Refactor remotes and handshaking to give every address a fair shot (#437)

2025-11-24 01:14:25 +01:00 · 2021-04-14 13:50:09 -05:00
parent 20bef975cd
commit 710df6a876
25 changed files with 1561 additions and 1385 deletions
--- a/e2e/handshakes_test.go
+++ b/e2e/handshakes_test.go
@@ -9,6 +9,7 @@ import (

 	"github.com/slackhq/nebula"
 	"github.com/slackhq/nebula/e2e/router"
+	"github.com/stretchr/testify/assert"
 )

 func TestGoodHandshake(t *testing.T) {
@@ -23,35 +24,35 @@ func TestGoodHandshake(t *testing.T) {
 	myControl.Start()
 	theirControl.Start()

-	// Send a udp packet through to begin standing up the tunnel, this should come out the other side
+	t.Log("Send a udp packet through to begin standing up the tunnel, this should come out the other side")
 	myControl.InjectTunUDPPacket(theirVpnIp, 80, 80, []byte("Hi from me"))

-	// Have them consume my stage 0 packet. They have a tunnel now
+	t.Log("Have them consume my stage 0 packet. They have a tunnel now")
 	theirControl.InjectUDPPacket(myControl.GetFromUDP(true))

-	// Get their stage 1 packet so that we can play with it
+	t.Log("Get their stage 1 packet so that we can play with it")
 	stage1Packet := theirControl.GetFromUDP(true)

-	// I consume a garbage packet with a proper nebula header for our tunnel
+	t.Log("I consume a garbage packet with a proper nebula header for our tunnel")
 	// this should log a statement and get ignored, allowing the real handshake packet to complete the tunnel
 	badPacket := stage1Packet.Copy()
 	badPacket.Data = badPacket.Data[:len(badPacket.Data)-nebula.HeaderLen]
 	myControl.InjectUDPPacket(badPacket)

-	// Have me consume their real stage 1 packet. I have a tunnel now
+	t.Log("Have me consume their real stage 1 packet. I have a tunnel now")
 	myControl.InjectUDPPacket(stage1Packet)

-	// Wait until we see my cached packet come through
+	t.Log("Wait until we see my cached packet come through")
 	myControl.WaitForType(1, 0, theirControl)

-	// Make sure our host infos are correct
+	t.Log("Make sure our host infos are correct")
 	assertHostInfoPair(t, myUdpAddr, theirUdpAddr, myVpnIp, theirVpnIp, myControl, theirControl)

-	// Get that cached packet and make sure it looks right
+	t.Log("Get that cached packet and make sure it looks right")
 	myCachedPacket := theirControl.GetFromTun(true)
 	assertUdpPacket(t, []byte("Hi from me"), myCachedPacket, myVpnIp, theirVpnIp, 80, 80)

-	// Do a bidirectional tunnel test
+	t.Log("Do a bidirectional tunnel test")
 	assertTunnel(t, myVpnIp, theirVpnIp, myControl, theirControl, router.NewR(myControl, theirControl))

 	myControl.Stop()
@@ -62,14 +63,17 @@ func TestGoodHandshake(t *testing.T) {
 func TestWrongResponderHandshake(t *testing.T) {
 	ca, _, caKey, _ := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{})

-	myControl, myVpnIp, myUdpAddr := newSimpleServer(ca, caKey, "me", net.IP{10, 0, 0, 1})
-	theirControl, theirVpnIp, theirUdpAddr := newSimpleServer(ca, caKey, "them", net.IP{10, 0, 0, 2})
-	evilControl, evilVpnIp, evilUdpAddr := newSimpleServer(ca, caKey, "evil", net.IP{10, 0, 0, 99})
+	// The IPs here are chosen on purpose:
+	// The current remote handling will sort by preference, public, and then lexically.
+	// So we need them to have a higher address than evil (we could apply a preference though)
+	myControl, myVpnIp, myUdpAddr := newSimpleServer(ca, caKey, "me", net.IP{10, 0, 0, 100})
+	theirControl, theirVpnIp, theirUdpAddr := newSimpleServer(ca, caKey, "them", net.IP{10, 0, 0, 99})
+	evilControl, evilVpnIp, evilUdpAddr := newSimpleServer(ca, caKey, "evil", net.IP{10, 0, 0, 2})

-	// Add their real udp addr, which should be tried after evil. Doing this first because learned addresses are prepended
+	// Add their real udp addr, which should be tried after evil.
 	myControl.InjectLightHouseAddr(theirVpnIp, theirUdpAddr)

-	// Put the evil udp addr in for their vpn Ip, this is a case of being lied to by the lighthouse. This will now be the first attempted ip
+	// Put the evil udp addr in for their vpn Ip, this is a case of being lied to by the lighthouse.
 	myControl.InjectLightHouseAddr(theirVpnIp, evilUdpAddr)

 	// Build a router so we don't have to reason who gets which packet
@@ -80,137 +84,98 @@ func TestWrongResponderHandshake(t *testing.T) {
 	theirControl.Start()
 	evilControl.Start()

-	t.Log("Stand up the tunnel with evil (because the lighthouse cache is lying to us about who it is)")
+	t.Log("Start the handshake process, we will route until we see our cached packet get sent to them")
 	myControl.InjectTunUDPPacket(theirVpnIp, 80, 80, []byte("Hi from me"))
-	r.OnceFrom(myControl)
-	r.OnceFrom(evilControl)
+	r.RouteForAllExitFunc(func(p *nebula.UdpPacket, c *nebula.Control) router.ExitType {
+		h := &nebula.Header{}
+		err := h.Parse(p.Data)
+		if err != nil {
+			panic(err)
+		}

-	t.Log("I should have a tunnel with evil now and there should not be a cached packet waiting for us")
-	assertTunnel(t, myVpnIp, evilVpnIp, myControl, evilControl, r)
-	assertHostInfoPair(t, myUdpAddr, evilUdpAddr, myVpnIp, evilVpnIp, myControl, evilControl)
+		if p.ToIp.Equal(theirUdpAddr.IP) && p.ToPort == uint16(theirUdpAddr.Port) && h.Type == 1 {
+			return router.RouteAndExit
+		}
+
+		return router.KeepRouting
+	})

 	//TODO: Assert pending hostmap - I should have a correct hostinfo for them now

-	t.Log("Lets let the messages fly, this time we should have a tunnel with them")
-	r.OnceFrom(myControl)
-	r.OnceFrom(theirControl)
-
-	t.Log("I should now have a tunnel with them now and my original packet should get there")
-	r.RouteUntilAfterMsgType(myControl, 1, 0)
+	t.Log("My cached packet should be received by them")
 	myCachedPacket := theirControl.GetFromTun(true)
 	assertUdpPacket(t, []byte("Hi from me"), myCachedPacket, myVpnIp, theirVpnIp, 80, 80)

-	t.Log("I should now have a proper tunnel with them")
+	t.Log("Test the tunnel with them")
 	assertHostInfoPair(t, myUdpAddr, theirUdpAddr, myVpnIp, theirVpnIp, myControl, theirControl)
 	assertTunnel(t, myVpnIp, theirVpnIp, myControl, theirControl, r)

-	t.Log("Lets make sure evil is still good")
-	assertTunnel(t, myVpnIp, evilVpnIp, myControl, evilControl, r)
+	t.Log("Flush all packets from all controllers")
+	r.FlushAll()
+
+	t.Log("Ensure ensure I don't have any hostinfo artifacts from evil")
+	assert.Nil(t, myControl.GetHostInfoByVpnIP(ip2int(evilVpnIp), true), "My pending hostmap should not contain evil")
+	assert.Nil(t, myControl.GetHostInfoByVpnIP(ip2int(evilVpnIp), false), "My main hostmap should not contain evil")
+	//NOTE: if evil lost the handshake race it may still have a tunnel since me would reject the handshake since the tunnel is complete

 	//TODO: assert hostmaps for everyone
 	t.Log("Success!")
-	//TODO: myControl is attempting to shut down 2 tunnels but is blocked on the udp txChan after the first close message
-	// what we really need here is a way to exit all the go routines loops (there are many)
-	//myControl.Stop()
-	//theirControl.Stop()
+	myControl.Stop()
+	theirControl.Stop()
 }

-////TODO: We need to test lies both as the race winner and race loser
-//func TestManyWrongResponderHandshake(t *testing.T) {
-//	ca, _, caKey, _ := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{})
-//
-//	myControl, myVpnIp, myUdpAddr := newSimpleServer(ca, caKey, "me", net.IP{10, 0, 0, 99})
-//	theirControl, theirVpnIp, theirUdpAddr := newSimpleServer(ca, caKey, "them", net.IP{10, 0, 0, 2})
-//	evilControl, evilVpnIp, evilUdpAddr := newSimpleServer(ca, caKey, "evil", net.IP{10, 0, 0, 1})
-//
-//	t.Log("Build a router so we don't have to reason who gets which packet")
-//	r := newRouter(myControl, theirControl, evilControl)
-//
-//	t.Log("Lets add more than 10 evil addresses, this exceeds the hostinfo remotes limit")
-//	for i := 0; i < 10; i++ {
-//		addr := net.UDPAddr{IP: evilUdpAddr.IP, Port: evilUdpAddr.Port + i}
-//		myControl.InjectLightHouseAddr(theirVpnIp, &addr)
-//		// We also need to tell our router about it
-//		r.AddRoute(addr.IP, uint16(addr.Port), evilControl)
-//	}
-//
-//	// Start the servers
-//	myControl.Start()
-//	theirControl.Start()
-//	evilControl.Start()
-//
-//	t.Log("Stand up the tunnel with evil (because the lighthouse cache is lying to us about who it is)")
-//	myControl.InjectTunUDPPacket(theirVpnIp, 80, 80, []byte("Hi from me"))
-//
-//	t.Log("We need to spin until we get to the right remote for them")
-//	getOut := false
-//	injected := false
-//	for {
-//		t.Log("Routing for me and evil while we work through the bad ips")
-//		r.RouteExitFunc(myControl, func(packet *nebula.UdpPacket, receiver *nebula.Control) exitType {
-//			// We should stop routing right after we see a packet coming from us to them
-//			if *receiver == *theirControl {
-//				getOut = true
-//				return drainAndExit
-//			}
-//
-//			// We need to poke our real ip in at some point, this is a well protected check looking for that moment
-//			if *receiver == *evilControl {
-//				hi := myControl.GetHostInfoByVpnIP(ip2int(theirVpnIp), true)
-//				if !injected && len(hi.RemoteAddrs) == 1 {
-//					t.Log("I am on my last ip for them, time to inject the real one into my lighthouse")
-//					myControl.InjectLightHouseAddr(theirVpnIp, theirUdpAddr)
-//					injected = true
-//				}
-//				return drainAndExit
-//			}
-//
-//			return keepRouting
-//		})
-//
-//		if getOut {
-//			break
-//		}
-//
-//		r.RouteForUntilAfterToAddr(evilControl, myUdpAddr, drainAndExit)
-//	}
-//
-//	t.Log("I should have a tunnel with evil and them, evil should not have a cached packet")
-//	assertTunnel(t, myVpnIp, evilVpnIp, myControl, evilControl, r)
-//	evilHostInfo := myControl.GetHostInfoByVpnIP(ip2int(evilVpnIp), false)
-//	realEvilUdpAddr := &net.UDPAddr{IP: evilHostInfo.CurrentRemote.IP, Port: int(evilHostInfo.CurrentRemote.Port)}
-//
-//	t.Log("Assert mine and evil's host pairs", evilUdpAddr, realEvilUdpAddr)
-//	assertHostInfoPair(t, myUdpAddr, realEvilUdpAddr, myVpnIp, evilVpnIp, myControl, evilControl)
-//
-//	//t.Log("Draining everyones packets")
-//	//r.Drain(theirControl)
-//	//r.DrainAll(myControl, theirControl, evilControl)
-//	//
-//	//go func() {
-//	//	for {
-//	//		time.Sleep(10 * time.Millisecond)
-//	//		t.Log(len(theirControl.GetUDPTxChan()))
-//	//		t.Log(len(theirControl.GetTunTxChan()))
-//	//		t.Log(len(myControl.GetUDPTxChan()))
-//	//		t.Log(len(evilControl.GetUDPTxChan()))
-//	//		t.Log("=====")
-//	//	}
-//	//}()
-//
-//	t.Log("I should have a tunnel with them now and my original packet should get there")
-//	r.RouteUntilAfterMsgType(myControl, 1, 0)
-//	myCachedPacket := theirControl.GetFromTun(true)
-//
-//	t.Log("Got the cached packet, lets test the tunnel")
-//	assertUdpPacket(t, []byte("Hi from me"), myCachedPacket, myVpnIp, theirVpnIp, 80, 80)
-//
-//	t.Log("Testing tunnels with them")
-//	assertHostInfoPair(t, myUdpAddr, theirUdpAddr, myVpnIp, theirVpnIp, myControl, theirControl)
-//	assertTunnel(t, myVpnIp, theirVpnIp, myControl, theirControl, r)
-//
-//	t.Log("Testing tunnels with evil")
-//	assertTunnel(t, myVpnIp, evilVpnIp, myControl, evilControl, r)
-//
-//	//TODO: assert hostmaps for everyone
-//}
+func Test_Case1_Stage1Race(t *testing.T) {
+	ca, _, caKey, _ := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{})
+	myControl, myVpnIp, myUdpAddr := newSimpleServer(ca, caKey, "me  ", net.IP{10, 0, 0, 1})
+	theirControl, theirVpnIp, theirUdpAddr := newSimpleServer(ca, caKey, "them", net.IP{10, 0, 0, 2})
+
+	// Put their info in our lighthouse and vice versa
+	myControl.InjectLightHouseAddr(theirVpnIp, theirUdpAddr)
+	theirControl.InjectLightHouseAddr(myVpnIp, myUdpAddr)
+
+	// Build a router so we don't have to reason who gets which packet
+	r := router.NewR(myControl, theirControl)
+
+	// Start the servers
+	myControl.Start()
+	theirControl.Start()
+
+	t.Log("Trigger a handshake to start on both me and them")
+	myControl.InjectTunUDPPacket(theirVpnIp, 80, 80, []byte("Hi from me"))
+	theirControl.InjectTunUDPPacket(myVpnIp, 80, 80, []byte("Hi from them"))
+
+	t.Log("Get both stage 1 handshake packets")
+	myHsForThem := myControl.GetFromUDP(true)
+	theirHsForMe := theirControl.GetFromUDP(true)
+
+	t.Log("Now inject both stage 1 handshake packets")
+	myControl.InjectUDPPacket(theirHsForMe)
+	theirControl.InjectUDPPacket(myHsForThem)
+	//TODO: they should win, grab their index for me and make sure I use it in the end.
+
+	t.Log("They should not have a stage 2 (won the race) but I should send one")
+	theirControl.InjectUDPPacket(myControl.GetFromUDP(true))
+
+	t.Log("Route for me until I send a message packet to them")
+	myControl.WaitForType(1, 0, theirControl)
+
+	t.Log("My cached packet should be received by them")
+	myCachedPacket := theirControl.GetFromTun(true)
+	assertUdpPacket(t, []byte("Hi from me"), myCachedPacket, myVpnIp, theirVpnIp, 80, 80)
+
+	t.Log("Route for them until I send a message packet to me")
+	theirControl.WaitForType(1, 0, myControl)
+
+	t.Log("Their cached packet should be received by me")
+	theirCachedPacket := myControl.GetFromTun(true)
+	assertUdpPacket(t, []byte("Hi from them"), theirCachedPacket, theirVpnIp, myVpnIp, 80, 80)
+
+	t.Log("Do a bidirectional tunnel test")
+	assertTunnel(t, myVpnIp, theirVpnIp, myControl, theirControl, r)
+
+	myControl.Stop()
+	theirControl.Stop()
+	//TODO: assert hostmaps
+}
+
+//TODO: add a test with many lies