mirror of
https://github.com/status-im/consul.git
synced 2025-02-20 17:38:24 +00:00
d9206fc7e2
mesh: add options for HTTP incoming request normalization Expose global mesh configuration to enforce inbound HTTP request normalization on mesh traffic via Envoy xDS config. mesh: enable inbound URL path normalization by default mesh: add support for L7 header match contains and ignore_case Enable partial string and case-insensitive matching in L7 intentions header match rules. ui: support L7 header match contains and ignore_case Co-authored-by: Phil Renaud <phil@riotindustries.com> test: add request normalization integration bats tests Add both "positive" and "negative" test suites, showing normalization in action as well as expected results when it is not enabled, for the same set of test cases. Also add some alternative service container test helpers for verifying raw HTTP request paths, which is difficult to do with Fortio. docs: update security and reference docs for L7 intentions bypass prevention - Update security docs with best practices for service intentions configuration - Update configuration entry references for mesh and intentions to reflect new values and add guidance on usage
124 lines
5.2 KiB
Bash
124 lines
5.2 KiB
Bash
#!/usr/bin/env bats
|
|
|
|
load helpers
|
|
|
|
@test "s1 proxy admin is up on :19000" {
|
|
retry_default curl -f -s localhost:19000/stats -o /dev/null
|
|
}
|
|
|
|
@test "s2 proxy admin is up on :19001" {
|
|
retry_default curl -f -s localhost:19001/stats -o /dev/null
|
|
}
|
|
|
|
@test "s1 proxy listener should be up and have right cert" {
|
|
assert_proxy_presents_cert_uri localhost:21000 s1
|
|
}
|
|
|
|
@test "s2 proxy listener should be up and have right cert" {
|
|
assert_proxy_presents_cert_uri localhost:21001 s2
|
|
}
|
|
|
|
@test "s2 proxies should be healthy" {
|
|
assert_service_has_healthy_instances s2 1
|
|
}
|
|
|
|
@test "s1 upstream should have healthy endpoints for s2" {
|
|
assert_upstream_has_endpoints_in_status 127.0.0.1:19000 s2.default.primary HEALTHY 1
|
|
}
|
|
|
|
@test "s2 should have http rbac rules loaded from xDS" {
|
|
retry_default assert_envoy_http_rbac_policy_count localhost:19001 1
|
|
}
|
|
|
|
# these all use the same context: "s1 upstream should be able to connect to s2 via upstream s2"
|
|
|
|
@test "test exact path" {
|
|
retry_default must_pass_http_request GET localhost:5000/exact
|
|
retry_default must_fail_http_request 403 GET localhost:5000/exact-nope
|
|
}
|
|
|
|
@test "test prefix path" {
|
|
retry_default must_pass_http_request GET localhost:5000/prefix
|
|
retry_default must_fail_http_request 403 GET localhost:5000/nope-prefix
|
|
}
|
|
|
|
@test "test regex path" {
|
|
retry_default must_pass_http_request GET localhost:5000/regex
|
|
retry_default must_fail_http_request 403 GET localhost:5000/reggex
|
|
}
|
|
|
|
@test "test present header" {
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-present x-test-debug:anything
|
|
retry_default must_fail_http_request 403 GET localhost:5000/hdr-present x-test-debug:
|
|
}
|
|
|
|
@test "test exact header" {
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-exact x-test-debug:exact
|
|
retry_default must_fail_http_request 403 GET localhost:5000/hdr-exact x-test-debug:exact-nope
|
|
}
|
|
|
|
@test "test prefix header" {
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-prefix x-test-debug:prefix
|
|
retry_default must_fail_http_request 403 GET localhost:5000/hdr-prefix x-test-debug:nope-prefix
|
|
}
|
|
|
|
@test "test suffix header" {
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-suffix x-test-debug:suffix
|
|
retry_default must_fail_http_request 403 GET localhost:5000/hdr-suffix x-test-debug:suffix-nope
|
|
}
|
|
|
|
@test "test contains header" {
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-contains x-test-debug:contains
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-contains x-test-debug:ccontainss
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-contains x-test-debug:still-contains-value
|
|
retry_default must_fail_http_request 403 GET localhost:5000/hdr-contains x-test-debug:conntains
|
|
}
|
|
|
|
@test "test regex header" {
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-regex x-test-debug:regex
|
|
retry_default must_fail_http_request 403 GET localhost:5000/hdr-regex x-test-debug:reggex
|
|
}
|
|
|
|
@test "test exact ignore case header" {
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-exact-ignore-case x-test-debug:foo.bar.com
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-exact-ignore-case x-test-debug:foo.BAR.com
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-exact-ignore-case x-test-debug:fOo.bAr.coM
|
|
retry_default must_fail_http_request 403 GET localhost:5000/hdr-exact-ignore-case x-test-debug:fOo.bAr.coM.nope
|
|
}
|
|
|
|
@test "test prefix ignore case header" {
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-prefix-ignore-case x-test-debug:foo.bar.com
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-prefix-ignore-case x-test-debug:foo.BAR.com
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-prefix-ignore-case x-test-debug:fOo.bAr.coM
|
|
retry_default must_fail_http_request 403 GET localhost:5000/hdr-prefix-ignore-case x-test-debug:nope.fOo.bAr.coM
|
|
}
|
|
|
|
@test "test suffix ignore case header" {
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-suffix-ignore-case x-test-debug:foo.bar.com
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-suffix-ignore-case x-test-debug:foo.BAR.com
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-suffix-ignore-case x-test-debug:fOo.bAr.coM
|
|
retry_default must_fail_http_request 403 GET localhost:5000/hdr-suffix-ignore-case x-test-debug:fOo.bAr.coM.nope
|
|
}
|
|
|
|
@test "test contains ignore case header" {
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-contains-ignore-case x-test-debug:cOntAins
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-contains-ignore-case x-test-debug:CconTainsS
|
|
retry_default must_pass_http_request GET localhost:5000/hdr-contains-ignore-case x-test-debug:still-cOntAins-value
|
|
retry_default must_fail_http_request 403 GET localhost:5000/hdr-contains-ignore-case x-test-debug:cOnntAins
|
|
}
|
|
|
|
@test "test method match" {
|
|
retry_default must_pass_http_request GET localhost:5000/method-match
|
|
retry_default must_pass_http_request PUT localhost:5000/method-match
|
|
retry_default must_fail_http_request 403 POST localhost:5000/method-match
|
|
retry_default must_fail_http_request 403 HEAD localhost:5000/method-match
|
|
}
|
|
|
|
# @test "s1 upstream should NOT be able to connect to s2" {
|
|
# run retry_default must_fail_tcp_connection localhost:5000
|
|
|
|
# echo "OUTPUT $output"
|
|
|
|
# [ "$status" == "0" ]
|
|
# }
|