Commit graph

36 commits

Author SHA1 Message Date
Michael Schurter e903501e65 test: improve error messages when failing 2020-02-07 15:50:53 -08:00
Michael Schurter 9905dec6a3 test: workaround limits race 2020-02-07 15:50:53 -08:00
Michael Schurter 19a1932bbb test: wait longer than timeout
The 1s timeout raced with the 1s deadline it was trying to detect.
2020-02-07 15:50:53 -08:00
Michael Schurter c82b14b0c4 core: add limits to unauthorized connections
Introduce limits to prevent unauthorized users from exhausting all
ephemeral ports on agents:

 * `{https,rpc}_handshake_timeout`
 * `{http,rpc}_max_conns_per_client`

The handshake timeout closes connections that have not completed the TLS
handshake by the deadline (5s by default). For RPC connections this
timeout also separately applies to first byte being read so RPC
connections with TLS enabled have `rpc_handshake_time * 2` as their
deadline.

The connection limit per client prevents a single remote TCP peer from
exhausting all ephemeral ports. The default is 100, but can be lowered
to a minimum of 26. Since streaming RPC connections create a new TCP
connection (until MultiplexV2 is used), 20 connections are reserved for
Raft and non-streaming RPCs to prevent connection exhaustion due to
streaming RPCs.

All limits are configurable and may be disabled by setting them to `0`.

This also includes a fix that closes connections that attempt to create
TLS RPC connections recursively. While only users with valid mTLS
certificates could perform such an operation, it was added as a
safeguard to prevent programming errors before they could cause resource
exhaustion.
2020-01-30 10:38:25 -08:00
Drew Bailey 4ced73875b
leave acl checking to rpc endpoints
fix test expectation

test wrapNonJSON
2020-01-09 15:15:08 -05:00
Drew Bailey acd97d0731
Merge pull request #6670 from hashicorp/api/fallthrough-test
test rootfallthrough handler
2019-11-13 10:51:31 -05:00
Lars Lehtonen 1dbf44bc40 command/agent: Prune Dead Code (#6682)
* remove unused MockPeriodicJob() from tests
* remove unused getIndex() from tests
* remove unused checkIndex() from tests
* remove unused assertIndex() from tests
* remove unused Agent.findLoopbackDevice()
2019-11-13 08:20:01 -05:00
Drew Bailey f5310ff63f
fix so assertions are test case driven 2019-11-12 14:28:21 -05:00
Drew Bailey f989f38594
test /ui/ path 2019-11-11 12:12:42 -05:00
Drew Bailey a0548824f3
test rootfallthrough handler 2019-11-11 12:08:44 -05:00
Michael Schurter 9f179e9fab Fix HTTP code for permission denied errors
Fixes #3697

The existing code and test case only covered the leader behavior. When
querying against non-leaders the error has an "rpc error: " prefix.

To provide consistency in HTTP error response I also strip the "rpc
error: " prefix for 403 responses as they offer no beneficial additional
information (and in theory disclose a tiny bit of data to unauthorized
users, but it would be a pretty weird bit of data to use in a malicious
way).
2018-01-09 15:25:53 -08:00
Chelsea Komlo 2dfda33703 Nomad agent reload TLS configuration on SIGHUP (#3479)
* Allow server TLS configuration to be reloaded via SIGHUP

* dynamic tls reloading for nomad agents

* code cleanup and refactoring

* ensure keyloader is initialized, add comments

* allow downgrading from TLS

* initalize keyloader if necessary

* integration test for tls reload

* fix up test to assert success on reloaded TLS configuration

* failure in loading a new TLS config should remain at current

Reload only the config if agent is already using TLS

* reload agent configuration before specific server/client

lock keyloader before loading/caching a new certificate

* introduce a get-or-set method for keyloader

* fixups from code review

* fix up linting errors

* fixups from code review

* add lock for config updates; improve copy of tls config

* GetCertificate only reloads certificates dynamically for the server

* config updates/copies should be on agent

* improve http integration test

* simplify agent reloading storing a local copy of config

* reuse the same keyloader when reloading

* Test that server and client get reloaded but keep keyloader

* Keyloader exposes GetClientCertificate as well for outgoing connections

* Fix spelling

* correct changelog style
2017-11-14 17:53:23 -08:00
Alex Dadgar dbc014b360 Standardize retrieving a free port into a helper package 2017-10-23 16:48:20 -07:00
Alex Dadgar d6b970eec9 Handle invalid token as well 2017-10-12 15:39:05 -07:00
Alex Dadgar 0b538ded83 403 instead of 500 for permission denied 2017-10-12 14:10:20 -07:00
Armon Dadgar 5c94e7e99f agent: thread through token for ACL endpoint tests 2017-09-04 13:05:53 -07:00
Armon Dadgar 4107335cb2 agent: Adding X-Nomad-Token header parsing 2017-09-04 13:05:53 -07:00
Armon Dadgar 4bda2fa9e9 nomad: ACL endpoints check support enabled and redirect to authority 2017-09-04 13:05:53 -07:00
Alex Dadgar 828b9bfae4 fix http test 2017-08-16 11:01:12 -07:00
Alex Dadgar 4e90d56098 More parallel 2017-07-20 09:36:34 -07:00
Alex Dadgar 9037693436 New test agent 2017-07-19 22:14:36 -07:00
Michael Schurter 749406e50b Remove extra Travis logging 2017-05-04 17:35:54 -07:00
Michael Schurter 24c8434368 Adding logging for Travis 2017-05-03 15:18:48 -07:00
Michael Schurter 4dc897a664 Don't reuse transport/client 2017-05-03 13:26:55 -07:00
Michael Schurter d42bad098a Extensively test verify_https_client behavior
verify_https_client support added in #2587
2017-05-02 16:48:16 -07:00
Adam Stankiewicz 4daf4cb8c9
Remove unnecessary parameter from NewHTTPServer 2017-04-10 16:24:49 +02:00
Alex Dadgar d82747bd33 Benchmark 2016-12-09 14:44:50 -08:00
Alex Dadgar 636f886e30 Use codegen for json marshalling: 20% faster, 12% less bytes allocated, 85% less allocations 2016-05-18 09:45:46 -07:00
Sean Chittenden 7b8a5dcc15
Fix the unit tests for TestPrettyPrintOff
A different failing test masked that this wasn't even being run.

Pointy Hat: sean- for testing first on Travis in a branch vs verifying locally
2016-05-11 15:48:43 -07:00
Sean Chittenden 693e1c6ea9
Fix unit tests for TestPrettyPrintBare 2016-05-11 15:20:57 -07:00
Sean Chittenden 36a50e0f15
Update tests for pretty printing that includes a newline.
Add a test verifying that pretty printing can be disabled, too.
2016-05-11 10:55:01 -07:00
Diptanu Choudhury b86e60b9de Allow users to configure arbitrary headers in config 2016-01-22 11:00:43 -08:00
Armon Dadgar 2ff133c0e6 nomad: rename region1 to global. Fixes #41 2015-09-13 18:18:40 -07:00
Armon Dadgar 327368d763 http/job: adding update endpoint 2015-09-05 19:08:47 -07:00
Armon Dadgar f858c31426 http: framework jobs endpoints 2015-09-05 18:00:30 -07:00
Armon Dadgar 4bf257e951 http: basic framework 2015-09-05 17:06:05 -07:00