498b235461
Build and test / Build and test AMD64 Ubuntu 22.04 (push) Failing after 0s
Publish Builder / amazonlinux2023 (push) Failing after 1s
Build and test / UT for Go (push) Has been skipped
Publish KRTE Images / KRTE (push) Failing after 1s
Build and test / Integration Test (push) Has been skipped
Build and test / Upload Code Coverage (push) Has been skipped
Publish Builder / rockylinux9 (push) Failing after 1s
Publish Builder / ubuntu22.04 (push) Failing after 0s
Publish Builder / ubuntu24.04 (push) Failing after 0s
Publish Gpu Builder / publish-gpu-builder (push) Failing after 1s
Publish Test Images / PyTest (push) Failing after 0s
Build and test / UT for Cpp (push) Has been cancelled
611 lines
22 KiB
Go
611 lines
22 KiB
Go
// Licensed to the LF AI & Data foundation under one
|
|
// or more contributor license agreements. See the NOTICE file
|
|
// distributed with this work for additional information
|
|
// regarding copyright ownership. The ASF licenses this file
|
|
// to you under the Apache License, Version 2.0 (the
|
|
// "License"); you may not use this file except in compliance
|
|
// with the License. You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package http
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/suite"
|
|
|
|
"github.com/milvus-io/milvus-proto/go-api/v3/commonpb"
|
|
"github.com/milvus-io/milvus/internal/http/healthz"
|
|
"github.com/milvus-io/milvus/internal/json"
|
|
"github.com/milvus-io/milvus/internal/proxy/privilege"
|
|
"github.com/milvus-io/milvus/pkg/v3/mlog"
|
|
"github.com/milvus-io/milvus/pkg/v3/util"
|
|
"github.com/milvus-io/milvus/pkg/v3/util/expr"
|
|
"github.com/milvus-io/milvus/pkg/v3/util/funcutil"
|
|
"github.com/milvus-io/milvus/pkg/v3/util/paramtable"
|
|
)
|
|
|
|
type HTTPServerTestSuite struct {
|
|
suite.Suite
|
|
}
|
|
|
|
func (suite *HTTPServerTestSuite) SetupSuite() {
|
|
paramtable.Init()
|
|
ServeHTTP()
|
|
conn, err := net.DialTimeout("tcp", "localhost:"+DefaultListenPort, time.Second*5)
|
|
if err != nil {
|
|
time.Sleep(time.Second)
|
|
conn, err = net.DialTimeout("tcp", "localhost:"+DefaultListenPort, time.Second*5)
|
|
}
|
|
suite.Equal(nil, err)
|
|
conn.Close()
|
|
}
|
|
|
|
func (suite *HTTPServerTestSuite) TearDownSuite() {
|
|
defer server.Close()
|
|
metricsServer = nil
|
|
}
|
|
|
|
func (suite *HTTPServerTestSuite) TestGetHTTPAddr() {
|
|
suite.Equal(getHTTPAddr(), ":"+DefaultListenPort)
|
|
testPort := "9092"
|
|
os.Setenv(ListenPortEnvKey, testPort)
|
|
suite.Equal(getHTTPAddr(), ":"+testPort)
|
|
}
|
|
|
|
func (suite *HTTPServerTestSuite) TestDefaultLogHandler() {
|
|
mlog.SetLevel(mlog.DebugLevel)
|
|
suite.Equal(mlog.DebugLevel, mlog.GetLevel())
|
|
|
|
// replace global logger, log change will not be affected.
|
|
conf := &mlog.Config{Level: "info", File: mlog.FileLogConfig{}, DisableTimestamp: true}
|
|
logger, p, _ := mlog.InitLogger(conf)
|
|
mlog.ReplaceGlobals(logger, p)
|
|
suite.Equal(mlog.InfoLevel, mlog.GetLevel())
|
|
|
|
// change log level through http
|
|
payload, err := json.Marshal(map[string]any{"level": "error"})
|
|
suite.Require().NoError(err)
|
|
|
|
url := "http://localhost:" + DefaultListenPort + "/log/level"
|
|
req, err := http.NewRequest(http.MethodPut, url, bytes.NewBuffer(payload))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
suite.Require().NoError(err)
|
|
|
|
client := http.Client{}
|
|
resp, err := client.Do(req)
|
|
suite.Require().NoError(err)
|
|
defer resp.Body.Close()
|
|
|
|
body, err := io.ReadAll(resp.Body)
|
|
suite.Require().NoError(err)
|
|
suite.Equal("{\"level\":\"error\"}\n", string(body))
|
|
suite.Equal(mlog.ErrorLevel, mlog.GetLevel())
|
|
}
|
|
|
|
func (suite *HTTPServerTestSuite) TestHealthzHandler() {
|
|
url := "http://localhost:" + DefaultListenPort + "/healthz"
|
|
client := http.Client{}
|
|
|
|
healthz.SetComponentNum(1)
|
|
healthz.Register(&MockIndicator{"m1", commonpb.StateCode_Healthy})
|
|
|
|
req, _ := http.NewRequest(http.MethodGet, url, nil)
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
body, _ := io.ReadAll(resp.Body)
|
|
suite.Equal("OK", string(body))
|
|
|
|
req, _ = http.NewRequest(http.MethodGet, url, nil)
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, err = client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
body, _ = io.ReadAll(resp.Body)
|
|
suite.Equal("{\"state\":\"OK\",\"detail\":[{\"name\":\"m1\",\"code\":1}]}", string(body))
|
|
|
|
healthz.SetComponentNum(2)
|
|
healthz.Register(&MockIndicator{"m2", commonpb.StateCode_Abnormal})
|
|
req, _ = http.NewRequest(http.MethodGet, url, nil)
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, err = client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
body, _ = io.ReadAll(resp.Body)
|
|
respObj := &healthz.HealthResponse{}
|
|
err = json.Unmarshal(body, respObj)
|
|
suite.NoError(err)
|
|
suite.NotEqual("OK", respObj.State)
|
|
}
|
|
|
|
func (suite *HTTPServerTestSuite) TestEventlogHandler() {
|
|
url := "http://localhost:" + DefaultListenPort + EventLogRouterPath
|
|
client := http.Client{}
|
|
req, _ := http.NewRequest(http.MethodGet, url, nil)
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
body, _ := io.ReadAll(resp.Body)
|
|
suite.True(strings.HasPrefix(string(body), "{\"status\":200,\"port\":"))
|
|
}
|
|
|
|
func (suite *HTTPServerTestSuite) TestPprofHandler() {
|
|
client := http.Client{}
|
|
testCases := []struct {
|
|
enable bool
|
|
path string
|
|
statusCode int
|
|
resp []byte
|
|
}{
|
|
{true, "/debug/pprof/<script>scripty<script>", http.StatusNotFound, []byte("Unknown profile\n")},
|
|
{true, "/debug/pprof/heap", http.StatusOK, nil},
|
|
{true, "/debug/pprof/heap?debug=1", http.StatusOK, nil},
|
|
{true, "/debug/pprof/cmdline", http.StatusOK, nil},
|
|
{true, "/debug/pprof/profile?seconds=1", http.StatusOK, nil},
|
|
{true, "/debug/pprof/symbol", http.StatusOK, nil},
|
|
{true, "/debug/pprof/trace", http.StatusOK, nil},
|
|
{true, "/debug/pprof/mutex", http.StatusOK, nil},
|
|
{true, "/debug/pprof/block?seconds=1", http.StatusOK, nil},
|
|
{true, "/debug/pprof/goroutine?seconds=1", http.StatusOK, nil},
|
|
{true, "/debug/pprof/", http.StatusOK, []byte("Types of profiles available:")},
|
|
{false, "/debug/pprof/<script>scripty<script>", http.StatusNotFound, []byte("404 page not found\n")},
|
|
{false, "/debug/pprof/heap", http.StatusNotFound, []byte("404 page not found\n")},
|
|
{false, "/debug/pprof/heap?debug=1", http.StatusNotFound, []byte("404 page not found\n")},
|
|
{false, "/debug/pprof/cmdline", http.StatusNotFound, []byte("404 page not found\n")},
|
|
{false, "/debug/pprof/profile?seconds=1", http.StatusNotFound, []byte("404 page not found\n")},
|
|
{false, "/debug/pprof/symbol", http.StatusNotFound, []byte("404 page not found\n")},
|
|
{false, "/debug/pprof/trace", http.StatusNotFound, []byte("404 page not found\n")},
|
|
{false, "/debug/pprof/mutex", http.StatusNotFound, []byte("404 page not found\n")},
|
|
{false, "/debug/pprof/block?seconds=1", http.StatusNotFound, []byte("404 page not found\n")},
|
|
{false, "/debug/pprof/goroutine?seconds=1", http.StatusNotFound, []byte("404 page not found\n")},
|
|
{false, "/debug/pprof/", http.StatusNotFound, []byte("404 page not found\n")},
|
|
}
|
|
for _, tc := range testCases {
|
|
if tc.enable != paramtable.Get().HTTPCfg.EnablePprof.GetAsBool() {
|
|
continue
|
|
}
|
|
req, _ := http.NewRequest(http.MethodGet, "http://localhost:"+DefaultListenPort+tc.path, nil)
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
if err == nil {
|
|
defer resp.Body.Close()
|
|
suite.Equal(tc.statusCode, resp.StatusCode)
|
|
body, err := io.ReadAll(resp.Body)
|
|
suite.Nil(err)
|
|
if resp.StatusCode != http.StatusOK {
|
|
suite.True(bytes.Equal(tc.resp, body))
|
|
}
|
|
} else {
|
|
fmt.Println(err.Error())
|
|
}
|
|
}
|
|
}
|
|
|
|
func (suite *HTTPServerTestSuite) TestExprHandler() {
|
|
expr.Init()
|
|
expr.Register("foo", "hello")
|
|
|
|
suite.Run("disabled_by_default", func() {
|
|
// By default, exprEnabled is false, should return 403
|
|
paramtable.Get().Save("common.security.exprEnabled", "false")
|
|
url := "http://localhost:" + DefaultListenPort + ExprPath + "?code=foo&auth=by-dev"
|
|
client := http.Client{}
|
|
req, _ := http.NewRequest(http.MethodGet, url, nil)
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusForbidden, resp.StatusCode)
|
|
body, _ := io.ReadAll(resp.Body)
|
|
suite.True(strings.Contains(string(body), "expr endpoint is disabled"))
|
|
})
|
|
|
|
suite.Run("disabled_on_non_proxy_nodes", func() {
|
|
// When enabled but not on Proxy node (no proxy registered, no passwordVerifyFunc),
|
|
// it should return 403 Forbidden
|
|
paramtable.Get().Save("common.security.exprEnabled", "true")
|
|
|
|
// Should be forbidden on non-Proxy nodes
|
|
url := "http://localhost:" + DefaultListenPort + ExprPath + "?code=foo&auth=by-dev"
|
|
client := http.Client{}
|
|
req, _ := http.NewRequest(http.MethodGet, url, nil)
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusForbidden, resp.StatusCode)
|
|
body, _ := io.ReadAll(resp.Body)
|
|
suite.True(strings.Contains(string(body), "only available on Proxy nodes"))
|
|
})
|
|
|
|
suite.Run("root_only_requires_root_when_authorization_disabled", func() {
|
|
paramtable.Get().Save("common.security.exprEnabled", "true")
|
|
paramtable.Get().Save("common.security.exprAuthMode", ExprAuthModeRootOnly)
|
|
paramtable.Get().Save("common.security.authorizationEnabled", "false")
|
|
expr.Register("proxy", "mock_proxy")
|
|
|
|
RegisterPasswordVerifyFunc(func(ctx context.Context, username, password string) bool {
|
|
return (username == "root" && password == "Milvus") ||
|
|
(username == "admin" && password == "admin123")
|
|
})
|
|
|
|
url := "http://localhost:" + DefaultListenPort + ExprPath + "?code=foo"
|
|
client := http.Client{}
|
|
req, _ := http.NewRequest(http.MethodGet, url, nil)
|
|
req.SetBasicAuth("admin", "admin123")
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusForbidden, resp.StatusCode)
|
|
body, _ := io.ReadAll(resp.Body)
|
|
suite.True(strings.Contains(string(body), "only root user can access"))
|
|
|
|
req, _ = http.NewRequest(http.MethodGet, url, nil)
|
|
req.SetBasicAuth("root", "Milvus")
|
|
resp, err = client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusOK, resp.StatusCode)
|
|
body, _ = io.ReadAll(resp.Body)
|
|
suite.True(strings.Contains(string(body), "hello"))
|
|
})
|
|
|
|
suite.Run("rbac_mode_requires_authorization_enabled", func() {
|
|
paramtable.Get().Save("common.security.exprEnabled", "true")
|
|
paramtable.Get().Save("common.security.exprAuthMode", ExprAuthModeRBAC)
|
|
paramtable.Get().Save("common.security.authorizationEnabled", "false")
|
|
expr.Register("proxy", "mock_proxy")
|
|
|
|
RegisterPasswordVerifyFunc(func(ctx context.Context, username, password string) bool {
|
|
return username == "root" && password == "Milvus"
|
|
})
|
|
|
|
url := "http://localhost:" + DefaultListenPort + ExprPath + "?code=foo"
|
|
client := http.Client{}
|
|
req, _ := http.NewRequest(http.MethodGet, url, nil)
|
|
req.SetBasicAuth("root", "Milvus")
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusForbidden, resp.StatusCode)
|
|
body, _ := io.ReadAll(resp.Body)
|
|
suite.True(strings.Contains(string(body), "authorization must be enabled"))
|
|
})
|
|
|
|
suite.Run("enabled_on_proxy_with_rbac_root_bypass", func() {
|
|
// When authorization is enabled but RootShouldBindRole is false,
|
|
// root user should be able to access via bypass
|
|
paramtable.Get().Save("common.security.exprEnabled", "true")
|
|
paramtable.Get().Save("common.security.exprAuthMode", ExprAuthModeRBAC)
|
|
paramtable.Get().Save("common.security.authorizationEnabled", "true")
|
|
paramtable.Get().Save("common.security.rootShouldBindRole", "false")
|
|
expr.Register("proxy", "mock_proxy")
|
|
|
|
// Register mock functions
|
|
RegisterPasswordVerifyFunc(func(ctx context.Context, username, password string) bool {
|
|
return (username == "root" && password == "Milvus") ||
|
|
(username == "admin" && password == "admin123")
|
|
})
|
|
|
|
// Without auth header - should fail with 401
|
|
url := "http://localhost:" + DefaultListenPort + ExprPath + "?code=foo"
|
|
client := http.Client{}
|
|
req, _ := http.NewRequest(http.MethodGet, url, nil)
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusUnauthorized, resp.StatusCode)
|
|
body, _ := io.ReadAll(resp.Body)
|
|
suite.True(strings.Contains(string(body), "authentication required"))
|
|
|
|
// With non-root user (without Expr privilege) - should fail with 401 (invalid credentials)
|
|
url = "http://localhost:" + DefaultListenPort + ExprPath + "?code=foo"
|
|
req, _ = http.NewRequest(http.MethodGet, url, nil)
|
|
req.SetBasicAuth("admin", "wrong_password")
|
|
resp, err = client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusUnauthorized, resp.StatusCode)
|
|
body, _ = io.ReadAll(resp.Body)
|
|
suite.True(strings.Contains(string(body), "invalid credentials"))
|
|
|
|
// With root user but wrong password - should fail with 401
|
|
url = "http://localhost:" + DefaultListenPort + ExprPath + "?code=foo"
|
|
req, _ = http.NewRequest(http.MethodGet, url, nil)
|
|
req.SetBasicAuth("root", "wrong_password")
|
|
resp, err = client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusUnauthorized, resp.StatusCode)
|
|
body, _ = io.ReadAll(resp.Body)
|
|
suite.True(strings.Contains(string(body), "invalid credentials"))
|
|
|
|
// With correct root credentials - should succeed via root bypass
|
|
url = "http://localhost:" + DefaultListenPort + ExprPath + "?code=foo"
|
|
req, _ = http.NewRequest(http.MethodGet, url, nil)
|
|
req.SetBasicAuth("root", "Milvus")
|
|
resp, err = client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusOK, resp.StatusCode)
|
|
body, _ = io.ReadAll(resp.Body)
|
|
suite.True(strings.Contains(string(body), "hello"))
|
|
})
|
|
|
|
suite.Run("invalid_auth_mode_returns_valid_json", func() {
|
|
paramtable.Get().Save("common.security.exprEnabled", "true")
|
|
paramtable.Get().Save("common.security.exprAuthMode", "rbca")
|
|
paramtable.Get().Save("common.security.authorizationEnabled", "true")
|
|
paramtable.Get().Save("common.security.rootShouldBindRole", "false")
|
|
expr.Register("proxy", "mock_proxy")
|
|
|
|
RegisterPasswordVerifyFunc(func(ctx context.Context, username, password string) bool {
|
|
return (username == "root" && password == "Milvus") ||
|
|
(username == "admin" && password == "admin123")
|
|
})
|
|
|
|
url := "http://localhost:" + DefaultListenPort + ExprPath + "?code=foo"
|
|
client := http.Client{}
|
|
req, _ := http.NewRequest(http.MethodGet, url, nil)
|
|
req.SetBasicAuth("root", "Milvus")
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusForbidden, resp.StatusCode)
|
|
|
|
body, _ := io.ReadAll(resp.Body)
|
|
var parsed map[string]string
|
|
err = json.Unmarshal(body, &parsed)
|
|
suite.NoError(err)
|
|
suite.Contains(parsed["msg"], "rbca")
|
|
})
|
|
|
|
suite.Run("exec_error_returns_valid_json", func() {
|
|
paramtable.Get().Save("common.security.exprEnabled", "true")
|
|
paramtable.Get().Save("common.security.exprAuthMode", ExprAuthModeRootOnly)
|
|
paramtable.Get().Save("common.security.authorizationEnabled", "false")
|
|
paramtable.Get().Save("common.security.rootShouldBindRole", "false")
|
|
expr.Register("proxy", "mock_proxy")
|
|
|
|
RegisterPasswordVerifyFunc(func(ctx context.Context, username, password string) bool {
|
|
return (username == "root" && password == "Milvus") ||
|
|
(username == "admin" && password == "admin123")
|
|
})
|
|
|
|
url := "http://localhost:" + DefaultListenPort + ExprPath + "?code=1%2B"
|
|
client := http.Client{}
|
|
req, _ := http.NewRequest(http.MethodGet, url, nil)
|
|
req.SetBasicAuth("root", "Milvus")
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusInternalServerError, resp.StatusCode)
|
|
|
|
body, _ := io.ReadAll(resp.Body)
|
|
var parsed map[string]string
|
|
err = json.Unmarshal(body, &parsed)
|
|
suite.NoError(err)
|
|
suite.Contains(parsed["msg"], "failed to execute expression")
|
|
suite.Contains(parsed["msg"], "unexpected token EOF")
|
|
})
|
|
|
|
suite.Run("enabled_on_proxy_non_root_user_without_privilege", func() {
|
|
// Non-root user with valid credentials but without PrivilegeExpr privilege
|
|
// should get 403 Forbidden
|
|
paramtable.Get().Save("common.security.exprEnabled", "true")
|
|
paramtable.Get().Save("common.security.exprAuthMode", ExprAuthModeRBAC)
|
|
paramtable.Get().Save("common.security.authorizationEnabled", "true")
|
|
paramtable.Get().Save("common.security.rootShouldBindRole", "false")
|
|
expr.Register("proxy", "mock_proxy")
|
|
privilege.InitPrivilegeGroups()
|
|
|
|
// Register mock password verify function
|
|
RegisterPasswordVerifyFunc(func(ctx context.Context, username, password string) bool {
|
|
return (username == "root" && password == "Milvus") ||
|
|
(username == "admin" && password == "admin123")
|
|
})
|
|
|
|
// Register mock getUserRoleFunc - admin has role1 but no PrivilegeExpr
|
|
RegisterGetUserRoleFunc(func(username string) ([]string, error) {
|
|
if username == "admin" {
|
|
return []string{"role1"}, nil
|
|
}
|
|
return []string{}, nil
|
|
})
|
|
|
|
loadPrivilegePoliciesForTest(suite.T(), []string{
|
|
funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Collection.String(), "col1", commonpb.ObjectPrivilege_PrivilegeLoad.String(), "default"),
|
|
})
|
|
defer privilege.CleanPrivilegeCache()
|
|
|
|
// Non-root user with valid credentials but without PrivilegeExpr - should fail with 403
|
|
url := "http://localhost:" + DefaultListenPort + ExprPath + "?code=foo"
|
|
client := http.Client{}
|
|
req, _ := http.NewRequest(http.MethodGet, url, nil)
|
|
req.SetBasicAuth("admin", "admin123")
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusForbidden, resp.StatusCode)
|
|
body, _ := io.ReadAll(resp.Body)
|
|
suite.True(strings.Contains(string(body), "permission denied"))
|
|
})
|
|
|
|
suite.Run("enabled_on_proxy_non_root_user_with_privilege", func() {
|
|
// Non-root user with valid credentials and PrivilegeExpr privilege
|
|
// should get 200 OK
|
|
paramtable.Get().Save("common.security.exprEnabled", "true")
|
|
paramtable.Get().Save("common.security.exprAuthMode", ExprAuthModeRBAC)
|
|
paramtable.Get().Save("common.security.authorizationEnabled", "true")
|
|
paramtable.Get().Save("common.security.rootShouldBindRole", "false")
|
|
expr.Register("proxy", "mock_proxy")
|
|
privilege.InitPrivilegeGroups()
|
|
|
|
// Register mock password verify function
|
|
RegisterPasswordVerifyFunc(func(ctx context.Context, username, password string) bool {
|
|
return (username == "root" && password == "Milvus") ||
|
|
(username == "admin" && password == "admin123")
|
|
})
|
|
|
|
// Register mock getUserRoleFunc - admin has role1 with PrivilegeExpr
|
|
RegisterGetUserRoleFunc(func(username string) ([]string, error) {
|
|
if username == "admin" {
|
|
return []string{"role1"}, nil
|
|
}
|
|
return []string{}, nil
|
|
})
|
|
|
|
loadPrivilegePoliciesForTest(suite.T(), []string{
|
|
funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", util.PrivilegeExpr, "default"),
|
|
})
|
|
defer privilege.CleanPrivilegeCache()
|
|
|
|
// Non-root user with valid credentials and PrivilegeExpr - should succeed with 200
|
|
url := "http://localhost:" + DefaultListenPort + ExprPath + "?code=foo"
|
|
client := http.Client{}
|
|
req, _ := http.NewRequest(http.MethodGet, url, nil)
|
|
req.SetBasicAuth("admin", "admin123")
|
|
resp, err := client.Do(req)
|
|
suite.Nil(err)
|
|
defer resp.Body.Close()
|
|
suite.Equal(http.StatusOK, resp.StatusCode)
|
|
body, _ := io.ReadAll(resp.Body)
|
|
suite.True(strings.Contains(string(body), "hello"))
|
|
})
|
|
|
|
// Reset config
|
|
paramtable.Get().Save("common.security.exprEnabled", "false")
|
|
paramtable.Get().Save("common.security.exprAuthMode", ExprAuthModeRootOnly)
|
|
paramtable.Get().Save("common.security.authorizationEnabled", "false")
|
|
paramtable.Get().Save("common.security.rootShouldBindRole", "false")
|
|
}
|
|
|
|
func TestHTTPServerSuite(t *testing.T) {
|
|
suite.Run(t, new(HTTPServerTestSuite))
|
|
}
|
|
|
|
type MockIndicator struct {
|
|
name string
|
|
code commonpb.StateCode
|
|
}
|
|
|
|
func (m *MockIndicator) Health(ctx context.Context) commonpb.StateCode {
|
|
return m.code
|
|
}
|
|
|
|
func (m *MockIndicator) GetName() string {
|
|
return m.name
|
|
}
|
|
|
|
func TestRegisterWebUIHandler(t *testing.T) {
|
|
// Initialize the HTTP server
|
|
func() {
|
|
defer func() {
|
|
if err := recover(); err != nil {
|
|
fmt.Println("May the handler has been registered!", err)
|
|
}
|
|
}()
|
|
RegisterWebUIHandler()
|
|
}()
|
|
|
|
// Create a test server
|
|
ts := httptest.NewServer(http.DefaultServeMux)
|
|
defer ts.Close()
|
|
|
|
// Test cases
|
|
tests := []struct {
|
|
url string
|
|
expectedCode int
|
|
expectedBody string
|
|
}{
|
|
{"/webui/", http.StatusOK, "<!doctype html>"},
|
|
{"/webui/index.html", http.StatusOK, "<!doctype html>"},
|
|
{"/webui/unknown", http.StatusOK, "<!doctype html>"},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.url, func(t *testing.T) {
|
|
req, err := http.NewRequest("GET", ts.URL+tt.url, nil)
|
|
assert.NoError(t, err)
|
|
req.Header.Set("Accept", "text/html")
|
|
resp, err := ts.Client().Do(req)
|
|
assert.NoError(t, err)
|
|
defer resp.Body.Close()
|
|
|
|
assert.Equal(t, tt.expectedCode, resp.StatusCode)
|
|
|
|
body := make([]byte, len(tt.expectedBody))
|
|
_, err = resp.Body.Read(body)
|
|
assert.NoError(t, err)
|
|
assert.Contains(t, strings.ToLower(string(body)), tt.expectedBody)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestHandleNotFound(t *testing.T) {
|
|
mainHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
http.NotFound(w, r)
|
|
})
|
|
fallbackHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
w.Write([]byte("Fallback"))
|
|
})
|
|
|
|
handler := handleNotFound(mainHandler, fallbackHandler)
|
|
req := httptest.NewRequest("GET", "/", nil)
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.ServeHTTP(w, req)
|
|
resp := w.Result()
|
|
body := make([]byte, 8)
|
|
resp.Body.Read(body)
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
assert.Equal(t, "Fallback", string(body))
|
|
}
|
|
|
|
func TestServeFile(t *testing.T) {
|
|
fs := http.FS(staticFiles)
|
|
handler := serveFile("unknown", fs)
|
|
|
|
// No Accept in http header
|
|
{
|
|
req := httptest.NewRequest("GET", "/", nil)
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.ServeHTTP(w, req)
|
|
resp := w.Result()
|
|
assert.Equal(t, http.StatusNotFound, resp.StatusCode)
|
|
}
|
|
|
|
// unknown request file
|
|
{
|
|
req := httptest.NewRequest("GET", "/", nil)
|
|
req.Header.Set("Accept", "text/html")
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.ServeHTTP(w, req)
|
|
resp := w.Result()
|
|
assert.Equal(t, http.StatusNotFound, resp.StatusCode)
|
|
}
|
|
}
|