add auth_jwt_claim_set in nginx plus virtualserver template (#7205)

* add auth_jwt_claim_set in nginx plus virtualserver template

internal/configs/version2/__snapshots__/templates_test.snap

@@ -2257,6 +2257,53 @@ server {
 
 
 
+}
+
+---
+
+[TestExecuteVirtualServerTemplate_RendersTemplateWithRateLimitJWTClaim - 1]
+
+auth_jwt_claim_set $jwt_default_webapp_group_consumer_group_type consumer_group type
+map $jwt_default_webapp_group_consumer_group_type $rate_limit_default_webapp_group_consumer_group_type {
+    default Group3;
+    Gold Group1;
+    Silver Group2;
+    Bronze Group3;
+}
+map $rate_limit_default_webapp_group_consumer_group_type $http_gold {
+    default '';
+    Group1 $jwt_claim_sub;
+}
+map $rate_limit_default_webapp_group_consumer_group_type $http_silver {
+    default '';
+    Group2 $jwt_claim_sub;
+}
+map $rate_limit_default_webapp_group_consumer_group_type $http_bronze {
+    default '';
+    Group3 $jwt_claim_sub;
+}
+# HTTP snippet
+limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s;
+
+server {
+    listen 80;
+    listen [::]:80;
+
+
+    server_name example.com;
+    status_zone example.com;
+    set $resource_type "virtualserver";
+    set $resource_name "";
+    set $resource_namespace "";
+
+    server_tokens "off";
+    limit_req_log_level error;
+    limit_req_status 503;
+    limit_req zone=pol_rl_test_test_test burst=5 delay=10;
+
+
+
+
 }
 
 ---

internal/configs/version2/http.go

@@ -18,6 +18,7 @@ type VirtualServerConfig struct {
 	KeyVals                 []KeyVal
 	LimitReqZones           []LimitReqZone
 	Maps                    []Map
+	AuthJwtClaimSet         []AuthJwtClaimSet
 	Server                  Server
 	SpiffeCerts             bool
 	SpiffeClientCerts       bool
@@ -28,6 +29,12 @@ type VirtualServerConfig struct {
 	StaticSSLPath           string
 }
 
+// AuthJwtClaimSet defines the values for the `auth_jwt_claim_set` directive
+type AuthJwtClaimSet struct {
+	Variable string
+	Claims   string
+}
+
 // Upstream defines an upstream.
 type Upstream struct {
 	Name             string

internal/configs/version2/nginx-plus.virtualserver.tmpl

@@ -50,6 +50,10 @@ split_clients {{ $sc.Source }} {{ $sc.Variable }} {
 }
 {{- end }}
 
+{{- range $claim := .AuthJwtClaimSet }}
+auth_jwt_claim_set {{ $claim.Variable }} {{ $claim.Claims}}
+{{- end }}
+
 {{- range $m := .Maps }}
 map {{ $m.Source }} {{ $m.Variable }} {
     {{- range $p := $m.Parameters }}

internal/configs/version2/templates_test.go

@@ -93,6 +93,34 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithServerGunzipNotSet(t *t
 	t.Log(string(got))
 }
 
+func TestExecuteVirtualServerTemplate_RendersTemplateWithRateLimitJWTClaim(t *testing.T) {
+	t.Parallel()
+	executor := newTmplExecutorNGINXPlus(t)
+	got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfgWithRateLimitJWTClaim)
+	if err != nil {
+		t.Error(err)
+	}
+	wantedStrings := []string{
+		"auth_jwt_claim_set",
+		"$rate_limit_default_webapp_group_consumer_group_type",
+		"$jwt_default_webapp_group_consumer_group_type",
+		"Group1",
+		"Group2",
+		"Group3",
+		"$http_bronze",
+		"$http_silver",
+		"$http_gold",
+	}
+	for _, value := range wantedStrings {
+		if !bytes.Contains(got, []byte(value)) {
+			t.Errorf("didn't get `%s`", value)
+		}
+	}
+
+	snaps.MatchSnapshot(t, string(got))
+	t.Log(string(got))
+}
+
 func TestExecuteVirtualServerTemplate_RendersTemplateWithSessionCookieSameSite(t *testing.T) {
 	t.Parallel()
 	executor := newTmplExecutorNGINXPlus(t)
@@ -1539,6 +1567,104 @@ var (
 		},
 	}
 
+	virtualServerCfgWithRateLimitJWTClaim = VirtualServerConfig{
+		LimitReqZones: []LimitReqZone{
+			{
+				ZoneName: "pol_rl_test_test_test", Rate: "10r/s", ZoneSize: "10m", Key: "$url",
+			},
+		},
+		Upstreams: []Upstream{},
+		AuthJwtClaimSet: []AuthJwtClaimSet{
+			{
+				Variable: "$jwt_default_webapp_group_consumer_group_type",
+				Claims:   "consumer_group type",
+			},
+		},
+		Maps: []Map{
+			{
+				Source:   "$jwt_default_webapp_group_consumer_group_type",
+				Variable: "$rate_limit_default_webapp_group_consumer_group_type",
+				Parameters: []Parameter{
+					{
+						Value:  "default",
+						Result: "Group3",
+					},
+					{
+						Value:  "Gold",
+						Result: "Group1",
+					},
+					{
+						Value:  "Silver",
+						Result: "Group2",
+					},
+					{
+						Value:  "Bronze",
+						Result: "Group3",
+					},
+				},
+			},
+			{
+				Source:   "$rate_limit_default_webapp_group_consumer_group_type",
+				Variable: "$http_gold",
+				Parameters: []Parameter{
+					{
+						Value:  "default",
+						Result: "''",
+					},
+					{
+						Value:  "Group1",
+						Result: "$jwt_claim_sub",
+					},
+				},
+			},
+			{
+				Source:   "$rate_limit_default_webapp_group_consumer_group_type",
+				Variable: "$http_silver",
+				Parameters: []Parameter{
+					{
+						Value:  "default",
+						Result: "''",
+					},
+					{
+						Value:  "Group2",
+						Result: "$jwt_claim_sub",
+					},
+				},
+			},
+			{
+				Source:   "$rate_limit_default_webapp_group_consumer_group_type",
+				Variable: "$http_bronze",
+				Parameters: []Parameter{
+					{
+						Value:  "default",
+						Result: "''",
+					},
+					{
+						Value:  "Group3",
+						Result: "$jwt_claim_sub",
+					},
+				},
+			},
+		},
+		HTTPSnippets: []string{"# HTTP snippet"},
+		Server: Server{
+			ServerName:   "example.com",
+			StatusZone:   "example.com",
+			ServerTokens: "off",
+			LimitReqs: []LimitReq{
+				{
+					ZoneName: "pol_rl_test_test_test",
+					Delay:    10,
+					Burst:    5,
+				},
+			},
+			LimitReqOptions: LimitReqOptions{
+				LogLevel:   "error",
+				RejectCode: 503,
+			},
+		},
+	}
+
 	virtualServerCfgWithWAFApBundle = VirtualServerConfig{
 		Server: Server{
 			ServerName: "example.com",