package agent import ( "bytes" "fmt" "io" "io/ioutil" "net/http" "net/http/httptest" "os" "reflect" "strings" "testing" "time" "github.com/hashicorp/consul/agent/consul/structs" "github.com/hashicorp/consul/api" "github.com/hashicorp/consul/logger" "github.com/hashicorp/consul/testutil/retry" "github.com/hashicorp/consul/types" "github.com/hashicorp/serf/serf" ) func makeReadOnlyAgentACL(t *testing.T, srv *HTTPServer) string { args := map[string]interface{}{ "Name": "User Token", "Type": "client", "Rules": `agent "" { policy = "read" }`, } req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args)) resp := httptest.NewRecorder() obj, err := srv.ACLCreate(resp, req) if err != nil { t.Fatalf("err: %v", err) } aclResp := obj.(aclCreateResponse) return aclResp.ID } func TestAgent_Services(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() srv1 := &structs.NodeService{ ID: "mysql", Service: "mysql", Tags: []string{"master"}, Port: 5000, } a.state.AddService(srv1, "") req, _ := http.NewRequest("GET", "/v1/agent/services", nil) obj, err := a.srv.AgentServices(nil, req) if err != nil { t.Fatalf("Err: %v", err) } val := obj.(map[string]*structs.NodeService) if len(val) != 2 { t.Fatalf("bad services: %v", obj) } if val["mysql"].Port != 5000 { t.Fatalf("bad service: %v", obj) } } func TestAgent_Services_ACLFilter(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/services", nil) obj, err := a.srv.AgentServices(nil, req) if err != nil { t.Fatalf("Err: %v", err) } val := obj.(map[string]*structs.NodeService) if len(val) != 0 { t.Fatalf("bad: %v", obj) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/services?token=root", nil) obj, err := a.srv.AgentServices(nil, req) if err != nil { t.Fatalf("Err: %v", err) } val := obj.(map[string]*structs.NodeService) if len(val) != 1 { t.Fatalf("bad: %v", obj) } }) } func TestAgent_Checks(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() chk1 := &structs.HealthCheck{ Node: a.Config.NodeName, CheckID: "mysql", Name: "mysql", Status: api.HealthPassing, } a.state.AddCheck(chk1, "") req, _ := http.NewRequest("GET", "/v1/agent/checks", nil) obj, err := a.srv.AgentChecks(nil, req) if err != nil { t.Fatalf("Err: %v", err) } val := obj.(map[types.CheckID]*structs.HealthCheck) if len(val) != 1 { t.Fatalf("bad checks: %v", obj) } if val["mysql"].Status != api.HealthPassing { t.Fatalf("bad check: %v", obj) } } func TestAgent_Checks_ACLFilter(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() chk1 := &structs.HealthCheck{ Node: a.Config.NodeName, CheckID: "mysql", Name: "mysql", Status: api.HealthPassing, } a.state.AddCheck(chk1, "") t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/checks", nil) obj, err := a.srv.AgentChecks(nil, req) if err != nil { t.Fatalf("Err: %v", err) } val := obj.(map[types.CheckID]*structs.HealthCheck) if len(val) != 0 { t.Fatalf("bad checks: %v", obj) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/checks?token=root", nil) obj, err := a.srv.AgentChecks(nil, req) if err != nil { t.Fatalf("Err: %v", err) } val := obj.(map[types.CheckID]*structs.HealthCheck) if len(val) != 1 { t.Fatalf("bad checks: %v", obj) } }) } func TestAgent_Self(t *testing.T) { t.Parallel() cfg := TestConfig() cfg.Meta = map[string]string{"somekey": "somevalue"} a := NewTestAgent(t.Name(), cfg) defer a.Shutdown() req, _ := http.NewRequest("GET", "/v1/agent/self", nil) obj, err := a.srv.AgentSelf(nil, req) if err != nil { t.Fatalf("err: %v", err) } val := obj.(Self) if int(val.Member.Port) != a.Config.Ports.SerfLan { t.Fatalf("incorrect port: %v", obj) } if int(val.Config.Ports.SerfLan) != a.Config.Ports.SerfLan { t.Fatalf("incorrect port: %v", obj) } c, err := a.GetLANCoordinate() if err != nil { t.Fatalf("err: %v", err) } if !reflect.DeepEqual(c, val.Coord) { t.Fatalf("coordinates are not equal: %v != %v", c, val.Coord) } if !reflect.DeepEqual(cfg.Meta, val.Meta) { t.Fatalf("meta fields are not equal: %v != %v", cfg.Meta, val.Meta) } // Make sure there's nothing called "token" that's leaked. raw, err := a.srv.marshalJSON(req, obj) if err != nil { t.Fatalf("err: %v", err) } if bytes.Contains(bytes.ToLower(raw), []byte("token")) { t.Fatalf("bad: %s", raw) } } func TestAgent_Self_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/self", nil) if _, err := a.srv.AgentSelf(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("agent master token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/self?token=towel", nil) if _, err := a.srv.AgentSelf(nil, req); err != nil { t.Fatalf("err: %v", err) } }) t.Run("read-only token", func(t *testing.T) { ro := makeReadOnlyAgentACL(t, a.srv) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/self?token=%s", ro), nil) if _, err := a.srv.AgentSelf(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_Reload(t *testing.T) { t.Parallel() cfg := TestConfig() cfg.ACLEnforceVersion8 = Bool(false) cfg.Services = []*ServiceDefinition{ &ServiceDefinition{Name: "redis"}, } a := NewTestAgent(t.Name(), cfg) defer a.Shutdown() if _, ok := a.state.services["redis"]; !ok { t.Fatalf("missing redis service") } cfg2 := TestConfig() cfg2.ACLEnforceVersion8 = Bool(false) cfg2.Services = []*ServiceDefinition{ &ServiceDefinition{Name: "redis-reloaded"}, } ok, err := a.ReloadConfig(cfg2) if err != nil { t.Fatalf("got error %v want nil", err) } if !ok { t.Fatalf("got ok %v want true") } if _, ok := a.state.services["redis-reloaded"]; !ok { t.Fatalf("missing redis-reloaded service") } } func TestAgent_Reload_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/reload", nil) if _, err := a.srv.AgentReload(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("read-only token", func(t *testing.T) { ro := makeReadOnlyAgentACL(t, a.srv) req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/reload?token=%s", ro), nil) if _, err := a.srv.AgentReload(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) // This proves we call the ACL function, and we've got the other reload // test to prove we do the reload, which should be sufficient. // The reload logic is a little complex to set up so isn't worth // repeating again here. } func TestAgent_Members(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() req, _ := http.NewRequest("GET", "/v1/agent/members", nil) obj, err := a.srv.AgentMembers(nil, req) if err != nil { t.Fatalf("Err: %v", err) } val := obj.([]serf.Member) if len(val) == 0 { t.Fatalf("bad members: %v", obj) } if int(val[0].Port) != a.Config.Ports.SerfLan { t.Fatalf("not lan: %v", obj) } } func TestAgent_Members_WAN(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() req, _ := http.NewRequest("GET", "/v1/agent/members?wan=true", nil) obj, err := a.srv.AgentMembers(nil, req) if err != nil { t.Fatalf("Err: %v", err) } val := obj.([]serf.Member) if len(val) == 0 { t.Fatalf("bad members: %v", obj) } if int(val[0].Port) != a.Config.Ports.SerfWan { t.Fatalf("not wan: %v", obj) } } func TestAgent_Members_ACLFilter(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/members", nil) obj, err := a.srv.AgentMembers(nil, req) if err != nil { t.Fatalf("Err: %v", err) } val := obj.([]serf.Member) if len(val) != 0 { t.Fatalf("bad members: %v", obj) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/members?token=root", nil) obj, err := a.srv.AgentMembers(nil, req) if err != nil { t.Fatalf("Err: %v", err) } val := obj.([]serf.Member) if len(val) != 1 { t.Fatalf("bad members: %v", obj) } }) } func TestAgent_Join(t *testing.T) { t.Parallel() a1 := NewTestAgent(t.Name(), nil) defer a1.Shutdown() a2 := NewTestAgent(t.Name(), nil) defer a2.Shutdown() addr := fmt.Sprintf("127.0.0.1:%d", a2.Config.Ports.SerfLan) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/join/%s", addr), nil) obj, err := a1.srv.AgentJoin(nil, req) if err != nil { t.Fatalf("Err: %v", err) } if obj != nil { t.Fatalf("Err: %v", obj) } if len(a1.LANMembers()) != 2 { t.Fatalf("should have 2 members") } retry.Run(t, func(r *retry.R) { if got, want := len(a2.LANMembers()), 2; got != want { r.Fatalf("got %d LAN members want %d", got, want) } }) } func TestAgent_Join_WAN(t *testing.T) { t.Parallel() a1 := NewTestAgent(t.Name(), nil) defer a1.Shutdown() a2 := NewTestAgent(t.Name(), nil) defer a2.Shutdown() addr := fmt.Sprintf("127.0.0.1:%d", a2.Config.Ports.SerfWan) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/join/%s?wan=true", addr), nil) obj, err := a1.srv.AgentJoin(nil, req) if err != nil { t.Fatalf("Err: %v", err) } if obj != nil { t.Fatalf("Err: %v", obj) } if len(a1.WANMembers()) != 2 { t.Fatalf("should have 2 members") } retry.Run(t, func(r *retry.R) { if got, want := len(a2.WANMembers()), 2; got != want { r.Fatalf("got %d WAN members want %d", got, want) } }) } func TestAgent_Join_ACLDeny(t *testing.T) { t.Parallel() a1 := NewTestAgent(t.Name(), TestACLConfig()) defer a1.Shutdown() a2 := NewTestAgent(t.Name(), nil) defer a2.Shutdown() addr := fmt.Sprintf("127.0.0.1:%d", a2.Config.Ports.SerfLan) t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/join/%s", addr), nil) if _, err := a1.srv.AgentJoin(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("agent master token", func(t *testing.T) { req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/join/%s?token=towel", addr), nil) _, err := a1.srv.AgentJoin(nil, req) if err != nil { t.Fatalf("err: %v", err) } }) t.Run("read-only token", func(t *testing.T) { ro := makeReadOnlyAgentACL(t, a1.srv) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/join/%s?token=%s", addr, ro), nil) if _, err := a1.srv.AgentJoin(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) } func TestAgent_Leave(t *testing.T) { t.Parallel() a1 := NewTestAgent(t.Name(), nil) defer a1.Shutdown() cfg2 := TestConfig() cfg2.Server = false cfg2.Bootstrap = false a2 := NewTestAgent(t.Name(), cfg2) defer a2.Shutdown() // Join first addr := fmt.Sprintf("127.0.0.1:%d", a2.Config.Ports.SerfLan) _, err := a1.JoinLAN([]string{addr}) if err != nil { t.Fatalf("err: %v", err) } // Graceful leave now req, _ := http.NewRequest("PUT", "/v1/agent/leave", nil) obj, err := a2.srv.AgentLeave(nil, req) if err != nil { t.Fatalf("Err: %v", err) } if obj != nil { t.Fatalf("Err: %v", obj) } retry.Run(t, func(r *retry.R) { m := a1.LANMembers() if got, want := m[1].Status, serf.StatusLeft; got != want { r.Fatalf("got status %q want %q", got, want) } }) } func TestAgent_Leave_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/leave", nil) if _, err := a.srv.AgentLeave(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("read-only token", func(t *testing.T) { ro := makeReadOnlyAgentACL(t, a.srv) req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/leave?token=%s", ro), nil) if _, err := a.srv.AgentLeave(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) // this sub-test will change the state so that there is no leader. // it must therefore be the last one in this list. t.Run("agent master token", func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/leave?token=towel", nil) if _, err := a.srv.AgentLeave(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_ForceLeave(t *testing.T) { t.Parallel() a1 := NewTestAgent(t.Name(), nil) defer a1.Shutdown() a2 := NewTestAgent(t.Name(), nil) // Join first addr := fmt.Sprintf("127.0.0.1:%d", a2.Config.Ports.SerfLan) _, err := a1.JoinLAN([]string{addr}) if err != nil { t.Fatalf("err: %v", err) } // todo(fs): this test probably needs work a2.Shutdown() // Force leave now req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/force-leave/%s", a2.Config.NodeName), nil) obj, err := a1.srv.AgentForceLeave(nil, req) if err != nil { t.Fatalf("Err: %v", err) } if obj != nil { t.Fatalf("Err: %v", obj) } retry.Run(t, func(r *retry.R) { m := a1.LANMembers() if got, want := m[1].Status, serf.StatusLeft; got != want { r.Fatalf("got status %q want %q", got, want) } }) } func TestAgent_ForceLeave_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/force-leave/nope", nil) if _, err := a.srv.AgentForceLeave(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("agent master token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/force-leave/nope?token=towel", nil) if _, err := a.srv.AgentForceLeave(nil, req); err != nil { t.Fatalf("err: %v", err) } }) t.Run("read-only token", func(t *testing.T) { ro := makeReadOnlyAgentACL(t, a.srv) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/force-leave/nope?token=%s", ro), nil) if _, err := a.srv.AgentForceLeave(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) } func TestAgent_RegisterCheck(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() // Register node args := &CheckDefinition{ Name: "test", TTL: 15 * time.Second, } req, _ := http.NewRequest("GET", "/v1/agent/check/register?token=abc123", jsonReader(args)) obj, err := a.srv.AgentRegisterCheck(nil, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } // Ensure we have a check mapping checkID := types.CheckID("test") if _, ok := a.state.Checks()[checkID]; !ok { t.Fatalf("missing test check") } if _, ok := a.checkTTLs[checkID]; !ok { t.Fatalf("missing test check ttl") } // Ensure the token was configured if token := a.state.CheckToken(checkID); token == "" { t.Fatalf("missing token") } // By default, checks start in critical state. state := a.state.Checks()[checkID] if state.Status != api.HealthCritical { t.Fatalf("bad: %v", state) } } func TestAgent_RegisterCheck_Passing(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() // Register node args := &CheckDefinition{ Name: "test", TTL: 15 * time.Second, Status: api.HealthPassing, } req, _ := http.NewRequest("GET", "/v1/agent/check/register", jsonReader(args)) obj, err := a.srv.AgentRegisterCheck(nil, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } // Ensure we have a check mapping checkID := types.CheckID("test") if _, ok := a.state.Checks()[checkID]; !ok { t.Fatalf("missing test check") } if _, ok := a.checkTTLs[checkID]; !ok { t.Fatalf("missing test check ttl") } state := a.state.Checks()[checkID] if state.Status != api.HealthPassing { t.Fatalf("bad: %v", state) } } func TestAgent_RegisterCheck_BadStatus(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() // Register node args := &CheckDefinition{ Name: "test", TTL: 15 * time.Second, Status: "fluffy", } req, _ := http.NewRequest("GET", "/v1/agent/check/register", jsonReader(args)) resp := httptest.NewRecorder() if _, err := a.srv.AgentRegisterCheck(resp, req); err != nil { t.Fatalf("err: %v", err) } if resp.Code != 400 { t.Fatalf("accepted bad status") } } func TestAgent_RegisterCheck_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() args := &CheckDefinition{ Name: "test", TTL: 15 * time.Second, } t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/check/register", jsonReader(args)) if _, err := a.srv.AgentRegisterCheck(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/check/register?token=root", jsonReader(args)) if _, err := a.srv.AgentRegisterCheck(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_DeregisterCheck(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() chk := &structs.HealthCheck{Name: "test", CheckID: "test"} if err := a.AddCheck(chk, nil, false, ""); err != nil { t.Fatalf("err: %v", err) } // Register node req, _ := http.NewRequest("GET", "/v1/agent/check/deregister/test", nil) obj, err := a.srv.AgentDeregisterCheck(nil, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } // Ensure we have a check mapping if _, ok := a.state.Checks()["test"]; ok { t.Fatalf("have test check") } } func TestAgent_DeregisterCheckACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() chk := &structs.HealthCheck{Name: "test", CheckID: "test"} if err := a.AddCheck(chk, nil, false, ""); err != nil { t.Fatalf("err: %v", err) } t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/check/deregister/test", nil) if _, err := a.srv.AgentDeregisterCheck(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/check/deregister/test?token=root", nil) if _, err := a.srv.AgentDeregisterCheck(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_PassCheck(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() chk := &structs.HealthCheck{Name: "test", CheckID: "test"} chkType := &CheckType{TTL: 15 * time.Second} if err := a.AddCheck(chk, chkType, false, ""); err != nil { t.Fatalf("err: %v", err) } req, _ := http.NewRequest("GET", "/v1/agent/check/pass/test", nil) obj, err := a.srv.AgentCheckPass(nil, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } // Ensure we have a check mapping state := a.state.Checks()["test"] if state.Status != api.HealthPassing { t.Fatalf("bad: %v", state) } } func TestAgent_PassCheck_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() chk := &structs.HealthCheck{Name: "test", CheckID: "test"} chkType := &CheckType{TTL: 15 * time.Second} if err := a.AddCheck(chk, chkType, false, ""); err != nil { t.Fatalf("err: %v", err) } t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/check/pass/test", nil) if _, err := a.srv.AgentCheckPass(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/check/pass/test?token=root", nil) if _, err := a.srv.AgentCheckPass(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_WarnCheck(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() chk := &structs.HealthCheck{Name: "test", CheckID: "test"} chkType := &CheckType{TTL: 15 * time.Second} if err := a.AddCheck(chk, chkType, false, ""); err != nil { t.Fatalf("err: %v", err) } req, _ := http.NewRequest("GET", "/v1/agent/check/warn/test", nil) obj, err := a.srv.AgentCheckWarn(nil, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } // Ensure we have a check mapping state := a.state.Checks()["test"] if state.Status != api.HealthWarning { t.Fatalf("bad: %v", state) } } func TestAgent_WarnCheck_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() chk := &structs.HealthCheck{Name: "test", CheckID: "test"} chkType := &CheckType{TTL: 15 * time.Second} if err := a.AddCheck(chk, chkType, false, ""); err != nil { t.Fatalf("err: %v", err) } t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/check/warn/test", nil) if _, err := a.srv.AgentCheckWarn(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/check/warn/test?token=root", nil) if _, err := a.srv.AgentCheckWarn(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_FailCheck(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() chk := &structs.HealthCheck{Name: "test", CheckID: "test"} chkType := &CheckType{TTL: 15 * time.Second} if err := a.AddCheck(chk, chkType, false, ""); err != nil { t.Fatalf("err: %v", err) } req, _ := http.NewRequest("GET", "/v1/agent/check/fail/test", nil) obj, err := a.srv.AgentCheckFail(nil, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } // Ensure we have a check mapping state := a.state.Checks()["test"] if state.Status != api.HealthCritical { t.Fatalf("bad: %v", state) } } func TestAgent_FailCheck_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() chk := &structs.HealthCheck{Name: "test", CheckID: "test"} chkType := &CheckType{TTL: 15 * time.Second} if err := a.AddCheck(chk, chkType, false, ""); err != nil { t.Fatalf("err: %v", err) } t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/check/fail/test", nil) if _, err := a.srv.AgentCheckFail(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/check/fail/test?token=root", nil) if _, err := a.srv.AgentCheckFail(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_UpdateCheck(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() chk := &structs.HealthCheck{Name: "test", CheckID: "test"} chkType := &CheckType{TTL: 15 * time.Second} if err := a.AddCheck(chk, chkType, false, ""); err != nil { t.Fatalf("err: %v", err) } cases := []checkUpdate{ checkUpdate{api.HealthPassing, "hello-passing"}, checkUpdate{api.HealthCritical, "hello-critical"}, checkUpdate{api.HealthWarning, "hello-warning"}, } for _, c := range cases { t.Run(c.Status, func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/check/update/test", jsonReader(c)) resp := httptest.NewRecorder() obj, err := a.srv.AgentCheckUpdate(resp, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } if resp.Code != 200 { t.Fatalf("expected 200, got %d", resp.Code) } state := a.state.Checks()["test"] if state.Status != c.Status || state.Output != c.Output { t.Fatalf("bad: %v", state) } }) } t.Run("log output limit", func(t *testing.T) { args := checkUpdate{ Status: api.HealthPassing, Output: strings.Repeat("-= bad -=", 5*CheckBufSize), } req, _ := http.NewRequest("PUT", "/v1/agent/check/update/test", jsonReader(args)) resp := httptest.NewRecorder() obj, err := a.srv.AgentCheckUpdate(resp, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } if resp.Code != 200 { t.Fatalf("expected 200, got %d", resp.Code) } // Since we append some notes about truncating, we just do a // rough check that the output buffer was cut down so this test // isn't super brittle. state := a.state.Checks()["test"] if state.Status != api.HealthPassing || len(state.Output) > 2*CheckBufSize { t.Fatalf("bad: %v", state) } }) t.Run("bogus status", func(t *testing.T) { args := checkUpdate{Status: "itscomplicated"} req, _ := http.NewRequest("PUT", "/v1/agent/check/update/test", jsonReader(args)) resp := httptest.NewRecorder() obj, err := a.srv.AgentCheckUpdate(resp, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } if resp.Code != 400 { t.Fatalf("expected 400, got %d", resp.Code) } }) t.Run("bogus verb", func(t *testing.T) { args := checkUpdate{Status: api.HealthPassing} req, _ := http.NewRequest("POST", "/v1/agent/check/update/test", jsonReader(args)) resp := httptest.NewRecorder() obj, err := a.srv.AgentCheckUpdate(resp, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } if resp.Code != 405 { t.Fatalf("expected 405, got %d", resp.Code) } }) } func TestAgent_UpdateCheck_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() chk := &structs.HealthCheck{Name: "test", CheckID: "test"} chkType := &CheckType{TTL: 15 * time.Second} if err := a.AddCheck(chk, chkType, false, ""); err != nil { t.Fatalf("err: %v", err) } t.Run("no token", func(t *testing.T) { args := checkUpdate{api.HealthPassing, "hello-passing"} req, _ := http.NewRequest("PUT", "/v1/agent/check/update/test", jsonReader(args)) if _, err := a.srv.AgentCheckUpdate(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("root token", func(t *testing.T) { args := checkUpdate{api.HealthPassing, "hello-passing"} req, _ := http.NewRequest("PUT", "/v1/agent/check/update/test?token=root", jsonReader(args)) if _, err := a.srv.AgentCheckUpdate(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_RegisterService(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() args := &ServiceDefinition{ Name: "test", Tags: []string{"master"}, Port: 8000, Check: CheckType{ TTL: 15 * time.Second, }, Checks: CheckTypes{ &CheckType{ TTL: 20 * time.Second, }, &CheckType{ TTL: 30 * time.Second, }, }, } req, _ := http.NewRequest("GET", "/v1/agent/service/register?token=abc123", jsonReader(args)) obj, err := a.srv.AgentRegisterService(nil, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } // Ensure the servie if _, ok := a.state.Services()["test"]; !ok { t.Fatalf("missing test service") } // Ensure we have a check mapping checks := a.state.Checks() if len(checks) != 3 { t.Fatalf("bad: %v", checks) } if len(a.checkTTLs) != 3 { t.Fatalf("missing test check ttls: %v", a.checkTTLs) } // Ensure the token was configured if token := a.state.ServiceToken("test"); token == "" { t.Fatalf("missing token") } } func TestAgent_RegisterService_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() args := &ServiceDefinition{ Name: "test", Tags: []string{"master"}, Port: 8000, Check: CheckType{ TTL: 15 * time.Second, }, Checks: CheckTypes{ &CheckType{ TTL: 20 * time.Second, }, &CheckType{ TTL: 30 * time.Second, }, }, } t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/service/register", jsonReader(args)) if _, err := a.srv.AgentRegisterService(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/service/register?token=root", jsonReader(args)) if _, err := a.srv.AgentRegisterService(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_RegisterService_InvalidAddress(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() for _, addr := range []string{"0.0.0.0", "::", "[::]"} { t.Run("addr "+addr, func(t *testing.T) { args := &ServiceDefinition{ Name: "test", Address: addr, Port: 8000, } req, _ := http.NewRequest("GET", "/v1/agent/service/register?token=abc123", jsonReader(args)) resp := httptest.NewRecorder() _, err := a.srv.AgentRegisterService(resp, req) if err != nil { t.Fatalf("got error %v want nil", err) } if got, want := resp.Code, 400; got != want { t.Fatalf("got code %d want %d", got, want) } if got, want := resp.Body.String(), "Invalid service address"; got != want { t.Fatalf("got body %q want %q", got, want) } }) } } func TestAgent_DeregisterService(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() service := &structs.NodeService{ ID: "test", Service: "test", } if err := a.AddService(service, nil, false, ""); err != nil { t.Fatalf("err: %v", err) } req, _ := http.NewRequest("GET", "/v1/agent/service/deregister/test", nil) obj, err := a.srv.AgentDeregisterService(nil, req) if err != nil { t.Fatalf("err: %v", err) } if obj != nil { t.Fatalf("bad: %v", obj) } // Ensure we have a check mapping if _, ok := a.state.Services()["test"]; ok { t.Fatalf("have test service") } if _, ok := a.state.Checks()["test"]; ok { t.Fatalf("have test check") } } func TestAgent_DeregisterService_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() service := &structs.NodeService{ ID: "test", Service: "test", } if err := a.AddService(service, nil, false, ""); err != nil { t.Fatalf("err: %v", err) } t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/service/deregister/test", nil) if _, err := a.srv.AgentDeregisterService(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/service/deregister/test?token=root", nil) if _, err := a.srv.AgentDeregisterService(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_ServiceMaintenance_BadRequest(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() t.Run("not PUT", func(t *testing.T) { req, _ := http.NewRequest("GET", "/v1/agent/service/maintenance/test?enable=true", nil) resp := httptest.NewRecorder() if _, err := a.srv.AgentServiceMaintenance(resp, req); err != nil { t.Fatalf("err: %s", err) } if resp.Code != 405 { t.Fatalf("expected 405, got %d", resp.Code) } }) t.Run("not enabled", func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/service/maintenance/test", nil) resp := httptest.NewRecorder() if _, err := a.srv.AgentServiceMaintenance(resp, req); err != nil { t.Fatalf("err: %s", err) } if resp.Code != 400 { t.Fatalf("expected 400, got %d", resp.Code) } }) t.Run("no service id", func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/service/maintenance/?enable=true", nil) resp := httptest.NewRecorder() if _, err := a.srv.AgentServiceMaintenance(resp, req); err != nil { t.Fatalf("err: %s", err) } if resp.Code != 400 { t.Fatalf("expected 400, got %d", resp.Code) } }) t.Run("bad service id", func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/service/maintenance/_nope_?enable=true", nil) resp := httptest.NewRecorder() if _, err := a.srv.AgentServiceMaintenance(resp, req); err != nil { t.Fatalf("err: %s", err) } if resp.Code != 404 { t.Fatalf("expected 404, got %d", resp.Code) } }) } func TestAgent_ServiceMaintenance_Enable(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() // Register the service service := &structs.NodeService{ ID: "test", Service: "test", } if err := a.AddService(service, nil, false, ""); err != nil { t.Fatalf("err: %v", err) } // Force the service into maintenance mode req, _ := http.NewRequest("PUT", "/v1/agent/service/maintenance/test?enable=true&reason=broken&token=mytoken", nil) resp := httptest.NewRecorder() if _, err := a.srv.AgentServiceMaintenance(resp, req); err != nil { t.Fatalf("err: %s", err) } if resp.Code != 200 { t.Fatalf("expected 200, got %d", resp.Code) } // Ensure the maintenance check was registered checkID := serviceMaintCheckID("test") check, ok := a.state.Checks()[checkID] if !ok { t.Fatalf("should have registered maintenance check") } // Ensure the token was added if token := a.state.CheckToken(checkID); token != "mytoken" { t.Fatalf("expected 'mytoken', got '%s'", token) } // Ensure the reason was set in notes if check.Notes != "broken" { t.Fatalf("bad: %#v", check) } } func TestAgent_ServiceMaintenance_Disable(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() // Register the service service := &structs.NodeService{ ID: "test", Service: "test", } if err := a.AddService(service, nil, false, ""); err != nil { t.Fatalf("err: %v", err) } // Force the service into maintenance mode if err := a.EnableServiceMaintenance("test", "", ""); err != nil { t.Fatalf("err: %s", err) } // Leave maintenance mode req, _ := http.NewRequest("PUT", "/v1/agent/service/maintenance/test?enable=false", nil) resp := httptest.NewRecorder() if _, err := a.srv.AgentServiceMaintenance(resp, req); err != nil { t.Fatalf("err: %s", err) } if resp.Code != 200 { t.Fatalf("expected 200, got %d", resp.Code) } // Ensure the maintenance check was removed checkID := serviceMaintCheckID("test") if _, ok := a.state.Checks()[checkID]; ok { t.Fatalf("should have removed maintenance check") } } func TestAgent_ServiceMaintenance_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() // Register the service. service := &structs.NodeService{ ID: "test", Service: "test", } if err := a.AddService(service, nil, false, ""); err != nil { t.Fatalf("err: %v", err) } t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/service/maintenance/test?enable=true&reason=broken", nil) if _, err := a.srv.AgentServiceMaintenance(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/service/maintenance/test?enable=true&reason=broken&token=root", nil) if _, err := a.srv.AgentServiceMaintenance(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_NodeMaintenance_BadRequest(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() // Fails on non-PUT req, _ := http.NewRequest("GET", "/v1/agent/self/maintenance?enable=true", nil) resp := httptest.NewRecorder() if _, err := a.srv.AgentNodeMaintenance(resp, req); err != nil { t.Fatalf("err: %s", err) } if resp.Code != 405 { t.Fatalf("expected 405, got %d", resp.Code) } // Fails when no enable flag provided req, _ = http.NewRequest("PUT", "/v1/agent/self/maintenance", nil) resp = httptest.NewRecorder() if _, err := a.srv.AgentNodeMaintenance(resp, req); err != nil { t.Fatalf("err: %s", err) } if resp.Code != 400 { t.Fatalf("expected 400, got %d", resp.Code) } } func TestAgent_NodeMaintenance_Enable(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() // Force the node into maintenance mode req, _ := http.NewRequest("PUT", "/v1/agent/self/maintenance?enable=true&reason=broken&token=mytoken", nil) resp := httptest.NewRecorder() if _, err := a.srv.AgentNodeMaintenance(resp, req); err != nil { t.Fatalf("err: %s", err) } if resp.Code != 200 { t.Fatalf("expected 200, got %d", resp.Code) } // Ensure the maintenance check was registered check, ok := a.state.Checks()[structs.NodeMaint] if !ok { t.Fatalf("should have registered maintenance check") } // Check that the token was used if token := a.state.CheckToken(structs.NodeMaint); token != "mytoken" { t.Fatalf("expected 'mytoken', got '%s'", token) } // Ensure the reason was set in notes if check.Notes != "broken" { t.Fatalf("bad: %#v", check) } } func TestAgent_NodeMaintenance_Disable(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() // Force the node into maintenance mode a.EnableNodeMaintenance("", "") // Leave maintenance mode req, _ := http.NewRequest("PUT", "/v1/agent/self/maintenance?enable=false", nil) resp := httptest.NewRecorder() if _, err := a.srv.AgentNodeMaintenance(resp, req); err != nil { t.Fatalf("err: %s", err) } if resp.Code != 200 { t.Fatalf("expected 200, got %d", resp.Code) } // Ensure the maintenance check was removed if _, ok := a.state.Checks()[structs.NodeMaint]; ok { t.Fatalf("should have removed maintenance check") } } func TestAgent_NodeMaintenance_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() t.Run("no token", func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/self/maintenance?enable=true&reason=broken", nil) if _, err := a.srv.AgentNodeMaintenance(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } }) t.Run("root token", func(t *testing.T) { req, _ := http.NewRequest("PUT", "/v1/agent/self/maintenance?enable=true&reason=broken&token=root", nil) if _, err := a.srv.AgentNodeMaintenance(nil, req); err != nil { t.Fatalf("err: %v", err) } }) } func TestAgent_RegisterCheck_Service(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), nil) defer a.Shutdown() args := &ServiceDefinition{ Name: "memcache", Port: 8000, Check: CheckType{ TTL: 15 * time.Second, }, } // First register the service req, _ := http.NewRequest("GET", "/v1/agent/service/register", jsonReader(args)) if _, err := a.srv.AgentRegisterService(nil, req); err != nil { t.Fatalf("err: %v", err) } // Now register an additional check checkArgs := &CheckDefinition{ Name: "memcache_check2", ServiceID: "memcache", TTL: 15 * time.Second, } req, _ = http.NewRequest("GET", "/v1/agent/check/register", jsonReader(checkArgs)) if _, err := a.srv.AgentRegisterCheck(nil, req); err != nil { t.Fatalf("err: %v", err) } // Ensure we have a check mapping result := a.state.Checks() if _, ok := result["service:memcache"]; !ok { t.Fatalf("missing memcached check") } if _, ok := result["memcache_check2"]; !ok { t.Fatalf("missing memcache_check2 check") } // Make sure the new check is associated with the service if result["memcache_check2"].ServiceID != "memcache" { t.Fatalf("bad: %#v", result["memcached_check2"]) } } func TestAgent_Monitor(t *testing.T) { t.Parallel() logWriter := logger.NewLogWriter(512) a := &TestAgent{ Name: t.Name(), LogWriter: logWriter, LogOutput: io.MultiWriter(os.Stderr, logWriter), } a.Start() defer a.Shutdown() // Try passing an invalid log level req, _ := http.NewRequest("GET", "/v1/agent/monitor?loglevel=invalid", nil) resp := newClosableRecorder() if _, err := a.srv.AgentMonitor(resp, req); err != nil { t.Fatalf("err: %v", err) } if resp.Code != 400 { t.Fatalf("bad: %v", resp.Code) } body, _ := ioutil.ReadAll(resp.Body) if !strings.Contains(string(body), "Unknown log level") { t.Fatalf("bad: %s", body) } // Try to stream logs until we see the expected log line retry.Run(t, func(r *retry.R) { req, _ = http.NewRequest("GET", "/v1/agent/monitor?loglevel=debug", nil) resp = newClosableRecorder() done := make(chan struct{}) go func() { if _, err := a.srv.AgentMonitor(resp, req); err != nil { t.Fatalf("err: %s", err) } close(done) }() resp.Close() <-done got := resp.Body.Bytes() want := []byte("raft: Initial configuration (index=1)") if !bytes.Contains(got, want) { r.Fatalf("got %q and did not find %q", got, want) } }) } type closableRecorder struct { *httptest.ResponseRecorder closer chan bool } func newClosableRecorder() *closableRecorder { r := httptest.NewRecorder() closer := make(chan bool) return &closableRecorder{r, closer} } func (r *closableRecorder) Close() { close(r.closer) } func (r *closableRecorder) CloseNotify() <-chan bool { return r.closer } func TestAgent_Monitor_ACLDeny(t *testing.T) { t.Parallel() a := NewTestAgent(t.Name(), TestACLConfig()) defer a.Shutdown() // Try without a token. req, _ := http.NewRequest("GET", "/v1/agent/monitor", nil) if _, err := a.srv.AgentMonitor(nil, req); !isPermissionDenied(err) { t.Fatalf("err: %v", err) } // This proves we call the ACL function, and we've got the other monitor // test to prove monitor works, which should be sufficient. The monitor // logic is a little complex to set up so isn't worth repeating again // here. }