chore: add test to ensure fatal state on forbidden error (#756) (#302)

Signed-off-by: Alexandra Oberaigner <[email protected]>
Signed-off-by: alexandraoberaigner <[email protected]>
Co-authored-by: Todd Baert <[email protected]>

Author: alexandraoberaigner

docker-compose.yaml

@@ -24,6 +24,7 @@ services:
     image: envoyproxy/envoy:v1.35-latest
     ports:
       - 9211
+      - 9212
       - 9901
     command:
       - /bin/sh
@@ -37,7 +38,7 @@ services:
             socket_address:
               address: 0.0.0.0
               port_value: 9901
-
+        
         static_resources:
           listeners:
             - name: local-envoy
@@ -96,6 +97,39 @@ services:
                                     grpc: {}
                                   route:
                                     cluster: local-rpc-service
+            - name: permission-denied-listener
+              address:
+                socket_address:
+                  address: 0.0.0.0
+                  port_value: 9212
+              filter_chains:
+                - filters:
+                    - name: envoy.filters.network.http_connection_manager
+                      typed_config:
+                        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                        stat_prefix: permission_denied
+                        access_log:
+                          - name: envoy.access_loggers.stdout
+                            typed_config:
+                              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+                        http_filters:
+                          - name: envoy.filters.http.router
+                            typed_config:
+                              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+                        route_config:
+                          name: permission_denied_route
+                          virtual_hosts:
+                            - name: permission-denied
+                              domains:
+                                - "*"
+                              routes:
+                                - match:
+                                    prefix: "/"
+                                    grpc: {}
+                                  direct_response:
+                                    status: 403
+                                    body:
+                                      inline_string: "PERMISSION_DENIED"
           clusters:
             - name: local-sync-service
               type: LOGICAL_DNS

gherkin/connection.feature

@@ -50,6 +50,14 @@ Feature: flagd provider disconnect and reconnect functionality
     And a error event handler
     Then the error event handler should have been executed within 3000ms
 
+  @rpc @in-process @file @forbidden
+  # This test ensures that a forbidden response from flagd results in a fatal client state
+  Scenario: Provider forbidden
+    Given a forbidden flagd provider
+    And a error event handler
+    Then the error event handler should have been executed within 5000ms
+    And the client is in fatal state
+
   @targetURI @rpc
   Scenario: Connection via TargetUri rpc
     Given an option "targetUri" of type "String" with value "envoy://localhost:<port>/rpc.service"