Home Explore Help
Sign In
Tailscale
/
tailscale
mirror of https://github.com/tailscale/tailscale.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: v1.95.0-pr
Branches Tags
tailscale
/
k8s-operator
/
api-proxy
/
proxy_test.go

proxy_test.go 6.0 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199 
  1. // Copyright (c) Tailscale Inc & AUTHORS
    2. 

  2. // SPDX-License-Identifier: BSD-3-Clause
    3. 

  3. 

  4. //go:build !plan9
    5. 

  5. 

  6. package apiproxy
    7. 

  7. 

  8. import (
    9. 

  9. 	"net/http"
    10. 

  10. 	"net/netip"
    11. 

  11. 	"reflect"
    12. 

  12. 	"testing"
    13. 

  13. 

  14. 	"github.com/google/go-cmp/cmp"
    15. 

  15. 	"go.uber.org/zap"
    16. 

  16. 	"tailscale.com/client/tailscale/apitype"
    17. 

  17. 	"tailscale.com/tailcfg"
    18. 

  18. 	"tailscale.com/util/must"
    19. 

  19. )
    20. 

  20. 

  21. func TestImpersonationHeaders(t *testing.T) {
    22. 

  22. 	zl, err := zap.NewDevelopment()
    23. 

  23. 	if err != nil {
    24. 

  24. 		t.Fatal(err)
    25. 

  25. 	}
    26. 

  26. 	tests := []struct {
    27. 

  27. 		name     string
    28. 

  28. 		emailish string
    29. 

  29. 		tags     []string
    30. 

  30. 		capMap   tailcfg.PeerCapMap
    31. 

  31. 

  32. 		wantHeaders http.Header
    33. 

  33. 	}{
    34. 

  34. 		{
    35. 

  35. 			name:     "user",
    36. 

  36. 			emailish: "[email protected]",
    37. 

  37. 			wantHeaders: http.Header{
    38. 

  38. 				"Impersonate-User": {"[email protected]"},
    39. 

  39. 			},
    40. 

  40. 		},
    41. 

  41. 		{
    42. 

  42. 			name:     "tagged",
    43. 

  43. 			emailish: "tagged-device",
    44. 

  44. 			tags:     []string{"tag:foo", "tag:bar"},
    45. 

  45. 			wantHeaders: http.Header{
    46. 

  46. 				"Impersonate-User":  {"node.ts.net"},
    47. 

  47. 				"Impersonate-Group": {"tag:foo", "tag:bar"},
    48. 

  48. 			},
    49. 

  49. 		},
    50. 

  50. 		{
    51. 

  51. 			name:     "user-with-cap",
    52. 

  52. 			emailish: "[email protected]",
    53. 

  53. 			capMap: tailcfg.PeerCapMap{
    54. 

  54. 				tailcfg.PeerCapabilityKubernetes: {
    55. 

  55. 					tailcfg.RawMessage(`{"impersonate":{"groups":["group1","group2"]}}`),
    56. 

  56. 					tailcfg.RawMessage(`{"impersonate":{"groups":["group1","group3"]}}`), // One group is duplicated.
    57. 

  57. 					tailcfg.RawMessage(`{"impersonate":{"groups":["group4"]}}`),
    58. 

  58. 					tailcfg.RawMessage(`{"impersonate":{"groups":["group2"]}}`), // duplicate
    59. 

  59. 

  60. 					// These should be ignored, but should parse correctly.
    61. 

  61. 					tailcfg.RawMessage(`{}`),
    62. 

  62. 					tailcfg.RawMessage(`{"impersonate":{}}`),
    63. 

  63. 					tailcfg.RawMessage(`{"impersonate":{"groups":[]}}`),
    64. 

  64. 				},
    65. 

  65. 			},
    66. 

  66. 			wantHeaders: http.Header{
    67. 

  67. 				"Impersonate-Group": {"group1", "group2", "group3", "group4"},
    68. 

  68. 				"Impersonate-User":  {"[email protected]"},
    69. 

  69. 			},
    70. 

  70. 		},
    71. 

  71. 		{
    72. 

  72. 			name:     "tagged-with-cap",
    73. 

  73. 			emailish: "tagged-device",
    74. 

  74. 			tags:     []string{"tag:foo", "tag:bar"},
    75. 

  75. 			capMap: tailcfg.PeerCapMap{
    76. 

  76. 				tailcfg.PeerCapabilityKubernetes: {
    77. 

  77. 					tailcfg.RawMessage(`{"impersonate":{"groups":["group1"]}}`),
    78. 

  78. 				},
    79. 

  79. 			},
    80. 

  80. 			wantHeaders: http.Header{
    81. 

  81. 				"Impersonate-Group": {"group1"},
    82. 

  82. 				"Impersonate-User":  {"node.ts.net"},
    83. 

  83. 			},
    84. 

  84. 		},
    85. 

  85. 		{
    86. 

  86. 			name:     "mix-of-caps",
    87. 

  87. 			emailish: "tagged-device",
    88. 

  88. 			tags:     []string{"tag:foo", "tag:bar"},
    89. 

  89. 			capMap: tailcfg.PeerCapMap{
    90. 

  90. 				tailcfg.PeerCapabilityKubernetes: {
    91. 

  91. 					tailcfg.RawMessage(`{"impersonate":{"groups":["group1"]},"recorder":["tag:foo"],"enforceRecorder":true}`),
    92. 

  92. 				},
    93. 

  93. 			},
    94. 

  94. 			wantHeaders: http.Header{
    95. 

  95. 				"Impersonate-Group": {"group1"},
    96. 

  96. 				"Impersonate-User":  {"node.ts.net"},
    97. 

  97. 			},
    98. 

  98. 		},
    99. 

  99. 		{
    100. 

  100. 			name:     "bad-cap",
    101. 

  101. 			emailish: "tagged-device",
    102. 

  102. 			tags:     []string{"tag:foo", "tag:bar"},
    103. 

  103. 			capMap: tailcfg.PeerCapMap{
    104. 

  104. 				tailcfg.PeerCapabilityKubernetes: {
    105. 

  105. 					tailcfg.RawMessage(`[]`),
    106. 

  106. 				},
    107. 

  107. 			},
    108. 

  108. 			wantHeaders: http.Header{},
    109. 

  109. 		},
    110. 

  110. 	}
    111. 

  111. 

  112. 	for _, tc := range tests {
    113. 

  113. 		r := must.Get(http.NewRequest("GET", "https://op.ts.net/api/foo", nil))
    114. 

  114. 		r = r.WithContext(whoIsKey.WithValue(r.Context(), &apitype.WhoIsResponse{
    115. 

  115. 			Node: &tailcfg.Node{
    116. 

  116. 				Name: "node.ts.net",
    117. 

  117. 				Tags: tc.tags,
    118. 

  118. 			},
    119. 

  119. 			UserProfile: &tailcfg.UserProfile{
    120. 

  120. 				LoginName: tc.emailish,
    121. 

  121. 			},
    122. 

  122. 			CapMap: tc.capMap,
    123. 

  123. 		}))
    124. 

  124. 		addImpersonationHeaders(r, zl.Sugar())
    125. 

  125. 

  126. 		if d := cmp.Diff(tc.wantHeaders, r.Header); d != "" {
    127. 

  127. 			t.Errorf("unexpected header (-want +got):\n%s", d)
    128. 

  128. 		}
    129. 

  129. 	}
    130. 

  130. }
    131. 

  131. 

  132. func Test_determineRecorderConfig(t *testing.T) {
    133. 

  133. 	addr1, addr2 := netip.MustParseAddrPort("[fd7a:115c:a1e0:ab12:4843:cd96:626b:628b]:80"), netip.MustParseAddrPort("100.99.99.99:80")
    134. 

  134. 	tests := []struct {
    135. 

  135. 		name                  string
    136. 

  136. 		wantFailOpen          bool
    137. 

  137. 		wantRecorderAddresses []netip.AddrPort
    138. 

  138. 		who                   *apitype.WhoIsResponse
    139. 

  139. 	}{
    140. 

  140. 		{
    141. 

  141. 			name:                  "two_ips_fail_closed",
    142. 

  142. 			who:                   whoResp(map[string][]string{string(tailcfg.PeerCapabilityKubernetes): {`{"recorderAddrs":["[fd7a:115c:a1e0:ab12:4843:cd96:626b:628b]:80","100.99.99.99:80"],"enforceRecorder":true}`}}),
    143. 

  143. 			wantRecorderAddresses: []netip.AddrPort{addr1, addr2},
    144. 

  144. 		},
    145. 

  145. 		{
    146. 

  146. 			name:                  "two_ips_fail_open",
    147. 

  147. 			who:                   whoResp(map[string][]string{string(tailcfg.PeerCapabilityKubernetes): {`{"recorderAddrs":["[fd7a:115c:a1e0:ab12:4843:cd96:626b:628b]:80","100.99.99.99:80"]}`}}),
    148. 

  148. 			wantRecorderAddresses: []netip.AddrPort{addr1, addr2},
    149. 

  149. 			wantFailOpen:          true,
    150. 

  150. 		},
    151. 

  151. 		{
    152. 

  152. 			name:                  "odd_rule_combination_fail_closed",
    153. 

  153. 			who:                   whoResp(map[string][]string{string(tailcfg.PeerCapabilityKubernetes): {`{"recorderAddrs":["100.99.99.99:80"],"enforceRecorder":false}`, `{"recorderAddrs":["[fd7a:115c:a1e0:ab12:4843:cd96:626b:628b]:80"]}`, `{"enforceRecorder":true,"impersonate":{"groups":["system:masters"]}}`}}),
    154. 

  154. 			wantRecorderAddresses: []netip.AddrPort{addr2, addr1},
    155. 

  155. 		},
    156. 

  156. 		{
    157. 

  157. 			name:         "no_caps",
    158. 

  158. 			who:          whoResp(map[string][]string{}),
    159. 

  159. 			wantFailOpen: true,
    160. 

  160. 		},
    161. 

  161. 		{
    162. 

  162. 			name:         "no_recorder_caps",
    163. 

  163. 			who:          whoResp(map[string][]string{"foo": {`{"x":"y"}`}, string(tailcfg.PeerCapabilityKubernetes): {`{"impersonate":{"groups":["system:masters"]}}`}}),
    164. 

  164. 			wantFailOpen: true,
    165. 

  165. 		},
    166. 

  166. 	}
    167. 

  167. 	for _, tt := range tests {
    168. 

  168. 		t.Run(tt.name, func(t *testing.T) {
    169. 

  169. 			gotFailOpen, gotRecorderAddresses, err := determineRecorderConfig(tt.who)
    170. 

  170. 			if err != nil {
    171. 

  171. 				t.Fatalf("unexpected error: %v", err)
    172. 

  172. 			}
    173. 

  173. 			if gotFailOpen != tt.wantFailOpen {
    174. 

  174. 				t.Errorf("determineRecorderConfig() gotFailOpen = %v, want %v", gotFailOpen, tt.wantFailOpen)
    175. 

  175. 			}
    176. 

  176. 			if !reflect.DeepEqual(gotRecorderAddresses, tt.wantRecorderAddresses) {
    177. 

  177. 				t.Errorf("determineRecorderConfig() gotRecorderAddresses = %v, want %v", gotRecorderAddresses, tt.wantRecorderAddresses)
    178. 

  178. 			}
    179. 

  179. 		})
    180. 

  180. 	}
    181. 

  181. }
    182. 

  182. 

  183. func whoResp(capMap map[string][]string) *apitype.WhoIsResponse {
    184. 

  184. 	resp := &apitype.WhoIsResponse{
    185. 

  185. 		CapMap: tailcfg.PeerCapMap{},
    186. 

  186. 	}
    187. 

  187. 	for cap, rules := range capMap {
    188. 

  188. 		resp.CapMap[tailcfg.PeerCapability(cap)] = raw(rules...)
    189. 

  189. 	}
    190. 

  190. 	return resp
    191. 

  191. }
    192. 

  192. 

  193. func raw(in ...string) []tailcfg.RawMessage {
    194. 

  194. 	var out []tailcfg.RawMessage
    195. 

  195. 	for _, i := range in {
    196. 

  196. 		out = append(out, tailcfg.RawMessage(i))
    197. 

  197. 	}
    198. 

  198. 	return out
    199. 

  199. }
    200.