istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tests/integration/security/https_jwt/https_jwt_test.go (about)

     1  //go:build integ
     2  // +build integ
     3  
     4  // Copyright Istio Authors
     5  //
     6  // Licensed under the Apache License, Version 2.0 (the "License");
     7  // you may not use this file except in compliance with the License.
     8  // You may obtain a copy of the License at
     9  //
    10  //     http://www.apache.org/licenses/LICENSE-2.0
    11  //
    12  // Unless required by applicable law or agreed to in writing, software
    13  // distributed under the License is distributed on an "AS IS" BASIS,
    14  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    15  // See the License for the specific language governing permissions and
    16  // limitations under the License.
    17  
    18  package security
    19  
    20  import (
    21  	"strings"
    22  	"testing"
    23  
    24  	"istio.io/istio/pkg/http/headers"
    25  	"istio.io/istio/pkg/test/framework"
    26  	"istio.io/istio/pkg/test/framework/components/echo"
    27  	"istio.io/istio/pkg/test/framework/components/echo/check"
    28  	"istio.io/istio/pkg/test/framework/components/echo/echotest"
    29  	"istio.io/istio/pkg/test/framework/resource/config/apply"
    30  	"istio.io/istio/tests/common/jwt"
    31  	"istio.io/istio/tests/integration/security/util"
    32  )
    33  
// TestJWTHTTPS exercises a RequestAuthentication policy whose JWKS is served
// by an HTTPS endpoint.
//
// The single scenario sends a request carrying jwt.TokenIssuer1 and asserts
// that the call succeeds and that the expected request headers are present:
// the original "Authorization: Bearer <token>" header and an "X-Test-Payload"
// header equal to the token's encoded payload segment.
//
// NOTE(review): the policy template (testdata/remotehttps.yaml.tmpl) is not
// visible from this file. The header assertions imply it forwards the original
// token and copies the JWT payload into X-Test-Payload; confirm against the
// template.
//
// NOTE(review): only the accept path is asserted here. Rejection of a missing,
// expired or wrongly signed token on the HTTPS JWKS path is not covered by this
// test; verify it is covered elsewhere before relying on this test as evidence
// that the policy enforces anything.
func TestJWTHTTPS(t *testing.T) {
	// A compact JWT is "header.payload.signature"; index 1 is the encoded
	// payload (claims) segment that the header assertion below compares against.
	encodedClaims := strings.Split(jwt.TokenIssuer1, ".")[1]

	// scenario pairs a policy template with the request/expectation tweaks that
	// exercise it.
	type scenario struct {
		name          string
		policyFile    string
		customizeCall func(t framework.TestContext, from echo.Instance, opts *echo.CallOptions)
	}

	// forwardValidToken attaches a valid bearer token and expects the request to
	// succeed with the token and its payload present in the checked headers.
	forwardValidToken := func(t framework.TestContext, from echo.Instance, opts *echo.CallOptions) {
		opts.HTTP.Path = "/valid-token-forward-remote-jwks"
		opts.HTTP.Headers = headers.New().WithAuthz(jwt.TokenIssuer1).Build()

		wantHeaders := map[string]string{
			headers.Authorization: "Bearer " + jwt.TokenIssuer1,
			"X-Test-Payload":      encodedClaims,
		}
		opts.Check = check.And(
			check.OK(),
			check.ReachedTargetClusters(t),
			check.RequestHeaders(wantHeaders))
	}

	framework.NewTest(t).
		Run(func(t framework.TestContext) {
			ns := apps.EchoNamespace.Namespace

			scenarios := []scenario{
				{
					name:          "valid-token-forward-remote-jwks",
					policyFile:    "./testdata/remotehttps.yaml.tmpl",
					customizeCall: forwardValidToken,
				},
			}

			for _, sc := range scenarios {
				t.NewSubTest(sc.name).Run(func(t framework.TestContext) {
					echotest.New(t, apps.All.Instances()).
						SetupForDestination(func(t framework.TestContext, to echo.Target) error {
							// Render the policy template for this destination and
							// apply it with apply.Wait before any call is made.
							templateArgs := map[string]string{
								"Namespace": ns.Name(),
								"dst":       to.Config().Service,
							}
							policy := t.ConfigIstio().EvalFile(ns.Name(), templateArgs, sc.policyFile)
							return policy.Apply(apply.Wait)
						}).
						FromMatch(
							// TODO(JimmyCYJ): enable VM for all test cases.
							util.SourceMatcher(ns, true)).
						ConditionallyTo(echotest.ReachableDestinations).
						ToMatch(util.DestMatcher(ns, true)).
						Run(func(t framework.TestContext, from echo.Instance, to echo.Target) {
							// Base call: the destination's "http" port. The scenario
							// then fills in path, headers and checks.
							opts := echo.CallOptions{
								To:   to,
								Port: echo.Port{Name: "http"},
							}
							sc.customizeCall(t, from, &opts)
							from.CallOrFail(t, opts)
						})
				})
			}
		})
}