Add unit tests for sni

Author: javorszky

internal/configs/version2/templates_test.go

@@ -737,6 +737,15 @@ func TestExecuteVirtualServerTemplateWithJWKSWithToken(t *testing.T) {
 	if !bytes.Contains(got, []byte("proxy_cache_valid 200 12h;")) {
 		t.Error("want `proxy_cache_valid 200 12h;` in generated template")
 	}
+
+	if !bytes.Contains(got, []byte("proxy_ssl_server_name on;")) {
+		t.Error("want `proxy_ssl_server_name on;` in generated template")
+	}
+
+	if !bytes.Contains(got, []byte("proxy_ssl_name sni.idp.spec.example.com;")) {
+		t.Error("want `proxy_ssl_name sni.idp.spec.example.com;` in generated template")
+	}
+
 	snaps.MatchSnapshot(t, string(got))
 	t.Log(string(got))
 }
@@ -2340,10 +2349,12 @@ var (
 		Server: Server{
 			JWTAuthList: map[string]*JWTAuth{
 				"default/jwt-policy": {
-					Key:      "default/jwt-policy",
-					Realm:    "Spec Realm API",
-					Token:    "$http_token",
-					KeyCache: "1h",
+					Key:            "default/jwt-policy",
+					Realm:          "Spec Realm API",
+					Token:          "$http_token",
+					KeyCache:       "1h",
+					JwksSNIEnabled: true,
+					JwksSNIName:    "sni.idp.spec.example.com",
 					JwksURI: JwksURI{
 						JwksScheme: "https",
 						JwksHost:   "idp.spec.example.com",

internal/configs/virtualserver_test.go

@@ -5641,9 +5641,11 @@ func TestGenerateVirtualServerConfigJWKSPolicy(t *testing.T) {
 				},
 				Spec: conf_v1.PolicySpec{
 					JWTAuth: &conf_v1.JWTAuth{
-						Realm:    "Spec Realm API",
-						JwksURI:  "https://idp.spec.example.com:443/spec-keys",
-						KeyCache: "1h",
+						Realm:         "Spec Realm API",
+						JwksURI:       "https://idp.spec.example.com:443/spec-keys",
+						KeyCache:      "1h",
+						SNIEnabled:    true,
+						SNIServerName: "idp.spec.example.com",
 					},
 				},
 			},
@@ -5709,9 +5711,11 @@ func TestGenerateVirtualServerConfigJWKSPolicy(t *testing.T) {
 		Server: version2.Server{
 			JWTAuthList: map[string]*version2.JWTAuth{
 				"default/jwt-policy": {
-					Key:      "default/jwt-policy",
-					Realm:    "Spec Realm API",
-					KeyCache: "1h",
+					Key:            "default/jwt-policy",
+					Realm:          "Spec Realm API",
+					KeyCache:       "1h",
+					JwksSNIEnabled: true,
+					JwksSNIName:    "idp.spec.example.com",
 					JwksURI: version2.JwksURI{
 						JwksScheme: "https",
 						JwksHost:   "idp.spec.example.com",
@@ -5732,9 +5736,11 @@ func TestGenerateVirtualServerConfigJWKSPolicy(t *testing.T) {
 				},
 			},
 			JWTAuth: &version2.JWTAuth{
-				Key:      "default/jwt-policy",
-				Realm:    "Spec Realm API",
-				KeyCache: "1h",
+				Key:            "default/jwt-policy",
+				Realm:          "Spec Realm API",
+				KeyCache:       "1h",
+				JwksSNIName:    "idp.spec.example.com",
+				JwksSNIEnabled: true,
 				JwksURI: version2.JwksURI{
 					JwksScheme: "https",
 					JwksHost:   "idp.spec.example.com",

pkg/apis/configuration/validation/policy_test.go

@@ -95,6 +95,33 @@ func TestValidatePolicy_JWTIsNotValidOn(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "SNI server name passed, but SNI not enabled",
+			policy: &v1.Policy{
+				Spec: v1.PolicySpec{
+					JWTAuth: &v1.JWTAuth{
+						Realm:         "My Product API",
+						JwksURI:       "https://myjwksuri.com",
+						KeyCache:      "1h",
+						SNIServerName: "ipd.org",
+					},
+				},
+			},
+		},
+		{
+			name: "SNI server name passed, SNI enabled, bad SNI server name",
+			policy: &v1.Policy{
+				Spec: v1.PolicySpec{
+					JWTAuth: &v1.JWTAuth{
+						Realm:         "My Product API",
+						JwksURI:       "https://myjwksuri.com",
+						KeyCache:      "1h",
+						SNIEnabled:    true,
+						SNIServerName: "msql://ipd.org",
+					},
+				},
+			},
+		},
 	}
 
 	for _, tc := range tt {
@@ -164,6 +191,33 @@ func TestValidatePolicy_IsValidOnJWTPolicy(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "with SNI and without SNI server name",
+			policy: &v1.Policy{
+				Spec: v1.PolicySpec{
+					JWTAuth: &v1.JWTAuth{
+						Realm:      "My Product API",
+						KeyCache:   "1h",
+						JwksURI:    "https://login.mydomain.com/keys",
+						SNIEnabled: true,
+					},
+				},
+			},
+		},
+		{
+			name: "with SNI and with SNI server name",
+			policy: &v1.Policy{
+				Spec: v1.PolicySpec{
+					JWTAuth: &v1.JWTAuth{
+						Realm:         "My Product API",
+						KeyCache:      "1h",
+						JwksURI:       "https://login.mydomain.com/keys",
+						SNIEnabled:    true,
+						SNIServerName: "https://example.org",
+					},
+				},
+			},
+		},
 	}
 
 	for _, tc := range tt {
@@ -787,6 +841,27 @@ func TestValidateJWT_PassesOnValidInput(t *testing.T) {
 			},
 			msg: "jwt with jwksURI",
 		},
+		{
+			jwt: &v1.JWTAuth{
+				Realm:         "My Product API",
+				Token:         "$cookie_auth_token",
+				JwksURI:       "https://idp.com/token",
+				KeyCache:      "1h",
+				SNIEnabled:    true,
+				SNIServerName: "https://ipd.com:9999",
+			},
+			msg: "SNI enabled and valid SNI server name",
+		},
+		{
+			jwt: &v1.JWTAuth{
+				Realm:      "My Product API",
+				Token:      "$cookie_auth_token",
+				JwksURI:    "https://idp.com/token",
+				KeyCache:   "1h",
+				SNIEnabled: true,
+			},
+			msg: "SNI enabled and no server name passed",
+		},
 	}
 	for _, test := range tests {
 		allErrs := validateJWT(test.jwt, field.NewPath("jwt"))
@@ -890,6 +965,35 @@ func TestValidateJWT_FailsOnInvalidInput(t *testing.T) {
 			},
 			msg: "invalid JwksURI",
 		},
+		{
+			jwt: &v1.JWTAuth{
+				Realm:         "My Product api",
+				JwksURI:       "https://idp.com/token",
+				KeyCache:      "1h",
+				SNIEnabled:    true,
+				SNIServerName: "msql://not-\\\\a-valid-sni",
+			},
+			msg: "invalid SNI server name",
+		},
+		{
+			jwt: &v1.JWTAuth{
+				Realm:         "My Product api",
+				JwksURI:       "https://idp.com/token",
+				KeyCache:      "1h",
+				SNIEnabled:    false,
+				SNIServerName: "https://idp.com",
+			},
+			msg: "SNI server name passed, SNI not enabled",
+		},
+		{
+			jwt: &v1.JWTAuth{
+				Realm:         "My Product api",
+				JwksURI:       "https://idp.com/token",
+				KeyCache:      "1h",
+				SNIServerName: "https://idp.com",
+			},
+			msg: "SNI server name passed, SNI not passed",
+		},
 	}
 	for _, test := range tests {
 		test := test