Skip to content

Commit 11f845c

Browse files
mjudeikis-botOpenClaw Botmjudeikis
authored
test: unauthenticated requests to edges proxy return 401 (#77) (#95)
Add e2e test ProxyUnauthenticated that verifies requests without a Bearer token are rejected with 401/403 by the edges proxy handler. The handler (pkg/virtual/builder/edges_proxy_builder.go) checks for a valid bearer token as the very first step, before any path parsing or cluster lookup. The test hits the /services/edges-proxy/ path without an Authorization header and asserts the response is 401 or 403. The test is registered in the standalone suite so it runs without any OIDC or agent infrastructure — only a reachable hub is required. Closes #77 Co-authored-by: OpenClaw Bot <bot@openclaw.ai> Co-authored-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
1 parent 05dec71 commit 11f845c

2 files changed

Lines changed: 34 additions & 0 deletions

File tree

test/e2e/cases/auth.go

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -82,6 +82,39 @@ func fakeBearerJWT() string {
8282
return "Bearer " + header + "." + payload + "." + sig
8383
}
8484

85+
// ProxyUnauthenticated verifies that a request to the edges proxy without a
86+
// Bearer token is rejected with HTTP 401 Unauthorized.
87+
//
88+
// The edges proxy handler (pkg/virtual/builder/edges_proxy_builder.go) checks
89+
// for a valid bearer token as its very first step — before any path parsing or
90+
// cluster lookup — so this test does not require a running agent or edge
91+
// resource: it only needs a reachable hub.
92+
func ProxyUnauthenticated() features.Feature {
93+
return features.New("Auth/ProxyUnauthenticated").
94+
Assess("no_token_returns_401", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
95+
clusterEnv := framework.ClusterEnvFrom(ctx)
96+
if clusterEnv == nil {
97+
t.Fatal("cluster environment not found in context")
98+
}
99+
100+
// Hit the edges proxy with no Authorization header.
101+
// The handler rejects requests with an empty bearer token with 401
102+
// before any path parsing or cluster lookup occurs, so the cluster
103+
// and edge name here are arbitrary placeholders.
104+
proxyURL := clusterEnv.HubURL + "/services/edges-proxy/clusters/test/apis/kedge.faros.sh/v1alpha1/edges/nonexistent/k8s"
105+
code, err := framework.HTTPGet(ctx, proxyURL)
106+
if err != nil {
107+
t.Fatalf("HTTP GET to edges proxy failed: %v", err)
108+
}
109+
if code != http.StatusUnauthorized && code != http.StatusForbidden {
110+
t.Fatalf("expected 401 or 403 for unauthenticated edges proxy request, got %d", code)
111+
}
112+
t.Logf("edges proxy correctly rejected unauthenticated request with HTTP %d", code)
113+
return ctx
114+
}).
115+
Feature()
116+
}
117+
85118
// ProxyInvalidToken verifies that the edges-proxy handler rejects requests
86119
// carrying invalid Bearer tokens with HTTP 401 or 403.
87120
//

test/e2e/suites/standalone/standalone_test.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,7 @@ func TestK8sProxyAccess(t *testing.T) { testenv.Test(t, cases.K8sProxyAcce
3535
func TestK8sProxyWrite(t *testing.T) { testenv.Test(t, cases.K8sProxyWrite()) }
3636
func TestK8sProxyExec(t *testing.T) { testenv.Test(t, cases.K8sProxyExec()) }
3737
func TestWorkloadDeployment(t *testing.T) { testenv.Test(t, cases.WorkloadDeployment()) }
38+
func TestProxyUnauthenticated(t *testing.T) { testenv.Test(t, cases.ProxyUnauthenticated()) }
3839

3940
// Multi-edge tests — require 2 agent clusters (DefaultAgentCount=2).
4041
func TestTwoAgentsJoin(t *testing.T) { testenv.Test(t, cases.TwoAgentsJoin()) }

0 commit comments

Comments
 (0)