Diffstat (limited to 'test')
-rw-r--r--test/integration/container.go3
-rw-r--r--test/integration/container_test.go43
2 files changed, 42 insertions, 4 deletions
diff --git a/test/integration/container.go b/test/integration/container.go
index 0a210dd..6c346a5 100644
--- a/test/integration/container.go
+++ b/test/integration/container.go
@@ -27,13 +27,14 @@ func NewContainer(t *testing.T, ctx context.Context, envVars map[string]string)
testcontainers.WithWaitStrategy(
wait.ForLog("Listening on"),
wait.ForListeningPort(x.Must(nat.NewPort("tcp", "10000"))),
+ wait.ForListeningPort(x.Must(nat.NewPort("tcp", "10003"))),
wait.ForListeningPort(x.Must(nat.NewPort("tcp", "8080"))),
wait.ForListeningPort(x.Must(nat.NewPort("tcp", "9901"))),
),
testcontainers.WithHostConfigModifier(func(cfg *xcontainer.HostConfig) {
cfg.NetworkMode = xcontainer.NetworkMode(network.NetworkHost)
}),
- // testcontainers.WithExposedPorts("8080/tcp", "9901/tcp", "10000/tcp"),
+ // testcontainers.WithExposedPorts("8080/tcp", "9901/tcp", "10000/tcp", "10003/tcp"),
// testcontainers.WithHostPortAccess(port),
)
require.NoError(t, err)
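Review bot: Port `10003` is introduced as a bare string literal in the new `wait.ForListeningPort` line, repeated in the commented-out `WithExposedPorts` line and again in `container_test.go` (`container.PortEndpoint(ctx, "10003", "")`), with nothing saying what listens on it. A shared constant such as `const authzdPort = "10003"`, or at least a comment like `// authzd gRPC (ext_authz) listener`, would keep the three in sync. Because the container runs with host networking (the `NetworkMode` context line), this listener presumably binds directly on the host, and the test talks to it in plaintext, so it is worth confirming that it binds to loopback only. NewContainer starts and ends outside this hunk.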
diff --git a/test/integration/container_test.go b/test/integration/container_test.go
index c51c5e0..68aef6d 100644
--- a/test/integration/container_test.go
+++ b/test/integration/container_test.go
@@ -6,15 +6,20 @@ package test
import (
"context"
"net/http"
+ "strconv"
"testing"
"time"
+ auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ "github.com/oauth2-proxy/mockoidc"
playwright "github.com/playwright-community/playwright-go"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/testcontainers/testcontainers-go"
"github.com/xlgmokha/x/pkg/env"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials/insecure"
)
func environmentVariables(srv *web.OIDCServer) map[string]string {
@@ -49,6 +54,9 @@ func TestContainer(t *testing.T) {
envoyAdminEndpoint, err := container.PortEndpoint(ctx, "9901", "http")
require.NoError(t, err)
+ authzdEndpoint, err := container.PortEndpoint(ctx, "10003", "")
+ require.NoError(t, err)
+
for _, publicPath := range []string{
envoyAdminEndpoint + "/",
envoyEndpoint + "/",
@@ -76,6 +84,29 @@ func TestContainer(t *testing.T) {
assert.NotEmpty(t, "listener_0", body["configs"])
})
+ t.Run("authzd", func(t *testing.T) {
+ t.Run("responds to a GRPC request", func(t *testing.T) {
+ connection, err := grpc.NewClient(authzdEndpoint, grpc.WithTransportCredentials(insecure.NewCredentials()))
+ require.NoError(t, err)
+ defer connection.Close()
+
+ client := auth.NewAuthorizationClient(connection)
+
+ response, err := client.Check(t.Context(), &auth.CheckRequest{
+ Attributes: &auth.AttributeContext{
+ Request: &auth.AttributeContext_Request{
+ Http: &auth.AttributeContext_HttpRequest{
+ Method: "GET",
+ Path: "/",
+ },
+ },
+ },
+ })
+ require.NoError(t, err)
+ assert.NotNil(t, response.GetOkResponse())
+ })
+ })
+
WithUI(t, func(browser playwright.Browser) {
page, err := browser.NewPage()
require.NoError(t, err)
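Review bot: The new `authzd` subtest pins only the allow path (a credential-less `GET /` expecting a non-nil `response.GetOkResponse()`), so an authorization service that allows every request would still pass it. Add a companion case for a request that must be refused and assert that `response.GetDeniedResponse()` is set; which request that is depends on the policy, which is not visible on this page. In the allow case, also assert the decision itself, e.g. `assert.Equal(t, int32(codes.OK), response.GetStatus().GetCode())` (needs `google.golang.org/grpc/codes`), since Envoy's ext_authz filter acts on the status code rather than on which response variant is populated. `client.Check(t.Context(), ...)` also carries no deadline, so a hung listener stalls the run until the global test timeout; wrapping it in `context.WithTimeout` would fail fast. TestContainer starts and ends outside this hunk.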
@@ -89,10 +120,16 @@ func TestContainer(t *testing.T) {
t.Run("redirects to the OpenID Connect Provider", func(t *testing.T) {
t.Skip()
+ code := strconv.FormatInt(time.Now().Unix(), 10)
+ srv.MockOIDC.QueueUser(mockoidc.DefaultUser())
+ srv.MockOIDC.QueueCode(code)
+
require.NoError(t, page.GetByText("Login").Click())
- // The envoy.yaml configuration has a hardcoded path that doesn't match the one provided by mockoidc
- // because the oauth2 envoy filter doesn't support the OIDC discovery endpoint.
- assert.Contains(t, page.URL(), srv.AuthorizationEndpoint()+"?client_id="+srv.MockOIDC.ClientID)
+ assert.Contains(t, page.URL(), envoyEndpoint+"/callback?code="+code)
+
+ content, err := page.Content()
+ require.NoError(t, err)
+ assert.Contains(t, content, "Share your gratitude")
})
})
})
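Review bot: The added lines in "redirects to the OpenID Connect Provider" never execute, because the `t.Skip()` context line at the top of the subtest still runs first. That leaves the queued user and code, the `/callback?code=` check and the "Share your gratitude" check unverified. Either remove the skip in this commit or give it a reason, e.g. `t.Skip("TODO: <why the OIDC login flow test is disabled>")`, especially now that the old comment explaining the hardcoded envoy.yaml path is deleted. Once enabled, `assert.Contains(t, page.URL(), envoyEndpoint+"/callback?code="+code)` presumably races with any redirect the OAuth2 filter issues after handling the callback, so waiting for the final URL before asserting may be needed; the filter configuration is not visible here.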