// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
package tsconsensus
import (
"context"
"fmt"
"net/netip"
"testing"
"tailscale.com/ipn"
"tailscale.com/ipn/ipnstate"
"tailscale.com/tailcfg"
"tailscale.com/types/key"
"tailscale.com/types/views"
)
type testStatusGetter struct {
status *ipnstate.Status
}
func (sg testStatusGetter) getStatus(ctx context.Context) (*ipnstate.Status, error) {
return sg.status, nil
}
const testTag string = "tag:clusterTag"
func makeAuthTestPeer(i int, tags views.Slice[string]) *ipnstate.PeerStatus {
return &ipnstate.PeerStatus{
ID: tailcfg.StableNodeID(fmt.Sprintf("%d", i)),
Tags: &tags,
TailscaleIPs: []netip.Addr{
netip.AddrFrom4([4]byte{100, 0, 0, byte(i)}),
netip.MustParseAddr(fmt.Sprintf("fd7a:115c:a1e0:0::%d", i)),
},
}
}
func makeAuthTestPeers(tags [][]string) []*ipnstate.PeerStatus {
peers := make([]*ipnstate.PeerStatus, len(tags))
for i, ts := range tags {
peers[i] = makeAuthTestPeer(i, views.SliceOf(ts))
}
return peers
}
func authForStatus(s *ipnstate.Status) *authorization {
return &authorization{
sg: testStatusGetter{
status: s,
},
tag: testTag,
}
}
func authForPeers(self *ipnstate.PeerStatus, peers []*ipnstate.PeerStatus) *authorization {
s := &ipnstate.Status{
BackendState: ipn.Running.String(),
Self: self,
Peer: map[key.NodePublic]*ipnstate.PeerStatus{},
}
for _, p := range peers {
s.Peer[key.NewNode().Public()] = p
}
return authForStatus(s)
}
func TestAuthRefreshErrorsNotRunning(t *testing.T) {
tests := []struct {
in *ipnstate.Status
expected string
}{
{
in: nil,
expected: "no status",
},
{
in: &ipnstate.Status{
BackendState: "NeedsMachineAuth",
},
expected: "ts Server is not running",
},
}
for _, tt := range tests {
t.Run(tt.expected, func(t *testing.T) {
ctx := t.Context()
a := authForStatus(tt.in)
err := a.Refresh(ctx)
if err == nil {
t.Fatalf("expected err to be non-nil")
}
if err.Error() != tt.expected {
t.Fatalf("expected: %s, got: %s", tt.expected, err.Error())
}
})
}
}
func TestAuthUnrefreshed(t *testing.T) {
a := authForStatus(nil)
if a.AllowsHost(netip.MustParseAddr("100.0.0.1")) {
t.Fatalf("never refreshed authorization, allowsHost: expected false, got true")
}
gotAllowedPeers := a.AllowedPeers()
if gotAllowedPeers.Len() != 0 {
t.Fatalf("never refreshed authorization, allowedPeers: expected [], got %v", gotAllowedPeers)
}
if a.SelfAllowed() != false {
t.Fatalf("never refreshed authorization, selfAllowed: expected false got true")
}
}
func TestAuthAllowsHost(t *testing.T) {
peerTags := [][]string{
{"woo"},
nil,
{"woo", testTag},
{testTag},
}
peers := makeAuthTestPeers(peerTags)
tests := []struct {
name string
peerStatus *ipnstate.PeerStatus
expected bool
}{
{
name: "tagged with different tag",
peerStatus: peers[0],
expected: false,
},
{
name: "not tagged",
peerStatus: peers[1],
expected: false,
},
{
name: "tags includes testTag",
peerStatus: peers[2],
expected: true,
},
{
name: "only tag is testTag",
peerStatus: peers[3],
expected: true,
},
}
a := authForPeers(nil, peers)
err := a.Refresh(t.Context())
if err != nil {
t.Fatal(err)
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// test we get the expected result for any of the peers TailscaleIPs
for _, addr := range tt.peerStatus.TailscaleIPs {
got := a.AllowsHost(addr)
if got != tt.expected {
t.Fatalf("allowed for peer with tags: %v, expected: %t, got %t", tt.peerStatus.Tags, tt.expected, got)
}
}
})
}
}
func TestAuthAllowedPeers(t *testing.T) {
ctx := t.Context()
peerTags := [][]string{
{"woo"},
nil,
{"woo", testTag},
{testTag},
}
peers := makeAuthTestPeers(peerTags)
a := authForPeers(nil, peers)
err := a.Refresh(ctx)
if err != nil {
t.Fatal(err)
}
ps := a.AllowedPeers()
if ps.Len() != 2 {
t.Fatalf("expected: 2, got: %d", ps.Len())
}
for _, i := range []int{2, 3} {
if !ps.ContainsFunc(func(p *ipnstate.PeerStatus) bool {
return p.ID == peers[i].ID
}) {
t.Fatalf("expected peers[%d] to be in AllowedPeers because it is tagged with testTag", i)
}
}
}
func TestAuthSelfAllowed(t *testing.T) {
tests := []struct {
name string
in []string
expected bool
}{
{
name: "self has different tag",
in: []string{"woo"},
expected: false,
},
{
name: "selfs tags include testTag",
in: []string{"woo", testTag},
expected: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
ctx := t.Context()
self := makeAuthTestPeer(0, views.SliceOf(tt.in))
a := authForPeers(self, nil)
err := a.Refresh(ctx)
if err != nil {
t.Fatal(err)
}
got := a.SelfAllowed()
if got != tt.expected {
t.Fatalf("expected: %t, got: %t", tt.expected, got)
}
})
}
}