首頁 探索 說明
登入
golang
/
nebula
镜像来自 https://github.com/slackhq/nebula
2
0
複刻 0
檔案 問題管理 0 Wiki
目錄樹: 0c2e5973e1
分支列表 標籤列表
nebula
/
e2e
/
handshakes_test.go

handshakes_test.go 8.1 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206 
  1. // +build e2e_testing
    2. 

  2. 

  3. package e2e
    4. 

  4. 

  5. import (
    6. 

  6. 	"net"
    7. 

  7. 	"testing"
    8. 

  8. 	"time"
    9. 

  9. 

  10. 	"github.com/slackhq/nebula/e2e/router"
    11. 

  11. )
    12. 

  12. 

  13. func TestGoodHandshake(t *testing.T) {
    14. 

  14. 	ca, _, caKey, _ := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{})
    15. 

  15. 	myControl, myVpnIp, myUdpAddr := newSimpleServer(ca, caKey, "me", net.IP{10, 0, 0, 1})
    16. 

  16. 	theirControl, theirVpnIp, theirUdpAddr := newSimpleServer(ca, caKey, "them", net.IP{10, 0, 0, 2})
    17. 

  17. 

  18. 	// Put their info in our lighthouse
    19. 

  19. 	myControl.InjectLightHouseAddr(theirVpnIp, theirUdpAddr)
    20. 

  20. 

  21. 	// Start the servers
    22. 

  22. 	myControl.Start()
    23. 

  23. 	theirControl.Start()
    24. 

  24. 

  25. 	// Send a udp packet through to begin standing up the tunnel, this should come out the other side
    26. 

  26. 	myControl.InjectTunUDPPacket(theirVpnIp, 80, 80, []byte("Hi from me"))
    27. 

  27. 

  28. 	// Have them consume my stage 0 packet. They have a tunnel now
    29. 

  29. 	theirControl.InjectUDPPacket(myControl.GetFromUDP(true))
    30. 

  30. 

  31. 	// Have me consume their stage 1 packet. I have a tunnel now
    32. 

  32. 	myControl.InjectUDPPacket(theirControl.GetFromUDP(true))
    33. 

  33. 

  34. 	// Wait until we see my cached packet come through
    35. 

  35. 	myControl.WaitForType(1, 0, theirControl)
    36. 

  36. 

  37. 	// Make sure our host infos are correct
    38. 

  38. 	assertHostInfoPair(t, myUdpAddr, theirUdpAddr, myVpnIp, theirVpnIp, myControl, theirControl)
    39. 

  39. 

  40. 	// Get that cached packet and make sure it looks right
    41. 

  41. 	myCachedPacket := theirControl.GetFromTun(true)
    42. 

  42. 	assertUdpPacket(t, []byte("Hi from me"), myCachedPacket, myVpnIp, theirVpnIp, 80, 80)
    43. 

  43. 

  44. 	// Do a bidirectional tunnel test
    45. 

  45. 	assertTunnel(t, myVpnIp, theirVpnIp, myControl, theirControl, router.NewR(myControl, theirControl))
    46. 

  46. 

  47. 	myControl.Stop()
    48. 

  48. 	theirControl.Stop()
    49. 

  49. 	//TODO: assert hostmaps
    50. 

  50. }
    51. 

  51. 

  52. func TestWrongResponderHandshake(t *testing.T) {
    53. 

  53. 	ca, _, caKey, _ := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{})
    54. 

  54. 

  55. 	myControl, myVpnIp, myUdpAddr := newSimpleServer(ca, caKey, "me", net.IP{10, 0, 0, 1})
    56. 

  56. 	theirControl, theirVpnIp, theirUdpAddr := newSimpleServer(ca, caKey, "them", net.IP{10, 0, 0, 2})
    57. 

  57. 	evilControl, evilVpnIp, evilUdpAddr := newSimpleServer(ca, caKey, "evil", net.IP{10, 0, 0, 99})
    58. 

  58. 

  59. 	// Put the evil udp addr in for their vpn Ip, this is a case of being lied to by the lighthouse
    60. 

  60. 	myControl.InjectLightHouseAddr(theirVpnIp, evilUdpAddr)
    61. 

  61. 

  62. 	// But also add their real udp addr, which should be tried after evil
    63. 

  63. 	myControl.InjectLightHouseAddr(theirVpnIp, theirUdpAddr)
    64. 

  64. 

  65. 	// Build a router so we don't have to reason who gets which packet
    66. 

  66. 	r := router.NewR(myControl, theirControl, evilControl)
    67. 

  67. 

  68. 	// Start the servers
    69. 

  69. 	myControl.Start()
    70. 

  70. 	theirControl.Start()
    71. 

  71. 	evilControl.Start()
    72. 

  72. 

  73. 	t.Log("Stand up the tunnel with evil (because the lighthouse cache is lying to us about who it is)")
    74. 

  74. 	myControl.InjectTunUDPPacket(theirVpnIp, 80, 80, []byte("Hi from me"))
    75. 

  75. 	r.OnceFrom(myControl)
    76. 

  76. 	r.OnceFrom(evilControl)
    77. 

  77. 

  78. 	t.Log("I should have a tunnel with evil now and there should not be a cached packet waiting for us")
    79. 

  79. 	assertTunnel(t, myVpnIp, evilVpnIp, myControl, evilControl, r)
    80. 

  80. 	assertHostInfoPair(t, myUdpAddr, evilUdpAddr, myVpnIp, evilVpnIp, myControl, evilControl)
    81. 

  81. 

  82. 	//TODO: Assert pending hostmap - I should have a correct hostinfo for them now
    83. 

  83. 

  84. 	t.Log("Lets let the messages fly, this time we should have a tunnel with them")
    85. 

  85. 	r.OnceFrom(myControl)
    86. 

  86. 	r.OnceFrom(theirControl)
    87. 

  87. 

  88. 	t.Log("I should now have a tunnel with them now and my original packet should get there")
    89. 

  89. 	r.RouteUntilAfterMsgType(myControl, 1, 0)
    90. 

  90. 	myCachedPacket := theirControl.GetFromTun(true)
    91. 

  91. 	assertUdpPacket(t, []byte("Hi from me"), myCachedPacket, myVpnIp, theirVpnIp, 80, 80)
    92. 

  92. 

  93. 	t.Log("I should now have a proper tunnel with them")
    94. 

  94. 	assertHostInfoPair(t, myUdpAddr, theirUdpAddr, myVpnIp, theirVpnIp, myControl, theirControl)
    95. 

  95. 	assertTunnel(t, myVpnIp, theirVpnIp, myControl, theirControl, r)
    96. 

  96. 

  97. 	t.Log("Lets make sure evil is still good")
    98. 

  98. 	assertTunnel(t, myVpnIp, evilVpnIp, myControl, evilControl, r)
    99. 

  99. 

  100. 	//TODO: assert hostmaps for everyone
    101. 

  101. 	t.Log("Success!")
    102. 

  102. 	//TODO: myControl is attempting to shut down 2 tunnels but is blocked on the udp txChan after the first close message
    103. 

  103. 	// what we really need here is a way to exit all the go routines loops (there are many)
    104. 

  104. 	//myControl.Stop()
    105. 

  105. 	//theirControl.Stop()
    106. 

  106. }
    107. 

  107. 

  108. ////TODO: We need to test lies both as the race winner and race loser
    109. 

  109. //func TestManyWrongResponderHandshake(t *testing.T) {
    110. 

  110. //	ca, _, caKey, _ := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{})
    111. 

  111. //
    112. 

  112. //	myControl, myVpnIp, myUdpAddr := newSimpleServer(ca, caKey, "me", net.IP{10, 0, 0, 99})
    113. 

  113. //	theirControl, theirVpnIp, theirUdpAddr := newSimpleServer(ca, caKey, "them", net.IP{10, 0, 0, 2})
    114. 

  114. //	evilControl, evilVpnIp, evilUdpAddr := newSimpleServer(ca, caKey, "evil", net.IP{10, 0, 0, 1})
    115. 

  115. //
    116. 

  116. //	t.Log("Build a router so we don't have to reason who gets which packet")
    117. 

  117. //	r := newRouter(myControl, theirControl, evilControl)
    118. 

  118. //
    119. 

  119. //	t.Log("Lets add more than 10 evil addresses, this exceeds the hostinfo remotes limit")
    120. 

  120. //	for i := 0; i < 10; i++ {
    121. 

  121. //		addr := net.UDPAddr{IP: evilUdpAddr.IP, Port: evilUdpAddr.Port + i}
    122. 

  122. //		myControl.InjectLightHouseAddr(theirVpnIp, &addr)
    123. 

  123. //		// We also need to tell our router about it
    124. 

  124. //		r.AddRoute(addr.IP, uint16(addr.Port), evilControl)
    125. 

  125. //	}
    126. 

  126. //
    127. 

  127. //	// Start the servers
    128. 

  128. //	myControl.Start()
    129. 

  129. //	theirControl.Start()
    130. 

  130. //	evilControl.Start()
    131. 

  131. //
    132. 

  132. //	t.Log("Stand up the tunnel with evil (because the lighthouse cache is lying to us about who it is)")
    133. 

  133. //	myControl.InjectTunUDPPacket(theirVpnIp, 80, 80, []byte("Hi from me"))
    134. 

  134. //
    135. 

  135. //	t.Log("We need to spin until we get to the right remote for them")
    136. 

  136. //	getOut := false
    137. 

  137. //	injected := false
    138. 

  138. //	for {
    139. 

  139. //		t.Log("Routing for me and evil while we work through the bad ips")
    140. 

  140. //		r.RouteExitFunc(myControl, func(packet *nebula.UdpPacket, receiver *nebula.Control) exitType {
    141. 

  141. //			// We should stop routing right after we see a packet coming from us to them
    142. 

  142. //			if *receiver == *theirControl {
    143. 

  143. //				getOut = true
    144. 

  144. //				return drainAndExit
    145. 

  145. //			}
    146. 

  146. //
    147. 

  147. //			// We need to poke our real ip in at some point, this is a well protected check looking for that moment
    148. 

  148. //			if *receiver == *evilControl {
    149. 

  149. //				hi := myControl.GetHostInfoByVpnIP(ip2int(theirVpnIp), true)
    150. 

  150. //				if !injected && len(hi.RemoteAddrs) == 1 {
    151. 

  151. //					t.Log("I am on my last ip for them, time to inject the real one into my lighthouse")
    152. 

  152. //					myControl.InjectLightHouseAddr(theirVpnIp, theirUdpAddr)
    153. 

  153. //					injected = true
    154. 

  154. //				}
    155. 

  155. //				return drainAndExit
    156. 

  156. //			}
    157. 

  157. //
    158. 

  158. //			return keepRouting
    159. 

  159. //		})
    160. 

  160. //
    161. 

  161. //		if getOut {
    162. 

  162. //			break
    163. 

  163. //		}
    164. 

  164. //
    165. 

  165. //		r.RouteForUntilAfterToAddr(evilControl, myUdpAddr, drainAndExit)
    166. 

  166. //	}
    167. 

  167. //
    168. 

  168. //	t.Log("I should have a tunnel with evil and them, evil should not have a cached packet")
    169. 

  169. //	assertTunnel(t, myVpnIp, evilVpnIp, myControl, evilControl, r)
    170. 

  170. //	evilHostInfo := myControl.GetHostInfoByVpnIP(ip2int(evilVpnIp), false)
    171. 

  171. //	realEvilUdpAddr := &net.UDPAddr{IP: evilHostInfo.CurrentRemote.IP, Port: int(evilHostInfo.CurrentRemote.Port)}
    172. 

  172. //
    173. 

  173. //	t.Log("Assert mine and evil's host pairs", evilUdpAddr, realEvilUdpAddr)
    174. 

  174. //	assertHostInfoPair(t, myUdpAddr, realEvilUdpAddr, myVpnIp, evilVpnIp, myControl, evilControl)
    175. 

  175. //
    176. 

  176. //	//t.Log("Draining everyones packets")
    177. 

  177. //	//r.Drain(theirControl)
    178. 

  178. //	//r.DrainAll(myControl, theirControl, evilControl)
    179. 

  179. //	//
    180. 

  180. //	//go func() {
    181. 

  181. //	//	for {
    182. 

  182. //	//		time.Sleep(10 * time.Millisecond)
    183. 

  183. //	//		t.Log(len(theirControl.GetUDPTxChan()))
    184. 

  184. //	//		t.Log(len(theirControl.GetTunTxChan()))
    185. 

  185. //	//		t.Log(len(myControl.GetUDPTxChan()))
    186. 

  186. //	//		t.Log(len(evilControl.GetUDPTxChan()))
    187. 

  187. //	//		t.Log("=====")
    188. 

  188. //	//	}
    189. 

  189. //	//}()
    190. 

  190. //
    191. 

  191. //	t.Log("I should have a tunnel with them now and my original packet should get there")
    192. 

  192. //	r.RouteUntilAfterMsgType(myControl, 1, 0)
    193. 

  193. //	myCachedPacket := theirControl.GetFromTun(true)
    194. 

  194. //
    195. 

  195. //	t.Log("Got the cached packet, lets test the tunnel")
    196. 

  196. //	assertUdpPacket(t, []byte("Hi from me"), myCachedPacket, myVpnIp, theirVpnIp, 80, 80)
    197. 

  197. //
    198. 

  198. //	t.Log("Testing tunnels with them")
    199. 

  199. //	assertHostInfoPair(t, myUdpAddr, theirUdpAddr, myVpnIp, theirVpnIp, myControl, theirControl)
    200. 

  200. //	assertTunnel(t, myVpnIp, theirVpnIp, myControl, theirControl, r)
    201. 

  201. //
    202. 

  202. //	t.Log("Testing tunnels with evil")
    203. 

  203. //	assertTunnel(t, myVpnIp, evilVpnIp, myControl, evilControl, r)
    204. 

  204. //
    205. 

  205. //	//TODO: assert hostmaps for everyone
    206. 

  206. //}
    207.