consul/connect/proxy/proxy_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package proxy

import (
	"context"
	"crypto/tls"
	"net"
	"path/filepath"
	"runtime"
	"strconv"
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	"github.com/hashicorp/consul/agent"
	agConnect "github.com/hashicorp/consul/agent/connect"
	"github.com/hashicorp/consul/api"
	"github.com/hashicorp/consul/connect"
	"github.com/hashicorp/consul/sdk/freeport"
	"github.com/hashicorp/consul/sdk/testutil"
	"github.com/hashicorp/consul/sdk/testutil/retry"
	"github.com/hashicorp/consul/testrpc"
)

func TestProxy_public(t *testing.T) {
	if testing.Short() {
		t.Skip("too slow for testing.Short")
	}

	ports := freeport.GetN(t, 2)

	a := agent.NewTestAgent(t, "")
	defer a.Shutdown()
	testrpc.WaitForTestAgent(t, a.RPC, "dc1")
	client := a.Client()

	// Register the service so we can get a leaf cert
	_, err := client.Catalog().Register(&api.CatalogRegistration{
		Datacenter: "dc1",
		Node:       "local",
		Address:    "127.0.0.1",
		Service: &api.AgentService{
			Service: "echo",
		},
	}, nil)
	require.NoError(t, err)

	// Start the backend service that is being proxied
	testApp := NewTestTCPServer(t)
	defer testApp.Close()

	upstreams := []UpstreamConfig{
		{
			DestinationName: "just-a-port",
			LocalBindPort:   ports[1],
		},
	}

	var unixSocket string
	if runtime.GOOS != "windows" {
		tempDir := testutil.TempDir(t, "consul")
		unixSocket = filepath.Join(tempDir, "test.sock")

		upstreams = append(upstreams, UpstreamConfig{
			DestinationName:     "just-a-unix-domain-socket",
			LocalBindSocketPath: unixSocket,
			LocalBindSocketMode: "0600",
		})
	}

	// Start the proxy
	p, err := New(client, NewStaticConfigWatcher(&Config{
		ProxiedServiceName: "echo",
		PublicListener: PublicListenerConfig{
			BindAddress:         "127.0.0.1",
			BindPort:            ports[0],
			LocalServiceAddress: testApp.Addr().String(),
		},
		Upstreams: upstreams,
	}), testutil.Logger(t))
	require.NoError(t, err)
	defer p.Close()
	go p.Serve()

	// We create this client with an explicit ServerNextProtos here which will use `h2`
	// if the proxy supports it. This is so we can verify below that the proxy _doesn't_
	// advertise `h2` support as it's only a L4 proxy.
	svc, err := connect.NewServiceWithConfig("echo", connect.Config{Client: client, ServerNextProtos: []string{"h2"}})
	require.NoError(t, err)

	// Create a test connection to the proxy. We retry here a few times
	// since this is dependent on the agent actually starting up and setting
	// up the CA.
	var conn net.Conn
	retry.Run(t, func(r *retry.R) {
		conn, err = svc.Dial(context.Background(), &connect.StaticResolver{
			Addr:    TestLocalAddr(ports[0]),
			CertURI: agConnect.TestSpiffeIDService(r, "echo"),
		})
		if err != nil {
			r.Fatalf("err: %s", err)
		}
	})

	// Verify that we did not select h2 via ALPN since the proxy is layer 4 only
	tlsConn := conn.(*tls.Conn)
	require.Equal(t, "", tlsConn.ConnectionState().NegotiatedProtocol)

	// Connection works, test it is the right one
	TestEchoConn(t, conn, "")

	t.Run("verify port upstream is configured", func(t *testing.T) {
		// Verify that it is listening by doing a simple TCP dial.
		addr := net.JoinHostPort("127.0.0.1", strconv.Itoa(ports[1]))
		conn, err := net.DialTimeout("tcp", addr, 100*time.Millisecond)
		require.NoError(t, err)
		_ = conn.Close()
	})

	t.Run("verify unix domain socket upstream will never work", func(t *testing.T) {
		if runtime.GOOS == "windows" {
			t.SkipNow()
		}

		// Ensure the socket was not created
		require.NoFileExists(t, unixSocket)
	})
}
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2 years ago			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 1 year ago			`// SPDX-License-Identifier: BUSL-1.1`
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2 years ago
connect/proxy: add a full proxy test, parallel 7 years ago			`package proxy`

			`import (`
			`"context"`
Allow passing ALPN next protocols down to connect services. Fixes #4466. (#9920) * Allow passing ALPN next protocols down to connect services. Fixes #4466. * Update connect/proxy/proxy_test.go Co-authored-by: Paul Banks <banks@banksco.de> Co-authored-by: Paul Banks <banks@banksco.de> 4 years ago			`"crypto/tls"`
connect/proxy: add a full proxy test, parallel 7 years ago			`"net"`
connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486) Fixes #10480 Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix. 3 years ago			`"path/filepath"`
			`"runtime"`
			`"strconv"`
connect/proxy: add a full proxy test, parallel 7 years ago			`"testing"`
connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486) Fixes #10480 Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix. 3 years ago			`"time"`
connect/proxy: add a full proxy test, parallel 7 years ago
ci: go-test-race switch to exclude list Most packages should pass the race detector. An exclude list ensures that new packages are automatically tested with -race. Also fix a couple small test races to allow more packages to be tested. Returning readyCh requires a lock because it can be set to nil, and setting it to nil will race without the lock. Move the TestServer.Listening calls around so that they properly guard setting TestServer.l. Otherwise it races. Remove t.Parallel in a small package. The entire package tests run in a few seconds, so t.Parallel does very little. In auto-config, wait for the AutoConfig.run goroutine to stop before calling readPersistedAutoConfig. Without this change there was a data race on reading ac.config. 4 years ago			`"github.com/stretchr/testify/require"`
Fixed unstable test TestProxy_public (#4587) 6 years ago
connect/proxy: add a full proxy test, parallel 7 years ago			`"github.com/hashicorp/consul/agent"`
			`agConnect "github.com/hashicorp/consul/agent/connect"`
			`"github.com/hashicorp/consul/api"`
			`"github.com/hashicorp/consul/connect"`
Move internal/ to sdk/ (#5568) * Move internal/ to sdk/ * Add a readme to the SDK folder 6 years ago			`"github.com/hashicorp/consul/sdk/freeport"`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 5 years ago			`"github.com/hashicorp/consul/sdk/testutil"`
Move internal/ to sdk/ (#5568) * Move internal/ to sdk/ * Add a readme to the SDK folder 6 years ago			`"github.com/hashicorp/consul/sdk/testutil/retry"`
ci: go-test-race switch to exclude list Most packages should pass the race detector. An exclude list ensures that new packages are automatically tested with -race. Also fix a couple small test races to allow more packages to be tested. Returning readyCh requires a lock because it can be set to nil, and setting it to nil will race without the lock. Move the TestServer.Listening calls around so that they properly guard setting TestServer.l. Otherwise it races. Remove t.Parallel in a small package. The entire package tests run in a few seconds, so t.Parallel does very little. In auto-config, wait for the AutoConfig.run goroutine to stop before calling readPersistedAutoConfig. Without this change there was a data race on reading ac.config. 4 years ago			`"github.com/hashicorp/consul/testrpc"`
connect/proxy: add a full proxy test, parallel 7 years ago			`)`

			`func TestProxy_public(t *testing.T) {`
testing: skip slow tests with -short Add a skip condition to all tests slower than 100ms. This change was made using `gotestsum tool slowest` with data from the last 3 CI runs of master. See https://github.com/gotestyourself/gotestsum#finding-and-skipping-slow-tests With this change: ``` $ time go test -count=1 -short ./agent ok github.com/hashicorp/consul/agent 0.743s real 0m4.791s $ time go test -count=1 -short ./agent/consul ok github.com/hashicorp/consul/agent/consul 4.229s real 0m8.769s ``` 4 years ago			`if testing.Short() {`
			`t.Skip("too slow for testing.Short")`
			`}`

testing: use the new freeport interfaces 3 years ago			`ports := freeport.GetN(t, 2)`
connect/proxy: add a full proxy test, parallel 7 years ago
Remove name from NewTestAgent Using: git grep -l 'NewTestAgent(t, t.Name(),' \| \ xargs sed -i -e 's/NewTestAgent(t, t.Name(),/NewTestAgent(t,/g' 5 years ago			`a := agent.NewTestAgent(t, "")`
connect/proxy: add a full proxy test, parallel 7 years ago			`defer a.Shutdown()`
Fixed flaky tests (#4626) 6 years ago			`testrpc.WaitForTestAgent(t, a.RPC, "dc1")`
connect/proxy: add a full proxy test, parallel 7 years ago			`client := a.Client()`

			`// Register the service so we can get a leaf cert`
			`_, err := client.Catalog().Register(&api.CatalogRegistration{`
			`Datacenter: "dc1",`
			`Node: "local",`
			`Address: "127.0.0.1",`
			`Service: &api.AgentService{`
			`Service: "echo",`
			`},`
			`}, nil)`
connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486) Fixes #10480 Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix. 3 years ago			`require.NoError(t, err)`
connect/proxy: add a full proxy test, parallel 7 years ago
			`// Start the backend service that is being proxied`
			`testApp := NewTestTCPServer(t)`
			`defer testApp.Close()`

connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486) Fixes #10480 Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix. 3 years ago			`upstreams := []UpstreamConfig{`
			`{`
			`DestinationName: "just-a-port",`
			`LocalBindPort: ports[1],`
			`},`
			`}`

			`var unixSocket string`
			`if runtime.GOOS != "windows" {`
			`tempDir := testutil.TempDir(t, "consul")`
			`unixSocket = filepath.Join(tempDir, "test.sock")`

			`upstreams = append(upstreams, UpstreamConfig{`
			`DestinationName: "just-a-unix-domain-socket",`
			`LocalBindSocketPath: unixSocket,`
			`LocalBindSocketMode: "0600",`
			`})`
			`}`

connect/proxy: add a full proxy test, parallel 7 years ago			`// Start the proxy`
			`p, err := New(client, NewStaticConfigWatcher(&Config{`
			`ProxiedServiceName: "echo",`
			`PublicListener: PublicListenerConfig{`
			`BindAddress: "127.0.0.1",`
			`BindPort: ports[0],`
			`LocalServiceAddress: testApp.Addr().String(),`
			`},`
connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486) Fixes #10480 Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix. 3 years ago			`Upstreams: upstreams,`
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging 5 years ago			`}), testutil.Logger(t))`
connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486) Fixes #10480 Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix. 3 years ago			`require.NoError(t, err)`
connect/proxy: add a full proxy test, parallel 7 years ago			`defer p.Close()`
			`go p.Serve()`

Allow passing ALPN next protocols down to connect services. Fixes #4466. (#9920) * Allow passing ALPN next protocols down to connect services. Fixes #4466. * Update connect/proxy/proxy_test.go Co-authored-by: Paul Banks <banks@banksco.de> Co-authored-by: Paul Banks <banks@banksco.de> 4 years ago			// We create this client with an explicit ServerNextProtos here which will use `h2`
			`// if the proxy supports it. This is so we can verify below that the proxy _doesn't_`
			// advertise `h2` support as it's only a L4 proxy.
			`svc, err := connect.NewServiceWithConfig("echo", connect.Config{Client: client, ServerNextProtos: []string{"h2"}})`
connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486) Fixes #10480 Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix. 3 years ago			`require.NoError(t, err)`
Allow passing ALPN next protocols down to connect services. Fixes #4466. (#9920) * Allow passing ALPN next protocols down to connect services. Fixes #4466. * Update connect/proxy/proxy_test.go Co-authored-by: Paul Banks <banks@banksco.de> Co-authored-by: Paul Banks <banks@banksco.de> 4 years ago
connect/proxy: add a full proxy test, parallel 7 years ago			`// Create a test connection to the proxy. We retry here a few times`
			`// since this is dependent on the agent actually starting up and setting`
			`// up the CA.`
			`var conn net.Conn`
			`retry.Run(t, func(r *retry.R) {`
			`conn, err = svc.Dial(context.Background(), &connect.StaticResolver{`
			`Addr: TestLocalAddr(ports[0]),`
Retry lint fixes (#19151) * Add a make target to run lint-consul-retry on all the modules * Cleanup sdk/testutil/retry * Fix a bunch of retry.Run* usage to not use the outer testing.T * Fix some more recent retry lint issues and pin to v1.4.0 of lint-consul-retry * Fix codegen copywrite lint issues * Don’t perform cleanup after each retry attempt by default. * Use the common testutil.TestingTB interface in test-integ/tenancy * Fix retry tests * Update otel access logging extension test to perform requests within the retry block 12 months ago			`CertURI: agConnect.TestSpiffeIDService(r, "echo"),`
connect/proxy: add a full proxy test, parallel 7 years ago			`})`
			`if err != nil {`
			`r.Fatalf("err: %s", err)`
			`}`
			`})`

Allow passing ALPN next protocols down to connect services. Fixes #4466. (#9920) * Allow passing ALPN next protocols down to connect services. Fixes #4466. * Update connect/proxy/proxy_test.go Co-authored-by: Paul Banks <banks@banksco.de> Co-authored-by: Paul Banks <banks@banksco.de> 4 years ago			`// Verify that we did not select h2 via ALPN since the proxy is layer 4 only`
			`tlsConn := conn.(*tls.Conn)`
connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486) Fixes #10480 Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix. 3 years ago			`require.Equal(t, "", tlsConn.ConnectionState().NegotiatedProtocol)`
Allow passing ALPN next protocols down to connect services. Fixes #4466. (#9920) * Allow passing ALPN next protocols down to connect services. Fixes #4466. * Update connect/proxy/proxy_test.go Co-authored-by: Paul Banks <banks@banksco.de> Co-authored-by: Paul Banks <banks@banksco.de> 4 years ago
connect/proxy: add a full proxy test, parallel 7 years ago			`// Connection works, test it is the right one`
			`TestEchoConn(t, conn, "")`
connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486) Fixes #10480 Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix. 3 years ago
			`t.Run("verify port upstream is configured", func(t *testing.T) {`
			`// Verify that it is listening by doing a simple TCP dial.`
			`addr := net.JoinHostPort("127.0.0.1", strconv.Itoa(ports[1]))`
			`conn, err := net.DialTimeout("tcp", addr, 100*time.Millisecond)`
			`require.NoError(t, err)`
			`_ = conn.Close()`
			`})`

			`t.Run("verify unix domain socket upstream will never work", func(t *testing.T) {`
			`if runtime.GOOS == "windows" {`
			`t.SkipNow()`
			`}`

			`// Ensure the socket was not created`
			`require.NoFileExists(t, unixSocket)`
			`})`
connect/proxy: add a full proxy test, parallel 7 years ago			`}`