add: testcases for SNI in JWT provider
sreeram77 committed Feb 19, 2025
1 parent 53580d6 commit 6800d79
Showing 11 changed files with 192 additions and 19 deletions.
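--- a/agent/xds/clusters_test.go
+++ b/agent/xds/clusters_test.go
@@ -230,29 +230,44 @@ func TestMakeJWTProviderCluster(t *testing.T) {
 },
 expectedError: "cannot create JWKS cluster for non remote JWKS. Provider Name: okta",
 },
+"https-provider-with-hostname-no-port-with-sni": {
+provider: makeTestProviderWithJWKS("https://example-okta.com/.well-known/jwks.json", true),
+},
 "https-provider-with-hostname-no-port": {
-provider: makeTestProviderWithJWKS("https://example-okta.com/.well-known/jwks.json"),
+provider: makeTestProviderWithJWKS("https://example-okta.com/.well-known/jwks.json", false),
 },
 "http-provider-with-hostname-no-port": {
-provider: makeTestProviderWithJWKS("http://example-okta.com/.well-known/jwks.json"),
+provider: makeTestProviderWithJWKS("http://example-okta.com/.well-known/jwks.json", true),
 },
+"http-provider-with-hostname-no-port-with-sni": {
+provider: makeTestProviderWithJWKS("http://example-okta.com/.well-known/jwks.json", true),
+},
 "https-provider-with-hostname-and-port": {
-provider: makeTestProviderWithJWKS("https://example-okta.com:90/.well-known/jwks.json"),
+provider: makeTestProviderWithJWKS("https://example-okta.com:90/.well-known/jwks.json", false),
 },
 "http-provider-with-hostname-and-port": {
-provider: makeTestProviderWithJWKS("http://example-okta.com:90/.well-known/jwks.json"),
+provider: makeTestProviderWithJWKS("http://example-okta.com:90/.well-known/jwks.json", false),
 },
+"http-provider-with-hostname-and-port-with-sni": {
+provider: makeTestProviderWithJWKS("http://example-okta.com:90/.well-known/jwks.json", true),
+},
+"https-provider-with-ip-no-port-with-sni": {
+provider: makeTestProviderWithJWKS("https://127.0.0.1", true),
+},
 "https-provider-with-ip-no-port": {
-provider: makeTestProviderWithJWKS("https://127.0.0.1"),
+provider: makeTestProviderWithJWKS("https://127.0.0.1", false),
 },
 "http-provider-with-ip-no-port": {
-provider: makeTestProviderWithJWKS("http://127.0.0.1"),
+provider: makeTestProviderWithJWKS("http://127.0.0.1", false),
 },
+"https-provider-with-ip-and-port-with-sni": {
+provider: makeTestProviderWithJWKS("https://127.0.0.1:9091", true),
+},
 "https-provider-with-ip-and-port": {
-provider: makeTestProviderWithJWKS("https://127.0.0.1:9091"),
+provider: makeTestProviderWithJWKS("https://127.0.0.1:9091", false),
 },
 "http-provider-with-ip-and-port": {
-provider: makeTestProviderWithJWKS("http://127.0.0.1:9091"),
+provider: makeTestProviderWithJWKS("http://127.0.0.1:9091", true),
 },
 }
 
@@ -272,11 +287,12 @@ func TestMakeJWTProviderCluster(t *testing.T) {
 }
 }
 
-func makeTestProviderWithJWKS(uri string) *structs.JWTProviderConfigEntry {
+func makeTestProviderWithJWKS(uri string, useSNI bool) *structs.JWTProviderConfigEntry {
 return &structs.JWTProviderConfigEntry{
 Kind: "jwt-provider",
 Name: "okta",
 Issuer: "test-issuer",
+UseSNI: useSNI,
 JSONWebKeySet: &structs.JSONWebKeySet{
 Remote: &structs.RemoteJWKS{
 RequestTimeoutMs: 1000,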
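Review bot: Two cases in the TestMakeJWTProviderCluster table pass `true` although their names carry no `-with-sni` suffix: `http-provider-with-hostname-no-port` and `http-provider-with-ip-and-port`. The first is now input-identical to `http-provider-with-hostname-no-port-with-sni`, so the plain-HTTP, UseSNI=false path for that URI is no longer exercised, and anyone auditing which TLS settings the table covers will be misled by the names. I would change both to `false`, e.g. `provider: makeTestProviderWithJWKS("http://example-okta.com/.well-known/jwks.json", false),`, and add an `https-provider-with-hostname-and-port-with-sni` case, which is the only HTTPS URI shape left without a UseSNI=true variant. The body of makeTestProviderWithJWKS continues past the end of the second hunk.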
Expand Up @@ -138,8 +138,7 @@
"filename": "mycert.crt"
}
}
},
"sni": "test.test.com"
}
}
},
"type": "STATIC"
@@ -0,0 +1,24 @@
{
"connectTimeout": "5s",
"loadAssignment": {
"clusterName": "jwks_cluster_okta",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"socketAddress": {
"address": "example-okta.com",
"portValue": 90
}
}
}
}
]
}
]
},
"name": "jwks_cluster_okta",
"type": "STATIC"
}
@@ -0,0 +1,24 @@
{
"connectTimeout": "5s",
"loadAssignment": {
"clusterName": "jwks_cluster_okta",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"socketAddress": {
"address": "example-okta.com",
"portValue": 80
}
}
}
}
]
}
]
},
"name": "jwks_cluster_okta",
"type": "STATIC"
}
Expand Up @@ -30,8 +30,7 @@
"filename": "mycert.crt"
}
}
},
"sni": "example-okta.com"
}
}
},
"type": "STATIC"
@@ -0,0 +1,38 @@
{
"connectTimeout": "5s",
"loadAssignment": {
"clusterName": "jwks_cluster_okta",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"socketAddress": {
"address": "example-okta.com",
"portValue": 443
}
}
}
}
]
}
]
},
"name": "jwks_cluster_okta",
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
"commonTlsContext": {
"validationContext": {
"trustedCa": {
"filename": "mycert.crt"
}
}
},
"sni": "example-okta.com"
}
},
"type": "STATIC"
}
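Review bot: The `validationContext` in this expected cluster holds only `trustedCa`, so the fixture pins a TLS context in which nothing ties the presented certificate to `example-okta.com`. In Envoy, `sni` on `UpstreamTlsContext` only sets the name sent in the ClientHello; checking the certificate's name needs a SAN matcher such as `matchTypedSubjectAltNames` in the validation context. As rendered, any certificate that chains to `mycert.crt` would presumably be accepted for the JWKS fetch, so the generating code (not visible in this section) should add the matcher and this golden file should expect it. The same applies to the other HTTPS golden files in this commit.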
Expand Up @@ -30,8 +30,7 @@
"filename": "mycert.crt"
}
}
},
"sni": "example-okta.com"
}
}
},
"type": "STATIC"
@@ -0,0 +1,38 @@
{
"connectTimeout": "5s",
"loadAssignment": {
"clusterName": "jwks_cluster_okta",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"socketAddress": {
"address": "127.0.0.1",
"portValue": 9091
}
}
}
}
]
}
]
},
"name": "jwks_cluster_okta",
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
"commonTlsContext": {
"validationContext": {
"trustedCa": {
"filename": "mycert.crt"
}
}
},
"sni": "127.0.0.1"
}
},
"type": "STATIC"
}
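Review bot: `"sni": "127.0.0.1"` pins an IP literal as the TLS server name, which RFC 6066 does not permit in the SNI HostName field. Servers may ignore or reject such a ClientHello, so for an IP-addressed JWKS endpoint the cluster should probably omit `sni` even when UseSNI is true and rely on an IP SAN check instead; the code that produces this value is not visible here. The golden file for the IP-without-port case, which expects the same `"sni": "127.0.0.1"` with `"portValue": 443`, has the same problem.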
Expand Up @@ -30,8 +30,7 @@
"filename": "mycert.crt"
}
}
},
"sni": "127.0.0.1"
}
}
},
"type": "STATIC"
@@ -0,0 +1,38 @@
{
"connectTimeout": "5s",
"loadAssignment": {
"clusterName": "jwks_cluster_okta",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"socketAddress": {
"address": "127.0.0.1",
"portValue": 443
}
}
}
}
]
}
]
},
"name": "jwks_cluster_okta",
"transportSocket": {
"name": "tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
"commonTlsContext": {
"validationContext": {
"trustedCa": {
"filename": "mycert.crt"
}
}
},
"sni": "127.0.0.1"
}
},
"type": "STATIC"
}
Expand Up @@ -30,8 +30,7 @@
"filename": "mycert.crt"
}
}
},
"sni": "127.0.0.1"
}
}
},
"type": "STATIC"