authorize: add test for denied response (#1197)

2025-05-30 01:17:21 +02:00 · 2020-08-04 21:20:30 +07:00 · 2020-08-04 21:20:30 +07:00 · 351a449023
commit 351a449023
parent 79b5ae7d98
2 changed files with 91 additions and 7 deletions
--- a/authorize/check_response_test.go
+++ b/authorize/check_response_test.go
@ -1,6 +1,7 @@
 package authorize
 import (
 	"html/template"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@ -9,12 +10,15 @@ import (
 	envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
 	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
 	envoy_type "github.com/envoyproxy/go-control-plane/envoy/type"
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/genproto/googleapis/rpc/status"
 	"google.golang.org/grpc/codes"
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/frontend"
 )
 func TestAuthorize_okResponse(t *testing.T) {
@ -141,7 +145,6 @@ func TestAuthorize_okResponse(t *testing.T) {
 	}
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			got := a.okResponse(tc.reply)
 			assert.Equal(t, tc.want.Status.Code, got.Status.Code)
@ -150,3 +153,88 @@ func TestAuthorize_okResponse(t *testing.T) {
 		})
 	}
 }
 func TestAuthorize_deniedResponse(t *testing.T) {
 	a := new(Authorize)
 	encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "")
 	a.currentEncoder.Store(encoder)
 	a.currentOptions.Store(&config.Options{
 		Policies: []config.Policy{{
 			Source: &config.StringURL{URL: &url.URL{Host: "example.com"}},
 			SubPolicies: []config.SubPolicy{{
 				Rego: []string{"allow = true"},
 			}},
 		}},
 	})
 	a.templates = template.Must(frontend.NewTemplates())
 	tests := []struct {
 		name    string
 		in      *envoy_service_auth_v2.CheckRequest
 		code    int32
 		reason  string
 		headers map[string]string
 		want    *envoy_service_auth_v2.CheckResponse
 	}{
 		{
 			"html denied",
 			nil,
 			http.StatusBadRequest,
 			"Access Denied",
 			nil,
 			&envoy_service_auth_v2.CheckResponse{
 				Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
 				HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
 					DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{
 						Status: &envoy_type.HttpStatus{
 							Code: envoy_type.StatusCode(codes.InvalidArgument),
 						},
 						Headers: []*envoy_api_v2_core.HeaderValueOption{
 							mkHeader("Content-Type", "text/html", false),
 						},
 						Body: "Access Denied",
 					},
 				},
 			},
 		},
 		{
 			"plain text denied",
 			&envoy_service_auth_v2.CheckRequest{
 				Attributes: &envoy_service_auth_v2.AttributeContext{
 					Request: &envoy_service_auth_v2.AttributeContext_Request{
 						Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
 							Headers: map[string]string{},
 						},
 					},
 				},
 			},
 			http.StatusBadRequest,
 			"Access Denied",
 			map[string]string{},
 			&envoy_service_auth_v2.CheckResponse{
 				Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
 				HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
 					DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{
 						Status: &envoy_type.HttpStatus{
 							Code: envoy_type.StatusCode(codes.InvalidArgument),
 						},
 						Headers: []*envoy_api_v2_core.HeaderValueOption{
 							mkHeader("Content-Type", "text/plain", false),
 						},
 						Body: "Access Denied",
 					},
 				},
 			},
 		},
 	}
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			got := a.deniedResponse(tc.in, tc.code, tc.reason, tc.headers)
 			assert.Equal(t, tc.want.Status.Code, got.Status.Code)
 			assert.Equal(t, tc.want.Status.Message, got.Status.Message)
 			assert.Equal(t, tc.want.GetDeniedResponse().GetHeaders(), got.GetDeniedResponse().GetHeaders())
 		})
 	}
 }
--- a/go.sum
+++ b/go.sum
@ -28,8 +28,6 @@ contrib.go.opencensus.io/exporter/jaeger v0.2.1/go.mod h1:Y8IsLgdxqh1QxYxPC5IgXV
 contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRqYosuDstRB9un7SOx2k/9ckA=
 contrib.go.opencensus.io/exporter/prometheus v0.2.0 h1:9PUk0/8V0LGoPqVCrf8fQZJkFGBxudu8jOjQSMwoD6w=
 contrib.go.opencensus.io/exporter/prometheus v0.2.0/go.mod h1:TYmVAyE8Tn1lyPcltF5IYYfWp2KHu7lQGIZnj8iZMys=
 contrib.go.opencensus.io/exporter/zipkin v0.1.1 h1:PR+1zWqY8ceXs1qDQQIlgXe+sdiwCf0n32bH4+Epk8g=
 contrib.go.opencensus.io/exporter/zipkin v0.1.1/go.mod h1:GMvdSl3eJ2gapOaLKzTKE3qDgUkJ86k9k3yY2eqwkzc=
 contrib.go.opencensus.io/exporter/zipkin v0.1.2 h1:YqE293IZrKtqPnpwDPH/lOqTWD/s3Iwabycam74JV3g=
 contrib.go.opencensus.io/exporter/zipkin v0.1.2/go.mod h1:mP5xM3rrgOjpn79MM8fZbj3gsxcuytSqtH0dxSWW1RE=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
@ -815,8 +813,7 @@ google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200726014623-da3ae01ef02d h1:HJaAqDnKreMkv+AQyf1Mcw0jEmL9kKBNL07RDJu1N/k=
+google.golang.org/genproto v0.0.0-20200731012542-8145dea6a485 h1:wTk5DQB3+1darAz4Ldomo0r5bUOCKX7gilxQ4sb2kno=
 google.golang.org/genproto v0.0.0-20200726014623-da3ae01ef02d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200731012542-8145dea6a485/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@ -831,8 +828,7 @@ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
-google.golang.org/grpc v1.30.0 h1:M5a8xTlYTxwMn5ZFkwhRabsygDY5G8TYLyQDBxJNAxE=
+google.golang.org/grpc v1.31.0 h1:T7P4R73V3SSDPhH7WW7ATbfViLtmamH0DKrP3f9AuDI=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=