mirror of
https://github.com/netbirdio/netbird.git
synced 2026-04-25 02:42:08 -04:00
Compare commits
2 Commits
coderabbit
...
fix/sessio
| Author | SHA1 | Date | |
|---|---|---|---|
|
a53cc20752 | ||
|
|
db4865acb7 |
@@ -135,7 +135,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
|
||||
mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
@@ -1671,7 +1671,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
|
||||
if err != nil {
|
||||
return nil, "", err
|
||||
}
|
||||
mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
|
||||
mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
|
||||
if err != nil {
|
||||
return nil, "", err
|
||||
}
|
||||
|
||||
@@ -1,125 +0,0 @@
|
||||
//go:build darwin && !ios
|
||||
|
||||
package systemops
|
||||
|
||||
import (
|
||||
"net/netip"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
nbnet "github.com/netbirdio/netbird/client/net"
|
||||
)
|
||||
|
||||
// TestAfOf verifies that afOf returns the correct string for each address family.
|
||||
func TestAfOf(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
addr netip.Addr
|
||||
want string
|
||||
}{
|
||||
{
|
||||
name: "IPv4 unspecified",
|
||||
addr: netip.IPv4Unspecified(),
|
||||
want: "IPv4",
|
||||
},
|
||||
{
|
||||
name: "IPv4 private",
|
||||
addr: netip.MustParseAddr("10.0.0.1"),
|
||||
want: "IPv4",
|
||||
},
|
||||
{
|
||||
name: "IPv4 loopback",
|
||||
addr: netip.MustParseAddr("127.0.0.1"),
|
||||
want: "IPv4",
|
||||
},
|
||||
{
|
||||
name: "IPv6 unspecified",
|
||||
addr: netip.IPv6Unspecified(),
|
||||
want: "IPv6",
|
||||
},
|
||||
{
|
||||
name: "IPv6 loopback",
|
||||
addr: netip.MustParseAddr("::1"),
|
||||
want: "IPv6",
|
||||
},
|
||||
{
|
||||
name: "IPv6 unicast",
|
||||
addr: netip.MustParseAddr("2001:db8::1"),
|
||||
want: "IPv6",
|
||||
},
|
||||
{
|
||||
name: "IPv6 link-local",
|
||||
addr: netip.MustParseAddr("fe80::1"),
|
||||
want: "IPv6",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
assert.Equal(t, tt.want, afOf(tt.addr))
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestIsAddrRouted_AdvancedRoutingBypassesTunnelLookup verifies that when
|
||||
// AdvancedRouting is active, IsAddrRouted immediately returns (false, zero)
|
||||
// regardless of the provided vpn routes, because the WG socket is bound to
|
||||
// the physical interface via IP_BOUND_IF and bypasses the main routing table.
|
||||
func TestIsAddrRouted_AdvancedRoutingBypassesTunnelLookup(t *testing.T) {
|
||||
// On darwin, AdvancedRouting returns true unless overridden.
|
||||
// Ensure we reset the state after the test.
|
||||
t.Setenv("NB_USE_LEGACY_ROUTING", "false")
|
||||
t.Setenv("NB_USE_NETSTACK_MODE", "false")
|
||||
nbnet.Init()
|
||||
|
||||
require.True(t, nbnet.AdvancedRouting(), "test requires advanced routing to be active on darwin")
|
||||
|
||||
vpnRoutes := []netip.Prefix{
|
||||
netip.MustParsePrefix("10.0.0.0/8"),
|
||||
netip.MustParsePrefix("192.168.1.0/24"),
|
||||
netip.MustParsePrefix("0.0.0.0/0"),
|
||||
}
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
addr netip.Addr
|
||||
}{
|
||||
{"IPv4 in VPN route", netip.MustParseAddr("10.0.0.1")},
|
||||
{"IPv4 in narrow VPN route", netip.MustParseAddr("192.168.1.100")},
|
||||
{"IPv4 default route covered", netip.MustParseAddr("8.8.8.8")},
|
||||
{"IPv6 in VPN route", netip.MustParseAddr("2001:db8::1")},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
routed, prefix := IsAddrRouted(tt.addr, vpnRoutes)
|
||||
assert.False(t, routed, "should not be marked as routed via VPN when advanced routing is active")
|
||||
assert.Equal(t, netip.Prefix{}, prefix, "matched prefix should be zero when advanced routing is active")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestIsAddrRouted_LegacyModeFallsThroughToTable verifies that when
|
||||
// NB_USE_LEGACY_ROUTING=true disables advanced routing, IsAddrRouted
|
||||
// performs the normal VPN-route vs local-route comparison.
|
||||
func TestIsAddrRouted_LegacyModeFallsThroughToTable(t *testing.T) {
|
||||
t.Setenv("NB_USE_LEGACY_ROUTING", "true")
|
||||
nbnet.Init()
|
||||
|
||||
require.False(t, nbnet.AdvancedRouting(), "test requires advanced routing to be disabled")
|
||||
|
||||
// Use an address that is very unlikely to exist in the host routing table
|
||||
// as a local route, so the VPN route wins.
|
||||
vpnRoutes := []netip.Prefix{
|
||||
netip.MustParsePrefix("198.51.100.0/24"), // TEST-NET-2 – not in normal routing tables
|
||||
}
|
||||
|
||||
addr := netip.MustParseAddr("198.51.100.1")
|
||||
routed, _ := IsAddrRouted(addr, vpnRoutes)
|
||||
// We cannot assert a specific outcome because it depends on the host's
|
||||
// routing table, but we CAN assert that the call did not panic and returned
|
||||
// a consistent pair.
|
||||
_ = routed
|
||||
}
|
||||
@@ -1,140 +0,0 @@
|
||||
//go:build !android && !ios
|
||||
|
||||
package systemops
|
||||
|
||||
import (
|
||||
"net/netip"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
||||
nbnet "github.com/netbirdio/netbird/client/net"
|
||||
)
|
||||
|
||||
// withLegacyRouting forcibly puts the nbnet package into legacy (non-advanced)
|
||||
// routing mode for the duration of the test, then restores the previous value.
|
||||
func withLegacyRouting(t *testing.T) {
|
||||
t.Helper()
|
||||
t.Setenv("NB_USE_LEGACY_ROUTING", "true")
|
||||
t.Setenv("NB_USE_NETSTACK_MODE", "false")
|
||||
nbnet.Init()
|
||||
t.Cleanup(func() {
|
||||
// After the test, re-initialise with no overrides so that subsequent
|
||||
// tests start with a clean state.
|
||||
nbnet.Init()
|
||||
})
|
||||
}
|
||||
|
||||
// withAdvancedRouting attempts to enable advanced routing for the test.
|
||||
// On platforms where Init() cannot produce AdvancedRouting()=true (e.g. Linux
|
||||
// without root), the calling test is skipped.
|
||||
func withAdvancedRouting(t *testing.T) {
|
||||
t.Helper()
|
||||
t.Setenv("NB_USE_LEGACY_ROUTING", "false")
|
||||
t.Setenv("NB_USE_NETSTACK_MODE", "false")
|
||||
nbnet.Init()
|
||||
t.Cleanup(func() {
|
||||
nbnet.Init()
|
||||
})
|
||||
if !nbnet.AdvancedRouting() {
|
||||
t.Skip("advanced routing not available in this environment (need root or darwin)")
|
||||
}
|
||||
}
|
||||
|
||||
// TestIsAddrRouted_AdvancedRoutingShortCircuit verifies that when
|
||||
// AdvancedRouting() returns true, IsAddrRouted immediately returns
|
||||
// (false, zero prefix) regardless of any VPN routes, because the WG socket is
|
||||
// bound directly to the physical interface and bypasses the kernel routing table.
|
||||
func TestIsAddrRouted_AdvancedRoutingShortCircuit(t *testing.T) {
|
||||
withAdvancedRouting(t)
|
||||
|
||||
vpnRoutes := []netip.Prefix{
|
||||
netip.MustParsePrefix("10.0.0.0/8"),
|
||||
netip.MustParsePrefix("192.168.0.0/16"),
|
||||
netip.MustParsePrefix("0.0.0.0/0"),
|
||||
netip.MustParsePrefix("::/0"),
|
||||
}
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
addr string
|
||||
}{
|
||||
{"IPv4 matched by 10/8", "10.0.0.1"},
|
||||
{"IPv4 matched by 192.168/16", "192.168.1.1"},
|
||||
{"IPv4 caught by default", "8.8.8.8"},
|
||||
{"IPv6 caught by default", "2001:db8::1"},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
addr := netip.MustParseAddr(tt.addr)
|
||||
routed, prefix := IsAddrRouted(addr, vpnRoutes)
|
||||
assert.False(t, routed, "advanced routing must short-circuit VPN route check")
|
||||
assert.Equal(t, netip.Prefix{}, prefix, "returned prefix must be zero under advanced routing")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestIsAddrRouted_AdvancedRouting_EmptyRoutes verifies the short-circuit with
|
||||
// an empty vpnRoutes slice — the result must still be (false, zero).
|
||||
func TestIsAddrRouted_AdvancedRouting_EmptyRoutes(t *testing.T) {
|
||||
withAdvancedRouting(t)
|
||||
|
||||
routed, prefix := IsAddrRouted(netip.MustParseAddr("10.0.0.1"), nil)
|
||||
assert.False(t, routed)
|
||||
assert.Equal(t, netip.Prefix{}, prefix)
|
||||
}
|
||||
|
||||
// TestIsAddrRouted_LegacyMode_NonVPNAddress verifies that under legacy routing
|
||||
// an address that is not covered by any VPN prefix returns false.
|
||||
func TestIsAddrRouted_LegacyMode_NonVPNAddress(t *testing.T) {
|
||||
withLegacyRouting(t)
|
||||
|
||||
// 198.51.100.x (TEST-NET-2) is not normally in any routing table.
|
||||
vpnRoutes := []netip.Prefix{
|
||||
netip.MustParsePrefix("10.0.0.0/8"),
|
||||
}
|
||||
|
||||
addr := netip.MustParseAddr("198.51.100.1")
|
||||
routed, _ := IsAddrRouted(addr, vpnRoutes)
|
||||
assert.False(t, routed, "address not in VPN routes should not be marked as VPN-routed")
|
||||
}
|
||||
|
||||
// TestIsAddrRouted_LegacyMode_EmptyVPNRoutes verifies that an empty vpnRoutes
|
||||
// slice always yields (false, zero prefix) even under legacy routing.
|
||||
func TestIsAddrRouted_LegacyMode_EmptyVPNRoutes(t *testing.T) {
|
||||
withLegacyRouting(t)
|
||||
|
||||
routed, prefix := IsAddrRouted(netip.MustParseAddr("10.0.0.1"), nil)
|
||||
assert.False(t, routed)
|
||||
assert.Equal(t, netip.Prefix{}, prefix)
|
||||
}
|
||||
|
||||
// TestIsAddrRouted_AdvancedVsLegacy_ContrastiveBehaviour documents the
|
||||
// contract difference between the two modes: with a VPN default route and an
|
||||
// address that matches it, legacy mode may mark it as VPN-routed while advanced
|
||||
// mode must never do so.
|
||||
func TestIsAddrRouted_AdvancedVsLegacy_ContrastiveBehaviour(t *testing.T) {
|
||||
vpnRoutes := []netip.Prefix{
|
||||
netip.MustParsePrefix("0.0.0.0/0"),
|
||||
}
|
||||
addr := netip.MustParseAddr("8.8.8.8")
|
||||
|
||||
// --- advanced routing: must always return false ---
|
||||
t.Run("advanced routing", func(t *testing.T) {
|
||||
withAdvancedRouting(t)
|
||||
routed, prefix := IsAddrRouted(addr, vpnRoutes)
|
||||
assert.False(t, routed, "advanced routing must bypass VPN route lookup")
|
||||
assert.Equal(t, netip.Prefix{}, prefix)
|
||||
})
|
||||
|
||||
// --- legacy routing: delegates to kernel table check, does not panic ---
|
||||
t.Run("legacy routing", func(t *testing.T) {
|
||||
withLegacyRouting(t)
|
||||
// We don't assert true/false here because it depends on the host
|
||||
// routing table, but the call must not panic and must return
|
||||
// a valid (bool, prefix) pair.
|
||||
routed, prefix := IsAddrRouted(addr, vpnRoutes)
|
||||
t.Logf("legacy IsAddrRouted(%s, %v) = (%v, %v)", addr, vpnRoutes, routed, prefix)
|
||||
})
|
||||
}
|
||||
@@ -1,121 +0,0 @@
|
||||
//go:build (darwin && !ios) || windows
|
||||
|
||||
package net
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
// resetAdvancedRoutingState resets the package-level advancedRoutingSupported variable
|
||||
// and cleans up after the test.
|
||||
func resetAdvancedRoutingState(t *testing.T) {
|
||||
t.Helper()
|
||||
orig := advancedRoutingSupported
|
||||
t.Cleanup(func() { advancedRoutingSupported = orig })
|
||||
}
|
||||
|
||||
// TestCheckAdvancedRoutingSupport_LegacyRoutingTrue verifies that setting
|
||||
// NB_USE_LEGACY_ROUTING=true disables advanced routing.
|
||||
func TestCheckAdvancedRoutingSupport_LegacyRoutingTrue(t *testing.T) {
|
||||
t.Setenv(envUseLegacyRouting, "true")
|
||||
assert.False(t, checkAdvancedRoutingSupport())
|
||||
}
|
||||
|
||||
// TestCheckAdvancedRoutingSupport_LegacyRoutingFalse verifies that
|
||||
// NB_USE_LEGACY_ROUTING=false still allows advanced routing when netstack is off.
|
||||
func TestCheckAdvancedRoutingSupport_LegacyRoutingFalse(t *testing.T) {
|
||||
t.Setenv(envUseLegacyRouting, "false")
|
||||
t.Setenv("NB_USE_NETSTACK_MODE", "false")
|
||||
assert.True(t, checkAdvancedRoutingSupport())
|
||||
}
|
||||
|
||||
// TestCheckAdvancedRoutingSupport_LegacyRoutingInvalid verifies that an invalid
|
||||
// value for NB_USE_LEGACY_ROUTING is ignored (treated as false), so advanced
|
||||
// routing remains enabled when netstack is off.
|
||||
func TestCheckAdvancedRoutingSupport_LegacyRoutingInvalid(t *testing.T) {
|
||||
t.Setenv(envUseLegacyRouting, "notabool")
|
||||
t.Setenv("NB_USE_NETSTACK_MODE", "false")
|
||||
// The invalid value is ignored; the default (false) is kept, so advanced routing
|
||||
// is not suppressed by the legacy-routing flag.
|
||||
assert.True(t, checkAdvancedRoutingSupport())
|
||||
}
|
||||
|
||||
// TestCheckAdvancedRoutingSupport_NetstackEnabled verifies that netstack mode
|
||||
// disables advanced routing.
|
||||
func TestCheckAdvancedRoutingSupport_NetstackEnabled(t *testing.T) {
|
||||
t.Setenv(envUseLegacyRouting, "false")
|
||||
t.Setenv("NB_USE_NETSTACK_MODE", "true")
|
||||
assert.False(t, checkAdvancedRoutingSupport())
|
||||
}
|
||||
|
||||
// TestCheckAdvancedRoutingSupport_NoEnvVars verifies that with no env overrides
|
||||
// advanced routing is supported (the happy path).
|
||||
func TestCheckAdvancedRoutingSupport_NoEnvVars(t *testing.T) {
|
||||
// Unset both controlling variables so we hit the default path.
|
||||
t.Setenv(envUseLegacyRouting, "")
|
||||
t.Setenv("NB_USE_NETSTACK_MODE", "false")
|
||||
assert.True(t, checkAdvancedRoutingSupport())
|
||||
}
|
||||
|
||||
// TestCheckAdvancedRoutingSupport_LegacyRoutingEmptyString verifies that an
|
||||
// empty NB_USE_LEGACY_ROUTING is treated as "not set" and does not disable
|
||||
// advanced routing.
|
||||
func TestCheckAdvancedRoutingSupport_LegacyRoutingEmptyString(t *testing.T) {
|
||||
t.Setenv(envUseLegacyRouting, "")
|
||||
t.Setenv("NB_USE_NETSTACK_MODE", "false")
|
||||
assert.True(t, checkAdvancedRoutingSupport())
|
||||
}
|
||||
|
||||
// TestAdvancedRouting_ReflectsInit verifies that after calling Init() with
|
||||
// NB_USE_LEGACY_ROUTING=true, AdvancedRouting() returns false.
|
||||
func TestAdvancedRouting_ReflectsInit(t *testing.T) {
|
||||
resetAdvancedRoutingState(t)
|
||||
|
||||
t.Setenv(envUseLegacyRouting, "true")
|
||||
Init()
|
||||
|
||||
assert.False(t, AdvancedRouting(), "AdvancedRouting should return false after Init with legacy routing")
|
||||
}
|
||||
|
||||
// TestAdvancedRouting_ReflectsInit_Advanced verifies that after calling Init()
|
||||
// without legacy overrides, AdvancedRouting() returns true.
|
||||
func TestAdvancedRouting_ReflectsInit_Advanced(t *testing.T) {
|
||||
resetAdvancedRoutingState(t)
|
||||
|
||||
t.Setenv(envUseLegacyRouting, "false")
|
||||
t.Setenv("NB_USE_NETSTACK_MODE", "false")
|
||||
Init()
|
||||
|
||||
assert.True(t, AdvancedRouting(), "AdvancedRouting should return true after Init without legacy overrides")
|
||||
}
|
||||
|
||||
// TestSetAndGetVPNInterfaceName verifies SetVPNInterfaceName and GetVPNInterfaceName
|
||||
// are consistent.
|
||||
func TestSetAndGetVPNInterfaceName(t *testing.T) {
|
||||
orig := GetVPNInterfaceName()
|
||||
t.Cleanup(func() { SetVPNInterfaceName(orig) })
|
||||
|
||||
SetVPNInterfaceName("utun3")
|
||||
assert.Equal(t, "utun3", GetVPNInterfaceName())
|
||||
}
|
||||
|
||||
// TestSetVPNInterfaceName_Empty verifies that setting an empty name is accepted.
|
||||
func TestSetVPNInterfaceName_Empty(t *testing.T) {
|
||||
orig := GetVPNInterfaceName()
|
||||
t.Cleanup(func() { SetVPNInterfaceName(orig) })
|
||||
|
||||
SetVPNInterfaceName("")
|
||||
assert.Equal(t, "", GetVPNInterfaceName())
|
||||
}
|
||||
|
||||
// TestSetVPNInterfaceName_OverwritesPrevious verifies that the second call wins.
|
||||
func TestSetVPNInterfaceName_OverwritesPrevious(t *testing.T) {
|
||||
orig := GetVPNInterfaceName()
|
||||
t.Cleanup(func() { SetVPNInterfaceName(orig) })
|
||||
|
||||
SetVPNInterfaceName("utun1")
|
||||
SetVPNInterfaceName("utun9")
|
||||
assert.Equal(t, "utun9", GetVPNInterfaceName())
|
||||
}
|
||||
@@ -1,39 +0,0 @@
|
||||
//go:build ios || android
|
||||
|
||||
package net
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
// TestAdvancedRouting_Mobile verifies that AdvancedRouting always returns true
|
||||
// on mobile platforms.
|
||||
func TestAdvancedRouting_Mobile(t *testing.T) {
|
||||
assert.True(t, AdvancedRouting(), "AdvancedRouting must always be true on mobile")
|
||||
}
|
||||
|
||||
// TestInit_Mobile verifies that Init is a no-op and does not panic.
|
||||
func TestInit_Mobile(t *testing.T) {
|
||||
// Should not panic.
|
||||
Init()
|
||||
// After Init, AdvancedRouting must still return true.
|
||||
assert.True(t, AdvancedRouting())
|
||||
}
|
||||
|
||||
// TestSetVPNInterfaceName_Mobile verifies that SetVPNInterfaceName is a no-op
|
||||
// and does not panic.
|
||||
func TestSetVPNInterfaceName_Mobile(t *testing.T) {
|
||||
// Should not panic for any input.
|
||||
SetVPNInterfaceName("utun0")
|
||||
SetVPNInterfaceName("")
|
||||
}
|
||||
|
||||
// TestGetVPNInterfaceName_Mobile verifies that GetVPNInterfaceName always
|
||||
// returns an empty string on mobile.
|
||||
func TestGetVPNInterfaceName_Mobile(t *testing.T) {
|
||||
// Even after a SetVPNInterfaceName call (no-op), the getter returns "".
|
||||
SetVPNInterfaceName("utun0")
|
||||
assert.Equal(t, "", GetVPNInterfaceName(), "GetVPNInterfaceName must return empty string on mobile")
|
||||
}
|
||||
@@ -1,286 +0,0 @@
|
||||
//go:build darwin && !ios
|
||||
|
||||
package net
|
||||
|
||||
import (
|
||||
"net"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
// resetBoundIfaces clears global state before each test that manipulates it.
|
||||
func resetBoundIfaces(t *testing.T) {
|
||||
t.Helper()
|
||||
ClearBoundInterfaces()
|
||||
t.Cleanup(ClearBoundInterfaces)
|
||||
}
|
||||
|
||||
// TestIsV6Network verifies the isV6Network helper correctly identifies v6 networks.
|
||||
func TestIsV6Network(t *testing.T) {
|
||||
tests := []struct {
|
||||
network string
|
||||
want bool
|
||||
}{
|
||||
{"tcp6", true},
|
||||
{"udp6", true},
|
||||
{"ip6", true},
|
||||
{"tcp", false},
|
||||
{"udp", false},
|
||||
{"tcp4", false},
|
||||
{"udp4", false},
|
||||
{"ip4", false},
|
||||
{"ip", false},
|
||||
{"", false},
|
||||
// Arbitrary suffix-6 strings
|
||||
{"unix6", true},
|
||||
{"custom6", true},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.network, func(t *testing.T) {
|
||||
assert.Equal(t, tt.want, isV6Network(tt.network))
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestSetBoundInterface_AFINET sets boundIface4 via AF_INET.
|
||||
func TestSetBoundInterface_AFINET(t *testing.T) {
|
||||
resetBoundIfaces(t)
|
||||
|
||||
iface := &net.Interface{Index: 5, Name: "en0"}
|
||||
SetBoundInterface(unix.AF_INET, iface)
|
||||
|
||||
boundIfaceMu.RLock()
|
||||
got := boundIface4
|
||||
boundIfaceMu.RUnlock()
|
||||
|
||||
require.NotNil(t, got)
|
||||
assert.Equal(t, 5, got.Index)
|
||||
assert.Equal(t, "en0", got.Name)
|
||||
}
|
||||
|
||||
// TestSetBoundInterface_AFINET6 sets boundIface6 via AF_INET6.
|
||||
func TestSetBoundInterface_AFINET6(t *testing.T) {
|
||||
resetBoundIfaces(t)
|
||||
|
||||
iface := &net.Interface{Index: 7, Name: "utun0"}
|
||||
SetBoundInterface(unix.AF_INET6, iface)
|
||||
|
||||
boundIfaceMu.RLock()
|
||||
got := boundIface6
|
||||
boundIfaceMu.RUnlock()
|
||||
|
||||
require.NotNil(t, got)
|
||||
assert.Equal(t, 7, got.Index)
|
||||
assert.Equal(t, "utun0", got.Name)
|
||||
}
|
||||
|
||||
// TestSetBoundInterface_Nil verifies nil iface is rejected without panicking.
|
||||
func TestSetBoundInterface_Nil(t *testing.T) {
|
||||
resetBoundIfaces(t)
|
||||
|
||||
// Should not panic, just log a warning and leave existing values untouched.
|
||||
iface := &net.Interface{Index: 1, Name: "en1"}
|
||||
SetBoundInterface(unix.AF_INET, iface)
|
||||
|
||||
SetBoundInterface(unix.AF_INET, nil)
|
||||
|
||||
boundIfaceMu.RLock()
|
||||
got := boundIface4
|
||||
boundIfaceMu.RUnlock()
|
||||
|
||||
// Value must be unchanged after the rejected nil write.
|
||||
require.NotNil(t, got)
|
||||
assert.Equal(t, 1, got.Index)
|
||||
}
|
||||
|
||||
// TestSetBoundInterface_UnknownAF verifies unknown address families are ignored.
|
||||
func TestSetBoundInterface_UnknownAF(t *testing.T) {
|
||||
resetBoundIfaces(t)
|
||||
|
||||
iface := &net.Interface{Index: 3, Name: "en2"}
|
||||
// Use an address family that is not AF_INET or AF_INET6.
|
||||
SetBoundInterface(99, iface)
|
||||
|
||||
boundIfaceMu.RLock()
|
||||
v4, v6 := boundIface4, boundIface6
|
||||
boundIfaceMu.RUnlock()
|
||||
|
||||
assert.Nil(t, v4, "unknown AF must not populate boundIface4")
|
||||
assert.Nil(t, v6, "unknown AF must not populate boundIface6")
|
||||
}
|
||||
|
||||
// TestClearBoundInterfaces clears both cached interfaces.
|
||||
func TestClearBoundInterfaces(t *testing.T) {
|
||||
iface4 := &net.Interface{Index: 1, Name: "en0"}
|
||||
iface6 := &net.Interface{Index: 2, Name: "en0"}
|
||||
|
||||
SetBoundInterface(unix.AF_INET, iface4)
|
||||
SetBoundInterface(unix.AF_INET6, iface6)
|
||||
|
||||
ClearBoundInterfaces()
|
||||
|
||||
boundIfaceMu.RLock()
|
||||
v4, v6 := boundIface4, boundIface6
|
||||
boundIfaceMu.RUnlock()
|
||||
|
||||
assert.Nil(t, v4, "boundIface4 must be nil after clear")
|
||||
assert.Nil(t, v6, "boundIface6 must be nil after clear")
|
||||
}
|
||||
|
||||
// TestClearBoundInterfaces_Idempotent verifies clearing twice does not panic.
|
||||
func TestClearBoundInterfaces_Idempotent(t *testing.T) {
|
||||
ClearBoundInterfaces()
|
||||
ClearBoundInterfaces()
|
||||
|
||||
boundIfaceMu.RLock()
|
||||
v4, v6 := boundIface4, boundIface6
|
||||
boundIfaceMu.RUnlock()
|
||||
|
||||
assert.Nil(t, v4)
|
||||
assert.Nil(t, v6)
|
||||
}
|
||||
|
||||
// TestBoundInterfaceFor_PreferSameFamily verifies v4 iface returned for "tcp" and
|
||||
// v6 iface returned for "tcp6" when both slots are populated.
|
||||
func TestBoundInterfaceFor_PreferSameFamily(t *testing.T) {
|
||||
resetBoundIfaces(t)
|
||||
|
||||
en0 := &net.Interface{Index: 1, Name: "en0"}
|
||||
en1 := &net.Interface{Index: 2, Name: "en1"}
|
||||
SetBoundInterface(unix.AF_INET, en0)
|
||||
SetBoundInterface(unix.AF_INET6, en1)
|
||||
|
||||
got4 := boundInterfaceFor("tcp", "1.2.3.4:80")
|
||||
require.NotNil(t, got4)
|
||||
assert.Equal(t, "en0", got4.Name, "tcp should prefer v4 interface")
|
||||
|
||||
got6 := boundInterfaceFor("tcp6", "[::1]:80")
|
||||
require.NotNil(t, got6)
|
||||
assert.Equal(t, "en1", got6.Name, "tcp6 should prefer v6 interface")
|
||||
}
|
||||
|
||||
// TestBoundInterfaceFor_FallbackToOtherFamily returns the other family's iface
|
||||
// when the preferred slot is empty.
|
||||
func TestBoundInterfaceFor_FallbackToOtherFamily(t *testing.T) {
|
||||
resetBoundIfaces(t)
|
||||
|
||||
// Only v4 populated.
|
||||
en0 := &net.Interface{Index: 1, Name: "en0"}
|
||||
SetBoundInterface(unix.AF_INET, en0)
|
||||
|
||||
// Asking for v6 should fall back to en0.
|
||||
got := boundInterfaceFor("tcp6", "[::1]:80")
|
||||
require.NotNil(t, got)
|
||||
assert.Equal(t, "en0", got.Name)
|
||||
}
|
||||
|
||||
// TestBoundInterfaceFor_BothEmpty returns nil when both slots are empty.
|
||||
func TestBoundInterfaceFor_BothEmpty(t *testing.T) {
|
||||
resetBoundIfaces(t)
|
||||
|
||||
got := boundInterfaceFor("tcp", "1.2.3.4:80")
|
||||
assert.Nil(t, got)
|
||||
|
||||
got6 := boundInterfaceFor("tcp6", "[::1]:80")
|
||||
assert.Nil(t, got6)
|
||||
}
|
||||
|
||||
// TestZoneInterface_Empty returns nil for empty address.
|
||||
func TestZoneInterface_Empty(t *testing.T) {
|
||||
iface := zoneInterface("")
|
||||
assert.Nil(t, iface)
|
||||
}
|
||||
|
||||
// TestZoneInterface_NoZone returns nil when address has no zone.
|
||||
func TestZoneInterface_NoZone(t *testing.T) {
|
||||
// Regular IPv4 address with port — no zone identifier.
|
||||
iface := zoneInterface("192.168.1.1:80")
|
||||
assert.Nil(t, iface)
|
||||
|
||||
// Regular IPv6 address with port — no zone identifier.
|
||||
iface = zoneInterface("[2001:db8::1]:80")
|
||||
assert.Nil(t, iface)
|
||||
|
||||
// Plain IPv6 address without port or zone.
|
||||
iface = zoneInterface("2001:db8::1")
|
||||
assert.Nil(t, iface)
|
||||
}
|
||||
|
||||
// TestZoneInterface_InvalidAddress returns nil for completely invalid strings.
|
||||
func TestZoneInterface_InvalidAddress(t *testing.T) {
|
||||
iface := zoneInterface("not-an-address")
|
||||
assert.Nil(t, iface)
|
||||
|
||||
iface = zoneInterface("::::")
|
||||
assert.Nil(t, iface)
|
||||
}
|
||||
|
||||
// TestZoneInterface_NonExistentZoneName returns nil for a zone name that does
|
||||
// not correspond to a real interface on the host.
|
||||
func TestZoneInterface_NonExistentZoneName(t *testing.T) {
|
||||
// Use an interface name that is very unlikely to exist.
|
||||
iface := zoneInterface("fe80::1%nonexistentiface99999")
|
||||
assert.Nil(t, iface)
|
||||
}
|
||||
|
||||
// TestZoneInterface_NonExistentZoneIndex returns nil for a zone expressed as an
|
||||
// integer index that is not in use.
|
||||
func TestZoneInterface_NonExistentZoneIndex(t *testing.T) {
|
||||
// Interface index 999999 should not exist on any test machine.
|
||||
iface := zoneInterface("fe80::1%999999")
|
||||
assert.Nil(t, iface)
|
||||
}
|
||||
|
||||
// TestBoundInterfaceFor_SetThenClear verifies that clearing state causes
|
||||
// boundInterfaceFor to return nil afterwards.
|
||||
func TestBoundInterfaceFor_SetThenClear(t *testing.T) {
|
||||
resetBoundIfaces(t)
|
||||
|
||||
en0 := &net.Interface{Index: 1, Name: "en0"}
|
||||
SetBoundInterface(unix.AF_INET, en0)
|
||||
|
||||
got := boundInterfaceFor("tcp", "1.2.3.4:80")
|
||||
require.NotNil(t, got, "should return iface while set")
|
||||
|
||||
ClearBoundInterfaces()
|
||||
|
||||
got = boundInterfaceFor("tcp", "1.2.3.4:80")
|
||||
assert.Nil(t, got, "should return nil after clear")
|
||||
}
|
||||
|
||||
// TestSetBoundInterface_OverwritesPreviousValue verifies that calling
|
||||
// SetBoundInterface again updates the stored pointer.
|
||||
func TestSetBoundInterface_OverwritesPreviousValue(t *testing.T) {
|
||||
resetBoundIfaces(t)
|
||||
|
||||
first := &net.Interface{Index: 1, Name: "en0"}
|
||||
second := &net.Interface{Index: 3, Name: "en1"}
|
||||
|
||||
SetBoundInterface(unix.AF_INET, first)
|
||||
SetBoundInterface(unix.AF_INET, second)
|
||||
|
||||
boundIfaceMu.RLock()
|
||||
got := boundIface4
|
||||
boundIfaceMu.RUnlock()
|
||||
|
||||
require.NotNil(t, got)
|
||||
assert.Equal(t, "en1", got.Name, "second call should overwrite first")
|
||||
}
|
||||
|
||||
// TestBoundInterfaceFor_OnlyV6Populated returns v6 iface for v4 network
|
||||
// when only v6 slot is filled.
|
||||
func TestBoundInterfaceFor_OnlyV6Populated(t *testing.T) {
|
||||
resetBoundIfaces(t)
|
||||
|
||||
en1 := &net.Interface{Index: 2, Name: "en1"}
|
||||
SetBoundInterface(unix.AF_INET6, en1)
|
||||
|
||||
// v4 network, v4 slot empty → should fall back to v6 slot.
|
||||
got := boundInterfaceFor("tcp", "1.2.3.4:80")
|
||||
require.NotNil(t, got)
|
||||
assert.Equal(t, "en1", got.Name)
|
||||
}
|
||||
@@ -335,7 +335,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
|
||||
if err != nil {
|
||||
return nil, "", err
|
||||
}
|
||||
mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
|
||||
mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
|
||||
if err != nil {
|
||||
return nil, "", err
|
||||
}
|
||||
|
||||
@@ -163,7 +163,7 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
|
||||
}
|
||||
|
||||
gRPCAPIHandler := grpc.NewServer(gRPCOpts...)
|
||||
srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.JobManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController(), s.OAuthConfigProvider())
|
||||
srv, err := nbgrpc.NewServer(s.Config, s.AccountManager(), s.SettingsManager(), s.JobManager(), s.SecretsManager(), s.Metrics(), s.AuthManager(), s.IntegratedValidator(), s.NetworkMapController(), s.OAuthConfigProvider(), s.SessionStore())
|
||||
if err != nil {
|
||||
log.Fatalf("failed to create management server: %v", err)
|
||||
}
|
||||
|
||||
@@ -6,6 +6,7 @@ import (
|
||||
log "github.com/sirupsen/logrus"
|
||||
|
||||
"github.com/netbirdio/management-integrations/integrations"
|
||||
|
||||
"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
|
||||
proxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy/manager"
|
||||
|
||||
@@ -66,6 +67,12 @@ func (s *BaseServer) SecretsManager() grpc.SecretsManager {
|
||||
})
|
||||
}
|
||||
|
||||
func (s *BaseServer) SessionStore() *auth.SessionStore {
|
||||
return Create(s, func() *auth.SessionStore {
|
||||
return auth.NewSessionStore(s.CacheStore())
|
||||
})
|
||||
}
|
||||
|
||||
func (s *BaseServer) AuthManager() auth.Manager {
|
||||
audiences := s.Config.GetAuthAudiences()
|
||||
audience := s.Config.HttpConfig.AuthAudience
|
||||
|
||||
@@ -14,6 +14,7 @@ import (
|
||||
"sync/atomic"
|
||||
"time"
|
||||
|
||||
jwtv5 "github.com/golang-jwt/jwt/v5"
|
||||
pb "github.com/golang/protobuf/proto" // nolint
|
||||
"github.com/golang/protobuf/ptypes/timestamp"
|
||||
"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
|
||||
@@ -67,6 +68,7 @@ type Server struct {
|
||||
appMetrics telemetry.AppMetrics
|
||||
peerLocks sync.Map
|
||||
authManager auth.Manager
|
||||
sessionStore *auth.SessionStore
|
||||
|
||||
logBlockedPeers bool
|
||||
blockPeersWithSameConfig bool
|
||||
@@ -98,6 +100,7 @@ func NewServer(
|
||||
integratedPeerValidator integrated_validator.IntegratedValidator,
|
||||
networkMapController network_map.Controller,
|
||||
oAuthConfigProvider idp.OAuthConfigProvider,
|
||||
sessionStore *auth.SessionStore,
|
||||
) (*Server, error) {
|
||||
if appMetrics != nil {
|
||||
// update gauge based on number of connected peers which is equal to open gRPC streams
|
||||
@@ -140,6 +143,7 @@ func NewServer(
|
||||
integratedPeerValidator: integratedPeerValidator,
|
||||
networkMapController: networkMapController,
|
||||
oAuthConfigProvider: oAuthConfigProvider,
|
||||
sessionStore: sessionStore,
|
||||
|
||||
loginFilter: newLoginFilter(),
|
||||
|
||||
@@ -535,7 +539,7 @@ func (s *Server) cancelPeerRoutinesWithoutLock(ctx context.Context, accountID st
|
||||
log.WithContext(ctx).Debugf("peer %s has been disconnected", peer.Key)
|
||||
}
|
||||
|
||||
func (s *Server) validateToken(ctx context.Context, jwtToken string) (string, error) {
|
||||
func (s *Server) validateToken(ctx context.Context, peerKey, jwtToken string) (string, error) {
|
||||
if s.authManager == nil {
|
||||
return "", status.Errorf(codes.Internal, "missing auth manager")
|
||||
}
|
||||
@@ -545,6 +549,10 @@ func (s *Server) validateToken(ctx context.Context, jwtToken string) (string, er
|
||||
return "", status.Errorf(codes.InvalidArgument, "invalid jwt token, err: %v", err)
|
||||
}
|
||||
|
||||
if err := s.claimLoginToken(ctx, peerKey, jwtToken, token); err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
// we need to call this method because if user is new, we will automatically add it to existing or create a new account
|
||||
accountId, _, err := s.accountManager.GetAccountIDFromUserAuth(ctx, userAuth)
|
||||
if err != nil {
|
||||
@@ -828,6 +836,31 @@ func (s *Server) prepareLoginResponse(ctx context.Context, peer *nbpeer.Peer, ne
|
||||
return loginResp, nil
|
||||
}
|
||||
|
||||
func (s *Server) claimLoginToken(ctx context.Context, peerKey, jwtToken string, token *jwtv5.Token) error {
|
||||
if s.sessionStore == nil || token == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
exp, err := token.Claims.GetExpirationTime()
|
||||
if err != nil || exp == nil {
|
||||
log.WithContext(ctx).Warnf("JWT has no usable exp claim for peer %s", peerKey)
|
||||
return status.Error(codes.Unauthenticated, "jwt token has no expiration")
|
||||
}
|
||||
|
||||
err = s.sessionStore.RegisterToken(ctx, jwtToken, exp.Time)
|
||||
if err == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
if errors.Is(err, auth.ErrTokenAlreadyUsed) || errors.Is(err, auth.ErrTokenExpired) {
|
||||
log.WithContext(ctx).Warnf("%v for peer %s", err, peerKey)
|
||||
return status.Error(codes.Unauthenticated, err.Error())
|
||||
}
|
||||
|
||||
log.WithContext(ctx).Warnf("failed to claim JWT for peer %s: %v", peerKey, err)
|
||||
return status.Error(codes.Unavailable, "failed to claim jwt token")
|
||||
}
|
||||
|
||||
// processJwtToken validates the existence of a JWT token in the login request, and returns the corresponding user ID if
|
||||
// the token is valid.
|
||||
//
|
||||
@@ -838,7 +871,7 @@ func (s *Server) processJwtToken(ctx context.Context, loginReq *proto.LoginReque
|
||||
if loginReq.GetJwtToken() != "" {
|
||||
var err error
|
||||
for i := 0; i < 3; i++ {
|
||||
userID, err = s.validateToken(ctx, loginReq.GetJwtToken())
|
||||
userID, err = s.validateToken(ctx, peerKey.String(), loginReq.GetJwtToken())
|
||||
if err == nil {
|
||||
break
|
||||
}
|
||||
|
||||
61
management/server/auth/session.go
Normal file
61
management/server/auth/session.go
Normal file
@@ -0,0 +1,61 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/eko/gocache/lib/v4/cache"
|
||||
"github.com/eko/gocache/lib/v4/store"
|
||||
)
|
||||
|
||||
const (
|
||||
usedTokenKeyPrefix = "jwt-used:"
|
||||
usedTokenMarker = "1"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrTokenAlreadyUsed = errors.New("JWT already used")
|
||||
ErrTokenExpired = errors.New("JWT expired")
|
||||
)
|
||||
|
||||
type SessionStore struct {
|
||||
cache *cache.Cache[string]
|
||||
}
|
||||
|
||||
func NewSessionStore(cacheStore store.StoreInterface) *SessionStore {
|
||||
return &SessionStore{cache: cache.New[string](cacheStore)}
|
||||
}
|
||||
|
||||
// RegisterToken records a JWT until its exp time and rejects reuse.
|
||||
func (s *SessionStore) RegisterToken(ctx context.Context, token string, expiresAt time.Time) error {
|
||||
ttl := time.Until(expiresAt)
|
||||
if ttl <= 0 {
|
||||
return ErrTokenExpired
|
||||
}
|
||||
|
||||
key := usedTokenKeyPrefix + hashToken(token)
|
||||
_, err := s.cache.Get(ctx, key)
|
||||
if err == nil {
|
||||
return ErrTokenAlreadyUsed
|
||||
}
|
||||
|
||||
var notFound *store.NotFound
|
||||
if !errors.As(err, ¬Found) {
|
||||
return fmt.Errorf("failed to lookup used token entry: %w", err)
|
||||
}
|
||||
|
||||
if err := s.cache.Set(ctx, key, usedTokenMarker, store.WithExpiration(ttl)); err != nil {
|
||||
return fmt.Errorf("failed to store used token entry: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func hashToken(token string) string {
|
||||
sum := sha256.Sum256([]byte(token))
|
||||
return hex.EncodeToString(sum[:])
|
||||
}
|
||||
82
management/server/auth/session_test.go
Normal file
82
management/server/auth/session_test.go
Normal file
@@ -0,0 +1,82 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
nbcache "github.com/netbirdio/netbird/management/server/cache"
|
||||
)
|
||||
|
||||
func newTestSessionStore(t *testing.T) *SessionStore {
|
||||
t.Helper()
|
||||
cacheStore, err := nbcache.NewStore(context.Background(), time.Hour, time.Hour, 100)
|
||||
require.NoError(t, err)
|
||||
return NewSessionStore(cacheStore)
|
||||
}
|
||||
|
||||
func TestSessionStore_FirstRegisterSucceeds(t *testing.T) {
|
||||
s := newTestSessionStore(t)
|
||||
ctx := context.Background()
|
||||
|
||||
require.NoError(t, s.RegisterToken(ctx, "token", time.Now().Add(time.Hour)))
|
||||
}
|
||||
|
||||
func TestSessionStore_RegisterSameTokenTwiceIsRejected(t *testing.T) {
|
||||
s := newTestSessionStore(t)
|
||||
ctx := context.Background()
|
||||
token := "token"
|
||||
exp := time.Now().Add(time.Hour)
|
||||
|
||||
require.NoError(t, s.RegisterToken(ctx, token, exp))
|
||||
|
||||
err := s.RegisterToken(ctx, token, exp)
|
||||
require.Error(t, err)
|
||||
assert.ErrorIs(t, err, ErrTokenAlreadyUsed)
|
||||
}
|
||||
|
||||
func TestSessionStore_RegisterDifferentTokensAreIndependent(t *testing.T) {
|
||||
s := newTestSessionStore(t)
|
||||
ctx := context.Background()
|
||||
exp := time.Now().Add(time.Hour)
|
||||
|
||||
require.NoError(t, s.RegisterToken(ctx, "tokenA", exp))
|
||||
require.NoError(t, s.RegisterToken(ctx, "tokenB", exp))
|
||||
}
|
||||
|
||||
func TestSessionStore_RegisterWithPastExpiryIsRejected(t *testing.T) {
|
||||
s := newTestSessionStore(t)
|
||||
ctx := context.Background()
|
||||
token := "token"
|
||||
|
||||
err := s.RegisterToken(ctx, token, time.Now().Add(-time.Second))
|
||||
require.Error(t, err)
|
||||
assert.ErrorIs(t, err, ErrTokenExpired)
|
||||
}
|
||||
|
||||
func TestSessionStore_EntryEvictsAtTTLAndAllowsReRegistration(t *testing.T) {
|
||||
s := newTestSessionStore(t)
|
||||
ctx := context.Background()
|
||||
token := "token"
|
||||
|
||||
require.NoError(t, s.RegisterToken(ctx, token, time.Now().Add(50*time.Millisecond)))
|
||||
|
||||
err := s.RegisterToken(ctx, token, time.Now().Add(50*time.Millisecond))
|
||||
assert.ErrorIs(t, err, ErrTokenAlreadyUsed)
|
||||
|
||||
time.Sleep(120 * time.Millisecond)
|
||||
|
||||
require.NoError(t, s.RegisterToken(ctx, token, time.Now().Add(time.Hour)))
|
||||
}
|
||||
|
||||
func TestHashToken_StableAndDoesNotLeak(t *testing.T) {
|
||||
a := hashToken("tokenA")
|
||||
b := hashToken("tokenB")
|
||||
assert.Equal(t, a, hashToken("tokenA"), "hash must be deterministic")
|
||||
assert.NotEqual(t, a, b, "different tokens must hash differently")
|
||||
assert.Len(t, a, 64, "sha256 hex must be 64 chars")
|
||||
assert.NotContains(t, a, "tokenA", "raw token must not appear in hash")
|
||||
}
|
||||
@@ -391,7 +391,7 @@ func startManagementForTest(t *testing.T, testFile string, config *config.Config
|
||||
return nil, nil, "", cleanup, err
|
||||
}
|
||||
|
||||
mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, MockIntegratedValidator{}, networkMapController, nil)
|
||||
mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, MockIntegratedValidator{}, networkMapController, nil, nil)
|
||||
if err != nil {
|
||||
return nil, nil, "", cleanup, err
|
||||
}
|
||||
|
||||
@@ -256,6 +256,7 @@ func startServer(
|
||||
server.MockIntegratedValidator{},
|
||||
networkMapController,
|
||||
nil,
|
||||
nil,
|
||||
)
|
||||
if err != nil {
|
||||
t.Fatalf("failed creating management server: %v", err)
|
||||
|
||||
@@ -138,7 +138,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, mgmt.MockIntegratedValidator{}, networkMapController, nil)
|
||||
mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user