feat: support client verify for derp (add integration tests) (#2046)
* feat: support client verify for derp * docs: fix doc for integration test * tests: add integration test for DERP verify endpoint * tests: use `tailcfg.DERPMap` instead of `[]byte` * refactor: introduce func `ContainsNodeKey` * tests(dsic): use string builder for cmd args * ci: fix tests order * tests: fix derper failure * chore: cleanup * tests(verify-client): perfer to use `CreateHeadscaleEnv` * refactor(verify-client): simplify error handling * tests: fix `TestDERPVerifyEndpoint` * refactor: make `doVerify` a seperated func --------- Co-authored-by: 117503445 <t117503445@gmail.com>
This commit is contained in:
ArcticLampyrid
GitHub
parent
c6336adb01
commit
edf9e25001
14 changed files with 735 additions and 118 deletions
|
|
@ -33,7 +33,7 @@ const (
|
|||
defaultPingTimeout = 300 * time.Millisecond
|
||||
defaultPingCount = 10
|
||||
dockerContextPath = "../."
|
||||
headscaleCertPath = "/usr/local/share/ca-certificates/headscale.crt"
|
||||
caCertRoot = "/usr/local/share/ca-certificates"
|
||||
dockerExecuteTimeout = 60 * time.Second
|
||||
)
|
||||
|
||||
|
|
@ -71,7 +71,7 @@ type TailscaleInContainer struct {
|
|||
fqdn string
|
||||
|
||||
// optional config
|
||||
headscaleCert []byte
|
||||
caCerts [][]byte
|
||||
headscaleHostname string
|
||||
withWebsocketDERP bool
|
||||
withSSH bool
|
||||
|
|
@ -93,11 +93,10 @@ type TailscaleInContainerBuildConfig struct {
|
|||
// Tailscale instance.
|
||||
type Option = func(c *TailscaleInContainer)
|
||||
|
||||
// WithHeadscaleTLS takes the certificate of the Headscale instance
|
||||
// and adds it to the trusted surtificate of the Tailscale container.
|
||||
func WithHeadscaleTLS(cert []byte) Option {
|
||||
// WithCACert adds it to the trusted surtificate of the Tailscale container.
|
||||
func WithCACert(cert []byte) Option {
|
||||
return func(tsic *TailscaleInContainer) {
|
||||
tsic.headscaleCert = cert
|
||||
tsic.caCerts = append(tsic.caCerts, cert)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -126,7 +125,7 @@ func WithOrCreateNetwork(network *dockertest.Network) Option {
|
|||
}
|
||||
|
||||
// WithHeadscaleName set the name of the headscale instance,
|
||||
// mostly useful in combination with TLS and WithHeadscaleTLS.
|
||||
// mostly useful in combination with TLS and WithCACert.
|
||||
func WithHeadscaleName(hsName string) Option {
|
||||
return func(tsic *TailscaleInContainer) {
|
||||
tsic.headscaleHostname = hsName
|
||||
|
|
@ -260,12 +259,8 @@ func New(
|
|||
)
|
||||
}
|
||||
|
||||
if tsic.headscaleHostname != "" {
|
||||
tailscaleOptions.ExtraHosts = []string{
|
||||
"host.docker.internal:host-gateway",
|
||||
fmt.Sprintf("%s:host-gateway", tsic.headscaleHostname),
|
||||
}
|
||||
}
|
||||
tailscaleOptions.ExtraHosts = append(tailscaleOptions.ExtraHosts,
|
||||
"host.docker.internal:host-gateway")
|
||||
|
||||
if tsic.workdir != "" {
|
||||
tailscaleOptions.WorkingDir = tsic.workdir
|
||||
|
|
@ -351,8 +346,8 @@ func New(
|
|||
|
||||
tsic.container = container
|
||||
|
||||
if tsic.hasTLS() {
|
||||
err = tsic.WriteFile(headscaleCertPath, tsic.headscaleCert)
|
||||
for i, cert := range tsic.caCerts {
|
||||
err = tsic.WriteFile(fmt.Sprintf("%s/user-%d.crt", caCertRoot, i), cert)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
|
||||
}
|
||||
|
|
@ -361,10 +356,6 @@ func New(
|
|||
return tsic, nil
|
||||
}
|
||||
|
||||
func (t *TailscaleInContainer) hasTLS() bool {
|
||||
return len(t.headscaleCert) != 0
|
||||
}
|
||||
|
||||
// Shutdown stops and cleans up the Tailscale container.
|
||||
func (t *TailscaleInContainer) Shutdown() error {
|
||||
err := t.SaveLog("/tmp/control")
|
||||
|
|
@ -739,6 +730,34 @@ func (t *TailscaleInContainer) watchIPN(ctx context.Context) (*ipn.Notify, error
|
|||
}
|
||||
}
|
||||
|
||||
func (t *TailscaleInContainer) DebugDERPRegion(region string) (*ipnstate.DebugDERPRegionReport, error) {
|
||||
if !util.TailscaleVersionNewerOrEqual("1.34", t.version) {
|
||||
panic("tsic.DebugDERPRegion() called with unsupported version: " + t.version)
|
||||
}
|
||||
|
||||
command := []string{
|
||||
"tailscale",
|
||||
"debug",
|
||||
"derp",
|
||||
region,
|
||||
}
|
||||
|
||||
result, stderr, err := t.Execute(command)
|
||||
if err != nil {
|
||||
fmt.Printf("stderr: %s\n", stderr) // nolint
|
||||
|
||||
return nil, fmt.Errorf("failed to execute tailscale debug derp command: %w", err)
|
||||
}
|
||||
|
||||
var report ipnstate.DebugDERPRegionReport
|
||||
err = json.Unmarshal([]byte(result), &report)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to unmarshal tailscale derp region report: %w", err)
|
||||
}
|
||||
|
||||
return &report, err
|
||||
}
|
||||
|
||||
// Netcheck returns the current Netcheck Report (netcheck.Report) of the Tailscale instance.
|
||||
func (t *TailscaleInContainer) Netcheck() (*netcheck.Report, error) {
|
||||
command := []string{
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue