package lifecycle_test

import (
	"fmt"
	"strings"
	"time"

	"github.com/cloudfoundry-incubator/garden"

	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// These specs exercise the -denyNetworks / -allowNetworks flags across a
// garden restart. Three listener containers are created before the restart
// (one denied, one untouched, one denied-but-explicitly-allowed); a fourth
// "sender" container is created after the restart with the new rules and
// attempts a TCP connection to each listener. The allowed listener's IP is
// placed in BOTH lists, so a successful connection to it shows that an allow
// entry takes precedence over a deny entry for the same /32.
var _ = Describe("Denying access to network ranges", func() {
	var (
		blockedListener   garden.Container
		blockedListenerIP string

		unblockedListener   garden.Container
		unblockedListenerIP string

		allowedListener   garden.Container
		allowedListenerIP string

		sender garden.Container
	)

	BeforeEach(func() {
		client = startGarden()

		// newListener creates an empty container and records its address so the
		// address can be checked again after the restart below.
		newListener := func() (garden.Container, string) {
			c, err := client.Create(garden.ContainerSpec{})
			Expect(err).ToNot(HaveOccurred())
			return c, containerIP(c)
		}

		// a listener to which we deny network access
		blockedListener, blockedListenerIP = newListener()

		// a listener to which we do not deny access
		unblockedListener, unblockedListenerIP = newListener()

		// a listener to which we explicitly allow access
		allowedListener, allowedListenerIP = newListener()

		// The allowed IP is deliberately denied AND allowed: the spec relies on
		// the allow entry winning.
		denied := strings.Join([]string{
			blockedListenerIP + "/32",
			allowedListenerIP + "/32",
		}, ",")
		restartGarden(
			"-denyNetworks", denied,
			"-allowNetworks", allowedListenerIP+"/32",
		)

		// the restart must not have changed any container's address
		Expect(containerIP(blockedListener)).To(Equal(blockedListenerIP))
		Expect(containerIP(unblockedListener)).To(Equal(unblockedListenerIP))
		Expect(containerIP(allowedListener)).To(Equal(allowedListenerIP))

		// the sender is created only after the restart, so it is subject to the
		// new deny/allow configuration
		var err error
		sender, err = client.Create(garden.ContainerSpec{})
		Expect(err).ToNot(HaveOccurred())
	})

	AfterEach(func() {
		// destroy in the same order the originals were torn down: sender first
		for _, c := range []garden.Container{sender, blockedListener, unblockedListener, allowedListener} {
			Expect(client.Destroy(c.Handle())).ToNot(HaveOccurred())
		}
	})

	// runInContainer starts `sh -c script` as user alice inside container,
	// streaming its output to the ginkgo writer, and returns the process so the
	// caller may wait on it.
	runInContainer := func(container garden.Container, script string) garden.Process {
		spec := garden.ProcessSpec{
			User: "alice",
			Path: "sh",
			Args: []string{"-c", script},
		}
		io := garden.ProcessIO{
			Stdout: GinkgoWriter,
			Stderr: GinkgoWriter,
		}

		proc, err := container.Run(spec, io)
		Expect(err).ToNot(HaveOccurred())

		return proc
	}

	It("makes that block of ip addresses inaccessible to the container", func() {
		for _, listener := range []garden.Container{blockedListener, unblockedListener, allowedListener} {
			runInContainer(listener, "nc -l 0.0.0.0:12345")
		}

		// the listeners block, so give them a moment to bind before connecting
		time.Sleep(time.Second)

		// exit code 1 from nc means the connection was refused/timed out;
		// 0 means the payload was delivered
		attempts := []struct {
			targetIP string
			exitCode int
		}{
			{blockedListenerIP, 1},
			{unblockedListenerIP, 0},
			{allowedListenerIP, 0},
		}
		for _, a := range attempts {
			proc := runInContainer(
				sender,
				fmt.Sprintf("echo hello | nc -w 1 %s 12345", a.targetIP),
			)
			Expect(proc.Wait()).To(Equal(a.exitCode))
		}
	})
})