ExternalVendorCode/balena-supervisor
1
0
Fork 0
mirror of https://github.com/balena-os/balena-supervisor.git synced 2024-12-23 15:32:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a24d5acf7f
balena-supervisor/test/integration/lib/firewall.spec.ts

473 lines
12 KiB
TypeScript
Raw Normal View History

bug: Fix unhandled promise rejection When invoking iptables-restore it can fail. This wasn't handled and this makes sure that it fails gracefully. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-07-10 14:02:07 +00:00
import _ = require('lodash');
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
import { expect } from 'chai';
import * as sinon from 'sinon';
Refactor test suite to use tsconfig paths This replaces all relative paths in the test suite (e.g `../src/compose/service.ts`) with the aliased path configured through tsconfig. This is a big change but it doesn't affect any functionality
2022-08-17 23:35:08 +00:00
import * as config from '~/src/config';
import * as firewall from '~/lib/firewall';
import * as logger from '~/src/logger';
import * as iptablesMock from '~/test-lib/mocked-iptables';
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
import * as dbFormat from '~/src/device-state/db-format';
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
Refactor test suite to use tsconfig paths This replaces all relative paths in the test suite (e.g `../src/compose/service.ts`) with the aliased path configured through tsconfig. This is a big change but it doesn't affect any functionality
2022-08-17 23:35:08 +00:00
import constants = require('~/lib/constants');
import { RuleAction, Rule } from '~/lib/iptables';
import { log } from '~/lib/supervisor-console';
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
describe('lib/firewall', function () {
bug: Fix unhandled promise rejection When invoking iptables-restore it can fail. This wasn't handled and this makes sure that it fails gracefully. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-07-10 14:02:07 +00:00
let loggerSpy: sinon.SinonSpy;
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
let logSpy: sinon.SinonStub;
bug: Fix unhandled promise rejection When invoking iptables-restore it can fail. This wasn't handled and this makes sure that it fails gracefully. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-07-10 14:02:07 +00:00
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
let apiEndpoint: string;
let listenPort: number;
before(async () => {
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
await config.initialized();
bug: Fix unhandled promise rejection When invoking iptables-restore it can fail. This wasn't handled and this makes sure that it fails gracefully. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-07-10 14:02:07 +00:00
// spy the logs...
loggerSpy = sinon.spy(logger, 'logSystemMessage');
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
logSpy = log.error as sinon.SinonStub;
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
Remove side effects for module imports The supervisor uses the following pattern for async module initialization ```typescript // module.ts export const initialised = (async () => { // do some async initialization })(); // somewhere else import * as module from 'module'; async function setup() { await module.initialise; } ``` The above pattern means that whenever the module is imported, the initialisation procedure will be ran, which is an anti-pattern. This converts any instance of this pattern into a function ```typescript export const initialised = _.once(async () => { // do some async initialization }); ``` And anywhere else on the code it replaces the call with a ```typescript await module.initialised(); ``` Change-type: patch
2022-09-06 18:03:23 +00:00
await firewall.initialised();
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
apiEndpoint = await config.get('apiEndpoint');
listenPort = await config.get('listenPort');
});
after(async () => {
bug: Fix unhandled promise rejection When invoking iptables-restore it can fail. This wasn't handled and this makes sure that it fails gracefully. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-07-10 14:02:07 +00:00
loggerSpy.restore();
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
});
describe('Basic On/Off operation', () => {
it('should confirm the `changed` event is handled', async function () {
await iptablesMock.whilstMocked(async ({ hasAppliedRules }) => {
bug: Fix unhandled promise rejection When invoking iptables-restore it can fail. This wasn't handled and this makes sure that it fails gracefully. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-07-10 14:02:07 +00:00
const changedSpy = sinon.spy();
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
config.on('change', changedSpy);
// set the firewall to be in off mode...
await config.set({ firewallMode: 'off' });
await hasAppliedRules;
// check it fired the events correctly...
expect(changedSpy.called).to.be.true;
expect(changedSpy.calledWith({ firewallMode: 'off' })).to.be.true;
});
});
it('should handle the HOST_FIREWALL_MODE configuration value: invalid', async function () {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule }) => {
// set the firewall to be in off mode...
await config.set({ firewallMode: 'invalid' });
await hasAppliedRules;
// expect that we jump to the firewall chain...
expectRule({
target: 'BALENA-FIREWALL',
chain: 'INPUT',
family: 4,
});
// expect to return...
expectRule({
chain: 'BALENA-FIREWALL',
target: 'RETURN',
family: 4,
});
},
);
});
it('should respect the HOST_FIREWALL_MODE configuration value: off', async function () {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule }) => {
// set the firewall to be in off mode...
await config.set({ firewallMode: 'off' });
await hasAppliedRules;
// expect that we jump to the firewall chain...
expectRule({
action: RuleAction.Append,
target: 'BALENA-FIREWALL',
chain: 'INPUT',
family: 4,
});
// expect to return...
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
const returnRuleIdx = expectRule({
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
table: 'filter',
chain: 'BALENA-FIREWALL',
target: 'RETURN',
family: 4,
});
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
// ... just before we reject everything
const rejectRuleIdx = expectRule({
chain: 'BALENA-FIREWALL',
target: 'REJECT',
matches: iptablesMock.RuleProperty.NotSet,
family: 4,
});
expect(returnRuleIdx).to.be.lessThan(rejectRuleIdx);
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
},
);
});
it('should respect the HOST_FIREWALL_MODE configuration value: on', async function () {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule, expectNoRule }) => {
// set the firewall to be in auto mode...
await config.set({ firewallMode: 'on' });
await hasAppliedRules;
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
// expect that we jump to the firewall chain...
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
expectRule({
action: RuleAction.Append,
target: 'BALENA-FIREWALL',
chain: 'INPUT',
family: 4,
});
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
// expect to not return for any reason...
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
expectNoRule({
chain: 'BALENA-FIREWALL',
target: 'RETURN',
});
},
);
});
it('should respect the HOST_FIREWALL_MODE configuration value: auto (no services in host-network)', async function () {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule }) => {
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
await dbFormat.setApps(
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
{
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
myapp: {
id: 2,
name: 'test-app2',
class: 'fleet',
is_host: false,
releases: {
abcdef2: {
id: 1232,
services: {
'test-service': {
id: 567,
image: 'test-image',
image_id: 5,
environment: {
TEST_VAR: 'test-string',
},
labels: {},
composition: {
tty: true,
},
},
},
networks: {},
volumes: {},
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
},
},
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
},
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
},
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
apiEndpoint,
);
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
// set the firewall to be in auto mode...
await config.set({ firewallMode: 'auto' });
await hasAppliedRules;
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
// expect that we jump to the firewall chain...
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
expectRule({
action: RuleAction.Append,
target: 'BALENA-FIREWALL',
chain: 'INPUT',
family: 4,
});
// expect to return...
expectRule({
chain: 'BALENA-FIREWALL',
target: 'RETURN',
family: 4,
});
},
);
});
it('should respect the HOST_FIREWALL_MODE configuration value: auto (service in host-network)', async function () {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule, expectNoRule }) => {
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
await dbFormat.setApps(
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
{
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
myapp: {
id: 2,
name: 'test-app2',
class: 'fleet',
is_host: false,
releases: {
abcdef2: {
id: 1232,
services: {
'test-service': {
id: 567,
image: 'test-image',
image_id: 5,
environment: {
TEST_VAR: 'test-string',
},
labels: {},
composition: {
tty: true,
network_mode: 'host',
},
},
},
networks: {},
volumes: {},
Add support for GET v3 target state This change updates types and database format in order to allow receiving the new format of the target state from the cloud and allow applications to keep working. This change also updates metadata in the containers, meaning services will need to be restarted on supervisor update Change-type: major
2021-08-03 23:12:47 +00:00
},
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
},
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
},
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
},
Migrate firewall tests to integration
2022-10-19 17:09:45 +00:00
apiEndpoint,
);
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
// set the firewall to be in auto mode...
await config.set({ firewallMode: 'auto' });
await hasAppliedRules;
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
// expect that we jump to the firewall chain...
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
expectRule({
action: RuleAction.Append,
target: 'BALENA-FIREWALL',
chain: 'INPUT',
family: 4,
});
// expect to return...
expectNoRule({
chain: 'BALENA-FIREWALL',
target: 'RETURN',
family: 4,
});
},
);
});
bug: Fix unhandled promise rejection When invoking iptables-restore it can fail. This wasn't handled and this makes sure that it fails gracefully. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-07-10 14:02:07 +00:00
it('should catch errors when rule changes fail', async () => {
await iptablesMock.whilstMocked(async ({ hasAppliedRules }) => {
// clear the spies...
loggerSpy.resetHistory();
logSpy.resetHistory();
// set the firewall to be in off mode...
await config.set({ firewallMode: 'off' });
await hasAppliedRules;
// should have caught the error and logged it
expect(logSpy.calledWith('Error applying firewall mode')).to.be.true;
expect(loggerSpy.called).to.be.true;
}, iptablesMock.realRuleAdaptor);
});
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
});
bug: Allow DNS through firewall for local containers We provide a local DNS server for containers to use and this was not allowed through the firewall when enabled. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-11 13:56:07 +00:00
describe('Service rules', () => {
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
const rejectAllRule = {
target: 'REJECT',
chain: 'BALENA-FIREWALL',
matches: iptablesMock.RuleProperty.NotSet,
};
const checkForRules = (
rules: Array<iptablesMock.Testable<Rule>> | iptablesMock.Testable<Rule>,
expectRule: (rule: iptablesMock.Testable<Rule>) => number,
) => {
rules = _.castArray(rules);
rules.forEach((rule) => {
const ruleIdx = expectRule(rule);
// make sure we reject AFTER the rule...
const rejectAllRuleIdx = expectRule(rejectAllRule);
expect(ruleIdx).is.lessThan(rejectAllRuleIdx);
});
};
bug: Allow DNS through firewall for local containers We provide a local DNS server for containers to use and this was not allowed through the firewall when enabled. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-11 13:56:07 +00:00
it('should have a rule to allow DNS traffic from the balena0 interface', async () => {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule }) => {
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
// set the firewall to be on...
bug: Allow DNS through firewall for local containers We provide a local DNS server for containers to use and this was not allowed through the firewall when enabled. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-11 13:56:07 +00:00
await config.set({ firewallMode: 'on' });
await hasAppliedRules;
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
[4, 6].forEach((family: 4 | 6) => {
// expect that we have a rule to allow DNS access...
checkForRules(
{
family,
target: 'ACCEPT',
chain: 'BALENA-FIREWALL',
proto: 'udp',
matches: ['--dport 53', '-i balena0'],
},
expectRule,
);
});
},
);
});
it('should have a rule to allow SSH traffic any interface', async () => {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule }) => {
// set the firewall to be on...
await config.set({ firewallMode: 'on' });
await hasAppliedRules;
[4, 6].forEach((family: 4 | 6) => {
// expect that we have a rule to allow SSH access...
checkForRules(
{
family,
target: 'ACCEPT',
chain: 'BALENA-FIREWALL',
proto: 'tcp',
matches: ['--dport 22222'],
},
expectRule,
);
});
},
);
});
it('should have a rule to allow Multicast traffic any interface', async () => {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule }) => {
// set the firewall to be on...
await config.set({ firewallMode: 'on' });
await hasAppliedRules;
[4, 6].forEach((family: 4 | 6) => {
// expect that we have a rule to allow multicast...
checkForRules(
{
family,
target: 'ACCEPT',
chain: 'BALENA-FIREWALL',
matches: ['-m addrtype', '--dst-type MULTICAST'],
},
expectRule,
);
});
},
);
});
it('should have a rule to allow balenaEngine traffic any interface', async () => {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule }) => {
// set the firewall to be on...
await config.set({ firewallMode: 'on' });
await hasAppliedRules;
[4, 6].forEach((family: 4 | 6) => {
// expect that we have a rule to allow balenaEngine access...
checkForRules(
{
family,
target: 'ACCEPT',
chain: 'BALENA-FIREWALL',
proto: 'tcp',
matches: ['--dport 2375'],
},
expectRule,
);
bug: Allow DNS through firewall for local containers We provide a local DNS server for containers to use and this was not allowed through the firewall when enabled. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-11 13:56:07 +00:00
});
},
);
});
});
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
describe('Supervisor API access', () => {
it('should allow access in localmode', async function () {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule }) => {
// set the device to be in local mode...
await config.set({ localMode: true });
await hasAppliedRules;
[4, 6].forEach((family: 4 | 6) => {
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
// make sure we have a rule to allow traffic on ANY interface
const allowRuleIdx = expectRule({
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
proto: 'tcp',
matches: [`--dport ${listenPort}`],
target: 'ACCEPT',
chain: 'BALENA-FIREWALL',
table: 'filter',
family,
});
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
// make sure we have a rule to block traffic on ANY interface also
const rejectRuleIdx = expectRule({
proto: 'tcp',
matches: [`--dport ${listenPort}`],
target: 'REJECT',
chain: 'BALENA-FIREWALL',
table: 'filter',
family,
});
// we should always reject AFTER we allow
expect(allowRuleIdx).to.be.lessThan(rejectRuleIdx);
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
});
},
);
});
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
it('should allow limited access in non-localmode', async function () {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule, expectNoRule }) => {
// set the device to be in local mode...
await config.set({ localMode: false });
await hasAppliedRules;
// ensure we have no unrestricted rule...
expectNoRule({
chain: 'BALENA-FIREWALL',
proto: 'tcp',
matches: [`--dport ${listenPort}`],
target: 'ACCEPT',
family: 4,
});
// ensure we do have a restricted rule for each interface...
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
let allowRuleIdx = -1;
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
constants.allowedInterfaces.forEach((intf) => {
[4, 6].forEach((family: 4 | 6) => {
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
allowRuleIdx = expectRule({
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
chain: 'BALENA-FIREWALL',
proto: 'tcp',
matches: [`--dport ${listenPort}`, `-i ${intf}`],
target: 'ACCEPT',
family,
});
});
});
bug: Firewall not blocking supervisor access from outside the device Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-08-12 11:16:55 +00:00
// make sure we have a rule to block traffic on ANY interface also
const rejectRuleIdx = expectRule({
proto: 'tcp',
matches: [`--dport ${listenPort}`],
target: 'REJECT',
chain: 'BALENA-FIREWALL',
table: 'filter',
});
// we should always reject AFTER we allow
expect(allowRuleIdx).to.be.lessThan(rejectRuleIdx);
firewall: Add Host Firewall functionality Controlled by BALENA_HOST_FIREWALL_MODE, the firewall can either be 'on' or 'off'. - In the 'off' state, all traffic is allowed. - In the 'on' state, only traffic for the core services provided by Balena is allowed. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
2020-06-15 16:46:33 +00:00
},
);
});
});
});
Reference in New Issue Copy Permalink