apisix/t/cli/test_admin.sh

#!/usr/bin/env bash

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

. ./t/cli/common.sh

# check admin https enabled

git checkout conf/config.yaml

echo "
apisix:
    admin_api_mtls:
        admin_ssl_cert: '../t/certs/apisix_admin_ssl.crt'
        admin_ssl_cert_key: '../t/certs/apisix_admin_ssl.key'
    port_admin: 9180
    https_admin: true
" > conf/config.yaml

make init

grep "listen 0.0.0.0:9180 ssl" conf/nginx.conf > /dev/null
if [ ! $? -eq 0 ]; then
    echo "failed: failed to enable https for admin"
    exit 1
fi

make run

code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} https://127.0.0.1:9180/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1')
if [ ! $code -eq 200 ]; then
    echo "failed: failed to enable https for admin"
    exit 1
fi

make stop

echo "passed: admin https enabled"

echo '
apisix:
  enable_admin: true
  admin_listen:
    ip: 127.0.0.2
    port: 9181
' > conf/config.yaml

make init

if ! grep "listen 127.0.0.2:9181;" conf/nginx.conf > /dev/null; then
    echo "failed: customize address for admin server"
    exit 1
fi

make run

code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} http://127.0.0.2:9181/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1')

if [ ! $code -eq 200 ]; then
    echo "failed: failed to access admin"
    exit 1
fi

make stop

# rollback to the default

git checkout conf/config.yaml

make init

set +ex

grep "listen 0.0.0.0:9080 ssl" conf/nginx.conf > /dev/null
if [ ! $? -eq 1 ]; then
    echo "failed: failed to rollback to the default admin config"
    exit 1
fi

set -ex

echo "passed: rollback to the default admin config"

# set allow_admin in conf/config.yaml

echo "
apisix:
    allow_admin:
        - 127.0.0.9
" > conf/config.yaml

make init

count=`grep -c "allow 127.0.0.9" conf/nginx.conf`
if [ $count -eq 0 ]; then
    echo "failed: not found 'allow 127.0.0.9;' in conf/nginx.conf"
    exit 1
fi

echo "
apisix:
    allow_admin: ~
" > conf/config.yaml

make init

count=`grep -c "allow all;" conf/nginx.conf`
if [ $count -eq 0 ]; then
    echo "failed: not found 'allow all;' in conf/nginx.conf"
    exit 1
fi

echo "passed: empty allow_admin in conf/config.yaml"

# missing admin key, allow any IP to access admin api

git checkout conf/config.yaml

echo '
apisix:
  allow_admin: ~
  admin_key: ~
' > conf/config.yaml

make init > output.log 2>&1 | true

grep -E "ERROR: missing valid Admin API token." output.log > /dev/null
if [ ! $? -eq 0 ]; then
    echo "failed: should show 'ERROR: missing valid Admin API token.'"
    exit 1
fi

echo "pass: missing admin key and show ERROR message"

# admin api, allow any IP but use default key

echo '
apisix:
  allow_admin: ~
  admin_key:
    -
      name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin
' > conf/config.yaml

make init > output.log 2>&1 | true

grep -E "WARNING: using fixed Admin API token has security risk." output.log > /dev/null
if [ ! $? -eq 0 ]; then
    echo "failed: need to show `WARNING: using fixed Admin API token has security risk`"
    exit 1
fi

echo "pass: show WARNING message if the user used default token and allow any IP to access"

# port_admin set
echo '
apisix:
  port_admin: 9180
' > conf/config.yaml

rm logs/error.log
make init
make run

code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} http://127.0.0.1:9180/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1')
make stop

if [ ! $code -eq 200 ]; then
    echo "failed: failed to access admin"
    exit 1
fi

if grep -E 'using uninitialized ".+" variable while logging request' logs/error.log; then
    echo "failed: uninitialized variable found during writing access log"
    exit 1
fi

echo "pass: uninitialized variable not found during writing access log (port_admin set)"

# Admin API can only be used with etcd config_center
echo '
apisix:
    enable_admin: true
    config_center: yaml
' > conf/config.yaml

out=$(make init 2>&1 || true)
if ! echo "$out" | grep "Admin API can only be used with etcd config_center"; then
    echo "failed: Admin API can only be used with etcd config_center"
    exit 1
fi

echo "passed: Admin API can only be used with etcd config_center"

# disable Admin API and init plugins syncer
echo '
apisix:
  enable_admin: false
' > conf/config.yaml

rm logs/error.log
make init
make run

make init

if grep -E "failed to fetch data from etcd" logs/error.log; then
    echo "failed: should sync /apisix/plugins from etcd when disabling admin normal"
    exit 1
fi

make stop

echo "pass: sync /apisix/plugins from etcd when disabling admin successfully"



# ignore changes to /apisix/plugins/ due to init_etcd
echo '
apisix:
  enable_admin: true
plugins:
  - public-api
  - node-status
nginx_config:
  error_log_level:  info
' > conf/config.yaml

rm logs/error.log
make init
make run

# initialize node-status public API routes #1
code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} -X PUT http://127.0.0.1:9080/apisix/admin/routes/node-status \
    -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
    -d "{
        \"uri\": \"/apisix/status\",
        \"plugins\": {
            \"public-api\": {}
        }
    }")
if [ ! $code -eq 201 ]; then
    echo "failed: initialize node status public API failed #1"
    exit 1
fi

sleep 0.5

# first time check node status api
code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} http://127.0.0.1:9080/apisix/status)
if [ ! $code -eq 200 ]; then
    echo "failed: first time check node status api failed #1"
    exit 1
fi

# mock another instance init etcd dir
make init
sleep 1

# initialize node-status public API routes #2
code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} -X PUT http://127.0.0.1:9080/apisix/admin/routes/node-status \
    -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" \
    -d "{
        \"uri\": \"/apisix/status\",
        \"plugins\": {
            \"public-api\": {}
        }
    }")
if [ ! $code -eq 200 ]; then
    echo "failed: initialize node status public API failed #2"
    exit 1
fi

sleep 0.5

# second time check node status api
code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} http://127.0.0.1:9080/apisix/status)
if [ ! $code -eq 200 ]; then
    echo "failed: second time check node status api failed #1"
    exit 1
fi

make stop

echo "pass: ignore changes to /apisix/plugins/ due to init_etcd successfully"


# accept changes to /apisix/plugins when enable_admin is false
echo '
apisix:
  enable_admin: false
plugins:
  - public-api
  - node-status
stream_plugins:
' > conf/config.yaml

rm logs/error.log
make init
make run

# first time check node status api
code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} http://127.0.0.1:9080/apisix/status)
if [ ! $code -eq 200 ]; then
    echo "failed: first time check node status api failed #2"
    exit 1
fi

sleep 0.5

# check http plugins load list
if ! grep -E 'new plugins: {"public-api":true,"node-status":true}' logs/error.log; -o \
   ! grep -E 'new plugins: {"node-status":true,"public-api":true}' logs/error.log; then
    echo "failed: first time load http plugins list failed"
    exit 1
fi

# check stream plugins(no plugins under stream, it will be added below)
if ! grep -E 'failed to read stream plugin list from local file' logs/error.log; then
    echo "failed: first time load stream plugins list failed"
    exit 1
fi

# mock another instance add /apisix/plugins
res=$(etcdctl put "/apisix/plugins" '[{"name":"node-status"},{"name":"example-plugin"},{"name":"public-api"},{"stream":true,"name":"mqtt-proxy"}]')
if [[ $res != "OK" ]]; then
    echo "failed: failed to set /apisix/plugins to add more plugins"
    exit 1
fi

sleep 0.5

# second time check node status api
code=$(curl -v -k -i -m 20 -o /dev/null -s -w %{http_code} http://127.0.0.1:9080/apisix/status)
if [ ! $code -eq 200 ]; then
    echo "failed: second time check node status api failed #2"
    exit 1
fi

# check http plugins load list
if ! grep -E 'new plugins: {"public-api":true,"node-status":true}' logs/error.log; -o \
   ! grep -E 'new plugins: {"node-status":true,"public-api":true}' logs/error.log; then
    echo "failed: second time load http plugins list failed"
    exit 1
fi

# check stream plugins load list
if ! grep -E 'new plugins: {.*example-plugin' logs/error.log; then
    echo "failed: second time load stream plugins list failed"
    exit 1
fi


if grep -E 'new plugins: {}' logs/error.log; then
    echo "failed: second time load plugins list failed"
    exit 1
fi

make stop

echo "pass: accept changes to /apisix/plugins successfully"