/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.nifi.cluster.firewall.impl;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeTrue;
import java.io.File;
import java.net.InetAddress;
import java.net.UnknownHostException;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
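public class FileBasedClusterNodeFirewallTest {

    private FileBasedClusterNodeFirewall ipsFirewall;
    private FileBasedClusterNodeFirewall acceptAllFirewall;
    private File ipsConfig;
    private File emptyConfig;
    private File restoreDirectory;

    @Rule
    public final TemporaryFolder temp = new TemporaryFolder();

    // Deliberately not a resolvable host; a single-label name is used so that wildcard DNS
    // (see ensureBadHostsDoNotWork) is the only plausible way it could resolve.
    private static final String NONEXISTENT_HOSTNAME = "abc";

    // Set once per class by ensureBadHostsDoNotWork(). Tests that feed the firewall malformed
    // host names guard on it with assumeTrue(), so they are skipped (not failed) when the local
    // resolver answers for garbage names.
    private static boolean badHostsDoNotResolve = false;

    /**
     * We have tests that rely on known bad host/ip parameters; make sure DNS doesn't resolve them.
     * This can be a problem e.g. on residential ISPs in the USA because the provider will often
     * wildcard match all possible DNS names in an attempt to serve advertising.
     *
     * <p>Only an {@link UnknownHostException} flips {@code badHostsDoNotResolve} to {@code true};
     * if {@code NONEXISTENT_HOSTNAME} resolves, the flag stays {@code false} and the dependent
     * tests are skipped rather than reporting a misleading firewall failure.
     */
    @BeforeClass
    public static void ensureBadHostsDoNotWork() {
        try {
            // The resolved address itself is irrelevant; only whether resolution fails matters.
            InetAddress.getByName(NONEXISTENT_HOSTNAME);
        } catch (final UnknownHostException uhe) {
            badHostsDoNotResolve = true;
        }
    }

    /**
     * Builds two firewalls from test resources: one from {@code ips.txt} (with a restore
     * directory, exercising the sync/copy path) and one from {@code empty.txt} (no restore
     * directory), which the tests below expect to accept everything.
     *
     * @throws Exception if a test resource cannot be located or the firewall cannot be built
     */
    @Before
    public void setup() throws Exception {
        ipsConfig = new File(getClass().getResource("/org/apache/nifi/cluster/firewall/impl/ips.txt").toURI());
        emptyConfig = new File(getClass().getResource("/org/apache/nifi/cluster/firewall/impl/empty.txt").toURI());
        restoreDirectory = temp.newFolder("firewall_restore");
        ipsFirewall = new FileBasedClusterNodeFirewall(ipsConfig, restoreDirectory);
        acceptAllFirewall = new FileBasedClusterNodeFirewall(emptyConfig);
    }

    /**
     * We have two garbage lines in our test config file, ensure they didn't get turned into hosts.
     * Skipped when the local resolver answers for arbitrary names, because then the firewall could
     * legitimately have resolved the garbage and the assertion would not test what it claims.
     */
    @Test
    public void ensureBadDataWasIgnored() {
        assumeTrue(badHostsDoNotResolve);
        assertFalse("firewall treated our malformed data as a host. If " +
                "`host \"bad data should be skipped\"` works locally, this test should have been " +
                "skipped.",
                ipsFirewall.isPermissible("bad data should be skipped"));
        assertFalse("firewall treated our malformed data as a host. If " +
                "`host \"more bad data\"` works locally, this test should have been " +
                "skipped.",
                ipsFirewall.isPermissible("more bad data"));
    }

    /**
     * The firewall built with a restore directory is expected to copy its config there under the
     * same file name; this only compares file lengths, not contents.
     */
    @Test
    public void testSyncWithRestore() {
        assertEquals(ipsConfig.length(), new File(restoreDirectory, ipsConfig.getName()).length());
    }

    /** An address listed verbatim in ips.txt (presumably 2.2.2.2) is permitted. */
    @Test
    public void testIsPermissibleWithExactMatch() {
        assertTrue(ipsFirewall.isPermissible("2.2.2.2"));
    }

    /** An address inside a subnet entry of ips.txt (presumably a 3.3.3.0/24 range) is permitted. */
    @Test
    public void testIsPermissibleWithSubnetMatch() {
        assertTrue(ipsFirewall.isPermissible("3.3.3.255"));
    }

    /** An address matching no entry is rejected; a non-empty config must default to deny. */
    @Test
    public void testIsPermissibleWithNoMatch() {
        assertFalse(ipsFirewall.isPermissible("255.255.255.255"));
    }

    /**
     * With a non-empty config, an unresolvable host name is rejected rather than treated as a
     * match. Skipped when the local resolver would resolve the name (see ensureBadHostsDoNotWork).
     */
    @Test
    public void testIsPermissibleWithMalformedData() {
        assumeTrue(badHostsDoNotResolve);
        assertFalse("firewall allowed host '" + NONEXISTENT_HOSTNAME + "' rather than rejecting as malformed. If `host " + NONEXISTENT_HOSTNAME + "` "
                + "works locally, this test should have been skipped.",
                ipsFirewall.isPermissible(NONEXISTENT_HOSTNAME));
    }

    /** An empty config is permissive: any address is accepted. */
    @Test
    public void testIsPermissibleWithEmptyConfig() {
        assertTrue(acceptAllFirewall.isPermissible("1.1.1.1"));
    }

    /**
     * An empty config is permissive even for an unresolvable host name. Skipped when the local
     * resolver would resolve the name, for the same reason as the other malformed-data tests.
     */
    @Test
    public void testIsPermissibleWithEmptyConfigWithMalformedData() {
        assumeTrue(badHostsDoNotResolve);
        assertTrue("firewall did not allow malformed host '" + NONEXISTENT_HOSTNAME + "' under permissive configs. If " +
                "`host " + NONEXISTENT_HOSTNAME + "` works locally, this test should have been skipped.",
                acceptAllFirewall.isPermissible(NONEXISTENT_HOSTNAME));
    }
}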