test: oauth2 http filter invalid params combination

Signed-off-by: Aleksandr Aleksandrov <aaleksandrov.cy@gmail.com>

Author: aa1ex

api/v1alpha1/httpfilter_webhook.go

@@ -19,7 +19,7 @@ package v1alpha1
 import (
 	"context"
 	"fmt"
-
+	oauth2v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/oauth2/v3"
 	hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	"github.com/kaasops/envoy-xds-controller/pkg/errors"
 	"github.com/kaasops/envoy-xds-controller/pkg/options"
@@ -33,9 +33,9 @@ func (h *HttpFilter) Validate(ctx context.Context) error {
 	}
 
 	for _, httpFilter := range h.Spec {
-		httpFilterv3 := &hcmv3.HttpFilter{}
-		if err := options.Unmarshaler.Unmarshal(httpFilter.Raw, httpFilterv3); err != nil {
-			return errors.Wrap(err, errors.UnmarshalMessage)
+		hf := &hcmv3.HttpFilter{}
+		if err := UnmarshalAndValidateHTTPFilter(httpFilter.Raw, hf); err != nil {
+			return err
 		}
 	}
 
@@ -68,3 +68,36 @@ func (h *HttpFilter) ValidateDelete(ctx context.Context, cl client.Client) error
 
 	return nil
 }
+
+func UnmarshalAndValidateHTTPFilter(raw []byte, httpFilter *hcmv3.HttpFilter) error {
+	if err := options.Unmarshaler.Unmarshal(raw, httpFilter); err != nil {
+		return errors.Wrap(err, errors.UnmarshalMessage)
+	}
+	if err := httpFilter.ValidateAll(); err != nil {
+		return errors.WrapUKS(err, errors.InvalidHTTPFilter)
+	}
+	switch v := httpFilter.ConfigType.(type) {
+	case *hcmv3.HttpFilter_TypedConfig:
+		switch v.TypedConfig.TypeUrl {
+		case "type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2":
+			if err := validateOAuth2Filter(v); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func validateOAuth2Filter(v *hcmv3.HttpFilter_TypedConfig) error {
+	var oauthCfg oauth2v3.OAuth2
+	if err := v.TypedConfig.UnmarshalTo(&oauthCfg); err != nil {
+		return errors.Wrap(err, errors.UnmarshalMessage)
+	}
+	if err := oauthCfg.ValidateAll(); err != nil {
+		return errors.WrapUKS(err, errors.InvalidHTTPFilter)
+	}
+	if oauthCfg.Config.PreserveAuthorizationHeader && oauthCfg.Config.ForwardBearerToken {
+		return errors.Newf("%s: preserve_authorization_header=true and forward_bearer_token=true", errors.InvalidParamsCombination)
+	}
+	return nil
+}

api/v1alpha1/virtualservice_webhook.go

@@ -76,8 +76,8 @@ func (vs *VirtualService) Validate(
 	if vs.Spec.HTTPFilters != nil {
 		for _, httpFilter := range vs.Spec.HTTPFilters {
 			hf := &hcmv3.HttpFilter{}
-			if err := options.Unmarshaler.Unmarshal(httpFilter.Raw, hf); err != nil {
-				return errors.Wrap(err, errors.UnmarshalMessage)
+			if err := UnmarshalAndValidateHTTPFilter(httpFilter.Raw, hf); err != nil {
+				return err
 			}
 		}
 	}
@@ -316,7 +316,7 @@ func validateAutoDiscovery(
 			wildcardDomain := utils.GetWildcardDomain(domain)
 			_, ok := index[wildcardDomain]
 			if !ok {
-				return errors.Newf("%s. Domain: %s", errors.DicoverNotFoundMessage, domain)
+				return errors.Newf("%s. Domain: %s", errors.DiscoverNotFoundMessage, domain)
 			}
 		}
 	}

pkg/errors/messages.go

@@ -29,6 +29,8 @@ var (
 	AccessLogConfigDeleteUsedMessage    = "cannot delete accesslogconfig, bc is used in Virtual Services: "
 	HTTPFilterCannotBeEmptyMessage      = "httpFilter could not be empty"
 	HTTPFilterDeleteUsed                = "cannot delete httpFilter, bc is used in Virtual Services: "
+	InvalidHTTPFilter                   = "invalid http_filter"
+	InvalidParamsCombination            = "invalid combination of parameters"
 	RouteCannotBeEmptyMessage           = "route could not be empty"
 	RouteDeleteUsed                     = "cannot delete route, bc is used in Virtual Services: "
 	ClusterCannotBeEmptyMessage         = "cluster could not be empty"
@@ -46,7 +48,7 @@ var (
 	CertManaferCRDNotExistMessage = "cert Manager CRDs not exist. Perhaps Cert Manager is not installed in the Kubernetes cluster"
 	TlsConfigManyParamMessage     = "сannot be installed Issuer and ClusterIssuer in 1 config"
 
-	DicoverNotFoundMessage   = "the secret with the certificate was not found for the domain"
+	DiscoverNotFoundMessage  = "the secret with the certificate was not found for the domain"
 	CreateCertificateMessage = "cannot create certificate for domain"
 	RegexDomainMessage       = "regex domains not supported"
 )

pkg/factory/virtualservice/tls/tls.go

@@ -101,7 +101,7 @@ func (tf *TlsFactory) provideAutoDiscovery(ctx context.Context, domains []string
 			wildcardDomain := utils.GetWildcardDomain(domain)
 			secret, ok = tf.CertificatesIndex[wildcardDomain]
 			if !ok {
-				return CertificatesWithDomains, errors.NewUKS(fmt.Sprintf("domain - %v: %v", domain, errors.DicoverNotFoundMessage))
+				return CertificatesWithDomains, errors.NewUKS(fmt.Sprintf("domain - %v: %v", domain, errors.DiscoverNotFoundMessage))
 			}
 		}
 

pkg/factory/virtualservice/virtualservice.go

@@ -229,14 +229,9 @@ func (f *VirtualServiceFactory) HttpFilters(ctx context.Context, name string) ([
 	httpFilters := []*hcmv3.HttpFilter{}
 	for _, httpFilter := range f.Spec.HTTPFilters {
 		hf := &hcmv3.HttpFilter{}
-		if err := options.Unmarshaler.Unmarshal(httpFilter.Raw, hf); err != nil {
-			return nil, errors.WrapUKS(err, errors.UnmarshalMessage)
+		if err := v1alpha1.UnmarshalAndValidateHTTPFilter(httpFilter.Raw, hf); err != nil {
+			return nil, err
 		}
-
-		if err := hf.ValidateAll(); err != nil {
-			return nil, errors.WrapUKS(err, errors.CannotValidateCacheResourceMessage)
-		}
-
 		httpFilters = append(httpFilters, hf)
 	}
 
@@ -250,8 +245,8 @@ func (f *VirtualServiceFactory) HttpFilters(ctx context.Context, name string) ([
 			}
 			for _, httpFilter := range hfSpec.Spec {
 				hf := &hcmv3.HttpFilter{}
-				if err := options.Unmarshaler.Unmarshal(httpFilter.Raw, hf); err != nil {
-					return nil, errors.WrapUKS(err, errors.UnmarshalMessage)
+				if err := v1alpha1.UnmarshalAndValidateHTTPFilter(httpFilter.Raw, hf); err != nil {
+					return nil, err
 				}
 				httpFilters = append(httpFilters, hf)
 			}

test/conformance/tests/httpFilter.go

@@ -19,6 +19,7 @@ func init() {
 		HttpFilter_CannotBeEmptyTest,
 		HttpFilter_HasInvalidSpec,
 		HttpFilter_DeleteUsed,
+		HttpFilter_OAuth2InvalidParamsCombination,
 	)
 }
 
@@ -55,3 +56,11 @@ var HttpFilter_DeleteUsed = utils.TestCase{
 		require.ErrorContains(t, err, fmt.Sprintf("%v%v%v", ValidationErrorMessage, errors.HTTPFilterDeleteUsed, []string{"virtual-service-used-hf"}))
 	},
 }
+
+var HttpFilter_OAuth2InvalidParamsCombination = utils.TestCase{
+	ShortName:          "HttpFilterOauth2InvalidParamsCombination",
+	Description:        "Test that the HttpFilter contains an invalid combination of parameters",
+	Manifests:          []string{"../testdata/conformance/httpfilter-oauth2-invalid-combination.yaml"},
+	ApplyErrorContains: fmt.Sprintf("%v%v", ValidationErrorMessage, errors.InvalidParamsCombination),
+	Test:               func(t *testing.T, suite *utils.TestSuite) {},
+}

test/testdata/conformance/httpfilter-oauth2-invalid-combination.yaml

@@ -0,0 +1,39 @@
+apiVersion: envoy.kaasops.io/v1alpha1
+kind: HttpFilter
+metadata:
+  name: invalid-combination
+spec:
+  - name: envoy.filters.http.oauth2
+    typed_config:
+      "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
+      config:
+        preserve_authorization_header: true
+        token_endpoint:
+          uri: "https://example.com/token"
+          cluster: oauth2
+          timeout: 10s
+        authorization_endpoint: "https://example.com/auth"
+        credentials:
+          client_id: "example-id"
+          token_secret:
+            name: token
+            sds_config:
+              path: "./oauth2-token.yaml"
+          hmac_secret:
+            name: hmac
+            sds_config:
+              path: "./oauth2-hmac.yaml"
+        redirect_uri: "https://%REQ(:authority)%/oauth/callback"
+        redirect_path_matcher:
+          path:
+            exact: "/oauth/callback"
+        signout_path:
+          path:
+            exact: "/oauth/signout"
+        forward_bearer_token: true
+        use_refresh_token: false
+        auth_scopes:
+          - "openid"
+          - "profile"
+          - "email"
+          - "offline_access"

tools/make/tests.mk

@@ -43,7 +43,7 @@ e2e-1.29-1.30: envoy-1.30
 	$(RUN_E2E)
 	$(CLEANUP_ENVOY)
 
-# E2E test on Kubernetes 1.30 for Envoy 1.31
+# E2E test on Kubernetes 1.29 for Envoy 1.31
 .PHONY: e2e-1.29-1.31
 e2e-1.29-1.31: envoy-1.31
 	$(RUN_E2E)
@@ -53,7 +53,7 @@ e2e-1.29-1.31: envoy-1.31
 .PHONY: e2e-1.30
 e2e-1.30: prepare-kind kind-with-registry-1.30 build-deploy-exc e2e-1.30-1.30 e2e-1.30-1.31 cleanup-kind-with-registry
 
-# E2E test on Kubernetes 1.29 for Envoy 1.30
+# E2E test on Kubernetes 1.30 for Envoy 1.30
 .PHONY: e2e-1.30-1.30
 e2e-1.30-1.30: envoy-1.30
 	$(RUN_E2E)
@@ -72,3 +72,6 @@ endef
 
 .PHONY: build-deploy-exc
 build-deploy-exc: image.build-local image.push-local kube-deploy-local
+
+.PHONY: run-local
+run-local: prepare-kind kind-with-registry-1.30 build-deploy-exc