2023-03-28 18:39:22 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
2023-08-11 13:12:13 +00:00
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
2023-03-28 18:39:22 +00:00
|
|
|
|
2019-08-19 18:03:03 +00:00
|
|
|
package connect
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
2022-05-25 17:37:44 +00:00
|
|
|
|
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2019-08-19 18:03:03 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
testTrustDomain1 = "5fcd4b81-a2ca-405a-ac62-0fac602c1949.consul"
|
|
|
|
|
testTrustDomain2 = "d2e1a32e-5733-47f2-a9dd-6cf271aab5b7.consul"
|
|
|
|
|
|
2021-09-01 14:35:39 +00:00
|
|
|
testTrustDomainSuffix1 = internal + ".5fcd4b81-a2ca-405a-ac62-0fac602c1949.consul"
|
|
|
|
|
testTrustDomainSuffix1WithPart = internalVersion + ".5fcd4b81-a2ca-405a-ac62-0fac602c1949.consul"
|
|
|
|
|
testTrustDomainSuffix2 = internal + ".d2e1a32e-5733-47f2-a9dd-6cf271aab5b7.consul"
|
|
|
|
|
testTrustDomainSuffix2WithPart = internalVersion + ".d2e1a32e-5733-47f2-a9dd-6cf271aab5b7.consul"
|
2019-08-19 18:03:03 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestUpstreamSNI(t *testing.T) {
|
|
|
|
|
newup := func(typ, name, ns, dc string) *structs.Upstream {
|
|
|
|
|
u := &structs.Upstream{
|
|
|
|
|
DestinationType: typ,
|
|
|
|
|
DestinationNamespace: ns,
|
|
|
|
|
DestinationName: name,
|
|
|
|
|
Datacenter: dc,
|
|
|
|
|
LocalBindPort: 9999, // required
|
|
|
|
|
}
|
|
|
|
|
require.NoError(t, u.Validate())
|
|
|
|
|
return u
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
t.Run("service", func(t *testing.T) {
|
|
|
|
|
// empty namespace, empty subset, empty dc
|
|
|
|
|
require.Equal(t, "api.default.foo."+testTrustDomainSuffix1,
|
|
|
|
|
UpstreamSNI(newup(structs.UpstreamDestTypeService,
|
|
|
|
|
"api", "", "",
|
|
|
|
|
), "", "foo", testTrustDomain1))
|
|
|
|
|
|
|
|
|
|
// empty namespace, empty subset, set dc
|
|
|
|
|
require.Equal(t, "api.default.bar."+testTrustDomainSuffix1,
|
|
|
|
|
UpstreamSNI(newup(structs.UpstreamDestTypeService,
|
|
|
|
|
"api", "", "bar",
|
|
|
|
|
), "", "foo", testTrustDomain1))
|
|
|
|
|
|
|
|
|
|
// set namespace, empty subset, empty dc
|
|
|
|
|
require.Equal(t, "api.neighbor.foo."+testTrustDomainSuffix2,
|
|
|
|
|
UpstreamSNI(newup(structs.UpstreamDestTypeService,
|
|
|
|
|
"api", "neighbor", "",
|
|
|
|
|
), "", "foo", testTrustDomain2))
|
|
|
|
|
|
|
|
|
|
// set namespace, empty subset, set dc
|
|
|
|
|
require.Equal(t, "api.neighbor.bar."+testTrustDomainSuffix2,
|
|
|
|
|
UpstreamSNI(newup(structs.UpstreamDestTypeService,
|
|
|
|
|
"api", "neighbor", "bar",
|
|
|
|
|
), "", "foo", testTrustDomain2))
|
|
|
|
|
|
|
|
|
|
// empty namespace, set subset, empty dc
|
|
|
|
|
require.Equal(t, "v2.api.default.foo."+testTrustDomainSuffix1,
|
|
|
|
|
UpstreamSNI(newup(structs.UpstreamDestTypeService,
|
|
|
|
|
"api", "", "",
|
|
|
|
|
), "v2", "foo", testTrustDomain1))
|
|
|
|
|
|
|
|
|
|
// empty namespace, set subset, set dc
|
|
|
|
|
require.Equal(t, "v2.api.default.bar."+testTrustDomainSuffix1,
|
|
|
|
|
UpstreamSNI(newup(structs.UpstreamDestTypeService,
|
|
|
|
|
"api", "", "bar",
|
|
|
|
|
), "v2", "foo", testTrustDomain1))
|
|
|
|
|
|
|
|
|
|
// set namespace, set subset, empty dc
|
|
|
|
|
require.Equal(t, "canary.api.neighbor.foo."+testTrustDomainSuffix2,
|
|
|
|
|
UpstreamSNI(newup(structs.UpstreamDestTypeService,
|
|
|
|
|
"api", "neighbor", "",
|
|
|
|
|
), "canary", "foo", testTrustDomain2))
|
|
|
|
|
|
|
|
|
|
// set namespace, set subset, set dc
|
|
|
|
|
require.Equal(t, "canary.api.neighbor.bar."+testTrustDomainSuffix2,
|
|
|
|
|
UpstreamSNI(newup(structs.UpstreamDestTypeService,
|
|
|
|
|
"api", "neighbor", "bar",
|
|
|
|
|
), "canary", "foo", testTrustDomain2))
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
t.Run("prepared query", func(t *testing.T) {
|
|
|
|
|
// empty dc
|
|
|
|
|
require.Equal(t, "magicquery.default.foo.query."+testTrustDomain1,
|
|
|
|
|
UpstreamSNI(newup(structs.UpstreamDestTypePreparedQuery,
|
|
|
|
|
"magicquery", "", "",
|
|
|
|
|
), "", "foo", testTrustDomain1))
|
|
|
|
|
|
|
|
|
|
// set dc
|
|
|
|
|
require.Equal(t, "magicquery.default.bar.query."+testTrustDomain2,
|
|
|
|
|
UpstreamSNI(newup(structs.UpstreamDestTypePreparedQuery,
|
|
|
|
|
"magicquery", "", "bar",
|
|
|
|
|
), "", "foo", testTrustDomain2))
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-24 15:16:28 +00:00
|
|
|
func TestGatewaySNI(t *testing.T) {
|
|
|
|
|
type testCase struct {
|
|
|
|
|
name string
|
|
|
|
|
dc string
|
|
|
|
|
trustDomain string
|
|
|
|
|
expect string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
run := func(t *testing.T, tc testCase) {
|
|
|
|
|
got := GatewaySNI(tc.dc, "", tc.trustDomain)
|
|
|
|
|
require.Equal(t, tc.expect, got)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cases := []testCase{
|
|
|
|
|
{
|
|
|
|
|
name: "foo in domain1",
|
|
|
|
|
dc: "foo",
|
|
|
|
|
trustDomain: "domain1",
|
|
|
|
|
expect: "foo.internal.domain1",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "bar in domain2",
|
|
|
|
|
dc: "bar",
|
|
|
|
|
trustDomain: "domain2",
|
|
|
|
|
expect: "bar.internal.domain2",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, c := range cases {
|
|
|
|
|
t.Run(c.name, func(t *testing.T) {
|
|
|
|
|
run(t, c)
|
|
|
|
|
})
|
|
|
|
|
}
|
2019-08-19 18:03:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestServiceSNI(t *testing.T) {
|
|
|
|
|
// empty namespace, empty subset
|
|
|
|
|
require.Equal(t, "api.default.foo."+testTrustDomainSuffix1,
|
2021-09-01 14:35:39 +00:00
|
|
|
ServiceSNI("api", "", "", "", "foo", testTrustDomain1))
|
2019-08-19 18:03:03 +00:00
|
|
|
|
|
|
|
|
// set namespace, empty subset
|
|
|
|
|
require.Equal(t, "api.neighbor.foo."+testTrustDomainSuffix2,
|
2021-09-01 14:35:39 +00:00
|
|
|
ServiceSNI("api", "", "neighbor", "", "foo", testTrustDomain2))
|
2019-08-19 18:03:03 +00:00
|
|
|
|
|
|
|
|
// empty namespace, set subset
|
|
|
|
|
require.Equal(t, "v2.api.default.foo."+testTrustDomainSuffix1,
|
2021-09-01 14:35:39 +00:00
|
|
|
ServiceSNI("api", "v2", "", "", "foo", testTrustDomain1))
|
2019-08-19 18:03:03 +00:00
|
|
|
|
|
|
|
|
// set namespace, set subset
|
|
|
|
|
require.Equal(t, "canary.api.neighbor.foo."+testTrustDomainSuffix2,
|
2021-09-01 14:35:39 +00:00
|
|
|
ServiceSNI("api", "canary", "neighbor", "", "foo", testTrustDomain2))
|
|
|
|
|
|
|
|
|
|
// empty namespace, empty subset, set partition
|
|
|
|
|
require.Equal(t, "api.default.part1.foo."+testTrustDomainSuffix1WithPart,
|
|
|
|
|
ServiceSNI("api", "", "", "part1", "foo", testTrustDomain1))
|
|
|
|
|
|
|
|
|
|
// set namespace, empty subset, set partition
|
|
|
|
|
require.Equal(t, "api.neighbor.part1.foo."+testTrustDomainSuffix2WithPart,
|
|
|
|
|
ServiceSNI("api", "", "neighbor", "part1", "foo", testTrustDomain2))
|
|
|
|
|
|
|
|
|
|
// empty namespace, set subset, set partition
|
|
|
|
|
require.Equal(t, "v2.api.default.part1.foo."+testTrustDomainSuffix1WithPart,
|
|
|
|
|
ServiceSNI("api", "v2", "", "part1", "foo", testTrustDomain1))
|
|
|
|
|
|
|
|
|
|
// set namespace, set subset, set partition
|
|
|
|
|
require.Equal(t, "canary.api.neighbor.part1.foo."+testTrustDomainSuffix2WithPart,
|
|
|
|
|
ServiceSNI("api", "canary", "neighbor", "part1", "foo", testTrustDomain2))
|
2019-08-19 18:03:03 +00:00
|
|
|
}
|
|
|
|
|
|
2022-05-25 17:37:44 +00:00
|
|
|
func TestPeeredServiceSNI(t *testing.T) {
|
|
|
|
|
require.Equal(t, "api.billing.default.webstuff.external."+testTrustDomainSuffix1,
|
|
|
|
|
PeeredServiceSNI("api", "billing", "", "webstuff", testTrustDomainSuffix1))
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-19 18:03:03 +00:00
|
|
|
func TestQuerySNI(t *testing.T) {
|
|
|
|
|
require.Equal(t, "magicquery.default.foo.query."+testTrustDomain1,
|
|
|
|
|
QuerySNI("magicquery", "foo", testTrustDomain1))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestTargetSNI(t *testing.T) {
|
|
|
|
|
// empty namespace, empty subset
|
|
|
|
|
require.Equal(t, "api.default.foo."+testTrustDomainSuffix1,
|
2022-08-23 13:13:43 +00:00
|
|
|
TargetSNI(structs.NewDiscoveryTarget(structs.DiscoveryTargetOpts{
|
|
|
|
|
Service: "api",
|
|
|
|
|
Partition: "default",
|
|
|
|
|
Datacenter: "foo",
|
|
|
|
|
}), testTrustDomain1))
|
2021-09-07 20:29:32 +00:00
|
|
|
|
|
|
|
|
require.Equal(t, "api.default.foo."+testTrustDomainSuffix1,
|
2022-08-23 13:13:43 +00:00
|
|
|
TargetSNI(structs.NewDiscoveryTarget(structs.DiscoveryTargetOpts{
|
|
|
|
|
Service: "api",
|
|
|
|
|
Datacenter: "foo",
|
|
|
|
|
}), testTrustDomain1))
|
2019-08-19 18:03:03 +00:00
|
|
|
|
|
|
|
|
// set namespace, empty subset
|
|
|
|
|
require.Equal(t, "api.neighbor.foo."+testTrustDomainSuffix2,
|
2022-08-23 13:13:43 +00:00
|
|
|
TargetSNI(structs.NewDiscoveryTarget(structs.DiscoveryTargetOpts{
|
|
|
|
|
Service: "api",
|
|
|
|
|
Namespace: "neighbor",
|
|
|
|
|
Partition: "default",
|
|
|
|
|
Datacenter: "foo",
|
|
|
|
|
}), testTrustDomain2))
|
2019-08-19 18:03:03 +00:00
|
|
|
|
|
|
|
|
// empty namespace, set subset
|
|
|
|
|
require.Equal(t, "v2.api.default.foo."+testTrustDomainSuffix1,
|
2022-08-23 13:13:43 +00:00
|
|
|
TargetSNI(structs.NewDiscoveryTarget(structs.DiscoveryTargetOpts{
|
|
|
|
|
Service: "api",
|
|
|
|
|
ServiceSubset: "v2",
|
|
|
|
|
Partition: "default",
|
|
|
|
|
Datacenter: "foo",
|
|
|
|
|
}), testTrustDomain1))
|
2019-08-19 18:03:03 +00:00
|
|
|
|
|
|
|
|
// set namespace, set subset
|
|
|
|
|
require.Equal(t, "canary.api.neighbor.foo."+testTrustDomainSuffix2,
|
2022-08-23 13:13:43 +00:00
|
|
|
TargetSNI(structs.NewDiscoveryTarget(structs.DiscoveryTargetOpts{
|
|
|
|
|
Service: "api",
|
|
|
|
|
ServiceSubset: "canary",
|
|
|
|
|
Namespace: "neighbor",
|
|
|
|
|
Partition: "default",
|
|
|
|
|
Datacenter: "foo",
|
|
|
|
|
}), testTrustDomain2))
|
2019-08-19 18:03:03 +00:00
|
|
|
}
|
