test: add e2e test for allow missing JWT

Signed-off-by: Ardika Bagus <me@ardikabs.com>
envoyproxy · Apr 12, 2024 · b95ff0a · b95ff0a
1 parent 760d934
commit b95ff0a
Show file tree

Hide file tree

Showing 2 changed files with 108 additions and 1 deletion.
diff --git a/test/e2e/testdata/jwt-allow-missing.yaml b/test/e2e/testdata/jwt-allow-missing.yaml
@@ -0,0 +1,42 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: jwt-allow-missing
+  namespace: gateway-conformance-infra
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: jwt-allow-missing
+  jwt:
+    allowMissing: true
+    providers:
+      - name: example
+        claimToHeaders:
+          - claim: sub
+            header: x-sub
+          - claim: admin
+            header: x-admin
+          - claim: name
+            header: x-name
+        remoteJWKS:
+          uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: jwt-allow-missing
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+    - name: same-namespace
+  rules:
+    - backendRefs:
+        - kind: Service
+          name: infra-backend-v1
+          port: 8080
+          weight: 1
+      matches:
+        - path:
+            type: PathPrefix
+            value: /public
diff --git a/test/e2e/tests/jwt.go b/test/e2e/tests/jwt.go
@@ -18,7 +18,7 @@ import (
 )
 
 func init() {
-	ConformanceTests = append(ConformanceTests, JWTTest)
+	ConformanceTests = append(ConformanceTests, JWTTest, AllowMissingJWTTest)
 }
 
 const (
@@ -30,6 +30,8 @@ const (
 	v2Token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlRvbSIsImFkbWluIjp0cnVlLCJpYXQiOjE1MTYyMzkwMjJ9.kyzDDSo7XpweSPU1lxoI9IHzhTBrRNlnmcW9lmCbloZELShg-8isBx4AFoM4unXZTHpS_Y24y0gmd4nDQxgUE-CgjVSnGCb0Xhy3WO1gm9iChoKDyyQ3kHp98EmKxTyxKG2X9GyKcDFNBDjH12OBD7TcJUaBEvLf6Jw1SG2A7FakUPWeK04DQ916-ROylzI6qKyaZ0OpfYIbijvyAQxlQRxxs2XHlAkLdJhfVcUqJBwsFTbwHYARC-WNgd2_etAk1GWdwwZ_NoTmRzZAMryrYJpHY9KPlbnZ93Ye3o9h2viBQ_XRb7JBkWnAGYO4_KswpJWE_7ROUVj8iOJo2jfY6w"
 	// nolint: gosec
 	anotherToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkplcnJ5IiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.VKLURpaPLWanwE5xoGTfuYKqT9a91Fg1tRBAOyFzNa5t9SbtK8As7-3iJg4f_VlBHj13OeKjfpDEvgLerIt5TKnU708YKERB45di_7TNURoiVZayq3_gFznMqoSarP3irLDzh0YKUjc7Vuh3MX99fueTdbeA-c4pMhG_nwiFeRJhZNQQDzzKtmL9C_L2uwP4bDupmcYz6FAA2EN_r67WoXCjPWQoRQmE435EVQ-FYKgAR7qZ5TdjoSN91ByRQ7Ior9srPl7gOvjuaRbu7fjC-LT7wRE26v2vu-BCM2PveJf2NMobNb8q0pcmpB1TWhSXp1MIZs9yxbqEAZLOumYfUw"
+	// nolint: gosec
+	invalidToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
 )
 
 var JWTTest = suite.ConformanceTest{
@@ -108,3 +110,66 @@ var JWTTest = suite.ConformanceTest{
 		})
 	},
 }
+
+var AllowMissingJWTTest = suite.ConformanceTest{
+	ShortName:   "AllowMissingJWT",
+	Description: "Test allow missing JWT",
+	Manifests:   []string{"testdata/jwt-allow-missing.yaml"},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		ns := "gateway-conformance-infra"
+		routeNN := types.NamespacedName{Name: "jwt-allow-missing", Namespace: ns}
+		gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+		gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+		testCases := []http.ExpectedResponse{
+			{
+				TestCaseName: "with a valid JWT",
+				Request: http.Request{
+					Path: "/public",
+					Headers: map[string]string{
+						"Authorization": "Bearer " + v1Token,
+					},
+				},
+				Backend: "infra-backend-v1",
+				Response: http.Response{
+					StatusCode: 200,
+				},
+				Namespace: ns,
+			},
+			{
+				TestCaseName: "with an invalid JWT",
+				Request: http.Request{
+					Path: "/public",
+					Headers: map[string]string{
+						"Authorization": "Bearer " + invalidToken,
+					},
+				},
+				Backend: "infra-backend-v1",
+				Response: http.Response{
+					StatusCode: 401,
+				},
+				Namespace: ns,
+			},
+			{
+				TestCaseName: "omitting JWT",
+				Request: http.Request{
+					Path: "/public",
+				},
+				Backend: "infra-backend-v1",
+				Response: http.Response{
+					StatusCode: 200,
+				},
+				Namespace: ns,
+			},
+		}
+
+		for i := range testCases {
+			tc := testCases[i]
+			t.Run(tc.GetTestCaseName(i), func(t *testing.T) {
+				t.Parallel()
+				http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc)
+			})
+		}
+
+	},
+}