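// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package http

import (
	"testing"
	"time"

	"github.com/armon/go-metrics"
	"github.com/hashicorp/vault/helper/metricsutil"
	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
	"github.com/hashicorp/vault/internalshared/configutil"
	"github.com/hashicorp/vault/vault"
)

// expectStatus issues a GET for url using token (an empty token sends an
// unauthenticated request), asserts the response status code and then
// releases the response body so repeated requests against the test
// listeners do not leave connections open.
func expectStatus(t *testing.T, token, url string, want int) {
	t.Helper()
	resp := testHttpGet(t, token, url)
	// The status helper may read the body to report a mismatch, so the body
	// is closed only after the check has run.
	testResponseStatus(t, resp, want)
	resp.Body.Close()
}

// TestSysMetricsUnauthenticated verifies the access policy of /v1/sys/metrics:
// a listener with default settings rejects requests without a token (403)
// and serves them with one (200), while a listener whose telemetry block sets
// UnauthenticatedMetricsAccess serves the endpoint, including the Prometheus
// format, with or without a token.
func TestSysMetricsUnauthenticated(t *testing.T) {
	inm := metrics.NewInmemSink(10*time.Second, time.Minute)
	metrics.DefaultInmemSignal(inm)
	conf := &vault.CoreConfig{
		BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(),
		MetricsHelper:   metricsutil.NewMetricsHelper(inm, true),
	}
	core, _, token := vault.TestCoreUnsealedWithConfig(t, conf)
	ln, addr := TestServer(t, core)
	TestServerAuth(t, addr, token)

	// Default: only authenticated access.
	expectStatus(t, "", addr+"/v1/sys/metrics", 403)
	expectStatus(t, token, addr+"/v1/sys/metrics", 200)

	// Close the default listener before standing up the custom one.
	ln.Close()

	// Set up a new custom listener with unauthenticated metrics access.
	// NOTE(review): only the telemetry flag is enabled here; whether pprof on
	// this listener still requires a token is not exercised by this test.
	ln, addr = TestListener(t)
	props := &vault.HandlerProperties{
		Core: core,
		ListenerConfig: &configutil.Listener{
			Telemetry: configutil.ListenerTelemetry{
				UnauthenticatedMetricsAccess: true,
			},
		},
	}
	TestServerWithListenerAndProperties(t, ln, addr, core, props)
	defer ln.Close()
	TestServerAuth(t, addr, token)

	// Without a token.
	expectStatus(t, "", addr+"/v1/sys/metrics", 200)

	// Should also work with a token.
	expectStatus(t, token, addr+"/v1/sys/metrics", 200)

	// The Prometheus format must follow the same policy.
	expectStatus(t, "", addr+"/v1/sys/metrics?format=prometheus", 200)
}

// TestSysPProfUnauthenticated verifies the access policy of /v1/sys/pprof/*:
// a listener with default settings rejects requests without a token (403)
// and serves them with one (200), while a listener whose profiling block
// sets UnauthenticatedPProfAccess serves the endpoint with or without a token.
func TestSysPProfUnauthenticated(t *testing.T) {
	conf := &vault.CoreConfig{}
	core, _, token := vault.TestCoreUnsealedWithConfig(t, conf)
	ln, addr := TestServer(t, core)
	TestServerAuth(t, addr, token)

	// Default: only authenticated access.
	expectStatus(t, "", addr+"/v1/sys/pprof/cmdline", 403)
	expectStatus(t, token, addr+"/v1/sys/pprof/cmdline", 200)

	// Close the default listener before standing up the custom one.
	ln.Close()

	// Set up a new custom listener with unauthenticated pprof access.
	// NOTE(review): only the profiling flag is enabled here; whether metrics
	// on this listener still requires a token is not exercised by this test.
	ln, addr = TestListener(t)
	props := &vault.HandlerProperties{
		Core: core,
		ListenerConfig: &configutil.Listener{
			Profiling: configutil.ListenerProfiling{
				UnauthenticatedPProfAccess: true,
			},
		},
	}
	TestServerWithListenerAndProperties(t, ln, addr, core, props)
	defer ln.Close()
	TestServerAuth(t, addr, token)

	// Without a token.
	expectStatus(t, "", addr+"/v1/sys/pprof/cmdline", 200)

	// Should also work with a token.
	expectStatus(t, token, addr+"/v1/sys/pprof/cmdline", 200)
}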