#! /usr/bin/env expect -f
# Source: pkg/cli/interactive_tests/test_secure.tcl (cockroach v20.2.0-alpha.1).
#
# Interactive test of the CLI in secure mode. In order, it checks:
#   - the warning banner printed when a server is started with --insecure;
#   - certificate-based client access (node ls, sql as root and as testuser);
#   - password login for a user created with CREATE USER ... WITH PASSWORD,
#     including rejection of a wrong password;
#   - login through the unix socket directory with sslmode=require;
#   - creation, listing, use and revocation of auth-session cookies;
#   - use of a root cookie after a restart with --unencrypted-localhost-http.
#
# The command under test is taken from $argv. eexpect, start_test, end_test,
# interrupt and report are not defined in this file; presumably they come from
# the common.tcl sourced below -- confirm there.

source [file join [file dirname $argv0] common.tcl]

# NOTE(review): the interpreter is pinned to python2.7, which is end-of-life
# upstream. test_auth_cookie.py is not visible here, so whether it can run on
# a supported interpreter needs to be confirmed against that file.
set python "python2.7"
set certs_dir "/certs"
# Exported into the environment of every spawned command. Presumably the CLI
# reads these as defaults for its insecure/host settings -- confirm in the CLI.
set ::env(COCKROACH_INSECURE) "false"
set ::env(COCKROACH_HOST) "localhost"

spawn /bin/bash
# The prompt is written as two adjacent quoted pieces (':' and '/# '). The
# shell joins them into ":/# ", but the echoed command text contains the
# empty '' in between and therefore cannot match $prompt by accident.
send "PS1=':''/# '\r"

set prompt ":/# "
eexpect $prompt

# --insecure is passed explicitly here; the test passes only if the server
# announces the insecure mode on startup.
start_test "Check that --insecure reports that the server is really insecure"
send "$argv start-single-node --host=localhost --insecure\r"
eexpect "WARNING: RUNNING IN INSECURE MODE"
eexpect "node starting"
interrupt
eexpect $prompt
end_test


# Start a single-node server in the background using the certificates in
# certs_dir, with the socket directory set to the current directory and the
# server output appended to expect-cmd.log. `extra` is appended verbatim to
# the server command line. The trailing `select 1` is run with the same
# certificates; presumably it serves as a readiness check -- confirm.
proc start_secure_server {argv certs_dir extra} {
    report "BEGIN START SECURE SERVER"
    system "$argv start-single-node --host=localhost --socket-dir=. --certs-dir=$certs_dir --pid-file=server_pid -s=path=logs/db --background $extra >>expect-cmd.log 2>&1;
            $argv sql --certs-dir=$certs_dir -e 'select 1'"
    report "END START SECURE SERVER"
}

# Ask the running server to shut down via `quit`, authenticating with the
# certificates in certs_dir.
proc stop_secure_server {argv certs_dir} {
    report "BEGIN STOP SECURE SERVER"
    system "$argv quit --certs-dir=$certs_dir"
    report "END STOP SECURE SERVER"
}

start_secure_server $argv $certs_dir ""

start_test "Check 'node ls' works with certificates."
send "$argv node ls --certs-dir=$certs_dir\r"
eexpect "id"
eexpect "1"
eexpect "1 row"
eexpect $prompt
end_test


start_test "Can create users without passwords."
send "$argv sql -e 'create user testuser' --certs-dir=$certs_dir\r"
eexpect $prompt
end_test

# testuser has no password; the login is expected to reach the SQL prompt
# without an "Enter password:" step. Presumably a client certificate for
# testuser exists in $certs_dir -- that directory is not visible here.
start_test "Passwords are not requested when a certificate for the user exists"
send "$argv sql --user=testuser --certs-dir=$certs_dir\r"
eexpect "testuser@"
send "\\q\r"
eexpect $prompt
end_test

# 'hunter2' is a throwaway fixture password used only by this test.
start_test "Check that CREATE USER WITH PASSWORD can be used from transactions."
# Create a user from a transaction.
send "$argv sql --certs-dir=$certs_dir\r"
eexpect "root@"
send "BEGIN TRANSACTION;\r"
eexpect "root@"
send "CREATE USER eisen WITH PASSWORD 'hunter2';\r"
eexpect "root@"
send "COMMIT TRANSACTION;\r"
eexpect "root@"
send "\\q\r"
# Log in with the correct password.
eexpect $prompt
send "$argv sql --certs-dir=$certs_dir --user=eisen\r"
eexpect "Enter password:"
send "hunter2\r"
eexpect "eisen@"
send "\\q\r"
# Try to log in with an incorrect password.
eexpect $prompt
send "$argv sql --certs-dir=$certs_dir --user=eisen\r"
eexpect "Enter password:"
send "*****\r"
eexpect "ERROR: password authentication failed for user eisen"
eexpect "Failed running \"sql\""
# Check that history is scrubbed.
# NOTE(review): the statements below only open a root SQL shell and interrupt
# it. Nothing visible here asserts that the CREATE USER ... WITH PASSWORD
# statement is absent from the shell history -- confirm whether an explicit
# assertion is intended.
send "$argv sql --certs-dir=$certs_dir\r"
eexpect "root@"
interrupt
end_test

# Terminate the shell with Ctrl+C.
interrupt
eexpect $prompt

# Negative case: a session must not be issued for an unknown user.
start_test "Check that an auth cookie cannot be created for a user that does not exist."
send "$argv auth-session login nonexistent --certs-dir=$certs_dir\r"
eexpect "user \"nonexistent\" does not exist"
eexpect $prompt
end_test

# The server was started with --socket-dir=. so the URL's host= parameter is
# pointed at the current working directory.
set mywd [pwd]

start_test "Check that socket-based login works."

# First form: no password in the URL, so the client must prompt for it.
send "$argv sql --url 'postgres://eisen@?host=$mywd&port=26257&sslmode=require'\r"
eexpect "Enter password:"
send "hunter2\r"
eexpect "eisen@"
interrupt
eexpect $prompt

# Second form: password embedded in the URL, so no prompt is expected.
# A password passed this way is part of the command line; that is acceptable
# here only because hunter2 is a fixture value.
send "$argv sql --url 'postgres://eisen:hunter2@?host=$mywd&port=26257&sslmode=require'\r"
eexpect "eisen@"
interrupt
eexpect $prompt

end_test

# The human-readable output is expected to contain the cookie itself
# ("session="), the HttpOnly attribute, and curl/wget usage examples.
start_test "Check that the auth cookie creation works and reports useful output."
send "$argv auth-session login eisen --certs-dir=$certs_dir\r"
eexpect "authentication cookie"
eexpect "session="
eexpect "HttpOnly"
eexpect "Example uses:"
eexpect "curl"
eexpect "wget"
eexpect $prompt
end_test

# Only the HttpOnly attribute is asserted on the emitted cookies; no other
# cookie attribute is checked by the visible code.
# NOTE(review): cookie.txt and cookie_root.txt hold live session cookies (one
# of them for root), are written to the current directory, and are not removed
# anywhere in this script.
start_test "Check that the auth cookie can be emitted standalone."
send "$argv auth-session login eisen --certs-dir=$certs_dir --only-cookie >cookie.txt\r"
eexpect $prompt
# we'll also need a root cookie for another test below.
send "$argv auth-session login root --certs-dir=$certs_dir --only-cookie >cookie_root.txt\r"
eexpect $prompt
system "grep HttpOnly cookie.txt"
system "grep HttpOnly cookie_root.txt"
end_test

# Three sessions exist at this point: two logins for eisen (the verbose one
# and the --only-cookie one above) and one for root.
start_test "Check that the session is visible in the output of list."
send "$argv auth-session list --certs-dir=$certs_dir\r"
eexpect username
eexpect eisen
eexpect eisen
eexpect root
eexpect "3 rows"
eexpect $prompt
end_test

# Helper script that is given a cookie file and a URL; its contents are not
# visible here.
set pyfile [file join [file dirname $argv0] test_auth_cookie.py]

# A successful response is recognised by the "cluster.organization" setting
# name appearing in the output of the admin settings endpoint.
start_test "Check that the auth cookie works."
send "$python $pyfile cookie.txt 'https://localhost:8080/_admin/v1/settings'\r"
eexpect "cluster.organization"
eexpect $prompt
end_test


# Revocation check: after `logout eisen` the same cookie file that worked in
# the previous test must be rejected with HTTP 401. The logout output is
# expected to list two eisen rows -- presumably the revoked sessions.
start_test "Check that the cookie can be revoked."
send "$argv auth-session logout eisen --certs-dir=$certs_dir\r"
eexpect username
eexpect eisen
eexpect eisen
eexpect "2 rows"
eexpect $prompt

send "$python $pyfile cookie.txt 'https://localhost:8080/_admin/v1/settings'\r"
eexpect "HTTP Error 401"
eexpect $prompt
end_test

# The root session was not part of the logout above and must still be valid.
start_test "Check that a root cookie works."
send "$python $pyfile cookie_root.txt 'https://localhost:8080/_admin/v1/settings'\r"
eexpect "cluster.organization"
eexpect $prompt
end_test

# Now test the cookies with non-TLS http.
# The server is restarted with --unencrypted-localhost-http and the same root
# cookie file is reused, so the test also relies on the session surviving the
# restart. In this mode the cookie is sent over cleartext HTTP to localhost.
stop_secure_server $argv $certs_dir

start_secure_server $argv $certs_dir --unencrypted-localhost-http

start_test "Check that a root cookie works with non-TLS."
send "$python $pyfile cookie_root.txt 'http://localhost:8080/_admin/v1/settings'\r"
eexpect "cluster.organization"
eexpect $prompt
end_test

# Leave the spawned bash cleanly, then shut the server down.
send "exit 0\r"
eexpect eof

stop_secure_server $argv $certs_dir