asg_test.go
package acceptance_test
import (
"fmt"
"io"
"net/http"
"time"
"github.com/cloudfoundry/cf-test-helpers/v2/cf"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
"github.com/onsi/gomega/gexec"
)
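// Acceptance spec for application security groups (ASGs).
//
// It pushes a proxy app, confirms the app cannot reach the Cloud Controller's
// internal address, binds an ASG that opens the port and confirms the request
// succeeds, then unbinds the ASG and confirms the request is refused again.
// When testConfig.DynamicASGsEnabled is false it also asserts that neither
// change takes effect until the app is restarted.
var _ = Describe("Application Security Groups", func() {
	var (
		orgName   string
		spaceName string
		appName   string
		asgName   string
	)

	BeforeEach(func() {
		// NOTE(review): this unbinds every group in
		// testConfig.DefaultSecurityGroups from the running set, which is not
		// scoped to the test org. They are only bound again in AfterEach, so an
		// interrupted run leaves them unbound; verify the running set after an
		// aborted run and avoid sharing the environment while this spec runs.
		By("unbinding all running ASGs")
		for _, sg := range testConfig.DefaultSecurityGroups {
			Expect(cf.Cf("unbind-running-security-group", sg).Wait(Timeout_Short)).To(gexec.Exit(0))
		}

		By("creating the org and space")
		orgName = testConfig.Prefix + "dynamic-asg-org"
		// The misspelling below is part of the space name created at runtime and
		// is kept as is.
		spaceName = testConfig.Prefix + "dyanmic-asg-space"
		setupOrgAndSpace(orgName, spaceName)

		By("Pushing an app")
		appName = fmt.Sprintf("%s-%s-%d", testConfig.Prefix, "proxy", randomGenerator.Int31())
		pushProxy(appName)
	})

	AfterEach(func() {
		// NOTE(review): asgName is assigned inside the spec body, so it is still
		// empty here if the spec failed before that step; confirm removeASG
		// tolerates an empty name.
		By("deleting the asg")
		removeASG(asgName)

		By("adding back all the original running ASGs")
		for _, sg := range testConfig.DefaultSecurityGroups {
			Expect(cf.Cf("bind-running-security-group", sg).Wait(Timeout_Short)).To(gexec.Exit(0))
		}

		By("deleting the org")
		Expect(cf.Cf("delete-org", orgName, "-f").Wait(Timeout_Push)).To(gexec.Exit(0))
	})

	It("applies security group changes", func() {
		internalCCPort := 9024
		proxyRequestURL := fmt.Sprintf("http://%s.%s/proxy/cloud-controller-ng.service.cf.internal:%d/v2/info?protocol=https", appName, testConfig.AppsDomain, internalCCPort)

		// fetchViaProxy requests proxyRequestURL and returns the response body.
		// The body is closed on every path, including a failed read. The
		// assertions use the global Expect, so a transport or read error fails
		// the spec at once instead of being retried by Eventually/Consistently.
		fetchViaProxy := func() string {
			resp, err := http.Get(proxyRequestURL)
			Expect(err).NotTo(HaveOccurred())
			defer resp.Body.Close()

			body, err := io.ReadAll(resp.Body)
			Expect(err).ToNot(HaveOccurred())
			return string(body)
		}

		By("checking that our app can't initially reach cloud controller over internal address")
		Expect(fetchViaProxy()).To(MatchRegexp("refused"))

		By("creating and binding a security group that allows access to bosh vms for the cc port")
		// NOTE(review): unlike the org, space and app names, this name does not
		// carry testConfig.Prefix, so it can collide with an existing group of
		// the same name, which AfterEach would then pass to removeASG.
		asgName = "ccAllow"
		// NOTE(review): a /0 prefix length matches every IPv4 address, so this
		// rule allows TCP egress to any destination on the port, which is wider
		// than the "bosh vms" named in the step. Left unchanged because the
		// Cloud Controller's address range is not visible in this file; narrow it
		// to the deployment's internal range if that is known.
		createASG(asgName, fmt.Sprintf(`[{"destination":"10.0.0.0/0","protocol":"tcp","ports": "%d"}]`, internalCCPort))
		Expect(cfCLI.BindSecurityGroup(asgName, orgName, spaceName)).To(Succeed())

		if !testConfig.DynamicASGsEnabled {
			By("if dynamic asgs are not enabled, validating an app restart is required")
			Consistently(fetchViaProxy).Should(MatchRegexp("refused"))
			Expect(cf.Cf("restart", appName).Wait(Timeout_Push)).To(gexec.Exit(0))
		}

		By("checking that our app can now reach cloud controller over internal address")
		Eventually(fetchViaProxy).WithTimeout(180 * time.Second).Should(MatchRegexp("api_version"))

		By("unbinding the security group")
		Expect(cfCLI.UnbindSecurityGroup(asgName, orgName, spaceName)).To(Succeed())

		if !testConfig.DynamicASGsEnabled {
			// Without dynamic ASGs the revoked rule is expected to remain in
			// effect until the restart: the request must still succeed here.
			By("if dynamic asgs are not enabled, validating an app restart is required")
			time.Sleep(10 * time.Second)
			Expect(fetchViaProxy()).To(MatchRegexp("api_version"))
			Expect(cf.Cf("restart", appName).Wait(Timeout_Push)).To(gexec.Exit(0))
		}

		By("checking that our app can no longer reach cloud controller over internal address")
		Eventually(fetchViaProxy).WithTimeout(180 * time.Second).Should(MatchRegexp("refused"))
	})
})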