github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/controller/internal/enforcer/nfqdatapath/utils_test.go (about) 1 // +build linux 2 3 package nfqdatapath 4 5 import ( 6 "crypto/ecdsa" 7 "net" 8 "testing" 9 10 "github.com/golang/mock/gomock" 11 . "github.com/smartystreets/goconvey/convey" 12 "go.aporeto.io/enforcerd/trireme-lib/collector" 13 "go.aporeto.io/enforcerd/trireme-lib/collector/mockcollector" 14 "go.aporeto.io/enforcerd/trireme-lib/controller/constants" 15 "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection" 16 "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet" 17 "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext" 18 "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/mocksecrets" 19 "go.aporeto.io/enforcerd/trireme-lib/policy" 20 ) 21 22 var ( 23 srcAddress = net.ParseIP("1.1.1.1") 24 srcPort uint16 = 2000 25 srcID = "src5454" 26 dstAddress = net.ParseIP("2.2.2.2") 27 dstPort uint16 = 80 28 dstID = "dst4545" 29 ) 30 31 func setupDatapath(ctrl *gomock.Controller, collector collector.EventCollector) *Datapath { 32 33 defer MockGetUDPRawSocket()() 34 35 secrets := mocksecrets.NewMockSecrets(ctrl) 36 secrets.EXPECT().AckSize().Return(uint32(300)).AnyTimes() 37 secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes() 38 secrets.EXPECT().TransmittedKey().Return([]byte("dummy")).AnyTimes() 39 40 return newWithDefaults(ctrl, "serverID", collector, secrets, constants.RemoteContainer, []string{"1._,1.1.1/31"}, false) 41 } 42 43 func generateCommonTestData(action policy.ActionType, oaction policy.ObserveActionType) (*packet.Packet, *connection.TCPConnection, *connection.UDPConnection, *pucontext.PUContext, *policy.FlowPolicy) { // nolint 44 45 p := packet.TestGetTCPPacket(srcAddress, dstAddress, srcPort, dstPort) 46 47 tcpConn := &connection.TCPConnection{} 48 udpConn := &connection.UDPConnection{} 49 puContext := &pucontext.PUContext{} 50 policy := &policy.FlowPolicy{Action: action} 51 52 return p, tcpConn, udpConn, puContext, policy 53 } 54 55 func generateTestEndpoints(reverse bool) (*collector.EndPoint, *collector.EndPoint) { 56 57 src := &collector.EndPoint{ 58 IP: srcAddress.String(), 59 Port: srcPort, 60 ID: srcID, 61 } 62 dst := &collector.EndPoint{ 63 IP: dstAddress.String(), 64 Port: dstPort, 65 ID: dstID, 66 } 67 68 if reverse { 69 return dst, src 70 } 71 72 return src, dst 73 } 74 75 func TestReportAcceptedFlow(t *testing.T) { 76 77 ctrl := gomock.NewController(t) 78 defer ctrl.Finish() 79 80 mockCollector := mockcollector.NewMockEventCollector(ctrl) 81 82 Convey("Given I setup datapath", t, func() { 83 dp := setupDatapath(ctrl, mockCollector) 84 85 Convey("Then datapath should not be nil", func() { 86 So(dp, ShouldNotBeNil) 87 }) 88 89 Convey("Then check reportAcceptedFlow", func() { 90 91 src, dst := generateTestEndpoints(false) 92 93 flowRecord := collector.FlowRecord{ 94 Count: 1, 95 Source: *src, 96 Destination: *dst, 97 Action: policy.Accept, 98 } 99 100 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 101 102 p, conn, _, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone) 103 104 dp.reportAcceptedFlow(p, conn, srcID, dstID, context, policy, policy, false) 105 }) 106 107 Convey("Then check reportAcceptedFlow with same src dst ID", func() { 108 109 src, dst := generateTestEndpoints(false) 110 111 flowRecord := collector.FlowRecord{ 112 Count: 1, 113 Source: *src, 114 Destination: *dst, 115 Action: policy.Accept | policy.Log, 116 } 117 118 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 119 120 p, conn, _, context, policy := generateCommonTestData(policy.Accept|policy.Log, policy.ObserveNone) 121 122 dp.reportAcceptedFlow(p, conn, srcID, srcID, context, policy, policy, false) 123 }) 124 125 Convey("Then check reportAcceptedFlow with reverse", func() { 126 127 src, dst := generateTestEndpoints(true) 128 129 flowRecord := collector.FlowRecord{ 130 Count: 1, 131 Source: *src, 132 Destination: *dst, 133 Action: policy.Accept, 134 } 135 136 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 137 138 p, conn, _, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone) 139 140 dp.reportAcceptedFlow(p, conn, srcID, dstID, context, policy, policy, true) 141 }) 142 }) 143 } 144 145 func TestReportExternalServiceFlow(t *testing.T) { 146 147 ctrl := gomock.NewController(t) 148 defer ctrl.Finish() 149 150 mockCollector := mockcollector.NewMockEventCollector(ctrl) 151 152 Convey("Given I setup datapath", t, func() { 153 dp := setupDatapath(ctrl, mockCollector) 154 155 Convey("Then datapath should not be nil", func() { 156 So(dp, ShouldNotBeNil) 157 }) 158 159 Convey("Then check reportAcceptedFlow", func() { 160 161 src, dst := generateTestEndpoints(false) 162 163 flowRecord := collector.FlowRecord{ 164 Count: 1, 165 Source: *src, 166 Destination: *dst, 167 Action: policy.Accept, 168 } 169 170 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 171 172 p, _, _, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone) 173 174 dp.reportExternalServiceFlow(context, policy, policy, true, p) 175 }) 176 177 Convey("Then check reportAcceptedFlow reverse", func() { 178 179 src, dst := generateTestEndpoints(false) 180 181 flowRecord := collector.FlowRecord{ 182 Count: 1, 183 Source: *dst, 184 Destination: *src, 185 Action: policy.Reject, 186 DropReason: collector.PolicyDrop, 187 } 188 189 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 190 191 p, _, _, context, policy := generateCommonTestData(policy.Reject, policy.ObserveContinue) 192 193 dp.reportReverseExternalServiceFlow(context, policy, policy, false, p) 194 }) 195 }) 196 } 197 198 func TestReportUDPAcceptedFlow(t *testing.T) { 199 200 ctrl := gomock.NewController(t) 201 defer ctrl.Finish() 202 203 mockCollector := mockcollector.NewMockEventCollector(ctrl) 204 205 Convey("Given I setup datapath", t, func() { 206 dp := setupDatapath(ctrl, mockCollector) 207 208 Convey("Then datapath should not be nil", func() { 209 So(dp, ShouldNotBeNil) 210 }) 211 212 Convey("Then check reportAcceptedFlow", func() { 213 214 src, dst := generateTestEndpoints(false) 215 216 flowRecord := collector.FlowRecord{ 217 Count: 1, 218 Source: *src, 219 Destination: *dst, 220 Action: policy.Accept, 221 } 222 223 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 224 225 p, _, conn, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone) 226 227 dp.reportUDPAcceptedFlow(p, conn, srcID, dstID, context, policy, policy, false) 228 }) 229 230 Convey("Then check reportAcceptedFlow with reverse", func() { 231 232 src, dst := generateTestEndpoints(true) 233 234 flowRecord := collector.FlowRecord{ 235 Count: 1, 236 Source: *src, 237 Destination: *dst, 238 Action: policy.Accept, 239 } 240 241 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 242 243 p, _, conn, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone) 244 245 dp.reportUDPAcceptedFlow(p, conn, srcID, dstID, context, policy, policy, true) 246 }) 247 }) 248 } 249 250 func TestReportRejectedFlow(t *testing.T) { 251 252 ctrl := gomock.NewController(t) 253 defer ctrl.Finish() 254 255 mockCollector := mockcollector.NewMockEventCollector(ctrl) 256 257 Convey("Given I setup datapath", t, func() { 258 dp := setupDatapath(ctrl, mockCollector) 259 260 Convey("Then datapath should not be nil", func() { 261 So(dp, ShouldNotBeNil) 262 }) 263 264 Convey("Then check reportRejectedFlow", func() { 265 266 src, dst := generateTestEndpoints(false) 267 268 flowRecord := collector.FlowRecord{ 269 Count: 1, 270 Source: *src, 271 Destination: *dst, 272 Action: policy.Reject, 273 DropReason: collector.PolicyDrop, 274 } 275 276 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 277 278 p, conn, _, context, policy := generateCommonTestData(policy.Reject, policy.ObserveNone) 279 280 dp.reportRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, policy, policy, false) 281 }) 282 283 Convey("Then check reportRejectedFlow with report and packet policy nil", func() { 284 285 src, dst := generateTestEndpoints(false) 286 287 flowRecord := collector.FlowRecord{ 288 Count: 1, 289 Source: *src, 290 Destination: *dst, 291 Action: policy.Reject | policy.Log, 292 DropReason: collector.PolicyDrop, 293 } 294 295 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 296 297 p, conn, _, context, _ := generateCommonTestData(policy.Reject|policy.Log, policy.ObserveNone) 298 299 dp.reportRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, nil, nil, false) 300 }) 301 302 Convey("Then check reportRejectedFlow with reverse", func() { 303 304 src, dst := generateTestEndpoints(true) 305 306 flowRecord := collector.FlowRecord{ 307 Count: 1, 308 Source: *src, 309 Destination: *dst, 310 Action: policy.Reject, 311 DropReason: collector.PolicyDrop, 312 } 313 314 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 315 316 p, conn, _, context, policy := generateCommonTestData(policy.Reject, policy.ObserveNone) 317 318 dp.reportRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, policy, policy, true) 319 }) 320 }) 321 } 322 323 func TestReportUDPRejectedFlow(t *testing.T) { 324 325 ctrl := gomock.NewController(t) 326 defer ctrl.Finish() 327 328 mockCollector := mockcollector.NewMockEventCollector(ctrl) 329 330 Convey("Given I setup datapath", t, func() { 331 dp := setupDatapath(ctrl, mockCollector) 332 333 Convey("Then datapath should not be nil", func() { 334 So(dp, ShouldNotBeNil) 335 }) 336 337 Convey("Then check reportRejectedFlow", func() { 338 339 src, dst := generateTestEndpoints(false) 340 341 flowRecord := collector.FlowRecord{ 342 Count: 1, 343 Source: *src, 344 Destination: *dst, 345 Action: policy.Reject, 346 DropReason: collector.PolicyDrop, 347 } 348 349 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 350 351 p, _, conn, context, policy := generateCommonTestData(policy.Reject, policy.ObserveNone) 352 353 dp.reportUDPRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, policy, policy, false) 354 }) 355 356 Convey("Then check reportRejectedFlow with policy and packet policy nil", func() { 357 358 src, dst := generateTestEndpoints(false) 359 360 flowRecord := collector.FlowRecord{ 361 Count: 1, 362 Source: *src, 363 Destination: *dst, 364 Action: policy.Reject | policy.Log, 365 DropReason: collector.PolicyDrop, 366 } 367 368 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 369 370 p, _, conn, context, _ := generateCommonTestData(policy.Reject|policy.Log, policy.ObserveNone) 371 372 dp.reportUDPRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, nil, nil, false) 373 }) 374 375 Convey("Then check reportRejectedFlow with reverse", func() { 376 377 src, dst := generateTestEndpoints(true) 378 379 flowRecord := collector.FlowRecord{ 380 Count: 1, 381 Source: *src, 382 Destination: *dst, 383 Action: policy.Reject, 384 DropReason: collector.PolicyDrop, 385 } 386 387 mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1) 388 389 p, _, conn, context, policy := generateCommonTestData(policy.Reject, policy.ObserveNone) 390 391 dp.reportUDPRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, policy, policy, true) 392 }) 393 }) 394 } 395 396 func TestReportDefaultEndpoint(t *testing.T) { 397 398 ctrl := gomock.NewController(t) 399 defer ctrl.Finish() 400 401 mockCollector := mockcollector.NewMockEventCollector(ctrl) 402 403 Convey("Given I setup datapath", t, func() { 404 dp := setupDatapath(ctrl, mockCollector) 405 406 Convey("Then datapath should not be nil", func() { 407 So(dp, ShouldNotBeNil) 408 }) 409 410 Convey("Then check reportRejectedFlow with dest ID set to default", func() { 411 412 src, dst := generateTestEndpoints(false) 413 src.Type = collector.EndPointTypePU 414 dst.ID = collector.DefaultEndPoint 415 dst.Type = collector.EndPointTypeExternalIP 416 417 flowRecord := collector.FlowRecord{ 418 Count: 1, 419 Source: *src, 420 Destination: *dst, 421 Action: policy.Reject, 422 DropReason: collector.PolicyDrop, 423 } 424 425 mockCollector.EXPECT().CollectFlowEvent(EndpointTypeMatcher(&flowRecord)).Times(1) 426 427 p, conn, _, context, policy := generateCommonTestData(policy.Reject, policy.ObserveNone) 428 429 dp.reportRejectedFlow(p, conn, src.ID, dst.ID, context, collector.PolicyDrop, policy, policy, false) 430 }) 431 432 Convey("Then check reportAcceptedFlow with src ID set to default", func() { 433 434 src, dst := generateTestEndpoints(false) 435 dst.Type = collector.EndPointTypePU 436 src.ID = collector.DefaultEndPoint 437 src.Type = collector.EndPointTypeExternalIP 438 439 flowRecord := collector.FlowRecord{ 440 Count: 1, 441 Source: *src, 442 Destination: *dst, 443 Action: policy.Accept, 444 } 445 446 mockCollector.EXPECT().CollectFlowEvent(EndpointTypeMatcher(&flowRecord)).Times(1) 447 448 p, conn, _, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone) 449 450 dp.reportAcceptedFlow(p, conn, src.ID, dst.ID, context, policy, policy, false) 451 }) 452 }) 453 }