fleet/server/service/integration_sandbox_test.go

package service

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"testing"

	"github.com/fleetdm/fleet/v4/server/config"
	"github.com/fleetdm/fleet/v4/server/datastore/s3"
	"github.com/fleetdm/fleet/v4/server/fleet"
	kitlog "github.com/go-kit/kit/log"
	"github.com/stretchr/testify/require"
	"github.com/stretchr/testify/suite"
)

const enrollSecret = "xyz/abc$@"

type integrationSandboxTestSuite struct {
	suite.Suite
	withServer
	installers []fleet.Installer
}

func (s *integrationSandboxTestSuite) SetupSuite() {
	s.withDS.SetupSuite("integrationSandboxTestSuite")
	t := s.T()

	// make sure sandbox is enabled
	cfg := config.TestConfig()
	cfg.Server.SandboxEnabled = true

	is := s3.SetupTestInstallerStore(t, "integration-tests", "")
	opts := &TestServerOpts{FleetConfig: &cfg, Is: is}
	if os.Getenv("FLEET_INTEGRATION_TESTS_DISABLE_LOG") != "" {
		opts.Logger = kitlog.NewNopLogger()
	}
	users, server := RunServerForTestsWithDS(t, s.ds, opts)
	s.server = server
	s.users = users
	s.token = s.getTestAdminToken()
	s.installers = s3.SeedTestInstallerStore(t, is, enrollSecret)

	err := s.ds.ApplyEnrollSecrets(context.TODO(), nil, []*fleet.EnrollSecret{{Secret: enrollSecret}})
	require.NoError(t, err)
}

func TestIntegrationsSandbox(t *testing.T) {
	testingSuite := new(integrationSandboxTestSuite)
	testingSuite.s = &testingSuite.Suite
	suite.Run(t, testingSuite)
}

func (s *integrationSandboxTestSuite) TestDemoLogin() {
	t := s.T()

	validEmail := testUsers["user1"].Email
	validPwd := testUsers["user1"].PlaintextPassword
	wrongPwd := "nope"
	hdrs := map[string]string{"Content-Type": "application/x-www-form-urlencoded"}

	formBody := make(url.Values)
	formBody.Set("email", validEmail)
	formBody.Set("password", wrongPwd)
	res := s.DoRawWithHeaders("POST", "/api/v1/fleet/demologin", []byte(formBody.Encode()), http.StatusUnauthorized, hdrs)
	require.Equal(t, http.StatusUnauthorized, res.StatusCode)

	formBody.Set("email", validEmail)
	formBody.Set("password", validPwd)
	res = s.DoRawWithHeaders("POST", "/api/v1/fleet/demologin", []byte(formBody.Encode()), http.StatusOK, hdrs)
	resBody, err := io.ReadAll(res.Body)
	require.NoError(t, err)
	require.Equal(t, http.StatusOK, res.StatusCode)
	require.Contains(t, string(resBody), `window.location = "/"`)
	require.Regexp(t, `window.localStorage.setItem\('FLEET::auth_token', '[^']+'\)`, string(resBody))
}

func (s *integrationSandboxTestSuite) TestInstallerGet() {
	t := s.T()

	validURL, formBody := installerPOSTReq(enrollSecret, "pkg", s.token, false)

	r := s.DoRaw("POST", validURL, formBody, http.StatusOK)
	body, err := io.ReadAll(r.Body)
	require.NoError(t, err)
	require.Equal(t, "mock", string(body))
	require.Equal(t, "application/octet-stream", r.Header.Get("Content-Type"))
	require.Equal(t, "4", r.Header.Get("Content-Length"))
	require.Equal(t, `attachment;filename="fleet-osquery.pkg"`, r.Header.Get("Content-Disposition"))
	require.Equal(t, `nosniff`, r.Header.Get("X-Content-Type-Options"))

	// unauthorized requests
	s.DoRawNoAuth("POST", validURL, nil, http.StatusUnauthorized)
	s.token = "invalid"
	s.Do("POST", validURL, nil, http.StatusUnauthorized)
	s.token = s.cachedAdminToken

	// wrong enroll secret
	wrongURL, wrongFormBody := installerPOSTReq("wrong-enroll", "pkg", s.token, false)
	s.Do("POST", wrongURL, wrongFormBody, http.StatusNotFound)

	// non-existent package
	wrongURL, wrongFormBody = installerPOSTReq(enrollSecret, "exe", s.token, false)
	s.Do("POST", wrongURL, wrongFormBody, http.StatusNotFound)
}

func (s *integrationSandboxTestSuite) TestInstallerHeadCheck() {
	validURL := installerURL(enrollSecret, "pkg", false)
	s.DoRaw("HEAD", validURL, nil, http.StatusOK)

	// unauthorized requests
	s.DoRawNoAuth("HEAD", validURL, nil, http.StatusUnauthorized)
	s.token = "invalid"
	s.DoRaw("HEAD", validURL, nil, http.StatusUnauthorized)
	s.token = s.cachedAdminToken

	// wrong enroll secret
	invalidURL := installerURL("wrong-enroll", "pkg", false)
	s.DoRaw("HEAD", invalidURL, nil, http.StatusNotFound)

	// non-existent package
	invalidURL = installerURL(enrollSecret, "exe", false)
	s.DoRaw("HEAD", invalidURL, nil, http.StatusNotFound)
}

func installerURL(secret, kind string, desktop bool) string {
	path := fmt.Sprintf("/api/latest/fleet/download_installer/%s?enroll_secret=%s", kind, secret)
	if desktop {
		path += "&desktop=1"
	}
	return path
}

func installerPOSTReq(secret, kind, token string, desktop bool) (string, []byte) {
	path := installerURL(secret, kind, desktop)
	d := "0"
	if desktop {
		d = "1"
	}
	formBody := make(url.Values)
	formBody.Set("token", token)
	formBody.Set("enroll_secret", secret)
	formBody.Set("desktop", d)
	return path, []byte(formBody.Encode())
}
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`package service`

			`import (`
			`"context"`
			`"fmt"`
			`"io"`
			`"net/http"`
consolidate sandbox env flags (#6917) Related to #6894, this entirely replaces FLEET_DEMO with the server config added in #6597 As part of this, I also implemented a small refactor to the integration test suite to allow setting a custom config when the server is initialized. 2022-07-27 19:47:39 +00:00			`"net/url"`
Recategorize MDM endpoints to new mdm-less paths (#17372) 2024-03-13 14:27:29 +00:00			`"os"`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`"testing"`

consolidate sandbox env flags (#6917) Related to #6894, this entirely replaces FLEET_DEMO with the server config added in #6597 As part of this, I also implemented a small refactor to the integration test suite to allow setting a custom config when the server is initialized. 2022-07-27 19:47:39 +00:00			`"github.com/fleetdm/fleet/v4/server/config"`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`"github.com/fleetdm/fleet/v4/server/datastore/s3"`
			`"github.com/fleetdm/fleet/v4/server/fleet"`
Recategorize MDM endpoints to new mdm-less paths (#17372) 2024-03-13 14:27:29 +00:00			`kitlog "github.com/go-kit/kit/log"`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`"github.com/stretchr/testify/require"`
			`"github.com/stretchr/testify/suite"`
			`)`

send enroll secret in query for installers (#7064) This changes how the enroll secret is sent to the server, as they might contain /, which was causing problems with our router. 2022-08-04 21:39:38 +00:00			`const enrollSecret = "xyz/abc$@"`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00
consolidate sandbox env flags (#6917) Related to #6894, this entirely replaces FLEET_DEMO with the server config added in #6597 As part of this, I also implemented a small refactor to the integration test suite to allow setting a custom config when the server is initialized. 2022-07-27 19:47:39 +00:00			`type integrationSandboxTestSuite struct {`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`suite.Suite`
			`withServer`
			`installers []fleet.Installer`
			`}`

consolidate sandbox env flags (#6917) Related to #6894, this entirely replaces FLEET_DEMO with the server config added in #6597 As part of this, I also implemented a small refactor to the integration test suite to allow setting a custom config when the server is initialized. 2022-07-27 19:47:39 +00:00			`func (s *integrationSandboxTestSuite) SetupSuite() {`
			`s.withDS.SetupSuite("integrationSandboxTestSuite")`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`t := s.T()`

consolidate sandbox env flags (#6917) Related to #6894, this entirely replaces FLEET_DEMO with the server config added in #6597 As part of this, I also implemented a small refactor to the integration test suite to allow setting a custom config when the server is initialized. 2022-07-27 19:47:39 +00:00			`// make sure sandbox is enabled`
			`cfg := config.TestConfig()`
			`cfg.Server.SandboxEnabled = true`

add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`is := s3.SetupTestInstallerStore(t, "integration-tests", "")`
Recategorize MDM endpoints to new mdm-less paths (#17372) 2024-03-13 14:27:29 +00:00			`opts := &TestServerOpts{FleetConfig: &cfg, Is: is}`
			`if os.Getenv("FLEET_INTEGRATION_TESTS_DISABLE_LOG") != "" {`
			`opts.Logger = kitlog.NewNopLogger()`
			`}`
			`users, server := RunServerForTestsWithDS(t, s.ds, opts)`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`s.server = server`
			`s.users = users`
			`s.token = s.getTestAdminToken()`
			`s.installers = s3.SeedTestInstallerStore(t, is, enrollSecret)`

			`err := s.ds.ApplyEnrollSecrets(context.TODO(), nil, []*fleet.EnrollSecret{{Secret: enrollSecret}})`
			`require.NoError(t, err)`
			`}`

consolidate sandbox env flags (#6917) Related to #6894, this entirely replaces FLEET_DEMO with the server config added in #6597 As part of this, I also implemented a small refactor to the integration test suite to allow setting a custom config when the server is initialized. 2022-07-27 19:47:39 +00:00			`func TestIntegrationsSandbox(t *testing.T) {`
			`testingSuite := new(integrationSandboxTestSuite)`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`testingSuite.s = &testingSuite.Suite`
			`suite.Run(t, testingSuite)`
			`}`

consolidate sandbox env flags (#6917) Related to #6894, this entirely replaces FLEET_DEMO with the server config added in #6597 As part of this, I also implemented a small refactor to the integration test suite to allow setting a custom config when the server is initialized. 2022-07-27 19:47:39 +00:00			`func (s *integrationSandboxTestSuite) TestDemoLogin() {`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`t := s.T()`

consolidate sandbox env flags (#6917) Related to #6894, this entirely replaces FLEET_DEMO with the server config added in #6597 As part of this, I also implemented a small refactor to the integration test suite to allow setting a custom config when the server is initialized. 2022-07-27 19:47:39 +00:00			`validEmail := testUsers["user1"].Email`
			`validPwd := testUsers["user1"].PlaintextPassword`
			`wrongPwd := "nope"`
			`hdrs := map[string]string{"Content-Type": "application/x-www-form-urlencoded"}`

			`formBody := make(url.Values)`
			`formBody.Set("email", validEmail)`
			`formBody.Set("password", wrongPwd)`
			`res := s.DoRawWithHeaders("POST", "/api/v1/fleet/demologin", []byte(formBody.Encode()), http.StatusUnauthorized, hdrs)`
			`require.Equal(t, http.StatusUnauthorized, res.StatusCode)`

			`formBody.Set("email", validEmail)`
			`formBody.Set("password", validPwd)`
			`res = s.DoRawWithHeaders("POST", "/api/v1/fleet/demologin", []byte(formBody.Encode()), http.StatusOK, hdrs)`
			`resBody, err := io.ReadAll(res.Body)`
			`require.NoError(t, err)`
			`require.Equal(t, http.StatusOK, res.StatusCode)`
			require.Contains(t, string(resBody), `window.location = "/"`)
			require.Regexp(t, `window.localStorage.setItem\('FLEET::auth_token', '[^']+'\)`, string(resBody))
			`}`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00
consolidate sandbox env flags (#6917) Related to #6894, this entirely replaces FLEET_DEMO with the server config added in #6597 As part of this, I also implemented a small refactor to the integration test suite to allow setting a custom config when the server is initialized. 2022-07-27 19:47:39 +00:00			`func (s *integrationSandboxTestSuite) TestInstallerGet() {`
			`t := s.T()`

adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00			`validURL, formBody := installerPOSTReq(enrollSecret, "pkg", s.token, false)`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00			`r := s.DoRaw("POST", validURL, formBody, http.StatusOK)`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`body, err := io.ReadAll(r.Body)`
			`require.NoError(t, err)`
			`require.Equal(t, "mock", string(body))`
			`require.Equal(t, "application/octet-stream", r.Header.Get("Content-Type"))`
			`require.Equal(t, "4", r.Header.Get("Content-Length"))`
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00			require.Equal(t, `attachment;filename="fleet-osquery.pkg"`, r.Header.Get("Content-Disposition"))
add browser-related security headers to HTML responses (#8180) related to #8031, this adds the following headers to HTML responses: - Strict-Transport-Security: informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. - X-Frames-Options: disallows embedding the UI in other sites via <frame>, <iframe>, <embed> or <object>, which can prevent attacks like clickjacking. - X-Content-Type-Options: prevents browsers from trying to guess the MIME type which can cause browsers to transform non-executable content into executable content. - Referrer-Policy: prevents leaking the origin of the referrer in the Referer. additionally, this ensures we set `X-Content-Type-Options` for CSV and installer responses. 2022-10-12 13:19:21 +00:00			require.Equal(t, `nosniff`, r.Header.Get("X-Content-Type-Options"))
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00
			`// unauthorized requests`
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00			`s.DoRawNoAuth("POST", validURL, nil, http.StatusUnauthorized)`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`s.token = "invalid"`
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00			`s.Do("POST", validURL, nil, http.StatusUnauthorized)`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`s.token = s.cachedAdminToken`

			`// wrong enroll secret`
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00			`wrongURL, wrongFormBody := installerPOSTReq("wrong-enroll", "pkg", s.token, false)`
Bug 10767: Don't return 500s if enroll secret not found (#11121) Return proper status code (401) on '/api/fleet/orbit/enroll' if secret is invalid. 2023-04-13 20:16:40 +00:00			`s.Do("POST", wrongURL, wrongFormBody, http.StatusNotFound)`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00
			`// non-existent package`
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00			`wrongURL, wrongFormBody = installerPOSTReq(enrollSecret, "exe", s.token, false)`
			`s.Do("POST", wrongURL, wrongFormBody, http.StatusNotFound)`
			`}`

			`func (s *integrationSandboxTestSuite) TestInstallerHeadCheck() {`
			`validURL := installerURL(enrollSecret, "pkg", false)`
fix flaky TestIntegrationsSandbox/TestInstallerHeadCheck (#7345) this adjusts the TestInstallerHeadCheck check to use `DoRaw` instead of `Do`, which sends a body with null when nil is passed for the params parameter. 2022-08-23 12:58:10 +00:00			`s.DoRaw("HEAD", validURL, nil, http.StatusOK)`
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00
			`// unauthorized requests`
			`s.DoRawNoAuth("HEAD", validURL, nil, http.StatusUnauthorized)`
			`s.token = "invalid"`
fix flaky TestIntegrationsSandbox/TestInstallerHeadCheck (#7345) this adjusts the TestInstallerHeadCheck check to use `DoRaw` instead of `Do`, which sends a body with null when nil is passed for the params parameter. 2022-08-23 12:58:10 +00:00			`s.DoRaw("HEAD", validURL, nil, http.StatusUnauthorized)`
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00			`s.token = s.cachedAdminToken`

			`// wrong enroll secret`
			`invalidURL := installerURL("wrong-enroll", "pkg", false)`
Bug 10767: Don't return 500s if enroll secret not found (#11121) Return proper status code (401) on '/api/fleet/orbit/enroll' if secret is invalid. 2023-04-13 20:16:40 +00:00			`s.DoRaw("HEAD", invalidURL, nil, http.StatusNotFound)`
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00
			`// non-existent package`
			`invalidURL = installerURL(enrollSecret, "exe", false)`
fix flaky TestIntegrationsSandbox/TestInstallerHeadCheck (#7345) this adjusts the TestInstallerHeadCheck check to use `DoRaw` instead of `Do`, which sends a body with null when nil is passed for the params parameter. 2022-08-23 12:58:10 +00:00			`s.DoRaw("HEAD", invalidURL, nil, http.StatusNotFound)`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`}`

			`func installerURL(secret, kind string, desktop bool) string {`
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00			`path := fmt.Sprintf("/api/latest/fleet/download_installer/%s?enroll_secret=%s", kind, secret)`
			`if desktop {`
			`path += "&desktop=1"`
			`}`
			`return path`
			`}`

			`func installerPOSTReq(secret, kind, token string, desktop bool) (string, []byte) {`
			`path := installerURL(secret, kind, desktop)`
			`d := "0"`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`if desktop {`
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00			`d = "1"`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`}`
adjust installers endpoint to avoid AJAX downloads (#7226) Related to #7206, this delegates the handling of the download to the browser 2022-08-16 15:54:41 +00:00			`formBody := make(url.Values)`
			`formBody.Set("token", token)`
			`formBody.Set("enroll_secret", secret)`
			`formBody.Set("desktop", d)`
			`return path, []byte(formBody.Encode())`
add API endpoints to retrieve pre-built installers (#6672) Rel: #6365, this adds a new endpoint to check and download pre-built installers. 2022-07-18 16:44:30 +00:00			`}`