headscale/acls_test.go

189 lines
5.4 KiB
Go
Raw Normal View History

2021-07-03 09:55:32 +00:00
package headscale
import (
"gopkg.in/check.v1"
)
func (s *Suite) TestWrongPath(c *check.C) {
2021-07-04 11:23:31 +00:00
err := h.LoadAclPolicy("asdfg")
2021-07-03 09:55:32 +00:00
c.Assert(err, check.NotNil)
}
func (s *Suite) TestBrokenHuJson(c *check.C) {
2021-07-04 11:23:31 +00:00
err := h.LoadAclPolicy("./tests/acls/broken.hujson")
2021-07-03 09:55:32 +00:00
c.Assert(err, check.NotNil)
}
func (s *Suite) TestInvalidPolicyHuson(c *check.C) {
2021-07-04 11:23:31 +00:00
err := h.LoadAclPolicy("./tests/acls/invalid.hujson")
2021-07-03 09:55:32 +00:00
c.Assert(err, check.NotNil)
2021-07-03 15:31:32 +00:00
c.Assert(err, check.Equals, errorEmptyPolicy)
2021-07-03 09:55:32 +00:00
}
2021-07-03 15:31:32 +00:00
func (s *Suite) TestParseHosts(c *check.C) {
var hs Hosts
err := hs.UnmarshalJSON([]byte(`{"example-host-1": "100.100.100.100","example-host-2": "100.100.101.100/24"}`))
c.Assert(hs, check.NotNil)
2021-07-03 09:55:32 +00:00
c.Assert(err, check.IsNil)
2021-07-03 15:31:32 +00:00
}
func (s *Suite) TestParseInvalidCIDR(c *check.C) {
var hs Hosts
err := hs.UnmarshalJSON([]byte(`{"example-host-1": "100.100.100.100/42"}`))
c.Assert(hs, check.IsNil)
c.Assert(err, check.NotNil)
}
func (s *Suite) TestCheckLoaded(c *check.C) {
2021-07-04 11:23:31 +00:00
err := h.LoadAclPolicy("./tests/acls/acl_policy_1.hujson")
2021-07-03 15:31:32 +00:00
c.Assert(err, check.IsNil)
c.Assert(h.aclPolicy, check.NotNil)
}
func (s *Suite) TestValidCheckParsedHosts(c *check.C) {
2021-07-04 11:23:31 +00:00
err := h.LoadAclPolicy("./tests/acls/acl_policy_1.hujson")
2021-07-03 15:31:32 +00:00
c.Assert(err, check.IsNil)
c.Assert(h.aclPolicy, check.NotNil)
c.Assert(h.aclPolicy.IsZero(), check.Equals, false)
c.Assert(h.aclPolicy.Hosts, check.HasLen, 2)
}
2021-07-03 09:55:32 +00:00
2021-07-03 15:31:32 +00:00
func (s *Suite) TestRuleInvalidGeneration(c *check.C) {
2021-07-04 11:23:31 +00:00
err := h.LoadAclPolicy("./tests/acls/acl_policy_invalid.hujson")
2021-07-03 09:55:32 +00:00
c.Assert(err, check.IsNil)
2021-07-03 15:31:32 +00:00
rules, err := h.generateACLRules()
c.Assert(err, check.NotNil)
c.Assert(rules, check.IsNil)
}
func (s *Suite) TestBasicRule(c *check.C) {
2021-07-04 11:23:31 +00:00
err := h.LoadAclPolicy("./tests/acls/acl_policy_basic_1.hujson")
2021-07-03 15:31:32 +00:00
c.Assert(err, check.IsNil)
rules, err := h.generateACLRules()
c.Assert(err, check.IsNil)
2021-07-04 11:01:41 +00:00
c.Assert(rules, check.NotNil)
}
func (s *Suite) TestPortRange(c *check.C) {
2021-07-04 11:23:31 +00:00
err := h.LoadAclPolicy("./tests/acls/acl_policy_basic_range.hujson")
2021-07-04 11:01:41 +00:00
c.Assert(err, check.IsNil)
rules, err := h.generateACLRules()
c.Assert(err, check.IsNil)
c.Assert(rules, check.NotNil)
c.Assert(*rules, check.HasLen, 1)
c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(5400))
c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(5500))
}
func (s *Suite) TestPortWildcard(c *check.C) {
2021-07-04 11:23:31 +00:00
err := h.LoadAclPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
2021-07-04 11:01:41 +00:00
c.Assert(err, check.IsNil)
rules, err := h.generateACLRules()
c.Assert(err, check.IsNil)
c.Assert(rules, check.NotNil)
c.Assert(*rules, check.HasLen, 1)
c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
c.Assert((*rules)[0].SrcIPs, check.HasLen, 1)
c.Assert((*rules)[0].SrcIPs[0], check.Equals, "*")
}
func (s *Suite) TestPortNamespace(c *check.C) {
n, err := h.CreateNamespace("testnamespace")
c.Assert(err, check.IsNil)
pak, err := h.CreatePreAuthKey(n.Name, false, false, nil)
c.Assert(err, check.IsNil)
db, err := h.db()
if err != nil {
c.Fatal(err)
}
_, err = h.GetMachine("testnamespace", "testmachine")
c.Assert(err, check.NotNil)
ip, _ := h.getAvailableIP()
m := Machine{
ID: 0,
MachineKey: "foo",
NodeKey: "bar",
DiscoKey: "faa",
Name: "testmachine",
NamespaceID: n.ID,
Registered: true,
RegisterMethod: "authKey",
IPAddress: ip.String(),
AuthKeyID: uint(pak.ID),
}
db.Save(&m)
2021-07-04 11:23:31 +00:00
err = h.LoadAclPolicy("./tests/acls/acl_policy_basic_namespace_as_user.hujson")
2021-07-04 11:01:41 +00:00
c.Assert(err, check.IsNil)
rules, err := h.generateACLRules()
c.Assert(err, check.IsNil)
c.Assert(rules, check.NotNil)
c.Assert(*rules, check.HasLen, 1)
c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
c.Assert((*rules)[0].SrcIPs, check.HasLen, 1)
c.Assert((*rules)[0].SrcIPs[0], check.Not(check.Equals), "not an ip")
c.Assert((*rules)[0].SrcIPs[0], check.Equals, ip.String())
2021-07-03 09:55:32 +00:00
}
2021-07-04 11:23:31 +00:00
func (s *Suite) TestPortGroup(c *check.C) {
n, err := h.CreateNamespace("testnamespace")
c.Assert(err, check.IsNil)
pak, err := h.CreatePreAuthKey(n.Name, false, false, nil)
c.Assert(err, check.IsNil)
db, err := h.db()
if err != nil {
c.Fatal(err)
}
_, err = h.GetMachine("testnamespace", "testmachine")
c.Assert(err, check.NotNil)
ip, _ := h.getAvailableIP()
m := Machine{
ID: 0,
MachineKey: "foo",
NodeKey: "bar",
DiscoKey: "faa",
Name: "testmachine",
NamespaceID: n.ID,
Registered: true,
RegisterMethod: "authKey",
IPAddress: ip.String(),
AuthKeyID: uint(pak.ID),
}
db.Save(&m)
2021-07-04 11:23:31 +00:00
err = h.LoadAclPolicy("./tests/acls/acl_policy_basic_groups.hujson")
c.Assert(err, check.IsNil)
rules, err := h.generateACLRules()
c.Assert(err, check.IsNil)
c.Assert(rules, check.NotNil)
2021-07-04 11:23:31 +00:00
c.Assert(*rules, check.HasLen, 1)
c.Assert((*rules)[0].DstPorts, check.HasLen, 1)
c.Assert((*rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
c.Assert((*rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
c.Assert((*rules)[0].SrcIPs, check.HasLen, 1)
c.Assert((*rules)[0].SrcIPs[0], check.Not(check.Equals), "not an ip")
c.Assert((*rules)[0].SrcIPs[0], check.Equals, ip.String())
}