Merge remote-tracking branch 'origin/master' into PROM-5262-x-service…

…-tag-preference-debug

CHANGELOG.md

@@ -3,6 +3,10 @@
 Lists all changes with user impact.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
+## [0.22.8]
+### Changed
+- added tests for missing and malformed JWT token scenarios
+
 ## [0.22.7]
 ### Changed
 - fixed running e2e tests locally on MacOS

envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/JWTFilterTest.kt

@@ -4,7 +4,7 @@ import okhttp3.FormBody
 import okhttp3.Headers.Companion.headersOf
 import okhttp3.OkHttpClient
 import okhttp3.Request
-import okhttp3.RequestBody
+import okhttp3.RequestBody.Companion.toRequestBody
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.jupiter.api.BeforeEach
 import org.junit.jupiter.api.Test
@@ -93,6 +93,9 @@ class JWTFilterTest {
                   incoming:
                     unlistedEndpointsPolicy: blockAndLog
                     endpoints: 
+                    - path: '/unprotected'
+                      clients: ['echo2']
+                      unlistedClientsPolicy: blockAndLog
                     - path: '/first-provider-protected'
                       clients: ['echo2']
                       unlistedClientsPolicy: blockAndLog
@@ -205,6 +208,56 @@ class JWTFilterTest {
         envoy.waitForReadyServices("oauth")
     }
 
+    @Test
+    fun `should allow request without jwt for unprotected endpoint`() {
+
+        // given
+        registerEnvoyServiceAndWait()
+
+        // when
+        val response = echo2Envoy.egressOperations.callService(
+            service = "echo",
+            pathAndQuery = "/unprotected"
+        )
+
+        // then
+        assertThat(response).isOk().isFrom(service)
+    }
+
+    @Test
+    fun `should allow request with expired token for unprotected endpoint`() {
+        // given
+        val invalidToken = this::class.java.classLoader
+            .getResource("oauth/invalid_jwks_token")!!.readText()
+        registerEnvoyServiceAndWait()
+
+        // when
+        val response = echo2Envoy.egressOperations.callService(
+            service = "echo",
+            pathAndQuery = "/unprotected",
+            headers = mapOf("Authorization" to "Bearer $invalidToken")
+        )
+
+        // then
+        assertThat(response).isOk().isFrom(service)
+    }
+
+    @Test
+    fun `should allow request with malformed token for unprotected endpoint`() {
+        // given
+        registerEnvoyServiceAndWait()
+
+        // when
+        val response = echo2Envoy.egressOperations.callService(
+            service = "echo",
+            pathAndQuery = "/unprotected",
+            headers = mapOf("Authorization" to "Bearer malformed_token")
+        )
+
+        // then
+        assertThat(response).isOk().isFrom(service)
+    }
+
     @Test
     fun `should reject request without jwt`() {
 
@@ -545,7 +598,7 @@ class JWTFilterTest {
              "authorities":["$authority"]
         }"""
         return OkHttpClient().newCall(
-            Request.Builder().put(RequestBody.create(MediaType.JSON_MEDIA_TYPE, body))
+            Request.Builder().put(body.toRequestBody(MediaType.JSON_MEDIA_TYPE))
                 .url("http://localhost:${oAuthServer.container().port()}/$provider/client").build()
         )
             .execute().close()