package metrics import ( "context" "crypto/rand" "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "fmt" "io" "math/big" "net" "net/http" "os" "testing" "time" "github.com/coredns/coredns/plugin" "github.com/coredns/coredns/plugin/pkg/dnstest" "github.com/coredns/coredns/plugin/test" "github.com/miekg/dns" "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promauto" ) const ( serverCertFile = "test_data/server.crt" serverKeyFile = "test_data/server.key" clientCertFile = "test_data/client_selfsigned.crt" clientKeyFile = "test_data/client_selfsigned.key" tlsCaChainFile = "test_data/tls-ca-chain.pem" ) func createTestCertFiles(t *testing.T) error { t.Helper() // Generate CA certificate caCert, caKey, err := generateCA() if err != nil { t.Fatalf("Failed to generate CA certificate: %v", err) return err } // Generate server certificate signed by CA cert, key, err := generateCert(caCert, caKey) if err != nil { t.Fatalf("Failed to generate server certificate: %v", err) return err } // Generate client CA certificate clientCaCert, clientCaKey, err := generateCA() if err != nil { t.Fatalf("Failed to generate client CA certificate: %v", err) return err } // Generate client certificate signed by CA clientCert, clientKey, err := generateCert(clientCaCert, clientCaKey) if err != nil { t.Fatalf("Failed to generate client certificate: %v", err) return err } // Create ca chain file caChain := append(caCert, clientCaCert...) // Write certificates to temporary files err = writeFile(t, string(cert), serverCertFile) if err != nil { t.Fatalf("Failed to write server certificate: %v", err) return err } err = writeFile(t, string(key), serverKeyFile) if err != nil { t.Fatalf("Failed to write server key: %v", err) return err } err = writeFile(t, string(clientCert), clientCertFile) if err != nil { t.Fatalf("Failed to write client certificate: %v", err) return err } err = writeFile(t, string(clientKey), clientKeyFile) if err != nil { t.Fatalf("Failed to write client key: %v", err) return err } err = writeFile(t, string(caChain), tlsCaChainFile) if err != nil { t.Fatalf("Failed to write CA certificate: %v", err) return err } return nil } func generateCA() ([]byte, []byte, error) { ca := &x509.Certificate{ SerialNumber: big.NewInt(2023), Subject: pkix.Name{ Organization: []string{"Test CA"}, }, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), IsCA: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, } caPrivKey, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { return nil, nil, err } caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey) if err != nil { return nil, nil, err } caPEM := pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE", Bytes: caBytes, }) caPrivKeyPEM := pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey), }) return caPEM, caPrivKeyPEM, nil } func generateCert(caCertPEM, caKeyPEM []byte) ([]byte, []byte, error) { caCertBlock, _ := pem.Decode(caCertPEM) caCert, err := x509.ParseCertificate(caCertBlock.Bytes) if err != nil { return nil, nil, err } caKeyBlock, _ := pem.Decode(caKeyPEM) caKey, err := x509.ParsePKCS1PrivateKey(caKeyBlock.Bytes) if err != nil { return nil, nil, err } cert := &x509.Certificate{ SerialNumber: big.NewInt(2023), Subject: pkix.Name{ Organization: []string{"Test Server"}, }, DNSNames: []string{"localhost"}, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, } certPrivKey, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { return nil, nil, err } certBytes, err := x509.CreateCertificate(rand.Reader, cert, caCert, &certPrivKey.PublicKey, caKey) if err != nil { return nil, nil, err } certPEM := pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE", Bytes: certBytes, }) certPrivKeyPEM := pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey), }) return certPEM, certPrivKeyPEM, nil } func cleanupTestCertFiles() { os.Remove(serverCertFile) os.Remove(serverKeyFile) os.Remove(clientCertFile) os.Remove(clientKeyFile) os.Remove(tlsCaChainFile) } func writeFile(t *testing.T, content, path string) error { t.Helper() if err := os.WriteFile(path, []byte(content), 0600); err != nil { return err } return nil } func getTLSClient(clientCertName bool) *http.Client { cert, err := os.ReadFile(tlsCaChainFile) if err != nil { panic("Unable to start TLS client. Check cert path") } var clientCertficate tls.Certificate if clientCertName { clientCertficate, err = tls.LoadX509KeyPair( clientCertFile, clientKeyFile, ) if err != nil { panic(fmt.Sprintf("failed to load client certificate: %v", err)) } } client := &http.Client{ Transport: &http.Transport{ TLSClientConfig: &tls.Config{ RootCAs: func() *x509.CertPool { caCertPool := x509.NewCertPool() caCertPool.AppendCertsFromPEM(cert) return caCertPool }(), GetClientCertificate: func(_req *tls.CertificateRequestInfo) (*tls.Certificate, error) { return &clientCertficate, nil }, }, }, } return client } func TestMetricsTLS(t *testing.T) { err := createTestCertFiles(t) if err != nil { t.Fatalf("Failed to create test certificate files: %v", err) } defer cleanupTestCertFiles() tests := []struct { name string tlsConfigPath string UseTLSClient bool clientCertificate bool caFile string expectStartupError bool expectRequestError bool }{ { name: "No TLS config: starts a HTTP server, connect successfully with default client", tlsConfigPath: "", }, { name: "No TLS config: starts HTTP server, connection fails with TLS client", tlsConfigPath: "", UseTLSClient: true, expectRequestError: true, }, { name: "Empty TLS config: starts a HTTP server", tlsConfigPath: "test_data/configs/empty.yml", }, { name: "Valid TLS config, no client cert, successful connection with TLS client", tlsConfigPath: "test_data/configs/valid_verifyclientcertifgiven.yml", UseTLSClient: true, }, { name: `Valid TLS config, connection fails with default client`, tlsConfigPath: "test_data/configs/valid_verifyclientcertifgiven.yml", expectRequestError: true, }, { name: `Valid TLS config with RequireAnyClientCert, connection succeeds with TLS client presenting (valid) certificate`, tlsConfigPath: "test_data/configs/valid_requireanyclientcert.yml", UseTLSClient: true, clientCertificate: true, }, { name: "Wrong path to TLS config file fails to start server", tlsConfigPath: "test_data/configs/this-does-not-exist.yml", UseTLSClient: true, expectStartupError: true, }, { name: `TLS config hasinvalid structure, fails to start server`, tlsConfigPath: "test_data/configs/junk.yml", UseTLSClient: true, expectStartupError: true, }, { name: "Missing key file, fails to start server", tlsConfigPath: "test_data/configs/keyPath_empty.yml", UseTLSClient: true, expectStartupError: true, }, { name: "Missing cert file, fails to start server", tlsConfigPath: "test_data/configs/certPath_empty.yml", UseTLSClient: true, expectStartupError: true, }, { name: "Wrong key file path, fails to start server", tlsConfigPath: "test_data/configs/keyPath_invalid.yml", UseTLSClient: true, expectStartupError: true, }, { name: "Wrong cert file path, fails to start server", tlsConfigPath: "test_data/configs/certPath_invalid.yml", UseTLSClient: true, expectStartupError: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { met := New("localhost:0") met.tlsConfigPath = tt.tlsConfigPath // Start server err := met.OnStartup() if tt.expectStartupError { if err == nil { t.Error("Expected error but got none") } return } if err != nil { t.Fatalf("Failed to start metrics handler: %s", err) } defer met.OnFinalShutdown() // Wait for server to be ready select { case <-time.After(2 * time.Second): t.Fatal("timeout waiting for server to start") case <-func() chan struct{} { ch := make(chan struct{}) go func() { for { conn, err := net.DialTimeout("tcp", ListenAddr, 100*time.Millisecond) if err == nil { conn.Close() close(ch) return } time.Sleep(100 * time.Millisecond) } }() return ch }(): } // Create appropriate client and protocol var client *http.Client var protocol string if tt.UseTLSClient { client = getTLSClient(tt.clientCertificate) protocol = "https" } else { client = http.DefaultClient protocol = "http" } // Try multiple times to account for server startup time var resp *http.Response var err2 error for i := range 10 { url := fmt.Sprintf("%s://%s/metrics", protocol, ListenAddr) t.Logf("Attempt %d: Connecting to %s", i+1, url) resp, err2 = client.Get(url) if err2 == nil { t.Logf("Successfully connected to metrics server") break } t.Logf("Connection attempt failed: %v", err2) time.Sleep(200 * time.Millisecond) } if err2 != nil { if tt.expectRequestError { return } t.Fatalf("Failed to connect to metrics server: %v", err2) } if resp != nil { defer resp.Body.Close() } if tt.expectRequestError { // If we expect a request error but got a response, check if it's a bad status code // which indicates the connection succeeded but the request was invalid (e.g., HTTP to HTTPS server) if resp.StatusCode == http.StatusBadRequest { // Got expected error response return } // Got unexpected response status t.Fatalf("Expected request error with status %d but got response with status %d", http.StatusBadRequest, resp.StatusCode) } if resp.StatusCode != http.StatusOK { t.Errorf("Expected status 200, got %d", resp.StatusCode) } }) } } func TestMetrics(t *testing.T) { met := New("localhost:0") if err := met.OnStartup(); err != nil { t.Fatalf("Failed to start metrics handler: %s", err) } defer met.OnFinalShutdown() met.AddZone("example.org.") tests := []struct { next plugin.Handler qname string qtype uint16 metric string expectedValue string }{ // This all works because 1 bucket (1 zone, 1 type) { next: test.NextHandler(dns.RcodeSuccess, nil), qname: "example.org.", metric: "coredns_dns_requests_total", expectedValue: "1", }, { next: test.NextHandler(dns.RcodeSuccess, nil), qname: "example.org.", metric: "coredns_dns_requests_total", expectedValue: "2", }, { next: test.NextHandler(dns.RcodeSuccess, nil), qname: "example.org.", metric: "coredns_dns_requests_total", expectedValue: "3", }, { next: test.NextHandler(dns.RcodeSuccess, nil), qname: "example.org.", metric: "coredns_dns_responses_total", expectedValue: "4", }, } ctx := context.TODO() for i, tc := range tests { req := new(dns.Msg) if tc.qtype == 0 { tc.qtype = dns.TypeA } req.SetQuestion(tc.qname, tc.qtype) met.Next = tc.next rec := dnstest.NewRecorder(&test.ResponseWriter{}) _, err := met.ServeDNS(ctx, rec, req) if err != nil { t.Fatalf("Test %d: Expected no error, but got %s", i, err) } result := test.Scrape("http://" + ListenAddr + "/metrics") if tc.expectedValue != "" { got, _ := test.MetricValue(tc.metric, result) if got != tc.expectedValue { t.Errorf("Test %d: Expected value %s for metrics %s, but got %s", i, tc.expectedValue, tc.metric, got) } } } } func TestMetricsHTTPTimeout(t *testing.T) { met := New("localhost:0") if err := met.OnStartup(); err != nil { t.Fatalf("Failed to start metrics handler: %s", err) } defer met.OnFinalShutdown() // Use context with timeout to prevent test from hanging indefinitely ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) defer cancel() done := make(chan error, 1) go func() { conn, err := net.Dial("tcp", ListenAddr) if err != nil { done <- err return } defer conn.Close() // Send partial HTTP request and then stop sending data // This will cause the server to wait for more data and hit ReadTimeout partialRequest := "GET /metrics HTTP/1.1\r\nHost: " + ListenAddr + "\r\nContent-Length: 100\r\n\r\n" _, err = conn.Write([]byte(partialRequest)) if err != nil { done <- err return } // Now just wait - server should timeout trying to read the remaining data // If server has no ReadTimeout, this will hang indefinitely buffer := make([]byte, 1024) _, err = conn.Read(buffer) done <- err }() select { case <-done: t.Log("HTTP request timed out by server") case <-ctx.Done(): t.Error("HTTP request did not time out") } } func TestMustRegister_DuplicateOK(_t *testing.T) { met := New("localhost:0") met.Reg = prometheus.NewRegistry() g := promauto.NewGaugeVec(prometheus.GaugeOpts{Namespace: "test", Name: "dup"}, []string{"l"}) met.MustRegister(g) // registering the same collector again should yield AlreadyRegisteredError internally and be ignored met.MustRegister(g) } func TestRemoveZone(t *testing.T) { met := New("localhost:0") met.AddZone("example.org.") met.AddZone("example.net.") met.RemoveZone("example.net.") zones := met.ZoneNames() for _, z := range zones { if z == "example.net." { t.Fatalf("zone %q still present after RemoveZone", z) } } } func TestOnRestartStopsServer(t *testing.T) { met := New("localhost:0") if err := met.OnStartup(); err != nil { t.Fatalf("startup failed: %v", err) } // server should respond before restart resp, err := http.Get("http://" + ListenAddr + "/metrics") if err != nil { t.Fatalf("pre-restart GET failed: %v", err) } if resp != nil { io.Copy(io.Discard, resp.Body) resp.Body.Close() } if err := met.OnRestart(); err != nil { t.Fatalf("restart failed: %v", err) } // after restart, the listener should be closed and request should fail if _, err := http.Get("http://" + ListenAddr + "/metrics"); err == nil { t.Fatalf("expected GET to fail after restart, but it succeeded") } } func TestRegistryGetOrSet(t *testing.T) { r := newReg() addr := "localhost:12345" pr1 := prometheus.NewRegistry() got1 := r.getOrSet(addr, pr1) if got1 != pr1 { t.Fatalf("first getOrSet should return provided registry") } pr2 := prometheus.NewRegistry() got2 := r.getOrSet(addr, pr2) if got2 != pr1 { t.Fatalf("second getOrSet should return original registry, got different one") } } func TestOnRestartNoop(t *testing.T) { met := New("localhost:0") // without OnStartup, OnRestart should be a no-op if err := met.OnRestart(); err != nil { t.Fatalf("OnRestart returned error on no-op: %v", err) } } func TestContextHelpersEmpty(t *testing.T) { if got := WithServer(context.TODO()); got != "" { t.Fatalf("WithServer(nil) = %q, want empty", got) } if got := WithView(context.TODO()); got != "" { t.Fatalf("WithView(nil) = %q, want empty", got) } }