wwweww
169 lines
4.9 KiB
Bash
169 lines
4.9 KiB
Bash
#!/usr/bin/env bash
|
||
# 测试 Envoy Lua 双 Cookie XSRF + 登录接口 + 限流头
|
||
# 用法:
|
||
# ./test-login-xsrf-rl.sh [BASE_URL] [WARM_PATH] [LOGIN_PATH] [COUNT] [INTERVAL]
|
||
# 环境变量:
|
||
# INSECURE=1 # https 自签时跳过校验
|
||
# TOKEN_HEADER=xsrf-token
|
||
# USERNAME=testUser
|
||
# PASSWORD=string
|
||
# PHONE=string
|
||
# REMEMBER=true # true/false
|
||
# DATA='{"username":"..."}' # 直接提供完整 JSON,将覆盖上面四项
|
||
#
|
||
# 例子:
|
||
# ./test-login-xsrf-rl.sh http://127.0.0.1:8080 /healthz /api/v1/auth/login 25 0.1
|
||
|
||
set -euo pipefail
|
||
|
||
BASE_URL="${1:-http://127.0.0.1:8080}"
|
||
WARM_PATH="${2:-/healthz}"
|
||
LOGIN_PATH="${3:-/api/v1/auth/login}"
|
||
COUNT="${4:-20}"
|
||
INTERVAL="${5:-0.05}"
|
||
|
||
METHOD="POST"
|
||
CONTENT_TYPE="application/json"
|
||
|
||
TOKEN_HEADER="${TOKEN_HEADER:-xsrf-token}"
|
||
TOKEN_COOKIE="__Host-XSRF-TOKEN"
|
||
GUARD_COOKIE="__Host-XSRF-GUARD"
|
||
|
||
USERNAME="${USERNAME:-testUser}"
|
||
PASSWORD="${PASSWORD:-string}"
|
||
PHONE="${PHONE:-string}"
|
||
REMEMBER="${REMEMBER:-true}"
|
||
|
||
INSECURE="${INSECURE:-}"
|
||
|
||
CURL_COMMON=(-sS -L)
|
||
[[ -n "${INSECURE}" ]] && CURL_COMMON+=(-k)
|
||
|
||
tmpdir="$(mktemp -d)"
|
||
trap 'rm -rf "$tmpdir"' EXIT
|
||
hdr="$tmpdir/hdr"
|
||
|
||
echo "# Base=${BASE_URL} Warm=${WARM_PATH} Login=${LOGIN_PATH} Count=${COUNT} Interval=${INTERVAL}s"
|
||
|
||
# 构造请求体(优先使用 DATA;否则用变量拼装)
|
||
build_data() {
|
||
if [[ -n "${DATA:-}" ]]; then
|
||
DATA_PAYLOAD="${DATA}"
|
||
return
|
||
fi
|
||
|
||
# 规范化 REMEMBER 为 true/false
|
||
case "${REMEMBER,,}" in
|
||
true) REMEMBER=true ;;
|
||
false) REMEMBER=false ;;
|
||
*) REMEMBER=true ;;
|
||
esac
|
||
|
||
if command -v jq >/dev/null 2>&1; then
|
||
DATA_PAYLOAD="$(
|
||
jq -n \
|
||
--arg username "$USERNAME" \
|
||
--arg password "$PASSWORD" \
|
||
--arg phone "$PHONE" \
|
||
--argjson remember "$REMEMBER" \
|
||
'{username:$username,password:$password,phone:$phone,remember:$remember}'
|
||
)"
|
||
else
|
||
# 无 jq 的简易拼装(注意变量里如含双引号会破坏 JSON,生产建议安装 jq)
|
||
DATA_PAYLOAD=$(cat <<JSON
|
||
{"username":"$USERNAME","password":"$PASSWORD","phone":"$PHONE","remember":$REMEMBER}
|
||
JSON
|
||
)
|
||
fi
|
||
}
|
||
|
||
warm_set_cookies() {
|
||
local url="${BASE_URL}${WARM_PATH}"
|
||
echo "# 预热: GET ${url} 以获得 CSRF 双 Cookie"
|
||
curl "${CURL_COMMON[@]}" -X GET -D "$hdr" -o /dev/null "$url" || true
|
||
|
||
# 解析 Set-Cookie
|
||
local out
|
||
out=$(awk '
|
||
{
|
||
line=$0; gsub("\r","",line);
|
||
low=tolower(line);
|
||
if (index(low,"set-cookie:")==1) {
|
||
sub(/^[Ss]et-[Cc]ookie:[ ]*/, "", line);
|
||
split(line, p, /;/); split(p[1], kv, /=/);
|
||
name=tolower(kv[1]); val=kv[2];
|
||
if (name=="__host-xsrf-token") token=val;
|
||
if (name=="__host-xsrf-guard") guard=val;
|
||
}
|
||
}
|
||
END{
|
||
if (token) printf("TOKEN=%s\n", token);
|
||
if (guard) printf("GUARD=%s\n", guard);
|
||
}' "$hdr" || true)
|
||
|
||
eval "$out" || true
|
||
if [[ -z "${TOKEN:-}" || -z "${GUARD:-}" ]]; then
|
||
echo "!! 未从响应中解析到 CSRF Cookie,检查 Lua 过滤器是否生效或是否命中过滤链。"
|
||
echo "响应头预览:"; head -n 50 "$hdr"
|
||
exit 1
|
||
fi
|
||
|
||
COOKIE_HEADER="${TOKEN_COOKIE}=${TOKEN}; ${GUARD_COOKIE}=${GUARD}"
|
||
echo "# 已获取 Cookie: ${COOKIE_HEADER}"
|
||
}
|
||
|
||
extract_rl_headers() {
|
||
local LIMIT REMAIN RESET RLED
|
||
LIMIT=$(grep -i '^x-ratelimit-limit:' "$hdr" 2>/dev/null | head -n1 | awk '{print $2}' | tr -d '\r' || true)
|
||
REMAIN=$(grep -i '^x-ratelimit-remaining:' "$hdr" 2>/dev/null | head -n1 | awk '{print $2}' | tr -d '\r' || true)
|
||
RESET=$(grep -i '^x-ratelimit-reset:' "$hdr" 2>/dev/null | head -n1 | awk '{print $2}' | tr -d '\r' || true)
|
||
RLED=$(grep -i '^x-envoy-ratelimited:' "$hdr" 2>/dev/null | head -n1 | awk '{print $2}' | tr -d '\r' || true)
|
||
printf "limit=%s remaining=%s reset=%s ratelimited=%s" "${LIMIT:--}" "${REMAIN:--}" "${RESET:--}" "${RLED:-no}"
|
||
}
|
||
|
||
do_request() {
|
||
local with_header="$1" # yes/no
|
||
local url="${BASE_URL}${LOGIN_PATH}"
|
||
rm -f "$hdr"
|
||
|
||
if [[ "$with_header" == "yes" ]]; then
|
||
CODE=$(curl "${CURL_COMMON[@]}" -X "$METHOD" \
|
||
-H "Content-Type: ${CONTENT_TYPE}" \
|
||
-H "Cookie: ${COOKIE_HEADER}" \
|
||
-H "${TOKEN_HEADER}: ${TOKEN}" \
|
||
--data "$DATA_PAYLOAD" \
|
||
-D "$hdr" -o /dev/null -w "%{http_code}" \
|
||
"$url")
|
||
else
|
||
CODE=$(curl "${CURL_COMMON[@]}" -X "$METHOD" \
|
||
-H "Content-Type: ${CONTENT_TYPE}" \
|
||
-H "Cookie: ${COOKIE_HEADER}" \
|
||
--data "$DATA_PAYLOAD" \
|
||
-D "$hdr" -o /dev/null -w "%{http_code}" \
|
||
"$url")
|
||
fi
|
||
|
||
printf "%s code=%s " "$(date '+%H:%M:%S')" "${CODE}"
|
||
extract_rl_headers
|
||
printf "\n"
|
||
}
|
||
|
||
# 1) 构造登录请求体
|
||
build_data
|
||
echo "# 登录请求体: ${DATA_PAYLOAD}"
|
||
|
||
# 2) 预热拿 Cookie
|
||
warm_set_cookies
|
||
|
||
# 3) 负例:不带 xsrf-token 头(应 403)
|
||
echo "# 负例:不带 XSRF 头,预期 403"
|
||
do_request "no"
|
||
|
||
# 4) 正例:带齐 Cookie + xsrf-token,循环观察限流头
|
||
echo "# 正例:带齐 Cookie 与 XSRF 头,开始压测以观测限流头"
|
||
for i in $(seq 1 "${COUNT}"); do
|
||
printf "#%02d " "$i"
|
||
do_request "yes"
|
||
sleep "${INTERVAL}"
|
||
done
|