package nebula import ( "fmt" "net" "testing" "github.com/golang/protobuf/proto" "github.com/stretchr/testify/assert" ) //TODO: Add a test to ensure udpAddr is copied and not reused func TestOldIPv4Only(t *testing.T) { // This test ensures our new ipv6 enabled LH protobuf IpAndPorts works with the old style to enable backwards compatibility b := []byte{8, 129, 130, 132, 80, 16, 10} var m Ip4AndPort err := proto.Unmarshal(b, &m) assert.NoError(t, err) assert.Equal(t, "10.1.1.1", int2ip(m.GetIp()).String()) } func TestNewLhQuery(t *testing.T) { myIp := net.ParseIP("192.1.1.1") myIpint := ip2int(myIp) // Generating a new lh query should work a := NewLhQueryByInt(myIpint) // The result should be a nebulameta protobuf assert.IsType(t, &NebulaMeta{}, a) // It should also Marshal fine b, err := proto.Marshal(a) assert.Nil(t, err) // and then Unmarshal fine n := &NebulaMeta{} err = proto.Unmarshal(b, n) assert.Nil(t, err) } func Test_lhStaticMapping(t *testing.T) { l := NewTestLogger() lh1 := "10.128.0.2" lh1IP := net.ParseIP(lh1) udpServer, _ := NewListener(l, "0.0.0.0", 0, true) meh := NewLightHouse(l, true, &net.IPNet{IP: net.IP{0, 0, 0, 1}, Mask: net.IPMask{0, 0, 0, 0}}, []uint32{ip2int(lh1IP)}, 10, 10003, udpServer, false, 1, false) meh.AddRemote(ip2int(lh1IP), NewUDPAddr(lh1IP, uint16(4242)), true) err := meh.ValidateLHStaticEntries() assert.Nil(t, err) lh2 := "10.128.0.3" lh2IP := net.ParseIP(lh2) meh = NewLightHouse(l, true, &net.IPNet{IP: net.IP{0, 0, 0, 1}, Mask: net.IPMask{0, 0, 0, 0}}, []uint32{ip2int(lh1IP), ip2int(lh2IP)}, 10, 10003, udpServer, false, 1, false) meh.AddRemote(ip2int(lh1IP), NewUDPAddr(lh1IP, uint16(4242)), true) err = meh.ValidateLHStaticEntries() assert.EqualError(t, err, "Lighthouse 10.128.0.3 does not have a static_host_map entry") } func BenchmarkLighthouseHandleRequest(b *testing.B) { l := NewTestLogger() lh1 := "10.128.0.2" lh1IP := net.ParseIP(lh1) udpServer, _ := NewListener(l, "0.0.0.0", 0, true) lh := NewLightHouse(l, true, &net.IPNet{IP: net.IP{0, 0, 0, 1}, Mask: net.IPMask{0, 0, 0, 0}}, []uint32{ip2int(lh1IP)}, 10, 10003, udpServer, false, 1, false) hAddr := NewUDPAddrFromString("4.5.6.7:12345") hAddr2 := NewUDPAddrFromString("4.5.6.7:12346") lh.addrMap[3] = &ip4And6{v4: []*Ip4AndPort{ NewIp4AndPort(hAddr.IP, uint32(hAddr.Port)), NewIp4AndPort(hAddr2.IP, uint32(hAddr2.Port))}, } rAddr := NewUDPAddrFromString("1.2.2.3:12345") rAddr2 := NewUDPAddrFromString("1.2.2.3:12346") lh.addrMap[2] = &ip4And6{v4: []*Ip4AndPort{ NewIp4AndPort(rAddr.IP, uint32(rAddr.Port)), NewIp4AndPort(rAddr2.IP, uint32(rAddr2.Port))}, } mw := &mockEncWriter{} b.Run("notfound", func(b *testing.B) { lhh := lh.NewRequestHandler() req := &NebulaMeta{ Type: NebulaMeta_HostQuery, Details: &NebulaMetaDetails{ VpnIp: 4, Ip4AndPorts: nil, }, } p, err := proto.Marshal(req) assert.NoError(b, err) for n := 0; n < b.N; n++ { lhh.HandleRequest(rAddr, 2, p, mw) } }) b.Run("found", func(b *testing.B) { lhh := lh.NewRequestHandler() req := &NebulaMeta{ Type: NebulaMeta_HostQuery, Details: &NebulaMetaDetails{ VpnIp: 3, Ip4AndPorts: nil, }, } p, err := proto.Marshal(req) assert.NoError(b, err) for n := 0; n < b.N; n++ { lhh.HandleRequest(rAddr, 2, p, mw) } }) } func TestLighthouse_Memory(t *testing.T) { l := NewTestLogger() myUdpAddr0 := &udpAddr{IP: net.ParseIP("10.0.0.2"), Port: 4242} myUdpAddr1 := &udpAddr{IP: net.ParseIP("192.168.0.2"), Port: 4242} myUdpAddr2 := &udpAddr{IP: net.ParseIP("172.16.0.2"), Port: 4242} myUdpAddr3 := &udpAddr{IP: net.ParseIP("100.152.0.2"), Port: 4242} myUdpAddr4 := &udpAddr{IP: net.ParseIP("24.15.0.2"), Port: 4242} myUdpAddr5 := &udpAddr{IP: net.ParseIP("192.168.0.2"), Port: 4243} myUdpAddr6 := &udpAddr{IP: net.ParseIP("192.168.0.2"), Port: 4244} myUdpAddr7 := &udpAddr{IP: net.ParseIP("192.168.0.2"), Port: 4245} myUdpAddr8 := &udpAddr{IP: net.ParseIP("192.168.0.2"), Port: 4246} myUdpAddr9 := &udpAddr{IP: net.ParseIP("192.168.0.2"), Port: 4247} myUdpAddr10 := &udpAddr{IP: net.ParseIP("192.168.0.2"), Port: 4248} myUdpAddr11 := &udpAddr{IP: net.ParseIP("192.168.0.2"), Port: 4249} myVpnIp := ip2int(net.ParseIP("10.128.0.2")) theirUdpAddr0 := &udpAddr{IP: net.ParseIP("10.0.0.3"), Port: 4242} theirUdpAddr1 := &udpAddr{IP: net.ParseIP("192.168.0.3"), Port: 4242} theirUdpAddr2 := &udpAddr{IP: net.ParseIP("172.16.0.3"), Port: 4242} theirUdpAddr3 := &udpAddr{IP: net.ParseIP("100.152.0.3"), Port: 4242} theirUdpAddr4 := &udpAddr{IP: net.ParseIP("24.15.0.3"), Port: 4242} theirVpnIp := ip2int(net.ParseIP("10.128.0.3")) udpServer, _ := NewListener(l, "0.0.0.0", 0, true) lh := NewLightHouse(l, true, &net.IPNet{IP: net.IP{10, 128, 0, 1}, Mask: net.IPMask{255, 255, 255, 0}}, []uint32{}, 10, 10003, udpServer, false, 1, false) lhh := lh.NewRequestHandler() // Test that my first update responds with just that newLHHostUpdate(myUdpAddr0, myVpnIp, []*udpAddr{myUdpAddr1, myUdpAddr2}, lhh) r := newLHHostRequest(myUdpAddr0, myVpnIp, myVpnIp, lhh) assertIp4InArray(t, r.msg.Details.Ip4AndPorts, myUdpAddr1, myUdpAddr2) // Ensure we don't accumulate addresses newLHHostUpdate(myUdpAddr0, myVpnIp, []*udpAddr{myUdpAddr3}, lhh) r = newLHHostRequest(myUdpAddr0, myVpnIp, myVpnIp, lhh) assertIp4InArray(t, r.msg.Details.Ip4AndPorts, myUdpAddr3) // Grow it back to 2 newLHHostUpdate(myUdpAddr0, myVpnIp, []*udpAddr{myUdpAddr1, myUdpAddr4}, lhh) r = newLHHostRequest(myUdpAddr0, myVpnIp, myVpnIp, lhh) assertIp4InArray(t, r.msg.Details.Ip4AndPorts, myUdpAddr1, myUdpAddr4) // Update a different host newLHHostUpdate(theirUdpAddr0, theirVpnIp, []*udpAddr{theirUdpAddr1, theirUdpAddr2, theirUdpAddr3, theirUdpAddr4}, lhh) r = newLHHostRequest(theirUdpAddr0, theirVpnIp, myVpnIp, lhh) assertIp4InArray(t, r.msg.Details.Ip4AndPorts, theirUdpAddr1, theirUdpAddr2, theirUdpAddr3, theirUdpAddr4) // Make sure we didn't get changed r = newLHHostRequest(myUdpAddr0, myVpnIp, myVpnIp, lhh) assertIp4InArray(t, r.msg.Details.Ip4AndPorts, myUdpAddr1, myUdpAddr4) // Ensure proper ordering and limiting // Send 12 addrs, get 10 back, one removed on a dupe check the other by limiting newLHHostUpdate( myUdpAddr0, myVpnIp, []*udpAddr{ myUdpAddr1, myUdpAddr2, myUdpAddr3, myUdpAddr4, myUdpAddr5, myUdpAddr5, //Duplicated on purpose myUdpAddr6, myUdpAddr7, myUdpAddr8, myUdpAddr9, myUdpAddr10, myUdpAddr11, // This should get cut }, lhh) r = newLHHostRequest(myUdpAddr0, myVpnIp, myVpnIp, lhh) assertIp4InArray( t, r.msg.Details.Ip4AndPorts, myUdpAddr1, myUdpAddr2, myUdpAddr3, myUdpAddr4, myUdpAddr5, myUdpAddr6, myUdpAddr7, myUdpAddr8, myUdpAddr9, myUdpAddr10, ) // Make sure we won't add ips in our vpn network bad1 := &udpAddr{IP: net.ParseIP("10.128.0.99"), Port: 4242} bad2 := &udpAddr{IP: net.ParseIP("10.128.0.100"), Port: 4242} good := &udpAddr{IP: net.ParseIP("1.128.0.99"), Port: 4242} newLHHostUpdate(myUdpAddr0, myVpnIp, []*udpAddr{bad1, bad2, good}, lhh) r = newLHHostRequest(myUdpAddr0, myVpnIp, myVpnIp, lhh) assertIp4InArray(t, r.msg.Details.Ip4AndPorts, good) } func newLHHostRequest(fromAddr *udpAddr, myVpnIp, queryVpnIp uint32, lhh *LightHouseHandler) testLhReply { req := &NebulaMeta{ Type: NebulaMeta_HostQuery, Details: &NebulaMetaDetails{ VpnIp: queryVpnIp, }, } b, err := req.Marshal() if err != nil { panic(err) } w := &testEncWriter{} lhh.HandleRequest(fromAddr, myVpnIp, b, w) return w.lastReply } func newLHHostUpdate(fromAddr *udpAddr, vpnIp uint32, addrs []*udpAddr, lhh *LightHouseHandler) { req := &NebulaMeta{ Type: NebulaMeta_HostUpdateNotification, Details: &NebulaMetaDetails{ VpnIp: vpnIp, Ip4AndPorts: make([]*Ip4AndPort, len(addrs)), }, } for k, v := range addrs { req.Details.Ip4AndPorts[k] = &Ip4AndPort{Ip: ip2int(v.IP), Port: uint32(v.Port)} } b, err := req.Marshal() if err != nil { panic(err) } w := &testEncWriter{} lhh.HandleRequest(fromAddr, vpnIp, b, w) } func Test_lhRemoteAllowList(t *testing.T) { l := NewTestLogger() c := NewConfig(l) c.Settings["remoteallowlist"] = map[interface{}]interface{}{ "10.20.0.0/12": false, } allowList, err := c.GetAllowList("remoteallowlist", false) assert.Nil(t, err) lh1 := "10.128.0.2" lh1IP := net.ParseIP(lh1) udpServer, _ := NewListener(l, "0.0.0.0", 0, true) lh := NewLightHouse(l, true, &net.IPNet{IP: net.IP{0, 0, 0, 1}, Mask: net.IPMask{255, 255, 255, 0}}, []uint32{ip2int(lh1IP)}, 10, 10003, udpServer, false, 1, false) lh.SetRemoteAllowList(allowList) // A disallowed ip should not enter the cache but we should end up with an empty entry in the addrMap remote1IP := net.ParseIP("10.20.0.3") lh.AddRemote(ip2int(remote1IP), NewUDPAddr(remote1IP, uint16(4242)), true) assert.NotNil(t, lh.addrMap[ip2int(remote1IP)]) assert.Empty(t, lh.addrMap[ip2int(remote1IP)].v4) assert.Empty(t, lh.addrMap[ip2int(remote1IP)].v6) // Make sure a good ip enters the cache and addrMap remote2IP := net.ParseIP("10.128.0.3") remote2UDPAddr := NewUDPAddr(remote2IP, uint16(4242)) lh.AddRemote(ip2int(remote2IP), remote2UDPAddr, true) assertIp4InArray(t, lh.addrMap[ip2int(remote2IP)].learnedV4, remote2UDPAddr) // Another good ip gets into the cache, ordering is inverted remote3IP := net.ParseIP("10.128.0.4") remote3UDPAddr := NewUDPAddr(remote3IP, uint16(4243)) lh.AddRemote(ip2int(remote2IP), remote3UDPAddr, true) assertIp4InArray(t, lh.addrMap[ip2int(remote2IP)].learnedV4, remote3UDPAddr, remote2UDPAddr) // If we exceed the length limit we should only have the most recent addresses addedAddrs := []*udpAddr{} for i := 0; i < 11; i++ { remoteUDPAddr := NewUDPAddr(net.IP{10, 128, 0, 4}, uint16(4243+i)) lh.AddRemote(ip2int(remote2IP), remoteUDPAddr, true) // The first entry here is a duplicate, don't add it to the assert list if i != 0 { addedAddrs = append(addedAddrs, remoteUDPAddr) } } // We should only have the last 10 of what we tried to add assert.True(t, len(addedAddrs) >= 10, "We should have tried to add at least 10 addresses") ln := len(addedAddrs) assertIp4InArray( t, lh.addrMap[ip2int(remote2IP)].learnedV4, addedAddrs[ln-1], addedAddrs[ln-2], addedAddrs[ln-3], addedAddrs[ln-4], addedAddrs[ln-5], addedAddrs[ln-6], addedAddrs[ln-7], addedAddrs[ln-8], addedAddrs[ln-9], addedAddrs[ln-10], ) } func Test_ipMaskContains(t *testing.T) { assert.True(t, ipMaskContains(ip2int(net.ParseIP("10.0.0.1")), 32-24, ip2int(net.ParseIP("10.0.0.255")))) assert.False(t, ipMaskContains(ip2int(net.ParseIP("10.0.0.1")), 32-24, ip2int(net.ParseIP("10.0.1.1")))) assert.True(t, ipMaskContains(ip2int(net.ParseIP("10.0.0.1")), 32, ip2int(net.ParseIP("10.0.1.1")))) } type testLhReply struct { nebType NebulaMessageType nebSubType NebulaMessageSubType vpnIp uint32 msg *NebulaMeta } type testEncWriter struct { lastReply testLhReply } func (tw *testEncWriter) SendMessageToVpnIp(t NebulaMessageType, st NebulaMessageSubType, vpnIp uint32, p, _, _ []byte) { tw.lastReply = testLhReply{ nebType: t, nebSubType: st, vpnIp: vpnIp, msg: &NebulaMeta{}, } err := proto.Unmarshal(p, tw.lastReply.msg) if err != nil { panic(err) } } // assertIp4InArray asserts every address in want is at the same position in have and that the lengths match func assertIp4InArray(t *testing.T, have []*Ip4AndPort, want ...*udpAddr) { assert.Len(t, have, len(want)) for k, w := range want { if !(have[k].Ip == ip2int(w.IP) && have[k].Port == uint32(w.Port)) { assert.Fail(t, fmt.Sprintf("Response did not contain: %v:%v at %v; %v", w.IP, w.Port, k, translateV4toUdpAddr(have))) } } } func translateV4toUdpAddr(ips []*Ip4AndPort) []*udpAddr { addrs := make([]*udpAddr, len(ips)) for k, v := range ips { addrs[k] = NewUDPAddrFromLH4(v) } return addrs }