mirror of
https://github.com/slackhq/nebula.git
synced 2025-11-22 08:24:25 +01:00
a89f95182c
* firewall can distinguish if the host connecting has an overlapping network, is a VPN peer without an overlapping network, or is a unsafe network * Cross stack subnet stuff (#1512) * experiment with not filtering out non-common addresses in hostinfo.networks * allow handshakes without overlaps * unsafe network test * change HostInfo.buildNetworks argument to reference the cert
368 lines
14 KiB
Go
368 lines
14 KiB
Go
//go:build e2e_testing
|
|
// +build e2e_testing
|
|
|
|
package e2e
|
|
|
|
import (
|
|
"fmt"
|
|
"net/netip"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/slackhq/nebula/cert"
|
|
"github.com/slackhq/nebula/cert_test"
|
|
"github.com/slackhq/nebula/e2e/router"
|
|
"github.com/stretchr/testify/assert"
|
|
"gopkg.in/yaml.v3"
|
|
)
|
|
|
|
func TestDropInactiveTunnels(t *testing.T) {
|
|
// The goal of this test is to ensure the shortest inactivity timeout will close the tunnel on both sides
|
|
// under ideal conditions
|
|
ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
|
|
myControl, myVpnIpNet, myUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "me", "10.128.0.1/24", m{"tunnels": m{"drop_inactive": true, "inactivity_timeout": "5s"}})
|
|
theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServer(cert.Version1, ca, caKey, "them", "10.128.0.2/24", m{"tunnels": m{"drop_inactive": true, "inactivity_timeout": "10m"}})
|
|
|
|
// Share our underlay information
|
|
myControl.InjectLightHouseAddr(theirVpnIpNet[0].Addr(), theirUdpAddr)
|
|
theirControl.InjectLightHouseAddr(myVpnIpNet[0].Addr(), myUdpAddr)
|
|
|
|
// Start the servers
|
|
myControl.Start()
|
|
theirControl.Start()
|
|
|
|
r := router.NewR(t, myControl, theirControl)
|
|
|
|
r.Log("Assert the tunnel between me and them works")
|
|
assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
|
|
|
|
r.Log("Go inactive and wait for the tunnels to get dropped")
|
|
waitStart := time.Now()
|
|
for {
|
|
myIndexes := len(myControl.GetHostmap().Indexes)
|
|
theirIndexes := len(theirControl.GetHostmap().Indexes)
|
|
if myIndexes == 0 && theirIndexes == 0 {
|
|
break
|
|
}
|
|
|
|
since := time.Since(waitStart)
|
|
r.Logf("my tunnels: %v; their tunnels: %v; duration: %v", myIndexes, theirIndexes, since)
|
|
if since > time.Second*30 {
|
|
t.Fatal("Tunnel should have been declared inactive after 5 seconds and before 30 seconds")
|
|
}
|
|
|
|
time.Sleep(1 * time.Second)
|
|
r.FlushAll()
|
|
}
|
|
|
|
r.Logf("Inactive tunnels were dropped within %v", time.Since(waitStart))
|
|
myControl.Stop()
|
|
theirControl.Stop()
|
|
}
|
|
|
|
func TestCertUpgrade(t *testing.T) {
|
|
// The goal of this test is to ensure the shortest inactivity timeout will close the tunnel on both sides
|
|
// under ideal conditions
|
|
ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
|
|
caB, err := ca.MarshalPEM()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
ca2, _, caKey2, _ := cert_test.NewTestCaCert(cert.Version2, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
|
|
|
|
ca2B, err := ca2.MarshalPEM()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
caStr := fmt.Sprintf("%s\n%s", caB, ca2B)
|
|
|
|
myCert, _, myPrivKey, _ := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "me", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.1/24")}, nil, []string{})
|
|
_, myCert2Pem := cert_test.NewTestCertDifferentVersion(myCert, cert.Version2, ca2, caKey2)
|
|
|
|
theirCert, _, theirPrivKey, _ := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "them", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.2/24")}, nil, []string{})
|
|
theirCert2, _ := cert_test.NewTestCertDifferentVersion(theirCert, cert.Version2, ca2, caKey2)
|
|
|
|
myControl, myVpnIpNet, myUdpAddr, myC := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{myCert}, myPrivKey, m{})
|
|
theirControl, theirVpnIpNet, theirUdpAddr, _ := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{theirCert, theirCert2}, theirPrivKey, m{})
|
|
|
|
// Share our underlay information
|
|
myControl.InjectLightHouseAddr(theirVpnIpNet[0].Addr(), theirUdpAddr)
|
|
theirControl.InjectLightHouseAddr(myVpnIpNet[0].Addr(), myUdpAddr)
|
|
|
|
// Start the servers
|
|
myControl.Start()
|
|
theirControl.Start()
|
|
|
|
r := router.NewR(t, myControl, theirControl)
|
|
defer r.RenderFlow()
|
|
|
|
r.Log("Assert the tunnel between me and them works")
|
|
assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
|
|
r.Log("yay")
|
|
//todo ???
|
|
time.Sleep(1 * time.Second)
|
|
r.FlushAll()
|
|
|
|
mc := m{
|
|
"pki": m{
|
|
"ca": caStr,
|
|
"cert": string(myCert2Pem),
|
|
"key": string(myPrivKey),
|
|
},
|
|
//"tun": m{"disabled": true},
|
|
"firewall": myC.Settings["firewall"],
|
|
//"handshakes": m{
|
|
// "try_interval": "1s",
|
|
//},
|
|
"listen": myC.Settings["listen"],
|
|
"logging": myC.Settings["logging"],
|
|
"timers": myC.Settings["timers"],
|
|
}
|
|
|
|
cb, err := yaml.Marshal(mc)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
r.Logf("reload new v2-only config")
|
|
err = myC.ReloadConfigString(string(cb))
|
|
assert.NoError(t, err)
|
|
r.Log("yay, spin until their sees it")
|
|
waitStart := time.Now()
|
|
for {
|
|
assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
|
|
c := theirControl.GetHostInfoByVpnAddr(myVpnIpNet[0].Addr(), false)
|
|
if c == nil {
|
|
r.Log("nil")
|
|
} else {
|
|
version := c.Cert.Version()
|
|
r.Logf("version %d", version)
|
|
if version == cert.Version2 {
|
|
break
|
|
}
|
|
}
|
|
since := time.Since(waitStart)
|
|
if since > time.Second*10 {
|
|
t.Fatal("Cert should be new by now")
|
|
}
|
|
time.Sleep(time.Second)
|
|
}
|
|
|
|
r.RenderHostmaps("Final hostmaps", myControl, theirControl)
|
|
|
|
myControl.Stop()
|
|
theirControl.Stop()
|
|
}
|
|
|
|
func TestCertDowngrade(t *testing.T) {
|
|
// The goal of this test is to ensure the shortest inactivity timeout will close the tunnel on both sides
|
|
// under ideal conditions
|
|
ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
|
|
caB, err := ca.MarshalPEM()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
ca2, _, caKey2, _ := cert_test.NewTestCaCert(cert.Version2, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
|
|
|
|
ca2B, err := ca2.MarshalPEM()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
caStr := fmt.Sprintf("%s\n%s", caB, ca2B)
|
|
|
|
myCert, _, myPrivKey, myCertPem := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "me", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.1/24")}, nil, []string{})
|
|
myCert2, _ := cert_test.NewTestCertDifferentVersion(myCert, cert.Version2, ca2, caKey2)
|
|
|
|
theirCert, _, theirPrivKey, _ := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "them", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.2/24")}, nil, []string{})
|
|
theirCert2, _ := cert_test.NewTestCertDifferentVersion(theirCert, cert.Version2, ca2, caKey2)
|
|
|
|
myControl, myVpnIpNet, myUdpAddr, myC := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{myCert2}, myPrivKey, m{})
|
|
theirControl, theirVpnIpNet, theirUdpAddr, _ := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{theirCert, theirCert2}, theirPrivKey, m{})
|
|
|
|
// Share our underlay information
|
|
myControl.InjectLightHouseAddr(theirVpnIpNet[0].Addr(), theirUdpAddr)
|
|
theirControl.InjectLightHouseAddr(myVpnIpNet[0].Addr(), myUdpAddr)
|
|
|
|
// Start the servers
|
|
myControl.Start()
|
|
theirControl.Start()
|
|
|
|
r := router.NewR(t, myControl, theirControl)
|
|
defer r.RenderFlow()
|
|
|
|
r.Log("Assert the tunnel between me and them works")
|
|
//assertTunnel(t, theirVpnIpNet[0].Addr(), myVpnIpNet[0].Addr(), theirControl, myControl, r)
|
|
//r.Log("yay")
|
|
assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
|
|
r.Log("yay")
|
|
//todo ???
|
|
time.Sleep(1 * time.Second)
|
|
r.FlushAll()
|
|
|
|
mc := m{
|
|
"pki": m{
|
|
"ca": caStr,
|
|
"cert": string(myCertPem),
|
|
"key": string(myPrivKey),
|
|
},
|
|
"firewall": myC.Settings["firewall"],
|
|
"listen": myC.Settings["listen"],
|
|
"logging": myC.Settings["logging"],
|
|
"timers": myC.Settings["timers"],
|
|
}
|
|
|
|
cb, err := yaml.Marshal(mc)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
r.Logf("reload new v1-only config")
|
|
err = myC.ReloadConfigString(string(cb))
|
|
assert.NoError(t, err)
|
|
r.Log("yay, spin until their sees it")
|
|
waitStart := time.Now()
|
|
for {
|
|
assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
|
|
c := theirControl.GetHostInfoByVpnAddr(myVpnIpNet[0].Addr(), false)
|
|
c2 := myControl.GetHostInfoByVpnAddr(theirVpnIpNet[0].Addr(), false)
|
|
if c == nil || c2 == nil {
|
|
r.Log("nil")
|
|
} else {
|
|
version := c.Cert.Version()
|
|
theirVersion := c2.Cert.Version()
|
|
r.Logf("version %d,%d", version, theirVersion)
|
|
if version == cert.Version1 {
|
|
break
|
|
}
|
|
}
|
|
since := time.Since(waitStart)
|
|
if since > time.Second*5 {
|
|
r.Log("it is unusual that the cert is not new yet, but not a failure yet")
|
|
}
|
|
if since > time.Second*10 {
|
|
r.Log("wtf")
|
|
t.Fatal("Cert should be new by now")
|
|
}
|
|
time.Sleep(time.Second)
|
|
}
|
|
|
|
r.RenderHostmaps("Final hostmaps", myControl, theirControl)
|
|
|
|
myControl.Stop()
|
|
theirControl.Stop()
|
|
}
|
|
|
|
func TestCertMismatchCorrection(t *testing.T) {
|
|
// The goal of this test is to ensure the shortest inactivity timeout will close the tunnel on both sides
|
|
// under ideal conditions
|
|
ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version1, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
|
|
ca2, _, caKey2, _ := cert_test.NewTestCaCert(cert.Version2, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
|
|
|
|
myCert, _, myPrivKey, _ := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "me", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.1/24")}, nil, []string{})
|
|
myCert2, _ := cert_test.NewTestCertDifferentVersion(myCert, cert.Version2, ca2, caKey2)
|
|
|
|
theirCert, _, theirPrivKey, _ := cert_test.NewTestCert(cert.Version1, cert.Curve_CURVE25519, ca, caKey, "them", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{netip.MustParsePrefix("10.128.0.2/24")}, nil, []string{})
|
|
theirCert2, _ := cert_test.NewTestCertDifferentVersion(theirCert, cert.Version2, ca2, caKey2)
|
|
|
|
myControl, myVpnIpNet, myUdpAddr, _ := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{myCert2}, myPrivKey, m{})
|
|
theirControl, theirVpnIpNet, theirUdpAddr, _ := newServer([]cert.Certificate{ca, ca2}, []cert.Certificate{theirCert, theirCert2}, theirPrivKey, m{})
|
|
|
|
// Share our underlay information
|
|
myControl.InjectLightHouseAddr(theirVpnIpNet[0].Addr(), theirUdpAddr)
|
|
theirControl.InjectLightHouseAddr(myVpnIpNet[0].Addr(), myUdpAddr)
|
|
|
|
// Start the servers
|
|
myControl.Start()
|
|
theirControl.Start()
|
|
|
|
r := router.NewR(t, myControl, theirControl)
|
|
defer r.RenderFlow()
|
|
|
|
r.Log("Assert the tunnel between me and them works")
|
|
//assertTunnel(t, theirVpnIpNet[0].Addr(), myVpnIpNet[0].Addr(), theirControl, myControl, r)
|
|
//r.Log("yay")
|
|
assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
|
|
r.Log("yay")
|
|
//todo ???
|
|
time.Sleep(1 * time.Second)
|
|
r.FlushAll()
|
|
|
|
waitStart := time.Now()
|
|
for {
|
|
assertTunnel(t, myVpnIpNet[0].Addr(), theirVpnIpNet[0].Addr(), myControl, theirControl, r)
|
|
c := theirControl.GetHostInfoByVpnAddr(myVpnIpNet[0].Addr(), false)
|
|
c2 := myControl.GetHostInfoByVpnAddr(theirVpnIpNet[0].Addr(), false)
|
|
if c == nil || c2 == nil {
|
|
r.Log("nil")
|
|
} else {
|
|
version := c.Cert.Version()
|
|
theirVersion := c2.Cert.Version()
|
|
r.Logf("version %d,%d", version, theirVersion)
|
|
if version == theirVersion {
|
|
break
|
|
}
|
|
}
|
|
since := time.Since(waitStart)
|
|
if since > time.Second*5 {
|
|
r.Log("wtf")
|
|
}
|
|
if since > time.Second*10 {
|
|
r.Log("wtf")
|
|
t.Fatal("Cert should be new by now")
|
|
}
|
|
time.Sleep(time.Second)
|
|
}
|
|
|
|
r.RenderHostmaps("Final hostmaps", myControl, theirControl)
|
|
|
|
myControl.Stop()
|
|
theirControl.Stop()
|
|
}
|
|
|
|
func TestCrossStackRelaysWork(t *testing.T) {
|
|
ca, _, caKey, _ := cert_test.NewTestCaCert(cert.Version2, cert.Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{})
|
|
myControl, myVpnIpNet, _, _ := newSimpleServer(cert.Version2, ca, caKey, "me ", "10.128.0.1/24,fc00::1/64", m{"relay": m{"use_relays": true}})
|
|
relayControl, relayVpnIpNet, relayUdpAddr, _ := newSimpleServer(cert.Version2, ca, caKey, "relay ", "10.128.0.128/24,fc00::128/64", m{"relay": m{"am_relay": true}})
|
|
theirUdp := netip.MustParseAddrPort("10.0.0.2:4242")
|
|
theirControl, theirVpnIpNet, theirUdpAddr, _ := newSimpleServerWithUdp(cert.Version2, ca, caKey, "them ", "fc00::2/64", theirUdp, m{"relay": m{"use_relays": true}})
|
|
|
|
//myVpnV4 := myVpnIpNet[0]
|
|
myVpnV6 := myVpnIpNet[1]
|
|
relayVpnV4 := relayVpnIpNet[0]
|
|
relayVpnV6 := relayVpnIpNet[1]
|
|
theirVpnV6 := theirVpnIpNet[0]
|
|
|
|
// Teach my how to get to the relay and that their can be reached via the relay
|
|
myControl.InjectLightHouseAddr(relayVpnV4.Addr(), relayUdpAddr)
|
|
myControl.InjectLightHouseAddr(relayVpnV6.Addr(), relayUdpAddr)
|
|
myControl.InjectRelays(theirVpnV6.Addr(), []netip.Addr{relayVpnV6.Addr()})
|
|
relayControl.InjectLightHouseAddr(theirVpnV6.Addr(), theirUdpAddr)
|
|
|
|
// Build a router so we don't have to reason who gets which packet
|
|
r := router.NewR(t, myControl, relayControl, theirControl)
|
|
defer r.RenderFlow()
|
|
|
|
// Start the servers
|
|
myControl.Start()
|
|
relayControl.Start()
|
|
theirControl.Start()
|
|
|
|
t.Log("Trigger a handshake from me to them via the relay")
|
|
myControl.InjectTunUDPPacket(theirVpnV6.Addr(), 80, myVpnV6.Addr(), 80, []byte("Hi from me"))
|
|
|
|
p := r.RouteForAllUntilTxTun(theirControl)
|
|
r.Log("Assert the tunnel works")
|
|
assertUdpPacket(t, []byte("Hi from me"), p, myVpnV6.Addr(), theirVpnV6.Addr(), 80, 80)
|
|
|
|
t.Log("reply?")
|
|
theirControl.InjectTunUDPPacket(myVpnV6.Addr(), 80, theirVpnV6.Addr(), 80, []byte("Hi from them"))
|
|
p = r.RouteForAllUntilTxTun(myControl)
|
|
assertUdpPacket(t, []byte("Hi from them"), p, theirVpnV6.Addr(), myVpnV6.Addr(), 80, 80)
|
|
|
|
r.RenderHostmaps("Final hostmaps", myControl, relayControl, theirControl)
|
|
//t.Log("finish up")
|
|
//myControl.Stop()
|
|
//theirControl.Stop()
|
|
//relayControl.Stop()
|
|
}
|