add path to rbac filter #994
kozjanAnnotations
10 errors and 4 warnings
|
resilence_test
Process completed with exit code 1.
|
|
RBACFilterFactoryJwtTest.should generate RBAC rules for STRICT OAuth Policy:
envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/rbac/RBACFilterFactoryJwtTest.kt#L87
org.opentest4j.AssertionFailedError:
expected:
name: "envoy.filters.http.rbac"
typed_config {
type_url: "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC"
value: "\n\255\004\022\252\004\n\205\002IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[ClientWithSelector(name=client1, selector=null, negated=false)], unlistedClientsPolicy=BLOCKANDLOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=STRICT))\022\237\002\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\352\001\n\347\001\n|\nz\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\n2:0\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\005\n\003exp\032\002(\001\ng\022e\n\026\"\024\022\022\n\020spiffe://client1\nK\nI\n*2(\n\n:authority\"\032envoy-original-destination\n\0332\031\n\016x-service-name\"\aclient1\022\255\004\022\252\004\n\205\002IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[ClientWithSelector(name=client1, selector=null, negated=false)], unlistedClientsPolicy=BLOCKANDLOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=STRICT))\022\237\002\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\352\001\n\347\001\n|\nz\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\n2:0\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\005\n\003exp\032\002(\001\ng\022e\n\026\"\024\022\022\n\020spiffe://client1\nK\nI\n*2(\n\n:authority\"\032envoy-original-destination\n\0332\031\n\016x-service-name\"\aclient1"
}
but was:
name: "envoy.filters.http.rbac"
typed_config {
type_url: "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC"
value: "\n\305\004\022\302\004\n\205\002IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[ClientWithSelector(name=client1, selector=null, negated=false)], unlistedClientsPolicy=BLOCKANDLOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=STRICT))\022\267\002\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\202\002\n\377\001\n\223\001\n\220\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\nH:F\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\024\n\022jwt_failure_reason\022\005\n\003exp\032\002(\001\ng\022e\n\026\"\024\022\022\n\020spiffe://client1\nK\nI\n*2(\n\n:authority\"\032envoy-original-destination\n\0332\031\n\016x-service-name\"\aclient1\022\305\004\022\302\004\n\205\002IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[ClientWithSelector(name=client1, selector=null, negated=false)], unlistedClientsPolicy=BLOCKANDLOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=STRICT))\022\267\002\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\202\002\n\377\001\n\223\001\n\220\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\nH:F\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\024\n\022jwt_failure_reason\022\005\n\003exp\032\002(\001\ng\022e\n\026\"\024\022\022\n\020spiffe://client1\nK\nI\n*2(\n\n:authority\"\032envoy-original-destination\n\0332\031\n\016x-service-name\"\aclient1"
}
|
|
RBACFilterFactoryJwtTest.should generate RBAC rules for ALLOW_MISSING OAuth Policy:
envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/rbac/RBACFilterFactoryJwtTest.kt#L87
org.opentest4j.AssertionFailedError:
expected:
name: "envoy.filters.http.rbac"
typed_config {
type_url: "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC"
value: "\n\200\005\022\375\004\n\214\002IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[ClientWithSelector(name=client1, selector=null, negated=false)], unlistedClientsPolicy=BLOCKANDLOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=ALLOW_MISSING))\022\353\002\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\266\002\n\263\002\n\307\001\022\304\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\amissing\n|\nz\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\n2:0\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\005\n\003exp\032\002(\001\ng\022e\n\026\"\024\022\022\n\020spiffe://client1\nK\nI\n*2(\n\n:authority\"\032envoy-original-destination\n\0332\031\n\016x-service-name\"\aclient1\022\200\005\022\375\004\n\214\002IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[ClientWithSelector(name=client1, selector=null, negated=false)], unlistedClientsPolicy=BLOCKANDLOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=ALLOW_MISSING))\022\353\002\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\266\002\n\263\002\n\307\001\022\304\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\amissing\n|\nz\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\n2:0\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\005\n\003exp\032\002(\001\ng\022e\n\026\"\024\022\022\n\020spiffe://client1\nK\nI\n*2(\n\n:authority\"\032envoy-original-destination\n\0332\031\n\016x-service-name\"\aclient1"
}
but was:
name: "envoy.filters.http.rbac"
typed_config {
type_url: "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC"
value: "\n\230\005\022\225\005\n\214\002IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[ClientWithSelector(name=client1, selector=null, negated=false)], unlistedClientsPolicy=BLOCKANDLOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=ALLOW_MISSING))\022\203\003\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\316\002\n\313\002\n\337\001\022\334\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\amissing\n\223\001\n\220\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\nH:F\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\024\n\022jwt_failure_reason\022\005\n\003exp\032\002(\001\ng\022e\n\026\"\024\022\022\n\020spiffe://client1\nK\nI\n*2(\n\n:authority\"\032envoy-original-destination\n\0332\031\n\016x-service-name\"\aclient1\022\230\005\022\225\005\n\214\002IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[ClientWithSelector(name=client1, selector=null, negated=false)], unlistedClientsPolicy=BLOCKANDLOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=ALLOW_MISSING))\022\203\003\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\316\002\n\313\002\n\337\001\022\334\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\amissing\n\223\001\n\220\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\nH:F\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\024\n\022jwt_failure_reason\022\005\n\003exp\032\002(\001\ng\022e\n\026\"\024\022\022\n\020spiffe://client1\nK\nI\n*2(\n\n:authority\"\032envoy-original-destination\n\0332\031\n\016x-service-name\"\aclient1"
}
|
|
RBACFilterFactoryJwtTest.should generate RBAC rules for STRICT if no clients and unlisted clients policy is log:
envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/rbac/RBACFilterFactoryJwtTest.kt#L255
org.opentest4j.AssertionFailedError:
expected:
name: "envoy.filters.http.rbac"
typed_config {
type_url: "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC"
value: "\n\370\002\022\365\002\n\277\001IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[], unlistedClientsPolicy=LOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=STRICT))\022\260\001\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022|\nz\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\n2:0\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\005\n\003exp\032\002(\001\022\370\002\022\365\002\n\277\001IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[], unlistedClientsPolicy=LOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=STRICT))\022\260\001\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022|\nz\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\n2:0\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\005\n\003exp\032\002(\001"
}
but was:
name: "envoy.filters.http.rbac"
typed_config {
type_url: "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC"
value: "\n\220\003\022\215\003\n\277\001IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[], unlistedClientsPolicy=LOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=STRICT))\022\310\001\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\223\001\n\220\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\nH:F\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\024\n\022jwt_failure_reason\022\005\n\003exp\032\002(\001\022\220\003\022\215\003\n\277\001IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[], unlistedClientsPolicy=LOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=STRICT))\022\310\001\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\223\001\n\220\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\nH:F\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\024\n\022jwt_failure_reason\022\005\n\003exp\032\002(\001"
}
|
|
RBACFilterFactoryJwtTest.should generate RBAC rules for ALLOW_MISSING if no clients and unlisted clients policy is log:
envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/rbac/RBACFilterFactoryJwtTest.kt#L255
org.opentest4j.AssertionFailedError:
expected:
name: "envoy.filters.http.rbac"
typed_config {
type_url: "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC"
value: "\n\313\003\022\310\003\n\306\001IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[], unlistedClientsPolicy=LOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=ALLOW_MISSING))\022\374\001\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\307\001\022\304\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\amissing\n|\nz\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\n2:0\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\005\n\003exp\032\002(\001\022\313\003\022\310\003\n\306\001IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[], unlistedClientsPolicy=LOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=ALLOW_MISSING))\022\374\001\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\307\001\022\304\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\amissing\n|\nz\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\n2:0\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\005\n\003exp\032\002(\001"
}
but was:
name: "envoy.filters.http.rbac"
typed_config {
type_url: "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC"
value: "\n\343\003\022\340\003\n\306\001IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[], unlistedClientsPolicy=LOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=ALLOW_MISSING))\022\224\002\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\337\001\022\334\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\amissing\n\223\001\n\220\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\nH:F\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\024\n\022jwt_failure_reason\022\005\n\003exp\032\002(\001\022\343\003\022\340\003\n\306\001IncomingEndpoint(path=/oauth-protected, pathMatchingType=PATH, methods=[GET], clients=[], unlistedClientsPolicy=LOG, oauth=OAuth(provider=oauth-provider, verification=OFFLINE, policy=ALLOW_MISSING))\022\224\002\n0\n.\n\026R\024\n\022\n\020/oauth-protected\n\024\022\022\n\020\"\016\n\a:method\"\003GET\022\337\001\022\334\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\amissing\n\223\001\n\220\001\nD:B\n%envoy.filters.http.header_to_metadata\022\f\n\njwt-status\032\v\032\t\n\apresent\nH:F\n\034envoy.filters.http.jwt_authn\022\005\n\003jwt\022\024\n\022jwt_failure_reason\022\005\n\003exp\032\002(\001"
}
|
|
JWTFilterTest.should allow request with token from unlisted client when policy is strict, unlisted clients policy is log and there are other clients defined():
envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/JWTFilterTest.kt#L507
java.lang.AssertionError:
Expecting actual:
Response{protocol=http/1.1, code=403, message=Forbidden, url=http://localhost:32868/log-with-clients}
to match given predicate.
You can use 'matches(Predicate p, String description)' to have a better error message
For example:
assertThat(player).matches(p -> p.isRookie(), "is rookie");
will give an error message looking like:
Expecting actual:
player
to match 'is rookie' predicate
|
|
JWTFilterTest.should allow request with token when policy is strict, unlisted clients policy is log and there are no clients():
envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/JWTFilterTest.kt#L493
java.lang.AssertionError:
Expecting actual:
Response{protocol=http/1.1, code=403, message=Forbidden, url=http://localhost:32868/no-clients}
to match given predicate.
You can use 'matches(Predicate p, String description)' to have a better error message
For example:
assertThat(player).matches(p -> p.isRookie(), "is rookie");
will give an error message looking like:
Expecting actual:
player
to match 'is rookie' predicate
|
|
JWTFilterTest.should allow request with valid token when policy is allow missing():
envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/JWTFilterTest.kt#L375
java.lang.AssertionError:
Expecting actual:
Response{protocol=http/1.1, code=403, message=Forbidden, url=http://localhost:32872/oauth-or-tls}
to match given predicate.
You can use 'matches(Predicate p, String description)' to have a better error message
For example:
assertThat(player).matches(p -> p.isRookie(), "is rookie");
will give an error message looking like:
Expecting actual:
player
to match 'is rookie' predicate
|
|
JWTFilterTest.should allow requests with valid jwt when many providers are defined():
envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/JWTFilterTest.kt#L300
java.lang.AssertionError:
Expecting actual:
Response{protocol=http/1.1, code=403, message=Forbidden, url=http://localhost:32872/first-provider-protected}
to match given predicate.
You can use 'matches(Predicate p, String description)' to have a better error message
For example:
assertThat(player).matches(p -> p.isRookie(), "is rookie");
will give an error message looking like:
Expecting actual:
player
to match 'is rookie' predicate
|
|
JWTFilterTest.should allow request with valid jwt():
envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/JWTFilterTest.kt#L239
java.lang.AssertionError:
Expecting actual:
Response{protocol=http/1.1, code=403, message=Forbidden, url=http://localhost:32872/first-provider-protected}
to match given predicate.
You can use 'matches(Predicate p, String description)' to have a better error message
For example:
assertThat(player).matches(p -> p.isRookie(), "is rookie");
will give an error message looking like:
Expecting actual:
player
to match 'is rookie' predicate
|
|
resilence_test
The following actions uses node12 which is deprecated and will be forced to run on node16: mikepenz/action-junit-report@v2. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/
|
|
resilence_test
The following actions uses Node.js version which is deprecated and will be forced to run on node20: actions/checkout@v3, gradle/wrapper-validation-action@v1, actions/setup-java@v3, actions/cache@v3, mikepenz/action-junit-report@v2. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
|
|
resilence_test
The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
|
|
resilence_test
The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
|