From 40f19762afa3551ee07d3dc1326ff30780bf9e21 Mon Sep 17 00:00:00 2001 From: averevki Date: Mon, 4 Dec 2023 13:38:59 +0100 Subject: [PATCH] Add test for authpolicy attached directly to gateway --- .../objects/auth_config/auth_policy.py | 9 ++- testsuite/tests/kuadrant/gateway/__init__.py | 0 testsuite/tests/kuadrant/gateway/conftest.py | 15 +++++ .../gateway/test_authpolicy_to_gateway.py | 60 +++++++++++++++++++ 4 files changed, 79 insertions(+), 5 deletions(-) create mode 100644 testsuite/tests/kuadrant/gateway/__init__.py create mode 100644 testsuite/tests/kuadrant/gateway/conftest.py create mode 100644 testsuite/tests/kuadrant/gateway/test_authpolicy_to_gateway.py diff --git a/testsuite/openshift/objects/auth_config/auth_policy.py b/testsuite/openshift/objects/auth_config/auth_policy.py index d7ec82a1..463f4f0c 100644 --- a/testsuite/openshift/objects/auth_config/auth_policy.py +++ b/testsuite/openshift/objects/auth_config/auth_policy.py @@ -15,22 +15,21 @@ class AuthPolicy(AuthConfig): def auth_section(self): return self.model.spec.setdefault("rules", {}) - # pylint: disable=unused-argument @classmethod - def create_instance( # type: ignore + def create_instance( cls, openshift: OpenShiftClient, name, - route: Referencable, + targetRef: Referencable, labels: Dict[str, str] = None, - ): + ): # pylint: disable=invalid-name,arguments-renamed """Creates base instance""" model: Dict = { "apiVersion": "kuadrant.io/v1beta2", "kind": "AuthPolicy", "metadata": {"name": name, "namespace": openshift.project, "labels": labels}, "spec": { - "targetRef": route.reference, + "targetRef": targetRef.reference, }, } diff --git a/testsuite/tests/kuadrant/gateway/__init__.py b/testsuite/tests/kuadrant/gateway/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/testsuite/tests/kuadrant/gateway/conftest.py b/testsuite/tests/kuadrant/gateway/conftest.py new file mode 100644 index 00000000..9dca7796 --- /dev/null +++ b/testsuite/tests/kuadrant/gateway/conftest.py 
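Review bot: The renamed parameter `targetRef` in `create_instance` is camelCase, which is why the signature now needs `# pylint: disable=invalid-name,arguments-renamed`. Naming it `target_ref` would remove the `invalid-name` suppression while leaving the `"targetRef"` key in the model unchanged. The rename also breaks any caller that passes `route=` by keyword, so call sites outside this hunk need checking. The docstring still reads `"""Creates base instance"""`; it should say that the target may be any `Referencable`, a gateway as well as a route, because a policy attached to a gateway presumably has a much wider scope than one attached to a route. The class body starts above the hunk.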
@@ -0,0 +1,15 @@
+"""Conftest for gateway tests"""
+import pytest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def gateway_wait_for_ready(gateway):
+ """Waits for gateway to be ready"""
+ gateway.wait_for_ready()
+
+
+@pytest.fixture(scope="module", autouse=True)
+def commit(request, authorization):
+ """Only commit authorization component"""
+ request.addfinalizer(authorization.delete)
+ authorization.commit()
diff --git a/testsuite/tests/kuadrant/gateway/test_authpolicy_to_gateway.py b/testsuite/tests/kuadrant/gateway/test_authpolicy_to_gateway.py
new file mode 100644
index 00000000..f03a9c09
--- /dev/null
+++ b/testsuite/tests/kuadrant/gateway/test_authpolicy_to_gateway.py
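Review bot: The `commit` fixture does not depend on `gateway_wait_for_ready`, so nothing in this file guarantees the gateway is ready before `authorization.commit()` runs. Both are module-scoped autouse fixtures, and their relative order is left to pytest. Declaring the dependency makes the order explicit: `def commit(request, authorization, gateway_wait_for_ready):  # pylint: disable=unused-argument`. If this fixture shadows a `commit` from a parent conftest (not visible here), the docstring should name what it replaces and why only the authorization is committed.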
@@ -0,0 +1,60 @@
+"""Test for AuthPolicy attached directly to gateway"""
+from time import sleep
+import pytest
+
+from testsuite.openshift.objects.auth_config.auth_policy import AuthPolicy
+from testsuite.openshift.objects.gateway_api.route import HTTPRoute
+
+
+@pytest.fixture(scope="module")
+def gateway_httproute(request, gateway, wildcard_domain, module_label, blame):
+ """HTTPRoute with wildcard domain"""
+ route = HTTPRoute.create_instance(gateway.openshift, blame("gw-route"), gateway, {"app": module_label})
+ route.add_hostname(wildcard_domain)
+ route.set_path_match("/")
+
+ request.addfinalizer(route.delete)
+ route.commit()
+ return route
+
+
+@pytest.fixture(scope="module")
+def gateway_authorization(request, gateway, authorization_name, openshift, module_label):
+ """AuthPolicy attached straight to gateway"""
+ auth_policy = AuthPolicy.create_instance(
+ openshift, f"gw-{authorization_name}", gateway, labels={"testRun": module_label}
+ )
+ auth_policy.authorization.add_opa_policy("deny-all", "allow { false }")
+ request.addfinalizer(auth_policy.delete)
+ return auth_policy
+
+
+@pytest.fixture(scope="module")
+def client_to_deny(gateway, exposer, blame):
+ """Hostname that should be denied by AuthPolicy attached directly to gateway"""
+ hostname = exposer.expose_hostname(blame("not-accepted-hostname"), gateway)
+ client = hostname.client()
+ yield client
+ client.close()
+
+
+def test_authpolicy_attached_to_gateway(gateway_httproute, gateway_authorization, client, client_to_deny):
+ # pylint: disable=unused-argument
+ """
+ Test if AuthPolicy denying all requests sent to the undefined domains:
+ - send request to the hostname defined
+ - send request to the undefined domain without AuthPolicy attached to gateway
+ - commit deny-all AuthPolicy attached to gateway
+ - send request to the undefined domain with deny-all AuthPolicy attached to gateway
+ """
+ response = client.get("/get")
+ assert response.status_code == 200
+
+ response = client_to_deny.get("/get")
+ assert response.status_code == 500
+
+ gateway_authorization.commit()
+ sleep(5)
+
+ response = client_to_deny.get("/get")
+ assert response.status_code == 403
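Review bot: The fixed `sleep(5)` after `gateway_authorization.commit()` in `test_authpolicy_attached_to_gateway` makes the final 403 assertion depend on timing. If the policy takes longer than 5 s to be enforced the test fails for the wrong reason, and if it takes less the run is slowed for nothing. A bounded poll on the denied hostname, as sketched below, is more reliable. The test also never re-checks `client` once the gateway-level deny-all is live, so it does not pin down how that policy interacts with the hostname that returned 200 earlier. If that hostname is meant to stay reachable, add `assert client.get("/get").status_code == 200` after the 403 check. The docstring's first line would read better as "Test that an AuthPolicy attached to the gateway denies requests to hostnames without their own route".
```python
# … unchanged: initial 200 and 500 checks …
gateway_authorization.commit()
# Poll with an upper bound instead of a fixed sleep; the time until the policy is enforced varies.
for _ in range(30):
    response = client_to_deny.get("/get")
    if response.status_code == 403:
        break
    sleep(1)
assert response.status_code == 403
```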