diff --git a/agent/connect/authz_test.go b/agent/connect/authz_test.go index faebd09ce..cad97646d 100644 --- a/agent/connect/authz_test.go +++ b/agent/connect/authz_test.go @@ -19,50 +19,20 @@ func TestAuthorizeIntentionTarget(t *testing.T) { }{ // Source match type { - name: "matching source target and namespace, but not partition", - target: "db", - targetNS: structs.IntentionDefaultNamespace, - targetAP: "foo", - ixn: &structs.Intention{ - SourceName: "db", - SourceNS: structs.IntentionDefaultNamespace, - SourcePartition: "not-foo", - }, - matchType: structs.IntentionMatchSource, - auth: false, - match: false, - }, - { - name: "match exact source, not matching namespace", - target: "web", - targetNS: structs.IntentionDefaultNamespace, + name: "match exact source, not matching name", + target: "web", ixn: &structs.Intention{ SourceName: "db", - SourceNS: "different", }, matchType: structs.IntentionMatchSource, auth: false, match: false, }, { - name: "match exact source, not matching name", - target: "web", - targetNS: structs.IntentionDefaultNamespace, - ixn: &structs.Intention{ - SourceName: "db", - SourceNS: structs.IntentionDefaultNamespace, - }, - matchType: structs.IntentionMatchSource, - auth: false, - match: false, - }, - { - name: "match exact source, allow", - target: "web", - targetNS: structs.IntentionDefaultNamespace, + name: "match exact source, allow", + target: "web", ixn: &structs.Intention{ SourceName: "web", - SourceNS: structs.IntentionDefaultNamespace, Action: structs.IntentionActionAllow, }, matchType: structs.IntentionMatchSource, 
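Review bot: The two negative cases that pinned tenant isolation for source matches, "matching source target and namespace, but not partition" and "match exact source, not matching namespace", are removed here with no replacement visible in this diff, and the hunk at -111,50 does the same for destination matches. Both expected `auth: false` and `match: false`, so after this change nothing in this table asserts that an intention from a different namespace or partition fails to match the target. If those cases now live in a build-specific test file (not visible here), a pointer next to the section header would help, for example `// Namespace and partition mismatch cases: see <path of the test file that keeps them>`; otherwise they should stay. The table and the test function continue outside the hunk.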
@@ -70,20 +40,17 @@ func TestAuthorizeIntentionTarget(t *testing.T) { match: true, }, { - name: "match exact source, deny", - target: "web", - targetNS: structs.IntentionDefaultNamespace, + name: "match exact source, deny", + target: "web", ixn: &structs.Intention{ SourceName: "web", - SourceNS: structs.IntentionDefaultNamespace, - Action: structs.IntentionActionDeny, }, matchType: structs.IntentionMatchSource, auth: false, match: true, }, { - name: "match exact sourceNS for wildcard service, deny", + name: "match wildcard service, deny", target: "web", targetNS: structs.IntentionDefaultNamespace, ixn: &structs.Intention{ @@ -96,12 +63,10 @@ func TestAuthorizeIntentionTarget(t *testing.T) { match: true, }, { - name: "match exact sourceNS for wildcard service, allow", - target: "web", - targetNS: structs.IntentionDefaultNamespace, + name: "match wildcard service, allow", + target: "web", ixn: &structs.Intention{ SourceName: structs.WildcardSpecifier, - SourceNS: structs.IntentionDefaultNamespace, Action: structs.IntentionActionAllow, }, matchType: structs.IntentionMatchSource, 
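Review bot: The "match exact source, deny" case loses its `Action: structs.IntentionActionDeny,` line and nothing re-adds it, so the intention now carries the zero-value action and the `auth: false` expectation is met without an explicit deny ever being evaluated for a source match. The destination counterpart at -162,12 keeps its deny action, which suggests the removal was unintended; restore `Action: structs.IntentionActionDeny,` after `SourceName: "web",`. In the same hunk the renamed "match wildcard service, deny" case still sets `targetNS: structs.IntentionDefaultNamespace,` while the other cases in this diff drop it, so either remove it there as well or say in a comment why that case needs it.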
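Review bot: After the rename, "match wildcard service, allow" in this hunk and "match wildcard service, deny" in the previous one are reused verbatim by the destination cases at -175,12 and -188,12, where the old names differed by sourceNS/destinationNS. If the table is driven through `t.Run(tc.name, ...)` (the loop is outside this diff), Go tells the second pair apart only by a numeric suffix, which makes a failing authorization case harder to attribute to a direction. Naming them by direction avoids that, e.g. `name: "match wildcard source, allow",` here and `name: "match wildcard destination, allow",` in the destination section.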
@@ -111,50 +76,20 @@ func TestAuthorizeIntentionTarget(t *testing.T) { // Destination match type { - name: "matching destination target and namespace, but not partition", - target: "db", - targetNS: structs.IntentionDefaultNamespace, - targetAP: "foo", - ixn: &structs.Intention{ - SourceName: "db", - SourceNS: structs.IntentionDefaultNamespace, - SourcePartition: "not-foo", - }, - matchType: structs.IntentionMatchDestination, - auth: false, - match: false, - }, - { - name: "match exact destination, not matching namespace", - target: "web", - targetNS: structs.IntentionDefaultNamespace, + name: "match exact destination, not matching name", + target: "web", ixn: &structs.Intention{ DestinationName: "db", - DestinationNS: "different", }, matchType: structs.IntentionMatchDestination, auth: false, match: false, }, { - name: "match exact destination, not matching name", - target: "web", - targetNS: structs.IntentionDefaultNamespace, - ixn: &structs.Intention{ - DestinationName: "db", - DestinationNS: structs.IntentionDefaultNamespace, - }, - matchType: structs.IntentionMatchDestination, - auth: false, - match: false, - }, - { - name: "match exact destination, allow", - target: "web", - targetNS: structs.IntentionDefaultNamespace, + name: "match exact destination, allow", + target: "web", ixn: &structs.Intention{ DestinationName: "web", - DestinationNS: structs.IntentionDefaultNamespace, Action: structs.IntentionActionAllow, }, matchType: structs.IntentionMatchDestination, @@ -162,12 +97,10 @@ func TestAuthorizeIntentionTarget(t *testing.T) { match: true, }, { - name: "match exact destination, deny", - target: "web", - targetNS: structs.IntentionDefaultNamespace, + name: "match exact destination, deny", + target: "web", ixn: &structs.Intention{ DestinationName: "web", - DestinationNS: structs.IntentionDefaultNamespace, Action: structs.IntentionActionDeny, }, matchType: structs.IntentionMatchDestination, 
@@ -175,12 +108,10 @@ func TestAuthorizeIntentionTarget(t *testing.T) { match: true, }, { - name: "match exact destinationNS for wildcard service, deny", - target: "web", - targetNS: structs.IntentionDefaultNamespace, + name: "match wildcard service, deny", + target: "web", ixn: &structs.Intention{ DestinationName: structs.WildcardSpecifier, - DestinationNS: structs.IntentionDefaultNamespace, Action: structs.IntentionActionDeny, }, matchType: structs.IntentionMatchDestination, @@ -188,12 +119,10 @@ func TestAuthorizeIntentionTarget(t *testing.T) { match: true, }, { - name: "match exact destinationNS for wildcard service, allow", - target: "web", - targetNS: structs.IntentionDefaultNamespace, + name: "match wildcard service, allow", + target: "web", ixn: &structs.Intention{ DestinationName: structs.WildcardSpecifier, - DestinationNS: structs.IntentionDefaultNamespace, Action: structs.IntentionActionAllow, }, matchType: structs.IntentionMatchDestination, @@ -201,12 +130,10 @@ func TestAuthorizeIntentionTarget(t *testing.T) { match: true, }, { - name: "unknown match type", - target: "web", - targetNS: structs.IntentionDefaultNamespace, + name: "unknown match type", + target: "web", ixn: &structs.Intention{ DestinationName: structs.WildcardSpecifier, - DestinationNS: structs.IntentionDefaultNamespace, Action: structs.IntentionActionAllow, }, matchType: structs.IntentionMatchType("unknown"),