From 844356d7c571160fa63f0f6968e31aaf784a9e3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian=20Peliz=C3=A4us?= Date: Thu, 22 Aug 2024 16:05:40 +0200 Subject: [PATCH 1/2] tests/suites/clustering: Extend cluster member join tests if name is 'none' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Julian Pelizäus (cherry picked from commit c49ef5f1c599c9c6883b20527387a7e8057b8155) --- test/suites/clustering.sh | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/test/suites/clustering.sh b/test/suites/clustering.sh index b780f6d46f7e..f67d37c8f495 100644 --- a/test/suites/clustering.sh +++ b/test/suites/clustering.sh 
@@ -1709,7 +1709,22 @@ test_clustering_join_api() { ns2="${prefix}2" LXD_NETNS="${ns2}" spawn_lxd "${LXD_TWO_DIR}" false - op=$(curl --unix-socket "${LXD_TWO_DIR}/unix.socket" -X PUT "lxd/1.0/cluster" -d "{\"server_name\":\"node2\",\"enabled\":true,\"member_config\":[{\"entity\": \"storage-pool\",\"name\":\"data\",\"key\":\"source\",\"value\":\"\"}],\"server_address\":\"10.1.1.102:8443\",\"cluster_address\":\"10.1.1.101:8443\",\"cluster_certificate\":\"${cert}\",\"cluster_password\":\"sekret\"}" | jq -r .operation) + # Check a join token cannot be created for the reserved name 'none' + ! lxc cluster add none --quiet || false + + # Check a server with the name 'valid' cannot be joined when modifying the token. + # Therefore replace the valid name in the token with 'none'. + malicious_token="$(lxc cluster add valid --quiet | base64 -d | jq '.server_name |= "none"' | base64 --wrap=0)" + op=$(curl --unix-socket "${LXD_TWO_DIR}/unix.socket" -X PUT "lxd/1.0/cluster" -d "{\"server_name\":\"valid\",\"enabled\":true,\"member_config\":[{\"entity\": \"storage-pool\",\"name\":\"data\",\"key\":\"source\",\"value\":\"\"}],\"server_address\":\"10.1.1.102:8443\",\"cluster_address\":\"10.1.1.101:8443\",\"cluster_certificate\":\"${cert}\",\"cluster_token\":\"${malicious_token}\"}" | jq -r .operation) + [ "$(curl --unix-socket "${LXD_TWO_DIR}/unix.socket" "lxd${op}/wait" | jq '.error_code')" = "403" ] + + # Check that the server cannot be joined using a valid token by changing it's name to 'none'. + token="$(lxc cluster add valid2 --quiet)" + [ "$(curl --unix-socket "${LXD_TWO_DIR}/unix.socket" -X PUT "lxd/1.0/cluster" -d "{\"server_name\":\"none\",\"enabled\":true,\"member_config\":[{\"entity\": \"storage-pool\",\"name\":\"data\",\"key\":\"source\",\"value\":\"\"}],\"server_address\":\"10.1.1.102:8443\",\"cluster_address\":\"10.1.1.101:8443\",\"cluster_certificate\":\"${cert}\",\"cluster_token\":\"${token}\"}" | jq -r '.error_code')" = "400" ] + + # Check the server can be joined. 
+ token="$(lxc cluster add node2 --quiet)" + op=$(curl --unix-socket "${LXD_TWO_DIR}/unix.socket" -X PUT "lxd/1.0/cluster" -d "{\"server_name\":\"node2\",\"enabled\":true,\"member_config\":[{\"entity\": \"storage-pool\",\"name\":\"data\",\"key\":\"source\",\"value\":\"\"}],\"server_address\":\"10.1.1.102:8443\",\"cluster_address\":\"10.1.1.101:8443\",\"cluster_certificate\":\"${cert}\",\"cluster_token\":\"${token}\"}" | jq -r .operation) curl --unix-socket "${LXD_TWO_DIR}/unix.socket" "lxd${op}/wait" LXD_DIR="${LXD_ONE_DIR}" lxc cluster show node2 | grep -q "message: Fully operational" From b5a90af1cb03478699d650a1c04c3620af0285b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian=20Peliz=C3=A4us?= Date: Mon, 2 Sep 2024 10:27:10 +0200 Subject: [PATCH 2/2] test/suites/clustering: Check server can be joined using password and valid name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Julian Pelizäus --- test/suites/clustering.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/test/suites/clustering.sh b/test/suites/clustering.sh index f67d37c8f495..891c15d34ef2 100644 --- a/test/suites/clustering.sh +++ b/test/suites/clustering.sh 
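Review bot: The rejection checks added in this hunk (`! lxc cluster add none --quiet || false`, the `= "403"` check on the operation wait and the `= "400"` check on the PUT) assert only an exit status or error code, so an unrelated failure with the same code would satisfy them and nothing confirms the cluster was left unchanged; the `= "400"` password check in PATCH 2/2 has the same shape. After the rejected joins I would assert state on the first member, for example `! LXD_DIR="${LXD_ONE_DIR}" lxc cluster show none || false`, and also compare the error message if its text is stable. The bare `lxc cluster add` calls rely on whatever LXD_DIR is in effect, which is set outside this hunk; prefixing them with `LXD_DIR="${LXD_ONE_DIR}"`, as the existing `lxc cluster show node2` line does, would make the target explicit. test_clustering_join_api starts and ends outside the hunk.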
@@ -1729,15 +1729,33 @@ test_clustering_join_api() { LXD_DIR="${LXD_ONE_DIR}" lxc cluster show node2 | grep -q "message: Fully operational" + setup_clustering_netns 3 + LXD_THREE_DIR=$(mktemp -d -p "${TEST_DIR}" XXX) + chmod +x "${LXD_THREE_DIR}" + ns3="${prefix}3" + LXD_NETNS="${ns3}" spawn_lxd "${LXD_THREE_DIR}" false + + # Check the server cannot be joined using password by changing it's name to 'none'. + [ "$(curl --unix-socket "${LXD_THREE_DIR}/unix.socket" -X PUT "lxd/1.0/cluster" -d "{\"server_name\":\"none\",\"enabled\":true,\"member_config\":[{\"entity\": \"storage-pool\",\"name\":\"data\",\"key\":\"source\",\"value\":\"\"}],\"server_address\":\"10.1.1.103:8443\",\"cluster_address\":\"10.1.1.101:8443\",\"cluster_certificate\":\"${cert}\",\"cluster_password\":\"sekret\"}" | jq -r '.error_code')" = "400" ] + + # Check the server can be joined using password. + op=$(curl --unix-socket "${LXD_THREE_DIR}/unix.socket" -X PUT "lxd/1.0/cluster" -d "{\"server_name\":\"node3\",\"enabled\":true,\"member_config\":[{\"entity\": \"storage-pool\",\"name\":\"data\",\"key\":\"source\",\"value\":\"\"}],\"server_address\":\"10.1.1.103:8443\",\"cluster_address\":\"10.1.1.101:8443\",\"cluster_certificate\":\"${cert}\",\"cluster_password\":\"sekret\"}" | jq -r .operation) + curl --unix-socket "${LXD_THREE_DIR}/unix.socket" "lxd${op}/wait" + + LXD_DIR="${LXD_ONE_DIR}" lxc cluster show node3 | grep -q "message: Fully operational" + + LXD_DIR="${LXD_THREE_DIR}" lxd shutdown LXD_DIR="${LXD_TWO_DIR}" lxd shutdown LXD_DIR="${LXD_ONE_DIR}" lxd shutdown sleep 0.5 + rm -f "${LXD_THREE_DIR}/unix.socket" rm -f "${LXD_TWO_DIR}/unix.socket" rm -f "${LXD_ONE_DIR}/unix.socket" teardown_clustering_netns teardown_clustering_bridge + kill_lxd "${LXD_THREE_DIR}" kill_lxd "${LXD_TWO_DIR}" kill_lxd "${LXD_ONE_DIR}" }
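Review bot: The third-daemon setup at the top of this hunk has no comment saying why another node is spawned, and the reason is not evident from these lines alone. Assuming it is because node2 has already joined by the time this code runs (the preceding patch in the series joins it with a token), a line such as `# node2 is already a member, so the password join path needs a fresh unclustered daemon` before `setup_clustering_netns 3` would make that clear. In the added comment `# Check the server cannot be joined using password by changing it's name to 'none'.`, `it's` should be `its`. test_clustering_join_api begins outside the hunk.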