github.com/fafucoder/cilium@v1.6.11/proxylib/r2d2/r2d2parser_test.go (about) 1 // Copyright 2018 Authors of Cilium 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // +build !privileged_tests 16 17 package r2d2 18 19 import ( 20 "testing" 21 22 "github.com/cilium/cilium/proxylib/accesslog" 23 "github.com/cilium/cilium/proxylib/proxylib" 24 "github.com/cilium/cilium/proxylib/test" 25 26 // log "github.com/sirupsen/logrus" 27 . "gopkg.in/check.v1" 28 ) 29 30 // Hook up gocheck into the "go test" runner. 31 func Test(t *testing.T) { 32 // logging.ToggleDebugLogs(true) 33 // log.SetLevel(log.DebugLevel) 34 35 TestingT(t) 36 } 37 38 type R2d2Suite struct { 39 logServer *test.AccessLogServer 40 ins *proxylib.Instance 41 } 42 43 var _ = Suite(&R2d2Suite{}) 44 45 // Set up access log server and Library instance for all the test cases 46 func (s *R2d2Suite) SetUpSuite(c *C) { 47 s.logServer = test.StartAccessLogServer("access_log.sock", 10) 48 c.Assert(s.logServer, Not(IsNil)) 49 s.ins = proxylib.NewInstance("node1", accesslog.NewClient(s.logServer.Path)) 50 c.Assert(s.ins, Not(IsNil)) 51 } 52 53 func (s *R2d2Suite) checkAccessLogs(c *C, expPasses, expDrops int) { 54 passes, drops := s.logServer.Clear() 55 c.Check(passes, Equals, expPasses, Commentf("Unxpected number of passed access log messages")) 56 c.Check(drops, Equals, expDrops, Commentf("Unxpected number of passed access log messages")) 57 } 58 59 func (s *R2d2Suite) TearDownTest(c *C) { 60 s.logServer.Clear() 61 } 62 63 func (s *R2d2Suite) TearDownSuite(c *C) { 64 s.logServer.Close() 65 } 66 67 func (s *R2d2Suite) TestR2d2OnDataIncomplete(c *C) { 68 conn := s.ins.CheckNewConnectionOK(c, "r2d2", true, 1, 2, "1.1.1.1:34567", "2.2.2.2:80", "no-policy") 69 data := [][]byte{[]byte("READ xssss")} 70 conn.CheckOnDataOK(c, false, false, &data, []byte{}, proxylib.MORE, 1) 71 } 72 73 func (s *R2d2Suite) TestR2d2OnDataBasicPass(c *C) { 74 75 // allow all rule 76 s.ins.CheckInsertPolicyText(c, "1", []string{` 77 name: "cp1" 78 policy: 2 79 ingress_per_port_policies: < 80 port: 80 81 rules: < 82 l7_proto: "r2d2" 83 > 84 > 85 `}) 86 conn := s.ins.CheckNewConnectionOK(c, "r2d2", true, 1, 2, "1.1.1.1:34567", "2.2.2.2:80", "cp1") 87 msg1 := "READ sssss\r\n" 88 msg2 := "WRITE sssss\r\n" 89 msg3 := "HALT\r\n" 90 msg4 := "RESET\r\n" 91 data := [][]byte{[]byte(msg1 + msg2 + msg3 + msg4)} 92 conn.CheckOnDataOK(c, false, false, &data, []byte{}, 93 proxylib.PASS, len(msg1), 94 proxylib.PASS, len(msg2), 95 proxylib.PASS, len(msg3), 96 proxylib.PASS, len(msg4), 97 proxylib.MORE, 1) 98 } 99 100 func (s *R2d2Suite) TestR2d2OnDataMultipleReq(c *C) { 101 102 // allow all rule 103 s.ins.CheckInsertPolicyText(c, "1", []string{` 104 name: "cp1" 105 policy: 2 106 ingress_per_port_policies: < 107 port: 80 108 rules: < 109 l7_proto: "r2d2" 110 > 111 > 112 `}) 113 conn := s.ins.CheckNewConnectionOK(c, "r2d2", true, 1, 2, "1.1.1.1:34567", "2.2.2.2:80", "cp1") 114 msg1Part1 := "RE" 115 msg1Part2 := "SET\r\n" 116 data := [][]byte{[]byte(msg1Part1), []byte(msg1Part2)} 117 conn.CheckOnDataOK(c, false, false, &data, []byte{}, 118 proxylib.PASS, len(msg1Part1+msg1Part2), 119 proxylib.MORE, 1) 120 } 121 122 func (s *R2d2Suite) TestR2d2OnDataAllowDenyCmd(c *C) { 123 124 s.ins.CheckInsertPolicyText(c, "1", []string{` 125 name: "cp2" 126 policy: 2 127 ingress_per_port_policies: < 128 port: 80 129 rules: < 130 l7_proto: "r2d2" 131 l7_rules: < 132 l7_rules: < 133 rule: < 134 key: "cmd" 135 value: "READ" 136 > 137 > 138 > 139 > 140 > 141 `}) 142 conn := s.ins.CheckNewConnectionOK(c, "r2d2", true, 1, 2, "1.1.1.1:34567", "2.2.2.2:80", "cp2") 143 msg1 := "READ xssss\r\n" 144 msg2 := "WRITE xssss\r\n" 145 data := [][]byte{[]byte(msg1 + msg2)} 146 conn.CheckOnDataOK(c, false, false, &data, []byte("ERROR\r\n"), 147 proxylib.PASS, len(msg1), 148 proxylib.DROP, len(msg2), 149 proxylib.MORE, 1) 150 } 151 152 func (s *R2d2Suite) TestR2d2OnDataAllowDenyRegex(c *C) { 153 154 s.ins.CheckInsertPolicyText(c, "1", []string{` 155 name: "cp3" 156 policy: 2 157 ingress_per_port_policies: < 158 port: 80 159 rules: < 160 l7_proto: "r2d2" 161 l7_rules: < 162 l7_rules: < 163 rule: < 164 key: "file" 165 value: "s.*" 166 > 167 > 168 > 169 > 170 > 171 `}) 172 conn := s.ins.CheckNewConnectionOK(c, "r2d2", true, 1, 2, "1.1.1.1:34567", "2.2.2.2:80", "cp3") 173 msg1 := "READ ssss\r\n" 174 msg2 := "WRITE yyyyy\r\n" 175 data := [][]byte{[]byte(msg1 + msg2)} 176 conn.CheckOnDataOK(c, false, false, &data, []byte("ERROR\r\n"), 177 proxylib.PASS, len(msg1), 178 proxylib.DROP, len(msg2), 179 proxylib.MORE, 1) 180 }