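#!/usr/bin/env bash
#
# Security Feature Testing Script
# Tests authentication, rate limiting, and security headers.
#
# Usage:   API_URL=http://host:port API_KEY=... ./security-tests.sh
# Env:     API_URL               base URL of the server under test
#          API_KEY               key expected by the server (default is a local-test placeholder)
#          CURL_TIMEOUT          per-request timeout in seconds (default 10)
#          RUN_RATE_LIMIT_TEST   set to 1 to also run the (slow) rate-limit test
# Exit:    0 when every check passed, 1 when at least one check failed
#          (so CI notices); curl transport errors are reported on stderr
#          and counted as failures instead of silently aborting the run.
#
set -euo pipefail

# Colors for output. Stored as real escape bytes so plain printf '%s' emits them.
RED=$'\033[0;31m'
GREEN=$'\033[0;32m'
YELLOW=$'\033[1;33m'
NC=$'\033[0m' # No Color

# Configuration (all overridable from the environment)
API_URL="${API_URL:-http://127.0.0.1:8787}"
# Placeholder for local testing only; a real deployment must supply API_KEY via env.
API_KEY="${API_KEY:-test-api-key-12345}"
# Bounds every request so an unresponsive server cannot hang the script forever.
CURL_TIMEOUT="${CURL_TIMEOUT:-10}"
RUN_RATE_LIMIT_TEST="${RUN_RATE_LIMIT_TEST:-0}"

FAILURES=0   # incremented by fail(); drives the final exit status
HTTP_CODE='' # set by request(): last response status code
BODY=''      # set by request(): last response body

# Pass the key to curl through a header file rather than argv so it does not
# appear in process listings (ps) or in `set -x` traces. mktemp creates the
# file 0600; it is removed on any exit path. (-H @file needs curl >= 7.55.)
AUTH_HEADER_FILE=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
trap 'rm -f -- "$AUTH_HEADER_FILE"' EXIT
printf 'X-API-Key: %s\n' "$API_KEY" > "$AUTH_HEADER_FILE"

#######################################
# Print a test heading preceded by a blank line.
# Arguments: $1 - heading text
#######################################
heading() {
  printf '\n%s%s%s\n' "$YELLOW" "$1" "$NC"
}

#######################################
# Report a passed check.
# Arguments: $1 - message
#######################################
pass() {
  printf '%s✓ %s%s\n' "$GREEN" "$1" "$NC"
}

#######################################
# Report a failed check and remember it for the exit status.
# Globals:   FAILURES (written)
# Arguments: $1 - message
#######################################
fail() {
  printf '%s✗ %s%s\n' "$RED" "$1" "$NC"
  FAILURES=$((FAILURES + 1))
}

#######################################
# Issue one request and capture its status code and body.
# Globals:   API_URL, CURL_TIMEOUT (read); HTTP_CODE, BODY (written)
# Arguments: $1 - path appended to API_URL; remaining args are passed to curl
#            verbatim (e.g. -H headers)
# Returns:   curl's exit status; non-zero means a transport error (refused,
#            timeout), in which case HTTP_CODE and BODY are left empty.
#######################################
request() {
  local path=$1
  shift
  local raw
  HTTP_CODE=''
  BODY=''
  # -sS: quiet progress bar but still print transport errors on stderr.
  # The status code is appended on its own line after the body so a single
  # call yields both; it is split off with parameter expansion below
  # (avoids the GNU-only `head -n-1` the previous version relied on).
  raw=$(curl -sS --max-time "$CURL_TIMEOUT" -w '\n%{http_code}' "$@" "${API_URL}${path}") || return
  HTTP_CODE=${raw##*$'\n'}
  BODY=${raw%$'\n'*}
}

#######################################
# Check that a response header is present in $headers.
# Header names are case-insensitive (HTTP/2 delivers them lowercased), so the
# match is case-insensitive and literal.
# Globals:   headers (read)
# Arguments: $1 - header text to look for, e.g. "X-Frame-Options: DENY"
#            $2 - header name used in the report line
#######################################
check_header() {
  if grep -qiF -- "$1" <<<"$headers"; then
    pass "$2 header present"
  else
    fail "Missing $2 header"
  fi
}

printf '%s=== Cloud Server Security Tests ===%s\n' "$YELLOW" "$NC"

# Test 1: Health endpoint (public, no auth required)
heading "Test 1: Health endpoint (public)"
if request /health && [[ "$HTTP_CODE" == "200" ]]; then
  pass "Health endpoint accessible without auth"
else
  fail "Health endpoint failed: HTTP ${HTTP_CODE:-n/a}"
fi

# Test 2: Security headers
heading "Test 2: Security headers"
headers=$(curl -sS --max-time "$CURL_TIMEOUT" -I "$API_URL/health") || headers=''
check_header "X-Content-Type-Options: nosniff" "X-Content-Type-Options"
check_header "X-Frame-Options: DENY" "X-Frame-Options"
# Clients only honour Strict-Transport-Security received over TLS; with the
# plain-HTTP default API_URL this check reports what the app itself emits.
# If TLS is terminated in front of the app, verify the header there as well.
check_header "Strict-Transport-Security" "Strict-Transport-Security"

# Test 3: Missing API key
heading "Test 3: Missing API key (should fail)"
if request /instances && [[ "$HTTP_CODE" == "401" ]]; then
  pass "Correctly rejected request without API key"
else
  fail "Expected 401, got HTTP ${HTTP_CODE:-n/a}"
fi

# Test 4: Invalid API key
heading "Test 4: Invalid API key (should fail)"
if request /instances -H "X-API-Key: invalid-key" && [[ "$HTTP_CODE" == "401" ]]; then
  pass "Correctly rejected request with invalid API key"
else
  fail "Expected 401, got HTTP ${HTTP_CODE:-n/a}"
fi

# Test 5: Valid API key
heading "Test 5: Valid API key (should succeed)"
if request "/instances?limit=1" -H "@$AUTH_HEADER_FILE" && [[ "$HTTP_CODE" == "200" ]]; then
  pass "Successfully authenticated with valid API key"
else
  fail "Authentication failed: HTTP ${HTTP_CODE:-n/a}"
fi

# Test 6: Rate limiting (opt-in via RUN_RATE_LIMIT_TEST=1 because it sends
# up to 101 requests with a 0.1 s pause each, i.e. roughly ten seconds).
if [[ "$RUN_RATE_LIMIT_TEST" == "1" ]]; then
  heading "Test 6: Rate limiting"
  printf 'Sending 101 requests to /instances...\n'
  triggered=0
  for i in {1..101}; do
    # A transport error mid-loop ends the test; it is reported as not triggered.
    request "/instances?limit=1" -H "@$AUTH_HEADER_FILE" || break
    if [[ "$HTTP_CODE" == "429" ]]; then
      pass "Rate limit triggered after $i requests"
      printf 'Response: %s\n' "$BODY"
      triggered=1
      break
    fi
    # Small delay to avoid overwhelming the server
    sleep 0.1
  done
  if (( triggered == 0 )); then
    fail "Rate limit not triggered within 101 requests to /instances"
  fi
fi

heading "=== Tests Complete ==="
if [[ "$RUN_RATE_LIMIT_TEST" != "1" ]]; then
  printf '\nTo test rate limiting, run this script with RUN_RATE_LIMIT_TEST=1.\n'
fi
printf 'Rate limits: /instances=100req/min, /sync=10req/min\n'

# Non-zero exit so a CI job fails when any check above failed.
if (( FAILURES > 0 )); then
  printf '\n%s%d check(s) failed%s\n' "$RED" "$FAILURES" "$NC" >&2
  exit 1
fi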