Add custom 'deny with' test and code range assert

Kuadrant · Oct 30, 2023 · 9b1ec76 · 9b1ec76
1 parent 95ac311
commit 9b1ec76
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 1 deletion.
diff --git a/testsuite/openshift/objects/auth_config/sections.py b/testsuite/openshift/objects/auth_config/sections.py
@@ -267,7 +267,13 @@ def set_deny_with(
         headers: dict[str, ABCValue] = None,
         body: ABCValue = None,
     ):
-        """Set default deny code, message, headers, and body for 'unauthenticated' and 'unauthorized' error."""
+        """
+        Set default deny `code`, `message`, `headers`, and `body` for 'unauthenticated' and 'unauthorized' error.
+        `code` is integer range [300, 600)
+        """
+        if code:
+            assert 300 <= code < 600, "HTTP code should be in range [300, 600) for deny action."
+
         asdict_message = asdict(message) if message else None
         asdict_body = asdict(body) if body else None
         asdict_headers = None

diff --git a/testsuite/tests/kuadrant/authorino/response/test_deny_with.py b/testsuite/tests/kuadrant/authorino/response/test_deny_with.py
@@ -0,0 +1,63 @@
+"""Test for custom deny responses."""
+import pytest
+
+from testsuite.objects import Value, ValueFrom, Rule
+
+HEADERS = {
+    "x-string-header": Value("abc"),
+    "x-int-header": Value(16),
+    "x-list-header": Value([1, 2, 3]),
+    "x-dict-header": Value({"anything": "something"}),
+    "x-dynamic-header": ValueFrom("context.request.http.path"),
+}
+
+TESTING_PATH = "/deny"
+
+
+@pytest.fixture(scope="module")
+def authorization(authorization):
+    """Set custom deny responses and auth rule with only allowed path '/allow'"""
+    authorization.responses.set_deny_with(
+        "unauthenticated",
+        code=333,
+        headers=HEADERS,
+        message=Value("Unauthenticated message"),
+        body=Value("You are unauthenticated."),
+    )
+    authorization.responses.set_deny_with(
+        "unauthorized",
+        code=444,
+        headers=HEADERS,
+        message=ValueFrom("My path is: " + "{context.request.http.path}"),
+        body=ValueFrom("You are unauthorized from path: " + "{context.request.http.path}"),
+    )
+    # Authorize only when url path is "/allow"
+    authorization.authorization.add_auth_rules("Whitelist", [Rule("context.request.http.path", "eq", "/allow")])
+    return authorization
+
+
+def check_headers(response):
+    """Check deny headers with normalization between HTTP strings and Python strings."""
+    assert response.headers["x-string-header"] == HEADERS["x-string-header"].value
+    assert response.headers["x-int-header"] == str(HEADERS["x-int-header"].value)
+    assert response.headers["x-list-header"] == str(HEADERS["x-list-header"].value).replace(" ", "")
+    assert response.headers["x-dict-header"] == str(HEADERS["x-dict-header"].value).replace(" ", "").replace("'", '"')
+    assert response.headers["x-dynamic-header"] == TESTING_PATH
+
+
+def test_unauthenticated(client):
+    """Test when no auth is passed results in custom unauthenticated response."""
+    response = client.get("/deny", auth=None)
+    assert response.status_code == 333
+    check_headers(response)
+    assert response.headers["x-ext-auth-reason"] == "Unauthenticated message"
+    assert response.content.decode() == "You are unauthenticated."
+
+
+def test_unauthorized(client, auth):
+    """Test when not allowed path is passed results in custom unauthorized response."""
+    response = client.get("/deny", auth=auth)
+    assert response.status_code == 444
+    check_headers(response)
+    assert response.headers["x-ext-auth-reason"] == f"My path is: {TESTING_PATH}"
+    assert response.content.decode() == f"You are unauthorized from path: {TESTING_PATH}"