nebula/interface_test.go at master · Kiterepo/nebula · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
package nebula

import (
	"net/netip"
	"testing"

	"github.com/slackhq/nebula/cert"
	"github.com/slackhq/nebula/config"
	"github.com/slackhq/nebula/test"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// TestReloadFirewall_CertUnsafeNetworksChanged verifies that reloadFirewall
// rebuilds the firewall when only the certificate's UnsafeNetworks have changed,
// even if the firewall section of the YAML has not.
func TestReloadFirewall_CertUnsafeNetworksChanged(t *testing.T) {
	l := test.NewLogger()

	vpnNet := netip.MustParsePrefix("10.0.0.1/24")
	initialUnsafe := []netip.Prefix{netip.MustParsePrefix("198.51.100.0/24")}

	// dummyCert avoids dragging the real signing pipeline into a unit test.
	c1 := &dummyCert{
		version:        cert.Version2,
		networks:       []netip.Prefix{vpnNet},
		unsafeNetworks: initialUnsafe,
	}
	pki := &PKI{}
	pki.cs.Store(&CertState{v2Cert: c1, initiatingVersion: cert.Version2})

	rawYAML := `firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: any
      host: any
`
	cfg := config.NewC(l)
	require.NoError(t, cfg.LoadString(rawYAML))

	fw, err := NewFirewallFromConfig(l, pki.getCertState(), cfg)
	require.NoError(t, err)
	require.Equal(t, initialUnsafe, fw.unsafeNetworks)

	f := &Interface{
		pki:      pki,
		firewall: fw,
		l:        l,
	}

	// Swap the cert with a different UnsafeNetworks set.
	newUnsafe := []netip.Prefix{
		netip.MustParsePrefix("198.51.100.0/24"),
		netip.MustParsePrefix("203.0.113.0/24"),
	}
	c2 := &dummyCert{
		version:        cert.Version2,
		networks:       []netip.Prefix{vpnNet},
		unsafeNetworks: newUnsafe,
	}
	pki.cs.Store(&CertState{v2Cert: c2, initiatingVersion: cert.Version2})

	// Reload with the same YAML so HasChanged("firewall") reports false.
	require.NoError(t, cfg.ReloadConfigString(rawYAML))
	require.False(t, cfg.HasChanged("firewall"))

	f.reloadFirewall(cfg)

	assert.NotSame(t, fw, f.firewall, "firewall pointer should have been replaced")
	assert.Equal(t, newUnsafe, f.firewall.unsafeNetworks)
	assert.True(t, f.firewall.routableNetworks.Contains(netip.MustParseAddr("203.0.113.5")))
}

// TestReloadFirewall_NoChange verifies that reloadFirewall is a no-op when
// neither the firewall config nor the cert's UnsafeNetworks have changed.
func TestReloadFirewall_NoChange(t *testing.T) {
	l := test.NewLogger()

	vpnNet := netip.MustParsePrefix("10.0.0.1/24")
	unsafe := []netip.Prefix{netip.MustParsePrefix("198.51.100.0/24")}

	c1 := &dummyCert{
		version:        cert.Version2,
		networks:       []netip.Prefix{vpnNet},
		unsafeNetworks: unsafe,
	}
	pki := &PKI{}
	pki.cs.Store(&CertState{v2Cert: c1, initiatingVersion: cert.Version2})

	rawYAML := `firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: any
      host: any
`
	cfg := config.NewC(l)
	require.NoError(t, cfg.LoadString(rawYAML))

	fw, err := NewFirewallFromConfig(l, pki.getCertState(), cfg)
	require.NoError(t, err)

	f := &Interface{
		pki:      pki,
		firewall: fw,
		l:        l,
	}

	require.NoError(t, cfg.ReloadConfigString(rawYAML))
	f.reloadFirewall(cfg)

	assert.Same(t, fw, f.firewall, "firewall should not have been replaced")
}