mirror of
https://github.com/netbirdio/netbird.git
synced 2026-07-02 04:02:09 -04:00
* [client] categorize root/system-mutating tests behind a privileged build tag Tests that need root or mutate host state (nftables/iptables/DNS, TUN/WireGuard interfaces, routes, eBPF, SSH/service install) are now gated behind a //go:build privileged tag. The default `go test ./client/...` runs as a non-root user with no sudo and leaves host networking untouched; mixed files were split so pure-logic tests stay in the default suite. A self-hosting ory/dockertest/v4 harness (client/testutil/privileged) runs the privileged suite inside a --privileged --cap-add=NET_ADMIN container via `make test-privileged`; a DOCKER_CI=true guard skips the spawn when already inside the container. Added `make test-unit` for the host-safe run. * [client] add PRIV_RUN/PRIV_PKGS filters to the privileged test harness The dockertest harness now reads two optional env vars when building the in-container `go test` command: PRIV_RUN adds a -run test-name filter and PRIV_PKGS overrides the package list. Both empty reproduce the full privileged suite, so CI and `make test-privileged` behave as before. Lets a developer run a single privileged test in the container, e.g.: PRIV_RUN=TestNftablesManager PRIV_PKGS=./client/firewall/nftables/... make test-privileged * [client] fix unused-helper lint after the privileged test split Splitting privileged tests into *_privileged_test.go left their shared helpers in the untagged files, so in the default (no-tag) build they had no callers and golangci-lint flagged them as unused. Moved the privileged-only helpers into the privileged files next to their callers (generateDummyHandler; createEngine/startSignal/startManagement/getConnectedPeers/ getPeers + kaep/kasp; (*mockDaemon).setJWTToken). Annotated the shared routing-test fixtures that must stay untagged for cross-platform compilation with //nolint:unused (systemops_bsd expected* vars, ensureIPv6DefaultRoute on bsd/windows, loopbackIfaceWindows), matching the existing linux variant. * [client] fix privileged test CI failures and run the harness on macOS The host-safe unit run dropped sudo but two privileged test groups were never tagged, and the Docker privileged job silently never ran the suite: - Gate the ssh/server PrivilegeDropper command-construction tests behind the privileged tag (they require root to target a different UID); split them into executor_unix_privileged_test.go. - Tag sharedsock raw-socket tests privileged (need CAP_NET_RAW). - Fix the Docker job command: nested single quotes around the build tags closed the sh -c wrapper early, dropping the go list package set and the privileged tag, so go test ran on the empty repo root. Use double quotes. Make the self-hosting harness usable from a dev Mac: - Build it on darwin as well as linux; it only drives Docker. - Resolve the active docker context endpoint into DOCKER_HOST when the default /var/run/docker.sock is absent (Docker Desktop, Colima, OrbStack). - Rename the misspelled containerGoModache constant to containerGoModCache. * Update client/internal/engine_privileged_test.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update client/internal/routemanager/systemops/systemops_linux_test.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update client/internal/routemanager/systemops/systemops_windows_test.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Update client/server/server_privileged_test.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * [ci] Run privileged-tagged tests on darwin, windows and freebsd The privileged build tag split moved root/system-mutating tests behind //go:build privileged, but only the linux docker job was given the tag. The native darwin (sudo), windows (PsExec64 -s) and freebsd VM runners already have the required privileges, so add the privileged tag there too to keep CI running the same set of tests as before the split. * [ci] Exclude dockertest harness from the darwin privileged run The privileged tag now compiles client/testutil/privileged on darwin, whose TestRunPrivilegedSuiteInDocker spawns a container the macOS runner has no Docker for. Exclude the harness package from the darwin list, matching the linux job, so the privileged tests run in place without a container spawn. --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
165 lines
4.2 KiB
Go
165 lines
4.2 KiB
Go
package proxy
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net"
|
|
"os"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
cryptossh "golang.org/x/crypto/ssh"
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/credentials/insecure"
|
|
|
|
"github.com/netbirdio/netbird/client/proto"
|
|
nbssh "github.com/netbirdio/netbird/client/ssh"
|
|
"github.com/netbirdio/netbird/client/ssh/testutil"
|
|
)
|
|
|
|
func TestMain(m *testing.M) {
|
|
if len(os.Args) > 2 && os.Args[1] == "ssh" {
|
|
if os.Args[2] == "exec" {
|
|
if len(os.Args) > 3 {
|
|
cmd := os.Args[3]
|
|
if cmd == "echo" && len(os.Args) > 4 {
|
|
fmt.Fprintln(os.Stdout, os.Args[4])
|
|
os.Exit(0)
|
|
}
|
|
}
|
|
fmt.Fprintf(os.Stderr, "Test binary called as 'ssh exec' with args: %v - preventing infinite recursion\n", os.Args)
|
|
os.Exit(1)
|
|
}
|
|
}
|
|
|
|
code := m.Run()
|
|
|
|
testutil.CleanupTestUsers()
|
|
|
|
os.Exit(code)
|
|
}
|
|
|
|
func TestSSHProxy_verifyHostKey(t *testing.T) {
|
|
t.Run("calls daemon to verify host key", func(t *testing.T) {
|
|
mockDaemon := startMockDaemon(t)
|
|
defer mockDaemon.stop()
|
|
|
|
grpcConn, err := grpc.NewClient(mockDaemon.addr, grpc.WithTransportCredentials(insecure.NewCredentials()))
|
|
require.NoError(t, err)
|
|
defer func() { _ = grpcConn.Close() }()
|
|
|
|
proxy := &SSHProxy{
|
|
daemonAddr: mockDaemon.addr,
|
|
daemonClient: proto.NewDaemonServiceClient(grpcConn),
|
|
}
|
|
|
|
testKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
|
|
require.NoError(t, err)
|
|
testPubKey, err := nbssh.GeneratePublicKey(testKey)
|
|
require.NoError(t, err)
|
|
|
|
mockDaemon.setHostKey("test-host", testPubKey)
|
|
|
|
err = proxy.verifyHostKey("test-host", &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: 22}, mustParsePublicKey(t, testPubKey))
|
|
assert.NoError(t, err)
|
|
})
|
|
|
|
t.Run("rejects unknown host key", func(t *testing.T) {
|
|
mockDaemon := startMockDaemon(t)
|
|
defer mockDaemon.stop()
|
|
|
|
grpcConn, err := grpc.NewClient(mockDaemon.addr, grpc.WithTransportCredentials(insecure.NewCredentials()))
|
|
require.NoError(t, err)
|
|
defer func() { _ = grpcConn.Close() }()
|
|
|
|
proxy := &SSHProxy{
|
|
daemonAddr: mockDaemon.addr,
|
|
daemonClient: proto.NewDaemonServiceClient(grpcConn),
|
|
}
|
|
|
|
unknownKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
|
|
require.NoError(t, err)
|
|
unknownPubKey, err := nbssh.GeneratePublicKey(unknownKey)
|
|
require.NoError(t, err)
|
|
|
|
err = proxy.verifyHostKey("unknown-host", &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: 22}, mustParsePublicKey(t, unknownPubKey))
|
|
assert.Error(t, err)
|
|
assert.Contains(t, err.Error(), "peer unknown-host not found in network")
|
|
})
|
|
}
|
|
|
|
type mockDaemonServer struct {
|
|
proto.UnimplementedDaemonServiceServer
|
|
hostKeys map[string][]byte
|
|
jwtToken string
|
|
}
|
|
|
|
func (m *mockDaemonServer) GetPeerSSHHostKey(ctx context.Context, req *proto.GetPeerSSHHostKeyRequest) (*proto.GetPeerSSHHostKeyResponse, error) {
|
|
key, found := m.hostKeys[req.PeerAddress]
|
|
return &proto.GetPeerSSHHostKeyResponse{
|
|
Found: found,
|
|
SshHostKey: key,
|
|
}, nil
|
|
}
|
|
|
|
func (m *mockDaemonServer) RequestJWTAuth(ctx context.Context, req *proto.RequestJWTAuthRequest) (*proto.RequestJWTAuthResponse, error) {
|
|
return &proto.RequestJWTAuthResponse{
|
|
CachedToken: m.jwtToken,
|
|
}, nil
|
|
}
|
|
|
|
func (m *mockDaemonServer) WaitJWTToken(ctx context.Context, req *proto.WaitJWTTokenRequest) (*proto.WaitJWTTokenResponse, error) {
|
|
return &proto.WaitJWTTokenResponse{
|
|
Token: m.jwtToken,
|
|
}, nil
|
|
}
|
|
|
|
type mockDaemon struct {
|
|
addr string
|
|
server *grpc.Server
|
|
impl *mockDaemonServer
|
|
}
|
|
|
|
func startMockDaemon(t *testing.T) *mockDaemon {
|
|
t.Helper()
|
|
|
|
listener, err := net.Listen("tcp", "127.0.0.1:0")
|
|
require.NoError(t, err)
|
|
|
|
impl := &mockDaemonServer{
|
|
hostKeys: make(map[string][]byte),
|
|
jwtToken: "test-jwt-token",
|
|
}
|
|
|
|
grpcServer := grpc.NewServer()
|
|
proto.RegisterDaemonServiceServer(grpcServer, impl)
|
|
|
|
go func() {
|
|
_ = grpcServer.Serve(listener)
|
|
}()
|
|
|
|
return &mockDaemon{
|
|
addr: listener.Addr().String(),
|
|
server: grpcServer,
|
|
impl: impl,
|
|
}
|
|
}
|
|
|
|
func (m *mockDaemon) setHostKey(addr string, pubKey []byte) {
|
|
m.impl.hostKeys[addr] = pubKey
|
|
}
|
|
|
|
func (m *mockDaemon) stop() {
|
|
if m.server != nil {
|
|
m.server.Stop()
|
|
}
|
|
}
|
|
|
|
func mustParsePublicKey(t *testing.T, pubKeyBytes []byte) cryptossh.PublicKey {
|
|
t.Helper()
|
|
pubKey, _, _, _, err := cryptossh.ParseAuthorizedKey(pubKeyBytes)
|
|
require.NoError(t, err)
|
|
return pubKey
|
|
}
|