var noRestraintQSF … // genPL creates a valid PriorityLevelConfiguration with the given // name and randomly generated spec. The given name must not be one // of the mandatory ones. func genPL(rng *rand.Rand, name string) *flowcontrol.PriorityLevelConfiguration { … } type fsTestingRecord … func (ftr *fsTestingRecord) addDigest(digest RequestDigest, matches bool) { … } func (ftr *fsTestingRecord) addDigests(digests []RequestDigest, matches bool) { … } var flowDistinguisherMethodTypes … var mandFTRExempt … var mandFTRCatchAll … // genFS creates a valid FlowSchema with the given name and randomly // generated spec, along with characteristics relevant to testing. // When all the FlowSchemas in a collection are generated with // different names: (a) the matching digests match only the schema for // which they were generated, and (b) the non-matching digests do not // match any schema in the collection. The generated spec is // relatively likely to be well formed but might not be. An ill // formed spec references a priority level drawn from badPLNames. // goodPLNames may be empty, but badPLNames may not. func genFS(t *testing.T, rng *rand.Rand, name string, mayMatchClusterScope bool, goodPLNames, badPLNames sets.String) *fsTestingRecord { … } var noextra … // Generate one valid PolicyRulesWithSubjects. Also returns: matching // resource-style digests, matching non-resource-style digests, // skipping (i.e., not matching the generated rule) resource-style // digests, skipping non-resource-style digests. When a collection of // rules is generated with unique prefixes, the skipping digests for // each rule match no rules in the collection. The // someMatchesAllResourceRequests and // someMatchesAllNonResourceRequests parameters indicate whether any // rule in the collection matches all of the relevant sort of request; // these imply the respective returned slice of counterexamples will // be empty. 
The matchAllResourceRequests and // matchAllNonResourceRequests parameters indicate whether the // generated rule should match all of the relevant sort. The // cross-rule exclusion is based on using names that start with the // given prefix --- which cannot be done for the namespace of a // cluster-scoped request. Thus, these are normally excluded. When // mayMatchClusterScope==true the generated rule may be cluster-scoped // and there is no promise of cross-rule exclusion. func genPolicyRuleWithSubjects(t *testing.T, rng *rand.Rand, pfx string, mayMatchClusterScope, someMatchesAllResourceRequests, someMatchesAllNonResourceRequests, matchAllResourceRequests, matchAllNonResourceRequests bool) (flowcontrol.PolicyRulesWithSubjects, []RequestDigest, []RequestDigest, []RequestDigest, []RequestDigest) { … } func cross(uis []user.Info, ris []*request.RequestInfo) []RequestDigest { … } func shuffleAndTakeDigests(t *testing.T, rng *rand.Rand, rule *flowcontrol.PolicyRulesWithSubjects, toMatch bool, digests []RequestDigest, n int) []RequestDigest { … } var uCounter … func uniqify(in RequestDigest) RequestDigest { … } // genSubject returns a randomly generated valid Subject that matches // on some name(s) starting with the given prefix. The first returned // list contains members that match the generated Subject and involve // names that begin with the given prefix. The second returned list // contains members that mismatch the generated Subject and involve // names that begin with the given prefix. 
func genSubject(rng *rand.Rand, pfx string) (flowcontrol.Subject, []user.Info, []user.Info) { … } func genUser(rng *rand.Rand, pfx string) (*flowcontrol.UserSubject, []user.Info, []user.Info) { … } var groupCover … func mg(rng *rand.Rand) string { … } func mkUserSubject(username string) flowcontrol.Subject { … } func mkGroupSubject(group string) flowcontrol.Subject { … } func genGroup(rng *rand.Rand, pfx string) (*flowcontrol.GroupSubject, []user.Info, []user.Info) { … } func genServiceAccount(rng *rand.Rand, pfx string) (*flowcontrol.ServiceAccountSubject, []user.Info, []user.Info) { … } // genResourceRule randomly generates a valid ResourcePolicyRule and lists // of matching and non-matching `*request.RequestInfo`. func genResourceRule(rng *rand.Rand, pfx string, mayMatchClusterScope, matchAllResources, someMatchesAllResources bool) (flowcontrol.ResourcePolicyRule, []*request.RequestInfo, []*request.RequestInfo) { … } func genRRIs(rng *rand.Rand, m int, verbs, apiGroups, resources, namespaces []string) []*request.RequestInfo { … } func genNRRIs(rng *rand.Rand, m int, verbs, urls []string) []*request.RequestInfo { … } func chooseInts(rng *rand.Rand, n, m int) []int { … } // genNonResourceRule returns a randomly generated valid // NonResourcePolicyRule and lists of matching and non-matching // `*request.RequestInfo`. func genNonResourceRule(rng *rand.Rand, pfx string, matchAllNonResources, someMatchesAllNonResources bool) (flowcontrol.NonResourcePolicyRule, []*request.RequestInfo, []*request.RequestInfo) { … } func pickSetString(rng *rand.Rand, set sets.String) string { … }