Additional unit tests for EventPolicy (#8405)

* Setting a different default authorization mode
* Using glob style expressions to select source Subject

pkg/reconciler/broker/broker_test.go

@@ -857,6 +857,52 @@ func TestReconcile(t *testing.T) {
 				feature.AuthorizationDefaultMode: feature.AuthorizationAllowSameNamespace,
 			}),
 		},
+		{
+			Name: "Should respect setting default authorization mode",
+			Key:  testKey,
+			Objects: []runtime.Object{
+				makeDLSServiceAsUnstructured(),
+				NewBroker(brokerName, testNS,
+					WithBrokerClass(eventing.MTChannelBrokerClassValue),
+					WithBrokerConfig(config()),
+					WithDeadLeaderSink(sinkSVCDest),
+					WithInitBrokerConditions),
+				createChannel(withChannelReady, withChannelDeadLetterSink(sinkSVCDest)),
+				imcConfigMap(),
+				NewEndpoints(filterServiceName, systemNS,
+					WithEndpointsLabels(FilterLabels()),
+					WithEndpointsAddresses(corev1.EndpointAddress{IP: "127.0.0.1"})),
+				NewEndpoints(ingressServiceName, systemNS,
+					WithEndpointsLabels(IngressLabels()),
+					WithEndpointsAddresses(corev1.EndpointAddress{IP: "127.0.0.1"})),
+			},
+			WantErr: false,
+			WantCreates: []runtime.Object{
+				makeEventPolicy(),
+			},
+			WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
+				Object: NewBroker(brokerName, testNS,
+					WithBrokerClass(eventing.MTChannelBrokerClassValue),
+					WithBrokerConfig(config()),
+					WithBrokerReadyWithDLS,
+					WithDeadLeaderSink(sinkSVCDest),
+					WithBrokerAddress(&duckv1.Addressable{
+						URL:      brokerAddress,
+						Audience: &brokerAudience,
+					}),
+					WithBrokerStatusDLS(dls),
+					WithChannelAddressAnnotation(triggerChannelURL),
+					WithChannelAPIVersionAnnotation(triggerChannelAPIVersion),
+					WithChannelKindAnnotation(triggerChannelKind),
+					WithChannelNameAnnotation(triggerChannelName),
+					WithBrokerEventPoliciesReadyAndDefaultAuthorizationMode(string(feature.AuthorizationDenyAll)),
+				),
+			}},
+			Ctx: feature.ToContext(context.Background(), feature.Flags{
+				feature.OIDCAuthentication:       feature.Enabled,
+				feature.AuthorizationDefaultMode: feature.AuthorizationDenyAll,
+			}),
+		},
 		{
 			Name: "Should list applying EventPolicies",
 			Key:  testKey,

pkg/reconciler/eventpolicy/eventpolicy_test.go

@@ -195,6 +195,35 @@ func TestReconcile(t *testing.T) {
 			},
 			WantErr: false,
 		},
+		{
+			Name: "Multiple subjects found using glob style expression, status set to Ready",
+			Ctx: feature.ToContext(context.TODO(), feature.Flags{
+				feature.OIDCAuthentication: feature.Enabled,
+			}),
+			Key: testNS + "/" + eventPolicyName,
+			Objects: []runtime.Object{
+				apiServerSourceWithServiceAccount,
+				pingSourceWithServiceAccount,
+				NewEventPolicy(eventPolicyName, testNS,
+					WithInitEventPolicyConditions,
+					WithEventPolicyFromSub(fmt.Sprintf("system:serviceaccount:%s*", testNS)),
+				),
+			},
+			WantStatusUpdates: []clientgotesting.UpdateActionImpl{
+				{
+					Object: NewEventPolicy(eventPolicyName, testNS,
+						WithEventPolicyFromSub(fmt.Sprintf("system:serviceaccount:%s*", testNS)),
+						WithEventPolicyStatusFromSub([]string{
+							fmt.Sprintf("system:serviceaccount:%s*", testNS),
+						}),
+						WithEventPolicyAuthenticationEnabledCondition,
+						WithReadyEventPolicyCondition,
+						WithEventPolicySubjectsResolvedSucceeded,
+					),
+				},
+			},
+			WantErr: false,
+		},
 
 		// test cases for authentication-oidc feature disabled afterwards
 		{

pkg/reconciler/testing/v1/broker.go

@@ -336,3 +336,9 @@ func WithBrokerEventPoliciesReadyBecauseNoPolicyAndOIDCEnabled() BrokerOption {
 		b.Status.MarkEventPoliciesTrueWithReason("DefaultAuthorizationMode", "Default authz mode is %q", feature.AuthorizationAllowSameNamespace)
 	}
 }
+
+func WithBrokerEventPoliciesReadyAndDefaultAuthorizationMode(authMode string) BrokerOption {
+	return func(b *v1.Broker) {
+		b.Status.MarkEventPoliciesTrueWithReason("DefaultAuthorizationMode", "Default authz mode is %q", authMode)
+	}
+}