empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 17:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
38bf87b0a0
fleet/server/service/base_client_test.go
Lucas Manuel Rodriguez 7dadec3ecf
Add mTLS support to fleetd (#11319) 
#7970

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [x] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-04-27 08:44:39 -03:00

239 lines
8.0 KiB
Go
Raw Blame History

package service
import (
"bytes"
"crypto/tls"
"io"
"net/http"
"net/http/httptest"
"path/filepath"
"strings"
"testing"
"github.com/fleetdm/fleet/v4/pkg/certificate"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/stretchr/testify/require"
)
func TestUrlGeneration(t *testing.T) {
t.Run("without prefix", func(t *testing.T) {
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
require.NoError(t, err)
require.Equal(t, "https://test.com/test/path", bc.url("test/path", "").String())
require.Equal(t, "https://test.com/test/path?raw=query", bc.url("test/path", "raw=query").String())
})
t.Run("with prefix", func(t *testing.T) {
bc, err := newBaseClient("https://test.com", true, "", "prefix/", nil, fleet.CapabilityMap{})
require.NoError(t, err)
require.Equal(t, "https://test.com/prefix/test/path", bc.url("test/path", "").String())
require.Equal(t, "https://test.com/prefix/test/path?raw=query", bc.url("test/path", "raw=query").String())
})
}
func TestParseResponseKnownErrors(t *testing.T) {
cases := []struct {
message string
code int
out error
}{
{"not found errors", http.StatusNotFound, notFoundErr{}},
{"unauthenticated errors", http.StatusUnauthorized, ErrUnauthenticated},
{"license errors", http.StatusPaymentRequired, ErrMissingLicense},
}
for _, c := range cases {
t.Run(c.message, func(t *testing.T) {
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
require.NoError(t, err)
response := &http.Response{
StatusCode: c.code,
Body: io.NopCloser(bytes.NewBufferString(`{"test": "ok"}`)),
}
err = bc.parseResponse("GET", "", response, &struct{}{})
require.ErrorIs(t, err, c.out)
})
}
}
func TestParseResponseOK(t *testing.T) {
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
require.NoError(t, err)
response := &http.Response{
StatusCode: http.StatusOK,
Body: io.NopCloser(bytes.NewBufferString(`{"test": "ok"}`)),
}
var resDest struct{ Test string }
err = bc.parseResponse("", "", response, &resDest)
require.NoError(t, err)
require.Equal(t, "ok", resDest.Test)
}
func TestParseResponseGeneralErrors(t *testing.T) {
t.Run("general HTTP errors", func(t *testing.T) {
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
require.NoError(t, err)
response := &http.Response{
StatusCode: http.StatusBadRequest,
Body: io.NopCloser(bytes.NewBufferString(`{"test": "ok"}`)),
}
err = bc.parseResponse("GET", "", response, &struct{}{})
require.Error(t, err)
})
t.Run("parse errors", func(t *testing.T) {
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
require.NoError(t, err)
response := &http.Response{
StatusCode: http.StatusBadRequest,
Body: io.NopCloser(bytes.NewBufferString(`invalid json`)),
}
err = bc.parseResponse("GET", "", response, &struct{}{})
require.Error(t, err)
})
}
func TestNewBaseClient(t *testing.T) {
t.Run("invalid addresses are an error", func(t *testing.T) {
_, err := newBaseClient("http://foo\x7f.com/", true, "", "", nil, fleet.CapabilityMap{})
require.Error(t, err)
})
t.Run("http is only valid in development", func(t *testing.T) {
cases := []struct {
name string
address string
insecureSkipVerify bool
expectedErr error
}{
{"http non-local URL without insecureSkipVerify", "http://test.com", false, errInvalidScheme},
{"http non-local URL with insecureSkipVerify", "http://test.com", true, nil},
{"https", "https://test.com", false, nil},
{"http localhost with insecureSkipVerify", "http://localhost:8080", true, nil},
{"http localhost without insecureSkipVerify", "http://localhost:8080", false, nil},
{"http local ip with insecureSkipVerify", "http://127.0.0.1:8080", true, nil},
{"http local ip without insecureSkipVerify", "http://127.0.0.1:8080", false, nil},
}
for _, c := range cases {
_, err := newBaseClient(c.address, c.insecureSkipVerify, "", "", nil, fleet.CapabilityMap{})
require.Equal(t, c.expectedErr, err, c.name)
}
})
}
func TestClientCapabilities(t *testing.T) {
cases := []struct {
name string
capabilities fleet.CapabilityMap
expected string
}{
{"no capabilities", fleet.CapabilityMap{}, ""},
{"one capability", fleet.CapabilityMap{fleet.Capability("test_capability"): {}}, "test_capability"},
{
"multiple capabilities",
fleet.CapabilityMap{
fleet.Capability("test_capability"): {},
fleet.Capability("test_capability_2"): {},
},
"test_capability,test_capability_2",
},
}
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
bc, err := newBaseClient("https://test.com", true, "", "", nil, c.capabilities)
require.NoError(t, err)
var req http.Request
bc.setClientCapabilitiesHeader(&req)
require.ElementsMatch(t, strings.Split(c.expected, ","), strings.Split(req.Header.Get(fleet.CapabilitiesHeader), ","))
})
}
}
func TestServerCapabilities(t *testing.T) {
// initial response has a single capability
response := &http.Response{
StatusCode: http.StatusOK,
Body: io.NopCloser(bytes.NewBufferString(`{}`)),
Header: http.Header{fleet.CapabilitiesHeader: []string{"test_capability"}},
}
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
require.NoError(t, err)
testCapability := fleet.Capability("test_capability")
err = bc.parseResponse("", "", response, &struct{}{})
require.NoError(t, err)
require.True(t, bc.GetServerCapabilities().Has(testCapability))
// later on, the server is downgraded and no longer has the capability
response = &http.Response{
StatusCode: http.StatusOK,
Body: io.NopCloser(bytes.NewBufferString(`{}`)),
Header: http.Header{},
}
err = bc.parseResponse("", "", response, &struct{}{})
require.NoError(t, err)
require.Equal(t, fleet.CapabilityMap{}, bc.serverCapabilities)
require.False(t, bc.GetServerCapabilities().Has(testCapability))
// after an upgrade, the server has many capabilities
response = &http.Response{
StatusCode: http.StatusOK,
Body: io.NopCloser(bytes.NewBufferString(`{}`)),
Header: http.Header{fleet.CapabilitiesHeader: []string{"test_capability,test_capability_2"}},
}
err = bc.parseResponse("", "", response, &struct{}{})
require.NoError(t, err)
require.Equal(t, fleet.CapabilityMap{
testCapability: {},
fleet.Capability("test_capability_2"): {},
}, bc.serverCapabilities)
require.True(t, bc.GetServerCapabilities().Has(testCapability))
require.True(t, bc.GetServerCapabilities().Has(fleet.Capability("test_capability")))
}
func TestClientCertificateAuth(t *testing.T) {
httpRequestReceived := false
clientCAs, err := certificate.LoadPEM(filepath.Join("testdata", "client-ca.crt"))
require.NoError(t, err)
ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
httpRequestReceived = true
}))
ts.TLS = &tls.Config{
MinVersion: tls.VersionTLS12,
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCAs,
}
ts.StartTLS()
t.Cleanup(func() {
ts.Close()
})
// Try connecting without setting TLS client certificates.
bc, err := newBaseClient(ts.URL, true, "", "", nil, fleet.CapabilityMap{})
require.NoError(t, err)
request, err := http.NewRequest("GET", ts.URL, nil)
require.NoError(t, err)
_, err = bc.http.Do(request)
require.Error(t, err)
require.False(t, httpRequestReceived)
// Now try connecting by setting the correct TLS client certificates.
clientCrt, err := certificate.LoadClientCertificateFromFiles(filepath.Join("testdata", "client.crt"), filepath.Join("testdata", "client.key"))
require.NoError(t, err)
require.NotNil(t, clientCrt)
bc, err = newBaseClient(ts.URL, true, "", "", &clientCrt.Crt, fleet.CapabilityMap{})
require.NoError(t, err)
request, err = http.NewRequest("GET", ts.URL, nil)
require.NoError(t, err)
_, err = bc.http.Do(request)
require.NoError(t, err)
require.True(t, httpRequestReceived)
}
Reference in New Issue View Git Blame Copy Permalink