test: add test cases for monitor mode

Author: wu-cl

pkg/agent/datapath/multiBridgeDatapath_test.go

@@ -28,6 +28,8 @@ import (
 
 	log "github.com/Sirupsen/logrus"
 	. "github.com/onsi/gomega"
+
+	"github.com/everoute/everoute/pkg/apis/security/v1alpha1"
 )
 
 const (
@@ -110,6 +112,7 @@ func TestDpManager(t *testing.T) {
 
 	testLocalEndpoint(t)
 	testERPolicyRule(t)
+	testMonitorRule(t)
 	testFlowReplay(t)
 	testRoundNumFlip(t)
 }
@@ -171,6 +174,34 @@ func testERPolicyRule(t *testing.T) {
 	})
 }
 
+func testMonitorRule(t *testing.T) {
+	t.Run("test ER policy rule with monitor mode", func(t *testing.T) {
+		if err := datapathManager.AddEveroutePolicyRule(rule1, "rule1", POLICY_DIRECTION_IN, POLICY_TIER2, v1alpha1.MonitorMode.String()); err != nil {
+			t.Errorf("Failed to add ER policy rule: %v, error: %v", rule1, err)
+		}
+		if _, ok := datapathManager.Rules[rule1.RuleID]; !ok {
+			t.Errorf("Failed to add ER policy rule, not found %v in cache", rule1)
+		}
+
+		if err := datapathManager.RemoveEveroutePolicyRule(rule1.RuleID, "rule1"); err != nil {
+			t.Errorf("Failed to remove ER policy rule: %v, error: %v", rule1, err)
+		}
+		if _, ok := datapathManager.Rules[rule1.RuleID]; ok {
+			t.Errorf("Failed to remove ER policy rule, rule %v in cache", rule1)
+		}
+
+		if err := datapathManager.AddEveroutePolicyRule(rule2, "rule2", POLICY_DIRECTION_OUT, POLICY_TIER1, v1alpha1.MonitorMode.String()); err != nil {
+			t.Errorf("Failed to add ER policy rule: %v, error: %v", rule2, err)
+		}
+		if _, ok := datapathManager.Rules[rule2.RuleID]; !ok {
+			t.Errorf("Failed to add ER policy rule, not found %v in cache", rule2)
+		}
+		if err := datapathManager.AddEveroutePolicyRule(rule2, "rule2", POLICY_DIRECTION_OUT, POLICY_TIER1, v1alpha1.MonitorMode.String()); err != nil {
+			t.Errorf("Failed to add ER policy rule: %v, error: %v", rule2, err)
+		}
+	})
+}
+
 func testFlowReplay(t *testing.T) {
 	RegisterTestingT(t)
 

tests/e2e/cases/security_test.go

@@ -224,6 +224,35 @@ var _ = Describe("SecurityPolicy", func() {
 			})
 		})
 
+		When("create monitor mode security policies", func() {
+			var nginxPolicy, serverPolicy, dbPolicy *securityv1alpha1.SecurityPolicy
+
+			BeforeEach(func() {
+				nginxPolicy = newPolicy("nginx-policy", constants.Tier2, securityv1alpha1.DefaultRuleDrop, nginxSelector)
+				nginxPolicy.Spec.SecurityPolicyEnforcementMode = securityv1alpha1.MonitorMode
+				addIngressRule(nginxPolicy, "TCP", nginxPort) // allow all connection with nginx port
+				addEngressRule(nginxPolicy, "TCP", serverPort, serverSelector)
+
+				serverPolicy = newPolicy("server-policy", constants.Tier2, securityv1alpha1.DefaultRuleDrop, serverSelector)
+				serverPolicy.Spec.SecurityPolicyEnforcementMode = securityv1alpha1.MonitorMode
+				addIngressRule(serverPolicy, "TCP", serverPort, nginxSelector)
+				addEngressRule(serverPolicy, "TCP", dbPort, dbSelector)
+
+				dbPolicy = newPolicy("db-policy", constants.Tier2, securityv1alpha1.DefaultRuleDrop, dbSelector)
+				dbPolicy.Spec.SecurityPolicyEnforcementMode = securityv1alpha1.MonitorMode
+				addIngressRule(dbPolicy, "TCP", dbPort, dbSelector, serverSelector)
+				addEngressRule(dbPolicy, "TCP", dbPort, dbSelector)
+
+				Expect(e2eEnv.SetupObjects(ctx, nginxPolicy, serverPolicy, dbPolicy)).Should(Succeed())
+			})
+
+			It("should allow all packets", func() {
+				assertReachable([]*model.Endpoint{nginx, client, server01, server02, db01, db02},
+					[]*model.Endpoint{nginx, client, server01, server02, db01, db02}, "TCP", true)
+			})
+
+		})
+
 		When("limits icmp packets between components", func() {
 			var icmpAllowPolicy, icmpDropPolicy *securityv1alpha1.SecurityPolicy