0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2025-01-06 22:40:28 -05:00
zot/test/blackbox/metrics.bats
Alexei Dodon a345ba0823
fix: metrics should be protected behind authZ (#1895)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-10-20 10:33:26 +03:00

113 lines
3 KiB
Bash

# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
# Makefile target installs & checks all necessary tooling
# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
load helpers_zot
load helpers_metrics
function verify_prerequisites() {
if [ ! $(command -v curl) ]; then
echo "you need to install curl as a prerequisite to running the tests" >&3
return 1
fi
if [ ! $(command -v htpasswd) ]; then
echo "you need to install htpasswd as a prerequisite to running the tests" >&3
return 1
fi
return 0
}
function setup_file() {
# verify prerequisites are available
if ! $(verify_prerequisites); then
exit 1
fi
# Setup zot server
zot_root_dir=${BATS_FILE_TMPDIR}/zot
echo ${zot_root_dir} >&3
zot_log_file=${zot_root_dir}/zot-log.json
zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
htpasswd -Bbn ${METRICS_USER} ${METRICS_PASS} >> ${zot_htpasswd_file}
mkdir -p ${zot_root_dir}
touch ${zot_log_file}
cat >${zot_config_file} <<EOF
{
"distSpecVersion": "1.1.0-dev",
"storage": {
"rootDirectory": "${zot_root_dir}"
},
"http": {
"address": "0.0.0.0",
"port": "8080",
"auth": {
"htpasswd": {
"path": "${zot_htpasswd_file}"
}
},
"accessControl": {
"metrics":{
"users": ["${METRICS_USER}"]
},
"repositories": {
"**": {
"anonymousPolicy": [
"read"
],
"defaultPolicy": ["read","create"]
}
}
}
},
"log": {
"level": "debug",
"output": "${zot_log_file}"
},
"extensions": {
"metrics": {
"enable": true,
"prometheus": {
"path": "/metrics"
}
}
}
}
EOF
zot_serve ${ZOT_PATH} ${zot_config_file}
wait_zot_reachable 8080
}
function teardown() {
# conditionally printing on failure is possible from teardown but not from from teardown_file
cat ${BATS_FILE_TMPDIR}/zot/zot-log.json
}
function teardown_file() {
zot_stop_all
}
@test "unauthorized request to metrics" {
# anonymous policy: metrics endpoint should not be available
# 401 - http.StatusUnauthorized
run metrics_route_check 8080 "" 401
[ "$status" -eq 0 ]
# user is not in htpasswd
run metrics_route_check 8080 "-u unlucky:wrongpass" 401
[ "$status" -eq 0 ]
# proper user/pass tuple from htpasswd, but user not allowed to access metrics
# 403 - http.StatusForbidden
run metrics_route_check 8080 "-u ${AUTH_USER}:${AUTH_PASS}" 403
[ "$status" -eq 0 ]
}
@test "authorized request: metrics enabled" {
run metrics_route_check 8080 "-u ${METRICS_USER}:${METRICS_PASS}" 200
[ "$status" -eq 0 ]
}