ON_CALL(SECRET_MANAGER, findOrCreate##PROVIDER_TYPE##Provider(_, _, _, _))                       \

      .WillByDefault(Invoke([](const envoy::config::core::v3::ConfigSource& sds_config_source,     \

                               const std::string& config_name,                                     \

                               Server::Configuration::ServerFactoryContext& server_context,        \

                               Init::Manager& init_manager) {                                      \

        auto secret_provider = Secret::API_TYPE##SdsApi::create(server_context, sds_config_source, \

                                                                config_name, []() {});             \

        init_manager.add(*secret_provider->initTarget());                                          \

        return secret_provider;                                                                    \

      }))

  CiliumNetworkPolicyTest() {

    for (Logger::Logger& logger : Logger::Registry::loggers()) {

      logger.setLevel(spdlog::level::trace);

    }

  }

  ~CiliumNetworkPolicyTest() override = default;

  void SetUp() override {

    ON_CALL(factory_context_.server_factory_context_, secretManager())

        .WillByDefault(ReturnRef(secret_manager_));

    ON_CALL_SDS_SECRET_PROVIDER(secret_manager_, TlsCertificate, TlsCertificate);

    ON_CALL_SDS_SECRET_PROVIDER(secret_manager_, CertificateValidationContext,

                                CertificateValidationContext);

    ON_CALL_SDS_SECRET_PROVIDER(secret_manager_, TlsSessionTicketKeysContext, TlsSessionTicketKeys);

    ON_CALL_SDS_SECRET_PROVIDER(secret_manager_, GenericSecret, GenericSecret);

    policy_map_ = std::make_shared<NetworkPolicyMap>(factory_context_);

  }

  void TearDown() override {

    ASSERT(policy_map_.use_count() == 1);

    policy_map_.reset();

  }

  std::string updateFromYaml(const std::string& config) {

    envoy::service::discovery::v3::DiscoveryResponse message;

    MessageUtil::loadFromYaml(config, message, ProtobufMessage::getNullValidationVisitor());

    NetworkPolicyDecoder network_policy_decoder;

    const auto decoded_resources_or_error = Config::DecodedResourcesWrapper::create(

        network_policy_decoder, message.resources(), message.version_info());

    THROW_IF_NOT_OK_REF(decoded_resources_or_error.status());

    const auto decoded_resources = std::move(decoded_resources_or_error.value().get());

    EXPECT_TRUE(policy_map_->getImpl()

                    .onConfigUpdate(decoded_resources->refvec_, message.version_info())

                    .ok());

    return message.version_info();

  }

  testing::AssertionResult validate(const std::string& pod_ip, const std::string& expected) {

    const auto& policy = policy_map_->getPolicyInstance(pod_ip, false);

    auto str = policy.string();

    if (str != expected) {

      return testing::AssertionFailure() << "Policy:\n"

                                         << str << "Does not match expected:\n"

                                         << expected;

    }

    return testing::AssertionSuccess();

  }

                                   uint16_t port, Http::TestRequestHeaderMapImpl&& headers) {

    const auto& policy = policy_map_->getPolicyInstance(pod_ip, false);

    if (!policy.allowed(ingress, proxy_id_, remote_id, "", port)) {

      return testing::AssertionFailure();

    }

    Cilium::AccessLog::Entry log_entry;

    return policy.allowed(ingress, proxy_id_, remote_id, port, headers, log_entry)

               ? testing::AssertionSuccess()

               : testing::AssertionFailure();

  }

                                          Http::TestRequestHeaderMapImpl&& headers = {}) {

    return allowed(true, pod_ip, remote_id, port, std::move(headers));

  }

                                         Http::TestRequestHeaderMapImpl&& headers = {}) {

    return allowed(false, pod_ip, remote_id, port, std::move(headers));

  }

                                      bool& tls_socket_required, bool& raw_socket_allowed) {

    const auto& policy = policy_map_->getPolicyInstance(pod_ip, false);

    auto port_policy = policy.findPortPolicy(ingress, port);

    const Envoy::Ssl::ContextConfig* config = nullptr;

    tls_socket_required = false;

    raw_socket_allowed = false;

    Envoy::Ssl::ContextSharedPtr ctx =

        !ingress ? port_policy.getClientTlsContext(proxy_id_, remote_id, sni, &config,

                                                   raw_socket_allowed)

                 : port_policy.getServerTlsContext(proxy_id_, remote_id, sni, &config,

                                                   raw_socket_allowed);

    bool allowed = policy.allowed(ingress, proxy_id_, remote_id, sni, port);

    if (raw_socket_allowed) {

      EXPECT_TRUE(ctx == nullptr && config == nullptr);

      tls_socket_required = false;

    }

    if (ctx != nullptr || config != nullptr) {

      EXPECT_FALSE(raw_socket_allowed);

      tls_socket_required = true;

    }

    if (ctx != nullptr) {

    EXPECT_TRUE(allowed == (tls_socket_required || raw_socket_allowed));

    if (!allowed) {

      return testing::AssertionFailure() << pod_ip << " policy not allowing id " << remote_id

                                         << " on port " << port << " with SNI \"" << sni << "\"";

    }

    EXPECT_TRUE(!(tls_socket_required && raw_socket_allowed) &&

                (tls_socket_required || raw_socket_allowed));

    if (raw_socket_allowed) {

      return testing::AssertionSuccess()

             << pod_ip << " policy allows id " << remote_id << " on port " << port << " with SNI \""

             << sni << "\" without TLS socket";

    }

    if (tls_socket_required && ctx != nullptr) {

    if (tls_socket_required && ctx == nullptr) {

      return testing::AssertionSuccess()

             << pod_ip << " policy allows id " << remote_id << " on port " << port << " with SNI \""

             << sni << "\" but missing TLS context";

    }

  }

                                             bool& tls_socket_required, bool& raw_socket_allowed) {

    return tlsAllowed(true, pod_ip, remote_id, port, sni, tls_socket_required, raw_socket_allowed);

  }

                                            bool& tls_socket_required, bool& raw_socket_allowed) {

    return tlsAllowed(false, pod_ip, remote_id, port, sni, tls_socket_required, raw_socket_allowed);

  }

  std::string updatesRejectedStatName() {

    return policy_map_->getImpl().stats_.updates_rejected_.name();

  }

TEST_F(CiliumNetworkPolicyTest, UpdatesRejectedStatName) {

  EXPECT_EQ("cilium.policy.updates_rejected", updatesRejectedStatName());

}

TEST_F(CiliumNetworkPolicyTest, EmptyPolicyUpdate) {

  EXPECT_TRUE(policy_map_->getImpl().onConfigUpdate({}, "1").ok());

  EXPECT_FALSE(validate("10.1.2.3", "")); // Policy not found

}

TEST_F(CiliumNetworkPolicyTest, SimplePolicyUpdate) {

  std::string version;

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "0"

)EOF"));

  EXPECT_EQ(version, "0");

  EXPECT_FALSE(validate("10.1.2.3", "")); // Policy not found

}

TEST_F(CiliumNetworkPolicyTest, OverlappingPortRange) {

  EXPECT_NO_THROW(updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 23

    rules:

    - remote_policies: [ 42 ]

    - remote_policies: [ 45 ]

  - port: 80

    rules:

    - remote_policies: [ 44 ]

  - port: 92

    rules:

    - deny: true

  - port: 40

    end_port: 99

    rules:

    - remote_policies: [ 43 ]

)EOF"));

  std::string expected = R"EOF(ingress:

  rules:

    [23-23]:

    - rules:

      - remotes: [45]

      - remotes: [42]

    [40-79]:

    - rules:

      - remotes: [43]

    [80-80]:

    - rules:

      - remotes: [44]

      - remotes: [43]

    [81-91]:

    - rules:

      - remotes: [43]

    [92-92]:

    - rules:

      - remotes: []

        deny: true

      - remotes: [43]

    [93-99]:

    - rules:

      - remotes: [43]

egress:

  rules: []

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 42, 23));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 23));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 23));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 42, 92));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 92));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 92));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 39));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 40));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 79));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 81));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 99));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 100));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 39));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 40));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 79));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 44, 80));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 81));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 99));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 100));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 8080));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 44, 8080));

  EXPECT_NO_THROW(updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 40

    end_port: 99

    rules:

    - remote_policies: [ 43 ]

  - port: 92

    rules:

    - deny: true

  - port: 80

    rules:

    - remote_policies: [ 44 ]

  - port: 23

    rules:

    - remote_policies: [ 42 ]

    - remote_policies: [ 45 ]

)EOF"));

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 42, 23));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 23));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 23));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 42, 92));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 92));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 92));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 39));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 40));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 79));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 81));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 99));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 100));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 39));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 40));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 79));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 44, 80));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 81));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 99));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 100));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 8080));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 44, 8080));

}

TEST_F(CiliumNetworkPolicyTest, OverlappingPortRanges) {

  EXPECT_NO_THROW(updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    end_port: 8080

    rules:

    - remote_policies: [ 43 ]

  - port: 4040

    end_port: 9999

    rules:

    - remote_policies: [ 44 ]

)EOF"));

  std::string expected = R"EOF(ingress:

  rules:

    [80-4039]:

    - rules:

      - remotes: [43]

    [4040-8080]:

    - rules:

      - remotes: [43]

      - remotes: [44]

    [8081-9999]:

    - rules:

      - remotes: [44]

egress:

  rules: []

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 79));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 81));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 4039));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 4040));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 4041));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 8079));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 8080));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8081));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 9998));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 9999));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 10000));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 8080));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 44, 8080));

  EXPECT_NO_THROW(updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 4040

    end_port: 9999

    rules:

    - remote_policies: [ 44 ]

  - port: 80

    end_port: 8080

    rules:

    - remote_policies: [ 43 ]

)EOF"));

  expected = R"EOF(ingress:

  rules:

    [80-4039]:

    - rules:

      - remotes: [43]

    [4040-8080]:

    - rules:

      - remotes: [44]

      - remotes: [43]

    [8081-9999]:

    - rules:

      - remotes: [44]

egress:

  rules: []

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 79));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 81));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 4039));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 4040));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 4041));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 8079));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 8080));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8081));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 9998));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 9999));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 10000));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 8080));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 44, 8080));

}

TEST_F(CiliumNetworkPolicyTest, DuplicatePorts) {

  EXPECT_NO_THROW(updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43 ]

  - port: 80

    rules:

    - remote_policies: [ 43 ]

)EOF"));

  std::string expected = R"EOF(ingress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43]

      - remotes: [43]

egress:

  rules: []

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8080));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 8080));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 44, 80));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 8080));

}

TEST_F(CiliumNetworkPolicyTest, DuplicatePortRange) {

  EXPECT_NO_THROW(updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    end_port: 8080

    rules:

    - remote_policies: [ 43 ]

  - port: 80

    rules:

    - remote_policies: [ 43 ]

)EOF"));

  std::string expected = R"EOF(ingress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43]

      - remotes: [43]

    [81-8080]:

    - rules:

      - remotes: [43]

egress:

  rules: []

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 79));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 81));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 8079));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 8080));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8081));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 8080));

}

TEST_F(CiliumNetworkPolicyTest, InvalidPortRange) {

  EXPECT_THROW_WITH_MESSAGE(

      updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    end_port: 60

    rules:

    - remote_policies: [ 43 ]

  - port: 4040

    end_port: 9999

    rules:

    - remote_policies: [ 43 ]

)EOF"),

      EnvoyException,

      "PortNetworkPolicy: Invalid port range, end port is less than start port 80-60");

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 8080));

}

TEST_F(CiliumNetworkPolicyTest, InvalidWildcardPortRange) {

  EXPECT_THROW_WITH_MESSAGE(

      updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 0

    end_port: 80

    rules:

    - remote_policies: [ 43 ]

  - port: 4040

    end_port: 9999

    rules:

    - remote_policies: [ 43 ]

)EOF"),

      EnvoyException,

      "PortNetworkPolicy: Invalid port range including the wildcard zero port 0-80");

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 8080));

}

TEST_F(CiliumNetworkPolicyTest, ZeroPortRange) {

  std::string version;

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    end_port: 0

    rules:

    - remote_policies: [ 43 ]

  - port: 4040

    end_port: 9999

    rules:

    - remote_policies: [ 43 ]

)EOF"));

  EXPECT_EQ(version, "1");

  EXPECT_TRUE(policy_map_->exists("10.1.2.3"));

  std::string expected = R"EOF(ingress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43]

    [4040-9999]:

    - rules:

      - remotes: [43]

egress:

  rules: []

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 40, 80));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 80));

}

TEST_F(CiliumNetworkPolicyTest, HttpPolicyUpdate) {

  std::string version;

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "0"

)EOF"));

  EXPECT_EQ(version, "0");

  EXPECT_FALSE(policy_map_->exists("10.1.2.3"));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/allowed"}}));

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            exact_match: '/allowed'

)EOF"));

  EXPECT_EQ(version, "1");

  EXPECT_TRUE(policy_map_->exists("10.1.2.3"));

  std::string expected = R"EOF(ingress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":path"

            value: "/allowed"

egress:

  rules: []

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 40, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 80, {{":path", "/public"}}));

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "2"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            exact_match: '/allowed'

  egress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43, 44 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            safe_regex_match:

              google_re2: {}

              regex: '.*public$'

)EOF"));

  EXPECT_EQ(version, "2");

  EXPECT_TRUE(policy_map_->exists("10.1.2.3"));

  expected = R"EOF(ingress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":path"

            value: "/allowed"

egress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43,44]

        http_rules:

        - headers:

          - name: ":path"

            regex: <hidden>

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 40, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));

  EXPECT_TRUE(egressAllowed("10.1.2.3", 43, 80, {{":path", "/public"}}));

  EXPECT_TRUE(egressAllowed("10.1.2.3", 44, 80, {{":path", "/public"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 40, 80, {{":path", "/public"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 8080, {{":path", "/public"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 80, {{":path", "/publicz"}}));

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "2"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            exact_match: '/allowed'

  - port: 80

    end_port: 10000

    rules:

    - deny: true

  egress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43, 44 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            safe_regex_match:

              google_re2: {}

              regex: '.*public$'

)EOF"));

  EXPECT_EQ(version, "2");

  EXPECT_TRUE(policy_map_->exists("10.1.2.3"));

  expected = R"EOF(ingress:

  rules:

    [80-80]:

    - rules:

      - remotes: []

        deny: true

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":path"

            value: "/allowed"

    [81-10000]:

    - rules:

      - remotes: []

        deny: true

egress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43,44]

        http_rules:

        - headers:

          - name: ":path"

            regex: <hidden>

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 40, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));

  EXPECT_TRUE(egressAllowed("10.1.2.3", 43, 80, {{":path", "/public"}}));

  EXPECT_TRUE(egressAllowed("10.1.2.3", 44, 80, {{":path", "/public"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 40, 80, {{":path", "/public"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 8080, {{":path", "/public"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 80, {{":path", "/publicz"}}));

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "2"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            exact_match: '/allowed'

  - port: 80

    end_port: 10000

    rules:

    - proxy_id: 42

  egress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43, 44 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            safe_regex_match:

              google_re2: {}

              regex: '.*public$'

)EOF"));

  EXPECT_EQ(version, "2");

  EXPECT_TRUE(policy_map_->exists("10.1.2.3"));

  expected = R"EOF(ingress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":path"

            value: "/allowed"

      - remotes: []

        proxy_id: 42

    [81-10000]:

    - rules:

      - remotes: []

        proxy_id: 42

egress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43,44]

        http_rules:

        - headers:

          - name: ":path"

            regex: <hidden>

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 40, 80, {{":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 79, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 10001, {{":path", "/notallowed"}}));

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "2"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            exact_match: '/allowed'

  - port: 80

    end_port: 10000

    rules:

    - proxy_id: 99

  egress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43, 44 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            safe_regex_match:

              google_re2: {}

              regex: '.*public$'

)EOF"));

  EXPECT_EQ(version, "2");

  EXPECT_TRUE(policy_map_->exists("10.1.2.3"));

  expected = R"EOF(ingress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":path"

            value: "/allowed"

      - remotes: []

        proxy_id: 99

    [81-10000]:

    - rules:

      - remotes: []

        proxy_id: 99

egress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43,44]

        http_rules:

        - headers:

          - name: ":path"

            regex: <hidden>

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 40, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 79, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 10001, {{":path", "/notallowed"}}));

}

TEST_F(CiliumNetworkPolicyTest, HttpOverlappingPortRanges) {

  std::string version;

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "0"

)EOF"));

  EXPECT_EQ(version, "0");

  EXPECT_FALSE(policy_map_->exists("10.1.2.3"));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/allowed"}}));

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            exact_match: '/allowed'

  - port: 80

    rules:

    - remote_policies: [ 43 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':method'

            exact_match: 'GET'

)EOF"));

  EXPECT_EQ(version, "1");

  EXPECT_TRUE(policy_map_->exists("10.1.2.3"));

  std::string expected = R"EOF(ingress:

  rules:

    [80-80]:

    - rules:

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":method"

            value: "GET"

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":path"

            value: "/allowed"

egress:

  rules: []

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":method", "PUSH"}, {":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":method", "GET"}, {":path", "/also_allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 40, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 80, {{":path", "/public"}}));

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "2"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 70

    end_port: 90

    rules:

    - remote_policies: [ 43 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            exact_match: '/allowed'

  - port: 80

    rules:

    - remote_policies: [ 43 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':method'

            exact_match: 'GET'

)EOF"));

  EXPECT_EQ(version, "2");

  EXPECT_TRUE(policy_map_->exists("10.1.2.3"));

  expected = R"EOF(ingress:

  rules:

    [70-79]:

    - rules:

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":path"

            value: "/allowed"

    [80-80]:

    - rules:

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":method"

            value: "GET"

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":path"

            value: "/allowed"

    [81-90]:

    - rules:

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":path"

            value: "/allowed"

egress:

  rules: []

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 70, {{":method", "PUSH"}, {":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":method", "PUSH"}, {":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 90, {{":method", "PUSH"}, {":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":method", "GET"}, {":path", "/also_allowed"}}));

  EXPECT_FALSE(

      ingressAllowed("10.1.2.3", 43, 70, {{":method", "GET"}, {":path", "/also_allowed"}}));

  EXPECT_FALSE(

      ingressAllowed("10.1.2.3", 43, 90, {{":method", "GET"}, {":path", "/also_allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 40, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 80, {{":path", "/public"}}));

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "2"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 70

    end_port: 90

    rules:

    - remote_policies: [ 43 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':path'

            exact_match: '/allowed'

  - port: 80

    end_port: 8080

    rules:

    - remote_policies: [ 43 ]

      http_rules:

        http_rules:

        - headers:

          - name: ':method'

            exact_match: 'GET'

)EOF"));

  EXPECT_EQ(version, "2");

  EXPECT_TRUE(policy_map_->exists("10.1.2.3"));

  expected = R"EOF(ingress:

  rules:

    [70-79]:

    - rules:

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":path"

            value: "/allowed"

    [80-90]:

    - rules:

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":path"

            value: "/allowed"

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":method"

            value: "GET"

    [91-8080]:

    - rules:

      - remotes: [43]

        http_rules:

        - headers:

          - name: ":method"

            value: "GET"

egress:

  rules: []

)EOF";

  EXPECT_TRUE(validate("10.1.2.3", expected));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 70, {{":method", "PUSH"}, {":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":method", "PUSH"}, {":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 90, {{":method", "PUSH"}, {":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":method", "GET"}, {":path", "/also_allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 90, {{":method", "GET"}, {":path", "/also_allowed"}}));

  EXPECT_TRUE(

      ingressAllowed("10.1.2.3", 43, 8080, {{":method", "GET"}, {":path", "/also_allowed"}}));

  EXPECT_FALSE(

      ingressAllowed("10.1.2.3", 43, 70, {{":method", "GET"}, {":path", "/also_allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 40, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 80, {{":path", "/public"}}));

}

TEST_F(CiliumNetworkPolicyTest, TcpPolicyUpdate) {

  std::string version;

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "0"

)EOF"));

  EXPECT_EQ(version, "0");

  EXPECT_FALSE(policy_map_->exists("10.1.2.3"));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/allowed"}}));

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "1"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43 ]

)EOF"));

  EXPECT_EQ(version, "1");

  EXPECT_TRUE(policy_map_->exists("10.1.2.3"));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 40, 80, {{":path", "/allowed"}}));

  EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));

  EXPECT_TRUE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));

  EXPECT_FALSE(egressAllowed("10.1.2.3", 43, 80, {{":path", "/public"}}));

  EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "2"

resources:

- "@type": type.googleapis.com/cilium.NetworkPolicy

  endpoint_ips:

  - "10.1.2.3"

  endpoint_id: 42

  ingress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43 ]

  egress_per_port_policies:

  - port: 80

    rules:

    - remote_policies: [ 43, 44 ]

)EOF"));