Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove TestTwoClustersTunnel integration test. #9802

Merged
merged 2 commits into from
Jan 19, 2022
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
229 changes: 0 additions & 229 deletions integration/integration_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@ import (
"bufio"
"bytes"
"context"
"crypto/x509"
"encoding/json"
"fmt"
"io"
Expand All @@ -45,7 +44,6 @@ import (
"golang.org/x/crypto/ssh"

"github.com/gravitational/teleport"
apidefaults "github.com/gravitational/teleport/api/defaults"
"github.com/gravitational/teleport/api/profile"
"github.com/gravitational/teleport/api/types"
apievents "github.com/gravitational/teleport/api/types/events"
Expand Down Expand Up @@ -1469,233 +1467,6 @@ func (s *IntSuite) TestInvalidLogins(c *check.C) {
c.Assert(err, check.ErrorMatches, "cluster wrong-site not found")
}

// TestTwoClustersTunnel creates two teleport clusters: "a" and "b" and creates a
// tunnel from A to B.
//
// Two tests are run, first is when both A and B record sessions at nodes. It
// executes an SSH command on A by connecting directly to A and by connecting
// to B via B<->A tunnel. All sessions should end up in A.
//
// In the second test, sessions are recorded at B. All sessions still show up on
// A (they are Teleport nodes) but in addition, two show up on B when connecting
// over the B<->A tunnel because sessions are recorded at the proxy.
func (s *IntSuite) TestTwoClustersTunnel(c *check.C) {
s.setUpTest(c)
defer s.tearDownTest(c)

tr := utils.NewTracer(utils.ThisFunction()).Start()
defer tr.Stop()

now := time.Now().In(time.UTC).Round(time.Second)

var tests = []struct {
inRecordLocation string
outExecCountSiteA int
outExecCountSiteB int
}{
// normal teleport. since all events are recorded at the node, all events
// end up on site-a and none on site-b.
{
services.RecordAtNode,
3,
0,
},
// recording proxy. since events are recorded at the proxy, 3 events end up
// on site-a (because it's a teleport node so it still records at the node)
// and 2 events end up on site-b because it's recording.
{
services.RecordAtProxy,
3,
2,
},
}

for _, tt := range tests {
s.twoClustersTunnel(c, now, tt.inRecordLocation, tt.outExecCountSiteA, tt.outExecCountSiteB)
}
}

func (s *IntSuite) twoClustersTunnel(c *check.C, now time.Time, proxyRecordMode string, execCountSiteA, execCountSiteB int) {
// start the http proxy, we need to make sure this was not used
ps := &proxyServer{}
ts := httptest.NewServer(ps)
defer ts.Close()

// clear out any proxy environment variables
for _, v := range []string{"http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY"} {
os.Setenv(v, "")
}

username := s.me.Username

a := s.newNamedTeleportInstance(c, "site-A")
b := s.newNamedTeleportInstance(c, "site-B")

a.AddUser(username, []string{username})
b.AddUser(username, []string{username})

clusterConfig, err := services.NewClusterConfig(services.ClusterConfigSpecV3{
SessionRecording: proxyRecordMode,
LocalAuth: services.NewBool(true),
})
c.Assert(err, check.IsNil)

acfg := s.defaultServiceConfig()
acfg.Auth.Enabled = true
acfg.Proxy.Enabled = true
acfg.Proxy.DisableWebService = true
acfg.Proxy.DisableWebInterface = true
acfg.SSH.Enabled = true

bcfg := s.defaultServiceConfig()
bcfg.Auth.Enabled = true
bcfg.Auth.ClusterConfig = clusterConfig
bcfg.Proxy.Enabled = true
bcfg.Proxy.DisableWebService = true
bcfg.Proxy.DisableWebInterface = true
bcfg.SSH.Enabled = false

c.Assert(b.CreateEx(a.Secrets.AsSlice(), bcfg), check.IsNil)
defer b.StopAll()
c.Assert(a.CreateEx(b.Secrets.AsSlice(), acfg), check.IsNil)
defer a.StopAll()

c.Assert(b.Start(), check.IsNil)
c.Assert(a.Start(), check.IsNil)

// wait for both sites to see each other via their reverse tunnels (for up to 10 seconds)
abortTime := time.Now().Add(time.Second * 10)
for len(checkGetClusters(c, a.Tunnel)) < 2 && len(checkGetClusters(c, b.Tunnel)) < 2 {
time.Sleep(time.Millisecond * 200)
if time.Now().After(abortTime) {
c.Fatalf("Two clusters do not see each other: tunnels are not working.")
}
}

var (
outputA bytes.Buffer
outputB bytes.Buffer
)

// make sure the direct dialer was used and not the proxy dialer
c.Assert(ps.Count(), check.Equals, 0)

// if we got here, it means two sites are cross-connected. lets execute SSH commands
sshPort := a.GetPortSSHInt()
cmd := []string{"echo", "hello world"}

// directly:
tc, err := a.NewClient(ClientConfig{
Login: username,
Cluster: a.Secrets.SiteName,
Host: Host,
Port: sshPort,
ForwardAgent: true,
})
tc.Stdout = &outputA
c.Assert(err, check.IsNil)
err = tc.SSH(context.TODO(), cmd, false)
c.Assert(err, check.IsNil)
c.Assert(outputA.String(), check.Equals, "hello world\n")

// Update trusted CAs.
err = tc.UpdateTrustedCA(context.TODO(), a.Secrets.SiteName)
c.Assert(err, check.IsNil)

// The known_hosts file should have two certificates, the way bytes.Split
// works that means the output will be 3 (2 certs + 1 empty).
buffer, err := ioutil.ReadFile(filepath.Join(tc.KeysDir, "known_hosts"))
c.Assert(err, check.IsNil)
parts := bytes.Split(buffer, []byte("\n"))
c.Assert(parts, check.HasLen, 3)

// The certs.pem file should have 2 certificates.
buffer, err = ioutil.ReadFile(filepath.Join(tc.KeysDir, "keys", Host, "certs.pem"))
c.Assert(err, check.IsNil)
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM(buffer)
c.Assert(ok, check.Equals, true)
c.Assert(roots.Subjects(), check.HasLen, 2)

// wait for active tunnel connections to be established
waitForActiveTunnelConnections(c, b.Tunnel, a.Secrets.SiteName, 1)

// via tunnel b->a:
tc, err = b.NewClient(ClientConfig{
Login: username,
Cluster: a.Secrets.SiteName,
Host: Host,
Port: sshPort,
ForwardAgent: true,
})
tc.Stdout = &outputB
c.Assert(err, check.IsNil)
err = tc.SSH(context.TODO(), cmd, false)
c.Assert(err, check.IsNil)
c.Assert(outputA.String(), check.DeepEquals, outputB.String())

// Stop "site-A" and try to connect to it again via "site-A" (expect a connection error)
err = a.StopAuth(false)
c.Assert(err, check.IsNil)
err = tc.SSH(context.TODO(), cmd, false)
c.Assert(err, check.FitsTypeOf, trace.ConnectionProblem(nil, ""))

// Reset and start "Site-A" again
err = a.Reset()
c.Assert(err, check.IsNil)
err = a.Start()
c.Assert(err, check.IsNil)

// try to execute an SSH command using the same old client to Site-B
// "site-A" and "site-B" reverse tunnels are supposed to reconnect,
// and 'tc' (client) is also supposed to reconnect
for i := 0; i < 10; i++ {
time.Sleep(250 * time.Millisecond)
err = tc.SSH(context.TODO(), cmd, false)
if err == nil {
break
}
}
c.Assert(err, check.IsNil)

searchAndAssert := func(site auth.ClientI, count int) error {
tickCh := time.Tick(500 * time.Millisecond)
stopCh := time.After(5 * time.Second)

// only look for exec events
eventTypes := []string{events.ExecEvent}

for {
select {
case <-tickCh:
eventsInSite, _, err := site.SearchEvents(now, now.Add(1*time.Hour), apidefaults.Namespace, eventTypes, 0, types.EventOrderAscending, "")
if err != nil {
return trace.Wrap(err)
}

// found the number of events we were looking for
if got, want := len(eventsInSite), count; got == want {
return nil
}
case <-stopCh:
return trace.BadParameter("unable to find %v events after 5s", count)
}
}
}

siteA := a.GetSiteAPI(a.Secrets.SiteName)
err = searchAndAssert(siteA, execCountSiteA)
c.Assert(err, check.IsNil)

siteB := b.GetSiteAPI(b.Secrets.SiteName)
err = searchAndAssert(siteB, execCountSiteB)
c.Assert(err, check.IsNil)

// stop both sites for real
c.Assert(b.StopAll(), check.IsNil)
c.Assert(a.StopAll(), check.IsNil)
}

// TestTwoClustersProxy checks if the reverse tunnel uses a HTTP PROXY to
// establish a connection.
func (s *IntSuite) TestTwoClustersProxy(c *check.C) {
Expand Down