Refactor the tests for better readability on rules.
Pushpalanka committed Dec 6, 2024
1 parent d8d1bbf commit 6ebdb9e
Showing 2 changed files with 65 additions and 40 deletions.
@@ -63,7 +63,7 @@ func TestAuthorizeRequestFilter(t *testing.T) {
msg: "Allow Requests with spaces in path",
filterName: "opaAuthorizeRequest",
bundleName: "somebundle.tar.gz",
regoQuery: "envoy/authz/allow",
regoQuery: "envoy/authz/allow_with_space_in_path",
requestPath: "/my%20path",
requestMethod: "GET",
contextExtensions: "",
@@ -106,7 +106,7 @@ func TestAuthorizeRequestFilter(t *testing.T) {
msg: "Allow Requests with query parameters",
filterName: "opaAuthorizeRequest",
bundleName: "somebundle.tar.gz",
regoQuery: "envoy/authz/allow",
regoQuery: "envoy/authz/allow_with_query",
requestPath: "/allow-with-query?pass=yes&id=1&id=2&msg=help%20me",
requestMethod: "GET",
contextExtensions: "",
@@ -173,8 +173,8 @@ func TestAuthorizeRequestFilter(t *testing.T) {
msg: "Simple Forbidden with Query Parameters",
filterName: "opaAuthorizeRequest",
bundleName: "somebundle.tar.gz",
regoQuery: "envoy/authz/allow",
requestPath: "/allow-with-query?tofail=true",
regoQuery: "envoy/authz/deny_with_query",
requestPath: "/allow-me?tofail=true",
requestMethod: "GET",
contextExtensions: "",
expectedStatus: http.StatusForbidden,
@@ -384,6 +384,20 @@ func TestAuthorizeRequestFilter(t *testing.T) {
backendHeaders: make(http.Header),
removeHeaders: make(http.Header),
},
{
msg: "Allow Requests ignoring fragment",
filterName: "opaAuthorizeRequest",
bundleName: "somebundle.tar.gz",
regoQuery: "envoy/authz/allow_with_path_having_fragment",
requestPath: "/path-with-empty-query#fragment?",
requestMethod: "GET",
contextExtensions: "",
expectedStatus: http.StatusOK,
expectedBody: "Welcome!",
expectedHeaders: make(http.Header),
backendHeaders: make(http.Header),
removeHeaders: make(http.Header),
},
} {
t.Run(ti.msg, func(t *testing.T) {
t.Logf("Running test for %v", ti)
@@ -405,33 +419,44 @@ func TestAuthorizeRequestFilter(t *testing.T) {
"main.rego": `
package envoy.authz
default allow = false
default allow := false
default deny_with_query := false
allow {
input.parsed_path = [ "allow" ]
input.parsed_query = {}
input.parsed_path == [ "allow" ]
input.parsed_query == {}
}
allow_with_http_path {
input.attributes.request.http.path == "/some/api/path?q1=v1&msg=help%20me"
}
allow {
input.parsed_path = [ "my path" ]
allow_with_space_in_path {
input.parsed_path == [ "my path" ]
}
allow_with_path_having_empty_query {
input.parsed_path = [ "path-with-empty-query" ]
input.parsed_query = {}
input.parsed_path == [ "path-with-empty-query" ]
input.parsed_query == {}
}
allow {
input.parsed_path = [ "allow-with-query" ]
allow_with_query {
input.parsed_path == [ "allow-with-query" ]
input.parsed_query.pass == ["yes"]
input.parsed_query.id == ["1", "2"]
input.parsed_query.msg == ["help me"]
}
deny_with_query {
input.attributes.request.http.path == "/allow-me?tofail=true"
not input.parsed_query.tofail == ["true"]
}
allow_with_path_having_fragment {
input.parsed_path == [ "path-with-empty-query" ]
input.attributes.request.http.path == "/path-with-empty-query"
}
allow_context_extensions {
input.attributes.contextExtensions["com.mycompany.myprop"] == "myvalue"
}
@@ -440,15 +465,15 @@ func TestAuthorizeRequestFilter(t *testing.T) {
opa.runtime().config.labels.environment == "test"
}
default allow_object = {
default allow_object := {
"allowed": false,
"headers": {"x-ext-auth-allow": "no"},
"body": "Unauthorized Request",
"http_status": 401
}
allow_object = response {
input.parsed_path = [ "allow", "structured" ]
allow_object := response {
input.parsed_path == [ "allow", "structured" ]
response := {
"allowed": true,
"headers": {
@@ -477,15 +502,15 @@ func TestAuthorizeRequestFilter(t *testing.T) {
"headers": "bogus string instead of object"
}
default allow_body = false
default allow_body := false
allow_body {
input.parsed_body.target_id == "123456"
}
decision_id := input.attributes.metadataContext.filterMetadata.open_policy_agent.decision_id
allow_object_decision_id_in_header = response {
allow_object_decision_id_in_header := response {
input.parsed_path = ["allow", "structured"]
decision_id
response := {
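Review bot: The `Simple Forbidden with Query Parameters` case (hunk at -173) gets its expected 403 from `default deny_with_query := false`, so it passes whenever the rule body fails for any reason, including `input.attributes.request.http.path` never equalling `/allow-me?tofail=true`, and not only because `parsed_query.tofail` was parsed correctly. A deny expectation in an authorization test should be paired with an allow on the same rule: match on `input.parsed_path == ["allow-me"]` instead of the full path string and add a case with `requestPath: "/allow-me?tofail=false"` and `expectedStatus: http.StatusOK`. The name `deny_with_query` also reads inverted, since judging by the other cases a true result lets the request through; a one-line Rego comment above the rule, e.g. `# true (allow) unless tofail=true is present`, would avoid misreading. Separately, `input.parsed_path = ["allow", "structured"]` in `allow_object_decision_id_in_header` in the last hunk still uses `=` while the rest of the policy moved to `==`. The test table and the policy string both continue outside the visible hunks, so a positive counterpart may already exist there.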
44 changes: 22 additions & 22 deletions filters/openpolicyagent/opaserveresponse/opaserveresponse_test.go
@@ -77,7 +77,7 @@ func TestServerResponseFilter(t *testing.T) {
regoQuery: "envoy/authz/allow_object",
requestPath: "/allow/structured/with-empty-query-string?",
expectedStatus: http.StatusOK,
expectedBody: "Welcome from policy!",
expectedBody: "Welcome from policy with empty query string!",
expectedHeaders: map[string][]string{"X-Ext-Auth-Allow": {"yes"}},
},
{
@@ -87,7 +87,7 @@ func TestServerResponseFilter(t *testing.T) {
regoQuery: "envoy/authz/allow_object",
requestPath: "/allow/structured/with-query?pass=yes",
expectedStatus: http.StatusOK,
expectedBody: "Welcome from policy!",
expectedBody: "Welcome from policy with query params!",
expectedHeaders: map[string][]string{"X-Ext-Auth-Allow": {"yes"}},
},
{
@@ -172,21 +172,21 @@ func TestServerResponseFilter(t *testing.T) {
"main.rego": `
package envoy.authz
default allow = false
default allow := false
allow {
input.parsed_path = [ "allow" ]
input.parsed_path == [ "allow" ]
}
default allow_object = {
default allow_object := {
"allowed": false,
"headers": {"x-ext-auth-allow": "no"},
"body": "Unauthorized Request",
"http_status": 403
}
allow_object = response {
input.parsed_path = [ "allow", "structured" ]
allow_object := response {
input.parsed_path == [ "allow", "structured" ]
response := {
"allowed": true,
"headers": {"x-ext-auth-allow": "yes"},
@@ -195,30 +195,30 @@ func TestServerResponseFilter(t *testing.T) {
}
}
allow_object = response {
input.parsed_path = [ "allow", "structured", "with-empty-query-string" ]
allow_object := response {
input.parsed_path == [ "allow", "structured", "with-empty-query-string" ]
input.parsed_query == {}
response := {
"allowed": true,
"headers": {"x-ext-auth-allow": "yes"},
"body": "Welcome from policy!",
"body": "Welcome from policy with empty query string!",
"http_status": 200
}
}
allow_object = response {
input.parsed_path = [ "allow", "structured", "with-query" ]
allow_object := response {
input.parsed_path == [ "allow", "structured", "with-query" ]
input.parsed_query.pass == ["yes"]
response := {
"allowed": true,
"headers": {"x-ext-auth-allow": "yes"},
"body": "Welcome from policy!",
"body": "Welcome from policy with query params!",
"http_status": 200
}
}
allow_object = response {
input.parsed_path = [ "allow", "production" ]
allow_object := response {
input.parsed_path == [ "allow", "production" ]
opa.runtime().config.labels.environment == "production"
response := {
"allowed": true,
@@ -228,8 +228,8 @@ func TestServerResponseFilter(t *testing.T) {
}
}
allow_object = response {
input.parsed_path = [ "allow", "test" ]
allow_object := response {
input.parsed_path == [ "allow", "test" ]
opa.runtime().config.labels.environment == "test"
response := {
"allowed": true,
@@ -239,8 +239,8 @@ func TestServerResponseFilter(t *testing.T) {
}
}
allow_object_structured_body = response {
input.parsed_path = [ "allow", "structured" ]
allow_object_structured_body := response {
input.parsed_path == [ "allow", "structured" ]
response := {
"allowed": true,
"headers": {"x-ext-auth-allow": "yes"},
@@ -249,8 +249,8 @@ func TestServerResponseFilter(t *testing.T) {
}
}
allow_object_contextextensions = response {
input.parsed_path = [ "allow", "structured" ]
allow_object_contextextensions := response {
input.parsed_path == [ "allow", "structured" ]
response := {
"allowed": true,
"headers": {"x-ext-auth-allow": "yes"},
@@ -259,7 +259,7 @@ func TestServerResponseFilter(t *testing.T) {
}
}
allow_object_req_body = response {
allow_object_req_body := response {
response := {
"allowed": true,
"headers": {},