mirror of
https://github.com/netbirdio/netbird.git
synced 2025-03-05 02:11:13 +01:00
a47c69c472
* wip: Add PrivateNetworkCheck checks interface implementation * use generic CheckAction constant * Add private network check to posture checks * Fix copy function target in posture checks * Add network check functionality to posture package * regenerate the openapi specs * Update Posture Check actions in test file * Remove unused function * Refactor network address handling in PrivateNetworkCheck * Refactor Prefixes to Ranges in private network checks * Implement private network checks in posture checks handler tests * Add test for check copy * Add gorm serializer for network range
150 lines
3.3 KiB
Go
150 lines
3.3 KiB
Go
package posture
|
|
|
|
import (
|
|
"net/netip"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
nbpeer "github.com/netbirdio/netbird/management/server/peer"
|
|
)
|
|
|
|
func TestPrivateNetworkCheck_Check(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
check PrivateNetworkCheck
|
|
peer nbpeer.Peer
|
|
wantErr bool
|
|
isValid bool
|
|
}{
|
|
{
|
|
name: "Peer private networks matches the allowed range",
|
|
check: PrivateNetworkCheck{
|
|
Action: CheckActionAllow,
|
|
Ranges: []netip.Prefix{
|
|
netip.MustParsePrefix("192.168.0.0/24"),
|
|
netip.MustParsePrefix("10.0.0.0/8"),
|
|
},
|
|
},
|
|
peer: nbpeer.Peer{
|
|
Meta: nbpeer.PeerSystemMeta{
|
|
NetworkAddresses: []nbpeer.NetworkAddress{
|
|
{
|
|
NetIP: netip.MustParsePrefix("192.168.0.123/24"),
|
|
},
|
|
{
|
|
NetIP: netip.MustParsePrefix("fe80::6089:eaff:fe0c:232f/64"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
wantErr: false,
|
|
isValid: true,
|
|
},
|
|
{
|
|
name: "Peer private networks doesn't matches the allowed range",
|
|
check: PrivateNetworkCheck{
|
|
Action: CheckActionAllow,
|
|
Ranges: []netip.Prefix{
|
|
netip.MustParsePrefix("192.168.0.0/24"),
|
|
netip.MustParsePrefix("10.0.0.0/8"),
|
|
},
|
|
},
|
|
peer: nbpeer.Peer{
|
|
Meta: nbpeer.PeerSystemMeta{
|
|
NetworkAddresses: []nbpeer.NetworkAddress{
|
|
{
|
|
NetIP: netip.MustParsePrefix("198.19.249.3/24"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
wantErr: false,
|
|
isValid: false,
|
|
},
|
|
{
|
|
name: "Peer with no privates network in the allow range",
|
|
check: PrivateNetworkCheck{
|
|
Action: CheckActionAllow,
|
|
Ranges: []netip.Prefix{
|
|
netip.MustParsePrefix("192.168.0.0/16"),
|
|
netip.MustParsePrefix("10.0.0.0/8"),
|
|
},
|
|
},
|
|
peer: nbpeer.Peer{},
|
|
wantErr: true,
|
|
isValid: false,
|
|
},
|
|
{
|
|
name: "Peer private networks matches the denied range",
|
|
check: PrivateNetworkCheck{
|
|
Action: CheckActionDeny,
|
|
Ranges: []netip.Prefix{
|
|
netip.MustParsePrefix("192.168.0.0/24"),
|
|
netip.MustParsePrefix("10.0.0.0/8"),
|
|
},
|
|
},
|
|
peer: nbpeer.Peer{
|
|
Meta: nbpeer.PeerSystemMeta{
|
|
NetworkAddresses: []nbpeer.NetworkAddress{
|
|
{
|
|
NetIP: netip.MustParsePrefix("192.168.0.123/24"),
|
|
},
|
|
{
|
|
NetIP: netip.MustParsePrefix("fe80::6089:eaff:fe0c:232f/64"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
wantErr: false,
|
|
isValid: false,
|
|
},
|
|
{
|
|
name: "Peer private networks doesn't matches the denied range",
|
|
check: PrivateNetworkCheck{
|
|
Action: CheckActionDeny,
|
|
Ranges: []netip.Prefix{
|
|
netip.MustParsePrefix("192.168.0.0/24"),
|
|
netip.MustParsePrefix("10.0.0.0/8"),
|
|
},
|
|
},
|
|
peer: nbpeer.Peer{
|
|
Meta: nbpeer.PeerSystemMeta{
|
|
NetworkAddresses: []nbpeer.NetworkAddress{
|
|
{
|
|
NetIP: netip.MustParsePrefix("198.19.249.3/24"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
wantErr: false,
|
|
isValid: true,
|
|
},
|
|
{
|
|
name: "Peer with no private networks in the denied range",
|
|
check: PrivateNetworkCheck{
|
|
Action: CheckActionDeny,
|
|
Ranges: []netip.Prefix{
|
|
netip.MustParsePrefix("192.168.0.0/16"),
|
|
netip.MustParsePrefix("10.0.0.0/8"),
|
|
},
|
|
},
|
|
peer: nbpeer.Peer{},
|
|
wantErr: true,
|
|
isValid: false,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
isValid, err := tt.check.Check(tt.peer)
|
|
if tt.wantErr {
|
|
assert.Error(t, err)
|
|
} else {
|
|
assert.NoError(t, err)
|
|
}
|
|
assert.Equal(t, tt.isValid, isValid)
|
|
})
|
|
}
|
|
}
|