extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2025-08-16 10:08:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix broken auto-generated Rego rule (#769)

Browse Source 
Default Rego policy generated from the rules in some cases is broken.
This change fixes the Rego template for rules to generate policies.

Also, file store load constantly regenerates policy objects from rules.
It allows updating/fixing of the default Rego template during releases.
This commit is contained in:
Givi Khojanashvili
2023-04-01 14:02:08 +04:00
committed by GitHub
parent 909f305728
commit 5dc0ff42a5
6 changed files with 315 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

281
management/server/policy_test.go
View File

@ -5,63 +5,268 @@ import (
"testing"
"github.com/stretchr/testify/assert"
"golang.org/x/exp/slices"
)
func TestAccount_getPeersByPolicy(t *testing.T) {
account := &Account{
Peers: map[string]*Peer{
"peer1": {
ID: "peer1",
IP: net.IPv4(10, 20, 0, 1),
"cfif97at2r9s73au3q00": {
ID: "cfif97at2r9s73au3q00",
IP: net.ParseIP("100.65.14.88"),
},
"peer2": {
ID: "peer2",
IP: net.IPv4(10, 20, 0, 2),
"cfif97at2r9s73au3q0g": {
ID: "cfif97at2r9s73au3q0g",
IP: net.ParseIP("100.65.80.39"),
},
"peer3": {
ID: "peer3",
IP: net.IPv4(10, 20, 0, 3),
"cfif97at2r9s73au3q10": {
ID: "cfif97at2r9s73au3q10",
IP: net.ParseIP("100.65.254.139"),
},
"cfif97at2r9s73au3q20": {
ID: "cfif97at2r9s73au3q20",
IP: net.ParseIP("100.65.62.5"),
},
"cfj4tiqt2r9s73dmeun0": {
ID: "cfj4tiqt2r9s73dmeun0",
IP: net.ParseIP("100.65.32.206"),
},
"cg7h032t2r9s73cg5fk0": {
ID: "cg7h032t2r9s73cg5fk0",
IP: net.ParseIP("100.65.250.202"),
},
"cgcnkj2t2r9s73cg5vv0": {
ID: "cgcnkj2t2r9s73cg5vv0",
IP: net.ParseIP("100.65.13.186"),
},
"cgcol4qt2r9s73cg601g": {
ID: "cgcol4qt2r9s73cg601g",
IP: net.ParseIP("100.65.29.55"),
},
},
Groups: map[string]*Group{
"gid1": {
ID: "gid1",
Name: "all",
Peers: []string{"peer1", "peer2", "peer3"},
"cet9e92t2r9s7383ns20": {
ID: "cet9e92t2r9s7383ns20",
Name: "All",
Peers: []string{
"cfif97at2r9s73au3q0g",
"cfif97at2r9s73au3q00",
"cfif97at2r9s73au3q20",
"cfif97at2r9s73au3q10",
"cfj4tiqt2r9s73dmeun0",
"cg7h032t2r9s73cg5fk0",
"cgcnkj2t2r9s73cg5vv0",
"cgcol4qt2r9s73cg601g",
},
},
"cev90bat2r9s7383o150": {
ID: "cev90bat2r9s7383o150",
Name: "swarm",
Peers: []string{
"cfif97at2r9s73au3q0g",
"cfif97at2r9s73au3q00",
"cfif97at2r9s73au3q20",
"cfj4tiqt2r9s73dmeun0",
"cgcnkj2t2r9s73cg5vv0",
"cgcol4qt2r9s73cg601g",
},
},
},
Rules: map[string]*Rule{
"default": {
ID: "default",
Name: "default",
Description: "default",
Disabled: false,
Source: []string{"gid1"},
Destination: []string{"gid1"},
"cet9e92t2r9s7383ns2g": {
ID: "cet9e92t2r9s7383ns2g",
Name: "Default",
Description: "This is a default rule that allows connections between all the resources",
Source: []string{
"cet9e92t2r9s7383ns20",
},
Destination: []string{
"cet9e92t2r9s7383ns20",
},
},
"cev90bat2r9s7383o15g": {
ID: "cev90bat2r9s7383o15g",
Name: "Swarm",
Description: "",
Source: []string{
"cev90bat2r9s7383o150",
"cet9e92t2r9s7383ns20",
},
Destination: []string{
"cev90bat2r9s7383o150",
},
},
},
}
rule, err := RuleToPolicy(account.Rules["default"])
rule1, err := RuleToPolicy(account.Rules["cet9e92t2r9s7383ns2g"])
assert.NoError(t, err)
account.Policies = append(account.Policies, rule)
rule2, err := RuleToPolicy(account.Rules["cev90bat2r9s7383o15g"])
assert.NoError(t, err)
peers, firewallRules := account.getPeersByPolicy("peer1")
assert.Len(t, peers, 2)
assert.Contains(t, peers, account.Peers["peer2"])
assert.Contains(t, peers, account.Peers["peer3"])
account.Policies = append(account.Policies, rule1, rule2)
epectedFirewallRules := []*FirewallRule{
{PeerID: "peer1", PeerIP: "10.20.0.1", Direction: "dst", Action: "accept", Port: ""},
{PeerID: "peer2", PeerIP: "10.20.0.2", Direction: "dst", Action: "accept", Port: ""},
{PeerID: "peer3", PeerIP: "10.20.0.3", Direction: "dst", Action: "accept", Port: ""},
{PeerID: "peer1", PeerIP: "10.20.0.1", Direction: "src", Action: "accept", Port: ""},
{PeerID: "peer2", PeerIP: "10.20.0.2", Direction: "src", Action: "accept", Port: ""},
{PeerID: "peer3", PeerIP: "10.20.0.3", Direction: "src", Action: "accept", Port: ""},
}
assert.Len(t, firewallRules, len(epectedFirewallRules))
for i := range firewallRules {
assert.Equal(t, firewallRules[i], epectedFirewallRules[i])
}
t.Run("check that all peers get map", func(t *testing.T) {
for _, p := range account.Peers {
peers, firewallRules := account.getPeersByPolicy(p.ID)
assert.GreaterOrEqual(t, len(peers), 2, "mininum number peers should present")
assert.GreaterOrEqual(t, len(firewallRules), 2, "mininum number of firewall rules should present")
}
})
t.Run("check first peer map details", func(t *testing.T) {
peers, firewallRules := account.getPeersByPolicy("cfif97at2r9s73au3q0g")
assert.Len(t, peers, 7)
assert.Contains(t, peers, account.Peers["cfif97at2r9s73au3q00"])
assert.Contains(t, peers, account.Peers["cfif97at2r9s73au3q10"])
assert.Contains(t, peers, account.Peers["cfif97at2r9s73au3q20"])
assert.Contains(t, peers, account.Peers["cfj4tiqt2r9s73dmeun0"])
assert.Contains(t, peers, account.Peers["cg7h032t2r9s73cg5fk0"])
epectedFirewallRules := []*FirewallRule{
{
PeerID: "cfif97at2r9s73au3q00",
PeerIP: "100.65.14.88",
Direction: "src",
Action: "accept",
Port: "",
id: "cfif97at2r9s73au3q00100.65.14.88srcaccept",
},
{
PeerID: "cfif97at2r9s73au3q00",
PeerIP: "100.65.14.88",
Direction: "dst",
Action: "accept",
Port: "",
id: "cfif97at2r9s73au3q00100.65.14.88dstaccept",
},
{
PeerID: "cfif97at2r9s73au3q0g",
PeerIP: "100.65.80.39",
Direction: "dst",
Action: "accept",
Port: "",
id: "cfif97at2r9s73au3q0g100.65.80.39dstaccept",
},
{
PeerID: "cfif97at2r9s73au3q0g",
PeerIP: "100.65.80.39",
Direction: "src",
Action: "accept",
Port: "",
id: "cfif97at2r9s73au3q0g100.65.80.39srcaccept",
},
{
PeerID: "cfif97at2r9s73au3q10",
PeerIP: "100.65.254.139",
Direction: "dst",
Action: "accept",
Port: "",
id: "cfif97at2r9s73au3q10100.65.254.139dstaccept",
},
{
PeerID: "cfif97at2r9s73au3q10",
PeerIP: "100.65.254.139",
Direction: "src",
Action: "accept",
Port: "",
id: "cfif97at2r9s73au3q10100.65.254.139srcaccept",
},
{
PeerID: "cfif97at2r9s73au3q20",
PeerIP: "100.65.62.5",
Direction: "dst",
Action: "accept",
Port: "",
id: "cfif97at2r9s73au3q20100.65.62.5dstaccept",
},
{
PeerID: "cfif97at2r9s73au3q20",
PeerIP: "100.65.62.5",
Direction: "src",
Action: "accept",
Port: "",
id: "cfif97at2r9s73au3q20100.65.62.5srcaccept",
},
{
PeerID: "cfj4tiqt2r9s73dmeun0",
PeerIP: "100.65.32.206",
Direction: "dst",
Action: "accept",
Port: "",
id: "cfj4tiqt2r9s73dmeun0100.65.32.206dstaccept",
},
{
PeerID: "cfj4tiqt2r9s73dmeun0",
PeerIP: "100.65.32.206",
Direction: "src",
Action: "accept",
Port: "",
id: "cfj4tiqt2r9s73dmeun0100.65.32.206srcaccept",
},
{
PeerID: "cg7h032t2r9s73cg5fk0",
PeerIP: "100.65.250.202",
Direction: "dst",
Action: "accept",
Port: "",
id: "cg7h032t2r9s73cg5fk0100.65.250.202dstaccept",
},
{
PeerID: "cg7h032t2r9s73cg5fk0",
PeerIP: "100.65.250.202",
Direction: "src",
Action: "accept",
Port: "",
id: "cg7h032t2r9s73cg5fk0100.65.250.202srcaccept",
},
{
PeerID: "cgcnkj2t2r9s73cg5vv0",
PeerIP: "100.65.13.186",
Direction: "dst",
Action: "accept",
Port: "",
id: "cgcnkj2t2r9s73cg5vv0100.65.13.186dstaccept",
},
{
PeerID: "cgcnkj2t2r9s73cg5vv0",
PeerIP: "100.65.13.186",
Direction: "src",
Action: "accept",
Port: "",
id: "cgcnkj2t2r9s73cg5vv0100.65.13.186srcaccept",
},
{
PeerID: "cgcol4qt2r9s73cg601g",
PeerIP: "100.65.29.55",
Direction: "dst",
Action: "accept",
Port: "",
id: "cgcol4qt2r9s73cg601g100.65.29.55dstaccept",
},
{
PeerID: "cgcol4qt2r9s73cg601g",
PeerIP: "100.65.29.55",
Direction: "src",
Action: "accept",
Port: "",
id: "cgcol4qt2r9s73cg601g100.65.29.55srcaccept",
},
}
assert.Len(t, firewallRules, len(epectedFirewallRules))
slices.SortFunc(firewallRules, func(a, b *FirewallRule) bool {
return a.PeerID < b.PeerID
})
for i := range firewallRules {
assert.Equal(t, epectedFirewallRules[i], firewallRules[i])
}
})
}