mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-06 10:21:05 +02:00
test fixes
parent
ec1566187a
commit
99770f7ab0
5 changed files with 67 additions and 24 deletions
|
@ -47,6 +47,12 @@ func TestBuilder_BuildBootstrapLayeredRuntime(t *testing.T) {
|
|||
"error_level": 1048576,
|
||||
"warn_level": 1024
|
||||
}
|
||||
},
|
||||
"tracing": {
|
||||
"opentelemetry": {
|
||||
"flush_interval_ms": 5000,
|
||||
"min_flush_spans": 3
|
||||
}
|
||||
}
|
||||
}
|
||||
}] }
|
||||
|
|
|
@ -67,7 +67,8 @@ func TestBuilder_buildMainRouteConfiguration(t *testing.T) {
|
|||
{
|
||||
"name": "policy-0",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"headers": [
|
||||
|
@ -123,7 +124,8 @@ func TestBuilder_buildMainRouteConfiguration(t *testing.T) {
|
|||
{
|
||||
"name": "policy-0",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"headers": [
|
||||
|
|
|
@ -416,7 +416,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-1",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/"
|
||||
|
@ -489,7 +490,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-2",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"path": "/some/path"
|
||||
|
@ -563,7 +565,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-3",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/some/prefix/"
|
||||
|
@ -636,7 +639,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-4",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"safeRegex": {
|
||||
|
@ -711,7 +715,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-5",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/some/prefix/"
|
||||
|
@ -785,7 +790,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-6",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"path": "/some/path"
|
||||
|
@ -858,7 +864,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-7",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"path": "/some/path"
|
||||
|
@ -932,7 +939,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-8",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"path": "/websocket-timeout"
|
||||
|
@ -1028,7 +1036,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-0",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/"
|
||||
|
@ -1120,7 +1129,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-0",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"connectMatcher": {}
|
||||
|
@ -1195,7 +1205,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-1",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"connectMatcher": {}
|
||||
|
@ -1295,7 +1306,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-0",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/"
|
||||
|
@ -1393,7 +1405,8 @@ func Test_buildPolicyRoutes(t *testing.T) {
|
|||
{
|
||||
"name": "policy-0",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/"
|
||||
|
@ -1544,7 +1557,8 @@ func Test_buildPolicyRoutesRewrite(t *testing.T) {
|
|||
{
|
||||
"name": "policy-0",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/"
|
||||
|
@ -1618,7 +1632,8 @@ func Test_buildPolicyRoutesRewrite(t *testing.T) {
|
|||
{
|
||||
"name": "policy-1",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/"
|
||||
|
@ -1692,7 +1707,8 @@ func Test_buildPolicyRoutesRewrite(t *testing.T) {
|
|||
{
|
||||
"name": "policy-2",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/"
|
||||
|
@ -1771,7 +1787,8 @@ func Test_buildPolicyRoutesRewrite(t *testing.T) {
|
|||
{
|
||||
"name": "policy-3",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/"
|
||||
|
@ -1845,7 +1862,8 @@ func Test_buildPolicyRoutesRewrite(t *testing.T) {
|
|||
{
|
||||
"name": "policy-4",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/"
|
||||
|
@ -1919,7 +1937,8 @@ func Test_buildPolicyRoutesRewrite(t *testing.T) {
|
|||
{
|
||||
"name": "policy-5",
|
||||
"decorator": {
|
||||
"operation": "ingress: ${method} ${host}${path}"
|
||||
"operation": "ingress: ${method} ${host}${path}",
|
||||
"propagate": false
|
||||
},
|
||||
"match": {
|
||||
"prefix": "/"
|
||||
|
|
|
@ -23,13 +23,21 @@
|
|||
"commonHttpProtocolOptions": {
|
||||
"idleTimeout": "300s"
|
||||
},
|
||||
"earlyHeaderMutationExtensions": [
|
||||
{
|
||||
"name": "envoy.http.early_header_mutation.trace_context",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/pomerium.extensions.TraceContext"
|
||||
}
|
||||
}
|
||||
],
|
||||
"httpFilters": [
|
||||
{
|
||||
"name": "envoy.filters.http.lua",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
|
||||
"defaultSourceCode": {
|
||||
"inlineString": "function envoy_on_request(request_handle)\n local headers = request_handle:headers()\n local path = headers:get(\":path\")\n\n if path:find(\"#\") ~= nil then\n return\n end\n\n local function substitute_query_param(query_param_name, header_name)\n local i, j = path:find(query_param_name .. \"=\")\n if i ~= nil and (path:sub(i - 1, i - 1) == \"\u0026\" or path:sub(i - 1, i - 1) == \"?\") then\n local k = path:find(\"\u0026\", j + 1)\n if k ~= nil then\n k = k - 1\n else\n k = #path\n end\n local value = path:sub(j + 1, k)\n if value ~= nil then\n headers:replace(header_name, value)\n return true\n end\n end\n return false\n end\n\n if substitute_query_param(\"pomerium_traceparent\", \"x-pomerium-traceparent\") then\n substitute_query_param(\"pomerium_tracestate\", \"x-pomerium-tracestate\")\n end\n local traceparent = headers:get(\"traceparent\")\n if traceparent ~= nil and #traceparent == 55 and headers:get(\"x-pomerium-traceparent\") == nil then\n headers:replace(\"x-pomerium-external-parent-span\", traceparent:sub(37, 52))\n end\nend\n\nfunction envoy_on_response(response_handle)\nend\n"
|
||||
"inlineString": "function envoy_on_request(request_handle)\n local headers = request_handle:headers()\n local path = headers:get(\":path\")\n\n if path:find(\"#\") ~= nil then\n return\n end\n\n local function substitute_query_param(query_param_name, header_name)\n local i, j = path:find(query_param_name .. \"=\")\n if i ~= nil and (path:sub(i - 1, i - 1) == \"\u0026\" or path:sub(i - 1, i - 1) == \"?\") then\n local k = path:find(\"\u0026\", j + 1)\n if k ~= nil then\n k = k - 1\n else\n k = #path\n end\n local value = path:sub(j + 1, k)\n if value ~= nil then\n headers:replace(header_name, value)\n return true\n end\n end\n return false\n end\n\n if substitute_query_param(\"pomerium_traceparent\", \"x-pomerium-traceparent\") then\n substitute_query_param(\"pomerium_tracestate\", \"x-pomerium-tracestate\")\n end\n --[[\n NB: Sampling\n ------------\n The goal here is to ensure a consistent sampling decision across multiple\n redirects within a single logical request. The decision made on the client's\n initial request (to envoy) should carry forward through redirects, even\n though those subsequent requests are completely separate from envoy's\n point of view; they carry separate request IDs, separate trace IDs (until\n they are joined by pomerium), and - crucially - separate trace decisions.\n On each new request, envoy will decide whether or not to sample it, and\n that decision will be encoded into the traceparent header of the request.\n Envoy will always send the traceparent header if tracing is enabled. \u003c-- TODO: verify this\n\n The sampled bit (0x1) of the flags segment (4th) contains the sampling\n decision made by envoy. 
If there is an x-pomerium-traceparent header\n present, it will encode the original sampling decision in the same place.\n\n If the x-pomerium-traceparent header is present and indicates the original\n trace was sampled:\n - If envoy's traceparent header also has the sampled bit set, continue\n as normal.\n - If envoy's traceparent header does NOT have the sampled bit set, force\n it to sample the request by setting the x-envoy-force-trace header.\n\n If the x-pomerium-traceparent header is present and indicates the original\n trace was NOT sampled:\n - If envoy's traceparent header also does NOT have the sampled bit set,\n continue as normal.\n - If envoy's traceparent header DOES have the sampled bit set, this is\n a bit more complicated. We can propagate the x-pomerium-traceparent\n header which will make sure the spans on the pomerium side do not get\n sampled, but there is no mechanism for forcing envoy to un-sample its\n own spans, meaning it will always export spans from this trace which we\n will need to intentionally drop in our exporter. To do this, we detect\n the presence of the pomerium.traceparent span attribute and if it has\n the sampled bit set to 0, the entire trace is dropped.\n ]] --\n local traceparent = headers:get(\"traceparent\")\n local x_pomerium_traceparent = headers:get(\"x-pomerium-traceparent\")\n if traceparent ~= nil and #traceparent == 55 then\n if x_pomerium_traceparent == nil then\n headers:replace(\"x-pomerium-external-parent-span\", traceparent:sub(37, 52))\n -- elseif #x_pomerium_traceparent == 55 then\n -- if traceparent:sub(-1) == \"0\" and x_pomerium_traceparent:sub(-1) == \"1\" then\n -- headers:replace(\"x-envoy-force-trace\", \"1\")\n -- end\n end\n end\nend\n\nfunction envoy_on_response(response_handle)\nend\n"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -231,6 +239,13 @@
|
|||
}
|
||||
]
|
||||
},
|
||||
"requestIdExtension": {
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/pomerium.extensions.UuidxRequestIdConfig",
|
||||
"packTraceReason": true,
|
||||
"useRequestIdForTraceSampling": true
|
||||
}
|
||||
},
|
||||
"requestTimeout": "30s",
|
||||
"normalizePath": true,
|
||||
"rds": {
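Review bot: The expected filter script in the new `inlineString` still copies the raw `pomerium_traceparent` query value into `x-pomerium-traceparent` with no length or format check, while the added NB comment says the exporter drops the whole trace when that value has the sampled bit clear. If the exporter really behaves that way, any client can presumably opt its own requests out of tracing, which matters where traces feed audit or detection. The traceparent value should be validated before `headers:replace`, for example `if #value == 55 and value:match("^%x%x%-%x+%-%x+%-%x%x$") then`, and trace absence should not be treated as meaningful downstream. The script also carries a commented-out `elseif` branch and a `TODO: verify this`, which this fixture now pins byte for byte; settle or delete them in the Lua source, which is outside this section.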
|
||||
|
|
|
@ -2,6 +2,7 @@ package cryptutil
|
|||
|
||||
import (
|
||||
"testing"
|
||||
"unsafe"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
@ -49,10 +50,10 @@ func TestKeyEncryptionKey(t *testing.T) {
|
|||
private, err := GenerateKeyEncryptionKey()
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, private.data[:], private.KeyBytes())
|
||||
assert.NotSame(t, private.data[:], private.KeyBytes())
|
||||
assert.NotSame(t, unsafe.SliceData(private.data[:]), unsafe.SliceData(private.KeyBytes()))
|
||||
public := private.Public()
|
||||
assert.Equal(t, public.data[:], public.KeyBytes())
|
||||
assert.NotSame(t, public.data[:], public.KeyBytes())
|
||||
assert.NotSame(t, unsafe.SliceData(public.data[:]), unsafe.SliceData(public.KeyBytes()))
|
||||
})
|
||||
t.Run("GetKeyEncryptionKeyID", func(t *testing.T) {
|
||||
id := GetKeyEncryptionKeyID([]byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31})
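Review bot: The two rewritten `assert.NotSame` lines in the subtest above `GetKeyEncryptionKeyID` compare first-element addresses through `unsafe.SliceData`, which shows the returned slice starts elsewhere but does not directly show that writing to it leaves the stored key untouched. Assuming `KeyBytes` returns a `[]byte`, a behavioural check states the property without `unsafe`: `kb := private.KeyBytes(); kb[0] ^= 0xff` followed by `assert.NotEqual(t, kb, private.KeyBytes())`, and the same for `public`. If the pointer comparison stays, add a comment such as `// NotSame needs pointers; compare backing-array addresses to prove KeyBytes returns a copy`. TestKeyEncryptionKey starts and ends outside the hunk.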
|
||||
|
|