diff --git a/enterprise/e2e/auth-path/hurl/jwt.all.hurl b/enterprise/e2e/auth-path/hurl/jwt.all.hurl
index f26f2ba47..500695486 100644
--- a/enterprise/e2e/auth-path/hurl/jwt.all.hurl
+++ b/enterprise/e2e/auth-path/hurl/jwt.all.hurl
@@ -124,3 +124,28 @@ POST {{base}}/registry/self/v1/api/schemas/evaluate/self/v1/schemas/api/error
 HTTP 200
 [Asserts]
 jsonpath "$.valid" == true
+
+# The unreachable policy has no explicit key set, so its issuer's discovery
+# endpoint is fetched and fails, denying rather than admitting on the failure
+GET {{base}}/registry/unreachable/record.json
+Authorization: Bearer {{access_token}}
+HTTP 401
+Content-Type: application/problem+json
+Cache-Control: no-store
+WWW-Authenticate: Bearer realm="registry"
+Link: ; rel="describedby"
+Access-Control-Allow-Origin: *
+Access-Control-Expose-Headers: Link, ETag
+[Captures]
+discovery_failure_denied: body
+[Asserts]
+jsonpath "$.type" == "urn:sourcemeta:one:authentication-required"
+jsonpath "$.status" == 401
+
+POST {{base}}/registry/self/v1/api/schemas/evaluate/self/v1/schemas/api/error
+```
+{{discovery_failure_denied}}
+```
+HTTP 200
+[Asserts]
+jsonpath "$.valid" == true
diff --git a/enterprise/e2e/auth-path/one.json b/enterprise/e2e/auth-path/one.json
index a219fa30f..d80bee7f2 100644
--- a/enterprise/e2e/auth-path/one.json
+++ b/enterprise/e2e/auth-path/one.json
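Review bot: The `HTTP 401` asserted for `GET {{base}}/registry/unreachable/record.json` in `jwt.all.hurl` does not by itself show that the denial came from the failed discovery fetch, which is what the comment above the request claims. `{{access_token}}` is captured outside this hunk; if it is the token issued for the other policies, its `iss` presumably does not match `https://unreachable.example.invalid`, so a server that compares the issuer claim before resolving keys would return the same `urn:sourcemeta:one:authentication-required` document without attempting discovery. In that case the test would keep passing even if the discovery-failure path later began admitting requests. Sending a token whose `iss` and `aud` match the `unreachable` policy would pin the fail-closed behaviour; failing that, narrow the comment to what is checked, e.g. `# A request under the unreachable policy is denied with 401; issuer mismatch and failed discovery are not distinguished here`.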
@@ -35,12 +35,21 @@
 "audience": "https://schemas.example.com",
 "jwksUri": "http://hydra:4444/.well-known/jwks.json",
 "algorithms": [ "RS256" ]
+ },
+ {
+ "type": "jwt",
+ "name": "unreachable",
+ "paths": [ "/unreachable" ],
+ "issuer": "https://unreachable.example.invalid",
+ "audience": "https://schemas.example.com",
+ "algorithms": [ "RS256" ]
 }
 ],
 "contents": {
 "public": { "path": "./schemas/public" },
 "private": { "path": "./schemas/private" },
 "machine": { "path": "./schemas/machine" },
- "foreign": { "path": "./schemas/foreign" }
+ "foreign": { "path": "./schemas/foreign" },
+ "unreachable": { "path": "./schemas/unreachable" }
 }
 }
diff --git a/enterprise/e2e/auth-path/schemas/unreachable/record.json b/enterprise/e2e/auth-path/schemas/unreachable/record.json
new file mode 100644
index 000000000..b0750cfe1
--- /dev/null
+++ b/enterprise/e2e/auth-path/schemas/unreachable/record.json
@@ -0,0 +1,11 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "type": "object",
+ "required": [ "identifier" ],
+ "properties": {
+ "identifier": {
+ "type": "string"
+ }
+ },
+ "additionalProperties": false
+}
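Review bot: In the `unreachable` policy added to `one.json`, `"issuer": "https://unreachable.example.invalid"` covers only one way discovery can fail: the reserved `.invalid` name is not expected to resolve, so the attempt ends at name resolution. A host that resolves but refuses the connection, times out, answers with a non-2xx status, or serves metadata that is malformed or names a different issuer is likely to go through different error handling, and each of those should also end in a 401 rather than an admitted request. If the e2e environment can host such an endpoint, sibling policies pointing at it would cover those branches. Strict JSON has no comment syntax, so the intent of this entry is best recorded next to the request in `jwt.all.hurl`.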