Added a LoggingTest with authorization.

A new test, `LoggingTest.ToggleAuthorizationEnabled`, was added which checks that the '/logging/toggle' endpoint correctly rejects unauthorized requests. Review: https://reviews.apache.org/r/46882/
markeijsermans · May 12, 2016 · a5ce87b · a5ce87b
1 parent 1140f6e
commit a5ce87b
Showing 1 changed file with 49 additions and 0 deletions.
diff --git a/src/tests/logging_tests.cpp b/src/tests/logging_tests.cpp
@@ -18,12 +18,16 @@
 
 #include <mesos/authentication/http/basic_authenticator_factory.hpp>
 
+#include <mesos/authorizer/authorizer.hpp>
+
 #include <process/future.hpp>
 #include <process/gtest.hpp>
 #include <process/http.hpp>
 #include <process/pid.hpp>
 #include <process/process.hpp>
 
+#include "common/http.hpp"
+
 #include "logging/logging.hpp"
 
 #include "tests/mesos.hpp"
@@ -33,6 +37,7 @@ namespace authentication = process::http::authentication;
 using mesos::http::authentication::BasicAuthenticatorFactory;
 
 using process::http::BadRequest;
+using process::http::Forbidden;
 using process::http::OK;
 using process::http::Response;
 using process::http::Unauthorized;
@@ -72,6 +77,10 @@ class LoggingTest : public mesos::internal::tests::MesosTest
 
     realms.clear();
 
+    // In case libprocess-level authorization was enabled in the test, we unset
+    // the libprocess authorization callbacks.
+    process::http::authorization::unsetCallbacks();
+
     MesosTest::TearDown();
   }
 
@@ -147,6 +156,46 @@ TEST_F(LoggingTest, ToggleAuthenticationEnabled)
   AWAIT_EXPECT_RESPONSE_STATUS_EQ(Unauthorized({}).status, response);
 }
 
+
+// Tests that the `/logging/toggle` endpoint rejects unauthorized requests when
+// authorization is enabled.
+TEST_F(LoggingTest, ToggleAuthorizationEnabled)
+{
+  Credentials credentials;
+  credentials.add_credentials()->CopyFrom(DEFAULT_CREDENTIAL);
+
+  // Create a basic HTTP authenticator with the specified credentials and set it
+  // as the authenticator for `DEFAULT_HTTP_AUTHENTICATION_REALM`.
+  setBasicHttpAuthenticator(DEFAULT_HTTP_AUTHENTICATION_REALM, credentials);
+
+  ACLs acls;
+
+  // This ACL asserts that the principal of `DEFAULT_CREDENTIAL` can GET any
+  // HTTP endpoints that are authorized with the `GetEndpoint` ACL.
+  mesos::ACL::GetEndpoint* acl = acls.add_get_endpoints();
+  acl->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
+  acl->mutable_paths()->set_type(mesos::ACL::Entity::NONE);
+
+  Result<Authorizer*> authorizer = Authorizer::create(acls);
+  ASSERT_SOME(authorizer);
+
+  // Set authorization callbacks for libprocess-level HTTP endpoints.
+  process::http::authorization::setCallbacks(
+      createAuthorizationCallbacks(authorizer.get()));
+
+  process::PID<> pid;
+  pid.id = "logging";
+  pid.address = process::address();
+
+  process::Future<Response> response = process::http::get(
+      pid,
+      "toggle",
+      None(),
+      createBasicAuthHeaders(DEFAULT_CREDENTIAL));
+
+  AWAIT_EXPECT_RESPONSE_STATUS_EQ(Forbidden().status, response);
+}
+
 } // namespace tests {
 } // namespace internal {
 } // namespace mesos {