github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21458 Commits
1703 Branches
457 Tags
697 MiB
Tree: 2d19cd5810
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2d19cd5810'
${ noResults }
consul/agent/ui_endpoint_ce_test.go

170 lines
4.8 KiB
Raw Normal View History Unescape

copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files
2 years ago
// Copyright (c) HashiCorp, Inc.
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
1 year ago
// SPDX-License-Identifier: BUSL-1.1
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files
2 years ago
re-run gofmt on 1.17 (#11579) This should let freshly recompiled golangci-lint binaries using Go 1.17 pass 'make lint'
3 years ago
//go:build !consulent
agent: protect the ui metrics proxy endpoint behind ACLs (#9099) This ensures the metrics proxy endpoint is ACL protected behind a wildcard `service:read` and `node:read` set of rules. For Consul Enterprise these will need to span all namespaces: ``` service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } namespace_prefix "" { service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } } ``` This PR contains just the backend changes. The frontend changes to actually pass the consul token header to the proxy through the JS plugin will come in another PR.
4 years ago
package agent
import (
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
"context"
agent: protect the ui metrics proxy endpoint behind ACLs (#9099) This ensures the metrics proxy endpoint is ACL protected behind a wildcard `service:read` and `node:read` set of rules. For Consul Enterprise these will need to span all namespaces: ``` service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } namespace_prefix "" { service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } } ``` This PR contains just the backend changes. The frontend changes to actually pass the consul token header to the proxy through the JS plugin will come in another PR.
4 years ago
"fmt"
"net/http"
"net/http/httptest"
"sync/atomic"
"testing"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/testrpc"
"github.com/stretchr/testify/require"
)
func TestUIEndpoint_MetricsProxy_ACLDeny(t *testing.T) {
testing: skip slow tests with -short Add a skip condition to all tests slower than 100ms. This change was made using `gotestsum tool slowest` with data from the last 3 CI runs of master. See https://github.com/gotestyourself/gotestsum#finding-and-skipping-slow-tests With this change: ``` $ time go test -count=1 -short ./agent ok github.com/hashicorp/consul/agent 0.743s real 0m4.791s $ time go test -count=1 -short ./agent/consul ok github.com/hashicorp/consul/agent/consul 4.229s real 0m8.769s ```
4 years ago
if testing.Short() {
t.Skip("too slow for testing.Short")
}
agent: protect the ui metrics proxy endpoint behind ACLs (#9099) This ensures the metrics proxy endpoint is ACL protected behind a wildcard `service:read` and `node:read` set of rules. For Consul Enterprise these will need to span all namespaces: ``` service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } namespace_prefix "" { service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } } ``` This PR contains just the backend changes. The frontend changes to actually pass the consul token header to the proxy through the JS plugin will come in another PR.
4 years ago
t.Parallel()
var (
lastHeadersSent atomic.Value
backendCalled atomic.Value
)
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
backendCalled.Store(true)
lastHeadersSent.Store(r.Header)
if r.URL.Path == "/some/prefix/ok" {
w.Write([]byte("OK"))
return
}
http.Error(w, "not found on backend", http.StatusNotFound)
}))
defer backend.Close()
backendURL := backend.URL + "/some/prefix"
a := NewTestAgent(t, TestACLConfig()+fmt.Sprintf(`
ui_config {
enabled = true
metrics_proxy {
base_url = %q
}
}
http_config {
response_headers {
"Access-Control-Allow-Origin" = "*"
}
}
`, backendURL))
defer a.Shutdown()
feature - [NET - 4005] - [Supportability] Reloadable Configuration - enable_debug (#17565) * # This is a combination of 9 commits. # This is the 1st commit message: init without tests # This is the commit message #2: change log # This is the commit message #3: fix tests # This is the commit message #4: fix tests # This is the commit message #5: added tests # This is the commit message #6: change log breaking change # This is the commit message #7: removed breaking change # This is the commit message #8: fix test # This is the commit message #9: keeping the test behaviour same * # This is a combination of 12 commits. # This is the 1st commit message: init without tests # This is the commit message #2: change log # This is the commit message #3: fix tests # This is the commit message #4: fix tests # This is the commit message #5: added tests # This is the commit message #6: change log breaking change # This is the commit message #7: removed breaking change # This is the commit message #8: fix test # This is the commit message #9: keeping the test behaviour same # This is the commit message #10: made enable debug atomic bool # This is the commit message #11: fix lint # This is the commit message #12: fix test true enable debug * parent 10f500e895d92cc3691ade7b74a33db755d22039 author absolutelightning <ashesh.vidyut@hashicorp.com> 1687352587 +0530 committer absolutelightning <ashesh.vidyut@hashicorp.com> 1687352592 +0530 init without tests change log fix tests fix tests added tests change log breaking change removed breaking change fix test keeping the test behaviour same made enable debug atomic bool fix lint fix test true enable debug using enable debug in agent as atomic bool test fixes fix tests fix tests added update on correct locaiton fix tests fix reloadable config enable debug fix tests fix init and acl 403 * revert commit
1 year ago
a.enableDebug.Store(true)
h := a.srv.handler()
agent: protect the ui metrics proxy endpoint behind ACLs (#9099) This ensures the metrics proxy endpoint is ACL protected behind a wildcard `service:read` and `node:read` set of rules. For Consul Enterprise these will need to span all namespaces: ``` service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } namespace_prefix "" { service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } } ``` This PR contains just the backend changes. The frontend changes to actually pass the consul token header to the proxy through the JS plugin will come in another PR.
4 years ago
testrpc.WaitForLeader(t, a.RPC, "dc1")
const endpointPath = "/v1/internal/ui/metrics-proxy"
// create some ACL things
for name, rules := range map[string]string{
"one-service": `service "foo" { policy = "read" }`,
"all-services": `service_prefix "" { policy = "read" }`,
"one-node": `node "bar" { policy = "read" }`,
"all-nodes": `node_prefix "" { policy = "read" }`,
} {
req := structs.ACLPolicySetRequest{
Policy: structs.ACLPolicy{
Name: name,
Rules: rules,
},
Datacenter: "dc1",
WriteRequest: structs.WriteRequest{Token: "root"},
}
var policy structs.ACLPolicy
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
require.NoError(t, a.RPC(context.Background(), "ACL.PolicySet", &req, &policy))
agent: protect the ui metrics proxy endpoint behind ACLs (#9099) This ensures the metrics proxy endpoint is ACL protected behind a wildcard `service:read` and `node:read` set of rules. For Consul Enterprise these will need to span all namespaces: ``` service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } namespace_prefix "" { service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } } ``` This PR contains just the backend changes. The frontend changes to actually pass the consul token header to the proxy through the JS plugin will come in another PR.
4 years ago
}
makeToken := func(t *testing.T, policyNames []string) string {
req := structs.ACLTokenSetRequest{
ACLToken: structs.ACLToken{},
Datacenter: "dc1",
WriteRequest: structs.WriteRequest{Token: "root"},
}
for _, name := range policyNames {
req.ACLToken.Policies = append(req.ACLToken.Policies, structs.ACLTokenPolicyLink{Name: name})
}
require.Len(t, req.ACLToken.Policies, len(policyNames))
var token structs.ACLToken
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700)
2 years ago
require.NoError(t, a.RPC(context.Background(), "ACL.TokenSet", &req, &token))
agent: protect the ui metrics proxy endpoint behind ACLs (#9099) This ensures the metrics proxy endpoint is ACL protected behind a wildcard `service:read` and `node:read` set of rules. For Consul Enterprise these will need to span all namespaces: ``` service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } namespace_prefix "" { service_prefix "" { policy = "read" } node_prefix "" { policy = "read" } } ``` This PR contains just the backend changes. The frontend changes to actually pass the consul token header to the proxy through the JS plugin will come in another PR.
4 years ago
return token.SecretID
}
type testcase struct {
name string
token string
policies []string
expect int
}
for _, tc := range []testcase{
{name: "no token", token: "", expect: http.StatusForbidden},
{name: "root token", token: "root", expect: http.StatusOK},
//
{name: "one node", policies: []string{"one-node"}, expect: http.StatusForbidden},
{name: "all nodes", policies: []string{"all-nodes"}, expect: http.StatusForbidden},
//
{name: "one service", policies: []string{"one-service"}, expect: http.StatusForbidden},
{name: "all services", policies: []string{"all-services"}, expect: http.StatusForbidden},
//
{name: "one service one node", policies: []string{"one-service", "one-node"}, expect: http.StatusForbidden},
{name: "all services one node", policies: []string{"all-services", "one-node"}, expect: http.StatusForbidden},
//
{name: "one service all nodes", policies: []string{"one-service", "one-node"}, expect: http.StatusForbidden},
{name: "all services all nodes", policies: []string{"all-services", "all-nodes"}, expect: http.StatusOK},
} {
tc := tc
t.Run(tc.name, func(t *testing.T) {
if tc.token == "" {
tc.token = makeToken(t, tc.policies)
}
t.Run("via query param should not work", func(t *testing.T) {
req := httptest.NewRequest("GET", endpointPath+"/ok?token="+tc.token, nil)
rec := httptest.NewRecorder()
backendCalled.Store(false)
h.ServeHTTP(rec, req)
require.Equal(t, http.StatusForbidden, rec.Code)
require.False(t, backendCalled.Load().(bool))
})
for _, headerName := range []string{"x-consul-token", "authorization"} {
headerVal := tc.token
if headerName == "authorization" {
headerVal = "bearer " + tc.token
}
t.Run("via header "+headerName, func(t *testing.T) {
req := httptest.NewRequest("GET", endpointPath+"/ok", nil)
req.Header.Set(headerName, headerVal)
rec := httptest.NewRecorder()
backendCalled.Store(false)
h.ServeHTTP(rec, req)
require.Equal(t, tc.expect, rec.Code)
headersSent, _ := lastHeadersSent.Load().(http.Header)
if tc.expect == http.StatusOK {
require.True(t, backendCalled.Load().(bool))
// Ensure we didn't accidentally ship our consul token to the proxy.
require.Empty(t, headersSent.Get("X-Consul-Token"))
require.Empty(t, headersSent.Get("Authorization"))
} else {
require.False(t, backendCalled.Load().(bool))
}
})
}
})
}
}