ipn/ipnlocal: reduce profileManager boilerplate in network-lock tests

Updates tailscale/corp#33537

Signed-off-by: Alex Chan <alexc@tailscale.com>
Alex Chan 2025-11-19 09:41:43 +00:00 committed by Alex Chan
parent 62d64c05e1
commit aeda3e8183


@ -37,13 +37,12 @@ import (
"tailscale.com/types/netmap" "tailscale.com/types/netmap"
"tailscale.com/types/persist" "tailscale.com/types/persist"
"tailscale.com/types/tkatype" "tailscale.com/types/tkatype"
"tailscale.com/util/eventbus"
"tailscale.com/util/eventbus/eventbustest" "tailscale.com/util/eventbus/eventbustest"
"tailscale.com/util/must" "tailscale.com/util/must"
"tailscale.com/util/set" "tailscale.com/util/set"
) )
func fakeControlClient(t *testing.T, c *http.Client) (*controlclient.Auto, *eventbus.Bus) { func fakeControlClient(t *testing.T, c *http.Client) *controlclient.Auto {
hi := hostinfo.New() hi := hostinfo.New()
ni := tailcfg.NetInfo{LinkType: "wired"} ni := tailcfg.NetInfo{LinkType: "wired"}
hi.NetInfo = &ni hi.NetInfo = &ni
@ -51,7 +50,6 @@ func fakeControlClient(t *testing.T, c *http.Client) (*controlclient.Auto, *even
k := key.NewMachine() k := key.NewMachine()
dialer := tsdial.NewDialer(netmon.NewStatic()) dialer := tsdial.NewDialer(netmon.NewStatic())
dialer.SetBus(bus)
opts := controlclient.Options{ opts := controlclient.Options{
ServerURL: "https://example.com", ServerURL: "https://example.com",
Hostinfo: hi, Hostinfo: hi,
@ -70,10 +68,11 @@ func fakeControlClient(t *testing.T, c *http.Client) (*controlclient.Auto, *even
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
return cc, bus return cc
} }
func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server, *http.Client) { func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server, *http.Client) {
t.Helper()
ts := httptest.NewUnstartedServer(handler) ts := httptest.NewUnstartedServer(handler)
ts.StartTLS() ts.StartTLS()
client := ts.Client() client := ts.Client()
@ -84,6 +83,17 @@ func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server,
return ts, client return ts, client
} }
func setupProfileManager(t *testing.T, nodePriv key.NodePrivate, nlPriv key.NLPrivate) *profileManager {
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(eventbustest.NewBus(t))))
must.Do(pm.SetPrefs((&ipn.Prefs{
Persist: &persist.Persist{
PrivateNodeKey: nodePriv,
NetworkLockKey: nlPriv,
},
}).View(), ipn.NetworkProfile{}))
return pm
}
func TestTKAEnablementFlow(t *testing.T) { func TestTKAEnablementFlow(t *testing.T) {
nodePriv := key.NewNode() nodePriv := key.NewNode()
@ -158,14 +168,8 @@ func TestTKAEnablementFlow(t *testing.T) {
defer ts.Close() defer ts.Close()
temp := t.TempDir() temp := t.TempDir()
cc, bus := fakeControlClient(t, client) cc := fakeControlClient(t, client)
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(bus))) pm := setupProfileManager(t, nodePriv, nlPriv)
must.Do(pm.SetPrefs((&ipn.Prefs{
Persist: &persist.Persist{
PrivateNodeKey: nodePriv,
NetworkLockKey: nlPriv,
},
}).View(), ipn.NetworkProfile{}))
b := LocalBackend{ b := LocalBackend{
capTailnetLock: true, capTailnetLock: true,
varRoot: temp, varRoot: temp,
@ -199,13 +203,7 @@ func TestTKADisablementFlow(t *testing.T) {
nlPriv := key.NewNLPrivate() nlPriv := key.NewNLPrivate()
key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2} key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(eventbustest.NewBus(t)))) pm := setupProfileManager(t, nodePriv, nlPriv)
must.Do(pm.SetPrefs((&ipn.Prefs{
Persist: &persist.Persist{
PrivateNodeKey: nodePriv,
NetworkLockKey: nlPriv,
},
}).View(), ipn.NetworkProfile{}))
temp := t.TempDir() temp := t.TempDir()
tkaPath := filepath.Join(temp, "tka-profile", string(pm.CurrentProfile().ID())) tkaPath := filepath.Join(temp, "tka-profile", string(pm.CurrentProfile().ID()))
@ -267,7 +265,7 @@ func TestTKADisablementFlow(t *testing.T) {
})) }))
defer ts.Close() defer ts.Close()
cc, _ := fakeControlClient(t, client) cc := fakeControlClient(t, client)
b := LocalBackend{ b := LocalBackend{
varRoot: temp, varRoot: temp,
cc: cc, cc: cc,
@ -391,13 +389,7 @@ func TestTKASync(t *testing.T) {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
nodePriv := key.NewNode() nodePriv := key.NewNode()
nlPriv := key.NewNLPrivate() nlPriv := key.NewNLPrivate()
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(eventbustest.NewBus(t)))) pm := setupProfileManager(t, nodePriv, nlPriv)
must.Do(pm.SetPrefs((&ipn.Prefs{
Persist: &persist.Persist{
PrivateNodeKey: nodePriv,
NetworkLockKey: nlPriv,
},
}).View(), ipn.NetworkProfile{}))
// Setup the tka authority on the control plane. // Setup the tka authority on the control plane.
key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2} key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
@ -518,7 +510,7 @@ func TestTKASync(t *testing.T) {
defer ts.Close() defer ts.Close()
// Setup the client. // Setup the client.
cc, _ := fakeControlClient(t, client) cc := fakeControlClient(t, client)
b := LocalBackend{ b := LocalBackend{
varRoot: temp, varRoot: temp,
cc: cc, cc: cc,
@ -560,13 +552,7 @@ func TestTKASyncTriggersCompact(t *testing.T) {
nodePriv := key.NewNode() nodePriv := key.NewNode()
nlPriv := key.NewNLPrivate() nlPriv := key.NewNLPrivate()
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(eventbustest.NewBus(t)))) pm := setupProfileManager(t, nodePriv, nlPriv)
must.Do(pm.SetPrefs((&ipn.Prefs{
Persist: &persist.Persist{
PrivateNodeKey: nodePriv,
NetworkLockKey: nlPriv,
},
}).View(), ipn.NetworkProfile{}))
// Create a clock, and roll it back by 30 days. // Create a clock, and roll it back by 30 days.
// //
@ -702,7 +688,7 @@ func TestTKASyncTriggersCompact(t *testing.T) {
defer ts.Close() defer ts.Close()
// Setup the client. // Setup the client.
cc, _ := fakeControlClient(t, client) cc := fakeControlClient(t, client)
b := LocalBackend{ b := LocalBackend{
cc: cc, cc: cc,
ccAuto: cc, ccAuto: cc,
@ -923,13 +909,7 @@ func TestTKADisable(t *testing.T) {
disablementSecret := bytes.Repeat([]byte{0xa5}, 32) disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
nlPriv := key.NewNLPrivate() nlPriv := key.NewNLPrivate()
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(eventbustest.NewBus(t)))) pm := setupProfileManager(t, nodePriv, nlPriv)
must.Do(pm.SetPrefs((&ipn.Prefs{
Persist: &persist.Persist{
PrivateNodeKey: nodePriv,
NetworkLockKey: nlPriv,
},
}).View(), ipn.NetworkProfile{}))
temp := t.TempDir() temp := t.TempDir()
tkaPath := filepath.Join(temp, "tka-profile", string(pm.CurrentProfile().ID())) tkaPath := filepath.Join(temp, "tka-profile", string(pm.CurrentProfile().ID()))
@ -985,7 +965,7 @@ func TestTKADisable(t *testing.T) {
})) }))
defer ts.Close() defer ts.Close()
cc, _ := fakeControlClient(t, client) cc := fakeControlClient(t, client)
b := LocalBackend{ b := LocalBackend{
varRoot: temp, varRoot: temp,
cc: cc, cc: cc,
@ -1014,13 +994,7 @@ func TestTKASign(t *testing.T) {
toSign := key.NewNode() toSign := key.NewNode()
nlPriv := key.NewNLPrivate() nlPriv := key.NewNLPrivate()
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(eventbustest.NewBus(t)))) pm := setupProfileManager(t, nodePriv, nlPriv)
must.Do(pm.SetPrefs((&ipn.Prefs{
Persist: &persist.Persist{
PrivateNodeKey: nodePriv,
NetworkLockKey: nlPriv,
},
}).View(), ipn.NetworkProfile{}))
// Make a fake TKA authority, to seed local state. // Make a fake TKA authority, to seed local state.
disablementSecret := bytes.Repeat([]byte{0xa5}, 32) disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
@ -1076,7 +1050,7 @@ func TestTKASign(t *testing.T) {
} }
})) }))
defer ts.Close() defer ts.Close()
cc, _ := fakeControlClient(t, client) cc := fakeControlClient(t, client)
b := LocalBackend{ b := LocalBackend{
varRoot: temp, varRoot: temp,
cc: cc, cc: cc,
@ -1103,13 +1077,7 @@ func TestTKAForceDisable(t *testing.T) {
nlPriv := key.NewNLPrivate() nlPriv := key.NewNLPrivate()
key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2} key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(eventbustest.NewBus(t)))) pm := setupProfileManager(t, nodePriv, nlPriv)
must.Do(pm.SetPrefs((&ipn.Prefs{
Persist: &persist.Persist{
PrivateNodeKey: nodePriv,
NetworkLockKey: nlPriv,
},
}).View(), ipn.NetworkProfile{}))
temp := t.TempDir() temp := t.TempDir()
tkaPath := filepath.Join(temp, "tka-profile", string(pm.CurrentProfile().ID())) tkaPath := filepath.Join(temp, "tka-profile", string(pm.CurrentProfile().ID()))
@ -1156,7 +1124,7 @@ func TestTKAForceDisable(t *testing.T) {
})) }))
defer ts.Close() defer ts.Close()
cc, _ := fakeControlClient(t, client) cc := fakeControlClient(t, client)
sys := tsd.NewSystem() sys := tsd.NewSystem()
sys.Set(pm.Store()) sys.Set(pm.Store())
@ -1201,13 +1169,7 @@ func TestTKAAffectedSigs(t *testing.T) {
// toSign := key.NewNode() // toSign := key.NewNode()
nlPriv := key.NewNLPrivate() nlPriv := key.NewNLPrivate()
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(eventbustest.NewBus(t)))) pm := setupProfileManager(t, nodePriv, nlPriv)
must.Do(pm.SetPrefs((&ipn.Prefs{
Persist: &persist.Persist{
PrivateNodeKey: nodePriv,
NetworkLockKey: nlPriv,
},
}).View(), ipn.NetworkProfile{}))
// Make a fake TKA authority, to seed local state. // Make a fake TKA authority, to seed local state.
disablementSecret := bytes.Repeat([]byte{0xa5}, 32) disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
@ -1292,7 +1254,7 @@ func TestTKAAffectedSigs(t *testing.T) {
} }
})) }))
defer ts.Close() defer ts.Close()
cc, _ := fakeControlClient(t, client) cc := fakeControlClient(t, client)
b := LocalBackend{ b := LocalBackend{
varRoot: temp, varRoot: temp,
cc: cc, cc: cc,
@ -1334,13 +1296,7 @@ func TestTKARecoverCompromisedKeyFlow(t *testing.T) {
cosignPriv := key.NewNLPrivate() cosignPriv := key.NewNLPrivate()
compromisedPriv := key.NewNLPrivate() compromisedPriv := key.NewNLPrivate()
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(eventbustest.NewBus(t)))) pm := setupProfileManager(t, nodePriv, nlPriv)
must.Do(pm.SetPrefs((&ipn.Prefs{
Persist: &persist.Persist{
PrivateNodeKey: nodePriv,
NetworkLockKey: nlPriv,
},
}).View(), ipn.NetworkProfile{}))
// Make a fake TKA authority, to seed local state. // Make a fake TKA authority, to seed local state.
disablementSecret := bytes.Repeat([]byte{0xa5}, 32) disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
@ -1404,7 +1360,7 @@ func TestTKARecoverCompromisedKeyFlow(t *testing.T) {
} }
})) }))
defer ts.Close() defer ts.Close()
cc, _ := fakeControlClient(t, client) cc := fakeControlClient(t, client)
b := LocalBackend{ b := LocalBackend{
varRoot: temp, varRoot: temp,
cc: cc, cc: cc,
@ -1425,13 +1381,7 @@ func TestTKARecoverCompromisedKeyFlow(t *testing.T) {
// Cosign using the cosigning key. // Cosign using the cosigning key.
{ {
pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(eventbustest.NewBus(t)))) pm := setupProfileManager(t, nodePriv, cosignPriv)
must.Do(pm.SetPrefs((&ipn.Prefs{
Persist: &persist.Persist{
PrivateNodeKey: nodePriv,
NetworkLockKey: cosignPriv,
},
}).View(), ipn.NetworkProfile{}))
b := LocalBackend{ b := LocalBackend{
varRoot: temp, varRoot: temp,
logf: t.Logf, logf: t.Logf,
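Review bot: The new `setupProfileManager` helper has no doc comment and does not call `t.Helper()`, although the same change adds `t.Helper()` to `fakeNoiseServer`. I would open it with `t.Helper()` and add `// setupProfileManager returns a profileManager backed by an in-memory store whose prefs persist nodePriv and nlPriv as the node and network-lock keys.` Two edits also go beyond removing boilerplate: `dialer.SetBus(bus)` is dropped from `fakeControlClient`, and in `TestTKAEnablementFlow` the health tracker now gets a fresh `eventbustest.NewBus(t)` instead of the bus that `fakeControlClient` used to return. If both are intentional they deserve a line in the commit message, because these fixtures back the tailnet-lock enablement, signing and key-recovery tests, where a silent wiring change is easy to miss. The rest of `fakeControlClient` lies outside the visible hunks, so whether `bus` is still used there cannot be confirmed from this page.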