bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity
Files
sprint39/cx-5-netpol-isolation
bluejay-infra/tests/bluejay-infra-lint/RemoteDesktopNetworkPolicyTests.cs
Andrew Stoltz 2896b60d3c Tighten RemoteDesktop network policies
2026-05-19 12:04:12 -05:00

94 lines
3.6 KiB
C#
Raw Permalink Blame History

using FluentAssertions;
using Xunit;
namespace BluejayInfraLint.Tests;
[Trait("Category", "Unit")]
public sealed class RemoteDesktopNetworkPolicyTests
{
private static readonly ManifestInventory Inventory = ManifestInventory.Load();
[Fact]
public void LiveDesktopIsolation_AllowsOnlyCoreDnsIntranetAndStepCaEgress()
{
var policy = NetworkPolicy("fc-desktop", "desktop-isolation");
var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);
ports.Should().BeEquivalentTo("53", "5300", "9000", "9443");
policy.AllScalars().Should().Contain(new[]
{
"kube-system",
"kube-dns",
"intranet",
"intranet-web",
"10.0.56.10/32"
});
}
[Fact]
public void LiveDesktopIsolation_RemovesInternetNfsAndTraefikEgress()
{
var policy = NetworkPolicy("fc-desktop", "desktop-isolation");
var scalars = policy.AllScalars().ToList();
var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);
scalars.Should().NotContain(new[] { "10.0.58.3/32", "10.0.56.200/32", "10.43.33.87/32", "traefik-system" });
ports.Should().NotContain(new[] { "80", "443", "445", "111", "2049", "8000", "8080", "8443" });
policy.MappingSequence("spec", "egress")
.Should()
.NotContain(rule => EgressRuleHasEmptyTo(rule), "desktop sessions must not use to: [] internet-style egress");
}
[Fact]
public void LiveGuacdIsolation_AllowsRawVncToDesktopPodsOnly()
{
var policy = NetworkPolicy("guacamole", "guacd-desktop-egress");
var scalars = policy.AllScalars().ToList();
var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);
ports.Should().Contain("5901");
scalars.Should().Contain(new[] { "fc-desktop", "remote-desktop" });
ports.Should().NotContain(new[] { "3000", "3001", "3389", "80", "8080", "8443" });
}
[Fact]
public void LiveGuacdIsolation_KeepsGuacamoleWebIngressOnGuacdPort()
{
var policy = NetworkPolicy("guacamole", "guacd-desktop-egress");
policy.Scalar("spec", "podSelector", "matchLabels", "app").Should().Be("guacd");
policy.AllScalars().Should().Contain(new[] { "guacamole", "4822" });
}
[Fact]
public void HelperSmoke_FindsExpectedRemoteDesktopPolicies()
{
NetworkPolicy("fc-desktop", "desktop-isolation").Name.Should().Be("desktop-isolation");
NetworkPolicy("guacamole", "guacd-desktop-egress").Name.Should().Be("guacd-desktop-egress");
}
[Fact]
public void HelperSmoke_EgressPortExtractionKeepsDistinctPorts()
{
var ports = NetworkPolicy("fc-desktop", "desktop-isolation")
.EgressPorts()
.ToHashSet(StringComparer.Ordinal);
ports.Should().HaveCount(4);
ports.Should().Contain(new[] { "53", "5300", "9000", "9443" });
}
private static ManifestDocument NetworkPolicy(string ns, string name)
=> Inventory.Documents.Single(document =>
document.Kind == "NetworkPolicy"
&& string.Equals(document.Namespace, ns, StringComparison.Ordinal)
&& string.Equals(document.Name, name, StringComparison.Ordinal));
private static bool EgressRuleHasEmptyTo(YamlDotNet.RepresentationModel.YamlMappingNode rule)
=> rule.Children.Any(entry =>
entry.Key is YamlDotNet.RepresentationModel.YamlScalarNode key
&& string.Equals(key.Value, "to", StringComparison.Ordinal)
&& entry.Value is YamlDotNet.RepresentationModel.YamlSequenceNode sequence
&& sequence.Children.Count == 0);
}
Reference in New Issue View Git Blame Copy Permalink