mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
7dadec3ecf
#7970 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
239 lines
8.0 KiB
Go
239 lines
8.0 KiB
Go
package service
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/tls"
|
|
"io"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/fleetdm/fleet/v4/pkg/certificate"
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestUrlGeneration(t *testing.T) {
|
|
t.Run("without prefix", func(t *testing.T) {
|
|
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
|
|
require.NoError(t, err)
|
|
require.Equal(t, "https://test.com/test/path", bc.url("test/path", "").String())
|
|
require.Equal(t, "https://test.com/test/path?raw=query", bc.url("test/path", "raw=query").String())
|
|
})
|
|
|
|
t.Run("with prefix", func(t *testing.T) {
|
|
bc, err := newBaseClient("https://test.com", true, "", "prefix/", nil, fleet.CapabilityMap{})
|
|
require.NoError(t, err)
|
|
require.Equal(t, "https://test.com/prefix/test/path", bc.url("test/path", "").String())
|
|
require.Equal(t, "https://test.com/prefix/test/path?raw=query", bc.url("test/path", "raw=query").String())
|
|
})
|
|
}
|
|
|
|
func TestParseResponseKnownErrors(t *testing.T) {
|
|
cases := []struct {
|
|
message string
|
|
code int
|
|
out error
|
|
}{
|
|
{"not found errors", http.StatusNotFound, notFoundErr{}},
|
|
{"unauthenticated errors", http.StatusUnauthorized, ErrUnauthenticated},
|
|
{"license errors", http.StatusPaymentRequired, ErrMissingLicense},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Run(c.message, func(t *testing.T) {
|
|
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
|
|
require.NoError(t, err)
|
|
response := &http.Response{
|
|
StatusCode: c.code,
|
|
Body: io.NopCloser(bytes.NewBufferString(`{"test": "ok"}`)),
|
|
}
|
|
err = bc.parseResponse("GET", "", response, &struct{}{})
|
|
require.ErrorIs(t, err, c.out)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestParseResponseOK(t *testing.T) {
|
|
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
|
|
require.NoError(t, err)
|
|
response := &http.Response{
|
|
StatusCode: http.StatusOK,
|
|
Body: io.NopCloser(bytes.NewBufferString(`{"test": "ok"}`)),
|
|
}
|
|
|
|
var resDest struct{ Test string }
|
|
err = bc.parseResponse("", "", response, &resDest)
|
|
require.NoError(t, err)
|
|
require.Equal(t, "ok", resDest.Test)
|
|
}
|
|
|
|
func TestParseResponseGeneralErrors(t *testing.T) {
|
|
t.Run("general HTTP errors", func(t *testing.T) {
|
|
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
|
|
require.NoError(t, err)
|
|
response := &http.Response{
|
|
StatusCode: http.StatusBadRequest,
|
|
Body: io.NopCloser(bytes.NewBufferString(`{"test": "ok"}`)),
|
|
}
|
|
err = bc.parseResponse("GET", "", response, &struct{}{})
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("parse errors", func(t *testing.T) {
|
|
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
|
|
require.NoError(t, err)
|
|
response := &http.Response{
|
|
StatusCode: http.StatusBadRequest,
|
|
Body: io.NopCloser(bytes.NewBufferString(`invalid json`)),
|
|
}
|
|
err = bc.parseResponse("GET", "", response, &struct{}{})
|
|
require.Error(t, err)
|
|
})
|
|
}
|
|
|
|
func TestNewBaseClient(t *testing.T) {
|
|
t.Run("invalid addresses are an error", func(t *testing.T) {
|
|
_, err := newBaseClient("http://foo\x7f.com/", true, "", "", nil, fleet.CapabilityMap{})
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("http is only valid in development", func(t *testing.T) {
|
|
cases := []struct {
|
|
name string
|
|
address string
|
|
insecureSkipVerify bool
|
|
expectedErr error
|
|
}{
|
|
{"http non-local URL without insecureSkipVerify", "http://test.com", false, errInvalidScheme},
|
|
{"http non-local URL with insecureSkipVerify", "http://test.com", true, nil},
|
|
{"https", "https://test.com", false, nil},
|
|
{"http localhost with insecureSkipVerify", "http://localhost:8080", true, nil},
|
|
{"http localhost without insecureSkipVerify", "http://localhost:8080", false, nil},
|
|
{"http local ip with insecureSkipVerify", "http://127.0.0.1:8080", true, nil},
|
|
{"http local ip without insecureSkipVerify", "http://127.0.0.1:8080", false, nil},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
_, err := newBaseClient(c.address, c.insecureSkipVerify, "", "", nil, fleet.CapabilityMap{})
|
|
require.Equal(t, c.expectedErr, err, c.name)
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestClientCapabilities(t *testing.T) {
|
|
cases := []struct {
|
|
name string
|
|
capabilities fleet.CapabilityMap
|
|
expected string
|
|
}{
|
|
{"no capabilities", fleet.CapabilityMap{}, ""},
|
|
{"one capability", fleet.CapabilityMap{fleet.Capability("test_capability"): {}}, "test_capability"},
|
|
{
|
|
"multiple capabilities",
|
|
fleet.CapabilityMap{
|
|
fleet.Capability("test_capability"): {},
|
|
fleet.Capability("test_capability_2"): {},
|
|
},
|
|
"test_capability,test_capability_2",
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Run(c.name, func(t *testing.T) {
|
|
bc, err := newBaseClient("https://test.com", true, "", "", nil, c.capabilities)
|
|
require.NoError(t, err)
|
|
|
|
var req http.Request
|
|
bc.setClientCapabilitiesHeader(&req)
|
|
require.ElementsMatch(t, strings.Split(c.expected, ","), strings.Split(req.Header.Get(fleet.CapabilitiesHeader), ","))
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestServerCapabilities(t *testing.T) {
|
|
// initial response has a single capability
|
|
response := &http.Response{
|
|
StatusCode: http.StatusOK,
|
|
Body: io.NopCloser(bytes.NewBufferString(`{}`)),
|
|
Header: http.Header{fleet.CapabilitiesHeader: []string{"test_capability"}},
|
|
}
|
|
bc, err := newBaseClient("https://test.com", true, "", "", nil, fleet.CapabilityMap{})
|
|
require.NoError(t, err)
|
|
testCapability := fleet.Capability("test_capability")
|
|
|
|
err = bc.parseResponse("", "", response, &struct{}{})
|
|
require.NoError(t, err)
|
|
require.True(t, bc.GetServerCapabilities().Has(testCapability))
|
|
|
|
// later on, the server is downgraded and no longer has the capability
|
|
response = &http.Response{
|
|
StatusCode: http.StatusOK,
|
|
Body: io.NopCloser(bytes.NewBufferString(`{}`)),
|
|
Header: http.Header{},
|
|
}
|
|
err = bc.parseResponse("", "", response, &struct{}{})
|
|
require.NoError(t, err)
|
|
require.Equal(t, fleet.CapabilityMap{}, bc.serverCapabilities)
|
|
require.False(t, bc.GetServerCapabilities().Has(testCapability))
|
|
|
|
// after an upgrade, the server has many capabilities
|
|
response = &http.Response{
|
|
StatusCode: http.StatusOK,
|
|
Body: io.NopCloser(bytes.NewBufferString(`{}`)),
|
|
Header: http.Header{fleet.CapabilitiesHeader: []string{"test_capability,test_capability_2"}},
|
|
}
|
|
err = bc.parseResponse("", "", response, &struct{}{})
|
|
require.NoError(t, err)
|
|
require.Equal(t, fleet.CapabilityMap{
|
|
testCapability: {},
|
|
fleet.Capability("test_capability_2"): {},
|
|
}, bc.serverCapabilities)
|
|
require.True(t, bc.GetServerCapabilities().Has(testCapability))
|
|
require.True(t, bc.GetServerCapabilities().Has(fleet.Capability("test_capability")))
|
|
}
|
|
|
|
func TestClientCertificateAuth(t *testing.T) {
|
|
httpRequestReceived := false
|
|
|
|
clientCAs, err := certificate.LoadPEM(filepath.Join("testdata", "client-ca.crt"))
|
|
require.NoError(t, err)
|
|
|
|
ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
httpRequestReceived = true
|
|
}))
|
|
ts.TLS = &tls.Config{
|
|
MinVersion: tls.VersionTLS12,
|
|
ClientAuth: tls.RequireAndVerifyClientCert,
|
|
ClientCAs: clientCAs,
|
|
}
|
|
|
|
ts.StartTLS()
|
|
t.Cleanup(func() {
|
|
ts.Close()
|
|
})
|
|
|
|
// Try connecting without setting TLS client certificates.
|
|
bc, err := newBaseClient(ts.URL, true, "", "", nil, fleet.CapabilityMap{})
|
|
require.NoError(t, err)
|
|
request, err := http.NewRequest("GET", ts.URL, nil)
|
|
require.NoError(t, err)
|
|
_, err = bc.http.Do(request)
|
|
require.Error(t, err)
|
|
require.False(t, httpRequestReceived)
|
|
|
|
// Now try connecting by setting the correct TLS client certificates.
|
|
clientCrt, err := certificate.LoadClientCertificateFromFiles(filepath.Join("testdata", "client.crt"), filepath.Join("testdata", "client.key"))
|
|
require.NoError(t, err)
|
|
require.NotNil(t, clientCrt)
|
|
bc, err = newBaseClient(ts.URL, true, "", "", &clientCrt.Crt, fleet.CapabilityMap{})
|
|
require.NoError(t, err)
|
|
request, err = http.NewRequest("GET", ts.URL, nil)
|
|
require.NoError(t, err)
|
|
_, err = bc.http.Do(request)
|
|
require.NoError(t, err)
|
|
require.True(t, httpRequestReceived)
|
|
}
|