test: add limit_except context

Author: kjdev

t/auth_jwt.t

@@ -401,3 +401,42 @@ X-Jwt-Claim-Aud: test3.audience.example.com
 X-Jwt-Claim-Email: test3@example.com
 WWW-Authenticate: Bearer realm=""
 --- error_code: 200
+
+=== limit_except
+--- http_config
+include $TEST_NGINX_CONF_DIR/authorized_server.conf;
+map $http_x_id $jwt {
+  "test1" $test1_jwt;
+  "test2" $test2_jwt;
+  default "";
+}
+--- config
+include $TEST_NGINX_CONF_DIR/jwt.conf;
+location / {
+  limit_except GET {
+    auth_jwt "" token=$jwt;
+    auth_jwt_key_file $TEST_NGINX_DATA_DIR/jwks.json;
+  }
+  include $TEST_NGINX_CONF_DIR/authorized_proxy.conf;
+}
+--- request eval
+[
+  "GET /",
+  "GET /",
+  "POST /",
+  "POST /"
+]
+--- more_headers eval
+[
+  "X-Id: empty",
+  "X-Id: test1",
+  "X-Id: empty",
+  "X-Id: test2"
+]
+--- error_code eval
+[
+  200,
+  200,
+  401,
+  200
+]

t/auth_jwt_key_file.t

@@ -648,3 +648,42 @@ X-Jwt-Claim-Aud: test1.audience.example.com
 X-Jwt-Claim-Email: [email protected]
 --- error_code: 200
 --- error_log: auth_jwt: rejected due to signature validate failure: kid="test1"
+
+=== limit_except
+--- http_config
+include $TEST_NGINX_CONF_DIR/authorized_server.conf;
+map $http_x_id $jwt {
+  "test1" $test1_jwt;
+  "test2" $test2_jwt;
+}
+--- config
+include $TEST_NGINX_CONF_DIR/jwt.conf;
+location / {
+  auth_jwt "" token=$jwt;
+  auth_jwt_key_file $TEST_NGINX_DATA_DIR/test1.jwks;
+  limit_except GET {
+    auth_jwt_key_file $TEST_NGINX_DATA_DIR/test2.jwks;
+  }
+  include $TEST_NGINX_CONF_DIR/authorized_proxy.conf;
+}
+--- request eval
+[
+  "GET /",
+  "GET /",
+  "POST /",
+  "POST /"
+]
+--- more_headers eval
+[
+  "X-Id: test1",
+  "X-Id: test2",
+  "X-Id: test1",
+  "X-Id: test2"
+]
+--- error_code eval
+[
+  200,
+  401,
+  200,
+  200
+]

t/auth_jwt_key_request.t

@@ -725,3 +725,44 @@ X-Jwt-Claim-Aud: test1.audience.example.com
 X-Jwt-Claim-Email: [email protected]
 --- error_code: 200
 --- error_log: auth_jwt: rejected due to signature validate failure: kid="test1"
+
+=== limit_except
+--- http_config
+include $TEST_NGINX_CONF_DIR/authorized_server.conf;
+map $http_x_id $jwt {
+  "test1" $test1_jwt;
+  "test2" $test2_jwt;
+}
+--- config
+include $TEST_NGINX_CONF_DIR/jwt.conf;
+location / {
+  auth_jwt "" token=$jwt;
+  auth_jwt_key_request /test1.jwks;
+  limit_except GET {
+    auth_jwt_key_request /test2.jwks;
+  }
+  include $TEST_NGINX_CONF_DIR/authorized_proxy.conf;
+}
+set $data_dir $TEST_NGINX_DATA_DIR;
+include $TEST_NGINX_CONF_DIR/key.conf;
+--- request eval
+[
+  "GET /",
+  "GET /",
+  "POST /",
+  "POST /"
+]
+--- more_headers eval
+[
+  "X-Id: test1",
+  "X-Id: test2",
+  "X-Id: test1",
+  "X-Id: test2"
+]
+--- error_code eval
+[
+  200,
+  401,
+  200,
+  200
+]

t/auth_jwt_require.t

@@ -456,3 +456,50 @@ location / {
   auth_jwt_require "iss";
 }
 --- must_die
+
+=== limit_except
+--- http_config
+include $TEST_NGINX_CONF_DIR/authorized_server.conf;
+map $http_x_id $jwt {
+  "test1" $test1_jwt;
+  "test2" $test2_jwt;
+}
+map $jwt_claim_iss $valid_jwt_iss {
+  "https://test1.issuer.example.com" 1;
+  "https://test2.issuer.example.com" 1;
+}
+map $jwt_claim_sub $valid_jwt_sub {
+  "test2.identifier" 1;
+}
+--- config
+include $TEST_NGINX_CONF_DIR/jwt.conf;
+location / {
+  auth_jwt "" token=$jwt;
+  auth_jwt_key_file $TEST_NGINX_DATA_DIR/jwks.json;
+  auth_jwt_require $valid_jwt_iss;
+  limit_except GET {
+    auth_jwt_require $valid_jwt_sub;
+  }
+  include $TEST_NGINX_CONF_DIR/authorized_proxy.conf;
+}
+--- request eval
+[
+  "GET /",
+  "GET /",
+  "POST /",
+  "POST /"
+]
+--- more_headers eval
+[
+  "X-Id: test1",
+  "X-Id: test2",
+  "X-Id: test1",
+  "X-Id: test2"
+]
+--- error_code eval
+[
+  200,
+  200,
+  401,
+  200
+]

t/auth_jwt_require_claim.t

@@ -120,3 +120,43 @@ location / {
 auth_jwt: failed to json load claim requirement: exp
 --- log_level
 error
+
+=== limit_except
+--- http_config
+include $TEST_NGINX_CONF_DIR/authorized_server.conf;
+map $http_x_id $jwt {
+  "test1" $test1_jwt;
+  "test2" $test2_jwt;
+}
+--- config
+include $TEST_NGINX_CONF_DIR/jwt.conf;
+location / {
+  auth_jwt "" token=$jwt;
+  auth_jwt_key_file $TEST_NGINX_DATA_DIR/jwks.json;
+  auth_jwt_require_claim iss intersect json=["https://test1.issuer.example.com","https://test2.issuer.example.com"];
+  limit_except GET {
+    auth_jwt_require_claim sub eq "test2.identifier";
+  }
+  include $TEST_NGINX_CONF_DIR/authorized_proxy.conf;
+}
+--- request eval
+[
+  "GET /",
+  "GET /",
+  "POST /",
+  "POST /"
+]
+--- more_headers eval
+[
+  "X-Id: test1",
+  "X-Id: test2",
+  "X-Id: test1",
+  "X-Id: test2"
+]
+--- error_code eval
+[
+  200,
+  200,
+  401,
+  200
+]

t/auth_jwt_require_header.t

@@ -94,3 +94,43 @@ location / {
 auth_jwt: failed to json load header requirement: kid
 --- log_level
 error
+
+=== limit_except
+--- http_config
+include $TEST_NGINX_CONF_DIR/authorized_server.conf;
+map $http_x_id $jwt {
+  "test1" $test1_jwt;
+  "test2" $test2_jwt;
+}
+--- config
+include $TEST_NGINX_CONF_DIR/jwt.conf;
+location / {
+  auth_jwt "" token=$jwt;
+  auth_jwt_key_file $TEST_NGINX_DATA_DIR/jwks.json;
+  auth_jwt_require_header alg intersect json=["HS256","HS384"];
+  limit_except GET {
+    auth_jwt_require_header kid eq "test2";
+  }
+  include $TEST_NGINX_CONF_DIR/authorized_proxy.conf;
+}
+--- request eval
+[
+  "GET /",
+  "GET /",
+  "POST /",
+  "POST /"
+]
+--- more_headers eval
+[
+  "X-Id: test1",
+  "X-Id: test2",
+  "X-Id: test1",
+  "X-Id: test2"
+]
+--- error_code eval
+[
+  200,
+  200,
+  401,
+  200
+]

t/auth_jwt_revocation_list_kid.t

@@ -146,3 +146,43 @@ location / {
 --- error_code: 401
 --- error_log
 auth_jwt: rejected due to kid cannot be empty when revocation_kids set
+
+=== limit_except
+--- http_config
+include $TEST_NGINX_CONF_DIR/authorized_server.conf;
+map $http_x_id $jwt {
+  "test1" $test1_jwt;
+  "test2" $test2_jwt;
+}
+--- config
+include $TEST_NGINX_CONF_DIR/jwt.conf;
+location / {
+  auth_jwt "" token=$jwt;
+  auth_jwt_key_file $TEST_NGINX_DATA_DIR/jwks.json;
+  auth_jwt_revocation_list_kid $TEST_NGINX_DATA_DIR/revocation_kid_list/empty_revocation_kid_list.json;
+  limit_except GET {
+    auth_jwt_revocation_list_kid $TEST_NGINX_DATA_DIR/revocation_kid_list/revocation_kid_list.json;
+  }
+  include $TEST_NGINX_CONF_DIR/authorized_proxy.conf;
+}
+--- request eval
+[
+  "GET /",
+  "GET /",
+  "POST /",
+  "POST /"
+]
+--- more_headers eval
+[
+  "X-Id: test1",
+  "X-Id: test2",
+  "X-Id: test1",
+  "X-Id: test2"
+]
+--- error_code eval
+[
+  200,
+  200,
+  200,
+  401
+]

t/auth_jwt_revocation_list_sub.t

@@ -114,3 +114,43 @@ location / {
 --- error_code: 401
 --- error_log
 auth_jwt: rejected due to sub in revocation list: sub="test2.identifier"
+
+=== limit_except
+--- http_config
+include $TEST_NGINX_CONF_DIR/authorized_server.conf;
+map $http_x_id $jwt {
+  "test1" $test1_jwt;
+  "test2" $test2_jwt;
+}
+--- config
+include $TEST_NGINX_CONF_DIR/jwt.conf;
+location / {
+  auth_jwt "" token=$jwt;
+  auth_jwt_key_file $TEST_NGINX_DATA_DIR/jwks.json;
+  auth_jwt_revocation_list_sub $TEST_NGINX_DATA_DIR/revocation_list_sub/empty_revocation_list_sub.json;
+  limit_except GET {
+    auth_jwt_revocation_list_sub $TEST_NGINX_DATA_DIR/revocation_list_sub/revocation_list_sub.json;
+  }
+  include $TEST_NGINX_CONF_DIR/authorized_proxy.conf;
+}
+--- request eval
+[
+  "GET /",
+  "GET /",
+  "POST /",
+  "POST /"
+]
+--- more_headers eval
+[
+  "X-Id: test1",
+  "X-Id: test2",
+  "X-Id: test1",
+  "X-Id: test2"
+]
+--- error_code eval
+[
+  200,
+  200,
+  200,
+  401
+]

t/auth_jwt_validate_exp.t

@@ -134,3 +134,28 @@ X-Jwt-Claim-Email:
 --- error_code: 401
 --- error_log: auth_jwt: rejected due to exp claim could not be obtained
 --- log_level: info
+
+=== limit_except
+--- http_config
+include $TEST_NGINX_CONF_DIR/authorized_server.conf;
+--- config
+include $TEST_NGINX_CONF_DIR/jwt.conf;
+location / {
+  auth_jwt "" token=$test1_invalid_exp_jwt;
+  auth_jwt_key_file $TEST_NGINX_DATA_DIR/jwks.json;
+  auth_jwt_validate_exp off;
+  limit_except GET {
+    auth_jwt_validate_exp on;
+  }
+  include $TEST_NGINX_CONF_DIR/authorized_proxy.conf;
+}
+--- request eval
+[
+  "GET /",
+  "POST /"
+]
+--- error_code eval
+[
+  200,
+  401
+]