| #!/usr/bin/env bash |
| |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| |
| # 'make init' operates scripts and related configuration files in the current directory |
| # The 'apisix' command is a command in the /usr/local/apisix, |
| # and the configuration file for the operation is in the /usr/local/apisix/conf |
| |
| set -ex |
| |
| clean_up() { |
| git checkout conf/config.yaml |
| } |
| |
| trap clean_up EXIT |
| |
| unset APISIX_PROFILE |
| |
| git checkout conf/config.yaml |
| |
| # check 'Server: APISIX' is not in nginx.conf. We already added it in Lua code. |
| make init |
| |
| if grep "Server: APISIX" conf/nginx.conf > /dev/null; then |
| echo "failed: 'Server: APISIX' should not be added twice" |
| exit 1 |
| fi |
| |
| echo "passed: 'Server: APISIX' not in nginx.conf" |
| |
| #make init <- no need to re-run since we don't change the config yet. |
| |
| # check the error_log directive uses warn level by default. |
| if ! grep "error_log logs/error.log warn;" conf/nginx.conf > /dev/null; then |
| echo "failed: error_log directive doesn't use warn level by default" |
| exit 1 |
| fi |
| |
| echo "passed: error_log directive uses warn level by default" |
| |
| # check whether the 'reuseport' is in nginx.conf . |
| |
| grep -E "listen 9080.*reuseport" conf/nginx.conf > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: nginx.conf file is missing reuseport configuration" |
| exit 1 |
| fi |
| |
| echo "passed: nginx.conf file contains reuseport configuration" |
| |
| # check default ssl port |
| echo " |
| apisix: |
| ssl: |
| enable: true |
| ssl_cert: '../t/certs/apisix.crt' |
| ssl_cert_key: '../t/certs/apisix.key' |
| listen_port: 8443 |
| " > conf/config.yaml |
| |
| make init |
| |
| grep "listen 8443 ssl" conf/nginx.conf > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: failed to update ssl port" |
| exit 1 |
| fi |
| |
| grep "listen \[::\]:8443 ssl" conf/nginx.conf > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: failed to update ssl port" |
| exit 1 |
| fi |
| |
| echo "passed: change default ssl port" |
| |
| # check support multiple ports listen in http and https |
| |
| echo " |
| apisix: |
| node_listen: |
| - 9080 |
| - 9081 |
| - 9082 |
| ssl: |
| enable: true |
| ssl_cert: '../t/certs/apisix.crt' |
| ssl_cert_key: '../t/certs/apisix.key' |
| listen_port: |
| - 9443 |
| - 9444 |
| - 9445 |
| " > conf/config.yaml |
| |
| make init |
| |
| count_http_ipv4=`grep -c "listen 908." conf/nginx.conf || true` |
| if [ $count_http_ipv4 -ne 3 ]; then |
| echo "failed: failed to support multiple ports listen in http with ipv4" |
| exit 1 |
| fi |
| |
| count_http_ipv6=`grep -c "listen \[::\]:908." conf/nginx.conf || true` |
| if [ $count_http_ipv6 -ne 3 ]; then |
| echo "failed: failed to support multiple ports listen in http with ipv6" |
| exit 1 |
| fi |
| |
| count_https_ipv4=`grep -c "listen 944. ssl" conf/nginx.conf || true` |
| if [ $count_https_ipv4 -ne 3 ]; then |
| echo "failed: failed to support multiple ports listen in https with ipv4" |
| exit 1 |
| fi |
| |
| count_https_ipv6=`grep -c "listen \[::\]:944. ssl" conf/nginx.conf || true` |
| if [ $count_https_ipv6 -ne 3 ]; then |
| echo "failed: failed to support multiple ports listen in https with ipv6" |
| exit 1 |
| fi |
| |
| echo "passed: support multiple ports listen in http and https" |
| |
| # check default env |
| echo " |
| nginx_config: |
| envs: |
| - TEST |
| " > conf/config.yaml |
| |
| make init |
| |
| grep "env TEST;" conf/nginx.conf > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: failed to update env" |
| exit 1 |
| fi |
| |
| echo "passed: change default env" |
| |
| # support environment variables |
| echo ' |
| nginx_config: |
| envs: |
| - ${{var_test}}_${{FOO}} |
| ' > conf/config.yaml |
| |
| var_test=TEST FOO=bar make init |
| |
| if ! grep "env TEST_bar;" conf/nginx.conf > /dev/null; then |
| echo "failed: failed to resolve variables" |
| exit 1 |
| fi |
| |
| echo "passed: resolve variables" |
| |
| echo ' |
| nginx_config: |
| worker_rlimit_nofile: ${{nofile9}} |
| ' > conf/config.yaml |
| |
| nofile9=99999 make init |
| |
| if ! grep "worker_rlimit_nofile 99999;" conf/nginx.conf > /dev/null; then |
| echo "failed: failed to resolve variables as integer" |
| exit 1 |
| fi |
| |
| echo "passed: resolve variables as integer" |
| |
| echo ' |
| apisix: |
| enable_admin: ${{admin}} |
| ' > conf/config.yaml |
| |
| admin=false make init |
| |
| if grep "location /apisix/admin" conf/nginx.conf > /dev/null; then |
| echo "failed: failed to resolve variables as boolean" |
| exit 1 |
| fi |
| |
| echo "passed: resolve variables as boolean" |
| |
| echo ' |
| nginx_config: |
| envs: |
| - ${{ var_test}}_${{ FOO }} |
| ' > conf/config.yaml |
| |
| var_test=TEST FOO=bar make init |
| |
| if ! grep "env TEST_bar;" conf/nginx.conf > /dev/null; then |
| echo "failed: failed to resolve variables wrapped with whitespace" |
| exit 1 |
| fi |
| |
| echo "passed: resolve variables wrapped with whitespace" |
| |
| # check nameserver imported |
| git checkout conf/config.yaml |
| |
| make init |
| |
| i=`grep -E '^nameserver[[:space:]]+(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4]0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])[[:space:]]?$' /etc/resolv.conf | awk '{print $2}'` |
| for ip in $i |
| do |
| echo $ip |
| grep $ip conf/nginx.conf > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: system DNS "$ip" unimported" |
| exit 1 |
| fi |
| done |
| |
| echo "passed: system nameserver imported" |
| |
| # enable enable_dev_mode |
| git checkout conf/config.yaml |
| |
| echo " |
| apisix: |
| enable_dev_mode: true |
| " > conf/config.yaml |
| |
| make init |
| |
| count=`grep -c "worker_processes 1;" conf/nginx.conf` |
| if [ $count -ne 1 ]; then |
| echo "failed: worker_processes is not 1 when enable enable_dev_mode" |
| exit 1 |
| fi |
| |
| count=`grep -c "listen 9080.*reuseport" conf/nginx.conf || true` |
| if [ $count -ne 0 ]; then |
| echo "failed: reuseport should be disabled when enable enable_dev_mode" |
| exit 1 |
| fi |
| |
| echo "passed: enable enable_dev_mode" |
| |
| # check whether the 'worker_cpu_affinity' is in nginx.conf |
| |
| git checkout conf/config.yaml |
| |
| make init |
| |
| grep -E "worker_cpu_affinity" conf/nginx.conf > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: nginx.conf file is missing worker_cpu_affinity configuration" |
| exit 1 |
| fi |
| |
| echo "passed: nginx.conf file contains worker_cpu_affinity configuration" |
| |
| # check admin https enabled |
| |
| git checkout conf/config.yaml |
| |
| echo " |
| apisix: |
| ssl: |
| enable: true |
| ssl_cert: '../t/certs/apisix.crt' |
| ssl_cert_key: '../t/certs/apisix.key' |
| admin_api_mtls: |
| admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt' |
| admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key' |
| port_admin: 9180 |
| https_admin: true |
| " > conf/config.yaml |
| |
| make init |
| |
| grep "listen 9180 ssl" conf/nginx.conf > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: failed to enabled https for admin" |
| exit 1 |
| fi |
| |
| make run |
| |
| code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} https://127.0.0.1:9180/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1') |
| if [ ! $code -eq 200 ]; then |
| echo "failed: failed to enabled https for admin" |
| exit 1 |
| fi |
| |
| make stop |
| |
| echo "passed: admin https enabled" |
| |
| # rollback to the default |
| |
| git checkout conf/config.yaml |
| |
| make init |
| |
| set +ex |
| |
| grep "listen 9180 ssl" conf/nginx.conf > /dev/null |
| if [ ! $? -eq 1 ]; then |
| echo "failed: failed to rollback to the default admin config" |
| exit 1 |
| fi |
| |
| set -ex |
| |
| echo "passed: rollback to the default admin config" |
| |
| # check the 'worker_shutdown_timeout' in 'nginx.conf' . |
| |
| make init |
| |
| grep -E "worker_shutdown_timeout 240s" conf/nginx.conf > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: worker_shutdown_timeout in nginx.conf is required 240s" |
| exit 1 |
| fi |
| |
| echo "passed: worker_shutdown_timeout in nginx.conf is ok" |
| |
| # set allow_admin in conf/config.yaml |
| |
| echo " |
| apisix: |
| allow_admin: |
| - 127.0.0.9 |
| " > conf/config.yaml |
| |
| make init |
| |
| count=`grep -c "allow 127.0.0.9" conf/nginx.conf` |
| if [ $count -eq 0 ]; then |
| echo "failed: not found 'allow 127.0.0.9;' in conf/nginx.conf" |
| exit 1 |
| fi |
| |
| echo " |
| apisix: |
| allow_admin: ~ |
| " > conf/config.yaml |
| |
| make init |
| |
| count=`grep -c "allow all;" conf/nginx.conf` |
| if [ $count -eq 0 ]; then |
| echo "failed: not found 'allow all;' in conf/nginx.conf" |
| exit 1 |
| fi |
| |
| echo "passed: empty allow_admin in conf/config.yaml" |
| |
| # check the 'client_max_body_size' in 'nginx.conf' . |
| |
| git checkout conf/config.yaml |
| |
| echo ' |
| nginx_config: |
| http: |
| client_max_body_size: 512m |
| ' > conf/config.yaml |
| |
| make init |
| |
| if ! grep -E "client_max_body_size 512m" conf/nginx.conf > /dev/null; then |
| echo "failed: client_max_body_size in nginx.conf doesn't change" |
| exit 1 |
| fi |
| |
| echo "passed: client_max_body_size in nginx.conf is ok" |
| |
| # check worker processes number is configurable. |
| |
| git checkout conf/config.yaml |
| |
| echo " |
| nginx_config: |
| worker_processes: 2 |
| " > conf/config.yaml |
| |
| make init |
| |
| grep "worker_processes 2;" conf/nginx.conf > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: worker_processes in nginx.conf doesn't change" |
| exit 1 |
| fi |
| |
| sed -i 's/worker_processes: 2/worker_processes: auto/' conf/config.yaml |
| echo "passed: worker_processes number is configurable" |
| |
| # log format |
| |
| git checkout conf/config.yaml |
| |
| echo ' |
| nginx_config: |
| http: |
| access_log_format: "$remote_addr - $remote_user [$time_local] $http_host test_access_log_format" |
| ' > conf/config.yaml |
| |
| make init |
| |
| grep "test_access_log_format" conf/nginx.conf > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: access_log_format in nginx.conf doesn't change" |
| exit 1 |
| fi |
| |
| echo "passed: access_log_format in nginx.conf is ok" |
| |
| # check enable access log |
| |
| echo ' |
| nginx_config: |
| http: |
| enable_access_log: true |
| access_log_format: "$remote_addr - $remote_user [$time_local] $http_host test_enable_access_log_true" |
| ' > conf/config.yaml |
| |
| make init |
| |
| count_test_access_log=`grep -c "test_enable_access_log_true" conf/nginx.conf || true` |
| if [ $count_test_access_log -eq 0 ]; then |
| echo "failed: nginx.conf file doesn't find access_log_format when enable access log" |
| exit 1 |
| fi |
| |
| count_access_log_off=`grep -c "access_log off;" conf/nginx.conf || true` |
| if [ $count_access_log_off -eq 2 ]; then |
| echo "failed: nginx.conf file find access_log off; when enable access log" |
| exit 1 |
| fi |
| |
| make run |
| sleep 0.1 |
| curl http://127.0.0.1:9080/hi |
| sleep 4 |
| tail -n 1 logs/access.log > output.log |
| |
| count_grep=`grep -c "test_enable_access_log_true" output.log || true` |
| if [ $count_grep -eq 0 ]; then |
| echo "failed: not found test_enable_access_log in access.log " |
| exit 1 |
| fi |
| |
| make stop |
| |
| echo ' |
| nginx_config: |
| http: |
| enable_access_log: false |
| access_log_format: "$remote_addr - $remote_user [$time_local] $http_host test_enable_access_log_false" |
| ' > conf/config.yaml |
| |
| make init |
| |
| count_test_access_log=`grep -c "test_enable_access_log_false" conf/nginx.conf || true` |
| if [ $count_test_access_log -eq 1 ]; then |
| echo "failed: nginx.conf file find access_log_format when disable access log" |
| exit 1 |
| fi |
| |
| count_access_log_off=`grep -c "access_log off;" conf/nginx.conf || true` |
| if [ $count_access_log_off -ne 2 ]; then |
| echo "failed: nginx.conf file doesn't find access_log off; when disable access log" |
| exit 1 |
| fi |
| |
| make run |
| sleep 0.1 |
| curl http://127.0.0.1:9080/hi |
| sleep 4 |
| tail -n 1 logs/access.log > output.log |
| |
| count_grep=`grep -c "test_enable_access_log_false" output.log || true` |
| if [ $count_grep -eq 1 ]; then |
| echo "failed: found test_enable_access_log in access.log " |
| exit 1 |
| fi |
| |
| make stop |
| |
| echo "passed: enable_access_log is ok" |
| |
| # missing admin key, allow any IP to access admin api |
| |
| git checkout conf/config.yaml |
| |
| echo ' |
| apisix: |
| allow_admin: ~ |
| admin_key: ~ |
| ' > conf/config.yaml |
| |
| make init > output.log 2>&1 | true |
| |
| grep -E "ERROR: missing valid Admin API token." output.log > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: should show 'ERROR: missing valid Admin API token.'" |
| exit 1 |
| fi |
| |
| echo "pass: missing admin key and show ERROR message" |
| |
| # admin api, allow any IP but use default key |
| |
| echo ' |
| apisix: |
| allow_admin: ~ |
| admin_key: |
| - |
| name: "admin" |
| key: edd1c9f034335f136f87ad84b625c8f1 |
| role: admin |
| ' > conf/config.yaml |
| |
| make init > output.log 2>&1 | true |
| |
| grep -E "WARNING: using fixed Admin API token has security risk." output.log > /dev/null |
| if [ ! $? -eq 0 ]; then |
| echo "failed: need to show `WARNING: using fixed Admin API token has security risk`" |
| exit 1 |
| fi |
| |
| echo "pass: show WARNING message if the user used default token and allow any IP to access" |
| |
| # allow to merge configuration without middle layer |
| |
| git checkout conf/config.yaml |
| |
| echo ' |
| nginx_config: |
| http: |
| lua_shared_dicts: |
| my_dict: 1m |
| ' > conf/config.yaml |
| |
| make init |
| |
| if ! grep "lua_shared_dict my_dict 1m;" conf/nginx.conf > /dev/null; then |
| echo "failed: 'my_dict' not in nginx.conf" |
| exit 1 |
| fi |
| |
| echo "passed: found 'my_dict' in nginx.conf" |
| |
| # check disable cpu affinity |
| git checkout conf/config.yaml |
| |
| echo ' |
| nginx_config: |
| enable_cpu_affinity: false |
| ' > conf/config.yaml |
| |
| make init |
| |
| count=`grep -c "worker_cpu_affinity" conf/nginx.conf || true` |
| if [ $count -ne 0 ]; then |
| echo "failed: nginx.conf file found worker_cpu_affinity when disable it" |
| exit 1 |
| fi |
| |
| echo "passed: nginx.conf file disable cpu affinity" |
| |
| # set worker processes with env |
| git checkout conf/config.yaml |
| |
| export APISIX_WORKER_PROCESSES=8 |
| |
| make init |
| |
| count=`grep -c "worker_processes 8;" conf/nginx.conf || true` |
| if [ $count -ne 1 ]; then |
| echo "failed: worker_processes is not 8 when using env to set worker processes" |
| exit 1 |
| fi |
| |
| echo "passed: using env to set worker processes" |
| |
| # set worker processes with env |
| git checkout conf/config.yaml |
| |
| echo ' |
| apisix: |
| ssl: |
| enable: true |
| ssl_cert: "../t/certs/apisix.crt" |
| ssl_cert_key: "../t/certs/apisix.key" |
| ' > conf/config.yaml |
| |
| make init |
| |
| count=`grep -c "ssl_session_tickets off;" conf/nginx.conf || true ` |
| if [ $count -eq 0 ]; then |
| echo "failed: ssl_session_tickets is off when ssl.ssl_session_tickets is false." |
| exit 1 |
| fi |
| |
| echo ' |
| apisix: |
| ssl: |
| enable: true |
| ssl_cert: "../t/certs/apisix.crt" |
| ssl_cert_key: "../t/certs/apisix.key" |
| ssl_session_tickets: true |
| ' > conf/config.yaml |
| |
| make init |
| |
| count=`grep -c "ssl_session_tickets on;" conf/nginx.conf || true ` |
| if [ $count -eq 0 ]; then |
| echo "failed: ssl_session_tickets is on when ssl.ssl_session_tickets is true." |
| exit 1 |
| fi |
| |
| echo "passed: disable ssl_session_tickets by default" |
| |
| # access log with JSON format |
| |
| echo ' |
| nginx_config: |
| http: |
| access_log_format: |- |
| {"@timestamp": "$time_iso8601", "client_ip": "$remote_addr", "status": "$status"} |
| access_log_format_escape: json |
| ' > conf/config.yaml |
| |
| make init |
| make run |
| sleep 0.1 |
| curl http://127.0.0.1:9080/hello2 |
| sleep 4 |
| tail -n 1 logs/access.log > output.log |
| |
| if [ `grep -c '"client_ip": "127.0.0.1"' output.log` -eq '0' ]; then |
| echo "failed: invalid JSON log in access log" |
| exit 1 |
| fi |
| |
| if [ `grep -c 'main escape=json' conf/nginx.conf` -eq '0' ]; then |
| echo "failed: not found \"escape=json\" in conf/nginx.conf" |
| exit 1 |
| fi |
| |
| make stop |
| |
| echo "passed: access log with JSON format" |
| |
| # check etcd while enable auth |
| git checkout conf/config.yaml |
| |
| export ETCDCTL_API=3 |
| etcdctl version |
| etcdctl --endpoints=127.0.0.1:2379 user add "root:apache-api6" |
| etcdctl --endpoints=127.0.0.1:2379 role add root |
| etcdctl --endpoints=127.0.0.1:2379 user grant-role root root |
| etcdctl --endpoints=127.0.0.1:2379 user get root |
| etcdctl --endpoints=127.0.0.1:2379 auth enable |
| etcdctl --endpoints=127.0.0.1:2379 --user=root:apache-api6 del /apisix --prefix |
| |
| echo ' |
| etcd: |
| host: |
| - "http://127.0.0.1:2379" |
| prefix: "/apisix" |
| timeout: 30 |
| user: root |
| password: apache-api6 |
| ' > conf/config.yaml |
| |
| make init |
| cmd_res=`etcdctl --endpoints=127.0.0.1:2379 --user=root:apache-api6 get /apisix --prefix` |
| etcdctl --endpoints=127.0.0.1:2379 --user=root:apache-api6 auth disable |
| etcdctl --endpoints=127.0.0.1:2379 role delete root |
| etcdctl --endpoints=127.0.0.1:2379 user delete root |
| |
| init_kv=( |
| /apisix/consumers/ |
| init_dir |
| /apisix/global_rules/ |
| init_dir |
| /apisix/node_status/ |
| init_dir |
| /apisix/plugin_metadata/ |
| init_dir |
| /apisix/plugins/ |
| init_dir |
| /apisix/proto/ |
| init_dir |
| /apisix/routes/ |
| init_dir |
| /apisix/services/ |
| init_dir |
| /apisix/ssl/ |
| init_dir |
| /apisix/stream_routes/ |
| init_dir |
| /apisix/upstreams/ |
| init_dir |
| ) |
| i=0 |
| |
| for kv in $cmd_res |
| do |
| if [ "${init_kv[$i]}" != "$kv" ]; then |
| echo "failed: index=$i, $kv is not equal to ${init_kv[$i]}" |
| exit 1 |
| fi |
| let i=$i+1 |
| done |
| |
| echo "passed: etcd auth enabled and init kv has been set up correctly" |