diff --git a/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go
index 89e8f3de50..d8bb1a9ddb 100644
--- a/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go
+++ b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go
@@ -63,7 +63,7 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 msg: "Allow Requests with spaces in path",
 filterName: "opaAuthorizeRequest",
 bundleName: "somebundle.tar.gz",
- regoQuery: "envoy/authz/allow",
+ regoQuery: "envoy/authz/allow_with_space_in_path",
 requestPath: "/my%20path",
 requestMethod: "GET",
 contextExtensions: "",
@@ -106,7 +106,7 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 msg: "Allow Requests with query parameters",
 filterName: "opaAuthorizeRequest",
 bundleName: "somebundle.tar.gz",
- regoQuery: "envoy/authz/allow",
+ regoQuery: "envoy/authz/allow_with_query",
 requestPath: "/allow-with-query?pass=yes&id=1&id=2&msg=help%20me",
 requestMethod: "GET",
 contextExtensions: "",
@@ -173,8 +173,8 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 msg: "Simple Forbidden with Query Parameters",
 filterName: "opaAuthorizeRequest",
 bundleName: "somebundle.tar.gz",
- regoQuery: "envoy/authz/allow",
- requestPath: "/allow-with-query?tofail=true",
+ regoQuery: "envoy/authz/deny_with_query",
+ requestPath: "/allow-me?tofail=true",
 requestMethod: "GET",
 contextExtensions: "",
 expectedStatus: http.StatusForbidden,
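Review bot: In the third hunk the "Simple Forbidden with Query Parameters" case evaluates `envoy/authz/deny_with_query` as the filter's allow decision, so the expected 403 comes from the rule being false rather than from a deny firing. The rule added in the policy hunk further down ends in `not input.parsed_query.tofail == ["true"]`, which in Rego also holds when `tofail` is absent, so the rule grants access in exactly the cases its name suggests it blocks. Renaming it in both places (for example `allow_unless_tofail`), or adding a comment on the test case such as `// rule must evaluate to false: parsed_query.tofail is present, so the request is rejected`, would stop the pattern being copied into a real policy as a deny rule. The test-case struct literal starts and ends outside the hunk.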
@@ -406,32 +406,38 @@ func TestAuthorizeRequestFilter(t *testing.T) { package envoy.authz default allow = false + default deny_with_query = false allow { - input.parsed_path = [ "allow" ] - input.parsed_query = {} + input.parsed_path == [ "allow" ] + input.parsed_query == {} } allow_with_http_path { input.attributes.request.http.path == "/some/api/path?q1=v1&msg=help%20me" } - allow { - input.parsed_path = [ "my path" ] + allow_with_space_in_path { + input.parsed_path == [ "my path" ] } allow_with_path_having_empty_query { - input.parsed_path = [ "path-with-empty-query" ] - input.parsed_query = {} + input.parsed_path == [ "path-with-empty-query" ] + input.parsed_query == {} } - allow { - input.parsed_path = [ "allow-with-query" ] + allow_with_query { + input.parsed_path == [ "allow-with-query" ] input.parsed_query.pass == ["yes"] input.parsed_query.id == ["1", "2"] input.parsed_query.msg == ["help me"] } + deny_with_query { + input.attributes.request.http.path == "/allow-me?tofail=true" + not input.parsed_query.tofail == ["true"] + } + allow_context_extensions { input.attributes.contextExtensions["com.mycompany.myprop"] == "myvalue" } @@ -447,8 +453,8 @@ func TestAuthorizeRequestFilter(t *testing.T) { "http_status": 401 } - allow_object = response { - input.parsed_path = [ "allow", "structured" ] + allow_object := response { + input.parsed_path == [ "allow", "structured" ] response := { "allowed": true, "headers": { @@ -485,7 +491,7 @@ func TestAuthorizeRequestFilter(t *testing.T) { decision_id := input.attributes.metadataContext.filterMetadata.open_policy_agent.decision_id - allow_object_decision_id_in_header = response { + allow_object_decision_id_in_header := response { input.parsed_path = ["allow", "structured"] decision_id response := {
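Review bot: The `=` to `==` cleanup is incomplete in the last hunk: `allow_object_decision_id_in_header` gets `:=` on its head, but the context line `input.parsed_path = ["allow", "structured"]` still uses unification, unlike every other comparison this change touches. With `input` on one side the result is the same here, but a stray `=` in an authorization policy keeps the assignment-versus-comparison ambiguity the rest of the commit removes. I would change it to `input.parsed_path == ["allow", "structured"]`. The rule body continues outside the hunk, so further `=` comparisons below it cannot be ruled out from here.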