velero/pkg/util/collections/includes_excludes_test.go

/*
Copyright The Velero Contributors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package collections

import (
	"testing"

	"github.com/vmware-tanzu/velero/internal/resourcepolicies"

	"github.com/pkg/errors"
	"github.com/sirupsen/logrus"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apimachinery/pkg/util/sets"

	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
	"github.com/vmware-tanzu/velero/pkg/builder"
	"github.com/vmware-tanzu/velero/pkg/test"
)

func TestShouldInclude(t *testing.T) {
	tests := []struct {
		name     string
		includes []string
		excludes []string
		item     string
		want     bool
	}{
		{
			name: "empty string should include every item",
			item: "foo",
			want: true,
		},
		{
			name:     "include * should include every item",
			includes: []string{"*"},
			item:     "foo",
			want:     true,
		},
		{
			name:     "item in includes list should include item",
			includes: []string{"foo", "bar", "baz"},
			item:     "foo",
			want:     true,
		},
		{
			name:     "item not in includes list should not include item",
			includes: []string{"foo", "baz"},
			item:     "bar",
			want:     false,
		},
		{
			name:     "include *, excluded item should not include item",
			includes: []string{"*"},
			excludes: []string{"foo"},
			item:     "foo",
			want:     false,
		},
		{
			name:     "include *, exclude foo, bar should be included",
			includes: []string{"*"},
			excludes: []string{"foo"},
			item:     "bar",
			want:     true,
		},
		{
			name:     "an item both included and excluded should not be included",
			includes: []string{"foo"},
			excludes: []string{"foo"},
			item:     "foo",
			want:     false,
		},
		{
			name:     "wildcard should include item",
			includes: []string{"*.bar"},
			item:     "foo.bar",
			want:     true,
		},
		{
			name:     "wildcard mismatch should not include item",
			includes: []string{"*.bar"},
			item:     "bar.foo",
			want:     false,
		},
		{
			name:     "wildcard exclude should not include item",
			includes: []string{"*"},
			excludes: []string{"*.bar"},
			item:     "foo.bar",
			want:     false,
		},
		{
			name:     "wildcard mismatch should include item",
			includes: []string{"*"},
			excludes: []string{"*.bar"},
			item:     "bar.foo",
			want:     true,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			includesExcludes := NewIncludesExcludes().Includes(tc.includes...).Excludes(tc.excludes...)

			if got := includesExcludes.ShouldInclude((tc.item)); got != tc.want {
				t.Errorf("want %t, got %t", tc.want, got)
			}
		})
	}
}

func TestValidateIncludesExcludes(t *testing.T) {
	tests := []struct {
		name     string
		includes []string
		excludes []string
		want     []error
	}{
		{
			name:     "empty includes (everything) is allowed",
			includes: []string{},
		},
		{
			name:     "include everything",
			includes: []string{"*"},
		},
		{
			name:     "include everything not allowed with other includes",
			includes: []string{"*", "foo"},
			want:     []error{errors.New("includes list must either contain '*' only, or a non-empty list of items")},
		},
		{
			name:     "exclude everything not allowed",
			includes: []string{"foo"},
			excludes: []string{"*"},
			want:     []error{errors.New("excludes list cannot contain '*'")},
		},
		{
			name:     "excludes cannot contain items in includes",
			includes: []string{"foo", "bar"},
			excludes: []string{"bar"},
			want:     []error{errors.New("excludes list cannot contain an item in the includes list: bar")},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			errs := ValidateIncludesExcludes(tc.includes, tc.excludes)

			require.Len(t, errs, len(tc.want))

			for i := 0; i < len(tc.want); i++ {
				assert.Equal(t, tc.want[i].Error(), errs[i].Error())
			}
		})
	}
}

func TestIncludeExcludeString(t *testing.T) {
	tests := []struct {
		name         string
		includes     []string
		excludes     []string
		wantIncludes string
		wantExcludes string
	}{
		{
			name:         "unspecified includes/excludes should return '*'/'<none>'",
			includes:     nil,
			excludes:     nil,
			wantIncludes: "*",
			wantExcludes: "<none>",
		},
		{
			name:         "specific resources should result in sorted joined string",
			includes:     []string{"foo", "bar"},
			excludes:     []string{"baz", "xyz"},
			wantIncludes: "bar, foo",
			wantExcludes: "baz, xyz",
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			includesExcludes := NewIncludesExcludes().Includes(tc.includes...).Excludes(tc.excludes...)
			assert.Equal(t, tc.wantIncludes, includesExcludes.IncludesString())
			assert.Equal(t, tc.wantExcludes, includesExcludes.ExcludesString())
		})
	}
}

func TestValidateNamespaceIncludesExcludes(t *testing.T) {
	tests := []struct {
		name     string
		includes []string
		excludes []string
		wantErr  bool
	}{
		{
			name:     "empty slice doesn't return error",
			includes: []string{},
			wantErr:  false,
		},
		{
			name:     "asterisk by itself is valid",
			includes: []string{"*"},
			wantErr:  false,
		},
		{
			name:     "alphanumeric names with optional dash inside are valid",
			includes: []string{"foobar", "bar-321", "foo123bar"},
			excludes: []string{"123bar", "barfoo", "foo-321", "bar123foo"},
			wantErr:  false,
		},
		{
			name:     "not starting or ending with an alphanumeric character is invalid",
			includes: []string{"-123foo"},
			excludes: []string{"foo321-", "foo321-"},
			wantErr:  true,
		},
		{
			name:     "special characters in name is invalid",
			includes: []string{"foo?", "foo.bar", "bar_321"},
			excludes: []string{"$foo", "foo>bar", "bar=321"},
			wantErr:  true,
		},
		{
			name:     "empty includes (everything) is valid",
			includes: []string{},
			wantErr:  false,
		},
		{
			name:     "empty string includes is valid (includes nothing)",
			includes: []string{""},
			wantErr:  false,
		},
		{
			name:     "empty string excludes is valid (excludes nothing)",
			excludes: []string{""},
			wantErr:  false,
		},
		{
			name:     "include everything using asterisk is valid",
			includes: []string{"*"},
			wantErr:  false,
		},
		{
			name:     "excludes can contain wildcard",
			includes: []string{"foo", "bar"},
			excludes: []string{"nginx-ingress-*", "*-bar", "*-ingress-*"},
			wantErr:  false,
		},
		{
			name:     "includes can contain wildcard",
			includes: []string{"*-foo", "kube-*", "*kube*"},
			excludes: []string{"bar"},
			wantErr:  false,
		},
		{
			name:     "include everything not allowed with other includes",
			includes: []string{"*", "foo"},
			wantErr:  true,
		},
		{
			name:     "exclude everything not allowed",
			includes: []string{"foo"},
			excludes: []string{"*"},
			wantErr:  true,
		},
		{
			name:     "excludes cannot contain items in includes",
			includes: []string{"foo", "bar"},
			excludes: []string{"bar"},
			wantErr:  true,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			errs := ValidateNamespaceIncludesExcludes(tc.includes, tc.excludes)

			if tc.wantErr && len(errs) == 0 {
				t.Errorf("%s: wanted errors but got none", tc.name)
			}

			if !tc.wantErr && len(errs) != 0 {
				t.Errorf("%s: wanted no errors but got: %v", tc.name, errs)
			}
		})
	}
}

func TestValidateScopedIncludesExcludes(t *testing.T) {
	tests := []struct {
		name     string
		includes []string
		excludes []string
		wantErr  []error
	}{
		// includes testing
		{
			name:     "empty includes is valid",
			includes: []string{},
			wantErr:  []error{},
		},
		{
			name:     "asterisk includes is valid",
			includes: []string{"*"},
			wantErr:  []error{},
		},
		{
			name:     "include everything not allowed with other includes",
			includes: []string{"*", "foo"},
			wantErr:  []error{errors.New("includes list must either contain '*' only, or a non-empty list of items")},
		},
		// excludes testing
		{
			name:     "empty excludes is valid",
			excludes: []string{},
			wantErr:  []error{},
		},
		{
			name:     "asterisk excludes is valid",
			excludes: []string{"*"},
			wantErr:  []error{},
		},
		{
			name:     "exclude everything not allowed with other excludes",
			excludes: []string{"*", "foo"},
			wantErr:  []error{errors.New("excludes list must either contain '*' only, or a non-empty list of items")},
		},
		// includes and excludes combination testing
		{
			name:     "asterisk excludes doesn't work with non-empty includes",
			includes: []string{"foo"},
			excludes: []string{"*"},
			wantErr:  []error{errors.New("when exclude is '*', include cannot have value")},
		},
		{
			name:     "excludes cannot contain items in includes",
			includes: []string{"foo", "bar"},
			excludes: []string{"bar"},
			wantErr:  []error{errors.New("excludes list cannot contain an item in the includes list: bar")},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			errs := ValidateScopedIncludesExcludes(tc.includes, tc.excludes)

			require.Len(t, errs, len(tc.wantErr))

			for i := 0; i < len(tc.wantErr); i++ {
				assert.Equal(t, tc.wantErr[i].Error(), errs[i].Error())
			}
		})
	}
}

func TestNamespaceScopedShouldInclude(t *testing.T) {
	tests := []struct {
		name                    string
		namespaceScopedIncludes []string
		namespaceScopedExcludes []string
		item                    string
		want                    bool
		apiResources            []*test.APIResource
	}{
		{
			name: "empty string should include every item",
			item: "pods",
			want: true,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name:                    "include * should include every item",
			namespaceScopedIncludes: []string{"*"},
			item:                    "pods",
			want:                    true,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name:                    "item in includes list should include item",
			namespaceScopedIncludes: []string{"foo", "bar", "pods"},
			item:                    "pods",
			want:                    true,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name:                    "item not in includes list should not include item",
			namespaceScopedIncludes: []string{"foo", "baz"},
			item:                    "pods",
			want:                    false,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name:                    "include *, excluded item should not include item",
			namespaceScopedIncludes: []string{"*"},
			namespaceScopedExcludes: []string{"pods"},
			item:                    "pods",
			want:                    false,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name:                    "include *, exclude foo, bar should be included",
			namespaceScopedIncludes: []string{"*"},
			namespaceScopedExcludes: []string{"foo"},
			item:                    "pods",
			want:                    true,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name:                    "an item both included and excluded should not be included",
			namespaceScopedIncludes: []string{"pods"},
			namespaceScopedExcludes: []string{"pods"},
			item:                    "pods",
			want:                    false,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name:                    "wildcard should include item",
			namespaceScopedIncludes: []string{"*s"},
			item:                    "pods",
			want:                    true,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name:                    "wildcard mismatch should not include item",
			namespaceScopedIncludes: []string{"*.bar"},
			item:                    "pods",
			want:                    false,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name:                    "exclude * should include nothing",
			namespaceScopedExcludes: []string{"*"},
			item:                    "pods",
			want:                    false,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name:                    "wildcard exclude should not include item",
			namespaceScopedIncludes: []string{"*"},
			namespaceScopedExcludes: []string{"*s"},
			item:                    "pods",
			want:                    false,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name:                    "wildcard exclude mismatch should include item",
			namespaceScopedExcludes: []string{"*.bar"},
			item:                    "pods",
			want:                    true,
			apiResources: []*test.APIResource{
				test.Pods(),
			},
		},
		{
			name: "resource cannot be found by discovery client should not be include",
			item: "pods",
			want: false,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			discoveryHelper := setupDiscoveryClientWithResources(tc.apiResources)
			logger := logrus.StandardLogger()
			scopeIncludesExcludes := GetScopeResourceIncludesExcludes(discoveryHelper, logger, tc.namespaceScopedIncludes, tc.namespaceScopedExcludes, []string{}, []string{}, *NewNamespaceIncludesExcludes())

			if got := scopeIncludesExcludes.ShouldInclude((tc.item)); got != tc.want {
				t.Errorf("want %t, got %t", tc.want, got)
			}
		})
	}
}

func TestClusterScopedShouldInclude(t *testing.T) {
	tests := []struct {
		name                  string
		clusterScopedIncludes []string
		clusterScopedExcludes []string
		nsIncludes            []string
		item                  string
		want                  bool
		apiResources          []*test.APIResource
	}{
		{
			name:       "empty string should include nothing",
			nsIncludes: []string{"default"},
			item:       "persistentvolumes",
			want:       false,
			apiResources: []*test.APIResource{
				test.PVs(),
			},
		},
		{
			name:                  "include * should include every item",
			clusterScopedIncludes: []string{"*"},
			item:                  "persistentvolumes",
			want:                  true,
			apiResources: []*test.APIResource{
				test.PVs(),
			},
		},
		{
			name:                  "item in includes list should include item",
			clusterScopedIncludes: []string{"namespaces", "bar", "baz"},
			item:                  "namespaces",
			want:                  true,
			apiResources: []*test.APIResource{
				test.Namespaces(),
			},
		},
		{
			name:                  "item not in includes list should not include item",
			clusterScopedIncludes: []string{"foo", "baz"},
			nsIncludes:            []string{"default"},
			item:                  "persistentvolumes",
			want:                  false,
			apiResources: []*test.APIResource{
				test.PVs(),
			},
		},
		{
			name:                  "include *, excluded item should not include item",
			clusterScopedIncludes: []string{"*"},
			clusterScopedExcludes: []string{"namespaces"},
			item:                  "namespaces",
			want:                  false,
			apiResources: []*test.APIResource{
				test.Namespaces(),
			},
		},
		{
			name:                  "include *, exclude foo, bar should be included",
			clusterScopedIncludes: []string{"*"},
			clusterScopedExcludes: []string{"foo"},
			item:                  "namespaces",
			want:                  true,
			apiResources: []*test.APIResource{
				test.Namespaces(),
			},
		},
		{
			name:                  "an item both included and excluded should not be included",
			clusterScopedIncludes: []string{"namespaces"},
			clusterScopedExcludes: []string{"namespaces"},
			item:                  "namespaces",
			want:                  false,
			apiResources: []*test.APIResource{
				test.Namespaces(),
			},
		},
		{
			name:                  "wildcard should include item",
			clusterScopedIncludes: []string{"*spaces"},
			item:                  "namespaces",
			want:                  true,
			apiResources: []*test.APIResource{
				test.Namespaces(),
			},
		},
		{
			name:                  "wildcard mismatch should not include item",
			clusterScopedIncludes: []string{"*.bar"},
			nsIncludes:            []string{"default"},
			item:                  "persistentvolumes",
			want:                  false,
			apiResources: []*test.APIResource{
				test.PVs(),
			},
		},
		{
			name:                  "exclude * should include nothing",
			clusterScopedExcludes: []string{"*"},
			item:                  "namespaces",
			want:                  false,
			apiResources: []*test.APIResource{
				test.Namespaces(),
			},
		},
		{
			name:                  "wildcard exclude should not include item",
			clusterScopedIncludes: []string{"*"},
			clusterScopedExcludes: []string{"*spaces"},
			item:                  "namespaces",
			want:                  false,
			apiResources: []*test.APIResource{
				test.Namespaces(),
			},
		},
		{
			name:                  "wildcard exclude mismatch should not include item",
			clusterScopedExcludes: []string{"*spaces"},
			item:                  "namespaces",
			want:                  false,
			apiResources: []*test.APIResource{
				test.Namespaces(),
			},
		},
		{
			name: "resource cannot be found by discovery client should not be include",
			item: "namespaces",
			want: false,
		},
		{
			name:                  "even namespaces is not in the include list, it should also be involved.",
			clusterScopedIncludes: []string{"foo", "baz"},
			item:                  "namespaces",
			want:                  true,
			apiResources: []*test.APIResource{
				test.Namespaces(),
			},
		},
		{
			name:                  "When all namespaces and namespace scope resources are included, cluster resource should be included.",
			clusterScopedIncludes: []string{},
			nsIncludes:            []string{"*"},
			item:                  "persistentvolumes",
			want:                  true,
			apiResources: []*test.APIResource{
				test.PVs(),
			},
		},
		{
			name:                  "When all namespaces and namespace scope resources are included, but cluster resource is excluded.",
			clusterScopedIncludes: []string{},
			clusterScopedExcludes: []string{"persistentvolumes"},
			nsIncludes:            []string{"*"},
			item:                  "persistentvolumes",
			want:                  false,
			apiResources: []*test.APIResource{
				test.PVs(),
			},
		},
	}
	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			discoveryHelper := setupDiscoveryClientWithResources(tc.apiResources)
			logger := logrus.StandardLogger()
			nsIncludeExclude := NewNamespaceIncludesExcludes().Includes(tc.nsIncludes...)
			scopeIncludesExcludes := GetScopeResourceIncludesExcludes(discoveryHelper, logger, []string{}, []string{}, tc.clusterScopedIncludes, tc.clusterScopedExcludes, *nsIncludeExclude)

			if got := scopeIncludesExcludes.ShouldInclude((tc.item)); got != tc.want {
				t.Errorf("want %t, got %t", tc.want, got)
			}
		})
	}
}

func TestGetScopedResourceIncludesExcludes(t *testing.T) {
	tests := []struct {
		name                            string
		namespaceScopedIncludes         []string
		namespaceScopedExcludes         []string
		clusterScopedIncludes           []string
		clusterScopedExcludes           []string
		expectedNamespaceScopedIncludes []string
		expectedNamespaceScopedExcludes []string
		expectedClusterScopedIncludes   []string
		expectedClusterScopedExcludes   []string
		apiResources                    []*test.APIResource
	}{
		{
			name:                            "only include namespace-scoped resources in IncludesExcludes",
			namespaceScopedIncludes:         []string{"deployments.apps", "persistentvolumes"},
			namespaceScopedExcludes:         []string{"pods", "persistentvolumes"},
			expectedNamespaceScopedIncludes: []string{"deployments.apps"},
			expectedNamespaceScopedExcludes: []string{"pods"},
			expectedClusterScopedIncludes:   []string{},
			expectedClusterScopedExcludes:   []string{},
			apiResources: []*test.APIResource{
				test.Deployments(),
				test.PVs(),
				test.Pods(),
			},
		},
		{
			name:                            "only include cluster-scoped resources in IncludesExcludes",
			clusterScopedIncludes:           []string{"deployments.apps", "persistentvolumes"},
			clusterScopedExcludes:           []string{"pods", "persistentvolumes"},
			expectedNamespaceScopedIncludes: []string{},
			expectedNamespaceScopedExcludes: []string{},
			expectedClusterScopedIncludes:   []string{"persistentvolumes"},
			expectedClusterScopedExcludes:   []string{"persistentvolumes"},
			apiResources: []*test.APIResource{
				test.Deployments(),
				test.PVs(),
				test.Pods(),
			},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			logger := logrus.StandardLogger()
			nsIncludeExclude := NewNamespaceIncludesExcludes()
			resources := GetScopeResourceIncludesExcludes(setupDiscoveryClientWithResources(tc.apiResources), logger, tc.namespaceScopedIncludes, tc.namespaceScopedExcludes, tc.clusterScopedIncludes, tc.clusterScopedExcludes, *nsIncludeExclude)

			assert.Equal(t, tc.expectedNamespaceScopedIncludes, resources.namespaceScopedResourceFilter.includes.List())
			assert.Equal(t, tc.expectedNamespaceScopedExcludes, resources.namespaceScopedResourceFilter.excludes.List())
			assert.Equal(t, tc.expectedClusterScopedIncludes, resources.clusterScopedResourceFilter.includes.List())
			assert.Equal(t, tc.expectedClusterScopedExcludes, resources.clusterScopedResourceFilter.excludes.List())
		})
	}
}

func TestScopeIncludesExcludes_CombineWithPolicy(t *testing.T) {
	apiResources := []*test.APIResource{test.Deployments(), test.Pods(), test.ConfigMaps(), test.Secrets(), test.PVs(), test.CRDs(), test.ServiceAccounts()}
	tests := []struct {
		name                    string
		namespaceScopedIncludes []string
		namespaceScopedExcludes []string
		clusterScopedIncludes   []string
		clusterScopedExcludes   []string
		policy                  *resourcepolicies.IncludeExcludePolicy
		verify                  func(sie ScopeIncludesExcludes) bool
	}{
		{
			name:                    "When policy is nil, the original includes excludes filters should not change",
			namespaceScopedIncludes: []string{"deployments", "pods"},
			namespaceScopedExcludes: []string{"configmaps"},
			clusterScopedIncludes:   []string{"persistentvolumes"},
			clusterScopedExcludes:   []string{"crds"},
			policy:                  nil,
			verify: func(sie ScopeIncludesExcludes) bool {
				return sie.clusterScopedResourceFilter.ShouldInclude("persistentvolumes") &&
					!sie.clusterScopedResourceFilter.ShouldInclude("crds") &&
					sie.namespaceScopedResourceFilter.ShouldInclude("deployments") &&
					!sie.namespaceScopedResourceFilter.ShouldInclude("configmaps")
			},
		},
		{
			name:                    "policy includes excludes should be merged to the original includes excludes when there's no conflict",
			namespaceScopedIncludes: []string{"pods"},
			namespaceScopedExcludes: []string{"configmaps"},
			clusterScopedIncludes:   []string{},
			clusterScopedExcludes:   []string{"crds"},
			policy: &resourcepolicies.IncludeExcludePolicy{
				IncludedNamespaceScopedResources: []string{"deployments"},
				ExcludedNamespaceScopedResources: []string{"secrets"},
				IncludedClusterScopedResources:   []string{"persistentvolumes"},
				ExcludedClusterScopedResources:   []string{},
			},
			verify: func(sie ScopeIncludesExcludes) bool {
				return sie.clusterScopedResourceFilter.ShouldInclude("persistentvolumes") &&
					!sie.clusterScopedResourceFilter.ShouldInclude("crds") &&
					sie.namespaceScopedResourceFilter.ShouldInclude("deployments") &&
					!sie.namespaceScopedResourceFilter.ShouldInclude("configmaps") &&
					!sie.namespaceScopedResourceFilter.ShouldInclude("secrets")
			},
		},
		{
			name:                    "when there are conflicts, the existing includes excludes filters have higher priorities",
			namespaceScopedIncludes: []string{"pods", "deployments"},
			namespaceScopedExcludes: []string{"configmaps"},
			clusterScopedIncludes:   []string{"crds"},
			clusterScopedExcludes:   []string{"persistentvolumes"},
			policy: &resourcepolicies.IncludeExcludePolicy{
				IncludedNamespaceScopedResources: []string{"configmaps"},
				ExcludedNamespaceScopedResources: []string{"pods", "secrets"},
				IncludedClusterScopedResources:   []string{"persistentvolumes"},
				ExcludedClusterScopedResources:   []string{"crds"},
			},
			verify: func(sie ScopeIncludesExcludes) bool {
				return sie.clusterScopedResourceFilter.ShouldInclude("crds") &&
					!sie.clusterScopedResourceFilter.ShouldInclude("persistentvolumes") &&
					sie.namespaceScopedResourceFilter.ShouldInclude("pods") &&
					!sie.namespaceScopedResourceFilter.ShouldInclude("configmaps") &&
					!sie.namespaceScopedResourceFilter.ShouldInclude("secrets")
			},
		},
		{
			name:                    "verify the case when there's '*' in the original include filter",
			namespaceScopedIncludes: []string{"*"},
			namespaceScopedExcludes: []string{},
			clusterScopedIncludes:   []string{},
			clusterScopedExcludes:   []string{},
			policy: &resourcepolicies.IncludeExcludePolicy{
				IncludedNamespaceScopedResources: []string{"deployments", "pods"},
				ExcludedNamespaceScopedResources: []string{"configmaps", "secrets"},
				IncludedClusterScopedResources:   []string{},
				ExcludedClusterScopedResources:   []string{},
			},
			verify: func(sie ScopeIncludesExcludes) bool {
				return sie.namespaceScopedResourceFilter.ShouldInclude("configmaps") &&
					sie.namespaceScopedResourceFilter.ShouldInclude("secrets")
			},
		},
	}
	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			logger := logrus.StandardLogger()
			discoveryHelper := setupDiscoveryClientWithResources(apiResources)
			sie := GetScopeResourceIncludesExcludes(discoveryHelper, logger, tc.namespaceScopedIncludes, tc.namespaceScopedExcludes, tc.clusterScopedIncludes, tc.clusterScopedExcludes, *NewNamespaceIncludesExcludes())
			sie.CombineWithPolicy(tc.policy)
			assert.True(t, tc.verify(*sie))
		})
	}
}

func TestUseOldResourceFilters(t *testing.T) {
	tests := []struct {
		name                  string
		backup                velerov1api.Backup
		useOldResourceFilters bool
	}{
		{
			name:                  "backup with no filters should use new filters",
			backup:                *defaultBackup().Result(),
			useOldResourceFilters: false,
		},
		{
			name:                  "backup with only old filters should use old filters",
			backup:                *defaultBackup().IncludeClusterResources(true).Result(),
			useOldResourceFilters: true,
		},
		{
			name:                  "backup with only new filters should use new filters",
			backup:                *defaultBackup().IncludedClusterScopedResources("StorageClass").Result(),
			useOldResourceFilters: false,
		},
		{
			// This case should not happen in Velero workflow, because filter validation not old and new
			// filters used together. So this is only used for UT checking, and I assume old filters
			// have higher priority, because old parameter should be the default one.
			name:                  "backup with both old and new filters should use old filters",
			backup:                *defaultBackup().IncludeClusterResources(true).IncludedClusterScopedResources("StorageClass").Result(),
			useOldResourceFilters: true,
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			assert.Equal(t, test.useOldResourceFilters, UseOldResourceFilters(test.backup.Spec))
		})
	}
}

func defaultBackup() *builder.BackupBuilder {
	return builder.ForBackup(velerov1api.DefaultNamespace, "backup-1").DefaultVolumesToFsBackup(false)
}

func TestShouldExcluded(t *testing.T) {
	falseBoolean := false
	trueBoolean := true
	tests := []struct {
		name                    string
		clusterIncludes         []string
		clusterExcludes         []string
		includeClusterResources *bool
		filterType              string
		resourceName            string
		apiResources            []*test.APIResource
		resourceIsExcluded      bool
	}{
		{
			name:                    "GlobalResourceIncludesExcludes: filters are all default",
			clusterIncludes:         []string{},
			clusterExcludes:         []string{},
			includeClusterResources: nil,
			filterType:              "global",
			resourceName:            "persistentvolumes",
			apiResources: []*test.APIResource{
				test.PVs(),
			},
			resourceIsExcluded: false,
		},
		{
			name:                    "GlobalResourceIncludesExcludes: IncludeClusterResources is set to true",
			clusterIncludes:         []string{},
			clusterExcludes:         []string{},
			includeClusterResources: &trueBoolean,
			filterType:              "global",
			resourceName:            "persistentvolumes",
			apiResources: []*test.APIResource{
				test.PVs(),
			},
			resourceIsExcluded: false,
		},
		{
			name:                    "GlobalResourceIncludesExcludes: IncludeClusterResources is set to false",
			clusterIncludes:         []string{"persistentvolumes"},
			clusterExcludes:         []string{},
			includeClusterResources: &falseBoolean,
			filterType:              "global",
			resourceName:            "persistentvolumes",
			apiResources: []*test.APIResource{
				test.PVs(),
			},
			resourceIsExcluded: true,
		},
		{
			name:                    "GlobalResourceIncludesExcludes: resource is in the include list",
			clusterIncludes:         []string{"persistentvolumes"},
			clusterExcludes:         []string{},
			includeClusterResources: nil,
			filterType:              "global",
			resourceName:            "persistentvolumes",
			apiResources: []*test.APIResource{
				test.PVs(),
			},
			resourceIsExcluded: false,
		},
		{
			name:            "ScopeResourceIncludesExcludes: resource is in the include list",
			clusterIncludes: []string{"persistentvolumes"},
			clusterExcludes: []string{},
			filterType:      "scope",
			resourceName:    "persistentvolumes",
			apiResources: []*test.APIResource{
				test.PVs(),
			},
			resourceIsExcluded: false,
		},
		{
			name:            "ScopeResourceIncludesExcludes: filters are all default",
			clusterIncludes: []string{},
			clusterExcludes: []string{},
			filterType:      "scope",
			resourceName:    "persistentvolumes",
			apiResources: []*test.APIResource{
				test.PVs(),
			},
			resourceIsExcluded: false,
		},
		{
			name:            "ScopeResourceIncludesExcludes: resource is not in the exclude list",
			clusterIncludes: []string{},
			clusterExcludes: []string{"namespaces"},
			filterType:      "scope",
			resourceName:    "persistentvolumes",
			apiResources: []*test.APIResource{
				test.PVs(),
			},
			resourceIsExcluded: false,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			logger := logrus.StandardLogger()

			var ie IncludesExcludesInterface
			if tc.filterType == "global" {
				ie = GetGlobalResourceIncludesExcludes(setupDiscoveryClientWithResources(tc.apiResources), logger, tc.clusterIncludes, tc.clusterExcludes, tc.includeClusterResources, *NewNamespaceIncludesExcludes())
			} else if tc.filterType == "scope" {
				ie = GetScopeResourceIncludesExcludes(setupDiscoveryClientWithResources(tc.apiResources), logger, []string{}, []string{}, tc.clusterIncludes, tc.clusterExcludes, *NewNamespaceIncludesExcludes())
			}
			assert.Equal(t, tc.resourceIsExcluded, ie.ShouldExclude(tc.resourceName))
		})
	}
}

func TestExpandIncludesExcludes(t *testing.T) {
	tests := []struct {
		name                     string
		includes                 []string
		excludes                 []string
		activeNamespaces         []string
		expectedIncludes         []string
		expectedExcludes         []string
		expectedWildcardExpanded bool
		expectError              bool
	}{
		{
			name:                     "no wildcards - should not expand",
			includes:                 []string{"default", "kube-system"},
			excludes:                 []string{"kube-public"},
			activeNamespaces:         []string{"default", "kube-system", "kube-public", "test"},
			expectedIncludes:         []string{"default", "kube-system"},
			expectedExcludes:         []string{"kube-public"},
			expectedWildcardExpanded: false,
			expectError:              false,
		},
		{
			name:                     "asterisk alone - should not expand",
			includes:                 []string{"*"},
			excludes:                 []string{},
			activeNamespaces:         []string{"default", "kube-system", "test"},
			expectedIncludes:         []string{"*"},
			expectedExcludes:         []string{},
			expectedWildcardExpanded: false,
			expectError:              false,
		},
		{
			name:                     "wildcard in includes - should expand",
			includes:                 []string{"kube-*"},
			excludes:                 []string{},
			activeNamespaces:         []string{"default", "kube-system", "kube-public", "test"},
			expectedIncludes:         []string{"kube-system", "kube-public"},
			expectedExcludes:         []string{},
			expectedWildcardExpanded: true,
			expectError:              false,
		},
		{
			name:                     "wildcard in excludes - should expand",
			includes:                 []string{"default"},
			excludes:                 []string{"*-test"},
			activeNamespaces:         []string{"default", "kube-test", "app-test", "prod"},
			expectedIncludes:         []string{"default"},
			expectedExcludes:         []string{"kube-test", "app-test"},
			expectedWildcardExpanded: true,
			expectError:              false,
		},
		{
			name:                     "wildcards in both includes and excludes",
			includes:                 []string{"kube-*", "app-*"},
			excludes:                 []string{"*-test"},
			activeNamespaces:         []string{"kube-system", "kube-test", "app-prod", "app-test", "default"},
			expectedIncludes:         []string{"kube-system", "kube-test", "app-prod", "app-test"},
			expectedExcludes:         []string{"kube-test", "app-test"},
			expectedWildcardExpanded: true,
			expectError:              false,
		},
		{
			name:                     "wildcard pattern matches nothing",
			includes:                 []string{"nonexistent-*"},
			excludes:                 []string{},
			activeNamespaces:         []string{"default", "kube-system"},
			expectedIncludes:         []string{},
			expectedExcludes:         []string{},
			expectedWildcardExpanded: true,
			expectError:              false,
		},
		{
			name:                     "mix of wildcards and non-wildcards in includes",
			includes:                 []string{"default", "kube-*"},
			excludes:                 []string{},
			activeNamespaces:         []string{"default", "kube-system", "kube-public", "test"},
			expectedIncludes:         []string{"default", "kube-system", "kube-public"},
			expectedExcludes:         []string{},
			expectedWildcardExpanded: true,
			expectError:              false,
		},
		{
			name:                     "question mark wildcard",
			includes:                 []string{"test-?"},
			excludes:                 []string{},
			activeNamespaces:         []string{"test-1", "test-2", "test-10", "default"},
			expectedIncludes:         []string{"test-1", "test-2"},
			expectedExcludes:         []string{},
			expectedWildcardExpanded: true,
			expectError:              false,
		},
		{
			name:                     "brace wildcard pattern",
			includes:                 []string{"app-{prod,dev}"},
			excludes:                 []string{},
			activeNamespaces:         []string{"app-prod", "app-dev", "app-test", "default"},
			expectedIncludes:         []string{"app-prod", "app-dev"},
			expectedExcludes:         []string{},
			expectedWildcardExpanded: true,
			expectError:              false,
		},
		{
			name:                     "empty activeNamespaces with wildcards",
			includes:                 []string{"kube-*"},
			excludes:                 []string{},
			activeNamespaces:         []string{},
			expectedIncludes:         []string{},
			expectedExcludes:         []string{},
			expectedWildcardExpanded: true,
			expectError:              false,
		},
		{
			name:                     "invalid wildcard pattern - consecutive asterisks",
			includes:                 []string{"kube-**"},
			excludes:                 []string{},
			activeNamespaces:         []string{"default"},
			expectedIncludes:         []string{"kube-**"},
			expectedExcludes:         []string{},
			expectedWildcardExpanded: false,
			expectError:              true,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			nie := NewNamespaceIncludesExcludes().
				ActiveNamespaces(tc.activeNamespaces).
				Includes(tc.includes...).
				Excludes(tc.excludes...)

			err := nie.ExpandIncludesExcludes()

			if tc.expectError {
				assert.Error(t, err)
				return
			}

			require.NoError(t, err)
			assert.Equal(t, tc.expectedWildcardExpanded, nie.IsWildcardExpanded())

			// Check includes - convert to sets for order-independent comparison
			actualIncludes := sets.NewString(nie.GetIncludes()...)
			expectedIncludes := sets.NewString(tc.expectedIncludes...)
			assert.True(t, actualIncludes.Equal(expectedIncludes),
				"includes mismatch: expected %v, got %v", tc.expectedIncludes, nie.GetIncludes())

			// Check excludes
			actualExcludes := sets.NewString(nie.GetExcludes()...)
			expectedExcludes := sets.NewString(tc.expectedExcludes...)
			assert.True(t, actualExcludes.Equal(expectedExcludes),
				"excludes mismatch: expected %v, got %v", tc.expectedExcludes, nie.GetExcludes())
		})
	}
}

func TestResolveNamespaceList(t *testing.T) {
	tests := []struct {
		name               string
		includes           []string
		excludes           []string
		activeNamespaces   []string
		expectedNamespaces []string
		preExpandWildcards bool
	}{
		{
			name:               "no includes/excludes - all active namespaces",
			includes:           []string{},
			excludes:           []string{},
			activeNamespaces:   []string{"default", "kube-system", "test"},
			expectedNamespaces: []string{"default", "kube-system", "test"},
		},
		{
			name:               "asterisk includes - all active namespaces",
			includes:           []string{"*"},
			excludes:           []string{},
			activeNamespaces:   []string{"default", "kube-system", "test"},
			expectedNamespaces: []string{"default", "kube-system", "test"},
		},
		{
			name:               "specific includes - only those namespaces",
			includes:           []string{"default", "test"},
			excludes:           []string{},
			activeNamespaces:   []string{"default", "kube-system", "test"},
			expectedNamespaces: []string{"default", "test"},
		},
		{
			name:               "includes with excludes",
			includes:           []string{"*"},
			excludes:           []string{"kube-system"},
			activeNamespaces:   []string{"default", "kube-system", "test"},
			expectedNamespaces: []string{"default", "test"},
		},
		{
			name:               "wildcard includes - expands and filters",
			includes:           []string{"kube-*"},
			excludes:           []string{},
			activeNamespaces:   []string{"default", "kube-system", "kube-public", "test"},
			expectedNamespaces: []string{"kube-system", "kube-public"},
		},
		{
			name:               "wildcard includes with wildcard excludes",
			includes:           []string{"app-*"},
			excludes:           []string{"*-test"},
			activeNamespaces:   []string{"app-prod", "app-dev", "app-test", "default"},
			expectedNamespaces: []string{"app-prod", "app-dev"},
		},
		{
			name:               "wildcard matches nothing - empty result",
			includes:           []string{"nonexistent-*"},
			excludes:           []string{},
			activeNamespaces:   []string{"default", "kube-system"},
			expectedNamespaces: []string{},
		},
		{
			name:               "empty active namespaces",
			includes:           []string{"*"},
			excludes:           []string{},
			activeNamespaces:   []string{},
			expectedNamespaces: []string{},
		},
		{
			name:               "includes namespace not in active namespaces",
			includes:           []string{"default", "nonexistent"},
			excludes:           []string{},
			activeNamespaces:   []string{"default", "test"},
			expectedNamespaces: []string{"default"},
		},
		{
			name:               "excludes all namespaces from includes",
			includes:           []string{"default", "test"},
			excludes:           []string{"default", "test"},
			activeNamespaces:   []string{"default", "test", "prod"},
			expectedNamespaces: []string{},
		},
		{
			name:               "pre-expanded wildcards - should not expand again",
			includes:           []string{"kube-*"},
			excludes:           []string{},
			activeNamespaces:   []string{"default", "kube-system", "kube-public"},
			expectedNamespaces: []string{"kube-system", "kube-public"},
			preExpandWildcards: true,
		},
		{
			name:               "complex wildcard pattern",
			includes:           []string{"app-{prod,dev}", "kube-*"},
			excludes:           []string{"*-test"},
			activeNamespaces:   []string{"app-prod", "app-dev", "app-test", "kube-system", "kube-test", "default"},
			expectedNamespaces: []string{"app-prod", "app-dev", "kube-system"},
		},
		{
			name:               "question mark wildcard pattern",
			includes:           []string{"ns-?"},
			excludes:           []string{},
			activeNamespaces:   []string{"ns-1", "ns-2", "ns-10", "default"},
			expectedNamespaces: []string{"ns-1", "ns-2"},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			nie := NewNamespaceIncludesExcludes().
				ActiveNamespaces(tc.activeNamespaces).
				Includes(tc.includes...).
				Excludes(tc.excludes...)

			// Pre-expand wildcards if requested
			if tc.preExpandWildcards {
				err := nie.ExpandIncludesExcludes()
				require.NoError(t, err)
			}

			namespaces, err := nie.ResolveNamespaceList()
			require.NoError(t, err)

			// Convert to sets for order-independent comparison
			actualNs := sets.NewString(namespaces...)
			expectedNs := sets.NewString(tc.expectedNamespaces...)
			assert.True(t, actualNs.Equal(expectedNs),
				"namespaces mismatch: expected %v, got %v", tc.expectedNamespaces, namespaces)
		})
	}
}

func TestResolveNamespaceListError(t *testing.T) {
	tests := []struct {
		name             string
		includes         []string
		excludes         []string
		activeNamespaces []string
	}{
		{
			name:             "invalid wildcard pattern in includes",
			includes:         []string{"kube-**"},
			excludes:         []string{},
			activeNamespaces: []string{"default"},
		},
		{
			name:             "invalid wildcard pattern in excludes",
			includes:         []string{"default"},
			excludes:         []string{"test-**"},
			activeNamespaces: []string{"default"},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			nie := NewNamespaceIncludesExcludes().
				ActiveNamespaces(tc.activeNamespaces).
				Includes(tc.includes...).
				Excludes(tc.excludes...)

			_, err := nie.ResolveNamespaceList()
			assert.Error(t, err)
		})
	}
}

func TestNamespaceIncludesExcludesShouldIncludeAfterWildcardExpansion(t *testing.T) {
	tests := []struct {
		name             string
		includes         []string
		excludes         []string
		activeNamespaces []string
		testNamespace    string
		expectedResult   bool
	}{
		{
			name:             "wildcard expanded to empty includes - should not include anything",
			includes:         []string{"nonexistent-*"},
			excludes:         []string{},
			activeNamespaces: []string{"default", "kube-system"},
			testNamespace:    "default",
			expectedResult:   false,
		},
		{
			name:             "wildcard expanded with matches - should include matched namespace",
			includes:         []string{"kube-*"},
			excludes:         []string{},
			activeNamespaces: []string{"default", "kube-system", "kube-public"},
			testNamespace:    "kube-system",
			expectedResult:   true,
		},
		{
			name:             "wildcard expanded with matches - should not include unmatched namespace",
			includes:         []string{"kube-*"},
			excludes:         []string{},
			activeNamespaces: []string{"default", "kube-system", "kube-public"},
			testNamespace:    "default",
			expectedResult:   false,
		},
		{
			name:             "no wildcard expansion - empty includes means include all",
			includes:         []string{},
			excludes:         []string{},
			activeNamespaces: []string{"default", "kube-system"},
			testNamespace:    "default",
			expectedResult:   true,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			nie := NewNamespaceIncludesExcludes().
				ActiveNamespaces(tc.activeNamespaces).
				Includes(tc.includes...).
				Excludes(tc.excludes...)

			err := nie.ExpandIncludesExcludes()
			require.NoError(t, err)

			result := nie.ShouldInclude(tc.testNamespace)
			assert.Equal(t, tc.expectedResult, result)
		})
	}
}

func setupDiscoveryClientWithResources(APIResources []*test.APIResource) *test.FakeDiscoveryHelper {
	resourcesMap := make(map[schema.GroupVersionResource]schema.GroupVersionResource)
	resourceList := make([]*metav1.APIResourceList, 0)

	for _, resource := range APIResources {
		gvr := schema.GroupVersionResource{
			Group:    resource.Group,
			Version:  resource.Version,
			Resource: resource.Name,
		}
		resourcesMap[gvr] = gvr

		resourceList = append(resourceList,
			&metav1.APIResourceList{
				GroupVersion: gvr.GroupVersion().String(),
				APIResources: []metav1.APIResource{
					{
						Name:       resource.Name,
						Kind:       resource.Name,
						Namespaced: resource.Namespaced,
					},
				},
			},
		)
	}

	discoveryHelper := test.NewFakeDiscoveryHelper(false, resourcesMap)
	discoveryHelper.ResourceList = resourceList
	return discoveryHelper
}