add vsr test to rate limit by JWT claim

Author: pdabelf5

tests/data/rate-limit/route-subroute/virtual-server-route-jwt-claim-sub.yaml

@@ -0,0 +1,22 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServerRoute
+metadata:
+  name: backends
+spec:
+  host: virtual-server-route.example.com
+  upstreams:
+  - name: backend1
+    service: backend1-svc
+    port: 80
+  - name: backend3
+    service: backend3-svc
+    port: 80
+  subroutes:
+  - path: "/backends/backend1"
+    policies:
+    - name: rate-limit-jwt-claim-sub
+    action:
+      pass: backend1
+  - path: "/backends/backend3"
+    action:
+      pass: backend3

tests/requirements.txt

@@ -332,7 +332,9 @@ greenlet==3.1.1 \
     --hash=sha256:f1d4aeb8891338e60d1ab6127af1fe45def5259def8094b9c7e34690c8858803 \
     --hash=sha256:f406b22b7c9a9b4f8aa9d2ab13d6ae0ac3e85c9a809bd590ad53fed2bf70dc79 \
     --hash=sha256:f6ff3b14f2df4c41660a7dec01045a045653998784bf8cfcb5a525bdffffbc8f
-    # via playwright
+    # via
+    #   -r requirements.in
+    #   playwright
 grpcio==1.68.1 \
     --hash=sha256:025f790c056815b3bf53da850dd70ebb849fd755a4b1ac822cb65cd631e37d43 \
     --hash=sha256:04cfd68bf4f38f5bb959ee2361a7546916bd9a50f78617a346b3aeb2b42e2161 \
@@ -614,7 +616,13 @@ pycparser==2.22 \
 pyee==12.0.0 \
     --hash=sha256:7b14b74320600049ccc7d0e0b1becd3b4bd0a03c745758225e31a59f4095c990 \
     --hash=sha256:c480603f4aa2927d4766eb41fa82793fe60a82cbfdb8d688e0d08c55a534e145
-    # via playwright
+    # via
+    #   -r requirements.in
+    #   playwright
+pyjwt==2.10.1 \
+    --hash=sha256:3cc5772eb20009233caf06e9d8a0577824723b44e6648ee0a2aedb6cf9381953 \
+    --hash=sha256:dcdd193e30abefd5debf142f9adfcdd2b58004e644f25406ffaebd50bd98dacb
+    # via -r requirements.in
 pyopenssl==24.3.0 \
     --hash=sha256:49f7a019577d834746bc55c5fce6ecbcec0f2b4ec5ce1cf43a9a173b8138bb36 \
     --hash=sha256:e474f5a473cd7f92221cc04976e48f4d11502804657a08a989fb3be5514c904a
@@ -733,7 +741,9 @@ six==1.17.0 \
 typing-extensions==4.12.2 \
     --hash=sha256:04e5ca0351e0f3f85c6853954072df659d0d13fac324d0072316b67d7794700d \
     --hash=sha256:1a7ead55c7e559dd4dee8856e3a88b41225abfe1ce8df57b7c13915fe121ffb8
-    # via pyee
+    # via
+    #   -r requirements.in
+    #   pyee
 urllib3==2.2.3 \
     --hash=sha256:ca899ca043dcb1bafa3e262d73aa25c465bfb49e0bd9dd5d59f1d0acba2f8fac \
     --hash=sha256:e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9

tests/suite/test_rl_policies.py

@@ -1,5 +1,6 @@
 import time
 
+import jwt
 import pytest
 import requests
 from settings import TEST_DATA
@@ -26,7 +27,6 @@
 rl_vs_override_spec_route = f"{TEST_DATA}/rate-limit/route-subroute/virtual-server-override-spec-route.yaml"
 rl_vs_jwt_claim_sub = f"{TEST_DATA}/rate-limit/spec/virtual-server-jwt-claim-sub.yaml"
 rl_pol_jwt_claim_sub = f"{TEST_DATA}/rate-limit/policies/rate-limit-jwt-claim-sub.yaml"
-token = f"{TEST_DATA}/jwt-policy/token.jwt"
 
 
 @pytest.mark.policies
@@ -387,19 +387,25 @@ def test_rl_policy_jwt_claim_sub(
         wait_before_test()
 
         policy_info = read_custom_resource(kube_apis.custom_objects, test_namespace, "policies", pol_name)
+        jwt_token = jwt.encode(
+            {"sub": "client1"},
+            "nginx",
+            algorithm="HS256",
+        )
         occur = []
         t_end = time.perf_counter() + 1
+
         resp = requests.get(
             virtual_server_setup.backend_1_url,
-            headers={"host": virtual_server_setup.vs_host, "Authorization": f"Bearer {token}"},
+            headers={"host": virtual_server_setup.vs_host, "Authorization": f"Bearer {jwt_token}"},
         )
         print(resp.status_code)
         wait_before_test()
         assert resp.status_code == 200
         while time.perf_counter() < t_end:
             resp = requests.get(
                 virtual_server_setup.backend_1_url,
-                headers={"host": virtual_server_setup.vs_host, "Authorization": f"Bearer {token}"},
+                headers={"host": virtual_server_setup.vs_host, "Authorization": f"Bearer {jwt_token}"},
             )
             occur.append(resp.status_code)
         delete_policy(kube_apis.custom_objects, pol_name, test_namespace)

tests/suite/test_rl_policies_vsr.py

@@ -1,5 +1,6 @@
 import time
 
+import jwt
 import pytest
 import requests
 from settings import TEST_DATA
@@ -24,6 +25,8 @@
 rl_vsr_override_src = f"{TEST_DATA}/rate-limit/route-subroute/virtual-server-route-override-subroute.yaml"
 rl_vsr_override_vs_spec_src = f"{TEST_DATA}/rate-limit/route-subroute/virtual-server-vsr-spec-override.yaml"
 rl_vsr_override_vs_route_src = f"{TEST_DATA}/rate-limit/route-subroute/virtual-server-vsr-route-override.yaml"
+rl_vsr_jwt_claim_sub_src = f"{TEST_DATA}/rate-limit/route-subroute/virtual-server-route-jwt-claim-sub.yaml"
+rl_pol_jwt_claim_sub_src = f"{TEST_DATA}/rate-limit/policies/rate-limit-jwt-claim-sub.yaml"
 
 
 @pytest.mark.policies
@@ -416,3 +419,89 @@ def test_rl_policy_scaled_vsr(
             and policy_info["status"]["reason"] == "AddedOrUpdated"
             and policy_info["status"]["state"] == "Valid"
         )
+
+    @pytest.mark.smoke
+    @pytest.mark.parametrize("src", [rl_vsr_jwt_claim_sub_src])
+    def test_rl_policy_jwt_claim_sub_vsr(
+        self,
+        kube_apis,
+        ingress_controller_prerequisites,
+        crd_ingress_controller,
+        v_s_route_app_setup,
+        v_s_route_setup,
+        test_namespace,
+        src,
+    ):
+        """
+        Test if rate-limiting policy is working with 1 rps using $jwt_claim_sub as the rate limit key in vsr:subroute
+        """
+
+        req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
+        print(f"Create rl policy")
+        pol_name = create_policy_from_yaml(
+            kube_apis.custom_objects, rl_pol_jwt_claim_sub_src, v_s_route_setup.route_m.namespace
+        )
+        wait_before_test(1)
+        policy_info = read_custom_resource(
+            kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name
+        )
+        assert (
+            policy_info["status"]
+            and policy_info["status"]["reason"] == "AddedOrUpdated"
+            and policy_info["status"]["state"] == "Valid"
+        )
+
+        print(f"Patch vsr with policy: {src}")
+        patch_v_s_route_from_yaml(
+            kube_apis.custom_objects,
+            v_s_route_setup.route_m.name,
+            src,
+            v_s_route_setup.route_m.namespace,
+        )
+        wait_before_test(1)
+        vsr_info = read_custom_resource(
+            kube_apis.custom_objects,
+            v_s_route_setup.route_m.namespace,
+            "virtualserverroutes",
+            v_s_route_setup.route_m.name,
+        )
+        assert (
+            vsr_info["status"]
+            and vsr_info["status"]["reason"] == "AddedOrUpdated"
+            and vsr_info["status"]["state"] == "Valid"
+        )
+
+        vs_info = read_custom_resource(
+            kube_apis.custom_objects, v_s_route_setup.namespace, "virtualservers", v_s_route_setup.vs_name
+        )
+        assert (
+            vs_info["status"]
+            and vs_info["status"]["reason"] == "AddedOrUpdated"
+            and vs_info["status"]["state"] == "Valid"
+        )
+
+        wait_before_test()
+        jwt_token = jwt.encode(
+            {"sub": "client1"},
+            "nginx",
+            algorithm="HS256",
+        )
+        occur = []
+        t_end = time.perf_counter() + 1
+        resp = requests.get(
+            f"{req_url}{v_s_route_setup.route_m.paths[0]}",
+            headers={"host": v_s_route_setup.vs_host, "Authorization": f"Bearer {jwt_token}"},
+        )
+
+        print(resp.status_code)
+        assert resp.status_code == 200
+        while time.perf_counter() < t_end:
+            resp = requests.get(
+                f"{req_url}{v_s_route_setup.route_m.paths[0]}",
+                headers={"host": v_s_route_setup.vs_host, "Authorization": f"Bearer {jwt_token}"},
+            )
+            occur.append(resp.status_code)
+        delete_policy(kube_apis.custom_objects, pol_name, v_s_route_setup.route_m.namespace)
+        self.restore_default_vsr(kube_apis, v_s_route_setup)
+
+        assert occur.count(200) <= 1