From 0d959459996ab983be354960a5d26fe83ab2dc5a Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Wed, 26 Feb 2025 19:19:15 +0100 Subject: [PATCH] use polivyv1 definitions in integration tests These can be marshalled back into JSON, which the new format might not be able to. Also, just dont change it all to JSON strings for now. Signed-off-by: Kristoffer Dalby --- integration/acl_test.go | 102 ++++++++++++++++++------------------ integration/cli_test.go | 28 +++++----- integration/general_test.go | 6 ++- integration/hsic/hsic.go | 7 +-- integration/route_test.go | 28 +++++----- integration/ssh_test.go | 34 ++++++------ 6 files changed, 106 insertions(+), 99 deletions(-) diff --git a/integration/acl_test.go b/integration/acl_test.go index fb6fef93..4bbf7157 100644 --- a/integration/acl_test.go +++ b/integration/acl_test.go @@ -8,7 +8,7 @@ import ( "testing" "github.com/google/go-cmp/cmp" - "github.com/juanfont/headscale/hscontrol/policy" + policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1" "github.com/juanfont/headscale/integration/hsic" "github.com/juanfont/headscale/integration/tsic" "github.com/stretchr/testify/assert" @@ -50,7 +50,7 @@ var veryLargeDestination = []string{ func aclScenario( t *testing.T, - policy *policy.ACLPolicy, + policy *policyv1.ACLPolicy, clientsPerUser int, ) *Scenario { t.Helper() @@ -77,6 +77,8 @@ func aclScenario( }, hsic.WithACLPolicy(policy), hsic.WithTestName("acl"), + hsic.WithEmbeddedDERPServerOnly(), + hsic.WithTLS(), ) require.NoError(t, err) @@ -100,7 +102,7 @@ func TestACLHostsInNetMapTable(t *testing.T) { // they can access minus one (them self). tests := map[string]struct { users map[string]int - policy policy.ACLPolicy + policy policyv1.ACLPolicy want map[string]int }{ // Test that when we have no ACL, each client netmap has 
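Review bot: The two options added to the `CreateHeadscaleEnv` call in `aclScenario`, `hsic.WithEmbeddedDERPServerOnly()` and `hsic.WithTLS()`, change the transport that every ACL test runs over, and neither the commit message nor the code says why. The same pair is added to `TestTaildrop` in `integration/general_test.go`. These tests assert which peers can and cannot reach each other, so a one-line comment above the options would tell the next reader whether the assertions are meant to hold specifically over the embedded relay with TLS, e.g. `// run ACL checks via the embedded DERP server over TLS: <reason>`. If the change is unrelated to the policyv1 switch, it would be easier to bisect as its own commit. `aclScenario` continues outside the hunk.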
@@ -110,8 +112,8 @@ func TestACLHostsInNetMapTable(t *testing.T) { "user1": 2, "user2": 2, }, - policy: policy.ACLPolicy{ - ACLs: []policy.ACL{ + policy: policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, @@ -131,8 +133,8 @@ func TestACLHostsInNetMapTable(t *testing.T) { "user1": 2, "user2": 2, }, - policy: policy.ACLPolicy{ - ACLs: []policy.ACL{ + policy: policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"user1"}, @@ -157,8 +159,8 @@ func TestACLHostsInNetMapTable(t *testing.T) { "user1": 2, "user2": 2, }, - policy: policy.ACLPolicy{ - ACLs: []policy.ACL{ + policy: policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"user1"}, @@ -194,8 +196,8 @@ func TestACLHostsInNetMapTable(t *testing.T) { "user1": 2, "user2": 2, }, - policy: policy.ACLPolicy{ - ACLs: []policy.ACL{ + policy: policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"user1"}, @@ -222,8 +224,8 @@ func TestACLHostsInNetMapTable(t *testing.T) { "user1": 2, "user2": 2, }, - policy: policy.ACLPolicy{ - ACLs: []policy.ACL{ + policy: policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"user1"}, @@ -250,8 +252,8 @@ func TestACLHostsInNetMapTable(t *testing.T) { "user1": 2, "user2": 2, }, - policy: policy.ACLPolicy{ - ACLs: []policy.ACL{ + policy: policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, @@ -306,8 +308,8 @@ func TestACLAllowUser80Dst(t *testing.T) { IntegrationSkip(t) scenario := aclScenario(t, - &policy.ACLPolicy{ - ACLs: []policy.ACL{ + &policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"user1"}, 
@@ -360,11 +362,11 @@ func TestACLDenyAllPort80(t *testing.T) { IntegrationSkip(t) scenario := aclScenario(t, - &policy.ACLPolicy{ + &policyv1.ACLPolicy{ Groups: map[string][]string{ "group:integration-acl-test": {"user1", "user2"}, }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"group:integration-acl-test"}, @@ -407,8 +409,8 @@ func TestACLAllowUserDst(t *testing.T) { IntegrationSkip(t) scenario := aclScenario(t, - &policy.ACLPolicy{ - ACLs: []policy.ACL{ + &policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"user1"}, @@ -463,8 +465,8 @@ func TestACLAllowStarDst(t *testing.T) { IntegrationSkip(t) scenario := aclScenario(t, - &policy.ACLPolicy{ - ACLs: []policy.ACL{ + &policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"user1"}, @@ -520,11 +522,11 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) { IntegrationSkip(t) scenario := aclScenario(t, - &policy.ACLPolicy{ - Hosts: policy.Hosts{ + &policyv1.ACLPolicy{ + Hosts: policyv1.Hosts{ "all": netip.MustParsePrefix("100.64.0.0/24"), }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ // Everyone can curl test3 { Action: "accept", @@ -617,16 +619,16 @@ func TestACLNamedHostsCanReach(t *testing.T) { IntegrationSkip(t) tests := map[string]struct { - policy policy.ACLPolicy + policy policyv1.ACLPolicy }{ "ipv4": { - policy: policy.ACLPolicy{ - Hosts: policy.Hosts{ + policy: policyv1.ACLPolicy{ + Hosts: policyv1.Hosts{ "test1": netip.MustParsePrefix("100.64.0.1/32"), "test2": netip.MustParsePrefix("100.64.0.2/32"), "test3": netip.MustParsePrefix("100.64.0.3/32"), }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ // Everyone can curl test3 { Action: "accept", 
@@ -643,13 +645,13 @@ func TestACLNamedHostsCanReach(t *testing.T) { }, }, "ipv6": { - policy: policy.ACLPolicy{ - Hosts: policy.Hosts{ + policy: policyv1.ACLPolicy{ + Hosts: policyv1.Hosts{ "test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"), "test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"), "test3": netip.MustParsePrefix("fd7a:115c:a1e0::3/128"), }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ // Everyone can curl test3 { Action: "accept", @@ -866,11 +868,11 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) { IntegrationSkip(t) tests := map[string]struct { - policy policy.ACLPolicy + policy policyv1.ACLPolicy }{ "ipv4": { - policy: policy.ACLPolicy{ - ACLs: []policy.ACL{ + policy: policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"100.64.0.1"}, @@ -880,8 +882,8 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) { }, }, "ipv6": { - policy: policy.ACLPolicy{ - ACLs: []policy.ACL{ + policy: policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"fd7a:115c:a1e0::1"}, @@ -891,12 +893,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) { }, }, "hostv4cidr": { - policy: policy.ACLPolicy{ - Hosts: policy.Hosts{ + policy: policyv1.ACLPolicy{ + Hosts: policyv1.Hosts{ "test1": netip.MustParsePrefix("100.64.0.1/32"), "test2": netip.MustParsePrefix("100.64.0.2/32"), }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"test1"}, @@ -906,12 +908,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) { }, }, "hostv6cidr": { - policy: policy.ACLPolicy{ - Hosts: policy.Hosts{ + policy: policyv1.ACLPolicy{ + Hosts: policyv1.Hosts{ "test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"), "test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"), }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"test1"}, 
@@ -921,12 +923,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) { }, }, "group": { - policy: policy.ACLPolicy{ + policy: policyv1.ACLPolicy{ Groups: map[string][]string{ "group:one": {"user1"}, "group:two": {"user2"}, }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"group:one"}, @@ -1085,15 +1087,15 @@ func TestPolicyUpdateWhileRunningWithCLIInDatabase(t *testing.T) { headscale, err := scenario.Headscale() require.NoError(t, err) - p := policy.ACLPolicy{ - ACLs: []policy.ACL{ + p := policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"user1"}, Destinations: []string{"user2:*"}, }, }, - Hosts: policy.Hosts{}, + Hosts: policyv1.Hosts{}, } pBytes, _ := json.Marshal(p) @@ -1118,7 +1120,7 @@ func TestPolicyUpdateWhileRunningWithCLIInDatabase(t *testing.T) { // Get the current policy and check // if it is the same as the one we set. - var output *policy.ACLPolicy + var output *policyv1.ACLPolicy err = executeAndUnmarshal( headscale, []string{ diff --git a/integration/cli_test.go b/integration/cli_test.go index 17c8870d..ba680d54 100644 --- a/integration/cli_test.go +++ b/integration/cli_test.go @@ -11,7 +11,7 @@ import ( tcmp "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" v1 "github.com/juanfont/headscale/gen/go/headscale/v1" - "github.com/juanfont/headscale/hscontrol/policy" + policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1" "github.com/juanfont/headscale/hscontrol/types" "github.com/juanfont/headscale/integration/hsic" "github.com/juanfont/headscale/integration/tsic" @@ -915,7 +915,7 @@ func TestNodeAdvertiseTagCommand(t *testing.T) { tests := []struct { name string - policy *policy.ACLPolicy + policy *policyv1.ACLPolicy wantTag bool }{ { 
@@ -924,8 +924,8 @@ func TestNodeAdvertiseTagCommand(t *testing.T) { }, { name: "with-policy-email", - policy: &policy.ACLPolicy{ - ACLs: []policy.ACL{ + policy: &policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, @@ -940,8 +940,8 @@ func TestNodeAdvertiseTagCommand(t *testing.T) { }, { name: "with-policy-username", - policy: &policy.ACLPolicy{ - ACLs: []policy.ACL{ + policy: &policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, @@ -956,11 +956,11 @@ func TestNodeAdvertiseTagCommand(t *testing.T) { }, { name: "with-policy-groups", - policy: &policy.ACLPolicy{ - Groups: policy.Groups{ + policy: &policyv1.ACLPolicy{ + Groups: policyv1.Groups{ "group:admins": []string{"user1"}, }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, @@ -1742,8 +1742,8 @@ func TestPolicyCommand(t *testing.T) { headscale, err := scenario.Headscale() assertNoErr(t, err) - p := policy.ACLPolicy{ - ACLs: []policy.ACL{ + p := policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, @@ -1778,7 +1778,7 @@ func TestPolicyCommand(t *testing.T) { // Get the current policy and check // if it is the same as the one we set. - var output *policy.ACLPolicy + var output *policyv1.ACLPolicy err = executeAndUnmarshal( headscale, []string{ @@ -1822,8 +1822,8 @@ func TestPolicyBrokenConfigCommand(t *testing.T) { headscale, err := scenario.Headscale() assertNoErr(t, err) - p := policy.ACLPolicy{ - ACLs: []policy.ACL{ + p := policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { // This is an unknown action, so it will return an error // and the config will not be applied. diff --git a/integration/general_test.go b/integration/general_test.go index 3bdce469..d6d9e7e1 100644 --- a/integration/general_test.go +++ b/integration/general_test.go 
@@ -365,7 +365,11 @@ func TestTaildrop(t *testing.T) { "taildrop": len(MustTestVersions), } - err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("taildrop")) + err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, + hsic.WithTestName("taildrop"), + hsic.WithEmbeddedDERPServerOnly(), + hsic.WithTLS(), + ) assertNoErrHeadscaleEnv(t, err) allClients, err := scenario.ListTailscaleClients() diff --git a/integration/hsic/hsic.go b/integration/hsic/hsic.go index b75d9c08..02ec0fed 100644 --- a/integration/hsic/hsic.go +++ b/integration/hsic/hsic.go @@ -12,6 +12,7 @@ import ( "net/netip" "os" "path" + "regexp" "sort" "strconv" "strings" @@ -19,7 +20,7 @@ import ( "github.com/davecgh/go-spew/spew" v1 "github.com/juanfont/headscale/gen/go/headscale/v1" - "github.com/juanfont/headscale/hscontrol/policy" + policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1" "github.com/juanfont/headscale/hscontrol/types" "github.com/juanfont/headscale/hscontrol/util" "github.com/juanfont/headscale/integration/dockertestutil" @@ -64,7 +65,7 @@ type HeadscaleInContainer struct { extraPorts []string caCerts [][]byte hostPortBindings map[string][]string - aclPolicy *policy.ACLPolicy + aclPolicy *policyv1.ACLPolicy env map[string]string tlsCert []byte tlsKey []byte @@ -78,7 +79,7 @@ type Option = func(c *HeadscaleInContainer) // WithACLPolicy adds a hscontrol.ACLPolicy policy to the // HeadscaleInContainer instance. -func WithACLPolicy(acl *policy.ACLPolicy) Option { +func WithACLPolicy(acl *policyv1.ACLPolicy) Option { return func(hsic *HeadscaleInContainer) { if acl == nil { return diff --git a/integration/route_test.go b/integration/route_test.go index e6f6b5d6..e92a4c37 100644 --- a/integration/route_test.go +++ b/integration/route_test.go 
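Review bot: The `"regexp"` import added to `integration/hsic/hsic.go` has no use anywhere in this patch. The diffstat gives the file 7 changed lines, and the three hunks account for all of them: this import, the `policyv1` alias, the `aclPolicy` field and the `WithACLPolicy` signature. Go rejects unused imports, so unless the file already contains a `regexp.` call from elsewhere in the series, this line stops the `hsic` package from compiling, and with it every integration test. Drop the `"regexp"` line here, or move it into the commit that adds the code using it.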
@@ -8,7 +8,7 @@ import ( "github.com/google/go-cmp/cmp" v1 "github.com/juanfont/headscale/gen/go/headscale/v1" - "github.com/juanfont/headscale/hscontrol/policy" + policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1" "github.com/juanfont/headscale/hscontrol/util" "github.com/juanfont/headscale/integration/hsic" "github.com/juanfont/headscale/integration/tsic" @@ -29,7 +29,7 @@ func TestEnablingRoutes(t *testing.T) { IntegrationSkip(t) t.Parallel() - user := "enable-routing" + user := "user6" scenario, err := NewScenario(dockertestMaxWait()) require.NoErrorf(t, err, "failed to create scenario: %s", err) @@ -203,7 +203,7 @@ func TestHASubnetRouterFailover(t *testing.T) { IntegrationSkip(t) t.Parallel() - user := "enable-routing" + user := "user9" scenario, err := NewScenario(dockertestMaxWait()) require.NoErrorf(t, err, "failed to create scenario: %s", err) @@ -528,7 +528,7 @@ func TestEnableDisableAutoApprovedRoute(t *testing.T) { expectedRoutes := "172.0.0.0/24" - user := "enable-disable-routing" + user := "user2" scenario, err := NewScenario(dockertestMaxWait()) require.NoErrorf(t, err, "failed to create scenario: %s", err) @@ -539,8 +539,8 @@ func TestEnableDisableAutoApprovedRoute(t *testing.T) { } err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{tsic.WithTags([]string{"tag:approve"})}, hsic.WithTestName("clienableroute"), hsic.WithACLPolicy( - &policy.ACLPolicy{ - ACLs: []policy.ACL{ + &policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, @@ -550,7 +550,7 @@ func TestEnableDisableAutoApprovedRoute(t *testing.T) { TagOwners: map[string][]string{ "tag:approve": {user}, }, - AutoApprovers: policy.AutoApprovers{ + AutoApprovers: policyv1.AutoApprovers{ Routes: map[string][]string{ expectedRoutes: {"tag:approve"}, }, 
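Review bot: The `user` values in `TestEnablingRoutes`, `TestHASubnetRouterFailover` and `TestEnableDisableAutoApprovedRoute` change from descriptive names (`"enable-routing"`, `"enable-disable-routing"`) to `"user6"`, `"user9"` and `"user2"`, and `TestSubnetRouteACL` later in this file gets `"user4"`; the commit message does not mention this. In the policy-bearing tests the same string is the owner of `tag:approve` in `TagOwners` and the only member of `group:admins`, so it is part of what the authorisation assertions depend on. The numbers look arbitrary; if the v1 policy types constrain the username format, say so next to the first assignment, e.g. `// policyv1 requires <constraint>; the name is otherwise arbitrary`. Each function body continues outside its hunk.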
@@ -640,8 +640,8 @@ func TestAutoApprovedSubRoute2068(t *testing.T) { hsic.WithEmbeddedDERPServerOnly(), hsic.WithTLS(), hsic.WithACLPolicy( - &policy.ACLPolicy{ - ACLs: []policy.ACL{ + &policyv1.ACLPolicy{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, @@ -651,7 +651,7 @@ func TestAutoApprovedSubRoute2068(t *testing.T) { TagOwners: map[string][]string{ "tag:approve": {user}, }, - AutoApprovers: policy.AutoApprovers{ + AutoApprovers: policyv1.AutoApprovers{ Routes: map[string][]string{ "10.42.0.0/16": {"tag:approve"}, }, @@ -696,7 +696,7 @@ func TestSubnetRouteACL(t *testing.T) { IntegrationSkip(t) t.Parallel() - user := "subnet-route-acl" + user := "user4" scenario, err := NewScenario(dockertestMaxWait()) require.NoErrorf(t, err, "failed to create scenario: %s", err) @@ -707,11 +707,11 @@ func TestSubnetRouteACL(t *testing.T) { } err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clienableroute"), hsic.WithACLPolicy( - &policy.ACLPolicy{ - Groups: policy.Groups{ + &policyv1.ACLPolicy{ + Groups: policyv1.Groups{ "group:admins": {user}, }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"group:admins"}, diff --git a/integration/ssh_test.go b/integration/ssh_test.go index d060831d..ade119d3 100644 --- a/integration/ssh_test.go +++ b/integration/ssh_test.go @@ -7,7 +7,7 @@ import ( "testing" "time" - "github.com/juanfont/headscale/hscontrol/policy" + policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1" "github.com/juanfont/headscale/integration/hsic" "github.com/juanfont/headscale/integration/tsic" "github.com/stretchr/testify/assert" 
@@ -48,7 +48,7 @@ var retry = func(times int, sleepInterval time.Duration, return result, stderr, err } -func sshScenario(t *testing.T, policy *policy.ACLPolicy, clientsPerUser int) *Scenario { +func sshScenario(t *testing.T, policy *policyv1.ACLPolicy, clientsPerUser int) *Scenario { t.Helper() scenario, err := NewScenario(dockertestMaxWait()) assertNoErr(t, err) @@ -92,18 +92,18 @@ func TestSSHOneUserToAll(t *testing.T) { t.Parallel() scenario := sshScenario(t, - &policy.ACLPolicy{ + &policyv1.ACLPolicy{ Groups: map[string][]string{ "group:integration-test": {"user1"}, }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, Destinations: []string{"*:*"}, }, }, - SSHs: []policy.SSH{ + SSHs: []policyv1.SSH{ { Action: "accept", Sources: []string{"group:integration-test"}, @@ -157,18 +157,18 @@ func TestSSHMultipleUsersAllToAll(t *testing.T) { t.Parallel() scenario := sshScenario(t, - &policy.ACLPolicy{ + &policyv1.ACLPolicy{ Groups: map[string][]string{ "group:integration-test": {"user1", "user2"}, }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, Destinations: []string{"*:*"}, }, }, - SSHs: []policy.SSH{ + SSHs: []policyv1.SSH{ { Action: "accept", Sources: []string{"group:integration-test"}, @@ -210,18 +210,18 @@ func TestSSHNoSSHConfigured(t *testing.T) { t.Parallel() scenario := sshScenario(t, - &policy.ACLPolicy{ + &policyv1.ACLPolicy{ Groups: map[string][]string{ "group:integration-test": {"user1"}, }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, Destinations: []string{"*:*"}, }, }, - SSHs: []policy.SSH{}, + SSHs: []policyv1.SSH{}, }, len(MustTestVersions), ) 
@@ -252,18 +252,18 @@ func TestSSHIsBlockedInACL(t *testing.T) { t.Parallel() scenario := sshScenario(t, - &policy.ACLPolicy{ + &policyv1.ACLPolicy{ Groups: map[string][]string{ "group:integration-test": {"user1"}, }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, Destinations: []string{"*:80"}, }, }, - SSHs: []policy.SSH{ + SSHs: []policyv1.SSH{ { Action: "accept", Sources: []string{"group:integration-test"}, @@ -301,19 +301,19 @@ func TestSSHUserOnlyIsolation(t *testing.T) { t.Parallel() scenario := sshScenario(t, - &policy.ACLPolicy{ + &policyv1.ACLPolicy{ Groups: map[string][]string{ "group:ssh1": {"user1"}, "group:ssh2": {"user2"}, }, - ACLs: []policy.ACL{ + ACLs: []policyv1.ACL{ { Action: "accept", Sources: []string{"*"}, Destinations: []string{"*:*"}, }, }, - SSHs: []policy.SSH{ + SSHs: []policyv1.SSH{ { Action: "accept", Sources: []string{"group:ssh1"},