Google Git
Sign in
apache / apisix / HEAD / . / t / plugin / security-warning.t
blob: f2d2e3ea6375ba672865fb0b75d17dc0ce52047e [file] [log] [blame]
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
use t::APISIX 'no_plan';
repeat_each(1);
no_long_string();
no_root_location();
add_block_preprocessor(sub {
my ($block) = @_;
if (!defined $block->request) {
$block->set_value("request", "GET /t");
}
});
run_tests();
__DATA__
=== TEST 1: authz-casdoor no https
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.authz-casdoor")
local fake_uri = "http://127.0.0.1:" .. ngx.var.server_port
local callback_url = "http://127.0.0.1:" .. ngx.var.server_port ..
"/anything/callback"
local conf = {
callback_url = callback_url,
endpoint_addr = fake_uri,
client_id = "7ceb9b7fda4a9061ec1c",
client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04"
}
local ok, err = plugin.check_schema(conf)
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- error_log
Using authz-casdoor endpoint_addr with no TLS is a security risk
Using authz-casdoor callback_url with no TLS is a security risk
=== TEST 2: authz-casdoor with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.authz-casdoor")
local fake_uri = "https://127.0.0.1:" .. ngx.var.server_port
local callback_url = "https://127.0.0.1:" .. ngx.var.server_port ..
"/anything/callback"
local conf = {
callback_url = callback_url,
endpoint_addr = fake_uri,
client_id = "7ceb9b7fda4a9061ec1c",
client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04"
}
local ok, err = plugin.check_schema(conf)
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- no_error_log
Using authz-casdoor endpoint_addr with no TLS is a security risk
Using authz-casdoor callback_url with no TLS is a security risk
=== TEST 3: authz keycloak with no TLS
--- config
location /t {
content_by_lua_block {
local check = {"discovery", "token_endpoint", "resource_registration_endpoint", "access_denied_redirect_uri"}
local plugin = require("apisix.plugins.authz-keycloak")
local ok, err = plugin.check_schema({
client_id = "foo",
discovery = "http://host.domain/realms/foo/protocol/openid-connect/token",
token_endpoint = "http://token_endpoint.domain",
resource_registration_endpoint = "http://resource_registration_endpoint.domain",
access_denied_redirect_uri = "http://access_denied_redirect_uri.domain"
})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- request
GET /t
--- response_body
done
--- error_log
Using authz-keycloak discovery with no TLS is a security risk
Using authz-keycloak token_endpoint with no TLS is a security risk
Using authz-keycloak resource_registration_endpoint with no TLS is a security
Using authz-keycloak access_denied_redirect_uri with no TLS is a security risk
=== TEST 4: authz keycloak with TLS
--- config
location /t {
content_by_lua_block {
local check = {"discovery", "token_endpoint", "resource_registration_endpoint", "access_denied_redirect_uri"}
local plugin = require("apisix.plugins.authz-keycloak")
local ok, err = plugin.check_schema({
client_id = "foo",
discovery = "https://host.domain/realms/foo/protocol/openid-connect/token",
token_endpoint = "https://token_endpoint.domain",
resource_registration_endpoint = "https://resource_registration_endpoint.domain",
access_denied_redirect_uri = "https://access_denied_redirect_uri.domain"
})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- request
GET /t
--- response_body
done
--- no_error_log
Using authz-keycloak discovery with no TLS is a security risk
Using authz-keycloak token_endpoint with no TLS is a security risk
Using authz-keycloak resource_registration_endpoint with no TLS is a security
Using authz-keycloak access_denied_redirect_uri with no TLS is a security risk
=== TEST 5: cas auth with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.cas-auth")
local ok, err = plugin.check_schema({
idp_uri = "http://a.com",
cas_callback_uri = "/a/b",
logout_uri = "/c/d"
})
if not ok then
ngx.say(err)
else
ngx.say("passed")
end
}
}
--- response_body
passed
--- error_log
risk
=== TEST 6: cas auth with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.cas-auth")
local ok, err = plugin.check_schema({
idp_uri = "https://a.com",
cas_callback_uri = "/a/b",
logout_uri = "/c/d"
})
if not ok then
ngx.say(err)
else
ngx.say("passed")
end
}
}
--- response_body
passed
--- no_error_log
risk
=== TEST 7: clickhouse logger with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.clickhouse-logger")
local ok, err = plugin.check_schema({
timeout = 3,
retry_delay = 1,
batch_max_size = 500,
user = "default",
password = "a",
database = "default",
logtable = "t",
endpoint_addrs = {
"http://127.0.0.1:1980/clickhouse_logger_server",
"http://127.0.0.2:1980/clickhouse_logger_server",
},
max_retry_count = 1,
name = "clickhouse logger",
ssl_verify = false
})
if not ok then
ngx.say(err)
else
ngx.say("passed")
end
}
}
--- response_body
passed
--- error_log
Using clickhouse-logger endpoint_addrs with no TLS is a security risk
=== TEST 8: clickhouse logger with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.clickhouse-logger")
local ok, err = plugin.check_schema({
timeout = 3,
retry_delay = 1,
batch_max_size = 500,
user = "default",
password = "a",
database = "default",
logtable = "t",
endpoint_addrs = {
"https://127.0.0.1:1980/clickhouse_logger_server",
"https://127.0.0.2:1980/clickhouse_logger_server",
},
max_retry_count = 1,
name = "clickhouse logger",
ssl_verify = false
})
if not ok then
ngx.say(err)
else
ngx.say("passed")
end
}
}
--- response_body
passed
--- no_error_log
Using clickhouse-logger endpoint_addrs with no TLS is a security risk
=== TEST 9: elastic search logger with no TLS
--- config
location /t {
content_by_lua_block {
local ok, err
local plugin = require("apisix.plugins.elasticsearch-logger")
ok, err = plugin.check_schema({
endpoint_addrs = {
"http://127.0.0.1:9200"
},
field = {
index = "services"
}
})
if err then
ngx.say(err)
else
ngx.say("passed")
end
}
}
--- response_body_like
passed
--- error_log
Using elasticsearch-logger endpoint_addrs with no TLS is a security risk
=== TEST 10: elastic search logger with TLS
--- config
location /t {
content_by_lua_block {
local ok, err
local plugin = require("apisix.plugins.elasticsearch-logger")
ok, err = plugin.check_schema({
endpoint_addrs = {
"https://127.0.0.1:9200"
},
field = {
index = "services"
}
})
if err then
ngx.say(err)
else
ngx.say("passed")
end
}
}
--- response_body_like
passed
--- no_error_log
Using elasticsearch-logger endpoint_addrs with no TLS is a security risk
=== TEST 11: error log logger with tcp.tls = false
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.error-log-logger")
local ok, err = plugin.check_schema({
tcp = {
host = "host.com",
port = "99",
tls = false,
},
skywalking = {
endpoint_addr = "http://a.bcd"
},
clickhouse = {
endpoint_addr = "http://some.com",
user = "user",
password = "secret",
database = "yes",
logtable = "some"
},
})
ngx.say(ok and "done" or err)
}
}
--- request
GET /t
--- response_body
done
--- error_log
Using error-log-logger skywalking.endpoint_addr with no TLS is a security risk
Using error-log-logger clickhouse.endpoint_addr with no TLS is a security risk
Keeping tcp.tls disabled in error-log-logger configuration is a security risk
=== TEST 12: error log logger with tcp.tls = true
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.error-log-logger")
local ok, err = plugin.check_schema({
tcp = {
host = "host.com",
port = "99",
tls = true,
},
skywalking = {
endpoint_addr = "https://a.bcd"
},
clickhouse = {
endpoint_addr = "https://some.com",
user = "user",
password = "secret",
database = "yes",
logtable = "some"
},
})
ngx.say(ok and "done" or err)
}
}
--- request
GET /t
--- response_body
done
--- no_error_log
Using error-log-logger skywalking.endpoint_addr with no TLS is a security risk
Using error-log-logger clickhouse.endpoint_addr with no TLS is a security risk
Keeping tcp.tls disabled in error-log-logger configuration is a security risk
=== TEST 13: forward auth with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.forward-auth")
local ok, err = plugin.check_schema({uri = "http://127.0.0.1:8199"})
ngx.say(ok and "done" or err)
}
}
--- response_body
done
--- error_log
Using forward-auth uri with no TLS is a security risk
Using forward-auth uri with no TLS is a security risk
=== TEST 14: forward auth with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.forward-auth")
local ok, err = plugin.check_schema({uri = "https://127.0.0.1:8199"})
ngx.say(ok and "done" or err)
}
}
--- response_body
done
--- no_error_log
Using forward-auth uri with no TLS is a security risk
=== TEST 15: http-logger with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.http-logger")
local ok, err = plugin.check_schema({uri = "http://127.0.0.1"})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- error_log
Using http-logger uri with no TLS is a security risk
=== TEST 16: http-logger with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.http-logger")
local ok, err = plugin.check_schema({uri = "https://127.0.0.1"})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- no_error_log
Using http-logger uri with no TLS is a security risk
=== TEST 17: ldap auth with no TLS
--- config
location /t {
content_by_lua_block {
local core = require("apisix.core")
local plugin = require("apisix.plugins.ldap-auth")
local ok, err = plugin.check_schema(
{
base_dn = "123",
ldap_uri = "127.0.0.1:1389",
tls_verify = false,
use_tls = false
})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- error_log
Keeping tls_verify disabled in ldap-auth configuration is a security risk
Keeping use_tls disabled in ldap-auth configuration is a security risk
=== TEST 18: ldap auth with TLS
--- config
location /t {
content_by_lua_block {
local core = require("apisix.core")
local plugin = require("apisix.plugins.ldap-auth")
local ok, err = plugin.check_schema({base_dn = "123", ldap_uri = "127.0.0.1:1389", use_tls = true})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- no_error_log
Using LDAP auth with TLS disabled is a security risk
=== TEST 19: loki-logger with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.loki-logger")
local ok, err = plugin.check_schema({endpoint_addrs = {"http://127.0.0.1:8199"}})
ngx.say(ok and "done" or err)
}
}
--- response_body
done
--- error_log
Using loki-logger endpoint_addrs with no TLS is a security risk
Using loki-logger endpoint_addrs with no TLS is a security risk
Using loki-logger endpoint_addrs with no TLS is a security risk
=== TEST 20: loki logger with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.loki-logger")
local ok, err = plugin.check_schema({endpoint_addrs = {"https://127.0.0.1:8199"}})
ngx.say(ok and "done" or err)
}
}
--- response_body
done
--- no_error_log
Using loki-logger endpoint_addrs with no TLS is a security risk