2023-01-27 13:37:20 -08:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2022-02-18 14:10:26 -08:00
|
|
|
|
2022-02-24 12:27:42 -08:00
|
|
|
//go:build linux || darwin
|
2022-02-18 14:10:26 -08:00
|
|
|
|
|
|
|
|
package tailssh
|
|
|
|
|
|
|
|
|
|
import (
|
2022-02-24 14:35:40 -08:00
|
|
|
"bytes"
|
2023-03-24 13:50:33 -07:00
|
|
|
"context"
|
2025-02-10 11:43:08 -06:00
|
|
|
"crypto/ecdsa"
|
2022-10-08 17:54:53 -07:00
|
|
|
"crypto/ed25519"
|
2025-02-10 11:43:08 -06:00
|
|
|
"crypto/elliptic"
|
2022-10-08 17:54:53 -07:00
|
|
|
"crypto/rand"
|
|
|
|
|
"encoding/json"
|
2022-02-24 13:31:54 -08:00
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
2022-04-16 21:49:22 -07:00
|
|
|
"io"
|
2022-02-24 13:31:54 -08:00
|
|
|
"net"
|
2022-04-16 21:49:22 -07:00
|
|
|
"net/http"
|
|
|
|
|
"net/http/httptest"
|
2022-07-25 20:55:44 -07:00
|
|
|
"net/netip"
|
2022-02-24 14:35:40 -08:00
|
|
|
"os"
|
2022-02-24 13:31:54 -08:00
|
|
|
"os/exec"
|
|
|
|
|
"os/user"
|
2022-04-16 21:49:22 -07:00
|
|
|
"reflect"
|
2022-10-08 17:54:53 -07:00
|
|
|
"runtime"
|
2024-09-30 21:47:45 -06:00
|
|
|
"slices"
|
2023-06-21 19:57:45 -07:00
|
|
|
"strconv"
|
2022-02-24 14:35:40 -08:00
|
|
|
"strings"
|
2022-10-08 17:54:53 -07:00
|
|
|
"sync"
|
2022-04-16 21:49:22 -07:00
|
|
|
"sync/atomic"
|
2022-02-18 14:10:26 -08:00
|
|
|
"testing"
|
|
|
|
|
"time"
|
|
|
|
|
|
2025-01-31 12:19:22 -06:00
|
|
|
gossh "golang.org/x/crypto/ssh"
|
2024-11-18 09:55:54 -08:00
|
|
|
"golang.org/x/net/http2"
|
|
|
|
|
"golang.org/x/net/http2/h2c"
|
2022-02-24 13:31:54 -08:00
|
|
|
"tailscale.com/ipn/ipnlocal"
|
2022-02-28 13:08:45 -08:00
|
|
|
"tailscale.com/ipn/store/mem"
|
2023-01-30 10:53:58 -08:00
|
|
|
"tailscale.com/net/memnet"
|
2022-02-24 13:31:54 -08:00
|
|
|
"tailscale.com/net/tsdial"
|
2024-07-29 15:57:11 +03:00
|
|
|
"tailscale.com/sessionrecording"
|
2022-02-18 14:10:26 -08:00
|
|
|
"tailscale.com/tailcfg"
|
2022-03-25 15:35:36 -07:00
|
|
|
"tailscale.com/tempfork/gliderlabs/ssh"
|
2025-02-10 11:43:08 -06:00
|
|
|
testssh "tailscale.com/tempfork/sshtest/ssh"
|
2023-05-03 13:57:17 -07:00
|
|
|
"tailscale.com/tsd"
|
2022-04-16 21:49:22 -07:00
|
|
|
"tailscale.com/tstest"
|
2023-05-04 19:49:32 -07:00
|
|
|
"tailscale.com/types/key"
|
2023-03-23 10:49:56 -07:00
|
|
|
"tailscale.com/types/logid"
|
2022-10-08 17:54:53 -07:00
|
|
|
"tailscale.com/types/netmap"
|
2024-05-03 06:22:29 -07:00
|
|
|
"tailscale.com/types/ptr"
|
2022-03-18 14:46:38 -07:00
|
|
|
"tailscale.com/util/cibuild"
|
2024-11-04 20:49:40 -08:00
|
|
|
"tailscale.com/util/lineiter"
|
2022-10-08 17:54:53 -07:00
|
|
|
"tailscale.com/util/must"
|
2022-12-14 14:20:50 -08:00
|
|
|
"tailscale.com/version/distro"
|
2022-02-24 13:31:54 -08:00
|
|
|
"tailscale.com/wgengine"
|
2022-02-18 14:10:26 -08:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestMatchRule(t *testing.T) {
|
|
|
|
|
someAction := new(tailcfg.SSHAction)
|
|
|
|
|
tests := []struct {
|
2024-09-30 21:47:45 -06:00
|
|
|
name string
|
|
|
|
|
rule *tailcfg.SSHRule
|
|
|
|
|
ci *sshConnInfo
|
|
|
|
|
wantErr error
|
|
|
|
|
wantUser string
|
|
|
|
|
wantAcceptEnv []string
|
2022-02-18 14:10:26 -08:00
|
|
|
}{
|
2022-07-21 08:46:55 -07:00
|
|
|
{
|
|
|
|
|
name: "invalid-conn",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"*": "ubuntu",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
wantErr: errInvalidConn,
|
|
|
|
|
},
|
2022-02-18 14:10:26 -08:00
|
|
|
{
|
|
|
|
|
name: "nil-rule",
|
2022-07-21 08:46:55 -07:00
|
|
|
ci: &sshConnInfo{},
|
2022-02-18 14:10:26 -08:00
|
|
|
rule: nil,
|
|
|
|
|
wantErr: errNilRule,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "nil-action",
|
2022-07-21 08:46:55 -07:00
|
|
|
ci: &sshConnInfo{},
|
2022-02-18 14:10:26 -08:00
|
|
|
rule: &tailcfg.SSHRule{},
|
|
|
|
|
wantErr: errNilAction,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "expired",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
2024-05-03 06:22:29 -07:00
|
|
|
RuleExpires: ptr.To(time.Unix(100, 0)),
|
2022-02-18 14:10:26 -08:00
|
|
|
},
|
2022-04-20 17:36:19 -07:00
|
|
|
ci: &sshConnInfo{},
|
2022-02-18 14:10:26 -08:00
|
|
|
wantErr: errRuleExpired,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "no-principal",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
2022-04-01 12:57:12 -07:00
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"*": "ubuntu",
|
|
|
|
|
}},
|
|
|
|
|
ci: &sshConnInfo{},
|
2022-02-18 14:10:26 -08:00
|
|
|
wantErr: errPrincipalMatch,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "no-user-match",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
},
|
2022-02-24 08:58:53 -08:00
|
|
|
ci: &sshConnInfo{sshUser: "alice"},
|
2022-02-18 14:10:26 -08:00
|
|
|
wantErr: errUserMatch,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "ok-wildcard",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"*": "ubuntu",
|
|
|
|
|
},
|
|
|
|
|
},
|
2022-02-24 08:58:53 -08:00
|
|
|
ci: &sshConnInfo{sshUser: "alice"},
|
2022-02-18 14:10:26 -08:00
|
|
|
wantUser: "ubuntu",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "ok-wildcard-and-nil-principal",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{
|
|
|
|
|
nil, // don't crash on this
|
|
|
|
|
{Any: true},
|
|
|
|
|
},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"*": "ubuntu",
|
|
|
|
|
},
|
|
|
|
|
},
|
2022-02-24 08:58:53 -08:00
|
|
|
ci: &sshConnInfo{sshUser: "alice"},
|
2022-02-18 14:10:26 -08:00
|
|
|
wantUser: "ubuntu",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "ok-exact",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"*": "ubuntu",
|
|
|
|
|
"alice": "thealice",
|
|
|
|
|
},
|
|
|
|
|
},
|
2022-02-24 08:58:53 -08:00
|
|
|
ci: &sshConnInfo{sshUser: "alice"},
|
2022-02-18 14:10:26 -08:00
|
|
|
wantUser: "thealice",
|
|
|
|
|
},
|
2024-09-30 21:47:45 -06:00
|
|
|
{
|
|
|
|
|
name: "ok-with-accept-env",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"*": "ubuntu",
|
|
|
|
|
"alice": "thealice",
|
|
|
|
|
},
|
|
|
|
|
AcceptEnv: []string{"EXAMPLE", "?_?", "TEST_*"},
|
|
|
|
|
},
|
|
|
|
|
ci: &sshConnInfo{sshUser: "alice"},
|
|
|
|
|
wantUser: "thealice",
|
|
|
|
|
wantAcceptEnv: []string{"EXAMPLE", "?_?", "TEST_*"},
|
|
|
|
|
},
|
2022-02-18 14:10:26 -08:00
|
|
|
{
|
|
|
|
|
name: "no-users-for-reject",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
Action: &tailcfg.SSHAction{Reject: true},
|
|
|
|
|
},
|
2022-02-24 08:58:53 -08:00
|
|
|
ci: &sshConnInfo{sshUser: "alice"},
|
2022-02-18 14:10:26 -08:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "match-principal-node-ip",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{NodeIP: "1.2.3.4"}},
|
|
|
|
|
SSHUsers: map[string]string{"*": "ubuntu"},
|
|
|
|
|
},
|
2022-07-25 20:55:44 -07:00
|
|
|
ci: &sshConnInfo{src: netip.MustParseAddrPort("1.2.3.4:30343")},
|
2022-02-18 14:10:26 -08:00
|
|
|
wantUser: "ubuntu",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "match-principal-node-id",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Node: "some-node-ID"}},
|
|
|
|
|
SSHUsers: map[string]string{"*": "ubuntu"},
|
|
|
|
|
},
|
2023-08-18 07:57:44 -07:00
|
|
|
ci: &sshConnInfo{node: (&tailcfg.Node{StableID: "some-node-ID"}).View()},
|
2022-02-18 14:10:26 -08:00
|
|
|
wantUser: "ubuntu",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "match-principal-userlogin",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{UserLogin: "foo@bar.com"}},
|
|
|
|
|
SSHUsers: map[string]string{"*": "ubuntu"},
|
|
|
|
|
},
|
2022-10-08 17:54:53 -07:00
|
|
|
ci: &sshConnInfo{uprof: tailcfg.UserProfile{LoginName: "foo@bar.com"}},
|
2022-02-18 14:10:26 -08:00
|
|
|
wantUser: "ubuntu",
|
|
|
|
|
},
|
2022-03-21 10:39:54 -07:00
|
|
|
{
|
|
|
|
|
name: "ssh-user-equal",
|
|
|
|
|
rule: &tailcfg.SSHRule{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"*": "=",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
ci: &sshConnInfo{sshUser: "alice"},
|
|
|
|
|
wantUser: "alice",
|
|
|
|
|
},
|
2022-02-18 14:10:26 -08:00
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
2022-04-20 17:36:19 -07:00
|
|
|
c := &conn{
|
|
|
|
|
info: tt.ci,
|
ssh/tailssh: fix data race during execution of test
In tailssh.go:1284, (*sshSession).startNewRecording starts a fire-and-forget goroutine that can
outlive the test that triggered its creation. Among other things, it uses ss.logf, and may call it
after the test has already returned. Since we typically use (*testing.T).Logf as the logger,
this results in a data race and causes flaky tests.
Ideally, we should fix the root cause and/or use a goroutines.Tracker to wait for the goroutine
to complete. But with the release approaching, it's too risky to make such changes now.
As a workaround, we update the tests to use tstest.WhileTestRunningLogger, which logs to t.Logf
while the test is running and disables logging once the test finishes, avoiding the race.
While there, we also fix TestSSHAuthFlow not to use log.Printf.
Updates #15568
Updates #7707 (probably related)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 23:12:00 -05:00
|
|
|
srv: &server{logf: tstest.WhileTestRunningLogger(t)},
|
2022-04-20 17:36:19 -07:00
|
|
|
}
|
2024-12-12 09:38:07 -08:00
|
|
|
got, gotUser, gotAcceptEnv, err := c.matchRule(tt.rule)
|
2022-02-18 14:10:26 -08:00
|
|
|
if err != tt.wantErr {
|
|
|
|
|
t.Errorf("err = %v; want %v", err, tt.wantErr)
|
|
|
|
|
}
|
|
|
|
|
if gotUser != tt.wantUser {
|
|
|
|
|
t.Errorf("user = %q; want %q", gotUser, tt.wantUser)
|
|
|
|
|
}
|
|
|
|
|
if err == nil && got == nil {
|
|
|
|
|
t.Errorf("expected non-nil action on success")
|
|
|
|
|
}
|
2024-09-30 21:47:45 -06:00
|
|
|
if !slices.Equal(gotAcceptEnv, tt.wantAcceptEnv) {
|
|
|
|
|
t.Errorf("acceptEnv = %v; want %v", gotAcceptEnv, tt.wantAcceptEnv)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestEvalSSHPolicy(t *testing.T) {
|
|
|
|
|
someAction := new(tailcfg.SSHAction)
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
policy *tailcfg.SSHPolicy
|
|
|
|
|
ci *sshConnInfo
|
2025-05-29 09:11:31 -05:00
|
|
|
wantResult evalResult
|
2024-09-30 21:47:45 -06:00
|
|
|
wantUser string
|
|
|
|
|
wantAcceptEnv []string
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "multiple-matches-picks-first-match",
|
|
|
|
|
policy: &tailcfg.SSHPolicy{
|
|
|
|
|
Rules: []*tailcfg.SSHRule{
|
|
|
|
|
{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"other": "other1",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"*": "ubuntu",
|
|
|
|
|
"alice": "thealice",
|
|
|
|
|
},
|
|
|
|
|
AcceptEnv: []string{"EXAMPLE", "?_?", "TEST_*"},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"other2": "other3",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"*": "ubuntu",
|
|
|
|
|
"alice": "thealice",
|
|
|
|
|
"mark": "markthe",
|
|
|
|
|
},
|
|
|
|
|
AcceptEnv: []string{"*"},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
ci: &sshConnInfo{sshUser: "alice"},
|
|
|
|
|
wantUser: "thealice",
|
|
|
|
|
wantAcceptEnv: []string{"EXAMPLE", "?_?", "TEST_*"},
|
2025-05-29 09:11:31 -05:00
|
|
|
wantResult: accepted,
|
2024-09-30 21:47:45 -06:00
|
|
|
},
|
|
|
|
|
{
|
2025-05-29 09:11:31 -05:00
|
|
|
name: "no-matches-returns-rejected",
|
|
|
|
|
policy: &tailcfg.SSHPolicy{
|
|
|
|
|
Rules: []*tailcfg.SSHRule{},
|
|
|
|
|
},
|
|
|
|
|
ci: &sshConnInfo{sshUser: "alice"},
|
|
|
|
|
wantUser: "",
|
|
|
|
|
wantAcceptEnv: nil,
|
|
|
|
|
wantResult: rejected,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "no-user-matches-returns-rejected-user",
|
2024-09-30 21:47:45 -06:00
|
|
|
policy: &tailcfg.SSHPolicy{
|
|
|
|
|
Rules: []*tailcfg.SSHRule{
|
|
|
|
|
{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"other": "other1",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"fedora": "ubuntu",
|
|
|
|
|
},
|
|
|
|
|
AcceptEnv: []string{"EXAMPLE", "?_?", "TEST_*"},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"other2": "other3",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Action: someAction,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
|
|
|
|
SSHUsers: map[string]string{
|
|
|
|
|
"mark": "markthe",
|
|
|
|
|
},
|
|
|
|
|
AcceptEnv: []string{"*"},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
ci: &sshConnInfo{sshUser: "alice"},
|
|
|
|
|
wantUser: "",
|
|
|
|
|
wantAcceptEnv: nil,
|
2025-05-29 09:11:31 -05:00
|
|
|
wantResult: rejectedUser,
|
2024-09-30 21:47:45 -06:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
c := &conn{
|
|
|
|
|
info: tt.ci,
|
ssh/tailssh: fix data race during execution of test
In tailssh.go:1284, (*sshSession).startNewRecording starts a fire-and-forget goroutine that can
outlive the test that triggered its creation. Among other things, it uses ss.logf, and may call it
after the test has already returned. Since we typically use (*testing.T).Logf as the logger,
this results in a data race and causes flaky tests.
Ideally, we should fix the root cause and/or use a goroutines.Tracker to wait for the goroutine
to complete. But with the release approaching, it's too risky to make such changes now.
As a workaround, we update the tests to use tstest.WhileTestRunningLogger, which logs to t.Logf
while the test is running and disables logging once the test finishes, avoiding the race.
While there, we also fix TestSSHAuthFlow not to use log.Printf.
Updates #15568
Updates #7707 (probably related)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 23:12:00 -05:00
|
|
|
srv: &server{logf: tstest.WhileTestRunningLogger(t)},
|
2024-09-30 21:47:45 -06:00
|
|
|
}
|
2025-05-29 09:11:31 -05:00
|
|
|
got, gotUser, gotAcceptEnv, result := c.evalSSHPolicy(tt.policy)
|
|
|
|
|
if result != tt.wantResult {
|
|
|
|
|
t.Errorf("result = %v; want %v", result, tt.wantResult)
|
2024-09-30 21:47:45 -06:00
|
|
|
}
|
|
|
|
|
if gotUser != tt.wantUser {
|
|
|
|
|
t.Errorf("user = %q; want %q", gotUser, tt.wantUser)
|
|
|
|
|
}
|
2025-05-29 09:11:31 -05:00
|
|
|
if tt.wantResult == accepted && got == nil {
|
2024-09-30 21:47:45 -06:00
|
|
|
t.Errorf("expected non-nil action on success")
|
|
|
|
|
}
|
|
|
|
|
if !slices.Equal(gotAcceptEnv, tt.wantAcceptEnv) {
|
|
|
|
|
t.Errorf("acceptEnv = %v; want %v", gotAcceptEnv, tt.wantAcceptEnv)
|
|
|
|
|
}
|
2022-02-18 14:10:26 -08:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-08 17:54:53 -07:00
|
|
|
// localState implements ipnLocalBackend for testing.
|
|
|
|
|
type localState struct {
|
|
|
|
|
sshEnabled bool
|
|
|
|
|
matchingRule *tailcfg.SSHRule
|
|
|
|
|
|
|
|
|
|
// serverActions is a map of the action name to the action.
|
|
|
|
|
// It is served for paths like https://unused/ssh-action/<action-name>.
|
|
|
|
|
// The action name is the last part of the action URL.
|
|
|
|
|
serverActions map[string]*tailcfg.SSHAction
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
currentUser = os.Getenv("USER") // Use the current user for the test.
|
|
|
|
|
testSigner gossh.Signer
|
|
|
|
|
testSignerOnce sync.Once
|
|
|
|
|
)
|
|
|
|
|
|
2023-03-23 14:47:04 -07:00
|
|
|
func (ts *localState) Dialer() *tsdial.Dialer {
|
2023-04-19 21:33:33 -07:00
|
|
|
return &tsdial.Dialer{}
|
2023-03-23 14:47:04 -07:00
|
|
|
}
|
|
|
|
|
|
2022-10-08 17:54:53 -07:00
|
|
|
func (ts *localState) GetSSH_HostKeys() ([]gossh.Signer, error) {
|
|
|
|
|
testSignerOnce.Do(func() {
|
|
|
|
|
_, priv, err := ed25519.GenerateKey(rand.Reader)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
s, err := gossh.NewSignerFromSigner(priv)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
testSigner = s
|
|
|
|
|
})
|
|
|
|
|
return []gossh.Signer{testSigner}, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (ts *localState) ShouldRunSSH() bool {
|
|
|
|
|
return ts.sshEnabled
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (ts *localState) NetMap() *netmap.NetworkMap {
|
|
|
|
|
var policy *tailcfg.SSHPolicy
|
|
|
|
|
if ts.matchingRule != nil {
|
|
|
|
|
policy = &tailcfg.SSHPolicy{
|
|
|
|
|
Rules: []*tailcfg.SSHRule{
|
|
|
|
|
ts.matchingRule,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &netmap.NetworkMap{
|
2023-08-21 10:53:57 -07:00
|
|
|
SelfNode: (&tailcfg.Node{
|
2022-10-08 17:54:53 -07:00
|
|
|
ID: 1,
|
2023-08-21 10:53:57 -07:00
|
|
|
}).View(),
|
2022-10-08 17:54:53 -07:00
|
|
|
SSHPolicy: policy,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-06 14:48:40 -04:00
|
|
|
func (ts *localState) WhoIs(proto string, ipp netip.AddrPort) (n tailcfg.NodeView, u tailcfg.UserProfile, ok bool) {
|
|
|
|
|
if proto != "tcp" {
|
|
|
|
|
return tailcfg.NodeView{}, tailcfg.UserProfile{}, false
|
|
|
|
|
}
|
|
|
|
|
|
2023-08-18 07:57:44 -07:00
|
|
|
return (&tailcfg.Node{
|
2022-10-08 17:54:53 -07:00
|
|
|
ID: 2,
|
|
|
|
|
StableID: "peer-id",
|
2023-08-18 07:57:44 -07:00
|
|
|
}).View(), tailcfg.UserProfile{
|
2022-10-08 17:54:53 -07:00
|
|
|
LoginName: "peer",
|
|
|
|
|
}, true
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (ts *localState) DoNoiseRequest(req *http.Request) (*http.Response, error) {
|
|
|
|
|
rec := httptest.NewRecorder()
|
2023-02-01 13:43:06 -08:00
|
|
|
k, ok := strings.CutPrefix(req.URL.Path, "/ssh-action/")
|
2022-10-08 17:54:53 -07:00
|
|
|
if !ok {
|
|
|
|
|
rec.WriteHeader(http.StatusNotFound)
|
|
|
|
|
}
|
|
|
|
|
a, ok := ts.serverActions[k]
|
|
|
|
|
if !ok {
|
|
|
|
|
rec.WriteHeader(http.StatusNotFound)
|
|
|
|
|
return rec.Result(), nil
|
|
|
|
|
}
|
|
|
|
|
rec.WriteHeader(http.StatusOK)
|
|
|
|
|
if err := json.NewEncoder(rec).Encode(a); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return rec.Result(), nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (ts *localState) TailscaleVarRoot() string {
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-04 19:49:32 -07:00
|
|
|
func (ts *localState) NodeKey() key.NodePublic {
|
|
|
|
|
return key.NewNode().Public()
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-08 17:54:53 -07:00
|
|
|
func newSSHRule(action *tailcfg.SSHAction) *tailcfg.SSHRule {
|
|
|
|
|
return &tailcfg.SSHRule{
|
|
|
|
|
SSHUsers: map[string]string{
|
2025-05-29 09:11:31 -05:00
|
|
|
"alice": currentUser,
|
2022-10-08 17:54:53 -07:00
|
|
|
},
|
|
|
|
|
Action: action,
|
|
|
|
|
Principals: []*tailcfg.SSHPrincipal{
|
|
|
|
|
{
|
|
|
|
|
Any: true,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-25 10:19:51 -07:00
|
|
|
func TestSSHRecordingCancelsSessionsOnUploadFailure(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" && runtime.GOOS != "darwin" {
|
|
|
|
|
t.Skipf("skipping on %q; only runs on linux and darwin", runtime.GOOS)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var handler http.HandlerFunc
|
2024-11-18 09:55:54 -08:00
|
|
|
recordingServer := mockRecordingServer(t, func(w http.ResponseWriter, r *http.Request) {
|
2023-03-25 10:19:51 -07:00
|
|
|
handler(w, r)
|
2024-11-18 09:55:54 -08:00
|
|
|
})
|
2023-03-25 10:19:51 -07:00
|
|
|
|
|
|
|
|
s := &server{
|
ssh/tailssh: fix data race during execution of test
In tailssh.go:1284, (*sshSession).startNewRecording starts a fire-and-forget goroutine that can
outlive the test that triggered its creation. Among other things, it uses ss.logf, and may call it
after the test has already returned. Since we typically use (*testing.T).Logf as the logger,
this results in a data race and causes flaky tests.
Ideally, we should fix the root cause and/or use a goroutines.Tracker to wait for the goroutine
to complete. But with the release approaching, it's too risky to make such changes now.
As a workaround, we update the tests to use tstest.WhileTestRunningLogger, which logs to t.Logf
while the test is running and disables logging once the test finishes, avoiding the race.
While there, we also fix TestSSHAuthFlow not to use log.Printf.
Updates #15568
Updates #7707 (probably related)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 23:12:00 -05:00
|
|
|
logf: tstest.WhileTestRunningLogger(t),
|
2023-03-25 10:19:51 -07:00
|
|
|
lb: &localState{
|
|
|
|
|
sshEnabled: true,
|
|
|
|
|
matchingRule: newSSHRule(
|
|
|
|
|
&tailcfg.SSHAction{
|
|
|
|
|
Accept: true,
|
|
|
|
|
Recorders: []netip.AddrPort{
|
|
|
|
|
netip.MustParseAddrPort(recordingServer.Listener.Addr().String()),
|
|
|
|
|
},
|
2023-04-19 21:33:33 -07:00
|
|
|
OnRecordingFailure: &tailcfg.SSHRecorderFailureAction{
|
|
|
|
|
RejectSessionWithMessage: "session rejected",
|
|
|
|
|
TerminateSessionWithMessage: "session terminated",
|
|
|
|
|
},
|
2023-03-25 10:19:51 -07:00
|
|
|
},
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
defer s.Shutdown()
|
|
|
|
|
|
|
|
|
|
const sshUser = "alice"
|
2025-02-10 11:43:08 -06:00
|
|
|
cfg := &testssh.ClientConfig{
|
2023-03-25 10:19:51 -07:00
|
|
|
User: sshUser,
|
2025-02-10 11:43:08 -06:00
|
|
|
HostKeyCallback: testssh.InsecureIgnoreHostKey(),
|
2023-03-25 10:19:51 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
handler func(w http.ResponseWriter, r *http.Request)
|
|
|
|
|
sshCommand string
|
|
|
|
|
wantClientOutput string
|
2023-04-05 08:35:02 -07:00
|
|
|
|
|
|
|
|
clientOutputMustNotContain []string
|
2023-03-25 10:19:51 -07:00
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "upload-denied",
|
|
|
|
|
handler: func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
w.WriteHeader(http.StatusForbidden)
|
|
|
|
|
},
|
|
|
|
|
sshCommand: "echo hello",
|
2023-04-19 21:33:33 -07:00
|
|
|
wantClientOutput: "session rejected\r\n",
|
2023-04-05 08:35:02 -07:00
|
|
|
|
|
|
|
|
clientOutputMustNotContain: []string{"hello"},
|
2023-03-25 10:19:51 -07:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "upload-fails-after-starting",
|
|
|
|
|
handler: func(w http.ResponseWriter, r *http.Request) {
|
2024-11-18 09:55:54 -08:00
|
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
|
w.(http.Flusher).Flush()
|
2023-03-25 10:19:51 -07:00
|
|
|
r.Body.Read(make([]byte, 1))
|
|
|
|
|
time.Sleep(100 * time.Millisecond)
|
|
|
|
|
},
|
|
|
|
|
sshCommand: "echo hello && sleep 1 && echo world",
|
2023-04-19 21:33:33 -07:00
|
|
|
wantClientOutput: "\r\n\r\nsession terminated\r\n\r\n",
|
2023-04-05 08:35:02 -07:00
|
|
|
|
|
|
|
|
clientOutputMustNotContain: []string{"world"},
|
2023-03-25 10:19:51 -07:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
src, dst := must.Get(netip.ParseAddrPort("100.100.100.101:2231")), must.Get(netip.ParseAddrPort("100.100.100.102:22"))
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
ssh/tailssh: fix data race during execution of test
In tailssh.go:1284, (*sshSession).startNewRecording starts a fire-and-forget goroutine that can
outlive the test that triggered its creation. Among other things, it uses ss.logf, and may call it
after the test has already returned. Since we typically use (*testing.T).Logf as the logger,
this results in a data race and causes flaky tests.
Ideally, we should fix the root cause and/or use a goroutines.Tracker to wait for the goroutine
to complete. But with the release approaching, it's too risky to make such changes now.
As a workaround, we update the tests to use tstest.WhileTestRunningLogger, which logs to t.Logf
while the test is running and disables logging once the test finishes, avoiding the race.
While there, we also fix TestSSHAuthFlow not to use log.Printf.
Updates #15568
Updates #7707 (probably related)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 23:12:00 -05:00
|
|
|
s.logf = tstest.WhileTestRunningLogger(t)
|
2023-03-25 10:19:51 -07:00
|
|
|
tstest.Replace(t, &handler, tt.handler)
|
|
|
|
|
sc, dc := memnet.NewTCPConn(src, dst, 1024)
|
|
|
|
|
var wg sync.WaitGroup
|
|
|
|
|
wg.Add(1)
|
|
|
|
|
go func() {
|
|
|
|
|
defer wg.Done()
|
2025-02-10 11:43:08 -06:00
|
|
|
c, chans, reqs, err := testssh.NewClientConn(sc, sc.RemoteAddr().String(), cfg)
|
2023-03-25 10:19:51 -07:00
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("client: %v", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
2025-02-10 11:43:08 -06:00
|
|
|
client := testssh.NewClient(c, chans, reqs)
|
2023-03-25 10:19:51 -07:00
|
|
|
defer client.Close()
|
|
|
|
|
session, err := client.NewSession()
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("client: %v", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
defer session.Close()
|
|
|
|
|
t.Logf("client established session")
|
|
|
|
|
got, err := session.CombinedOutput(tt.sshCommand)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Logf("client got: %q: %v", got, err)
|
|
|
|
|
} else {
|
|
|
|
|
t.Errorf("client did not get kicked out: %q", got)
|
|
|
|
|
}
|
2023-04-05 08:35:02 -07:00
|
|
|
gotStr := string(got)
|
|
|
|
|
if !strings.HasSuffix(gotStr, tt.wantClientOutput) {
|
2023-03-25 10:19:51 -07:00
|
|
|
t.Errorf("client got %q, want %q", got, tt.wantClientOutput)
|
|
|
|
|
}
|
2023-04-05 08:35:02 -07:00
|
|
|
for _, x := range tt.clientOutputMustNotContain {
|
|
|
|
|
if strings.Contains(gotStr, x) {
|
|
|
|
|
t.Errorf("client output must not contain %q", x)
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-03-25 10:19:51 -07:00
|
|
|
}()
|
|
|
|
|
if err := s.HandleSSHConn(dc); err != nil {
|
|
|
|
|
t.Errorf("unexpected error: %v", err)
|
|
|
|
|
}
|
|
|
|
|
wg.Wait()
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-19 21:33:33 -07:00
|
|
|
func TestMultipleRecorders(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" && runtime.GOOS != "darwin" {
|
|
|
|
|
t.Skipf("skipping on %q; only runs on linux and darwin", runtime.GOOS)
|
|
|
|
|
}
|
|
|
|
|
done := make(chan struct{})
|
2024-11-18 09:55:54 -08:00
|
|
|
recordingServer := mockRecordingServer(t, func(w http.ResponseWriter, r *http.Request) {
|
2023-04-19 21:33:33 -07:00
|
|
|
defer close(done)
|
|
|
|
|
w.WriteHeader(http.StatusOK)
|
2024-11-18 09:55:54 -08:00
|
|
|
w.(http.Flusher).Flush()
|
|
|
|
|
io.ReadAll(r.Body)
|
|
|
|
|
})
|
2023-04-19 21:33:33 -07:00
|
|
|
badRecorder, err := net.Listen("tcp", ":0")
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
badRecorderAddr := badRecorder.Addr().String()
|
|
|
|
|
badRecorder.Close()
|
|
|
|
|
|
2024-11-18 09:55:54 -08:00
|
|
|
badRecordingServer500 := mockRecordingServer(t, func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
|
|
|
})
|
2023-04-19 21:33:33 -07:00
|
|
|
|
|
|
|
|
s := &server{
|
ssh/tailssh: fix data race during execution of test
In tailssh.go:1284, (*sshSession).startNewRecording starts a fire-and-forget goroutine that can
outlive the test that triggered its creation. Among other things, it uses ss.logf, and may call it
after the test has already returned. Since we typically use (*testing.T).Logf as the logger,
this results in a data race and causes flaky tests.
Ideally, we should fix the root cause and/or use a goroutines.Tracker to wait for the goroutine
to complete. But with the release approaching, it's too risky to make such changes now.
As a workaround, we update the tests to use tstest.WhileTestRunningLogger, which logs to t.Logf
while the test is running and disables logging once the test finishes, avoiding the race.
While there, we also fix TestSSHAuthFlow not to use log.Printf.
Updates #15568
Updates #7707 (probably related)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 23:12:00 -05:00
|
|
|
logf: tstest.WhileTestRunningLogger(t),
|
2023-04-19 21:33:33 -07:00
|
|
|
lb: &localState{
|
|
|
|
|
sshEnabled: true,
|
|
|
|
|
matchingRule: newSSHRule(
|
|
|
|
|
&tailcfg.SSHAction{
|
|
|
|
|
Accept: true,
|
|
|
|
|
Recorders: []netip.AddrPort{
|
|
|
|
|
netip.MustParseAddrPort(badRecorderAddr),
|
|
|
|
|
netip.MustParseAddrPort(badRecordingServer500.Listener.Addr().String()),
|
|
|
|
|
netip.MustParseAddrPort(recordingServer.Listener.Addr().String()),
|
|
|
|
|
},
|
|
|
|
|
OnRecordingFailure: &tailcfg.SSHRecorderFailureAction{
|
|
|
|
|
RejectSessionWithMessage: "session rejected",
|
|
|
|
|
TerminateSessionWithMessage: "session terminated",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
),
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
defer s.Shutdown()
|
|
|
|
|
|
|
|
|
|
src, dst := must.Get(netip.ParseAddrPort("100.100.100.101:2231")), must.Get(netip.ParseAddrPort("100.100.100.102:22"))
|
|
|
|
|
sc, dc := memnet.NewTCPConn(src, dst, 1024)
|
|
|
|
|
|
|
|
|
|
const sshUser = "alice"
|
2025-02-10 11:43:08 -06:00
|
|
|
cfg := &testssh.ClientConfig{
|
2023-04-19 21:33:33 -07:00
|
|
|
User: sshUser,
|
2025-02-10 11:43:08 -06:00
|
|
|
HostKeyCallback: testssh.InsecureIgnoreHostKey(),
|
2023-04-19 21:33:33 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var wg sync.WaitGroup
|
|
|
|
|
wg.Add(1)
|
|
|
|
|
go func() {
|
|
|
|
|
defer wg.Done()
|
2025-02-10 11:43:08 -06:00
|
|
|
c, chans, reqs, err := testssh.NewClientConn(sc, sc.RemoteAddr().String(), cfg)
|
2023-04-19 21:33:33 -07:00
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("client: %v", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
2025-02-10 11:43:08 -06:00
|
|
|
client := testssh.NewClient(c, chans, reqs)
|
2023-04-19 21:33:33 -07:00
|
|
|
defer client.Close()
|
|
|
|
|
session, err := client.NewSession()
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("client: %v", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
defer session.Close()
|
|
|
|
|
t.Logf("client established session")
|
|
|
|
|
out, err := session.CombinedOutput("echo Ran echo!")
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("client: %v", err)
|
|
|
|
|
}
|
|
|
|
|
if string(out) != "Ran echo!\n" {
|
|
|
|
|
t.Errorf("client: unexpected output: %q", out)
|
|
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
if err := s.HandleSSHConn(dc); err != nil {
|
|
|
|
|
t.Errorf("unexpected error: %v", err)
|
|
|
|
|
}
|
|
|
|
|
wg.Wait()
|
|
|
|
|
select {
|
|
|
|
|
case <-done:
|
|
|
|
|
case <-time.After(1 * time.Second):
|
|
|
|
|
t.Fatal("timed out waiting for recording")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-24 13:50:33 -07:00
|
|
|
// TestSSHRecordingNonInteractive tests that the SSH server records the SSH session
|
|
|
|
|
// when the client is not interactive (i.e. no PTY).
|
|
|
|
|
// It starts a local SSH server and a recording server. The recording server
|
|
|
|
|
// records the SSH session and returns it to the test.
|
|
|
|
|
// The test then verifies that the recording has a valid CastHeader, it does not
|
|
|
|
|
// validate the contents of the recording.
|
|
|
|
|
func TestSSHRecordingNonInteractive(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" && runtime.GOOS != "darwin" {
|
|
|
|
|
t.Skipf("skipping on %q; only runs on linux and darwin", runtime.GOOS)
|
|
|
|
|
}
|
|
|
|
|
var recording []byte
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
|
2024-11-18 09:55:54 -08:00
|
|
|
recordingServer := mockRecordingServer(t, func(w http.ResponseWriter, r *http.Request) {
|
2023-03-24 13:50:33 -07:00
|
|
|
defer cancel()
|
2024-11-18 09:55:54 -08:00
|
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
|
w.(http.Flusher).Flush()
|
|
|
|
|
|
2023-03-24 13:50:33 -07:00
|
|
|
var err error
|
2023-08-23 16:42:44 +01:00
|
|
|
recording, err = io.ReadAll(r.Body)
|
2023-03-24 13:50:33 -07:00
|
|
|
if err != nil {
|
|
|
|
|
t.Error(err)
|
|
|
|
|
return
|
|
|
|
|
}
|
2024-11-18 09:55:54 -08:00
|
|
|
})
|
2023-03-24 13:50:33 -07:00
|
|
|
|
|
|
|
|
s := &server{
|
ssh/tailssh: fix data race during execution of test
In tailssh.go:1284, (*sshSession).startNewRecording starts a fire-and-forget goroutine that can
outlive the test that triggered its creation. Among other things, it uses ss.logf, and may call it
after the test has already returned. Since we typically use (*testing.T).Logf as the logger,
this results in a data race and causes flaky tests.
Ideally, we should fix the root cause and/or use a goroutines.Tracker to wait for the goroutine
to complete. But with the release approaching, it's too risky to make such changes now.
As a workaround, we update the tests to use tstest.WhileTestRunningLogger, which logs to t.Logf
while the test is running and disables logging once the test finishes, avoiding the race.
While there, we also fix TestSSHAuthFlow not to use log.Printf.
Updates #15568
Updates #7707 (probably related)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 23:12:00 -05:00
|
|
|
logf: tstest.WhileTestRunningLogger(t),
|
2023-03-25 10:19:51 -07:00
|
|
|
lb: &localState{
|
|
|
|
|
sshEnabled: true,
|
|
|
|
|
matchingRule: newSSHRule(
|
|
|
|
|
&tailcfg.SSHAction{
|
|
|
|
|
Accept: true,
|
|
|
|
|
Recorders: []netip.AddrPort{
|
|
|
|
|
must.Get(netip.ParseAddrPort(recordingServer.Listener.Addr().String())),
|
|
|
|
|
},
|
2023-04-19 21:33:33 -07:00
|
|
|
OnRecordingFailure: &tailcfg.SSHRecorderFailureAction{
|
|
|
|
|
RejectSessionWithMessage: "session rejected",
|
|
|
|
|
TerminateSessionWithMessage: "session terminated",
|
|
|
|
|
},
|
2023-03-25 10:19:51 -07:00
|
|
|
},
|
|
|
|
|
),
|
|
|
|
|
},
|
2023-03-24 13:50:33 -07:00
|
|
|
}
|
|
|
|
|
defer s.Shutdown()
|
|
|
|
|
|
|
|
|
|
src, dst := must.Get(netip.ParseAddrPort("100.100.100.101:2231")), must.Get(netip.ParseAddrPort("100.100.100.102:22"))
|
|
|
|
|
sc, dc := memnet.NewTCPConn(src, dst, 1024)
|
|
|
|
|
|
|
|
|
|
const sshUser = "alice"
|
2025-02-10 11:43:08 -06:00
|
|
|
cfg := &testssh.ClientConfig{
|
2023-03-24 13:50:33 -07:00
|
|
|
User: sshUser,
|
2025-02-10 11:43:08 -06:00
|
|
|
HostKeyCallback: testssh.InsecureIgnoreHostKey(),
|
2023-03-24 13:50:33 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var wg sync.WaitGroup
|
|
|
|
|
wg.Add(1)
|
|
|
|
|
go func() {
|
|
|
|
|
defer wg.Done()
|
2025-02-10 11:43:08 -06:00
|
|
|
c, chans, reqs, err := testssh.NewClientConn(sc, sc.RemoteAddr().String(), cfg)
|
2023-03-24 13:50:33 -07:00
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("client: %v", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
2025-02-10 11:43:08 -06:00
|
|
|
client := testssh.NewClient(c, chans, reqs)
|
2023-03-24 13:50:33 -07:00
|
|
|
defer client.Close()
|
|
|
|
|
session, err := client.NewSession()
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("client: %v", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
defer session.Close()
|
|
|
|
|
t.Logf("client established session")
|
|
|
|
|
_, err = session.CombinedOutput("echo Ran echo!")
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("client: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
if err := s.HandleSSHConn(dc); err != nil {
|
|
|
|
|
t.Errorf("unexpected error: %v", err)
|
|
|
|
|
}
|
|
|
|
|
wg.Wait()
|
|
|
|
|
|
|
|
|
|
<-ctx.Done() // wait for recording to finish
|
2024-07-29 15:57:11 +03:00
|
|
|
var ch sessionrecording.CastHeader
|
2023-03-24 13:50:33 -07:00
|
|
|
if err := json.NewDecoder(bytes.NewReader(recording)).Decode(&ch); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
if ch.SSHUser != sshUser {
|
|
|
|
|
t.Errorf("SSHUser = %q; want %q", ch.SSHUser, sshUser)
|
|
|
|
|
}
|
|
|
|
|
if ch.Command != "echo Ran echo!" {
|
|
|
|
|
t.Errorf("Command = %q; want %q", ch.Command, "echo Ran echo!")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-08 17:54:53 -07:00
|
|
|
func TestSSHAuthFlow(t *testing.T) {
|
2023-03-24 13:50:33 -07:00
|
|
|
if runtime.GOOS != "linux" && runtime.GOOS != "darwin" {
|
|
|
|
|
t.Skipf("skipping on %q; only runs on linux and darwin", runtime.GOOS)
|
2022-10-08 17:54:53 -07:00
|
|
|
}
|
|
|
|
|
acceptRule := newSSHRule(&tailcfg.SSHAction{
|
|
|
|
|
Accept: true,
|
|
|
|
|
Message: "Welcome to Tailscale SSH!",
|
|
|
|
|
})
|
2025-05-29 09:11:31 -05:00
|
|
|
bobRule := newSSHRule(&tailcfg.SSHAction{
|
|
|
|
|
Accept: true,
|
|
|
|
|
Message: "Welcome to Tailscale SSH!",
|
|
|
|
|
})
|
|
|
|
|
bobRule.SSHUsers = map[string]string{"bob": "bob"}
|
2022-10-08 17:54:53 -07:00
|
|
|
rejectRule := newSSHRule(&tailcfg.SSHAction{
|
|
|
|
|
Reject: true,
|
|
|
|
|
Message: "Go Away!",
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
tests := []struct {
|
2022-10-11 14:48:01 -07:00
|
|
|
name string
|
|
|
|
|
sshUser string // defaults to alice
|
|
|
|
|
state *localState
|
|
|
|
|
wantBanners []string
|
|
|
|
|
usesPassword bool
|
|
|
|
|
authErr bool
|
2022-10-08 17:54:53 -07:00
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "no-policy",
|
|
|
|
|
state: &localState{
|
|
|
|
|
sshEnabled: true,
|
|
|
|
|
},
|
2025-01-31 12:19:22 -06:00
|
|
|
authErr: true,
|
2025-05-29 09:11:31 -05:00
|
|
|
wantBanners: []string{"tailscale: tailnet policy does not permit you to SSH to this node\n"},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "user-mismatch",
|
|
|
|
|
state: &localState{
|
|
|
|
|
sshEnabled: true,
|
|
|
|
|
matchingRule: bobRule,
|
|
|
|
|
},
|
|
|
|
|
authErr: true,
|
|
|
|
|
wantBanners: []string{`tailscale: tailnet policy does not permit you to SSH as user "alice"` + "\n"},
|
2022-10-08 17:54:53 -07:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "accept",
|
|
|
|
|
state: &localState{
|
|
|
|
|
sshEnabled: true,
|
|
|
|
|
matchingRule: acceptRule,
|
|
|
|
|
},
|
2022-10-09 10:31:19 -07:00
|
|
|
wantBanners: []string{"Welcome to Tailscale SSH!"},
|
2022-10-08 17:54:53 -07:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "reject",
|
|
|
|
|
state: &localState{
|
|
|
|
|
sshEnabled: true,
|
|
|
|
|
matchingRule: rejectRule,
|
|
|
|
|
},
|
2022-10-09 10:31:19 -07:00
|
|
|
wantBanners: []string{"Go Away!"},
|
|
|
|
|
authErr: true,
|
2022-10-08 17:54:53 -07:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "simple-check",
|
|
|
|
|
state: &localState{
|
|
|
|
|
sshEnabled: true,
|
|
|
|
|
matchingRule: newSSHRule(&tailcfg.SSHAction{
|
|
|
|
|
HoldAndDelegate: "https://unused/ssh-action/accept",
|
|
|
|
|
}),
|
|
|
|
|
serverActions: map[string]*tailcfg.SSHAction{
|
|
|
|
|
"accept": acceptRule.Action,
|
|
|
|
|
},
|
|
|
|
|
},
|
2022-10-09 10:31:19 -07:00
|
|
|
wantBanners: []string{"Welcome to Tailscale SSH!"},
|
2022-10-08 17:54:53 -07:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "multi-check",
|
|
|
|
|
state: &localState{
|
|
|
|
|
sshEnabled: true,
|
|
|
|
|
matchingRule: newSSHRule(&tailcfg.SSHAction{
|
2022-10-09 10:31:19 -07:00
|
|
|
Message: "First",
|
2022-10-08 17:54:53 -07:00
|
|
|
HoldAndDelegate: "https://unused/ssh-action/check1",
|
|
|
|
|
}),
|
|
|
|
|
serverActions: map[string]*tailcfg.SSHAction{
|
|
|
|
|
"check1": {
|
|
|
|
|
Message: "url-here",
|
|
|
|
|
HoldAndDelegate: "https://unused/ssh-action/check2",
|
|
|
|
|
},
|
|
|
|
|
"check2": acceptRule.Action,
|
|
|
|
|
},
|
|
|
|
|
},
|
2022-10-09 10:31:19 -07:00
|
|
|
wantBanners: []string{"First", "url-here", "Welcome to Tailscale SSH!"},
|
2022-10-08 17:54:53 -07:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "check-reject",
|
|
|
|
|
state: &localState{
|
|
|
|
|
sshEnabled: true,
|
|
|
|
|
matchingRule: newSSHRule(&tailcfg.SSHAction{
|
2022-10-09 10:31:19 -07:00
|
|
|
Message: "First",
|
2022-10-08 17:54:53 -07:00
|
|
|
HoldAndDelegate: "https://unused/ssh-action/reject",
|
|
|
|
|
}),
|
|
|
|
|
serverActions: map[string]*tailcfg.SSHAction{
|
|
|
|
|
"reject": rejectRule.Action,
|
|
|
|
|
},
|
|
|
|
|
},
|
2022-10-09 10:31:19 -07:00
|
|
|
wantBanners: []string{"First", "Go Away!"},
|
|
|
|
|
authErr: true,
|
2022-10-08 17:54:53 -07:00
|
|
|
},
|
2022-10-11 14:48:01 -07:00
|
|
|
{
|
|
|
|
|
name: "force-password-auth",
|
|
|
|
|
sshUser: "alice+password",
|
|
|
|
|
state: &localState{
|
|
|
|
|
sshEnabled: true,
|
|
|
|
|
matchingRule: acceptRule,
|
|
|
|
|
},
|
|
|
|
|
usesPassword: true,
|
|
|
|
|
wantBanners: []string{"Welcome to Tailscale SSH!"},
|
|
|
|
|
},
|
2022-10-08 17:54:53 -07:00
|
|
|
}
|
|
|
|
|
s := &server{
|
ssh/tailssh: fix data race during execution of test
In tailssh.go:1284, (*sshSession).startNewRecording starts a fire-and-forget goroutine that can
outlive the test that triggered its creation. Among other things, it uses ss.logf, and may call it
after the test has already returned. Since we typically use (*testing.T).Logf as the logger,
this results in a data race and causes flaky tests.
Ideally, we should fix the root cause and/or use a goroutines.Tracker to wait for the goroutine
to complete. But with the release approaching, it's too risky to make such changes now.
As a workaround, we update the tests to use tstest.WhileTestRunningLogger, which logs to t.Logf
while the test is running and disables logging once the test finishes, avoiding the race.
While there, we also fix TestSSHAuthFlow not to use log.Printf.
Updates #15568
Updates #7707 (probably related)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 23:12:00 -05:00
|
|
|
logf: tstest.WhileTestRunningLogger(t),
|
2022-10-08 17:54:53 -07:00
|
|
|
}
|
|
|
|
|
defer s.Shutdown()
|
|
|
|
|
src, dst := must.Get(netip.ParseAddrPort("100.100.100.101:2231")), must.Get(netip.ParseAddrPort("100.100.100.102:22"))
|
|
|
|
|
for _, tc := range tests {
|
2025-02-10 11:43:08 -06:00
|
|
|
for _, authMethods := range [][]string{nil, {"publickey", "password"}, {"password", "publickey"}} {
|
|
|
|
|
t.Run(fmt.Sprintf("%s-skip-none-auth-%v", tc.name, strings.Join(authMethods, "-then-")), func(t *testing.T) {
|
ssh/tailssh: fix data race during execution of test
In tailssh.go:1284, (*sshSession).startNewRecording starts a fire-and-forget goroutine that can
outlive the test that triggered its creation. Among other things, it uses ss.logf, and may call it
after the test has already returned. Since we typically use (*testing.T).Logf as the logger,
this results in a data race and causes flaky tests.
Ideally, we should fix the root cause and/or use a goroutines.Tracker to wait for the goroutine
to complete. But with the release approaching, it's too risky to make such changes now.
As a workaround, we update the tests to use tstest.WhileTestRunningLogger, which logs to t.Logf
while the test is running and disables logging once the test finishes, avoiding the race.
While there, we also fix TestSSHAuthFlow not to use log.Printf.
Updates #15568
Updates #7707 (probably related)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 23:12:00 -05:00
|
|
|
s.logf = tstest.WhileTestRunningLogger(t)
|
|
|
|
|
|
2025-02-10 11:43:08 -06:00
|
|
|
sc, dc := memnet.NewTCPConn(src, dst, 1024)
|
|
|
|
|
s.lb = tc.state
|
|
|
|
|
sshUser := "alice"
|
|
|
|
|
if tc.sshUser != "" {
|
|
|
|
|
sshUser = tc.sshUser
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
wantBanners := slices.Clone(tc.wantBanners)
|
|
|
|
|
noneAuthEnabled := len(authMethods) == 0
|
|
|
|
|
|
|
|
|
|
var publicKeyUsed atomic.Bool
|
|
|
|
|
var passwordUsed atomic.Bool
|
|
|
|
|
var methods []testssh.AuthMethod
|
|
|
|
|
|
|
|
|
|
for _, authMethod := range authMethods {
|
|
|
|
|
switch authMethod {
|
|
|
|
|
case "publickey":
|
|
|
|
|
methods = append(methods,
|
|
|
|
|
testssh.PublicKeysCallback(func() (signers []testssh.Signer, err error) {
|
|
|
|
|
publicKeyUsed.Store(true)
|
|
|
|
|
key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
sig, err := testssh.NewSignerFromKey(key)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return []testssh.Signer{sig}, nil
|
|
|
|
|
}))
|
|
|
|
|
case "password":
|
|
|
|
|
methods = append(methods, testssh.PasswordCallback(func() (secret string, err error) {
|
|
|
|
|
passwordUsed.Store(true)
|
|
|
|
|
return "any-pass", nil
|
|
|
|
|
}))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if noneAuthEnabled && tc.usesPassword {
|
|
|
|
|
methods = append(methods, testssh.PasswordCallback(func() (secret string, err error) {
|
2022-10-11 14:48:01 -07:00
|
|
|
passwordUsed.Store(true)
|
|
|
|
|
return "any-pass", nil
|
2025-02-10 11:43:08 -06:00
|
|
|
}))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cfg := &testssh.ClientConfig{
|
|
|
|
|
User: sshUser,
|
|
|
|
|
HostKeyCallback: testssh.InsecureIgnoreHostKey(),
|
|
|
|
|
SkipNoneAuth: !noneAuthEnabled,
|
|
|
|
|
Auth: methods,
|
|
|
|
|
BannerCallback: func(message string) error {
|
|
|
|
|
if len(wantBanners) == 0 {
|
|
|
|
|
t.Errorf("unexpected banner: %q", message)
|
|
|
|
|
} else if message != wantBanners[0] {
|
|
|
|
|
t.Errorf("banner = %q; want %q", message, wantBanners[0])
|
|
|
|
|
} else {
|
|
|
|
|
t.Logf("banner = %q", message)
|
|
|
|
|
wantBanners = wantBanners[1:]
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var wg sync.WaitGroup
|
|
|
|
|
wg.Add(1)
|
|
|
|
|
go func() {
|
|
|
|
|
defer wg.Done()
|
|
|
|
|
c, chans, reqs, err := testssh.NewClientConn(sc, sc.RemoteAddr().String(), cfg)
|
|
|
|
|
if err != nil {
|
|
|
|
|
if !tc.authErr {
|
|
|
|
|
t.Errorf("client: %v", err)
|
|
|
|
|
}
|
|
|
|
|
return
|
|
|
|
|
} else if tc.authErr {
|
|
|
|
|
c.Close()
|
|
|
|
|
t.Errorf("client: expected error, got nil")
|
|
|
|
|
return
|
2022-10-08 17:54:53 -07:00
|
|
|
}
|
2025-02-10 11:43:08 -06:00
|
|
|
client := testssh.NewClient(c, chans, reqs)
|
|
|
|
|
defer client.Close()
|
|
|
|
|
session, err := client.NewSession()
|
|
|
|
|
if err != nil {
|
2022-10-08 17:54:53 -07:00
|
|
|
t.Errorf("client: %v", err)
|
2025-02-10 11:43:08 -06:00
|
|
|
return
|
2022-10-08 17:54:53 -07:00
|
|
|
}
|
2025-02-10 11:43:08 -06:00
|
|
|
defer session.Close()
|
|
|
|
|
_, err = session.CombinedOutput("echo Ran echo!")
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("client: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
if err := s.HandleSSHConn(dc); err != nil {
|
|
|
|
|
t.Errorf("unexpected error: %v", err)
|
2022-10-08 17:54:53 -07:00
|
|
|
}
|
2025-02-10 11:43:08 -06:00
|
|
|
wg.Wait()
|
|
|
|
|
if len(wantBanners) > 0 {
|
|
|
|
|
t.Errorf("missing banners: %v", wantBanners)
|
2022-10-08 17:54:53 -07:00
|
|
|
}
|
2025-02-10 11:43:08 -06:00
|
|
|
|
|
|
|
|
// Check to see which callbacks were invoked.
|
|
|
|
|
//
|
|
|
|
|
// When `none` auth is enabled, the public key callback should
|
|
|
|
|
// never fire, and the password callback should only fire if
|
|
|
|
|
// authentication succeeded and the client was trying to force
|
|
|
|
|
// password authentication by connecting with the '-password'
|
|
|
|
|
// username suffix.
|
|
|
|
|
//
|
|
|
|
|
// When skipping `none` auth, the first callback should always
|
|
|
|
|
// fire, and the 2nd callback should fire only if
|
|
|
|
|
// authentication failed.
|
|
|
|
|
wantPublicKey := false
|
|
|
|
|
wantPassword := false
|
|
|
|
|
if noneAuthEnabled {
|
|
|
|
|
wantPassword = !tc.authErr && tc.usesPassword
|
|
|
|
|
} else {
|
|
|
|
|
for i, authMethod := range authMethods {
|
|
|
|
|
switch authMethod {
|
|
|
|
|
case "publickey":
|
|
|
|
|
wantPublicKey = i == 0 || tc.authErr
|
|
|
|
|
case "password":
|
|
|
|
|
wantPassword = i == 0 || tc.authErr
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-10-08 17:54:53 -07:00
|
|
|
}
|
2025-02-10 11:43:08 -06:00
|
|
|
|
|
|
|
|
if wantPublicKey && !publicKeyUsed.Load() {
|
|
|
|
|
t.Error("public key should have been attempted")
|
|
|
|
|
} else if !wantPublicKey && publicKeyUsed.Load() {
|
|
|
|
|
t.Errorf("public key should not have been attempted")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if wantPassword && !passwordUsed.Load() {
|
|
|
|
|
t.Error("password should have been attempted")
|
|
|
|
|
} else if !wantPassword && passwordUsed.Load() {
|
|
|
|
|
t.Error("password should not have been attempted")
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
2022-10-08 17:54:53 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-24 13:31:54 -08:00
|
|
|
func TestSSH(t *testing.T) {
|
ssh/tailssh: fix data race during execution of test
In tailssh.go:1284, (*sshSession).startNewRecording starts a fire-and-forget goroutine that can
outlive the test that triggered its creation. Among other things, it uses ss.logf, and may call it
after the test has already returned. Since we typically use (*testing.T).Logf as the logger,
this results in a data race and causes flaky tests.
Ideally, we should fix the root cause and/or use a goroutines.Tracker to wait for the goroutine
to complete. But with the release approaching, it's too risky to make such changes now.
As a workaround, we update the tests to use tstest.WhileTestRunningLogger, which logs to t.Logf
while the test is running and disables logging once the test finishes, avoiding the race.
While there, we also fix TestSSHAuthFlow not to use log.Printf.
Updates #15568
Updates #7707 (probably related)
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-05-09 23:12:00 -05:00
|
|
|
logf := tstest.WhileTestRunningLogger(t)
|
2025-03-20 15:18:29 -07:00
|
|
|
sys := tsd.NewSystem()
|
2025-03-19 10:47:25 -07:00
|
|
|
eng, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set, sys.HealthTracker(), sys.UserMetricsRegistry(), sys.Bus.Get())
|
2022-02-24 13:31:54 -08:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
2023-05-03 13:57:17 -07:00
|
|
|
sys.Set(eng)
|
|
|
|
|
sys.Set(new(mem.Store))
|
|
|
|
|
lb, err := ipnlocal.NewLocalBackend(logf, logid.PublicID{}, sys, 0)
|
2022-02-24 13:31:54 -08:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
defer lb.Shutdown()
|
|
|
|
|
dir := t.TempDir()
|
|
|
|
|
lb.SetVarRoot(dir)
|
|
|
|
|
|
2022-03-09 11:25:07 -08:00
|
|
|
srv := &server{
|
|
|
|
|
lb: lb,
|
|
|
|
|
logf: logf,
|
|
|
|
|
}
|
2022-04-20 13:39:15 -07:00
|
|
|
sc, err := srv.newConn()
|
2022-02-24 13:31:54 -08:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
2022-04-20 13:39:15 -07:00
|
|
|
// Remove the auth checks for the test
|
|
|
|
|
sc.insecureSkipTailscaleAuth = true
|
2022-02-24 13:31:54 -08:00
|
|
|
|
|
|
|
|
u, err := user.Current()
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
2023-05-21 07:35:33 -07:00
|
|
|
um, err := userLookup(u.Username)
|
2023-05-08 09:42:31 -07:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
sc.localUser = um
|
2022-04-20 17:36:19 -07:00
|
|
|
sc.info = &sshConnInfo{
|
2022-02-24 13:31:54 -08:00
|
|
|
sshUser: "test",
|
2022-07-25 20:55:44 -07:00
|
|
|
src: netip.MustParseAddrPort("1.2.3.4:32342"),
|
|
|
|
|
dst: netip.MustParseAddrPort("1.2.3.5:22"),
|
2023-08-18 07:57:44 -07:00
|
|
|
node: (&tailcfg.Node{}).View(),
|
2022-10-08 17:54:53 -07:00
|
|
|
uprof: tailcfg.UserProfile{},
|
2022-02-24 13:31:54 -08:00
|
|
|
}
|
2023-03-23 12:32:44 -07:00
|
|
|
sc.action0 = &tailcfg.SSHAction{Accept: true}
|
|
|
|
|
sc.finalAction = sc.action0
|
2022-02-24 13:31:54 -08:00
|
|
|
|
2022-04-20 13:39:15 -07:00
|
|
|
sc.Handler = func(s ssh.Session) {
|
2022-06-27 11:50:11 -07:00
|
|
|
sc.newSSHSession(s).run()
|
2022-02-24 13:31:54 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ln, err := net.Listen("tcp4", "127.0.0.1:0")
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
defer ln.Close()
|
|
|
|
|
port := ln.Addr().(*net.TCPAddr).Port
|
|
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
|
for {
|
|
|
|
|
c, err := ln.Accept()
|
|
|
|
|
if err != nil {
|
|
|
|
|
if !errors.Is(err, net.ErrClosed) {
|
|
|
|
|
t.Errorf("Accept: %v", err)
|
|
|
|
|
}
|
|
|
|
|
return
|
|
|
|
|
}
|
2022-04-20 13:39:15 -07:00
|
|
|
go sc.HandleConn(c)
|
2022-02-24 13:31:54 -08:00
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
|
2022-02-24 14:35:40 -08:00
|
|
|
execSSH := func(args ...string) *exec.Cmd {
|
|
|
|
|
cmd := exec.Command("ssh",
|
2022-04-21 19:05:27 -07:00
|
|
|
"-F",
|
|
|
|
|
"none",
|
2022-04-20 13:39:15 -07:00
|
|
|
"-v",
|
2022-02-24 14:35:40 -08:00
|
|
|
"-p", fmt.Sprint(port),
|
|
|
|
|
"-o", "StrictHostKeyChecking=no",
|
|
|
|
|
"user@127.0.0.1")
|
|
|
|
|
cmd.Args = append(cmd.Args, args...)
|
|
|
|
|
return cmd
|
2022-02-24 13:31:54 -08:00
|
|
|
}
|
2022-02-24 14:35:40 -08:00
|
|
|
|
|
|
|
|
t.Run("env", func(t *testing.T) {
|
2022-03-18 14:46:38 -07:00
|
|
|
if cibuild.On() {
|
2022-03-17 14:33:09 -07:00
|
|
|
t.Skip("Skipping for now; see https://github.com/tailscale/tailscale/issues/4051")
|
|
|
|
|
}
|
2022-03-08 21:35:55 -08:00
|
|
|
cmd := execSSH("LANG=foo env")
|
|
|
|
|
cmd.Env = append(os.Environ(), "LOCAL_ENV=bar")
|
2022-02-24 14:35:40 -08:00
|
|
|
got, err := cmd.CombinedOutput()
|
|
|
|
|
if err != nil {
|
2022-04-20 13:39:15 -07:00
|
|
|
t.Fatal(err, string(got))
|
2022-02-24 14:35:40 -08:00
|
|
|
}
|
|
|
|
|
m := parseEnv(got)
|
|
|
|
|
if got := m["USER"]; got == "" || got != u.Username {
|
|
|
|
|
t.Errorf("USER = %q; want %q", got, u.Username)
|
|
|
|
|
}
|
|
|
|
|
if got := m["HOME"]; got == "" || got != u.HomeDir {
|
|
|
|
|
t.Errorf("HOME = %q; want %q", got, u.HomeDir)
|
|
|
|
|
}
|
|
|
|
|
if got := m["PWD"]; got == "" || got != u.HomeDir {
|
|
|
|
|
t.Errorf("PWD = %q; want %q", got, u.HomeDir)
|
|
|
|
|
}
|
|
|
|
|
if got := m["SHELL"]; got == "" {
|
|
|
|
|
t.Errorf("no SHELL")
|
|
|
|
|
}
|
|
|
|
|
if got, want := m["LANG"], "foo"; got != want {
|
|
|
|
|
t.Errorf("LANG = %q; want %q", got, want)
|
|
|
|
|
}
|
2022-03-08 21:35:55 -08:00
|
|
|
if got := m["LOCAL_ENV"]; got != "" {
|
|
|
|
|
t.Errorf("LOCAL_ENV leaked over ssh: %v", got)
|
|
|
|
|
}
|
2022-02-24 14:35:40 -08:00
|
|
|
t.Logf("got: %+v", m)
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
t.Run("stdout_stderr", func(t *testing.T) {
|
|
|
|
|
cmd := execSSH("sh", "-c", "echo foo; echo bar >&2")
|
|
|
|
|
var outBuf, errBuf bytes.Buffer
|
|
|
|
|
cmd.Stdout = &outBuf
|
|
|
|
|
cmd.Stderr = &errBuf
|
|
|
|
|
if err := cmd.Run(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
t.Logf("Got: %q and %q", outBuf.Bytes(), errBuf.Bytes())
|
|
|
|
|
// TODO: figure out why these aren't right. should be
|
|
|
|
|
// "foo\n" and "bar\n", not "\n" and "bar\n".
|
|
|
|
|
})
|
|
|
|
|
|
2023-06-21 19:57:45 -07:00
|
|
|
t.Run("large_file", func(t *testing.T) {
|
|
|
|
|
const wantSize = 1e6
|
|
|
|
|
var outBuf bytes.Buffer
|
|
|
|
|
cmd := execSSH("head", "-c", strconv.Itoa(wantSize), "/dev/zero")
|
|
|
|
|
cmd.Stdout = &outBuf
|
|
|
|
|
if err := cmd.Run(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
if gotSize := outBuf.Len(); gotSize != wantSize {
|
|
|
|
|
t.Fatalf("got %d, want %d", gotSize, int(wantSize))
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
2022-02-24 14:35:40 -08:00
|
|
|
t.Run("stdin", func(t *testing.T) {
|
2022-03-18 14:46:38 -07:00
|
|
|
if cibuild.On() {
|
2022-03-18 10:45:05 -07:00
|
|
|
t.Skip("Skipping for now; see https://github.com/tailscale/tailscale/issues/4051")
|
|
|
|
|
}
|
2022-02-24 14:35:40 -08:00
|
|
|
cmd := execSSH("cat")
|
|
|
|
|
var outBuf bytes.Buffer
|
|
|
|
|
cmd.Stdout = &outBuf
|
|
|
|
|
const str = "foo\nbar\n"
|
|
|
|
|
cmd.Stdin = strings.NewReader(str)
|
|
|
|
|
if err := cmd.Run(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
if got := outBuf.String(); got != str {
|
|
|
|
|
t.Errorf("got %q; want %q", got, str)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func parseEnv(out []byte) map[string]string {
|
|
|
|
|
e := map[string]string{}
|
2024-11-04 20:49:40 -08:00
|
|
|
for line := range lineiter.Bytes(out) {
|
|
|
|
|
if i := bytes.IndexByte(line, '='); i != -1 {
|
|
|
|
|
e[string(line[:i])] = string(line[i+1:])
|
2022-02-24 14:35:40 -08:00
|
|
|
}
|
2024-11-04 20:49:40 -08:00
|
|
|
}
|
2022-02-24 14:35:40 -08:00
|
|
|
return e
|
2022-02-24 13:31:54 -08:00
|
|
|
}
|
2022-04-16 21:49:22 -07:00
|
|
|
|
2022-04-21 14:40:32 -07:00
|
|
|
func TestAcceptEnvPair(t *testing.T) {
|
|
|
|
|
tests := []struct {
|
|
|
|
|
in string
|
|
|
|
|
want bool
|
|
|
|
|
}{
|
|
|
|
|
{"TERM=x", true},
|
|
|
|
|
{"term=x", false},
|
|
|
|
|
{"TERM", false},
|
|
|
|
|
{"LC_FOO=x", true},
|
|
|
|
|
{"LD_PRELOAD=naah", false},
|
|
|
|
|
{"TERM=screen-256color", true},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
if got := acceptEnvPair(tt.in); got != tt.want {
|
|
|
|
|
t.Errorf("for %q, got %v; want %v", tt.in, got, tt.want)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-12-14 14:20:50 -08:00
|
|
|
|
|
|
|
|
func TestPathFromPAMEnvLine(t *testing.T) {
|
|
|
|
|
u := &user.User{Username: "foo", HomeDir: "/Homes/Foo"}
|
|
|
|
|
tests := []struct {
|
|
|
|
|
line string
|
|
|
|
|
u *user.User
|
|
|
|
|
want string
|
|
|
|
|
}{
|
2022-12-15 14:28:14 -08:00
|
|
|
{"", u, ""},
|
2022-12-14 14:20:50 -08:00
|
|
|
{`PATH DEFAULT="/run/wrappers/bin:@{HOME}/.nix-profile/bin:/etc/profiles/per-user/@{PAM_USER}/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"`,
|
|
|
|
|
u, "/run/wrappers/bin:/Homes/Foo/.nix-profile/bin:/etc/profiles/per-user/foo/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"},
|
|
|
|
|
{`PATH DEFAULT="@{SOMETHING_ELSE}:nope:@{HOME}"`,
|
|
|
|
|
u, ""},
|
|
|
|
|
}
|
|
|
|
|
for i, tt := range tests {
|
|
|
|
|
got := pathFromPAMEnvLine([]byte(tt.line), tt.u)
|
|
|
|
|
if got != tt.want {
|
|
|
|
|
t.Errorf("%d. got %q; want %q", i, got, tt.want)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-15 14:28:14 -08:00
|
|
|
func TestExpandDefaultPathTmpl(t *testing.T) {
|
|
|
|
|
u := &user.User{Username: "foo", HomeDir: "/Homes/Foo"}
|
|
|
|
|
tests := []struct {
|
|
|
|
|
t string
|
|
|
|
|
u *user.User
|
|
|
|
|
want string
|
|
|
|
|
}{
|
|
|
|
|
{"", u, ""},
|
|
|
|
|
{`/run/wrappers/bin:@{HOME}/.nix-profile/bin:/etc/profiles/per-user/@{PAM_USER}/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin`,
|
|
|
|
|
u, "/run/wrappers/bin:/Homes/Foo/.nix-profile/bin:/etc/profiles/per-user/foo/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"},
|
|
|
|
|
{`@{SOMETHING_ELSE}:nope:@{HOME}`, u, ""},
|
|
|
|
|
}
|
|
|
|
|
for i, tt := range tests {
|
|
|
|
|
got := expandDefaultPathTmpl(tt.t, tt.u)
|
|
|
|
|
if got != tt.want {
|
|
|
|
|
t.Errorf("%d. got %q; want %q", i, got, tt.want)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-14 14:20:50 -08:00
|
|
|
func TestPathFromPAMEnvLineOnNixOS(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("skipping on non-linux")
|
|
|
|
|
}
|
|
|
|
|
if distro.Get() != distro.NixOS {
|
|
|
|
|
t.Skip("skipping on non-NixOS")
|
|
|
|
|
}
|
|
|
|
|
u, err := user.Current()
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
got := defaultPathForUserOnNixOS(u)
|
|
|
|
|
if got == "" {
|
|
|
|
|
x, err := os.ReadFile("/etc/pam/environment")
|
|
|
|
|
t.Fatalf("no result. file was: err=%v, contents=%s", err, x)
|
|
|
|
|
}
|
|
|
|
|
t.Logf("success; got=%q", got)
|
|
|
|
|
}
|
2023-05-08 09:42:31 -07:00
|
|
|
|
|
|
|
|
func TestStdOsUserUserAssumptions(t *testing.T) {
|
2024-02-08 17:34:22 -08:00
|
|
|
v := reflect.TypeFor[user.User]()
|
2023-05-08 09:42:31 -07:00
|
|
|
if got, want := v.NumField(), 5; got != want {
|
|
|
|
|
t.Errorf("os/user.User has %v fields; this package assumes %v", got, want)
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-11-18 09:55:54 -08:00
|
|
|
|
|
|
|
|
func mockRecordingServer(t *testing.T, handleRecord http.HandlerFunc) *httptest.Server {
|
|
|
|
|
t.Helper()
|
|
|
|
|
mux := http.NewServeMux()
|
|
|
|
|
mux.HandleFunc("POST /record", func(http.ResponseWriter, *http.Request) {
|
|
|
|
|
t.Errorf("v1 recording endpoint called")
|
|
|
|
|
})
|
|
|
|
|
mux.HandleFunc("HEAD /v2/record", func(http.ResponseWriter, *http.Request) {})
|
|
|
|
|
mux.HandleFunc("POST /v2/record", handleRecord)
|
|
|
|
|
|
|
|
|
|
h2s := &http2.Server{}
|
|
|
|
|
srv := httptest.NewUnstartedServer(h2c.NewHandler(mux, h2s))
|
|
|
|
|
if err := http2.ConfigureServer(srv.Config, h2s); err != nil {
|
|
|
|
|
t.Errorf("configuring HTTP/2 support in recording server: %v", err)
|
|
|
|
|
}
|
|
|
|
|
srv.Start()
|
|
|
|
|
t.Cleanup(srv.Close)
|
|
|
|
|
return srv
|
|
|
|
|
}
|
