/runfinch/finch-daemon/api/types"
+	"github.com/runfinch/finch-daemon/e2e/client"
+)
+
+// OpaMiddlewareTest tests the OPA functionality.
+func OpaMiddlewareTest(opt *option.Option) {
+	Describe("test opa middleware functionality", func() {
+		var (
+			uClient           *http.Client
+			version           string
+			wantContainerName string
+			options           types.ContainerCreateRequest
+			createUrl         string
+		)
+		BeforeEach(func() {
+			// create a custom client to use http over unix sockets
+			uClient = client.NewClient(GetDockerHostUrl())
+			// get the docker api version that will be tested
+			version = GetDockerApiVersion()
+			wantContainerName = fmt.Sprintf("/%s", testContainerName)
+			// set default container options
+			options = types.ContainerCreateRequest{}
+			options.Image = defaultImage
+			createUrl = client.ConvertToFinchUrl(version, "/containers/create")
+		})
+		AfterEach(func() {
+			command.RemoveAll(opt)
+		})
+		It("should allow GET version API request", func() {
+			res, err := uClient.Get(client.ConvertToFinchUrl("", "/version"))
+			Expect(err).ShouldNot(HaveOccurred())
+			jd := json.NewDecoder(res.Body)
+			var v types.VersionInfo
+			err = jd.Decode(&v)
+			Expect(err).ShouldNot(HaveOccurred())
+			Expect(v.Version).ShouldNot(BeNil())
+			Expect(v.ApiVersion).Should(Equal("1.43"))
+			fmt.Println(version)
+		})
+
+		It("shold allow GET containers API request", func() {
+			id := command.StdoutStr(opt, "run", "-d", "--name", testContainerName, defaultImage, "sleep", "infinity")
+			want := []types.ContainerListItem{
+				{
+					Id:    id[:12],
+					Names: []string{wantContainerName},
+				},
+			}
+
+			res, err := uClient.Get(client.ConvertToFinchUrl(version, "/containers/json"))
+			Expect(err).Should(BeNil())
+			Expect(res.StatusCode).Should(Equal(http.StatusOK))
+			var got []types.ContainerListItem
+			err = json.NewDecoder(res.Body).Decode(&got)
+			Expect(err).Should(BeNil())
+			Expect(len(got)).Should(Equal(2))
+			got = filterContainerList(got)
+			Expect(got).Should(ContainElements(want))
+		})
+
+		It("shold disallow POST containers/create API request", func() {
+			options.Cmd = []string{"echo", "hello world"}
+
+			reqBody, err := json.Marshal(options)
+			Expect(err).Should(BeNil())
+
+			fmt.Println("createUrl = ", createUrl)
+			res, _ := uClient.Post(createUrl, "application/json", bytes.NewReader(reqBody))
+
+			Expect(res.StatusCode).Should(Equal(http.StatusForbidden))
+		})
+
+		It("should not allow updates to the rego file", func() {
+			regoFilePath := os.Getenv("REGO_FILE_PATH")
+			Expect(regoFilePath).NotTo(BeEmpty(), "REGO_FILE_PATH environment variable should be set")
+
+			fileInfo, err := os.Stat(regoFilePath)
+			Expect(err).NotTo(HaveOccurred(), "Failed to get Rego file info")
+
+			// Check file permissions
+			mode := fileInfo.Mode()
+			Expect(mode.Perm()).To(Equal(os.FileMode(0400)), "Rego file should be read-only (0400)")
+		})
+	})
+}