Diffstat (limited to 'tests/authorization')
-rw-r--r--tests/authorization/check_service_test.rs48
-rw-r--r--tests/authorization/mod.rs1
2 files changed, 49 insertions, 0 deletions
diff --git a/tests/authorization/check_service_test.rs b/tests/authorization/check_service_test.rs
new file mode 100644
index 00000000..23655ffb
--- /dev/null
+++ b/tests/authorization/check_service_test.rs
@@ -0,0 +1,48 @@
+#[cfg(test)]
+mod tests {
+ use crate::common::create_request;
+ use crate::common::create_token;
+ use authzd::CedarAuthorizer;
+ use authzd::CheckService;
+ use envoy_types::ext_authz::v3::pb::Authorization;
+ use envoy_types::pb::envoy::service::auth::v3::attribute_context::HttpRequest;
+ use std::collections::HashMap;
+ use std::sync::Arc;
+
+ #[tokio::test]
+ async fn test_check_allows_valid_bearer_token() {
+ let token = create_token();
+ let server = CheckService::new(Arc::new(CedarAuthorizer::new()));
+
+ let mut headers = HashMap::new();
+ headers.insert("authorization".to_string(), format!("Bearer {}", token));
+ let request = tonic::Request::new(create_request(|item: &mut HttpRequest| {
+ item.headers = headers;
+ }));
+
+ let response = server.check(request).await;
+
+ assert!(response.is_ok());
+ let check_response = response.unwrap().into_inner();
+ assert!(check_response.status.is_some());
+ let status = check_response.status.unwrap();
+ assert_eq!(status.code, tonic::Code::Ok as i32);
+ }
+
+ #[tokio::test]
+ async fn test_check_denies_invalid_bearer_token() {
+ let authorizer = Arc::new(CedarAuthorizer::new());
+ let server = CheckService::new(authorizer);
+ let request = tonic::Request::new(create_request(|item: &mut HttpRequest| {
+ item.headers = HashMap::new();
+ }));
+
+ let response = server.check(request).await;
+
+ assert!(response.is_ok());
+ let check_response = response.unwrap().into_inner();
+ assert!(check_response.status.is_some());
+ let status = check_response.status.unwrap();
+ assert_eq!(status.code, tonic::Code::Unauthenticated as i32);
+ }
+}
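Review bot: `test_check_denies_invalid_bearer_token` never presents a token: it sets `item.headers = HashMap::new()`, so it only covers the missing-header path and the rejection of a malformed or tampered credential stays untested. Rename it to something like `test_check_denies_missing_authorization_header`. Then add a sibling test that builds the request the same way but sends a constructed bad value, `headers.insert("authorization".to_string(), "Bearer not-a-valid-token".to_string());`, and asserts a non-`Ok` status code (presumably `tonic::Code::Unauthenticated`; confirm against `CheckService`). A non-`Bearer` scheme would be worth a case too, if the service is meant to reject it. Separately, the `Authorization` import from `envoy_types::ext_authz::v3::pb` is not referenced anywhere in this file and can be dropped.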
diff --git a/tests/authorization/mod.rs b/tests/authorization/mod.rs
index a8aab73a..a4ece924 100644
--- a/tests/authorization/mod.rs
+++ b/tests/authorization/mod.rs
@@ -1 +1,2 @@
mod cedar_authorizer_test;
+mod check_service_test;