From 6d969d2aebaf3e7fc3f41704760795f4a9f90bbd Mon Sep 17 00:00:00 2001
From: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
Date: Sat, 8 Feb 2025 00:04:48 +0100
Subject: [PATCH] Add an integration test

Signed-off-by: Jacek Ewertowski <jacek.ewertowski1@gmail.com>
---
 source/common/tcp_proxy/tcp_proxy.cc          |  3 +-
 .../http/injected_credentials/generic/BUILD   |  1 +
 test/integration/BUILD                        |  1 +
 .../tcp_tunneling_integration_test.cc         | 47 +++++++++++++++++++
 4 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/source/common/tcp_proxy/tcp_proxy.cc b/source/common/tcp_proxy/tcp_proxy.cc
index 4c6e7c5e9b36..13142b9c6ff8 100644
--- a/source/common/tcp_proxy/tcp_proxy.cc
+++ b/source/common/tcp_proxy/tcp_proxy.cc
@@ -799,7 +799,8 @@ void TunnelingConfigHelperImpl::propagateResponseTrailers(
       StreamInfo::FilterState::StateType::ReadOnly, StreamInfo::FilterState::LifeSpan::Connection);
 }
 
-absl::Status TunnelingConfigHelperImpl::injectCredentials(Http::RequestHeaderMapPtr& headers) const {
+absl::Status
+TunnelingConfigHelperImpl::injectCredentials(Http::RequestHeaderMapPtr& headers) const {
   if (credential_injector_ != nullptr) {
     const auto status = credential_injector_->inject(*headers, true);
     if (!status.ok()) {
diff --git a/source/extensions/http/injected_credentials/generic/BUILD b/source/extensions/http/injected_credentials/generic/BUILD
index 932fe7db3b76..15664d03e9d7 100644
--- a/source/extensions/http/injected_credentials/generic/BUILD
+++ b/source/extensions/http/injected_credentials/generic/BUILD
@@ -23,6 +23,7 @@ envoy_cc_extension(
     name = "config",
     srcs = ["config.cc"],
     hdrs = ["config.h"],
+    visibility = ["//visibility:public"],
     deps = [
         ":generic_lib",
         "//source/common/http:headers_lib",
diff --git a/test/integration/BUILD b/test/integration/BUILD
index 490f951b0b75..2403563b5e74 100644
--- a/test/integration/BUILD
+++ b/test/integration/BUILD
@@ -1956,6 +1956,7 @@ envoy_cc_test(
         ":http_protocol_integration_lib",
         ":tcp_tunneling_integration_lib",
         "//source/extensions/filters/network/tcp_proxy:config",
+        "//source/extensions/http/injected_credentials/generic:config",
         "//source/extensions/upstreams/http/tcp:config",
         "//test/integration/filters:add_header_filter_config_lib",
         "//test/integration/filters:add_header_filter_proto_cc_proto",
diff --git a/test/integration/tcp_tunneling_integration_test.cc b/test/integration/tcp_tunneling_integration_test.cc
index 9c0292ecbac1..e252fd8cfc32 100644
--- a/test/integration/tcp_tunneling_integration_test.cc
+++ b/test/integration/tcp_tunneling_integration_test.cc
@@ -2325,6 +2325,53 @@ TEST_P(TcpTunnelingIntegrationTest,
   EXPECT_THAT(waitForAccessLog(access_log_filename), testing::HasSubstr(expected_log));
 }
 
+TEST_P(TcpTunnelingIntegrationTest, InjectProxyAuthorizationBasic) {
+  auto credential_config = std::make_unique<envoy::config::core::v3::TypedExtensionConfig>();
+  TestUtility::loadFromYaml(R"EOF(
+name: envoy.http.injected_credentials.generic
+typed_config:
+  "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
+  credential:
+    name: proxy_authorization
+  header: Proxy-Authorization
+)EOF",
+                            *credential_config.get());
+
+  config_helper_.addConfigModifier([&](envoy::config::bootstrap::v3::Bootstrap& bootstrap) -> void {
+    envoy::extensions::filters::network::tcp_proxy::v3::TcpProxy proxy_config;
+    proxy_config.set_stat_prefix("tcp_stats");
+    proxy_config.set_cluster("cluster_0");
+    proxy_config.mutable_tunneling_config()->set_hostname("foo.lyft.com:80");
+    proxy_config.mutable_tunneling_config()->set_allocated_credential(credential_config.release());
+
+    auto* listeners = bootstrap.mutable_static_resources()->mutable_listeners();
+    for (auto& listener : *listeners) {
+      if (listener.name() != "tcp_proxy") {
+        continue;
+      }
+      auto* filter_chain = listener.mutable_filter_chains(0);
+      auto* filter = filter_chain->mutable_filters(0);
+      filter->mutable_typed_config()->PackFrom(proxy_config);
+      break;
+    }
+
+    auto* secret = bootstrap.mutable_static_resources()->add_secrets();
+    secret->set_name("proxy_authorization");
+    auto* generic = secret->mutable_generic_secret();
+    generic->mutable_secret()->set_inline_string("Basic base64EncodedUsernamePassword");
+  });
+  initialize();
+
+  setUpConnection(fake_upstream_connection_);
+  sendBidiData(fake_upstream_connection_);
+  EXPECT_EQ("Basic base64EncodedUsernamePassword",
+            upstream_request_->headers()
+                .get(Http::LowerCaseString("Proxy-Authorization"))[0]
+                ->value()
+                .getStringView());
+  closeConnection(fake_upstream_connection_);
+}
+
 INSTANTIATE_TEST_SUITE_P(
     IpAndHttpVersions, TcpTunnelingIntegrationTest,
     testing::ValuesIn(BaseTcpTunnelingIntegrationTest::getProtocolTestParams(