Test nginz zauth_timestamp

changelog.d/5-internal/test-z-timestamp

@@ -0,0 +1 @@
+Assert the value of nginz's `zauth_timestamp` in test.

integration/default.nix

@@ -81,6 +81,7 @@
 , transformers
 , transformers-base
 , unix
+, unix-time
 , unliftio
 , uuid
 , vector
@@ -183,6 +184,7 @@ mkDerivation {
     transformers
     transformers-base
     unix
+    unix-time
     unliftio
     uuid
     vector

integration/integration.cabal

@@ -293,6 +293,7 @@ library
     , transformers
     , transformers-base
     , unix
+    , unix-time
     , unliftio
     , uuid
     , vector

integration/test/Test/NginxZAuthModule.hs

@@ -7,6 +7,7 @@ import Control.Monad.Reader
 import qualified Data.ByteString as BS
 import Data.List.Extra
 import Data.Streaming.Network
+import Data.UnixTime
 import qualified Network.HTTP.Client as HTTP
 import Network.HTTP.Types
 import Network.Socket (Socket)
@@ -49,6 +50,10 @@ testBearerToken = do
       resp.status `shouldMatchInt` 200
       resp.json %. "user" `shouldMatch` (alice %. "qualified_id.id")
       resp.json %. "timestamp" `shouldNotMatch` ""
+      timestampI <- (resp.json %. "timestamp" >>= asString)
+      let timestampUnix = UnixTime ((fromInteger . read) timestampI) 0
+      now <- liftIO $ getUnixTime
+      assertBool "not in future" (timestampUnix > now)
 
 -- Happy flow (zauth token encoded in AWS4_HMAC_SHA256)
 --

services/nginz/integration-test/conf/nginz/common_response.conf

@@ -13,6 +13,7 @@
       proxy_set_header   Z-Provider     $zauth_provider;
       proxy_set_header   Z-Bot          $zauth_bot;
       proxy_set_header   Z-Conversation $zauth_conversation;
+      proxy_set_header   Z-Timestamp    $zauth_timestamp;
       proxy_set_header   Request-Id     $request_id;
 
       # NOTE: This should only be used on endpoints where credentials are needed