diff options
author | toby <smorgrav@yahoo-inc.com> | 2018-04-11 09:20:02 +0200 |
---|---|---|
committer | toby <smorgrav@yahoo-inc.com> | 2018-04-11 09:20:02 +0200 |
commit | cd2e83e88e86903d227f9022e5bb93f9f20c8f59 (patch) | |
tree | 579f133ead3f50a8e36bf5a98364a80fc1df7468 /node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl | |
parent | 79ac96bddc0fdd4e39d9bef25af112941c3456d5 (diff) |
tokenize arguments to docker exec, simplyfy ports for iptables
Diffstat (limited to 'node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl')
-rw-r--r-- | node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java | 52 |
1 files changed, 30 insertions, 22 deletions
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java index 7972d44d9e4..852b21aceb5 100644 --- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java +++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java @@ -14,9 +14,11 @@ import org.junit.Test; import java.net.InetAddress; import java.util.ArrayList; +import java.util.Arrays; import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.stream.Collectors; import static org.mockito.Matchers.any; import static org.mockito.Matchers.eq; @@ -24,7 +26,7 @@ import static org.mockito.Mockito.mock; import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; -import static org.mockito.Mockito.startsWith; +import static org.mockito.Mockito.anyVararg; public class AclMaintainerTest { @@ -46,27 +48,28 @@ public class AclMaintainerTest { @Test public void configures_container_acl_when_iptables_differs() { Container container = addContainer("container1", Container.State.RUNNING); - Map<String, Acl> acls = makeAcl(container.name.asString(), 4321, "2001::1"); + Map<String, Acl> acls = makeAcl(container.name.asString(), "4321", "2001::1"); when(nodeRepository.getAcl(NODE_ADMIN_HOSTNAME, containers.keySet())).thenReturn(acls); when(dockerOperations.executeCommandInNetworkNamespace( eq(container.name), - eq("ip6tables -S -t filter"))).thenReturn(new ProcessResult(0, "", "")); + eq("ip6tables"), eq("-S"), eq("-t"), eq("filter"))) + .thenReturn(new ProcessResult(0, "", "")); when(dockerOperations.executeCommandInNetworkNamespace( eq(container.name), - startsWith("ip6tables-restore"))).thenReturn(new ProcessResult(0, "", "")); + eq("ip6tables-restore"), anyVararg())).thenReturn(new ProcessResult(0, "", "")); aclMaintainer.run(); - verify(dockerOperations, times(2)).executeCommandInNetworkNamespace(any(), any()); + verify(dockerOperations, times(2)).executeCommandInNetworkNamespace(any(), anyVararg()); } @Test public void does_not_configure_acl_if_iptables_v6_are_ok() { Container container = addContainer("container1", Container.State.RUNNING); - Map<String, Acl> acls = makeAcl(container.name.asString(), 4321, "2001::1"); + Map<String, Acl> acls = makeAcl(container.name.asString(), "4321,2345,22", "2001::1", "fd01:1234::4321"); when(nodeRepository.getAcl(NODE_ADMIN_HOSTNAME, containers.keySet())).thenReturn(acls); @@ -76,25 +79,26 @@ public class AclMaintainerTest { "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" + "-A INPUT -i lo -j ACCEPT\n" + "-A INPUT -p ipv6-icmp -j ACCEPT\n" + - "-A INPUT -p tcp --dport 4321 -j ACCEPT\n" + + "-A INPUT -p tcp -m multiport --dports 4321,2345,22 -j ACCEPT\n" + "-A INPUT -s 2001::1/128 -j ACCEPT\n" + + "-A INPUT -s fd01:1234::4321/128 -j ACCEPT\n" + "-A INPUT -j REJECT\n" + "-A OUTPUT -d 3001::1 -j REDIRECT"; when(dockerOperations.executeCommandInNetworkNamespace( eq(container.name), - eq("ip6tables -S -t filter"))) + eq("ip6tables"), eq("-S"), eq("-t"), eq("filter"))) .thenReturn(new ProcessResult(0, ONE_CONTAINER_IPV6, "")); aclMaintainer.run(); - verify(dockerOperations, times(1)).executeCommandInNetworkNamespace(any(), any()); + verify(dockerOperations, times(1)).executeCommandInNetworkNamespace(any(), anyVararg()); } @Test public void does_not_configure_acl_if_iptables_dualstack_are_ok() { Container container = addContainer("container1", Container.State.RUNNING); - Map<String, Acl> acls = makeAcl(container.name.asString(), 4321, "2001::1"); + Map<String, Acl> acls = makeAcl(container.name.asString(), "22,4443,2222", "2001::1"); when(nodeRepository.getAcl(NODE_ADMIN_HOSTNAME, containers.keySet())).thenReturn(acls); @@ -104,39 +108,40 @@ public class AclMaintainerTest { "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" + "-A INPUT -i lo -j ACCEPT\n" + "-A INPUT -p ipv6-icmp -j ACCEPT\n" + - "-A INPUT -p tcp --dport 4321 -j ACCEPT\n" + + "-A INPUT -p tcp -m multiport --dports 22,4443,2222 -j ACCEPT\n" + "-A INPUT -s 2001::1/128 -j ACCEPT\n" + "-A INPUT -j REJECT\n" + "-A OUTPUT -d 3001::1 -j REDIRECT"; when(dockerOperations.executeCommandInNetworkNamespace( eq(container.name), - eq("ip6tables -S -t filter"))) + eq("ip6tables"), eq("-S"), eq("-t"), eq("filter"))) .thenReturn(new ProcessResult(0, ONE_CONTAINER_IPV6, "")); aclMaintainer.run(); - verify(dockerOperations, times(1)).executeCommandInNetworkNamespace(any(), any()); + verify(dockerOperations, times(1)).executeCommandInNetworkNamespace(any(), anyVararg()); } @Test public void rollback_is_attempted_when_applying_acl_fail() { Container container = addContainer("container1", Container.State.RUNNING); - Map<String, Acl> acls = makeAcl(container.name.asString(), 4321, "2001::1"); + Map<String, Acl> acls = makeAcl(container.name.asString(), "4321", "2001::1"); when(nodeRepository.getAcl(NODE_ADMIN_HOSTNAME, containers.keySet())).thenReturn(acls); when(dockerOperations.executeCommandInNetworkNamespace( eq(container.name), - eq("ip6tables -S -t filter"))).thenReturn(new ProcessResult(0, "", "")); + eq("ip6tables"), eq("-S"), eq("-t"), eq("filter"))) + .thenReturn(new ProcessResult(0, "", "")); when(dockerOperations.executeCommandInNetworkNamespace( eq(container.name), - startsWith("ip6tables-restore"))).thenThrow(new RuntimeException("iptables restore failed")); + eq("ip6tables-restore"), anyVararg())).thenThrow(new RuntimeException("iptables restore failed")); aclMaintainer.run(); - verify(dockerOperations, times(1)).executeCommandInNetworkNamespace(eq(container.name), eq("ip6tables -F")); + verify(dockerOperations, times(1)).executeCommandInNetworkNamespace(eq(container.name), eq("ip6tables"), eq("-F")); } private Container addContainer(String name, Container.State state) { @@ -149,13 +154,16 @@ public class AclMaintainerTest { return container; } - private Map<String, Acl> makeAcl(String containerName, int port, String address) { + private Map<String, Acl> makeAcl(String containerName, String portsCommaSeparated, String... addresses) { Map<String, Acl> map = new HashMap<>(); - List<Integer> ports = new ArrayList<>(); - ports.add(port); - List<InetAddress> hosts = new ArrayList<>(); - hosts.add(InetAddresses.forString(address)); + List<Integer> ports = Arrays.stream(portsCommaSeparated.split(",")) + .map(Integer::valueOf) + .collect(Collectors.toList()); + + List<InetAddress> hosts = Arrays.stream(addresses) + .map(InetAddresses::forString) + .collect(Collectors.toList()); Acl acl = new Acl(ports, hosts); map.put(containerName, acl); |