Merge pull request #1962 from AmaliMatharaarachchi/gql-test-r2

Add GQL go integration tests

adapter/internal/discovery/xds/server.go

@@ -393,13 +393,19 @@ func GenerateEnvoyResoucesForGateway(gatewayName string) ([]types.Resource,
 	}
 
 	envoyGatewayConfig, gwFound := gatewayLabelConfigMap[gatewayName]
+	// gwFound means that the gateway is configured in the gateway cr.
 	listeners := envoyGatewayConfig.listeners
 	if !gwFound || listeners == nil || len(listeners) == 0 {
 		return nil, nil, nil, nil, nil
 	}
 	routeConfigs := make([]*routev3.RouteConfiguration, 0)
+	// TODO(amali) Revisit the following
+	// Find the matching listener for each vhost and then only add the routes to the routeConfigs
 	for _, listener := range listeners {
 		for vhost, routes := range vhostToRouteArrayMap {
+			// listener match pass in the following cases
+			// 1. vhost matches to a hostname in gateway
+			// 2. listener name matches
 			matchedListener, found := common.FindElement(dataholder.GetAllGatewayListeners(), func(listenerLocal gwapiv1b1.Listener) bool {
 				if listenerLocal.Hostname != nil && common.MatchesHostname(vhost, string(*listenerLocal.Hostname)) {
 					if listener.Name == common.GetEnvoyListenerName(string(listenerLocal.Protocol), uint32(listenerLocal.Port)) {
@@ -414,19 +420,16 @@ func GenerateEnvoyResoucesForGateway(gatewayName string) ([]types.Resource,
 				routesConfig := oasParser.GetRouteConfigs(map[string][]*routev3.Route{vhost: routes}, routeConfigName, envoyGatewayConfig.customRateLimitPolicies)
 
 				routeConfigMatched, alreadyExistsInRouteConfigList := common.FindElement(routeConfigs, func(routeConf *routev3.RouteConfiguration) bool {
-					if routeConf.Name == routesConfig.Name {
-						return true
-					}
-					return false
+					return routeConf.Name == routesConfig.Name
 				})
 				if alreadyExistsInRouteConfigList {
-					logger.LoggerAPKOperator.Debugf("Route already exists. %+v", routesConfig.Name)
+					logger.LoggerAPKOperator.Debugf("Route already exists. %v", routesConfig.Name)
 					routeConfigMatched.VirtualHosts = append(routeConfigMatched.VirtualHosts, routesConfig.VirtualHosts...)
 				} else {
 					routeConfigs = append(routeConfigs, routesConfig)
 				}
 			} else {
-				logger.LoggerAPKOperator.Errorf("Failed to find a matching gateway listener for this vhost: %s", vhost)
+				logger.LoggerAPKOperator.Errorf("Failed to find a matching gateway listener for this vhost: %s in %v", vhost, listener.Name)
 			}
 		}
 	}

adapter/internal/oasparser/model/adapter_internal_api.go

@@ -926,7 +926,6 @@ func (adapterInternalAPI *AdapterInternalAPI) SetInfoGQLRouteCR(gqlRoute *dpv1al
 		resourceAuthScheme = concatAuthSchemes(resourceAuthScheme, nil)
 		resourceRatelimitPolicy = concatRateLimitPolicies(resourceRatelimitPolicy, nil)
 
-		loggers.LoggerOasparser.Debugf("Calculating auths for API ..., API_UUID = %v", adapterInternalAPI.UUID)
 		apiAuth := getSecurity(resourceAuthScheme)
 
 		for _, match := range rule.Matches {

adapter/internal/operator/synchronizer/gql_api.go

@@ -19,7 +19,6 @@ package synchronizer
 
 import (
 	"errors"
-	"fmt"
 
 	"github.com/wso2/apk/adapter/config"
 	"github.com/wso2/apk/adapter/internal/dataholder"
@@ -49,7 +48,7 @@ func generateGQLAdapterInternalAPI(apiState APIState, gqlRoute *GQLRouteState, e
 		environment = conf.Adapter.Environment
 	}
 	adapterInternalAPI.SetEnvironment(environment)
-
+	adapterInternalAPI.SetXWso2RequestBodyPass(true)
 	resourceParams := model.ResourceParams{
 		AuthSchemes:               apiState.Authentications,
 		ResourceAuthSchemes:       apiState.ResourceAuthentications,
@@ -66,10 +65,6 @@ func generateGQLAdapterInternalAPI(apiState APIState, gqlRoute *GQLRouteState, e
 		loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2631, logging.MAJOR, "Error setting GQLRoute CR info to adapterInternalAPI. %v", err))
 		return nil, nil, err
 	}
-	if err := adapterInternalAPI.Validate(); err != nil {
-		loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2632, logging.MAJOR, "Error validating adapterInternalAPI intermediate representation. %v", err))
-		return nil, nil, err
-	}
 	vHosts := getVhostsForGQLAPI(gqlRoute.GQLRouteCombined)
 	labels := getLabelsForGQLAPI(gqlRoute.GQLRouteCombined)
 	listeners, relativeSectionNames := getListenersForGQLAPI(gqlRoute.GQLRouteCombined, adapterInternalAPI.UUID)
@@ -104,7 +99,6 @@ func getVhostsForGQLAPI(gqlRoute *v1alpha2.GQLRoute) []string {
 	for _, hostName := range gqlRoute.Spec.Hostnames {
 		vHosts = append(vHosts, string(hostName))
 	}
-	fmt.Println("vhosts size: ", len(vHosts))
 	return vHosts
 }
 

adapter/internal/operator/synchronizer/rest_api.go

@@ -19,7 +19,6 @@ package synchronizer
 
 import (
 	"errors"
-	"fmt"
 
 	"github.com/wso2/apk/adapter/config"
 	"github.com/wso2/apk/adapter/internal/dataholder"
@@ -131,7 +130,6 @@ func getVhostsForAPI(httpRoute *gwapiv1b1.HTTPRoute) []string {
 	for _, hostName := range httpRoute.Spec.Hostnames {
 		vHosts = append(vHosts, string(hostName))
 	}
-	fmt.Println("vhosts size: ", len(vHosts))
 	return vHosts
 }
 
@@ -166,10 +164,7 @@ func getListenersForAPI(httpRoute *gwapiv1b1.HTTPRoute, apiUUID string) ([]strin
 		if found {
 			// find the matching listener
 			matchedListener, listenerFound := common.FindElement(gateway.Spec.Listeners, func(listener gwapiv1b1.Listener) bool {
-				if string(listener.Name) == string(*parentRef.SectionName) {
-					return true
-				}
-				return false
+				return string(listener.Name) == string(*parentRef.SectionName)
 			})
 			if listenerFound {
 				sectionNames = append(sectionNames, string(matchedListener.Name))

common-go-libs/go.mod

@@ -2,8 +2,6 @@ module github.com/wso2/apk/common-go-libs
 
 go 1.19
 
-replace github.com/wso2/apk/adapter => ../adapter
-
 require (
 	github.com/envoyproxy/go-control-plane v0.11.2-0.20230802074621-eea0b3bd0f81
 	github.com/onsi/ginkgo/v2 v2.9.5

developer/tryout/samples/sample-api-policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: dp.wso2.com/v1alpha1
+apiVersion: dp.wso2.com/v1alpha2
 kind: APIPolicy
 metadata:
   name: backend-jwt-token-policy

gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/GraphQLAPI.java

@@ -31,7 +31,6 @@
 import org.wso2.apk.enforcer.config.EnforcerConfig;
 import org.wso2.apk.enforcer.discovery.api.Api;
 import org.wso2.apk.enforcer.discovery.api.BackendJWTTokenInfo;
-import org.wso2.apk.enforcer.discovery.api.Certificate;
 import org.wso2.apk.enforcer.discovery.api.Claim;
 import org.wso2.apk.enforcer.discovery.api.Operation;
 import org.wso2.apk.enforcer.discovery.api.Resource;

gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/api/RestAPI.java

@@ -28,13 +28,11 @@
 import org.wso2.apk.enforcer.commons.model.ResourceConfig;
 import org.wso2.apk.enforcer.config.ConfigHolder;
 import org.wso2.apk.enforcer.config.EnforcerConfig;
-import org.wso2.apk.enforcer.config.dto.FilterDTO;
 import org.wso2.apk.enforcer.constants.APIConstants;
 import org.wso2.apk.enforcer.constants.HttpConstants;
 import org.wso2.apk.enforcer.cors.CorsFilter;
 import org.wso2.apk.enforcer.discovery.api.Api;
 import org.wso2.apk.enforcer.discovery.api.BackendJWTTokenInfo;
-import org.wso2.apk.enforcer.discovery.api.Certificate;
 import org.wso2.apk.enforcer.discovery.api.Claim;
 import org.wso2.apk.enforcer.discovery.api.Operation;
 import org.wso2.apk.enforcer.discovery.api.Resource;
@@ -48,12 +46,9 @@
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Comparator;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.ServiceLoader;
 
 /**
  * Specific implementation for a Rest API type APIs.

gateway/enforcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/jwt/JWTAuthenticator.java

@@ -35,7 +35,6 @@
 import org.wso2.apk.enforcer.commons.exception.EnforcerException;
 import org.wso2.apk.enforcer.commons.model.APIConfig;
 import org.wso2.apk.enforcer.commons.model.AuthenticationContext;
-import org.wso2.apk.enforcer.commons.model.JWTAuthenticationConfig;
 import org.wso2.apk.enforcer.commons.model.RequestContext;
 import org.wso2.apk.enforcer.commons.model.ResourceConfig;
 import org.wso2.apk.enforcer.config.ConfigHolder;
@@ -86,12 +85,10 @@ public JWTAuthenticator(final JWTConfigurationDto jwtConfigurationDto, final boo
 
     @Override
     public boolean canAuthenticate(RequestContext requestContext) {
-        // only getting first operation is enough as all matched resource configs have the same security schemes
-        // i.e. graphQL apis do not support resource level security yet
-        JWTAuthenticationConfig jwtAuthenticationConfig =
-                requestContext.getMatchedResourcePaths().get(0).getAuthenticationConfig().getJwtAuthenticationConfig();
-        if (jwtAuthenticationConfig != null) {
-            String authHeaderValue = retrieveAuthHeaderValue(requestContext, jwtAuthenticationConfig);
+        String authHeader = getTokenHeader(requestContext.getMatchedResourcePaths());
+
+        if (!StringUtils.equals(authHeader, "")) {
+            String authHeaderValue = retrieveAuthHeaderValue(requestContext, authHeader);
 
             // Check keyword bearer in header to prevent conflicts with custom authentication
             // (that maybe added with custom filters / interceptors / opa)
@@ -122,8 +119,8 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws
                 Utils.setTag(jwtAuthenticatorInfoSpan, APIConstants.LOG_TRACE_ID,
                         ThreadContext.get(APIConstants.LOG_TRACE_ID));
             }
-            String jwtToken = retrieveAuthHeaderValue(requestContext,
-                    requestContext.getMatchedResourcePaths().get(0).getAuthenticationConfig().getJwtAuthenticationConfig());
+            String authHeader = getTokenHeader(requestContext.getMatchedResourcePaths());
+            String jwtToken = retrieveAuthHeaderValue(requestContext, authHeader);
             String[] splitToken = jwtToken.split("\\s");
             // Extract the token when it is sent as bearer token. i.e Authorization: Bearer <token>
             if (splitToken.length > 1) {
@@ -267,6 +264,16 @@ public AuthenticationContext authenticate(RequestContext requestContext) throws
 
     }
 
+    private String getTokenHeader(ArrayList<ResourceConfig> matchedResourceConfigs) {
+        for (ResourceConfig resourceConfig : matchedResourceConfigs) {
+            if (resourceConfig.getAuthenticationConfig() != null &&
+                    resourceConfig.getAuthenticationConfig().getJwtAuthenticationConfig() != null) {
+                return resourceConfig.getAuthenticationConfig().getJwtAuthenticationConfig().getHeader();
+            }
+        }
+        return "";
+    }
+
     @Override
     public String getChallengeString() {
 
@@ -285,11 +292,9 @@ public int getPriority() {
         return 10;
     }
 
-    private String retrieveAuthHeaderValue(RequestContext requestContext,
-                                           JWTAuthenticationConfig jwtAuthenticationConfig) {
-
+    private String retrieveAuthHeaderValue(RequestContext requestContext, String header) {
         Map<String, String> headers = requestContext.getHeaders();
-        return headers.get(jwtAuthenticationConfig.getHeader());
+        return headers.get(header);
     }
 
     /**

helm-charts/templates/data-plane/config-deployer/config-api-apipolicy.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.wso2.apk.dp.enabled .Values.wso2.apk.dp.configdeployer.enabled }}
-apiVersion: dp.wso2.com/v1alpha1
+apiVersion: dp.wso2.com/v1alpha2
 kind: APIPolicy
 metadata:
   name: "{{ template "apk-helm.resource.prefix" . }}-config-api-api-policy"

samples/custom-ratelimit-interceptor-service/api-interceptor/interceptor-policy.yaml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # -----------------------------------------------------------------------
-apiVersion: dp.wso2.com/v1alpha1
+apiVersion: dp.wso2.com/v1alpha2
 kind: APIPolicy
 metadata:
   name: interceptor-policy-api-level

samples/custom-ratelimit-interceptor-service/gateway-interceptor/interceptor-policy.yaml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # -----------------------------------------------------------------------
-apiVersion: dp.wso2.com/v1alpha1
+apiVersion: dp.wso2.com/v1alpha2
 kind: APIPolicy
 metadata:
   name: interceptor-policy-gateway-level

samples/custom-ratelimit-interceptor-service/resource-interceptor/interceptor-policy.yaml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # -----------------------------------------------------------------------
-apiVersion: dp.wso2.com/v1alpha1
+apiVersion: dp.wso2.com/v1alpha2
 kind: APIPolicy
 metadata:
   name: interceptor-policy-resource-level

samples/request-response-mediation-interceptors/k8s-resources/api-policy.yaml

@@ -14,7 +14,7 @@
 # limitations under the License.
 # -----------------------------------------------------------------------
 
-apiVersion: dp.wso2.com/v1alpha1
+apiVersion: dp.wso2.com/v1alpha2
 kind: APIPolicy
 metadata:
   name: sample-api-policy

test/cucumber-tests/CRs/artifacts.yaml

@@ -222,7 +222,7 @@ spec:
           configMap:
             name: "interceptor-service-config-toml" 
 ---
-apiVersion: dp.wso2.com/v1alpha1
+apiVersion: dp.wso2.com/v1alpha2
 kind: APIPolicy
 metadata:
   name: interceptor-policy-gateway-level

test/integration/integration/tests/gql-api.go

@@ -0,0 +1,100 @@
+/*
+ *  Copyright (c) 2023, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package tests
+
+import (
+	"testing"
+
+	"github.com/wso2/apk/test/integration/integration/utils/http"
+	"github.com/wso2/apk/test/integration/integration/utils/suite"
+)
+
+func init() {
+	IntegrationTests = append(IntegrationTests, GQLAPI)
+}
+
+// DisableAPISecurity test
+var GQLAPI = suite.IntegrationTest{
+	ShortName:   "GQLAPI",
+	Description: "Tests GraphQL API",
+	Manifests:   []string{"tests/gql-api.yaml"},
+	Test: func(t *testing.T, suite *suite.IntegrationTestSuite) {
+		gwAddr := "gql.test.gw.wso2.com:9095"
+		token := http.GetTestToken(t)
+
+		testCases := []http.ExpectedResponse{
+			{
+				Request: http.Request{
+					Host:   "gql.test.gw.wso2.com",
+					Path:   "/gql/v1",
+					Method: "POST",
+					Headers: map[string]string{
+						"Content-Type": "application/json",
+					},
+					Body: `{"query":"query{\n    human(id:1000){\n        id\n        name\n    }\n}","variables":{}}`,
+				},
+				ExpectedRequest: &http.ExpectedRequest{
+					Request: http.Request{
+						Method: ""},
+				},
+				Response: http.Response{StatusCode: 200},
+			},
+			{
+				Request: http.Request{
+					Host:   "gql.test.gw.wso2.com",
+					Path:   "/gql/v1",
+					Method: "POST",
+					Headers: map[string]string{
+						"Content-Type": "application/json",
+					},
+					Body: `{"query":"query{\n    human(id:1000){\n        id\n        name\n    }\n    droid(id:2000){\n        name\n        friends{\n            name\n            appearsIn\n        }\n    }\n}","variables":{}}`,
+				},
+				ExpectedRequest: &http.ExpectedRequest{
+					Request: http.Request{
+						Method: "",
+					},
+				},
+				Response: http.Response{StatusCode: 401},
+			}, {
+				Request: http.Request{
+					Host:   "gql.test.gw.wso2.com",
+					Path:   "/gql/v1",
+					Method: "POST",
+					Headers: map[string]string{
+						"Content-Type":  "application/json",
+						"Authorization": "Bearer " + token,
+					},
+					Body: `{"query":"query{\n    human(id:1000){\n        id\n        name\n    }\n    droid(id:2000){\n        name\n        friends{\n            name\n            appearsIn\n        }\n    }\n}","variables":{}}`,
+				},
+				ExpectedRequest: &http.ExpectedRequest{
+					Request: http.Request{
+						Method: "",
+					},
+				},
+				Response: http.Response{StatusCode: 200},
+			},
+		}
+		for i := range testCases {
+			tc := testCases[i]
+			t.Run(tc.GetTestCaseName(i), func(t *testing.T) {
+				t.Parallel()
+				http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc)
+			})
+		}
+	},
+}