open-consul/agent/http_oss_test.go

package agent

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	"github.com/hashicorp/consul/testrpc"

	"github.com/hashicorp/consul/logger"
)

// extra endpoints that should be tested, and their allowed methods
var extraTestEndpoints = map[string][]string{
	"/v1/query":             []string{"GET", "POST"},
	"/v1/query/":            []string{"GET", "PUT", "DELETE"},
	"/v1/query/xxx/execute": []string{"GET"},
	"/v1/query/xxx/explain": []string{"GET"},
}

// These endpoints are ignored in unit testing for response codes
var ignoredEndpoints = []string{"/v1/status/peers", "/v1/agent/monitor", "/v1/agent/reload"}

// These have custom logic
var customEndpoints = []string{"/v1/query", "/v1/query/"}

// includePathInTest returns whether this path should be ignored for the purpose of testing its response code
func includePathInTest(path string) bool {
	ignored := false
	for _, p := range ignoredEndpoints {
		if p == path {
			ignored = true
			break
		}
	}
	for _, p := range customEndpoints {
		if p == path {
			ignored = true
			break
		}
	}

	return !ignored
}

func newHttpClient(timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		Transport: &http.Transport{
			Dial: (&net.Dialer{
				Timeout: timeout,
			}).Dial,
			TLSHandshakeTimeout: timeout,
		},
	}
}

func TestHTTPAPI_MethodNotAllowed_OSS(t *testing.T) {
	// To avoid actually triggering RPCs that are allowed, lock everything down
	// with default-deny ACLs. This drops the test runtime from 11s to 0.6s.
	a := NewTestAgent(t.Name(), `
	primary_datacenter = "dc1"
	acl {
		enabled        = true
		default_policy = "deny"
		tokens {
			master  = "sekrit"
			agent   = "sekrit"
		}
	}
	`)
	a.Agent.LogWriter = logger.NewLogWriter(512)
	defer a.Shutdown()
	// Use the master token here so the wait actually works.
	testrpc.WaitForTestAgent(t, a.RPC, "dc1", testrpc.WithToken("sekrit"))

	all := []string{"GET", "PUT", "POST", "DELETE", "HEAD", "OPTIONS"}

	client := newHttpClient(15 * time.Second)

	testMethodNotAllowed := func(t *testing.T, method string, path string, allowedMethods []string) {
		t.Run(method+" "+path, func(t *testing.T) {
			uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)
			req, _ := http.NewRequest(method, uri, nil)
			resp, err := client.Do(req)
			if err != nil {
				t.Fatal("client.Do failed: ", err)
			}
			defer resp.Body.Close()

			allowed := method == "OPTIONS"
			for _, allowedMethod := range allowedMethods {
				if allowedMethod == method {
					allowed = true
					break
				}
			}

			if allowed && resp.StatusCode == http.StatusMethodNotAllowed {
				t.Fatalf("method allowed: got status code %d want any other code", resp.StatusCode)
			}
			if !allowed && resp.StatusCode != http.StatusMethodNotAllowed {
				t.Fatalf("method not allowed: got status code %d want %d", resp.StatusCode, http.StatusMethodNotAllowed)
			}
		})
	}

	for path, methods := range extraTestEndpoints {
		for _, method := range all {
			testMethodNotAllowed(t, method, path, methods)
		}
	}

	for path, methods := range allowedMethods {
		if includePathInTest(path) {
			for _, method := range all {
				testMethodNotAllowed(t, method, path, methods)
			}
		}
	}
}

func TestHTTPAPI_OptionMethod_OSS(t *testing.T) {
	a := NewTestAgent(t.Name(), `acl_datacenter = "dc1"`)
	a.Agent.LogWriter = logger.NewLogWriter(512)
	defer a.Shutdown()
	testrpc.WaitForTestAgent(t, a.RPC, "dc1")

	testOptionMethod := func(path string, methods []string) {
		t.Run("OPTIONS "+path, func(t *testing.T) {
			uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)
			req, _ := http.NewRequest("OPTIONS", uri, nil)
			resp := httptest.NewRecorder()
			a.srv.Handler.ServeHTTP(resp, req)
			allMethods := append([]string{"OPTIONS"}, methods...)

			if resp.Code != http.StatusOK {
				t.Fatalf("options request: got status code %d want %d", resp.Code, http.StatusOK)
			}

			optionsStr := resp.Header().Get("Allow")
			if optionsStr == "" {
				t.Fatalf("options request: got empty 'Allow' header")
			} else if optionsStr != strings.Join(allMethods, ",") {
				t.Fatalf("options request: got 'Allow' header value of %s want %s", optionsStr, allMethods)
			}
		})
	}

	for path, methods := range extraTestEndpoints {
		testOptionMethod(path, methods)
	}
	for path, methods := range allowedMethods {
		if includePathInTest(path) {
			testOptionMethod(path, methods)
		}
	}
}

func TestHTTPAPI_AllowedNets_OSS(t *testing.T) {
	a := NewTestAgent(t.Name(), `
		acl_datacenter = "dc1"
		http_config {
			allow_write_http_from = ["127.0.0.1/8"]
		}
	`)
	a.Agent.LogWriter = logger.NewLogWriter(512)
	defer a.Shutdown()
	testrpc.WaitForTestAgent(t, a.RPC, "dc1")

	testOptionMethod := func(path string, method string) {
		t.Run(method+" "+path, func(t *testing.T) {
			uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)
			req, _ := http.NewRequest(method, uri, nil)
			req.RemoteAddr = "192.168.1.2:5555"
			resp := httptest.NewRecorder()
			a.srv.Handler.ServeHTTP(resp, req)

			require.Equal(t, http.StatusForbidden, resp.Code, "%s %s", method, path)
		})
	}

	for path, methods := range extraTestEndpoints {
		if !includePathInTest(path) {
			continue
		}
		for _, method := range methods {
			if method == http.MethodGet {
				continue
			}

			testOptionMethod(path, method)
		}
	}
	for path, methods := range allowedMethods {
		if !includePathInTest(path) {
			continue
		}
		for _, method := range methods {
			if method == http.MethodGet {
				continue
			}

			testOptionMethod(path, method)
		}
	}
}
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`package agent`

			`import (`
			`"fmt"`
fix some test hangs (#4785) The default http.Client uses infinite timeouts, so if TestHTTPAPI_MethodNotAllowed_OSS experienced anything going wrong about setup it could hang forever. Switching to hard coding various http.Client timeouts to non-infinite values at least bounds the failure time. 2018-10-16 21:04:51 +00:00			`"net"`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`"net/http"`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`"net/http/httptest"`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`"strings"`
			`"testing"`
fix some test hangs (#4785) The default http.Client uses infinite timeouts, so if TestHTTPAPI_MethodNotAllowed_OSS experienced anything going wrong about setup it could hang forever. Switching to hard coding various http.Client timeouts to non-infinite values at least bounds the failure time. 2018-10-16 21:04:51 +00:00			`"time"`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00
[Security] Allow blocking Write endpoints on Agent using Network Addresses (#4719) * Add -write-allowed-nets option * Add documentation for the new write_allowed_nets option 2019-01-10 14:27:26 +00:00			`"github.com/stretchr/testify/require"`

Fixed another list of unstable unit tests in travis (#4915) * Fixed another list of unstable unit tests in travis Fixed failing tests in https://travis-ci.org/hashicorp/consul/jobs/451357061 * Fixed another list of unstable unit tests in travis. Fixed failing tests in https://travis-ci.org/hashicorp/consul/jobs/451357061 2018-11-20 11:27:26 +00:00			`"github.com/hashicorp/consul/testrpc"`

Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`"github.com/hashicorp/consul/logger"`
			`)`

Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`// extra endpoints that should be tested, and their allowed methods`
			`var extraTestEndpoints = map[string][]string{`
			`"/v1/query": []string{"GET", "POST"},`
			`"/v1/query/": []string{"GET", "PUT", "DELETE"},`
			`"/v1/query/xxx/execute": []string{"GET"},`
			`"/v1/query/xxx/explain": []string{"GET"},`
			`}`

cleanup unit test code a bit 2018-03-16 14:36:57 +00:00			`// These endpoints are ignored in unit testing for response codes`
Formatting update 2018-03-27 20:31:27 +00:00			`var ignoredEndpoints = []string{"/v1/status/peers", "/v1/agent/monitor", "/v1/agent/reload"}`

cleanup unit test code a bit 2018-03-16 14:36:57 +00:00			`// These have custom logic`
			`var customEndpoints = []string{"/v1/query", "/v1/query/"}`

			`// includePathInTest returns whether this path should be ignored for the purpose of testing its response code`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`func includePathInTest(path string) bool {`
cleanup unit test code a bit 2018-03-16 14:36:57 +00:00			`ignored := false`
			`for _, p := range ignoredEndpoints {`
			`if p == path {`
			`ignored = true`
			`break`
			`}`
			`}`
			`for _, p := range customEndpoints {`
			`if p == path {`
			`ignored = true`
			`break`
			`}`
			`}`

			`return !ignored`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`}`

fix some test hangs (#4785) The default http.Client uses infinite timeouts, so if TestHTTPAPI_MethodNotAllowed_OSS experienced anything going wrong about setup it could hang forever. Switching to hard coding various http.Client timeouts to non-infinite values at least bounds the failure time. 2018-10-16 21:04:51 +00:00			`func newHttpClient(timeout time.Duration) *http.Client {`
			`return &http.Client{`
			`Timeout: timeout,`
			`Transport: &http.Transport{`
			`Dial: (&net.Dialer{`
			`Timeout: timeout,`
			`}).Dial,`
			`TLSHandshakeTimeout: timeout,`
			`},`
			`}`
			`}`

Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`func TestHTTPAPI_MethodNotAllowed_OSS(t *testing.T) {`
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`// To avoid actually triggering RPCs that are allowed, lock everything down`
			`// with default-deny ACLs. This drops the test runtime from 11s to 0.6s.`
			a := NewTestAgent(t.Name(), `
			`primary_datacenter = "dc1"`
			`acl {`
			`enabled = true`
			`default_policy = "deny"`
			`tokens {`
			`master = "sekrit"`
			`agent = "sekrit"`
			`}`
			`}`
			`)
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`a.Agent.LogWriter = logger.NewLogWriter(512)`
			`defer a.Shutdown()`
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`// Use the master token here so the wait actually works.`
			`testrpc.WaitForTestAgent(t, a.RPC, "dc1", testrpc.WithToken("sekrit"))`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`all := []string{"GET", "PUT", "POST", "DELETE", "HEAD", "OPTIONS"}`
fix some test hangs (#4785) The default http.Client uses infinite timeouts, so if TestHTTPAPI_MethodNotAllowed_OSS experienced anything going wrong about setup it could hang forever. Switching to hard coding various http.Client timeouts to non-infinite values at least bounds the failure time. 2018-10-16 21:04:51 +00:00
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`client := newHttpClient(15 * time.Second)`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`testMethodNotAllowed := func(t *testing.T, method string, path string, allowedMethods []string) {`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`t.Run(method+" "+path, func(t *testing.T) {`
			`uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)`
			`req, _ := http.NewRequest(method, uri, nil)`
			`resp, err := client.Do(req)`
			`if err != nil {`
			`t.Fatal("client.Do failed: ", err)`
			`}`
Close HTTP response in Agent test (HTTPAPI_MethodNotAllowed_OSS) 2018-04-10 12:02:47 +00:00			`defer resp.Body.Close()`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`allowed := method == "OPTIONS"`
			`for _, allowedMethod := range allowedMethods {`
			`if allowedMethod == method {`
			`allowed = true`
			`break`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`}`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`}`

			`if allowed && resp.StatusCode == http.StatusMethodNotAllowed {`
			`t.Fatalf("method allowed: got status code %d want any other code", resp.StatusCode)`
			`}`
			`if !allowed && resp.StatusCode != http.StatusMethodNotAllowed {`
			`t.Fatalf("method not allowed: got status code %d want %d", resp.StatusCode, http.StatusMethodNotAllowed)`
			`}`
			`})`
			`}`

			`for path, methods := range extraTestEndpoints {`
			`for _, method := range all {`
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`testMethodNotAllowed(t, method, path, methods)`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`}`
			`}`

			`for path, methods := range allowedMethods {`
			`if includePathInTest(path) {`
			`for _, method := range all {`
speed up TestHTTPAPI_MethodNotAllowed_OSS from 11s -> 0.5s (#5268) 2019-01-25 16:01:21 +00:00			`testMethodNotAllowed(t, method, path, methods)`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`}`
Creates HTTP endpoint registry. 2017-11-29 00:06:26 +00:00			`}`
			`}`
			`}`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00
			`func TestHTTPAPI_OptionMethod_OSS(t *testing.T) {`
			a := NewTestAgent(t.Name(), `acl_datacenter = "dc1"`)
			`a.Agent.LogWriter = logger.NewLogWriter(512)`
			`defer a.Shutdown()`
Fixed another list of unstable unit tests in travis (#4915) * Fixed another list of unstable unit tests in travis Fixed failing tests in https://travis-ci.org/hashicorp/consul/jobs/451357061 * Fixed another list of unstable unit tests in travis. Fixed failing tests in https://travis-ci.org/hashicorp/consul/jobs/451357061 2018-11-20 11:27:26 +00:00			`testrpc.WaitForTestAgent(t, a.RPC, "dc1")`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`testOptionMethod := func(path string, methods []string) {`
			`t.Run("OPTIONS "+path, func(t *testing.T) {`
			`uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`req, _ := http.NewRequest("OPTIONS", uri, nil)`
			`resp := httptest.NewRecorder()`
			`a.srv.Handler.ServeHTTP(resp, req)`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`allMethods := append([]string{"OPTIONS"}, methods...)`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00
			`if resp.Code != http.StatusOK {`
			`t.Fatalf("options request: got status code %d want %d", resp.Code, http.StatusOK)`
			`}`

			`optionsStr := resp.Header().Get("Allow")`
			`if optionsStr == "" {`
			`t.Fatalf("options request: got empty 'Allow' header")`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00			`} else if optionsStr != strings.Join(allMethods, ",") {`
			`t.Fatalf("options request: got 'Allow' header value of %s want %s", optionsStr, allMethods)`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`}`
			`})`
			`}`
Re-use defined endpoints for tests 2018-03-03 19:19:18 +00:00
			`for path, methods := range extraTestEndpoints {`
			`testOptionMethod(path, methods)`
			`}`
			`for path, methods := range allowedMethods {`
			`if includePathInTest(path) {`
			`testOptionMethod(path, methods)`
			`}`
			`}`
Test every endpoint for OPTIONS/MethodNotFound 2018-02-18 01:33:38 +00:00			`}`
[Security] Allow blocking Write endpoints on Agent using Network Addresses (#4719) * Add -write-allowed-nets option * Add documentation for the new write_allowed_nets option 2019-01-10 14:27:26 +00:00
			`func TestHTTPAPI_AllowedNets_OSS(t *testing.T) {`
			a := NewTestAgent(t.Name(), `
			`acl_datacenter = "dc1"`
			`http_config {`
			`allow_write_http_from = ["127.0.0.1/8"]`
			`}`
			`)
			`a.Agent.LogWriter = logger.NewLogWriter(512)`
			`defer a.Shutdown()`
			`testrpc.WaitForTestAgent(t, a.RPC, "dc1")`

			`testOptionMethod := func(path string, method string) {`
			`t.Run(method+" "+path, func(t *testing.T) {`
			`uri := fmt.Sprintf("http://%s%s", a.HTTPAddr(), path)`
			`req, _ := http.NewRequest(method, uri, nil)`
			`req.RemoteAddr = "192.168.1.2:5555"`
			`resp := httptest.NewRecorder()`
			`a.srv.Handler.ServeHTTP(resp, req)`

			`require.Equal(t, http.StatusForbidden, resp.Code, "%s %s", method, path)`
			`})`
			`}`

			`for path, methods := range extraTestEndpoints {`
			`if !includePathInTest(path) {`
			`continue`
			`}`
			`for _, method := range methods {`
			`if method == http.MethodGet {`
			`continue`
			`}`

			`testOptionMethod(path, method)`
			`}`
			`}`
			`for path, methods := range allowedMethods {`
			`if !includePathInTest(path) {`
			`continue`
			`}`
			`for _, method := range methods {`
			`if method == http.MethodGet {`
			`continue`
			`}`

			`testOptionMethod(path, method)`
			`}`
			`}`
			`}`