Use http-echo to log the returned tokens in e2e tests

istio-ecosystem · Feb 23, 2024 · d463e3c · d463e3c
1 parent f014b3d
commit d463e3c
Show file tree

Hide file tree

Showing 9 changed files with 83 additions and 29 deletions.
diff --git a/e2e/istio/cluster/manifests/authservice.yaml b/e2e/istio/cluster/manifests/authservice.yaml
@@ -120,7 +120,10 @@ data:
                 "cookie_name_prefix": "authservice",
                 "id_token": {
                   "preamble": "Bearer",
-                  "header": "Authorization"
+                  "header": "authorization"
+                },
+                "access_token": {
+                  "header": "x-access-token"
                 },
                 "redis_session_store_config": {
                   "server_uri": "redis://redis.redis.svc.cluster.local:6379"

diff --git a/e2e/keycloak/authz-config.json b/e2e/keycloak/authz-config.json
@@ -18,6 +18,9 @@
               "preamble": "Bearer",
               "header": "authorization"
             },
+            "access_token": {
+              "header": "x-access-token"
+            },
             "logout": {
               "path": "/logout",
               "redirect_uri": "https://host.docker.internal:9443/realms/master/protocol/openid-connect/logout"

diff --git a/e2e/keycloak/docker-compose.yaml b/e2e/keycloak/docker-compose.yaml
@@ -15,9 +15,8 @@
 version: "3.9"
 
 services:
-  # This is the main backend service. It returns a fixed HTTP 200 response.
-  # It is configured to serve on port 443, and to use the ext-authz filter
-  # to intercept all requests.
+  # This is a proxy that intercepts requests to the target application and calls the authservice to
+  # perform the OIDC authorization check.
   envoy:
     depends_on:
       ext-authz:
@@ -35,6 +34,12 @@ services:
         source: certs
         target: /etc/envoy/certs
 
+  # This is a simple HTTP server that will be used as the target application for the tests.
+  http-echo:
+    image: jmalloc/echo-server:0.3.6
+    platform: linux/${ARCH:-amd64}
+    hostname: http-echo
+
   # idp-proxy is a proxy that will be used to forward traffic to the external authorization server
   # Set the OIDC config `proxy_url` to `http://idp-proxy:9000` in the `authservice` config to use this proxy.
   idp-proxy:

diff --git a/e2e/keycloak/envoy-config.yaml b/e2e/keycloak/envoy-config.yaml
@@ -37,10 +37,8 @@ static_resources:
                       routes:
                         - match:
                             prefix: "/"
-                          direct_response:
-                            status: 200
-                            body:
-                              inline_string: "Access allowed\n"
+                          route:
+                            cluster: http_echo
                 http_filters:
                   - name: envoy.filters.http.ext_authz
                     typed_config:
@@ -86,3 +84,21 @@ static_resources:
                     socket_address:
                       address: ext-authz
                       port_value: 10003
+    - name: http_echo
+      connect_timeout: 0.25s
+      type: LOGICAL_DNS
+      lb_policy: ROUND_ROBIN
+      typed_extension_protocol_options:
+        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+          "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+          explicit_http_config:
+            http2_protocol_options: {}
+      load_assignment:
+        cluster_name: http_echo
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: http-echo
+                      port_value: 8080
diff --git a/e2e/keycloak/keycloak_test.go b/e2e/keycloak/keycloak_test.go
@@ -45,6 +45,7 @@ var (
 	}
 
 	idpProxyService = "idp-proxy"
+	okPayload       = "Request served by http-echo"
 )
 
 func TestOIDCUsesTheConfiguredProxy(t *testing.T) {
@@ -101,7 +102,7 @@ func TestOIDC(t *testing.T) {
 	body, err := io.ReadAll(res.Body)
 	require.NoError(t, err)
 	require.Equal(t, http.StatusOK, res.StatusCode)
-	require.Contains(t, string(body), "Access allowed")
+	require.Contains(t, string(body), okPayload)
 }
 
 func TestOIDCRefreshTokens(t *testing.T) {
@@ -128,7 +129,7 @@ func TestOIDCRefreshTokens(t *testing.T) {
 	body, err := io.ReadAll(res.Body)
 	require.NoError(t, err)
 	require.Equal(t, http.StatusOK, res.StatusCode)
-	require.Contains(t, string(body), "Access allowed")
+	require.Contains(t, string(body), okPayload)
 
 	// Access tokens should expire in 10 seconds (tried with 5, but keycloak setup fails)
 	// Let's perform a request now and after 10 seconds to verify that the access token is refreshed
@@ -140,7 +141,7 @@ func TestOIDCRefreshTokens(t *testing.T) {
 		body, err = io.ReadAll(res.Body)
 		require.NoError(t, err)
 		require.Equal(t, http.StatusOK, res.StatusCode)
-		require.Contains(t, string(body), "Access allowed")
+		require.Contains(t, string(body), okPayload)
 	})
 
 	t.Log("waiting for access token to expire...")
@@ -153,7 +154,7 @@ func TestOIDCRefreshTokens(t *testing.T) {
 		body, err = io.ReadAll(res.Body)
 		require.NoError(t, err)
 		require.Equal(t, http.StatusOK, res.StatusCode)
-		require.Contains(t, string(body), "Access allowed")
+		require.Contains(t, string(body), okPayload)
 	})
 }
 
@@ -184,7 +185,7 @@ func TestOIDCLogout(t *testing.T) {
 		body, err := io.ReadAll(res.Body)
 		require.NoError(t, err)
 		require.Equal(t, http.StatusOK, res.StatusCode)
-		require.Contains(t, string(body), "Access allowed")
+		require.Contains(t, string(body), okPayload)
 	})
 
 	t.Run("second request works without login redirect", func(t *testing.T) {
@@ -195,7 +196,7 @@ func TestOIDCLogout(t *testing.T) {
 		body, err := io.ReadAll(res.Body)
 		require.NoError(t, err)
 		require.Equal(t, http.StatusOK, res.StatusCode)
-		require.Contains(t, string(body), "Access allowed")
+		require.Contains(t, string(body), okPayload)
 	})
 
 	t.Run("logout", func(t *testing.T) {
@@ -233,6 +234,6 @@ func TestOIDCLogout(t *testing.T) {
 		body, err := io.ReadAll(res.Body)
 		require.NoError(t, err)
 		require.Equal(t, http.StatusOK, res.StatusCode)
-		require.Contains(t, string(body), "Access allowed")
+		require.Contains(t, string(body), okPayload)
 	})
 }
diff --git a/e2e/legacy/authz-config.json b/e2e/legacy/authz-config.json
@@ -23,6 +23,9 @@
               "preamble": "Bearer",
               "header": "authorization"
             },
+            "access_token": {
+              "header": "x-access-token"
+            },
             "logout": {
               "path": "/logout",
               "redirect_uri": "https://host.docker.internal:9443/realms/master/protocol/openid-connect/logout"

diff --git a/e2e/legacy/docker-compose.yaml b/e2e/legacy/docker-compose.yaml
@@ -15,9 +15,8 @@
 version: "3.9"
 
 services:
-  # This is the main backend service. It returns a fixed HTTP 200 response.
-  # It is configured to serve on port 443, and to use the ext-authz filter
-  # to intercept all requests.
+  # This is a proxy that intercepts requests to the target application and calls the authservice to
+  # perform the OIDC authorization check.
   envoy:
     depends_on:
       ext-authz:
@@ -35,6 +34,12 @@ services:
         source: certs
         target: /etc/envoy/certs
 
+  # This is a simple HTTP server that will be used as the target application for the tests.
+  http-echo:
+    image: jmalloc/echo-server:0.3.6
+    platform: linux/${ARCH:-amd64}
+    hostname: http-echo
+
   # This is the `authservice` image that should be up-to-date when running the tests.
   ext-authz:
     depends_on:

diff --git a/e2e/legacy/envoy-config.yaml b/e2e/legacy/envoy-config.yaml
@@ -37,10 +37,8 @@ static_resources:
                       routes:
                         - match:
                             prefix: "/"
-                          direct_response:
-                            status: 200
-                            body:
-                              inline_string: "Access allowed\n"
+                          route:
+                            cluster: http_echo
                 http_filters:
                   - name: envoy.filters.http.ext_authz
                     typed_config:
@@ -86,3 +84,21 @@ static_resources:
                     socket_address:
                       address: ext-authz
                       port_value: 10003
+    - name: http_echo
+      connect_timeout: 0.25s
+      type: LOGICAL_DNS
+      lb_policy: ROUND_ROBIN
+      typed_extension_protocol_options:
+        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+          "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+          explicit_http_config:
+            http2_protocol_options: {}
+      load_assignment:
+        cluster_name: http_echo
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: http-echo
+                      port_value: 8080
diff --git a/e2e/legacy/legacy_test.go b/e2e/legacy/legacy_test.go
@@ -43,6 +43,8 @@ var (
 		"host.docker.internal:9443": "localhost:9443", // Keycloak
 		"host.docker.internal:8443": "localhost:8443", // Target application
 	}
+
+	okPayload = "Request served by http-echo"
 )
 
 func TestOIDC(t *testing.T) {
@@ -69,7 +71,7 @@ func TestOIDC(t *testing.T) {
 	body, err := io.ReadAll(res.Body)
 	require.NoError(t, err)
 	require.Equal(t, http.StatusOK, res.StatusCode)
-	require.Contains(t, string(body), "Access allowed")
+	require.Contains(t, string(body), okPayload)
 }
 
 func TestOIDCRefreshTokens(t *testing.T) {
@@ -96,7 +98,7 @@ func TestOIDCRefreshTokens(t *testing.T) {
 	body, err := io.ReadAll(res.Body)
 	require.NoError(t, err)
 	require.Equal(t, http.StatusOK, res.StatusCode)
-	require.Contains(t, string(body), "Access allowed")
+	require.Contains(t, string(body), okPayload)
 
 	// Access tokens should expire in 10 seconds (tried with 5, but keycloak setup fails)
 	// Let's perform a request now and after 10 seconds to verify that the access token is refreshed
@@ -108,7 +110,7 @@ func TestOIDCRefreshTokens(t *testing.T) {
 		body, err = io.ReadAll(res.Body)
 		require.NoError(t, err)
 		require.Equal(t, http.StatusOK, res.StatusCode)
-		require.Contains(t, string(body), "Access allowed")
+		require.Contains(t, string(body), okPayload)
 	})
 
 	t.Log("waiting for access token to expire...")
@@ -121,7 +123,7 @@ func TestOIDCRefreshTokens(t *testing.T) {
 		body, err = io.ReadAll(res.Body)
 		require.NoError(t, err)
 		require.Equal(t, http.StatusOK, res.StatusCode)
-		require.Contains(t, string(body), "Access allowed")
+		require.Contains(t, string(body), okPayload)
 	})
 }
 
@@ -151,7 +153,7 @@ func TestOIDCLogout(t *testing.T) {
 		body, err := io.ReadAll(res.Body)
 		require.NoError(t, err)
 		require.Equal(t, http.StatusOK, res.StatusCode)
-		require.Contains(t, string(body), "Access allowed")
+		require.Contains(t, string(body), okPayload)
 	})
 
 	t.Run("second request works without login redirect", func(t *testing.T) {
@@ -162,7 +164,7 @@ func TestOIDCLogout(t *testing.T) {
 		body, err := io.ReadAll(res.Body)
 		require.NoError(t, err)
 		require.Equal(t, http.StatusOK, res.StatusCode)
-		require.Contains(t, string(body), "Access allowed")
+		require.Contains(t, string(body), okPayload)
 	})
 
 	t.Run("logout", func(t *testing.T) {
@@ -200,6 +202,6 @@ func TestOIDCLogout(t *testing.T) {
 		body, err := io.ReadAll(res.Body)
 		require.NoError(t, err)
 		require.Equal(t, http.StatusOK, res.StatusCode)
-		require.Contains(t, string(body), "Access allowed")
+		require.Contains(t, string(body), okPayload)
 	})
 }