authorHenning Baldersheim <balder@yahoo-inc.com>2023-01-16 16:23:20 +0100
committerGitHub <noreply@github.com>2023-01-16 16:23:20 +0100
commit529acb49e1369a4bf1842cd7e84de91caf66b769 (patch)
tree7664a780d0e66281513d8fb21edec7278d5c2f23 /node-admin/src/test
parent2ee6905f0c6535fe95cc0516e4634f3ac37414b2 (diff)
Revert "open wireguard port for config servers (#25586)"
This reverts commit 2ee6905f0c6535fe95cc0516e4634f3ac37414b2.
Diffstat (limited to 'node-admin/src/test')
-rw-r--r--node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java115
1 files changed, 54 insertions, 61 deletions
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
index 0b0184975a0..9fbe22482ea 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
@@ -19,12 +19,12 @@ import static org.junit.jupiter.api.Assertions.assertEquals;
public class AclTest {
private static final Acl aclCommon = new Acl(
- Set.of(1234, 453), Set.of(4321),
+ Set.of(1234, 453),
testNodes(Set.of(), "192.1.2.2", "fb00::1", "fe80::2", "fe80::3"),
Set.of());
private static final Acl aclWithoutPorts = new Acl(
- Set.of(), Set.of(),
+ Set.of(),
testNodes(Set.of(), "192.1.2.2", "fb00::1", "fe80::2"),
Set.of());
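Review bot: The two fixtures `aclCommon` and `aclWithoutPorts` pass three unlabelled positional sets to `new Acl(...)`, so a reader of these firewall expectations has to open the constructor to see which set opens ports and which whitelists sources. Judging by the test names and the asserted rules, the order appears to be trusted ports, trusted nodes, trusted networks; that should be confirmed against `Acl`. A short comment above each fixture, for example `// args: trusted TCP ports, trusted nodes, trusted networks`, would make the fixtures self-explanatory. The class body continues outside this hunk.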
@@ -32,15 +32,14 @@ public class AclTest {
void no_trusted_ports() {
String listRulesIpv4 = String.join("\n", aclWithoutPorts.toRules(IPVersion.IPv4));
assertEquals(
- """
- -P INPUT ACCEPT
- -P FORWARD ACCEPT
- -P OUTPUT ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p icmp -j ACCEPT
- -A INPUT -s 192.1.2.2/32 -j ACCEPT
- -A INPUT -j REJECT --reject-with icmp-port-unreachable""",
+ "-P INPUT ACCEPT\n" +
+ "-P FORWARD ACCEPT\n" +
+ "-P OUTPUT ACCEPT\n" +
+ "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
+ "-A INPUT -i lo -j ACCEPT\n" +
+ "-A INPUT -p icmp -j ACCEPT\n" +
+ "-A INPUT -s 192.1.2.2/32 -j ACCEPT\n" +
+ "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
listRulesIpv4);
}
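Review bot: The expected rule list in `no_trusted_ports` goes back to `"...\n" +` concatenation, while later assertions in this file (the `assertEquals("""` context lines in the last two hunks) still use text blocks, so the file ends up with two styles for the same kind of expectation. What the revert needs is to drop the UDP port argument and the `-A INPUT -p udp -m multiport --dports 4321 -j ACCEPT` line; keeping the text blocks and deleting just that line would leave a smaller diff and make the accepted-traffic rules easier to audit line by line. The same applies to the hunks for `ipv4_rules`, `ipv6_rules` and `trusted_networks`. The method's annotation sits outside this hunk.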
@@ -48,17 +47,15 @@ public class AclTest {
void ipv4_rules() {
String listRulesIpv4 = String.join("\n", aclCommon.toRules(IPVersion.IPv4));
assertEquals(
- """
- -P INPUT ACCEPT
- -P FORWARD ACCEPT
- -P OUTPUT ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p icmp -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 453,1234 -j ACCEPT
- -A INPUT -p udp -m multiport --dports 4321 -j ACCEPT
- -A INPUT -s 192.1.2.2/32 -j ACCEPT
- -A INPUT -j REJECT --reject-with icmp-port-unreachable""",
+ "-P INPUT ACCEPT\n" +
+ "-P FORWARD ACCEPT\n" +
+ "-P OUTPUT ACCEPT\n" +
+ "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
+ "-A INPUT -i lo -j ACCEPT\n" +
+ "-A INPUT -p icmp -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 453,1234 -j ACCEPT\n" +
+ "-A INPUT -s 192.1.2.2/32 -j ACCEPT\n" +
+ "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
listRulesIpv4);
}
@@ -66,25 +63,23 @@ public class AclTest {
void ipv6_rules() {
String listRulesIpv6 = String.join("\n", aclCommon.toRules(IPVersion.IPv6));
assertEquals(
- """
- -P INPUT ACCEPT
- -P FORWARD ACCEPT
- -P OUTPUT ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p ipv6-icmp -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 453,1234 -j ACCEPT
- -A INPUT -p udp -m multiport --dports 4321 -j ACCEPT
- -A INPUT -s fb00::1/128 -j ACCEPT
- -A INPUT -s fe80::2/128 -j ACCEPT
- -A INPUT -s fe80::3/128 -j ACCEPT
- -A INPUT -j REJECT --reject-with icmp6-port-unreachable""", listRulesIpv6);
+ "-P INPUT ACCEPT\n" +
+ "-P FORWARD ACCEPT\n" +
+ "-P OUTPUT ACCEPT\n" +
+ "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
+ "-A INPUT -i lo -j ACCEPT\n" +
+ "-A INPUT -p ipv6-icmp -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 453,1234 -j ACCEPT\n" +
+ "-A INPUT -s fb00::1/128 -j ACCEPT\n" +
+ "-A INPUT -s fe80::2/128 -j ACCEPT\n" +
+ "-A INPUT -s fe80::3/128 -j ACCEPT\n" +
+ "-A INPUT -j REJECT --reject-with icmp6-port-unreachable", listRulesIpv6);
}
@Test
void ipv6_rules_stable_order() {
Acl aclCommonDifferentOrder = new Acl(
- Set.of(453, 1234), Set.of(4321),
+ Set.of(453, 1234),
testNodes(Set.of(), "fe80::2", "192.1.2.2", "fb00::1", "fe80::3"),
Set.of());
@@ -95,31 +90,29 @@ public class AclTest {
@Test
void trusted_networks() {
- Acl acl = new Acl(Set.of(4080), Set.of(), testNodes(Set.of(), "127.0.0.1"), Set.of("10.0.0.0/24", "2001:db8::/32"));
-
- assertEquals("""
- -P INPUT ACCEPT
- -P FORWARD ACCEPT
- -P OUTPUT ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p icmp -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 4080 -j ACCEPT
- -A INPUT -s 127.0.0.1/32 -j ACCEPT
- -A INPUT -s 10.0.0.0/24 -j ACCEPT
- -A INPUT -j REJECT --reject-with icmp-port-unreachable""",
+ Acl acl = new Acl(Set.of(4080), testNodes(Set.of(), "127.0.0.1"), Set.of("10.0.0.0/24", "2001:db8::/32"));
+
+ assertEquals("-P INPUT ACCEPT\n" +
+ "-P FORWARD ACCEPT\n" +
+ "-P OUTPUT ACCEPT\n" +
+ "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
+ "-A INPUT -i lo -j ACCEPT\n" +
+ "-A INPUT -p icmp -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 4080 -j ACCEPT\n" +
+ "-A INPUT -s 127.0.0.1/32 -j ACCEPT\n" +
+ "-A INPUT -s 10.0.0.0/24 -j ACCEPT\n" +
+ "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
String.join("\n", acl.toRules(IPVersion.IPv4)));
- assertEquals("""
- -P INPUT ACCEPT
- -P FORWARD ACCEPT
- -P OUTPUT ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p ipv6-icmp -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 4080 -j ACCEPT
- -A INPUT -s 2001:db8::/32 -j ACCEPT
- -A INPUT -j REJECT --reject-with icmp6-port-unreachable""",
+ assertEquals("-P INPUT ACCEPT\n" +
+ "-P FORWARD ACCEPT\n" +
+ "-P OUTPUT ACCEPT\n" +
+ "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
+ "-A INPUT -i lo -j ACCEPT\n" +
+ "-A INPUT -p ipv6-icmp -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 4080 -j ACCEPT\n" +
+ "-A INPUT -s 2001:db8::/32 -j ACCEPT\n" +
+ "-A INPUT -j REJECT --reject-with icmp6-port-unreachable",
String.join("\n", acl.toRules(IPVersion.IPv6)));
}
@@ -128,7 +121,7 @@ public class AclTest {
Set<Acl.Node> testNodes = Stream.concat(testNodes(NodeType.config, Set.of(), "172.17.0.41", "172.17.0.42", "172.17.0.43").stream(),
testNodes(NodeType.tenant, Set.of(19070), "172.17.0.81", "172.17.0.82", "172.17.0.83").stream())
.collect(Collectors.toSet());
- Acl acl = new Acl(Set.of(22, 4443), Set.of(), testNodes, Set.of());
+ Acl acl = new Acl(Set.of(22, 4443), testNodes, Set.of());
assertEquals("""
-P INPUT ACCEPT
-P FORWARD ACCEPT
@@ -149,7 +142,7 @@ public class AclTest {
Set<Acl.Node> testNodes2 = Stream.concat(testNodes(NodeType.config, Set.of(), "2001:db8::41", "2001:db8::42", "2001:db8::43").stream(),
testNodes(NodeType.tenant, Set.of(19070), "2001:db8::81", "2001:db8::82", "2001:db8::83").stream())
.collect(Collectors.toSet());
- Acl acl2 = new Acl(Set.of(22, 4443), Set.of(), testNodes2, Set.of());
+ Acl acl2 = new Acl(Set.of(22, 4443), testNodes2, Set.of());
assertEquals("""
-P INPUT ACCEPT