diff --git a/lib/auth/machineid/workloadidentityv1/decision_test.go b/lib/auth/machineid/workloadidentityv1/decision_test.go
index 5d00bf7595669..8af8bf3a22064 100644
--- a/lib/auth/machineid/workloadidentityv1/decision_test.go
+++ b/lib/auth/machineid/workloadidentityv1/decision_test.go
@@ -263,28 +263,40 @@ func Test_evaluateRules(t *testing.T) {
 User: &workloadidentityv1pb.UserAttrs{
 Name: "foo",
 },
- }
- wi := &workloadidentityv1pb.WorkloadIdentity{
- Kind: types.KindWorkloadIdentity,
- Version: types.V1,
- Metadata: &headerv1.Metadata{
- Name: "test",
+ Workload: &workloadidentityv1pb.WorkloadAttrs{
+ Kubernetes: &workloadidentityv1pb.WorkloadAttrsKubernetes{
+ PodName: "pod1",
+ Namespace: "default",
+ },
 },
- Spec: &workloadidentityv1pb.WorkloadIdentitySpec{
- Rules: &workloadidentityv1pb.WorkloadIdentityRules{
- Allow: []*workloadidentityv1pb.WorkloadIdentityRule{
- {
- Conditions: []*workloadidentityv1pb.WorkloadIdentityCondition{
- {
- Attribute: "user.name",
- Equals: "foo",
- },
- },
- },
+ }
+
+ tests := []struct {
+ name string
+ wid *workloadidentityv1pb.WorkloadIdentity
+ attrs *workloadidentityv1pb.Attrs
+ requireErr require.ErrorAssertionFunc
+ }{
+ {
+ name: "pass, no rules",
+ wid: &workloadidentityv1pb.WorkloadIdentity{
+ Kind: types.KindWorkloadIdentity,
+ Version: types.V1,
+ Metadata: &headerv1.Metadata{
+ Name: "test",
+ },
+ Spec: &workloadidentityv1pb.WorkloadIdentitySpec{
+ Rules: &workloadidentityv1pb.WorkloadIdentityRules{},
 },
 },
+ attrs: attrs,
+ requireErr: require.NoError,
 },
 }
- err := evaluateRules(wi, attrs)
- require.NoError(t, err)
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ err := evaluateRules(tt.wid, tt.attrs)
+ tt.requireErr(t, err)
+ })
+ }
 }
diff --git a/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go b/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go
index e5f23dc96216c..1ddf63bcf28d1 100644
--- a/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go
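Review bot: After the table-driven rewrite, Test_evaluateRules holds only the "pass, no rules" case, so the rule-matching path that the removed `Equals: "foo"` condition exercised is no longer covered, and nothing asserts that an allow rule which does not match attrs makes evaluateRules return an error. The `Workload.Kubernetes` PodName/Namespace values added to attrs are read by no case, which suggests further cases were intended but not included. I would add a matching and a non-matching allow-rule case, written in the `Operator`/`WorkloadIdentityCondition_Eq` form that the hunks in workloadidentityv1_test.go migrate to, with `requireErr: require.NoError` and `requireErr: require.Error` respectively. Test_evaluateRules begins before this hunk.
```go
		// … unchanged: "pass, no rules" case …
		{
			name: "pass, matching allow rule",
			wid: &workloadidentityv1pb.WorkloadIdentity{
				// … unchanged: Kind/Version/Metadata as in "pass, no rules" …
				Spec: &workloadidentityv1pb.WorkloadIdentitySpec{
					Rules: &workloadidentityv1pb.WorkloadIdentityRules{
						Allow: []*workloadidentityv1pb.WorkloadIdentityRule{
							{
								Conditions: []*workloadidentityv1pb.WorkloadIdentityCondition{
									{
										Attribute: "user.name",
										Operator: &workloadidentityv1pb.WorkloadIdentityCondition_Eq{
											Eq: &workloadidentityv1pb.WorkloadIdentityConditionEq{
												Value: "foo",
											},
										},
									},
								},
							},
						},
					},
				},
			},
			attrs:      attrs,
			requireErr: require.NoError,
		},
		{
			name: "fail, allow rule does not match",
			// … same WorkloadIdentity shape as above, with Value: "not-foo" (constructed) …
			attrs:      attrs,
			requireErr: require.Error,
		},
```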
+++ b/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go
@@ -187,7 +187,11 @@ func TestIssueWorkloadIdentityE2E(t *testing.T) {
 Conditions: []*workloadidentityv1pb.WorkloadIdentityCondition{
 {
 Attribute: "join.kubernetes.service_account.namespace",
- Equals: "my-namespace",
+ Operator: &workloadidentityv1pb.WorkloadIdentityCondition_Eq{
+ Eq: &workloadidentityv1pb.WorkloadIdentityConditionEq{
+ Value: "my-namespace",
+ },
+ },
 },
 },
 },
@@ -402,11 +406,19 @@ func TestIssueWorkloadIdentity(t *testing.T) {
 Conditions: []*workloadidentityv1pb.WorkloadIdentityCondition{
 {
 Attribute: "user.name",
- Equals: "dog",
+ Operator: &workloadidentityv1pb.WorkloadIdentityCondition_Eq{
+ Eq: &workloadidentityv1pb.WorkloadIdentityConditionEq{
+ Value: "dog",
+ },
+ },
 },
 {
 Attribute: "workload.kubernetes.namespace",
- Equals: "default",
+ Operator: &workloadidentityv1pb.WorkloadIdentityCondition_Eq{
+ Eq: &workloadidentityv1pb.WorkloadIdentityConditionEq{
+ Value: "default",
+ },
+ },
 },
 },
 },
@@ -768,7 +780,11 @@ func TestIssueWorkloadIdentities(t *testing.T) {
 Conditions: []*workloadidentityv1pb.WorkloadIdentityCondition{
 {
 Attribute: "workload.kubernetes.namespace",
- Equals: "default",
+ Operator: &workloadidentityv1pb.WorkloadIdentityCondition_Eq{
+ Eq: &workloadidentityv1pb.WorkloadIdentityConditionEq{
+ Value: "default",
+ },
+ },
 },
 },
 },
@@ -798,7 +814,11 @@ func TestIssueWorkloadIdentities(t *testing.T) {
 Conditions: []*workloadidentityv1pb.WorkloadIdentityCondition{
 {
 Attribute: "workload.kubernetes.namespace",
- Equals: "default",
+ Operator: &workloadidentityv1pb.WorkloadIdentityCondition_Eq{
+ Eq: &workloadidentityv1pb.WorkloadIdentityConditionEq{
+ Value: "default",
+ },
+ },
 },
 },
 },