// Copyright (c) Tailscale Inc & AUTHORS // SPDX-License-Identifier: BSD-3-Clause package main import ( "context" "encoding/json" "flag" "fmt" "log" "net" "net/http/httptest" "net/netip" "os" "path/filepath" "strings" "testing" "time" "github.com/google/go-cmp/cmp" "tailscale.com/ipn/store/mem" "tailscale.com/net/netns" "tailscale.com/tailcfg" "tailscale.com/tsnet" "tailscale.com/tstest/integration" "tailscale.com/tstest/integration/testcontrol" "tailscale.com/tstest/nettest" "tailscale.com/types/appctype" "tailscale.com/types/ipproto" "tailscale.com/types/key" "tailscale.com/types/logger" ) func TestPortForwardingArguments(t *testing.T) { tests := []struct { in string wanterr string want *portForward }{ {"", "", nil}, {"bad port specifier", "cannot parse", nil}, {"tcp/xyz/example.com", "bad forwarding port", nil}, {"tcp//example.com", "bad forwarding port", nil}, {"tcp/2112/", "bad destination", nil}, {"udp/53/example.com", "unsupported forwarding protocol", nil}, {"tcp/22/github.com", "", &portForward{Proto: "tcp", Port: 22, Destination: "github.com"}}, } for _, tt := range tests { got, goterr := parseForward(tt.in) if tt.wanterr != "" { if !strings.Contains(goterr.Error(), tt.wanterr) { t.Errorf("f(%q).err = %v; want %v", tt.in, goterr, tt.wanterr) } } else if diff := cmp.Diff(got, tt.want); diff != "" { t.Errorf("Parsed forward (-got, +want):\n%s", diff) } } } var verboseDERP = flag.Bool("verbose-derp", false, "if set, print DERP and STUN logs") var verboseNodes = flag.Bool("verbose-nodes", false, "if set, print tsnet.Server logs") func startControl(t *testing.T) (control *testcontrol.Server, controlURL string) { // Corp#4520: don't use netns for tests. netns.SetEnabled(false) t.Cleanup(func() { netns.SetEnabled(true) }) derpLogf := logger.Discard if *verboseDERP { derpLogf = t.Logf } derpMap := integration.RunDERPAndSTUN(t, derpLogf, "127.0.0.1") control = &testcontrol.Server{ DERPMap: derpMap, DNSConfig: &tailcfg.DNSConfig{ Proxied: true, }, MagicDNSDomain: "tail-scale.ts.net", } control.HTTPTestServer = httptest.NewUnstartedServer(control) control.HTTPTestServer.Start() t.Cleanup(control.HTTPTestServer.Close) controlURL = control.HTTPTestServer.URL t.Logf("testcontrol listening on %s", controlURL) return control, controlURL } func startNode(t *testing.T, ctx context.Context, controlURL, hostname string) (*tsnet.Server, key.NodePublic, netip.Addr) { t.Helper() tmp := filepath.Join(t.TempDir(), hostname) os.MkdirAll(tmp, 0755) s := &tsnet.Server{ Dir: tmp, ControlURL: controlURL, Hostname: hostname, Store: new(mem.Store), Ephemeral: true, } if *verboseNodes { s.Logf = log.Printf } t.Cleanup(func() { s.Close() }) status, err := s.Up(ctx) if err != nil { t.Fatal(err) } return s, status.Self.PublicKey, status.TailscaleIPs[0] } func TestSNIProxyWithNetmapConfig(t *testing.T) { nettest.SkipIfNoNetwork(t) c, controlURL := startControl(t) ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) defer cancel() // Create a listener to proxy connections to. ln, err := net.Listen("tcp", "127.0.0.1:0") if err != nil { t.Fatal(err) } defer ln.Close() // Start sniproxy sni, nodeKey, ip := startNode(t, ctx, controlURL, "snitest") go run(ctx, sni, 0, sni.Hostname, false, 0, "", "") // Configure the mock coordination server to send down app connector config. config := &appctype.AppConnectorConfig{ DNAT: map[appctype.ConfigID]appctype.DNATConfig{ "nic_test": { Addrs: []netip.Addr{ip}, To: []string{"127.0.0.1"}, IP: []tailcfg.ProtoPortRange{ { Proto: int(ipproto.TCP), Ports: tailcfg.PortRange{First: uint16(ln.Addr().(*net.TCPAddr).Port), Last: uint16(ln.Addr().(*net.TCPAddr).Port)}, }, }, }, }, } b, err := json.Marshal(config) if err != nil { t.Fatal(err) } c.SetNodeCapMap(nodeKey, tailcfg.NodeCapMap{ configCapKey: []tailcfg.RawMessage{tailcfg.RawMessage(b)}, }) // Lets spin up a second node (to represent the client). client, _, _ := startNode(t, ctx, controlURL, "client") // Make sure that the sni node has received its config. l, err := sni.LocalClient() if err != nil { t.Fatal(err) } gotConfigured := false for range 100 { s, err := l.StatusWithoutPeers(ctx) if err != nil { t.Fatal(err) } if len(s.Self.CapMap) > 0 { gotConfigured = true break // we got it } time.Sleep(10 * time.Millisecond) } if !gotConfigured { t.Error("sni node never received its configuration from the coordination server!") } // Lets make the client open a connection to the sniproxy node, and // make sure it results in a connection to our test listener. w, err := client.Dial(ctx, "tcp", fmt.Sprintf("%s:%d", ip, ln.Addr().(*net.TCPAddr).Port)) if err != nil { t.Fatal(err) } defer w.Close() r, err := ln.Accept() if err != nil { t.Fatal(err) } r.Close() } func TestSNIProxyWithFlagConfig(t *testing.T) { nettest.SkipIfNoNetwork(t) _, controlURL := startControl(t) ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) defer cancel() // Create a listener to proxy connections to. ln, err := net.Listen("tcp", "127.0.0.1:0") if err != nil { t.Fatal(err) } defer ln.Close() // Start sniproxy sni, _, ip := startNode(t, ctx, controlURL, "snitest") go run(ctx, sni, 0, sni.Hostname, false, 0, "", fmt.Sprintf("tcp/%d/localhost", ln.Addr().(*net.TCPAddr).Port)) // Lets spin up a second node (to represent the client). client, _, _ := startNode(t, ctx, controlURL, "client") // Lets make the client open a connection to the sniproxy node, and // make sure it results in a connection to our test listener. w, err := client.Dial(ctx, "tcp", fmt.Sprintf("%s:%d", ip, ln.Addr().(*net.TCPAddr).Port)) if err != nil { t.Fatal(err) } defer w.Close() r, err := ln.Accept() if err != nil { t.Fatal(err) } r.Close() }