General fixups discovered by checking errors

There was a lot of tests that actually threw a lot of errors and that did not pass all the way because we didnt check everything. This commit should fix all of these cases. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2023-08-31 18:37:18 +02:00 · 2023-08-31 18:37:18 +02:00 · 1766e6b5df
parent f8a58aa15b
commit 1766e6b5df
11 changed files with 134 additions and 64 deletions
--- a/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
@ -1,7 +1,7 @@
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-name: Integration Test v2 - TestSSHOneUserAllToAll
+name: Integration Test v2 - TestSSHOneUserToAll
 on: [pull_request]
@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true
 jobs:
-  TestSSHOneUserAllToAll:
+  TestSSHOneUserToAll:
    runs-on: ubuntu-latest
    steps:
@ -34,7 +34,7 @@ jobs:
            integration_test/
            config-example.yaml
-      - name: Run TestSSHOneUserAllToAll
+      - name: Run TestSSHOneUserToAll
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@ -50,7 +50,7 @@ jobs:
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
-                  -run "^TestSSHOneUserAllToAll$"
+                  -run "^TestSSHOneUserToAll$"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
--- a/.github/workflows/test-integration-v2-TestSSHUserOnlyIsolation.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHUserOnlyIsolation.yaml
@ -1,7 +1,7 @@
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-name: Integration Test v2 - TestSSUserOnlyIsolation
+name: Integration Test v2 - TestSSHUserOnlyIsolation
 on: [pull_request]
@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true
 jobs:
-  TestSSUserOnlyIsolation:
+  TestSSHUserOnlyIsolation:
    runs-on: ubuntu-latest
    steps:
@ -34,7 +34,7 @@ jobs:
            integration_test/
            config-example.yaml
-      - name: Run TestSSUserOnlyIsolation
+      - name: Run TestSSHUserOnlyIsolation
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@ -50,7 +50,7 @@ jobs:
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
-                  -run "^TestSSUserOnlyIsolation$"
+                  -run "^TestSSHUserOnlyIsolation$"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -30,6 +30,7 @@ linters:
    - exhaustruct
    - nolintlint
    - musttag # causes issues with imported libs
    - depguard
    # deprecated
    - structcheck # replaced by unused
--- a/hscontrol/types/config.go
+++ b/hscontrol/types/config.go
@ -480,6 +480,8 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 			baseDomain = "headscale.net" // does not really matter when MagicDNS is not enabled
 		}
 		log.Trace().Interface("dns_config", dnsConfig).Msg("DNS configuration loaded")
 		return dnsConfig, baseDomain
 	}
--- a/integration/acl_test.go
+++ b/integration/acl_test.go
@ -61,6 +61,10 @@ func aclScenario(
 	err = scenario.CreateHeadscaleEnv(spec,
 		[]tsic.Option{
 			// Alpine containers dont have ip6tables set up, which causes
 			// tailscaled to stop configuring the wgengine, causing it
 			// to not configure DNS.
 			tsic.WithNetfilter("off"),
 			tsic.WithDockerEntrypoint([]string{
 				"/bin/sh",
 				"-c",
--- a/integration/auth_oidc_test.go
+++ b/integration/auth_oidc_test.go
@ -21,6 +21,7 @@ import (
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
 	"github.com/samber/lo"
 	"github.com/stretchr/testify/assert"
 )
 const (
@ -90,6 +91,7 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 }
 // This test is really flaky.
 func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()
@ -99,13 +101,15 @@ func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
 	baseScenario, err := NewScenario()
 	assertNoErr(t, err)
 	baseScenario.pool.MaxWait = 5 * time.Minute
 	scenario := AuthOIDCScenario{
 		Scenario: baseScenario,
 	}
 	defer scenario.Shutdown()
 	spec := map[string]int{
-		"user1": len(MustTestVersions),
+		"user1": 3,
 	}
 	oidcConfig, err := scenario.runMockOIDC(shortAccessTTL)
@ -143,9 +147,13 @@ func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
 	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d (before expiry)", success, len(allClients)*len(allIps))
-	// await all nodes being logged out after OIDC token expiry
+	// This is not great, but this sadly is a time dependent test, so the
-	err = scenario.WaitForTailscaleLogout()
+	// safe thing to do is wait out the whole TTL time before checking if
-	assertNoErrLogout(t, err)
+	// the clients have logged out. The Wait function cant do it itself
 	// as it has an upper bound of 1 min.
 	time.Sleep(shortAccessTTL)
 	assertTailscaleNodesLogout(t, allClients)
 }
 func (s *AuthOIDCScenario) CreateHeadscaleEnv(
@ -296,27 +304,40 @@ func (s *AuthOIDCScenario) runTailscaleUp(
 				log.Printf("%s login url: %s\n", c.Hostname(), loginURL.String())
-				httpClient := &http.Client{Transport: insecureTransport}
+				if err := s.pool.Retry(func() error {
-				ctx := context.Background()
+					log.Printf("%s logging in with url", c.Hostname())
-				req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
+					httpClient := &http.Client{Transport: insecureTransport}
-				resp, err := httpClient.Do(req)
+					ctx := context.Background()
-				if err != nil {
+					req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
-					log.Printf(
+					resp, err := httpClient.Do(req)
-						"%s failed to get login url %s: %s",
+					if err != nil {
-						c.Hostname(),
+						log.Printf(
-						loginURL,
+							"%s failed to login using url %s: %s",
-						err,
+							c.Hostname(),
-					)
+							loginURL,
 							err,
 						)
-					return err
+						return err
-				}
+					}
-				defer resp.Body.Close()
+					if resp.StatusCode != http.StatusOK {
 						log.Printf("%s response code of oidc login request was %s", c.Hostname(), resp.Status)
-				_, err = io.ReadAll(resp.Body)
+						return errStatusCodeNotOK
-				if err != nil {
+					}
 					log.Printf("%s failed to read response body: %s", c.Hostname(), err)
 					defer resp.Body.Close()
 					_, err = io.ReadAll(resp.Body)
 					if err != nil {
 						log.Printf("%s failed to read response body: %s", c.Hostname(), err)
 						return err
 					}
 					return nil
 				}); err != nil {
 					return err
 				}
@ -357,3 +378,14 @@ func (s *AuthOIDCScenario) Shutdown() {
 	s.Scenario.Shutdown()
 }
 func assertTailscaleNodesLogout(t *testing.T, clients []TailscaleClient) {
 	t.Helper()
 	for _, client := range clients {
 		status, err := client.Status()
 		assertNoErr(t, err)
 		assert.Equal(t, "NeedsLogin", status.BackendState)
 	}
 }
--- a/integration/scenario.go
+++ b/integration/scenario.go
@ -78,14 +78,14 @@ var (
 	)
 	// MustTestVersions is the minimum set of versions we should test.
-	// At the moment, this is arbitrarily choosen as:
+	// At the moment, this is arbitrarily chosen as:
 	//
 	// - Two unstable (HEAD and unstable)
 	// - Two latest versions
-	// - Two oldest versions
+	// - Two oldest versions.
 	MustTestVersions = append(
 		tailscaleVersions2021[0:4],
-		tailscaleVersions2019[len(tailscaleVersions2019)-2:len(tailscaleVersions2019)]...,
+		tailscaleVersions2019[len(tailscaleVersions2019)-2:]...,
 	)
 )
@ -573,7 +573,7 @@ func (s *Scenario) WaitForTailscaleLogout() error {
 		for _, client := range user.Clients {
 			c := client
 			user.syncWaitGroup.Go(func() error {
-				return c.WaitForLogout()
+				return c.WaitForNeedsLogin()
 			})
 		}
 		if err := user.syncWaitGroup.Wait(); err != nil {
--- a/integration/ssh_test.go
+++ b/integration/ssh_test.go
@ -2,6 +2,7 @@ package integration
 import (
 	"fmt"
 	"log"
 	"strings"
 	"testing"
 	"time"
@ -53,10 +54,16 @@ func sshScenario(t *testing.T, policy *policy.ACLPolicy, clientsPerUser int) *Sc
 	err = scenario.CreateHeadscaleEnv(spec,
 		[]tsic.Option{
 			tsic.WithSSH(),
 			// Alpine containers dont have ip6tables set up, which causes
 			// tailscaled to stop configuring the wgengine, causing it
 			// to not configure DNS.
 			tsic.WithNetfilter("off"),
 			tsic.WithDockerEntrypoint([]string{
 				"/bin/sh",
 				"-c",
-				"/bin/sleep 3 ; apk add openssh ; update-ca-certificates ; tailscaled --tun=tsdev",
+				"/bin/sleep 3 ; apk add openssh ; adduser ssh-it-user ; update-ca-certificates ; tailscaled --tun=tsdev",
 			}),
 			tsic.WithDockerWorkdir("/"),
 		},
@ -77,7 +84,7 @@ func sshScenario(t *testing.T, policy *policy.ACLPolicy, clientsPerUser int) *Sc
 	return scenario
 }
-func TestSSHOneUserAllToAll(t *testing.T) {
+func TestSSHOneUserToAll(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()
@ -97,7 +104,7 @@ func TestSSHOneUserAllToAll(t *testing.T) {
 				{
 					Action:       "accept",
 					Sources:      []string{"group:integration-test"},
-					Destinations: []string{"group:integration-test"},
+					Destinations: []string{"*"},
 					Users:        []string{"ssh-it-user"},
 				},
 			},
@ -109,13 +116,19 @@ func TestSSHOneUserAllToAll(t *testing.T) {
 	allClients, err := scenario.ListTailscaleClients()
 	assertNoErrListClients(t, err)
 	user1Clients, err := scenario.ListTailscaleClients("user1")
 	assertNoErrListClients(t, err)
 	user2Clients, err := scenario.ListTailscaleClients("user2")
 	assertNoErrListClients(t, err)
 	err = scenario.WaitForTailscaleSync()
 	assertNoErrSync(t, err)
 	_, err = scenario.ListTailscaleClientsFQDNs()
 	assertNoErrListFQDN(t, err)
-	for _, client := range allClients {
+	for _, client := range user1Clients {
 		for _, peer := range allClients {
 			if client.Hostname() == peer.Hostname() {
 				continue
@ -124,6 +137,16 @@ func TestSSHOneUserAllToAll(t *testing.T) {
 			assertSSHHostname(t, client, peer)
 		}
 	}
 	for _, client := range user2Clients {
 		for _, peer := range allClients {
 			if client.Hostname() == peer.Hostname() {
 				continue
 			}
 			assertSSHPermissionDenied(t, client, peer)
 		}
 	}
 }
 func TestSSHMultipleUsersAllToAll(t *testing.T) {
@ -270,7 +293,7 @@ func TestSSHIsBlockedInACL(t *testing.T) {
 	}
 }
-func TestSSUserOnlyIsolation(t *testing.T) {
+func TestSSHUserOnlyIsolation(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()
@ -365,11 +388,14 @@ func doSSH(t *testing.T, client TailscaleClient, peer TailscaleClient) (string,
 	peerFQDN, _ := peer.FQDN()
 	command := []string{
-		"ssh", "-o StrictHostKeyChecking=no", "-o ConnectTimeout=1",
+		"/usr/bin/ssh", "-o StrictHostKeyChecking=no", "-o ConnectTimeout=1",
 		fmt.Sprintf("%s@%s", "ssh-it-user", peerFQDN),
 		"'hostname'",
 	}
 	log.Printf("Running from %s to %s", client.Hostname(), peer.Hostname())
 	log.Printf("Command: %s", strings.Join(command, " "))
 	return retry(10, 1*time.Second, func() (string, string, error) {
 		return client.Execute(command)
 	})
@ -381,27 +407,28 @@ func assertSSHHostname(t *testing.T, client TailscaleClient, peer TailscaleClien
 	result, _, err := doSSH(t, client, peer)
 	assertNoErr(t, err)
-	assert.Contains(t, peer.ID(), strings.ReplaceAll(result, "\n", ""))
+	assertContains(t, peer.ID(), strings.ReplaceAll(result, "\n", ""))
 }
 func assertSSHPermissionDenied(t *testing.T, client TailscaleClient, peer TailscaleClient) {
 	t.Helper()
-	result, stderr, err := doSSH(t, client, peer)
+	result, stderr, _ := doSSH(t, client, peer)
 	assert.Error(t, err)
 	assert.Empty(t, result)
-	assert.Contains(t, stderr, "Permission denied (tailscale)")
+	assertContains(t, stderr, "Permission denied (tailscale)")
 }
 func assertSSHTimeout(t *testing.T, client TailscaleClient, peer TailscaleClient) {
 	t.Helper()
-	result, stderr, err := doSSH(t, client, peer)
+	result, stderr, _ := doSSH(t, client, peer)
 	assertNoErr(t, err)
 	assert.Empty(t, result)
-	assert.Contains(t, stderr, "Connection timed out")
+	if !strings.Contains(stderr, "Connection timed out") &&
 		!strings.Contains(stderr, "Operation timed out") {
 		t.Fatalf("connection did not time out")
 	}
 }
--- a/integration/tailscale.go
+++ b/integration/tailscale.go
@ -26,7 +26,6 @@ type TailscaleClient interface {
 	Status() (*ipnstate.Status, error)
 	WaitForNeedsLogin() error
 	WaitForRunning() error
 	WaitForLogout() error
 	WaitForPeers(expected int) error
 	Ping(hostnameOrIP string, opts ...tsic.PingOption) error
 	Curl(url string, opts ...tsic.CurlOption) (string, error)
--- a/integration/tsic/tsic.go
+++ b/integration/tsic/tsic.go
@ -35,7 +35,6 @@ var (
 	errTailscaleCannotUpWithoutAuthkey = errors.New("cannot up without authkey")
 	errTailscaleNotConnected           = errors.New("tailscale not connected")
 	errTailscaledNotReadyForLogin      = errors.New("tailscaled not ready for login")
 	errTailscaleNotLoggedOut           = errors.New("tailscale not logged out")
 )
 func errTailscaleStatus(hostname string, err error) error {
@ -64,6 +63,7 @@ type TailscaleInContainer struct {
 	withEntrypoint    []string
 	withExtraHosts    []string
 	workdir           string
 	netfilter         string
 }
 // Option represent optional settings that can be given to a
@ -148,6 +148,15 @@ func WithDockerEntrypoint(args []string) Option {
 	}
 }
 // WithNetfilter configures Tailscales parameter --netfilter-mode
 // allowing us to turn of modifying ip[6]tables/nftables.
 // It takes: "on", "off", "nodivert".
 func WithNetfilter(state string) Option {
 	return func(tsic *TailscaleInContainer) {
 		tsic.netfilter = state
 	}
 }
 // New returns a new TailscaleInContainer instance.
 func New(
 	pool *dockertest.Pool,
@ -340,6 +349,10 @@ func (t *TailscaleInContainer) Login(
 		command = append(command, "--ssh")
 	}
 	if t.netfilter != "" {
 		command = append(command, "--netfilter-mode="+t.netfilter)
 	}
 	if len(t.withTags) > 0 {
 		command = append(command,
 			fmt.Sprintf(`--advertise-tags=%s`, strings.Join(t.withTags, ",")),
@ -513,22 +526,6 @@ func (t *TailscaleInContainer) WaitForRunning() error {
 	})
 }
 // WaitForLogout blocks until the Tailscale instance has logged out.
 func (t *TailscaleInContainer) WaitForLogout() error {
 	return fmt.Errorf("%s err: %w", t.hostname, t.pool.Retry(func() error {
 		status, err := t.Status()
 		if err != nil {
 			return errTailscaleStatus(t.hostname, err)
 		}
 		if status.CurrentTailnet == nil {
 			return nil
 		}
 		return errTailscaleNotLoggedOut
 	}))
 }
 // WaitForPeers blocks until N number of peers is present in the
 // Peer list of the Tailscale instance.
 func (t *TailscaleInContainer) WaitForPeers(expected int) error {
--- a/integration/utils.go
+++ b/integration/utils.go
@ -1,6 +1,7 @@
 package integration
 import (
 	"strings"
 	"testing"
 	"time"
@ -59,6 +60,13 @@ func assertNoErrLogout(t *testing.T, err error) {
 	assertNoErrf(t, "failed to log out tailscale nodes: %s", err)
 }
 func assertContains(t *testing.T, str, subStr string) {
 	t.Helper()
 	if !strings.Contains(str, subStr) {
 		t.Fatalf("%#v does not contain %#v", str, subStr)
 	}
 }
 func pingAllHelper(t *testing.T, clients []TailscaleClient, addrs []string) int {
 	t.Helper()
 	success := 0