--- test case: No rules (all allowed) in: rules: [] out: number_of_rules: 1 metrics: - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'system.run[echo 1]' result: ZBX_KEY_ACCESS_DENY --- test case: No allowed keys in: rules: - pattern: '*' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 1 metrics: - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_DENY - metric: 'system.run[echo 1]' result: ZBX_KEY_ACCESS_DENY - metric: 'system.localtime[utc]' result: ZBX_KEY_ACCESS_DENY --- test case: No arguments in: rules: - pattern: 'vfs.file.contents' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_ALLOW --- test case: Empty parameter list in: rules: - pattern: 'vfs.file.contents[]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents[]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[""]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents' result: ZBX_KEY_ACCESS_ALLOW - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_ALLOW --- test case: Any arguments in: rules: - pattern: 'vfs.file.contents[*]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents[]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/path/to/file]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents' result: ZBX_KEY_ACCESS_ALLOW --- test case: Any arguments double asterisk in: rules: - pattern: 'vfs.file.contents[**]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents[]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/path/to/file]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/path/to/file,UTF8]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents' result: ZBX_KEY_ACCESS_ALLOW --- test case: Specific first parameter in: rules: - pattern: 'vfs.file.contents[/etc/passwd,*]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents[/etc/passwd,]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/etc/passwd,utf8]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/var/log/zabbix_server.log]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'vfs.file.contents[]' result: ZBX_KEY_ACCESS_ALLOW --- test case: First argument pattern in: rules: - pattern: 'vfs.file.contents[*passwd*]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/etc/passwd,]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'vfs.file.contents[/etc/passwd,utf8]' result: ZBX_KEY_ACCESS_ALLOW --- test case: Any second parameter value in: rules: - pattern: 'test[a,*]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'test[a]' result: ZBX_KEY_ACCESS_DENY - metric: 'test[a,]' result: ZBX_KEY_ACCESS_DENY - metric: 'test[a,anything]' result: ZBX_KEY_ACCESS_DENY - metric: 'test[]' result: ZBX_KEY_ACCESS_ALLOW --- test case: First argument pattern and any following arguments in: rules: - pattern: 'vfs.file.contents[*passwd*,*]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents[/etc/passwd,]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/etc/passwd,utf8]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/tmp/test]' result: ZBX_KEY_ACCESS_ALLOW --- test case: Any first parameter value in: rules: - pattern: 'test[*,b]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'test[anything,c]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'test[anything,b]' result: ZBX_KEY_ACCESS_DENY - metric: 'test[anything,b,c]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'test[anything,b,]' result: ZBX_KEY_ACCESS_ALLOW --- test case: Empty second parameter value in: rules: - pattern: 'test[a,,c]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'test[a,,c]' result: ZBX_KEY_ACCESS_DENY - metric: 'test[a,b,c]' result: ZBX_KEY_ACCESS_ALLOW --- test case: Any second parameter value in: rules: - pattern: 'vfs.file.contents[/var/log/zabbix_server.log,*,abc]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents[/var/log/zabbix_server.log,,abc]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/var/log/zabbix_server.log,utf8,abc]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/var/log/zabbix_server.log,,abc,def]' result: ZBX_KEY_ACCESS_ALLOW --- test case: Specific parameters in: rules: - pattern: 'vfs.file.contents[/etc/passwd,utf8]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents[/etc/passwd,utf8]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/etc/passwd,]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'vfs.file.contents[/etc/passwd,utf16]' result: ZBX_KEY_ACCESS_ALLOW --- test case: Quoted parameters in: rules: - pattern: 'vfs.file.contents[/etc/passwd,utf8]' type: ZBX_KEY_ACCESS_DENY - pattern: 'system.run[*]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents["/etc/passwd","utf8"]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents["/etc/passwd",""]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'vfs.file.contents["/etc/passwd","utf16"]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'system.run["echo 1"]' result: ZBX_KEY_ACCESS_DENY --- test case: Key pattern without arguments in: rules: - pattern: 'vfs.file.*' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.size' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'vfs.file.size[/var/log/zabbix_server.log]' result: ZBX_KEY_ACCESS_ALLOW --- test case: Key pattern with any arguments in: rules: - pattern: 'vfs.file.*[*]' type: ZBX_KEY_ACCESS_DENY - pattern: 'vfs.*.contents' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 3 metrics: - metric: 'vfs.file.size.bytes[]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.size[/var/log/zabbix_server.log, utf8]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.size.bytes' result: ZBX_KEY_ACCESS_ALLOW - metric: 'vfs.mount.point.file.contents' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs..contents' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.contents' result: ZBX_KEY_ACCESS_ALLOW --- test case: Whitelist in: rules: - pattern: 'vfs.file.*[/var/log/*]' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'system.localtime[*]' type: ZBX_KEY_ACCESS_ALLOW - pattern: '*' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 3 metrics: - metric: 'vfs.file.size[/var/log/zabbix_server.log]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'vfs.file.contents[/var/log/zabbix_server.log]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'system.localtime[]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'system.localtime[utc]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'system.localtime' result: ZBX_KEY_ACCESS_DENY --- test case: Blacklist in: rules: - pattern: 'vfs.file.contents[/etc/passwd,*]' type: ZBX_KEY_ACCESS_DENY - pattern: 'system.run[*]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/etc/passwd,]' result: ZBX_KEY_ACCESS_DENY - metric: 'system.run[]' result: ZBX_KEY_ACCESS_DENY - metric: 'system.run[echo 1]' result: ZBX_KEY_ACCESS_DENY - metric: 'system.run[echo 2,a]' result: ZBX_KEY_ACCESS_DENY - metric: 'system.localtime[utc]' result: ZBX_KEY_ACCESS_ALLOW --- test case: Combined wildcard in key in: rules: - pattern: 't*t*[a]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'test1[a]' result: ZBX_KEY_ACCESS_DENY - metric: 'test_best2[a]' result: ZBX_KEY_ACCESS_DENY - metric: 'tests[a]' result: ZBX_KEY_ACCESS_DENY - metric: 'test[a]' result: ZBX_KEY_ACCESS_DENY - metric: 'best[a]' result: ZBX_KEY_ACCESS_ALLOW --- test case: Duplicate rules in: rules: - pattern: 'vfs.file.*' type: ZBX_KEY_ACCESS_DENY - pattern: 'vfs.file.*' type: ZBX_KEY_ACCESS_DENY - pattern: 'vfs.file.contents' type: ZBX_KEY_ACCESS_DENY - pattern: 'vfs.file.contents[]' type: ZBX_KEY_ACCESS_DENY - pattern: 'vfs.file.contents[/etc/passwd]' type: ZBX_KEY_ACCESS_DENY - pattern: 'vfs.file.contents[/etc/passwd,*]' type: ZBX_KEY_ACCESS_DENY - pattern: 'vfs.file.*' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'vfs.file.contents' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'vfs.file.contents[]' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'vfs.file.contents[/etc/passwd]' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'vfs.file.contents[/etc/passwd,*]' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'net.*.in' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'net.*.in' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'net.*.in[]' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'net.*.in[eth0]' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'net.*.in[eth0,*]' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'net.*.in' type: ZBX_KEY_ACCESS_DENY - pattern: 'net.*.in[]' type: ZBX_KEY_ACCESS_DENY - pattern: 'net.*.in[eth0]' type: ZBX_KEY_ACCESS_DENY - pattern: 'net.*.in[eth0,*]' type: ZBX_KEY_ACCESS_DENY - pattern: 'net.*.in[eth0,bytes]' type: ZBX_KEY_ACCESS_DENY - pattern: '*' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 11 metrics: - metric: 'vfs.file.size' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.contents[/etc/passwd,utf8]' result: ZBX_KEY_ACCESS_DENY - metric: 'net.if.in' result: ZBX_KEY_ACCESS_ALLOW - metric: 'net.if.in[]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'net.if.in[eth0]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'net.if.in[eth0,]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'net.if.in[eth0,packets]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'net.if.in[eth0,bytes]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'system.run[echo 1]' result: ZBX_KEY_ACCESS_DENY --- test case: No rules after AllowKey=* in: rules: - pattern: 'vfs.file.*[*]' type: ZBX_KEY_ACCESS_DENY - pattern: '*' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'system.run[*]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 1 metrics: - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.size[/etc/systemd.conf]' result: ZBX_KEY_ACCESS_DENY - metric: 'system.run[echo 1]' result: ZBX_KEY_ACCESS_ALLOW --- test case: No rules after DenyKey=* in: rules: - pattern: 'vfs.file.*[*]' type: ZBX_KEY_ACCESS_ALLOW - pattern: '*' type: ZBX_KEY_ACCESS_DENY - pattern: 'system.run[*]' type: ZBX_KEY_ACCESS_ALLOW out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'vfs.file.size[/etc/systemd.conf]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'system.run[echo 1]' result: ZBX_KEY_ACCESS_DENY - metric: 'system.localtime' result: ZBX_KEY_ACCESS_DENY --- test case: Incomplete whitelist (no deny all at the end) in: rules: - pattern: 'vfs.file.*[/var/log/*]' type: ZBX_KEY_ACCESS_ALLOW - pattern: 'system.localtime[*]' type: ZBX_KEY_ACCESS_ALLOW exit code: failure --- test case: No trailing AllowKey rules in: rules: - pattern: 'vfs.file.*[*]' type: ZBX_KEY_ACCESS_DENY - pattern: 'system.run[*]' type: ZBX_KEY_ACCESS_ALLOW - pattern: '*' type: ZBX_KEY_ACCESS_ALLOW out: number_of_rules: 2 metrics: - metric: 'vfs.file.contents[/etc/passwd]' result: ZBX_KEY_ACCESS_DENY - metric: 'vfs.file.size[/etc/systemd.conf]' result: ZBX_KEY_ACCESS_DENY - metric: 'system.run[echo 1]' result: ZBX_KEY_ACCESS_ALLOW - metric: 'system.localtime' result: ZBX_KEY_ACCESS_ALLOW --- test case: Empty parameters match in: rules: - pattern: 'web.page.get[localhost,*,*]' type: ZBX_KEY_ACCESS_DENY out: number_of_rules: 2 metrics: - metric: 'web.page.get[localhost]' result: ZBX_KEY_ACCESS_DENY - metric: 'web.page.get[localhost,]' result: ZBX_KEY_ACCESS_DENY - metric: 'web.page.get[localhost,/,80]' result: ZBX_KEY_ACCESS_DENY - metric: 'web.page.get[localhost,/]' result: ZBX_KEY_ACCESS_DENY - metric: 'web.page.get[localhost,,80]' result: ZBX_KEY_ACCESS_DENY - metric: 'web.page.get[127.0.0.1]' result: ZBX_KEY_ACCESS_ALLOW ...