mirror of
https://github.com/status-im/consul.git
synced 2025-01-12 06:44:41 +00:00
2af6bc434a
* # This is a combination of 9 commits. # This is the 1st commit message: init without tests # This is the commit message #2: change log # This is the commit message #3: fix tests # This is the commit message #4: fix tests # This is the commit message #5: added tests # This is the commit message #6: change log breaking change # This is the commit message #7: removed breaking change # This is the commit message #8: fix test # This is the commit message #9: keeping the test behaviour same * # This is a combination of 12 commits. # This is the 1st commit message: init without tests # This is the commit message #2: change log # This is the commit message #3: fix tests # This is the commit message #4: fix tests # This is the commit message #5: added tests # This is the commit message #6: change log breaking change # This is the commit message #7: removed breaking change # This is the commit message #8: fix test # This is the commit message #9: keeping the test behaviour same # This is the commit message #10: made enable debug atomic bool # This is the commit message #11: fix lint # This is the commit message #12: fix test true enable debug * parent 10f500e895d92cc3691ade7b74a33db755d22039 author absolutelightning <ashesh.vidyut@hashicorp.com> 1687352587 +0530 committer absolutelightning <ashesh.vidyut@hashicorp.com> 1687352592 +0530 init without tests change log fix tests fix tests added tests change log breaking change removed breaking change fix test keeping the test behaviour same made enable debug atomic bool fix lint fix test true enable debug using enable debug in agent as atomic bool test fixes fix tests fix tests added update on correct locaiton fix tests fix reloadable config enable debug fix tests fix init and acl 403 * revert commit
171 lines
4.8 KiB
Go
171 lines
4.8 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
//go:build !consulent
|
|
// +build !consulent
|
|
|
|
package agent
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"sync/atomic"
|
|
"testing"
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
"github.com/hashicorp/consul/testrpc"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestUIEndpoint_MetricsProxy_ACLDeny(t *testing.T) {
|
|
if testing.Short() {
|
|
t.Skip("too slow for testing.Short")
|
|
}
|
|
|
|
t.Parallel()
|
|
|
|
var (
|
|
lastHeadersSent atomic.Value
|
|
backendCalled atomic.Value
|
|
)
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
backendCalled.Store(true)
|
|
lastHeadersSent.Store(r.Header)
|
|
if r.URL.Path == "/some/prefix/ok" {
|
|
w.Write([]byte("OK"))
|
|
return
|
|
}
|
|
http.Error(w, "not found on backend", http.StatusNotFound)
|
|
}))
|
|
defer backend.Close()
|
|
|
|
backendURL := backend.URL + "/some/prefix"
|
|
|
|
a := NewTestAgent(t, TestACLConfig()+fmt.Sprintf(`
|
|
ui_config {
|
|
enabled = true
|
|
metrics_proxy {
|
|
base_url = %q
|
|
}
|
|
}
|
|
http_config {
|
|
response_headers {
|
|
"Access-Control-Allow-Origin" = "*"
|
|
}
|
|
}
|
|
`, backendURL))
|
|
defer a.Shutdown()
|
|
|
|
a.enableDebug.Store(true)
|
|
|
|
h := a.srv.handler()
|
|
|
|
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
|
|
|
const endpointPath = "/v1/internal/ui/metrics-proxy"
|
|
|
|
// create some ACL things
|
|
for name, rules := range map[string]string{
|
|
"one-service": `service "foo" { policy = "read" }`,
|
|
"all-services": `service_prefix "" { policy = "read" }`,
|
|
"one-node": `node "bar" { policy = "read" }`,
|
|
"all-nodes": `node_prefix "" { policy = "read" }`,
|
|
} {
|
|
req := structs.ACLPolicySetRequest{
|
|
Policy: structs.ACLPolicy{
|
|
Name: name,
|
|
Rules: rules,
|
|
},
|
|
Datacenter: "dc1",
|
|
WriteRequest: structs.WriteRequest{Token: "root"},
|
|
}
|
|
var policy structs.ACLPolicy
|
|
require.NoError(t, a.RPC(context.Background(), "ACL.PolicySet", &req, &policy))
|
|
}
|
|
|
|
makeToken := func(t *testing.T, policyNames []string) string {
|
|
req := structs.ACLTokenSetRequest{
|
|
ACLToken: structs.ACLToken{},
|
|
Datacenter: "dc1",
|
|
WriteRequest: structs.WriteRequest{Token: "root"},
|
|
}
|
|
for _, name := range policyNames {
|
|
req.ACLToken.Policies = append(req.ACLToken.Policies, structs.ACLTokenPolicyLink{Name: name})
|
|
}
|
|
require.Len(t, req.ACLToken.Policies, len(policyNames))
|
|
|
|
var token structs.ACLToken
|
|
require.NoError(t, a.RPC(context.Background(), "ACL.TokenSet", &req, &token))
|
|
return token.SecretID
|
|
}
|
|
|
|
type testcase struct {
|
|
name string
|
|
token string
|
|
policies []string
|
|
expect int
|
|
}
|
|
|
|
for _, tc := range []testcase{
|
|
{name: "no token", token: "", expect: http.StatusForbidden},
|
|
{name: "root token", token: "root", expect: http.StatusOK},
|
|
//
|
|
{name: "one node", policies: []string{"one-node"}, expect: http.StatusForbidden},
|
|
{name: "all nodes", policies: []string{"all-nodes"}, expect: http.StatusForbidden},
|
|
//
|
|
{name: "one service", policies: []string{"one-service"}, expect: http.StatusForbidden},
|
|
{name: "all services", policies: []string{"all-services"}, expect: http.StatusForbidden},
|
|
//
|
|
{name: "one service one node", policies: []string{"one-service", "one-node"}, expect: http.StatusForbidden},
|
|
{name: "all services one node", policies: []string{"all-services", "one-node"}, expect: http.StatusForbidden},
|
|
//
|
|
{name: "one service all nodes", policies: []string{"one-service", "one-node"}, expect: http.StatusForbidden},
|
|
{name: "all services all nodes", policies: []string{"all-services", "all-nodes"}, expect: http.StatusOK},
|
|
} {
|
|
tc := tc
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
if tc.token == "" {
|
|
tc.token = makeToken(t, tc.policies)
|
|
}
|
|
|
|
t.Run("via query param should not work", func(t *testing.T) {
|
|
req := httptest.NewRequest("GET", endpointPath+"/ok?token="+tc.token, nil)
|
|
rec := httptest.NewRecorder()
|
|
backendCalled.Store(false)
|
|
h.ServeHTTP(rec, req)
|
|
require.Equal(t, http.StatusForbidden, rec.Code)
|
|
|
|
require.False(t, backendCalled.Load().(bool))
|
|
})
|
|
|
|
for _, headerName := range []string{"x-consul-token", "authorization"} {
|
|
headerVal := tc.token
|
|
if headerName == "authorization" {
|
|
headerVal = "bearer " + tc.token
|
|
}
|
|
|
|
t.Run("via header "+headerName, func(t *testing.T) {
|
|
req := httptest.NewRequest("GET", endpointPath+"/ok", nil)
|
|
req.Header.Set(headerName, headerVal)
|
|
rec := httptest.NewRecorder()
|
|
backendCalled.Store(false)
|
|
h.ServeHTTP(rec, req)
|
|
require.Equal(t, tc.expect, rec.Code)
|
|
|
|
headersSent, _ := lastHeadersSent.Load().(http.Header)
|
|
if tc.expect == http.StatusOK {
|
|
require.True(t, backendCalled.Load().(bool))
|
|
// Ensure we didn't accidentally ship our consul token to the proxy.
|
|
require.Empty(t, headersSent.Get("X-Consul-Token"))
|
|
require.Empty(t, headersSent.Get("Authorization"))
|
|
} else {
|
|
require.False(t, backendCalled.Load().(bool))
|
|
}
|
|
})
|
|
}
|
|
})
|
|
}
|
|
}
|