Handle errors in integration test setups
Thanks @kev-the-dev Closes #1460 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby
Kristoffer Dalby
parent
63caf9a222
commit
b4a4d0f760
55 changed files with 829 additions and 1118 deletions
|
|
@ -45,10 +45,14 @@ var veryLargeDestination = []string{
|
|||
"208.0.0.0/4:*",
|
||||
}
|
||||
|
||||
func aclScenario(t *testing.T, policy *policy.ACLPolicy, clientsPerUser int) *Scenario {
|
||||
func aclScenario(
|
||||
t *testing.T,
|
||||
policy *policy.ACLPolicy,
|
||||
clientsPerUser int,
|
||||
) *Scenario {
|
||||
t.Helper()
|
||||
scenario, err := NewScenario()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
spec := map[string]int{
|
||||
"user1": clientsPerUser,
|
||||
|
|
@ -58,22 +62,19 @@ func aclScenario(t *testing.T, policy *policy.ACLPolicy, clientsPerUser int) *Sc
|
|||
err = scenario.CreateHeadscaleEnv(spec,
|
||||
[]tsic.Option{
|
||||
tsic.WithDockerEntrypoint([]string{
|
||||
"/bin/bash",
|
||||
"/bin/sh",
|
||||
"-c",
|
||||
"/bin/sleep 3 ; update-ca-certificates ; python3 -m http.server --bind :: 80 & tailscaled --tun=tsdev",
|
||||
"/bin/sleep 3 ; apk add python3 curl ; update-ca-certificates ; python3 -m http.server --bind :: 80 & tailscaled --tun=tsdev",
|
||||
}),
|
||||
tsic.WithDockerWorkdir("/"),
|
||||
},
|
||||
hsic.WithACLPolicy(policy),
|
||||
hsic.WithTestName("acl"),
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
|
||||
err = scenario.WaitForTailscaleSync()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
_, err = scenario.ListTailscaleClientsFQDNs()
|
||||
assert.NoError(t, err)
|
||||
assertNoErrListFQDN(t, err)
|
||||
|
||||
return scenario
|
||||
}
|
||||
|
|
@ -260,7 +261,7 @@ func TestACLHostsInNetMapTable(t *testing.T) {
|
|||
for name, testCase := range tests {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
scenario, err := NewScenario()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
spec := testCase.users
|
||||
|
||||
|
|
@ -268,25 +269,23 @@ func TestACLHostsInNetMapTable(t *testing.T) {
|
|||
[]tsic.Option{},
|
||||
hsic.WithACLPolicy(&testCase.policy),
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
defer scenario.Shutdown()
|
||||
|
||||
allClients, err := scenario.ListTailscaleClients()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
err = scenario.WaitForTailscaleSync()
|
||||
assert.NoError(t, err)
|
||||
err = scenario.WaitForTailscaleSyncWithPeerCount(testCase.want["user1"])
|
||||
assertNoErrSync(t, err)
|
||||
|
||||
for _, client := range allClients {
|
||||
status, err := client.Status()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
user := status.User[status.Self.UserID].LoginName
|
||||
|
||||
assert.Equal(t, (testCase.want[user]), len(status.Peer))
|
||||
}
|
||||
|
||||
err = scenario.Shutdown()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
@ -311,25 +310,26 @@ func TestACLAllowUser80Dst(t *testing.T) {
|
|||
},
|
||||
1,
|
||||
)
|
||||
defer scenario.Shutdown()
|
||||
|
||||
user1Clients, err := scenario.ListTailscaleClients("user1")
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
user2Clients, err := scenario.ListTailscaleClients("user2")
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
// Test that user1 can visit all user2
|
||||
for _, client := range user1Clients {
|
||||
for _, peer := range user2Clients {
|
||||
fqdn, err := peer.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
|
||||
t.Logf("url from %s to %s", client.Hostname(), url)
|
||||
|
||||
result, err := client.Curl(url)
|
||||
assert.Len(t, result, 13)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -337,7 +337,7 @@ func TestACLAllowUser80Dst(t *testing.T) {
|
|||
for _, client := range user2Clients {
|
||||
for _, peer := range user1Clients {
|
||||
fqdn, err := peer.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
|
||||
t.Logf("url from %s to %s", client.Hostname(), url)
|
||||
|
|
@ -347,9 +347,6 @@ func TestACLAllowUser80Dst(t *testing.T) {
|
|||
assert.Error(t, err)
|
||||
}
|
||||
}
|
||||
|
||||
err = scenario.Shutdown()
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
|
||||
func TestACLDenyAllPort80(t *testing.T) {
|
||||
|
|
@ -370,12 +367,13 @@ func TestACLDenyAllPort80(t *testing.T) {
|
|||
},
|
||||
4,
|
||||
)
|
||||
defer scenario.Shutdown()
|
||||
|
||||
allClients, err := scenario.ListTailscaleClients()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
allHostnames, err := scenario.ListTailscaleClientsFQDNs()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
for _, client := range allClients {
|
||||
for _, hostname := range allHostnames {
|
||||
|
|
@ -393,9 +391,6 @@ func TestACLDenyAllPort80(t *testing.T) {
|
|||
assert.Error(t, err)
|
||||
}
|
||||
}
|
||||
|
||||
err = scenario.Shutdown()
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
|
||||
// Test to confirm that we can use user:* from one user.
|
||||
|
|
@ -416,25 +411,26 @@ func TestACLAllowUserDst(t *testing.T) {
|
|||
},
|
||||
2,
|
||||
)
|
||||
defer scenario.Shutdown()
|
||||
|
||||
user1Clients, err := scenario.ListTailscaleClients("user1")
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
user2Clients, err := scenario.ListTailscaleClients("user2")
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
// Test that user1 can visit all user2
|
||||
for _, client := range user1Clients {
|
||||
for _, peer := range user2Clients {
|
||||
fqdn, err := peer.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
|
||||
t.Logf("url from %s to %s", client.Hostname(), url)
|
||||
|
||||
result, err := client.Curl(url)
|
||||
assert.Len(t, result, 13)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -442,7 +438,7 @@ func TestACLAllowUserDst(t *testing.T) {
|
|||
for _, client := range user2Clients {
|
||||
for _, peer := range user1Clients {
|
||||
fqdn, err := peer.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
|
||||
t.Logf("url from %s to %s", client.Hostname(), url)
|
||||
|
|
@ -452,9 +448,6 @@ func TestACLAllowUserDst(t *testing.T) {
|
|||
assert.Error(t, err)
|
||||
}
|
||||
}
|
||||
|
||||
err = scenario.Shutdown()
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
|
||||
// Test to confirm that we can use *:* from one user
|
||||
|
|
@ -474,25 +467,26 @@ func TestACLAllowStarDst(t *testing.T) {
|
|||
},
|
||||
2,
|
||||
)
|
||||
defer scenario.Shutdown()
|
||||
|
||||
user1Clients, err := scenario.ListTailscaleClients("user1")
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
user2Clients, err := scenario.ListTailscaleClients("user2")
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
// Test that user1 can visit all user2
|
||||
for _, client := range user1Clients {
|
||||
for _, peer := range user2Clients {
|
||||
fqdn, err := peer.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
|
||||
t.Logf("url from %s to %s", client.Hostname(), url)
|
||||
|
||||
result, err := client.Curl(url)
|
||||
assert.Len(t, result, 13)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -500,7 +494,7 @@ func TestACLAllowStarDst(t *testing.T) {
|
|||
for _, client := range user2Clients {
|
||||
for _, peer := range user1Clients {
|
||||
fqdn, err := peer.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
|
||||
t.Logf("url from %s to %s", client.Hostname(), url)
|
||||
|
|
@ -510,9 +504,6 @@ func TestACLAllowStarDst(t *testing.T) {
|
|||
assert.Error(t, err)
|
||||
}
|
||||
}
|
||||
|
||||
err = scenario.Shutdown()
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
|
||||
// TestACLNamedHostsCanReachBySubnet is the same as
|
||||
|
|
@ -537,25 +528,26 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
|
|||
},
|
||||
3,
|
||||
)
|
||||
defer scenario.Shutdown()
|
||||
|
||||
user1Clients, err := scenario.ListTailscaleClients("user1")
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
user2Clients, err := scenario.ListTailscaleClients("user2")
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
// Test that user1 can visit all user2
|
||||
for _, client := range user1Clients {
|
||||
for _, peer := range user2Clients {
|
||||
fqdn, err := peer.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
|
||||
t.Logf("url from %s to %s", client.Hostname(), url)
|
||||
|
||||
result, err := client.Curl(url)
|
||||
assert.Len(t, result, 13)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -563,19 +555,16 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
|
|||
for _, client := range user2Clients {
|
||||
for _, peer := range user1Clients {
|
||||
fqdn, err := peer.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
|
||||
t.Logf("url from %s to %s", client.Hostname(), url)
|
||||
|
||||
result, err := client.Curl(url)
|
||||
assert.Len(t, result, 13)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
}
|
||||
}
|
||||
|
||||
err = scenario.Shutdown()
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
|
||||
// This test aims to cover cases where individual hosts are allowed and denied
|
||||
|
|
@ -677,16 +666,17 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
&testCase.policy,
|
||||
2,
|
||||
)
|
||||
defer scenario.Shutdown()
|
||||
|
||||
// Since user/users dont matter here, we basically expect that some clients
|
||||
// will be assigned these ips and that we can pick them up for our own use.
|
||||
test1ip4 := netip.MustParseAddr("100.64.0.1")
|
||||
test1ip6 := netip.MustParseAddr("fd7a:115c:a1e0::1")
|
||||
test1, err := scenario.FindTailscaleClientByIP(test1ip6)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
test1fqdn, err := test1.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
test1ip4URL := fmt.Sprintf("http://%s/etc/hostname", test1ip4.String())
|
||||
test1ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test1ip6.String())
|
||||
test1fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test1fqdn)
|
||||
|
|
@ -694,10 +684,10 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
test2ip4 := netip.MustParseAddr("100.64.0.2")
|
||||
test2ip6 := netip.MustParseAddr("fd7a:115c:a1e0::2")
|
||||
test2, err := scenario.FindTailscaleClientByIP(test2ip6)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
test2fqdn, err := test2.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
test2ip4URL := fmt.Sprintf("http://%s/etc/hostname", test2ip4.String())
|
||||
test2ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test2ip6.String())
|
||||
test2fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test2fqdn)
|
||||
|
|
@ -705,10 +695,10 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
test3ip4 := netip.MustParseAddr("100.64.0.3")
|
||||
test3ip6 := netip.MustParseAddr("fd7a:115c:a1e0::3")
|
||||
test3, err := scenario.FindTailscaleClientByIP(test3ip6)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
test3fqdn, err := test3.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
test3ip4URL := fmt.Sprintf("http://%s/etc/hostname", test3ip4.String())
|
||||
test3ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test3ip6.String())
|
||||
test3fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test3fqdn)
|
||||
|
|
@ -723,7 +713,7 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
test3ip4URL,
|
||||
result,
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
result, err = test1.Curl(test3ip6URL)
|
||||
assert.Lenf(
|
||||
|
|
@ -734,7 +724,7 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
test3ip6URL,
|
||||
result,
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
result, err = test1.Curl(test3fqdnURL)
|
||||
assert.Lenf(
|
||||
|
|
@ -745,7 +735,7 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
test3fqdnURL,
|
||||
result,
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
// test2 can query test3
|
||||
result, err = test2.Curl(test3ip4URL)
|
||||
|
|
@ -757,7 +747,7 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
test3ip4URL,
|
||||
result,
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
result, err = test2.Curl(test3ip6URL)
|
||||
assert.Lenf(
|
||||
|
|
@ -768,7 +758,7 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
test3ip6URL,
|
||||
result,
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
result, err = test2.Curl(test3fqdnURL)
|
||||
assert.Lenf(
|
||||
|
|
@ -779,7 +769,7 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
test3fqdnURL,
|
||||
result,
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
// test3 cannot query test1
|
||||
result, err = test3.Curl(test1ip4URL)
|
||||
|
|
@ -818,7 +808,7 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
result,
|
||||
)
|
||||
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
result, err = test1.Curl(test2ip6URL)
|
||||
assert.Lenf(
|
||||
t,
|
||||
|
|
@ -828,7 +818,7 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
test2ip6URL,
|
||||
result,
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
result, err = test1.Curl(test2fqdnURL)
|
||||
assert.Lenf(
|
||||
|
|
@ -839,7 +829,7 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
test2fqdnURL,
|
||||
result,
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
// test2 cannot query test1
|
||||
result, err = test2.Curl(test1ip4URL)
|
||||
|
|
@ -853,9 +843,6 @@ func TestACLNamedHostsCanReach(t *testing.T) {
|
|||
result, err = test2.Curl(test1fqdnURL)
|
||||
assert.Empty(t, result)
|
||||
assert.Error(t, err)
|
||||
|
||||
err = scenario.Shutdown()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
@ -953,10 +940,10 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
|
|||
test1ip6 := netip.MustParseAddr("fd7a:115c:a1e0::1")
|
||||
test1, err := scenario.FindTailscaleClientByIP(test1ip)
|
||||
assert.NotNil(t, test1)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
test1fqdn, err := test1.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
test1ipURL := fmt.Sprintf("http://%s/etc/hostname", test1ip.String())
|
||||
test1ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test1ip6.String())
|
||||
test1fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test1fqdn)
|
||||
|
|
@ -965,10 +952,10 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
|
|||
test2ip6 := netip.MustParseAddr("fd7a:115c:a1e0::2")
|
||||
test2, err := scenario.FindTailscaleClientByIP(test2ip)
|
||||
assert.NotNil(t, test2)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
test2fqdn, err := test2.FQDN()
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
test2ipURL := fmt.Sprintf("http://%s/etc/hostname", test2ip.String())
|
||||
test2ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test2ip6.String())
|
||||
test2fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test2fqdn)
|
||||
|
|
@ -983,7 +970,7 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
|
|||
test2ipURL,
|
||||
result,
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
result, err = test1.Curl(test2ip6URL)
|
||||
assert.Lenf(
|
||||
|
|
@ -994,7 +981,7 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
|
|||
test2ip6URL,
|
||||
result,
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
result, err = test1.Curl(test2fqdnURL)
|
||||
assert.Lenf(
|
||||
|
|
@ -1005,7 +992,7 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
|
|||
test2fqdnURL,
|
||||
result,
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
assertNoErr(t, err)
|
||||
|
||||
result, err = test2.Curl(test1ipURL)
|
||||
assert.Empty(t, result)
|
||||
|
|
@ -1018,9 +1005,6 @@ func TestACLDevice1CanAccessDevice2(t *testing.T) {
|
|||
result, err = test2.Curl(test1fqdnURL)
|
||||
assert.Empty(t, result)
|
||||
assert.Error(t, err)
|
||||
|
||||
err = scenario.Shutdown()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue