1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
|
# frozen_string_literal: true
require 'spec_helper'
require 'googleauth'
RSpec.describe Integrations::Prometheus, :use_clean_rails_memory_store_caching, :snowplow, feature_category: :observability do
include PrometheusHelpers
include ReactiveCachingHelpers
let_it_be_with_reload(:project) { create(:project, :with_prometheus_integration) }
let(:integration) { project.prometheus_integration }
it_behaves_like Integrations::BaseMonitoring
context 'redirects' do
it 'does not follow redirects' do
redirect_to = 'https://redirected.example.com'
redirect_req_stub = stub_prometheus_request(prometheus_query_url('1'), status: 302, headers: { location: redirect_to })
redirected_req_stub = stub_prometheus_request(redirect_to, body: { status: 'success' })
result = integration.test
# result = { success: false, result: error }
expect(result[:success]).to be_falsy
expect(result[:result]).to be_instance_of(Gitlab::PrometheusClient::UnexpectedResponseError)
expect(redirect_req_stub).to have_been_requested
expect(redirected_req_stub).not_to have_been_requested
end
end
describe 'Validations' do
context 'when manual_configuration is enabled' do
before do
integration.manual_configuration = true
end
it 'does not validates presence of api_url' do
expect(integration).not_to validate_presence_of(:api_url)
end
end
context 'when manual configuration is disabled' do
before do
integration.manual_configuration = false
end
it 'does not validate presence of api_url' do
expect(integration).not_to validate_presence_of(:api_url)
expect(integration.valid?).to eq(true)
end
context 'local connections allowed' do
before do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
end
it 'does not validate presence of api_url' do
expect(integration).not_to validate_presence_of(:api_url)
expect(integration.valid?).to eq(true)
end
end
end
context 'when the api_url domain points to localhost or local network' do
let(:domain) { Addressable::URI.parse(integration.api_url).hostname }
it 'cannot query' do
expect(integration.can_query?).to be true
aggregate_failures do
['127.0.0.1', '192.168.2.3'].each do |url|
allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([Addrinfo.tcp(url, 80)])
expect(integration.can_query?).to be false
end
end
end
it 'can query when local requests are allowed' do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
aggregate_failures do
['127.0.0.1', '192.168.2.3'].each do |url|
allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([Addrinfo.tcp(url, 80)])
expect(integration.can_query?).to be true
end
end
end
end
end
describe '#test' do
before do
integration.manual_configuration = true
end
let!(:req_stub) { stub_prometheus_request(prometheus_query_url('1'), body: prometheus_value_body('vector')) }
context 'success' do
it 'reads the discovery endpoint' do
expect(integration.test[:result]).to eq('Checked API endpoint')
expect(integration.test[:success]).to be_truthy
expect(req_stub).to have_been_requested.twice
end
end
context 'failure' do
let!(:req_stub) { stub_prometheus_request(prometheus_query_url('1'), status: 404) }
it 'fails to read the discovery endpoint' do
expect(integration.test[:success]).to be_falsy
expect(req_stub).to have_been_requested
end
end
context 'when configuration is not valid' do
before do
integration.manual_configuration = nil
end
it 'returns failure message' do
expect(integration.test[:success]).to be_falsy
expect(integration.test[:result]).to eq('Prometheus configuration error')
end
end
end
describe '#prometheus_client' do
let(:api_url) { 'http://some_url' }
before do
integration.active = true
integration.api_url = api_url
integration.manual_configuration = manual_configuration
end
context 'manual configuration is enabled' do
let(:manual_configuration) { true }
it 'calls valid?' do
allow(integration).to receive(:valid?).and_call_original
expect(integration.prometheus_client).not_to be_nil
expect(integration).to have_received(:valid?)
end
end
context 'manual configuration is disabled' do
let(:manual_configuration) { false }
it 'no client provided' do
expect(integration.prometheus_client).to be_nil
end
end
context 'when local requests are allowed' do
let(:manual_configuration) { true }
let(:api_url) { 'http://192.168.1.1:9090' }
before do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
stub_prometheus_request("#{api_url}/api/v1/query?query=1")
end
it 'allows local requests' do
expect(integration.prometheus_client).not_to be_nil
expect { integration.prometheus_client.ping }.not_to raise_error
end
end
context 'when local requests are blocked' do
let(:manual_configuration) { true }
let(:api_url) { 'http://192.168.1.1:9090' }
before do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
stub_prometheus_request("#{api_url}/api/v1/query?query=1")
end
it 'blocks local requests' do
expect(integration.prometheus_client).to be_nil
end
end
context 'behind IAP' do
let(:manual_configuration) { true }
let(:google_iap_service_account_json) { Gitlab::Json.generate(google_iap_service_account) }
let(:google_iap_service_account) do
{
type: "service_account",
# dummy private key generated only for this test to pass openssl validation
private_key: <<~KEY
-----BEGIN RSA PRIVATE KEY-----
MIIBOAIBAAJAU85LgUY5o6j6j/07GMLCNUcWJOBA1buZnNgKELayA6mSsHrIv31J
Y8kS+9WzGPQninea7DcM4hHA7smMgQD1BwIDAQABAkAqKxMy6PL3tn7dFL43p0ex
JyOtSmlVIiAZG1t1LXhE/uoLpYi5DnbYqGgu0oih+7nzLY/dXpNpXUmiRMOUEKmB
AiEAoTi2rBXbrLSi2C+H7M/nTOjMQQDuZ8Wr4uWpKcjYJTMCIQCFEskL565oFl/7
RRQVH+cARrAsAAoJSbrOBAvYZ0PI3QIgIEFwis10vgEF86rOzxppdIG/G+JL0IdD
9IluZuXAGPECIGUo7qSaLr75o2VEEgwtAFH5aptIPFjrL5LFCKwtdB4RAiAYZgFV
HCMmaooAw/eELuMoMWNYmujZ7VaAnOewGDW0uw==
-----END RSA PRIVATE KEY-----
KEY
}
end
def stub_iap_request
integration.google_iap_service_account_json = google_iap_service_account_json
integration.google_iap_audience_client_id = 'IAP_CLIENT_ID.apps.googleusercontent.com'
stub_request(:post, 'https://oauth2.googleapis.com/token')
.to_return(
status: 200,
body: '{"id_token": "FOO"}',
headers: { 'Content-Type': 'application/json; charset=UTF-8' }
)
end
it 'includes the authorization header' do
stub_iap_request
expect(integration.prometheus_client).not_to be_nil
expect(integration.prometheus_client.send(:options)).to have_key(:headers)
expect(integration.prometheus_client.send(:options)[:headers]).to eq(authorization: "Bearer FOO")
end
context 'with invalid IAP JSON' do
let(:google_iap_service_account_json) { 'invalid json' }
it 'does not include authorization header' do
stub_iap_request
expect(integration.prometheus_client).not_to be_nil
expect(integration.prometheus_client.send(:options)).not_to have_key(:headers)
end
end
context 'when passed with token_credential_uri', issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/284819' do
let(:malicious_host) { 'http://example.com' }
where(:param_name) do
[
:token_credential_uri,
:tokencredentialuri,
:Token_credential_uri,
:tokenCredentialUri
]
end
with_them do
it 'does not make any unexpected HTTP requests' do
google_iap_service_account[param_name] = malicious_host
stub_iap_request
stub_request(:any, malicious_host).to_raise('Making additional HTTP requests is forbidden!')
expect(integration.prometheus_client).not_to be_nil
end
end
end
end
end
describe '#prometheus_available?' do
context 'clusters with enabled prometheus' do
before do
create(:clusters_integrations_prometheus, cluster: cluster)
end
context 'cluster belongs to project' do
let_it_be(:cluster) { create(:cluster, projects: [project]) }
it 'returns true' do
expect(integration.prometheus_available?).to be(true)
end
end
context 'cluster belongs to projects group' do
let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, :with_prometheus_integration, group: group) }
let_it_be(:cluster) { create(:cluster_for_group, groups: [group]) }
it 'returns true' do
expect(integration.prometheus_available?).to be(true)
end
it 'avoids N+1 queries' do
integration
5.times do |i|
other_cluster = create(:cluster_for_group, groups: [group], environment_scope: i)
create(:clusters_integrations_prometheus, cluster: other_cluster)
end
expect { integration.prometheus_available? }.not_to exceed_query_limit(1)
end
end
context 'cluster belongs to gitlab instance' do
let(:cluster) { create(:cluster, :instance) }
it 'returns true' do
expect(integration.prometheus_available?).to be(true)
end
end
end
context 'clusters with prometheus disabled' do
let(:cluster) { create(:cluster, projects: [project]) }
let!(:prometheus) { create(:clusters_integrations_prometheus, :disabled, cluster: cluster) }
it 'returns false' do
expect(integration.prometheus_available?).to be(false)
end
end
context 'clusters without prometheus' do
let(:cluster) { create(:cluster, projects: [project]) }
it 'returns false' do
expect(integration.prometheus_available?).to be(false)
end
end
context 'no clusters' do
it 'returns false' do
expect(integration.prometheus_available?).to be(false)
end
end
end
describe '#synchronize_service_state before_save callback' do
context 'no clusters with prometheus are installed' do
context 'when integration is inactive' do
before do
integration.active = false
end
it 'activates integration when manual_configuration is enabled' do
expect { integration.update!(manual_configuration: true) }.to change { integration.active }.from(false).to(true)
end
it 'keeps integration inactive when manual_configuration is disabled' do
expect { integration.update!(manual_configuration: false) }.not_to change { integration.active }.from(false)
end
end
context 'when integration is active' do
before do
integration.active = true
end
it 'keeps the integration active when manual_configuration is enabled' do
expect { integration.update!(manual_configuration: true) }.not_to change { integration.active }.from(true)
end
it 'inactivates the integration when manual_configuration is disabled' do
expect { integration.update!(manual_configuration: false) }.to change { integration.active }.from(true).to(false)
end
end
end
context 'with prometheus installed in the cluster' do
before do
allow(integration).to receive(:prometheus_available?).and_return(true)
end
context 'when integration is inactive' do
before do
integration.active = false
end
it 'activates integration when manual_configuration is enabled' do
expect { integration.update!(manual_configuration: true) }.to change { integration.active }.from(false).to(true)
end
it 'activates integration when manual_configuration is disabled' do
expect { integration.update!(manual_configuration: false) }.to change { integration.active }.from(false).to(true)
end
end
context 'when integration is active' do
before do
integration.active = true
end
it 'keeps integration active when manual_configuration is enabled' do
expect { integration.update!(manual_configuration: true) }.not_to change { integration.active }.from(true)
end
it 'keeps integration active when manual_configuration is disabled' do
expect { integration.update!(manual_configuration: false) }.not_to change { integration.active }.from(true)
end
end
end
end
describe '#track_events after_commit callback' do
before do
allow(integration).to receive(:prometheus_available?).and_return(true)
end
context "enabling manual_configuration" do
it "tracks enable event" do
integration.update!(manual_configuration: false)
integration.update!(manual_configuration: true)
expect_snowplow_event(category: 'cluster:services:prometheus', action: 'enabled_manual_prometheus')
end
it "tracks disable event" do
integration.update!(manual_configuration: true)
integration.update!(manual_configuration: false)
expect_snowplow_event(category: 'cluster:services:prometheus', action: 'disabled_manual_prometheus')
end
end
end
describe '#sync_http_integration after_save callback' do
context 'with corresponding HTTP integration' do
let_it_be_with_reload(:http_integration) { create(:alert_management_prometheus_integration, :legacy, project: project) }
it 'syncs the attribute' do
expect { integration.update!(manual_configuration: false) }
.to change { http_integration.reload.active }
.from(true).to(false)
end
context 'when changing a different attribute' do
it 'does not sync the attribute or execute extra queries' do
expect { integration.update!(api_url: 'https://any.url') }
.to issue_fewer_queries_than { integration.update!(manual_configuration: false) }
end
end
end
context 'without corresponding HTTP integration' do
let_it_be(:other_http_integration) { create(:alert_management_prometheus_integration, project: project) }
it 'does not sync the attribute or execute extra queries' do
expect { integration.update!(manual_configuration: false) }
.not_to change { other_http_integration.reload.active }
end
end
end
describe '#editable?' do
it 'is editable' do
expect(integration.editable?).to be(true)
end
context 'when cluster exists with prometheus enabled' do
let(:cluster) { create(:cluster, projects: [project]) }
before do
integration.update!(manual_configuration: false)
create(:clusters_integrations_prometheus, cluster: cluster)
end
it 'remains editable' do
expect(integration.editable?).to be(true)
end
end
end
describe '#google_iap_service_account_json' do
subject(:iap_details) { integration.google_iap_service_account_json }
before do
integration.google_iap_service_account_json = value
end
context 'with valid JSON' do
let(:masked_value) { described_class::MASKED_VALUE }
let(:json) { Gitlab::Json.parse(iap_details) }
let(:value) do
Gitlab::Json.generate({
type: 'service_account',
private_key: 'SECRET',
foo: 'secret',
nested: {
key: 'value'
}
})
end
it 'masks all JSON values', issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/384580' do
expect(json).to eq(
'type' => masked_value,
'private_key' => masked_value,
'foo' => masked_value,
'nested' => masked_value
)
end
end
context 'with invalid JSON' do
where(:value) { [nil, '', ' ', 'invalid json'] }
with_them do
it { is_expected.to eq(value) }
end
end
end
end
|
