diff --git a/testsuite/tests/conftest.py b/testsuite/tests/conftest.py
index b641dd12..a2f84422 100644
--- a/testsuite/tests/conftest.py
+++ b/testsuite/tests/conftest.py
@@ -166,7 +166,7 @@ def cfssl(testconfig, skip_or_fail):
 return client
-@pytest.fixture(scope="module")
+@pytest.fixture(scope="session")
 def mockserver(testconfig, skip_or_fail):
 """Returns mockserver"""
 try:
diff --git a/testsuite/tests/singlecluster/authorino/authorization/opa/external_registry/test_auto_refresh_policy.py b/testsuite/tests/singlecluster/authorino/authorization/opa/external_registry/test_auto_refresh_policy.py
deleted file mode 100644
index b1b756d3..00000000
--- a/testsuite/tests/singlecluster/authorino/authorization/opa/external_registry/test_auto_refresh_policy.py
+++ /dev/null
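Review bot: In testsuite/tests/conftest.py the `mockserver` docstring still reads only `"""Returns mockserver"""` although the fixture now lives for the whole session, so an expectation created in one module stays registered for every later module unless something removes it. I would record that in the docstring, e.g. `"""Returns a session-wide Mockserver client; expectations persist across modules, so register them under unique ids"""`. The fixture body continues outside the hunk, so I cannot see whether it removes expectations on teardown; if it does not, a leftover expectation can affect a later test that reuses the same id.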
@@ -1,41 +0,0 @@
-"""
-Tests for Open Policy Agent (OPA) policy pulled from external registry.
-Registry is represented by Mockserver Expectation that returns Rego query.
-"""
-
-import time
-
-import pytest
-
-from testsuite.utils import rego_allow_header
-
-
-pytestmark = [pytest.mark.authorino]
-
-
-@pytest.fixture(scope="module")
-def updated_header():
- """Header for updated OPA policy"""
- return "updated", "updated-value"
-
-
-@pytest.fixture(scope="module", autouse=True)
-def update_external_opa(mockserver, module_label, updated_header):
- """Updates Expectation with updated header"""
- mockserver.create_response_expectation(module_label, rego_allow_header(*updated_header))
- # Sleeps for 1 second to compensate auto-refresh cycle `authorization.opa.externalRegistry.ttl = 1`
- time.sleep(1)
-
-
-def test_auto_refresh(client, auth, updated_header):
- """Tests auto-refresh of OPA policy from external registry."""
- key, value = updated_header
- response = client.get("/get", auth=auth, headers={key: value})
- assert response.status_code == 200
-
-
-def test_previous(client, auth, header):
- """Tests invalidation of previous OPA policy"""
- key, value = header
- response = client.get("/get", auth=auth, headers={key: value})
- assert response.status_code == 403
diff --git a/testsuite/tests/singlecluster/authorino/authorization/opa/external_registry/test_cache.py b/testsuite/tests/singlecluster/authorino/authorization/opa/external_registry/test_cache.py
new file mode 100644
index 00000000..73c71905
--- /dev/null
+++ b/testsuite/tests/singlecluster/authorino/authorization/opa/external_registry/test_cache.py
@@ -0,0 +1,47 @@
+"""
+Tests for Open Policy Agent (OPA) policy pulled from external registry.
+Registry is represented by Mockserver Expectation that returns Rego query.
+"""
+
+from time import sleep
+
+import pytest
+
+from testsuite.utils import rego_allow_header
+
+
+pytestmark = [pytest.mark.authorino]
+
+
+KEY = "test-key"
+VALUE = "test-value"
+
+
+@pytest.fixture(scope="function", autouse=True)
+def reset_expectation(mockserver, module_label):
+ """Updates Expectation with updated header"""
+ mockserver.create_response_expectation(module_label, rego_allow_header(KEY, VALUE))
+ sleep(2) # waits for cache to reset because of ttl=1
+
+
+def test_caching(client, auth, mockserver, blame, module_label):
+ """Tests that external policy is cached"""
+ response = client.get("/get", auth=auth, headers={KEY: VALUE})
+ assert response.status_code == 200
+
+ mockserver.create_response_expectation(module_label, rego_allow_header(blame(KEY), blame(VALUE)))
+
+ response = client.get("/get", auth=auth, headers={KEY: VALUE})
+ assert response.status_code == 200
+
+
+def test_cache_refresh(client, auth, mockserver, blame, module_label):
+ """Tests that policy is pull again from external registry after ttl expiration"""
+ response = client.get("/get", auth=auth, headers={KEY: VALUE})
+ assert response.status_code == 200
+
+ mockserver.create_response_expectation(module_label, rego_allow_header(blame(KEY), blame(VALUE)))
+ sleep(2)
+
+ response = client.get("/get", auth=auth, headers={KEY: VALUE})
+ assert response.status_code == 403
diff --git a/testsuite/utils.py b/testsuite/utils.py
index 069ade02..dbf55de0 100644
--- a/testsuite/utils.py
+++ b/testsuite/utils.py
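Review bot: `test_cache_refresh` in test_cache.py asserts only that the old header gets 403 after the TTL, which a failed or unparsable policy fetch would presumably also produce, so it no longer shows that the refreshed policy is the one being enforced (the deleted `test_auto_refresh` covered the 200 case). Keep the new pair in locals, `new_key, new_value = blame(KEY), blame(VALUE)`, pass them to `rego_allow_header`, and after the sleep add `assert client.get("/get", auth=auth, headers={new_key: new_value}).status_code == 200`. `test_caching` sends its second request right after swapping the expectation and would fail if a refresh lands in between, which deserves a comment on that line. The `reset_expectation` docstring was carried over from the deleted file; `"""Restores the KEY/VALUE policy and waits for the cached copy to expire"""` describes what it does now.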
@@ -92,7 +92,7 @@ def cert_builder(
 def rego_allow_header(key, value):
 """Rego query that allows all requests that contain specific header with`key` and `value`"""
- return f'allow {{ input.context.request.http.headers.{key} == "{value}" }}'
+ return f'allow {{ input.context.request.http.headers["{key}"] == "{value}" }}'
 def add_port(url_str: str, return_netloc=True) -> Union[ParseResult, str]:
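Review bot: `rego_allow_header` still pastes `key` and `value` into the Rego source unescaped, so a double quote or backslash in either one ends the string literal early and changes the policy text; the bracket form only fixes hyphenated names. Rego string literals follow JSON escaping, so the return line could be `return f'allow {{ input.context.request.http.headers[{json.dumps(key)}] == {json.dumps(value)} }}'`, with `import json` added at the top of the file. Header names are presumably lowercased by the proxy before they reach `input.context`, so the docstring should say that `key` must be lowercase; it is also missing a space in "with`key`".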