Add test for authpolicy attached directly to gateway

Kuadrant · Nov 29, 2023 · fe86b94 · fe86b94
1 parent 024bbb1
commit fe86b94
Show file tree

Hide file tree

Showing 9 changed files with 90 additions and 19 deletions.
diff --git a/testsuite/openshift/objects/auth_config/auth_policy.py b/testsuite/openshift/objects/auth_config/auth_policy.py
@@ -15,22 +15,21 @@ class AuthPolicy(AuthConfig):
     def auth_section(self):
         return self.model.spec.setdefault("rules", {})
 
-    # pylint: disable=unused-argument
     @classmethod
-    def create_instance(  # type: ignore
+    def create_instance(
         cls,
         openshift: OpenShiftClient,
         name,
-        route: Referencable,
+        targetRef: Referencable,
         labels: Dict[str, str] = None,
-    ):
+    ):  # pylint: disable=invalid-name,arguments-renamed
         """Creates base instance"""
         model: Dict = {
             "apiVersion": "kuadrant.io/v1beta2",
             "kind": "AuthPolicy",
             "metadata": {"name": name, "namespace": openshift.project, "labels": labels},
             "spec": {
-                "targetRef": route.reference,
+                "targetRef": targetRef.reference,
             },
         }
 

diff --git a/testsuite/openshift/objects/gateway_api/route.py b/testsuite/openshift/objects/gateway_api/route.py
@@ -73,8 +73,13 @@ def remove_all_hostnames(self):
         self.model.spec.hostnames = []
 
     @modify
-    def set_match(self, backend: "Httpbin", path_prefix: str = None):
+    def set_path_match(self, path_prefix: str):
         """Limits HTTPRoute to a certain path"""
+        self.model.spec.rules.append({"matches": [{"path": {"value": path_prefix, "type": "PathPrefix"}}]})
+
+    @modify
+    def set_backend_match(self, backend: "Httpbin", path_prefix: str = None):
+        """Limits HTTPRoute to a certain path to backend"""
         match = {}
         if path_prefix:
             match["path"] = {"value": path_prefix, "type": "PathPrefix"}

diff --git a/testsuite/tests/kuadrant/conftest.py b/testsuite/tests/kuadrant/conftest.py
@@ -39,9 +39,7 @@ def authorization_name(blame):
 def authorization(authorino, kuadrant, oidc_provider, route, authorization_name, openshift, module_label):
     """Authorization object (In case of Kuadrant AuthPolicy)"""
     if kuadrant:
-        policy = AuthPolicy.create_instance(openshift, authorization_name, route, labels={"testRun": module_label})
-        policy.identity.add_oidc("rhsso", oidc_provider.well_known["issuer"])
-        return policy
+        return AuthPolicy.create_instance(openshift, authorization_name, route, labels={"testRun": module_label})
     return None
 
 

diff --git a/testsuite/tests/kuadrant/gateway/__init__.py b/testsuite/tests/kuadrant/gateway/__init__.py
diff --git a/testsuite/tests/kuadrant/gateway/conftest.py b/testsuite/tests/kuadrant/gateway/conftest.py
@@ -0,0 +1,15 @@
+"""Conftest for gateway tests"""
+import pytest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def gateway_wait_for_ready(gateway):
+    """Waits for gateway to be ready"""
+    gateway.wait_for_ready()
+
+
+@pytest.fixture(scope="module", autouse=True)
+def commit(request, authorization):
+    """Only commit authorization component"""
+    request.addfinalizer(authorization.delete)
+    authorization.commit()
diff --git a/testsuite/tests/kuadrant/gateway/test_authpolicy_to_gateway.py b/testsuite/tests/kuadrant/gateway/test_authpolicy_to_gateway.py
@@ -0,0 +1,60 @@
+"""Test for AuthPolicy attached directly to gateway"""
+from time import sleep
+import pytest
+
+from testsuite.openshift.objects.auth_config.auth_policy import AuthPolicy
+from testsuite.openshift.objects.gateway_api.route import HTTPRoute
+
+
+@pytest.fixture(scope="module")
+def gateway_httproute(request, gateway, wildcard_domain, module_label, blame):
+    """HTTPRoute with wildcard domain"""
+    route = HTTPRoute.create_instance(gateway.openshift, blame("gw-route"), gateway, {"app": module_label})
+    route.add_hostname(wildcard_domain)
+    route.set_path_match("/")
+
+    request.addfinalizer(route.delete)
+    route.commit()
+    return route
+
+
+@pytest.fixture(scope="module")
+def gateway_authorization(request, gateway, authorization_name, openshift, module_label):
+    """AuthPolicy attached straight to gateway"""
+    auth_policy = AuthPolicy.create_instance(
+        openshift, f"gw-{authorization_name}", gateway, labels={"testRun": module_label}
+    )
+    auth_policy.authorization.add_opa_policy("deny-all", "allow { false }")
+    request.addfinalizer(auth_policy.delete)
+    return auth_policy
+
+
+@pytest.fixture(scope="module")
+def client_to_deny(gateway, exposer, blame):
+    """Hostname that should be denied by AuthPolicy attached directly to gateway"""
+    hostname = exposer.expose_hostname(blame("not-accepted-hostname"), gateway)
+    client = hostname.client()
+    yield client
+    client.close()
+
+
+def test_authpolicy_attached_to_gateway(gateway_httproute, gateway_authorization, client, client_to_deny):
+    # pylint: disable=unused-argument
+    """
+    Test if AuthPolicy denying all requests sent to the undefined domains:
+        - send request to the hostname defined
+        - send request to the undefined domain without AuthPolicy attached to gateway
+        - commit deny-all AuthPolicy attached to gateway
+        - send request to the undefined domain with deny-all AuthPolicy attached to gateway
+    """
+    response = client.get("/get")
+    assert response.status_code == 200
+
+    response = client_to_deny.get("/get")
+    assert response.status_code == 500
+
+    gateway_authorization.commit()
+    sleep(5)
+
+    response = client_to_deny.get("/get")
+    assert response.status_code == 403
diff --git a/testsuite/tests/kuadrant/reconciliation/conftest.py b/testsuite/tests/kuadrant/reconciliation/conftest.py
@@ -3,13 +3,6 @@
 import pytest
 
 
-@pytest.fixture(scope="module")
-def authorization(authorization):
-    """Add anonymous identity"""
-    authorization.identity.add_anonymous("anonymous")
-    return authorization
-
-
 @pytest.fixture(scope="module", autouse=True)
 def commit(request, authorization):
     """Only commit authorization"""

diff --git a/testsuite/tests/kuadrant/reconciliation/test_httproute_matches.py b/testsuite/tests/kuadrant/reconciliation/test_httproute_matches.py
@@ -12,7 +12,7 @@ def test_matches(client, backend, route, resilient_request):
     response = client.get("/get")
     assert response.status_code == 200
 
-    route.set_match(backend, path_prefix="/anything")
+    route.set_backend_match(backend, path_prefix="/anything")
 
     response = resilient_request("/get", expected_status=404)
     assert response.status_code == 404, "Matches were not reconciled"

diff --git a/testsuite/tests/kuadrant/test_rate_limit_authz.py b/testsuite/tests/kuadrant/test_rate_limit_authz.py
@@ -25,8 +25,9 @@ def rate_limit(rate_limit):
 
 
 @pytest.fixture(scope="module")
-def authorization(authorization):
-    """Adds JSON injection, that wraps the response as Envoy Dynamic Metadata for rate limit"""
+def authorization(authorization, oidc_provider):
+    """Adds rhsso identity and JSON injection, that wraps the response as Envoy Dynamic Metadata for rate limit"""
+    authorization.identity.add_oidc("rhsso", oidc_provider.well_known["issuer"])
     authorization.responses.add_success_dynamic(
         "identity", JsonResponse({"user": ValueFrom("auth.identity.preferred_username")})
     )