mirror of https://github.com/status-im/consul.git
#!/usr/bin/env bats
load helpers
@test "s1 proxy admin is up on :19000" {
  # Probe the s1 proxy's admin endpoint: fetch /stats and discard the body.
  # --fail makes curl exit non-zero on an HTTP error status, so the probe only
  # passes once the endpoint answers successfully.
  retry_default curl --fail --silent --output /dev/null localhost:19000/stats
}
@test "s2 proxy admin is up on :19001" {
  # Same probe as for s1, against the s2 proxy's admin port: /stats must
  # return a success status (--fail), and the response body is thrown away.
  retry_default curl --fail --silent --output /dev/null localhost:19001/stats
}
@test "s1 proxy listener should be up and have right cert" {
  # Hands the helper the s1 public listener address and the service name.
  # Going by the helper's name it checks the URI in the certificate the proxy
  # presents; its implementation lives in helpers and is not shown here.
  local listener_addr=localhost:21000
  local service_name=s1
  assert_proxy_presents_cert_uri "$listener_addr" "$service_name"
}
@test "s2 proxy listener should be up and have right cert" {
  # Same certificate check as for s1, against the s2 listener on :21001.
  local listener_addr=localhost:21001
  local service_name=s2
  assert_proxy_presents_cert_uri "$listener_addr" "$service_name"
}
@test "s2 proxies should be healthy" {
  # Arguments: the service name and the expected number of healthy instances.
  # How the count is compared is decided by the helper, which is not shown here.
  local service_name=s2
  local expected_count=1
  assert_service_has_healthy_instances "$service_name" "$expected_count"
}
@test "s1 upstream should have healthy endpoints for s2" {
  # Queries the s1 proxy admin address for the s2 upstream and expects one
  # endpoint in HEALTHY status (argument meaning inferred from the helper's
  # name; confirm against helpers).
  local admin_addr=127.0.0.1:19000
  local upstream=s2.default.primary
  assert_upstream_has_endpoints_in_status "$admin_addr" "$upstream" HEALTHY 1
}
@test "s2 should have http rbac rules loaded from xDS" {
  # Precondition for every allow/deny test in this file: the s2 proxy must
  # report one HTTP RBAC policy on its admin port before requests are judged.
  local admin_addr=localhost:19001
  local expected_policies=1
  retry_default assert_envoy_http_rbac_policy_count "$admin_addr" "$expected_policies"
}
# The following tests assert one of two things: that the request was
# rejected by L7 intentions as expected due to normalization, or that the
# request was allowed, and the request received by the upstream matched the
# expected normalized form.
@test "test allowed path" {
  # Baseline: these paths must get through. /foo/supersecret is allowed here
  # while /value/supersecret is denied in the next test, so the deny rule is
  # presumably scoped to the /value/ prefix (confirm against the intention
  # config, which is not part of this file).
  local url
  for url in localhost:5000/foo localhost:5000/value/foo localhost:5000/foo/supersecret; do
    retry_default must_pass_http_request GET "$url"
  done
}
@test "test disallowed path" {
  # The denied path must yield 403 as written, with a trailing fragment, and
  # with an empty query string.
  # NOTE(review): HTTP clients such as curl normally drop the '#foo' fragment
  # before sending, so the second case likely reaches the proxy as plain
  # /value/supersecret. Confirm how must_fail_http_request issues the request
  # (helper not shown here).
  local url
  for url in \
    'localhost:5000/value/supersecret' \
    'localhost:5000/value/supersecret#foo' \
    'localhost:5000/value/supersecret?'; do
    retry_default must_fail_http_request 403 GET "$url"
  done
}
@test "test disallowed path with repeat slashes" {
  # Doubled and tripled slashes must not slip past the deny rule: a rule
  # compared against the raw path would not match '/value//supersecret',
  # so a 403 here shows the path is normalized before the intention is applied.
  local url
  for url in 'localhost:5000/value//supersecret' 'localhost:5000/value///supersecret'; do
    retry_default must_fail_http_request 403 GET "$url"
  done
}
@test "test path with repeat slashes normalized" {
  # After each request, verify that the request path observed by fortio
  # matches the expected normalized path. grep -F -x demands an exact,
  # whole-line match, so a path that merely contains '/value/foo' fails.
  local url
  for url in 'localhost:5000/value//foo' 'localhost:5000/value///foo'; do
    retry_default must_pass_http_request GET "$url"
    get_echo_request_path | grep -Fx '/value/foo'
  done
}
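@test "test disallowed path with escaped characters" {
  # Percent-encoded spellings of the denied path must still be rejected with
  # 403; a rule compared against the undecoded path would miss both of them.

  # escaped '/' (%2F, HTTP reserved)
  retry_default must_fail_http_request 403 GET 'localhost:5000/value%2Fsupersecret'

  # escaped 's' (%73, not HTTP reserved)
  retry_default must_fail_http_request 403 GET 'localhost:5000/value/%73upersecret'
}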
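@test "test path with escaped characters normalized" {
  # Percent-encoded spellings of an allowed path must pass, and the path the
  # upstream echo service reports must be the decoded form. grep -F -x demands
  # an exact, whole-line match of '/value/foo'.

  # escaped '/' (%2F, HTTP reserved)
  retry_default must_pass_http_request GET 'localhost:5000/value%2Ffoo'
  get_echo_request_path | grep -Fx '/value/foo'

  # escaped 'f' (%66, not HTTP reserved)
  retry_default must_pass_http_request GET 'localhost:5000/value/%66oo'
  get_echo_request_path | grep -Fx '/value/foo'
}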
@test "test disallowed path with backward slashes" {
  # URLs must be quoted due to backslashes, otherwise shell erases them.
  # Each variant replaces or pads the '/' before 'supersecret' with
  # backslashes; all of them must still be denied with 403.
  local url
  for url in \
    'localhost:5000/value\supersecret' \
    'localhost:5000/value\\supersecret' \
    'localhost:5000/value\/supersecret' \
    'localhost:5000/value/\/supersecret'; do
    retry_default must_fail_http_request 403 GET "$url"
  done
}
@test "test path with backward slashes normalized" {
  # The same backslash variants on an allowed path: each request must pass,
  # and the path reported by the upstream echo service must be exactly
  # '/value/foo' (grep -F -x: fixed string, whole line). The URLs stay
  # single-quoted so the shell leaves the backslashes intact.
  local url
  for url in \
    'localhost:5000/value\foo' \
    'localhost:5000/value\\foo' \
    'localhost:5000/value\/foo' \
    'localhost:5000/value/\/foo'; do
    retry_default must_pass_http_request GET "$url"
    get_echo_request_path | grep -Fx '/value/foo'
  done
}
@test "test disallowed underscore in header key" {
  # Envoy responds with 400 when configured to reject underscore headers.
  # Every header key below contains '_'. The expected status is 400, not the
  # 403 used by the intention-denial tests in this file, whatever the value.
  local header
  for header in x_poison:anything x_check:bad x_check:good-sufbad x_check:prebad-good; do
    retry_default must_fail_http_request 400 GET localhost:5000/foo "$header"
  done
}
@test "test disallowed contains header" {
  # An x-check value that merely contains 'bad' in the middle must be denied
  # with 403 (the matching rule itself is in the intention config, not shown here).
  local header=x-check:thiscontainsbadinit
  retry_default must_fail_http_request 403 GET localhost:5000/foo "$header"
}
@test "test disallowed ignore case header" {
  # Mixed-case spellings of 'bad' must not evade the header rules. The values
  # look like exact, suffix, prefix and contains cases plus a Host header,
  # presumably one per configured match type (confirm against the intention
  # config). Each must be denied with 403.
  local header
  for header in \
    x-check:exactBaD \
    x-check:good-SuFBaD \
    x-check:PrEBaD-good \
    x-check:thiscontainsBaDinit \
    Host:foo.BaD.com; do
    retry_default must_fail_http_request 403 GET localhost:5000/foo "$header"
  done
}
@test "test case-insensitive disallowed header" {
  # An upper-case 'BAD' inside the Host header must also be denied with 403.
  local header=Host:foo.BAD.com
  retry_default must_fail_http_request 403 GET localhost:5000/foo "$header"
}
# @test "s1 upstream should NOT be able to connect to s2" {
# run retry_default must_fail_tcp_connection localhost:5000

# echo "OUTPUT $output"

# [ "$status" == "0" ]
# }