From 566aa308be95a4eef59be7a9c4d0ac3789cc4f21 Mon Sep 17 00:00:00 2001 From: Ardika Bagus Date: Tue, 9 Apr 2024 23:20:20 +0700 Subject: [PATCH] test: add e2e test for allow missing JWT Signed-off-by: Ardika Bagus --- test/e2e/testdata/jwt-allow-missing.yaml | 42 +++++++++++++++ test/e2e/tests/jwt.go | 67 +++++++++++++++++++++++- 2 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 test/e2e/testdata/jwt-allow-missing.yaml diff --git a/test/e2e/testdata/jwt-allow-missing.yaml b/test/e2e/testdata/jwt-allow-missing.yaml new file mode 100644 index 00000000000..d5a91db4b88 --- /dev/null +++ b/test/e2e/testdata/jwt-allow-missing.yaml @@ -0,0 +1,42 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: jwt-allow-missing + namespace: gateway-conformance-infra +spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: jwt-allow-missing + jwt: + allowMissing: true + providers: + - name: example + claimToHeaders: + - claim: sub + header: x-sub + - claim: admin + header: x-admin + - claim: name + header: x-name + remoteJWKS: + uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: jwt-allow-missing + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - backendRefs: + - kind: Service + name: infra-backend-v1 + port: 8080 + weight: 1 + matches: + - path: + type: PathPrefix + value: /public diff --git a/test/e2e/tests/jwt.go b/test/e2e/tests/jwt.go index 89de5fa60dc..49b7cb29637 100644 --- a/test/e2e/tests/jwt.go +++ b/test/e2e/tests/jwt.go @@ -18,7 +18,7 @@ import ( ) func init() { - ConformanceTests = append(ConformanceTests, JWTTest) + ConformanceTests = append(ConformanceTests, JWTTest, AllowMissingJWTTest) } const ( @@ -30,6 +30,8 @@ const ( v2Token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlRvbSIsImFkbWluIjp0cnVlLCJpYXQiOjE1MTYyMzkwMjJ9.kyzDDSo7XpweSPU1lxoI9IHzhTBrRNlnmcW9lmCbloZELShg-8isBx4AFoM4unXZTHpS_Y24y0gmd4nDQxgUE-CgjVSnGCb0Xhy3WO1gm9iChoKDyyQ3kHp98EmKxTyxKG2X9GyKcDFNBDjH12OBD7TcJUaBEvLf6Jw1SG2A7FakUPWeK04DQ916-ROylzI6qKyaZ0OpfYIbijvyAQxlQRxxs2XHlAkLdJhfVcUqJBwsFTbwHYARC-WNgd2_etAk1GWdwwZ_NoTmRzZAMryrYJpHY9KPlbnZ93Ye3o9h2viBQ_XRb7JBkWnAGYO4_KswpJWE_7ROUVj8iOJo2jfY6w" // nolint: gosec anotherToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkplcnJ5IiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.VKLURpaPLWanwE5xoGTfuYKqT9a91Fg1tRBAOyFzNa5t9SbtK8As7-3iJg4f_VlBHj13OeKjfpDEvgLerIt5TKnU708YKERB45di_7TNURoiVZayq3_gFznMqoSarP3irLDzh0YKUjc7Vuh3MX99fueTdbeA-c4pMhG_nwiFeRJhZNQQDzzKtmL9C_L2uwP4bDupmcYz6FAA2EN_r67WoXCjPWQoRQmE435EVQ-FYKgAR7qZ5TdjoSN91ByRQ7Ior9srPl7gOvjuaRbu7fjC-LT7wRE26v2vu-BCM2PveJf2NMobNb8q0pcmpB1TWhSXp1MIZs9yxbqEAZLOumYfUw" + // nolint: gosec + invalidToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" ) var JWTTest = suite.ConformanceTest{ @@ -108,3 +110,66 @@ var JWTTest = suite.ConformanceTest{ }) }, } + +var AllowMissingJWTTest = suite.ConformanceTest{ + ShortName: "AllowMissingJWT", + Description: "Test allow missing JWT", + Manifests: []string{"testdata/jwt-allow-missing.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "jwt-allow-missing", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + testCases := []http.ExpectedResponse{ + { + TestCaseName: "with a valid JWT", + Request: http.Request{ + Path: "/public", + Headers: map[string]string{ + "Authorization": "Bearer " + v1Token, + }, + }, + Backend: "infra-backend-v1", + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + }, + { + TestCaseName: "with an invalid JWT", + Request: http.Request{ + Path: "/public", + Headers: map[string]string{ + "Authorization": "Bearer " + invalidToken, + }, + }, + Backend: "infra-backend-v1", + Response: http.Response{ + StatusCode: 401, + }, + Namespace: ns, + }, + { + TestCaseName: "omitting JWT", + Request: http.Request{ + Path: "/public", + }, + Backend: "infra-backend-v1", + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + }, + } + + for i := range testCases { + tc := testCases[i] + t.Run(tc.GetTestCaseName(i), func(t *testing.T) { + t.Parallel() + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc) + }) + } + + }, +}