| author | mo khan <mo@mokhan.ca> | 2025-05-23 14:54:24 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-05-23 14:54:24 -0600 |
| commit | 3d6cdf0b3d6fa23509208e2355a7b7d26400a8ea (patch) | |
| tree | 039bdf57b99061844aeb0fe55ad0bc1c864166af /pkg/authz/server_test.go | |
| parent | 0ba49bfbde242920d8675a193d7af89420456fc0 (diff) | |
| parent | 4beee46dc6c7642316e118a4d3aa51e4b407256e (diff) | |
Merge branch 'envoy-jwt-authn' into 'main'
Add External Authorization Service with Envoy Integration
See merge request gitlab-org/software-supply-chain-security/authorization/sparkled!9
Diffstat (limited to 'pkg/authz/server_test.go')
| -rw-r--r-- | pkg/authz/server_test.go | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/pkg/authz/server_test.go b/pkg/authz/server_test.go
new file mode 100644
index 0000000..6fa4eee
--- /dev/null
+++ b/pkg/authz/server_test.go
@@ -0,0 +1,86 @@
+package authz
+
+import (
+ "context"
+ "net"
+ "strings"
+ "testing"
+
+ auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/credentials/insecure"
+ "google.golang.org/grpc/test/bufconn"
+)
+
+func TestServer(t *testing.T) {
+ socket := bufconn.Listen(1024 * 1024)
+ srv := New(t.Context())
+
+ defer srv.GracefulStop()
+ go func() {
+ require.NoError(t, srv.Serve(socket))
+ }()
+
+ connection, err := grpc.DialContext(
+ t.Context(),
+ "bufnet",
+ grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) {
+ return socket.Dial()
+ }),
+ grpc.WithTransportCredentials(insecure.NewCredentials()),
+ )
+ require.NoError(t, err)
+ defer connection.Close()
+
+ client := auth.NewAuthorizationClient(connection)
+ idToken := "eyJ0eXAiOiJKV1QiLCJraWQiOiJ0ZDBTbWRKUTRxUGg1cU5Lek0yNjBDWHgyVWgtd2hHLU1Eam9PS1dmdDhFIiwiYWxnIjoiUlMyNTYifQ.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.TjTrGS5FjfPoY0HWkSLvgjogBxB27jX2beosOZAkwXi_gO3q9DTnL0csOgxjoF1UR8baPNfMFBqL1ipLxBdY9vvDxZve-sOhoSptjzLGkCi7uQKeu7r8wNyFWNWhcLwmbinZyENGSZqIDSkHy0lGdo9oj7qqnH6sYqU46jtWACDGSHTFjNNuo1s_P2SZgkaq4c4v4jdlVV_C_Qlvtl7-eaWV1LzTpB4Mz0VWGsRx1pk3-KnS24crhBjxSE383z4Nar4ZhrsrTK-bOj33l6U32gRKNb4g6GxrPXaRQ268n37spQmbQn0aDwmUOABv-aBRy203bCCZca8BJ0XBur8t6w"
+ accessToken := "f88f60df11e458b594c80b299aee05f8e5805c65c3e779cc6fbc606c4ac36227"
+ refreshToken := "0847d325d6e4f021c4baaae0ddb425dbd8795807a4751cd2131bec8e8a9aee24"
+
+ cookies := []string{
+ "bearer_token=" + accessToken + ";",
+ "id_token=" + idToken + ";",
+ "refresh_token=" + refreshToken,
+ }
+ loggedInHeaders := map[string]string{"cookie": strings.Join(cookies, "; ")}
+
+ t.Run("CheckRequest", func(t *testing.T) {
+ tt := []struct {
+ http *auth.AttributeContext_HttpRequest
+ status codes.Code
+ }{
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/"}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/application.js"}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/callback"}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/dashboard", Headers: loggedInHeaders}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/dashboard/nav"}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/favicon.ico"}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/favicon.png"}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/health"}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/index.html"}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/logo.png"}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/signout"}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/sparkles"}},
+ {status: codes.OK, http: &auth.AttributeContext_HttpRequest{Method: "POST", Path: "/sparkles/restore"}},
+ {status: codes.PermissionDenied, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/dashboard"}},
+ {status: codes.PermissionDenied, http: &auth.AttributeContext_HttpRequest{Method: "POST", Path: "/sparkles"}},
+ }
+
+ for _, example := range tt {
+ t.Run(example.http.Path, func(t *testing.T) {
+ response, err := client.Check(t.Context(), &auth.CheckRequest{
+ Attributes: &auth.AttributeContext{
+ Request: &auth.AttributeContext_Request{
+ Http: example.http,
+ },
+ },
+ })
+ require.NoError(t, err)
+ assert.Equal(t, int32(example.status), response.Status.Code)
+ })
+ }
+ })
+}
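Review bot: The table has no row that sends a present-but-invalid token, and its only authenticated row (`/dashboard` with `loggedInHeaders`) uses a fixed `idToken` literal whose header says RS256, so a passing run cannot tell a server that verifies signature and expiry from one that only checks that the cookies are there. I would add a row such as `{status: codes.PermissionDenied, http: &auth.AttributeContext_HttpRequest{Method: "GET", Path: "/dashboard", Headers: map[string]string{"cookie": "id_token=invalid"}}},`. Minting the ID token inside the test with a throwaway key would also remove the dependence on whatever expiry the literal carries, and would keep token-shaped strings out of the repository; whether these three values were ever issued by a real provider is not visible here, so that is worth confirming. The cookie header is built from elements that already end in `;` and are joined with `"; "`, which yields `;;` between pairs, so the parser is not exercised with a well-formed header. Separately, `require.NoError(t, srv.Serve(socket))` runs in a goroutine, where `FailNow` must not be called; `assert.NoError(t, srv.Serve(socket))` is the safe form there.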
