Refactor opa filter tests to use specific rules

filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go

@@ -63,7 +63,7 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 			msg:               "Allow Requests with spaces in path",
 			filterName:        "opaAuthorizeRequest",
 			bundleName:        "somebundle.tar.gz",
-			regoQuery:         "envoy/authz/allow",
+			regoQuery:         "envoy/authz/allow_with_space_in_path",
 			requestPath:       "/my%20path",
 			requestMethod:     "GET",
 			contextExtensions: "",
@@ -106,7 +106,7 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 			msg:               "Allow Requests with query parameters",
 			filterName:        "opaAuthorizeRequest",
 			bundleName:        "somebundle.tar.gz",
-			regoQuery:         "envoy/authz/allow",
+			regoQuery:         "envoy/authz/allow_with_query",
 			requestPath:       "/allow-with-query?pass=yes&id=1&id=2&msg=help%20me",
 			requestMethod:     "GET",
 			contextExtensions: "",
@@ -173,8 +173,8 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 			msg:               "Simple Forbidden with Query Parameters",
 			filterName:        "opaAuthorizeRequest",
 			bundleName:        "somebundle.tar.gz",
-			regoQuery:         "envoy/authz/allow",
-			requestPath:       "/allow-with-query?tofail=true",
+			regoQuery:         "envoy/authz/deny_with_query",
+			requestPath:       "/allow-me?tofail=true",
 			requestMethod:     "GET",
 			contextExtensions: "",
 			expectedStatus:    http.StatusForbidden,
@@ -384,6 +384,20 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 			backendHeaders:    make(http.Header),
 			removeHeaders:     make(http.Header),
 		},
+		{
+			msg:               "Allow Requests ignoring fragment",
+			filterName:        "opaAuthorizeRequest",
+			bundleName:        "somebundle.tar.gz",
+			regoQuery:         "envoy/authz/allow_with_path_having_fragment",
+			requestPath:       "/path-with-empty-query#fragment?",
+			requestMethod:     "GET",
+			contextExtensions: "",
+			expectedStatus:    http.StatusOK,
+			expectedBody:      "Welcome!",
+			expectedHeaders:   make(http.Header),
+			backendHeaders:    make(http.Header),
+			removeHeaders:     make(http.Header),
+		},
 	} {
 		t.Run(ti.msg, func(t *testing.T) {
 			t.Logf("Running test for %v", ti)
@@ -405,33 +419,44 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 					"main.rego": `
 						package envoy.authz
 
-						default allow = false
+						default allow := false
+						default deny_with_query := false
 
 						allow {
-							input.parsed_path = [ "allow" ]
-							input.parsed_query = {}
+							input.parsed_path == [ "allow" ]
+							input.parsed_query == {}
 						}
 
 						allow_with_http_path {
 							input.attributes.request.http.path == "/some/api/path?q1=v1&msg=help%20me"
 						}
 
-						allow {
-							input.parsed_path = [ "my path" ]
+						allow_with_space_in_path {
+							input.parsed_path == [ "my path" ]
 						}
 
 						allow_with_path_having_empty_query {
-							input.parsed_path = [ "path-with-empty-query" ]
-							input.parsed_query = {}
+							input.parsed_path == [ "path-with-empty-query" ]
+							input.parsed_query == {}
 						}
 
-						allow {
-							input.parsed_path = [ "allow-with-query" ]
+						allow_with_query {
+							input.parsed_path == [ "allow-with-query" ]
 							input.parsed_query.pass == ["yes"]
 							input.parsed_query.id == ["1", "2"]
 							input.parsed_query.msg == ["help me"]
 						}
 
+						deny_with_query {
+							input.attributes.request.http.path == "/allow-me?tofail=true"
+							not input.parsed_query.tofail == ["true"]
+						}
+
+						allow_with_path_having_fragment {
+							input.parsed_path == [ "path-with-empty-query" ]
+							input.attributes.request.http.path == "/path-with-empty-query"
+						}
+
 						allow_context_extensions {
 							input.attributes.contextExtensions["com.mycompany.myprop"] == "myvalue"
 						}
@@ -440,15 +465,15 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 							opa.runtime().config.labels.environment == "test"
 						}
 
-						default allow_object = {
+						default allow_object := {
 							"allowed": false,
 							"headers": {"x-ext-auth-allow": "no"},
 							"body": "Unauthorized Request",
 							"http_status": 401
 						}
 
-						allow_object = response {
-							input.parsed_path = [ "allow", "structured" ]
+						allow_object := response {
+							input.parsed_path == [ "allow", "structured" ]
 							response := {
 								"allowed": true,
 								"headers": {
@@ -477,15 +502,15 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 							"headers": "bogus string instead of object"
 						}
 
-						default allow_body = false
+						default allow_body := false
 
 						allow_body {
 							input.parsed_body.target_id == "123456"
 						}	
 
 						decision_id := input.attributes.metadataContext.filterMetadata.open_policy_agent.decision_id
 
-						allow_object_decision_id_in_header = response {
+						allow_object_decision_id_in_header := response {
 						    input.parsed_path = ["allow", "structured"]
 						    decision_id 
 						    response := {

filters/openpolicyagent/opaserveresponse/opaserveresponse_test.go

@@ -77,7 +77,7 @@ func TestServerResponseFilter(t *testing.T) {
 			regoQuery:       "envoy/authz/allow_object",
 			requestPath:     "/allow/structured/with-empty-query-string?",
 			expectedStatus:  http.StatusOK,
-			expectedBody:    "Welcome from policy!",
+			expectedBody:    "Welcome from policy with empty query string!",
 			expectedHeaders: map[string][]string{"X-Ext-Auth-Allow": {"yes"}},
 		},
 		{
@@ -87,7 +87,7 @@ func TestServerResponseFilter(t *testing.T) {
 			regoQuery:       "envoy/authz/allow_object",
 			requestPath:     "/allow/structured/with-query?pass=yes",
 			expectedStatus:  http.StatusOK,
-			expectedBody:    "Welcome from policy!",
+			expectedBody:    "Welcome from policy with query params!",
 			expectedHeaders: map[string][]string{"X-Ext-Auth-Allow": {"yes"}},
 		},
 		{
@@ -172,21 +172,21 @@ func TestServerResponseFilter(t *testing.T) {
 					"main.rego": `
 						package envoy.authz
 
-						default allow = false
+						default allow := false
 
 						allow {
-							input.parsed_path = [ "allow" ]
+							input.parsed_path == [ "allow" ]
 						}	
 
-						default allow_object = {
+						default allow_object := {
 							"allowed": false,
 							"headers": {"x-ext-auth-allow": "no"},
 							"body": "Unauthorized Request",
 							"http_status": 403
 						}
 
-						allow_object = response {
-							input.parsed_path = [ "allow", "structured" ]
+						allow_object := response {
+							input.parsed_path == [ "allow", "structured" ]
 							response := {
 								"allowed": true,
 								"headers": {"x-ext-auth-allow": "yes"},
@@ -195,30 +195,30 @@ func TestServerResponseFilter(t *testing.T) {
 							}
 						}
 
-						allow_object = response {
-							input.parsed_path = [ "allow", "structured", "with-empty-query-string" ]
+						allow_object := response {
+							input.parsed_path == [ "allow", "structured", "with-empty-query-string" ]
 							input.parsed_query == {}
 							response := {
 								"allowed": true,
 								"headers": {"x-ext-auth-allow": "yes"},
-								"body": "Welcome from policy!",
+								"body": "Welcome from policy with empty query string!",
 								"http_status": 200
 							}
 						}
 
-						allow_object = response {
-							input.parsed_path = [ "allow", "structured", "with-query" ]
+						allow_object := response {
+							input.parsed_path == [ "allow", "structured", "with-query" ]
 							input.parsed_query.pass == ["yes"]
 							response := {
 								"allowed": true,
 								"headers": {"x-ext-auth-allow": "yes"},
-								"body": "Welcome from policy!",
+								"body": "Welcome from policy with query params!",
 								"http_status": 200
 							}
 						}
 
-						allow_object = response {
-							input.parsed_path = [ "allow", "production" ]
+						allow_object := response {
+							input.parsed_path == [ "allow", "production" ]
 							opa.runtime().config.labels.environment == "production"
 							response := {
 								"allowed": true,
@@ -228,8 +228,8 @@ func TestServerResponseFilter(t *testing.T) {
 							}
 						}
 
-						allow_object = response {
-							input.parsed_path = [ "allow", "test" ]
+						allow_object := response {
+							input.parsed_path == [ "allow", "test" ]
 							opa.runtime().config.labels.environment == "test"
 							response := {
 								"allowed": true,
@@ -239,8 +239,8 @@ func TestServerResponseFilter(t *testing.T) {
 							}
 						}
 
-						allow_object_structured_body = response {
-							input.parsed_path = [ "allow", "structured" ]
+						allow_object_structured_body := response {
+							input.parsed_path == [ "allow", "structured" ]
 							response := {
 								"allowed": true,
 								"headers": {"x-ext-auth-allow": "yes"},
@@ -249,8 +249,8 @@ func TestServerResponseFilter(t *testing.T) {
 							}
 						}
 
-						allow_object_contextextensions = response {
-							input.parsed_path = [ "allow", "structured" ]
+						allow_object_contextextensions := response {
+							input.parsed_path == [ "allow", "structured" ]
 							response := {
 								"allowed": true,
 								"headers": {"x-ext-auth-allow": "yes"},
@@ -259,7 +259,7 @@ func TestServerResponseFilter(t *testing.T) {
 							}
 						}
 
-						allow_object_req_body = response {
+						allow_object_req_body := response {
 							response := {
 								"allowed": true,
 								"headers": {},