diff --git a/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go
index 89e8f3de50..20d6f3bf29 100644
--- a/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go
+++ b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go
@@ -63,7 +63,7 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 msg: "Allow Requests with spaces in path",
 filterName: "opaAuthorizeRequest",
 bundleName: "somebundle.tar.gz",
- regoQuery: "envoy/authz/allow",
+ regoQuery: "envoy/authz/allow_with_space_in_path",
 requestPath: "/my%20path",
 requestMethod: "GET",
 contextExtensions: "",
@@ -106,7 +106,7 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 msg: "Allow Requests with query parameters",
 filterName: "opaAuthorizeRequest",
 bundleName: "somebundle.tar.gz",
- regoQuery: "envoy/authz/allow",
+ regoQuery: "envoy/authz/allow_with_query",
 requestPath: "/allow-with-query?pass=yes&id=1&id=2&msg=help%20me",
 requestMethod: "GET",
 contextExtensions: "",
@@ -173,8 +173,8 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 msg: "Simple Forbidden with Query Parameters",
 filterName: "opaAuthorizeRequest",
 bundleName: "somebundle.tar.gz",
- regoQuery: "envoy/authz/allow",
- requestPath: "/allow-with-query?tofail=true",
+ regoQuery: "envoy/authz/deny_with_query",
+ requestPath: "/allow-me?tofail=true",
 requestMethod: "GET",
 contextExtensions: "",
 expectedStatus: http.StatusForbidden,
@@ -384,6 +384,20 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 backendHeaders: make(http.Header),
 removeHeaders: make(http.Header),
 },
+ {
+ msg: "Allow Requests ignoring fragment",
+ filterName: "opaAuthorizeRequest",
+ bundleName: "somebundle.tar.gz",
+ regoQuery: "envoy/authz/allow_with_path_having_fragment",
+ requestPath: "/path-with-empty-query#fragment?",
+ requestMethod: "GET",
+ contextExtensions: "",
+ expectedStatus: http.StatusOK,
+ expectedBody: "Welcome!",
+ expectedHeaders: make(http.Header),
+ backendHeaders: make(http.Header),
+ removeHeaders: make(http.Header),
+ },
 } {
 t.Run(ti.msg, func(t *testing.T) {
 t.Logf("Running test for %v", ti)
@@ -405,33 +419,44 @@ func TestAuthorizeRequestFilter(t *testing.T) { "main.rego": ` package envoy.authz - default allow = false + default allow := false + default deny_with_query := false allow { - input.parsed_path = [ "allow" ] - input.parsed_query = {} + input.parsed_path == [ "allow" ] + input.parsed_query == {} } allow_with_http_path { input.attributes.request.http.path == "/some/api/path?q1=v1&msg=help%20me" } - allow { - input.parsed_path = [ "my path" ] + allow_with_space_in_path { + input.parsed_path == [ "my path" ] } allow_with_path_having_empty_query { - input.parsed_path = [ "path-with-empty-query" ] - input.parsed_query = {} + input.parsed_path == [ "path-with-empty-query" ] + input.parsed_query == {} } - allow { - input.parsed_path = [ "allow-with-query" ] + allow_with_query { + input.parsed_path == [ "allow-with-query" ] input.parsed_query.pass == ["yes"] input.parsed_query.id == ["1", "2"] input.parsed_query.msg == ["help me"] } + deny_with_query { + input.attributes.request.http.path == "/allow-me?tofail=true" + not input.parsed_query.tofail == ["true"] + } + + allow_with_path_having_fragment { + input.parsed_path == [ "path-with-empty-query" ] + input.attributes.request.http.path == "/path-with-empty-query" + } + allow_context_extensions { input.attributes.contextExtensions["com.mycompany.myprop"] == "myvalue" } @@ -440,15 +465,15 @@ func TestAuthorizeRequestFilter(t *testing.T) { opa.runtime().config.labels.environment == "test" } - default allow_object = { + default allow_object := { "allowed": false, "headers": {"x-ext-auth-allow": "no"}, "body": "Unauthorized Request", "http_status": 401 } - allow_object = response { - input.parsed_path = [ "allow", "structured" ] + allow_object := response { + input.parsed_path == [ "allow", "structured" ] response := { "allowed": true, "headers": { 
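Review bot: The new `allow_with_path_having_fragment` rule checks `parsed_path` and `http.path` but not `parsed_query`, so the "Allow Requests ignoring fragment" case never confirms that the `?` inside `#fragment?` is discarded rather than surfacing as a stray or empty query; adding `input.parsed_query == {}` to the rule body pins that, mirroring what `allow_with_path_having_empty_query` already asserts. `deny_with_query` is also worth a comment: it is queried as the authorization decision by the "Simple Forbidden with Query Parameters" case yet is unsatisfiable by construction (the fixed path carries `tofail=true`, which the `not` clause rejects), so it only ever evaluates true — and would appear to grant the request — if `parsed_query` stopped exposing `tofail`. A line such as `# intentionally unsatisfiable: becomes true only if parsed_query fails to expose tofail` above the rule would keep the next reader from treating it as a real deny rule, since the name suggests the opposite of how the filter seems to consume it. The enclosing `TestAuthorizeRequestFilter` and the Rego fixture string both begin outside this hunk.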
@@ -477,7 +502,7 @@ func TestAuthorizeRequestFilter(t *testing.T) { "headers": "bogus string instead of object" } - default allow_body = false + default allow_body := false allow_body { input.parsed_body.target_id == "123456" @@ -485,7 +510,7 @@ func TestAuthorizeRequestFilter(t *testing.T) { decision_id := input.attributes.metadataContext.filterMetadata.open_policy_agent.decision_id - allow_object_decision_id_in_header = response { + allow_object_decision_id_in_header := response { input.parsed_path = ["allow", "structured"] decision_id response := { diff --git a/filters/openpolicyagent/opaserveresponse/opaserveresponse_test.go b/filters/openpolicyagent/opaserveresponse/opaserveresponse_test.go index 89c4e611d8..6809ceb9b3 100644 --- a/filters/openpolicyagent/opaserveresponse/opaserveresponse_test.go +++ b/filters/openpolicyagent/opaserveresponse/opaserveresponse_test.go @@ -77,7 +77,7 @@ func TestServerResponseFilter(t *testing.T) { regoQuery: "envoy/authz/allow_object", requestPath: "/allow/structured/with-empty-query-string?", expectedStatus: http.StatusOK, - expectedBody: "Welcome from policy!", + expectedBody: "Welcome from policy with empty query string!", expectedHeaders: map[string][]string{"X-Ext-Auth-Allow": {"yes"}}, }, { @@ -87,7 +87,7 @@ func TestServerResponseFilter(t *testing.T) { regoQuery: "envoy/authz/allow_object", requestPath: "/allow/structured/with-query?pass=yes", expectedStatus: http.StatusOK, - expectedBody: "Welcome from policy!", + expectedBody: "Welcome from policy with query params!", expectedHeaders: map[string][]string{"X-Ext-Auth-Allow": {"yes"}}, }, { 
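Review bot: In the `@@ -485` hunk the head of `allow_object_decision_id_in_header` is switched to `:=` but its first body expression is left as unification, `input.parsed_path = ["allow", "structured"]`, while every sibling rule in this diff is moved to `==`; change it to `input.parsed_path == ["allow", "structured"]` so the fixture is uniformly comparison-based and consistent with the stricter Rego style the rest of the change appears to target. The rule body and the enclosing test function continue outside the hunk.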
@@ -172,21 +172,21 @@ func TestServerResponseFilter(t *testing.T) { "main.rego": ` package envoy.authz - default allow = false + default allow := false allow { - input.parsed_path = [ "allow" ] + input.parsed_path == [ "allow" ] } - default allow_object = { + default allow_object := { "allowed": false, "headers": {"x-ext-auth-allow": "no"}, "body": "Unauthorized Request", "http_status": 403 } - allow_object = response { - input.parsed_path = [ "allow", "structured" ] + allow_object := response { + input.parsed_path == [ "allow", "structured" ] response := { "allowed": true, "headers": {"x-ext-auth-allow": "yes"}, @@ -195,30 +195,30 @@ func TestServerResponseFilter(t *testing.T) { } } - allow_object = response { - input.parsed_path = [ "allow", "structured", "with-empty-query-string" ] + allow_object := response { + input.parsed_path == [ "allow", "structured", "with-empty-query-string" ] input.parsed_query == {} response := { "allowed": true, "headers": {"x-ext-auth-allow": "yes"}, - "body": "Welcome from policy!", + "body": "Welcome from policy with empty query string!", "http_status": 200 } } - allow_object = response { - input.parsed_path = [ "allow", "structured", "with-query" ] + allow_object := response { + input.parsed_path == [ "allow", "structured", "with-query" ] input.parsed_query.pass == ["yes"] response := { "allowed": true, "headers": {"x-ext-auth-allow": "yes"}, - "body": "Welcome from policy!", + "body": "Welcome from policy with query params!", "http_status": 200 } } - allow_object = response { - input.parsed_path = [ "allow", "production" ] + allow_object := response { + input.parsed_path == [ "allow", "production" ] opa.runtime().config.labels.environment == "production" response := { "allowed": true, 
@@ -228,8 +228,8 @@ func TestServerResponseFilter(t *testing.T) { } } - allow_object = response { - input.parsed_path = [ "allow", "test" ] + allow_object := response { + input.parsed_path == [ "allow", "test" ] opa.runtime().config.labels.environment == "test" response := { "allowed": true, @@ -239,8 +239,8 @@ func TestServerResponseFilter(t *testing.T) { } } - allow_object_structured_body = response { - input.parsed_path = [ "allow", "structured" ] + allow_object_structured_body := response { + input.parsed_path == [ "allow", "structured" ] response := { "allowed": true, "headers": {"x-ext-auth-allow": "yes"}, @@ -249,8 +249,8 @@ func TestServerResponseFilter(t *testing.T) { } } - allow_object_contextextensions = response { - input.parsed_path = [ "allow", "structured" ] + allow_object_contextextensions := response { + input.parsed_path == [ "allow", "structured" ] response := { "allowed": true, "headers": {"x-ext-auth-allow": "yes"}, @@ -259,7 +259,7 @@ func TestServerResponseFilter(t *testing.T) { } } - allow_object_req_body = response { + allow_object_req_body := response { response := { "allowed": true, "headers": {},