Tharsanan1 (Contributor) commented Jan 18, 2026

Summary

This PR introduces comprehensive integration tests for JWT authentication.

Summary by CodeRabbit

  • Tests
    • Added comprehensive JWT authentication test scenarios covering token validation, header formats, issuer/audience checks, multiple key managers, and edge cases; integrated steps to fetch tokens from a mock JWKS server.
  • Chores
    • Updated CI workflow to build the mock JWKS image before integration tests and added orchestration for the mock server.
  • Documentation
    • Added developer guidance for Copilot, integration testing workflows, and policy/test configuration examples (JWT and rate-limiting).

coderabbitai bot (Contributor) commented Jan 18, 2026

Walkthrough

Adds JWT authentication integration tests: mock JWKS service, BDD feature file, Go step definitions and test wiring, Docker Compose and test config updates, and CI/workflow changes including a Copilot guidance doc and build steps for the mock-jwks image.

Changes

Cohort: Copilot docs & setup workflow
File(s): /.github/copilot-instructions.md, /.github/workflows/copilot-setup-steps.yml
Summary: New Copilot guidance doc and a GitHub Actions workflow to provision Go, Docker Buildx, Helm, kubectl, fetch Go deps across gateway components, and build gateway images.

Cohort: Integration workflow update
File(s): /.github/workflows/gateway-integration-test.yml
Summary: Adds a pre-test step to build the mock-jwks Docker image before running integration tests.

Cohort: Docker Compose test services
File(s): gateway/it/docker-compose.test.yaml
Summary: Adds mock-jwks service (build context ../../tests/mock-servers/mock-jwks) with port mapping 8082:8080 and network attachment.

Cohort: BDD feature specs
File(s): gateway/it/features/jwt-auth.feature
Summary: New feature file with multiple scenarios exercising JWT flows (valid token, missing/malformed headers, issuer/audience checks, multi-key-manager cases, unprotected endpoints, edge cases).

Cohort: Test state & ports
File(s): gateway/it/setup.go, gateway/it/state.go
Summary: Adds MockJWKSPort ("8082"), MockJWKSURL field to Config, initializes default MockJWKSURL, and includes port 8082 in port-availability checks.

Cohort: JWT test steps implementation
File(s): gateway/it/steps_jwt.go, gateway/it/suite_test.go
Summary: New exported JWTSteps type with constructors and step registrations to fetch tokens from mock JWKS, attach tokens to requests, reset between scenarios, and register features into the test suite.

Cohort: Test policy config
File(s): gateway/it/test-config.yaml
Summary: Adds jwtauth_v010 policy configuration (key managers, JWKS URIs, issuer/audience, caching, timeouts, algorithms, header settings) and updates ratelimit_v010 fields.

Sequence Diagram(s)

sequenceDiagram
    participant TestSuite as Test Suite
    participant MockJWKS as Mock JWKS Server
    participant Gateway as API Gateway
    participant Backend as Backend Service

    TestSuite->>MockJWKS: GET /token?issuer=...
    MockJWKS-->>TestSuite: 200 OK with JWT
    TestSuite->>TestSuite: store JWT
    TestSuite->>Gateway: HTTP request with Authorization: Bearer {JWT}
    Gateway->>MockJWKS: Fetch/validate keys (JWKS URI)
    MockJWKS-->>Gateway: JWKS (keys)
    Gateway->>Gateway: Validate JWT (issuer/audience/alg)
    Gateway->>Backend: Forward request (on success)
    Backend-->>Gateway: Response
    Gateway-->>TestSuite: 200 OK / 401 Unauthorized

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I fetched a token with a hop and a twirl,
From mock JWKS across the testing world.
BDD hops, steps align, tests run true,
Gateway checks, keys dance — hooray anew!
nibbles a carrot and bounces off

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Description check: ⚠️ Warning
    Explanation: The PR description is minimal and only includes a summary statement. Required sections from the template (Purpose, Goals, Approach, User stories, Documentation, Automation tests, Security checks, etc.) are missing or incomplete.
    Resolution: Provide a complete description following the repository template, including Purpose (why), Goals (what), Approach (how), Documentation, and details about the integration tests being added.

✅ Passed checks (2 passed)
  • Title check: ✅ Passed
    Explanation: The title 'Add JWT authentication integration tests' directly and clearly summarizes the main change: adding integration tests for JWT authentication.
  • Docstring Coverage: ✅ Passed
    Explanation: Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


@Tharsanan1 Tharsanan1 changed the title feat: Add JWT authentication integration tests and setup Add JWT authentication integration tests Jan 18, 2026
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/copilot-instructions.md:
- Around line 26-28: Avoid hardcoded line numbers; instead open
gateway/it/docker-compose.test.yaml, locate the gateway-controller service's
image entry (the line containing
ghcr.io/wso2/api-platform/gateway-controller-coverage:<version>) and remove the
"-coverage" suffix so it becomes
ghcr.io/wso2/api-platform/gateway-controller:<version>; repeat the same
pattern-based replacement for any other occurrences (e.g., the ones referenced
around lines 47–49) rather than pointing to specific line numbers.

In `@gateway/it/docker-compose.test.yaml`:
- Around line 125-135: Add a Docker healthcheck for the mock-jwks service
(container_name it-mock-jwks) in docker-compose.test.yaml so test runs wait
until the JWKS endpoint is reachable; implement a healthcheck that queries the
JWKS endpoint (e.g., GET /.well-known/jwks.json) with a short timeout and
conservative retries/interval/start_period to avoid flakes, and ensure any
test-suite waiting logic uses the container health status if applicable.
🧹 Nitpick comments (4)
.github/workflows/copilot-setup-steps.yml (1)

40-48: Consider pinning Helm and kubectl versions for reproducibility.

Using version: 'latest' for both Helm and kubectl can cause unexpected build failures when new versions are released with breaking changes. Pinning to specific versions ensures consistent behavior across runs.

♻️ Suggested improvement
      - name: Install Helm
        uses: azure/setup-helm@v4
        with:
-          version: 'latest'
+          version: 'v3.14.0'  # Pin to a specific stable version

      - name: Install kubectl
        uses: azure/setup-kubectl@v4
        with:
-          version: 'latest'
+          version: 'v1.29.0'  # Pin to a specific stable version
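Review bot: the two `+` lines pin the Helm and kubectl binaries, but the action references in the unchanged context, `uses: azure/setup-helm@v4` and `uses: azure/setup-kubectl@v4`, are still mutable tags, so the workflow remains subject to whatever those tags point to on a given run. If reproducibility is the goal, pin each action to a full commit SHA in the same change (keeping the tag in a trailing comment for readability), and extend the `# Pin to a specific stable version` comments with a note on what the pinned Helm/kubectl versions should track, so the next bump is deliberate rather than accidental.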
.github/copilot-instructions.md (1)

19-41: Consider automating the image switching workflow.

The manual edit-test-revert workflow for switching between coverage and non-coverage images is error-prone. Consider these alternatives:

  • Use an environment variable or make target that overrides the image name dynamically
  • Create separate docker-compose files (e.g., docker-compose.test.yaml for CI with coverage, docker-compose.local.yaml for local testing)
  • Add a pre-commit git hook to prevent accidentally committing the non-coverage image reference
  • Use docker-compose override files (docker-compose.override.yaml) for local customization
gateway/it/steps_jwt.go (2)

68-73: Harden token URL construction to avoid path/query edge cases.

String concatenation can yield double slashes or drop existing query parts. Using url.JoinPath + url.Values is safer and more idiomatic.

♻️ Proposed refactor
-	tokenURL := j.mockJWKSURL + "/token"
-	if issuer != "" {
-		tokenURL = tokenURL + "?issuer=" + url.QueryEscape(issuer)
-	}
+	tokenURL, err := url.JoinPath(j.mockJWKSURL, "token")
+	if err != nil {
+		return fmt.Errorf("invalid mock JWKS URL: %w", err)
+	}
+	if issuer != "" {
+		u, err := url.Parse(tokenURL)
+		if err != nil {
+			return fmt.Errorf("invalid token URL: %w", err)
+		}
+		q := u.Query()
+		q.Set("issuer", issuer)
+		u.RawQuery = q.Encode()
+		tokenURL = u.String()
+	}
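Review bot: the `+` lines parse the same URL twice: `url.JoinPath(j.mockJWKSURL, "token")` returns a string that is immediately re-parsed by `url.Parse(tokenURL)` inside the `if issuer != ""` block. Parse `j.mockJWKSURL` once, call the `(*url.URL).JoinPath("token")` method on the result (both the function and the method exist since Go 1.19), then set the query on that value; this drops one error branch and the `err` shadowing introduced by `u, err := url.Parse(tokenURL)`. The new `return fmt.Errorf(...)` lines also assume the enclosing step function already returns `error`, which is worth confirming against the rest of `steps_jwt.go`.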

99-107: Verify HTTP helper consistency for GET requests.

iSendGETRequestWithJWTToken uses SendGETRequest, while the other helpers use ISendGETRequest/ISendPOSTRequest. If these differ in response-state handling, the subsequent assertions may read stale state. Please confirm or align to the same helper.

🔧 Suggested alignment
-	return j.httpSteps.SendGETRequest(url)
+	return j.httpSteps.ISendGETRequest(url)
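Review bot: the one-line swap to `j.httpSteps.ISendGETRequest(url)` assumes the two helpers take the same argument and that `ISendGETRequest` records the response the following assertions read; the comment above only says the helpers may differ, so both should be confirmed before the suggestion is applied, otherwise the step could attach the bearer token correctly yet assert against the previous scenario's response. Unrelated to the swap but visible in the same line: `url` is used as a parameter name while the file also calls `url.QueryEscape`, so the parameter shadows the `net/url` package inside this function; renaming it (for example to `path`) avoids confusion.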

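The URL-building point raised in the steps_jwt.go nitpick above, worked through as an added Go example (this is not code from the PR or from the wso2 gateway repository): it contrasts the concatenation form with one that parses the mock JWKS base URL once and appends the `token` path segment and `issuer` query parameter safely, preserving any query the base already carries. The base URLs and issuer value are constructed inputs.

```go
package main

import (
	"fmt"
	"net/url"
)

// naiveTokenURL reproduces the string-concatenation approach the nitpick
// criticises: a trailing slash on the base yields "//token", and a base that
// already carries a query string ends up with the path appended to the query.
func naiveTokenURL(base, issuer string) string {
	u := base + "/token"
	if issuer != "" {
		u += "?issuer=" + url.QueryEscape(issuer)
	}
	return u
}

// tokenURL parses the mock JWKS base exactly once, rejects non-absolute
// bases, appends "token" as a path segment (normalising slashes) and adds the
// issuer as a proper query parameter next to whatever query already exists.
func tokenURL(base, issuer string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", fmt.Errorf("invalid mock JWKS URL %q: %w", base, err)
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("mock JWKS URL %q must be absolute", base)
	}
	u = u.JoinPath("token") // (*url.URL).JoinPath, Go 1.19+
	if issuer != "" {
		q := u.Query()
		q.Set("issuer", issuer)
		u.RawQuery = q.Encode()
	}
	return u.String(), nil
}

func main() {
	// Constructed sample bases, including the two shapes that break concatenation.
	const issuer = "https://issuer.example/realm"
	for _, base := range []string{
		"http://localhost:8082",
		"http://localhost:8082/",
		"http://localhost:8082/?tenant=test",
	} {
		safe, err := tokenURL(base, issuer)
		fmt.Printf("base=%q\n  naive=%q\n  safe=%q err=%v\n", base, naiveTokenURL(base, issuer), safe, err)
	}
}
```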
@renuka-fernando renuka-fernando merged commit 550787a into wso2:main Jan 20, 2026
5 checks passed