mirror of https://github.com/tailscale/tailscale/
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3610 lines
90 KiB
Go
3610 lines
90 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
package ipnlocal
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"math"
|
|
"net"
|
|
"net/http"
|
|
"net/netip"
|
|
"os"
|
|
"reflect"
|
|
"slices"
|
|
"sync"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/google/go-cmp/cmp"
|
|
"go4.org/netipx"
|
|
"golang.org/x/net/dns/dnsmessage"
|
|
"tailscale.com/appc"
|
|
"tailscale.com/appc/appctest"
|
|
"tailscale.com/clientupdate"
|
|
"tailscale.com/control/controlclient"
|
|
"tailscale.com/drive"
|
|
"tailscale.com/drive/driveimpl"
|
|
"tailscale.com/health"
|
|
"tailscale.com/hostinfo"
|
|
"tailscale.com/ipn"
|
|
"tailscale.com/ipn/store/mem"
|
|
"tailscale.com/net/netcheck"
|
|
"tailscale.com/net/netmon"
|
|
"tailscale.com/net/tsaddr"
|
|
"tailscale.com/tailcfg"
|
|
"tailscale.com/tsd"
|
|
"tailscale.com/tstest"
|
|
"tailscale.com/types/dnstype"
|
|
"tailscale.com/types/key"
|
|
"tailscale.com/types/logger"
|
|
"tailscale.com/types/logid"
|
|
"tailscale.com/types/netmap"
|
|
"tailscale.com/types/opt"
|
|
"tailscale.com/types/ptr"
|
|
"tailscale.com/types/views"
|
|
"tailscale.com/util/dnsname"
|
|
"tailscale.com/util/mak"
|
|
"tailscale.com/util/must"
|
|
"tailscale.com/util/set"
|
|
"tailscale.com/util/syspolicy"
|
|
"tailscale.com/wgengine"
|
|
"tailscale.com/wgengine/filter"
|
|
"tailscale.com/wgengine/wgcfg"
|
|
)
|
|
|
|
func fakeStoreRoutes(*appc.RouteInfo) error { return nil }
|
|
|
|
func inRemove(ip netip.Addr) bool {
|
|
for _, pfx := range removeFromDefaultRoute {
|
|
if pfx.Contains(ip) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func TestShrinkDefaultRoute(t *testing.T) {
|
|
tests := []struct {
|
|
route string
|
|
in []string
|
|
out []string
|
|
localIPFn func(netip.Addr) bool // true if this machine's local IP address should be "in" after shrinking.
|
|
}{
|
|
{
|
|
route: "0.0.0.0/0",
|
|
in: []string{"1.2.3.4", "25.0.0.1"},
|
|
out: []string{
|
|
"10.0.0.1",
|
|
"10.255.255.255",
|
|
"192.168.0.1",
|
|
"192.168.255.255",
|
|
"172.16.0.1",
|
|
"172.31.255.255",
|
|
"100.101.102.103",
|
|
"224.0.0.1",
|
|
"169.254.169.254",
|
|
// Some random IPv6 stuff that shouldn't be in a v4
|
|
// default route.
|
|
"fe80::",
|
|
"2601::1",
|
|
},
|
|
localIPFn: func(ip netip.Addr) bool { return !inRemove(ip) && ip.Is4() },
|
|
},
|
|
{
|
|
route: "::/0",
|
|
in: []string{"::1", "2601::1"},
|
|
out: []string{
|
|
"fe80::1",
|
|
"ff00::1",
|
|
tsaddr.TailscaleULARange().Addr().String(),
|
|
},
|
|
localIPFn: func(ip netip.Addr) bool { return !inRemove(ip) && ip.Is6() },
|
|
},
|
|
}
|
|
|
|
// Construct a fake local network environment to make this test hermetic.
|
|
// localInterfaceRoutes and hostIPs would normally come from calling interfaceRoutes,
|
|
// and localAddresses would normally come from calling interfaces.LocalAddresses.
|
|
var b netipx.IPSetBuilder
|
|
for _, c := range []string{"127.0.0.0/8", "192.168.9.0/24", "fe80::/32"} {
|
|
p := netip.MustParsePrefix(c)
|
|
b.AddPrefix(p)
|
|
}
|
|
localInterfaceRoutes, err := b.IPSet()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
hostIPs := []netip.Addr{
|
|
netip.MustParseAddr("127.0.0.1"),
|
|
netip.MustParseAddr("192.168.9.39"),
|
|
netip.MustParseAddr("fe80::1"),
|
|
netip.MustParseAddr("fe80::437d:feff:feca:49a7"),
|
|
}
|
|
localAddresses := []netip.Addr{
|
|
netip.MustParseAddr("192.168.9.39"),
|
|
}
|
|
|
|
for _, test := range tests {
|
|
def := netip.MustParsePrefix(test.route)
|
|
got, err := shrinkDefaultRoute(def, localInterfaceRoutes, hostIPs)
|
|
if err != nil {
|
|
t.Fatalf("shrinkDefaultRoute(%q): %v", test.route, err)
|
|
}
|
|
for _, ip := range test.in {
|
|
if !got.Contains(netip.MustParseAddr(ip)) {
|
|
t.Errorf("shrink(%q).Contains(%v) = false, want true", test.route, ip)
|
|
}
|
|
}
|
|
for _, ip := range test.out {
|
|
if got.Contains(netip.MustParseAddr(ip)) {
|
|
t.Errorf("shrink(%q).Contains(%v) = true, want false", test.route, ip)
|
|
}
|
|
}
|
|
for _, ip := range localAddresses {
|
|
want := test.localIPFn(ip)
|
|
if gotContains := got.Contains(ip); gotContains != want {
|
|
t.Errorf("shrink(%q).Contains(%v) = %v, want %v", test.route, ip, gotContains, want)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestPeerRoutes(t *testing.T) {
|
|
pp := netip.MustParsePrefix
|
|
tests := []struct {
|
|
name string
|
|
peers []wgcfg.Peer
|
|
want []netip.Prefix
|
|
}{
|
|
{
|
|
name: "small_v4",
|
|
peers: []wgcfg.Peer{
|
|
{
|
|
AllowedIPs: []netip.Prefix{
|
|
pp("100.101.102.103/32"),
|
|
},
|
|
},
|
|
},
|
|
want: []netip.Prefix{
|
|
pp("100.101.102.103/32"),
|
|
},
|
|
},
|
|
{
|
|
name: "big_v4",
|
|
peers: []wgcfg.Peer{
|
|
{
|
|
AllowedIPs: []netip.Prefix{
|
|
pp("100.101.102.103/32"),
|
|
pp("100.101.102.104/32"),
|
|
pp("100.101.102.105/32"),
|
|
},
|
|
},
|
|
},
|
|
want: []netip.Prefix{
|
|
pp("100.64.0.0/10"),
|
|
},
|
|
},
|
|
{
|
|
name: "has_1_v6",
|
|
peers: []wgcfg.Peer{
|
|
{
|
|
AllowedIPs: []netip.Prefix{
|
|
pp("fd7a:115c:a1e0:ab12:4843:cd96:6258:b240/128"),
|
|
},
|
|
},
|
|
},
|
|
want: []netip.Prefix{
|
|
pp("fd7a:115c:a1e0::/48"),
|
|
},
|
|
},
|
|
{
|
|
name: "has_2_v6",
|
|
peers: []wgcfg.Peer{
|
|
{
|
|
AllowedIPs: []netip.Prefix{
|
|
pp("fd7a:115c:a1e0:ab12:4843:cd96:6258:b240/128"),
|
|
pp("fd7a:115c:a1e0:ab12:4843:cd96:6258:b241/128"),
|
|
},
|
|
},
|
|
},
|
|
want: []netip.Prefix{
|
|
pp("fd7a:115c:a1e0::/48"),
|
|
},
|
|
},
|
|
{
|
|
name: "big_v4_big_v6",
|
|
peers: []wgcfg.Peer{
|
|
{
|
|
AllowedIPs: []netip.Prefix{
|
|
pp("100.101.102.103/32"),
|
|
pp("100.101.102.104/32"),
|
|
pp("100.101.102.105/32"),
|
|
pp("fd7a:115c:a1e0:ab12:4843:cd96:6258:b240/128"),
|
|
pp("fd7a:115c:a1e0:ab12:4843:cd96:6258:b241/128"),
|
|
},
|
|
},
|
|
},
|
|
want: []netip.Prefix{
|
|
pp("100.64.0.0/10"),
|
|
pp("fd7a:115c:a1e0::/48"),
|
|
},
|
|
},
|
|
{
|
|
name: "output-should-be-sorted",
|
|
peers: []wgcfg.Peer{
|
|
{
|
|
AllowedIPs: []netip.Prefix{
|
|
pp("100.64.0.2/32"),
|
|
pp("10.0.0.0/16"),
|
|
},
|
|
},
|
|
{
|
|
AllowedIPs: []netip.Prefix{
|
|
pp("100.64.0.1/32"),
|
|
pp("10.0.0.0/8"),
|
|
},
|
|
},
|
|
},
|
|
want: []netip.Prefix{
|
|
pp("10.0.0.0/8"),
|
|
pp("10.0.0.0/16"),
|
|
pp("100.64.0.1/32"),
|
|
pp("100.64.0.2/32"),
|
|
},
|
|
},
|
|
{
|
|
name: "skip-unmasked-prefixes",
|
|
peers: []wgcfg.Peer{
|
|
{
|
|
PublicKey: key.NewNode().Public(),
|
|
AllowedIPs: []netip.Prefix{
|
|
pp("100.64.0.2/32"),
|
|
pp("10.0.0.100/16"),
|
|
},
|
|
},
|
|
},
|
|
want: []netip.Prefix{
|
|
pp("100.64.0.2/32"),
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got := peerRoutes(t.Logf, tt.peers, 2)
|
|
if !reflect.DeepEqual(got, tt.want) {
|
|
t.Errorf("got = %v; want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestPeerAPIBase(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
nm *netmap.NetworkMap
|
|
peer *tailcfg.Node
|
|
want string
|
|
}{
|
|
{
|
|
name: "nil_netmap",
|
|
peer: new(tailcfg.Node),
|
|
want: "",
|
|
},
|
|
{
|
|
name: "nil_peer",
|
|
nm: new(netmap.NetworkMap),
|
|
want: "",
|
|
},
|
|
{
|
|
name: "self_only_4_them_both",
|
|
nm: &netmap.NetworkMap{
|
|
SelfNode: (&tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.1.1/32"),
|
|
},
|
|
}).View(),
|
|
},
|
|
peer: &tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.1.2/32"),
|
|
netip.MustParsePrefix("fe70::2/128"),
|
|
},
|
|
Hostinfo: (&tailcfg.Hostinfo{
|
|
Services: []tailcfg.Service{
|
|
{Proto: "peerapi4", Port: 444},
|
|
{Proto: "peerapi6", Port: 666},
|
|
},
|
|
}).View(),
|
|
},
|
|
want: "http://100.64.1.2:444",
|
|
},
|
|
{
|
|
name: "self_only_6_them_both",
|
|
nm: &netmap.NetworkMap{
|
|
SelfNode: (&tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
netip.MustParsePrefix("fe70::1/128"),
|
|
},
|
|
}).View(),
|
|
},
|
|
peer: &tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.1.2/32"),
|
|
netip.MustParsePrefix("fe70::2/128"),
|
|
},
|
|
Hostinfo: (&tailcfg.Hostinfo{
|
|
Services: []tailcfg.Service{
|
|
{Proto: "peerapi4", Port: 444},
|
|
{Proto: "peerapi6", Port: 666},
|
|
},
|
|
}).View(),
|
|
},
|
|
want: "http://[fe70::2]:666",
|
|
},
|
|
{
|
|
name: "self_both_them_only_4",
|
|
nm: &netmap.NetworkMap{
|
|
SelfNode: (&tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.1.1/32"),
|
|
netip.MustParsePrefix("fe70::1/128"),
|
|
},
|
|
}).View(),
|
|
},
|
|
peer: &tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.1.2/32"),
|
|
netip.MustParsePrefix("fe70::2/128"),
|
|
},
|
|
Hostinfo: (&tailcfg.Hostinfo{
|
|
Services: []tailcfg.Service{
|
|
{Proto: "peerapi4", Port: 444},
|
|
},
|
|
}).View(),
|
|
},
|
|
want: "http://100.64.1.2:444",
|
|
},
|
|
{
|
|
name: "self_both_them_only_6",
|
|
nm: &netmap.NetworkMap{
|
|
SelfNode: (&tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.1.1/32"),
|
|
netip.MustParsePrefix("fe70::1/128"),
|
|
},
|
|
}).View(),
|
|
},
|
|
peer: &tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.1.2/32"),
|
|
netip.MustParsePrefix("fe70::2/128"),
|
|
},
|
|
Hostinfo: (&tailcfg.Hostinfo{
|
|
Services: []tailcfg.Service{
|
|
{Proto: "peerapi6", Port: 666},
|
|
},
|
|
}).View(),
|
|
},
|
|
want: "http://[fe70::2]:666",
|
|
},
|
|
{
|
|
name: "self_both_them_no_peerapi_service",
|
|
nm: &netmap.NetworkMap{
|
|
SelfNode: (&tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.1.1/32"),
|
|
netip.MustParsePrefix("fe70::1/128"),
|
|
},
|
|
}).View(),
|
|
},
|
|
peer: &tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.1.2/32"),
|
|
netip.MustParsePrefix("fe70::2/128"),
|
|
},
|
|
},
|
|
want: "",
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got := peerAPIBase(tt.nm, tt.peer.View())
|
|
if got != tt.want {
|
|
t.Errorf("got %q; want %q", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
type panicOnUseTransport struct{}
|
|
|
|
func (panicOnUseTransport) RoundTrip(*http.Request) (*http.Response, error) {
|
|
panic("unexpected HTTP request")
|
|
}
|
|
|
|
func newTestLocalBackend(t testing.TB) *LocalBackend {
|
|
var logf logger.Logf = logger.Discard
|
|
sys := new(tsd.System)
|
|
store := new(mem.Store)
|
|
sys.Set(store)
|
|
eng, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set, sys.HealthTracker())
|
|
if err != nil {
|
|
t.Fatalf("NewFakeUserspaceEngine: %v", err)
|
|
}
|
|
t.Cleanup(eng.Close)
|
|
sys.Set(eng)
|
|
lb, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
|
|
if err != nil {
|
|
t.Fatalf("NewLocalBackend: %v", err)
|
|
}
|
|
return lb
|
|
}
|
|
|
|
// Issue 1573: don't generate a machine key if we don't want to be running.
|
|
func TestLazyMachineKeyGeneration(t *testing.T) {
|
|
tstest.Replace(t, &panicOnMachineKeyGeneration, func() bool { return true })
|
|
|
|
lb := newTestLocalBackend(t)
|
|
lb.SetHTTPTestClient(&http.Client{
|
|
Transport: panicOnUseTransport{}, // validate we don't send HTTP requests
|
|
})
|
|
|
|
if err := lb.Start(ipn.Options{}); err != nil {
|
|
t.Fatalf("Start: %v", err)
|
|
}
|
|
|
|
// Give the controlclient package goroutines (if they're
|
|
// accidentally started) extra time to schedule and run (and thus
|
|
// hit panicOnUseTransport).
|
|
time.Sleep(500 * time.Millisecond)
|
|
}
|
|
|
|
func TestZeroExitNodeViaLocalAPI(t *testing.T) {
|
|
lb := newTestLocalBackend(t)
|
|
|
|
// Give it an initial exit node in use.
|
|
if _, err := lb.EditPrefs(&ipn.MaskedPrefs{
|
|
ExitNodeIDSet: true,
|
|
Prefs: ipn.Prefs{
|
|
ExitNodeID: "foo",
|
|
},
|
|
}); err != nil {
|
|
t.Fatalf("enabling first exit node: %v", err)
|
|
}
|
|
|
|
// SetUseExitNodeEnabled(false) "remembers" the prior exit node.
|
|
if _, err := lb.SetUseExitNodeEnabled(false); err != nil {
|
|
t.Fatal("expected failure")
|
|
}
|
|
|
|
// Zero the exit node
|
|
pv, err := lb.EditPrefs(&ipn.MaskedPrefs{
|
|
ExitNodeIDSet: true,
|
|
Prefs: ipn.Prefs{
|
|
ExitNodeID: "",
|
|
},
|
|
})
|
|
|
|
if err != nil {
|
|
t.Fatalf("enabling first exit node: %v", err)
|
|
}
|
|
|
|
// We just set the internal exit node to the empty string, so InternalExitNodePrior should
|
|
// also be zero'd
|
|
if got, want := pv.InternalExitNodePrior(), tailcfg.StableNodeID(""); got != want {
|
|
t.Fatalf("unexpected InternalExitNodePrior %q, want: %q", got, want)
|
|
}
|
|
|
|
}
|
|
|
|
func TestSetUseExitNodeEnabled(t *testing.T) {
|
|
lb := newTestLocalBackend(t)
|
|
|
|
// Can't turn it on if it never had an old value.
|
|
if _, err := lb.SetUseExitNodeEnabled(true); err == nil {
|
|
t.Fatal("expected success")
|
|
}
|
|
|
|
// But we can turn it off when it's already off.
|
|
if _, err := lb.SetUseExitNodeEnabled(false); err != nil {
|
|
t.Fatal("expected failure")
|
|
}
|
|
|
|
// Give it an initial exit node in use.
|
|
if _, err := lb.EditPrefs(&ipn.MaskedPrefs{
|
|
ExitNodeIDSet: true,
|
|
Prefs: ipn.Prefs{
|
|
ExitNodeID: "foo",
|
|
},
|
|
}); err != nil {
|
|
t.Fatalf("enabling first exit node: %v", err)
|
|
}
|
|
|
|
// Now turn off that exit node.
|
|
if prefs, err := lb.SetUseExitNodeEnabled(false); err != nil {
|
|
t.Fatal("expected failure")
|
|
} else {
|
|
if g, w := prefs.ExitNodeID(), tailcfg.StableNodeID(""); g != w {
|
|
t.Fatalf("unexpected exit node ID %q; want %q", g, w)
|
|
}
|
|
if g, w := prefs.InternalExitNodePrior(), tailcfg.StableNodeID("foo"); g != w {
|
|
t.Fatalf("unexpected exit node prior %q; want %q", g, w)
|
|
}
|
|
}
|
|
|
|
// And turn it back on.
|
|
if prefs, err := lb.SetUseExitNodeEnabled(true); err != nil {
|
|
t.Fatal("expected failure")
|
|
} else {
|
|
if g, w := prefs.ExitNodeID(), tailcfg.StableNodeID("foo"); g != w {
|
|
t.Fatalf("unexpected exit node ID %q; want %q", g, w)
|
|
}
|
|
if g, w := prefs.InternalExitNodePrior(), tailcfg.StableNodeID("foo"); g != w {
|
|
t.Fatalf("unexpected exit node prior %q; want %q", g, w)
|
|
}
|
|
}
|
|
|
|
// Verify we block setting an Internal field.
|
|
if _, err := lb.EditPrefs(&ipn.MaskedPrefs{
|
|
InternalExitNodePriorSet: true,
|
|
}); err == nil {
|
|
t.Fatalf("unexpected success; want an error trying to set an internal field")
|
|
}
|
|
}
|
|
|
|
func TestFileTargets(t *testing.T) {
|
|
b := new(LocalBackend)
|
|
_, err := b.FileTargets()
|
|
if got, want := fmt.Sprint(err), "not connected to the tailnet"; got != want {
|
|
t.Errorf("before connect: got %q; want %q", got, want)
|
|
}
|
|
|
|
b.netMap = new(netmap.NetworkMap)
|
|
_, err = b.FileTargets()
|
|
if got, want := fmt.Sprint(err), "not connected to the tailnet"; got != want {
|
|
t.Errorf("non-running netmap: got %q; want %q", got, want)
|
|
}
|
|
|
|
b.state = ipn.Running
|
|
_, err = b.FileTargets()
|
|
if got, want := fmt.Sprint(err), "file sharing not enabled by Tailscale admin"; got != want {
|
|
t.Errorf("without cap: got %q; want %q", got, want)
|
|
}
|
|
|
|
b.capFileSharing = true
|
|
got, err := b.FileTargets()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if len(got) != 0 {
|
|
t.Fatalf("unexpected %d peers", len(got))
|
|
}
|
|
|
|
var peerMap map[tailcfg.NodeID]tailcfg.NodeView
|
|
mak.NonNil(&peerMap)
|
|
var nodeID tailcfg.NodeID
|
|
nodeID = 1234
|
|
peer := &tailcfg.Node{
|
|
ID: 1234,
|
|
Hostinfo: (&tailcfg.Hostinfo{OS: "tvOS"}).View(),
|
|
}
|
|
peerMap[nodeID] = peer.View()
|
|
b.peers = peerMap
|
|
got, err = b.FileTargets()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if len(got) != 0 {
|
|
t.Fatalf("unexpected %d peers", len(got))
|
|
}
|
|
// (other cases handled by TestPeerAPIBase above)
|
|
}
|
|
|
|
func TestInternalAndExternalInterfaces(t *testing.T) {
|
|
type interfacePrefix struct {
|
|
i netmon.Interface
|
|
pfx netip.Prefix
|
|
}
|
|
|
|
masked := func(ips ...interfacePrefix) (pfxs []netip.Prefix) {
|
|
for _, ip := range ips {
|
|
pfxs = append(pfxs, ip.pfx.Masked())
|
|
}
|
|
return pfxs
|
|
}
|
|
iList := func(ips ...interfacePrefix) (il netmon.InterfaceList) {
|
|
for _, ip := range ips {
|
|
il = append(il, ip.i)
|
|
}
|
|
return il
|
|
}
|
|
newInterface := func(name, pfx string, wsl2, loopback bool) interfacePrefix {
|
|
ippfx := netip.MustParsePrefix(pfx)
|
|
ip := netmon.Interface{
|
|
Interface: &net.Interface{},
|
|
AltAddrs: []net.Addr{
|
|
netipx.PrefixIPNet(ippfx),
|
|
},
|
|
}
|
|
if loopback {
|
|
ip.Flags = net.FlagLoopback
|
|
}
|
|
if wsl2 {
|
|
ip.HardwareAddr = []byte{0x00, 0x15, 0x5d, 0x00, 0x00, 0x00}
|
|
}
|
|
return interfacePrefix{i: ip, pfx: ippfx}
|
|
}
|
|
var (
|
|
en0 = newInterface("en0", "10.20.2.5/16", false, false)
|
|
en1 = newInterface("en1", "192.168.1.237/24", false, false)
|
|
wsl = newInterface("wsl", "192.168.5.34/24", true, false)
|
|
loopback = newInterface("lo0", "127.0.0.1/8", false, true)
|
|
)
|
|
|
|
tests := []struct {
|
|
name string
|
|
goos string
|
|
il netmon.InterfaceList
|
|
wantInt []netip.Prefix
|
|
wantExt []netip.Prefix
|
|
}{
|
|
{
|
|
name: "single-interface",
|
|
goos: "linux",
|
|
il: iList(
|
|
en0,
|
|
loopback,
|
|
),
|
|
wantInt: masked(loopback),
|
|
wantExt: masked(en0),
|
|
},
|
|
{
|
|
name: "multiple-interfaces",
|
|
goos: "linux",
|
|
il: iList(
|
|
en0,
|
|
en1,
|
|
wsl,
|
|
loopback,
|
|
),
|
|
wantInt: masked(loopback),
|
|
wantExt: masked(en0, en1, wsl),
|
|
},
|
|
{
|
|
name: "wsl2",
|
|
goos: "windows",
|
|
il: iList(
|
|
en0,
|
|
en1,
|
|
wsl,
|
|
loopback,
|
|
),
|
|
wantInt: masked(loopback, wsl),
|
|
wantExt: masked(en0, en1),
|
|
},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
gotInt, gotExt, err := internalAndExternalInterfacesFrom(tc.il, tc.goos)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if !reflect.DeepEqual(gotInt, tc.wantInt) {
|
|
t.Errorf("unexpected internal prefixes\ngot %v\nwant %v", gotInt, tc.wantInt)
|
|
}
|
|
if !reflect.DeepEqual(gotExt, tc.wantExt) {
|
|
t.Errorf("unexpected external prefixes\ngot %v\nwant %v", gotExt, tc.wantExt)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestPacketFilterPermitsUnlockedNodes(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
peers []*tailcfg.Node
|
|
filter []filter.Match
|
|
want bool
|
|
}{
|
|
{
|
|
name: "empty",
|
|
want: false,
|
|
},
|
|
{
|
|
name: "no-unsigned",
|
|
peers: []*tailcfg.Node{
|
|
{ID: 1},
|
|
},
|
|
want: false,
|
|
},
|
|
{
|
|
name: "unsigned-good",
|
|
peers: []*tailcfg.Node{
|
|
{ID: 1, UnsignedPeerAPIOnly: true},
|
|
},
|
|
want: false,
|
|
},
|
|
{
|
|
name: "unsigned-bad",
|
|
peers: []*tailcfg.Node{
|
|
{
|
|
ID: 1,
|
|
UnsignedPeerAPIOnly: true,
|
|
AllowedIPs: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.0.0/32"),
|
|
},
|
|
},
|
|
},
|
|
filter: []filter.Match{
|
|
{
|
|
Srcs: []netip.Prefix{netip.MustParsePrefix("100.64.0.0/32")},
|
|
Dsts: []filter.NetPortRange{
|
|
{
|
|
Net: netip.MustParsePrefix("100.99.0.0/32"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
want: true,
|
|
},
|
|
{
|
|
name: "unsigned-bad-src-is-superset",
|
|
peers: []*tailcfg.Node{
|
|
{
|
|
ID: 1,
|
|
UnsignedPeerAPIOnly: true,
|
|
AllowedIPs: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.0.0/32"),
|
|
},
|
|
},
|
|
},
|
|
filter: []filter.Match{
|
|
{
|
|
Srcs: []netip.Prefix{netip.MustParsePrefix("100.64.0.0/24")},
|
|
Dsts: []filter.NetPortRange{
|
|
{
|
|
Net: netip.MustParsePrefix("100.99.0.0/32"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
want: true,
|
|
},
|
|
{
|
|
name: "unsigned-okay-because-no-dsts",
|
|
peers: []*tailcfg.Node{
|
|
{
|
|
ID: 1,
|
|
UnsignedPeerAPIOnly: true,
|
|
AllowedIPs: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.0.0/32"),
|
|
},
|
|
},
|
|
},
|
|
filter: []filter.Match{
|
|
{
|
|
Srcs: []netip.Prefix{netip.MustParsePrefix("100.64.0.0/32")},
|
|
Caps: []filter.CapMatch{
|
|
{
|
|
Dst: netip.MustParsePrefix("100.99.0.0/32"),
|
|
Cap: "foo",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
want: false,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if got := packetFilterPermitsUnlockedNodes(peersMap(nodeViews(tt.peers)), tt.filter); got != tt.want {
|
|
t.Errorf("got %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestStatusPeerCapabilities(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
peers []tailcfg.NodeView
|
|
expectedPeerCapabilities map[tailcfg.StableNodeID][]tailcfg.NodeCapability
|
|
expectedPeerCapMap map[tailcfg.StableNodeID]tailcfg.NodeCapMap
|
|
}{
|
|
{
|
|
name: "peers-with-capabilities",
|
|
peers: []tailcfg.NodeView{
|
|
(&tailcfg.Node{
|
|
ID: 1,
|
|
StableID: "foo",
|
|
IsWireGuardOnly: true,
|
|
Hostinfo: (&tailcfg.Hostinfo{}).View(),
|
|
Capabilities: []tailcfg.NodeCapability{tailcfg.CapabilitySSH},
|
|
CapMap: (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
|
|
tailcfg.CapabilitySSH: nil,
|
|
}),
|
|
}).View(),
|
|
(&tailcfg.Node{
|
|
ID: 2,
|
|
StableID: "bar",
|
|
Hostinfo: (&tailcfg.Hostinfo{}).View(),
|
|
Capabilities: []tailcfg.NodeCapability{tailcfg.CapabilityAdmin},
|
|
CapMap: (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
|
|
tailcfg.CapabilityAdmin: {`{"test": "true}`},
|
|
}),
|
|
}).View(),
|
|
},
|
|
expectedPeerCapabilities: map[tailcfg.StableNodeID][]tailcfg.NodeCapability{
|
|
tailcfg.StableNodeID("foo"): {tailcfg.CapabilitySSH},
|
|
tailcfg.StableNodeID("bar"): {tailcfg.CapabilityAdmin},
|
|
},
|
|
expectedPeerCapMap: map[tailcfg.StableNodeID]tailcfg.NodeCapMap{
|
|
tailcfg.StableNodeID("foo"): (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
|
|
tailcfg.CapabilitySSH: nil,
|
|
}),
|
|
tailcfg.StableNodeID("bar"): (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
|
|
tailcfg.CapabilityAdmin: {`{"test": "true}`},
|
|
}),
|
|
},
|
|
},
|
|
{
|
|
name: "peers-without-capabilities",
|
|
peers: []tailcfg.NodeView{
|
|
(&tailcfg.Node{
|
|
ID: 1,
|
|
StableID: "foo",
|
|
IsWireGuardOnly: true,
|
|
Hostinfo: (&tailcfg.Hostinfo{}).View(),
|
|
}).View(),
|
|
(&tailcfg.Node{
|
|
ID: 2,
|
|
StableID: "bar",
|
|
Hostinfo: (&tailcfg.Hostinfo{}).View(),
|
|
}).View(),
|
|
},
|
|
},
|
|
}
|
|
b := newTestLocalBackend(t)
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
b.setNetMapLocked(&netmap.NetworkMap{
|
|
SelfNode: (&tailcfg.Node{
|
|
MachineAuthorized: true,
|
|
Addresses: ipps("100.101.101.101"),
|
|
}).View(),
|
|
Peers: tt.peers,
|
|
})
|
|
got := b.Status()
|
|
for _, peer := range got.Peer {
|
|
if !reflect.DeepEqual(peer.Capabilities, tt.expectedPeerCapabilities[peer.ID]) {
|
|
t.Errorf("peer capabilities: expected %v got %v", tt.expectedPeerCapabilities, peer.Capabilities)
|
|
}
|
|
if !reflect.DeepEqual(peer.CapMap, tt.expectedPeerCapMap[peer.ID]) {
|
|
t.Errorf("peer capmap: expected %v got %v", tt.expectedPeerCapMap, peer.CapMap)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// legacyBackend was the interface between Tailscale frontends
|
|
// (e.g. cmd/tailscale, iOS/MacOS/Windows GUIs) and the tailscale
|
|
// backend (e.g. cmd/tailscaled) running on the same machine.
|
|
// (It has nothing to do with the interface between the backends
|
|
// and the cloud control plane.)
|
|
type legacyBackend interface {
|
|
// SetNotifyCallback sets the callback to be called on updates
|
|
// from the backend to the client.
|
|
SetNotifyCallback(func(ipn.Notify))
|
|
// Start starts or restarts the backend, typically when a
|
|
// frontend client connects.
|
|
Start(ipn.Options) error
|
|
}
|
|
|
|
// Verify that LocalBackend still implements the legacyBackend interface
|
|
// for now, at least until the macOS and iOS clients move off of it.
|
|
var _ legacyBackend = (*LocalBackend)(nil)
|
|
|
|
func TestWatchNotificationsCallbacks(t *testing.T) {
|
|
b := new(LocalBackend)
|
|
n := new(ipn.Notify)
|
|
b.WatchNotifications(context.Background(), 0, func() {
|
|
b.mu.Lock()
|
|
defer b.mu.Unlock()
|
|
|
|
// Ensure a watcher has been installed.
|
|
if len(b.notifyWatchers) != 1 {
|
|
t.Fatalf("unexpected number of watchers in new LocalBackend, want: 1 got: %v", len(b.notifyWatchers))
|
|
}
|
|
// Send a notification. Range over notifyWatchers to get the channel
|
|
// because WatchNotifications doesn't expose the handle for it.
|
|
for _, sess := range b.notifyWatchers {
|
|
select {
|
|
case sess.ch <- n:
|
|
default:
|
|
t.Fatalf("could not send notification")
|
|
}
|
|
}
|
|
}, func(roNotify *ipn.Notify) bool {
|
|
if roNotify != n {
|
|
t.Fatalf("unexpected notification received. want: %v got: %v", n, roNotify)
|
|
}
|
|
return false
|
|
})
|
|
|
|
// Ensure watchers have been cleaned up.
|
|
b.mu.Lock()
|
|
defer b.mu.Unlock()
|
|
if len(b.notifyWatchers) != 0 {
|
|
t.Fatalf("unexpected number of watchers in new LocalBackend, want: 0 got: %v", len(b.notifyWatchers))
|
|
}
|
|
}
|
|
|
|
// tests LocalBackend.updateNetmapDeltaLocked
|
|
func TestUpdateNetmapDelta(t *testing.T) {
|
|
b := newTestLocalBackend(t)
|
|
if b.updateNetmapDeltaLocked(nil) {
|
|
t.Errorf("updateNetmapDeltaLocked() = true, want false with nil netmap")
|
|
}
|
|
|
|
b.netMap = &netmap.NetworkMap{}
|
|
for i := range 5 {
|
|
b.netMap.Peers = append(b.netMap.Peers, (&tailcfg.Node{ID: (tailcfg.NodeID(i) + 1)}).View())
|
|
}
|
|
b.updatePeersFromNetmapLocked(b.netMap)
|
|
|
|
someTime := time.Unix(123, 0)
|
|
muts, ok := netmap.MutationsFromMapResponse(&tailcfg.MapResponse{
|
|
PeersChangedPatch: []*tailcfg.PeerChange{
|
|
{
|
|
NodeID: 1,
|
|
DERPRegion: 1,
|
|
},
|
|
{
|
|
NodeID: 2,
|
|
Online: ptr.To(true),
|
|
},
|
|
{
|
|
NodeID: 3,
|
|
Online: ptr.To(false),
|
|
},
|
|
{
|
|
NodeID: 4,
|
|
LastSeen: ptr.To(someTime),
|
|
},
|
|
},
|
|
}, someTime)
|
|
if !ok {
|
|
t.Fatal("netmap.MutationsFromMapResponse failed")
|
|
}
|
|
|
|
if !b.updateNetmapDeltaLocked(muts) {
|
|
t.Fatalf("updateNetmapDeltaLocked() = false, want true with new netmap")
|
|
}
|
|
|
|
wants := []*tailcfg.Node{
|
|
{
|
|
ID: 1,
|
|
DERP: "127.3.3.40:1",
|
|
},
|
|
{
|
|
ID: 2,
|
|
Online: ptr.To(true),
|
|
},
|
|
{
|
|
ID: 3,
|
|
Online: ptr.To(false),
|
|
},
|
|
{
|
|
ID: 4,
|
|
LastSeen: ptr.To(someTime),
|
|
},
|
|
}
|
|
for _, want := range wants {
|
|
gotv, ok := b.peers[want.ID]
|
|
if !ok {
|
|
t.Errorf("netmap.Peer %v missing from b.peers", want.ID)
|
|
continue
|
|
}
|
|
got := gotv.AsStruct()
|
|
if !reflect.DeepEqual(got, want) {
|
|
t.Errorf("netmap.Peer %v wrong.\n got: %v\nwant: %v", want.ID, logger.AsJSON(got), logger.AsJSON(want))
|
|
}
|
|
}
|
|
}
|
|
|
|
// tests WhoIs and indirectly that setNetMapLocked updates b.nodeByAddr correctly.
|
|
func TestWhoIs(t *testing.T) {
|
|
b := newTestLocalBackend(t)
|
|
b.setNetMapLocked(&netmap.NetworkMap{
|
|
SelfNode: (&tailcfg.Node{
|
|
ID: 1,
|
|
User: 10,
|
|
Addresses: []netip.Prefix{netip.MustParsePrefix("100.101.102.103/32")},
|
|
}).View(),
|
|
Peers: []tailcfg.NodeView{
|
|
(&tailcfg.Node{
|
|
ID: 2,
|
|
User: 20,
|
|
Addresses: []netip.Prefix{netip.MustParsePrefix("100.200.200.200/32")},
|
|
}).View(),
|
|
},
|
|
UserProfiles: map[tailcfg.UserID]tailcfg.UserProfile{
|
|
10: {
|
|
DisplayName: "Myself",
|
|
},
|
|
20: {
|
|
DisplayName: "Peer",
|
|
},
|
|
},
|
|
})
|
|
tests := []struct {
|
|
q string
|
|
want tailcfg.NodeID // 0 means want ok=false
|
|
wantName string
|
|
}{
|
|
{"100.101.102.103:0", 1, "Myself"},
|
|
{"100.101.102.103:123", 1, "Myself"},
|
|
{"100.200.200.200:0", 2, "Peer"},
|
|
{"100.200.200.200:123", 2, "Peer"},
|
|
{"100.4.0.4:404", 0, ""},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.q, func(t *testing.T) {
|
|
nv, up, ok := b.WhoIs("", netip.MustParseAddrPort(tt.q))
|
|
var got tailcfg.NodeID
|
|
if ok {
|
|
got = nv.ID()
|
|
}
|
|
if got != tt.want {
|
|
t.Errorf("got nodeID %v; want %v", got, tt.want)
|
|
}
|
|
if up.DisplayName != tt.wantName {
|
|
t.Errorf("got name %q; want %q", up.DisplayName, tt.wantName)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestWireguardExitNodeDNSResolvers(t *testing.T) {
|
|
type tc struct {
|
|
name string
|
|
id tailcfg.StableNodeID
|
|
peers []*tailcfg.Node
|
|
wantOK bool
|
|
wantResolvers []*dnstype.Resolver
|
|
}
|
|
|
|
tests := []tc{
|
|
{
|
|
name: "no peers",
|
|
id: "1",
|
|
wantOK: false,
|
|
wantResolvers: nil,
|
|
},
|
|
{
|
|
name: "non wireguard peer",
|
|
id: "1",
|
|
peers: []*tailcfg.Node{
|
|
{
|
|
ID: 1,
|
|
StableID: "1",
|
|
IsWireGuardOnly: false,
|
|
ExitNodeDNSResolvers: []*dnstype.Resolver{{Addr: "dns.example.com"}},
|
|
},
|
|
},
|
|
wantOK: false,
|
|
wantResolvers: nil,
|
|
},
|
|
{
|
|
name: "no matching IDs",
|
|
id: "2",
|
|
peers: []*tailcfg.Node{
|
|
{
|
|
ID: 1,
|
|
StableID: "1",
|
|
IsWireGuardOnly: true,
|
|
ExitNodeDNSResolvers: []*dnstype.Resolver{{Addr: "dns.example.com"}},
|
|
},
|
|
},
|
|
wantOK: false,
|
|
wantResolvers: nil,
|
|
},
|
|
{
|
|
name: "wireguard peer",
|
|
id: "1",
|
|
peers: []*tailcfg.Node{
|
|
{
|
|
ID: 1,
|
|
StableID: "1",
|
|
IsWireGuardOnly: true,
|
|
ExitNodeDNSResolvers: []*dnstype.Resolver{{Addr: "dns.example.com"}},
|
|
},
|
|
},
|
|
wantOK: true,
|
|
wantResolvers: []*dnstype.Resolver{{Addr: "dns.example.com"}},
|
|
},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
peers := peersMap(nodeViews(tc.peers))
|
|
nm := &netmap.NetworkMap{}
|
|
gotResolvers, gotOK := wireguardExitNodeDNSResolvers(nm, peers, tc.id)
|
|
|
|
if gotOK != tc.wantOK || !resolversEqual(t, gotResolvers, tc.wantResolvers) {
|
|
t.Errorf("case: %s: got %v, %v, want %v, %v", tc.name, gotOK, gotResolvers, tc.wantOK, tc.wantResolvers)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestDNSConfigForNetmapForExitNodeConfigs(t *testing.T) {
|
|
type tc struct {
|
|
name string
|
|
exitNode tailcfg.StableNodeID
|
|
peers []tailcfg.NodeView
|
|
dnsConfig *tailcfg.DNSConfig
|
|
wantDefaultResolvers []*dnstype.Resolver
|
|
wantRoutes map[dnsname.FQDN][]*dnstype.Resolver
|
|
}
|
|
|
|
defaultResolvers := []*dnstype.Resolver{{Addr: "default.example.com"}}
|
|
wgResolvers := []*dnstype.Resolver{{Addr: "wg.example.com"}}
|
|
peers := []tailcfg.NodeView{
|
|
(&tailcfg.Node{
|
|
ID: 1,
|
|
StableID: "wg",
|
|
IsWireGuardOnly: true,
|
|
ExitNodeDNSResolvers: wgResolvers,
|
|
Hostinfo: (&tailcfg.Hostinfo{}).View(),
|
|
}).View(),
|
|
// regular tailscale exit node with DNS capabilities
|
|
(&tailcfg.Node{
|
|
Cap: 26,
|
|
ID: 2,
|
|
StableID: "ts",
|
|
Hostinfo: (&tailcfg.Hostinfo{}).View(),
|
|
}).View(),
|
|
}
|
|
exitDOH := peerAPIBase(&netmap.NetworkMap{Peers: peers}, peers[0]) + "/dns-query"
|
|
routes := map[dnsname.FQDN][]*dnstype.Resolver{
|
|
"route.example.com.": {{Addr: "route.example.com"}},
|
|
}
|
|
stringifyRoutes := func(routes map[dnsname.FQDN][]*dnstype.Resolver) map[string][]*dnstype.Resolver {
|
|
if routes == nil {
|
|
return nil
|
|
}
|
|
m := make(map[string][]*dnstype.Resolver)
|
|
for k, v := range routes {
|
|
m[string(k)] = v
|
|
}
|
|
return m
|
|
}
|
|
|
|
tests := []tc{
|
|
{
|
|
name: "noExit/noRoutes/noResolver",
|
|
exitNode: "",
|
|
peers: peers,
|
|
dnsConfig: &tailcfg.DNSConfig{},
|
|
wantDefaultResolvers: nil,
|
|
wantRoutes: nil,
|
|
},
|
|
{
|
|
name: "tsExit/noRoutes/noResolver",
|
|
exitNode: "ts",
|
|
peers: peers,
|
|
dnsConfig: &tailcfg.DNSConfig{},
|
|
wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
|
|
wantRoutes: nil,
|
|
},
|
|
{
|
|
name: "tsExit/noRoutes/defaultResolver",
|
|
exitNode: "ts",
|
|
peers: peers,
|
|
dnsConfig: &tailcfg.DNSConfig{Resolvers: defaultResolvers},
|
|
wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
|
|
wantRoutes: nil,
|
|
},
|
|
|
|
// The following two cases may need to be revisited. For a shared-in
|
|
// exit node split-DNS may effectively break, furthermore in the future
|
|
// if different nodes observe different DNS configurations, even a
|
|
// tailnet local exit node may present a different DNS configuration,
|
|
// which may not meet expectations in some use cases.
|
|
// In the case where a default resolver is set, the default resolver
|
|
// should also perhaps take precedence also.
|
|
{
|
|
name: "tsExit/routes/noResolver",
|
|
exitNode: "ts",
|
|
peers: peers,
|
|
dnsConfig: &tailcfg.DNSConfig{Routes: stringifyRoutes(routes)},
|
|
wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
|
|
wantRoutes: nil,
|
|
},
|
|
{
|
|
name: "tsExit/routes/defaultResolver",
|
|
exitNode: "ts",
|
|
peers: peers,
|
|
dnsConfig: &tailcfg.DNSConfig{Routes: stringifyRoutes(routes), Resolvers: defaultResolvers},
|
|
wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
|
|
wantRoutes: nil,
|
|
},
|
|
|
|
// WireGuard exit nodes with DNS capabilities provide a "fallback" type
|
|
// behavior, they have a lower precedence than a default resolver, but
|
|
// otherwise allow split-DNS to operate as normal, and are used when
|
|
// there is no default resolver.
|
|
{
|
|
name: "wgExit/noRoutes/noResolver",
|
|
exitNode: "wg",
|
|
peers: peers,
|
|
dnsConfig: &tailcfg.DNSConfig{},
|
|
wantDefaultResolvers: wgResolvers,
|
|
wantRoutes: nil,
|
|
},
|
|
{
|
|
name: "wgExit/noRoutes/defaultResolver",
|
|
exitNode: "wg",
|
|
peers: peers,
|
|
dnsConfig: &tailcfg.DNSConfig{Resolvers: defaultResolvers},
|
|
wantDefaultResolvers: defaultResolvers,
|
|
wantRoutes: nil,
|
|
},
|
|
{
|
|
name: "wgExit/routes/defaultResolver",
|
|
exitNode: "wg",
|
|
peers: peers,
|
|
dnsConfig: &tailcfg.DNSConfig{Routes: stringifyRoutes(routes), Resolvers: defaultResolvers},
|
|
wantDefaultResolvers: defaultResolvers,
|
|
wantRoutes: routes,
|
|
},
|
|
{
|
|
name: "wgExit/routes/noResolver",
|
|
exitNode: "wg",
|
|
peers: peers,
|
|
dnsConfig: &tailcfg.DNSConfig{Routes: stringifyRoutes(routes)},
|
|
wantDefaultResolvers: wgResolvers,
|
|
wantRoutes: routes,
|
|
},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
nm := &netmap.NetworkMap{
|
|
Peers: tc.peers,
|
|
DNS: *tc.dnsConfig,
|
|
}
|
|
|
|
prefs := &ipn.Prefs{ExitNodeID: tc.exitNode, CorpDNS: true}
|
|
got := dnsConfigForNetmap(nm, peersMap(tc.peers), prefs.View(), t.Logf, "")
|
|
if !resolversEqual(t, got.DefaultResolvers, tc.wantDefaultResolvers) {
|
|
t.Errorf("DefaultResolvers: got %#v, want %#v", got.DefaultResolvers, tc.wantDefaultResolvers)
|
|
}
|
|
if !routesEqual(t, got.Routes, tc.wantRoutes) {
|
|
t.Errorf("Routes: got %#v, want %#v", got.Routes, tc.wantRoutes)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestOfferingAppConnector(t *testing.T) {
|
|
for _, shouldStore := range []bool{false, true} {
|
|
b := newTestBackend(t)
|
|
if b.OfferingAppConnector() {
|
|
t.Fatal("unexpected offering app connector")
|
|
}
|
|
if shouldStore {
|
|
b.appConnector = appc.NewAppConnector(t.Logf, nil, &appc.RouteInfo{}, fakeStoreRoutes)
|
|
} else {
|
|
b.appConnector = appc.NewAppConnector(t.Logf, nil, nil, nil)
|
|
}
|
|
if !b.OfferingAppConnector() {
|
|
t.Fatal("unexpected not offering app connector")
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestRouteAdvertiser(t *testing.T) {
|
|
b := newTestBackend(t)
|
|
testPrefix := netip.MustParsePrefix("192.0.0.8/32")
|
|
|
|
ra := appc.RouteAdvertiser(b)
|
|
must.Do(ra.AdvertiseRoute(testPrefix))
|
|
|
|
routes := b.Prefs().AdvertiseRoutes()
|
|
if routes.Len() != 1 || routes.At(0) != testPrefix {
|
|
t.Fatalf("got routes %v, want %v", routes, []netip.Prefix{testPrefix})
|
|
}
|
|
|
|
must.Do(ra.UnadvertiseRoute(testPrefix))
|
|
|
|
routes = b.Prefs().AdvertiseRoutes()
|
|
if routes.Len() != 0 {
|
|
t.Fatalf("got routes %v, want none", routes)
|
|
}
|
|
}
|
|
|
|
func TestRouterAdvertiserIgnoresContainedRoutes(t *testing.T) {
|
|
b := newTestBackend(t)
|
|
testPrefix := netip.MustParsePrefix("192.0.0.0/24")
|
|
ra := appc.RouteAdvertiser(b)
|
|
must.Do(ra.AdvertiseRoute(testPrefix))
|
|
|
|
routes := b.Prefs().AdvertiseRoutes()
|
|
if routes.Len() != 1 || routes.At(0) != testPrefix {
|
|
t.Fatalf("got routes %v, want %v", routes, []netip.Prefix{testPrefix})
|
|
}
|
|
|
|
must.Do(ra.AdvertiseRoute(netip.MustParsePrefix("192.0.0.8/32")))
|
|
|
|
// the above /32 is not added as it is contained within the /24
|
|
routes = b.Prefs().AdvertiseRoutes()
|
|
if routes.Len() != 1 || routes.At(0) != testPrefix {
|
|
t.Fatalf("got routes %v, want %v", routes, []netip.Prefix{testPrefix})
|
|
}
|
|
}
|
|
|
|
func TestObserveDNSResponse(t *testing.T) {
|
|
for _, shouldStore := range []bool{false, true} {
|
|
b := newTestBackend(t)
|
|
|
|
// ensure no error when no app connector is configured
|
|
b.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
|
|
|
|
rc := &appctest.RouteCollector{}
|
|
if shouldStore {
|
|
b.appConnector = appc.NewAppConnector(t.Logf, rc, &appc.RouteInfo{}, fakeStoreRoutes)
|
|
} else {
|
|
b.appConnector = appc.NewAppConnector(t.Logf, rc, nil, nil)
|
|
}
|
|
b.appConnector.UpdateDomains([]string{"example.com"})
|
|
b.appConnector.Wait(context.Background())
|
|
|
|
b.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
|
|
b.appConnector.Wait(context.Background())
|
|
wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
|
|
if !slices.Equal(rc.Routes(), wantRoutes) {
|
|
t.Fatalf("got routes %v, want %v", rc.Routes(), wantRoutes)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestCoveredRouteRangeNoDefault(t *testing.T) {
|
|
tests := []struct {
|
|
existingRoute netip.Prefix
|
|
newRoute netip.Prefix
|
|
want bool
|
|
}{
|
|
{
|
|
existingRoute: netip.MustParsePrefix("192.0.0.1/32"),
|
|
newRoute: netip.MustParsePrefix("192.0.0.1/32"),
|
|
want: true,
|
|
},
|
|
{
|
|
existingRoute: netip.MustParsePrefix("192.0.0.1/32"),
|
|
newRoute: netip.MustParsePrefix("192.0.0.2/32"),
|
|
want: false,
|
|
},
|
|
{
|
|
existingRoute: netip.MustParsePrefix("192.0.0.0/24"),
|
|
newRoute: netip.MustParsePrefix("192.0.0.1/32"),
|
|
want: true,
|
|
},
|
|
{
|
|
existingRoute: netip.MustParsePrefix("192.0.0.0/16"),
|
|
newRoute: netip.MustParsePrefix("192.0.0.0/24"),
|
|
want: true,
|
|
},
|
|
{
|
|
existingRoute: netip.MustParsePrefix("0.0.0.0/0"),
|
|
newRoute: netip.MustParsePrefix("192.0.0.0/24"),
|
|
want: false,
|
|
},
|
|
{
|
|
existingRoute: netip.MustParsePrefix("::/0"),
|
|
newRoute: netip.MustParsePrefix("2001:db8::/32"),
|
|
want: false,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
got := coveredRouteRangeNoDefault([]netip.Prefix{tt.existingRoute}, tt.newRoute)
|
|
if got != tt.want {
|
|
t.Errorf("coveredRouteRange(%v, %v) = %v, want %v", tt.existingRoute, tt.newRoute, got, tt.want)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestReconfigureAppConnector(t *testing.T) {
|
|
b := newTestBackend(t)
|
|
b.reconfigAppConnectorLocked(b.netMap, b.pm.prefs)
|
|
if b.appConnector != nil {
|
|
t.Fatal("unexpected app connector")
|
|
}
|
|
|
|
b.EditPrefs(&ipn.MaskedPrefs{
|
|
Prefs: ipn.Prefs{
|
|
AppConnector: ipn.AppConnectorPrefs{
|
|
Advertise: true,
|
|
},
|
|
},
|
|
AppConnectorSet: true,
|
|
})
|
|
b.reconfigAppConnectorLocked(b.netMap, b.pm.prefs)
|
|
if b.appConnector == nil {
|
|
t.Fatal("expected app connector")
|
|
}
|
|
|
|
appCfg := `{
|
|
"name": "example",
|
|
"domains": ["example.com"],
|
|
"connectors": ["tag:example"]
|
|
}`
|
|
|
|
b.netMap.SelfNode = (&tailcfg.Node{
|
|
Name: "example.ts.net",
|
|
Tags: []string{"tag:example"},
|
|
CapMap: (tailcfg.NodeCapMap)(map[tailcfg.NodeCapability][]tailcfg.RawMessage{
|
|
"tailscale.com/app-connectors": {tailcfg.RawMessage(appCfg)},
|
|
}),
|
|
}).View()
|
|
|
|
b.reconfigAppConnectorLocked(b.netMap, b.pm.prefs)
|
|
b.appConnector.Wait(context.Background())
|
|
|
|
want := []string{"example.com"}
|
|
if !slices.Equal(b.appConnector.Domains().AsSlice(), want) {
|
|
t.Fatalf("got domains %v, want %v", b.appConnector.Domains(), want)
|
|
}
|
|
if v, _ := b.hostinfo.AppConnector.Get(); !v {
|
|
t.Fatalf("expected app connector service")
|
|
}
|
|
|
|
// disable the connector in order to assert that the service is removed
|
|
b.EditPrefs(&ipn.MaskedPrefs{
|
|
Prefs: ipn.Prefs{
|
|
AppConnector: ipn.AppConnectorPrefs{
|
|
Advertise: false,
|
|
},
|
|
},
|
|
AppConnectorSet: true,
|
|
})
|
|
b.reconfigAppConnectorLocked(b.netMap, b.pm.prefs)
|
|
if b.appConnector != nil {
|
|
t.Fatal("expected no app connector")
|
|
}
|
|
if v, _ := b.hostinfo.AppConnector.Get(); v {
|
|
t.Fatalf("expected no app connector service")
|
|
}
|
|
}
|
|
|
|
func resolversEqual(t *testing.T, a, b []*dnstype.Resolver) bool {
|
|
if a == nil && b == nil {
|
|
return true
|
|
}
|
|
if a == nil || b == nil {
|
|
t.Errorf("resolversEqual: a == nil || b == nil : %#v != %#v", a, b)
|
|
return false
|
|
}
|
|
if len(a) != len(b) {
|
|
t.Errorf("resolversEqual: len(a) != len(b) : %#v != %#v", a, b)
|
|
return false
|
|
}
|
|
for i := range a {
|
|
if !a[i].Equal(b[i]) {
|
|
t.Errorf("resolversEqual: a != b [%d]: %v != %v", i, *a[i], *b[i])
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
func routesEqual(t *testing.T, a, b map[dnsname.FQDN][]*dnstype.Resolver) bool {
|
|
if len(a) != len(b) {
|
|
t.Logf("routes: len(a) != len(b): %d != %d", len(a), len(b))
|
|
return false
|
|
}
|
|
for name := range a {
|
|
if !resolversEqual(t, a[name], b[name]) {
|
|
t.Logf("routes: a != b [%s]: %v != %v", name, a[name], b[name])
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
// dnsResponse is a test helper that creates a DNS response buffer for the given domain and address
|
|
func dnsResponse(domain, address string) []byte {
|
|
addr := netip.MustParseAddr(address)
|
|
b := dnsmessage.NewBuilder(nil, dnsmessage.Header{})
|
|
b.EnableCompression()
|
|
b.StartAnswers()
|
|
switch addr.BitLen() {
|
|
case 32:
|
|
b.AResource(
|
|
dnsmessage.ResourceHeader{
|
|
Name: dnsmessage.MustNewName(domain),
|
|
Type: dnsmessage.TypeA,
|
|
Class: dnsmessage.ClassINET,
|
|
TTL: 0,
|
|
},
|
|
dnsmessage.AResource{
|
|
A: addr.As4(),
|
|
},
|
|
)
|
|
case 128:
|
|
b.AAAAResource(
|
|
dnsmessage.ResourceHeader{
|
|
Name: dnsmessage.MustNewName(domain),
|
|
Type: dnsmessage.TypeAAAA,
|
|
Class: dnsmessage.ClassINET,
|
|
TTL: 0,
|
|
},
|
|
dnsmessage.AAAAResource{
|
|
AAAA: addr.As16(),
|
|
},
|
|
)
|
|
default:
|
|
panic("invalid address length")
|
|
}
|
|
return must.Get(b.Finish())
|
|
}
|
|
|
|
type errorSyspolicyHandler struct {
|
|
t *testing.T
|
|
err error
|
|
key syspolicy.Key
|
|
allowKeys map[syspolicy.Key]*string
|
|
}
|
|
|
|
func (h *errorSyspolicyHandler) ReadString(key string) (string, error) {
|
|
sk := syspolicy.Key(key)
|
|
if _, ok := h.allowKeys[sk]; !ok {
|
|
h.t.Errorf("ReadString: %q is not in list of permitted keys", h.key)
|
|
}
|
|
if sk == h.key {
|
|
return "", h.err
|
|
}
|
|
return "", syspolicy.ErrNoSuchKey
|
|
}
|
|
|
|
func (h *errorSyspolicyHandler) ReadUInt64(key string) (uint64, error) {
|
|
h.t.Errorf("ReadUInt64(%q) unexpectedly called", key)
|
|
return 0, syspolicy.ErrNoSuchKey
|
|
}
|
|
|
|
func (h *errorSyspolicyHandler) ReadBoolean(key string) (bool, error) {
|
|
h.t.Errorf("ReadBoolean(%q) unexpectedly called", key)
|
|
return false, syspolicy.ErrNoSuchKey
|
|
}
|
|
|
|
func (h *errorSyspolicyHandler) ReadStringArray(key string) ([]string, error) {
|
|
h.t.Errorf("ReadStringArray(%q) unexpectedly called", key)
|
|
return nil, syspolicy.ErrNoSuchKey
|
|
}
|
|
|
|
type mockSyspolicyHandler struct {
|
|
t *testing.T
|
|
// stringPolicies is the collection of policies that we expect to see
|
|
// queried by the current test. If the policy is expected but unset, then
|
|
// use nil, otherwise use a string equal to the policy's desired value.
|
|
stringPolicies map[syspolicy.Key]*string
|
|
// stringArrayPolicies is the collection of policies that we expected to see
|
|
// queries by the current test, that return policy string arrays.
|
|
stringArrayPolicies map[syspolicy.Key][]string
|
|
// failUnknownPolicies is set if policies other than those in stringPolicies
|
|
// (uint64 or bool policies are not supported by mockSyspolicyHandler yet)
|
|
// should be considered a test failure if they are queried.
|
|
failUnknownPolicies bool
|
|
}
|
|
|
|
func (h *mockSyspolicyHandler) ReadString(key string) (string, error) {
|
|
if s, ok := h.stringPolicies[syspolicy.Key(key)]; ok {
|
|
if s == nil {
|
|
return "", syspolicy.ErrNoSuchKey
|
|
}
|
|
return *s, nil
|
|
}
|
|
if h.failUnknownPolicies {
|
|
h.t.Errorf("ReadString(%q) unexpectedly called", key)
|
|
}
|
|
return "", syspolicy.ErrNoSuchKey
|
|
}
|
|
|
|
func (h *mockSyspolicyHandler) ReadUInt64(key string) (uint64, error) {
|
|
if h.failUnknownPolicies {
|
|
h.t.Errorf("ReadUInt64(%q) unexpectedly called", key)
|
|
}
|
|
return 0, syspolicy.ErrNoSuchKey
|
|
}
|
|
|
|
func (h *mockSyspolicyHandler) ReadBoolean(key string) (bool, error) {
|
|
if h.failUnknownPolicies {
|
|
h.t.Errorf("ReadBoolean(%q) unexpectedly called", key)
|
|
}
|
|
return false, syspolicy.ErrNoSuchKey
|
|
}
|
|
|
|
func (h *mockSyspolicyHandler) ReadStringArray(key string) ([]string, error) {
|
|
if h.failUnknownPolicies {
|
|
h.t.Errorf("ReadStringArray(%q) unexpectedly called", key)
|
|
}
|
|
if s, ok := h.stringArrayPolicies[syspolicy.Key(key)]; ok {
|
|
if s == nil {
|
|
return []string{}, syspolicy.ErrNoSuchKey
|
|
}
|
|
return s, nil
|
|
}
|
|
return nil, syspolicy.ErrNoSuchKey
|
|
}
|
|
|
|
func TestSetExitNodeIDPolicy(t *testing.T) {
|
|
pfx := netip.MustParsePrefix
|
|
tests := []struct {
|
|
name string
|
|
exitNodeIPKey bool
|
|
exitNodeIDKey bool
|
|
exitNodeID string
|
|
exitNodeIP string
|
|
prefs *ipn.Prefs
|
|
exitNodeIPWant string
|
|
exitNodeIDWant string
|
|
prefsChanged bool
|
|
nm *netmap.NetworkMap
|
|
}{
|
|
{
|
|
name: "ExitNodeID key is set",
|
|
exitNodeIDKey: true,
|
|
exitNodeID: "123",
|
|
exitNodeIDWant: "123",
|
|
prefsChanged: true,
|
|
},
|
|
{
|
|
name: "ExitNodeID key not set",
|
|
exitNodeIDKey: true,
|
|
exitNodeIDWant: "",
|
|
prefsChanged: false,
|
|
},
|
|
{
|
|
name: "ExitNodeID key set, ExitNodeIP preference set",
|
|
exitNodeIDKey: true,
|
|
exitNodeID: "123",
|
|
prefs: &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
|
|
exitNodeIDWant: "123",
|
|
prefsChanged: true,
|
|
},
|
|
{
|
|
name: "ExitNodeID key not set, ExitNodeIP key set",
|
|
exitNodeIPKey: true,
|
|
exitNodeIP: "127.0.0.1",
|
|
prefs: &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
|
|
exitNodeIPWant: "127.0.0.1",
|
|
prefsChanged: false,
|
|
},
|
|
{
|
|
name: "ExitNodeIP key set, existing ExitNodeIP pref",
|
|
exitNodeIPKey: true,
|
|
exitNodeIP: "127.0.0.1",
|
|
prefs: &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
|
|
exitNodeIPWant: "127.0.0.1",
|
|
prefsChanged: false,
|
|
},
|
|
{
|
|
name: "existing preferences match policy",
|
|
exitNodeIDKey: true,
|
|
exitNodeID: "123",
|
|
prefs: &ipn.Prefs{ExitNodeID: tailcfg.StableNodeID("123")},
|
|
exitNodeIDWant: "123",
|
|
prefsChanged: false,
|
|
},
|
|
{
|
|
name: "ExitNodeIP set if net map does not have corresponding node",
|
|
exitNodeIPKey: true,
|
|
prefs: &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
|
|
exitNodeIP: "127.0.0.1",
|
|
exitNodeIPWant: "127.0.0.1",
|
|
prefsChanged: false,
|
|
nm: &netmap.NetworkMap{
|
|
Name: "foo.tailnet",
|
|
SelfNode: (&tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
pfx("100.102.103.104/32"),
|
|
pfx("100::123/128"),
|
|
},
|
|
}).View(),
|
|
Peers: []tailcfg.NodeView{
|
|
(&tailcfg.Node{
|
|
Name: "a.tailnet",
|
|
Addresses: []netip.Prefix{
|
|
pfx("100.0.0.201/32"),
|
|
pfx("100::201/128"),
|
|
},
|
|
}).View(),
|
|
(&tailcfg.Node{
|
|
Name: "b.tailnet",
|
|
Addresses: []netip.Prefix{
|
|
pfx("100::202/128"),
|
|
},
|
|
}).View(),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "ExitNodeIP cleared if net map has corresponding node - policy matches prefs",
|
|
prefs: &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
|
|
exitNodeIPKey: true,
|
|
exitNodeIP: "127.0.0.1",
|
|
exitNodeIPWant: "",
|
|
exitNodeIDWant: "123",
|
|
prefsChanged: true,
|
|
nm: &netmap.NetworkMap{
|
|
Name: "foo.tailnet",
|
|
SelfNode: (&tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
pfx("100.102.103.104/32"),
|
|
pfx("100::123/128"),
|
|
},
|
|
}).View(),
|
|
Peers: []tailcfg.NodeView{
|
|
(&tailcfg.Node{
|
|
Name: "a.tailnet",
|
|
StableID: tailcfg.StableNodeID("123"),
|
|
Addresses: []netip.Prefix{
|
|
pfx("127.0.0.1/32"),
|
|
pfx("100::201/128"),
|
|
},
|
|
}).View(),
|
|
(&tailcfg.Node{
|
|
Name: "b.tailnet",
|
|
Addresses: []netip.Prefix{
|
|
pfx("100::202/128"),
|
|
},
|
|
}).View(),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "ExitNodeIP cleared if net map has corresponding node - no policy set",
|
|
prefs: &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
|
|
exitNodeIPWant: "",
|
|
exitNodeIDWant: "123",
|
|
prefsChanged: true,
|
|
nm: &netmap.NetworkMap{
|
|
Name: "foo.tailnet",
|
|
SelfNode: (&tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
pfx("100.102.103.104/32"),
|
|
pfx("100::123/128"),
|
|
},
|
|
}).View(),
|
|
Peers: []tailcfg.NodeView{
|
|
(&tailcfg.Node{
|
|
Name: "a.tailnet",
|
|
StableID: tailcfg.StableNodeID("123"),
|
|
Addresses: []netip.Prefix{
|
|
pfx("127.0.0.1/32"),
|
|
pfx("100::201/128"),
|
|
},
|
|
}).View(),
|
|
(&tailcfg.Node{
|
|
Name: "b.tailnet",
|
|
Addresses: []netip.Prefix{
|
|
pfx("100::202/128"),
|
|
},
|
|
}).View(),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "ExitNodeIP cleared if net map has corresponding node - different exit node IP in policy",
|
|
exitNodeIPKey: true,
|
|
prefs: &ipn.Prefs{ExitNodeIP: netip.MustParseAddr("127.0.0.1")},
|
|
exitNodeIP: "100.64.5.6",
|
|
exitNodeIPWant: "",
|
|
exitNodeIDWant: "123",
|
|
prefsChanged: true,
|
|
nm: &netmap.NetworkMap{
|
|
Name: "foo.tailnet",
|
|
SelfNode: (&tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
pfx("100.102.103.104/32"),
|
|
pfx("100::123/128"),
|
|
},
|
|
}).View(),
|
|
Peers: []tailcfg.NodeView{
|
|
(&tailcfg.Node{
|
|
Name: "a.tailnet",
|
|
StableID: tailcfg.StableNodeID("123"),
|
|
Addresses: []netip.Prefix{
|
|
pfx("100.64.5.6/32"),
|
|
pfx("100::201/128"),
|
|
},
|
|
}).View(),
|
|
(&tailcfg.Node{
|
|
Name: "b.tailnet",
|
|
Addresses: []netip.Prefix{
|
|
pfx("100::202/128"),
|
|
},
|
|
}).View(),
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, test := range tests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
b := newTestBackend(t)
|
|
msh := &mockSyspolicyHandler{
|
|
t: t,
|
|
stringPolicies: map[syspolicy.Key]*string{
|
|
syspolicy.ExitNodeID: nil,
|
|
syspolicy.ExitNodeIP: nil,
|
|
},
|
|
}
|
|
if test.exitNodeIDKey {
|
|
msh.stringPolicies[syspolicy.ExitNodeID] = &test.exitNodeID
|
|
}
|
|
if test.exitNodeIPKey {
|
|
msh.stringPolicies[syspolicy.ExitNodeIP] = &test.exitNodeIP
|
|
}
|
|
syspolicy.SetHandlerForTest(t, msh)
|
|
if test.nm == nil {
|
|
test.nm = new(netmap.NetworkMap)
|
|
}
|
|
if test.prefs == nil {
|
|
test.prefs = ipn.NewPrefs()
|
|
}
|
|
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, new(health.Tracker)))
|
|
pm.prefs = test.prefs.View()
|
|
b.netMap = test.nm
|
|
b.pm = pm
|
|
changed := setExitNodeID(b.pm.prefs.AsStruct(), test.nm)
|
|
b.SetPrefsForTest(pm.CurrentPrefs().AsStruct())
|
|
|
|
if got := b.pm.prefs.ExitNodeID(); got != tailcfg.StableNodeID(test.exitNodeIDWant) {
|
|
t.Errorf("got %v want %v", got, test.exitNodeIDWant)
|
|
}
|
|
if got := b.pm.prefs.ExitNodeIP(); test.exitNodeIPWant == "" {
|
|
if got.String() != "invalid IP" {
|
|
t.Errorf("got %v want invalid IP", got)
|
|
}
|
|
} else if got.String() != test.exitNodeIPWant {
|
|
t.Errorf("got %v want %v", got, test.exitNodeIPWant)
|
|
}
|
|
|
|
if changed != test.prefsChanged {
|
|
t.Errorf("wanted prefs changed %v, got prefs changed %v", test.prefsChanged, changed)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestApplySysPolicy(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
prefs ipn.Prefs
|
|
wantPrefs ipn.Prefs
|
|
wantAnyChange bool
|
|
stringPolicies map[syspolicy.Key]string
|
|
}{
|
|
{
|
|
name: "empty prefs without policies",
|
|
},
|
|
{
|
|
name: "prefs set without policies",
|
|
prefs: ipn.Prefs{
|
|
ControlURL: "1",
|
|
ShieldsUp: true,
|
|
ForceDaemon: true,
|
|
ExitNodeAllowLANAccess: true,
|
|
CorpDNS: true,
|
|
RouteAll: true,
|
|
},
|
|
wantPrefs: ipn.Prefs{
|
|
ControlURL: "1",
|
|
ShieldsUp: true,
|
|
ForceDaemon: true,
|
|
ExitNodeAllowLANAccess: true,
|
|
CorpDNS: true,
|
|
RouteAll: true,
|
|
},
|
|
},
|
|
{
|
|
name: "empty prefs with policies",
|
|
wantPrefs: ipn.Prefs{
|
|
ControlURL: "1",
|
|
ShieldsUp: true,
|
|
ForceDaemon: true,
|
|
ExitNodeAllowLANAccess: true,
|
|
CorpDNS: true,
|
|
RouteAll: true,
|
|
},
|
|
wantAnyChange: true,
|
|
stringPolicies: map[syspolicy.Key]string{
|
|
syspolicy.ControlURL: "1",
|
|
syspolicy.EnableIncomingConnections: "never",
|
|
syspolicy.EnableServerMode: "always",
|
|
syspolicy.ExitNodeAllowLANAccess: "always",
|
|
syspolicy.EnableTailscaleDNS: "always",
|
|
syspolicy.EnableTailscaleSubnets: "always",
|
|
},
|
|
},
|
|
{
|
|
name: "prefs set with matching policies",
|
|
prefs: ipn.Prefs{
|
|
ControlURL: "1",
|
|
ShieldsUp: true,
|
|
ForceDaemon: true,
|
|
},
|
|
wantPrefs: ipn.Prefs{
|
|
ControlURL: "1",
|
|
ShieldsUp: true,
|
|
ForceDaemon: true,
|
|
},
|
|
stringPolicies: map[syspolicy.Key]string{
|
|
syspolicy.ControlURL: "1",
|
|
syspolicy.EnableIncomingConnections: "never",
|
|
syspolicy.EnableServerMode: "always",
|
|
syspolicy.ExitNodeAllowLANAccess: "never",
|
|
syspolicy.EnableTailscaleDNS: "never",
|
|
syspolicy.EnableTailscaleSubnets: "never",
|
|
},
|
|
},
|
|
{
|
|
name: "prefs set with conflicting policies",
|
|
prefs: ipn.Prefs{
|
|
ControlURL: "1",
|
|
ShieldsUp: true,
|
|
ForceDaemon: true,
|
|
ExitNodeAllowLANAccess: false,
|
|
CorpDNS: true,
|
|
RouteAll: false,
|
|
},
|
|
wantPrefs: ipn.Prefs{
|
|
ControlURL: "2",
|
|
ShieldsUp: false,
|
|
ForceDaemon: false,
|
|
ExitNodeAllowLANAccess: true,
|
|
CorpDNS: false,
|
|
RouteAll: true,
|
|
},
|
|
wantAnyChange: true,
|
|
stringPolicies: map[syspolicy.Key]string{
|
|
syspolicy.ControlURL: "2",
|
|
syspolicy.EnableIncomingConnections: "always",
|
|
syspolicy.EnableServerMode: "never",
|
|
syspolicy.ExitNodeAllowLANAccess: "always",
|
|
syspolicy.EnableTailscaleDNS: "never",
|
|
syspolicy.EnableTailscaleSubnets: "always",
|
|
},
|
|
},
|
|
{
|
|
name: "prefs set with neutral policies",
|
|
prefs: ipn.Prefs{
|
|
ControlURL: "1",
|
|
ShieldsUp: true,
|
|
ForceDaemon: true,
|
|
ExitNodeAllowLANAccess: false,
|
|
CorpDNS: true,
|
|
RouteAll: true,
|
|
},
|
|
wantPrefs: ipn.Prefs{
|
|
ControlURL: "1",
|
|
ShieldsUp: true,
|
|
ForceDaemon: true,
|
|
ExitNodeAllowLANAccess: false,
|
|
CorpDNS: true,
|
|
RouteAll: true,
|
|
},
|
|
stringPolicies: map[syspolicy.Key]string{
|
|
syspolicy.EnableIncomingConnections: "user-decides",
|
|
syspolicy.EnableServerMode: "user-decides",
|
|
syspolicy.ExitNodeAllowLANAccess: "user-decides",
|
|
syspolicy.EnableTailscaleDNS: "user-decides",
|
|
syspolicy.EnableTailscaleSubnets: "user-decides",
|
|
},
|
|
},
|
|
{
|
|
name: "ControlURL",
|
|
wantPrefs: ipn.Prefs{
|
|
ControlURL: "set",
|
|
},
|
|
wantAnyChange: true,
|
|
stringPolicies: map[syspolicy.Key]string{
|
|
syspolicy.ControlURL: "set",
|
|
},
|
|
},
|
|
{
|
|
name: "enable AutoUpdate apply does not unset check",
|
|
prefs: ipn.Prefs{
|
|
AutoUpdate: ipn.AutoUpdatePrefs{
|
|
Check: true,
|
|
Apply: opt.NewBool(false),
|
|
},
|
|
},
|
|
wantPrefs: ipn.Prefs{
|
|
AutoUpdate: ipn.AutoUpdatePrefs{
|
|
Check: true,
|
|
Apply: opt.NewBool(true),
|
|
},
|
|
},
|
|
wantAnyChange: true,
|
|
stringPolicies: map[syspolicy.Key]string{
|
|
syspolicy.ApplyUpdates: "always",
|
|
},
|
|
},
|
|
{
|
|
name: "disable AutoUpdate apply does not unset check",
|
|
prefs: ipn.Prefs{
|
|
AutoUpdate: ipn.AutoUpdatePrefs{
|
|
Check: true,
|
|
Apply: opt.NewBool(true),
|
|
},
|
|
},
|
|
wantPrefs: ipn.Prefs{
|
|
AutoUpdate: ipn.AutoUpdatePrefs{
|
|
Check: true,
|
|
Apply: opt.NewBool(false),
|
|
},
|
|
},
|
|
wantAnyChange: true,
|
|
stringPolicies: map[syspolicy.Key]string{
|
|
syspolicy.ApplyUpdates: "never",
|
|
},
|
|
},
|
|
{
|
|
name: "enable AutoUpdate check does not unset apply",
|
|
prefs: ipn.Prefs{
|
|
AutoUpdate: ipn.AutoUpdatePrefs{
|
|
Check: false,
|
|
Apply: opt.NewBool(true),
|
|
},
|
|
},
|
|
wantPrefs: ipn.Prefs{
|
|
AutoUpdate: ipn.AutoUpdatePrefs{
|
|
Check: true,
|
|
Apply: opt.NewBool(true),
|
|
},
|
|
},
|
|
wantAnyChange: true,
|
|
stringPolicies: map[syspolicy.Key]string{
|
|
syspolicy.CheckUpdates: "always",
|
|
},
|
|
},
|
|
{
|
|
name: "disable AutoUpdate check does not unset apply",
|
|
prefs: ipn.Prefs{
|
|
AutoUpdate: ipn.AutoUpdatePrefs{
|
|
Check: true,
|
|
Apply: opt.NewBool(true),
|
|
},
|
|
},
|
|
wantPrefs: ipn.Prefs{
|
|
AutoUpdate: ipn.AutoUpdatePrefs{
|
|
Check: false,
|
|
Apply: opt.NewBool(true),
|
|
},
|
|
},
|
|
wantAnyChange: true,
|
|
stringPolicies: map[syspolicy.Key]string{
|
|
syspolicy.CheckUpdates: "never",
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
msh := &mockSyspolicyHandler{
|
|
t: t,
|
|
stringPolicies: make(map[syspolicy.Key]*string, len(tt.stringPolicies)),
|
|
}
|
|
for p, v := range tt.stringPolicies {
|
|
v := v // construct a unique pointer for each policy value
|
|
msh.stringPolicies[p] = &v
|
|
}
|
|
syspolicy.SetHandlerForTest(t, msh)
|
|
|
|
t.Run("unit", func(t *testing.T) {
|
|
prefs := tt.prefs.Clone()
|
|
|
|
gotAnyChange := applySysPolicy(prefs)
|
|
|
|
if gotAnyChange && prefs.Equals(&tt.prefs) {
|
|
t.Errorf("anyChange but prefs is unchanged: %v", prefs.Pretty())
|
|
}
|
|
if !gotAnyChange && !prefs.Equals(&tt.prefs) {
|
|
t.Errorf("!anyChange but prefs changed from %v to %v", tt.prefs.Pretty(), prefs.Pretty())
|
|
}
|
|
if gotAnyChange != tt.wantAnyChange {
|
|
t.Errorf("anyChange=%v, want %v", gotAnyChange, tt.wantAnyChange)
|
|
}
|
|
if !prefs.Equals(&tt.wantPrefs) {
|
|
t.Errorf("prefs=%v, want %v", prefs.Pretty(), tt.wantPrefs.Pretty())
|
|
}
|
|
})
|
|
|
|
t.Run("status update", func(t *testing.T) {
|
|
// Profile manager fills in blank ControlURL but it's not set
|
|
// in most test cases to avoid cluttering them, so adjust for
|
|
// that.
|
|
usePrefs := tt.prefs.Clone()
|
|
if usePrefs.ControlURL == "" {
|
|
usePrefs.ControlURL = ipn.DefaultControlURL
|
|
}
|
|
wantPrefs := tt.wantPrefs.Clone()
|
|
if wantPrefs.ControlURL == "" {
|
|
wantPrefs.ControlURL = ipn.DefaultControlURL
|
|
}
|
|
|
|
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, new(health.Tracker)))
|
|
pm.prefs = usePrefs.View()
|
|
|
|
b := newTestBackend(t)
|
|
b.mu.Lock()
|
|
b.pm = pm
|
|
b.mu.Unlock()
|
|
|
|
b.SetControlClientStatus(b.cc, controlclient.Status{})
|
|
if !b.Prefs().Equals(wantPrefs.View()) {
|
|
t.Errorf("prefs=%v, want %v", b.Prefs().Pretty(), wantPrefs.Pretty())
|
|
}
|
|
})
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestPreferencePolicyInfo(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
initialValue bool
|
|
wantValue bool
|
|
wantChange bool
|
|
policyValue string
|
|
policyError error
|
|
}{
|
|
{
|
|
name: "force enable modify",
|
|
initialValue: false,
|
|
wantValue: true,
|
|
wantChange: true,
|
|
policyValue: "always",
|
|
},
|
|
{
|
|
name: "force enable unchanged",
|
|
initialValue: true,
|
|
wantValue: true,
|
|
policyValue: "always",
|
|
},
|
|
{
|
|
name: "force disable modify",
|
|
initialValue: true,
|
|
wantValue: false,
|
|
wantChange: true,
|
|
policyValue: "never",
|
|
},
|
|
{
|
|
name: "force disable unchanged",
|
|
initialValue: false,
|
|
wantValue: false,
|
|
policyValue: "never",
|
|
},
|
|
{
|
|
name: "unforced enabled",
|
|
initialValue: true,
|
|
wantValue: true,
|
|
policyValue: "user-decides",
|
|
},
|
|
{
|
|
name: "unforced disabled",
|
|
initialValue: false,
|
|
wantValue: false,
|
|
policyValue: "user-decides",
|
|
},
|
|
{
|
|
name: "blank enabled",
|
|
initialValue: true,
|
|
wantValue: true,
|
|
policyValue: "",
|
|
},
|
|
{
|
|
name: "blank disabled",
|
|
initialValue: false,
|
|
wantValue: false,
|
|
policyValue: "",
|
|
},
|
|
{
|
|
name: "unset enabled",
|
|
initialValue: true,
|
|
wantValue: true,
|
|
policyError: syspolicy.ErrNoSuchKey,
|
|
},
|
|
{
|
|
name: "unset disabled",
|
|
initialValue: false,
|
|
wantValue: false,
|
|
policyError: syspolicy.ErrNoSuchKey,
|
|
},
|
|
{
|
|
name: "error enabled",
|
|
initialValue: true,
|
|
wantValue: true,
|
|
policyError: errors.New("test error"),
|
|
},
|
|
{
|
|
name: "error disabled",
|
|
initialValue: false,
|
|
wantValue: false,
|
|
policyError: errors.New("test error"),
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
for _, pp := range preferencePolicies {
|
|
t.Run(string(pp.key), func(t *testing.T) {
|
|
var h syspolicy.Handler
|
|
|
|
allPolicies := make(map[syspolicy.Key]*string, len(preferencePolicies)+1)
|
|
allPolicies[syspolicy.ControlURL] = nil
|
|
for _, pp := range preferencePolicies {
|
|
allPolicies[pp.key] = nil
|
|
}
|
|
|
|
if tt.policyError != nil {
|
|
h = &errorSyspolicyHandler{
|
|
t: t,
|
|
err: tt.policyError,
|
|
key: pp.key,
|
|
allowKeys: allPolicies,
|
|
}
|
|
} else {
|
|
msh := &mockSyspolicyHandler{
|
|
t: t,
|
|
stringPolicies: allPolicies,
|
|
failUnknownPolicies: true,
|
|
}
|
|
msh.stringPolicies[pp.key] = &tt.policyValue
|
|
h = msh
|
|
}
|
|
syspolicy.SetHandlerForTest(t, h)
|
|
|
|
prefs := defaultPrefs.AsStruct()
|
|
pp.set(prefs, tt.initialValue)
|
|
|
|
gotAnyChange := applySysPolicy(prefs)
|
|
|
|
if gotAnyChange != tt.wantChange {
|
|
t.Errorf("anyChange=%v, want %v", gotAnyChange, tt.wantChange)
|
|
}
|
|
got := pp.get(prefs.View())
|
|
if got != tt.wantValue {
|
|
t.Errorf("pref=%v, want %v", got, tt.wantValue)
|
|
}
|
|
})
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestOnTailnetDefaultAutoUpdate(t *testing.T) {
|
|
tests := []struct {
|
|
before, after opt.Bool
|
|
container opt.Bool
|
|
tailnetDefault bool
|
|
}{
|
|
{
|
|
before: opt.Bool(""),
|
|
tailnetDefault: true,
|
|
after: opt.NewBool(true),
|
|
},
|
|
{
|
|
before: opt.Bool(""),
|
|
tailnetDefault: false,
|
|
after: opt.NewBool(false),
|
|
},
|
|
{
|
|
before: opt.Bool("unset"),
|
|
tailnetDefault: true,
|
|
after: opt.NewBool(true),
|
|
},
|
|
{
|
|
before: opt.Bool("unset"),
|
|
tailnetDefault: false,
|
|
after: opt.NewBool(false),
|
|
},
|
|
{
|
|
before: opt.NewBool(false),
|
|
tailnetDefault: true,
|
|
after: opt.NewBool(false),
|
|
},
|
|
{
|
|
before: opt.NewBool(true),
|
|
tailnetDefault: false,
|
|
after: opt.NewBool(true),
|
|
},
|
|
{
|
|
before: opt.Bool(""),
|
|
container: opt.NewBool(true),
|
|
tailnetDefault: true,
|
|
after: opt.Bool(""),
|
|
},
|
|
{
|
|
before: opt.NewBool(false),
|
|
container: opt.NewBool(true),
|
|
tailnetDefault: true,
|
|
after: opt.NewBool(false),
|
|
},
|
|
{
|
|
before: opt.NewBool(true),
|
|
container: opt.NewBool(true),
|
|
tailnetDefault: false,
|
|
after: opt.NewBool(true),
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(fmt.Sprintf("before=%s,after=%s", tt.before, tt.after), func(t *testing.T) {
|
|
b := newTestBackend(t)
|
|
b.hostinfo = hostinfo.New()
|
|
b.hostinfo.Container = tt.container
|
|
p := ipn.NewPrefs()
|
|
p.AutoUpdate.Apply = tt.before
|
|
if err := b.pm.setPrefsLocked(p.View()); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
b.onTailnetDefaultAutoUpdate(tt.tailnetDefault)
|
|
want := tt.after
|
|
// On platforms that don't support auto-update we can never
|
|
// transition to auto-updates being enabled. The value should
|
|
// remain unchanged after onTailnetDefaultAutoUpdate.
|
|
if !clientupdate.CanAutoUpdate() && want.EqualBool(true) {
|
|
want = tt.before
|
|
}
|
|
if got := b.pm.CurrentPrefs().AutoUpdate().Apply; got != want {
|
|
t.Errorf("got: %q, want %q", got, want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestTCPHandlerForDst(t *testing.T) {
|
|
b := newTestBackend(t)
|
|
|
|
tests := []struct {
|
|
desc string
|
|
dst string
|
|
intercept bool
|
|
}{
|
|
{
|
|
desc: "intercept port 80 (Web UI) on quad100 IPv4",
|
|
dst: "100.100.100.100:80",
|
|
intercept: true,
|
|
},
|
|
{
|
|
desc: "intercept port 80 (Web UI) on quad100 IPv6",
|
|
dst: "[fd7a:115c:a1e0::53]:80",
|
|
intercept: true,
|
|
},
|
|
{
|
|
desc: "don't intercept port 80 on local ip",
|
|
dst: "100.100.103.100:80",
|
|
intercept: false,
|
|
},
|
|
{
|
|
desc: "intercept port 8080 (Taildrive) on quad100 IPv4",
|
|
dst: "100.100.100.100:8080",
|
|
intercept: true,
|
|
},
|
|
{
|
|
desc: "intercept port 8080 (Taildrive) on quad100 IPv6",
|
|
dst: "[fd7a:115c:a1e0::53]:8080",
|
|
intercept: true,
|
|
},
|
|
{
|
|
desc: "don't intercept port 8080 on local ip",
|
|
dst: "100.100.103.100:8080",
|
|
intercept: false,
|
|
},
|
|
{
|
|
desc: "don't intercept port 9080 on quad100 IPv4",
|
|
dst: "100.100.100.100:9080",
|
|
intercept: false,
|
|
},
|
|
{
|
|
desc: "don't intercept port 9080 on quad100 IPv6",
|
|
dst: "[fd7a:115c:a1e0::53]:9080",
|
|
intercept: false,
|
|
},
|
|
{
|
|
desc: "don't intercept port 9080 on local ip",
|
|
dst: "100.100.103.100:9080",
|
|
intercept: false,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.dst, func(t *testing.T) {
|
|
t.Log(tt.desc)
|
|
src := netip.MustParseAddrPort("100.100.102.100:51234")
|
|
h, _ := b.TCPHandlerForDst(src, netip.MustParseAddrPort(tt.dst))
|
|
if !tt.intercept && h != nil {
|
|
t.Error("intercepted traffic we shouldn't have")
|
|
} else if tt.intercept && h == nil {
|
|
t.Error("failed to intercept traffic we should have")
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestDriveManageShares(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
disabled bool
|
|
existing []*drive.Share
|
|
add *drive.Share
|
|
remove string
|
|
rename [2]string
|
|
expect any
|
|
}{
|
|
{
|
|
name: "append",
|
|
existing: []*drive.Share{
|
|
{Name: "b"},
|
|
{Name: "d"},
|
|
},
|
|
add: &drive.Share{Name: " E "},
|
|
expect: []*drive.Share{
|
|
{Name: "b"},
|
|
{Name: "d"},
|
|
{Name: "e"},
|
|
},
|
|
},
|
|
{
|
|
name: "prepend",
|
|
existing: []*drive.Share{
|
|
{Name: "b"},
|
|
{Name: "d"},
|
|
},
|
|
add: &drive.Share{Name: " A "},
|
|
expect: []*drive.Share{
|
|
{Name: "a"},
|
|
{Name: "b"},
|
|
{Name: "d"},
|
|
},
|
|
},
|
|
{
|
|
name: "insert",
|
|
existing: []*drive.Share{
|
|
{Name: "b"},
|
|
{Name: "d"},
|
|
},
|
|
add: &drive.Share{Name: " C "},
|
|
expect: []*drive.Share{
|
|
{Name: "b"},
|
|
{Name: "c"},
|
|
{Name: "d"},
|
|
},
|
|
},
|
|
{
|
|
name: "replace",
|
|
existing: []*drive.Share{
|
|
{Name: "b", Path: "i"},
|
|
{Name: "d"},
|
|
},
|
|
add: &drive.Share{Name: " B ", Path: "ii"},
|
|
expect: []*drive.Share{
|
|
{Name: "b", Path: "ii"},
|
|
{Name: "d"},
|
|
},
|
|
},
|
|
{
|
|
name: "add_bad_name",
|
|
add: &drive.Share{Name: "$"},
|
|
expect: drive.ErrInvalidShareName,
|
|
},
|
|
{
|
|
name: "add_disabled",
|
|
disabled: true,
|
|
add: &drive.Share{Name: "a"},
|
|
expect: drive.ErrDriveNotEnabled,
|
|
},
|
|
{
|
|
name: "remove",
|
|
existing: []*drive.Share{
|
|
{Name: "a"},
|
|
{Name: "b"},
|
|
{Name: "c"},
|
|
},
|
|
remove: "b",
|
|
expect: []*drive.Share{
|
|
{Name: "a"},
|
|
{Name: "c"},
|
|
},
|
|
},
|
|
{
|
|
name: "remove_non_existing",
|
|
existing: []*drive.Share{
|
|
{Name: "a"},
|
|
{Name: "b"},
|
|
{Name: "c"},
|
|
},
|
|
remove: "D",
|
|
expect: os.ErrNotExist,
|
|
},
|
|
{
|
|
name: "remove_disabled",
|
|
disabled: true,
|
|
remove: "b",
|
|
expect: drive.ErrDriveNotEnabled,
|
|
},
|
|
{
|
|
name: "rename",
|
|
existing: []*drive.Share{
|
|
{Name: "a"},
|
|
{Name: "b"},
|
|
},
|
|
rename: [2]string{"a", " C "},
|
|
expect: []*drive.Share{
|
|
{Name: "b"},
|
|
{Name: "c"},
|
|
},
|
|
},
|
|
{
|
|
name: "rename_not_exist",
|
|
existing: []*drive.Share{
|
|
{Name: "a"},
|
|
{Name: "b"},
|
|
},
|
|
rename: [2]string{"d", "c"},
|
|
expect: os.ErrNotExist,
|
|
},
|
|
{
|
|
name: "rename_exists",
|
|
existing: []*drive.Share{
|
|
{Name: "a"},
|
|
{Name: "b"},
|
|
},
|
|
rename: [2]string{"a", "b"},
|
|
expect: os.ErrExist,
|
|
},
|
|
{
|
|
name: "rename_bad_name",
|
|
rename: [2]string{"a", "$"},
|
|
expect: drive.ErrInvalidShareName,
|
|
},
|
|
{
|
|
name: "rename_disabled",
|
|
disabled: true,
|
|
rename: [2]string{"a", "c"},
|
|
expect: drive.ErrDriveNotEnabled,
|
|
},
|
|
}
|
|
|
|
drive.DisallowShareAs = true
|
|
t.Cleanup(func() {
|
|
drive.DisallowShareAs = false
|
|
})
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
b := newTestBackend(t)
|
|
b.mu.Lock()
|
|
if tt.existing != nil {
|
|
b.driveSetSharesLocked(tt.existing)
|
|
}
|
|
if !tt.disabled {
|
|
self := b.netMap.SelfNode.AsStruct()
|
|
self.CapMap = tailcfg.NodeCapMap{tailcfg.NodeAttrsTaildriveShare: nil}
|
|
b.netMap.SelfNode = self.View()
|
|
b.sys.Set(driveimpl.NewFileSystemForRemote(b.logf))
|
|
}
|
|
b.mu.Unlock()
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
|
|
t.Cleanup(cancel)
|
|
|
|
result := make(chan views.SliceView[*drive.Share, drive.ShareView], 1)
|
|
|
|
var wg sync.WaitGroup
|
|
wg.Add(1)
|
|
go b.WatchNotifications(
|
|
ctx,
|
|
0,
|
|
func() { wg.Done() },
|
|
func(n *ipn.Notify) bool {
|
|
select {
|
|
case result <- n.DriveShares:
|
|
default:
|
|
//
|
|
}
|
|
return false
|
|
},
|
|
)
|
|
wg.Wait()
|
|
|
|
var err error
|
|
switch {
|
|
case tt.add != nil:
|
|
err = b.DriveSetShare(tt.add)
|
|
case tt.remove != "":
|
|
err = b.DriveRemoveShare(tt.remove)
|
|
default:
|
|
err = b.DriveRenameShare(tt.rename[0], tt.rename[1])
|
|
}
|
|
|
|
switch e := tt.expect.(type) {
|
|
case error:
|
|
if !errors.Is(err, e) {
|
|
t.Errorf("expected error, want: %v got: %v", e, err)
|
|
}
|
|
case []*drive.Share:
|
|
if err != nil {
|
|
t.Errorf("unexpected error: %v", err)
|
|
} else {
|
|
r := <-result
|
|
|
|
got, err := json.MarshalIndent(r, "", " ")
|
|
if err != nil {
|
|
t.Fatalf("can't marshal got: %v", err)
|
|
}
|
|
want, err := json.MarshalIndent(e, "", " ")
|
|
if err != nil {
|
|
t.Fatalf("can't marshal want: %v", err)
|
|
}
|
|
if diff := cmp.Diff(string(got), string(want)); diff != "" {
|
|
t.Errorf("wrong shares; (-got+want):%v", diff)
|
|
}
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestValidPopBrowserURL(t *testing.T) {
|
|
b := newTestBackend(t)
|
|
tests := []struct {
|
|
desc string
|
|
controlURL string
|
|
popBrowserURL string
|
|
want bool
|
|
}{
|
|
{"saas_login", "https://login.tailscale.com", "https://login.tailscale.com/a/foo", true},
|
|
{"saas_controlplane", "https://controlplane.tailscale.com", "https://controlplane.tailscale.com/a/foo", true},
|
|
{"saas_root", "https://login.tailscale.com", "https://tailscale.com/", true},
|
|
{"saas_bad_hostname", "https://login.tailscale.com", "https://example.com/a/foo", false},
|
|
{"localhost", "http://localhost", "http://localhost/a/foo", true},
|
|
{"custom_control_url_https", "https://example.com", "https://example.com/a/foo", true},
|
|
{"custom_control_url_https_diff_domain", "https://example.com", "https://other.com/a/foo", true},
|
|
{"custom_control_url_http", "http://example.com", "http://example.com/a/foo", true},
|
|
{"custom_control_url_http_diff_domain", "http://example.com", "http://other.com/a/foo", true},
|
|
{"bad_scheme", "https://example.com", "http://example.com/a/foo", false},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.desc, func(t *testing.T) {
|
|
if _, err := b.EditPrefs(&ipn.MaskedPrefs{
|
|
ControlURLSet: true,
|
|
Prefs: ipn.Prefs{
|
|
ControlURL: tt.controlURL,
|
|
},
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
got := b.validPopBrowserURL(tt.popBrowserURL)
|
|
if got != tt.want {
|
|
t.Errorf("got %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestRoundTraffic(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
bytes int64
|
|
want float64
|
|
}{
|
|
{name: "under 5 bytes", bytes: 4, want: 4},
|
|
{name: "under 1000 bytes", bytes: 987, want: 990},
|
|
{name: "under 10_000 bytes", bytes: 8875, want: 8900},
|
|
{name: "under 100_000 bytes", bytes: 77777, want: 78000},
|
|
{name: "under 1_000_000 bytes", bytes: 666523, want: 670000},
|
|
{name: "under 10_000_000 bytes", bytes: 22556677, want: 23000000},
|
|
{name: "under 1_000_000_000 bytes", bytes: 1234234234, want: 1200000000},
|
|
{name: "under 1_000_000_000 bytes", bytes: 123423423499, want: 123400000000},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if result := roundTraffic(tt.bytes); result != tt.want {
|
|
t.Errorf("unexpected rounding got %v want %v", result, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func (b *LocalBackend) SetPrefsForTest(newp *ipn.Prefs) {
|
|
if newp == nil {
|
|
panic("SetPrefsForTest got nil prefs")
|
|
}
|
|
unlock := b.lockAndGetUnlock()
|
|
defer unlock()
|
|
b.setPrefsLockedOnEntry(newp, unlock)
|
|
}
|
|
|
|
type peerOptFunc func(*tailcfg.Node)
|
|
|
|
func makePeer(id tailcfg.NodeID, opts ...peerOptFunc) tailcfg.NodeView {
|
|
node := &tailcfg.Node{
|
|
ID: id,
|
|
StableID: tailcfg.StableNodeID(fmt.Sprintf("stable%d", id)),
|
|
Name: fmt.Sprintf("peer%d", id),
|
|
DERP: fmt.Sprintf("127.3.3.40:%d", id),
|
|
}
|
|
for _, opt := range opts {
|
|
opt(node)
|
|
}
|
|
return node.View()
|
|
}
|
|
|
|
func withName(name string) peerOptFunc {
|
|
return func(n *tailcfg.Node) {
|
|
n.Name = name
|
|
}
|
|
}
|
|
|
|
func withDERP(region int) peerOptFunc {
|
|
return func(n *tailcfg.Node) {
|
|
n.DERP = fmt.Sprintf("127.3.3.40:%d", region)
|
|
}
|
|
}
|
|
|
|
func withoutDERP() peerOptFunc {
|
|
return func(n *tailcfg.Node) {
|
|
n.DERP = ""
|
|
}
|
|
}
|
|
|
|
func withLocation(loc tailcfg.LocationView) peerOptFunc {
|
|
return func(n *tailcfg.Node) {
|
|
var hi *tailcfg.Hostinfo
|
|
if n.Hostinfo.Valid() {
|
|
hi = n.Hostinfo.AsStruct()
|
|
} else {
|
|
hi = new(tailcfg.Hostinfo)
|
|
}
|
|
hi.Location = loc.AsStruct()
|
|
|
|
n.Hostinfo = hi.View()
|
|
}
|
|
}
|
|
|
|
func withExitRoutes() peerOptFunc {
|
|
return func(n *tailcfg.Node) {
|
|
n.AllowedIPs = append(n.AllowedIPs, tsaddr.ExitRoutes()...)
|
|
}
|
|
}
|
|
|
|
func withSuggest() peerOptFunc {
|
|
return func(n *tailcfg.Node) {
|
|
mak.Set(&n.CapMap, tailcfg.NodeAttrSuggestExitNode, []tailcfg.RawMessage{})
|
|
}
|
|
}
|
|
|
|
func deterministicRegionForTest(t testing.TB, want views.Slice[int], use int) selectRegionFunc {
|
|
t.Helper()
|
|
|
|
if !views.SliceContains(want, use) {
|
|
t.Errorf("invalid test: use %v is not in want %v", use, want)
|
|
}
|
|
|
|
return func(got views.Slice[int]) int {
|
|
if !views.SliceEqualAnyOrder(got, want) {
|
|
t.Errorf("candidate regions = %v, want %v", got, want)
|
|
}
|
|
return use
|
|
}
|
|
}
|
|
|
|
func deterministicNodeForTest(t testing.TB, want views.Slice[tailcfg.StableNodeID], wantLast tailcfg.StableNodeID, use tailcfg.StableNodeID) selectNodeFunc {
|
|
t.Helper()
|
|
|
|
if !views.SliceContains(want, use) {
|
|
t.Errorf("invalid test: use %v is not in want %v", use, want)
|
|
}
|
|
|
|
return func(got views.Slice[tailcfg.NodeView], last tailcfg.StableNodeID) tailcfg.NodeView {
|
|
var ret tailcfg.NodeView
|
|
|
|
gotIDs := make([]tailcfg.StableNodeID, got.Len())
|
|
for i := range got.Len() {
|
|
nv := got.At(i)
|
|
if !nv.Valid() {
|
|
t.Fatalf("invalid node at index %v", i)
|
|
}
|
|
|
|
gotIDs[i] = nv.StableID()
|
|
if nv.StableID() == use {
|
|
ret = nv
|
|
}
|
|
}
|
|
if !views.SliceEqualAnyOrder(views.SliceOf(gotIDs), want) {
|
|
t.Errorf("candidate nodes = %v, want %v", gotIDs, want)
|
|
}
|
|
if last != wantLast {
|
|
t.Errorf("last node = %v, want %v", last, wantLast)
|
|
}
|
|
if !ret.Valid() {
|
|
t.Fatalf("did not find matching node in %v, want %v", gotIDs, use)
|
|
}
|
|
|
|
return ret
|
|
}
|
|
}
|
|
|
|
func TestSuggestExitNode(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
defaultDERPMap := &tailcfg.DERPMap{
|
|
Regions: map[int]*tailcfg.DERPRegion{
|
|
1: {
|
|
Latitude: 32,
|
|
Longitude: -97,
|
|
},
|
|
2: {},
|
|
3: {},
|
|
},
|
|
}
|
|
|
|
preferred1Report := &netcheck.Report{
|
|
RegionLatency: map[int]time.Duration{
|
|
1: 10 * time.Millisecond,
|
|
2: 20 * time.Millisecond,
|
|
3: 30 * time.Millisecond,
|
|
},
|
|
PreferredDERP: 1,
|
|
}
|
|
noLatency1Report := &netcheck.Report{
|
|
RegionLatency: map[int]time.Duration{
|
|
1: 0,
|
|
2: 0,
|
|
3: 0,
|
|
},
|
|
PreferredDERP: 1,
|
|
}
|
|
preferredNoneReport := &netcheck.Report{
|
|
RegionLatency: map[int]time.Duration{
|
|
1: 10 * time.Millisecond,
|
|
2: 20 * time.Millisecond,
|
|
3: 30 * time.Millisecond,
|
|
},
|
|
PreferredDERP: 0,
|
|
}
|
|
|
|
dallas := tailcfg.Location{
|
|
Latitude: 32.779167,
|
|
Longitude: -96.808889,
|
|
Priority: 100,
|
|
}
|
|
sanJose := tailcfg.Location{
|
|
Latitude: 37.3382082,
|
|
Longitude: -121.8863286,
|
|
Priority: 20,
|
|
}
|
|
fortWorth := tailcfg.Location{
|
|
Latitude: 32.756389,
|
|
Longitude: -97.3325,
|
|
Priority: 150,
|
|
}
|
|
fortWorthLowPriority := tailcfg.Location{
|
|
Latitude: 32.756389,
|
|
Longitude: -97.3325,
|
|
Priority: 100,
|
|
}
|
|
|
|
peer1 := makePeer(1,
|
|
withExitRoutes(),
|
|
withSuggest())
|
|
peer2DERP1 := makePeer(2,
|
|
withDERP(1),
|
|
withExitRoutes(),
|
|
withSuggest())
|
|
peer3 := makePeer(3,
|
|
withExitRoutes(),
|
|
withSuggest())
|
|
peer4DERP3 := makePeer(4,
|
|
withDERP(3),
|
|
withExitRoutes(),
|
|
withSuggest())
|
|
dallasPeer5 := makePeer(5,
|
|
withName("Dallas"),
|
|
withoutDERP(),
|
|
withExitRoutes(),
|
|
withSuggest(),
|
|
withLocation(dallas.View()))
|
|
sanJosePeer6 := makePeer(6,
|
|
withName("San Jose"),
|
|
withoutDERP(),
|
|
withExitRoutes(),
|
|
withSuggest(),
|
|
withLocation(sanJose.View()))
|
|
fortWorthPeer7 := makePeer(7,
|
|
withName("Fort Worth"),
|
|
withoutDERP(),
|
|
withExitRoutes(),
|
|
withSuggest(),
|
|
withLocation(fortWorth.View()))
|
|
fortWorthPeer8LowPriority := makePeer(8,
|
|
withName("Fort Worth Low"),
|
|
withoutDERP(),
|
|
withExitRoutes(),
|
|
withSuggest(),
|
|
withLocation(fortWorthLowPriority.View()))
|
|
|
|
selfNode := tailcfg.Node{
|
|
Addresses: []netip.Prefix{
|
|
netip.MustParsePrefix("100.64.1.1/32"),
|
|
netip.MustParsePrefix("fe70::1/128"),
|
|
},
|
|
}
|
|
|
|
defaultNetmap := &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
peer2DERP1,
|
|
peer3,
|
|
},
|
|
}
|
|
locationNetmap := &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
dallasPeer5,
|
|
sanJosePeer6,
|
|
},
|
|
}
|
|
largeNetmap := &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
peer1,
|
|
peer2DERP1,
|
|
peer3,
|
|
peer4DERP3,
|
|
dallasPeer5,
|
|
sanJosePeer6,
|
|
fortWorthPeer7,
|
|
},
|
|
}
|
|
|
|
tests := []struct {
|
|
name string
|
|
|
|
lastReport *netcheck.Report
|
|
netMap *netmap.NetworkMap
|
|
lastSuggestion tailcfg.StableNodeID
|
|
|
|
allowPolicy []tailcfg.StableNodeID
|
|
|
|
wantRegions []int
|
|
useRegion int
|
|
|
|
wantNodes []tailcfg.StableNodeID
|
|
|
|
wantID tailcfg.StableNodeID
|
|
wantName string
|
|
wantLocation tailcfg.LocationView
|
|
|
|
wantError error
|
|
}{
|
|
{
|
|
name: "2 exit nodes in same region",
|
|
lastReport: preferred1Report,
|
|
netMap: &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
peer1,
|
|
peer2DERP1,
|
|
},
|
|
},
|
|
wantNodes: []tailcfg.StableNodeID{
|
|
"stable1",
|
|
"stable2",
|
|
},
|
|
wantName: "peer1",
|
|
wantID: "stable1",
|
|
},
|
|
{
|
|
name: "2 exit nodes different regions unknown latency",
|
|
lastReport: noLatency1Report,
|
|
netMap: defaultNetmap,
|
|
wantRegions: []int{1, 3}, // the only regions with peers
|
|
useRegion: 1,
|
|
wantName: "peer2",
|
|
wantID: "stable2",
|
|
},
|
|
{
|
|
name: "2 derp based exit nodes, different regions, equal latency",
|
|
lastReport: &netcheck.Report{
|
|
RegionLatency: map[int]time.Duration{
|
|
1: 10,
|
|
2: 20,
|
|
3: 10,
|
|
},
|
|
PreferredDERP: 1,
|
|
},
|
|
netMap: &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
peer1,
|
|
peer3,
|
|
},
|
|
},
|
|
wantRegions: []int{1, 2},
|
|
useRegion: 1,
|
|
wantName: "peer1",
|
|
wantID: "stable1",
|
|
},
|
|
{
|
|
name: "mullvad nodes, no derp based exit nodes",
|
|
lastReport: noLatency1Report,
|
|
netMap: locationNetmap,
|
|
wantID: "stable5",
|
|
wantLocation: dallas.View(),
|
|
wantName: "Dallas",
|
|
},
|
|
{
|
|
name: "nearby mullvad nodes with different priorities",
|
|
lastReport: noLatency1Report,
|
|
netMap: &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
dallasPeer5,
|
|
sanJosePeer6,
|
|
fortWorthPeer7,
|
|
},
|
|
},
|
|
wantID: "stable7",
|
|
wantLocation: fortWorth.View(),
|
|
wantName: "Fort Worth",
|
|
},
|
|
{
|
|
name: "nearby mullvad nodes with same priorities",
|
|
lastReport: noLatency1Report,
|
|
netMap: &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
dallasPeer5,
|
|
sanJosePeer6,
|
|
fortWorthPeer8LowPriority,
|
|
},
|
|
},
|
|
wantNodes: []tailcfg.StableNodeID{"stable5", "stable8"},
|
|
wantID: "stable5",
|
|
wantLocation: dallas.View(),
|
|
wantName: "Dallas",
|
|
},
|
|
{
|
|
name: "mullvad nodes, remaining node is not in preferred derp",
|
|
lastReport: noLatency1Report,
|
|
netMap: &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
dallasPeer5,
|
|
sanJosePeer6,
|
|
peer4DERP3,
|
|
},
|
|
},
|
|
useRegion: 3,
|
|
wantID: "stable4",
|
|
wantName: "peer4",
|
|
},
|
|
{
|
|
name: "no peers",
|
|
lastReport: noLatency1Report,
|
|
netMap: &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
},
|
|
},
|
|
{
|
|
name: "no preferred derp region",
|
|
lastReport: preferredNoneReport,
|
|
netMap: &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
},
|
|
wantError: ErrNoPreferredDERP,
|
|
},
|
|
{
|
|
name: "missing suggestion capability",
|
|
lastReport: noLatency1Report,
|
|
netMap: &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
makePeer(1, withExitRoutes()),
|
|
makePeer(2, withLocation(dallas.View()), withExitRoutes()),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "prefer last node",
|
|
lastReport: preferred1Report,
|
|
netMap: &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
peer1,
|
|
peer2DERP1,
|
|
},
|
|
},
|
|
lastSuggestion: "stable2",
|
|
wantNodes: []tailcfg.StableNodeID{
|
|
"stable1",
|
|
"stable2",
|
|
},
|
|
wantName: "peer2",
|
|
wantID: "stable2",
|
|
},
|
|
{
|
|
name: "found better derp node",
|
|
lastSuggestion: "stable3",
|
|
lastReport: preferred1Report,
|
|
netMap: defaultNetmap,
|
|
wantID: "stable2",
|
|
wantName: "peer2",
|
|
},
|
|
{
|
|
name: "prefer last mullvad node",
|
|
lastSuggestion: "stable2",
|
|
lastReport: preferred1Report,
|
|
netMap: &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
dallasPeer5,
|
|
sanJosePeer6,
|
|
fortWorthPeer8LowPriority,
|
|
},
|
|
},
|
|
wantNodes: []tailcfg.StableNodeID{"stable5", "stable8"},
|
|
wantID: "stable5",
|
|
wantName: "Dallas",
|
|
wantLocation: dallas.View(),
|
|
},
|
|
{
|
|
name: "prefer better mullvad node",
|
|
lastSuggestion: "stable2",
|
|
lastReport: preferred1Report,
|
|
netMap: &netmap.NetworkMap{
|
|
SelfNode: selfNode.View(),
|
|
DERPMap: defaultDERPMap,
|
|
Peers: []tailcfg.NodeView{
|
|
dallasPeer5,
|
|
sanJosePeer6,
|
|
fortWorthPeer7,
|
|
},
|
|
},
|
|
wantNodes: []tailcfg.StableNodeID{"stable7"},
|
|
wantID: "stable7",
|
|
wantName: "Fort Worth",
|
|
wantLocation: fortWorth.View(),
|
|
},
|
|
{
|
|
name: "large netmap",
|
|
lastReport: preferred1Report,
|
|
netMap: largeNetmap,
|
|
wantNodes: []tailcfg.StableNodeID{"stable1", "stable2"},
|
|
wantID: "stable2",
|
|
wantName: "peer2",
|
|
},
|
|
{
|
|
name: "no allowed suggestions",
|
|
lastReport: preferred1Report,
|
|
netMap: largeNetmap,
|
|
allowPolicy: []tailcfg.StableNodeID{},
|
|
},
|
|
{
|
|
name: "only derp suggestions",
|
|
lastReport: preferred1Report,
|
|
netMap: largeNetmap,
|
|
allowPolicy: []tailcfg.StableNodeID{"stable1", "stable2", "stable3"},
|
|
wantNodes: []tailcfg.StableNodeID{"stable1", "stable2"},
|
|
wantID: "stable2",
|
|
wantName: "peer2",
|
|
},
|
|
{
|
|
name: "only mullvad suggestions",
|
|
lastReport: preferred1Report,
|
|
netMap: largeNetmap,
|
|
allowPolicy: []tailcfg.StableNodeID{"stable5", "stable6", "stable7"},
|
|
wantID: "stable7",
|
|
wantName: "Fort Worth",
|
|
wantLocation: fortWorth.View(),
|
|
},
|
|
{
|
|
name: "only worst derp",
|
|
lastReport: preferred1Report,
|
|
netMap: largeNetmap,
|
|
allowPolicy: []tailcfg.StableNodeID{"stable3"},
|
|
wantID: "stable3",
|
|
wantName: "peer3",
|
|
},
|
|
{
|
|
name: "only worst mullvad",
|
|
lastReport: preferred1Report,
|
|
netMap: largeNetmap,
|
|
allowPolicy: []tailcfg.StableNodeID{"stable6"},
|
|
wantID: "stable6",
|
|
wantName: "San Jose",
|
|
wantLocation: sanJose.View(),
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
wantRegions := tt.wantRegions
|
|
if wantRegions == nil {
|
|
wantRegions = []int{tt.useRegion}
|
|
}
|
|
selectRegion := deterministicRegionForTest(t, views.SliceOf(wantRegions), tt.useRegion)
|
|
|
|
wantNodes := tt.wantNodes
|
|
if wantNodes == nil {
|
|
wantNodes = []tailcfg.StableNodeID{tt.wantID}
|
|
}
|
|
selectNode := deterministicNodeForTest(t, views.SliceOf(wantNodes), tt.lastSuggestion, tt.wantID)
|
|
|
|
var allowList set.Set[tailcfg.StableNodeID]
|
|
if tt.allowPolicy != nil {
|
|
allowList = set.SetOf(tt.allowPolicy)
|
|
}
|
|
|
|
got, err := suggestExitNode(tt.lastReport, tt.netMap, tt.lastSuggestion, selectRegion, selectNode, allowList)
|
|
if got.Name != tt.wantName {
|
|
t.Errorf("name=%v, want %v", got.Name, tt.wantName)
|
|
}
|
|
if got.ID != tt.wantID {
|
|
t.Errorf("ID=%v, want %v", got.ID, tt.wantID)
|
|
}
|
|
if tt.wantError == nil && err != nil {
|
|
t.Errorf("err=%v, want no error", err)
|
|
}
|
|
if tt.wantError != nil && !errors.Is(err, tt.wantError) {
|
|
t.Errorf("err=%v, want %v", err, tt.wantError)
|
|
}
|
|
if !reflect.DeepEqual(got.Location, tt.wantLocation) {
|
|
t.Errorf("location=%v, want %v", got.Location, tt.wantLocation)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSuggestExitNodePickWeighted(t *testing.T) {
|
|
location10 := tailcfg.Location{
|
|
Priority: 10,
|
|
}
|
|
location20 := tailcfg.Location{
|
|
Priority: 20,
|
|
}
|
|
|
|
tests := []struct {
|
|
name string
|
|
candidates []tailcfg.NodeView
|
|
wantIDs []tailcfg.StableNodeID
|
|
}{
|
|
{
|
|
name: "different priorities",
|
|
candidates: []tailcfg.NodeView{
|
|
makePeer(2, withExitRoutes(), withLocation(location20.View())),
|
|
makePeer(3, withExitRoutes(), withLocation(location10.View())),
|
|
},
|
|
wantIDs: []tailcfg.StableNodeID{"stable2"},
|
|
},
|
|
{
|
|
name: "same priorities",
|
|
candidates: []tailcfg.NodeView{
|
|
makePeer(2, withExitRoutes(), withLocation(location10.View())),
|
|
makePeer(3, withExitRoutes(), withLocation(location10.View())),
|
|
},
|
|
wantIDs: []tailcfg.StableNodeID{"stable2", "stable3"},
|
|
},
|
|
{
|
|
name: "<1 candidates",
|
|
candidates: []tailcfg.NodeView{},
|
|
},
|
|
{
|
|
name: "1 candidate",
|
|
candidates: []tailcfg.NodeView{
|
|
makePeer(2, withExitRoutes(), withLocation(location20.View())),
|
|
},
|
|
wantIDs: []tailcfg.StableNodeID{"stable2"},
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got := pickWeighted(tt.candidates)
|
|
gotIDs := make([]tailcfg.StableNodeID, 0, len(got))
|
|
for _, n := range got {
|
|
if !n.Valid() {
|
|
gotIDs = append(gotIDs, "<invalid>")
|
|
continue
|
|
}
|
|
gotIDs = append(gotIDs, n.StableID())
|
|
}
|
|
if !views.SliceEqualAnyOrder(views.SliceOf(gotIDs), views.SliceOf(tt.wantIDs)) {
|
|
t.Errorf("node IDs = %v, want %v", gotIDs, tt.wantIDs)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSuggestExitNodeLongLatDistance(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
fromLat float64
|
|
fromLong float64
|
|
toLat float64
|
|
toLong float64
|
|
want float64
|
|
}{
|
|
{
|
|
name: "zero values",
|
|
fromLat: 0,
|
|
fromLong: 0,
|
|
toLat: 0,
|
|
toLong: 0,
|
|
want: 0,
|
|
},
|
|
{
|
|
name: "valid values",
|
|
fromLat: 40.73061,
|
|
fromLong: -73.935242,
|
|
toLat: 37.3382082,
|
|
toLong: -121.8863286,
|
|
want: 4117266.873301274,
|
|
},
|
|
{
|
|
name: "valid values, locations in north and south of equator",
|
|
fromLat: 40.73061,
|
|
fromLong: -73.935242,
|
|
toLat: -33.861481,
|
|
toLong: 151.205475,
|
|
want: 15994089.144368416,
|
|
},
|
|
}
|
|
// The wanted values are computed using a more precise algorithm using the WGS84 model but
|
|
// longLatDistance uses a spherical approximation for simplicity. To account for this, we allow for
|
|
// 10km of error.
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got := longLatDistance(tt.fromLat, tt.fromLong, tt.toLat, tt.toLong)
|
|
const maxError = 10000 // 10km
|
|
if math.Abs(got-tt.want) > maxError {
|
|
t.Errorf("distance=%vm, want within %vm of %vm", got, maxError, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestMinLatencyDERPregion(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
regions []int
|
|
report *netcheck.Report
|
|
wantRegion int
|
|
}{
|
|
{
|
|
name: "regions, no latency values",
|
|
regions: []int{1, 2, 3},
|
|
wantRegion: 0,
|
|
report: &netcheck.Report{},
|
|
},
|
|
{
|
|
name: "regions, different latency values",
|
|
regions: []int{1, 2, 3},
|
|
wantRegion: 2,
|
|
report: &netcheck.Report{
|
|
RegionLatency: map[int]time.Duration{
|
|
1: 10 * time.Millisecond,
|
|
2: 5 * time.Millisecond,
|
|
3: 30 * time.Millisecond,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "regions, same values",
|
|
regions: []int{1, 2, 3},
|
|
wantRegion: 1,
|
|
report: &netcheck.Report{
|
|
RegionLatency: map[int]time.Duration{
|
|
1: 10 * time.Millisecond,
|
|
2: 10 * time.Millisecond,
|
|
3: 10 * time.Millisecond,
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got := minLatencyDERPRegion(tt.regions, tt.report)
|
|
if got != tt.wantRegion {
|
|
t.Errorf("got region %v want region %v", got, tt.wantRegion)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestEnableAutoUpdates(t *testing.T) {
|
|
lb := newTestLocalBackend(t)
|
|
|
|
_, err := lb.EditPrefs(&ipn.MaskedPrefs{
|
|
AutoUpdateSet: ipn.AutoUpdatePrefsMask{
|
|
ApplySet: true,
|
|
},
|
|
Prefs: ipn.Prefs{
|
|
AutoUpdate: ipn.AutoUpdatePrefs{
|
|
Apply: opt.NewBool(true),
|
|
},
|
|
},
|
|
})
|
|
// Enabling may fail, depending on which environment we are running this
|
|
// test in.
|
|
wantErr := !clientupdate.CanAutoUpdate()
|
|
gotErr := err != nil
|
|
if gotErr != wantErr {
|
|
t.Fatalf("enabling auto-updates: got error: %v (%v); want error: %v", gotErr, err, wantErr)
|
|
}
|
|
|
|
// Disabling should always succeed.
|
|
if _, err := lb.EditPrefs(&ipn.MaskedPrefs{
|
|
AutoUpdateSet: ipn.AutoUpdatePrefsMask{
|
|
ApplySet: true,
|
|
},
|
|
Prefs: ipn.Prefs{
|
|
AutoUpdate: ipn.AutoUpdatePrefs{
|
|
Apply: opt.NewBool(false),
|
|
},
|
|
},
|
|
}); err != nil {
|
|
t.Fatalf("disabling auto-updates: got error: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestReadWriteRouteInfo(t *testing.T) {
|
|
// set up a backend with more than one profile
|
|
b := newTestBackend(t)
|
|
prof1 := ipn.LoginProfile{ID: "id1", Key: "key1"}
|
|
prof2 := ipn.LoginProfile{ID: "id2", Key: "key2"}
|
|
b.pm.knownProfiles["id1"] = &prof1
|
|
b.pm.knownProfiles["id2"] = &prof2
|
|
b.pm.currentProfile = &prof1
|
|
|
|
// set up routeInfo
|
|
ri1 := &appc.RouteInfo{}
|
|
ri1.Wildcards = []string{"1"}
|
|
|
|
ri2 := &appc.RouteInfo{}
|
|
ri2.Wildcards = []string{"2"}
|
|
|
|
// read before write
|
|
readRi, err := b.readRouteInfoLocked()
|
|
if readRi != nil {
|
|
t.Fatalf("read before writing: want nil, got %v", readRi)
|
|
}
|
|
if err != ipn.ErrStateNotExist {
|
|
t.Fatalf("read before writing: want %v, got %v", ipn.ErrStateNotExist, err)
|
|
}
|
|
|
|
// write the first routeInfo
|
|
if err := b.storeRouteInfo(ri1); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// write the other routeInfo as the other profile
|
|
if err := b.pm.SwitchProfile("id2"); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := b.storeRouteInfo(ri2); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// read the routeInfo of the first profile
|
|
if err := b.pm.SwitchProfile("id1"); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
readRi, err = b.readRouteInfoLocked()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if !slices.Equal(readRi.Wildcards, ri1.Wildcards) {
|
|
t.Fatalf("read prof1 routeInfo wildcards: want %v, got %v", ri1.Wildcards, readRi.Wildcards)
|
|
}
|
|
|
|
// read the routeInfo of the second profile
|
|
if err := b.pm.SwitchProfile("id2"); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
readRi, err = b.readRouteInfoLocked()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if !slices.Equal(readRi.Wildcards, ri2.Wildcards) {
|
|
t.Fatalf("read prof2 routeInfo wildcards: want %v, got %v", ri2.Wildcards, readRi.Wildcards)
|
|
}
|
|
}
|
|
|
|
func TestFillAllowedSuggestions(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
allowPolicy []string
|
|
want []tailcfg.StableNodeID
|
|
}{
|
|
{
|
|
name: "unset",
|
|
},
|
|
{
|
|
name: "zero",
|
|
allowPolicy: []string{},
|
|
want: []tailcfg.StableNodeID{},
|
|
},
|
|
{
|
|
name: "one",
|
|
allowPolicy: []string{"one"},
|
|
want: []tailcfg.StableNodeID{"one"},
|
|
},
|
|
{
|
|
name: "many",
|
|
allowPolicy: []string{"one", "two", "three", "four"},
|
|
want: []tailcfg.StableNodeID{"one", "three", "four", "two"}, // order should not matter
|
|
},
|
|
{
|
|
name: "preserve case",
|
|
allowPolicy: []string{"ABC", "def", "gHiJ"},
|
|
want: []tailcfg.StableNodeID{"ABC", "def", "gHiJ"},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
mh := mockSyspolicyHandler{
|
|
t: t,
|
|
}
|
|
if tt.allowPolicy != nil {
|
|
mh.stringArrayPolicies = map[syspolicy.Key][]string{
|
|
syspolicy.AllowedSuggestedExitNodes: tt.allowPolicy,
|
|
}
|
|
}
|
|
syspolicy.SetHandlerForTest(t, &mh)
|
|
|
|
got := fillAllowedSuggestions()
|
|
if got == nil {
|
|
if tt.want == nil {
|
|
return
|
|
}
|
|
t.Errorf("got nil, want %v", tt.want)
|
|
}
|
|
if tt.want == nil {
|
|
t.Errorf("got %v, want nil", got)
|
|
}
|
|
|
|
if !got.Equal(set.SetOf(tt.want)) {
|
|
t.Errorf("got %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|