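#!/bin/bash
# End-to-end test for the Cilium MySQL L7 proxy: starts a mysql-server
# container on the cilium docker network, imports an egress policy that
# lets the client reach TCP/3306 but has the mysql proxy deny "select",
# and checks that the denial is enforced.
# Requires docker, the cilium CLI and helpers.bash next to this script.
dir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source "${dir}/helpers.bash"
# dir might have been overwritten by helpers.bash
dir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
# Quoted so a script path containing spaces still yields one argument.
TEST_NAME=$(get_filename_without_extension "$0")
LOGS_DIR="${dir}/cilium-files/${TEST_NAME}/logs"
redirect_debug_logs "${LOGS_DIR}"
# -x traces every command, including the fixed test credentials passed on
# the mysql command lines below, to wherever redirect_debug_logs sends it.
set -ex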
# Tear down the monitor, all Cilium policy and both mysql containers.
# Also called at startup before anything exists, so the policy and
# container removals are best-effort and their errors are ignored.
cleanup() {
  monitor_stop
  cilium policy delete --all 2>/dev/null || true
  docker rm --force mysql-server mysql-client 2>/dev/null || true
}
# EXIT trap handler. It only prints the word "cleanup" and does not call
# cleanup, so the containers and policy are left in place for manual
# testing after the script ends.
finish_test() {
  printf '%s\n' cleanup
}
# On exit only "cleanup" is printed (see finish_test); nothing is torn down.
trap finish_test EXIT
SERVER_LABEL="mysql-server"
# Not referenced below: the client label is spelled out literally in CLIENT_RUN.
CLIENT_LABEL="mysql-client"
TAG="5.5"
# Client command prefix, expanded unquoted so it word-splits into argv.
# The fixed test password is on argv, so it is visible in `ps` and in the
# set -x trace.
CLIENT_RUN="docker run --rm -t --net=cilium --name mysql-client -l mysql-client mysql:$TAG mysql -ucilium -pcilium --disable-ssl"
# Start from a clean slate before the test runs.
cleanup
logs_clear
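#######################################
# Start mysql-server, wait until it has a Cilium identity and answers
# queries, create the 'cilium' user, and verify the client can query it
# with no policy loaded. Starts the monitor last.
# Globals:   SERVER_LABEL, TAG, CLIENT_RUN (read)
#            SERVER_IP4 (written; read later by proxy_test)
# Arguments: none
# Returns:   0 on success; any failed step aborts via set -e. The two
#            wait loops have no bound and run until the server appears.
#######################################
function proxy_init {
  log "beginning proxy_init"
  create_cilium_docker_network
  # --publish exposes the server's 3306 on the host as 6603; nothing in this
  # test uses it (the client connects to SERVER_IP4 on the cilium network).
  docker run -dt --net=cilium --name mysql-server -l "${SERVER_LABEL}" \
    -e MYSQL_ROOT_PASSWORD=cilium --publish 6603:3306 "mysql:${TAG}" --disable-ssl
  wait_for_docker_ipv6_addr mysql-server
  # The grep only waits for an endpoint carrying the mysql-server label.
  log "waiting for all 3 endpoints to get an identity"
  while ! cilium endpoint list -o jsonpath='{range [*]}{.status.identity.id}{" "}{.status.identity.labels}{"\n"}' | grep '^[0-9].*mysql-server' ; do
    log "waiting..."
    sleep 1
  done
  echo "probing until mysql-server is responsive"
  until docker exec -i mysql-server mysql -uroot -pcilium -e "SHOW DATABASES" 2>/dev/null >/dev/null; do
    echo "."
    sleep 1
  done
  echo "Creating user"
  docker exec -i mysql-server mysql -uroot -pcilium -e "CREATE USER 'cilium'@'%' IDENTIFIED BY 'cilium';"
  echo "Granting privileges"
  docker exec -i mysql-server mysql -uroot -pcilium -e "GRANT ALL ON *.* TO 'cilium'@'%'; FLUSH PRIVILEGES;"
  SERVER_IP4=$(docker inspect --format '{{ .NetworkSettings.Networks.cilium.IPAddress }}' mysql-server)
  echo "Testing client without policy"
  # CLIENT_RUN is deliberately unquoted so it word-splits into argv.
  # shellcheck disable=SC2086
  $CLIENT_RUN -h"${SERVER_IP4}" -e "SELECT host FROM mysql.user WHERE User = 'cilium';"
  monitor_start
  log "finished proxy_init"
}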
#######################################
# Replace all Cilium policy with the rules below: the client may reach
# TCP/3306, but the mysql L7 proxy denies "select" for it.
# The first rule (ingress for endpoints labelled "id.server") does not
# match anything this script creates -- the server is labelled via
# SERVER_LABEL -- presumably a leftover; confirm before relying on it.
# Globals:   Cilium policy state (written)
# Arguments: none
# Returns:   status of policy_import_and_wait
#######################################
function policy_single_egress {
  # No "|| true" here, unlike cleanup: under set -e a non-zero exit aborts.
  cilium policy delete --all
  cat <<EOF | policy_import_and_wait -
[{
"endpointSelector": {"matchLabels":{"id.server":""}},
"ingress": [{
"fromEndpoints": [
{"matchLabels":{"reserved:host":""}},
{"matchLabels":{"mysql-server":""}}
]
}]
},{
"endpointSelector": {"matchLabels":{"mysql-client":""}},
"egress": [{
"toPorts": [{
"ports": [{"port": "3306", "protocol": "TCP"}],
"rules": {
"l7proto": "envoy.filters.network.mysql_proxy",
"l7": [{
"action": "deny",
"user.mysql": "select"
}]
}
}]
}]
}]
EOF
}
#######################################
# Exercise the proxy: SHOW DATABASES must succeed, while a SELECT must be
# blocked by the L7 deny rule. The wrong outcome in either direction
# aborts the test.
# Globals:   CLIENT_RUN, SERVER_IP4 (read)
# Arguments: none
# Returns:   0 when both checks pass; abort otherwise
#######################################
proxy_test() {
  log "beginning MySQL proxy test"
  monitor_clear

  log "trying to reach MySQL server at $SERVER_IP4 from client"
  # CLIENT_RUN is deliberately unquoted so it word-splits into argv.
  # shellcheck disable=SC2086
  if $CLIENT_RUN -h"${SERVER_IP4}" -e "SHOW DATABASES;"; then
    echo "Success"
  else
    abort "MySQL query failed"
  fi

  log "trying to select denied table at $SERVER_IP4 from client"
  # Only the client's exit status is inspected: any failure, not just the
  # proxy's deny, counts as the expected outcome here.
  # shellcheck disable=SC2086
  if ! $CLIENT_RUN -h"${SERVER_IP4}" -e "SELECT host FROM mysql.user;"; then
    echo "MySQL query failed as expected"
  else
    abort "MySQL query should have failed, but it succeeded"
  fi

  monitor_dump
  log "finished MySQL proxy test"
}
# Test sequence: bring up the server, load the deny policy, exercise it.
proxy_init
policy_single_egress
proxy_test
# Leave test setup behind for manual testing
# (the EXIT trap finish_test only prints "cleanup", so mysql-server -- with
# 3306 published on the host as 6603 -- and the policy stay in place).
#
# log "deleting all policies from Cilium"
# cilium policy delete --all 2> /dev/null || true
# log "removing containers"
# docker rm -f mysql-server mysql-client 2> /dev/null || true
test_succeeded "${TEST_NAME}"