headscale/integration/ssh_test.go

408 lines
8.8 KiB
Go
Raw Normal View History

2022-10-26 05:31:30 -06:00
package integration
import (
"fmt"
"strings"
2022-10-26 05:31:30 -06:00
"testing"
"time"
2022-10-26 05:31:30 -06:00
"github.com/juanfont/headscale/hscontrol/policy"
2022-11-11 05:20:12 -07:00
"github.com/juanfont/headscale/integration/hsic"
"github.com/juanfont/headscale/integration/tsic"
"github.com/stretchr/testify/assert"
2022-10-26 05:31:30 -06:00
)
var retry = func(times int, sleepInterval time.Duration,
doWork func() (string, string, error),
) (string, string, error) {
var result string
var stderr string
2022-11-11 05:20:12 -07:00
var err error
2022-11-11 05:20:12 -07:00
for attempts := 0; attempts < times; attempts++ {
tempResult, tempStderr, err := doWork()
result += tempResult
stderr += tempStderr
2022-11-11 05:20:12 -07:00
if err == nil {
return result, stderr, nil
}
// If we get a permission denied error, we can fail immediately
// since that is something we wont recover from by retrying.
if err != nil && strings.Contains(stderr, "Permission denied (tailscale)") {
return result, stderr, err
}
2022-11-11 05:20:12 -07:00
time.Sleep(sleepInterval)
}
return result, stderr, err
2022-11-11 05:20:12 -07:00
}
func sshScenario(t *testing.T, policy *policy.ACLPolicy, clientsPerUser int) *Scenario {
t.Helper()
2022-10-26 05:31:30 -06:00
scenario, err := NewScenario()
assertNoErr(t, err)
2022-10-26 05:31:30 -06:00
2022-11-11 05:20:12 -07:00
spec := map[string]int{
"user1": clientsPerUser,
"user2": clientsPerUser,
2022-11-11 05:20:12 -07:00
}
err = scenario.CreateHeadscaleEnv(spec,
[]tsic.Option{
tsic.WithDockerEntrypoint([]string{
"/bin/sh",
"-c",
"/bin/sleep 3 ; apk add openssh ; update-ca-certificates ; tailscaled --tun=tsdev",
}),
tsic.WithDockerWorkdir("/"),
},
hsic.WithACLPolicy(policy),
hsic.WithTestName("ssh"),
hsic.WithConfigEnv(map[string]string{
"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
}),
2022-11-11 05:20:12 -07:00
)
assertNoErr(t, err)
err = scenario.WaitForTailscaleSync()
assertNoErr(t, err)
_, err = scenario.ListTailscaleClientsFQDNs()
assertNoErr(t, err)
return scenario
}
func TestSSHOneUserAllToAll(t *testing.T) {
IntegrationSkip(t)
t.Parallel()
scenario := sshScenario(t,
&policy.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1"},
},
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []policy.SSH{
{
Action: "accept",
Sources: []string{"group:integration-test"},
Destinations: []string{"group:integration-test"},
Users: []string{"ssh-it-user"},
},
},
},
len(MustTestVersions)-2,
)
defer scenario.Shutdown()
allClients, err := scenario.ListTailscaleClients()
assertNoErrListClients(t, err)
2022-10-26 05:31:30 -06:00
err = scenario.WaitForTailscaleSync()
assertNoErrSync(t, err)
2022-10-26 05:31:30 -06:00
_, err = scenario.ListTailscaleClientsFQDNs()
assertNoErrListFQDN(t, err)
2022-10-26 05:31:30 -06:00
for _, client := range allClients {
for _, peer := range allClients {
if client.Hostname() == peer.Hostname() {
continue
2022-10-26 05:31:30 -06:00
}
assertSSHHostname(t, client, peer)
2022-10-26 05:31:30 -06:00
}
}
}
2022-11-11 05:20:12 -07:00
func TestSSHMultipleUsersAllToAll(t *testing.T) {
2022-11-11 05:20:12 -07:00
IntegrationSkip(t)
t.Parallel()
2022-11-11 05:20:12 -07:00
scenario := sshScenario(t,
&policy.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1", "user2"},
},
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
2022-11-11 05:20:12 -07:00
},
},
SSHs: []policy.SSH{
{
Action: "accept",
Sources: []string{"group:integration-test"},
Destinations: []string{"group:integration-test"},
Users: []string{"ssh-it-user"},
2022-11-11 05:20:12 -07:00
},
},
},
len(MustTestVersions)-2,
2022-11-11 05:20:12 -07:00
)
defer scenario.Shutdown()
2022-11-11 05:20:12 -07:00
nsOneClients, err := scenario.ListTailscaleClients("user1")
assertNoErrListClients(t, err)
2022-11-11 05:20:12 -07:00
nsTwoClients, err := scenario.ListTailscaleClients("user2")
assertNoErrListClients(t, err)
2022-11-11 05:20:12 -07:00
err = scenario.WaitForTailscaleSync()
assertNoErrSync(t, err)
2022-11-11 05:20:12 -07:00
_, err = scenario.ListTailscaleClientsFQDNs()
assertNoErrListFQDN(t, err)
2022-11-11 05:20:12 -07:00
testInterUserSSH := func(sourceClients []TailscaleClient, targetClients []TailscaleClient) {
2022-11-11 05:20:12 -07:00
for _, client := range sourceClients {
for _, peer := range targetClients {
assertSSHHostname(t, client, peer)
2022-11-11 05:20:12 -07:00
}
}
}
testInterUserSSH(nsOneClients, nsTwoClients)
testInterUserSSH(nsTwoClients, nsOneClients)
}
func TestSSHNoSSHConfigured(t *testing.T) {
IntegrationSkip(t)
t.Parallel()
scenario := sshScenario(t,
&policy.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1"},
},
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []policy.SSH{},
},
len(MustTestVersions)-2,
2022-11-11 05:20:12 -07:00
)
defer scenario.Shutdown()
allClients, err := scenario.ListTailscaleClients()
assertNoErrListClients(t, err)
err = scenario.WaitForTailscaleSync()
assertNoErrSync(t, err)
_, err = scenario.ListTailscaleClientsFQDNs()
assertNoErrListFQDN(t, err)
for _, client := range allClients {
for _, peer := range allClients {
if client.Hostname() == peer.Hostname() {
continue
}
assertSSHPermissionDenied(t, client, peer)
}
}
2022-11-11 05:20:12 -07:00
}
func TestSSHIsBlockedInACL(t *testing.T) {
IntegrationSkip(t)
t.Parallel()
2022-11-11 05:20:12 -07:00
scenario := sshScenario(t,
&policy.ACLPolicy{
Groups: map[string][]string{
"group:integration-test": {"user1"},
},
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:80"},
},
},
SSHs: []policy.SSH{
{
Action: "accept",
Sources: []string{"group:integration-test"},
Destinations: []string{"group:integration-test"},
Users: []string{"ssh-it-user"},
},
},
},
len(MustTestVersions)-2,
)
defer scenario.Shutdown()
allClients, err := scenario.ListTailscaleClients()
assertNoErrListClients(t, err)
2022-11-11 05:20:12 -07:00
err = scenario.WaitForTailscaleSync()
assertNoErrSync(t, err)
2022-11-11 05:20:12 -07:00
_, err = scenario.ListTailscaleClientsFQDNs()
assertNoErrListFQDN(t, err)
for _, client := range allClients {
for _, peer := range allClients {
if client.Hostname() == peer.Hostname() {
continue
2022-11-11 05:20:12 -07:00
}
assertSSHTimeout(t, client, peer)
}
}
}
func TestSSUserOnlyIsolation(t *testing.T) {
IntegrationSkip(t)
t.Parallel()
scenario := sshScenario(t,
&policy.ACLPolicy{
Groups: map[string][]string{
"group:ssh1": {"user1"},
"group:ssh2": {"user2"},
},
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"*:*"},
},
},
SSHs: []policy.SSH{
{
Action: "accept",
Sources: []string{"group:ssh1"},
Destinations: []string{"group:ssh1"},
Users: []string{"ssh-it-user"},
},
{
Action: "accept",
Sources: []string{"group:ssh2"},
Destinations: []string{"group:ssh2"},
Users: []string{"ssh-it-user"},
},
},
},
len(MustTestVersions)-2,
)
defer scenario.Shutdown()
2022-11-11 05:20:12 -07:00
ssh1Clients, err := scenario.ListTailscaleClients("user1")
assertNoErrListClients(t, err)
ssh2Clients, err := scenario.ListTailscaleClients("user2")
assertNoErrListClients(t, err)
err = scenario.WaitForTailscaleSync()
assertNoErrSync(t, err)
_, err = scenario.ListTailscaleClientsFQDNs()
assertNoErrListFQDN(t, err)
for _, client := range ssh1Clients {
for _, peer := range ssh2Clients {
if client.Hostname() == peer.Hostname() {
continue
}
assertSSHPermissionDenied(t, client, peer)
}
}
for _, client := range ssh2Clients {
for _, peer := range ssh1Clients {
if client.Hostname() == peer.Hostname() {
continue
}
assertSSHPermissionDenied(t, client, peer)
}
}
for _, client := range ssh1Clients {
for _, peer := range ssh1Clients {
if client.Hostname() == peer.Hostname() {
continue
2022-11-11 05:20:12 -07:00
}
assertSSHHostname(t, client, peer)
}
}
for _, client := range ssh2Clients {
for _, peer := range ssh2Clients {
if client.Hostname() == peer.Hostname() {
continue
2022-11-11 05:20:12 -07:00
}
assertSSHHostname(t, client, peer)
}
}
}
func doSSH(t *testing.T, client TailscaleClient, peer TailscaleClient) (string, string, error) {
t.Helper()
peerFQDN, _ := peer.FQDN()
command := []string{
"ssh", "-o StrictHostKeyChecking=no", "-o ConnectTimeout=1",
fmt.Sprintf("%s@%s", "ssh-it-user", peerFQDN),
"'hostname'",
}
return retry(10, 1*time.Second, func() (string, string, error) {
return client.Execute(command)
})
}
func assertSSHHostname(t *testing.T, client TailscaleClient, peer TailscaleClient) {
t.Helper()
result, _, err := doSSH(t, client, peer)
assertNoErr(t, err)
assert.Contains(t, peer.ID(), strings.ReplaceAll(result, "\n", ""))
}
func assertSSHPermissionDenied(t *testing.T, client TailscaleClient, peer TailscaleClient) {
t.Helper()
result, stderr, err := doSSH(t, client, peer)
assert.Error(t, err)
assert.Empty(t, result)
assert.Contains(t, stderr, "Permission denied (tailscale)")
}
func assertSSHTimeout(t *testing.T, client TailscaleClient, peer TailscaleClient) {
t.Helper()
result, stderr, err := doSSH(t, client, peer)
assertNoErr(t, err)
assert.Empty(t, result)
assert.Contains(t, stderr, "Connection timed out")
2022-11-11 05:20:12 -07:00
}