Diffstat (limited to 'fnet/src/tests/frt/rpc/invoke.cpp')
-rw-r--r--fnet/src/tests/frt/rpc/invoke.cpp10
1 files changed, 10 insertions, 0 deletions
diff --git a/fnet/src/tests/frt/rpc/invoke.cpp b/fnet/src/tests/frt/rpc/invoke.cpp
index 38f260dd202..e930c1252bf 100644
--- a/fnet/src/tests/frt/rpc/invoke.cpp
+++ b/fnet/src/tests/frt/rpc/invoke.cpp
@@ -2,6 +2,7 @@
#include <vespa/vespalib/testkit/test_kit.h>
#include <vespa/vespalib/net/socket_spec.h>
#include <vespa/vespalib/net/tls/capability_env_config.h>
+#include <vespa/vespalib/net/tls/statistics.h>
#include <vespa/vespalib/util/benchmark_timer.h>
#include <vespa/vespalib/util/latch.h>
#include <vespa/fnet/frt/supervisor.h>
@@ -16,6 +17,7 @@
using vespalib::SocketSpec;
using vespalib::BenchmarkTimer;
+using vespalib::net::tls::CapabilityStatistics;
using namespace vespalib::net::tls;
constexpr double timeout = 60.0;
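Review bot: The added `using vespalib::net::tls::CapabilityStatistics;` is redundant with the `using namespace vespalib::net::tls;` directive on the line right after it, which already makes the name visible in this file. Either drop the new using-declaration, or keep it deliberately and retire the directive later if the file is moving toward explicit declarations.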
@@ -486,6 +488,7 @@ TEST_F("request allowed by access filter invokes server method as usual", Fixtur
}
TEST_F("capability checking filter is enforced under mTLS unless overridden by env var", Fixture()) {
+ const auto cap_stats_before = CapabilityStatistics::get().snapshot();
MyReq req("capabilityRestricted"); // Requires content node cap set; disallowed
f1.target().InvokeSync(req.borrow(), timeout);
auto cap_mode = capability_enforcement_mode_from_env();
@@ -494,6 +497,9 @@ TEST_F("capability checking filter is enforced under mTLS unless overridden by e
// Default authz rule does not give required capabilities; must fail.
EXPECT_EQUAL(req.get().GetErrorCode(), FRTE_RPC_PERMISSION_DENIED);
EXPECT_FALSE(f1.server_instance().restricted_method_was_invoked());
+ // Permission denied should bump capability check failure statistic
+ const auto cap_stats = CapabilityStatistics::get().snapshot().subtract(cap_stats_before);
+ EXPECT_EQUAL(cap_stats.rpc_capability_checks_failed, 1u);
} else {
// Either no mTLS configured (implicit full capability set) or capabilities not enforced.
ASSERT_FALSE(req.get().IsError());
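Review bot: The new `rpc_capability_checks_failed` assertion runs only in the enforced branch, so the `else` branch leaves the counter unpinned. That branch covers two different situations (no mTLS configured, or capabilities not enforced), and a test run without mTLS never exercises the denied-request statistic at all. This counter is presumably what operators watch to spot rejected RPCs, so it is worth stating what each non-enforcing case should do to it. Whether a non-enforcing mode still counts the failed check cannot be told from this hunk; if it does, split the branch and assert the delta there too. Otherwise add a comment such as `// Counter delta intentionally not asserted here: depends on mTLS/enforcement mode`. The test body starts in the previous hunk and continues past this one.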
@@ -502,11 +508,15 @@ TEST_F("capability checking filter is enforced under mTLS unless overridden by e
}
TEST_F("access is allowed by capability filter when peer is granted the required capability", Fixture()) {
+ const auto cap_stats_before = CapabilityStatistics::get().snapshot();
MyReq req("capabilityAllowed"); // Requires telemetry cap set; allowed
f1.target().InvokeSync(req.borrow(), timeout);
// Should always be allowed, regardless of mTLS mode or capability enforcement
ASSERT_FALSE(req.get().IsError());
EXPECT_TRUE(f1.server_instance().restricted_method_was_invoked());
+ // Should _not_ bump capability check failure statistic
+ const auto cap_stats = CapabilityStatistics::get().snapshot().subtract(cap_stats_before);
+ EXPECT_EQUAL(cap_stats.rpc_capability_checks_failed, 0u);
}
TEST_F("access is allowed by capability filter when required capability set is empty", Fixture()) {
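Review bot: The exact-delta checks (`0u` here and `1u` in the denied test above) read from `CapabilityStatistics::get()`, which looks like a process-wide instance. They are therefore only sound if nothing else in the test process triggers an RPC capability check between the two snapshots. That holds for a single synchronous `InvokeSync`, but the assumption is implicit. A short comment next to the first snapshot would keep later edits from adding background RPC traffic that makes these assertions flaky, for example `// Global counter: assumes no other RPC capability checks run concurrently in this process`.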