ci: add 3 plugin test cases for e2e (#965)

* consumer-restriction plugin
* csrf plugin
* client-control plugin

Co-authored-by: rongxin <rongxin@api7.ai>

test/e2e/scaffold/consumer.go

@@ -0,0 +1,33 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package scaffold
+
+import "fmt"
+
+func (s *Scaffold) ApisixConsumerBasicAuthCreated(name, username, password string) error {
+	ac := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixConsumer
+metadata:
+  name: %s
+spec:
+  authParameter:
+    basicAuth:
+      value:
+        username: %s
+        password: %s
+`, name, username, password)
+	return s.CreateResourceFromString(ac)
+}

test/e2e/suite-plugins/client-control.go

@@ -0,0 +1,131 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package plugins
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/onsi/ginkgo"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/apache/apisix-ingress-controller/test/e2e/scaffold"
+)
+
+var _ = ginkgo.Describe("suite-plugins: client-control plugin", func() {
+	opts := &scaffold.Options{
+		Name:                  "default",
+		Kubeconfig:            scaffold.GetKubeconfig(),
+		APISIXConfigPath:      "testdata/apisix-gw-config.yaml",
+		IngressAPISIXReplicas: 1,
+		HTTPBinServicePort:    80,
+		APISIXRouteVersion:    "apisix.apache.org/v2beta3",
+	}
+	s := scaffold.NewScaffold(opts)
+	ginkgo.It("Limit requset body size", func() {
+		backendSvc, backendPorts := s.DefaultHTTPBackend()
+		ar := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixRoute
+metadata:
+ name: httpbin-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /anything
+   backends:
+   - serviceName: %s
+     servicePort: %d
+   plugins:
+   - name: client-control
+     enable: true
+     config:
+       max_body_size: 1
+`, backendSvc, backendPorts[0])
+
+		assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ar))
+
+		err := s.EnsureNumApisixUpstreamsCreated(1)
+		assert.Nil(ginkgo.GinkgoT(), err, "Checking number of upstreams")
+		err = s.EnsureNumApisixRoutesCreated(1)
+		assert.Nil(ginkgo.GinkgoT(), err, "Checking number of routes")
+
+		_ = s.NewAPISIXClient().
+			GET("/anything").
+			WithHeader("Host", "httpbin.org").
+			Expect().
+			Status(http.StatusOK)
+
+		msg413 := s.NewAPISIXClient().
+			POST("/anything").
+			WithHeader("Host", "httpbin.org").
+			WithBytes([]byte("char number cannot be greater than 10")).
+			Expect().
+			Status(http.StatusRequestEntityTooLarge).
+			Body().
+			Raw()
+		assert.Contains(ginkgo.GinkgoT(), msg413, "Request Entity Too Large")
+	})
+
+	ginkgo.It("disable plugin", func() {
+		backendSvc, backendPorts := s.DefaultHTTPBackend()
+		ar := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixRoute
+metadata:
+ name: httpbin-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /anything
+   backends:
+   - serviceName: %s
+     servicePort: %d
+   plugins:
+   - name: client-control
+     enable: false
+     config:
+       max_body_size: 1
+`, backendSvc, backendPorts[0])
+
+		assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ar))
+
+		err := s.EnsureNumApisixUpstreamsCreated(1)
+		assert.Nil(ginkgo.GinkgoT(), err, "Checking number of upstreams")
+		err = s.EnsureNumApisixRoutesCreated(1)
+		assert.Nil(ginkgo.GinkgoT(), err, "Checking number of routes")
+
+		_ = s.NewAPISIXClient().
+			GET("/anything").
+			WithHeader("Host", "httpbin.org").
+			Expect().
+			Status(http.StatusOK)
+
+		_ = s.NewAPISIXClient().
+			POST("/anything").
+			WithHeader("Host", "httpbin.org").
+			WithBytes([]byte("char number can be greater than 10")).
+			Expect().
+			Status(http.StatusOK)
+	})
+})

test/e2e/suite-plugins/consumer-restriction.go

@@ -0,0 +1,230 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package plugins
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/onsi/ginkgo"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/apache/apisix-ingress-controller/test/e2e/scaffold"
+)
+
+var _ = ginkgo.Describe("suite-plugins: consumer-restriction plugin", func() {
+	opts := &scaffold.Options{
+		Name:                  "default",
+		Kubeconfig:            scaffold.GetKubeconfig(),
+		APISIXConfigPath:      "testdata/apisix-gw-config.yaml",
+		IngressAPISIXReplicas: 1,
+		HTTPBinServicePort:    80,
+		APISIXRouteVersion:    "apisix.apache.org/v2beta3",
+	}
+	s := scaffold.NewScaffold(opts)
+
+	ginkgo.It("restrict consumer_name", func() {
+		err := s.ApisixConsumerBasicAuthCreated("jack1", "jack1-username", "jack1-password")
+		assert.Nil(ginkgo.GinkgoT(), err, "creating basicAuth ApisixConsumer")
+
+		err = s.ApisixConsumerBasicAuthCreated("jack2", "jack2-username", "jack2-password")
+		assert.Nil(ginkgo.GinkgoT(), err, "creating basicAuth ApisixConsumer")
+
+		// Wait until the ApisixConsumer create event was delivered.
+		time.Sleep(6 * time.Second)
+
+		grs, err := s.ListApisixConsumers()
+		assert.Nil(ginkgo.GinkgoT(), err, "listing consumer")
+		assert.Len(ginkgo.GinkgoT(), grs, 2)
+
+		assert.Len(ginkgo.GinkgoT(), grs[0].Plugins, 1)
+		assert.Len(ginkgo.GinkgoT(), grs[1].Plugins, 1)
+
+		username := grs[0].Username
+		basicAuth := grs[0].Plugins["basic-auth"]
+		assert.Equal(ginkgo.GinkgoT(), basicAuth, map[string]interface{}{
+			"username": "jack1-username",
+			"password": "jack1-password",
+		})
+
+		basicAuth2 := grs[1].Plugins["basic-auth"]
+		assert.Equal(ginkgo.GinkgoT(), basicAuth2, map[string]interface{}{
+			"username": "jack2-username",
+			"password": "jack2-password",
+		})
+
+		backendSvc, backendPorts := s.DefaultHTTPBackend()
+
+		ar := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixRoute
+metadata:
+ name: httpbin-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /anything
+   backends:
+   - serviceName: %s
+     servicePort: %d
+   authentication:
+     enable: true
+     type: basicAuth
+   plugins:
+   - name: consumer-restriction
+     enable: true
+     config:
+       whitelist:
+       - "%s"
+`, backendSvc, backendPorts[0], username)
+		assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ar), "creating ApisixRoute with basicAuth")
+		assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixRoutesCreated(1), "Checking number of routes")
+		assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixUpstreamsCreated(1), "Checking number of upstreams")
+
+		_ = s.NewAPISIXClient().GET("/anything").
+			WithHeader("Host", "httpbin.org").
+			WithHeader("Authorization", "Basic amFjazEtdXNlcm5hbWU6amFjazEtcGFzc3dvcmQ=").
+			Expect().
+			Status(http.StatusOK)
+
+		msg401 := s.NewAPISIXClient().GET("/anything").
+			WithHeader("Host", "httpbin.org").
+			Expect().
+			Status(http.StatusUnauthorized).
+			Body().
+			Raw()
+		assert.Contains(ginkgo.GinkgoT(), msg401, "Missing authorization in request")
+
+		msg403 := s.NewAPISIXClient().GET("/anything").
+			WithHeader("Host", "httpbin.org").
+			WithHeader("Authorization", "Basic amFjazItdXNlcm5hbWU6amFjazItcGFzc3dvcmQ=").
+			Expect().
+			Status(http.StatusForbidden).
+			Body().
+			Raw()
+
+		assert.Contains(ginkgo.GinkgoT(), msg403, "The consumer_name is forbidden")
+	})
+
+	ginkgo.It("restrict allowed_by_methods", func() {
+		err := s.ApisixConsumerBasicAuthCreated("jack1", "jack1-username", "jack1-password")
+		assert.Nil(ginkgo.GinkgoT(), err, "creating basicAuth ApisixConsumer")
+
+		err = s.ApisixConsumerBasicAuthCreated("jack2", "jack2-username", "jack2-password")
+		assert.Nil(ginkgo.GinkgoT(), err, "creating basicAuth ApisixConsumer")
+
+		// Wait until the ApisixConsumer create event was delivered.
+		time.Sleep(6 * time.Second)
+
+		grs, err := s.ListApisixConsumers()
+		assert.Nil(ginkgo.GinkgoT(), err, "listing consumer")
+		assert.Len(ginkgo.GinkgoT(), grs, 2)
+
+		assert.Len(ginkgo.GinkgoT(), grs[0].Plugins, 1)
+		assert.Len(ginkgo.GinkgoT(), grs[1].Plugins, 1)
+
+		username := grs[0].Username
+		basicAuth := grs[0].Plugins["basic-auth"]
+		assert.Equal(ginkgo.GinkgoT(), basicAuth, map[string]interface{}{
+			"username": "jack1-username",
+			"password": "jack1-password",
+		})
+
+		username2 := grs[1].Username
+		basicAuth2 := grs[1].Plugins["basic-auth"]
+		assert.Equal(ginkgo.GinkgoT(), basicAuth2, map[string]interface{}{
+			"username": "jack2-username",
+			"password": "jack2-password",
+		})
+
+		backendSvc, backendPorts := s.DefaultHTTPBackend()
+
+		ar := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixRoute
+metadata:
+ name: httpbin-route
+spec:
+ http:
+ - name: rule1
+   match:
+     hosts:
+     - httpbin.org
+     paths:
+       - /anything
+   backends:
+   - serviceName: %s
+     servicePort: %d
+   authentication:
+     enable: true
+     type: basicAuth
+   plugins:
+   - name: consumer-restriction
+     enable: true
+     config:
+       allowed_by_methods:
+       - user: "%s"
+         methods:
+         - "POST"
+         - "GET"
+       - user: "%s"
+         methods:
+         - "GET"
+`, backendSvc, backendPorts[0], username, username2)
+		assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ar), "creating ApisixRoute with basicAuth")
+		assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixRoutesCreated(1), "Checking number of routes")
+		assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixUpstreamsCreated(1), "Checking number of upstreams")
+
+		_ = s.NewAPISIXClient().GET("/anything").
+			WithHeader("Host", "httpbin.org").
+			WithHeader("Authorization", "Basic amFjazEtdXNlcm5hbWU6amFjazEtcGFzc3dvcmQ=").
+			Expect().
+			Status(http.StatusOK)
+
+		_ = s.NewAPISIXClient().POST("/anything").
+			WithHeader("Host", "httpbin.org").
+			WithHeader("Authorization", "Basic amFjazEtdXNlcm5hbWU6amFjazEtcGFzc3dvcmQ=").
+			Expect().
+			Status(http.StatusOK)
+
+		_ = s.NewAPISIXClient().GET("/anything").
+			WithHeader("Host", "httpbin.org").
+			WithHeader("Authorization", "Basic amFjazItdXNlcm5hbWU6amFjazItcGFzc3dvcmQ=").
+			Expect().
+			Status(http.StatusOK)
+
+		msg403 := s.NewAPISIXClient().POST("/anything").
+			WithHeader("Host", "httpbin.org").
+			WithHeader("Authorization", "Basic amFjazItdXNlcm5hbWU6amFjazItcGFzc3dvcmQ=").
+			Expect().
+			Status(http.StatusForbidden).
+			Body().
+			Raw()
+		assert.Contains(ginkgo.GinkgoT(), msg403, "The consumer_name is forbidden")
+
+		msg401 := s.NewAPISIXClient().GET("/anything").
+			WithHeader("Host", "httpbin.org").
+			Expect().
+			Status(http.StatusUnauthorized).
+			Body().
+			Raw()
+		assert.Contains(ginkgo.GinkgoT(), msg401, "Missing authorization in request")
+	})
+})