package nebula import ( "net" "regexp" "testing" "github.com/slackhq/nebula/cidr" "github.com/slackhq/nebula/config" "github.com/slackhq/nebula/test" "github.com/stretchr/testify/assert" ) func TestNewAllowListFromConfig(t *testing.T) { l := test.NewLogger() c := config.NewC(l) c.Settings["allowlist"] = map[interface{}]interface{}{ "192.168.0.0": true, } r, err := newAllowListFromConfig(c, "allowlist", nil) assert.EqualError(t, err, "config `allowlist` has invalid CIDR: 192.168.0.0") assert.Nil(t, r) c.Settings["allowlist"] = map[interface{}]interface{}{ "192.168.0.0/16": "abc", } r, err = newAllowListFromConfig(c, "allowlist", nil) assert.EqualError(t, err, "config `allowlist` has invalid value (type string): abc") c.Settings["allowlist"] = map[interface{}]interface{}{ "192.168.0.0/16": true, "10.0.0.0/8": false, } r, err = newAllowListFromConfig(c, "allowlist", nil) assert.EqualError(t, err, "config `allowlist` contains both true and false rules, but no default set for 0.0.0.0/0") c.Settings["allowlist"] = map[interface{}]interface{}{ "0.0.0.0/0": true, "10.0.0.0/8": false, "10.42.42.0/24": true, "fd00::/8": true, "fd00:fd00::/16": false, } r, err = newAllowListFromConfig(c, "allowlist", nil) assert.EqualError(t, err, "config `allowlist` contains both true and false rules, but no default set for ::/0") c.Settings["allowlist"] = map[interface{}]interface{}{ "0.0.0.0/0": true, "10.0.0.0/8": false, "10.42.42.0/24": true, } r, err = newAllowListFromConfig(c, "allowlist", nil) if assert.NoError(t, err) { assert.NotNil(t, r) } c.Settings["allowlist"] = map[interface{}]interface{}{ "0.0.0.0/0": true, "10.0.0.0/8": false, "10.42.42.0/24": true, "::/0": false, "fd00::/8": true, "fd00:fd00::/16": false, } r, err = newAllowListFromConfig(c, "allowlist", nil) if assert.NoError(t, err) { assert.NotNil(t, r) } // Test interface names c.Settings["allowlist"] = map[interface{}]interface{}{ "interfaces": map[interface{}]interface{}{ `docker.*`: "foo", }, } lr, err := NewLocalAllowListFromConfig(c, "allowlist") assert.EqualError(t, err, "config `allowlist.interfaces` has invalid value (type string): foo") c.Settings["allowlist"] = map[interface{}]interface{}{ "interfaces": map[interface{}]interface{}{ `docker.*`: false, `eth.*`: true, }, } lr, err = NewLocalAllowListFromConfig(c, "allowlist") assert.EqualError(t, err, "config `allowlist.interfaces` values must all be the same true/false value") c.Settings["allowlist"] = map[interface{}]interface{}{ "interfaces": map[interface{}]interface{}{ `docker.*`: false, }, } lr, err = NewLocalAllowListFromConfig(c, "allowlist") if assert.NoError(t, err) { assert.NotNil(t, lr) } } func TestAllowList_Allow(t *testing.T) { assert.Equal(t, true, ((*AllowList)(nil)).Allow(net.ParseIP("1.1.1.1"))) tree := cidr.NewTree6() tree.AddCIDR(cidr.Parse("0.0.0.0/0"), true) tree.AddCIDR(cidr.Parse("10.0.0.0/8"), false) tree.AddCIDR(cidr.Parse("10.42.42.42/32"), true) tree.AddCIDR(cidr.Parse("10.42.0.0/16"), true) tree.AddCIDR(cidr.Parse("10.42.42.0/24"), true) tree.AddCIDR(cidr.Parse("10.42.42.0/24"), false) tree.AddCIDR(cidr.Parse("::1/128"), true) tree.AddCIDR(cidr.Parse("::2/128"), false) al := &AllowList{cidrTree: tree} assert.Equal(t, true, al.Allow(net.ParseIP("1.1.1.1"))) assert.Equal(t, false, al.Allow(net.ParseIP("10.0.0.4"))) assert.Equal(t, true, al.Allow(net.ParseIP("10.42.42.42"))) assert.Equal(t, false, al.Allow(net.ParseIP("10.42.42.41"))) assert.Equal(t, true, al.Allow(net.ParseIP("10.42.0.1"))) assert.Equal(t, true, al.Allow(net.ParseIP("::1"))) assert.Equal(t, false, al.Allow(net.ParseIP("::2"))) } func TestLocalAllowList_AllowName(t *testing.T) { assert.Equal(t, true, ((*LocalAllowList)(nil)).AllowName("docker0")) rules := []AllowListNameRule{ {Name: regexp.MustCompile("^docker.*$"), Allow: false}, {Name: regexp.MustCompile("^tun.*$"), Allow: false}, } al := &LocalAllowList{nameRules: rules} assert.Equal(t, false, al.AllowName("docker0")) assert.Equal(t, false, al.AllowName("tun0")) assert.Equal(t, true, al.AllowName("eth0")) rules = []AllowListNameRule{ {Name: regexp.MustCompile("^eth.*$"), Allow: true}, {Name: regexp.MustCompile("^ens.*$"), Allow: true}, } al = &LocalAllowList{nameRules: rules} assert.Equal(t, false, al.AllowName("docker0")) assert.Equal(t, true, al.AllowName("eth0")) assert.Equal(t, true, al.AllowName("ens5")) }