open-consul/agent/http_oss_test.go

package agent

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	"github.com/hashicorp/consul/testrpc"
)

// extra endpoints that should be tested, and their allowed methods
var extraTestEndpoints = map[string][]string{
	"/v1/query":             {"GET", "POST"},
	"/v1/query/":            {"GET", "PUT", "DELETE"},
	"/v1/query/xxx/execute": {"GET"},
	"/v1/query/xxx/explain": {"GET"},
}

// These endpoints are ignored in unit testing for response codes
var ignoredEndpoints = []string{"/v1/status/peers", "/v1/agent/monitor", "/v1/agent/reload"}

// These have custom logic
var customEndpoints = []string{"/v1/query", "/v1/query/"}

// includePathInTest returns whether this path should be ignored for the purpose of testing its response code
func includePathInTest(path string) bool {
	ignored := false
	for _, p := range ignoredEndpoints {
		if p == path {
			ignored = true
			break
		}
	}
	for _, p := range customEndpoints {
		if p == path {
			ignored = true
			break
		}
	}

	return !ignored
}

func newHttpClient(timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		Transport: &http.Transport{
			Dial: (&net.Dialer{
				Timeout: timeout,
			}).Dial,
			TLSHandshakeTimeout: timeout,
		},
	}
}

func TestHTTPAPI_MethodNotAllowed_OSS(t *testing.T) {
	if testing.Short() {
		t.Skip("too slow for testing.Short")
	}

	// To avoid actually triggering RPCs that are allowed, lock everything down
	// with default-deny ACLs. This drops the test runtime from 11s to 0.6s.
	a := NewTestAgent(t, `
	primary_datacenter = "dc1"
	acl {
		enabled        = true
		default_policy = "deny"
		tokens {
			master  = "sekrit"
			agent   = "sekrit"
		}
	}
	`)
	defer a.Shutdown()
	// Use the master token here so the wait actually works.
	testrpc.WaitForTestAgent(t, a.RPC, "dc1", testrpc.WithToken("sekrit"))

	all := []string{"GET", "PUT", "POST", "DELETE", "HEAD", "OPTIONS"}

	client := newHttpClient(15 * time.Second)

	testMethodNotAllowed := func(t *testing.T, method string, path string, allowedMethods []string) {
		t.Run(method+" "+path, func(t *testing.T) {
			uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)
			req, _ := http.NewRequest(method, uri, nil)
			resp, err := client.Do(req)
			if err != nil {
				t.Fatal("client.Do failed: ", err)
			}
			defer resp.Body.Close()

			allowed := method == "OPTIONS"
			for _, allowedMethod := range allowedMethods {
				if allowedMethod == method {
					allowed = true
					break
				}
			}

			if allowed && resp.StatusCode == http.StatusMethodNotAllowed {
				t.Fatalf("method allowed: got status code %d want any other code", resp.StatusCode)
			}
			if !allowed && resp.StatusCode != http.StatusMethodNotAllowed {
				t.Fatalf("method not allowed: got status code %d want %d", resp.StatusCode, http.StatusMethodNotAllowed)
			}
		})
	}

	for path, methods := range extraTestEndpoints {
		for _, method := range all {
			testMethodNotAllowed(t, method, path, methods)
		}
	}

	for path, methods := range allowedMethods {
		if includePathInTest(path) {
			for _, method := range all {
				testMethodNotAllowed(t, method, path, methods)
			}
		}
	}
}

func TestHTTPAPI_OptionMethod_OSS(t *testing.T) {
	if testing.Short() {
		t.Skip("too slow for testing.Short")
	}

	a := NewTestAgent(t, `acl_datacenter = "dc1"`)
	defer a.Shutdown()
	testrpc.WaitForTestAgent(t, a.RPC, "dc1")

	testOptionMethod := func(path string, methods []string) {
		t.Run("OPTIONS "+path, func(t *testing.T) {
			uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)
			req, _ := http.NewRequest("OPTIONS", uri, nil)
			resp := httptest.NewRecorder()
			a.srv.handler(true).ServeHTTP(resp, req)
			allMethods := append([]string{"OPTIONS"}, methods...)

			if resp.Code != http.StatusOK {
				t.Fatalf("options request: got status code %d want %d", resp.Code, http.StatusOK)
			}

			optionsStr := resp.Header().Get("Allow")
			if optionsStr == "" {
				t.Fatalf("options request: got empty 'Allow' header")
			} else if optionsStr != strings.Join(allMethods, ",") {
				t.Fatalf("options request: got 'Allow' header value of %s want %s", optionsStr, allMethods)
			}
		})
	}

	for path, methods := range extraTestEndpoints {
		testOptionMethod(path, methods)
	}
	for path, methods := range allowedMethods {
		if includePathInTest(path) {
			testOptionMethod(path, methods)
		}
	}
}

func TestHTTPAPI_AllowedNets_OSS(t *testing.T) {
	if testing.Short() {
		t.Skip("too slow for testing.Short")
	}

	a := NewTestAgent(t, `
		acl_datacenter = "dc1"
		http_config {
			allow_write_http_from = ["127.0.0.1/8"]
		}
	`)
	defer a.Shutdown()
	testrpc.WaitForTestAgent(t, a.RPC, "dc1")

	testOptionMethod := func(path string, method string) {
		t.Run(method+" "+path, func(t *testing.T) {
			uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)
			req, _ := http.NewRequest(method, uri, nil)
			req.RemoteAddr = "192.168.1.2:5555"
			resp := httptest.NewRecorder()
			a.srv.handler(true).ServeHTTP(resp, req)

			require.Equal(t, http.StatusForbidden, resp.Code, "%s %s", method, path)
		})
	}

	for path, methods := range extraTestEndpoints {
		if !includePathInTest(path) {
			continue
		}
		for _, method := range methods {
			if method == http.MethodGet {
				continue
			}

			testOptionMethod(path, method)
		}
	}
	for path, methods := range allowedMethods {
		if !includePathInTest(path) {
			continue
		}
		for _, method := range methods {
			if method == http.MethodGet {
				continue
			}

			testOptionMethod(path, method)
		}
	}
}
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`package agent`

			`import (`
			`"fmt"`
fix some test hangs (#4785) The default http.Client uses infinite timeouts, so if TestHTTPAPI_MethodNotAllowed_OSS experienced anything going wrong about setup it could hang forever. Switching to hard coding various http.Client timeouts to non-infinite values at least bounds the failure time. 2018-10-16 21:04:51 +00:00			`"net"`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`"net/http"`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`"net/http/httptest"`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`"strings"`
			`"testing"`
fix some test hangs (#4785) The default http.Client uses infinite timeouts, so if TestHTTPAPI_MethodNotAllowed_OSS experienced anything going wrong about setup it could hang forever. Switching to hard coding various http.Client timeouts to non-infinite values at least bounds the failure time. 2018-10-16 21:04:51 +00:00			`"time"`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00
[Security] Allow blocking Write endpoints on Agent using Network Addresses (#4719) * Add -write-allowed-nets option * Add documentation for the new write_allowed_nets option 2019-01-10 14:27:26 +00:00			`"github.com/stretchr/testify/require"`

Fixed another list of unstable unit tests in travis (#4915) * Fixed another list of unstable unit tests in travis Fixed failing tests in https://travis-ci.org/hashicorp/consul/jobs/451357061 * Fixed another list of unstable unit tests in travis. Fixed failing tests in https://travis-ci.org/hashicorp/consul/jobs/451357061 2018-11-20 11:27:26 +00:00			`"github.com/hashicorp/consul/testrpc"`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`)`

Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`// extra endpoints that should be tested, and their allowed methods`
			`var extraTestEndpoints = map[string][]string{`
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w' 2020-06-16 17:19:31 +00:00			`"/v1/query": {"GET", "POST"},`
			`"/v1/query/": {"GET", "PUT", "DELETE"},`
			`"/v1/query/xxx/execute": {"GET"},`
			`"/v1/query/xxx/explain": {"GET"},`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`}`

cleanup unit test code a bit 2018-03-16 14:36:57 +00:00			`// These endpoints are ignored in unit testing for response codes`
Formatting update 2018-03-27 20:31:27 +00:00			`var ignoredEndpoints = []string{"/v1/status/peers", "/v1/agent/monitor", "/v1/agent/reload"}`

cleanup unit test code a bit 2018-03-16 14:36:57 +00:00			`// These have custom logic`
			`var customEndpoints = []string{"/v1/query", "/v1/query/"}`

			`// includePathInTest returns whether this path should be ignored for the purpose of testing its response code`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`func includePathInTest(path string) bool {`
cleanup unit test code a bit 2018-03-16 14:36:57 +00:00			`ignored := false`
			`for _, p := range ignoredEndpoints {`
			`if p == path {`
			`ignored = true`
			`break`
			`}`
			`}`
			`for _, p := range customEndpoints {`
			`if p == path {`
			`ignored = true`
			`break`
			`}`
			`}`

			`return !ignored`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`}`

fix some test hangs (#4785) The default http.Client uses infinite timeouts, so if TestHTTPAPI_MethodNotAllowed_OSS experienced anything going wrong about setup it could hang forever. Switching to hard coding various http.Client timeouts to non-infinite values at least bounds the failure time. 2018-10-16 21:04:51 +00:00			`func newHttpClient(timeout time.Duration) *http.Client {`
			`return &http.Client{`
			`Timeout: timeout,`
			`Transport: &http.Transport{`
			`Dial: (&net.Dialer{`
			`Timeout: timeout,`
			`}).Dial,`
			`TLSHandshakeTimeout: timeout,`
			`},`
			`}`
			`}`

Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`func TestHTTPAPI_MethodNotAllowed_OSS(t *testing.T) {`
testing: skip slow tests with -short Add a skip condition to all tests slower than 100ms. This change was made using `gotestsum tool slowest` with data from the last 3 CI runs of master. See https://github.com/gotestyourself/gotestsum#finding-and-skipping-slow-tests With this change: ``` $ time go test -count=1 -short ./agent ok github.com/hashicorp/consul/agent 0.743s real 0m4.791s $ time go test -count=1 -short ./agent/consul ok github.com/hashicorp/consul/agent/consul 4.229s real 0m8.769s ``` 2020-12-07 18:42:55 +00:00			`if testing.Short() {`
			`t.Skip("too slow for testing.Short")`
			`}`

speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`// To avoid actually triggering RPCs that are allowed, lock everything down`
			`// with default-deny ACLs. This drops the test runtime from 11s to 0.6s.`
Remove name from NewTestAgent Using: git grep -l 'NewTestAgent(t, t.Name(),' \| \ xargs sed -i -e 's/NewTestAgent(t, t.Name(),/NewTestAgent(t,/g' 2020-03-31 19:59:56 +00:00			a := NewTestAgent(t, `
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`primary_datacenter = "dc1"`
			`acl {`
			`enabled = true`
			`default_policy = "deny"`
			`tokens {`
			`master = "sekrit"`
			`agent = "sekrit"`
			`}`
			`}`
			`)
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`defer a.Shutdown()`
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`// Use the master token here so the wait actually works.`
			`testrpc.WaitForTestAgent(t, a.RPC, "dc1", testrpc.WithToken("sekrit"))`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`all := []string{"GET", "PUT", "POST", "DELETE", "HEAD", "OPTIONS"}`
fix some test hangs (#4785) The default http.Client uses infinite timeouts, so if TestHTTPAPI_MethodNotAllowed_OSS experienced anything going wrong about setup it could hang forever. Switching to hard coding various http.Client timeouts to non-infinite values at least bounds the failure time. 2018-10-16 21:04:51 +00:00
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`client := newHttpClient(15 * time.Second)`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`testMethodNotAllowed := func(t *testing.T, method string, path string, allowedMethods []string) {`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`t.Run(method+" "+path, func(t *testing.T) {`
			`uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)`
			`req, _ := http.NewRequest(method, uri, nil)`
			`resp, err := client.Do(req)`
			`if err != nil {`
			`t.Fatal("client.Do failed: ", err)`
			`}`
Close HTTP response in Agent test (HTTPAPI_MethodNotAllowed_OSS) 2018-04-10 12:02:47 +00:00			`defer resp.Body.Close()`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`allowed := method == "OPTIONS"`
			`for _, allowedMethod := range allowedMethods {`
			`if allowedMethod == method {`
			`allowed = true`
			`break`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`}`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`}`

			`if allowed && resp.StatusCode == http.StatusMethodNotAllowed {`
			`t.Fatalf("method allowed: got status code %d want any other code", resp.StatusCode)`
			`}`
			`if !allowed && resp.StatusCode != http.StatusMethodNotAllowed {`
			`t.Fatalf("method not allowed: got status code %d want %d", resp.StatusCode, http.StatusMethodNotAllowed)`
			`}`
			`})`
			`}`

			`for path, methods := range extraTestEndpoints {`
			`for _, method := range all {`
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`testMethodNotAllowed(t, method, path, methods)`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`}`
			`}`

			`for path, methods := range allowedMethods {`
			`if includePathInTest(path) {`
			`for _, method := range all {`
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`testMethodNotAllowed(t, method, path, methods)`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`}`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`}`
			`}`
			`}`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00
			`func TestHTTPAPI_OptionMethod_OSS(t *testing.T) {`
testing: skip slow tests with -short Add a skip condition to all tests slower than 100ms. This change was made using `gotestsum tool slowest` with data from the last 3 CI runs of master. See https://github.com/gotestyourself/gotestsum#finding-and-skipping-slow-tests With this change: ``` $ time go test -count=1 -short ./agent ok github.com/hashicorp/consul/agent 0.743s real 0m4.791s $ time go test -count=1 -short ./agent/consul ok github.com/hashicorp/consul/agent/consul 4.229s real 0m8.769s ``` 2020-12-07 18:42:55 +00:00			`if testing.Short() {`
			`t.Skip("too slow for testing.Short")`
			`}`

Remove name from NewTestAgent Using: git grep -l 'NewTestAgent(t, t.Name(),' \| \ xargs sed -i -e 's/NewTestAgent(t, t.Name(),/NewTestAgent(t,/g' 2020-03-31 19:59:56 +00:00			a := NewTestAgent(t, `acl_datacenter = "dc1"`)
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`defer a.Shutdown()`
Fixed another list of unstable unit tests in travis (#4915) * Fixed another list of unstable unit tests in travis Fixed failing tests in https://travis-ci.org/hashicorp/consul/jobs/451357061 * Fixed another list of unstable unit tests in travis. Fixed failing tests in https://travis-ci.org/hashicorp/consul/jobs/451357061 2018-11-20 11:27:26 +00:00			`testrpc.WaitForTestAgent(t, a.RPC, "dc1")`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`testOptionMethod := func(path string, methods []string) {`
			`t.Run("OPTIONS "+path, func(t *testing.T) {`
			`uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`req, _ := http.NewRequest("OPTIONS", uri, nil)`
			`resp := httptest.NewRecorder()`
agent/http: un-embed the HTTPServer The embedded HTTPServer struct is not used by the large HTTPServer struct. It is used by tests and the agent. This change is a small first step in the process of removing that field. The eventual goal is to reduce the scope of HTTPServer making it easier to test, and split into separate packages. 2020-07-02 20:47:54 +00:00			`a.srv.handler(true).ServeHTTP(resp, req)`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`allMethods := append([]string{"OPTIONS"}, methods...)`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00
			`if resp.Code != http.StatusOK {`
			`t.Fatalf("options request: got status code %d want %d", resp.Code, http.StatusOK)`
			`}`

			`optionsStr := resp.Header().Get("Allow")`
			`if optionsStr == "" {`
			`t.Fatalf("options request: got empty 'Allow' header")`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`} else if optionsStr != strings.Join(allMethods, ",") {`
			`t.Fatalf("options request: got 'Allow' header value of %s want %s", optionsStr, allMethods)`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`}`
			`})`
			`}`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00
			`for path, methods := range extraTestEndpoints {`
			`testOptionMethod(path, methods)`
			`}`
			`for path, methods := range allowedMethods {`
			`if includePathInTest(path) {`
			`testOptionMethod(path, methods)`
			`}`
			`}`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`}`
[Security] Allow blocking Write endpoints on Agent using Network Addresses (#4719) * Add -write-allowed-nets option * Add documentation for the new write_allowed_nets option 2019-01-10 14:27:26 +00:00
			`func TestHTTPAPI_AllowedNets_OSS(t *testing.T) {`
testing: skip slow tests with -short Add a skip condition to all tests slower than 100ms. This change was made using `gotestsum tool slowest` with data from the last 3 CI runs of master. See https://github.com/gotestyourself/gotestsum#finding-and-skipping-slow-tests With this change: ``` $ time go test -count=1 -short ./agent ok github.com/hashicorp/consul/agent 0.743s real 0m4.791s $ time go test -count=1 -short ./agent/consul ok github.com/hashicorp/consul/agent/consul 4.229s real 0m8.769s ``` 2020-12-07 18:42:55 +00:00			`if testing.Short() {`
			`t.Skip("too slow for testing.Short")`
			`}`

Remove name from NewTestAgent Using: git grep -l 'NewTestAgent(t, t.Name(),' \| \ xargs sed -i -e 's/NewTestAgent(t, t.Name(),/NewTestAgent(t,/g' 2020-03-31 19:59:56 +00:00			a := NewTestAgent(t, `
[Security] Allow blocking Write endpoints on Agent using Network Addresses (#4719) * Add -write-allowed-nets option * Add documentation for the new write_allowed_nets option 2019-01-10 14:27:26 +00:00			`acl_datacenter = "dc1"`
			`http_config {`
			`allow_write_http_from = ["127.0.0.1/8"]`
			`}`
			`)
			`defer a.Shutdown()`
			`testrpc.WaitForTestAgent(t, a.RPC, "dc1")`

			`testOptionMethod := func(path string, method string) {`
			`t.Run(method+" "+path, func(t *testing.T) {`
			`uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)`
			`req, _ := http.NewRequest(method, uri, nil)`
			`req.RemoteAddr = "192.168.1.2:5555"`
			`resp := httptest.NewRecorder()`
agent/http: un-embed the HTTPServer The embedded HTTPServer struct is not used by the large HTTPServer struct. It is used by tests and the agent. This change is a small first step in the process of removing that field. The eventual goal is to reduce the scope of HTTPServer making it easier to test, and split into separate packages. 2020-07-02 20:47:54 +00:00			`a.srv.handler(true).ServeHTTP(resp, req)`
[Security] Allow blocking Write endpoints on Agent using Network Addresses (#4719) * Add -write-allowed-nets option * Add documentation for the new write_allowed_nets option 2019-01-10 14:27:26 +00:00
			`require.Equal(t, http.StatusForbidden, resp.Code, "%s %s", method, path)`
			`})`
			`}`

			`for path, methods := range extraTestEndpoints {`
			`if !includePathInTest(path) {`
			`continue`
			`}`
			`for _, method := range methods {`
			`if method == http.MethodGet {`
			`continue`
			`}`

			`testOptionMethod(path, method)`
			`}`
			`}`
			`for path, methods := range allowedMethods {`
			`if !includePathInTest(path) {`
			`continue`
			`}`
			`for _, method := range methods {`
			`if method == http.MethodGet {`
			`continue`
			`}`

			`testOptionMethod(path, method)`
			`}`
			`}`
			`}`