mirror of
https://github.com/netbirdio/netbird.git
synced 2026-07-18 04:29:54 +00:00
* [client] categorize root/system-mutating tests behind a privileged build tag Tests that need root or mutate host state (nftables/iptables/DNS, TUN/WireGuard interfaces, routes, eBPF, SSH/service install) are now gated behind a //go:build privileged tag. The default `go test ./client/...` runs as a non-root user with no sudo and leaves host networking untouched; mixed files were split so pure-logic tests stay in the default suite. A self-hosting ory/dockertest/v4 harness (client/testutil/privileged) runs the privileged suite inside a --privileged --cap-add=NET_ADMIN container via `make test-privileged`; a DOCKER_CI=true guard skips the spawn when already inside the container. Added `make test-unit` for the host-safe run. * [client] add PRIV_RUN/PRIV_PKGS filters to the privileged test harness The dockertest harness now reads two optional env vars when building the in-container `go test` command: PRIV_RUN adds a -run test-name filter and PRIV_PKGS overrides the package list. Both empty reproduce the full privileged suite, so CI and `make test-privileged` behave as before. Lets a developer run a single privileged test in the container, e.g.: PRIV_RUN=TestNftablesManager PRIV_PKGS=./client/firewall/nftables/... make test-privileged * [client] fix unused-helper lint after the privileged test split Splitting privileged tests into *_privileged_test.go left their shared helpers in the untagged files, so in the default (no-tag) build they had no callers and golangci-lint flagged them as unused. Moved the privileged-only helpers into the privileged files next to their callers (generateDummyHandler; createEngine/startSignal/startManagement/getConnectedPeers/ getPeers + kaep/kasp; (*mockDaemon).setJWTToken). Annotated the shared routing-test fixtures that must stay untagged for cross-platform compilation with //nolint:unused (systemops_bsd expected* vars, ensureIPv6DefaultRoute on bsd/windows, loopbackIfaceWindows), matching the existing linux variant. * [client] fix privileged test CI failures and run the harness on macOS The host-safe unit run dropped sudo but two privileged test groups were never tagged, and the Docker privileged job silently never ran the suite: - Gate the ssh/server PrivilegeDropper command-construction tests behind the privileged tag (they require root to target a different UID); split them into executor_unix_privileged_test.go. - Tag sharedsock raw-socket tests privileged (need CAP_NET_RAW). - Fix the Docker job command: nested single quotes around the build tags closed the sh -c wrapper early, dropping the go list package set and the privileged tag, so go test ran on the empty repo root. Use double quotes. Make the self-hosting harness usable from a dev Mac: - Build it on darwin as well as linux; it only drives Docker. - Resolve the active docker context endpoint into DOCKER_HOST when the default /var/run/docker.sock is absent (Docker Desktop, Colima, OrbStack). - Rename the misspelled containerGoModache constant to containerGoModCache. * Update client/internal/engine_privileged_test.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update client/internal/routemanager/systemops/systemops_linux_test.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update client/internal/routemanager/systemops/systemops_windows_test.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update client/server/server_privileged_test.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * [ci] Run privileged-tagged tests on darwin, windows and freebsd The privileged build tag split moved root/system-mutating tests behind //go:build privileged, but only the linux docker job was given the tag. The native darwin (sudo), windows (PsExec64 -s) and freebsd VM runners already have the required privileges, so add the privileged tag there too to keep CI running the same set of tests as before the split. * [ci] Exclude dockertest harness from the darwin privileged run The privileged tag now compiles client/testutil/privileged on darwin, whose TestRunPrivilegedSuiteInDocker spawns a container the macOS runner has no Docker for. Exclude the harness package from the darwin list, matching the linux job, so the privileged tests run in place without a container spawn. --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
412 lines
11 KiB
Go
412 lines
11 KiB
Go
package client
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"os"
|
|
"os/user"
|
|
"runtime"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/netbirdio/netbird/client/ssh"
|
|
sshserver "github.com/netbirdio/netbird/client/ssh/server"
|
|
"github.com/netbirdio/netbird/client/ssh/testutil"
|
|
)
|
|
|
|
// TestMain handles package-level setup and cleanup
|
|
func TestMain(m *testing.M) {
|
|
// Guard against infinite recursion when test binary is called as "netbird ssh exec"
|
|
// This happens when running tests as non-privileged user with fallback
|
|
if len(os.Args) > 2 && os.Args[1] == "ssh" && os.Args[2] == "exec" {
|
|
// Just exit with error to break the recursion
|
|
fmt.Fprintf(os.Stderr, "Test binary called as 'ssh exec' - preventing infinite recursion\n")
|
|
os.Exit(1)
|
|
}
|
|
|
|
// Run tests
|
|
code := m.Run()
|
|
|
|
// Cleanup any created test users
|
|
testutil.CleanupTestUsers()
|
|
|
|
os.Exit(code)
|
|
}
|
|
|
|
func TestSSHClient_DialWithKey(t *testing.T) {
|
|
// Generate host key for server
|
|
hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
|
|
require.NoError(t, err)
|
|
|
|
// Create and start server
|
|
serverConfig := &sshserver.Config{
|
|
HostKeyPEM: hostKey,
|
|
JWT: nil,
|
|
}
|
|
server := sshserver.New(serverConfig)
|
|
server.SetAllowRootLogin(true) // Allow root/admin login for tests
|
|
|
|
serverAddr := sshserver.StartTestServer(t, server)
|
|
defer func() {
|
|
err := server.Stop()
|
|
require.NoError(t, err)
|
|
}()
|
|
|
|
// Test Dial
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
defer cancel()
|
|
|
|
currentUser := testutil.GetTestUsername(t)
|
|
client, err := Dial(ctx, serverAddr, currentUser, DialOptions{
|
|
InsecureSkipVerify: true,
|
|
})
|
|
require.NoError(t, err)
|
|
defer func() {
|
|
err := client.Close()
|
|
assert.NoError(t, err)
|
|
}()
|
|
|
|
// Verify client is connected
|
|
assert.NotNil(t, client.client)
|
|
}
|
|
|
|
func TestSSHClient_ConnectionHandling(t *testing.T) {
|
|
server, serverAddr, _ := setupTestSSHServerAndClient(t)
|
|
defer func() {
|
|
err := server.Stop()
|
|
require.NoError(t, err)
|
|
}()
|
|
|
|
// Generate client key for multiple connections
|
|
|
|
const numClients = 3
|
|
clients := make([]*Client, numClients)
|
|
|
|
currentUser := testutil.GetTestUsername(t)
|
|
for i := 0; i < numClients; i++ {
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
client, err := Dial(ctx, serverAddr, currentUser, DialOptions{
|
|
InsecureSkipVerify: true,
|
|
})
|
|
cancel()
|
|
require.NoError(t, err, "Client %d should connect successfully", i)
|
|
clients[i] = client
|
|
}
|
|
|
|
for i, client := range clients {
|
|
err := client.Close()
|
|
assert.NoError(t, err, "Client %d should close without error", i)
|
|
}
|
|
}
|
|
|
|
func TestSSHClient_NoAuthMode(t *testing.T) {
|
|
hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
|
|
require.NoError(t, err)
|
|
|
|
serverConfig := &sshserver.Config{
|
|
HostKeyPEM: hostKey,
|
|
JWT: nil,
|
|
}
|
|
server := sshserver.New(serverConfig)
|
|
server.SetAllowRootLogin(true) // Allow root/admin login for tests
|
|
|
|
serverAddr := sshserver.StartTestServer(t, server)
|
|
defer func() {
|
|
err := server.Stop()
|
|
require.NoError(t, err)
|
|
}()
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
defer cancel()
|
|
|
|
currentUser := testutil.GetTestUsername(t)
|
|
|
|
t.Run("any key succeeds in no-auth mode", func(t *testing.T) {
|
|
client, err := Dial(ctx, serverAddr, currentUser, DialOptions{
|
|
InsecureSkipVerify: true,
|
|
})
|
|
assert.NoError(t, err)
|
|
if client != nil {
|
|
require.NoError(t, client.Close(), "Client should close without error")
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestSSHClient_TerminalState(t *testing.T) {
|
|
server, _, client := setupTestSSHServerAndClient(t)
|
|
defer func() {
|
|
err := server.Stop()
|
|
require.NoError(t, err)
|
|
}()
|
|
defer func() {
|
|
err := client.Close()
|
|
assert.NoError(t, err)
|
|
}()
|
|
|
|
assert.Nil(t, client.terminalState)
|
|
assert.Equal(t, 0, client.terminalFd)
|
|
|
|
client.restoreTerminal()
|
|
assert.Nil(t, client.terminalState)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
|
|
defer cancel()
|
|
|
|
err := client.OpenTerminal(ctx)
|
|
// In test environment without a real terminal, this may complete quickly or timeout
|
|
// Both behaviors are acceptable for testing terminal state management
|
|
if err != nil {
|
|
if runtime.GOOS == "windows" {
|
|
assert.True(t,
|
|
strings.Contains(err.Error(), "context deadline exceeded") ||
|
|
strings.Contains(err.Error(), "console"),
|
|
"Should timeout or have console error on Windows")
|
|
} else {
|
|
// On Unix systems in test environment, we may get various errors
|
|
// including timeouts or terminal-related errors
|
|
assert.True(t,
|
|
strings.Contains(err.Error(), "context deadline exceeded") ||
|
|
strings.Contains(err.Error(), "terminal") ||
|
|
strings.Contains(err.Error(), "pty"),
|
|
"Expected timeout or terminal-related error, got: %v", err)
|
|
}
|
|
}
|
|
}
|
|
|
|
func setupTestSSHServerAndClient(t *testing.T) (*sshserver.Server, string, *Client) {
|
|
hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
|
|
require.NoError(t, err)
|
|
|
|
serverConfig := &sshserver.Config{
|
|
HostKeyPEM: hostKey,
|
|
JWT: nil,
|
|
}
|
|
server := sshserver.New(serverConfig)
|
|
server.SetAllowRootLogin(true) // Allow root/admin login for tests
|
|
|
|
serverAddr := sshserver.StartTestServer(t, server)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
defer cancel()
|
|
|
|
currentUser := testutil.GetTestUsername(t)
|
|
client, err := Dial(ctx, serverAddr, currentUser, DialOptions{
|
|
InsecureSkipVerify: true,
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
return server, serverAddr, client
|
|
}
|
|
|
|
func TestSSHClient_PortForwarding(t *testing.T) {
|
|
server, _, client := setupTestSSHServerAndClient(t)
|
|
defer func() {
|
|
err := server.Stop()
|
|
require.NoError(t, err)
|
|
}()
|
|
defer func() {
|
|
err := client.Close()
|
|
assert.NoError(t, err)
|
|
}()
|
|
|
|
t.Run("local forwarding times out gracefully", func(t *testing.T) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
|
|
defer cancel()
|
|
|
|
err := client.LocalPortForward(ctx, "127.0.0.1:0", "127.0.0.1:8080")
|
|
assert.Error(t, err)
|
|
assert.True(t,
|
|
errors.Is(err, context.DeadlineExceeded) ||
|
|
errors.Is(err, context.Canceled) ||
|
|
strings.Contains(err.Error(), "connection"),
|
|
"Expected context or connection error")
|
|
})
|
|
|
|
t.Run("remote forwarding denied", func(t *testing.T) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
|
|
defer cancel()
|
|
|
|
err := client.RemotePortForward(ctx, "127.0.0.1:0", "127.0.0.1:8080")
|
|
assert.Error(t, err)
|
|
assert.True(t,
|
|
strings.Contains(err.Error(), "denied") ||
|
|
strings.Contains(err.Error(), "disabled"),
|
|
"Should be denied by default")
|
|
})
|
|
|
|
t.Run("invalid addresses fail", func(t *testing.T) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
|
|
defer cancel()
|
|
|
|
err := client.LocalPortForward(ctx, "invalid:address", "127.0.0.1:8080")
|
|
assert.Error(t, err)
|
|
|
|
err = client.LocalPortForward(ctx, "127.0.0.1:0", "invalid:address")
|
|
assert.Error(t, err)
|
|
})
|
|
}
|
|
|
|
func TestSSHClient_PortForwardingDataTransfer(t *testing.T) {
|
|
if testing.Short() {
|
|
t.Skip("Skipping data transfer test in short mode")
|
|
}
|
|
|
|
hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
|
|
require.NoError(t, err)
|
|
|
|
serverConfig := &sshserver.Config{
|
|
HostKeyPEM: hostKey,
|
|
JWT: nil,
|
|
}
|
|
server := sshserver.New(serverConfig)
|
|
server.SetAllowLocalPortForwarding(true)
|
|
server.SetAllowRootLogin(true) // Allow root/admin login for tests
|
|
|
|
serverAddr := sshserver.StartTestServer(t, server)
|
|
defer func() {
|
|
err := server.Stop()
|
|
require.NoError(t, err)
|
|
}()
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
defer cancel()
|
|
|
|
// Port forwarding requires the actual current user, not test user
|
|
realUser, err := getRealCurrentUser()
|
|
require.NoError(t, err)
|
|
|
|
// Skip if running as system account that can't do port forwarding
|
|
if testutil.IsSystemAccount(realUser) {
|
|
t.Skipf("Skipping port forwarding test - running as system account: %s", realUser)
|
|
}
|
|
|
|
client, err := Dial(ctx, serverAddr, realUser, DialOptions{
|
|
InsecureSkipVerify: true, // Skip host key verification for test
|
|
})
|
|
require.NoError(t, err)
|
|
defer func() {
|
|
if err := client.Close(); err != nil {
|
|
t.Logf("client close error: %v", err)
|
|
}
|
|
}()
|
|
|
|
testServer, err := net.Listen("tcp", "127.0.0.1:0")
|
|
require.NoError(t, err)
|
|
defer func() {
|
|
if err := testServer.Close(); err != nil {
|
|
t.Logf("test server close error: %v", err)
|
|
}
|
|
}()
|
|
|
|
testServerAddr := testServer.Addr().String()
|
|
expectedResponse := "Hello, World!"
|
|
|
|
go func() {
|
|
for {
|
|
conn, err := testServer.Accept()
|
|
if err != nil {
|
|
return
|
|
}
|
|
go func(c net.Conn) {
|
|
defer func() {
|
|
if err := c.Close(); err != nil {
|
|
t.Logf("connection close error: %v", err)
|
|
}
|
|
}()
|
|
buf := make([]byte, 1024)
|
|
if _, err := c.Read(buf); err != nil {
|
|
t.Logf("connection read error: %v", err)
|
|
return
|
|
}
|
|
if _, err := c.Write([]byte(expectedResponse)); err != nil {
|
|
t.Logf("connection write error: %v", err)
|
|
}
|
|
}(conn)
|
|
}
|
|
}()
|
|
|
|
localListener, err := net.Listen("tcp", "127.0.0.1:0")
|
|
require.NoError(t, err)
|
|
localAddr := localListener.Addr().String()
|
|
if err := localListener.Close(); err != nil {
|
|
t.Logf("local listener close error: %v", err)
|
|
}
|
|
|
|
ctx, cancel = context.WithTimeout(context.Background(), 5*time.Second)
|
|
defer cancel()
|
|
|
|
go func() {
|
|
err := client.LocalPortForward(ctx, localAddr, testServerAddr)
|
|
if err != nil && !errors.Is(err, context.Canceled) {
|
|
if isWindowsPrivilegeError(err) {
|
|
t.Logf("Port forward failed due to Windows privilege restrictions: %v", err)
|
|
} else {
|
|
t.Logf("Port forward error: %v", err)
|
|
}
|
|
}
|
|
}()
|
|
|
|
time.Sleep(100 * time.Millisecond)
|
|
|
|
conn, err := net.DialTimeout("tcp", localAddr, 2*time.Second)
|
|
require.NoError(t, err)
|
|
defer func() {
|
|
if err := conn.Close(); err != nil {
|
|
t.Logf("connection close error: %v", err)
|
|
}
|
|
}()
|
|
|
|
_, err = conn.Write([]byte("test"))
|
|
require.NoError(t, err)
|
|
|
|
if err := conn.SetReadDeadline(time.Now().Add(2 * time.Second)); err != nil {
|
|
t.Logf("set read deadline error: %v", err)
|
|
}
|
|
response := make([]byte, len(expectedResponse))
|
|
n, err := io.ReadFull(conn, response)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, len(expectedResponse), n)
|
|
assert.Equal(t, expectedResponse, string(response))
|
|
}
|
|
|
|
// getRealCurrentUser returns the actual current user (not test user) for features like port forwarding
|
|
func getRealCurrentUser() (string, error) {
|
|
if runtime.GOOS == "windows" {
|
|
if currentUser, err := user.Current(); err == nil {
|
|
return currentUser.Username, nil
|
|
}
|
|
}
|
|
|
|
if username := os.Getenv("USER"); username != "" {
|
|
return username, nil
|
|
}
|
|
|
|
if currentUser, err := user.Current(); err == nil {
|
|
return currentUser.Username, nil
|
|
}
|
|
|
|
return "", fmt.Errorf("unable to determine current user")
|
|
}
|
|
|
|
// isWindowsPrivilegeError checks if an error is related to Windows privilege restrictions
|
|
func isWindowsPrivilegeError(err error) bool {
|
|
if err == nil {
|
|
return false
|
|
}
|
|
|
|
errStr := strings.ToLower(err.Error())
|
|
return strings.Contains(errStr, "ntstatus=0xc0000062") || // STATUS_PRIVILEGE_NOT_HELD
|
|
strings.Contains(errStr, "0xc0000041") || // STATUS_PRIVILEGE_NOT_HELD (LsaRegisterLogonProcess)
|
|
strings.Contains(errStr, "0xc0000062") || // STATUS_PRIVILEGE_NOT_HELD (LsaLogonUser)
|
|
strings.Contains(errStr, "privilege") ||
|
|
strings.Contains(errStr, "access denied") ||
|
|
strings.Contains(errStr, "user authentication failed")
|
|
}
|