Posted to commits@mesos.apache.org by ji...@apache.org on 2017/11/30 00:04:24 UTC
[13/13] mesos git commit: Added a test in ContainerDaemon for testing
failed authorization.
Added a test in ContainerDaemon for testing failed authorization.
Review: https://reviews.apache.org/r/64177
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/f9b076ce
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/f9b076ce
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/f9b076ce
Branch: refs/heads/master
Commit: f9b076ce0eded4b9f0676212dc90687181abffb0
Parents: e861c0e
Author: Jie Yu <yu...@gmail.com>
Authored: Wed Nov 29 14:02:38 2017 -0800
Committer: Jie Yu <yu...@gmail.com>
Committed: Wed Nov 29 16:03:29 2017 -0800
----------------------------------------------------------------------
src/tests/container_daemon_tests.cpp | 84 +++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/f9b076ce/src/tests/container_daemon_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/container_daemon_tests.cpp b/src/tests/container_daemon_tests.cpp
index 3d88390..9b1cd16 100644
--- a/src/tests/container_daemon_tests.cpp
+++ b/src/tests/container_daemon_tests.cpp
@@ -179,6 +179,90 @@ TEST_F(ContainerDaemonTest, RestartOnTermination)
EXPECT_TRUE(wait.isPending());
}
+
+#ifdef USE_SSL_SOCKET
+// This test verifies that the container daemon will terminate itself
+// if the agent operator API does not authorize the container launch.
+TEST_F(ContainerDaemonTest, FailedAuthorization)
+{
+ Try<Owned<cluster::Master>> master = StartMaster();
+ ASSERT_SOME(master);
+
+ Owned<MasterDetector> detector = master.get()->createDetector();
+
+ slave::Flags slaveFlags = CreateSlaveFlags();
+
+ ASSERT_SOME(slaveFlags.jwt_secret_key);
+
+ Try<string> jwtSecretKey = os::read(slaveFlags.jwt_secret_key.get());
+ ASSERT_SOME(jwtSecretKey);
+
+ Owned<SecretGenerator> secretGenerator(
+ new JWTSecretGenerator(jwtSecretKey.get()));
+
+ Future<Nothing> recover = FUTURE_DISPATCH(_, &Slave::__recover);
+
+ Try<Owned<cluster::Slave>> slave = StartSlave(
+ detector.get(),
+ secretGenerator.get(),
+ slaveFlags);
+
+ ASSERT_SOME(slave);
+
+ PID<Slave> slavePid = slave.get()->pid;
+
+ // Ensure slave has finished recovery.
+ AWAIT_READY(recover);
+
+ string scheme = "http";
+ if (openssl::flags().enabled) {
+ scheme = "https";
+ }
+
+ http::URL url(
+ scheme,
+ slavePid.address.ip,
+ slavePid.address.port,
+ strings::join("/", slavePid.id, "api/v1"));
+
+ // NOTE: The current implicit authorization for creating standalone
+ // containers is to check if the container ID prefix in the claims
+ // of the principal is indeed a prefix of the container ID that is
+ // specified in the API call.
+ //
+ // Using two random UUIDs here guarantees that one is not a prefix
+ // of another. Therefore, the authorization will fail.
+ ContainerID containerId;
+ containerId.set_value(UUID::random().toString());
+
+ Principal principal(
+ None(),
+ {{"cid_prefix", UUID::random().toString()}});
+
+ Future<Secret> secret = secretGenerator->generate(principal);
+ AWAIT_READY(secret);
+
+ ASSERT_NONE(validateSecret(secret.get()));
+ ASSERT_EQ(Secret::VALUE, secret->type());
+
+ string authToken = secret->value().data();
+
+ Try<Owned<ContainerDaemon>> daemon = ContainerDaemon::create(
+ url,
+ authToken,
+ containerId,
+ createCommandInfo("sleep 1000"),
+ None(),
+ None(),
+ []() -> Future<Nothing> { return Nothing(); },
+ []() -> Future<Nothing> { return Nothing(); });
+
+ ASSERT_SOME(daemon);
+
+ AWAIT_FAILED(daemon.get()->wait());
+}
+#endif // USE_SSL_SOCKET
+
} // namespace tests {
} // namespace internal {
} // namespace mesos {
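Review bot: The only assertion on the outcome is `AWAIT_FAILED(daemon.get()->wait());`, which accepts any failure of the daemon, so a connection refusal, a TLS/scheme mismatch, or a token that is rejected as malformed would make this test pass just as well as the authorization denial it is meant to cover. To pin the negative case to the authorization check, keep the future and inspect its failure text, in the style of the `wait` future used by the preceding test: `Future<Nothing> wait = daemon.get()->wait();` / `AWAIT_FAILED(wait);` / `EXPECT_TRUE(strings::contains(wait.failure(), "<text the daemon reports for an unauthorized launch>"));`, with the placeholder replaced by whatever message the daemon actually propagates (not visible in this hunk). It would also help to state in the header comment that the expected denial comes from the implicit `cid_prefix` claim check described at the `NOTE`, since that is the invariant the test depends on and a change to that policy would silently turn this into a test of some other failure.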