Mirrors/juanfont.headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2025-09-06 17:54:31 +02:00
Code Issues Projects Releases Wiki Activity

use polivyv1 definitions in integration tests

Browse Source 
These can be marshalled back into JSON, which the
new format might not be able to.

Also, just dont change it all to JSON strings for now.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby 2025-02-26 19:19:15 +01:00
parent e9ffc4f2df
commit 0d95945999
No known key found for this signature in database
6 changed files with 106 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
integration/acl_test.go
View File

@ -8,7 +8,7 @@ import (
"testing"
"github.com/google/go-cmp/cmp"
"github.com/juanfont/headscale/hscontrol/policy"
policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
"github.com/juanfont/headscale/integration/hsic"
"github.com/juanfont/headscale/integration/tsic"
"github.com/stretchr/testify/assert"
@ -50,7 +50,7 @@ var veryLargeDestination = []string{
func aclScenario(
t *testing.T,
policy *policy.ACLPolicy,
policy *policyv1.ACLPolicy,
clientsPerUser int,
) *Scenario {
t.Helper()
@ -77,6 +77,8 @@ func aclScenario(
},
hsic.WithACLPolicy(policy),
hsic.WithTestName("acl"),
hsic.WithEmbeddedDERPServerOnly(),
hsic.WithTLS(),
)
require.NoError(t, err)
@ -100,7 +102,7 @@ func TestACLHostsInNetMapTable(t *testing.T) {
// they can access minus one (them self).
tests := map[string]struct {
users map[string]int
policy policy.ACLPolicy
policy policyv1.ACLPolicy
want map[string]int
}{
// Test that when we have no ACL, each client netmap has
@ -110,8 +112,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user1": 2,
"user2": 2,
},
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
policy: policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
@ -131,8 +133,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user1": 2,
"user2": 2,
},
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
policy: policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -157,8 +159,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user1": 2,
"user2": 2,
},
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
policy: policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -194,8 +196,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user1": 2,
"user2": 2,
},
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
policy: policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -222,8 +224,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user1": 2,
"user2": 2,
},
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
policy: policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -250,8 +252,8 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user1": 2,
"user2": 2,
},
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
policy: policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
@ -306,8 +308,8 @@ func TestACLAllowUser80Dst(t *testing.T) {
IntegrationSkip(t)
scenario := aclScenario(t,
&policy.ACLPolicy{
ACLs: []policy.ACL{
&policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -360,11 +362,11 @@ func TestACLDenyAllPort80(t *testing.T) {
IntegrationSkip(t)
scenario := aclScenario(t,
&policy.ACLPolicy{
&policyv1.ACLPolicy{
Groups: map[string][]string{
"group:integration-acl-test": {"user1", "user2"},
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"group:integration-acl-test"},
@ -407,8 +409,8 @@ func TestACLAllowUserDst(t *testing.T) {
IntegrationSkip(t)
scenario := aclScenario(t,
&policy.ACLPolicy{
ACLs: []policy.ACL{
&policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -463,8 +465,8 @@ func TestACLAllowStarDst(t *testing.T) {
IntegrationSkip(t)
scenario := aclScenario(t,
&policy.ACLPolicy{
ACLs: []policy.ACL{
&policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"user1"},
@ -520,11 +522,11 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
IntegrationSkip(t)
scenario := aclScenario(t,
&policy.ACLPolicy{
Hosts: policy.Hosts{
&policyv1.ACLPolicy{
Hosts: policyv1.Hosts{
"all": netip.MustParsePrefix("100.64.0.0/24"),
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
// Everyone can curl test3
{
Action: "accept",
@ -617,16 +619,16 @@ func TestACLNamedHostsCanReach(t *testing.T) {
IntegrationSkip(t)
tests := map[string]struct {
policy policy.ACLPolicy
policy policyv1.ACLPolicy
}{
"ipv4": {
policy: policy.ACLPolicy{
Hosts: policy.Hosts{
policy: policyv1.ACLPolicy{
Hosts: policyv1.Hosts{
"test1": netip.MustParsePrefix("100.64.0.1/32"),
"test2": netip.MustParsePrefix("100.64.0.2/32"),
"test3": netip.MustParsePrefix("100.64.0.3/32"),
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
// Everyone can curl test3
{
Action: "accept",
@ -643,13 +645,13 @@ func TestACLNamedHostsCanReach(t *testing.T) {
},
},
"ipv6": {
policy: policy.ACLPolicy{
Hosts: policy.Hosts{
policy: policyv1.ACLPolicy{
Hosts: policyv1.Hosts{
"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
"test3": netip.MustParsePrefix("fd7a:115c:a1e0::3/128"),
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
// Everyone can curl test3
{
Action: "accept",
@ -866,11 +868,11 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
IntegrationSkip(t)
tests := map[string]struct {
policy policy.ACLPolicy
policy policyv1.ACLPolicy
}{
"ipv4": {
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
policy: policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"100.64.0.1"},
@ -880,8 +882,8 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
},
},
"ipv6": {
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
policy: policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"fd7a:115c:a1e0::1"},
@ -891,12 +893,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
},
},
"hostv4cidr": {
policy: policy.ACLPolicy{
Hosts: policy.Hosts{
policy: policyv1.ACLPolicy{
Hosts: policyv1.Hosts{
"test1": netip.MustParsePrefix("100.64.0.1/32"),
"test2": netip.MustParsePrefix("100.64.0.2/32"),
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"test1"},
@ -906,12 +908,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
},
},
"hostv6cidr": {
policy: policy.ACLPolicy{
Hosts: policy.Hosts{
policy: policyv1.ACLPolicy{
Hosts: policyv1.Hosts{
"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"test1"},
@ -921,12 +923,12 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
},
},
"group": {
policy: policy.ACLPolicy{
policy: policyv1.ACLPolicy{
Groups: map[string][]string{
"group:one": {"user1"},
"group:two": {"user2"},
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"group:one"},
@ -1085,15 +1087,15 @@ func TestPolicyUpdateWhileRunningWithCLIInDatabase(t *testing.T) {
headscale, err := scenario.Headscale()
require.NoError(t, err)
p := policy.ACLPolicy{
ACLs: []policy.ACL{
p := policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"user1"},
Destinations: []string{"user2:*"},
},
},
Hosts: policy.Hosts{},
Hosts: policyv1.Hosts{},
}
pBytes, _ := json.Marshal(p)
@ -1118,7 +1120,7 @@ func TestPolicyUpdateWhileRunningWithCLIInDatabase(t *testing.T) {
// Get the current policy and check
// if it is the same as the one we set.
var output *policy.ACLPolicy
var output *policyv1.ACLPolicy
err = executeAndUnmarshal(
headscale,
[]string{

28
integration/cli_test.go
View File

@ -11,7 +11,7 @@ import (
tcmp "github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
"github.com/juanfont/headscale/hscontrol/policy"
policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
"github.com/juanfont/headscale/hscontrol/types"
"github.com/juanfont/headscale/integration/hsic"
"github.com/juanfont/headscale/integration/tsic"
@ -915,7 +915,7 @@ func TestNodeAdvertiseTagCommand(t *testing.T) {
tests := []struct {
name string
policy *policy.ACLPolicy
policy *policyv1.ACLPolicy
wantTag bool
}{
{
@ -924,8 +924,8 @@ func TestNodeAdvertiseTagCommand(t *testing.T) {
},
{
name: "with-policy-email",
policy: &policy.ACLPolicy{
ACLs: []policy.ACL{
policy: &policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
@ -940,8 +940,8 @@ func TestNodeAdvertiseTagCommand(t *testing.T) {
},
{
name: "with-policy-username",
policy: &policy.ACLPolicy{
ACLs: []policy.ACL{
policy: &policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
@ -956,11 +956,11 @@ func TestNodeAdvertiseTagCommand(t *testing.T) {
},
{
name: "with-policy-groups",
policy: &policy.ACLPolicy{
Groups: policy.Groups{
policy: &policyv1.ACLPolicy{
Groups: policyv1.Groups{
"group:admins": []string{"user1"},
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
@ -1742,8 +1742,8 @@ func TestPolicyCommand(t *testing.T) {
headscale, err := scenario.Headscale()
assertNoErr(t, err)
p := policy.ACLPolicy{
ACLs: []policy.ACL{
p := policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
@ -1778,7 +1778,7 @@ func TestPolicyCommand(t *testing.T) {
// Get the current policy and check
// if it is the same as the one we set.
var output *policy.ACLPolicy
var output *policyv1.ACLPolicy
err = executeAndUnmarshal(
headscale,
[]string{
@ -1822,8 +1822,8 @@ func TestPolicyBrokenConfigCommand(t *testing.T) {
headscale, err := scenario.Headscale()
assertNoErr(t, err)
p := policy.ACLPolicy{
ACLs: []policy.ACL{
p := policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
// This is an unknown action, so it will return an error
// and the config will not be applied.

6
integration/general_test.go
View File

@ -365,7 +365,11 @@ func TestTaildrop(t *testing.T) {
"taildrop": len(MustTestVersions),
}
err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("taildrop"))
err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{},
hsic.WithTestName("taildrop"),
hsic.WithEmbeddedDERPServerOnly(),
hsic.WithTLS(),
)
assertNoErrHeadscaleEnv(t, err)
allClients, err := scenario.ListTailscaleClients()

7
integration/hsic/hsic.go
View File

@ -12,6 +12,7 @@ import (
"net/netip"
"os"
"path"
"regexp"
"sort"
"strconv"
"strings"
@ -19,7 +20,7 @@ import (
"github.com/davecgh/go-spew/spew"
v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
"github.com/juanfont/headscale/hscontrol/policy"
policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
"github.com/juanfont/headscale/hscontrol/types"
"github.com/juanfont/headscale/hscontrol/util"
"github.com/juanfont/headscale/integration/dockertestutil"
@ -64,7 +65,7 @@ type HeadscaleInContainer struct {
extraPorts []string
caCerts [][]byte
hostPortBindings map[string][]string
aclPolicy *policy.ACLPolicy
aclPolicy *policyv1.ACLPolicy
env map[string]string
tlsCert []byte
tlsKey []byte
@ -78,7 +79,7 @@ type Option = func(c *HeadscaleInContainer)
// WithACLPolicy adds a hscontrol.ACLPolicy policy to the
// HeadscaleInContainer instance.
func WithACLPolicy(acl *policy.ACLPolicy) Option {
func WithACLPolicy(acl *policyv1.ACLPolicy) Option {
return func(hsic *HeadscaleInContainer) {
if acl == nil {
return

28
integration/route_test.go
View File

@ -8,7 +8,7 @@ import (
"github.com/google/go-cmp/cmp"
v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
"github.com/juanfont/headscale/hscontrol/policy"
policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
"github.com/juanfont/headscale/hscontrol/util"
"github.com/juanfont/headscale/integration/hsic"
"github.com/juanfont/headscale/integration/tsic"
@ -29,7 +29,7 @@ func TestEnablingRoutes(t *testing.T) {
IntegrationSkip(t)
t.Parallel()
user := "enable-routing"
user := "user6"
scenario, err := NewScenario(dockertestMaxWait())
require.NoErrorf(t, err, "failed to create scenario: %s", err)
@ -203,7 +203,7 @@ func TestHASubnetRouterFailover(t *testing.T) {
IntegrationSkip(t)
t.Parallel()
user := "enable-routing"
user := "user9"
scenario, err := NewScenario(dockertestMaxWait())
require.NoErrorf(t, err, "failed to create scenario: %s", err)
@ -528,7 +528,7 @@ func TestEnableDisableAutoApprovedRoute(t *testing.T) {
expectedRoutes := "172.0.0.0/24"
user := "enable-disable-routing"
user := "user2"
scenario, err := NewScenario(dockertestMaxWait())
require.NoErrorf(t, err, "failed to create scenario: %s", err)
@ -539,8 +539,8 @@ func TestEnableDisableAutoApprovedRoute(t *testing.T) {
}
err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{tsic.WithTags([]string{"tag:approve"})}, hsic.WithTestName("clienableroute"), hsic.WithACLPolicy(
&policy.ACLPolicy{
ACLs: []policy.ACL{
&policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
@ -550,7 +550,7 @@ func TestEnableDisableAutoApprovedRoute(t *testing.T) {
TagOwners: map[string][]string{
"tag:approve": {user},
},
AutoApprovers: policy.AutoApprovers{
AutoApprovers: policyv1.AutoApprovers{
Routes: map[string][]string{
expectedRoutes: {"tag:approve"},
},
@ -640,8 +640,8 @@ func TestAutoApprovedSubRoute2068(t *testing.T) {
hsic.WithEmbeddedDERPServerOnly(),
hsic.WithTLS(),
hsic.WithACLPolicy(
&policy.ACLPolicy{
ACLs: []policy.ACL{
&policyv1.ACLPolicy{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
@ -651,7 +651,7 @@ func TestAutoApprovedSubRoute2068(t *testing.T) {
TagOwners: map[string][]string{
"tag:approve": {user},
},
AutoApprovers: policy.AutoApprovers{
AutoApprovers: policyv1.AutoApprovers{
Routes: map[string][]string{
"10.42.0.0/16": {"tag:approve"},
},
@ -696,7 +696,7 @@ func TestSubnetRouteACL(t *testing.T) {
IntegrationSkip(t)
t.Parallel()
user := "subnet-route-acl"
user := "user4"
scenario, err := NewScenario(dockertestMaxWait())
require.NoErrorf(t, err, "failed to create scenario: %s", err)
@ -707,11 +707,11 @@ func TestSubnetRouteACL(t *testing.T) {
}
err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clienableroute"), hsic.WithACLPolicy(
&policy.ACLPolicy{
Groups: policy.Groups{
&policyv1.ACLPolicy{
Groups: policyv1.Groups{
"group:admins": {user},
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"group:admins"},

34
integration/ssh_test.go
View File

@ -7,7 +7,7 @@ import (
"testing"
"time"
"github.com/juanfont/headscale/hscontrol/policy"
policyv1 "github.com/juanfont/headscale/hscontrol/policy/v1"
"github.com/juanfont/headscale/integration/hsic"
"github.com/juanfont/headscale/integration/tsic"
"github.com/stretchr/testify/assert"
@ -48,7 +48,7 @@ var retry = func(times int, sleepInterval time.Duration,
return result, stderr, err
}
func sshScenario(t *testing.T, policy *policy.ACLPolicy, clientsPerUser int) *Scenario {
func sshScenario(t *testing.T, policy *policyv1.ACLPolicy, clientsPerUser int) *Scenario {
t.Helper()
scenario, err := NewScenario(dockertestMaxWait())
assertNoErr(t, err)
@ -92,18 +92,18 @@ func TestSSHOneUserToAll(t *testing.T) {
t.Parallel()
scenario := sshScenario(t,
&policy.ACLPolicy{
&policyv1.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1"},
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []policy.SSH{
SSHs: []policyv1.SSH{
{
Action: "accept",
Sources: []string{"group:integration-test"},
@ -157,18 +157,18 @@ func TestSSHMultipleUsersAllToAll(t *testing.T) {
t.Parallel()
scenario := sshScenario(t,
&policy.ACLPolicy{
&policyv1.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1", "user2"},
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []policy.SSH{
SSHs: []policyv1.SSH{
{
Action: "accept",
Sources: []string{"group:integration-test"},
@ -210,18 +210,18 @@ func TestSSHNoSSHConfigured(t *testing.T) {
t.Parallel()
scenario := sshScenario(t,
&policy.ACLPolicy{
&policyv1.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1"},
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []policy.SSH{},
SSHs: []policyv1.SSH{},
},
len(MustTestVersions),
)
@ -252,18 +252,18 @@ func TestSSHIsBlockedInACL(t *testing.T) {
t.Parallel()
scenario := sshScenario(t,
&policy.ACLPolicy{
&policyv1.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1"},
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:80"},
},
},
SSHs: []policy.SSH{
SSHs: []policyv1.SSH{
{
Action: "accept",
Sources: []string{"group:integration-test"},
@ -301,19 +301,19 @@ func TestSSHUserOnlyIsolation(t *testing.T) {
t.Parallel()
scenario := sshScenario(t,
&policy.ACLPolicy{
&policyv1.ACLPolicy{
Groups: map[string][]string{
"group:ssh1": {"user1"},
"group:ssh2": {"user2"},
},
ACLs: []policy.ACL{
ACLs: []policyv1.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []policy.SSH{
SSHs: []policyv1.SSH{
{
Action: "accept",
Sources: []string{"group:ssh1"},