in_forward: tests: Add fail-close around test cases for authentication

cosmo0920 · edsiper · commit 67ae3b047258 · 2025-10-04T08:33:21.000-06:00
Signed-off-by: Hiroshi Hatake &lt;hiroshi@chronosphere.io&gt;
diff --git a/tests/runtime/in_forward.c b/tests/runtime/in_forward.c
@@ -903,6 +903,148 @@ void flb_test_threaded_forward_issue_10946()
     flb_destroy(ctx);
 }
 
+static flb_ctx_t *fw_make_ctx_with_forward(int *in_ffd_out, int *out_ffd_out)
+{
+    struct flb_lib_out_cb cb = {0};
+    flb_ctx_t *ctx;
+    int in_ffd, out_ffd, ret;
+
+    ctx = flb_create();
+    TEST_CHECK(ctx != NULL);
+    if (!ctx) { return NULL; }
+
+    flb_service_set(ctx,
+                    "Flush", "0.200000000",
+                    "Grace", "1",
+                    "Log_Level", "error",
+                    NULL);
+
+    /* forward input */
+    in_ffd = flb_input(ctx, (char *) "forward", NULL);
+    TEST_CHECK(in_ffd >= 0);
+    if (in_ffd < 0) { flb_destroy(ctx); return NULL; }
+
+    /* lib output: count only (no payload check) */
+    cb.cb   = cb_count_only;
+    cb.data = NULL;
+    out_ffd = flb_output(ctx, (char *) "lib", (void *) &cb);
+    TEST_CHECK(out_ffd >= 0);
+    if (out_ffd < 0) {
+        flb_destroy(ctx);
+        return NULL;
+    }
+    ret = flb_output_set(ctx, out_ffd,
+                         "match", "*",
+                         "format", "json",
+                         NULL);
+    TEST_CHECK(ret == 0);
+
+    if (in_ffd_out)  *in_ffd_out  = in_ffd;
+    if (out_ffd_out) *out_ffd_out = out_ffd;
+    return ctx;
+}
+
+/* 1) users-only => must fail to start (fail-close) */
+void flb_test_fw_auth_users_only_fail_start()
+{
+    flb_ctx_t *ctx;
+    int in_ffd, out_ffd, ret;
+
+    ctx = fw_make_ctx_with_forward(&in_ffd, &out_ffd);
+    TEST_CHECK(ctx != NULL);
+    if (!ctx) {
+        return;
+    }
+
+    ret = flb_input_set(ctx, in_ffd,
+                        "tag", "test",
+                        "security.users", "alice s3cr3t",
+                        NULL);
+    TEST_CHECK(ret == 0);
+
+    ret = flb_start(ctx);
+    TEST_CHECK(ret != 0);
+    if (ret == 0) {
+        TEST_MSG("users-only config unexpectedly started; fail-close not enforced");
+        flb_stop(ctx);
+    }
+    flb_destroy(ctx);
+}
+
+/* 2) empty_shared_key + users => start OK */
+void flb_test_fw_auth_empty_shared_key_plus_users_start_ok()
+{
+    flb_ctx_t *ctx;
+    int in_ffd, out_ffd, ret;
+
+    ctx = fw_make_ctx_with_forward(&in_ffd, &out_ffd);
+    TEST_CHECK(ctx != NULL);
+    if (!ctx) { return; }
+
+    ret = flb_input_set(ctx, in_ffd,
+                        "tag", "test",
+                        "empty_shared_key", "true",
+                        "security.users", "alice s3cr3t",
+                        NULL);
+    TEST_CHECK(ret == 0);
+
+    ret = flb_start(ctx);
+    TEST_CHECK(ret == 0);
+    if (ret == 0) {
+        flb_stop(ctx);
+    }
+    flb_destroy(ctx);
+}
+
+/* 3) shared_key only => start OK (backward compatible) */
+void flb_test_fw_auth_shared_key_only_start_ok()
+{
+    flb_ctx_t *ctx;
+    int in_ffd, out_ffd, ret;
+
+    ctx = fw_make_ctx_with_forward(&in_ffd, &out_ffd);
+    TEST_CHECK(ctx != NULL);
+    if (!ctx) { return; }
+
+    ret = flb_input_set(ctx, in_ffd,
+                        "tag", "test",
+                        "shared_key", "k",
+                        NULL);
+    TEST_CHECK(ret == 0);
+
+    ret = flb_start(ctx);
+    TEST_CHECK(ret == 0);
+    if (ret == 0) {
+        flb_stop(ctx);
+    }
+    flb_destroy(ctx);
+}
+
+/* 4) shared_key + users => start OK (both checks) */
+void flb_test_fw_auth_shared_key_plus_users_start_ok()
+{
+    flb_ctx_t *ctx;
+    int in_ffd, out_ffd, ret;
+
+    ctx = fw_make_ctx_with_forward(&in_ffd, &out_ffd);
+    TEST_CHECK(ctx != NULL);
+    if (!ctx) { return; }
+
+    ret = flb_input_set(ctx, in_ffd,
+                        "tag", "test",
+                        "shared_key", "k",
+                        "security.users", "alice s3cr3t",
+                        NULL);
+    TEST_CHECK(ret == 0);
+
+    ret = flb_start(ctx);
+    TEST_CHECK(ret == 0);
+    if (ret == 0) {
+        flb_stop(ctx);
+    }
+    flb_destroy(ctx);
+}
+
 TEST_LIST = {
     {"forward", flb_test_forward},
     {"forward_port", flb_test_forward_port},
@@ -914,5 +1056,9 @@ TEST_LIST = {
     {"forward_gzip", flb_test_forward_gzip},
     {"forward_zstd", flb_test_forward_zstd},
     {"issue_10946", flb_test_threaded_forward_issue_10946},
+    {"fw_auth_users_only_fail_start", flb_test_fw_auth_users_only_fail_start},
+    {"fw_auth_empty_shared_key_plus_users_start_ok", flb_test_fw_auth_empty_shared_key_plus_users_start_ok},
+    {"fw_auth_shared_key_only_start_ok", flb_test_fw_auth_shared_key_only_start_ok},
+    {"fw_auth_shared_key_plus_users_start_ok", flb_test_fw_auth_shared_key_plus_users_start_ok},
     {NULL, NULL}
 };
