mirror of
https://github.com/netbirdio/netbird.git
synced 2026-06-10 18:09:56 +00:00
fa1e241aea
* fix(proxy): gate tunnel-peer fast-path on inbound listener marker
forwardWithTunnelPeer previously accepted any RFC1918 / ULA / CGNAT
source IP, so a public client whose address happened to fall in those
ranges could bypass the configured operator auth scheme by colliding
with a known tunnel IP. The fast-path is now gated on
TunnelLookupFromContext(r.Context()) being present — that context value
is attached only by the per-account inbound (overlay) listener, so the
host-facing listener never enters this branch.
Tests updated to reflect the new requirement: requests that don't
carry the inbound marker now fall through to the regular auth flow.
* fix(proxy): harden inbound listener resource + startup-ctx handling
Three correctness fixes on the per-account inbound path, with tests:
- Close the logrus ErrorLog PipeWriter on tearDown. WriterLevel hands
back an *io.PipeWriter backed by a pipe + scanner goroutine that the
caller owns; the two writers per account (https + plain) were never
closed, leaking the pipe and goroutine on every teardown.
- Run the post-Start hooks on context.Background(). runClientStartup
is launched in a goroutine from AddPeer and was inheriting the
caller's request-scoped ctx, so a cancelled request could abort the
inbound bring-up or fail the management status notification. The
tail is split into notifyClientReady so the contract is testable.
Tests cover the PipeWriter close behaviour and assert the readyHandler
+ NotifyStatus calls receive a non-cancelled background context.
* feat(proxy): short-circuit peer-own-target loops with 421
When a peer that hosts the target of a private service dials its own
service URL the request was being looped through the proxy and back
over WireGuard to the same peer — twice the WG round-trip for no
benefit, with no signal to the caller that something was wrong.
Add isSelfTargetLoop to ReverseProxy.ServeHTTP: when the request
arrived on the per-account overlay listener (IsOverlayOrigin) and the
source tunnel IP matches the target host, refuse the request with 421
Misdirected Request and a body pointing the operator at the backend
directly.
The gate is scoped to overlay origin so requests on the public
listener that happen to share a source IP with the target host are
forwarded normally.
* fix(management): private-service validation + tunnel-IP lookup semantics
- Require an explicit port for L4 cluster targets. validateL4Target
exempted TargetTypeCluster from the port check, but buildPathMappings
serializes every L4 target via net.JoinHostPort(host, port) — port=0
shipped a ":0" upstream. Cluster targets use the same Host/Port
fields, so the same requirement applies.
- GetPeerByIP returns NotFound on a tunnel-IP miss instead of mapping
every error to Internal. The proxy's ValidateTunnelPeer probes IPs
that legitimately aren't in the roster; the miss is expected and now
distinguishable from a real store failure.
- Thread ctx into getClusterCapability's gorm query so a cancelled
request doesn't keep the store busy.
Tests updated for the L4-cluster port requirement and the GetPeerByIP
NotFound path.
* fix(client): include offlinePeers in PeerStateByIP lookup
ReplaceOfflinePeers moves peers into d.offlinePeers but PeerStateByIP
only scanned d.peers. Callers (the local DNS filter via
localPeerConnectivity, embed.Client.IdentityForIP used by the
proxy's tunnel-peer validator) were treating known-but-offline peers
as unknown, which:
- causes the DNS filter to keep returning records pointing at peers
that have no live tunnel, AND
- makes the proxy's local-roster check deny a request from such a
peer rather than letting the cached management RPC carry the
authorisation decision.
Search both slices in PeerStateByIP. Adds a unit test for the IPv4
and IPv6 offline-match paths.
* fix(rest): reject empty Delete path params in reverse-proxy clients
ReverseProxyClustersAPI.Delete and ReverseProxyTokensAPI.Delete passed
the path parameter into url.PathEscape without an empty check.
PathEscape("") returns "" which collapses the request onto the
collection endpoint ("/api/reverse-proxies/clusters/" /
"/api/reverse-proxies/proxy-tokens/"), so a caller bug delete with no
id reached a routable URL with surprising semantics (typically 405).
Short-circuit with a typed error before the request is built. Tests
mount a handler on the collection path that fails the test if hit, so
the regression is impossible to reintroduce silently.
* chore(api,ci,docs,test): private-service schema, proto-check, fixups
Non-functional cleanups and contract/CI hardening around the
private-service work:
API schema (openapi.yml):
- Require a non-empty access_groups and mode=http when private=true,
on both Service and ServiceRequest, mirroring
validatePrivateRequirements. mode stays optional-but-constrained
(empty defaults to http server-side), matching runtime.
CI (proto-version-check.yml):
- Cover renamed .pb.go files (read base via previous_filename).
- Match protoc-gen-go-grpc version headers (optional "- " prefix and
-gen-go-grpc suffix) so grpc-generated files are in scope.
Docs / comments:
- Reword Config field docs to say defaults are applied at Server.Start
(initDefaults), not New.
- Rename the obsolete --private-inbound flag to --private across
comments and the proto doc.
Pre-existing test fixups surfaced by review:
- Repair the integration-tagged validate_session_test.go (SignToken
signature growth + new Manager interface methods).
- Fix the CI-skip boolean precedence so Windows isn't skipped
unconditionally.
- Guard the router.HTTPListener type assertion with comma-ok.
* fix(proxy): background ctx for already-started AddPeer notification
The earlier ctx fix covered the async runClientStartup path but missed
the synchronous branch: when a service is added to an already-started
client, AddPeer called NotifyStatus with the caller's request-scoped
ctx. A cancelled request/stream could drop the connected notification
to management. Use context.Background() here too, matching
notifyClientReady.
Extends TestNetBird_AddPeer_ExistingStartedClient_NotifiesStatus to
pass a pre-cancelled caller ctx and assert the notification still ran
on a non-cancelled context.
* use the cmd context for roundtripper
536 lines
21 KiB
Go
536 lines
21 KiB
Go
package proxy
|
|
|
|
import (
|
|
"bufio"
|
|
"context"
|
|
"crypto/tls"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/netip"
|
|
"sync"
|
|
"sync/atomic"
|
|
"testing"
|
|
"time"
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/grpc"
|
|
|
|
"github.com/netbirdio/netbird/proxy/internal/auth"
|
|
"github.com/netbirdio/netbird/proxy/internal/roundtrip"
|
|
nbtcp "github.com/netbirdio/netbird/proxy/internal/tcp"
|
|
"github.com/netbirdio/netbird/proxy/internal/types"
|
|
"github.com/netbirdio/netbird/shared/management/proto"
|
|
)
|
|
|
|
// bufioReader wraps the connection in a buffered reader so http.ReadResponse
|
|
// can parse the response line + headers off the wire.
|
|
func bufioReader(conn net.Conn) *bufio.Reader {
|
|
return bufio.NewReader(conn)
|
|
}
|
|
|
|
// quietLogger returns a logger that emits nothing — keeps test output tidy.
|
|
func quietLogger() *log.Logger {
|
|
logger := log.New()
|
|
logger.SetLevel(log.PanicLevel)
|
|
return logger
|
|
}
|
|
|
|
func TestInboundManager_RouteScopedToAccount(t *testing.T) {
|
|
mgr := newInboundManager(quietLogger(), http.NotFoundHandler(), nil)
|
|
|
|
accountA := types.AccountID("acct-a")
|
|
accountB := types.AccountID("acct-b")
|
|
|
|
mgr.AddRoute(accountA, "shared.example", nbtcp.Route{Type: nbtcp.RouteHTTP, AccountID: accountA, ServiceID: "svc-a", Domain: "shared.example"})
|
|
mgr.AddRoute(accountB, "other.example", nbtcp.Route{Type: nbtcp.RouteHTTP, AccountID: accountB, ServiceID: "svc-b", Domain: "other.example"})
|
|
|
|
require.Equal(t, 1, mgr.PendingRouteCount(accountA), "account A should have one queued route")
|
|
require.Equal(t, 1, mgr.PendingRouteCount(accountB), "account B should have one queued route")
|
|
|
|
mgr.RemoveRoute(accountA, "shared.example", "svc-a")
|
|
mgr.RemoveRoute(accountB, "other.example", "svc-b")
|
|
|
|
assert.Equal(t, 0, mgr.PendingRouteCount(accountA), "queue should drain on remove")
|
|
assert.Equal(t, 0, mgr.PendingRouteCount(accountB), "queue should drain on remove")
|
|
}
|
|
|
|
func TestInboundManager_PendingThenFlush(t *testing.T) {
|
|
mgr := newInboundManager(quietLogger(), http.NotFoundHandler(), nil)
|
|
|
|
accountID := types.AccountID("acct-1")
|
|
host := nbtcp.SNIHost("example.test")
|
|
route := nbtcp.Route{Type: nbtcp.RouteHTTP, AccountID: accountID, ServiceID: "svc-1", Domain: "example.test"}
|
|
|
|
mgr.AddRoute(accountID, host, route)
|
|
require.Equal(t, 1, mgr.PendingRouteCount(accountID), "pending count before listener is up")
|
|
|
|
// Simulate listener up by registering a fake entry, then flushing.
|
|
router := nbtcp.NewRouter(quietLogger(), nil, &fakeAddr{addr: "127.0.0.1:0"})
|
|
entry := &inboundEntry{router: router}
|
|
mgr.muxLock.Lock()
|
|
mgr.entries[accountID] = entry
|
|
mgr.muxLock.Unlock()
|
|
|
|
mgr.flushPending(accountID, entry)
|
|
assert.Equal(t, 0, mgr.PendingRouteCount(accountID), "queue should be empty after flush")
|
|
}
|
|
|
|
// fakeAddr is a stub net.Addr for tests that don't actually bind sockets.
|
|
type fakeAddr struct {
|
|
addr string
|
|
}
|
|
|
|
func (a *fakeAddr) Network() string { return "tcp" }
|
|
func (a *fakeAddr) String() string { return a.addr }
|
|
|
|
// fakeMgmtClient implements roundtrip.managementClient for tests.
|
|
type fakeMgmtClient struct{}
|
|
|
|
func (fakeMgmtClient) CreateProxyPeer(_ context.Context, _ *proto.CreateProxyPeerRequest, _ ...grpc.CallOption) (*proto.CreateProxyPeerResponse, error) {
|
|
return &proto.CreateProxyPeerResponse{Success: true}, nil
|
|
}
|
|
|
|
// TestServer_PrivateInbound_NotEnabled_NoManager confirms that with
|
|
// --private off the inbound manager is nil and the standalone proxy
|
|
// keeps its zero-overhead default path.
|
|
func TestServer_PrivateInbound_NotEnabled_NoManager(t *testing.T) {
|
|
s := &Server{Logger: quietLogger(), Private: false}
|
|
s.initPrivateInbound(http.NotFoundHandler(), nil)
|
|
assert.Nil(t, s.inbound, "manager should remain nil when --private is off")
|
|
}
|
|
|
|
// TestServer_PrivateInbound_Enabled_WiresLifecycle confirms that
|
|
// --private alone wires the manager into the NetBird transport, so
|
|
// AddPeer / RemovePeer drive the lifecycle.
|
|
func TestServer_PrivateInbound_Enabled_WiresLifecycle(t *testing.T) {
|
|
s := &Server{Logger: quietLogger(), Private: true}
|
|
// Construct a NetBird transport. We can't actually start the embedded
|
|
// client here (that needs a real management server), but we can
|
|
// confirm that the lifecycle callbacks are registered.
|
|
s.netbird = roundtrip.NewNetBird(t.Context(), "test", "test", roundtrip.ClientConfig{
|
|
MgmtAddr: "http://invalid.test",
|
|
}, quietLogger(), nil, fakeMgmtClient{})
|
|
|
|
s.initPrivateInbound(http.NotFoundHandler(), &tls.Config{}) //nolint:gosec
|
|
require.NotNil(t, s.inbound, "manager should be set when --private is on")
|
|
assert.NotNil(t, s.inbound.handler, "handler should be set on manager")
|
|
assert.NotNil(t, s.inbound.tlsConfig, "tls config should be set on manager")
|
|
}
|
|
|
|
// TestInboundManager_AddRouteAfterReady_RegistersDirectly verifies that
|
|
// when the listener is already up, AddRoute writes straight to the
|
|
// router without queueing.
|
|
func TestInboundManager_AddRouteAfterReady_RegistersDirectly(t *testing.T) {
|
|
mgr := newInboundManager(quietLogger(), http.NotFoundHandler(), nil)
|
|
accountID := types.AccountID("acct-1")
|
|
router := nbtcp.NewRouter(quietLogger(), nil, &fakeAddr{addr: "127.0.0.1:0"})
|
|
|
|
mgr.muxLock.Lock()
|
|
mgr.entries[accountID] = &inboundEntry{router: router}
|
|
mgr.muxLock.Unlock()
|
|
|
|
host := nbtcp.SNIHost("ready.example")
|
|
mgr.AddRoute(accountID, host, nbtcp.Route{Type: nbtcp.RouteHTTP, AccountID: accountID, ServiceID: "svc-ready", Domain: string(host)})
|
|
assert.Equal(t, 0, mgr.PendingRouteCount(accountID), "no pending entries when listener is up")
|
|
}
|
|
|
|
// TestPrivateCapability_DerivedFromPrivateOnly tests that the capability
|
|
// bit reported upstream tracks --private exclusively. The previous
|
|
// --private flag has been folded into --private.
|
|
func TestPrivateCapability_DerivedFromPrivateOnly(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
private bool
|
|
expected bool
|
|
}{
|
|
{"off", false, false},
|
|
{"on", true, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
s := &Server{Private: tt.private}
|
|
assert.Equal(t, tt.expected, s.Private, "private capability bit should match --private")
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestInboundManager_RouteScopedToAccountB_DoesNotMatchA verifies that a
|
|
// service registered for account B is invisible to a router serving
|
|
// account A. We exercise the path through real per-account routers.
|
|
func TestInboundManager_RouteScopedToAccountB_DoesNotMatchA(t *testing.T) {
|
|
mgr := newInboundManager(quietLogger(), http.NotFoundHandler(), nil)
|
|
|
|
accountA := types.AccountID("acct-a")
|
|
accountB := types.AccountID("acct-b")
|
|
routerA := nbtcp.NewRouter(quietLogger(), nil, &fakeAddr{addr: "127.0.0.1:0"})
|
|
routerB := nbtcp.NewRouter(quietLogger(), nil, &fakeAddr{addr: "127.0.0.1:0"})
|
|
|
|
mgr.muxLock.Lock()
|
|
mgr.entries[accountA] = &inboundEntry{router: routerA}
|
|
mgr.entries[accountB] = &inboundEntry{router: routerB}
|
|
mgr.muxLock.Unlock()
|
|
|
|
host := nbtcp.SNIHost("shared.example")
|
|
mgr.AddRoute(accountB, host, nbtcp.Route{Type: nbtcp.RouteHTTP, AccountID: accountB, ServiceID: "svc-b", Domain: string(host)})
|
|
|
|
// Account A's router should have no routes; account B's should have one.
|
|
// We check via IsEmpty — true means no routes and no fallback.
|
|
assert.True(t, routerA.IsEmpty(), "account A router must not see account B's mappings")
|
|
assert.False(t, routerB.IsEmpty(), "account B router should hold its own mapping")
|
|
}
|
|
|
|
// TestInboundEntry_ShutdownIdempotent ensures that tearDown can run twice
|
|
// without panicking — callers may invoke it from RemovePeer + StopAll.
|
|
func TestInboundEntry_ShutdownIdempotent(t *testing.T) {
|
|
t.Skip("teardown requires real netstack listeners; covered by integration tests")
|
|
}
|
|
|
|
// TestRouter_PlainHTTP_ForwardedProtoIsHTTP exercises the full per-account
|
|
// router pipeline against a loopback listener (proxy of a netstack
|
|
// listener for test purposes): a plain HTTP request lands on the plain
|
|
// http.Server and the inner handler observes a nil r.TLS, which is what
|
|
// auth.ResolveProto translates to "http" in the real pipeline.
|
|
func TestRouter_PlainHTTP_ForwardedProtoIsHTTP(t *testing.T) {
|
|
logger := quietLogger()
|
|
|
|
var captured atomic.Value
|
|
captured.Store("")
|
|
|
|
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.TLS == nil {
|
|
captured.Store("http")
|
|
} else {
|
|
captured.Store("https")
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte("ok"))
|
|
})
|
|
|
|
hostListener, err := net.Listen("tcp", "127.0.0.1:0")
|
|
require.NoError(t, err, "loopback listener bind must succeed")
|
|
defer hostListener.Close()
|
|
|
|
router := nbtcp.NewRouter(logger, nil, hostListener.Addr(), nbtcp.WithPlainHTTP(hostListener.Addr()))
|
|
httpServer := &http.Server{Handler: handler, ReadHeaderTimeout: time.Second}
|
|
defer func() { _ = httpServer.Close() }()
|
|
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
|
|
go func() { _ = httpServer.Serve(router.HTTPListenerPlain()) }()
|
|
go func() { _ = router.Serve(ctx, hostListener) }()
|
|
|
|
conn, err := net.DialTimeout("tcp", hostListener.Addr().String(), 2*time.Second)
|
|
require.NoError(t, err, "plain HTTP dial must succeed")
|
|
defer conn.Close()
|
|
|
|
_, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"))
|
|
require.NoError(t, err, "write must succeed")
|
|
|
|
resp, err := http.ReadResponse(bufioReader(conn), nil)
|
|
require.NoError(t, err, "must read response")
|
|
defer resp.Body.Close()
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
assert.Equal(t, "http", captured.Load(), "ForwardedProto must be http on plain path")
|
|
}
|
|
|
|
// TestWithTunnelLookup_AttachesLookupToContext verifies that requests
|
|
// flowing through the per-account handler wrapper carry the peerstore
|
|
// lookup function. Phase 3's local-first deny path depends on this.
|
|
func TestWithTunnelLookup_AttachesLookupToContext(t *testing.T) {
|
|
expected := auth.PeerIdentity{TunnelIP: netip.MustParseAddr("100.64.0.10"), FQDN: "peer.netbird"}
|
|
lookup := auth.TunnelLookupFunc(func(_ netip.Addr) (auth.PeerIdentity, bool) {
|
|
return expected, true
|
|
})
|
|
|
|
var observed auth.TunnelLookupFunc
|
|
inner := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
|
|
observed = auth.TunnelLookupFromContext(r.Context())
|
|
})
|
|
|
|
handler := withTunnelLookup(inner, lookup)
|
|
r := httptest.NewRequest(http.MethodGet, "https://svc.example/", nil)
|
|
handler.ServeHTTP(httptest.NewRecorder(), r)
|
|
|
|
require.NotNil(t, observed, "wrapper must inject the lookup into the request context")
|
|
got, ok := observed(netip.MustParseAddr("100.64.0.10"))
|
|
assert.True(t, ok, "lookup must round-trip through context")
|
|
assert.Equal(t, expected.FQDN, got.FQDN, "lookup must return the same identity it was constructed with")
|
|
}
|
|
|
|
// TestWithTunnelLookup_NilLookupIsNoop confirms the wrapper is a pure
|
|
// pass-through when no lookup is provided. Required for the host-level
|
|
// listener path to keep its byte-for-byte previous behaviour.
|
|
func TestWithTunnelLookup_NilLookupIsNoop(t *testing.T) {
|
|
var called bool
|
|
inner := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
|
|
called = true
|
|
assert.Nil(t, auth.TunnelLookupFromContext(r.Context()), "host-level path must not see a lookup function")
|
|
})
|
|
|
|
handler := withTunnelLookup(inner, nil)
|
|
r := httptest.NewRequest(http.MethodGet, "https://svc.example/", nil)
|
|
handler.ServeHTTP(httptest.NewRecorder(), r)
|
|
assert.True(t, called, "wrapper without lookup must still invoke next")
|
|
}
|
|
|
|
// fakeListener satisfies net.Listener for snapshot tests without binding
|
|
// a real socket on the netstack.
|
|
type fakeListener struct {
|
|
addr net.Addr
|
|
}
|
|
|
|
func (f *fakeListener) Accept() (net.Conn, error) { return nil, net.ErrClosed }
|
|
func (f *fakeListener) Close() error { return nil }
|
|
func (f *fakeListener) Addr() net.Addr { return f.addr }
|
|
|
|
// TestInboundManager_ListenerInfo confirms ListenerInfo and Snapshot
|
|
// surface the bound tunnel-IP and ports for live entries.
|
|
func TestInboundManager_ListenerInfo(t *testing.T) {
|
|
mgr := newInboundManager(quietLogger(), http.NotFoundHandler(), nil)
|
|
accountID := types.AccountID("acct-info")
|
|
|
|
tlsAddr := &net.TCPAddr{IP: net.ParseIP("100.64.0.5"), Port: privateInboundPortHTTPS}
|
|
plainAddr := &net.TCPAddr{IP: net.ParseIP("100.64.0.5"), Port: privateInboundPortHTTP}
|
|
mgr.muxLock.Lock()
|
|
mgr.entries[accountID] = &inboundEntry{
|
|
tlsListener: &fakeListener{addr: tlsAddr},
|
|
plainListener: &fakeListener{addr: plainAddr},
|
|
}
|
|
mgr.muxLock.Unlock()
|
|
|
|
info, ok := mgr.ListenerInfo(accountID)
|
|
require.True(t, ok, "ListenerInfo must report ok for live entry")
|
|
assert.Equal(t, "100.64.0.5", info.TunnelIP, "tunnel IP must come from listener address")
|
|
assert.Equal(t, uint16(privateInboundPortHTTPS), info.HTTPSPort, "TLS port must match bound port")
|
|
assert.Equal(t, uint16(privateInboundPortHTTP), info.HTTPPort, "HTTP port must match bound port")
|
|
|
|
snap := mgr.Snapshot()
|
|
require.Len(t, snap, 1, "snapshot must contain exactly one entry")
|
|
assert.Equal(t, info, snap[accountID], "snapshot entry must equal direct lookup")
|
|
|
|
_, ok = mgr.ListenerInfo(types.AccountID("missing"))
|
|
assert.False(t, ok, "ListenerInfo must report ok=false for unknown accounts")
|
|
}
|
|
|
|
// TestInboundManager_NilManagerSafe ensures the observability accessors
|
|
// are safe to call when --private is off (nil manager).
|
|
func TestInboundManager_NilManagerSafe(t *testing.T) {
|
|
var mgr *inboundManager
|
|
_, ok := mgr.ListenerInfo("anything")
|
|
assert.False(t, ok, "nil manager must return ok=false")
|
|
assert.Nil(t, mgr.Snapshot(), "nil manager must return nil snapshot")
|
|
}
|
|
|
|
// TestInboundManager_ConcurrentAddRemove pounds AddRoute / RemoveRoute
|
|
// from multiple goroutines to expose any locking gaps.
|
|
func TestInboundManager_ConcurrentAddRemove(t *testing.T) {
|
|
mgr := newInboundManager(quietLogger(), http.NotFoundHandler(), nil)
|
|
accountID := types.AccountID("acct-1")
|
|
const workers = 32
|
|
const iterations = 50
|
|
|
|
var wg sync.WaitGroup
|
|
wg.Add(workers)
|
|
for i := 0; i < workers; i++ {
|
|
go func(idx int) {
|
|
defer wg.Done()
|
|
host := nbtcp.SNIHost("example.test")
|
|
svc := types.ServiceID("svc")
|
|
route := nbtcp.Route{Type: nbtcp.RouteHTTP, AccountID: accountID, ServiceID: svc, Domain: "example.test"}
|
|
for j := 0; j < iterations; j++ {
|
|
mgr.AddRoute(accountID, host, route)
|
|
mgr.RemoveRoute(accountID, host, svc)
|
|
}
|
|
}(i)
|
|
}
|
|
done := make(chan struct{})
|
|
go func() {
|
|
wg.Wait()
|
|
close(done)
|
|
}()
|
|
|
|
select {
|
|
case <-done:
|
|
case <-time.After(10 * time.Second):
|
|
t.Fatal("concurrent add/remove timed out")
|
|
}
|
|
}
|
|
|
|
// TestFeedRouterFromListener_DeliversConnectionToHandler validates the
|
|
// per-account inbound chain end-to-end with a loopback listener
|
|
// substituted for the embedded netstack: a TCP connection arriving at
|
|
// the plain listener flows through feedRouterFromListener, the router's
|
|
// peek-and-dispatch, the wrapped HTTP server, and reaches the user
|
|
// handler. If the embedded netstack is delivering connections at all,
|
|
// this is the path they take. Failures localise to wiring bugs in the
|
|
// proxy, not the netstack.
|
|
func TestFeedRouterFromListener_DeliversConnectionToHandler(t *testing.T) {
|
|
logger := quietLogger()
|
|
|
|
hits := make(chan string, 1)
|
|
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
hits <- r.Host
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte("served"))
|
|
})
|
|
|
|
plainLn, err := net.Listen("tcp", "127.0.0.1:0")
|
|
require.NoError(t, err, "plain loopback bind must succeed")
|
|
t.Cleanup(func() { _ = plainLn.Close() })
|
|
|
|
router := nbtcp.NewRouter(logger, nil, &fakeAddr{addr: "127.0.0.1:0"}, nbtcp.WithPlainHTTP(plainLn.Addr()))
|
|
|
|
httpServer := &http.Server{Handler: handler, ReadHeaderTimeout: time.Second}
|
|
t.Cleanup(func() { _ = httpServer.Close() })
|
|
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
t.Cleanup(cancel)
|
|
|
|
go func() { _ = httpServer.Serve(router.HTTPListenerPlain()) }()
|
|
go feedRouterFromListener(ctx, plainLn, router, logger, types.AccountID("acct-1"))
|
|
|
|
conn, err := net.DialTimeout("tcp", plainLn.Addr().String(), 2*time.Second)
|
|
require.NoError(t, err, "must connect to the plain listener")
|
|
t.Cleanup(func() { _ = conn.Close() })
|
|
|
|
_, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: app.example\r\nConnection: close\r\n\r\n"))
|
|
require.NoError(t, err, "request write must succeed")
|
|
|
|
resp, err := http.ReadResponse(bufioReader(conn), nil)
|
|
require.NoError(t, err, "must read response from server")
|
|
t.Cleanup(func() { _ = resp.Body.Close() })
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode, "handler must be reached")
|
|
|
|
select {
|
|
case host := <-hits:
|
|
assert.Equal(t, "app.example", host, "handler must observe the request Host")
|
|
case <-time.After(2 * time.Second):
|
|
t.Fatal("handler was not invoked — connection did not flow through router → http server")
|
|
}
|
|
}
|
|
|
|
// TestFeedRouterFromListener_DispatchesTLSToTLSChannel verifies that a
|
|
// TLS ClientHello arriving on the plain listener is detected by the
|
|
// router peek and re-dispatched to the TLS channel — the cross-channel
|
|
// fallback the inbound stack relies on for HTTPS-on-:80 testing.
|
|
func TestFeedRouterFromListener_DispatchesTLSToTLSChannel(t *testing.T) {
|
|
logger := quietLogger()
|
|
|
|
hits := make(chan string, 1)
|
|
tlsHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
hits <- r.Host
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte("served-tls"))
|
|
})
|
|
|
|
plainLn, err := net.Listen("tcp", "127.0.0.1:0")
|
|
require.NoError(t, err, "plain loopback bind must succeed")
|
|
t.Cleanup(func() { _ = plainLn.Close() })
|
|
|
|
tlsLn, err := net.Listen("tcp", "127.0.0.1:0")
|
|
require.NoError(t, err, "tls loopback bind must succeed")
|
|
t.Cleanup(func() { _ = tlsLn.Close() })
|
|
|
|
router := nbtcp.NewRouter(logger, nil, tlsLn.Addr(), nbtcp.WithPlainHTTP(plainLn.Addr()))
|
|
|
|
tlsConfig := selfSignedTLSConfig(t)
|
|
httpsServer := &http.Server{
|
|
Handler: tlsHandler,
|
|
TLSConfig: tlsConfig,
|
|
ReadHeaderTimeout: time.Second,
|
|
}
|
|
t.Cleanup(func() { _ = httpsServer.Close() })
|
|
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
t.Cleanup(cancel)
|
|
|
|
go func() { _ = httpsServer.ServeTLS(router.HTTPListener(), "", "") }()
|
|
go feedRouterFromListener(ctx, plainLn, router, logger, types.AccountID("acct-tls"))
|
|
|
|
tlsConn, err := tls.Dial("tcp", plainLn.Addr().String(), &tls.Config{InsecureSkipVerify: true}) //nolint:gosec
|
|
require.NoError(t, err, "TLS dial against the plain listener must succeed (cross-channel)")
|
|
t.Cleanup(func() { _ = tlsConn.Close() })
|
|
|
|
req, err := http.NewRequest(http.MethodGet, "https://app.example/", nil)
|
|
require.NoError(t, err)
|
|
require.NoError(t, req.Write(tlsConn), "TLS request write must succeed")
|
|
|
|
resp, err := http.ReadResponse(bufioReader(tlsConn), req)
|
|
require.NoError(t, err, "must read TLS response")
|
|
t.Cleanup(func() { _ = resp.Body.Close() })
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode, "TLS handler must be reached")
|
|
|
|
select {
|
|
case host := <-hits:
|
|
assert.Equal(t, "app.example", host, "TLS handler must observe the request Host")
|
|
case <-time.After(2 * time.Second):
|
|
t.Fatal("TLS handler was not invoked — peek/dispatch path is broken")
|
|
}
|
|
}
|
|
|
|
func selfSignedTLSConfig(t *testing.T) *tls.Config {
|
|
t.Helper()
|
|
cert, err := tls.X509KeyPair(testCertPEM, testKeyPEM)
|
|
require.NoError(t, err, "load static self-signed cert")
|
|
return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12} //nolint:gosec
|
|
}
|
|
|
|
// TestNewInboundErrorLog_WriterIsCloseable guards the close path on the
|
|
// logrus PipeWriter that backs each per-account http.Server's ErrorLog.
|
|
// logrus.Entry.WriterLevel returns an *io.PipeWriter that owns a pipe +
|
|
// scanner goroutine; the caller must Close() it on teardown or the
|
|
// resources leak per account. The contract is verified two ways:
|
|
//
|
|
// - the constructor returns a non-nil writer the caller can keep,
|
|
// - writing to the writer after Close() fails with io.ErrClosedPipe,
|
|
// which is the only externally observable sign that Close was wired.
|
|
//
|
|
// A leaking refactor (forgetting to thread the writer to tearDown, or
|
|
// dropping the Close call) would still pass this test individually but
|
|
// fail an integration goleak check; this unit test is the cheap first
|
|
// line of defence.
|
|
func TestNewInboundErrorLog_WriterIsCloseable(t *testing.T) {
|
|
logger := quietLogger()
|
|
stdLog, writer := newInboundErrorLog(logger, "https", types.AccountID("acct-1"))
|
|
|
|
require.NotNil(t, stdLog, "newInboundErrorLog must return a non-nil *log.Logger")
|
|
require.NotNil(t, writer, "newInboundErrorLog must return the underlying PipeWriter so tearDown can Close it")
|
|
|
|
// First Close succeeds.
|
|
require.NoError(t, writer.Close(), "PipeWriter.Close should succeed the first time")
|
|
|
|
// After Close, the writer must refuse new writes — that's the only
|
|
// behavioural signal that the pipe (and its scanner goroutine) has
|
|
// shut down.
|
|
_, err := writer.Write([]byte("post-close write\n"))
|
|
require.ErrorIs(t, err, io.ErrClosedPipe,
|
|
"writes after Close must surface io.ErrClosedPipe so callers know the writer is gone")
|
|
}
|
|
|
|
// testCertPEM / testKeyPEM are a minimal RSA self-signed cert for
|
|
// 127.0.0.1 — only used by tests that need a working TLS handshake.
|
|
var testCertPEM = []byte(`-----BEGIN CERTIFICATE-----
|
|
MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
|
|
DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
|
|
EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
|
|
7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
|
|
5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
|
|
BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
|
|
NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
|
|
Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
|
|
6MF9+Yw1Yy0t
|
|
-----END CERTIFICATE-----`)
|
|
var testKeyPEM = []byte(`-----BEGIN EC PRIVATE KEY-----
|
|
MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
|
|
AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
|
|
EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
|
|
-----END EC PRIVATE KEY-----`)
|