Add test for gateway attached to AuthPolicy

Kuadrant · Nov 27, 2023 · 48a22ff · 48a22ff
1 parent 024bbb1
commit 48a22ff
Show file tree

Hide file tree

Showing 7 changed files with 91 additions and 8 deletions.
diff --git a/testsuite/openshift/objects/auth_config/auth_policy.py b/testsuite/openshift/objects/auth_config/auth_policy.py
@@ -21,16 +21,16 @@ def create_instance(  # type: ignore
         cls,
         openshift: OpenShiftClient,
         name,
-        route: Referencable,
+        targetRef: Referencable,
         labels: Dict[str, str] = None,
-    ):
+    ):  # pylint: disable=invalid-name
         """Creates base instance"""
         model: Dict = {
             "apiVersion": "kuadrant.io/v1beta2",
             "kind": "AuthPolicy",
             "metadata": {"name": name, "namespace": openshift.project, "labels": labels},
             "spec": {
-                "targetRef": route.reference,
+                "targetRef": targetRef.reference,
             },
         }
 

diff --git a/testsuite/openshift/objects/gateway_api/route.py b/testsuite/openshift/objects/gateway_api/route.py
@@ -73,7 +73,14 @@ def remove_all_hostnames(self):
         self.model.spec.hostnames = []
 
     @modify
-    def set_match(self, backend: "Httpbin", path_prefix: str = None):
+    def set_path_match(self, path_prefix: str):
+        """TODO"""
+        self.model.spec.rules.append(
+            {"matches": [{"path": {"value": path_prefix, "type": "PathPrefix"}}]}
+        )
+
+    @modify
+    def set_backend_match(self, backend: "Httpbin", path_prefix: str = None):
         """Limits HTTPRoute to a certain path"""
         match = {}
         if path_prefix:

diff --git a/testsuite/tests/kuadrant/conftest.py b/testsuite/tests/kuadrant/conftest.py
@@ -39,9 +39,7 @@ def authorization_name(blame):
 def authorization(authorino, kuadrant, oidc_provider, route, authorization_name, openshift, module_label):
     """Authorization object (In case of Kuadrant AuthPolicy)"""
     if kuadrant:
-        policy = AuthPolicy.create_instance(openshift, authorization_name, route, labels={"testRun": module_label})
-        policy.identity.add_oidc("rhsso", oidc_provider.well_known["issuer"])
-        return policy
+        return AuthPolicy.create_instance(openshift, authorization_name, route, labels={"testRun": module_label})
     return None
 
 

diff --git a/testsuite/tests/kuadrant/gateway/__init__.py b/testsuite/tests/kuadrant/gateway/__init__.py
diff --git a/testsuite/tests/kuadrant/gateway/conftest.py b/testsuite/tests/kuadrant/gateway/conftest.py
@@ -0,0 +1,15 @@
+"""TODO"""
+import pytest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def gateway_wait_for_ready(gateway):
+    """Waits for gateway to be ready"""
+    gateway.wait_for_ready()
+
+
+@pytest.fixture(scope="module", autouse=True)
+def commit(request, authorization):
+    """TODO"""
+    request.addfinalizer(authorization.delete)
+    authorization.commit()
diff --git a/testsuite/tests/kuadrant/gateway/test_authpolicy_to_gateway.py b/testsuite/tests/kuadrant/gateway/test_authpolicy_to_gateway.py
@@ -0,0 +1,63 @@
+"""TODO"""
+import pytest
+
+from testsuite.openshift.objects.auth_config.auth_policy import AuthPolicy
+from testsuite.openshift.objects.gateway_api.route import HTTPRoute
+
+
+@pytest.fixture(scope="module")
+def gateway_httproute(request, gateway, wildcard_domain, module_label, blame):
+    """TODO"""
+    route = HTTPRoute.create_instance(gateway.openshift, blame("gw-route"), gateway, {"app": module_label})
+    route.add_hostname(wildcard_domain)
+    route.set_path_match("/")
+
+    request.addfinalizer(route.delete)
+    route.commit()
+    return route
+
+
+@pytest.fixture(scope="module")
+def gateway_authorization(request, gateway, authorization_name, openshift, module_label):
+    """TODO"""
+    auth_policy = AuthPolicy.create_instance(
+        openshift, f"gw-{authorization_name}", gateway, labels={"testRun": module_label}
+    )
+    auth_policy.authorization.add_opa_policy("deny-all", "allow { false }")
+    request.addfinalizer(auth_policy.delete)
+    return auth_policy
+
+
+@pytest.fixture(scope="module")
+def nonexistent_hostname_client(gateway, exposer, blame):
+    """TODO"""
+    hostname = exposer.expose_hostname(blame("nonexistent-hostname"), gateway)
+    client = hostname.client()
+    yield client
+    client.close()
+
+
+@pytest.fixture(scope="module")
+def sub_nonexistent_hostname_client(gateway, exposer, blame):
+    """TODO"""
+    hostname = exposer.expose_hostname(blame("sub.nonexistent-hostname"), gateway)
+    client = hostname.client()
+    yield client
+    client.close()
+
+
+def test_authpolicy_attached_to_gateway(client, gateway_httproute, gateway_authorization, nonexistent_hostname_client, sub_nonexistent_hostname_client):
+    """TODO"""
+    response = client.get("/get")
+    assert response.status_code == 200
+
+    response = nonexistent_hostname_client.get("/get")
+    assert response.status_code == 500
+
+    gateway_authorization.commit()
+
+    response = nonexistent_hostname_client.get("/get")
+    assert response.status_code == 403
+
+    response = sub_nonexistent_hostname_client.get("/get")
+    assert response.status_code == 403
diff --git a/testsuite/tests/kuadrant/reconciliation/test_httproute_matches.py b/testsuite/tests/kuadrant/reconciliation/test_httproute_matches.py
@@ -12,7 +12,7 @@ def test_matches(client, backend, route, resilient_request):
     response = client.get("/get")
     assert response.status_code == 200
 
-    route.set_match(backend, path_prefix="/anything")
+    route.set_backend_match(backend, path_prefix="/anything")
 
     response = resilient_request("/get", expected_status=404)
     assert response.status_code == 404, "Matches were not reconciled"