Google Git
Sign in
apache / apisix / HEAD / . / t / plugin / security-warning2.t
blob: 886452a7b2d731180495c9ed19f02a682639f509 [file] [log] [blame]
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
use t::APISIX 'no_plan';
repeat_each(1);
no_long_string();
no_root_location();
add_block_preprocessor(sub {
my ($block) = @_;
if (!defined $block->request) {
$block->set_value("request", "GET /t");
}
});
run_tests();
__DATA__
=== TEST 1: opa with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.opa")
local ok, err = plugin.check_schema({host = "http://127.0.0.1:8181", policy = "example/allow"})
ngx.say(ok and "done" or err)
}
}
--- response_body
done
--- error_log
Using opa host with no TLS is a security risk
=== TEST 2: opa with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.opa")
local ok, err = plugin.check_schema({host = "https://127.0.0.1:8181", policy = "example/allow"})
ngx.say(ok and "done" or err)
}
}
--- response_body
done
--- no_error_log
Using opa host with no TLS is a security risk
=== TEST 3: openid-connect with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.openid-connect")
local ok, err = plugin.check_schema({
client_id = "a",
client_secret = "b",
discovery = "http://a.com",
introspection_endpoint = "http://b.com",
redirect_uri = "http://c.com",
post_logout_redirect_uri = "http://d.com",
proxy_opts = {
http_proxy = "http://e.com"
},
session = {
secret = "jwcE5v3pM9VhqLxmxFOH9uZaLo8u7KQK"
}
})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- error_log
Using openid-connect discovery with no TLS is a security risk
Using openid-connect introspection_endpoint with no TLS is a security risk
Using openid-connect redirect_uri with no TLS is a security risk
Using openid-connect post_logout_redirect_uri with no TLS is a security risk
Using openid-connect proxy_opts.http_proxy with no TLS is a security risk
=== TEST 4: openid-connect with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.openid-connect")
local ok, err = plugin.check_schema({
client_id = "a",
client_secret = "b",
discovery = "https://a.com",
introspection_endpoint = "https://b.com",
redirect_uri = "https://c.com",
post_logout_redirect_uri = "https://d.com",
proxy_opts = {
http_proxy = "https://e.com"
},
session = {
secret = "jwcE5v3pM9VhqLxmxFOH9uZaLo8u7KQK"
}
})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- no_error_log
Using openid-connect discovery with no TLS is a security risk
Using openid-connect introspection_endpoint with no TLS is a security risk
Using openid-connect redirect_uri with no TLS is a security risk
Using openid-connect post_logout_redirect_uri with no TLS is a security risk
Using openid-connect proxy_opts.http_proxy with no TLS is a security risk
=== TEST 5: opentelemetry with no TLS
--- extra_yaml_config
plugins:
- opentelemetry
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/plugin_metadata/opentelemetry',
ngx.HTTP_PUT,
[[{
"batch_span_processor": {
"max_export_batch_size": 1,
"inactive_timeout": 0.5
},
"trace_id_source": "x-request-id",
"collector": {
"address": "http://127.0.0.1:4318",
"request_timeout": 3,
"request_headers": {
"foo": "bar"
}
}
}]]
)
if code >= 300 then
ngx.status = code
end
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"opentelemetry": {
"sampler": {
"name": "always_on"
}
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/opentracing"
}]]
)
if code >= 300 then
ngx.status = code
end
--- deleting this data so this doesn't effect when metadata schema is validated
--- at init in next test.
local code, body = t('/apisix/admin/plugin_metadata/opentelemetry',
ngx.HTTP_DELETE)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- error_log
Using opentelemetry collector.address with no TLS is a security risk
=== TEST 6: opentelemetery with TLS
--- extra_yaml_config
plugins:
- opentelemetry
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/plugin_metadata/opentelemetry',
ngx.HTTP_PUT,
[[{
"batch_span_processor": {
"max_export_batch_size": 1,
"inactive_timeout": 0.5
},
"trace_id_source": "x-request-id",
"collector": {
"address": "https://127.0.0.1:4318",
"request_timeout": 3,
"request_headers": {
"foo": "bar"
}
}
}]]
)
if code >= 300 then
ngx.status = code
end
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"opentelemetry": {
"sampler": {
"name": "always_on"
}
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/opentracing"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- no_error_log
Using opentelemetry collector.address with no TLS is a security risk
=== TEST 7: openwhisk with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.openwhisk")
local ok, err = plugin.check_schema({
api_host = "http://127.0.0.1:3233",
service_token = "test:test",
namespace = "test",
action = "test"
})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- error_log
Using openwhisk api_host with no TLS is a security risk
=== TEST 8: openwhisk with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.openwhisk")
local ok, err = plugin.check_schema({api_host = "https://127.0.0.1:3233", service_token = "test:test", namespace = "test", action = "test"})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- no_error_log
Using openwhisk api_host with no TLS is a security risk
=== TEST 9: rocketmq with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.rocketmq-logger")
local ok, err = plugin.check_schema({
topic = "test",
key = "key1",
nameserver_list = {
"127.0.0.1:3"
},
use_tls = false
})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- error_log
Keeping use_tls disabled in rocketmq-logger configuration is a security risk
=== TEST 10: rocketmq with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.rocketmq-logger")
local ok, err = plugin.check_schema({
topic = "test",
key = "key1",
nameserver_list = {
"127.0.0.1:3"
},
use_tls = true
})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- no_error_log
Keeping use_tls disabled in rocketmq-logger configuration is a security risk
=== TEST 11: skywalking-logger with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.skywalking-logger")
local ok, err = plugin.check_schema({endpoint_addr = "http://127.0.0.1"})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- error_log
Using skywalking-logger endpoint_addr with no TLS is a security risk
=== TEST 12: skywalking-logger with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.skywalking-logger")
local ok, err = plugin.check_schema({endpoint_addr = "https://127.0.0.1"})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
--- no_error_log
Using skywalking-logger endpoint_addr with no TLS is a security risk
=== TEST 13: skywalking with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.skywalking")
local ok, err = plugin.check_schema({endpoint_addr = "http://127.0.0.1:12800"})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- request
GET /t
--- response_body
done
--- error_log
Using skywalking endpoint_addr with no TLS is a security risk
=== TEST 14: skywalking with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.skywalking")
local ok, err = plugin.check_schema({endpoint_addr = "https://127.0.0.1:12800"})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- request
GET /t
--- response_body
done
--- no_error_log
Using skywalking endpoint_addr with no TLS is a security risk
=== TEST 15: syslog with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.syslog")
local ok, err = plugin.check_schema({
host = "127.0.0.1",
port = 5140,
tls = false
})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- request
GET /t
--- response_body
done
--- error_log
Keeping tls disabled in syslog configuration is a security risk
=== TEST 16: syslog with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.syslog")
local ok, err = plugin.check_schema({
host = "127.0.0.1",
port = 5140,
tls = true
})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- request
GET /t
--- response_body
done
--- no_error_log
Keeping tls disabled in syslog configuration is a security risk
=== TEST 17: tcp-logger with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.tcp-logger")
local ok, err = plugin.check_schema({host = "127.0.0.1", port = 3000, tls = false})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- request
GET /t
--- response_body
done
--- error_log
Keeping tls disabled in tcp-logger configuration is a security risk
=== TEST 18: tcp-logger with TLS
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"tcp-logger": {
"host": "127.0.0.1",
"port": 3000,
"tls": true
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
Keeping tls disabled in tcp-logger configuration is a security risk
=== TEST 19: wolf-rbac with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.wolf-rbac")
local conf = {
server = "http://127.0.0.1:12180"
}
local ok, err = plugin.check_schema(conf)
if not ok then
ngx.say(err)
end
ngx.say(require("toolkit.json").encode(conf))
}
}
--- response_body_like eval
qr/\{"appid":"unset","header_prefix":"X-","server":"http:\/\/127\.0\.0\.1:12180"\}/
--- error_log
Using wolf-rbac server with no TLS is a security risk
=== TEST 20: wolf-rbac with TLS
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "wolf_rbac_unit_test",
"plugins": {
"wolf-rbac": {
"appid": "wolf-rbac-app",
"server": "https://127.0.0.1:1982"
}
}
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
--- no_error_log
Using wolf-rbac server with no TLS is a security risk
=== TEST 21: zipkin with no TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.zipkin")
local ok, err = plugin.check_schema({endpoint = 'http://127.0.0.1', sample_ratio = 0.001})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- request
GET /t
--- response_body
done
--- error_log
Using zipkin endpoint with no TLS is a security risk
=== TEST 22: zipkin with TLS
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.zipkin")
local ok, err = plugin.check_schema({endpoint = 'https://127.0.0.1', sample_ratio = 0.001})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- request
GET /t
--- response_body
done
--- no_error_log
Using zipkin endpoint with no TLS is a security risk