Commit graph

47 commits

Author SHA1 Message Date
Seth Hoenig 40d36fc0ec agent: revert use of http connlimit
https://github.com/hashicorp/nomad/pull/9608 introduced the use of the
built-in HTTP 429 response handler provided by go-connlimit. There is
concern though around plausible DOS attacks that need to be addressed,
so this PR reverts that functionality.

It keeps a fix in the tests around the use of an HTTPS enabled client
for when the server is listening on HTTPS. Previously, the tests would
fail deterministically with io.EOF because that's how the TLS server
terminates invalid connections.

Now, the result is much less deterministic. The state of the client
connection and the server socket depends on when the connection is
closed and how far along the handshake was.
2020-12-14 14:40:14 -06:00
Seth Hoenig a28cd45988 client: fix plumbing of testing object into helper 2020-12-10 11:04:38 -06:00
Seth Hoenig 2cc5787f97 client: fix https test cases in client rate limits 2020-12-10 09:20:28 -06:00
Dennis Schön a9c97d9257
use os.ErrDeadlineExceeded in tests 2020-12-07 10:40:28 -05:00
Michael Schurter 6890cffd7a unify boolean parameter parsing 2020-10-14 12:23:25 -07:00
Michael Schurter 8ccbd92cb6 api: add field filters to /v1/{allocations,nodes}
Fixes #9017

The ?resources=true query parameter includes resources in the object
stub listings. Specifically:

- For `/v1/nodes?resources=true` both the `NodeResources` and
  `ReservedResources` field are included.
- For `/v1/allocations?resources=true` the `AllocatedResources` field is
  included.

The ?task_states=false query parameter removes TaskStates from
/v1/allocations responses. (By default TaskStates are included.)
2020-10-14 10:35:22 -07:00
Mahmood Ali d4f385d6e1
Upgrade to golang 1.15 (#8858)
Upgrade to golang 1.15

Starting with golang 1.5, setting Ctty value result in `Setctty set but Ctty not valid in child` error, as part of https://github.com/golang/go/issues/29458 .
This commit lifts the fix in https://github.com/creack/pty/pull/97 .
2020-09-09 15:59:29 -04:00
James Rasell ae0fb98c6b
api: return custom error if API attempts to decode empty body. 2020-05-19 15:46:31 +02:00
Mahmood Ali b8fb32f5d2 http: adjust log level for request failure
Failed requests due to API client errors are to be marked as DEBUG.

The Error log level should be reserved to signal problems with the
cluster and are actionable for nomad system operators.  Logs due to
misbehaving API clients don't represent a system level problem and seem
spurius to nomad maintainers at best.  These log messages can also be
attack vectors for deniel of service attacks by filling servers disk
space with spurious log messages.
2020-04-22 16:19:59 -04:00
Yoan Blanc 225c9c1215 fixup! vendor: explicit use of hashicorp/go-msgpack
Signed-off-by: Yoan Blanc <yoan@dosimple.ch>
2020-03-31 09:48:07 -04:00
Yoan Blanc 761d014071 vendor: explicit use of hashicorp/go-msgpack
Signed-off-by: Yoan Blanc <yoan@dosimple.ch>
2020-03-31 09:45:21 -04:00
Michael Schurter e903501e65 test: improve error messages when failing 2020-02-07 15:50:53 -08:00
Michael Schurter 9905dec6a3 test: workaround limits race 2020-02-07 15:50:53 -08:00
Michael Schurter 19a1932bbb test: wait longer than timeout
The 1s timeout raced with the 1s deadline it was trying to detect.
2020-02-07 15:50:53 -08:00
Michael Schurter c82b14b0c4 core: add limits to unauthorized connections
Introduce limits to prevent unauthorized users from exhausting all
ephemeral ports on agents:

 * `{https,rpc}_handshake_timeout`
 * `{http,rpc}_max_conns_per_client`

The handshake timeout closes connections that have not completed the TLS
handshake by the deadline (5s by default). For RPC connections this
timeout also separately applies to first byte being read so RPC
connections with TLS enabled have `rpc_handshake_time * 2` as their
deadline.

The connection limit per client prevents a single remote TCP peer from
exhausting all ephemeral ports. The default is 100, but can be lowered
to a minimum of 26. Since streaming RPC connections create a new TCP
connection (until MultiplexV2 is used), 20 connections are reserved for
Raft and non-streaming RPCs to prevent connection exhaustion due to
streaming RPCs.

All limits are configurable and may be disabled by setting them to `0`.

This also includes a fix that closes connections that attempt to create
TLS RPC connections recursively. While only users with valid mTLS
certificates could perform such an operation, it was added as a
safeguard to prevent programming errors before they could cause resource
exhaustion.
2020-01-30 10:38:25 -08:00
Drew Bailey 4ced73875b
leave acl checking to rpc endpoints
fix test expectation

test wrapNonJSON
2020-01-09 15:15:08 -05:00
Drew Bailey acd97d0731
Merge pull request #6670 from hashicorp/api/fallthrough-test
test rootfallthrough handler
2019-11-13 10:51:31 -05:00
Lars Lehtonen 1dbf44bc40 command/agent: Prune Dead Code (#6682)
* remove unused MockPeriodicJob() from tests
* remove unused getIndex() from tests
* remove unused checkIndex() from tests
* remove unused assertIndex() from tests
* remove unused Agent.findLoopbackDevice()
2019-11-13 08:20:01 -05:00
Drew Bailey f5310ff63f
fix so assertions are test case driven 2019-11-12 14:28:21 -05:00
Drew Bailey f989f38594
test /ui/ path 2019-11-11 12:12:42 -05:00
Drew Bailey a0548824f3
test rootfallthrough handler 2019-11-11 12:08:44 -05:00
Michael Schurter 9f179e9fab Fix HTTP code for permission denied errors
Fixes #3697

The existing code and test case only covered the leader behavior. When
querying against non-leaders the error has an "rpc error: " prefix.

To provide consistency in HTTP error response I also strip the "rpc
error: " prefix for 403 responses as they offer no beneficial additional
information (and in theory disclose a tiny bit of data to unauthorized
users, but it would be a pretty weird bit of data to use in a malicious
way).
2018-01-09 15:25:53 -08:00
Chelsea Komlo 2dfda33703 Nomad agent reload TLS configuration on SIGHUP (#3479)
* Allow server TLS configuration to be reloaded via SIGHUP

* dynamic tls reloading for nomad agents

* code cleanup and refactoring

* ensure keyloader is initialized, add comments

* allow downgrading from TLS

* initalize keyloader if necessary

* integration test for tls reload

* fix up test to assert success on reloaded TLS configuration

* failure in loading a new TLS config should remain at current

Reload only the config if agent is already using TLS

* reload agent configuration before specific server/client

lock keyloader before loading/caching a new certificate

* introduce a get-or-set method for keyloader

* fixups from code review

* fix up linting errors

* fixups from code review

* add lock for config updates; improve copy of tls config

* GetCertificate only reloads certificates dynamically for the server

* config updates/copies should be on agent

* improve http integration test

* simplify agent reloading storing a local copy of config

* reuse the same keyloader when reloading

* Test that server and client get reloaded but keep keyloader

* Keyloader exposes GetClientCertificate as well for outgoing connections

* Fix spelling

* correct changelog style
2017-11-14 17:53:23 -08:00
Alex Dadgar dbc014b360 Standardize retrieving a free port into a helper package 2017-10-23 16:48:20 -07:00
Alex Dadgar d6b970eec9 Handle invalid token as well 2017-10-12 15:39:05 -07:00
Alex Dadgar 0b538ded83 403 instead of 500 for permission denied 2017-10-12 14:10:20 -07:00
Armon Dadgar 5c94e7e99f agent: thread through token for ACL endpoint tests 2017-09-04 13:05:53 -07:00
Armon Dadgar 4107335cb2 agent: Adding X-Nomad-Token header parsing 2017-09-04 13:05:53 -07:00
Armon Dadgar 4bda2fa9e9 nomad: ACL endpoints check support enabled and redirect to authority 2017-09-04 13:05:53 -07:00
Alex Dadgar 828b9bfae4 fix http test 2017-08-16 11:01:12 -07:00
Alex Dadgar 4e90d56098 More parallel 2017-07-20 09:36:34 -07:00
Alex Dadgar 9037693436 New test agent 2017-07-19 22:14:36 -07:00
Michael Schurter 749406e50b Remove extra Travis logging 2017-05-04 17:35:54 -07:00
Michael Schurter 24c8434368 Adding logging for Travis 2017-05-03 15:18:48 -07:00
Michael Schurter 4dc897a664 Don't reuse transport/client 2017-05-03 13:26:55 -07:00
Michael Schurter d42bad098a Extensively test verify_https_client behavior
verify_https_client support added in #2587
2017-05-02 16:48:16 -07:00
Adam Stankiewicz 4daf4cb8c9
Remove unnecessary parameter from NewHTTPServer 2017-04-10 16:24:49 +02:00
Alex Dadgar d82747bd33 Benchmark 2016-12-09 14:44:50 -08:00
Alex Dadgar 636f886e30 Use codegen for json marshalling: 20% faster, 12% less bytes allocated, 85% less allocations 2016-05-18 09:45:46 -07:00
Sean Chittenden 7b8a5dcc15
Fix the unit tests for TestPrettyPrintOff
A different failing test masked that this wasn't even being run.

Pointy Hat: sean- for testing first on Travis in a branch vs verifying locally
2016-05-11 15:48:43 -07:00
Sean Chittenden 693e1c6ea9
Fix unit tests for TestPrettyPrintBare 2016-05-11 15:20:57 -07:00
Sean Chittenden 36a50e0f15
Update tests for pretty printing that includes a newline.
Add a test verifying that pretty printing can be disabled, too.
2016-05-11 10:55:01 -07:00
Diptanu Choudhury b86e60b9de Allow users to configure arbitrary headers in config 2016-01-22 11:00:43 -08:00
Armon Dadgar 2ff133c0e6 nomad: rename region1 to global. Fixes #41 2015-09-13 18:18:40 -07:00
Armon Dadgar 327368d763 http/job: adding update endpoint 2015-09-05 19:08:47 -07:00
Armon Dadgar f858c31426 http: framework jobs endpoints 2015-09-05 18:00:30 -07:00
Armon Dadgar 4bf257e951 http: basic framework 2015-09-05 17:06:05 -07:00