gost/tests/e2e/admission_test.go

112 lines
3.6 KiB
Go

package e2e
import (
"context"
"fmt"
"io"
"testing"
"github.com/stretchr/testify/suite"
"github.com/testcontainers/testcontainers-go"
)
// AdmissionSuite verifies service-level admission control, which gates
// connections by the client's source address. It contrasts a loopback client
// (curl run inside the gost container, source 127.0.0.1) against an external
// client (curl run inside the echo container, source = its container IP).
type AdmissionSuite struct {
suite.Suite
ctx context.Context
echoC testcontainers.Container
echoIP string
}
func (s *AdmissionSuite) SetupSuite() {
s.ctx = context.Background()
echoC, err := RunEchoContainer(s.ctx, SharedNetworkName)
s.Require().NoError(err)
s.echoC = echoC
echoIP, err := echoC.ContainerIP(s.ctx)
s.Require().NoError(err)
s.echoIP = echoIP
}
func (s *AdmissionSuite) TearDownSuite() {
if s.echoC != nil {
s.echoC.Terminate(s.ctx)
}
}
// curlIn runs curl inside the given container, proxying through the gost proxy
// at proxyAddr to the echo server, and returns the response body. An admitted
// request returns "hello-gost"; a denied connection returns an empty body.
func (s *AdmissionSuite) curlIn(c testcontainers.Container, proxyAddr string) string {
cmd := []string{
"curl", "-s",
"-x", fmt.Sprintf("http://%s", proxyAddr),
fmt.Sprintf("http://%s:5678", s.echoIP),
}
_, out, err := c.Exec(s.ctx, cmd)
s.Require().NoError(err)
body, err := io.ReadAll(out)
s.Require().NoError(err)
return string(body)
}
// TestWhitelistAdmitLoopback verifies that a whitelisted source (127.0.0.1,
// a loopback client inside the gost container) is admitted and reaches the
// echo server.
func (s *AdmissionSuite) TestWhitelistAdmitLoopback() {
gostC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
"testdata/admission/whitelist.yaml", []string{"gost-proxy"}, []string{"8080/tcp"})
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
body := s.curlIn(gostC, "127.0.0.1:8080")
s.Require().Contains(body, "hello-gost")
}
// TestWhitelistDenyExternal verifies that a non-whitelisted source (an external
// container, not 127.0.0.1) is denied, so the request never reaches the echo
// server.
func (s *AdmissionSuite) TestWhitelistDenyExternal() {
gostC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
"testdata/admission/whitelist.yaml", []string{"gost-proxy"}, []string{"8080/tcp"})
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
body := s.curlIn(s.echoC, "gost-proxy:8080")
s.Require().NotContains(body, "hello-gost")
}
// TestBlacklistDenyLoopback verifies that a blacklisted source (127.0.0.1,
// a loopback client inside the gost container) is denied.
func (s *AdmissionSuite) TestBlacklistDenyLoopback() {
gostC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
"testdata/admission/blacklist.yaml", []string{"gost-proxy"}, []string{"8080/tcp"})
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
body := s.curlIn(gostC, "127.0.0.1:8080")
s.Require().NotContains(body, "hello-gost")
}
// TestBlacklistAdmitExternal verifies that a source outside the blacklist (an
// external container, not 127.0.0.1) is admitted and reaches the echo server.
func (s *AdmissionSuite) TestBlacklistAdmitExternal() {
gostC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
"testdata/admission/blacklist.yaml", []string{"gost-proxy"}, []string{"8080/tcp"})
s.Require().NoError(err)
defer gostC.Terminate(s.ctx)
body := s.curlIn(s.echoC, "gost-proxy:8080")
s.Require().Contains(body, "hello-gost")
}
func TestAdmissionSuite(t *testing.T) {
suite.Run(t, new(AdmissionSuite))
}