//go:build integ
// +build integ
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package security
import (
"path/filepath"
"strings"
"testing"
)
import (
"github.com/apache/dubbo-go-pixiu/pkg/http/headers"
"github.com/apache/dubbo-go-pixiu/pkg/test/env"
"github.com/apache/dubbo-go-pixiu/pkg/test/framework"
"github.com/apache/dubbo-go-pixiu/pkg/test/framework/components/echo"
"github.com/apache/dubbo-go-pixiu/pkg/test/framework/components/echo/check"
"github.com/apache/dubbo-go-pixiu/pkg/test/framework/components/echo/echotest"
"github.com/apache/dubbo-go-pixiu/pkg/test/framework/components/istio"
"github.com/apache/dubbo-go-pixiu/pkg/test/framework/resource"
"github.com/apache/dubbo-go-pixiu/pkg/test/kube"
"github.com/apache/dubbo-go-pixiu/tests/common/jwt"
"github.com/apache/dubbo-go-pixiu/tests/integration/security/util"
"github.com/apache/dubbo-go-pixiu/tests/integration/security/util/scheck"
)
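// TestJWTHTTPS tests the requestauth policy with https jwks server.
//
// It deploys the sample jwt-server (the JWKS endpoint is served over HTTPS)
// into the Istio system namespace of every cluster, waits until the server is
// reachable, applies the request authentication policy rendered from
// ./testdata/remotehttps.yaml.tmpl for each destination, and then sends a
// request carrying jwt.TokenIssuer1. The call must succeed, reach every
// cluster, forward the Authorization header unchanged to the workload, and
// deliver the token's payload segment in X-Test-Payload.
//
// Only the accept path is exercised here: rejection of missing, malformed or
// wrongly signed tokens is not covered by this test.
func TestJWTHTTPS(t *testing.T) {
	// A compact JWS is <header>.<payload>.<signature>; the policy under test is
	// expected to hand the base64url payload segment to the workload. Fail with
	// a clear message on a malformed fixture instead of panicking on the index.
	segments := strings.Split(jwt.TokenIssuer1, ".")
	if len(segments) != 3 {
		t.Fatalf("jwt.TokenIssuer1 is not a compact JWS (want 3 segments, got %d)", len(segments))
	}
	payload1 := segments[1]

	framework.NewTest(t).
		Features("security.authentication.jwt").
		Run(func(t framework.TestContext) {
			// Multicluster runs are skipped until the linked upstream issue is fixed.
			if t.Clusters().IsMulticluster() {
				t.Skip("https://github.com/istio/istio/issues/37307")
			}
			ns := apps.Namespace1
			istioSystemNS := istio.ClaimSystemNamespaceOrFail(t, t)

			// Deploy the sample HTTPS JWKS server into the Istio system namespace.
			t.ConfigKube().EvalFile(istioSystemNS.Name(), map[string]string{
				"Namespace": istioSystemNS.Name(),
			}, filepath.Join(env.IstioSrc, "samples/jwt-server", "jwt-server.yaml")).ApplyOrFail(t)

			// Wait for the JWKS server pod and its service endpoints in every
			// cluster before any policy referencing it is applied, so the remote
			// JWKS fetch does not race against a server that is not up yet.
			for _, cluster := range t.AllClusters() {
				fetchFn := kube.NewSinglePodFetch(cluster, istioSystemNS.Name(), "app=jwt-server")
				if _, err := kube.WaitUntilPodsAreReady(fetchFn); err != nil {
					t.Fatalf("pod is not getting ready : %v", err)
				}
			}
			for _, cluster := range t.AllClusters() {
				if _, _, err := kube.WaitUntilServiceEndpointsAreReady(cluster, istioSystemNS.Name(), "jwt-server"); err != nil {
					t.Fatalf("Wait for jwt-server server failed: %v", err)
				}
			}

			// Each case names the policy template to apply for the destination and a
			// hook that sets the request path, headers and response checks.
			cases := []struct {
				name          string
				policyFile    string
				customizeCall func(t resource.Context, from echo.Instance, opts *echo.CallOptions)
			}{
				{
					name:       "valid-token-forward-remote-jwks",
					policyFile: "./testdata/remotehttps.yaml.tmpl",
					customizeCall: func(t resource.Context, from echo.Instance, opts *echo.CallOptions) {
						opts.HTTP.Path = "/valid-token-forward-remote-jwks"
						opts.HTTP.Headers = headers.New().WithAuthz(jwt.TokenIssuer1).Build()
						// The workload must see the bearer token forwarded verbatim and
						// the token payload in X-Test-Payload; a stripped or rewritten
						// Authorization header is a failure.
						opts.Check = check.And(
							check.OK(),
							scheck.ReachedClusters(t.AllClusters(), opts),
							check.RequestHeaders(map[string]string{
								headers.Authorization: "Bearer " + jwt.TokenIssuer1,
								"X-Test-Payload":      payload1,
							}))
					},
				},
			}

			for _, c := range cases {
				t.NewSubTest(c.name).Run(func(t framework.TestContext) {
					echotest.New(t, apps.All).
						// Render and apply the policy for the concrete destination service
						// and wait for it to be accepted before sending traffic.
						SetupForDestination(func(t framework.TestContext, to echo.Target) error {
							args := map[string]string{
								"Namespace": ns.Name(),
								"dst":       to.Config().Service,
							}
							return t.ConfigIstio().EvalFile(ns.Name(), args, c.policyFile).
								Apply(resource.Wait)
						}).
						FromMatch(
							// TODO(JimmyCYJ): enable VM for all test cases.
							util.SourceMatcher(ns, true)).
						ConditionallyTo(echotest.ReachableDestinations).
						ToMatch(util.DestMatcher(ns, true)).
						Run(func(t framework.TestContext, from echo.Instance, to echo.Target) {
							opts := echo.CallOptions{
								To: to,
								Port: echo.Port{
									Name: "http",
								},
								// Send enough calls to give every workload a chance to be hit.
								Count: util.CallsPerCluster * to.WorkloadsOrFail(t).Len(),
							}
							c.customizeCall(t, from, &opts)
							from.CallOrFail(t, opts)
						})
				})
			}
		})
}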