traefik/integration/routing_test.go
Simon Delicata d6598f370c
Multi-layer routing
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
2025-10-22 11:58:05 +02:00


package integration
import (
"net"
"net/http"
"strings"
"testing"
"time"
"github.com/stretchr/testify/require"
"github.com/stretchr/testify/suite"
"github.com/traefik/traefik/v3/integration/try"
)
// RoutingSuite is the integration suite for multi-layer routing combined with
// an authentication middleware. It embeds BaseSuite, so the base suite's
// methods are available on it.
type RoutingSuite struct {
	BaseSuite
}
// TestRoutingSuite is the go test entry point: it hands a fresh RoutingSuite
// to testify's suite runner.
func TestRoutingSuite(t *testing.T) {
	routing := &RoutingSuite{}
	suite.Run(t, routing)
}
// SetupSuite runs the embedded BaseSuite setup first, then calls
// createComposeProject for the "routing" project and composeUp.
func (s *RoutingSuite) SetupSuite() {
	// Base setup has to come first; the compose helpers are called on the same suite.
	s.BaseSuite.SetupSuite()

	s.createComposeProject("routing")
	s.composeUp()
}
// TearDownSuite delegates to the embedded BaseSuite teardown; the routing
// suite adds no cleanup of its own.
func (s *RoutingSuite) TearDownSuite() {
	s.BaseSuite.TearDownSuite()
}
// authHandler is the test stand-in for a ForwardAuth server.
//
// It answers 401 Unauthorized unless the Authorization header carries a
// "Bearer " credential whose token getUserByToken recognises. On success it
// answers 200 OK and exposes the caller's identity in the X-User-Role and
// X-User-Name response headers.
func authHandler(w http.ResponseWriter, r *http.Request) {
	const bearerPrefix = "Bearer "

	authz := r.Header.Get("Authorization")

	// An empty header cannot carry the prefix, so this single check rejects
	// both a missing header and one using another scheme. The match is exact
	// and case-sensitive ("bearer x" is rejected).
	if !strings.HasPrefix(authz, bearerPrefix) {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	role, username, known := getUserByToken(authz[len(bearerPrefix):])
	if !known {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	// Identity headers go on the auth response; forwarding them to the
	// upstream request is up to the ForwardAuth middleware configuration
	// (fixture not visible here). They must be set before WriteHeader.
	hdr := w.Header()
	hdr.Set("X-User-Role", role)
	hdr.Set("X-User-Name", username)
	w.WriteHeader(http.StatusOK)
}
// getUserByToken maps one of the fixed test tokens to its role and username.
//
// ok is false, and role and username are empty, for any other token. The
// match is an exact, case-sensitive string comparison against hard-coded
// fixture credentials.
func getUserByToken(token string) (role, username string, ok bool) {
	switch token {
	case "bob-token":
		return "admin", "bob", true
	case "jack-token":
		return "developer", "jack", true
	case "alice-token":
		return "guest", "alice", true
	default:
		return "", "", false
	}
}
// TestMultiLayerRoutingWithAuth exercises the multi-layer routing scenario end to end:
//   - the parent router matches the path and applies the authentication middleware,
//   - the auth middleware validates the token and adds the role header,
//   - the child routers route on the role header added by the middleware.
//
// The auth server is authHandler, served in-process on an ephemeral loopback
// port that is passed to the Traefik configuration template.
//
// NOTE(review): no case sends a client-supplied X-User-Role header alongside a
// valid token. Whether such a header is overwritten before child routing
// depends on the fixture, which is not visible here; a case asserting that it
// is would pin the trust boundary this test relies on.
func (s *RoutingSuite) TestMultiLayerRoutingWithAuth() {
	const (
		timeout   = 2 * time.Second
		whoamiURL = "http://127.0.0.1:8000/whoami"
	)

	// Port 0 lets the OS pick a free port; only loopback is exposed.
	listener, err := net.Listen("tcp", "127.0.0.1:0")
	require.NoError(s.T(), err)
	defer listener.Close()

	_, authPort, err := net.SplitHostPort(listener.Addr().String())
	require.NoError(s.T(), err)

	// Serve returns once the deferred listener.Close runs; its error is
	// deliberately discarded.
	go func() {
		_ = http.Serve(listener, http.HandlerFunc(authHandler))
	}()

	adminIP := s.getComposeServiceIP("whoami-admin")
	require.NotEmpty(s.T(), adminIP)

	developerIP := s.getComposeServiceIP("whoami-developer")
	require.NotEmpty(s.T(), developerIP)

	// Field names are kept as-is: the fixture template is assumed to refer to
	// them by name (template not visible here).
	templateData := struct {
		AuthPort    string
		AdminIP     string
		DeveloperIP string
	}{
		AuthPort:    authPort,
		AdminIP:     adminIP,
		DeveloperIP: developerIP,
	}
	file := s.adaptFile("fixtures/routing/multi_layer_auth.toml", templateData)

	s.traefikCmd(withConfigFile(file))

	// Wait until the API reports the parent router before sending traffic.
	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", timeout, try.BodyContains("parent-router"))
	require.NoError(s.T(), err)

	// newRequest builds a GET for the whoami route; an empty authorization
	// value leaves the Authorization header unset.
	newRequest := func(authorization string) *http.Request {
		req, reqErr := http.NewRequest(http.MethodGet, whoamiURL, nil)
		require.NoError(s.T(), reqErr)
		if authorization != "" {
			req.Header.Set("Authorization", authorization)
		}
		return req
	}

	// Test 1: bob (admin role) routes to admin-service.
	err = try.Request(newRequest("Bearer bob-token"), timeout,
		try.StatusCodeIs(http.StatusOK),
		try.BodyContains("whoami-admin"))
	require.NoError(s.T(), err)

	// Test 2: jack (developer role) routes to developer-service.
	err = try.Request(newRequest("Bearer jack-token"), timeout,
		try.StatusCodeIs(http.StatusOK),
		try.BodyContains("whoami-developer"))
	require.NoError(s.T(), err)

	// Test 3: an invalid token is rejected with 401.
	err = try.Request(newRequest("Bearer invalid-token"), timeout, try.StatusCodeIs(http.StatusUnauthorized))
	require.NoError(s.T(), err)

	// Test 4: a missing token is rejected with 401.
	err = try.Request(newRequest(""), timeout, try.StatusCodeIs(http.StatusUnauthorized))
	require.NoError(s.T(), err)

	// Test 5: valid auth whose role matches no child router yields 404.
	err = try.Request(newRequest("Bearer alice-token"), timeout, try.StatusCodeIs(http.StatusNotFound))
	require.NoError(s.T(), err)
}