mirror of
https://github.com/juanfont/headscale.git
synced 2026-07-12 19:09:14 +09:00
128 lines
4.5 KiB
Go
128 lines
4.5 KiB
Go
package servertest_test
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/juanfont/headscale/hscontrol/servertest"
|
|
"github.com/juanfont/headscale/hscontrol/types"
|
|
"github.com/stretchr/testify/require"
|
|
"tailscale.com/tailcfg"
|
|
)
|
|
|
|
// TestSSHCheckReDelegatesWhenSessionMissing exercises the fix for
|
|
// https://github.com/juanfont/headscale/issues/3305 with a real control
|
|
// client. The dst node runs the SSH-check poll over its actual Noise
|
|
// connection: it first obtains a genuine HoldAndDelegate auth_id, that auth
|
|
// session is then dropped from the cache (as it would be on expiry, eviction,
|
|
// or a control-plane restart), and the follow-up poll for the now-missing
|
|
// session must re-delegate a fresh HoldAndDelegate rather than dead-ending the
|
|
// client with an error it keeps retrying until the SSH connection times out.
|
|
func TestSSHCheckReDelegatesWhenSessionMissing(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
h := servertest.NewHarness(t, 2)
|
|
|
|
srcID := types.NodeID(h.Client(0).Netmap().SelfNode.ID()) //nolint:gosec
|
|
dstID := types.NodeID(h.Client(1).Netmap().SelfNode.ID()) //nolint:gosec
|
|
|
|
// Subject the same-user (src, dst) pair to an SSH check.
|
|
h.ChangePolicy(t, []byte(`{
|
|
"ssh": [{
|
|
"action": "check",
|
|
"src": ["harness-default@"],
|
|
"dst": ["autogroup:self"],
|
|
"users": ["autogroup:nonroot"]
|
|
}]
|
|
}`))
|
|
|
|
// Sanity: the policy must actually subject this pair to a check, otherwise
|
|
// the test would pass for the wrong reason.
|
|
_, checkFound := h.Server.State().SSHCheckParams(srcID, dstID)
|
|
require.True(t, checkFound, "test setup: (src, dst) must be subject to an SSH check")
|
|
|
|
// The dst node's first poll yields a real HoldAndDelegate carrying a real,
|
|
// cached auth_id — nothing is fabricated.
|
|
initial := pollSSHAction(t, h.Server.URL, h.Client(1), srcID, dstID, "")
|
|
require.NotEmpty(t, initial.HoldAndDelegate, "initial poll must hold and delegate, got %+v", initial)
|
|
|
|
authID := authIDFromHoldURL(t, initial.HoldAndDelegate)
|
|
_, ok := h.Server.State().GetAuthCacheEntry(authID)
|
|
require.True(t, ok, "the auth session must be cached after the initial poll")
|
|
|
|
// Drop the session, reproducing a natural loss (expiry/eviction/restart).
|
|
h.Server.State().DeleteAuthCacheEntryForTest(authID)
|
|
_, ok = h.Server.State().GetAuthCacheEntry(authID)
|
|
require.False(t, ok, "the auth session must be gone before the follow-up poll")
|
|
|
|
// The follow-up poll carries the real auth_id whose session is now missing.
|
|
// With an active check the server must re-delegate a fresh session.
|
|
followUp := pollSSHAction(t, h.Server.URL, h.Client(1), srcID, dstID, authID.String())
|
|
require.NotEmpty(t, followUp.HoldAndDelegate,
|
|
"a missing session under an active check must re-delegate, got %+v", followUp)
|
|
|
|
require.NotEqual(t, authID, authIDFromHoldURL(t, followUp.HoldAndDelegate),
|
|
"re-delegation must mint a fresh auth_id")
|
|
}
|
|
|
|
// pollSSHAction issues an /machine/ssh/action poll from the given node over its
|
|
// real Noise connection, as tailscaled does. An empty authID is the initial
|
|
// poll; a non-empty one is a follow-up.
|
|
func pollSSHAction(
|
|
t *testing.T,
|
|
serverURL string,
|
|
node *servertest.TestClient,
|
|
srcID, dstID types.NodeID,
|
|
authID string,
|
|
) tailcfg.SSHAction {
|
|
t.Helper()
|
|
|
|
actionURL := fmt.Sprintf("%s/machine/ssh/action/%d/to/%d", serverURL, srcID, dstID)
|
|
if authID != "" {
|
|
actionURL += "?auth_id=" + authID
|
|
}
|
|
|
|
// Noise requests are addressed with the https scheme; the control client
|
|
// routes them over the established Noise connection (mirroring how
|
|
// controlclient issues its own register/map calls).
|
|
actionURL = strings.Replace(actionURL, "http://", "https://", 1)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
defer cancel()
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, actionURL, nil)
|
|
require.NoError(t, err)
|
|
|
|
resp, err := node.Direct().DoNoiseRequest(req)
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode, "ssh action poll must return 200")
|
|
|
|
var action tailcfg.SSHAction
|
|
require.NoError(t, json.NewDecoder(resp.Body).Decode(&action))
|
|
|
|
return action
|
|
}
|
|
|
|
// authIDFromHoldURL extracts the auth_id query parameter from a HoldAndDelegate
|
|
// URL.
|
|
func authIDFromHoldURL(t *testing.T, holdURL string) types.AuthID {
|
|
t.Helper()
|
|
|
|
u, err := url.Parse(holdURL)
|
|
require.NoError(t, err)
|
|
|
|
authID, err := types.AuthIDFromString(u.Query().Get("auth_id"))
|
|
require.NoError(t, err, "HoldAndDelegate URL missing a valid auth_id: %s", holdURL)
|
|
|
|
return authID
|
|
}
|