diff --git a/.github/workflows/golang-test-linux.yml b/.github/workflows/golang-test-linux.yml index c17f83222..6a77cb180 100644 --- a/.github/workflows/golang-test-linux.yml +++ b/.github/workflows/golang-test-linux.yml @@ -158,7 +158,7 @@ jobs: run: git --no-pager diff --exit-code - name: Test - run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -coverprofile=coverage.txt -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined) + run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -coverprofile=coverage.txt -tags devcert -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined) - name: Upload coverage reports to Codecov if: matrix.arch == 'amd64' @@ -229,7 +229,7 @@ jobs: sh -c ' \ apk update; apk add --no-cache \ ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \ - go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server) + go test -buildvcs=false -tags 'devcert privileged' -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server -e /client/testutil/privileged) ' test_relay: diff --git a/Makefile b/Makefile index 5d52b94fa..69e6a5de5 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: lint lint-all lint-install setup-hooks +.PHONY: lint lint-all lint-install setup-hooks test-unit test-privileged GOLANGCI_LINT := $(shell pwd)/bin/golangci-lint # Install golangci-lint locally if needed @@ -25,3 +25,13 @@ setup-hooks: @git config core.hooksPath .githooks @chmod +x .githooks/pre-push @echo "✅ Git hooks configured! Pre-push will now run 'make lint'" + +# Host-safe unit tests: excludes the privileged-tagged tests (root / system-mutating). +# Runs as a normal user with no sudo and leaves host networking untouched. +test-unit: + @go test -tags devcert -timeout 10m ./... + +# Privileged suite: runs the `privileged`-tagged tests inside a --privileged +# --cap-add=NET_ADMIN container via the ory/dockertest harness. Requires Docker. +test-privileged: + @go test -tags 'devcert privileged' -timeout 30m -run TestRunPrivilegedSuiteInDocker -v ./client/testutil/privileged/... diff --git a/client/cmd/service_privileged_test.go b/client/cmd/service_privileged_test.go new file mode 100644 index 000000000..075d7f378 --- /dev/null +++ b/client/cmd/service_privileged_test.go @@ -0,0 +1,196 @@ +//go:build privileged + +package cmd + +import ( + "context" + "fmt" + "os" + "runtime" + "testing" + "time" + + "github.com/kardianos/service" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +const ( + serviceStartTimeout = 10 * time.Second + serviceStopTimeout = 5 * time.Second + statusPollInterval = 500 * time.Millisecond +) + +// waitForServiceStatus waits for service to reach expected status with timeout +func waitForServiceStatus(expectedStatus service.Status, timeout time.Duration) (bool, error) { + cfg, err := newSVCConfig() + if err != nil { + return false, err + } + + ctxSvc, cancel := context.WithCancel(context.Background()) + defer cancel() + + s, err := newSVC(newProgram(ctxSvc, cancel), cfg) + if err != nil { + return false, err + } + + ctx, timeoutCancel := context.WithTimeout(context.Background(), timeout) + defer timeoutCancel() + + ticker := time.NewTicker(statusPollInterval) + defer ticker.Stop() + + for { + select { + case <-ctx.Done(): + return false, fmt.Errorf("timeout waiting for service status %v", expectedStatus) + case <-ticker.C: + status, err := s.Status() + if err != nil { + // Continue polling on transient errors + continue + } + if status == expectedStatus { + return true, nil + } + } + } +} + +// TestServiceLifecycle tests the complete service lifecycle +func TestServiceLifecycle(t *testing.T) { + // TODO: Add support for Windows and macOS + if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" { + t.Skipf("Skipping service lifecycle test on unsupported OS: %s", runtime.GOOS) + } + + if os.Getenv("CONTAINER") == "true" { + t.Skip("Skipping service lifecycle test in container environment") + } + + originalServiceName := serviceName + serviceName = "netbirdtest" + fmt.Sprintf("%d", time.Now().Unix()) + defer func() { + serviceName = originalServiceName + }() + + tempDir := t.TempDir() + configPath = fmt.Sprintf("%s/netbird-test-config.json", tempDir) + logLevel = "info" + daemonAddr = fmt.Sprintf("unix://%s/netbird-test.sock", tempDir) + + // Ensure cleanup even if a subtest fails and Stop/Uninstall subtests don't run. + t.Cleanup(func() { + cfg, err := newSVCConfig() + if err != nil { + t.Errorf("cleanup: create service config: %v", err) + return + } + ctxSvc, cancel := context.WithCancel(context.Background()) + defer cancel() + s, err := newSVC(newProgram(ctxSvc, cancel), cfg) + if err != nil { + t.Errorf("cleanup: create service: %v", err) + return + } + + // If the subtests already cleaned up, there's nothing to do. + if _, err := s.Status(); err != nil { + return + } + + if err := s.Stop(); err != nil { + t.Errorf("cleanup: stop service: %v", err) + } + if err := s.Uninstall(); err != nil { + t.Errorf("cleanup: uninstall service: %v", err) + } + }) + + ctx := context.Background() + + t.Run("Install", func(t *testing.T) { + installCmd.SetContext(ctx) + err := installCmd.RunE(installCmd, []string{}) + require.NoError(t, err) + + cfg, err := newSVCConfig() + require.NoError(t, err) + + ctxSvc, cancel := context.WithCancel(context.Background()) + defer cancel() + + s, err := newSVC(newProgram(ctxSvc, cancel), cfg) + require.NoError(t, err) + + status, err := s.Status() + assert.NoError(t, err) + assert.NotEqual(t, service.StatusUnknown, status) + }) + + t.Run("Start", func(t *testing.T) { + startCmd.SetContext(ctx) + err := startCmd.RunE(startCmd, []string{}) + require.NoError(t, err) + + running, err := waitForServiceStatus(service.StatusRunning, serviceStartTimeout) + require.NoError(t, err) + assert.True(t, running) + }) + + t.Run("Restart", func(t *testing.T) { + restartCmd.SetContext(ctx) + err := restartCmd.RunE(restartCmd, []string{}) + require.NoError(t, err) + + running, err := waitForServiceStatus(service.StatusRunning, serviceStartTimeout) + require.NoError(t, err) + assert.True(t, running) + }) + + t.Run("Reconfigure", func(t *testing.T) { + originalLogLevel := logLevel + logLevel = "debug" + defer func() { + logLevel = originalLogLevel + }() + + reconfigureCmd.SetContext(ctx) + err := reconfigureCmd.RunE(reconfigureCmd, []string{}) + require.NoError(t, err) + + running, err := waitForServiceStatus(service.StatusRunning, serviceStartTimeout) + require.NoError(t, err) + assert.True(t, running) + }) + + t.Run("Stop", func(t *testing.T) { + stopCmd.SetContext(ctx) + err := stopCmd.RunE(stopCmd, []string{}) + require.NoError(t, err) + + stopped, err := waitForServiceStatus(service.StatusStopped, serviceStopTimeout) + require.NoError(t, err) + assert.True(t, stopped) + }) + + t.Run("Uninstall", func(t *testing.T) { + uninstallCmd.SetContext(ctx) + err := uninstallCmd.RunE(uninstallCmd, []string{}) + require.NoError(t, err) + + cfg, err := newSVCConfig() + require.NoError(t, err) + + ctxSvc, cancel := context.WithCancel(context.Background()) + defer cancel() + + s, err := newSVC(newProgram(ctxSvc, cancel), cfg) + require.NoError(t, err) + + _, err = s.Status() + assert.Error(t, err) + }) +} diff --git a/client/cmd/service_test.go b/client/cmd/service_test.go index ce6f71550..22eba206d 100644 --- a/client/cmd/service_test.go +++ b/client/cmd/service_test.go @@ -1,16 +1,12 @@ package cmd import ( - "context" - "fmt" "os" "os/signal" "runtime" "syscall" "testing" - "time" - "github.com/kardianos/service" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -31,186 +27,6 @@ func TestMain(m *testing.M) { os.Exit(m.Run()) } -const ( - serviceStartTimeout = 10 * time.Second - serviceStopTimeout = 5 * time.Second - statusPollInterval = 500 * time.Millisecond -) - -// waitForServiceStatus waits for service to reach expected status with timeout -func waitForServiceStatus(expectedStatus service.Status, timeout time.Duration) (bool, error) { - cfg, err := newSVCConfig() - if err != nil { - return false, err - } - - ctxSvc, cancel := context.WithCancel(context.Background()) - defer cancel() - - s, err := newSVC(newProgram(ctxSvc, cancel), cfg) - if err != nil { - return false, err - } - - ctx, timeoutCancel := context.WithTimeout(context.Background(), timeout) - defer timeoutCancel() - - ticker := time.NewTicker(statusPollInterval) - defer ticker.Stop() - - for { - select { - case <-ctx.Done(): - return false, fmt.Errorf("timeout waiting for service status %v", expectedStatus) - case <-ticker.C: - status, err := s.Status() - if err != nil { - // Continue polling on transient errors - continue - } - if status == expectedStatus { - return true, nil - } - } - } -} - -// TestServiceLifecycle tests the complete service lifecycle -func TestServiceLifecycle(t *testing.T) { - // TODO: Add support for Windows and macOS - if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" { - t.Skipf("Skipping service lifecycle test on unsupported OS: %s", runtime.GOOS) - } - - if os.Getenv("CONTAINER") == "true" { - t.Skip("Skipping service lifecycle test in container environment") - } - - originalServiceName := serviceName - serviceName = "netbirdtest" + fmt.Sprintf("%d", time.Now().Unix()) - defer func() { - serviceName = originalServiceName - }() - - tempDir := t.TempDir() - configPath = fmt.Sprintf("%s/netbird-test-config.json", tempDir) - logLevel = "info" - daemonAddr = fmt.Sprintf("unix://%s/netbird-test.sock", tempDir) - - // Ensure cleanup even if a subtest fails and Stop/Uninstall subtests don't run. - t.Cleanup(func() { - cfg, err := newSVCConfig() - if err != nil { - t.Errorf("cleanup: create service config: %v", err) - return - } - ctxSvc, cancel := context.WithCancel(context.Background()) - defer cancel() - s, err := newSVC(newProgram(ctxSvc, cancel), cfg) - if err != nil { - t.Errorf("cleanup: create service: %v", err) - return - } - - // If the subtests already cleaned up, there's nothing to do. - if _, err := s.Status(); err != nil { - return - } - - if err := s.Stop(); err != nil { - t.Errorf("cleanup: stop service: %v", err) - } - if err := s.Uninstall(); err != nil { - t.Errorf("cleanup: uninstall service: %v", err) - } - }) - - ctx := context.Background() - - t.Run("Install", func(t *testing.T) { - installCmd.SetContext(ctx) - err := installCmd.RunE(installCmd, []string{}) - require.NoError(t, err) - - cfg, err := newSVCConfig() - require.NoError(t, err) - - ctxSvc, cancel := context.WithCancel(context.Background()) - defer cancel() - - s, err := newSVC(newProgram(ctxSvc, cancel), cfg) - require.NoError(t, err) - - status, err := s.Status() - assert.NoError(t, err) - assert.NotEqual(t, service.StatusUnknown, status) - }) - - t.Run("Start", func(t *testing.T) { - startCmd.SetContext(ctx) - err := startCmd.RunE(startCmd, []string{}) - require.NoError(t, err) - - running, err := waitForServiceStatus(service.StatusRunning, serviceStartTimeout) - require.NoError(t, err) - assert.True(t, running) - }) - - t.Run("Restart", func(t *testing.T) { - restartCmd.SetContext(ctx) - err := restartCmd.RunE(restartCmd, []string{}) - require.NoError(t, err) - - running, err := waitForServiceStatus(service.StatusRunning, serviceStartTimeout) - require.NoError(t, err) - assert.True(t, running) - }) - - t.Run("Reconfigure", func(t *testing.T) { - originalLogLevel := logLevel - logLevel = "debug" - defer func() { - logLevel = originalLogLevel - }() - - reconfigureCmd.SetContext(ctx) - err := reconfigureCmd.RunE(reconfigureCmd, []string{}) - require.NoError(t, err) - - running, err := waitForServiceStatus(service.StatusRunning, serviceStartTimeout) - require.NoError(t, err) - assert.True(t, running) - }) - - t.Run("Stop", func(t *testing.T) { - stopCmd.SetContext(ctx) - err := stopCmd.RunE(stopCmd, []string{}) - require.NoError(t, err) - - stopped, err := waitForServiceStatus(service.StatusStopped, serviceStopTimeout) - require.NoError(t, err) - assert.True(t, stopped) - }) - - t.Run("Uninstall", func(t *testing.T) { - uninstallCmd.SetContext(ctx) - err := uninstallCmd.RunE(uninstallCmd, []string{}) - require.NoError(t, err) - - cfg, err := newSVCConfig() - require.NoError(t, err) - - ctxSvc, cancel := context.WithCancel(context.Background()) - defer cancel() - - s, err := newSVC(newProgram(ctxSvc, cancel), cfg) - require.NoError(t, err) - - _, err = s.Status() - assert.Error(t, err) - }) -} - // TestServiceEnvVars tests environment variable parsing func TestServiceEnvVars(t *testing.T) { tests := []struct { diff --git a/client/firewall/iptables/manager_linux_test.go b/client/firewall/iptables/manager_linux_test.go index cc4bda0e0..7b0989f6c 100644 --- a/client/firewall/iptables/manager_linux_test.go +++ b/client/firewall/iptables/manager_linux_test.go @@ -1,3 +1,5 @@ +//go:build privileged + package iptables import ( diff --git a/client/firewall/iptables/router_linux_test.go b/client/firewall/iptables/router_linux_test.go index 6707573be..9ca6b9f7e 100644 --- a/client/firewall/iptables/router_linux_test.go +++ b/client/firewall/iptables/router_linux_test.go @@ -1,4 +1,4 @@ -//go:build !android +//go:build !android && privileged package iptables diff --git a/client/firewall/nftables/manager_linux_test.go b/client/firewall/nftables/manager_linux_test.go index be4f65881..4eb466281 100644 --- a/client/firewall/nftables/manager_linux_test.go +++ b/client/firewall/nftables/manager_linux_test.go @@ -1,3 +1,5 @@ +//go:build privileged + package nftables import ( diff --git a/client/firewall/nftables/router_linux_test.go b/client/firewall/nftables/router_linux_test.go index c5d6729d9..2fc664d51 100644 --- a/client/firewall/nftables/router_linux_test.go +++ b/client/firewall/nftables/router_linux_test.go @@ -1,4 +1,4 @@ -//go:build !android +//go:build !android && privileged package nftables diff --git a/client/iface/iface_test.go b/client/iface/iface_test.go index dbeb69bc6..8ff2bbb54 100644 --- a/client/iface/iface_test.go +++ b/client/iface/iface_test.go @@ -1,3 +1,5 @@ +//go:build privileged + package iface import ( diff --git a/client/iface/wgproxy/proxy_linux_test.go b/client/iface/wgproxy/proxy_linux_test.go index dd24d1cdc..148e62dd7 100644 --- a/client/iface/wgproxy/proxy_linux_test.go +++ b/client/iface/wgproxy/proxy_linux_test.go @@ -1,4 +1,4 @@ -//go:build linux && !android +//go:build linux && !android && privileged package wgproxy diff --git a/client/iface/wgproxy/proxy_seed_test.go b/client/iface/wgproxy/proxy_seed_test.go index ad375ccde..19c3d1a96 100644 --- a/client/iface/wgproxy/proxy_seed_test.go +++ b/client/iface/wgproxy/proxy_seed_test.go @@ -1,4 +1,4 @@ -//go:build !linux +//go:build !linux || !privileged package wgproxy diff --git a/client/iface/wgproxy/redirect_test.go b/client/iface/wgproxy/redirect_test.go index b52eead25..135970838 100644 --- a/client/iface/wgproxy/redirect_test.go +++ b/client/iface/wgproxy/redirect_test.go @@ -1,4 +1,4 @@ -//go:build linux && !android +//go:build linux && !android && privileged package wgproxy @@ -26,64 +26,6 @@ func compareUDPAddr(addr1, addr2 net.Addr) bool { return udpAddr1.IP.Equal(udpAddr2.IP) && udpAddr1.Port == udpAddr2.Port } -// TestRedirectAs_eBPF_IPv4 tests RedirectAs with eBPF proxy using IPv4 addresses -func TestRedirectAs_eBPF_IPv4(t *testing.T) { - wgPort := 51850 - ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, 1280) - if err := ebpfProxy.Listen(); err != nil { - t.Fatalf("failed to initialize ebpf proxy: %v", err) - } - defer func() { - if err := ebpfProxy.Free(); err != nil { - t.Errorf("failed to free ebpf proxy: %v", err) - } - }() - - proxy := ebpf.NewProxyWrapper(ebpfProxy) - - // NetBird UDP address of the remote peer - nbAddr := &net.UDPAddr{ - IP: net.ParseIP("100.108.111.177"), - Port: 38746, - } - - p2pEndpoint := &net.UDPAddr{ - IP: net.ParseIP("192.168.0.56"), - Port: 51820, - } - - testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint) -} - -// TestRedirectAs_eBPF_IPv6 tests RedirectAs with eBPF proxy using IPv6 addresses -func TestRedirectAs_eBPF_IPv6(t *testing.T) { - wgPort := 51851 - ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, 1280) - if err := ebpfProxy.Listen(); err != nil { - t.Fatalf("failed to initialize ebpf proxy: %v", err) - } - defer func() { - if err := ebpfProxy.Free(); err != nil { - t.Errorf("failed to free ebpf proxy: %v", err) - } - }() - - proxy := ebpf.NewProxyWrapper(ebpfProxy) - - // NetBird UDP address of the remote peer - nbAddr := &net.UDPAddr{ - IP: net.ParseIP("100.108.111.177"), - Port: 38746, - } - - p2pEndpoint := &net.UDPAddr{ - IP: net.ParseIP("fe80::56"), - Port: 51820, - } - - testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint) -} - // TestRedirectAs_UDP_IPv4 tests RedirectAs with UDP proxy using IPv4 addresses func TestRedirectAs_UDP_IPv4(t *testing.T) { wgPort := 51852 @@ -256,6 +198,64 @@ func testRedirectAs(t *testing.T, proxy Proxy, wgPort int, nbAddr, p2pEndpoint * } } +// TestRedirectAs_eBPF_IPv4 tests RedirectAs with eBPF proxy using IPv4 addresses +func TestRedirectAs_eBPF_IPv4(t *testing.T) { + wgPort := 51850 + ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, 1280) + if err := ebpfProxy.Listen(); err != nil { + t.Fatalf("failed to initialize ebpf proxy: %v", err) + } + defer func() { + if err := ebpfProxy.Free(); err != nil { + t.Errorf("failed to free ebpf proxy: %v", err) + } + }() + + proxy := ebpf.NewProxyWrapper(ebpfProxy) + + // NetBird UDP address of the remote peer + nbAddr := &net.UDPAddr{ + IP: net.ParseIP("100.108.111.177"), + Port: 38746, + } + + p2pEndpoint := &net.UDPAddr{ + IP: net.ParseIP("192.168.0.56"), + Port: 51820, + } + + testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint) +} + +// TestRedirectAs_eBPF_IPv6 tests RedirectAs with eBPF proxy using IPv6 addresses +func TestRedirectAs_eBPF_IPv6(t *testing.T) { + wgPort := 51851 + ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, 1280) + if err := ebpfProxy.Listen(); err != nil { + t.Fatalf("failed to initialize ebpf proxy: %v", err) + } + defer func() { + if err := ebpfProxy.Free(); err != nil { + t.Errorf("failed to free ebpf proxy: %v", err) + } + }() + + proxy := ebpf.NewProxyWrapper(ebpfProxy) + + // NetBird UDP address of the remote peer + nbAddr := &net.UDPAddr{ + IP: net.ParseIP("100.108.111.177"), + Port: 38746, + } + + p2pEndpoint := &net.UDPAddr{ + IP: net.ParseIP("fe80::56"), + Port: 51820, + } + + testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint) +} + // TestRedirectAs_Multiple_Switches tests switching between multiple endpoints func TestRedirectAs_Multiple_Switches(t *testing.T) { wgPort := 51856 diff --git a/client/internal/dns/server_privileged_test.go b/client/internal/dns/server_privileged_test.go new file mode 100644 index 000000000..81f9b76cb --- /dev/null +++ b/client/internal/dns/server_privileged_test.go @@ -0,0 +1,487 @@ +//go:build privileged + +package dns + +import ( + "context" + "fmt" + "net/netip" + "os" + "testing" + + "github.com/golang/mock/gomock" + "github.com/miekg/dns" + "github.com/stretchr/testify/assert" + "golang.zx2c4.com/wireguard/wgctrl/wgtypes" + + "github.com/netbirdio/netbird/client/iface" + pfmock "github.com/netbirdio/netbird/client/iface/mocks" + "github.com/netbirdio/netbird/client/iface/wgaddr" + "github.com/netbirdio/netbird/client/internal/dns/local" + "github.com/netbirdio/netbird/client/internal/dns/test" + "github.com/netbirdio/netbird/client/internal/peer" + "github.com/netbirdio/netbird/client/internal/stdnet" + nbdns "github.com/netbirdio/netbird/dns" +) + +func TestUpdateDNSServer(t *testing.T) { + + nameServers := []nbdns.NameServer{ + { + IP: netip.MustParseAddr("8.8.8.8"), + NSType: nbdns.UDPNameServerType, + Port: 53, + }, + { + IP: netip.MustParseAddr("8.8.4.4"), + NSType: nbdns.UDPNameServerType, + Port: 53, + }, + } + + dummyHandler := local.NewResolver() + + testCases := []struct { + name string + initUpstreamMap registeredHandlerMap + initLocalZones []nbdns.CustomZone + initSerial uint64 + inputSerial uint64 + inputUpdate nbdns.Config + shouldFail bool + expectedUpstreamMap registeredHandlerMap + expectedLocalQs []dns.Question + }{ + { + name: "Initial Config Should Succeed", + initUpstreamMap: make(registeredHandlerMap), + initSerial: 0, + inputSerial: 1, + inputUpdate: nbdns.Config{ + ServiceEnable: true, + CustomZones: []nbdns.CustomZone{ + { + Domain: "netbird.cloud", + Records: zoneRecords, + }, + }, + NameServerGroups: []*nbdns.NameServerGroup{ + { + Domains: []string{"netbird.io"}, + NameServers: nameServers, + }, + { + NameServers: nameServers, + Primary: true, + }, + }, + }, + expectedUpstreamMap: registeredHandlerMap{ + generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{ + domain: "netbird.io", + handler: dummyHandler, + priority: PriorityUpstream, + }, + dummyHandler.ID(): handlerWrapper{ + domain: "netbird.cloud", + handler: dummyHandler, + priority: PriorityLocal, + }, + generateDummyHandler(".", nameServers).ID(): handlerWrapper{ + domain: nbdns.RootZone, + handler: dummyHandler, + priority: PriorityDefault, + }, + }, + expectedLocalQs: []dns.Question{{Name: "peera.netbird.cloud.", Qtype: dns.TypeA, Qclass: dns.ClassINET}}, + }, + { + name: "New Config Should Succeed", + initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: 1, Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}}, + initUpstreamMap: registeredHandlerMap{ + generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{ + domain: "netbird.cloud", + handler: dummyHandler, + priority: PriorityUpstream, + }, + }, + initSerial: 0, + inputSerial: 1, + inputUpdate: nbdns.Config{ + ServiceEnable: true, + CustomZones: []nbdns.CustomZone{ + { + Domain: "netbird.cloud", + Records: zoneRecords, + }, + }, + NameServerGroups: []*nbdns.NameServerGroup{ + { + Domains: []string{"netbird.io"}, + NameServers: nameServers, + }, + }, + }, + expectedUpstreamMap: registeredHandlerMap{ + generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{ + domain: "netbird.io", + handler: dummyHandler, + priority: PriorityUpstream, + }, + "local-resolver": handlerWrapper{ + domain: "netbird.cloud", + handler: dummyHandler, + priority: PriorityLocal, + }, + }, + expectedLocalQs: []dns.Question{{Name: zoneRecords[0].Name, Qtype: 1, Qclass: 1}}, + }, + { + name: "Smaller Config Serial Should Be Skipped", + initLocalZones: []nbdns.CustomZone{}, + initUpstreamMap: make(registeredHandlerMap), + initSerial: 2, + inputSerial: 1, + shouldFail: true, + }, + { + name: "Empty NS Group Domain Or Not Primary Element Should Fail", + initLocalZones: []nbdns.CustomZone{}, + initUpstreamMap: make(registeredHandlerMap), + initSerial: 0, + inputSerial: 1, + inputUpdate: nbdns.Config{ + ServiceEnable: true, + CustomZones: []nbdns.CustomZone{ + { + Domain: "netbird.cloud", + Records: zoneRecords, + }, + }, + NameServerGroups: []*nbdns.NameServerGroup{ + { + NameServers: nameServers, + }, + }, + }, + shouldFail: true, + }, + { + name: "Invalid NS Group Nameservers list Should Fail", + initLocalZones: []nbdns.CustomZone{}, + initUpstreamMap: make(registeredHandlerMap), + initSerial: 0, + inputSerial: 1, + inputUpdate: nbdns.Config{ + ServiceEnable: true, + CustomZones: []nbdns.CustomZone{ + { + Domain: "netbird.cloud", + Records: zoneRecords, + }, + }, + NameServerGroups: []*nbdns.NameServerGroup{ + { + NameServers: nameServers, + }, + }, + }, + shouldFail: true, + }, + { + name: "Invalid Custom Zone Records list Should Skip", + initLocalZones: []nbdns.CustomZone{}, + initUpstreamMap: make(registeredHandlerMap), + initSerial: 0, + inputSerial: 1, + inputUpdate: nbdns.Config{ + ServiceEnable: true, + CustomZones: []nbdns.CustomZone{ + { + Domain: "netbird.cloud", + }, + }, + NameServerGroups: []*nbdns.NameServerGroup{ + { + NameServers: nameServers, + Primary: true, + }, + }, + }, + expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).ID(): handlerWrapper{ + domain: ".", + handler: dummyHandler, + priority: PriorityDefault, + }}, + }, + { + name: "Empty Config Should Succeed and Clean Maps", + initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}}, + initUpstreamMap: registeredHandlerMap{ + generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{ + domain: zoneRecords[0].Name, + handler: dummyHandler, + priority: PriorityUpstream, + }, + }, + initSerial: 0, + inputSerial: 1, + inputUpdate: nbdns.Config{ServiceEnable: true}, + expectedUpstreamMap: make(registeredHandlerMap), + expectedLocalQs: []dns.Question{}, + }, + { + name: "Disabled Service Should clean map", + initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}}, + initUpstreamMap: registeredHandlerMap{ + generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{ + domain: zoneRecords[0].Name, + handler: dummyHandler, + priority: PriorityUpstream, + }, + }, + initSerial: 0, + inputSerial: 1, + inputUpdate: nbdns.Config{ServiceEnable: false}, + expectedUpstreamMap: make(registeredHandlerMap), + expectedLocalQs: []dns.Question{}, + }, + } + + for n, testCase := range testCases { + t.Run(testCase.name, func(t *testing.T) { + privKey, _ := wgtypes.GenerateKey() + newNet, err := stdnet.NewNet(context.Background(), nil) + if err != nil { + t.Fatal(err) + } + + opts := iface.WGIFaceOpts{ + IFaceName: fmt.Sprintf("utun230%d", n), + Address: wgaddr.MustParseWGAddress(fmt.Sprintf("100.66.100.%d/32", n+1)), + WGPort: 33100, + WGPrivKey: privKey.String(), + MTU: iface.DefaultMTU, + TransportNet: newNet, + } + + wgIface, err := iface.NewWGIFace(opts) + if err != nil { + t.Fatal(err) + } + err = wgIface.Create() + if err != nil { + t.Fatal(err) + } + defer func() { + err = wgIface.Close() + if err != nil { + t.Log(err) + } + }() + dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{ + WgInterface: wgIface, + CustomAddress: "", + StatusRecorder: peer.NewRecorder("mgm"), + StateManager: nil, + DisableSys: false, + }) + if err != nil { + t.Fatal(err) + } + err = dnsServer.Initialize() + if err != nil { + t.Fatal(err) + } + defer func() { + err = dnsServer.hostManager.restoreHostDNS() + if err != nil { + t.Log(err) + } + }() + + dnsServer.dnsMuxMap = testCase.initUpstreamMap + dnsServer.localResolver.Update(testCase.initLocalZones) + dnsServer.updateSerial = testCase.initSerial + + err = dnsServer.UpdateDNSServer(testCase.inputSerial, testCase.inputUpdate) + if err != nil { + if testCase.shouldFail { + return + } + t.Fatalf("update dns server should not fail, got error: %v", err) + } + + if len(dnsServer.dnsMuxMap) != len(testCase.expectedUpstreamMap) { + t.Fatalf("update upstream failed, map size is different than expected, want %d, got %d", len(testCase.expectedUpstreamMap), len(dnsServer.dnsMuxMap)) + } + + for key := range testCase.expectedUpstreamMap { + _, found := dnsServer.dnsMuxMap[key] + if !found { + t.Fatalf("update upstream failed, key %s was not found in the dnsMuxMap: %#v", key, dnsServer.dnsMuxMap) + } + } + + var responseMSG *dns.Msg + responseWriter := &test.MockResponseWriter{ + WriteMsgFunc: func(m *dns.Msg) error { + responseMSG = m + return nil + }, + } + for _, q := range testCase.expectedLocalQs { + dnsServer.localResolver.ServeDNS(responseWriter, &dns.Msg{ + Question: []dns.Question{q}, + }) + } + + if len(testCase.expectedLocalQs) > 0 { + assert.NotNil(t, responseMSG, "response message should not be nil") + assert.Equal(t, dns.RcodeSuccess, responseMSG.Rcode, "response code should be success") + assert.NotEmpty(t, responseMSG.Answer, "response message should have answers") + } + }) + } +} + +func TestDNSFakeResolverHandleUpdates(t *testing.T) { + ov := os.Getenv("NB_WG_KERNEL_DISABLED") + defer t.Setenv("NB_WG_KERNEL_DISABLED", ov) + + t.Setenv("NB_WG_KERNEL_DISABLED", "true") + newNet, err := stdnet.NewNet(context.Background(), []string{"utun2301"}) + if err != nil { + t.Errorf("create stdnet: %v", err) + return + } + + privKey, _ := wgtypes.GeneratePrivateKey() + opts := iface.WGIFaceOpts{ + IFaceName: "utun2301", + Address: wgaddr.MustParseWGAddress("100.66.100.1/32"), + WGPort: 33100, + WGPrivKey: privKey.String(), + MTU: iface.DefaultMTU, + TransportNet: newNet, + } + wgIface, err := iface.NewWGIFace(opts) + if err != nil { + t.Errorf("build interface wireguard: %v", err) + return + } + + err = wgIface.Create() + if err != nil { + t.Errorf("create and init wireguard interface: %v", err) + return + } + defer func() { + if err = wgIface.Close(); err != nil { + t.Logf("close wireguard interface: %v", err) + } + }() + + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + packetfilter := pfmock.NewMockPacketFilter(ctrl) + packetfilter.EXPECT().FilterOutbound(gomock.Any(), gomock.Any()).AnyTimes() + packetfilter.EXPECT().SetUDPPacketHook(gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes() + packetfilter.EXPECT().SetTCPPacketHook(gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes() + + if err := wgIface.SetFilter(packetfilter); err != nil { + t.Errorf("set packet filter: %v", err) + return + } + + dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{ + WgInterface: wgIface, + CustomAddress: "", + StatusRecorder: peer.NewRecorder("mgm"), + StateManager: nil, + DisableSys: false, + }) + if err != nil { + t.Errorf("create DNS server: %v", err) + return + } + + err = dnsServer.Initialize() + if err != nil { + t.Errorf("run DNS server: %v", err) + return + } + defer func() { + if err = dnsServer.hostManager.restoreHostDNS(); err != nil { + t.Logf("restore DNS settings on the host: %v", err) + return + } + }() + + dnsServer.dnsMuxMap = registeredHandlerMap{ + "id1": handlerWrapper{ + domain: zoneRecords[0].Name, + handler: &local.Resolver{}, + priority: PriorityUpstream, + }, + } + dnsServer.localResolver.Update([]nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}}) + dnsServer.updateSerial = 0 + + nameServers := []nbdns.NameServer{ + { + IP: netip.MustParseAddr("8.8.8.8"), + NSType: nbdns.UDPNameServerType, + Port: 53, + }, + { + IP: netip.MustParseAddr("8.8.4.4"), + NSType: nbdns.UDPNameServerType, + Port: 53, + }, + } + + update := nbdns.Config{ + ServiceEnable: true, + CustomZones: []nbdns.CustomZone{ + { + Domain: "netbird.cloud", + Records: zoneRecords, + }, + }, + NameServerGroups: []*nbdns.NameServerGroup{ + { + Domains: []string{"netbird.io"}, + NameServers: nameServers, + }, + { + NameServers: nameServers, + Primary: true, + }, + }, + } + + // Start the server with regular configuration + if err := dnsServer.UpdateDNSServer(1, update); err != nil { + t.Fatalf("update dns server should not fail, got error: %v", err) + return + } + + update2 := update + update2.ServiceEnable = false + // Disable the server, stop the listener + if err := dnsServer.UpdateDNSServer(2, update2); err != nil { + t.Fatalf("update dns server should not fail, got error: %v", err) + return + } + + update3 := update2 + update3.NameServerGroups = update3.NameServerGroups[:1] + // But service still get updates and we checking that we handle + // internal state in the right way + if err := dnsServer.UpdateDNSServer(3, update3); err != nil { + t.Fatalf("update dns server should not fail, got error: %v", err) + return + } +} diff --git a/client/internal/dns/server_test.go b/client/internal/dns/server_test.go index 722c2abd7..7d050fa67 100644 --- a/client/internal/dns/server_test.go +++ b/client/internal/dns/server_test.go @@ -10,7 +10,6 @@ import ( "testing" "time" - "github.com/golang/mock/gomock" "github.com/miekg/dns" log "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" @@ -23,7 +22,6 @@ import ( "github.com/netbirdio/netbird/client/iface" "github.com/netbirdio/netbird/client/iface/configurer" "github.com/netbirdio/netbird/client/iface/device" - pfmock "github.com/netbirdio/netbird/client/iface/mocks" "github.com/netbirdio/netbird/client/iface/wgaddr" "github.com/netbirdio/netbird/client/internal/dns/local" "github.com/netbirdio/netbird/client/internal/dns/test" @@ -117,468 +115,6 @@ func generateDummyHandler(d string, servers []nbdns.NameServer) *upstreamResolve return u } -func TestUpdateDNSServer(t *testing.T) { - - nameServers := []nbdns.NameServer{ - { - IP: netip.MustParseAddr("8.8.8.8"), - NSType: nbdns.UDPNameServerType, - Port: 53, - }, - { - IP: netip.MustParseAddr("8.8.4.4"), - NSType: nbdns.UDPNameServerType, - Port: 53, - }, - } - - dummyHandler := local.NewResolver() - - testCases := []struct { - name string - initUpstreamMap registeredHandlerMap - initLocalZones []nbdns.CustomZone - initSerial uint64 - inputSerial uint64 - inputUpdate nbdns.Config - shouldFail bool - expectedUpstreamMap registeredHandlerMap - expectedLocalQs []dns.Question - }{ - { - name: "Initial Config Should Succeed", - initUpstreamMap: make(registeredHandlerMap), - initSerial: 0, - inputSerial: 1, - inputUpdate: nbdns.Config{ - ServiceEnable: true, - CustomZones: []nbdns.CustomZone{ - { - Domain: "netbird.cloud", - Records: zoneRecords, - }, - }, - NameServerGroups: []*nbdns.NameServerGroup{ - { - Domains: []string{"netbird.io"}, - NameServers: nameServers, - }, - { - NameServers: nameServers, - Primary: true, - }, - }, - }, - expectedUpstreamMap: registeredHandlerMap{ - generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{ - domain: "netbird.io", - handler: dummyHandler, - priority: PriorityUpstream, - }, - dummyHandler.ID(): handlerWrapper{ - domain: "netbird.cloud", - handler: dummyHandler, - priority: PriorityLocal, - }, - generateDummyHandler(".", nameServers).ID(): handlerWrapper{ - domain: nbdns.RootZone, - handler: dummyHandler, - priority: PriorityDefault, - }, - }, - expectedLocalQs: []dns.Question{{Name: "peera.netbird.cloud.", Qtype: dns.TypeA, Qclass: dns.ClassINET}}, - }, - { - name: "New Config Should Succeed", - initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: 1, Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}}, - initUpstreamMap: registeredHandlerMap{ - generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{ - domain: "netbird.cloud", - handler: dummyHandler, - priority: PriorityUpstream, - }, - }, - initSerial: 0, - inputSerial: 1, - inputUpdate: nbdns.Config{ - ServiceEnable: true, - CustomZones: []nbdns.CustomZone{ - { - Domain: "netbird.cloud", - Records: zoneRecords, - }, - }, - NameServerGroups: []*nbdns.NameServerGroup{ - { - Domains: []string{"netbird.io"}, - NameServers: nameServers, - }, - }, - }, - expectedUpstreamMap: registeredHandlerMap{ - generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{ - domain: "netbird.io", - handler: dummyHandler, - priority: PriorityUpstream, - }, - "local-resolver": handlerWrapper{ - domain: "netbird.cloud", - handler: dummyHandler, - priority: PriorityLocal, - }, - }, - expectedLocalQs: []dns.Question{{Name: zoneRecords[0].Name, Qtype: 1, Qclass: 1}}, - }, - { - name: "Smaller Config Serial Should Be Skipped", - initLocalZones: []nbdns.CustomZone{}, - initUpstreamMap: make(registeredHandlerMap), - initSerial: 2, - inputSerial: 1, - shouldFail: true, - }, - { - name: "Empty NS Group Domain Or Not Primary Element Should Fail", - initLocalZones: []nbdns.CustomZone{}, - initUpstreamMap: make(registeredHandlerMap), - initSerial: 0, - inputSerial: 1, - inputUpdate: nbdns.Config{ - ServiceEnable: true, - CustomZones: []nbdns.CustomZone{ - { - Domain: "netbird.cloud", - Records: zoneRecords, - }, - }, - NameServerGroups: []*nbdns.NameServerGroup{ - { - NameServers: nameServers, - }, - }, - }, - shouldFail: true, - }, - { - name: "Invalid NS Group Nameservers list Should Fail", - initLocalZones: []nbdns.CustomZone{}, - initUpstreamMap: make(registeredHandlerMap), - initSerial: 0, - inputSerial: 1, - inputUpdate: nbdns.Config{ - ServiceEnable: true, - CustomZones: []nbdns.CustomZone{ - { - Domain: "netbird.cloud", - Records: zoneRecords, - }, - }, - NameServerGroups: []*nbdns.NameServerGroup{ - { - NameServers: nameServers, - }, - }, - }, - shouldFail: true, - }, - { - name: "Invalid Custom Zone Records list Should Skip", - initLocalZones: []nbdns.CustomZone{}, - initUpstreamMap: make(registeredHandlerMap), - initSerial: 0, - inputSerial: 1, - inputUpdate: nbdns.Config{ - ServiceEnable: true, - CustomZones: []nbdns.CustomZone{ - { - Domain: "netbird.cloud", - }, - }, - NameServerGroups: []*nbdns.NameServerGroup{ - { - NameServers: nameServers, - Primary: true, - }, - }, - }, - expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).ID(): handlerWrapper{ - domain: ".", - handler: dummyHandler, - priority: PriorityDefault, - }}, - }, - { - name: "Empty Config Should Succeed and Clean Maps", - initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}}, - initUpstreamMap: registeredHandlerMap{ - generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{ - domain: zoneRecords[0].Name, - handler: dummyHandler, - priority: PriorityUpstream, - }, - }, - initSerial: 0, - inputSerial: 1, - inputUpdate: nbdns.Config{ServiceEnable: true}, - expectedUpstreamMap: make(registeredHandlerMap), - expectedLocalQs: []dns.Question{}, - }, - { - name: "Disabled Service Should clean map", - initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}}, - initUpstreamMap: registeredHandlerMap{ - generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{ - domain: zoneRecords[0].Name, - handler: dummyHandler, - priority: PriorityUpstream, - }, - }, - initSerial: 0, - inputSerial: 1, - inputUpdate: nbdns.Config{ServiceEnable: false}, - expectedUpstreamMap: make(registeredHandlerMap), - expectedLocalQs: []dns.Question{}, - }, - } - - for n, testCase := range testCases { - t.Run(testCase.name, func(t *testing.T) { - privKey, _ := wgtypes.GenerateKey() - newNet, err := stdnet.NewNet(context.Background(), nil) - if err != nil { - t.Fatal(err) - } - - opts := iface.WGIFaceOpts{ - IFaceName: fmt.Sprintf("utun230%d", n), - Address: wgaddr.MustParseWGAddress(fmt.Sprintf("100.66.100.%d/32", n+1)), - WGPort: 33100, - WGPrivKey: privKey.String(), - MTU: iface.DefaultMTU, - TransportNet: newNet, - } - - wgIface, err := iface.NewWGIFace(opts) - if err != nil { - t.Fatal(err) - } - err = wgIface.Create() - if err != nil { - t.Fatal(err) - } - defer func() { - err = wgIface.Close() - if err != nil { - t.Log(err) - } - }() - dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{ - WgInterface: wgIface, - CustomAddress: "", - StatusRecorder: peer.NewRecorder("mgm"), - StateManager: nil, - DisableSys: false, - }) - if err != nil { - t.Fatal(err) - } - err = dnsServer.Initialize() - if err != nil { - t.Fatal(err) - } - defer func() { - err = dnsServer.hostManager.restoreHostDNS() - if err != nil { - t.Log(err) - } - }() - - dnsServer.dnsMuxMap = testCase.initUpstreamMap - dnsServer.localResolver.Update(testCase.initLocalZones) - dnsServer.updateSerial = testCase.initSerial - - err = dnsServer.UpdateDNSServer(testCase.inputSerial, testCase.inputUpdate) - if err != nil { - if testCase.shouldFail { - return - } - t.Fatalf("update dns server should not fail, got error: %v", err) - } - - if len(dnsServer.dnsMuxMap) != len(testCase.expectedUpstreamMap) { - t.Fatalf("update upstream failed, map size is different than expected, want %d, got %d", len(testCase.expectedUpstreamMap), len(dnsServer.dnsMuxMap)) - } - - for key := range testCase.expectedUpstreamMap { - _, found := dnsServer.dnsMuxMap[key] - if !found { - t.Fatalf("update upstream failed, key %s was not found in the dnsMuxMap: %#v", key, dnsServer.dnsMuxMap) - } - } - - var responseMSG *dns.Msg - responseWriter := &test.MockResponseWriter{ - WriteMsgFunc: func(m *dns.Msg) error { - responseMSG = m - return nil - }, - } - for _, q := range testCase.expectedLocalQs { - dnsServer.localResolver.ServeDNS(responseWriter, &dns.Msg{ - Question: []dns.Question{q}, - }) - } - - if len(testCase.expectedLocalQs) > 0 { - assert.NotNil(t, responseMSG, "response message should not be nil") - assert.Equal(t, dns.RcodeSuccess, responseMSG.Rcode, "response code should be success") - assert.NotEmpty(t, responseMSG.Answer, "response message should have answers") - } - }) - } -} - -func TestDNSFakeResolverHandleUpdates(t *testing.T) { - ov := os.Getenv("NB_WG_KERNEL_DISABLED") - defer t.Setenv("NB_WG_KERNEL_DISABLED", ov) - - t.Setenv("NB_WG_KERNEL_DISABLED", "true") - newNet, err := stdnet.NewNet(context.Background(), []string{"utun2301"}) - if err != nil { - t.Errorf("create stdnet: %v", err) - return - } - - privKey, _ := wgtypes.GeneratePrivateKey() - opts := iface.WGIFaceOpts{ - IFaceName: "utun2301", - Address: wgaddr.MustParseWGAddress("100.66.100.1/32"), - WGPort: 33100, - WGPrivKey: privKey.String(), - MTU: iface.DefaultMTU, - TransportNet: newNet, - } - wgIface, err := iface.NewWGIFace(opts) - if err != nil { - t.Errorf("build interface wireguard: %v", err) - return - } - - err = wgIface.Create() - if err != nil { - t.Errorf("create and init wireguard interface: %v", err) - return - } - defer func() { - if err = wgIface.Close(); err != nil { - t.Logf("close wireguard interface: %v", err) - } - }() - - ctrl := gomock.NewController(t) - defer ctrl.Finish() - - packetfilter := pfmock.NewMockPacketFilter(ctrl) - packetfilter.EXPECT().FilterOutbound(gomock.Any(), gomock.Any()).AnyTimes() - packetfilter.EXPECT().SetUDPPacketHook(gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes() - packetfilter.EXPECT().SetTCPPacketHook(gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes() - - if err := wgIface.SetFilter(packetfilter); err != nil { - t.Errorf("set packet filter: %v", err) - return - } - - dnsServer, err := NewDefaultServer(context.Background(), DefaultServerConfig{ - WgInterface: wgIface, - CustomAddress: "", - StatusRecorder: peer.NewRecorder("mgm"), - StateManager: nil, - DisableSys: false, - }) - if err != nil { - t.Errorf("create DNS server: %v", err) - return - } - - err = dnsServer.Initialize() - if err != nil { - t.Errorf("run DNS server: %v", err) - return - } - defer func() { - if err = dnsServer.hostManager.restoreHostDNS(); err != nil { - t.Logf("restore DNS settings on the host: %v", err) - return - } - }() - - dnsServer.dnsMuxMap = registeredHandlerMap{ - "id1": handlerWrapper{ - domain: zoneRecords[0].Name, - handler: &local.Resolver{}, - priority: PriorityUpstream, - }, - } - dnsServer.localResolver.Update([]nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}}) - dnsServer.updateSerial = 0 - - nameServers := []nbdns.NameServer{ - { - IP: netip.MustParseAddr("8.8.8.8"), - NSType: nbdns.UDPNameServerType, - Port: 53, - }, - { - IP: netip.MustParseAddr("8.8.4.4"), - NSType: nbdns.UDPNameServerType, - Port: 53, - }, - } - - update := nbdns.Config{ - ServiceEnable: true, - CustomZones: []nbdns.CustomZone{ - { - Domain: "netbird.cloud", - Records: zoneRecords, - }, - }, - NameServerGroups: []*nbdns.NameServerGroup{ - { - Domains: []string{"netbird.io"}, - NameServers: nameServers, - }, - { - NameServers: nameServers, - Primary: true, - }, - }, - } - - // Start the server with regular configuration - if err := dnsServer.UpdateDNSServer(1, update); err != nil { - t.Fatalf("update dns server should not fail, got error: %v", err) - return - } - - update2 := update - update2.ServiceEnable = false - // Disable the server, stop the listener - if err := dnsServer.UpdateDNSServer(2, update2); err != nil { - t.Fatalf("update dns server should not fail, got error: %v", err) - return - } - - update3 := update2 - update3.NameServerGroups = update3.NameServerGroups[:1] - // But service still get updates and we checking that we handle - // internal state in the right way - if err := dnsServer.UpdateDNSServer(3, update3); err != nil { - t.Fatalf("update dns server should not fail, got error: %v", err) - return - } -} - func TestDNSServerStartStop(t *testing.T) { testCases := []struct { name string diff --git a/client/internal/engine_privileged_test.go b/client/internal/engine_privileged_test.go new file mode 100644 index 000000000..1773ed721 --- /dev/null +++ b/client/internal/engine_privileged_test.go @@ -0,0 +1,343 @@ +//go:build privileged + +package internal + +import ( + "context" + "fmt" + "strings" + "sync" + "testing" + "time" + + "github.com/google/uuid" + log "github.com/sirupsen/logrus" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "golang.zx2c4.com/wireguard/wgctrl/wgtypes" + + "github.com/netbirdio/netbird/client/iface" + "github.com/netbirdio/netbird/client/iface/device" + "github.com/netbirdio/netbird/client/iface/wgaddr" + "github.com/netbirdio/netbird/client/internal/dns" + "github.com/netbirdio/netbird/client/internal/peer" + nbssh "github.com/netbirdio/netbird/client/ssh" + "github.com/netbirdio/netbird/client/system" + nbdns "github.com/netbirdio/netbird/dns" + mgmt "github.com/netbirdio/netbird/shared/management/client" + mgmtProto "github.com/netbirdio/netbird/shared/management/proto" + relayClient "github.com/netbirdio/netbird/shared/relay/client" + signal "github.com/netbirdio/netbird/shared/signal/client" +) + +func TestEngine_SSH(t *testing.T) { + key, err := wgtypes.GeneratePrivateKey() + if err != nil { + t.Fatal(err) + return + } + + sshKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519) + if err != nil { + t.Fatal(err) + return + } + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU) + engine := NewEngine( + ctx, cancel, + &EngineConfig{ + WgIfaceName: "utun101", + WgAddr: wgaddr.MustParseWGAddress("100.64.0.1/24"), + WgPrivateKey: key, + WgPort: 33100, + ServerSSHAllowed: true, + MTU: iface.DefaultMTU, + SSHKey: sshKey, + }, + EngineServices{ + SignalClient: &signal.MockClient{}, + MgmClient: &mgmt.MockClient{}, + RelayManager: relayMgr, + StatusRecorder: peer.NewRecorder("https://mgm"), + }, + MobileDependency{}, + ) + + engine.dnsServer = &dns.MockServer{ + UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil }, + } + + err = engine.Start(nil, nil) + require.NoError(t, err) + + defer func() { + err := engine.Stop() + if err != nil { + return + } + }() + + peerWithSSH := &mgmtProto.RemotePeerConfig{ + WgPubKey: "MNHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=", + AllowedIps: []string{"100.64.0.21/24"}, + SshConfig: &mgmtProto.SSHConfig{ + SshPubKey: []byte("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFATYCqaQw/9id1Qkq3n16JYhDhXraI6Pc1fgB8ynEfQ"), + }, + } + + // SSH server is not enabled so SSH config of a remote peer should be ignored + networkMap := &mgmtProto.NetworkMap{ + Serial: 6, + PeerConfig: nil, + RemotePeers: []*mgmtProto.RemotePeerConfig{peerWithSSH}, + RemotePeersIsEmpty: false, + } + + err = engine.updateNetworkMap(networkMap) + require.NoError(t, err) + + assert.Nil(t, engine.sshServer) + + // SSH server is enabled, therefore SSH config should be applied + networkMap = &mgmtProto.NetworkMap{ + Serial: 7, + PeerConfig: &mgmtProto.PeerConfig{Address: "100.64.0.1/24", + SshConfig: &mgmtProto.SSHConfig{ + SshEnabled: true, + JwtConfig: &mgmtProto.JWTConfig{ + Issuer: "test-issuer", + Audience: "test-audience", + KeysLocation: "test-keys", + MaxTokenAge: 3600, + }, + }}, + RemotePeers: []*mgmtProto.RemotePeerConfig{peerWithSSH}, + RemotePeersIsEmpty: false, + } + + err = engine.updateNetworkMap(networkMap) + require.NoError(t, err) + + time.Sleep(250 * time.Millisecond) + assert.NotNil(t, engine.sshServer) + + // now remove peer + networkMap = &mgmtProto.NetworkMap{ + Serial: 8, + RemotePeers: []*mgmtProto.RemotePeerConfig{}, + RemotePeersIsEmpty: false, + } + + err = engine.updateNetworkMap(networkMap) + require.NoError(t, err) + + // time.Sleep(250 * time.Millisecond) + assert.NotNil(t, engine.sshServer) + + // now disable SSH server + networkMap = &mgmtProto.NetworkMap{ + Serial: 9, + PeerConfig: &mgmtProto.PeerConfig{Address: "100.64.0.1/24", + SshConfig: &mgmtProto.SSHConfig{SshEnabled: false}}, + RemotePeers: []*mgmtProto.RemotePeerConfig{peerWithSSH}, + RemotePeersIsEmpty: false, + } + + err = engine.updateNetworkMap(networkMap) + require.NoError(t, err) + + assert.Nil(t, engine.sshServer) +} + +func TestEngine_Sync(t *testing.T) { + key, err := wgtypes.GeneratePrivateKey() + if err != nil { + t.Fatal(err) + return + } + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + // feed updates to Engine via mocked Management client + updates := make(chan *mgmtProto.SyncResponse) + defer close(updates) + syncFunc := func(ctx context.Context, info *system.Info, msgHandler func(msg *mgmtProto.SyncResponse) error) error { + for msg := range updates { + err := msgHandler(msg) + if err != nil { + t.Fatal(err) + } + } + return nil + } + relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU) + engine := NewEngine(ctx, cancel, &EngineConfig{ + WgIfaceName: "utun103", + WgAddr: wgaddr.MustParseWGAddress("100.64.0.1/24"), + WgPrivateKey: key, + WgPort: 33100, + MTU: iface.DefaultMTU, + }, EngineServices{ + SignalClient: &signal.MockClient{}, + MgmClient: &mgmt.MockClient{SyncFunc: syncFunc}, + RelayManager: relayMgr, + StatusRecorder: peer.NewRecorder("https://mgm"), + }, MobileDependency{}) + engine.ctx = ctx + + engine.dnsServer = &dns.MockServer{ + UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil }, + } + + defer func() { + err := engine.Stop() + if err != nil { + return + } + }() + + err = engine.Start(nil, nil) + if err != nil { + t.Fatal(err) + return + } + + peer1 := &mgmtProto.RemotePeerConfig{ + WgPubKey: "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=", + AllowedIps: []string{"100.64.0.10/24"}, + } + peer2 := &mgmtProto.RemotePeerConfig{ + WgPubKey: "LLHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=", + AllowedIps: []string{"100.64.0.11/24"}, + } + peer3 := &mgmtProto.RemotePeerConfig{ + WgPubKey: "GGHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=", + AllowedIps: []string{"100.64.0.12/24"}, + } + // 1st update with just 1 peer and serial larger than the current serial of the engine => apply update + updates <- &mgmtProto.SyncResponse{ + NetworkMap: &mgmtProto.NetworkMap{ + Serial: 10, + PeerConfig: nil, + RemotePeers: []*mgmtProto.RemotePeerConfig{peer1, peer2, peer3}, + RemotePeersIsEmpty: false, + }, + } + + timeout := time.After(time.Second * 2) + for { + select { + case <-timeout: + t.Fatalf("timeout while waiting for test to finish") + return + default: + } + + if getPeers(engine) == 3 && engine.networkSerial == 10 { + break + } + } +} + +func TestEngine_MultiplePeers(t *testing.T) { + // log.SetLevel(log.DebugLevel) + + ctx, cancel := context.WithCancel(CtxInitState(context.Background())) + defer cancel() + + sigServer, signalAddr, err := startSignal(t) + if err != nil { + t.Fatal(err) + return + } + defer sigServer.Stop() + mgmtServer, mgmtAddr, err := startManagement(t, t.TempDir(), "../testdata/store.sql") + if err != nil { + t.Fatal(err) + return + } + defer mgmtServer.GracefulStop() + + setupKey := "A2C8E62B-38F5-4553-B31E-DD66C696CEBB" + + mu := sync.Mutex{} + engines := []*Engine{} + numPeers := 10 + wg := sync.WaitGroup{} + wg.Add(numPeers) + // create and start peers + for i := 0; i < numPeers; i++ { + j := i + go func() { + engine, err := createEngine(ctx, cancel, setupKey, j, mgmtAddr, signalAddr) + if err != nil { + wg.Done() + t.Errorf("unable to create the engine for peer %d with error %v", j, err) + return + } + engine.dnsServer = &dns.MockServer{} + mu.Lock() + defer mu.Unlock() + guid := fmt.Sprintf("{%s}", uuid.New().String()) + device.CustomWindowsGUIDString = strings.ToLower(guid) + err = engine.Start(nil, nil) + if err != nil { + t.Errorf("unable to start engine for peer %d with error %v", j, err) + wg.Done() + return + } + engines = append(engines, engine) + wg.Done() + }() + } + + // wait until all have been created and started + wg.Wait() + if len(engines) != numPeers { + t.Fatal("not all peers was started") + } + // check whether all the peer have expected peers connected + + expectedConnected := numPeers * (numPeers - 1) + + // adjust according to timeouts + timeout := 50 * time.Second + timeoutChan := time.After(timeout) + ticker := time.NewTicker(time.Second) + defer ticker.Stop() +loop: + for { + select { + case <-timeoutChan: + t.Fatalf("waiting for expected connections timeout after %s", timeout.String()) + break loop + case <-ticker.C: + totalConnected := 0 + for _, engine := range engines { + totalConnected += getConnectedPeers(engine) + } + if totalConnected == expectedConnected { + log.Infof("total connected=%d", totalConnected) + break loop + } + log.Infof("total connected=%d", totalConnected) + } + } + // cleanup test + for n, peerEngine := range engines { + t.Logf("stopping peer with interface %s from multipeer test, loopIndex %d", peerEngine.wgInterface.Name(), n) + errStop := peerEngine.mgmClient.Close() + if errStop != nil { + log.Infoln("got error trying to close management clients from engine: ", errStop) + } + errStop = peerEngine.Stop() + if errStop != nil { + log.Infoln("got error trying to close testing peers engine: ", errStop) + } + } +} diff --git a/client/internal/engine_test.go b/client/internal/engine_test.go index 289f1906f..b74edc3e4 100644 --- a/client/internal/engine_test.go +++ b/client/internal/engine_test.go @@ -13,7 +13,6 @@ import ( "time" "github.com/golang/mock/gomock" - "github.com/google/uuid" log "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -50,7 +49,6 @@ import ( icemaker "github.com/netbirdio/netbird/client/internal/peer/ice" "github.com/netbirdio/netbird/client/internal/profilemanager" "github.com/netbirdio/netbird/client/internal/routemanager" - nbssh "github.com/netbirdio/netbird/client/ssh" "github.com/netbirdio/netbird/client/system" nbdns "github.com/netbirdio/netbird/dns" "github.com/netbirdio/netbird/management/server" @@ -234,129 +232,6 @@ func TestMain(m *testing.M) { os.Exit(code) } -func TestEngine_SSH(t *testing.T) { - key, err := wgtypes.GeneratePrivateKey() - if err != nil { - t.Fatal(err) - return - } - - sshKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519) - if err != nil { - t.Fatal(err) - return - } - - ctx, cancel := context.WithCancel(context.Background()) - defer cancel() - - relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU) - engine := NewEngine( - ctx, cancel, - &EngineConfig{ - WgIfaceName: "utun101", - WgAddr: wgaddr.MustParseWGAddress("100.64.0.1/24"), - WgPrivateKey: key, - WgPort: 33100, - ServerSSHAllowed: true, - MTU: iface.DefaultMTU, - SSHKey: sshKey, - }, - EngineServices{ - SignalClient: &signal.MockClient{}, - MgmClient: &mgmt.MockClient{}, - RelayManager: relayMgr, - StatusRecorder: peer.NewRecorder("https://mgm"), - }, - MobileDependency{}, - ) - - engine.dnsServer = &dns.MockServer{ - UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil }, - } - - err = engine.Start(nil, nil) - require.NoError(t, err) - - defer func() { - err := engine.Stop() - if err != nil { - return - } - }() - - peerWithSSH := &mgmtProto.RemotePeerConfig{ - WgPubKey: "MNHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=", - AllowedIps: []string{"100.64.0.21/24"}, - SshConfig: &mgmtProto.SSHConfig{ - SshPubKey: []byte("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFATYCqaQw/9id1Qkq3n16JYhDhXraI6Pc1fgB8ynEfQ"), - }, - } - - // SSH server is not enabled so SSH config of a remote peer should be ignored - networkMap := &mgmtProto.NetworkMap{ - Serial: 6, - PeerConfig: nil, - RemotePeers: []*mgmtProto.RemotePeerConfig{peerWithSSH}, - RemotePeersIsEmpty: false, - } - - err = engine.updateNetworkMap(networkMap) - require.NoError(t, err) - - assert.Nil(t, engine.sshServer) - - // SSH server is enabled, therefore SSH config should be applied - networkMap = &mgmtProto.NetworkMap{ - Serial: 7, - PeerConfig: &mgmtProto.PeerConfig{Address: "100.64.0.1/24", - SshConfig: &mgmtProto.SSHConfig{ - SshEnabled: true, - JwtConfig: &mgmtProto.JWTConfig{ - Issuer: "test-issuer", - Audience: "test-audience", - KeysLocation: "test-keys", - MaxTokenAge: 3600, - }, - }}, - RemotePeers: []*mgmtProto.RemotePeerConfig{peerWithSSH}, - RemotePeersIsEmpty: false, - } - - err = engine.updateNetworkMap(networkMap) - require.NoError(t, err) - - time.Sleep(250 * time.Millisecond) - assert.NotNil(t, engine.sshServer) - - // now remove peer - networkMap = &mgmtProto.NetworkMap{ - Serial: 8, - RemotePeers: []*mgmtProto.RemotePeerConfig{}, - RemotePeersIsEmpty: false, - } - - err = engine.updateNetworkMap(networkMap) - require.NoError(t, err) - - // time.Sleep(250 * time.Millisecond) - assert.NotNil(t, engine.sshServer) - - // now disable SSH server - networkMap = &mgmtProto.NetworkMap{ - Serial: 9, - PeerConfig: &mgmtProto.PeerConfig{Address: "100.64.0.1/24", - SshConfig: &mgmtProto.SSHConfig{SshEnabled: false}}, - RemotePeers: []*mgmtProto.RemotePeerConfig{peerWithSSH}, - RemotePeersIsEmpty: false, - } - - err = engine.updateNetworkMap(networkMap) - require.NoError(t, err) - - assert.Nil(t, engine.sshServer) -} - func TestEngine_SSHUpdateLogic(t *testing.T) { // Test that SSH server start/stop logic works based on config engine := &Engine{ @@ -631,97 +506,6 @@ func TestEngine_UpdateNetworkMap(t *testing.T) { } } -func TestEngine_Sync(t *testing.T) { - key, err := wgtypes.GeneratePrivateKey() - if err != nil { - t.Fatal(err) - return - } - - ctx, cancel := context.WithCancel(context.Background()) - defer cancel() - - // feed updates to Engine via mocked Management client - updates := make(chan *mgmtProto.SyncResponse) - defer close(updates) - syncFunc := func(ctx context.Context, info *system.Info, msgHandler func(msg *mgmtProto.SyncResponse) error) error { - for msg := range updates { - err := msgHandler(msg) - if err != nil { - t.Fatal(err) - } - } - return nil - } - relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU) - engine := NewEngine(ctx, cancel, &EngineConfig{ - WgIfaceName: "utun103", - WgAddr: wgaddr.MustParseWGAddress("100.64.0.1/24"), - WgPrivateKey: key, - WgPort: 33100, - MTU: iface.DefaultMTU, - }, EngineServices{ - SignalClient: &signal.MockClient{}, - MgmClient: &mgmt.MockClient{SyncFunc: syncFunc}, - RelayManager: relayMgr, - StatusRecorder: peer.NewRecorder("https://mgm"), - }, MobileDependency{}) - engine.ctx = ctx - - engine.dnsServer = &dns.MockServer{ - UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil }, - } - - defer func() { - err := engine.Stop() - if err != nil { - return - } - }() - - err = engine.Start(nil, nil) - if err != nil { - t.Fatal(err) - return - } - - peer1 := &mgmtProto.RemotePeerConfig{ - WgPubKey: "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=", - AllowedIps: []string{"100.64.0.10/24"}, - } - peer2 := &mgmtProto.RemotePeerConfig{ - WgPubKey: "LLHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=", - AllowedIps: []string{"100.64.0.11/24"}, - } - peer3 := &mgmtProto.RemotePeerConfig{ - WgPubKey: "GGHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=", - AllowedIps: []string{"100.64.0.12/24"}, - } - // 1st update with just 1 peer and serial larger than the current serial of the engine => apply update - updates <- &mgmtProto.SyncResponse{ - NetworkMap: &mgmtProto.NetworkMap{ - Serial: 10, - PeerConfig: nil, - RemotePeers: []*mgmtProto.RemotePeerConfig{peer1, peer2, peer3}, - RemotePeersIsEmpty: false, - }, - } - - timeout := time.After(time.Second * 2) - for { - select { - case <-timeout: - t.Fatalf("timeout while waiting for test to finish") - return - default: - } - - if getPeers(engine) == 3 && engine.networkSerial == 10 { - break - } - } -} - func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) { testCases := []struct { name string @@ -1105,104 +889,6 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) { } } -func TestEngine_MultiplePeers(t *testing.T) { - // log.SetLevel(log.DebugLevel) - - ctx, cancel := context.WithCancel(CtxInitState(context.Background())) - defer cancel() - - sigServer, signalAddr, err := startSignal(t) - if err != nil { - t.Fatal(err) - return - } - defer sigServer.Stop() - mgmtServer, mgmtAddr, err := startManagement(t, t.TempDir(), "../testdata/store.sql") - if err != nil { - t.Fatal(err) - return - } - defer mgmtServer.GracefulStop() - - setupKey := "A2C8E62B-38F5-4553-B31E-DD66C696CEBB" - - mu := sync.Mutex{} - engines := []*Engine{} - numPeers := 10 - wg := sync.WaitGroup{} - wg.Add(numPeers) - // create and start peers - for i := 0; i < numPeers; i++ { - j := i - go func() { - engine, err := createEngine(ctx, cancel, setupKey, j, mgmtAddr, signalAddr) - if err != nil { - wg.Done() - t.Errorf("unable to create the engine for peer %d with error %v", j, err) - return - } - engine.dnsServer = &dns.MockServer{} - mu.Lock() - defer mu.Unlock() - guid := fmt.Sprintf("{%s}", uuid.New().String()) - device.CustomWindowsGUIDString = strings.ToLower(guid) - err = engine.Start(nil, nil) - if err != nil { - t.Errorf("unable to start engine for peer %d with error %v", j, err) - wg.Done() - return - } - engines = append(engines, engine) - wg.Done() - }() - } - - // wait until all have been created and started - wg.Wait() - if len(engines) != numPeers { - t.Fatal("not all peers was started") - } - // check whether all the peer have expected peers connected - - expectedConnected := numPeers * (numPeers - 1) - - // adjust according to timeouts - timeout := 50 * time.Second - timeoutChan := time.After(timeout) - ticker := time.NewTicker(time.Second) - defer ticker.Stop() -loop: - for { - select { - case <-timeoutChan: - t.Fatalf("waiting for expected connections timeout after %s", timeout.String()) - break loop - case <-ticker.C: - totalConnected := 0 - for _, engine := range engines { - totalConnected += getConnectedPeers(engine) - } - if totalConnected == expectedConnected { - log.Infof("total connected=%d", totalConnected) - break loop - } - log.Infof("total connected=%d", totalConnected) - } - } - // cleanup test - for n, peerEngine := range engines { - t.Logf("stopping peer with interface %s from multipeer test, loopIndex %d", peerEngine.wgInterface.Name(), n) - errStop := peerEngine.mgmClient.Close() - if errStop != nil { - log.Infoln("got error trying to close management clients from engine: ", errStop) - } - errStop = peerEngine.Stop() - if errStop != nil { - log.Infoln("got error trying to close testing peers engine: ", errStop) - } - } -} - func Test_ParseNATExternalIPMappings(t *testing.T) { ifaceList, err := net.Interfaces() if err != nil { diff --git a/client/internal/routemanager/manager_test.go b/client/internal/routemanager/manager_test.go index 926f06bc9..18b44820a 100644 --- a/client/internal/routemanager/manager_test.go +++ b/client/internal/routemanager/manager_test.go @@ -1,3 +1,5 @@ +//go:build privileged + package routemanager import ( diff --git a/client/internal/routemanager/systemops/rt_tables_linux_test.go b/client/internal/routemanager/systemops/rt_tables_linux_test.go new file mode 100644 index 000000000..bc9cca8b1 --- /dev/null +++ b/client/internal/routemanager/systemops/rt_tables_linux_test.go @@ -0,0 +1,69 @@ +//go:build linux && !android + +package systemops + +import ( + "fmt" + "os" + "strings" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestEntryExists(t *testing.T) { + tempDir := t.TempDir() + tempFilePath := fmt.Sprintf("%s/rt_tables", tempDir) + + content := []string{ + "1000 reserved", + fmt.Sprintf("%d %s", NetbirdVPNTableID, NetbirdVPNTableName), + "9999 other_table", + } + require.NoError(t, os.WriteFile(tempFilePath, []byte(strings.Join(content, "\n")), 0644)) + + file, err := os.Open(tempFilePath) + require.NoError(t, err) + defer func() { + assert.NoError(t, file.Close()) + }() + + tests := []struct { + name string + id int + shouldExist bool + err error + }{ + { + name: "ExistsWithNetbirdPrefix", + id: 7120, + shouldExist: true, + err: nil, + }, + { + name: "ExistsWithDifferentName", + id: 1000, + shouldExist: true, + err: ErrTableIDExists, + }, + { + name: "DoesNotExist", + id: 1234, + shouldExist: false, + err: nil, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + exists, err := entryExists(file, tc.id) + if tc.err != nil { + assert.ErrorIs(t, err, tc.err) + } else { + assert.NoError(t, err) + } + assert.Equal(t, tc.shouldExist, exists) + }) + } +} diff --git a/client/internal/routemanager/systemops/systemops_bsd_privileged_test.go b/client/internal/routemanager/systemops/systemops_bsd_privileged_test.go new file mode 100644 index 000000000..d45028c19 --- /dev/null +++ b/client/internal/routemanager/systemops/systemops_bsd_privileged_test.go @@ -0,0 +1,191 @@ +//go:build (darwin || dragonfly || freebsd || netbsd || openbsd) && privileged + +package systemops + +import ( + "fmt" + "net" + "net/netip" + "os/exec" + "regexp" + "runtime" + "strings" + "sync" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func init() { + testCases = append(testCases, []testCase{ + { + name: "To more specific route without custom dialer via vpn", + expectedInterface: expectedVPNint, + dialer: &net.Dialer{}, + expectedPacket: createPacketExpectation("100.64.0.1", 12345, "10.10.0.2", 53), + }, + }...) +} + +func TestConcurrentRoutes(t *testing.T) { + baseIP := netip.MustParseAddr("192.0.2.0") + + var intf *net.Interface + var nexthop Nexthop + + _, intf = setupDummyInterface(t) + nexthop = Nexthop{netip.Addr{}, intf} + + r := New(nil, nil) + + var wg sync.WaitGroup + for i := 0; i < 1024; i++ { + wg.Add(1) + go func(ip netip.Addr) { + defer wg.Done() + prefix := netip.PrefixFrom(ip, 32) + if err := r.addToRouteTable(prefix, nexthop); err != nil { + t.Errorf("Failed to add route for %s: %v", prefix, err) + } + }(baseIP) + baseIP = baseIP.Next() + } + + wg.Wait() + + baseIP = netip.MustParseAddr("192.0.2.0") + + for i := 0; i < 1024; i++ { + wg.Add(1) + go func(ip netip.Addr) { + defer wg.Done() + prefix := netip.PrefixFrom(ip, 32) + if err := r.removeFromRouteTable(prefix, nexthop); err != nil { + t.Errorf("Failed to remove route for %s: %v", prefix, err) + } + }(baseIP) + baseIP = baseIP.Next() + } + + wg.Wait() +} + +func createAndSetupDummyInterface(t *testing.T, intf string, ipAddressCIDR string) string { + t.Helper() + + if runtime.GOOS == "darwin" { + err := exec.Command("ifconfig", intf, "alias", ipAddressCIDR).Run() + require.NoError(t, err, "Failed to create loopback alias") + + t.Cleanup(func() { + err := exec.Command("ifconfig", intf, ipAddressCIDR, "-alias").Run() + assert.NoError(t, err, "Failed to remove loopback alias") + }) + + return intf + } + + prefix, err := netip.ParsePrefix(ipAddressCIDR) + require.NoError(t, err, "Failed to parse prefix") + + netIntf, err := net.InterfaceByName(intf) + require.NoError(t, err, "Failed to get interface by name") + + nexthop := Nexthop{netip.Addr{}, netIntf} + + r := New(nil, nil) + err = r.addToRouteTable(prefix, nexthop) + require.NoError(t, err, "Failed to add route to table") + + t.Cleanup(func() { + err := r.removeFromRouteTable(prefix, nexthop) + assert.NoError(t, err, "Failed to remove route from table") + }) + + return intf +} + +func addDummyRoute(t *testing.T, dstCIDR string, gw netip.Addr, _ string) { + t.Helper() + + var originalNexthop net.IP + if dstCIDR == "0.0.0.0/0" { + var err error + originalNexthop, err = fetchOriginalGateway() + if err != nil { + t.Logf("Failed to fetch original gateway: %v", err) + } + + if output, err := exec.Command("route", "delete", "-net", dstCIDR).CombinedOutput(); err != nil { + t.Logf("Failed to delete route: %v, output: %s", err, output) + } + } + + t.Cleanup(func() { + if originalNexthop != nil { + err := exec.Command("route", "add", "-net", dstCIDR, originalNexthop.String()).Run() + assert.NoError(t, err, "Failed to restore original route") + } + }) + + err := exec.Command("route", "add", "-net", dstCIDR, gw.String()).Run() + require.NoError(t, err, "Failed to add route") + + t.Cleanup(func() { + err := exec.Command("route", "delete", "-net", dstCIDR).Run() + assert.NoError(t, err, "Failed to remove route") + }) +} + +func fetchOriginalGateway() (net.IP, error) { + output, err := exec.Command("route", "-n", "get", "default").CombinedOutput() + if err != nil { + return nil, err + } + + matches := regexp.MustCompile(`gateway: (\S+)`).FindStringSubmatch(string(output)) + if len(matches) == 0 { + return nil, fmt.Errorf("gateway not found") + } + + return net.ParseIP(matches[1]), nil +} + +// setupDummyInterface creates a dummy tun interface for FreeBSD route testing +func setupDummyInterface(t *testing.T) (netip.Addr, *net.Interface) { + t.Helper() + + if runtime.GOOS == "darwin" { + return netip.AddrFrom4([4]byte{192, 168, 1, 2}), &net.Interface{Name: "lo0"} + } + + output, err := exec.Command("ifconfig", "tun", "create").CombinedOutput() + require.NoError(t, err, "Failed to create tun interface: %s", string(output)) + + tunName := strings.TrimSpace(string(output)) + + output, err = exec.Command("ifconfig", tunName, "192.168.1.1", "netmask", "255.255.0.0", "192.168.1.2", "up").CombinedOutput() + require.NoError(t, err, "Failed to configure tun interface: %s", string(output)) + + intf, err := net.InterfaceByName(tunName) + require.NoError(t, err, "Failed to get interface by name") + + t.Cleanup(func() { + if err := exec.Command("ifconfig", tunName, "destroy").Run(); err != nil { + t.Logf("Failed to destroy tun interface %s: %v", tunName, err) + } + }) + + return netip.AddrFrom4([4]byte{192, 168, 1, 2}), intf +} + +func setupDummyInterfacesAndRoutes(t *testing.T) { + t.Helper() + + defaultDummy := createAndSetupDummyInterface(t, expectedExternalInt, "192.168.0.1/24") + addDummyRoute(t, "0.0.0.0/0", netip.AddrFrom4([4]byte{192, 168, 0, 1}), defaultDummy) + + otherDummy := createAndSetupDummyInterface(t, expectedInternalInt, "192.168.1.1/24") + addDummyRoute(t, "10.0.0.0/8", netip.AddrFrom4([4]byte{192, 168, 1, 1}), otherDummy) +} diff --git a/client/internal/routemanager/systemops/systemops_bsd_test.go b/client/internal/routemanager/systemops/systemops_bsd_test.go index ec4fc406e..f9d989812 100644 --- a/client/internal/routemanager/systemops/systemops_bsd_test.go +++ b/client/internal/routemanager/systemops/systemops_bsd_test.go @@ -3,18 +3,9 @@ package systemops import ( - "fmt" - "net" - "net/netip" - "os/exec" - "regexp" - "runtime" - "strings" - "sync" "testing" "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" "golang.org/x/net/route" ) @@ -22,60 +13,6 @@ var expectedVPNint = "utun100" var expectedExternalInt = "lo0" var expectedInternalInt = "lo0" -func init() { - testCases = append(testCases, []testCase{ - { - name: "To more specific route without custom dialer via vpn", - expectedInterface: expectedVPNint, - dialer: &net.Dialer{}, - expectedPacket: createPacketExpectation("100.64.0.1", 12345, "10.10.0.2", 53), - }, - }...) -} - -func TestConcurrentRoutes(t *testing.T) { - baseIP := netip.MustParseAddr("192.0.2.0") - - var intf *net.Interface - var nexthop Nexthop - - _, intf = setupDummyInterface(t) - nexthop = Nexthop{netip.Addr{}, intf} - - r := New(nil, nil) - - var wg sync.WaitGroup - for i := 0; i < 1024; i++ { - wg.Add(1) - go func(ip netip.Addr) { - defer wg.Done() - prefix := netip.PrefixFrom(ip, 32) - if err := r.addToRouteTable(prefix, nexthop); err != nil { - t.Errorf("Failed to add route for %s: %v", prefix, err) - } - }(baseIP) - baseIP = baseIP.Next() - } - - wg.Wait() - - baseIP = netip.MustParseAddr("192.0.2.0") - - for i := 0; i < 1024; i++ { - wg.Add(1) - go func(ip netip.Addr) { - defer wg.Done() - prefix := netip.PrefixFrom(ip, 32) - if err := r.removeFromRouteTable(prefix, nexthop); err != nil { - t.Errorf("Failed to remove route for %s: %v", prefix, err) - } - }(baseIP) - baseIP = baseIP.Next() - } - - wg.Wait() -} - func TestBits(t *testing.T) { tests := []struct { name string @@ -122,122 +59,3 @@ func TestBits(t *testing.T) { }) } } - -func createAndSetupDummyInterface(t *testing.T, intf string, ipAddressCIDR string) string { - t.Helper() - - if runtime.GOOS == "darwin" { - err := exec.Command("ifconfig", intf, "alias", ipAddressCIDR).Run() - require.NoError(t, err, "Failed to create loopback alias") - - t.Cleanup(func() { - err := exec.Command("ifconfig", intf, ipAddressCIDR, "-alias").Run() - assert.NoError(t, err, "Failed to remove loopback alias") - }) - - return intf - } - - prefix, err := netip.ParsePrefix(ipAddressCIDR) - require.NoError(t, err, "Failed to parse prefix") - - netIntf, err := net.InterfaceByName(intf) - require.NoError(t, err, "Failed to get interface by name") - - nexthop := Nexthop{netip.Addr{}, netIntf} - - r := New(nil, nil) - err = r.addToRouteTable(prefix, nexthop) - require.NoError(t, err, "Failed to add route to table") - - t.Cleanup(func() { - err := r.removeFromRouteTable(prefix, nexthop) - assert.NoError(t, err, "Failed to remove route from table") - }) - - return intf -} - -func addDummyRoute(t *testing.T, dstCIDR string, gw netip.Addr, _ string) { - t.Helper() - - var originalNexthop net.IP - if dstCIDR == "0.0.0.0/0" { - var err error - originalNexthop, err = fetchOriginalGateway() - if err != nil { - t.Logf("Failed to fetch original gateway: %v", err) - } - - if output, err := exec.Command("route", "delete", "-net", dstCIDR).CombinedOutput(); err != nil { - t.Logf("Failed to delete route: %v, output: %s", err, output) - } - } - - t.Cleanup(func() { - if originalNexthop != nil { - err := exec.Command("route", "add", "-net", dstCIDR, originalNexthop.String()).Run() - assert.NoError(t, err, "Failed to restore original route") - } - }) - - err := exec.Command("route", "add", "-net", dstCIDR, gw.String()).Run() - require.NoError(t, err, "Failed to add route") - - t.Cleanup(func() { - err := exec.Command("route", "delete", "-net", dstCIDR).Run() - assert.NoError(t, err, "Failed to remove route") - }) -} - -func fetchOriginalGateway() (net.IP, error) { - output, err := exec.Command("route", "-n", "get", "default").CombinedOutput() - if err != nil { - return nil, err - } - - matches := regexp.MustCompile(`gateway: (\S+)`).FindStringSubmatch(string(output)) - if len(matches) == 0 { - return nil, fmt.Errorf("gateway not found") - } - - return net.ParseIP(matches[1]), nil -} - -// setupDummyInterface creates a dummy tun interface for FreeBSD route testing -func setupDummyInterface(t *testing.T) (netip.Addr, *net.Interface) { - t.Helper() - - if runtime.GOOS == "darwin" { - return netip.AddrFrom4([4]byte{192, 168, 1, 2}), &net.Interface{Name: "lo0"} - } - - output, err := exec.Command("ifconfig", "tun", "create").CombinedOutput() - require.NoError(t, err, "Failed to create tun interface: %s", string(output)) - - tunName := strings.TrimSpace(string(output)) - - output, err = exec.Command("ifconfig", tunName, "192.168.1.1", "netmask", "255.255.0.0", "192.168.1.2", "up").CombinedOutput() - require.NoError(t, err, "Failed to configure tun interface: %s", string(output)) - - intf, err := net.InterfaceByName(tunName) - require.NoError(t, err, "Failed to get interface by name") - - t.Cleanup(func() { - if err := exec.Command("ifconfig", tunName, "destroy").Run(); err != nil { - t.Logf("Failed to destroy tun interface %s: %v", tunName, err) - } - }) - - return netip.AddrFrom4([4]byte{192, 168, 1, 2}), intf -} - -func setupDummyInterfacesAndRoutes(t *testing.T) { - t.Helper() - - defaultDummy := createAndSetupDummyInterface(t, expectedExternalInt, "192.168.0.1/24") - addDummyRoute(t, "0.0.0.0/0", netip.AddrFrom4([4]byte{192, 168, 0, 1}), defaultDummy) - - otherDummy := createAndSetupDummyInterface(t, expectedInternalInt, "192.168.1.1/24") - addDummyRoute(t, "10.0.0.0/8", netip.AddrFrom4([4]byte{192, 168, 1, 1}), otherDummy) -} diff --git a/client/internal/routemanager/systemops/systemops_dialer_test.go b/client/internal/routemanager/systemops/systemops_dialer_test.go new file mode 100644 index 000000000..f00f9099c --- /dev/null +++ b/client/internal/routemanager/systemops/systemops_dialer_test.go @@ -0,0 +1,17 @@ +//go:build !android && !ios + +package systemops + +import ( + "context" + "net" +) + +// dialer is shared by the per-platform routing test cases. Kept untagged (no +// privileged build tag) so the non-privileged test files compile on every platform. +// +//nolint:unused // consumed by the privileged-tagged routing tests +type dialer interface { + Dial(network, address string) (net.Conn, error) + DialContext(ctx context.Context, network, address string) (net.Conn, error) +} diff --git a/client/internal/routemanager/systemops/systemops_generic_test.go b/client/internal/routemanager/systemops/systemops_generic_test.go index 5695c40c3..c4f739c30 100644 --- a/client/internal/routemanager/systemops/systemops_generic_test.go +++ b/client/internal/routemanager/systemops/systemops_generic_test.go @@ -1,4 +1,4 @@ -//go:build !android && !ios +//go:build !android && !ios && privileged package systemops @@ -26,11 +26,6 @@ import ( nbnet "github.com/netbirdio/netbird/client/net" ) -type dialer interface { - Dial(network, address string) (net.Conn, error) - DialContext(ctx context.Context, network, address string) (net.Conn, error) -} - func TestAddVPNRoute(t *testing.T) { testCases := []struct { name string @@ -515,125 +510,3 @@ func setupTestEnv(t *testing.T) { // unique route in vpn table setupRouteAndCleanup(t, r, netip.MustParsePrefix("172.16.0.0/12"), intf) } - -func TestIsVpnRoute(t *testing.T) { - tests := []struct { - name string - addr string - vpnRoutes []string - localRoutes []string - expectedVpn bool - expectedPrefix netip.Prefix - }{ - { - name: "Match in VPN routes", - addr: "192.168.1.1", - vpnRoutes: []string{"192.168.1.0/24"}, - localRoutes: []string{"10.0.0.0/8"}, - expectedVpn: true, - expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"), - }, - { - name: "Match in local routes", - addr: "10.1.1.1", - vpnRoutes: []string{"192.168.1.0/24"}, - localRoutes: []string{"10.0.0.0/8"}, - expectedVpn: false, - expectedPrefix: netip.MustParsePrefix("10.0.0.0/8"), - }, - { - name: "No match", - addr: "172.16.0.1", - vpnRoutes: []string{"192.168.1.0/24"}, - localRoutes: []string{"10.0.0.0/8"}, - expectedVpn: false, - expectedPrefix: netip.Prefix{}, - }, - { - name: "Default route ignored", - addr: "192.168.1.1", - vpnRoutes: []string{"0.0.0.0/0", "192.168.1.0/24"}, - localRoutes: []string{"10.0.0.0/8"}, - expectedVpn: true, - expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"), - }, - { - name: "Default route matches but ignored", - addr: "172.16.1.1", - vpnRoutes: []string{"0.0.0.0/0", "192.168.1.0/24"}, - localRoutes: []string{"10.0.0.0/8"}, - expectedVpn: false, - expectedPrefix: netip.Prefix{}, - }, - { - name: "Longest prefix match local", - addr: "192.168.1.1", - vpnRoutes: []string{"192.168.0.0/16"}, - localRoutes: []string{"192.168.1.0/24"}, - expectedVpn: false, - expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"), - }, - { - name: "Longest prefix match local multiple", - addr: "192.168.0.1", - vpnRoutes: []string{"192.168.0.0/16", "192.168.0.0/25", "192.168.0.0/27"}, - localRoutes: []string{"192.168.0.0/24", "192.168.0.0/26", "192.168.0.0/28"}, - expectedVpn: false, - expectedPrefix: netip.MustParsePrefix("192.168.0.0/28"), - }, - { - name: "Longest prefix match vpn", - addr: "192.168.1.1", - vpnRoutes: []string{"192.168.1.0/24"}, - localRoutes: []string{"192.168.0.0/16"}, - expectedVpn: true, - expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"), - }, - { - name: "Longest prefix match vpn multiple", - addr: "192.168.0.1", - vpnRoutes: []string{"192.168.0.0/16", "192.168.0.0/25", "192.168.0.0/27"}, - localRoutes: []string{"192.168.0.0/24", "192.168.0.0/26"}, - expectedVpn: true, - expectedPrefix: netip.MustParsePrefix("192.168.0.0/27"), - }, - { - name: "Duplicate prefix in both", - addr: "192.168.1.1", - vpnRoutes: []string{"192.168.1.0/24"}, - localRoutes: []string{"192.168.1.0/24"}, - expectedVpn: false, - expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"), - }, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - addr, err := netip.ParseAddr(tt.addr) - if err != nil { - t.Fatalf("Failed to parse address %s: %v", tt.addr, err) - } - - var vpnRoutes, localRoutes []netip.Prefix - for _, route := range tt.vpnRoutes { - prefix, err := netip.ParsePrefix(route) - if err != nil { - t.Fatalf("Failed to parse VPN route %s: %v", route, err) - } - vpnRoutes = append(vpnRoutes, prefix) - } - - for _, route := range tt.localRoutes { - prefix, err := netip.ParsePrefix(route) - if err != nil { - t.Fatalf("Failed to parse local route %s: %v", route, err) - } - localRoutes = append(localRoutes, prefix) - } - - isVpn, matchedPrefix := isVpnRoute(addr, vpnRoutes, localRoutes) - assert.Equal(t, tt.expectedVpn, isVpn, "isVpnRoute should return expectedVpn value") - assert.Equal(t, tt.expectedPrefix, matchedPrefix, "isVpnRoute should return expectedVpn prefix") - }) - } -} diff --git a/client/internal/routemanager/systemops/systemops_isvpnroute_test.go b/client/internal/routemanager/systemops/systemops_isvpnroute_test.go new file mode 100644 index 000000000..677fe1287 --- /dev/null +++ b/client/internal/routemanager/systemops/systemops_isvpnroute_test.go @@ -0,0 +1,132 @@ +//go:build !android && !ios + +package systemops + +import ( + "net/netip" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestIsVpnRoute(t *testing.T) { + tests := []struct { + name string + addr string + vpnRoutes []string + localRoutes []string + expectedVpn bool + expectedPrefix netip.Prefix + }{ + { + name: "Match in VPN routes", + addr: "192.168.1.1", + vpnRoutes: []string{"192.168.1.0/24"}, + localRoutes: []string{"10.0.0.0/8"}, + expectedVpn: true, + expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"), + }, + { + name: "Match in local routes", + addr: "10.1.1.1", + vpnRoutes: []string{"192.168.1.0/24"}, + localRoutes: []string{"10.0.0.0/8"}, + expectedVpn: false, + expectedPrefix: netip.MustParsePrefix("10.0.0.0/8"), + }, + { + name: "No match", + addr: "172.16.0.1", + vpnRoutes: []string{"192.168.1.0/24"}, + localRoutes: []string{"10.0.0.0/8"}, + expectedVpn: false, + expectedPrefix: netip.Prefix{}, + }, + { + name: "Default route ignored", + addr: "192.168.1.1", + vpnRoutes: []string{"0.0.0.0/0", "192.168.1.0/24"}, + localRoutes: []string{"10.0.0.0/8"}, + expectedVpn: true, + expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"), + }, + { + name: "Default route matches but ignored", + addr: "172.16.1.1", + vpnRoutes: []string{"0.0.0.0/0", "192.168.1.0/24"}, + localRoutes: []string{"10.0.0.0/8"}, + expectedVpn: false, + expectedPrefix: netip.Prefix{}, + }, + { + name: "Longest prefix match local", + addr: "192.168.1.1", + vpnRoutes: []string{"192.168.0.0/16"}, + localRoutes: []string{"192.168.1.0/24"}, + expectedVpn: false, + expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"), + }, + { + name: "Longest prefix match local multiple", + addr: "192.168.0.1", + vpnRoutes: []string{"192.168.0.0/16", "192.168.0.0/25", "192.168.0.0/27"}, + localRoutes: []string{"192.168.0.0/24", "192.168.0.0/26", "192.168.0.0/28"}, + expectedVpn: false, + expectedPrefix: netip.MustParsePrefix("192.168.0.0/28"), + }, + { + name: "Longest prefix match vpn", + addr: "192.168.1.1", + vpnRoutes: []string{"192.168.1.0/24"}, + localRoutes: []string{"192.168.0.0/16"}, + expectedVpn: true, + expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"), + }, + { + name: "Longest prefix match vpn multiple", + addr: "192.168.0.1", + vpnRoutes: []string{"192.168.0.0/16", "192.168.0.0/25", "192.168.0.0/27"}, + localRoutes: []string{"192.168.0.0/24", "192.168.0.0/26"}, + expectedVpn: true, + expectedPrefix: netip.MustParsePrefix("192.168.0.0/27"), + }, + { + name: "Duplicate prefix in both", + addr: "192.168.1.1", + vpnRoutes: []string{"192.168.1.0/24"}, + localRoutes: []string{"192.168.1.0/24"}, + expectedVpn: false, + expectedPrefix: netip.MustParsePrefix("192.168.1.0/24"), + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + addr, err := netip.ParseAddr(tt.addr) + if err != nil { + t.Fatalf("Failed to parse address %s: %v", tt.addr, err) + } + + var vpnRoutes, localRoutes []netip.Prefix + for _, route := range tt.vpnRoutes { + prefix, err := netip.ParsePrefix(route) + if err != nil { + t.Fatalf("Failed to parse VPN route %s: %v", route, err) + } + vpnRoutes = append(vpnRoutes, prefix) + } + + for _, route := range tt.localRoutes { + prefix, err := netip.ParsePrefix(route) + if err != nil { + t.Fatalf("Failed to parse local route %s: %v", route, err) + } + localRoutes = append(localRoutes, prefix) + } + + isVpn, matchedPrefix := isVpnRoute(addr, vpnRoutes, localRoutes) + assert.Equal(t, tt.expectedVpn, isVpn, "isVpnRoute should return expectedVpn value") + assert.Equal(t, tt.expectedPrefix, matchedPrefix, "isVpnRoute should return expectedVpn prefix") + }) + } +} diff --git a/client/internal/routemanager/systemops/systemops_linux_test.go b/client/internal/routemanager/systemops/systemops_linux_test.go index 880296d91..2d6fd5fea 100644 --- a/client/internal/routemanager/systemops/systemops_linux_test.go +++ b/client/internal/routemanager/systemops/systemops_linux_test.go @@ -1,13 +1,10 @@ -//go:build !android +//go:build !android && privileged package systemops import ( "errors" - "fmt" "net" - "os" - "strings" "syscall" "testing" @@ -18,10 +15,6 @@ import ( "github.com/netbirdio/netbird/client/internal/routemanager/vars" ) -var expectedVPNint = "wgtest0" -var expectedExternalInt = "dummyext0" -var expectedInternalInt = "dummyint0" - func init() { testCases = append(testCases, []testCase{ { @@ -33,62 +26,6 @@ func init() { }...) } -func TestEntryExists(t *testing.T) { - tempDir := t.TempDir() - tempFilePath := fmt.Sprintf("%s/rt_tables", tempDir) - - content := []string{ - "1000 reserved", - fmt.Sprintf("%d %s", NetbirdVPNTableID, NetbirdVPNTableName), - "9999 other_table", - } - require.NoError(t, os.WriteFile(tempFilePath, []byte(strings.Join(content, "\n")), 0644)) - - file, err := os.Open(tempFilePath) - require.NoError(t, err) - defer func() { - assert.NoError(t, file.Close()) - }() - - tests := []struct { - name string - id int - shouldExist bool - err error - }{ - { - name: "ExistsWithNetbirdPrefix", - id: 7120, - shouldExist: true, - err: nil, - }, - { - name: "ExistsWithDifferentName", - id: 1000, - shouldExist: true, - err: ErrTableIDExists, - }, - { - name: "DoesNotExist", - id: 1234, - shouldExist: false, - err: nil, - }, - } - - for _, tc := range tests { - t.Run(tc.name, func(t *testing.T) { - exists, err := entryExists(file, tc.id) - if tc.err != nil { - assert.ErrorIs(t, err, tc.err) - } else { - assert.NoError(t, err) - } - assert.Equal(t, tc.shouldExist, exists) - }) - } -} - func createAndSetupDummyInterface(t *testing.T, interfaceName, ipAddressCIDR string) string { t.Helper() diff --git a/client/internal/routemanager/systemops/systemops_routing_data_linux_test.go b/client/internal/routemanager/systemops/systemops_routing_data_linux_test.go new file mode 100644 index 000000000..9be267980 --- /dev/null +++ b/client/internal/routemanager/systemops/systemops_routing_data_linux_test.go @@ -0,0 +1,15 @@ +//go:build linux && !android + +package systemops + +// Interface names used by the shared routing test fixtures. Kept untagged (no +// privileged build tag) so the non-privileged test files in this package compile. +// +//nolint:unused // consumed by the privileged-tagged routing tests +var expectedVPNint = "wgtest0" + +//nolint:unused // consumed by the privileged-tagged routing tests +var expectedExternalInt = "dummyext0" + +//nolint:unused // consumed by the privileged-tagged routing tests +var expectedInternalInt = "dummyint0" diff --git a/client/internal/routemanager/systemops/systemops_routing_data_test.go b/client/internal/routemanager/systemops/systemops_routing_data_test.go new file mode 100644 index 000000000..16f17f5b9 --- /dev/null +++ b/client/internal/routemanager/systemops/systemops_routing_data_test.go @@ -0,0 +1,83 @@ +//go:build (linux && !android) || (darwin && !ios) || freebsd || openbsd || netbsd || dragonfly + +package systemops + +import ( + "net" + + nbnet "github.com/netbirdio/netbird/client/net" +) + +// Shared, non-privileged routing test fixtures. The privileged TestRouting (and its +// per-platform init() appenders) consume these; they live here so the unprivileged +// BSD/darwin test files compile without the privileged build tag. + +type PacketExpectation struct { + SrcIP net.IP + DstIP net.IP + SrcPort int + DstPort int + UDP bool + TCP bool +} + +//nolint:unused // consumed by the privileged-tagged routing tests +type testCase struct { + name string + expectedInterface string + dialer dialer + expectedPacket PacketExpectation +} + +//nolint:unused // consumed by the privileged-tagged routing tests +var testCases = []testCase{ + { + name: "To external host without custom dialer via vpn", + expectedInterface: expectedVPNint, + dialer: &net.Dialer{}, + expectedPacket: createPacketExpectation("100.64.0.1", 12345, "192.0.2.1", 53), + }, + { + name: "To external host with custom dialer via physical interface", + expectedInterface: expectedExternalInt, + dialer: nbnet.NewDialer(), + expectedPacket: createPacketExpectation("192.168.0.1", 12345, "192.0.2.1", 53), + }, + + { + name: "To duplicate internal route with custom dialer via physical interface", + expectedInterface: expectedInternalInt, + dialer: nbnet.NewDialer(), + expectedPacket: createPacketExpectation("192.168.1.1", 12345, "10.0.0.2", 53), + }, + { + name: "To duplicate internal route without custom dialer via physical interface", // local route takes precedence + expectedInterface: expectedInternalInt, + dialer: &net.Dialer{}, + expectedPacket: createPacketExpectation("192.168.1.1", 12345, "10.0.0.2", 53), + }, + + { + name: "To unique vpn route with custom dialer via physical interface", + expectedInterface: expectedExternalInt, + dialer: nbnet.NewDialer(), + expectedPacket: createPacketExpectation("192.168.0.1", 12345, "172.16.0.2", 53), + }, + { + name: "To unique vpn route without custom dialer via vpn", + expectedInterface: expectedVPNint, + dialer: &net.Dialer{}, + expectedPacket: createPacketExpectation("100.64.0.1", 12345, "172.16.0.2", 53), + }, +} + +//nolint:unused // consumed by the privileged-tagged routing tests +func createPacketExpectation(srcIP string, srcPort int, dstIP string, dstPort int) PacketExpectation { + return PacketExpectation{ + SrcIP: net.ParseIP(srcIP), + DstIP: net.ParseIP(dstIP), + SrcPort: srcPort, + DstPort: dstPort, + UDP: true, + } +} diff --git a/client/internal/routemanager/systemops/systemops_unix_test.go b/client/internal/routemanager/systemops/systemops_unix_test.go index 959c697e4..efb0ae4e4 100644 --- a/client/internal/routemanager/systemops/systemops_unix_test.go +++ b/client/internal/routemanager/systemops/systemops_unix_test.go @@ -1,4 +1,4 @@ -//go:build (linux && !android) || (darwin && !ios) || freebsd || openbsd || netbsd || dragonfly +//go:build ((linux && !android) || (darwin && !ios) || freebsd || openbsd || netbsd || dragonfly) && privileged package systemops @@ -20,63 +20,6 @@ import ( nbnet "github.com/netbirdio/netbird/client/net" ) -type PacketExpectation struct { - SrcIP net.IP - DstIP net.IP - SrcPort int - DstPort int - UDP bool - TCP bool -} - -type testCase struct { - name string - expectedInterface string - dialer dialer - expectedPacket PacketExpectation -} - -var testCases = []testCase{ - { - name: "To external host without custom dialer via vpn", - expectedInterface: expectedVPNint, - dialer: &net.Dialer{}, - expectedPacket: createPacketExpectation("100.64.0.1", 12345, "192.0.2.1", 53), - }, - { - name: "To external host with custom dialer via physical interface", - expectedInterface: expectedExternalInt, - dialer: nbnet.NewDialer(), - expectedPacket: createPacketExpectation("192.168.0.1", 12345, "192.0.2.1", 53), - }, - - { - name: "To duplicate internal route with custom dialer via physical interface", - expectedInterface: expectedInternalInt, - dialer: nbnet.NewDialer(), - expectedPacket: createPacketExpectation("192.168.1.1", 12345, "10.0.0.2", 53), - }, - { - name: "To duplicate internal route without custom dialer via physical interface", // local route takes precedence - expectedInterface: expectedInternalInt, - dialer: &net.Dialer{}, - expectedPacket: createPacketExpectation("192.168.1.1", 12345, "10.0.0.2", 53), - }, - - { - name: "To unique vpn route with custom dialer via physical interface", - expectedInterface: expectedExternalInt, - dialer: nbnet.NewDialer(), - expectedPacket: createPacketExpectation("192.168.0.1", 12345, "172.16.0.2", 53), - }, - { - name: "To unique vpn route without custom dialer via vpn", - expectedInterface: expectedVPNint, - dialer: &net.Dialer{}, - expectedPacket: createPacketExpectation("100.64.0.1", 12345, "172.16.0.2", 53), - }, -} - func TestRouting(t *testing.T) { nbnet.Init() for _, tc := range testCases { @@ -102,16 +45,6 @@ func TestRouting(t *testing.T) { } } -func createPacketExpectation(srcIP string, srcPort int, dstIP string, dstPort int) PacketExpectation { - return PacketExpectation{ - SrcIP: net.ParseIP(srcIP), - DstIP: net.ParseIP(dstIP), - SrcPort: srcPort, - DstPort: dstPort, - UDP: true, - } -} - func startPacketCapture(t *testing.T, intf, filter string) *pcap.Handle { t.Helper() diff --git a/client/internal/routemanager/systemops/systemops_windows_test.go b/client/internal/routemanager/systemops/systemops_windows_test.go index 3561adec4..d7674e77e 100644 --- a/client/internal/routemanager/systemops/systemops_windows_test.go +++ b/client/internal/routemanager/systemops/systemops_windows_test.go @@ -1,3 +1,5 @@ +//go:build privileged + package systemops import ( diff --git a/client/internal/routemanager/systemops/v6route_linux_test.go b/client/internal/routemanager/systemops/v6route_linux_test.go index 0b17cefff..449d4cbd2 100644 --- a/client/internal/routemanager/systemops/v6route_linux_test.go +++ b/client/internal/routemanager/systemops/v6route_linux_test.go @@ -1,4 +1,4 @@ -//go:build linux && !android +//go:build linux && !android && privileged package systemops diff --git a/client/server/server_privileged_test.go b/client/server/server_privileged_test.go new file mode 100644 index 000000000..549631073 --- /dev/null +++ b/client/server/server_privileged_test.go @@ -0,0 +1,235 @@ +//go:build privileged + +package server + +import ( + "context" + "net" + "os/user" + "testing" + "time" + + "github.com/golang/mock/gomock" + "github.com/stretchr/testify/require" + "go.opentelemetry.io/otel" + + "github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator" + + "github.com/netbirdio/netbird/management/internals/controllers/network_map/controller" + "github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel" + "github.com/netbirdio/netbird/management/internals/modules/peers" + "github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager" + nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc" + "github.com/netbirdio/netbird/management/server/job" + + "github.com/netbirdio/netbird/management/internals/server/config" + "github.com/netbirdio/netbird/management/server/groups" + + log "github.com/sirupsen/logrus" + "google.golang.org/grpc" + "google.golang.org/grpc/keepalive" + + "github.com/netbirdio/netbird/client/internal" + "github.com/netbirdio/netbird/client/internal/peer" + "github.com/netbirdio/netbird/client/internal/profilemanager" + "github.com/netbirdio/netbird/management/server" + "github.com/netbirdio/netbird/management/server/activity" + nbcache "github.com/netbirdio/netbird/management/server/cache" + "github.com/netbirdio/netbird/management/server/integrations/port_forwarding" + "github.com/netbirdio/netbird/management/server/permissions" + "github.com/netbirdio/netbird/management/server/settings" + "github.com/netbirdio/netbird/management/server/store" + "github.com/netbirdio/netbird/management/server/telemetry" + mgmtProto "github.com/netbirdio/netbird/shared/management/proto" + "github.com/netbirdio/netbird/shared/signal/proto" + signalServer "github.com/netbirdio/netbird/signal/server" +) + +var ( + kaep = keepalive.EnforcementPolicy{ + MinTime: 15 * time.Second, + PermitWithoutStream: true, + } + + kasp = keepalive.ServerParameters{ + MaxConnectionIdle: 15 * time.Second, + MaxConnectionAgeGrace: 5 * time.Second, + Time: 5 * time.Second, + Timeout: 2 * time.Second, + } +) + +// TestConnectWithRetryRuns checks that the connectWithRetry function runs and runs the retries according to the times specified via environment variables +// we will use a management server started via to simulate the server and capture the number of retries +func TestConnectWithRetryRuns(t *testing.T) { + // start the signal server + _, signalAddr, err := startSignal(t) + if err != nil { + t.Fatalf("failed to start signal server: %v", err) + } + + counter := 0 + // start the management server + _, mgmtAddr, err := startManagement(t, signalAddr, &counter) + if err != nil { + t.Fatalf("failed to start management server: %v", err) + } + + ctx := internal.CtxInitState(context.Background()) + + ctx, cancel := context.WithDeadline(ctx, time.Now().Add(30*time.Second)) + defer cancel() + // create new server + ic := profilemanager.ConfigInput{ + ManagementURL: "http://" + mgmtAddr, + ConfigPath: t.TempDir() + "/test-profile.json", + } + + config, err := profilemanager.UpdateOrCreateConfig(ic) + if err != nil { + t.Fatalf("failed to create config: %v", err) + } + + currUser, err := user.Current() + require.NoError(t, err) + + pm := profilemanager.ServiceManager{} + err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{ + Name: "test-profile", + Username: currUser.Username, + }) + if err != nil { + t.Fatalf("failed to set active profile state: %v", err) + } + + s := New(ctx, "debug", "", false, false, false, false) + + s.config = config + + s.statusRecorder = peer.NewRecorder(config.ManagementURL.String()) + t.Setenv(retryInitialIntervalVar, "1s") + t.Setenv(maxRetryIntervalVar, "2s") + t.Setenv(maxRetryTimeVar, "5s") + t.Setenv(retryMultiplierVar, "1") + + s.connectWithRetryRuns(ctx, config, s.statusRecorder, nil, nil) + if counter < 3 { + t.Fatalf("expected counter > 2, got %d", counter) + } +} + +type mockServer struct { + mgmtProto.ManagementServiceServer + counter *int +} + +func (m *mockServer) Login(ctx context.Context, req *mgmtProto.EncryptedMessage) (*mgmtProto.EncryptedMessage, error) { + *m.counter++ + return m.ManagementServiceServer.Login(ctx, req) +} + +func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Server, string, error) { + t.Helper() + dataDir := t.TempDir() + + config := &config.Config{ + Stuns: []*config.Host{}, + TURNConfig: &config.TURNConfig{}, + Signal: &config.Host{ + Proto: "http", + URI: signalAddr, + }, + Datadir: dataDir, + HttpConfig: nil, + } + + lis, err := net.Listen("tcp", "localhost:0") + if err != nil { + return nil, "", err + } + s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp)) + store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "", config.Datadir) + if err != nil { + return nil, "", err + } + t.Cleanup(cleanUp) + + eventStore := &activity.InMemoryEventStore{} + if err != nil { + return nil, "", err + } + + ctrl := gomock.NewController(t) + t.Cleanup(ctrl.Finish) + + permissionsManagerMock := permissions.NewMockManager(ctrl) + peersManager := peers.NewManager(store, permissionsManagerMock) + settingsManagerMock := settings.NewMockManager(ctrl) + + jobManager := job.NewJobManager(nil, store, peersManager) + + cacheStore, err := nbcache.NewStore(context.Background(), 100*time.Millisecond, 300*time.Millisecond, 100) + if err != nil { + return nil, "", err + } + + ia, _ := validator.NewIntegratedValidator(context.Background(), peersManager, settingsManagerMock, eventStore, cacheStore) + + metrics, err := telemetry.NewDefaultAppMetrics(context.Background()) + require.NoError(t, err) + + settingsMockManager := settings.NewMockManager(ctrl) + groupsManager := groups.NewManagerMock() + + requestBuffer := server.NewAccountRequestBuffer(context.Background(), store) + peersUpdateManager := update_channel.NewPeersUpdateManager(metrics) + networkMapController := controller.NewController(context.Background(), store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersManager), config) + accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false, cacheStore) + if err != nil { + return nil, "", err + } + + secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager) + if err != nil { + return nil, "", err + } + mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil) + if err != nil { + return nil, "", err + } + mock := &mockServer{ + ManagementServiceServer: mgmtServer, + counter: counter, + } + mgmtProto.RegisterManagementServiceServer(s, mock) + go func() { + if err = s.Serve(lis); err != nil { + log.Fatalf("failed to serve: %v", err) + } + }() + + return s, lis.Addr().String(), nil +} + +func startSignal(t *testing.T) (*grpc.Server, string, error) { + t.Helper() + + s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp)) + + lis, err := net.Listen("tcp", "localhost:0") + if err != nil { + log.Fatalf("failed to listen: %v", err) + } + + srv, err := signalServer.NewServer(context.Background(), otel.Meter("")) + require.NoError(t, err) + proto.RegisterSignalExchangeServer(s, srv) + + go func() { + if err = s.Serve(lis); err != nil { + log.Fatalf("failed to serve: %v", err) + } + }() + + return s, lis.Addr().String(), nil +} diff --git a/client/server/server_test.go b/client/server/server_test.go index 66e0fcc4c..31421a029 100644 --- a/client/server/server_test.go +++ b/client/server/server_test.go @@ -2,124 +2,22 @@ package server import ( "context" - "net" "net/url" "os/user" "path/filepath" "testing" "time" - "github.com/golang/mock/gomock" - "github.com/stretchr/testify/require" - "go.opentelemetry.io/otel" - - "github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator" - - "github.com/netbirdio/netbird/management/internals/controllers/network_map/controller" - "github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel" - "github.com/netbirdio/netbird/management/internals/modules/peers" - "github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager" - nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc" - "github.com/netbirdio/netbird/management/server/job" - - "github.com/netbirdio/netbird/management/internals/server/config" - "github.com/netbirdio/netbird/management/server/groups" - log "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "google.golang.org/grpc" - "google.golang.org/grpc/keepalive" "github.com/netbirdio/netbird/client/internal" - "github.com/netbirdio/netbird/client/internal/peer" "github.com/netbirdio/netbird/client/internal/profilemanager" daemonProto "github.com/netbirdio/netbird/client/proto" - "github.com/netbirdio/netbird/management/server" - "github.com/netbirdio/netbird/management/server/activity" - nbcache "github.com/netbirdio/netbird/management/server/cache" - "github.com/netbirdio/netbird/management/server/integrations/port_forwarding" - "github.com/netbirdio/netbird/management/server/permissions" - "github.com/netbirdio/netbird/management/server/settings" - "github.com/netbirdio/netbird/management/server/store" - "github.com/netbirdio/netbird/management/server/telemetry" - mgmtProto "github.com/netbirdio/netbird/shared/management/proto" - "github.com/netbirdio/netbird/shared/signal/proto" - signalServer "github.com/netbirdio/netbird/signal/server" ) -var ( - kaep = keepalive.EnforcementPolicy{ - MinTime: 15 * time.Second, - PermitWithoutStream: true, - } - - kasp = keepalive.ServerParameters{ - MaxConnectionIdle: 15 * time.Second, - MaxConnectionAgeGrace: 5 * time.Second, - Time: 5 * time.Second, - Timeout: 2 * time.Second, - } -) - -// TestConnectWithRetryRuns checks that the connectWithRetry function runs and runs the retries according to the times specified via environment variables -// we will use a management server started via to simulate the server and capture the number of retries -func TestConnectWithRetryRuns(t *testing.T) { - // start the signal server - _, signalAddr, err := startSignal(t) - if err != nil { - t.Fatalf("failed to start signal server: %v", err) - } - - counter := 0 - // start the management server - _, mgmtAddr, err := startManagement(t, signalAddr, &counter) - if err != nil { - t.Fatalf("failed to start management server: %v", err) - } - - ctx := internal.CtxInitState(context.Background()) - - ctx, cancel := context.WithDeadline(ctx, time.Now().Add(30*time.Second)) - defer cancel() - // create new server - ic := profilemanager.ConfigInput{ - ManagementURL: "http://" + mgmtAddr, - ConfigPath: t.TempDir() + "/test-profile.json", - } - - config, err := profilemanager.UpdateOrCreateConfig(ic) - if err != nil { - t.Fatalf("failed to create config: %v", err) - } - - currUser, err := user.Current() - require.NoError(t, err) - - pm := profilemanager.ServiceManager{} - err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{ - Name: "test-profile", - Username: currUser.Username, - }) - if err != nil { - t.Fatalf("failed to set active profile state: %v", err) - } - - s := New(ctx, "debug", "", false, false, false, false) - - s.config = config - - s.statusRecorder = peer.NewRecorder(config.ManagementURL.String()) - t.Setenv(retryInitialIntervalVar, "1s") - t.Setenv(maxRetryIntervalVar, "2s") - t.Setenv(maxRetryTimeVar, "5s") - t.Setenv(retryMultiplierVar, "1") - - s.connectWithRetryRuns(ctx, config, s.statusRecorder, nil, nil) - if counter < 3 { - t.Fatalf("expected counter > 2, got %d", counter) - } -} - func TestServer_Up(t *testing.T) { tempDir := t.TempDir() origDefaultProfileDir := profilemanager.DefaultConfigPathDir @@ -259,119 +157,3 @@ func TestServer_SubcribeEvents(t *testing.T) { assert.NoError(t, err) } - -type mockServer struct { - mgmtProto.ManagementServiceServer - counter *int -} - -func (m *mockServer) Login(ctx context.Context, req *mgmtProto.EncryptedMessage) (*mgmtProto.EncryptedMessage, error) { - *m.counter++ - return m.ManagementServiceServer.Login(ctx, req) -} - -func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Server, string, error) { - t.Helper() - dataDir := t.TempDir() - - config := &config.Config{ - Stuns: []*config.Host{}, - TURNConfig: &config.TURNConfig{}, - Signal: &config.Host{ - Proto: "http", - URI: signalAddr, - }, - Datadir: dataDir, - HttpConfig: nil, - } - - lis, err := net.Listen("tcp", "localhost:0") - if err != nil { - return nil, "", err - } - s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp)) - store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "", config.Datadir) - if err != nil { - return nil, "", err - } - t.Cleanup(cleanUp) - - eventStore := &activity.InMemoryEventStore{} - if err != nil { - return nil, "", err - } - - ctrl := gomock.NewController(t) - t.Cleanup(ctrl.Finish) - - permissionsManagerMock := permissions.NewMockManager(ctrl) - peersManager := peers.NewManager(store, permissionsManagerMock) - settingsManagerMock := settings.NewMockManager(ctrl) - - jobManager := job.NewJobManager(nil, store, peersManager) - - cacheStore, err := nbcache.NewStore(context.Background(), 100*time.Millisecond, 300*time.Millisecond, 100) - if err != nil { - return nil, "", err - } - - ia, _ := validator.NewIntegratedValidator(context.Background(), peersManager, settingsManagerMock, eventStore, cacheStore) - - metrics, err := telemetry.NewDefaultAppMetrics(context.Background()) - require.NoError(t, err) - - settingsMockManager := settings.NewMockManager(ctrl) - groupsManager := groups.NewManagerMock() - - requestBuffer := server.NewAccountRequestBuffer(context.Background(), store) - peersUpdateManager := update_channel.NewPeersUpdateManager(metrics) - networkMapController := controller.NewController(context.Background(), store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersManager), config) - accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false, cacheStore) - if err != nil { - return nil, "", err - } - - secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager) - if err != nil { - return nil, "", err - } - mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil) - if err != nil { - return nil, "", err - } - mock := &mockServer{ - ManagementServiceServer: mgmtServer, - counter: counter, - } - mgmtProto.RegisterManagementServiceServer(s, mock) - go func() { - if err = s.Serve(lis); err != nil { - log.Fatalf("failed to serve: %v", err) - } - }() - - return s, lis.Addr().String(), nil -} - -func startSignal(t *testing.T) (*grpc.Server, string, error) { - t.Helper() - - s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp)) - - lis, err := net.Listen("tcp", "localhost:0") - if err != nil { - log.Fatalf("failed to listen: %v", err) - } - - srv, err := signalServer.NewServer(context.Background(), otel.Meter("")) - require.NoError(t, err) - proto.RegisterSignalExchangeServer(s, srv) - - go func() { - if err = s.Serve(lis); err != nil { - log.Fatalf("failed to serve: %v", err) - } - }() - - return s, lis.Addr().String(), nil -} diff --git a/client/ssh/client/client_privileged_test.go b/client/ssh/client/client_privileged_test.go new file mode 100644 index 000000000..12edbbc06 --- /dev/null +++ b/client/ssh/client/client_privileged_test.go @@ -0,0 +1,118 @@ +//go:build privileged + +package client + +import ( + "context" + "errors" + "runtime" + "strings" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + cryptossh "golang.org/x/crypto/ssh" + + "github.com/netbirdio/netbird/client/ssh/testutil" +) + +func TestSSHClient_CommandExecution(t *testing.T) { + if runtime.GOOS == "windows" && testutil.IsCI() { + t.Skip("Skipping Windows command execution tests in CI due to S4U authentication issues") + } + + server, _, client := setupTestSSHServerAndClient(t) + defer func() { + err := server.Stop() + require.NoError(t, err) + }() + defer func() { + err := client.Close() + assert.NoError(t, err) + }() + + ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second) + defer cancel() + + t.Run("ExecuteCommand captures output", func(t *testing.T) { + output, err := client.ExecuteCommand(ctx, "echo hello") + assert.NoError(t, err) + assert.Contains(t, string(output), "hello") + }) + + t.Run("ExecuteCommandWithIO streams output", func(t *testing.T) { + err := client.ExecuteCommandWithIO(ctx, "echo world") + assert.NoError(t, err) + }) + + t.Run("commands with flags work", func(t *testing.T) { + output, err := client.ExecuteCommand(ctx, "echo -n test_flag") + assert.NoError(t, err) + assert.Equal(t, "test_flag", strings.TrimSpace(string(output))) + }) + + t.Run("non-zero exit codes don't return errors", func(t *testing.T) { + var testCmd string + if runtime.GOOS == "windows" { + testCmd = "echo hello | Select-String notfound" + } else { + testCmd = "echo 'hello' | grep 'notfound'" + } + _, err := client.ExecuteCommand(ctx, testCmd) + assert.NoError(t, err) + }) +} + +func TestSSHClient_ContextCancellation(t *testing.T) { + server, serverAddr, _ := setupTestSSHServerAndClient(t) + defer func() { + err := server.Stop() + require.NoError(t, err) + }() + + t.Run("connection with short timeout", func(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), 1*time.Millisecond) + defer cancel() + + currentUser := testutil.GetTestUsername(t) + _, err := Dial(ctx, serverAddr, currentUser, DialOptions{ + InsecureSkipVerify: true, + }) + if err != nil { + // Check for actual timeout-related errors rather than string matching + assert.True(t, + errors.Is(err, context.DeadlineExceeded) || + errors.Is(err, context.Canceled) || + strings.Contains(err.Error(), "timeout"), + "Expected timeout-related error, got: %v", err) + } + }) + + t.Run("command execution cancellation", func(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + currentUser := testutil.GetTestUsername(t) + client, err := Dial(ctx, serverAddr, currentUser, DialOptions{ + InsecureSkipVerify: true, + }) + require.NoError(t, err) + defer func() { + if err := client.Close(); err != nil { + t.Logf("client close error: %v", err) + } + }() + + cmdCtx, cmdCancel := context.WithTimeout(context.Background(), 100*time.Millisecond) + defer cmdCancel() + + err = client.ExecuteCommandWithPTY(cmdCtx, "sleep 10") + if err != nil { + var exitMissingErr *cryptossh.ExitMissingError + isValidCancellation := errors.Is(err, context.DeadlineExceeded) || + errors.Is(err, context.Canceled) || + errors.As(err, &exitMissingErr) + assert.True(t, isValidCancellation, "Should handle command cancellation properly") + } + }) +} diff --git a/client/ssh/client/client_test.go b/client/ssh/client/client_test.go index e38e02a86..191362940 100644 --- a/client/ssh/client/client_test.go +++ b/client/ssh/client/client_test.go @@ -15,7 +15,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - cryptossh "golang.org/x/crypto/ssh" "github.com/netbirdio/netbird/client/ssh" sshserver "github.com/netbirdio/netbird/client/ssh/server" @@ -78,53 +77,6 @@ func TestSSHClient_DialWithKey(t *testing.T) { assert.NotNil(t, client.client) } -func TestSSHClient_CommandExecution(t *testing.T) { - if runtime.GOOS == "windows" && testutil.IsCI() { - t.Skip("Skipping Windows command execution tests in CI due to S4U authentication issues") - } - - server, _, client := setupTestSSHServerAndClient(t) - defer func() { - err := server.Stop() - require.NoError(t, err) - }() - defer func() { - err := client.Close() - assert.NoError(t, err) - }() - - ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second) - defer cancel() - - t.Run("ExecuteCommand captures output", func(t *testing.T) { - output, err := client.ExecuteCommand(ctx, "echo hello") - assert.NoError(t, err) - assert.Contains(t, string(output), "hello") - }) - - t.Run("ExecuteCommandWithIO streams output", func(t *testing.T) { - err := client.ExecuteCommandWithIO(ctx, "echo world") - assert.NoError(t, err) - }) - - t.Run("commands with flags work", func(t *testing.T) { - output, err := client.ExecuteCommand(ctx, "echo -n test_flag") - assert.NoError(t, err) - assert.Equal(t, "test_flag", strings.TrimSpace(string(output))) - }) - - t.Run("non-zero exit codes don't return errors", func(t *testing.T) { - var testCmd string - if runtime.GOOS == "windows" { - testCmd = "echo hello | Select-String notfound" - } else { - testCmd = "echo 'hello' | grep 'notfound'" - } - _, err := client.ExecuteCommand(ctx, testCmd) - assert.NoError(t, err) - }) -} - func TestSSHClient_ConnectionHandling(t *testing.T) { server, serverAddr, _ := setupTestSSHServerAndClient(t) defer func() { @@ -154,59 +106,6 @@ func TestSSHClient_ConnectionHandling(t *testing.T) { } } -func TestSSHClient_ContextCancellation(t *testing.T) { - server, serverAddr, _ := setupTestSSHServerAndClient(t) - defer func() { - err := server.Stop() - require.NoError(t, err) - }() - - t.Run("connection with short timeout", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), 1*time.Millisecond) - defer cancel() - - currentUser := testutil.GetTestUsername(t) - _, err := Dial(ctx, serverAddr, currentUser, DialOptions{ - InsecureSkipVerify: true, - }) - if err != nil { - // Check for actual timeout-related errors rather than string matching - assert.True(t, - errors.Is(err, context.DeadlineExceeded) || - errors.Is(err, context.Canceled) || - strings.Contains(err.Error(), "timeout"), - "Expected timeout-related error, got: %v", err) - } - }) - - t.Run("command execution cancellation", func(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) - defer cancel() - currentUser := testutil.GetTestUsername(t) - client, err := Dial(ctx, serverAddr, currentUser, DialOptions{ - InsecureSkipVerify: true, - }) - require.NoError(t, err) - defer func() { - if err := client.Close(); err != nil { - t.Logf("client close error: %v", err) - } - }() - - cmdCtx, cmdCancel := context.WithTimeout(context.Background(), 100*time.Millisecond) - defer cmdCancel() - - err = client.ExecuteCommandWithPTY(cmdCtx, "sleep 10") - if err != nil { - var exitMissingErr *cryptossh.ExitMissingError - isValidCancellation := errors.Is(err, context.DeadlineExceeded) || - errors.Is(err, context.Canceled) || - errors.As(err, &exitMissingErr) - assert.True(t, isValidCancellation, "Should handle command cancellation properly") - } - }) -} - func TestSSHClient_NoAuthMode(t *testing.T) { hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519) require.NoError(t, err) diff --git a/client/ssh/proxy/proxy_privileged_test.go b/client/ssh/proxy/proxy_privileged_test.go new file mode 100644 index 000000000..d76c40e8c --- /dev/null +++ b/client/ssh/proxy/proxy_privileged_test.go @@ -0,0 +1,419 @@ +//go:build privileged + +package proxy + +import ( + "bytes" + "context" + "crypto/rand" + "crypto/rsa" + "encoding/base64" + "encoding/json" + "io" + "math/big" + "net" + "net/http" + "net/http/httptest" + "os" + "runtime" + "strconv" + "testing" + "time" + + "github.com/golang-jwt/jwt/v5" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + cryptossh "golang.org/x/crypto/ssh" + + nbssh "github.com/netbirdio/netbird/client/ssh" + sshauth "github.com/netbirdio/netbird/client/ssh/auth" + "github.com/netbirdio/netbird/client/ssh/server" + "github.com/netbirdio/netbird/client/ssh/testutil" + nbjwt "github.com/netbirdio/netbird/shared/auth/jwt" + sshuserhash "github.com/netbirdio/netbird/shared/sshauth" +) + +func TestSSHProxy_Connect(t *testing.T) { + if testing.Short() { + t.Skip("Skipping integration test in short mode") + } + + // TODO: Windows test times out - user switching and command execution tested on Linux + if runtime.GOOS == "windows" { + t.Skip("Skipping on Windows - covered by Linux tests") + } + + const ( + issuer = "https://test-issuer.example.com" + audience = "test-audience" + ) + + jwksServer, privateKey, jwksURL := setupJWKSServer(t) + defer jwksServer.Close() + + hostKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519) + require.NoError(t, err) + hostPubKey, err := nbssh.GeneratePublicKey(hostKey) + require.NoError(t, err) + + serverConfig := &server.Config{ + HostKeyPEM: hostKey, + JWT: &server.JWTConfig{ + Issuer: issuer, + Audiences: []string{audience}, + KeysLocation: jwksURL, + }, + } + sshServer := server.New(serverConfig) + sshServer.SetAllowRootLogin(true) + + // Configure SSH authorization for the test user + testUsername := testutil.GetTestUsername(t) + testJWTUser := "test-username" + testUserHash, err := sshuserhash.HashUserID(testJWTUser) + require.NoError(t, err) + + authConfig := &sshauth.Config{ + UserIDClaim: sshauth.DefaultUserIDClaim, + AuthorizedUsers: []sshuserhash.UserIDHash{testUserHash}, + MachineUsers: map[string][]uint32{ + testUsername: {0}, // Index 0 in AuthorizedUsers + }, + } + sshServer.UpdateSSHAuth(authConfig) + + sshServerAddr := server.StartTestServer(t, sshServer) + defer func() { _ = sshServer.Stop() }() + + mockDaemon := startMockDaemon(t) + defer mockDaemon.stop() + + host, portStr, err := net.SplitHostPort(sshServerAddr) + require.NoError(t, err) + port, err := strconv.Atoi(portStr) + require.NoError(t, err) + + mockDaemon.setHostKey(host, hostPubKey) + + validToken := generateValidJWT(t, privateKey, issuer, audience, testJWTUser) + mockDaemon.setJWTToken(validToken) + + proxyInstance, err := New(mockDaemon.addr, host, port, io.Discard, nil) + require.NoError(t, err) + + clientConn, proxyConn := net.Pipe() + defer func() { _ = clientConn.Close() }() + + origStdin := os.Stdin + origStdout := os.Stdout + defer func() { + os.Stdin = origStdin + os.Stdout = origStdout + }() + + stdinReader, stdinWriter, err := os.Pipe() + require.NoError(t, err) + stdoutReader, stdoutWriter, err := os.Pipe() + require.NoError(t, err) + + os.Stdin = stdinReader + os.Stdout = stdoutWriter + + go func() { + _, _ = io.Copy(stdinWriter, proxyConn) + }() + go func() { + _, _ = io.Copy(proxyConn, stdoutReader) + }() + + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + + connectErrCh := make(chan error, 1) + go func() { + connectErrCh <- proxyInstance.Connect(ctx) + }() + + sshConfig := &cryptossh.ClientConfig{ + User: testutil.GetTestUsername(t), + Auth: []cryptossh.AuthMethod{}, + HostKeyCallback: cryptossh.InsecureIgnoreHostKey(), + Timeout: 3 * time.Second, + } + + sshClientConn, chans, reqs, err := cryptossh.NewClientConn(clientConn, "test", sshConfig) + require.NoError(t, err, "Should connect to proxy server") + defer func() { _ = sshClientConn.Close() }() + + sshClient := cryptossh.NewClient(sshClientConn, chans, reqs) + + session, err := sshClient.NewSession() + require.NoError(t, err, "Should create session through full proxy to backend") + + outputCh := make(chan []byte, 1) + errCh := make(chan error, 1) + go func() { + output, err := session.Output("echo hello-from-proxy") + outputCh <- output + errCh <- err + }() + + select { + case output := <-outputCh: + err := <-errCh + require.NoError(t, err, "Command should execute successfully through proxy") + assert.Contains(t, string(output), "hello-from-proxy", "Should receive command output through proxy") + case <-time.After(3 * time.Second): + t.Fatal("Command execution timed out") + } + + _ = session.Close() + _ = sshClient.Close() + _ = clientConn.Close() + cancel() +} + +// TestSSHProxy_CommandQuoting verifies that the proxy preserves shell quoting +// when forwarding commands to the backend. This is critical for tools like +// Ansible that send commands such as: +// +// /bin/sh -c '( umask 77 && mkdir -p ... ) && sleep 0' +// +// The single quotes must be preserved so the backend shell receives the +// subshell expression as a single argument to -c. +func TestSSHProxy_CommandQuoting(t *testing.T) { + if testing.Short() { + t.Skip("Skipping integration test in short mode") + } + + sshClient, cleanup := setupProxySSHClient(t) + defer cleanup() + + // These commands simulate what the SSH protocol delivers as exec payloads. + // When a user types: ssh host '/bin/sh -c "( echo hello )"' + // the local shell strips the outer single quotes, and the SSH exec request + // contains the raw string: /bin/sh -c "( echo hello )" + // + // The proxy must forward this string verbatim. Using session.Command() + // (shlex.Split + strings.Join) strips the inner double quotes, breaking + // the command on the backend. + tests := []struct { + name string + command string + expect string + }{ + { + name: "subshell_in_double_quotes", + command: `/bin/sh -c "( echo from-subshell ) && echo outer"`, + expect: "from-subshell\nouter\n", + }, + { + name: "printf_with_special_chars", + command: `/bin/sh -c "printf '%s\n' 'hello world'"`, + expect: "hello world\n", + }, + { + name: "nested_command_substitution", + command: `/bin/sh -c "echo $(echo nested)"`, + expect: "nested\n", + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + session, err := sshClient.NewSession() + require.NoError(t, err) + defer func() { _ = session.Close() }() + + var stderrBuf bytes.Buffer + session.Stderr = &stderrBuf + + outputCh := make(chan []byte, 1) + errCh := make(chan error, 1) + go func() { + output, err := session.Output(tc.command) + outputCh <- output + errCh <- err + }() + + select { + case output := <-outputCh: + err := <-errCh + if stderrBuf.Len() > 0 { + t.Logf("stderr: %s", stderrBuf.String()) + } + require.NoError(t, err, "command should succeed: %s", tc.command) + assert.Equal(t, tc.expect, string(output), "output mismatch for: %s", tc.command) + case <-time.After(5 * time.Second): + t.Fatalf("command timed out: %s", tc.command) + } + }) + } +} + +// setupProxySSHClient creates a full proxy test environment and returns +// an SSH client connected through the proxy to a backend NetBird SSH server. +func setupProxySSHClient(t *testing.T) (*cryptossh.Client, func()) { + t.Helper() + + const ( + issuer = "https://test-issuer.example.com" + audience = "test-audience" + ) + + jwksServer, privateKey, jwksURL := setupJWKSServer(t) + + hostKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519) + require.NoError(t, err) + hostPubKey, err := nbssh.GeneratePublicKey(hostKey) + require.NoError(t, err) + + serverConfig := &server.Config{ + HostKeyPEM: hostKey, + JWT: &server.JWTConfig{ + Issuer: issuer, + Audiences: []string{audience}, + KeysLocation: jwksURL, + }, + } + sshServer := server.New(serverConfig) + sshServer.SetAllowRootLogin(true) + + testUsername := testutil.GetTestUsername(t) + testJWTUser := "test-username" + testUserHash, err := sshuserhash.HashUserID(testJWTUser) + require.NoError(t, err) + + authConfig := &sshauth.Config{ + UserIDClaim: sshauth.DefaultUserIDClaim, + AuthorizedUsers: []sshuserhash.UserIDHash{testUserHash}, + MachineUsers: map[string][]uint32{ + testUsername: {0}, + }, + } + sshServer.UpdateSSHAuth(authConfig) + + sshServerAddr := server.StartTestServer(t, sshServer) + + mockDaemon := startMockDaemon(t) + + host, portStr, err := net.SplitHostPort(sshServerAddr) + require.NoError(t, err) + port, err := strconv.Atoi(portStr) + require.NoError(t, err) + + mockDaemon.setHostKey(host, hostPubKey) + + validToken := generateValidJWT(t, privateKey, issuer, audience, testJWTUser) + mockDaemon.setJWTToken(validToken) + + proxyInstance, err := New(mockDaemon.addr, host, port, io.Discard, nil) + require.NoError(t, err) + + origStdin := os.Stdin + origStdout := os.Stdout + + stdinReader, stdinWriter, err := os.Pipe() + require.NoError(t, err) + stdoutReader, stdoutWriter, err := os.Pipe() + require.NoError(t, err) + + os.Stdin = stdinReader + os.Stdout = stdoutWriter + + clientConn, proxyConn := net.Pipe() + + go func() { _, _ = io.Copy(stdinWriter, proxyConn) }() + go func() { _, _ = io.Copy(proxyConn, stdoutReader) }() + + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) + + go func() { + _ = proxyInstance.Connect(ctx) + }() + + sshConfig := &cryptossh.ClientConfig{ + User: testutil.GetTestUsername(t), + Auth: []cryptossh.AuthMethod{}, + HostKeyCallback: cryptossh.InsecureIgnoreHostKey(), + Timeout: 5 * time.Second, + } + + sshClientConn, chans, reqs, err := cryptossh.NewClientConn(clientConn, "test", sshConfig) + require.NoError(t, err) + + client := cryptossh.NewClient(sshClientConn, chans, reqs) + + cleanupFn := func() { + _ = client.Close() + _ = clientConn.Close() + cancel() + os.Stdin = origStdin + os.Stdout = origStdout + _ = sshServer.Stop() + mockDaemon.stop() + jwksServer.Close() + } + + return client, cleanupFn +} + +func setupJWKSServer(t *testing.T) (*httptest.Server, *rsa.PrivateKey, string) { + t.Helper() + privateKey, jwksJSON := generateTestJWKS(t) + + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/json") + if _, err := w.Write(jwksJSON); err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + } + })) + + return server, privateKey, server.URL +} + +func generateTestJWKS(t *testing.T) (*rsa.PrivateKey, []byte) { + t.Helper() + privateKey, err := rsa.GenerateKey(rand.Reader, 2048) + require.NoError(t, err) + + publicKey := &privateKey.PublicKey + n := publicKey.N.Bytes() + e := publicKey.E + + jwk := nbjwt.JSONWebKey{ + Kty: "RSA", + Kid: "test-key-id", + Use: "sig", + N: base64.RawURLEncoding.EncodeToString(n), + E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(e)).Bytes()), + } + + jwks := nbjwt.Jwks{ + Keys: []nbjwt.JSONWebKey{jwk}, + } + + jwksJSON, err := json.Marshal(jwks) + require.NoError(t, err) + + return privateKey, jwksJSON +} + +func generateValidJWT(t *testing.T, privateKey *rsa.PrivateKey, issuer, audience string, user string) string { + t.Helper() + claims := jwt.MapClaims{ + "iss": issuer, + "aud": audience, + "sub": user, + "exp": time.Now().Add(time.Hour).Unix(), + "iat": time.Now().Unix(), + } + + token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims) + token.Header["kid"] = "test-key-id" + + tokenString, err := token.SignedString(privateKey) + require.NoError(t, err) + + return tokenString +} diff --git a/client/ssh/proxy/proxy_test.go b/client/ssh/proxy/proxy_test.go index b33d5f8f4..bb11208b4 100644 --- a/client/ssh/proxy/proxy_test.go +++ b/client/ssh/proxy/proxy_test.go @@ -1,25 +1,12 @@ package proxy import ( - "bytes" "context" - "crypto/rand" - "crypto/rsa" - "encoding/base64" - "encoding/json" "fmt" - "io" - "math/big" "net" - "net/http" - "net/http/httptest" "os" - "runtime" - "strconv" "testing" - "time" - "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" cryptossh "golang.org/x/crypto/ssh" @@ -28,11 +15,7 @@ import ( "github.com/netbirdio/netbird/client/proto" nbssh "github.com/netbirdio/netbird/client/ssh" - sshauth "github.com/netbirdio/netbird/client/ssh/auth" - "github.com/netbirdio/netbird/client/ssh/server" "github.com/netbirdio/netbird/client/ssh/testutil" - nbjwt "github.com/netbirdio/netbird/shared/auth/jwt" - sshuserhash "github.com/netbirdio/netbird/shared/sshauth" ) func TestMain(m *testing.M) { @@ -106,331 +89,6 @@ func TestSSHProxy_verifyHostKey(t *testing.T) { }) } -func TestSSHProxy_Connect(t *testing.T) { - if testing.Short() { - t.Skip("Skipping integration test in short mode") - } - - // TODO: Windows test times out - user switching and command execution tested on Linux - if runtime.GOOS == "windows" { - t.Skip("Skipping on Windows - covered by Linux tests") - } - - const ( - issuer = "https://test-issuer.example.com" - audience = "test-audience" - ) - - jwksServer, privateKey, jwksURL := setupJWKSServer(t) - defer jwksServer.Close() - - hostKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519) - require.NoError(t, err) - hostPubKey, err := nbssh.GeneratePublicKey(hostKey) - require.NoError(t, err) - - serverConfig := &server.Config{ - HostKeyPEM: hostKey, - JWT: &server.JWTConfig{ - Issuer: issuer, - Audiences: []string{audience}, - KeysLocation: jwksURL, - }, - } - sshServer := server.New(serverConfig) - sshServer.SetAllowRootLogin(true) - - // Configure SSH authorization for the test user - testUsername := testutil.GetTestUsername(t) - testJWTUser := "test-username" - testUserHash, err := sshuserhash.HashUserID(testJWTUser) - require.NoError(t, err) - - authConfig := &sshauth.Config{ - UserIDClaim: sshauth.DefaultUserIDClaim, - AuthorizedUsers: []sshuserhash.UserIDHash{testUserHash}, - MachineUsers: map[string][]uint32{ - testUsername: {0}, // Index 0 in AuthorizedUsers - }, - } - sshServer.UpdateSSHAuth(authConfig) - - sshServerAddr := server.StartTestServer(t, sshServer) - defer func() { _ = sshServer.Stop() }() - - mockDaemon := startMockDaemon(t) - defer mockDaemon.stop() - - host, portStr, err := net.SplitHostPort(sshServerAddr) - require.NoError(t, err) - port, err := strconv.Atoi(portStr) - require.NoError(t, err) - - mockDaemon.setHostKey(host, hostPubKey) - - validToken := generateValidJWT(t, privateKey, issuer, audience, testJWTUser) - mockDaemon.setJWTToken(validToken) - - proxyInstance, err := New(mockDaemon.addr, host, port, io.Discard, nil) - require.NoError(t, err) - - clientConn, proxyConn := net.Pipe() - defer func() { _ = clientConn.Close() }() - - origStdin := os.Stdin - origStdout := os.Stdout - defer func() { - os.Stdin = origStdin - os.Stdout = origStdout - }() - - stdinReader, stdinWriter, err := os.Pipe() - require.NoError(t, err) - stdoutReader, stdoutWriter, err := os.Pipe() - require.NoError(t, err) - - os.Stdin = stdinReader - os.Stdout = stdoutWriter - - go func() { - _, _ = io.Copy(stdinWriter, proxyConn) - }() - go func() { - _, _ = io.Copy(proxyConn, stdoutReader) - }() - - ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) - defer cancel() - - connectErrCh := make(chan error, 1) - go func() { - connectErrCh <- proxyInstance.Connect(ctx) - }() - - sshConfig := &cryptossh.ClientConfig{ - User: testutil.GetTestUsername(t), - Auth: []cryptossh.AuthMethod{}, - HostKeyCallback: cryptossh.InsecureIgnoreHostKey(), - Timeout: 3 * time.Second, - } - - sshClientConn, chans, reqs, err := cryptossh.NewClientConn(clientConn, "test", sshConfig) - require.NoError(t, err, "Should connect to proxy server") - defer func() { _ = sshClientConn.Close() }() - - sshClient := cryptossh.NewClient(sshClientConn, chans, reqs) - - session, err := sshClient.NewSession() - require.NoError(t, err, "Should create session through full proxy to backend") - - outputCh := make(chan []byte, 1) - errCh := make(chan error, 1) - go func() { - output, err := session.Output("echo hello-from-proxy") - outputCh <- output - errCh <- err - }() - - select { - case output := <-outputCh: - err := <-errCh - require.NoError(t, err, "Command should execute successfully through proxy") - assert.Contains(t, string(output), "hello-from-proxy", "Should receive command output through proxy") - case <-time.After(3 * time.Second): - t.Fatal("Command execution timed out") - } - - _ = session.Close() - _ = sshClient.Close() - _ = clientConn.Close() - cancel() -} - -// TestSSHProxy_CommandQuoting verifies that the proxy preserves shell quoting -// when forwarding commands to the backend. This is critical for tools like -// Ansible that send commands such as: -// -// /bin/sh -c '( umask 77 && mkdir -p ... ) && sleep 0' -// -// The single quotes must be preserved so the backend shell receives the -// subshell expression as a single argument to -c. -func TestSSHProxy_CommandQuoting(t *testing.T) { - if testing.Short() { - t.Skip("Skipping integration test in short mode") - } - - sshClient, cleanup := setupProxySSHClient(t) - defer cleanup() - - // These commands simulate what the SSH protocol delivers as exec payloads. - // When a user types: ssh host '/bin/sh -c "( echo hello )"' - // the local shell strips the outer single quotes, and the SSH exec request - // contains the raw string: /bin/sh -c "( echo hello )" - // - // The proxy must forward this string verbatim. Using session.Command() - // (shlex.Split + strings.Join) strips the inner double quotes, breaking - // the command on the backend. - tests := []struct { - name string - command string - expect string - }{ - { - name: "subshell_in_double_quotes", - command: `/bin/sh -c "( echo from-subshell ) && echo outer"`, - expect: "from-subshell\nouter\n", - }, - { - name: "printf_with_special_chars", - command: `/bin/sh -c "printf '%s\n' 'hello world'"`, - expect: "hello world\n", - }, - { - name: "nested_command_substitution", - command: `/bin/sh -c "echo $(echo nested)"`, - expect: "nested\n", - }, - } - - for _, tc := range tests { - t.Run(tc.name, func(t *testing.T) { - session, err := sshClient.NewSession() - require.NoError(t, err) - defer func() { _ = session.Close() }() - - var stderrBuf bytes.Buffer - session.Stderr = &stderrBuf - - outputCh := make(chan []byte, 1) - errCh := make(chan error, 1) - go func() { - output, err := session.Output(tc.command) - outputCh <- output - errCh <- err - }() - - select { - case output := <-outputCh: - err := <-errCh - if stderrBuf.Len() > 0 { - t.Logf("stderr: %s", stderrBuf.String()) - } - require.NoError(t, err, "command should succeed: %s", tc.command) - assert.Equal(t, tc.expect, string(output), "output mismatch for: %s", tc.command) - case <-time.After(5 * time.Second): - t.Fatalf("command timed out: %s", tc.command) - } - }) - } -} - -// setupProxySSHClient creates a full proxy test environment and returns -// an SSH client connected through the proxy to a backend NetBird SSH server. -func setupProxySSHClient(t *testing.T) (*cryptossh.Client, func()) { - t.Helper() - - const ( - issuer = "https://test-issuer.example.com" - audience = "test-audience" - ) - - jwksServer, privateKey, jwksURL := setupJWKSServer(t) - - hostKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519) - require.NoError(t, err) - hostPubKey, err := nbssh.GeneratePublicKey(hostKey) - require.NoError(t, err) - - serverConfig := &server.Config{ - HostKeyPEM: hostKey, - JWT: &server.JWTConfig{ - Issuer: issuer, - Audiences: []string{audience}, - KeysLocation: jwksURL, - }, - } - sshServer := server.New(serverConfig) - sshServer.SetAllowRootLogin(true) - - testUsername := testutil.GetTestUsername(t) - testJWTUser := "test-username" - testUserHash, err := sshuserhash.HashUserID(testJWTUser) - require.NoError(t, err) - - authConfig := &sshauth.Config{ - UserIDClaim: sshauth.DefaultUserIDClaim, - AuthorizedUsers: []sshuserhash.UserIDHash{testUserHash}, - MachineUsers: map[string][]uint32{ - testUsername: {0}, - }, - } - sshServer.UpdateSSHAuth(authConfig) - - sshServerAddr := server.StartTestServer(t, sshServer) - - mockDaemon := startMockDaemon(t) - - host, portStr, err := net.SplitHostPort(sshServerAddr) - require.NoError(t, err) - port, err := strconv.Atoi(portStr) - require.NoError(t, err) - - mockDaemon.setHostKey(host, hostPubKey) - - validToken := generateValidJWT(t, privateKey, issuer, audience, testJWTUser) - mockDaemon.setJWTToken(validToken) - - proxyInstance, err := New(mockDaemon.addr, host, port, io.Discard, nil) - require.NoError(t, err) - - origStdin := os.Stdin - origStdout := os.Stdout - - stdinReader, stdinWriter, err := os.Pipe() - require.NoError(t, err) - stdoutReader, stdoutWriter, err := os.Pipe() - require.NoError(t, err) - - os.Stdin = stdinReader - os.Stdout = stdoutWriter - - clientConn, proxyConn := net.Pipe() - - go func() { _, _ = io.Copy(stdinWriter, proxyConn) }() - go func() { _, _ = io.Copy(proxyConn, stdoutReader) }() - - ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) - - go func() { - _ = proxyInstance.Connect(ctx) - }() - - sshConfig := &cryptossh.ClientConfig{ - User: testutil.GetTestUsername(t), - Auth: []cryptossh.AuthMethod{}, - HostKeyCallback: cryptossh.InsecureIgnoreHostKey(), - Timeout: 5 * time.Second, - } - - sshClientConn, chans, reqs, err := cryptossh.NewClientConn(clientConn, "test", sshConfig) - require.NoError(t, err) - - client := cryptossh.NewClient(sshClientConn, chans, reqs) - - cleanupFn := func() { - _ = client.Close() - _ = clientConn.Close() - cancel() - os.Stdin = origStdin - os.Stdout = origStdout - _ = sshServer.Stop() - mockDaemon.stop() - jwksServer.Close() - } - - return client, cleanupFn -} - type mockDaemonServer struct { proto.UnimplementedDaemonServiceServer hostKeys map[string][]byte @@ -508,63 +166,3 @@ func mustParsePublicKey(t *testing.T, pubKeyBytes []byte) cryptossh.PublicKey { require.NoError(t, err) return pubKey } - -func setupJWKSServer(t *testing.T) (*httptest.Server, *rsa.PrivateKey, string) { - t.Helper() - privateKey, jwksJSON := generateTestJWKS(t) - - server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Content-Type", "application/json") - if _, err := w.Write(jwksJSON); err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - } - })) - - return server, privateKey, server.URL -} - -func generateTestJWKS(t *testing.T) (*rsa.PrivateKey, []byte) { - t.Helper() - privateKey, err := rsa.GenerateKey(rand.Reader, 2048) - require.NoError(t, err) - - publicKey := &privateKey.PublicKey - n := publicKey.N.Bytes() - e := publicKey.E - - jwk := nbjwt.JSONWebKey{ - Kty: "RSA", - Kid: "test-key-id", - Use: "sig", - N: base64.RawURLEncoding.EncodeToString(n), - E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(e)).Bytes()), - } - - jwks := nbjwt.Jwks{ - Keys: []nbjwt.JSONWebKey{jwk}, - } - - jwksJSON, err := json.Marshal(jwks) - require.NoError(t, err) - - return privateKey, jwksJSON -} - -func generateValidJWT(t *testing.T, privateKey *rsa.PrivateKey, issuer, audience string, user string) string { - t.Helper() - claims := jwt.MapClaims{ - "iss": issuer, - "aud": audience, - "sub": user, - "exp": time.Now().Add(time.Hour).Unix(), - "iat": time.Now().Unix(), - } - - token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims) - token.Header["kid"] = "test-key-id" - - tokenString, err := token.SignedString(privateKey) - require.NoError(t, err) - - return tokenString -} diff --git a/client/testutil/privileged/runner_test.go b/client/testutil/privileged/runner_test.go new file mode 100644 index 000000000..cd226b5b4 --- /dev/null +++ b/client/testutil/privileged/runner_test.go @@ -0,0 +1,155 @@ +//go:build privileged && linux + +// Package privileged provides a self-hosting harness that runs the repo's +// privileged-tagged test suite inside a --privileged --cap-add=NET_ADMIN +// container, so developers can exercise the root/system-mutating tests on a +// non-root host with a single `go test` invocation. +package privileged + +import ( + "bytes" + "context" + "fmt" + "os" + "os/exec" + "path/filepath" + "strings" + "testing" + "time" + + "github.com/moby/moby/api/types/container" + "github.com/ory/dockertest/v4" +) + +// containerImage / containerTag match the image used by the CI privileged job +// (.github/workflows/golang-test-linux.yml, test_client_on_docker). +const ( + containerImage = "golang" + containerTag = "1.25-alpine" +) + +const ( + containerWorkdir = "/app" + containerGoCache = "/root/.cache/go-build" + containerGoModache = "/go/pkg/mod" +) + +// alpinePackages are the build/runtime deps the privileged tests need, mirroring +// the CI container setup. +const alpinePackages = "ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base" + +// privilegedTestPackages is the package list the suite runs, excluding the +// server-side trees and UI/upload helpers, matching the CI Docker job's filter. +const privilegedTestPackages = `go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server` + +// testWriter forwards container output to the test log line by line. +type testWriter struct{ t *testing.T } + +func (w testWriter) Write(p []byte) (int, error) { + for _, line := range strings.Split(strings.TrimRight(string(p), "\n"), "\n") { + w.t.Log(line) + } + return len(p), nil +} + +// TestRunPrivilegedSuiteInDocker spins up a privileged container, mounts the repo, +// and runs `go test -tags 'devcert privileged'` inside it. When already running +// inside that container (DOCKER_CI=true) it returns immediately so the real +// privileged tests in the suite execute in place instead of recursing. +func TestRunPrivilegedSuiteInDocker(t *testing.T) { + if os.Getenv("DOCKER_CI") == "true" { + t.Skip("inside privileged container, skipping container spawn; privileged tests run in place") + } + + repoRoot, err := findRepoRoot() + if err != nil { + t.Fatalf("locate repo root: %v", err) + } + goCache, goModCache := hostGoCaches(t) + + // NewPoolT registers container cleanup via t.Cleanup automatically. + pool := dockertest.NewPoolT(t, "", dockertest.WithMaxWait(30*time.Minute)) + + // Keep the container alive so the suite runs via Exec, which yields a clean + // exit code (the v4 Resource API exposes no container wait/exit-code). + resource := pool.RunT(t, containerImage, + dockertest.WithTag(containerTag), + dockertest.WithWorkingDir(containerWorkdir), + dockertest.WithMounts([]string{ + repoRoot + ":" + containerWorkdir, + goCache + ":" + containerGoCache, + goModCache + ":" + containerGoModache, + }), + dockertest.WithEnv([]string{ + "CGO_ENABLED=1", + "CI=true", + "DOCKER_CI=true", + "CONTAINER=true", + "GOCACHE=" + containerGoCache, + "GOMODCACHE=" + containerGoModache, + }), + dockertest.WithCmd([]string{"sleep", "infinity"}), + dockertest.WithHostConfig(func(hc *container.HostConfig) { + hc.Privileged = true + hc.CapAdd = []string{"NET_ADMIN"} + }), + dockertest.WithoutReuse(), + ) + + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Minute) + defer cancel() + + script := fmt.Sprintf( + "apk update >/dev/null && apk add --no-cache %s >/dev/null && %s | xargs go test -buildvcs=false -tags 'devcert privileged' -v -timeout 20m -p 1", + alpinePackages, privilegedTestPackages, + ) + + result, err := resource.Exec(ctx, []string{"sh", "-c", script}) + if err != nil { + t.Fatalf("run privileged suite in container: %v", err) + } + + w := testWriter{t} + _, _ = w.Write([]byte(result.StdOut)) + _, _ = w.Write([]byte(result.StdErr)) + + if result.ExitCode != 0 { + t.Fatalf("privileged test suite failed in container (exit code %d)", result.ExitCode) + } +} + +// findRepoRoot walks up from the test's working directory to the module root. +func findRepoRoot() (string, error) { + dir, err := os.Getwd() + if err != nil { + return "", err + } + for { + if _, statErr := os.Stat(filepath.Join(dir, "go.mod")); statErr == nil { + return dir, nil + } + parent := filepath.Dir(dir) + if parent == dir { + return "", fmt.Errorf("go.mod not found above %s", dir) + } + dir = parent + } +} + +// hostGoCaches resolves the host GOCACHE/GOMODCACHE so the container reuses the +// existing build/module cache for speed. +func hostGoCaches(t *testing.T) (string, string) { + t.Helper() + return goEnv(t, "GOCACHE"), goEnv(t, "GOMODCACHE") +} + +func goEnv(t *testing.T, key string) string { + t.Helper() + var out bytes.Buffer + cmd := exec.Command("go", "env", key) + cmd.Stdout = &out + if err := cmd.Run(); err != nil { + t.Fatalf("go env %s: %v", key, err) + } + return strings.TrimSpace(out.String()) +} diff --git a/docs/testing-privileged.md b/docs/testing-privileged.md new file mode 100644 index 000000000..df17ae82e --- /dev/null +++ b/docs/testing-privileged.md @@ -0,0 +1,72 @@ +# Privileged tests + +Some tests in this repo need `root` or mutate host network state: they create +TUN/WireGuard interfaces, open netlink/raw sockets, run eBPF programs, or shell +out to `ip`/`iptables`/`nft`/`ifconfig`/`route`. Running them on a developer +machine would require `sudo` and could leave stray interfaces or routes behind. + +These tests are gated behind the **`privileged` build tag** so the default test +run is host-safe. + +## Running tests + +```bash +# Host-safe: excludes privileged tests. Runs as a normal user, no sudo. +make test-unit +# equivalently: +go test -tags devcert ./... + +# Privileged suite: runs the privileged-tagged tests inside a +# --privileged --cap-add=NET_ADMIN container (requires Docker). +make test-privileged +``` + +`make test-privileged` invokes the `ory/dockertest` harness in +`client/testutil/privileged/`. The harness: + +1. Skips immediately when it detects it is already inside the container + (`DOCKER_CI=true`), so the privileged tests run in place instead of recursing. +2. Otherwise spins up a `golang:1.25-alpine` container (matching CI), + bind-mounts the repo and the host Go build/module caches, installs the + required packages, and runs `go test -tags 'devcert privileged'` over the + client packages. +3. Streams the container's output to the test log and fails if the suite fails. + +## Adding a privileged test + +A test is privileged if it does any of: + +- creates a real interface via `iface.NewWGIFace(...).Create()`, +- opens a netlink or raw socket that hard-fails without `CAP_NET_ADMIN`, +- runs an eBPF program (`ebpf.*.Listen()`), +- shells out to `ip`, `iptables`, `nft`, `ifconfig`, or `route` to change state. + +Add the tag to the **top** of the file, combined with any existing platform +constraint: + +```go +//go:build privileged && linux + +package foo +``` + +If a file mixes privileged and pure-logic tests, **split it**: keep the pure +tests (and any shared data — type/var declarations, table-driven `testCases`, +helper interfaces) in an untagged file, and move the privileged tests into a +`*_privileged_test.go` file with the tag. Shared declarations must stay untagged, +otherwise the unprivileged files in the package will not compile. + +Always verify both build modes compile on every target platform: + +```bash +go vet -tags devcert ./... +go vet -tags 'devcert privileged' ./... +``` + +## CI + +- The `Client / Unit` job runs `go test -tags devcert` with **no** `sudo` — only + host-safe tests. +- The `Client (Docker) / Unit` job runs `go test -tags 'devcert privileged'` + inside a `--privileged --cap-add=NET_ADMIN` container, which is where the + privileged tests actually execute. diff --git a/go.mod b/go.mod index 0b9cc9f29..0058e5f94 100644 --- a/go.mod +++ b/go.mod @@ -77,10 +77,12 @@ require ( github.com/mdp/qrterminal/v3 v3.2.1 github.com/miekg/dns v1.1.72 github.com/mitchellh/hashstructure/v2 v2.0.2 + github.com/moby/moby/api v1.54.1 github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 github.com/oapi-codegen/runtime v1.1.2 github.com/okta/okta-sdk-golang/v2 v2.18.0 + github.com/ory/dockertest/v4 v4.0.0 github.com/oschwald/maxminddb-golang v1.12.0 github.com/patrickmn/go-cache v2.1.0+incompatible github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203 @@ -144,7 +146,7 @@ require ( dario.cat/mergo v1.0.1 // indirect filippo.io/edwards25519 v1.1.1 // indirect github.com/AppsFlyer/go-sundheit v0.6.0 // indirect - github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect + github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect github.com/Azure/go-ntlmssp v0.1.0 // indirect github.com/BurntSushi/toml v1.5.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect @@ -176,6 +178,8 @@ require ( github.com/caddyserver/zerossl v0.1.3 // indirect github.com/cenkalti/backoff/v5 v5.0.3 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/containerd/errdefs v1.0.0 // indirect + github.com/containerd/errdefs/pkg v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/cpuguy83/dockercfg v0.3.2 // indirect @@ -268,11 +272,12 @@ require ( github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect + github.com/moby/moby/client v0.4.0 // indirect github.com/moby/patternmatcher v0.6.0 // indirect github.com/moby/sys/sequential v0.5.0 // indirect github.com/moby/sys/user v0.3.0 // indirect github.com/moby/sys/userns v0.1.0 // indirect - github.com/moby/term v0.5.0 // indirect + github.com/moby/term v0.5.2 // indirect github.com/morikuni/aec v1.0.0 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect diff --git a/go.sum b/go.sum index bc78d17e5..6f63e139a 100644 --- a/go.sum +++ b/go.sum @@ -23,8 +23,8 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/AppsFlyer/go-sundheit v0.6.0 h1:d2hBvCjBSb2lUsEWGfPigr4MCOt04sxB+Rppl0yUMSk= github.com/AppsFlyer/go-sundheit v0.6.0/go.mod h1:LDdBHD6tQBtmHsdW+i1GwdTt6Wqc0qazf5ZEJVTbTME= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A= github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk= github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= @@ -117,6 +117,10 @@ github.com/cilium/ebpf v0.19.0 h1:Ro/rE64RmFBeA9FGjcTc+KmCeY6jXmryu6FfnzPRIao= github.com/cilium/ebpf v0.19.0/go.mod h1:fLCgMo3l8tZmAdM3B2XqdFzXBpwkcSTroaVqN08OWVY= github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g= github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg= +github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= +github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= +github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE= +github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= @@ -474,6 +478,10 @@ github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zx github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= +github.com/moby/moby/api v1.54.1 h1:TqVzuJkOLsgLDDwNLmYqACUuTehOHRGKiPhvH8V3Nn4= +github.com/moby/moby/api v1.54.1/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs= +github.com/moby/moby/client v0.4.0 h1:S+2XegzHQrrvTCvF6s5HFzcrywWQmuVnhOXe2kiWjIw= +github.com/moby/moby/client v0.4.0/go.mod h1:QWPbvWchQbxBNdaLSpoKpCdf5E+WxFAgNHogCWDoa7g= github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= @@ -482,8 +490,8 @@ github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo= github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs= github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= -github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= -github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= +github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ= +github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= @@ -536,6 +544,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= +github.com/ory/dockertest/v4 v4.0.0 h1:i19aFsO/VXE0VrMk4ifnKW4G/KIJ93PCjLOslxXoPME= +github.com/ory/dockertest/v4 v4.0.0/go.mod h1:b5Ofu8VIxWNhXFvQcLu17pRNQdoUBKtXBW74G4Ygzx8= github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq50AS6wALUMYs= github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY= github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc= @@ -966,11 +976,13 @@ gorm.io/driver/sqlite v1.5.7/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDa gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8= gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8= gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ= -gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= -gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= +gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q= +gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA= gvisor.dev/gvisor v0.0.0-20260219192049-0f2374377e89 h1:mGJaeA61P8dEHTqdvAgc70ZIV3QoUoJcXCRyyjO26OA= gvisor.dev/gvisor v0.0.0-20260219192049-0f2374377e89/go.mod h1:QkHjoMIBaYtpVufgwv3keYAbln78mBoCuShZrPrer1Q= howett.net/plist v1.0.1 h1:37GdZ8tP09Q35o9ych3ehygcsL+HqKSwzctveSlarvM= howett.net/plist v1.0.1/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g= +pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk= +pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04= rsc.io/qr v0.2.0 h1:6vBLea5/NRMVTz8V66gipeLycZMl/+UlFmk8DvqQ6WY= rsc.io/qr v0.2.0/go.mod h1:IF+uZjkb9fqyeF/4tlBoynqmQxUoPfWEKh921coOuXs=