2019-11-19 18:00:20 +01:00
|
|
|
package nebula
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"io/ioutil"
|
|
|
|
|
"os"
|
|
|
|
|
"path/filepath"
|
|
|
|
|
"testing"
|
|
|
|
|
"time"
|
2020-07-01 00:53:30 +02:00
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
2019-11-19 18:00:20 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestConfig_Load(t *testing.T) {
|
2021-03-26 15:46:30 +01:00
|
|
|
l := NewTestLogger()
|
2019-11-19 18:00:20 +01:00
|
|
|
dir, err := ioutil.TempDir("", "config-test")
|
|
|
|
|
// invalid yaml
|
2021-03-26 15:46:30 +01:00
|
|
|
c := NewConfig(l)
|
2019-11-19 18:00:20 +01:00
|
|
|
ioutil.WriteFile(filepath.Join(dir, "01.yaml"), []byte(" invalid yaml"), 0644)
|
|
|
|
|
assert.EqualError(t, c.Load(dir), "yaml: unmarshal errors:\n line 1: cannot unmarshal !!str `invalid...` into map[interface {}]interface {}")
|
|
|
|
|
|
|
|
|
|
// simple multi config merge
|
2021-03-26 15:46:30 +01:00
|
|
|
c = NewConfig(l)
|
2019-11-19 18:00:20 +01:00
|
|
|
os.RemoveAll(dir)
|
|
|
|
|
os.Mkdir(dir, 0755)
|
|
|
|
|
|
|
|
|
|
assert.Nil(t, err)
|
|
|
|
|
|
|
|
|
|
ioutil.WriteFile(filepath.Join(dir, "01.yaml"), []byte("outer:\n inner: hi"), 0644)
|
|
|
|
|
ioutil.WriteFile(filepath.Join(dir, "02.yml"), []byte("outer:\n inner: override\nnew: hi"), 0644)
|
|
|
|
|
assert.Nil(t, c.Load(dir))
|
|
|
|
|
expected := map[interface{}]interface{}{
|
|
|
|
|
"outer": map[interface{}]interface{}{
|
|
|
|
|
"inner": "override",
|
|
|
|
|
},
|
|
|
|
|
"new": "hi",
|
|
|
|
|
}
|
|
|
|
|
assert.Equal(t, expected, c.Settings)
|
|
|
|
|
|
|
|
|
|
//TODO: test symlinked file
|
|
|
|
|
//TODO: test symlinked directory
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestConfig_Get(t *testing.T) {
|
2021-03-26 15:46:30 +01:00
|
|
|
l := NewTestLogger()
|
2019-11-19 18:00:20 +01:00
|
|
|
// test simple type
|
2021-03-26 15:46:30 +01:00
|
|
|
c := NewConfig(l)
|
2019-11-19 18:00:20 +01:00
|
|
|
c.Settings["firewall"] = map[interface{}]interface{}{"outbound": "hi"}
|
|
|
|
|
assert.Equal(t, "hi", c.Get("firewall.outbound"))
|
|
|
|
|
|
|
|
|
|
// test complex type
|
|
|
|
|
inner := []map[interface{}]interface{}{{"port": "1", "code": "2"}}
|
|
|
|
|
c.Settings["firewall"] = map[interface{}]interface{}{"outbound": inner}
|
|
|
|
|
assert.EqualValues(t, inner, c.Get("firewall.outbound"))
|
|
|
|
|
|
|
|
|
|
// test missing
|
|
|
|
|
assert.Nil(t, c.Get("firewall.nope"))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestConfig_GetStringSlice(t *testing.T) {
|
2021-03-26 15:46:30 +01:00
|
|
|
l := NewTestLogger()
|
|
|
|
|
c := NewConfig(l)
|
2019-11-19 18:00:20 +01:00
|
|
|
c.Settings["slice"] = []interface{}{"one", "two"}
|
|
|
|
|
assert.Equal(t, []string{"one", "two"}, c.GetStringSlice("slice", []string{}))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestConfig_GetBool(t *testing.T) {
|
2021-03-26 15:46:30 +01:00
|
|
|
l := NewTestLogger()
|
|
|
|
|
c := NewConfig(l)
|
2019-11-19 18:00:20 +01:00
|
|
|
c.Settings["bool"] = true
|
|
|
|
|
assert.Equal(t, true, c.GetBool("bool", false))
|
|
|
|
|
|
|
|
|
|
c.Settings["bool"] = "true"
|
|
|
|
|
assert.Equal(t, true, c.GetBool("bool", false))
|
|
|
|
|
|
|
|
|
|
c.Settings["bool"] = false
|
|
|
|
|
assert.Equal(t, false, c.GetBool("bool", true))
|
|
|
|
|
|
|
|
|
|
c.Settings["bool"] = "false"
|
|
|
|
|
assert.Equal(t, false, c.GetBool("bool", true))
|
|
|
|
|
|
|
|
|
|
c.Settings["bool"] = "Y"
|
|
|
|
|
assert.Equal(t, true, c.GetBool("bool", false))
|
|
|
|
|
|
|
|
|
|
c.Settings["bool"] = "yEs"
|
|
|
|
|
assert.Equal(t, true, c.GetBool("bool", false))
|
|
|
|
|
|
|
|
|
|
c.Settings["bool"] = "N"
|
|
|
|
|
assert.Equal(t, false, c.GetBool("bool", true))
|
|
|
|
|
|
|
|
|
|
c.Settings["bool"] = "nO"
|
|
|
|
|
assert.Equal(t, false, c.GetBool("bool", true))
|
|
|
|
|
}
|
|
|
|
|
|
Add lighthouse.{remoteAllowList,localAllowList} (#217)
These settings make it possible to blacklist / whitelist IP addresses
that are used for remote connections.
`lighthouse.remoteAllowList` filters which remote IPs are allow when
fetching from the lighthouse (or, if you are the lighthouse, which IPs
you store and forward to querying hosts). By default, any remote IPs are
allowed. You can provide CIDRs here with `true` to allow and `false` to
deny. The most specific CIDR rule applies to each remote. If all rules
are "allow", the default will be "deny", and vice-versa. If both "allow"
and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0"
as the default.
lighthouse:
remoteAllowList:
# Example to block IPs from this subnet from being used for remote IPs.
"172.16.0.0/12": false
# A more complicated example, allow public IPs but only private IPs from a specific subnet
"0.0.0.0/0": true
"10.0.0.0/8": false
"10.42.42.0/24": true
`lighthouse.localAllowList` has the same logic as above, but it applies
to the local addresses we advertise to the lighthouse. Additionally, you
can specify an `interfaces` map of regular expressions to match against
interface names. The regexp must match the entire name. All interface
rules must be either true or false (and the default rule will be the
inverse). CIDR rules are matched after interface name rules.
Default is all local IP addresses.
lighthouse:
localAllowList:
# Example to blacklist docker interfaces.
interfaces:
'docker.*': false
# Example to only advertise IPs in this subnet to the lighthouse.
"10.0.0.0/8": true
2020-04-08 21:36:43 +02:00
|
|
|
func TestConfig_GetAllowList(t *testing.T) {
|
2021-03-26 15:46:30 +01:00
|
|
|
l := NewTestLogger()
|
|
|
|
|
c := NewConfig(l)
|
Add lighthouse.{remoteAllowList,localAllowList} (#217)
These settings make it possible to blacklist / whitelist IP addresses
that are used for remote connections.
`lighthouse.remoteAllowList` filters which remote IPs are allow when
fetching from the lighthouse (or, if you are the lighthouse, which IPs
you store and forward to querying hosts). By default, any remote IPs are
allowed. You can provide CIDRs here with `true` to allow and `false` to
deny. The most specific CIDR rule applies to each remote. If all rules
are "allow", the default will be "deny", and vice-versa. If both "allow"
and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0"
as the default.
lighthouse:
remoteAllowList:
# Example to block IPs from this subnet from being used for remote IPs.
"172.16.0.0/12": false
# A more complicated example, allow public IPs but only private IPs from a specific subnet
"0.0.0.0/0": true
"10.0.0.0/8": false
"10.42.42.0/24": true
`lighthouse.localAllowList` has the same logic as above, but it applies
to the local addresses we advertise to the lighthouse. Additionally, you
can specify an `interfaces` map of regular expressions to match against
interface names. The regexp must match the entire name. All interface
rules must be either true or false (and the default rule will be the
inverse). CIDR rules are matched after interface name rules.
Default is all local IP addresses.
lighthouse:
localAllowList:
# Example to blacklist docker interfaces.
interfaces:
'docker.*': false
# Example to only advertise IPs in this subnet to the lighthouse.
"10.0.0.0/8": true
2020-04-08 21:36:43 +02:00
|
|
|
c.Settings["allowlist"] = map[interface{}]interface{}{
|
|
|
|
|
"192.168.0.0": true,
|
|
|
|
|
}
|
|
|
|
|
r, err := c.GetAllowList("allowlist", false)
|
|
|
|
|
assert.EqualError(t, err, "config `allowlist` has invalid CIDR: 192.168.0.0")
|
|
|
|
|
assert.Nil(t, r)
|
|
|
|
|
|
|
|
|
|
c.Settings["allowlist"] = map[interface{}]interface{}{
|
|
|
|
|
"192.168.0.0/16": "abc",
|
|
|
|
|
}
|
|
|
|
|
r, err = c.GetAllowList("allowlist", false)
|
|
|
|
|
assert.EqualError(t, err, "config `allowlist` has invalid value (type string): abc")
|
|
|
|
|
|
|
|
|
|
c.Settings["allowlist"] = map[interface{}]interface{}{
|
|
|
|
|
"192.168.0.0/16": true,
|
|
|
|
|
"10.0.0.0/8": false,
|
|
|
|
|
}
|
|
|
|
|
r, err = c.GetAllowList("allowlist", false)
|
|
|
|
|
assert.EqualError(t, err, "config `allowlist` contains both true and false rules, but no default set for 0.0.0.0/0")
|
|
|
|
|
|
2021-03-19 02:37:24 +01:00
|
|
|
c.Settings["allowlist"] = map[interface{}]interface{}{
|
|
|
|
|
"0.0.0.0/0": true,
|
|
|
|
|
"10.0.0.0/8": false,
|
|
|
|
|
"10.42.42.0/24": true,
|
|
|
|
|
"fd00::/8": true,
|
|
|
|
|
"fd00:fd00::/16": false,
|
|
|
|
|
}
|
|
|
|
|
r, err = c.GetAllowList("allowlist", false)
|
|
|
|
|
assert.EqualError(t, err, "config `allowlist` contains both true and false rules, but no default set for ::/0")
|
|
|
|
|
|
Add lighthouse.{remoteAllowList,localAllowList} (#217)
These settings make it possible to blacklist / whitelist IP addresses
that are used for remote connections.
`lighthouse.remoteAllowList` filters which remote IPs are allow when
fetching from the lighthouse (or, if you are the lighthouse, which IPs
you store and forward to querying hosts). By default, any remote IPs are
allowed. You can provide CIDRs here with `true` to allow and `false` to
deny. The most specific CIDR rule applies to each remote. If all rules
are "allow", the default will be "deny", and vice-versa. If both "allow"
and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0"
as the default.
lighthouse:
remoteAllowList:
# Example to block IPs from this subnet from being used for remote IPs.
"172.16.0.0/12": false
# A more complicated example, allow public IPs but only private IPs from a specific subnet
"0.0.0.0/0": true
"10.0.0.0/8": false
"10.42.42.0/24": true
`lighthouse.localAllowList` has the same logic as above, but it applies
to the local addresses we advertise to the lighthouse. Additionally, you
can specify an `interfaces` map of regular expressions to match against
interface names. The regexp must match the entire name. All interface
rules must be either true or false (and the default rule will be the
inverse). CIDR rules are matched after interface name rules.
Default is all local IP addresses.
lighthouse:
localAllowList:
# Example to blacklist docker interfaces.
interfaces:
'docker.*': false
# Example to only advertise IPs in this subnet to the lighthouse.
"10.0.0.0/8": true
2020-04-08 21:36:43 +02:00
|
|
|
c.Settings["allowlist"] = map[interface{}]interface{}{
|
|
|
|
|
"0.0.0.0/0": true,
|
|
|
|
|
"10.0.0.0/8": false,
|
|
|
|
|
"10.42.42.0/24": true,
|
|
|
|
|
}
|
|
|
|
|
r, err = c.GetAllowList("allowlist", false)
|
|
|
|
|
if assert.NoError(t, err) {
|
|
|
|
|
assert.NotNil(t, r)
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-19 02:37:24 +01:00
|
|
|
c.Settings["allowlist"] = map[interface{}]interface{}{
|
|
|
|
|
"0.0.0.0/0": true,
|
|
|
|
|
"10.0.0.0/8": false,
|
|
|
|
|
"10.42.42.0/24": true,
|
|
|
|
|
"::/0": false,
|
|
|
|
|
"fd00::/8": true,
|
|
|
|
|
"fd00:fd00::/16": false,
|
|
|
|
|
}
|
|
|
|
|
r, err = c.GetAllowList("allowlist", false)
|
|
|
|
|
if assert.NoError(t, err) {
|
|
|
|
|
assert.NotNil(t, r)
|
|
|
|
|
}
|
|
|
|
|
|
Add lighthouse.{remoteAllowList,localAllowList} (#217)
These settings make it possible to blacklist / whitelist IP addresses
that are used for remote connections.
`lighthouse.remoteAllowList` filters which remote IPs are allow when
fetching from the lighthouse (or, if you are the lighthouse, which IPs
you store and forward to querying hosts). By default, any remote IPs are
allowed. You can provide CIDRs here with `true` to allow and `false` to
deny. The most specific CIDR rule applies to each remote. If all rules
are "allow", the default will be "deny", and vice-versa. If both "allow"
and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0"
as the default.
lighthouse:
remoteAllowList:
# Example to block IPs from this subnet from being used for remote IPs.
"172.16.0.0/12": false
# A more complicated example, allow public IPs but only private IPs from a specific subnet
"0.0.0.0/0": true
"10.0.0.0/8": false
"10.42.42.0/24": true
`lighthouse.localAllowList` has the same logic as above, but it applies
to the local addresses we advertise to the lighthouse. Additionally, you
can specify an `interfaces` map of regular expressions to match against
interface names. The regexp must match the entire name. All interface
rules must be either true or false (and the default rule will be the
inverse). CIDR rules are matched after interface name rules.
Default is all local IP addresses.
lighthouse:
localAllowList:
# Example to blacklist docker interfaces.
interfaces:
'docker.*': false
# Example to only advertise IPs in this subnet to the lighthouse.
"10.0.0.0/8": true
2020-04-08 21:36:43 +02:00
|
|
|
// Test interface names
|
|
|
|
|
|
|
|
|
|
c.Settings["allowlist"] = map[interface{}]interface{}{
|
|
|
|
|
"interfaces": map[interface{}]interface{}{
|
|
|
|
|
`docker.*`: false,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
r, err = c.GetAllowList("allowlist", false)
|
|
|
|
|
assert.EqualError(t, err, "config `allowlist` does not support `interfaces`")
|
|
|
|
|
|
|
|
|
|
c.Settings["allowlist"] = map[interface{}]interface{}{
|
|
|
|
|
"interfaces": map[interface{}]interface{}{
|
|
|
|
|
`docker.*`: "foo",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
r, err = c.GetAllowList("allowlist", true)
|
|
|
|
|
assert.EqualError(t, err, "config `allowlist.interfaces` has invalid value (type string): foo")
|
|
|
|
|
|
|
|
|
|
c.Settings["allowlist"] = map[interface{}]interface{}{
|
|
|
|
|
"interfaces": map[interface{}]interface{}{
|
|
|
|
|
`docker.*`: false,
|
|
|
|
|
`eth.*`: true,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
r, err = c.GetAllowList("allowlist", true)
|
|
|
|
|
assert.EqualError(t, err, "config `allowlist.interfaces` values must all be the same true/false value")
|
|
|
|
|
|
|
|
|
|
c.Settings["allowlist"] = map[interface{}]interface{}{
|
|
|
|
|
"interfaces": map[interface{}]interface{}{
|
|
|
|
|
`docker.*`: false,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
r, err = c.GetAllowList("allowlist", true)
|
|
|
|
|
if assert.NoError(t, err) {
|
|
|
|
|
assert.NotNil(t, r)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-19 18:00:20 +01:00
|
|
|
func TestConfig_HasChanged(t *testing.T) {
|
2021-03-26 15:46:30 +01:00
|
|
|
l := NewTestLogger()
|
2019-11-19 18:00:20 +01:00
|
|
|
// No reload has occurred, return false
|
2021-03-26 15:46:30 +01:00
|
|
|
c := NewConfig(l)
|
2019-11-19 18:00:20 +01:00
|
|
|
c.Settings["test"] = "hi"
|
|
|
|
|
assert.False(t, c.HasChanged(""))
|
|
|
|
|
|
|
|
|
|
// Test key change
|
2021-03-26 15:46:30 +01:00
|
|
|
c = NewConfig(l)
|
2019-11-19 18:00:20 +01:00
|
|
|
c.Settings["test"] = "hi"
|
|
|
|
|
c.oldSettings = map[interface{}]interface{}{"test": "no"}
|
|
|
|
|
assert.True(t, c.HasChanged("test"))
|
|
|
|
|
assert.True(t, c.HasChanged(""))
|
|
|
|
|
|
|
|
|
|
// No key change
|
2021-03-26 15:46:30 +01:00
|
|
|
c = NewConfig(l)
|
2019-11-19 18:00:20 +01:00
|
|
|
c.Settings["test"] = "hi"
|
|
|
|
|
c.oldSettings = map[interface{}]interface{}{"test": "hi"}
|
|
|
|
|
assert.False(t, c.HasChanged("test"))
|
|
|
|
|
assert.False(t, c.HasChanged(""))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestConfig_ReloadConfig(t *testing.T) {
|
2021-03-26 15:46:30 +01:00
|
|
|
l := NewTestLogger()
|
2019-11-19 18:00:20 +01:00
|
|
|
done := make(chan bool, 1)
|
|
|
|
|
dir, err := ioutil.TempDir("", "config-test")
|
|
|
|
|
assert.Nil(t, err)
|
|
|
|
|
ioutil.WriteFile(filepath.Join(dir, "01.yaml"), []byte("outer:\n inner: hi"), 0644)
|
|
|
|
|
|
2021-03-26 15:46:30 +01:00
|
|
|
c := NewConfig(l)
|
2019-11-19 18:00:20 +01:00
|
|
|
assert.Nil(t, c.Load(dir))
|
|
|
|
|
|
|
|
|
|
assert.False(t, c.HasChanged("outer.inner"))
|
|
|
|
|
assert.False(t, c.HasChanged("outer"))
|
|
|
|
|
assert.False(t, c.HasChanged(""))
|
|
|
|
|
|
|
|
|
|
ioutil.WriteFile(filepath.Join(dir, "01.yaml"), []byte("outer:\n inner: ho"), 0644)
|
|
|
|
|
|
|
|
|
|
c.RegisterReloadCallback(func(c *Config) {
|
|
|
|
|
done <- true
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
c.ReloadConfig()
|
|
|
|
|
assert.True(t, c.HasChanged("outer.inner"))
|
|
|
|
|
assert.True(t, c.HasChanged("outer"))
|
|
|
|
|
assert.True(t, c.HasChanged(""))
|
|
|
|
|
|
|
|
|
|
// Make sure we call the callbacks
|
|
|
|
|
select {
|
|
|
|
|
case <-done:
|
|
|
|
|
case <-time.After(1 * time.Second):
|
|
|
|
|
panic("timeout")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|