NIFI-144: Skip firewall tests that require known bad host names on permissive DNS setups.

Signed-off-by: Mark Payne <markap14@hotmail.com>
2015-04-29 21:25:22 -05:00 · 2015-04-29 21:25:22 -05:00 · 8ed131b635
parent 21c5c48cab
commit 8ed131b635
2 changed files with 47 additions and 2 deletions
--- a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/main/java/org/apache/nifi/cluster/firewall/impl/FileBasedClusterNodeFirewall.java
+++ b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/main/java/org/apache/nifi/cluster/firewall/impl/FileBasedClusterNodeFirewall.java
@ -113,9 +113,11 @@ public class FileBasedClusterNodeFirewall implements ClusterNodeFirewall {
            }

            // no match
+            logger.debug("Blocking host '{}' because it does not match our allowed list.", hostOrIp);
            return false;

        } catch (final IllegalArgumentException iae) {
+            logger.debug("Blocking requested host, '{}', because it is malformed.", hostOrIp, iae);
            return false;
        }
    }
--- a/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/test/java/org/apache/nifi/cluster/firewall/impl/FileBasedClusterNodeFirewallTest.java
+++ b/nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/src/test/java/org/apache/nifi/cluster/firewall/impl/FileBasedClusterNodeFirewallTest.java
@ -18,12 +18,16 @@ package org.apache.nifi.cluster.firewall.impl;

 import java.io.File;
 import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 import org.apache.nifi.util.file.FileUtils;
 import org.junit.After;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assume.assumeTrue;
 import org.junit.Before;
+import org.junit.BeforeClass;
 import org.junit.Test;

 public class FileBasedClusterNodeFirewallTest {
@ -38,6 +42,23 @@ public class FileBasedClusterNodeFirewallTest {

    private File restoreDirectory;

+    private static boolean badHostsDoNotResolve = false;
+
+    /**
+     * We have tests that rely on known bad host/ip parameters; make sure DNS doesn't resolve them.
+     * This can be a problem i.e. on residential ISPs in the USA because the provider will often
+     * wildcard match all possible DNS names in an attempt to serve advertising.
+     */
+    @BeforeClass
+    public static void ensureBadHostsDoNotWork() {
+        final InetAddress ip;
+        try {
+            ip = InetAddress.getByName("I typed a search term and my browser expected a host.");
+        } catch (final UnknownHostException uhe) {
+            badHostsDoNotResolve = true;
+        }
+    }
+
    @Before
    public void setup() throws Exception {

@ -55,6 +76,22 @@ public class FileBasedClusterNodeFirewallTest {
        deleteFile(restoreDirectory);
    }

+    /**
+     * We have two garbage lines in our test config file, ensure they didn't get turned into hosts.
+     */
+    @Test
+    public void ensureBadDataWasIgnored() {
+        assumeTrue(badHostsDoNotResolve);
+        assertFalse("firewall treated our malformed data as a host. If " +
+            "`host \"bad data should be skipped\"` works locally, this test should have been " +
+            "skipped.",
+            ipsFirewall.isPermissible("bad data should be skipped"));
+        assertFalse("firewall treated our malformed data as a host. If " +
+            "`host \"more bad data\"` works locally, this test should have been " +
+            "skipped.",
+            ipsFirewall.isPermissible("more bad data"));
+    }
+
    @Test
    public void testSyncWithRestore() {
        assertEquals(ipsConfig.length(), new File(restoreDirectory, ipsConfig.getName()).length());
@ -77,7 +114,10 @@ public class FileBasedClusterNodeFirewallTest {

    @Test
    public void testIsPermissibleWithMalformedData() {
-        assertFalse(ipsFirewall.isPermissible("abc"));
+        assumeTrue(badHostsDoNotResolve);
+        assertFalse("firewall allowed host 'abc' rather than rejecting as malformed. If `host abc` "
+            + "works locally, this test should have been skipped.",
+            ipsFirewall.isPermissible("abc"));
    }

    @Test
@ -87,7 +127,10 @@ public class FileBasedClusterNodeFirewallTest {

    @Test
    public void testIsPermissibleWithEmptyConfigWithMalformedData() {
-        assertTrue(acceptAllFirewall.isPermissible("abc"));
+        assumeTrue(badHostsDoNotResolve);
+        assertTrue("firewall did not allow malformed host 'abc' under permissive configs. If " +
+            "`host abc` works locally, this test should have been skipped.",
+            acceptAllFirewall.isPermissible("abc"));
    }

    private boolean deleteFile(final File file) {