Posted to commits@trafficserver.apache.org by zw...@apache.org on 2020/06/02 22:28:35 UTC
[trafficserver] branch 9.0.x updated: Adding a basic ip_allow test.
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new d1ee8a1 Adding a basic ip_allow test.
d1ee8a1 is described below
commit d1ee8a11ace0b5991b1015402887cb45abc8a4e9
Author: bneradt <bn...@verizonmedia.com>
AuthorDate: Wed May 13 22:34:36 2020 +0000
Adding a basic ip_allow test.
(cherry picked from commit f73afd8757e5f489320e43271897afbe5570034e)
---
tests/gold_tests/ip_allow/gold/200.gold | 5 +
tests/gold_tests/ip_allow/gold/403.gold | 5 +
tests/gold_tests/ip_allow/gold/403_h2.gold | 5 +
tests/gold_tests/ip_allow/ip_allow.test.py | 179 +++++++++++++++++++++++++++++
tests/gold_tests/ip_allow/ssl/server.key | 15 +++
tests/gold_tests/ip_allow/ssl/server.pem | 32 ++++++
6 files changed, 241 insertions(+)
diff --git a/tests/gold_tests/ip_allow/gold/200.gold b/tests/gold_tests/ip_allow/gold/200.gold
new file mode 100644
index 0000000..e6da794
--- /dev/null
+++ b/tests/gold_tests/ip_allow/gold/200.gold
@@ -0,0 +1,5 @@
+``
+> GET /get HTTP/1.1
+``
+< HTTP/1.1 200 OK
+``
diff --git a/tests/gold_tests/ip_allow/gold/403.gold b/tests/gold_tests/ip_allow/gold/403.gold
new file mode 100644
index 0000000..d2164ab
--- /dev/null
+++ b/tests/gold_tests/ip_allow/gold/403.gold
@@ -0,0 +1,5 @@
+``
+> CONNECT /connect HTTP/1.1
+``
+< HTTP/1.1 403 Access Denied
+``
diff --git a/tests/gold_tests/ip_allow/gold/403_h2.gold b/tests/gold_tests/ip_allow/gold/403_h2.gold
new file mode 100644
index 0000000..af82fe2
--- /dev/null
+++ b/tests/gold_tests/ip_allow/gold/403_h2.gold
@@ -0,0 +1,5 @@
+``
+> PUSH /h2_push HTTP/2
+``
+< HTTP/2 403``
+``
diff --git a/tests/gold_tests/ip_allow/ip_allow.test.py b/tests/gold_tests/ip_allow/ip_allow.test.py
new file mode 100644
index 0000000..5e4b5d6
--- /dev/null
+++ b/tests/gold_tests/ip_allow/ip_allow.test.py
@@ -0,0 +1,179 @@
+'''
+Verify ip_allow filtering behavior.
+'''
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+Test.Summary = '''
+Verify ip_allow filtering behavior.
+'''
+
+Test.ContinueOnFail = True
+
+# Define default ATS
+ts = Test.MakeATSProcess("ts", command="traffic_manager", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server", ssl=True)
+
+testName = ""
+request = {
+ "headers":
+ "GET /get HTTP/1.1\r\n"
+ "Host: www.example.com:80\r\n\r\n",
+ "timestamp": "1469733493.993",
+ "body": ""}
+response = {
+ "headers":
+ "HTTP/1.1 200 OK\r\n"
+ "Content-Length: 3\r\n"
+ "Connection: close\r\n\r\n",
+ "timestamp":
+ "1469733493.993", "body": "xxx"}
+server.addResponse("sessionlog.json", request, response)
+
+# The following shouldn't come to the server, but in the event that there is a
+# bug in ip_allow and they are sent through, have them return a 200 OK. This
+# will fail the match with the gold file which expects a 403.
+request = {
+ "headers":
+ "CONNECT www.example.com:80/connect HTTP/1.1\r\n"
+ "Host: www.example.com:80\r\n\r\n",
+ "timestamp": "1469733493.993",
+ "body": ""}
+response = {
+ "headers":
+ "HTTP/1.1 200 OK\r\n"
+ "Content-Length: 3\r\n"
+ "Connection: close\r\n\r\n",
+ "timestamp":
+ "1469733493.993", "body": "xxx"}
+server.addResponse("sessionlog.json", request, response)
+request = {
+ "headers":
+ "PUSH www.example.com:80/h2_push HTTP/2\r\n"
+ "Host: www.example.com:80\r\n\r\n",
+ "timestamp": "1469733493.993",
+ "body": ""}
+response = {
+ "headers":
+ "HTTP/2 200 OK\r\n"
+ "Content-Length: 3\r\n"
+ "Connection: close\r\n\r\n",
+ "timestamp":
+ "1469733493.993", "body": "xxx"}
+server.addResponse("sessionlog.json", request, response)
+
+# Configure TLS for Traffic Server for HTTP/2.
+ts.addSSLfile("ssl/server.pem")
+ts.addSSLfile("ssl/server.key")
+
+ts.Disk.ssl_multicert_config.AddLine(
+ 'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
+)
+
+ts.Disk.records_config.update({
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ip-allow',
+ 'proxy.config.http.connect_ports': '{0}'.format(server.Variables.SSL_Port),
+ 'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
+ 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
+ 'proxy.config.http.cache.http': 0,
+ 'proxy.config.ssl.client.verify.server': 0,
+ 'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
+ 'proxy.config.http2.active_timeout_in': 3,
+ 'proxy.config.http2.max_concurrent_streams_in': 65535,
+})
+
+format_string = ('%<cqtd>-%<cqtt> %<stms> %<ttms> %<chi> %<crc>/%<pssc> %<psql> '
+ '%<cqhm> %<cquc> %<phr>/%<pqsn> %<psct> %<{Y-RID}pqh> '
+ '%<{Y-YPCS}pqh> %<{Host}cqh> %<{CHAD}pqh> '
+ 'sftover=%<{x-safet-overlimit-rules}cqh> sftmat=%<{x-safet-matched-rules}cqh> '
+ 'sftcls=%<{x-safet-classification}cqh> '
+ 'sftbadclf=%<{x-safet-bad-classifiers}cqh> yra=%<{Y-RA}cqh> scheme=%<cqus>')
+
+ts.Disk.logging_yaml.AddLines(
+ ''' logging:
+ formats:
+ - name: custom
+ format: '{}'
+ logs:
+ - filename: squid.log
+ format: custom
+'''.format(format_string).split("\n")
+)
+
+ts.Disk.remap_config.AddLine(
+ 'map / https://127.0.0.1:{0}'.format(server.Variables.SSL_Port)
+)
+
+# Note that CONNECT is not in the allowed list.
+ts.Disk.ip_allow_yaml.AddLines(
+ '''ip_allow:
+ - apply: in
+ ip_addrs: 0/0
+ action: allow
+ methods: [GET, HEAD, POST ]
+ - apply: in
+ ip_addrs: ::/0
+ action: allow
+ methods: [GET, HEAD, POST ]
+
+'''.split("\n")
+)
+
+ts.Streams.stderr += Testers.ContainsExpression(
+ "Line 1 denial for 'CONNECT' from 127.0.0.1",
+ "The CONNECT request should be denied by ip_allow")
+ts.Streams.stderr += Testers.ContainsExpression(
+ "Line 1 denial for 'PUSH' from 127.0.0.1",
+ "The PUSH request should be denied by ip_allow")
+
+#
+# TEST 1: Perform a GET request. Should be allowed because GET is in the whitelist.
+#
+tr = Test.AddTestRun()
+tr.Processes.Default.StartBefore(server, ready=When.PortOpen(server.Variables.SSL_Port))
+tr.Processes.Default.StartBefore(Test.Processes.ts, ready=When.PortOpen(ts.Variables.port))
+
+tr.Processes.Default.Command = ('curl --verbose -H "Host: www.example.com" http://localhost:{ts_port}/get'.
+ format(ts_port=ts.Variables.port))
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stderr = 'gold/200.gold'
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
+
+#
+# TEST 2: Perform a CONNECT request. Should not be allowed because CONNECT is
+# not in the whitelist.
+#
+tr = Test.AddTestRun()
+tr.Processes.Default.Command = ('curl --verbose -X CONNECT -H "Host: localhost" http://localhost:{ts_port}/connect'.
+ format(ts_port=ts.Variables.port))
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stderr = 'gold/403.gold'
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
+
+#
+# TEST 3: Perform a PUSH request over HTTP/2. Should not be allowed because
+# PUSH is not in the whitelist.
+#
+tr = Test.AddTestRun()
+tr.Processes.Default.Command = ('curl --http2 --verbose -k -X PUSH -H "Host: localhost" https://localhost:{ts_port}/h2_push'.
+ format(ts_port=ts.Variables.ssl_port))
+tr.Processes.Default.ReturnCode = 0
+tr.Processes.Default.Streams.stderr = 'gold/403_h2.gold'
+tr.StillRunningAfter = ts
+tr.StillRunningAfter = server
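Review bot: The two `ts.Streams.stderr += Testers.ContainsExpression(...)` checks pin both the rule index and the client address (`Line 1 denial for 'CONNECT' from 127.0.0.1`), while the curl commands in TEST 2 and TEST 3 connect to `localhost`; on a host where `localhost` also resolves to `::1` and the proxy accepts IPv6 the denial would presumably be logged against the second rule and `::1`, failing the run even though ip_allow filtered correctly. Pointing the curl URLs at the literal address, e.g. `http://127.0.0.1:{ts_port}/connect` and `https://127.0.0.1:{ts_port}/h2_push`, or loosening the patterns to `denial for 'CONNECT' from` would make the expectation deterministic. Separately, the `proxy.config.ssl.server.cipher_suite` override lists RC4 and DES-CBC3 suites and the `format_string` log format references `Y-RID`/`Y-YPCS`/`x-safet-*` headers that nothing in this test sends or asserts on; both look carried over from another test and could be dropped so the records.config and logging.yaml only carry what the ip_allow behaviour under test needs. A short comment above the three `server.addResponse` blocks explaining that the 200 fallbacks exist to make a leak through ip_allow visible as a gold mismatch is already present for CONNECT; extending it to cover the PUSH block (`# Same for PUSH over HTTP/2.`) would keep the intent obvious.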
diff --git a/tests/gold_tests/ip_allow/ssl/server.key b/tests/gold_tests/ip_allow/ssl/server.key
new file mode 100644
index 0000000..4c7a661
--- /dev/null
+++ b/tests/gold_tests/ip_allow/ssl/server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/tests/gold_tests/ip_allow/ssl/server.pem b/tests/gold_tests/ip_allow/ssl/server.pem
new file mode 100644
index 0000000..3584a2e
--- /dev/null
+++ b/tests/gold_tests/ip_allow/ssl/server.pem
@@ -0,0 +1,32 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----