vitess.io/vitess@v0.16.2/go/test/endtoend/tabletmanager/tablet_security_policy_test.go (about)

     1  /*
     2  Copyright 2019 The Vitess Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8  	http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  package tabletmanager
    17  
import (
	"context"
	"fmt"
	"io"
	"net/http"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"vitess.io/vitess/go/test/endtoend/cluster"
)
    30  
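// TestFallbackSecurityPolicy verifies that a vttablet started with an
// unregistered --security_policy name falls back to deny-all: the HTTP
// endpoints gated by the ADMIN, MONITORING and DEBUGGING roles must all be
// refused.
func TestFallbackSecurityPolicy(t *testing.T) {
	defer cluster.PanicHandler(t)
	ctx := context.Background()
	mTablet := clusterInstance.NewVttabletInstance("replica", 0, "")

	// Start Mysql Processes
	err := cluster.StartMySQL(ctx, mTablet, username, clusterInstance.TmpDirectory)
	require.NoError(t, err)

	// Requesting an unregistered security_policy should fallback to deny-all.
	clusterInstance.VtTabletExtraArgs = []string{"--security_policy", "bogus"}
	// Reset the extra args on every exit path (require.NoError calls
	// t.FailNow, which still runs defers), so later tests in the package do
	// not inherit the bogus policy.
	defer func() { clusterInstance.VtTabletExtraArgs = []string{} }()

	err = clusterInstance.StartVttablet(mTablet, "SERVING", false, cell, keyspaceName, hostname, shardName)
	require.NoError(t, err)
	// Tear down custom processes even when an assertion below fails.
	defer killTablets(t, mTablet)

	// It should deny ADMIN role.
	url := fmt.Sprintf("http://localhost:%d/livequeryz/terminate", mTablet.HTTPPort)
	assertNotAllowedURLTest(t, url)

	// It should deny MONITORING role.
	url = fmt.Sprintf("http://localhost:%d/debug/health", mTablet.HTTPPort)
	assertNotAllowedURLTest(t, url)

	// It should deny DEBUGGING role.
	url = fmt.Sprintf("http://localhost:%d/queryz", mTablet.HTTPPort)
	assertNotAllowedURLTest(t, url)
}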
    62  
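// assertNotAllowedURLTest fetches url and asserts that the tablet's security
// policy rejected the request: an error status code (> 400) and the policy's
// "Access denied: not allowed" message in the response body.
func assertNotAllowedURLTest(t *testing.T, url string) {
	t.Helper()

	// Bound the request so a wedged tablet fails the test instead of hanging it.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Get(url)
	require.NoError(t, err)
	// Register Close before reading so the body is released even if ReadAll
	// fails and require aborts the test.
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	require.NoError(t, err)

	assert.True(t, resp.StatusCode > 400, "expected an error status for %s, got %d", url, resp.StatusCode)
	assert.Contains(t, string(body), "Access denied: not allowed")
}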
    74  
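// assertAllowedURLTest fetches url and asserts that the tablet's security
// policy did not reject the request, i.e. the response body does not carry
// the policy's "Access denied: not allowed" message. The status code is not
// checked: an allowed endpoint may still report an unhealthy tablet.
func assertAllowedURLTest(t *testing.T, url string) {
	t.Helper()

	// Bound the request so a wedged tablet fails the test instead of hanging it.
	client := &http.Client{Timeout: 30 * time.Second}
	resp, err := client.Get(url)
	require.NoError(t, err)
	// Register Close before reading so the body is released even if ReadAll
	// fails and require aborts the test.
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	require.NoError(t, err)

	assert.NotContains(t, string(body), "Access denied: not allowed")
}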
    85  
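// TestDenyAllSecurityPolicy verifies that a vttablet started with
// --security_policy deny-all refuses the HTTP endpoints gated by the ADMIN,
// MONITORING and DEBUGGING roles.
func TestDenyAllSecurityPolicy(t *testing.T) {
	defer cluster.PanicHandler(t)
	ctx := context.Background()
	mTablet := clusterInstance.NewVttabletInstance("replica", 0, "")

	// Start Mysql Processes
	err := cluster.StartMySQL(ctx, mTablet, username, clusterInstance.TmpDirectory)
	require.NoError(t, err)

	// Requesting a deny-all security_policy.
	clusterInstance.VtTabletExtraArgs = []string{"--security_policy", "deny-all"}
	// Reset the extra args on every exit path (require.NoError calls
	// t.FailNow, which still runs defers), so later tests in the package do
	// not inherit this policy.
	defer func() { clusterInstance.VtTabletExtraArgs = []string{} }()

	err = clusterInstance.StartVttablet(mTablet, "SERVING", false, cell, keyspaceName, hostname, shardName)
	require.NoError(t, err)
	// Tear down custom processes even when an assertion below fails.
	defer killTablets(t, mTablet)

	// It should deny ADMIN role.
	url := fmt.Sprintf("http://localhost:%d/livequeryz/terminate", mTablet.HTTPPort)
	assertNotAllowedURLTest(t, url)

	// It should deny MONITORING role.
	url = fmt.Sprintf("http://localhost:%d/debug/health", mTablet.HTTPPort)
	assertNotAllowedURLTest(t, url)

	// It should deny DEBUGGING role.
	url = fmt.Sprintf("http://localhost:%d/queryz", mTablet.HTTPPort)
	assertNotAllowedURLTest(t, url)
}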
   117  
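// TestReadOnlySecurityPolicy verifies that a vttablet started with
// --security_policy read-only refuses the ADMIN-gated endpoint while still
// serving the MONITORING- and DEBUGGING-gated ones.
func TestReadOnlySecurityPolicy(t *testing.T) {
	defer cluster.PanicHandler(t)
	ctx := context.Background()
	mTablet := clusterInstance.NewVttabletInstance("replica", 0, "")

	// Start Mysql Processes
	err := cluster.StartMySQL(ctx, mTablet, username, clusterInstance.TmpDirectory)
	require.NoError(t, err)

	// Requesting a read-only security_policy.
	clusterInstance.VtTabletExtraArgs = []string{"--security_policy", "read-only"}
	// Reset the extra args on every exit path (require.NoError calls
	// t.FailNow, which still runs defers), so later tests in the package do
	// not inherit this policy.
	defer func() { clusterInstance.VtTabletExtraArgs = []string{} }()

	err = clusterInstance.StartVttablet(mTablet, "SERVING", false, cell, keyspaceName, hostname, shardName)
	require.NoError(t, err)
	// Tear down custom processes even when an assertion below fails.
	defer killTablets(t, mTablet)

	// It should deny ADMIN role.
	url := fmt.Sprintf("http://localhost:%d/livequeryz/terminate", mTablet.HTTPPort)
	assertNotAllowedURLTest(t, url)

	// It should allow MONITORING role (read-only only blocks ADMIN).
	url = fmt.Sprintf("http://localhost:%d/debug/health", mTablet.HTTPPort)
	assertAllowedURLTest(t, url)

	// It should allow DEBUGGING role (read-only only blocks ADMIN).
	url = fmt.Sprintf("http://localhost:%d/queryz", mTablet.HTTPPort)
	assertAllowedURLTest(t, url)
}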