mirror of
https://github.com/juanfont/headscale.git
synced 2025-08-14 13:51:01 +02:00
integration: correct route reduce test, now failing
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby
parent
c38667e105
commit
8b11ab319d
@ -24,6 +24,7 @@ import (
|
|||||||
"tailscale.com/net/tsaddr"
|
"tailscale.com/net/tsaddr"
|
||||||
"tailscale.com/types/ipproto"
|
"tailscale.com/types/ipproto"
|
||||||
"tailscale.com/types/views"
|
"tailscale.com/types/views"
|
||||||
|
"tailscale.com/util/must"
|
||||||
"tailscale.com/util/slicesx"
|
"tailscale.com/util/slicesx"
|
||||||
"tailscale.com/wgengine/filter"
|
"tailscale.com/wgengine/filter"
|
||||||
)
|
)
|
||||||
@ -1604,9 +1605,9 @@ func TestAutoApproveMultiNetwork(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
for _, dbMode := range []types.PolicyMode{types.PolicyModeDB, types.PolicyModeFile} {
|
for _, polMode := range []types.PolicyMode{types.PolicyModeDB, types.PolicyModeFile} {
|
||||||
for _, advertiseDuringUp := range []bool{false, true} {
|
for _, advertiseDuringUp := range []bool{false, true} {
|
||||||
name := fmt.Sprintf("%s-advertiseduringup-%t-pol-%s", tt.name, advertiseDuringUp, dbMode)
|
name := fmt.Sprintf("%s-advertiseduringup-%t-pol-%s", tt.name, advertiseDuringUp, polMode)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
scenario, err := NewScenario(tt.spec)
|
scenario, err := NewScenario(tt.spec)
|
||||||
require.NoErrorf(t, err, "failed to create scenario: %s", err)
|
require.NoErrorf(t, err, "failed to create scenario: %s", err)
|
||||||
@ -1617,7 +1618,7 @@ func TestAutoApproveMultiNetwork(t *testing.T) {
|
|||||||
hsic.WithEmbeddedDERPServerOnly(),
|
hsic.WithEmbeddedDERPServerOnly(),
|
||||||
hsic.WithTLS(),
|
hsic.WithTLS(),
|
||||||
hsic.WithACLPolicy(tt.pol),
|
hsic.WithACLPolicy(tt.pol),
|
||||||
hsic.WithPolicyMode(dbMode),
|
hsic.WithPolicyMode(polMode),
|
||||||
}
|
}
|
||||||
|
|
||||||
tsOpts := []tsic.Option{
|
tsOpts := []tsic.Option{
|
||||||
@ -2033,6 +2034,15 @@ func TestSubnetRouteACLFiltering(t *testing.T) {
|
|||||||
spec := ScenarioSpec{
|
spec := ScenarioSpec{
|
||||||
NodesPerUser: 1,
|
NodesPerUser: 1,
|
||||||
Users: []string{routerUser, nodeUser},
|
Users: []string{routerUser, nodeUser},
|
||||||
|
Networks: map[string][]string{
|
||||||
|
"usernet1": {routerUser, nodeUser},
|
||||||
|
},
|
||||||
|
ExtraService: map[string][]extraServiceFunc{
|
||||||
|
"usernet1": {Webservice},
|
||||||
|
},
|
||||||
|
// We build the head image with curl and traceroute, so only use
|
||||||
|
// that for this test.
|
||||||
|
Versions: []string{"head"},
|
||||||
}
|
}
|
||||||
|
|
||||||
scenario, err := NewScenario(spec)
|
scenario, err := NewScenario(spec)
|
||||||
@ -2052,7 +2062,7 @@ func TestSubnetRouteACLFiltering(t *testing.T) {
|
|||||||
"*"
|
"*"
|
||||||
],
|
],
|
||||||
"dst": [
|
"dst": [
|
||||||
"router:0"
|
"router:8000"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -2060,13 +2070,26 @@ func TestSubnetRouteACLFiltering(t *testing.T) {
|
|||||||
"src": [
|
"src": [
|
||||||
"node"
|
"node"
|
||||||
],
|
],
|
||||||
"dst": [
|
"dst": []
|
||||||
"10.10.10.0/24:*"
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}`)
|
}`)
|
||||||
|
|
||||||
|
route, err := scenario.SubnetOfNetwork("usernet1")
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
services, err := scenario.Services("usernet1")
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Len(t, services, 1)
|
||||||
|
|
||||||
|
usernet1, err := scenario.Network("usernet1")
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
web := services[0]
|
||||||
|
webip := netip.MustParseAddr(web.GetIPInNetwork(usernet1))
|
||||||
|
weburl := fmt.Sprintf("http://%s/etc/hostname", webip)
|
||||||
|
t.Logf("webservice: %s, %s", webip.String(), weburl)
|
||||||
|
|
||||||
// Create ACL policy
|
// Create ACL policy
|
||||||
aclPolicy := &policyv1.ACLPolicy{}
|
aclPolicy := &policyv1.ACLPolicy{}
|
||||||
err = json.Unmarshal([]byte(aclPolicyStr), aclPolicy)
|
err = json.Unmarshal([]byte(aclPolicyStr), aclPolicy)
|
||||||
@ -2074,7 +2097,10 @@ func TestSubnetRouteACLFiltering(t *testing.T) {
|
|||||||
|
|
||||||
err = scenario.CreateHeadscaleEnv([]tsic.Option{
|
err = scenario.CreateHeadscaleEnv([]tsic.Option{
|
||||||
tsic.WithAcceptRoutes(),
|
tsic.WithAcceptRoutes(),
|
||||||
}, hsic.WithTestName("routeaclfilter"), hsic.WithACLPolicy(aclPolicy))
|
}, hsic.WithTestName("routeaclfilter"),
|
||||||
|
hsic.WithACLPolicy(aclPolicy),
|
||||||
|
hsic.WithPolicyMode(types.PolicyModeDB),
|
||||||
|
)
|
||||||
assertNoErrHeadscaleEnv(t, err)
|
assertNoErrHeadscaleEnv(t, err)
|
||||||
|
|
||||||
allClients, err := scenario.ListTailscaleClients()
|
allClients, err := scenario.ListTailscaleClients()
|
||||||
@ -2095,9 +2121,19 @@ func TestSubnetRouteACLFiltering(t *testing.T) {
|
|||||||
routerClient := allClients[0]
|
routerClient := allClients[0]
|
||||||
nodeClient := allClients[1]
|
nodeClient := allClients[1]
|
||||||
|
|
||||||
|
aclPolicy.Hosts = policyv1.Hosts{
|
||||||
|
routerUser: must.Get(routerClient.MustIPv4().Prefix(32)),
|
||||||
|
nodeUser: must.Get(nodeClient.MustIPv4().Prefix(32)),
|
||||||
|
}
|
||||||
|
aclPolicy.ACLs[1].Destinations = []string{
|
||||||
|
route.String() + ":*",
|
||||||
|
}
|
||||||
|
|
||||||
|
require.NoError(t, headscale.SetPolicy(aclPolicy))
|
||||||
|
|
||||||
// Set up the subnet routes for the router
|
// Set up the subnet routes for the router
|
||||||
routes := []string{
|
routes := []string{
|
||||||
"10.10.10.0/24", // This should be accessible by the client
|
route.String(), // This should be accessible by the client
|
||||||
"10.10.11.0/24", // These should NOT be accessible
|
"10.10.11.0/24", // These should NOT be accessible
|
||||||
"10.10.12.0/24",
|
"10.10.12.0/24",
|
||||||
}
|
}
|
||||||
@ -2162,7 +2198,15 @@ func TestSubnetRouteACLFiltering(t *testing.T) {
|
|||||||
// Check that the node can see the subnet routes from the router
|
// Check that the node can see the subnet routes from the router
|
||||||
routerPeerStatus := nodeStatus.Peer[routerStatus.Self.PublicKey]
|
routerPeerStatus := nodeStatus.Peer[routerStatus.Self.PublicKey]
|
||||||
|
|
||||||
// The node should only have 1 subnet route (10.10.10.0/24)
|
// The node should only have 1 subnet route
|
||||||
expectedRoutes := []netip.Prefix{netip.MustParsePrefix("10.10.10.0/24")}
|
requirePeerSubnetRoutes(t, routerPeerStatus, []netip.Prefix{*route})
|
||||||
requirePeerSubnetRoutes(t, routerPeerStatus, expectedRoutes)
|
|
||||||
|
result, err := nodeClient.Curl(weburl)
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.Len(t, result, 13)
|
||||||
|
|
||||||
|
tr, err := nodeClient.Traceroute(webip)
|
||||||
|
require.NoError(t, err)
|
||||||
|
assertTracerouteViaIP(t, tr, routerClient.MustIPv4())
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user