github.com/slackhq/nebula@v1.9.0/allow_list_test.go (about)

     1  package nebula
     2  
     3  import (
     4  	"net"
     5  	"regexp"
     6  	"testing"
     7  
     8  	"github.com/slackhq/nebula/cidr"
     9  	"github.com/slackhq/nebula/config"
    10  	"github.com/slackhq/nebula/test"
    11  	"github.com/stretchr/testify/assert"
    12  )
    13  
    14  func TestNewAllowListFromConfig(t *testing.T) {
    15  	l := test.NewLogger()
    16  	c := config.NewC(l)
    17  	c.Settings["allowlist"] = map[interface{}]interface{}{
    18  		"192.168.0.0": true,
    19  	}
    20  	r, err := newAllowListFromConfig(c, "allowlist", nil)
    21  	assert.EqualError(t, err, "config `allowlist` has invalid CIDR: 192.168.0.0")
    22  	assert.Nil(t, r)
    23  
    24  	c.Settings["allowlist"] = map[interface{}]interface{}{
    25  		"192.168.0.0/16": "abc",
    26  	}
    27  	r, err = newAllowListFromConfig(c, "allowlist", nil)
    28  	assert.EqualError(t, err, "config `allowlist` has invalid value (type string): abc")
    29  
    30  	c.Settings["allowlist"] = map[interface{}]interface{}{
    31  		"192.168.0.0/16": true,
    32  		"10.0.0.0/8":     false,
    33  	}
    34  	r, err = newAllowListFromConfig(c, "allowlist", nil)
    35  	assert.EqualError(t, err, "config `allowlist` contains both true and false rules, but no default set for 0.0.0.0/0")
    36  
    37  	c.Settings["allowlist"] = map[interface{}]interface{}{
    38  		"0.0.0.0/0":      true,
    39  		"10.0.0.0/8":     false,
    40  		"10.42.42.0/24":  true,
    41  		"fd00::/8":       true,
    42  		"fd00:fd00::/16": false,
    43  	}
    44  	r, err = newAllowListFromConfig(c, "allowlist", nil)
    45  	assert.EqualError(t, err, "config `allowlist` contains both true and false rules, but no default set for ::/0")
    46  
    47  	c.Settings["allowlist"] = map[interface{}]interface{}{
    48  		"0.0.0.0/0":     true,
    49  		"10.0.0.0/8":    false,
    50  		"10.42.42.0/24": true,
    51  	}
    52  	r, err = newAllowListFromConfig(c, "allowlist", nil)
    53  	if assert.NoError(t, err) {
    54  		assert.NotNil(t, r)
    55  	}
    56  
    57  	c.Settings["allowlist"] = map[interface{}]interface{}{
    58  		"0.0.0.0/0":      true,
    59  		"10.0.0.0/8":     false,
    60  		"10.42.42.0/24":  true,
    61  		"::/0":           false,
    62  		"fd00::/8":       true,
    63  		"fd00:fd00::/16": false,
    64  	}
    65  	r, err = newAllowListFromConfig(c, "allowlist", nil)
    66  	if assert.NoError(t, err) {
    67  		assert.NotNil(t, r)
    68  	}
    69  
    70  	// Test interface names
    71  
    72  	c.Settings["allowlist"] = map[interface{}]interface{}{
    73  		"interfaces": map[interface{}]interface{}{
    74  			`docker.*`: "foo",
    75  		},
    76  	}
    77  	lr, err := NewLocalAllowListFromConfig(c, "allowlist")
    78  	assert.EqualError(t, err, "config `allowlist.interfaces` has invalid value (type string): foo")
    79  
    80  	c.Settings["allowlist"] = map[interface{}]interface{}{
    81  		"interfaces": map[interface{}]interface{}{
    82  			`docker.*`: false,
    83  			`eth.*`:    true,
    84  		},
    85  	}
    86  	lr, err = NewLocalAllowListFromConfig(c, "allowlist")
    87  	assert.EqualError(t, err, "config `allowlist.interfaces` values must all be the same true/false value")
    88  
    89  	c.Settings["allowlist"] = map[interface{}]interface{}{
    90  		"interfaces": map[interface{}]interface{}{
    91  			`docker.*`: false,
    92  		},
    93  	}
    94  	lr, err = NewLocalAllowListFromConfig(c, "allowlist")
    95  	if assert.NoError(t, err) {
    96  		assert.NotNil(t, lr)
    97  	}
    98  }
    99  
   100  func TestAllowList_Allow(t *testing.T) {
   101  	assert.Equal(t, true, ((*AllowList)(nil)).Allow(net.ParseIP("1.1.1.1")))
   102  
   103  	tree := cidr.NewTree6[bool]()
   104  	tree.AddCIDR(cidr.Parse("0.0.0.0/0"), true)
   105  	tree.AddCIDR(cidr.Parse("10.0.0.0/8"), false)
   106  	tree.AddCIDR(cidr.Parse("10.42.42.42/32"), true)
   107  	tree.AddCIDR(cidr.Parse("10.42.0.0/16"), true)
   108  	tree.AddCIDR(cidr.Parse("10.42.42.0/24"), true)
   109  	tree.AddCIDR(cidr.Parse("10.42.42.0/24"), false)
   110  	tree.AddCIDR(cidr.Parse("::1/128"), true)
   111  	tree.AddCIDR(cidr.Parse("::2/128"), false)
   112  	al := &AllowList{cidrTree: tree}
   113  
   114  	assert.Equal(t, true, al.Allow(net.ParseIP("1.1.1.1")))
   115  	assert.Equal(t, false, al.Allow(net.ParseIP("10.0.0.4")))
   116  	assert.Equal(t, true, al.Allow(net.ParseIP("10.42.42.42")))
   117  	assert.Equal(t, false, al.Allow(net.ParseIP("10.42.42.41")))
   118  	assert.Equal(t, true, al.Allow(net.ParseIP("10.42.0.1")))
   119  	assert.Equal(t, true, al.Allow(net.ParseIP("::1")))
   120  	assert.Equal(t, false, al.Allow(net.ParseIP("::2")))
   121  }
   122  
   123  func TestLocalAllowList_AllowName(t *testing.T) {
   124  	assert.Equal(t, true, ((*LocalAllowList)(nil)).AllowName("docker0"))
   125  
   126  	rules := []AllowListNameRule{
   127  		{Name: regexp.MustCompile("^docker.*$"), Allow: false},
   128  		{Name: regexp.MustCompile("^tun.*$"), Allow: false},
   129  	}
   130  	al := &LocalAllowList{nameRules: rules}
   131  
   132  	assert.Equal(t, false, al.AllowName("docker0"))
   133  	assert.Equal(t, false, al.AllowName("tun0"))
   134  	assert.Equal(t, true, al.AllowName("eth0"))
   135  
   136  	rules = []AllowListNameRule{
   137  		{Name: regexp.MustCompile("^eth.*$"), Allow: true},
   138  		{Name: regexp.MustCompile("^ens.*$"), Allow: true},
   139  	}
   140  	al = &LocalAllowList{nameRules: rules}
   141  
   142  	assert.Equal(t, false, al.AllowName("docker0"))
   143  	assert.Equal(t, true, al.AllowName("eth0"))
   144  	assert.Equal(t, true, al.AllowName("ens5"))
   145  }