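using System;
using System.Linq;
using FluentAssertions;
using Xunit;
using YamlDotNet.RepresentationModel;

namespace BluejayInfraLint.Tests;

/// <summary>
/// Lint tests for the NetworkPolicies that isolate remote-desktop sessions:
/// <c>desktop-isolation</c> in namespace <c>fc-desktop</c> and
/// <c>guacd-desktop-egress</c> in namespace <c>guacamole</c>. All assertions
/// run against the manifests returned by <see cref="ManifestInventory.Load"/>.
/// </summary>
[Trait("Category", "Unit")]
public sealed class RemoteDesktopNetworkPolicyTests
{
    // Loaded once for the whole class; only read afterwards.
    private static readonly ManifestInventory Inventory = ManifestInventory.Load();

    [Fact]
    public void LiveDesktopIsolation_AllowsOnlyCoreDnsIntranetAndStepCaEgress()
    {
        var policy = NetworkPolicy("fc-desktop", "desktop-isolation");
        var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);

        // Exact set: any additional egress port is a regression of the isolation.
        // The test name attributes these to CoreDNS, the intranet service and
        // step-ca — confirm the mapping against the manifest if it changes.
        ports.Should().BeEquivalentTo("53", "5300", "9000", "9443");
        policy.AllScalars().Should().Contain(new[]
        {
            "kube-system", "kube-dns", "intranet", "intranet-web", "10.0.56.10/32",
        });
    }

    [Fact]
    public void LiveDesktopIsolation_RemovesInternetNfsAndTraefikEgress()
    {
        var policy = NetworkPolicy("fc-desktop", "desktop-isolation");
        var scalars = policy.AllScalars().ToList();
        var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);

        scalars.Should().NotContain(new[]
        {
            "10.0.58.3/32", "10.0.56.200/32", "10.43.33.87/32", "traefik-system",
        });
        ports.Should().NotContain(new[] { "80", "443", "445", "111", "2049", "8000", "8080", "8443" });

        // In the NetworkPolicy API an egress rule whose `to` is empty OR omitted
        // matches every destination, so both shapes count as internet-style egress.
        policy.MappingSequence("spec", "egress")
            .Should()
            .NotContain(
                rule => EgressRuleIsUnrestricted(rule),
                "desktop sessions must not use an egress rule with an empty or missing to: (it matches every destination)");
    }

    [Fact]
    public void LiveGuacdIsolation_AllowsRawVncToDesktopPodsOnly()
    {
        var policy = NetworkPolicy("guacamole", "guacd-desktop-egress");
        var scalars = policy.AllScalars().ToList();
        var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);

        ports.Should().Contain("5901");
        scalars.Should().Contain(new[] { "fc-desktop", "remote-desktop" });
        ports.Should().NotContain(new[] { "3000", "3001", "3389", "80", "8080", "8443" });
    }

    [Fact]
    public void LiveGuacdIsolation_KeepsGuacamoleWebIngressOnGuacdPort()
    {
        var policy = NetworkPolicy("guacamole", "guacd-desktop-egress");

        policy.Scalar("spec", "podSelector", "matchLabels", "app").Should().Be("guacd");
        policy.AllScalars().Should().Contain(new[] { "guacamole", "4822" });
    }

    [Fact]
    public void HelperSmoke_FindsExpectedRemoteDesktopPolicies()
    {
        NetworkPolicy("fc-desktop", "desktop-isolation").Name.Should().Be("desktop-isolation");
        NetworkPolicy("guacamole", "guacd-desktop-egress").Name.Should().Be("guacd-desktop-egress");
    }

    [Fact]
    public void HelperSmoke_EgressPortExtractionKeepsDistinctPorts()
    {
        var ports = NetworkPolicy("fc-desktop", "desktop-isolation")
            .EgressPorts()
            .ToHashSet(StringComparer.Ordinal);

        ports.Should().HaveCount(4);
        ports.Should().Contain(new[] { "53", "5300", "9000", "9443" });
    }

    /// <summary>
    /// Returns the single NetworkPolicy document named <paramref name="name"/>
    /// in namespace <paramref name="ns"/>. Comparisons are ordinal: namespace
    /// and policy names are identifiers, not user-facing text.
    /// </summary>
    /// <exception cref="InvalidOperationException">
    /// Thrown by <c>Single</c> when no document matches or more than one does.
    /// </exception>
    private static ManifestDocument NetworkPolicy(string ns, string name) =>
        Inventory.Documents.Single(document =>
            string.Equals(document.Kind, "NetworkPolicy", StringComparison.Ordinal)
            && string.Equals(document.Namespace, ns, StringComparison.Ordinal)
            && string.Equals(document.Name, name, StringComparison.Ordinal));

    /// <summary>
    /// True when an egress rule does not restrict its destinations. Kubernetes
    /// treats a rule whose <c>to</c> list is empty or absent as matching every
    /// destination, so only a non-empty <c>to</c> sequence counts as restricted.
    /// Anything else (e.g. a null scalar) is also reported as unrestricted so the
    /// lint fails closed on malformed rules.
    /// </summary>
    /// <param name="rule">One entry of <c>spec.egress</c>.</param>
    private static bool EgressRuleIsUnrestricted(YamlMappingNode rule)
    {
        var to = rule.Children
            .Where(entry => entry.Key is YamlScalarNode key
                && string.Equals(key.Value, "to", StringComparison.Ordinal))
            .Select(entry => entry.Value)
            .FirstOrDefault();

        return to switch
        {
            YamlSequenceNode sequence => sequence.Children.Count == 0, // `to: []`
            _ => true,                                                // `to` absent or not a list
        };
    }
}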