itest: add test for Status server endpoint

ellemouton · ellemouton · commit c2d26c59396d · 2023-06-20T09:18:40.000+02:00
diff --git a/itest/litd_mode_integrated_test.go b/itest/litd_mode_integrated_test.go
@@ -138,6 +138,9 @@ var (
 	loopMacaroonFn = func(cfg *LitNodeConfig) string {
 		return cfg.LoopMacPath
 	}
+	emptyMacaroonFn = func(_ *LitNodeConfig) string {
+		return ""
+	}
 	poolRequestFn = func(ctx context.Context,
 		c grpc.ClientConnInterface) (proto.Message, error) {
 
@@ -182,6 +185,14 @@ var (
 		litConn := litrpc.NewProxyClient(c)
 		return litConn.GetInfo(ctx, &litrpc.GetInfoRequest{})
 	}
+	statusRequestFn = func(ctx context.Context,
+		c grpc.ClientConnInterface) (proto.Message, error) {
+
+		litConn := litrpc.NewStatusClient(c)
+		return litConn.SubServerStatus(
+			ctx, &litrpc.SubServerStatusReq{},
+		)
+	}
 	litMacaroonFn = func(cfg *LitNodeConfig) string {
 		return cfg.LitMacPath
 	}
@@ -197,6 +208,7 @@ var (
 		restPOST          bool
 		canDisable        bool
 		litOnly           bool
+		noAuth            bool
 	}{{
 		name:              "lnrpc",
 		macaroonFn:        lndMacaroonFn,
@@ -294,6 +306,16 @@ var (
 		grpcWebURI:        "/litrpc.Proxy/GetInfo",
 		restWebURI:        "/v1/proxy/info",
 		litOnly:           true,
+	}, {
+		name:              "litrpc-status",
+		macaroonFn:        emptyMacaroonFn,
+		requestFn:         statusRequestFn,
+		successPattern:    "\"sub_servers\":",
+		allowedThroughLNC: false,
+		grpcWebURI:        "/litrpc.Status/SubServerStatus",
+		restWebURI:        "/v1/status",
+		litOnly:           true,
+		noAuth:            true,
 	}}
 
 	// customURIs is a map of endpoint URIs that we want to allow via a
@@ -416,6 +438,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runGRPCAuthTest(
 					ttt, cfg.RPCAddr(), cfg.TLSCertPath,
 					endpoint.macaroonFn(cfg),
+					endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointDisabled || endpoint.litOnly,
@@ -427,6 +450,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runGRPCAuthTest(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
 					endpoint.macaroonFn(cfg),
+					endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointDisabled,
@@ -448,7 +472,8 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runUIPasswordCheck(
 					ttt, cfg.RPCAddr(), cfg.TLSCertPath,
 					cfg.UIPassword, endpoint.requestFn,
-					true, endpoint.successPattern,
+					endpoint.noAuth, true,
+					endpoint.successPattern,
 					endpointDisabled || endpoint.litOnly,
 					"Unimplemented desc = unknown service",
 				)
@@ -463,6 +488,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runUIPasswordCheck(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
 					cfg.UIPassword, endpoint.requestFn,
+					endpoint.noAuth,
 					shouldFailWithoutMacaroon,
 					endpoint.successPattern,
 					endpointDisabled,
@@ -492,6 +518,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					endpoint.grpcWebURI,
 					withoutUIPassword, endpointDisabled,
 					"unknown gRPC web request",
+					endpoint.noAuth,
 				)
 			})
 		}
@@ -515,7 +542,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 			tt.Run(endpoint.name+" lnd port", func(ttt *testing.T) {
 				runGRPCAuthTest(
 					ttt, cfg.RPCAddr(), cfg.TLSCertPath,
-					superMacFile,
+					superMacFile, endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointDisabled || endpoint.litOnly,
@@ -526,7 +553,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 			tt.Run(endpoint.name+" lit port", func(ttt *testing.T) {
 				runGRPCAuthTest(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
-					superMacFile,
+					superMacFile, endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointDisabled,
@@ -552,6 +579,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					endpoint.successPattern,
 					endpoint.restPOST,
 					withoutUIPassword, endpointDisabled,
+					endpoint.noAuth,
 				)
 			})
 		}
@@ -642,12 +670,18 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 			endpointDisabled := subServersDisabled &&
 				endpoint.canDisable
 
+			expectedErr := "permission denied"
+			if endpoint.noAuth {
+				expectedErr = "unknown service"
+			}
+
 			tt.Run(endpoint.name+" lit port", func(ttt *testing.T) {
 				allowed := customURIs[endpoint.grpcWebURI]
+
 				runLNCAuthTest(
 					ttt, rawLNCConn, endpoint.requestFn,
 					endpoint.successPattern,
-					allowed, "permission denied",
+					allowed, expectedErr,
 					endpointDisabled,
 				)
 			})
@@ -713,7 +747,7 @@ func runCertificateCheck(t *testing.T, node *HarnessNode) {
 
 // runGRPCAuthTest tests authentication of the given gRPC interface.
 func runGRPCAuthTest(t *testing.T, hostPort, tlsCertPath, macPath string,
-	makeRequest requestFn, successContent string, disabled bool,
+	noMac bool, makeRequest requestFn, successContent string, disabled bool,
 	disabledErr string) {
 
 	ctxb := context.Background()
@@ -724,6 +758,21 @@ func runGRPCAuthTest(t *testing.T, hostPort, tlsCertPath, macPath string,
 	require.NoError(t, err)
 	defer rawConn.Close()
 
+	if noMac {
+		resp, err := makeRequest(ctxt, rawConn)
+		if disabled {
+			require.ErrorContains(t, err, disabledErr)
+			return
+		}
+		require.NoError(t, err)
+
+		json, err := marshalOptions.Marshal(resp)
+		require.NoError(t, err)
+		require.Contains(t, string(json), successContent)
+
+		return
+	}
+
 	// We have a connection without any macaroon. A call should fail.
 	_, err = makeRequest(ctxt, rawConn)
 	if disabled {
@@ -765,9 +814,9 @@ func runGRPCAuthTest(t *testing.T, hostPort, tlsCertPath, macPath string,
 	resp, err := makeRequest(ctxm, rawConn)
 	if disabled {
 		require.ErrorContains(t, err, disabledErr)
-	} else {
-		require.NoError(t, err)
+		return
 	}
+	require.NoError(t, err)
 
 	json, err := marshalOptions.Marshal(resp)
 	require.NoError(t, err)
@@ -776,7 +825,7 @@ func runGRPCAuthTest(t *testing.T, hostPort, tlsCertPath, macPath string,
 
 // runUIPasswordCheck tests UI password authentication.
 func runUIPasswordCheck(t *testing.T, hostPort, tlsCertPath, uiPassword string,
-	makeRequest requestFn, shouldFailWithoutMacaroon bool,
+	makeRequest requestFn, noAuth, shouldFailWithoutMacaroon bool,
 	successContent string, disabled bool, disabledErr string) {
 
 	ctxb := context.Background()
@@ -787,11 +836,19 @@ func runUIPasswordCheck(t *testing.T, hostPort, tlsCertPath, uiPassword string,
 	require.NoError(t, err)
 	defer rawConn.Close()
 
-	// Make sure that a call without any metadata results in an error.
+	// Make sure that a call without any metadata results in an error unless
+	// this is a call that is allowed to be un-authenticated in which case
+	// we expect it to succeed.
 	_, err = makeRequest(ctxt, rawConn)
-	if disabled {
+	switch {
+	case disabled:
 		require.ErrorContains(t, err, disabledErr)
-	} else {
+	case noAuth:
+		require.NoError(t, err)
+
+		return
+
+	default:
 		require.ErrorContains(t, err, "expected 1 macaroon, got 0")
 	}
 
@@ -902,7 +959,8 @@ func runIndexPageCheck(t *testing.T, hostPort string, uiDisabled bool) {
 
 // runGRPCWebAuthTest tests authentication of the given gRPC interface.
 func runGRPCWebAuthTest(t *testing.T, hostPort, uiPassword, grpcWebURI string,
-	shouldFailWithUIPassword, disabled bool, disableErr string) {
+	shouldFailWithUIPassword, disabled bool, disableErr string,
+	noAuth bool) {
 
 	basicAuth := base64.StdEncoding.EncodeToString(
 		[]byte(fmt.Sprintf("%s:%s", uiPassword, uiPassword)),
@@ -915,15 +973,23 @@ func runGRPCWebAuthTest(t *testing.T, hostPort, uiPassword, grpcWebURI string,
 
 	url := fmt.Sprintf("https://%s%s", hostPort, grpcWebURI)
 
-	// First test a grpc-web call without authorization, which should fail.
+	// First test a grpc-web call without authorization, which should fail
+	// unless this call does not require authentication.
 	_, responseHeader, err := postURL(url, emptyGrpcWebRequest, header)
 	require.NoError(t, err)
 
-	if disabled {
+	switch {
+	case disabled:
 		require.Contains(
 			t, responseHeader.Get("grpc-message"), disableErr,
 		)
-	} else {
+
+	case noAuth:
+		require.Equal(t, "", responseHeader.Get("grpc-message"))
+
+		return
+
+	default:
 		require.Equal(
 			t, "expected 1 macaroon, got 0",
 			responseHeader.Get("grpc-message"),
@@ -972,7 +1038,7 @@ func runGRPCWebAuthTest(t *testing.T, hostPort, uiPassword, grpcWebURI string,
 // runRESTAuthTest tests authentication of the given REST interface.
 func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 	successPattern string, usePOST, shouldFailWithUIPassword,
-	disabled bool) {
+	disabled, noMac bool) {
 
 	basicAuth := base64.StdEncoding.EncodeToString(
 		[]byte(fmt.Sprintf("%s:%s", uiPassword, uiPassword)),
@@ -987,7 +1053,9 @@ func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 		method = "POST"
 	}
 
-	// First test a REST call without authorization, which should fail.
+	// First test a REST call without authorization, which should fail
+	// unless this is a call for an endpoint that does not require
+	// authorization.
 	body, responseHeader, err := callURL(url, method, nil, nil, false)
 	require.NoError(t, err)
 
@@ -996,6 +1064,11 @@ func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 		responseHeader.Get("content-type"),
 	)
 
+	if noMac {
+		require.Contains(t, body, successPattern)
+		return
+	}
+
 	if disabled {
 		require.Empty(
 			t, responseHeader.Get("grpc-metadata-content-type"),
@@ -1025,7 +1098,6 @@ func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 
 	default:
 		require.Contains(t, body, successPattern)
-
 	}
 
 	// And finally, try with the given macaroon.
diff --git a/itest/litd_mode_remote_test.go b/itest/litd_mode_remote_test.go
@@ -63,6 +63,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runGRPCAuthTest(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
 					endpoint.macaroonFn(cfg),
+					endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointEnabled,
@@ -89,6 +90,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runUIPasswordCheck(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
 					cfg.UIPassword, endpoint.requestFn,
+					endpoint.noAuth,
 					shouldFailWithoutMacaroon,
 					endpoint.successPattern,
 					endpointEnabled,
@@ -116,6 +118,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					endpoint.grpcWebURI, withoutUIPassword,
 					endpointEnabled,
 					"unknown gRPC web request",
+					endpoint.noAuth,
 				)
 			})
 		}
@@ -140,6 +143,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runGRPCAuthTest(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
 					superMacFile,
+					endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointEnabled,
@@ -165,6 +169,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					endpoint.successPattern,
 					endpoint.restPOST, withoutUIPassword,
 					endpointDisabled,
+					endpoint.noAuth,
 				)
 			})
 		}
@@ -234,12 +239,17 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 			endpointDisabled := subServersDisabled &&
 				endpoint.canDisable
 
+			expectedErr := "permission denied"
+			if endpoint.noAuth {
+				expectedErr = "unknown service"
+			}
+
 			tt.Run(endpoint.name+" lit port", func(ttt *testing.T) {
 				allowed := customURIs[endpoint.grpcWebURI]
 				runLNCAuthTest(
 					ttt, rawLNCConn, endpoint.requestFn,
 					endpoint.successPattern,
-					allowed, "permission denied",
+					allowed, expectedErr,
 					endpointDisabled,
 				)
 			})
