github.com/slackhq/nebula@v1.9.0/allow_list_test.go (about) 1 package nebula 2 3 import ( 4 "net" 5 "regexp" 6 "testing" 7 8 "github.com/slackhq/nebula/cidr" 9 "github.com/slackhq/nebula/config" 10 "github.com/slackhq/nebula/test" 11 "github.com/stretchr/testify/assert" 12 ) 13 14 func TestNewAllowListFromConfig(t *testing.T) { 15 l := test.NewLogger() 16 c := config.NewC(l) 17 c.Settings["allowlist"] = map[interface{}]interface{}{ 18 "192.168.0.0": true, 19 } 20 r, err := newAllowListFromConfig(c, "allowlist", nil) 21 assert.EqualError(t, err, "config `allowlist` has invalid CIDR: 192.168.0.0") 22 assert.Nil(t, r) 23 24 c.Settings["allowlist"] = map[interface{}]interface{}{ 25 "192.168.0.0/16": "abc", 26 } 27 r, err = newAllowListFromConfig(c, "allowlist", nil) 28 assert.EqualError(t, err, "config `allowlist` has invalid value (type string): abc") 29 30 c.Settings["allowlist"] = map[interface{}]interface{}{ 31 "192.168.0.0/16": true, 32 "10.0.0.0/8": false, 33 } 34 r, err = newAllowListFromConfig(c, "allowlist", nil) 35 assert.EqualError(t, err, "config `allowlist` contains both true and false rules, but no default set for 0.0.0.0/0") 36 37 c.Settings["allowlist"] = map[interface{}]interface{}{ 38 "0.0.0.0/0": true, 39 "10.0.0.0/8": false, 40 "10.42.42.0/24": true, 41 "fd00::/8": true, 42 "fd00:fd00::/16": false, 43 } 44 r, err = newAllowListFromConfig(c, "allowlist", nil) 45 assert.EqualError(t, err, "config `allowlist` contains both true and false rules, but no default set for ::/0") 46 47 c.Settings["allowlist"] = map[interface{}]interface{}{ 48 "0.0.0.0/0": true, 49 "10.0.0.0/8": false, 50 "10.42.42.0/24": true, 51 } 52 r, err = newAllowListFromConfig(c, "allowlist", nil) 53 if assert.NoError(t, err) { 54 assert.NotNil(t, r) 55 } 56 57 c.Settings["allowlist"] = map[interface{}]interface{}{ 58 "0.0.0.0/0": true, 59 "10.0.0.0/8": false, 60 "10.42.42.0/24": true, 61 "::/0": false, 62 "fd00::/8": true, 63 "fd00:fd00::/16": false, 64 } 65 r, err = newAllowListFromConfig(c, "allowlist", nil) 66 if assert.NoError(t, err) { 67 assert.NotNil(t, r) 68 } 69 70 // Test interface names 71 72 c.Settings["allowlist"] = map[interface{}]interface{}{ 73 "interfaces": map[interface{}]interface{}{ 74 `docker.*`: "foo", 75 }, 76 } 77 lr, err := NewLocalAllowListFromConfig(c, "allowlist") 78 assert.EqualError(t, err, "config `allowlist.interfaces` has invalid value (type string): foo") 79 80 c.Settings["allowlist"] = map[interface{}]interface{}{ 81 "interfaces": map[interface{}]interface{}{ 82 `docker.*`: false, 83 `eth.*`: true, 84 }, 85 } 86 lr, err = NewLocalAllowListFromConfig(c, "allowlist") 87 assert.EqualError(t, err, "config `allowlist.interfaces` values must all be the same true/false value") 88 89 c.Settings["allowlist"] = map[interface{}]interface{}{ 90 "interfaces": map[interface{}]interface{}{ 91 `docker.*`: false, 92 }, 93 } 94 lr, err = NewLocalAllowListFromConfig(c, "allowlist") 95 if assert.NoError(t, err) { 96 assert.NotNil(t, lr) 97 } 98 } 99 100 func TestAllowList_Allow(t *testing.T) { 101 assert.Equal(t, true, ((*AllowList)(nil)).Allow(net.ParseIP("1.1.1.1"))) 102 103 tree := cidr.NewTree6[bool]() 104 tree.AddCIDR(cidr.Parse("0.0.0.0/0"), true) 105 tree.AddCIDR(cidr.Parse("10.0.0.0/8"), false) 106 tree.AddCIDR(cidr.Parse("10.42.42.42/32"), true) 107 tree.AddCIDR(cidr.Parse("10.42.0.0/16"), true) 108 tree.AddCIDR(cidr.Parse("10.42.42.0/24"), true) 109 tree.AddCIDR(cidr.Parse("10.42.42.0/24"), false) 110 tree.AddCIDR(cidr.Parse("::1/128"), true) 111 tree.AddCIDR(cidr.Parse("::2/128"), false) 112 al := &AllowList{cidrTree: tree} 113 114 assert.Equal(t, true, al.Allow(net.ParseIP("1.1.1.1"))) 115 assert.Equal(t, false, al.Allow(net.ParseIP("10.0.0.4"))) 116 assert.Equal(t, true, al.Allow(net.ParseIP("10.42.42.42"))) 117 assert.Equal(t, false, al.Allow(net.ParseIP("10.42.42.41"))) 118 assert.Equal(t, true, al.Allow(net.ParseIP("10.42.0.1"))) 119 assert.Equal(t, true, al.Allow(net.ParseIP("::1"))) 120 assert.Equal(t, false, al.Allow(net.ParseIP("::2"))) 121 } 122 123 func TestLocalAllowList_AllowName(t *testing.T) { 124 assert.Equal(t, true, ((*LocalAllowList)(nil)).AllowName("docker0")) 125 126 rules := []AllowListNameRule{ 127 {Name: regexp.MustCompile("^docker.*$"), Allow: false}, 128 {Name: regexp.MustCompile("^tun.*$"), Allow: false}, 129 } 130 al := &LocalAllowList{nameRules: rules} 131 132 assert.Equal(t, false, al.AllowName("docker0")) 133 assert.Equal(t, false, al.AllowName("tun0")) 134 assert.Equal(t, true, al.AllowName("eth0")) 135 136 rules = []AllowListNameRule{ 137 {Name: regexp.MustCompile("^eth.*$"), Allow: true}, 138 {Name: regexp.MustCompile("^ens.*$"), Allow: true}, 139 } 140 al = &LocalAllowList{nameRules: rules} 141 142 assert.Equal(t, false, al.AllowName("docker0")) 143 assert.Equal(t, true, al.AllowName("eth0")) 144 assert.Equal(t, true, al.AllowName("ens5")) 145 }