2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2019-10-04 07:29:51 +00:00
|
|
|
package http
|
|
|
|
|
|
|
|
import (
|
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
2023-02-01 13:33:16 +00:00
|
|
|
"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
|
|
|
|
|
2019-10-04 07:29:51 +00:00
|
|
|
"github.com/armon/go-metrics"
|
2020-10-13 23:38:21 +00:00
|
|
|
"github.com/hashicorp/vault/helper/metricsutil"
|
|
|
|
"github.com/hashicorp/vault/internalshared/configutil"
|
2019-10-04 07:29:51 +00:00
|
|
|
"github.com/hashicorp/vault/vault"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestSysMetricsUnauthenticated(t *testing.T) {
|
|
|
|
inm := metrics.NewInmemSink(10*time.Second, time.Minute)
|
|
|
|
metrics.DefaultInmemSignal(inm)
|
|
|
|
conf := &vault.CoreConfig{
|
2023-02-01 13:33:16 +00:00
|
|
|
BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
|
2019-10-08 12:55:25 +00:00
|
|
|
MetricsHelper: metricsutil.NewMetricsHelper(inm, true),
|
2019-10-04 07:29:51 +00:00
|
|
|
}
|
|
|
|
core, _, token := vault.TestCoreUnsealedWithConfig(t, conf)
|
|
|
|
ln, addr := TestServer(t, core)
|
|
|
|
TestServerAuth(t, addr, token)
|
|
|
|
|
|
|
|
// Default: Only authenticated access
|
|
|
|
resp := testHttpGet(t, "", addr+"/v1/sys/metrics")
|
2021-11-23 01:06:59 +00:00
|
|
|
testResponseStatus(t, resp, 403)
|
2019-10-04 07:29:51 +00:00
|
|
|
resp = testHttpGet(t, token, addr+"/v1/sys/metrics")
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
|
|
|
|
// Close listener
|
|
|
|
ln.Close()
|
|
|
|
|
|
|
|
// Setup new custom listener with unauthenticated metrics access
|
|
|
|
ln, addr = TestListener(t)
|
|
|
|
props := &vault.HandlerProperties{
|
2020-05-14 13:19:27 +00:00
|
|
|
Core: core,
|
|
|
|
ListenerConfig: &configutil.Listener{
|
|
|
|
Telemetry: configutil.ListenerTelemetry{
|
|
|
|
UnauthenticatedMetricsAccess: true,
|
|
|
|
},
|
|
|
|
},
|
2019-10-04 07:29:51 +00:00
|
|
|
}
|
|
|
|
TestServerWithListenerAndProperties(t, ln, addr, core, props)
|
|
|
|
defer ln.Close()
|
|
|
|
TestServerAuth(t, addr, token)
|
|
|
|
|
|
|
|
// Test without token
|
|
|
|
resp = testHttpGet(t, "", addr+"/v1/sys/metrics")
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
|
|
|
|
// Should also work with token
|
|
|
|
resp = testHttpGet(t, token, addr+"/v1/sys/metrics")
|
|
|
|
testResponseStatus(t, resp, 200)
|
2019-10-08 12:55:25 +00:00
|
|
|
|
|
|
|
// Test if prometheus response is correct
|
|
|
|
resp = testHttpGet(t, "", addr+"/v1/sys/metrics?format=prometheus")
|
|
|
|
testResponseStatus(t, resp, 200)
|
2019-10-04 07:29:51 +00:00
|
|
|
}
|
2021-04-19 18:30:59 +00:00
|
|
|
|
|
|
|
func TestSysPProfUnauthenticated(t *testing.T) {
|
|
|
|
conf := &vault.CoreConfig{}
|
|
|
|
core, _, token := vault.TestCoreUnsealedWithConfig(t, conf)
|
|
|
|
ln, addr := TestServer(t, core)
|
|
|
|
TestServerAuth(t, addr, token)
|
|
|
|
|
|
|
|
// Default: Only authenticated access
|
|
|
|
resp := testHttpGet(t, "", addr+"/v1/sys/pprof/cmdline")
|
2021-11-23 01:06:59 +00:00
|
|
|
testResponseStatus(t, resp, 403)
|
2021-04-19 18:30:59 +00:00
|
|
|
resp = testHttpGet(t, token, addr+"/v1/sys/pprof/cmdline")
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
|
|
|
|
// Close listener
|
|
|
|
ln.Close()
|
|
|
|
|
|
|
|
// Setup new custom listener with unauthenticated metrics access
|
|
|
|
ln, addr = TestListener(t)
|
|
|
|
props := &vault.HandlerProperties{
|
|
|
|
Core: core,
|
|
|
|
ListenerConfig: &configutil.Listener{
|
|
|
|
Profiling: configutil.ListenerProfiling{
|
|
|
|
UnauthenticatedPProfAccess: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
TestServerWithListenerAndProperties(t, ln, addr, core, props)
|
|
|
|
defer ln.Close()
|
|
|
|
TestServerAuth(t, addr, token)
|
|
|
|
|
|
|
|
// Test without token
|
|
|
|
resp = testHttpGet(t, "", addr+"/v1/sys/pprof/cmdline")
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
|
|
|
|
// Should also work with token
|
|
|
|
resp = testHttpGet(t, token, addr+"/v1/sys/pprof/cmdline")
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
}
|