From eeeb6c11d157872b76109a65a348f2dca983f618 Mon Sep 17 00:00:00 2001
From: Tharsanan1
Date: Mon, 19 Feb 2024 10:15:57 +0530
Subject: [PATCH] Add integration test for audience validation
---
 .../ballerina/TokenUtil.bal | 3 +-
 .../tests/jwt-resource-level-security-test.go | 42 +++++++++++-
 .../tests/jwt-resource-level-security.yaml | 66 +++++++++++++++++++
 3 files changed, 109 insertions(+), 2 deletions(-)
diff --git a/idp/idp-domain-service/ballerina/TokenUtil.bal b/idp/idp-domain-service/ballerina/TokenUtil.bal
index 38e480164..902acd34b 100644
--- a/idp/idp-domain-service/ballerina/TokenUtil.bal
+++ b/idp/idp-domain-service/ballerina/TokenUtil.bal
@@ -114,7 +114,8 @@ public class TokenUtil {
 keyId: issuerConfiguration.keyId,
 signatureConfig: {
 config: {keyFile: idpConfiguration.keyStores.signing.keyFile}
- }
+ },
+ audience: "aud1"
 };
 if username is string {
 issuerConfig.username = username;
diff --git a/test/integration/integration/tests/jwt-resource-level-security-test.go b/test/integration/integration/tests/jwt-resource-level-security-test.go
index 679e6018b..62c9eb2b0 100644
--- a/test/integration/integration/tests/jwt-resource-level-security-test.go
+++ b/test/integration/integration/tests/jwt-resource-level-security-test.go
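Review bot: The added `audience: "aud1"` in the `TokenUtil` issuer config is a literal in the IDP service code rather than in a test fixture, so as far as this hunk shows every token built through this config carries the same `aud` value no matter which client or API it was requested for. An audience claim only narrows where a token is accepted if it names the intended recipient; with one fixed value, any resource whose Authentication policy lists `aud1` accepts every token from this issuer. Consider taking the value from the issuer configuration next to `keyId`, e.g. `audience: <audience from issuer configuration>` (placeholder; the matching config field is not visible here), and setting `aud1` only for the integration-test deployment. The same literal is repeated in `jwt-resource-level-security.yaml`, so the two must change together. The enclosing function starts and ends outside the hunk.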
@@ -92,7 +92,47 @@ var ResourceLevelJWT = suite.IntegrationTest{
 },
 Backend: "infra-backend-v1",
 Namespace: ns,
- Response: http.Response{StatusCode: 401},
+ Response: http.Response{StatusCode: 401},
+ },
+ // Test wrong audience
+ {
+ Request: http.Request{
+ Host: "resource-level-jwt.test.gw.wso2.com",
+ Path: "/resource-level-jwt/v1.0.0/v2/echo-1",
+ Headers: map[string]string{
+ "content-type": "application/json",
+ "internal-key": token,
+ },
+ Method: "GET",
+ },
+ ExpectedRequest: &http.ExpectedRequest{
+ Request: http.Request{
+ Path: "/v2/echo-1",
+ },
+ },
+ Backend: "infra-backend-v1",
+ Namespace: ns,
+ Response: http.Response{StatusCode: 401},
+ },
+ // Test correct audience
+ {
+ Request: http.Request{
+ Host: "resource-level-jwt.test.gw.wso2.com",
+ Path: "/resource-level-jwt/v1.0.0/v2/echo-2",
+ Headers: map[string]string{
+ "content-type": "application/json",
+ "internal-key": token,
+ },
+ Method: "GET",
+ },
+ ExpectedRequest: &http.ExpectedRequest{
+ Request: http.Request{
+ Path: "/v2/echo-2",
+ },
+ },
+ Backend: "infra-backend-v1",
+ Namespace: ns,
+ Response: http.Response{StatusCode: 200},
 },
 }
 for i := range testCases {
diff --git a/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml b/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml
index 889b12c4c..529b48aa5 100644
--- a/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml
+++ b/test/integration/integration/tests/resources/tests/jwt-resource-level-security.yaml
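Review bot: The `// Test wrong audience` and `// Test correct audience` cases send the same `token` and differ only in path and expected status, and nothing here says which `aud` the token carries or why `/v2/echo-1` must be rejected. The outcome depends on the Authentication policies in `jwt-resource-level-security.yaml` and on the audience the test IDP puts into the token, so the comments should spell that out, for example `// token carries aud "aud1"; /v2/echo-1 only accepts "test", so the gateway must answer 401` and `// /v2/echo-2 accepts "aud1", so the same token must pass`. A 401 is presumably also what any other authentication failure returns (the preceding case expects it too), so the negative case only proves audience enforcement together with the 200 case on the same token; saying so in the comment guards against one of the pair being dropped later. The `ResourceLevelJWT` literal starts and ends outside the hunk.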
@@ -60,6 +60,34 @@ spec:
 group: dp.wso2.com
 kind: Authentication
 name: resource-level-jwt-authentication
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /v2/echo-1
+ backendRefs:
+ - group: dp.wso2.com
+ kind: Backend
+ name: infra-backend-v1
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: dp.wso2.com
+ kind: Authentication
+ name: resource-level-jwt-authentication-1
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /v2/echo-2
+ backendRefs:
+ - group: dp.wso2.com
+ kind: Backend
+ name: infra-backend-v1
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: dp.wso2.com
+ kind: Authentication
+ name: resource-level-jwt-authentication-2
 ---
 apiVersion: dp.wso2.com/v1alpha2
 kind: Authentication
@@ -78,6 +106,44 @@ spec:
 group: gateway.networking.k8s.io
 namespace: gateway-integration-test-infra
 ---
+apiVersion: dp.wso2.com/v1alpha2
+kind: Authentication
+metadata:
+ name: resource-level-jwt-authentication-1
+ namespace: gateway-integration-test-infra
+spec:
+ override:
+ disabled: false
+ authTypes:
+ jwt:
+ disabled: false
+ audience:
+ - "test"
+ targetRef:
+ kind: Resource
+ name: resource-level-jwt
+ group: gateway.networking.k8s.io
+ namespace: gateway-integration-test-infra
+---
+apiVersion: dp.wso2.com/v1alpha2
+kind: Authentication
+metadata:
+ name: resource-level-jwt-authentication-2
+ namespace: gateway-integration-test-infra
+spec:
+ override:
+ disabled: false
+ authTypes:
+ jwt:
+ disabled: false
+ audience:
+ - "aud1"
+ targetRef:
+ kind: Resource
+ name: resource-level-jwt
+ group: gateway.networking.k8s.io
+ namespace: gateway-integration-test-infra
+---
 apiVersion: dp.wso2.com/v1alpha1
 kind: Backend
 metadata:
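Review bot: In the second hunk both new Authentication policies list exactly one audience (`- "test"` and `- "aud1"`), so the `audience` field is never exercised as a list with more than one entry. If the gateway is meant to accept a token when any listed audience matches (not confirmed by anything visible here), a third policy with both `- "test"` and `- "aud1"` on its own route, expected to return 200, would cover that. A short comment above each `audience:` entry saying which test case it backs, such as `# rejects the test token, whose aud is "aud1"`, would also make the fixtures readable without the Go file.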