package acl
|
|
|
|
|
|
|
|
import (
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/golang/mock/gomock"
|
|
|
|
|
|
|
|
"github.com/netbirdio/netbird/client/internal/acl/mocks"
|
|
|
|
mgmProto "github.com/netbirdio/netbird/management/proto"
|
|
|
|
)
|
|
|
|
|
|
|
|
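// TestDefaultManager drives the ACL manager through three successive network
// maps and checks how many rule pairs it keeps after each one.
//
// The subtests share one manager and one mutable networkMap and must run in
// order: each builds on the state the previous one left behind.
//
// Only the rule count and the set of pair ids are asserted. The values in
// acl.rulesPairs are not inspected, so the action/direction/port of the
// installed rules are not verified here — a regression that, for example,
// turned the UDP/53 DROP into an ACCEPT would still pass this test.
func TestDefaultManager(t *testing.T) {
	networkMap := &mgmProto.NetworkMap{
		FirewallRules: []*mgmProto.FirewallRule{
			{
				PeerIP:    "10.93.0.1",
				Direction: mgmProto.FirewallRule_OUT,
				Action:    mgmProto.FirewallRule_ACCEPT,
				Protocol:  mgmProto.FirewallRule_TCP,
				Port:      "80",
			},
			{
				PeerIP:    "10.93.0.2",
				Direction: mgmProto.FirewallRule_OUT,
				Action:    mgmProto.FirewallRule_DROP,
				Protocol:  mgmProto.FirewallRule_UDP,
				Port:      "53",
			},
		},
	}

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	// gomock expects exactly one SetFilter call for the whole test while
	// ApplyFiltering runs four times below, so the packet filter is installed
	// once up front (userspace bind) rather than re-set on every apply.
	iface := mocks.NewMockIFaceMapper(ctrl)
	iface.EXPECT().IsUserspaceBind().Return(true)
	iface.EXPECT().SetFilter(gomock.Any())

	acl, err := Create(iface)
	if err != nil {
		t.Fatalf("create ACL manager: %v", err)
	}
	defer acl.Stop()

	t.Run("apply firewall rules", func(t *testing.T) {
		acl.ApplyFiltering(networkMap)
		if got := len(acl.rulesPairs); got != 2 {
			t.Fatalf("expected 2 rule pairs after first apply, got %d: %v", got, acl.rulesPairs)
		}
	})

	t.Run("add extra rules", func(t *testing.T) {
		// Snapshot the pair ids from the previous apply so we can tell which
		// of them survive the next one.
		existedPairs := make(map[string]struct{}, len(acl.rulesPairs))
		for id := range acl.rulesPairs {
			existedPairs[id] = struct{}{}
		}

		// Drop the first rule (10.93.0.1 TCP/80) and add an inbound ICMP DROP
		// for a new peer, so the new map shares exactly one rule with the old.
		networkMap.FirewallRules = append(networkMap.FirewallRules[1:], &mgmProto.FirewallRule{
			PeerIP:    "10.93.0.3",
			Direction: mgmProto.FirewallRule_IN,
			Action:    mgmProto.FirewallRule_DROP,
			Protocol:  mgmProto.FirewallRule_ICMP,
		})
		acl.ApplyFiltering(networkMap)

		// One retained rule plus one new one.
		if got := len(acl.rulesPairs); got != 2 {
			t.Fatalf("expected 2 rule pairs after update, got %d", got)
		}

		// Exactly one of the previous pairs must still be present: the
		// removed rule has to be gone, and the kept rule must not have been
		// re-created under a fresh id.
		previousCount := 0
		for id := range acl.rulesPairs {
			if _, ok := existedPairs[id]; ok {
				previousCount++
			}
		}
		if previousCount != 1 {
			t.Errorf("expected exactly 1 pre-existing rule pair to survive, got %d", previousCount)
		}
	})

	t.Run("handle default rules", func(t *testing.T) {
		networkMap.FirewallRules = networkMap.FirewallRules[:0]

		// An empty rule list that is explicitly flagged as empty must leave
		// nothing installed. (What "nothing installed" permits depends on the
		// filter's default policy, which this test does not exercise.)
		networkMap.FirewallRulesIsEmpty = true
		acl.ApplyFiltering(networkMap)
		if got := len(acl.rulesPairs); got != 0 {
			t.Fatalf("rules should be empty if FirewallRulesIsEmpty is set, got: %v", got)
		}

		// The same empty list without the flag makes the manager fall back to
		// two rules of its own. NOTE(review): this is the compatibility path
		// for a management server that does not send the flag, and the test
		// pins only the count, not what those two rules permit — confirm
		// against ApplyFiltering before relying on this being fail-closed.
		networkMap.FirewallRulesIsEmpty = false
		acl.ApplyFiltering(networkMap)
		if got := len(acl.rulesPairs); got != 2 {
			t.Fatalf("rules should contain 2 rules if FirewallRulesIsEmpty is not set, got: %v", got)
		}
	})
}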
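// TestDefaultManagerSquashRules covers the squash path of squashAcceptRules:
// when every remote peer has an ACCEPT/ALL rule in a direction, the per-peer
// rules for that direction collapse into a single wildcard (PeerIP 0.0.0.0)
// ACCEPT/ALL rule. Here all four peers are allowed in both directions, so the
// eight input rules become exactly two wildcard rules, IN first, then OUT.
//
// Security note: the wildcard matches any source, not just the listed peers,
// so the squash is only sound while the coverage condition holds. The
// partial-coverage case is in TestDefaultManagerSquashRulesNoAffect; a map
// whose RemotePeers lists a peer that has no rule at all is covered by
// neither test.
func TestDefaultManagerSquashRules(t *testing.T) {
	peers := []string{"10.93.0.1", "10.93.0.2", "10.93.0.3", "10.93.0.4"}

	networkMap := &mgmProto.NetworkMap{}
	for _, ip := range peers {
		networkMap.RemotePeers = append(networkMap.RemotePeers,
			&mgmProto.RemotePeerConfig{AllowedIps: []string{ip}})
	}

	// One ACCEPT/ALL rule per peer and direction: all IN rules, then all OUT.
	directions := []mgmProto.FirewallRule_Direction{
		mgmProto.FirewallRule_IN,
		mgmProto.FirewallRule_OUT,
	}
	for _, dir := range directions {
		for _, ip := range peers {
			networkMap.FirewallRules = append(networkMap.FirewallRules, &mgmProto.FirewallRule{
				PeerIP:    ip,
				Direction: dir,
				Action:    mgmProto.FirewallRule_ACCEPT,
				Protocol:  mgmProto.FirewallRule_ALL,
			})
		}
	}

	manager := &DefaultManager{}
	// The second return value is discarded, as before: this test only checks
	// the resulting rule list.
	rules, _ := manager.squashAcceptRules(networkMap)
	if len(rules) != 2 {
		t.Fatalf("rules should contain 2, got: %v", rules)
	}

	// rules[0] must be the IN wildcard and rules[1] the OUT wildcard.
	for i, dir := range directions {
		r := rules[i]
		switch {
		case r.PeerIP != "0.0.0.0":
			t.Errorf("rule %d: IP should be 0.0.0.0, got: %v", i, r.PeerIP)
		case r.Direction != dir:
			t.Errorf("rule %d: direction should be %v, got: %v", i, dir, r.Direction)
		case r.Protocol != mgmProto.FirewallRule_ALL:
			t.Errorf("rule %d: protocol should be ALL, got: %v", i, r.Protocol)
		case r.Action != mgmProto.FirewallRule_ACCEPT:
			t.Errorf("rule %d: action should be ACCEPT, got: %v", i, r.Action)
		}
	}
}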
|
|
|
|
|
|
|
|
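// TestDefaultManagerSquashRulesNoAffect is the negative case for
// squashAcceptRules: peer 10.93.0.4 is only allowed TCP inbound and UDP
// outbound rather than ALL, so neither direction is fully covered and nothing
// may be collapsed into a 0.0.0.0 wildcard. Squashing here would silently
// widen the narrower per-peer rules to any source and any protocol.
func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
	peers := []string{"10.93.0.1", "10.93.0.2", "10.93.0.3", "10.93.0.4"}

	networkMap := &mgmProto.NetworkMap{}
	for _, ip := range peers {
		networkMap.RemotePeers = append(networkMap.RemotePeers,
			&mgmProto.RemotePeerConfig{AllowedIps: []string{ip}})
	}

	accept := func(ip string, dir mgmProto.FirewallRule_Direction, proto mgmProto.FirewallRule_Protocol) *mgmProto.FirewallRule {
		return &mgmProto.FirewallRule{
			PeerIP:    ip,
			Direction: dir,
			Action:    mgmProto.FirewallRule_ACCEPT,
			Protocol:  proto,
		}
	}

	// Peers .1-.3 get ACCEPT/ALL both ways; .4 is deliberately narrower.
	networkMap.FirewallRules = []*mgmProto.FirewallRule{
		accept("10.93.0.1", mgmProto.FirewallRule_IN, mgmProto.FirewallRule_ALL),
		accept("10.93.0.2", mgmProto.FirewallRule_IN, mgmProto.FirewallRule_ALL),
		accept("10.93.0.3", mgmProto.FirewallRule_IN, mgmProto.FirewallRule_ALL),
		accept("10.93.0.4", mgmProto.FirewallRule_IN, mgmProto.FirewallRule_TCP),
		accept("10.93.0.1", mgmProto.FirewallRule_OUT, mgmProto.FirewallRule_ALL),
		accept("10.93.0.2", mgmProto.FirewallRule_OUT, mgmProto.FirewallRule_ALL),
		accept("10.93.0.3", mgmProto.FirewallRule_OUT, mgmProto.FirewallRule_ALL),
		accept("10.93.0.4", mgmProto.FirewallRule_OUT, mgmProto.FirewallRule_UDP),
	}

	manager := &DefaultManager{}
	rules, _ := manager.squashAcceptRules(networkMap)
	if len(rules) != len(networkMap.FirewallRules) {
		t.Fatalf("we should get the same amount of rules as input, got %v", len(rules))
	}

	// A matching count alone does not prove nothing was widened; make sure no
	// wildcard rule appears in the output either.
	for i, r := range rules {
		if r.PeerIP == "0.0.0.0" {
			t.Errorf("rule %d was squashed to 0.0.0.0 although 10.93.0.4 is not fully covered: %v", i, r)
		}
	}
}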
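// TestDefaultManagerEnableSSHRules checks that enabling SSH in the peer config
// makes ApplyFiltering install one extra rule on top of the three from the
// network map, and that disabling it again removes that rule.
//
// Only counts are asserted: the test does not pin the SSH rule's direction,
// protocol or port, so a regression that appended some other fourth rule
// would not be caught here.
func TestDefaultManagerEnableSSHRules(t *testing.T) {
	networkMap := &mgmProto.NetworkMap{
		PeerConfig: &mgmProto.PeerConfig{
			SshConfig: &mgmProto.SSHConfig{
				SshEnabled: true,
			},
		},
		RemotePeers: []*mgmProto.RemotePeerConfig{
			{AllowedIps: []string{"10.93.0.1"}},
			{AllowedIps: []string{"10.93.0.2"}},
			{AllowedIps: []string{"10.93.0.3"}},
		},
		// Only two of the three peers have an inbound rule, and they are TCP
		// rather than ALL, so no direction can be squashed to a wildcard.
		FirewallRules: []*mgmProto.FirewallRule{
			{
				PeerIP:    "10.93.0.1",
				Direction: mgmProto.FirewallRule_IN,
				Action:    mgmProto.FirewallRule_ACCEPT,
				Protocol:  mgmProto.FirewallRule_TCP,
			},
			{
				PeerIP:    "10.93.0.2",
				Direction: mgmProto.FirewallRule_IN,
				Action:    mgmProto.FirewallRule_ACCEPT,
				Protocol:  mgmProto.FirewallRule_TCP,
			},
			{
				PeerIP:    "10.93.0.3",
				Direction: mgmProto.FirewallRule_OUT,
				Action:    mgmProto.FirewallRule_ACCEPT,
				Protocol:  mgmProto.FirewallRule_UDP,
			},
		},
	}

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	iface := mocks.NewMockIFaceMapper(ctrl)
	iface.EXPECT().IsUserspaceBind().Return(true)
	// SetFilter is expected exactly once even though ApplyFiltering runs
	// twice below: the filter is installed up front, not per apply.
	iface.EXPECT().SetFilter(gomock.Any())

	acl, err := Create(iface)
	if err != nil {
		t.Fatalf("create ACL manager: %v", err)
	}
	defer acl.Stop()

	acl.ApplyFiltering(networkMap)
	if got := len(acl.rulesPairs); got != 4 {
		t.Fatalf("expect 4 rules (last must be SSH), got: %d", got)
	}

	// Fail closed: switching SSH off must take the extra rule away again
	// instead of leaving a stale accept rule behind.
	networkMap.PeerConfig.SshConfig.SshEnabled = false
	acl.ApplyFiltering(networkMap)
	if got := len(acl.rulesPairs); got != 3 {
		t.Fatalf("expect 3 rules once SSH is disabled, got: %d", got)
	}
}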