test: add e2e test for allow missing JWT
Signed-off-by: Ardika Bagus <me@ardikabs.com>
ardikabs committed Apr 17, 2024
1 parent 1af6608 commit 566aa30
Showing 2 changed files with 108 additions and 1 deletion.
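--- a/test/e2e/testdata/jwt-allow-missing.yaml
+++ b/test/e2e/testdata/jwt-allow-missing.yaml
@@ -0,0 +1,42 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+name: jwt-allow-missing
+namespace: gateway-conformance-infra
+spec:
+targetRef:
+group: gateway.networking.k8s.io
+kind: HTTPRoute
+name: jwt-allow-missing
+jwt:
+allowMissing: true
+providers:
+- name: example
+claimToHeaders:
+- claim: sub
+header: x-sub
+- claim: admin
+header: x-admin
+- claim: name
+header: x-name
+remoteJWKS:
+uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+name: jwt-allow-missing
+namespace: gateway-conformance-infra
+spec:
+parentRefs:
+- name: same-namespace
+rules:
+- backendRefs:
+- kind: Service
+name: infra-backend-v1
+port: 8080
+weight: 1
+matches:
+- path:
+type: PathPrefix
+value: /public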
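Review bot: The `remoteJWKS.uri` in the SecurityPolicy follows the `main` branch on raw.githubusercontent.com, so the keys this test trusts are mutable and the run needs outbound network access from the cluster. A change to that file, or an egress failure, would turn the "valid JWT" case into a 401 without any change in this repository. Pinning the URL to a fixed revision, e.g. `uri: https://raw.githubusercontent.com/envoyproxy/gateway/<commit-sha>/examples/kubernetes/jwt/jwks.json`, or serving the JWKS from a fixture inside the test cluster, would keep the signing keys under the test's control. Whether the existing JWT manifest has the same dependency is not visible on this page.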
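--- a/test/e2e/tests/jwt.go
+++ b/test/e2e/tests/jwt.go
@@ -18,7 +18,7 @@ import (
 )
 
 func init() {
-ConformanceTests = append(ConformanceTests, JWTTest)
+ConformanceTests = append(ConformanceTests, JWTTest, AllowMissingJWTTest)
 }
 
 const (
@@ -30,6 +30,8 @@ const (
 v2Token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlRvbSIsImFkbWluIjp0cnVlLCJpYXQiOjE1MTYyMzkwMjJ9.kyzDDSo7XpweSPU1lxoI9IHzhTBrRNlnmcW9lmCbloZELShg-8isBx4AFoM4unXZTHpS_Y24y0gmd4nDQxgUE-CgjVSnGCb0Xhy3WO1gm9iChoKDyyQ3kHp98EmKxTyxKG2X9GyKcDFNBDjH12OBD7TcJUaBEvLf6Jw1SG2A7FakUPWeK04DQ916-ROylzI6qKyaZ0OpfYIbijvyAQxlQRxxs2XHlAkLdJhfVcUqJBwsFTbwHYARC-WNgd2_etAk1GWdwwZ_NoTmRzZAMryrYJpHY9KPlbnZ93Ye3o9h2viBQ_XRb7JBkWnAGYO4_KswpJWE_7ROUVj8iOJo2jfY6w"
 // nolint: gosec
 anotherToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkplcnJ5IiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.VKLURpaPLWanwE5xoGTfuYKqT9a91Fg1tRBAOyFzNa5t9SbtK8As7-3iJg4f_VlBHj13OeKjfpDEvgLerIt5TKnU708YKERB45di_7TNURoiVZayq3_gFznMqoSarP3irLDzh0YKUjc7Vuh3MX99fueTdbeA-c4pMhG_nwiFeRJhZNQQDzzKtmL9C_L2uwP4bDupmcYz6FAA2EN_r67WoXCjPWQoRQmE435EVQ-FYKgAR7qZ5TdjoSN91ByRQ7Ior9srPl7gOvjuaRbu7fjC-LT7wRE26v2vu-BCM2PveJf2NMobNb8q0pcmpB1TWhSXp1MIZs9yxbqEAZLOumYfUw"
+// nolint: gosec
+invalidToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
 )
 
 var JWTTest = suite.ConformanceTest{
@@ -108,3 +110,66 @@ var JWTTest = suite.ConformanceTest{
 })
 },
 }
+
+var AllowMissingJWTTest = suite.ConformanceTest{
+ShortName: "AllowMissingJWT",
+Description: "Test allow missing JWT",
+Manifests: []string{"testdata/jwt-allow-missing.yaml"},
+Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ns := "gateway-conformance-infra"
+routeNN := types.NamespacedName{Name: "jwt-allow-missing", Namespace: ns}
+gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+testCases := []http.ExpectedResponse{
+{
+TestCaseName: "with a valid JWT",
+Request: http.Request{
+Path: "/public",
+Headers: map[string]string{
+"Authorization": "Bearer " + v1Token,
+},
+},
+Backend: "infra-backend-v1",
+Response: http.Response{
+StatusCode: 200,
+},
+Namespace: ns,
+},
+{
+TestCaseName: "with an invalid JWT",
+Request: http.Request{
+Path: "/public",
+Headers: map[string]string{
+"Authorization": "Bearer " + invalidToken,
+},
+},
+Backend: "infra-backend-v1",
+Response: http.Response{
+StatusCode: 401,
+},
+Namespace: ns,
+},
+{
+TestCaseName: "omitting JWT",
+Request: http.Request{
+Path: "/public",
+},
+Backend: "infra-backend-v1",
+Response: http.Response{
+StatusCode: 200,
+},
+Namespace: ns,
+},
+}
+
+for i := range testCases {
+tc := testCases[i]
+t.Run(tc.GetTestCaseName(i), func(t *testing.T) {
+t.Parallel()
+http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc)
+})
+}
+
+},
+}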
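Review bot: The "omitting JWT" case in AllowMissingJWTTest asserts only a 200, so nothing checks what the backend receives in the `x-sub`, `x-admin` and `x-name` headers that the manifest fills from claims when a request carries no token. With `allowMissing: true` an unauthenticated client can reach the backend, and a backend that trusts `x-admin` would need the proxy to drop a client-supplied copy; whether it does is not visible here, so the test should pin it. A further case that sends `x-admin` without a token and lists the three headers under `AbsentHeaders` would cover this. Separately, the header of `invalidToken` decodes to HS256 while the valid tokens are RS256, so the 401 is presumably an algorithm or key mismatch rather than a failed signature check; an RS256 token with an altered signature would exercise verification more directly.

```go
// … unchanged: "with a valid JWT", "with an invalid JWT", "omitting JWT" cases …
		{
			TestCaseName: "omitting JWT with client-supplied claim headers",
			Request: http.Request{
				Path: "/public",
				Headers: map[string]string{
					"x-admin": "true",
				},
			},
			ExpectedRequest: &http.ExpectedRequest{
				Request:       http.Request{Path: "/public"},
				AbsentHeaders: []string{"x-sub", "x-admin", "x-name"},
			},
			Backend: "infra-backend-v1",
			Response: http.Response{
				StatusCode: 200,
			},
			Namespace: ns,
		},
```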
