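/*
Copyright 2019 The Vitess Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package tabletmanager

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"vitess.io/vitess/go/test/endtoend/cluster"
)

// These tests check that vttablet's --security_policy flag really gates the
// HTTP endpoints. One representative endpoint is probed per role. The
// security property under test is twofold: the ADMIN endpoint must stay
// denied under every policy exercised here, and an unknown policy name must
// fail closed (deny-all) rather than silently opening everything.
const (
	// Probed as the ADMIN-role endpoint.
	securityPolicyAdminPath = "/livequeryz/terminate"
	// Probed as the MONITORING-role endpoint.
	securityPolicyMonitoringPath = "/debug/health"
	// Probed as the DEBUGGING-role endpoint.
	securityPolicyDebuggingPath = "/queryz"
)

// securityPolicyHTTPClient bounds every probe so a tablet that accepts the
// TCP connection but never answers fails the test instead of hanging it
// (http.DefaultClient has no timeout).
var securityPolicyHTTPClient = &http.Client{Timeout: 30 * time.Second}

// tabletURL builds the loopback URL for a vttablet HTTP endpoint.
func tabletURL(httpPort int, path string) string {
	return fmt.Sprintf("http://localhost:%d%s", httpPort, path)
}

// withSecurityPolicy starts a replica tablet (with its own mysqld) using the
// given --security_policy value, hands its HTTP port to check, and tears the
// tablet down again.
//
// Teardown and the reset of VtTabletExtraArgs are deferred so they also run
// when check fails through require/FailNow. Without that, a failing assertion
// would leave a stray vttablet running and leak the policy flag into every
// later test in this package, which could mask real failures there.
func withSecurityPolicy(t *testing.T, policy string, check func(httpPort int)) {
	t.Helper()
	ctx := context.Background()
	mTablet := clusterInstance.NewVttabletInstance("replica", 0, "")

	// Start Mysql Processes
	err := cluster.StartMySQL(ctx, mTablet, username, clusterInstance.TmpDirectory)
	require.NoError(t, err)

	clusterInstance.VtTabletExtraArgs = []string{"--security_policy", policy}
	// Reset the VtTabletExtraArgs even if vttablet fails to start.
	defer func() { clusterInstance.VtTabletExtraArgs = []string{} }()

	err = clusterInstance.StartVttablet(mTablet, "SERVING", false, cell, keyspaceName, hostname, shardName)
	require.NoError(t, err)
	// Tear down custom processes
	defer killTablets(t, mTablet)

	check(mTablet.HTTPPort)
}

// TestFallbackSecurityPolicy verifies the fail-closed behaviour: a policy
// name that is not registered must behave as deny-all for every role.
func TestFallbackSecurityPolicy(t *testing.T) {
	defer cluster.PanicHandler(t)

	// Requesting an unregistered security_policy should fallback to deny-all.
	// An operator typo in the flag must not open any endpoint.
	withSecurityPolicy(t, "bogus", func(port int) {
		// It should deny ADMIN role.
		assertNotAllowedURLTest(t, tabletURL(port, securityPolicyAdminPath))
		// It should deny MONITORING role.
		assertNotAllowedURLTest(t, tabletURL(port, securityPolicyMonitoringPath))
		// It should deny DEBUGGING role.
		assertNotAllowedURLTest(t, tabletURL(port, securityPolicyDebuggingPath))
	})
}

// assertNotAllowedURLTest GETs url and checks that the tablet rejected it:
// an error status (above 400) together with the ACL denial text in the body.
// Both are checked because a handler that returned the denial text with a
// success status, or an error page without that text, would each suggest
// something other than the security policy blocked the request.
func assertNotAllowedURLTest(t *testing.T, url string) {
	t.Helper()
	resp, err := securityPolicyHTTPClient.Get(url)
	require.NoError(t, err)
	// Registered before ReadAll so a read failure (FailNow) cannot leak the body.
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	require.NoError(t, err)

	assert.True(t, resp.StatusCode > 400, "expected an error status for %s, got %d", url, resp.StatusCode)
	assert.Contains(t, string(body), "Access denied: not allowed")
}

// assertAllowedURLTest GETs url and checks that the response does not carry
// the ACL denial text.
//
// NOTE(review): only the absence of the denial text is checked; the status
// code is not, because the success code of each probed endpoint is not
// pinned down here. Tighten this to a 2xx check once that is confirmed.
func assertAllowedURLTest(t *testing.T, url string) {
	t.Helper()
	resp, err := securityPolicyHTTPClient.Get(url)
	require.NoError(t, err)
	// Registered before ReadAll so a read failure (FailNow) cannot leak the body.
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	require.NoError(t, err)

	assert.NotContains(t, string(body), "Access denied: not allowed")
}

// TestDenyAllSecurityPolicy verifies that the explicit deny-all policy
// rejects every role's endpoint.
func TestDenyAllSecurityPolicy(t *testing.T) {
	defer cluster.PanicHandler(t)

	// Requesting a deny-all security_policy.
	withSecurityPolicy(t, "deny-all", func(port int) {
		// It should deny ADMIN role.
		assertNotAllowedURLTest(t, tabletURL(port, securityPolicyAdminPath))
		// It should deny MONITORING role.
		assertNotAllowedURLTest(t, tabletURL(port, securityPolicyMonitoringPath))
		// It should deny DEBUGGING role.
		assertNotAllowedURLTest(t, tabletURL(port, securityPolicyDebuggingPath))
	})
}

// TestReadOnlySecurityPolicy verifies that the read-only policy keeps the
// ADMIN endpoint denied while leaving the MONITORING and DEBUGGING endpoints
// reachable.
func TestReadOnlySecurityPolicy(t *testing.T) {
	defer cluster.PanicHandler(t)

	// Requesting a read-only security_policy.
	withSecurityPolicy(t, "read-only", func(port int) {
		// It should deny ADMIN role.
		assertNotAllowedURLTest(t, tabletURL(port, securityPolicyAdminPath))
		// It should allow MONITORING role.
		assertAllowedURLTest(t, tabletURL(port, securityPolicyMonitoringPath))
		// It should allow DEBUGGING role.
		assertAllowedURLTest(t, tabletURL(port, securityPolicyDebuggingPath))
	})
}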