The default Rego policy generated from the rules is broken in some cases. This change fixes the Rego template used to generate policies from rules. In addition, the file store now regenerates policy objects from rules on every load, which allows the default Rego template to be updated or fixed between releases.
package server
import (
"net"
"testing"
"github.com/stretchr/testify/assert"
"golang.org/x/exp/slices"
)
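// TestAccount_getPeersByPolicy builds an account with eight peers, two groups
// ("All" and "swarm") and two legacy rules, converts the rules to policies with
// RuleToPolicy, and checks the peer map and firewall rules that
// getPeersByPolicy derives from those policies.
//
// Fix relative to the earlier version of this test: the actual rules were
// sorted by PeerID only, but every peer contributes both a "dst" and a "src"
// rule, so the relative order of those two entries was left to the (unstable)
// sort and the element-wise comparison could fail non-deterministically. Both
// slices are now sorted with the same total ordering before being compared.
func TestAccount_getPeersByPolicy(t *testing.T) {
	account := &Account{
		Peers: map[string]*Peer{
			"cfif97at2r9s73au3q00": {ID: "cfif97at2r9s73au3q00", IP: net.ParseIP("100.65.14.88")},
			"cfif97at2r9s73au3q0g": {ID: "cfif97at2r9s73au3q0g", IP: net.ParseIP("100.65.80.39")},
			"cfif97at2r9s73au3q10": {ID: "cfif97at2r9s73au3q10", IP: net.ParseIP("100.65.254.139")},
			"cfif97at2r9s73au3q20": {ID: "cfif97at2r9s73au3q20", IP: net.ParseIP("100.65.62.5")},
			"cfj4tiqt2r9s73dmeun0": {ID: "cfj4tiqt2r9s73dmeun0", IP: net.ParseIP("100.65.32.206")},
			"cg7h032t2r9s73cg5fk0": {ID: "cg7h032t2r9s73cg5fk0", IP: net.ParseIP("100.65.250.202")},
			"cgcnkj2t2r9s73cg5vv0": {ID: "cgcnkj2t2r9s73cg5vv0", IP: net.ParseIP("100.65.13.186")},
			"cgcol4qt2r9s73cg601g": {ID: "cgcol4qt2r9s73cg601g", IP: net.ParseIP("100.65.29.55")},
		},
		Groups: map[string]*Group{
			// "All" holds every peer of the account.
			"cet9e92t2r9s7383ns20": {
				ID:   "cet9e92t2r9s7383ns20",
				Name: "All",
				Peers: []string{
					"cfif97at2r9s73au3q0g",
					"cfif97at2r9s73au3q00",
					"cfif97at2r9s73au3q20",
					"cfif97at2r9s73au3q10",
					"cfj4tiqt2r9s73dmeun0",
					"cg7h032t2r9s73cg5fk0",
					"cgcnkj2t2r9s73cg5vv0",
					"cgcol4qt2r9s73cg601g",
				},
			},
			// "swarm" is a strict subset of "All" (it omits q10 and cg5fk0).
			"cev90bat2r9s7383o150": {
				ID:   "cev90bat2r9s7383o150",
				Name: "swarm",
				Peers: []string{
					"cfif97at2r9s73au3q0g",
					"cfif97at2r9s73au3q00",
					"cfif97at2r9s73au3q20",
					"cfj4tiqt2r9s73dmeun0",
					"cgcnkj2t2r9s73cg5vv0",
					"cgcol4qt2r9s73cg601g",
				},
			},
		},
		Rules: map[string]*Rule{
			// The default rule: "All" -> "All".
			"cet9e92t2r9s7383ns2g": {
				ID:          "cet9e92t2r9s7383ns2g",
				Name:        "Default",
				Description: "This is a default rule that allows connections between all the resources",
				Source:      []string{"cet9e92t2r9s7383ns20"},
				Destination: []string{"cet9e92t2r9s7383ns20"},
			},
			// A narrower rule: "swarm" + "All" -> "swarm".
			"cev90bat2r9s7383o15g": {
				ID:          "cev90bat2r9s7383o15g",
				Name:        "Swarm",
				Description: "",
				Source:      []string{"cev90bat2r9s7383o150", "cet9e92t2r9s7383ns20"},
				Destination: []string{"cev90bat2r9s7383o150"},
			},
		},
	}

	// The policies under test are the legacy rules converted by RuleToPolicy.
	rule1, err := RuleToPolicy(account.Rules["cet9e92t2r9s7383ns2g"])
	assert.NoError(t, err)

	rule2, err := RuleToPolicy(account.Rules["cev90bat2r9s7383o15g"])
	assert.NoError(t, err)

	account.Policies = append(account.Policies, rule1, rule2)

	// Total ordering used to compare rule slices: the output order of
	// getPeersByPolicy is not part of its contract, and PeerID alone is not a
	// strict key because each peer yields both a "dst" and a "src" rule.
	byPeerThenDirection := func(a, b *FirewallRule) bool {
		if a.PeerID != b.PeerID {
			return a.PeerID < b.PeerID
		}
		return a.Direction < b.Direction
	}

	t.Run("check that all peers get map", func(t *testing.T) {
		// Every peer is in "All", so each one must see at least some peers and
		// at least one rule pair from the default policy.
		for _, p := range account.Peers {
			peers, firewallRules := account.getPeersByPolicy(p.ID)
			assert.GreaterOrEqual(t, len(peers), 2, "minimum number peers should present")
			assert.GreaterOrEqual(t, len(firewallRules), 2, "minimum number of firewall rules should present")
		}
	})

	t.Run("check first peer map details", func(t *testing.T) {
		peers, firewallRules := account.getPeersByPolicy("cfif97at2r9s73au3q0g")

		// The peer map covers the seven other peers of the account.
		assert.Len(t, peers, 7)
		assert.Contains(t, peers, account.Peers["cfif97at2r9s73au3q00"])
		assert.Contains(t, peers, account.Peers["cfif97at2r9s73au3q10"])
		assert.Contains(t, peers, account.Peers["cfif97at2r9s73au3q20"])
		assert.Contains(t, peers, account.Peers["cfj4tiqt2r9s73dmeun0"])
		assert.Contains(t, peers, account.Peers["cg7h032t2r9s73cg5fk0"])

		// One "dst" and one "src" accept rule for each of the eight peers,
		// including the queried peer itself. The unexported id field is set
		// here because this test lives in package server.
		expectedFirewallRules := []*FirewallRule{
			{PeerID: "cfif97at2r9s73au3q00", PeerIP: "100.65.14.88", Direction: "src", Action: "accept", Port: "", id: "cfif97at2r9s73au3q00100.65.14.88srcaccept"},
			{PeerID: "cfif97at2r9s73au3q00", PeerIP: "100.65.14.88", Direction: "dst", Action: "accept", Port: "", id: "cfif97at2r9s73au3q00100.65.14.88dstaccept"},

			{PeerID: "cfif97at2r9s73au3q0g", PeerIP: "100.65.80.39", Direction: "dst", Action: "accept", Port: "", id: "cfif97at2r9s73au3q0g100.65.80.39dstaccept"},
			{PeerID: "cfif97at2r9s73au3q0g", PeerIP: "100.65.80.39", Direction: "src", Action: "accept", Port: "", id: "cfif97at2r9s73au3q0g100.65.80.39srcaccept"},

			{PeerID: "cfif97at2r9s73au3q10", PeerIP: "100.65.254.139", Direction: "dst", Action: "accept", Port: "", id: "cfif97at2r9s73au3q10100.65.254.139dstaccept"},
			{PeerID: "cfif97at2r9s73au3q10", PeerIP: "100.65.254.139", Direction: "src", Action: "accept", Port: "", id: "cfif97at2r9s73au3q10100.65.254.139srcaccept"},

			{PeerID: "cfif97at2r9s73au3q20", PeerIP: "100.65.62.5", Direction: "dst", Action: "accept", Port: "", id: "cfif97at2r9s73au3q20100.65.62.5dstaccept"},
			{PeerID: "cfif97at2r9s73au3q20", PeerIP: "100.65.62.5", Direction: "src", Action: "accept", Port: "", id: "cfif97at2r9s73au3q20100.65.62.5srcaccept"},

			{PeerID: "cfj4tiqt2r9s73dmeun0", PeerIP: "100.65.32.206", Direction: "dst", Action: "accept", Port: "", id: "cfj4tiqt2r9s73dmeun0100.65.32.206dstaccept"},
			{PeerID: "cfj4tiqt2r9s73dmeun0", PeerIP: "100.65.32.206", Direction: "src", Action: "accept", Port: "", id: "cfj4tiqt2r9s73dmeun0100.65.32.206srcaccept"},

			{PeerID: "cg7h032t2r9s73cg5fk0", PeerIP: "100.65.250.202", Direction: "dst", Action: "accept", Port: "", id: "cg7h032t2r9s73cg5fk0100.65.250.202dstaccept"},
			{PeerID: "cg7h032t2r9s73cg5fk0", PeerIP: "100.65.250.202", Direction: "src", Action: "accept", Port: "", id: "cg7h032t2r9s73cg5fk0100.65.250.202srcaccept"},

			{PeerID: "cgcnkj2t2r9s73cg5vv0", PeerIP: "100.65.13.186", Direction: "dst", Action: "accept", Port: "", id: "cgcnkj2t2r9s73cg5vv0100.65.13.186dstaccept"},
			{PeerID: "cgcnkj2t2r9s73cg5vv0", PeerIP: "100.65.13.186", Direction: "src", Action: "accept", Port: "", id: "cgcnkj2t2r9s73cg5vv0100.65.13.186srcaccept"},

			{PeerID: "cgcol4qt2r9s73cg601g", PeerIP: "100.65.29.55", Direction: "dst", Action: "accept", Port: "", id: "cgcol4qt2r9s73cg601g100.65.29.55dstaccept"},
			{PeerID: "cgcol4qt2r9s73cg601g", PeerIP: "100.65.29.55", Direction: "src", Action: "accept", Port: "", id: "cgcol4qt2r9s73cg601g100.65.29.55srcaccept"},
		}
		assert.Len(t, firewallRules, len(expectedFirewallRules))

		// Sort both sides with the same total ordering, then compare whole
		// slices: this is deterministic and cannot index out of range when the
		// lengths differ (the old element-wise loop could).
		slices.SortFunc(firewallRules, byPeerThenDirection)
		slices.SortFunc(expectedFirewallRules, byPeerThenDirection)
		assert.Equal(t, expectedFirewallRules, firewallRules)
	})
}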