tetrateio · sergicastro · Feb 28, 2024 · Feb 28, 2024
diff --git a/e2e/istio/cluster/istiogw-config.yaml b/e2e/istio/cluster/istiogw-config.yaml
@@ -25,6 +25,11 @@ service:
       nodePort: 30000  # Make it accessible form the host without having to install MetalLB or others
       protocol: TCP
       targetPort: 443
+    - name: http
+      port: 80
+      nodePort: 30002
+      protocol: TCP
+      targetPort: 80
 
 # Clear the default resources to allow it to run in very constrained local environments
 # without explicitly requesting more memory than the one that might be available in the

diff --git a/e2e/istio/cluster/kind-config.yaml b/e2e/istio/cluster/kind-config.yaml
@@ -23,3 +23,5 @@ nodes:
         hostPort: 30000
       - containerPort: 30001
         hostPort: 30001
+      - containerPort: 30002
+        hostPort: 30002
diff --git a/e2e/istio/cluster/manifests/ingress-gateway.yaml b/e2e/istio/cluster/manifests/ingress-gateway.yaml
@@ -30,6 +30,14 @@ spec:
       tls:
         mode: SIMPLE
         credentialName: http-echo-certs
+    - hosts:
+      - "http-echo.authservice.internal"
+      port:
+        number: 80
+        name: http
+        protocol: HTTP
+      tls:
+        httpsRedirect: true
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService

diff --git a/e2e/istio/istio_test.go b/e2e/istio/istio_test.go
@@ -22,40 +22,54 @@ import (
 )
 
 const (
-	testURL             = "https://http-echo.authservice.internal"
+	testURLTLS          = "https://http-echo.authservice.internal"
+	testURLPlain        = "http://http-echo.authservice.internal"
 	testCAFile          = "certs/ca.crt"
 	keyCloakLoginFormID = "kc-form-login"
 	username            = "authservice"
 	password            = "authservice"
 )
 
 func (i *IstioSuite) TestIstioEnforcement() {
-	// Initialize the test OIDC client that will keep track of the state of the OIDC login process
-	client, err := e2e.NewOIDCTestClient(
-		e2e.WithLoggingOptions(i.T().Log, true),
-		e2e.WithCustomCA(testCAFile),
-		// Map the keycloak cluster DNS name to the local address where the service is exposed
-		e2e.WithCustomAddressMappings(map[string]string{
-			"http-echo.authservice.internal:443": "localhost:30000",
-			"keycloak.keycloak:8080":             "localhost:30001",
-		}),
-	)
-	i.Require().NoError(err)
-
-	// Send a request to the test server. It will be redirected to the IdP login page
-	res, err := client.Get(testURL)
-	i.Require().NoError(err)
-
-	// Parse the response body to get the URL where the login page would post the user-entered credentials
-	i.Require().NoError(client.ParseLoginForm(res.Body, keyCloakLoginFormID))
-
-	// Submit the login form to the IdP. This will authenticate and redirect back to the application
-	res, err = client.Login(map[string]string{"username": username, "password": password, "credentialId": ""})
-	i.Require().NoError(err)
-
-	// Verify that we get the expected response from the application
-	body, err := io.ReadAll(res.Body)
-	i.Require().NoError(err)
-	i.Require().Equal(http.StatusOK, res.StatusCode)
-	i.Require().Contains(string(body), "Request served by http-echo")
+	for name, uri := range map[string]string{
+		"client requests TLS":                              testURLTLS,
+		"client requests plain text, is redirected to TLS": testURLPlain,
+	} {
+		i.Run(name, func() {
+			// Initialize the test OIDC client that will keep track of the state of the OIDC login process
+			// Initialize it for each test to not reuse the session between them
+			client, err := e2e.NewOIDCTestClient(
+				e2e.WithLoggingOptions(i.T().Log, true),
+				e2e.WithCustomCA(testCAFile),
+				// Map the keycloak cluster DNS name to the local address where the service is exposed
+				e2e.WithCustomAddressMappings(map[string]string{
+					"http-echo.authservice.internal:80":  "localhost:30002",
+					"http-echo.authservice.internal:443": "localhost:30000",
+					"keycloak.keycloak:8080":             "localhost:30001",
+				}),
+			)
+			i.Require().NoError(err)
+
+			// Send a request to the test server. It will be redirected to the IdP login page
+			res, err := client.Get(uri)
+			i.Require().NoError(err)
+
+			// Parse the response body to get the URL where the login page would post the user-entered credentials
+			i.Require().NoError(client.ParseLoginForm(res.Body, keyCloakLoginFormID))
+
+			// Submit the login form to the IdP. This will authenticate and redirect back to the application
+			res, err = client.Login(map[string]string{"username": username, "password": password, "credentialId": ""})
+			i.Require().NoError(err)
+
+			// Verify that we get the expected response from the application
+			body, err := io.ReadAll(res.Body)
+			i.Require().NoError(err)
+			i.Require().Equal(http.StatusOK, res.StatusCode)
+			i.Require().Contains(string(body), "Request served by http-echo")
+			// as the destination app is an echo server that returns the received request in the body, we can verify this
+			// received contained the proper tokens
+			i.Require().Contains(string(body), "Authorization: Bearer")
+			i.Require().Contains(string(body), "X-Access-Token:")
+		})
+	}
 }