Startseite Erkunden Hilfe
Anmelden
vpn
/
nebula
Mirror von https://github.com/slackhq/nebula.git
2
0
Fork 0
Dateien Issues 0 Wiki
Struktur: 5a131b2975
Branches Tags
nebula
/
connection_manager_test.go

connection_manager_test.go 9.4 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298 
  1. package nebula
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"crypto/ed25519"
    6. 

  6. 	"crypto/rand"
    7. 

  7. 	"net"
    8. 

  8. 	"testing"
    9. 

  9. 	"time"
    10. 

  10. 

  11. 	"github.com/flynn/noise"
    12. 

  12. 	"github.com/slackhq/nebula/cert"
    13. 

  13. 	"github.com/slackhq/nebula/config"
    14. 

  14. 	"github.com/slackhq/nebula/iputil"
    15. 

  15. 	"github.com/slackhq/nebula/test"
    16. 

  16. 	"github.com/slackhq/nebula/udp"
    17. 

  17. 	"github.com/stretchr/testify/assert"
    18. 

  18. )
    19. 

  19. 

  20. var vpnIp iputil.VpnIp
    21. 

  21. 

  22. func newTestLighthouse() *LightHouse {
    23. 

  23. 	lh := &LightHouse{
    24. 

  24. 		l:       test.NewLogger(),
    25. 

  25. 		addrMap: map[iputil.VpnIp]*RemoteList{},
    26. 

  26. 	}
    27. 

  27. 	lighthouses := map[iputil.VpnIp]struct{}{}
    28. 

  28. 	staticList := map[iputil.VpnIp]struct{}{}
    29. 

  29. 

  30. 	lh.lighthouses.Store(&lighthouses)
    31. 

  31. 	lh.staticList.Store(&staticList)
    32. 

  32. 

  33. 	return lh
    34. 

  34. }
    35. 

  35. 

  36. func Test_NewConnectionManagerTest(t *testing.T) {
    37. 

  37. 	l := test.NewLogger()
    38. 

  38. 	//_, tuncidr, _ := net.ParseCIDR("1.1.1.1/24")
    39. 

  39. 	_, vpncidr, _ := net.ParseCIDR("172.1.1.1/24")
    40. 

  40. 	_, localrange, _ := net.ParseCIDR("10.1.1.1/24")
    41. 

  41. 	vpnIp = iputil.Ip2VpnIp(net.ParseIP("172.1.1.2"))
    42. 

  42. 	preferredRanges := []*net.IPNet{localrange}
    43. 

  43. 

  44. 	// Very incomplete mock objects
    45. 

  45. 	hostMap := NewHostMap(l, vpncidr, preferredRanges)
    46. 

  46. 	cs := &CertState{
    47. 

  47. 		RawCertificate:      []byte{},
    48. 

  48. 		PrivateKey:          []byte{},
    49. 

  49. 		Certificate:         &cert.NebulaCertificate{},
    50. 

  50. 		RawCertificateNoKey: []byte{},
    51. 

  51. 	}
    52. 

  52. 

  53. 	lh := newTestLighthouse()
    54. 

  54. 	ifce := &Interface{
    55. 

  55. 		hostMap:          hostMap,
    56. 

  56. 		inside:           &test.NoopTun{},
    57. 

  57. 		outside:          &udp.NoopConn{},
    58. 

  58. 		firewall:         &Firewall{},
    59. 

  59. 		lightHouse:       lh,
    60. 

  60. 		pki:              &PKI{},
    61. 

  61. 		handshakeManager: NewHandshakeManager(l, vpncidr, preferredRanges, hostMap, lh, &udp.NoopConn{}, defaultHandshakeConfig),
    62. 

  62. 		l:                l,
    63. 

  63. 	}
    64. 

  64. 	ifce.pki.cs.Store(cs)
    65. 

  65. 

  66. 	// Create manager
    67. 

  67. 	ctx, cancel := context.WithCancel(context.Background())
    68. 

  68. 	defer cancel()
    69. 

  69. 	punchy := NewPunchyFromConfig(l, config.NewC(l))
    70. 

  70. 	nc := newConnectionManager(ctx, l, ifce, 5, 10, punchy)
    71. 

  71. 	p := []byte("")
    72. 

  72. 	nb := make([]byte, 12, 12)
    73. 

  73. 	out := make([]byte, mtu)
    74. 

  74. 

  75. 	// Add an ip we have established a connection w/ to hostmap
    76. 

  76. 	hostinfo := &HostInfo{
    77. 

  77. 		vpnIp:         vpnIp,
    78. 

  78. 		localIndexId:  1099,
    79. 

  79. 		remoteIndexId: 9901,
    80. 

  80. 	}
    81. 

  81. 	hostinfo.ConnectionState = &ConnectionState{
    82. 

  82. 		certState: cs,
    83. 

  83. 		H:         &noise.HandshakeState{},
    84. 

  84. 	}
    85. 

  85. 	nc.hostMap.unlockedAddHostInfo(hostinfo, ifce)
    86. 

  86. 

  87. 	// We saw traffic out to vpnIp
    88. 

  88. 	nc.Out(hostinfo.localIndexId)
    89. 

  89. 	nc.In(hostinfo.localIndexId)
    90. 

  90. 	assert.NotContains(t, nc.pendingDeletion, hostinfo.localIndexId)
    91. 

  91. 	assert.Contains(t, nc.hostMap.Hosts, hostinfo.vpnIp)
    92. 

  92. 	assert.Contains(t, nc.hostMap.Indexes, hostinfo.localIndexId)
    93. 

  93. 	assert.Contains(t, nc.out, hostinfo.localIndexId)
    94. 

  94. 

  95. 	// Do a traffic check tick, should not be pending deletion but should not have any in/out packets recorded
    96. 

  96. 	nc.doTrafficCheck(hostinfo.localIndexId, p, nb, out, time.Now())
    97. 

  97. 	assert.NotContains(t, nc.pendingDeletion, hostinfo.localIndexId)
    98. 

  98. 	assert.NotContains(t, nc.out, hostinfo.localIndexId)
    99. 

  99. 	assert.NotContains(t, nc.in, hostinfo.localIndexId)
    100. 

  100. 

  101. 	// Do another traffic check tick, this host should be pending deletion now
    102. 

  102. 	nc.Out(hostinfo.localIndexId)
    103. 

  103. 	nc.doTrafficCheck(hostinfo.localIndexId, p, nb, out, time.Now())
    104. 

  104. 	assert.Contains(t, nc.pendingDeletion, hostinfo.localIndexId)
    105. 

  105. 	assert.NotContains(t, nc.out, hostinfo.localIndexId)
    106. 

  106. 	assert.NotContains(t, nc.in, hostinfo.localIndexId)
    107. 

  107. 	assert.Contains(t, nc.hostMap.Indexes, hostinfo.localIndexId)
    108. 

  108. 	assert.Contains(t, nc.hostMap.Hosts, hostinfo.vpnIp)
    109. 

  109. 

  110. 	// Do a final traffic check tick, the host should now be removed
    111. 

  111. 	nc.doTrafficCheck(hostinfo.localIndexId, p, nb, out, time.Now())
    112. 

  112. 	assert.NotContains(t, nc.pendingDeletion, hostinfo.localIndexId)
    113. 

  113. 	assert.NotContains(t, nc.hostMap.Hosts, hostinfo.vpnIp)
    114. 

  114. 	assert.NotContains(t, nc.hostMap.Indexes, hostinfo.localIndexId)
    115. 

  115. }
    116. 

  116. 

  117. func Test_NewConnectionManagerTest2(t *testing.T) {
    118. 

  118. 	l := test.NewLogger()
    119. 

  119. 	//_, tuncidr, _ := net.ParseCIDR("1.1.1.1/24")
    120. 

  120. 	_, vpncidr, _ := net.ParseCIDR("172.1.1.1/24")
    121. 

  121. 	_, localrange, _ := net.ParseCIDR("10.1.1.1/24")
    122. 

  122. 	preferredRanges := []*net.IPNet{localrange}
    123. 

  123. 

  124. 	// Very incomplete mock objects
    125. 

  125. 	hostMap := NewHostMap(l, vpncidr, preferredRanges)
    126. 

  126. 	cs := &CertState{
    127. 

  127. 		RawCertificate:      []byte{},
    128. 

  128. 		PrivateKey:          []byte{},
    129. 

  129. 		Certificate:         &cert.NebulaCertificate{},
    130. 

  130. 		RawCertificateNoKey: []byte{},
    131. 

  131. 	}
    132. 

  132. 

  133. 	lh := newTestLighthouse()
    134. 

  134. 	ifce := &Interface{
    135. 

  135. 		hostMap:          hostMap,
    136. 

  136. 		inside:           &test.NoopTun{},
    137. 

  137. 		outside:          &udp.NoopConn{},
    138. 

  138. 		firewall:         &Firewall{},
    139. 

  139. 		lightHouse:       lh,
    140. 

  140. 		pki:              &PKI{},
    141. 

  141. 		handshakeManager: NewHandshakeManager(l, vpncidr, preferredRanges, hostMap, lh, &udp.NoopConn{}, defaultHandshakeConfig),
    142. 

  142. 		l:                l,
    143. 

  143. 	}
    144. 

  144. 	ifce.pki.cs.Store(cs)
    145. 

  145. 

  146. 	// Create manager
    147. 

  147. 	ctx, cancel := context.WithCancel(context.Background())
    148. 

  148. 	defer cancel()
    149. 

  149. 	punchy := NewPunchyFromConfig(l, config.NewC(l))
    150. 

  150. 	nc := newConnectionManager(ctx, l, ifce, 5, 10, punchy)
    151. 

  151. 	p := []byte("")
    152. 

  152. 	nb := make([]byte, 12, 12)
    153. 

  153. 	out := make([]byte, mtu)
    154. 

  154. 

  155. 	// Add an ip we have established a connection w/ to hostmap
    156. 

  156. 	hostinfo := &HostInfo{
    157. 

  157. 		vpnIp:         vpnIp,
    158. 

  158. 		localIndexId:  1099,
    159. 

  159. 		remoteIndexId: 9901,
    160. 

  160. 	}
    161. 

  161. 	hostinfo.ConnectionState = &ConnectionState{
    162. 

  162. 		certState: cs,
    163. 

  163. 		H:         &noise.HandshakeState{},
    164. 

  164. 	}
    165. 

  165. 	nc.hostMap.unlockedAddHostInfo(hostinfo, ifce)
    166. 

  166. 

  167. 	// We saw traffic out to vpnIp
    168. 

  168. 	nc.Out(hostinfo.localIndexId)
    169. 

  169. 	nc.In(hostinfo.localIndexId)
    170. 

  170. 	assert.NotContains(t, nc.pendingDeletion, hostinfo.vpnIp)
    171. 

  171. 	assert.Contains(t, nc.hostMap.Hosts, hostinfo.vpnIp)
    172. 

  172. 	assert.Contains(t, nc.hostMap.Indexes, hostinfo.localIndexId)
    173. 

  173. 

  174. 	// Do a traffic check tick, should not be pending deletion but should not have any in/out packets recorded
    175. 

  175. 	nc.doTrafficCheck(hostinfo.localIndexId, p, nb, out, time.Now())
    176. 

  176. 	assert.NotContains(t, nc.pendingDeletion, hostinfo.localIndexId)
    177. 

  177. 	assert.NotContains(t, nc.out, hostinfo.localIndexId)
    178. 

  178. 	assert.NotContains(t, nc.in, hostinfo.localIndexId)
    179. 

  179. 

  180. 	// Do another traffic check tick, this host should be pending deletion now
    181. 

  181. 	nc.Out(hostinfo.localIndexId)
    182. 

  182. 	nc.doTrafficCheck(hostinfo.localIndexId, p, nb, out, time.Now())
    183. 

  183. 	assert.Contains(t, nc.pendingDeletion, hostinfo.localIndexId)
    184. 

  184. 	assert.NotContains(t, nc.out, hostinfo.localIndexId)
    185. 

  185. 	assert.NotContains(t, nc.in, hostinfo.localIndexId)
    186. 

  186. 	assert.Contains(t, nc.hostMap.Indexes, hostinfo.localIndexId)
    187. 

  187. 	assert.Contains(t, nc.hostMap.Hosts, hostinfo.vpnIp)
    188. 

  188. 

  189. 	// We saw traffic, should no longer be pending deletion
    190. 

  190. 	nc.In(hostinfo.localIndexId)
    191. 

  191. 	nc.doTrafficCheck(hostinfo.localIndexId, p, nb, out, time.Now())
    192. 

  192. 	assert.NotContains(t, nc.pendingDeletion, hostinfo.localIndexId)
    193. 

  193. 	assert.NotContains(t, nc.out, hostinfo.localIndexId)
    194. 

  194. 	assert.NotContains(t, nc.in, hostinfo.localIndexId)
    195. 

  195. 	assert.Contains(t, nc.hostMap.Indexes, hostinfo.localIndexId)
    196. 

  196. 	assert.Contains(t, nc.hostMap.Hosts, hostinfo.vpnIp)
    197. 

  197. }
    198. 

  198. 

  199. // Check if we can disconnect the peer.
    200. 

  200. // Validate if the peer's certificate is invalid (expired, etc.)
    201. 

  201. // Disconnect only if disconnectInvalid: true is set.
    202. 

  202. func Test_NewConnectionManagerTest_DisconnectInvalid(t *testing.T) {
    203. 

  203. 	now := time.Now()
    204. 

  204. 	l := test.NewLogger()
    205. 

  205. 	ipNet := net.IPNet{
    206. 

  206. 		IP:   net.IPv4(172, 1, 1, 2),
    207. 

  207. 		Mask: net.IPMask{255, 255, 255, 0},
    208. 

  208. 	}
    209. 

  209. 	_, vpncidr, _ := net.ParseCIDR("172.1.1.1/24")
    210. 

  210. 	_, localrange, _ := net.ParseCIDR("10.1.1.1/24")
    211. 

  211. 	preferredRanges := []*net.IPNet{localrange}
    212. 

  212. 	hostMap := NewHostMap(l, vpncidr, preferredRanges)
    213. 

  213. 

  214. 	// Generate keys for CA and peer's cert.
    215. 

  215. 	pubCA, privCA, _ := ed25519.GenerateKey(rand.Reader)
    216. 

  216. 	caCert := cert.NebulaCertificate{
    217. 

  217. 		Details: cert.NebulaCertificateDetails{
    218. 

  218. 			Name:      "ca",
    219. 

  219. 			NotBefore: now,
    220. 

  220. 			NotAfter:  now.Add(1 * time.Hour),
    221. 

  221. 			IsCA:      true,
    222. 

  222. 			PublicKey: pubCA,
    223. 

  223. 		},
    224. 

  224. 	}
    225. 

  225. 	caCert.Sign(cert.Curve_CURVE25519, privCA)
    226. 

  226. 	ncp := &cert.NebulaCAPool{
    227. 

  227. 		CAs: cert.NewCAPool().CAs,
    228. 

  228. 	}
    229. 

  229. 	ncp.CAs["ca"] = &caCert
    230. 

  230. 

  231. 	pubCrt, _, _ := ed25519.GenerateKey(rand.Reader)
    232. 

  232. 	peerCert := cert.NebulaCertificate{
    233. 

  233. 		Details: cert.NebulaCertificateDetails{
    234. 

  234. 			Name:      "host",
    235. 

  235. 			Ips:       []*net.IPNet{&ipNet},
    236. 

  236. 			Subnets:   []*net.IPNet{},
    237. 

  237. 			NotBefore: now,
    238. 

  238. 			NotAfter:  now.Add(60 * time.Second),
    239. 

  239. 			PublicKey: pubCrt,
    240. 

  240. 			IsCA:      false,
    241. 

  241. 			Issuer:    "ca",
    242. 

  242. 		},
    243. 

  243. 	}
    244. 

  244. 	peerCert.Sign(cert.Curve_CURVE25519, privCA)
    245. 

  245. 

  246. 	cs := &CertState{
    247. 

  247. 		RawCertificate:      []byte{},
    248. 

  248. 		PrivateKey:          []byte{},
    249. 

  249. 		Certificate:         &cert.NebulaCertificate{},
    250. 

  250. 		RawCertificateNoKey: []byte{},
    251. 

  251. 	}
    252. 

  252. 

  253. 	lh := newTestLighthouse()
    254. 

  254. 	ifce := &Interface{
    255. 

  255. 		hostMap:           hostMap,
    256. 

  256. 		inside:            &test.NoopTun{},
    257. 

  257. 		outside:           &udp.NoopConn{},
    258. 

  258. 		firewall:          &Firewall{},
    259. 

  259. 		lightHouse:        lh,
    260. 

  260. 		handshakeManager:  NewHandshakeManager(l, vpncidr, preferredRanges, hostMap, lh, &udp.NoopConn{}, defaultHandshakeConfig),
    261. 

  261. 		l:                 l,
    262. 

  262. 		disconnectInvalid: true,
    263. 

  263. 		pki:               &PKI{},
    264. 

  264. 	}
    265. 

  265. 	ifce.pki.cs.Store(cs)
    266. 

  266. 	ifce.pki.caPool.Store(ncp)
    267. 

  267. 

  268. 	// Create manager
    269. 

  269. 	ctx, cancel := context.WithCancel(context.Background())
    270. 

  270. 	defer cancel()
    271. 

  271. 	punchy := NewPunchyFromConfig(l, config.NewC(l))
    272. 

  272. 	nc := newConnectionManager(ctx, l, ifce, 5, 10, punchy)
    273. 

  273. 	ifce.connectionManager = nc
    274. 

  274. 

  275. 	hostinfo := &HostInfo{
    276. 

  276. 		vpnIp: vpnIp,
    277. 

  277. 		ConnectionState: &ConnectionState{
    278. 

  278. 			certState: cs,
    279. 

  279. 			peerCert:  &peerCert,
    280. 

  280. 			H:         &noise.HandshakeState{},
    281. 

  281. 		},
    282. 

  282. 	}
    283. 

  283. 	nc.hostMap.unlockedAddHostInfo(hostinfo, ifce)
    284. 

  284. 

  285. 	// Move ahead 45s.
    286. 

  286. 	// Check if to disconnect with invalid certificate.
    287. 

  287. 	// Should be alive.
    288. 

  288. 	nextTick := now.Add(45 * time.Second)
    289. 

  289. 	invalid := nc.isInvalidCertificate(nextTick, hostinfo)
    290. 

  290. 	assert.False(t, invalid)
    291. 

  291. 

  292. 	// Move ahead 61s.
    293. 

  293. 	// Check if to disconnect with invalid certificate.
    294. 

  294. 	// Should be disconnected.
    295. 

  295. 	nextTick = now.Add(61 * time.Second)
    296. 

  296. 	invalid = nc.isInvalidCertificate(nextTick, hostinfo)
    297. 

  297. 	assert.True(t, invalid)
    298. 

  298. }
    299.