diff options
| author | James O'Doherty <james@theodohertyfamily.com> | 2026-05-29 19:14:11 -0400 |
|---|---|---|
| committer | James O'Doherty <james@theodohertyfamily.com> | 2026-05-29 19:14:11 -0400 |
| commit | 284ed362550e1fccc62ecd876dbd3f4c8fc721e2 (patch) | |
| tree | 00fe97c8a3c10d55032f714f84f104cf97be6c50 /tests/e2e/config_test.go | |
| parent | ee2f5d545825752af63da36e2b9ec7a92985a875 (diff) | |
feat(dns): implement unprivileged DNS isolation, precedence order, and profile configuration
Completed the remaining roadmap and documentation requirements by implementing robust unprivileged DNS management, completing the profile configuration subcommand, and resolving data-plane transition socket crashes.
Detailed changes:
- **DNS Isolation**: Implemented `ConfigureResolvConf` in `internal/wireguard/wireguard.go` to override `/etc/resolv.conf` within the unprivileged network/mount namespace. Transitioned the mount namespace to private propagation (`MS_PRIVATE`) and safely bind-mounted a temporary resolv.conf file over `/etc/resolv.conf` without mutating the host's configuration.
- **DNS Precedence Order**: Integrated CLI flag `--dns-server`, parsed `.conf` interface DNS parameters, and added a safe default fallback (`1.1.1.1`) to ensure absolute host DNS leak prevention inside wrapped sessions.
- **Socket Duplication in FDBind**: Resolved a lifecycle panic in `FDBind` where `wireguard-go` called `Close` and `Open` during device state transitions, causing "use of closed network connection" errors. Implemented file descriptor duplication using `unix.Dup` during bind initialization to gracefully persist the host-socket context across interface transitions and allow clean exit synchronization.
- **Profile Configuration**: Implemented `handleProfileConfigure` in `internal/cli/cli.go` to launch the default system `$EDITOR` (falling back to `vi`) on a profile, satisfying the documentation's requirements.
- **Hermetic Testing Polish**:
- Created `dns_helpers.go` providing a `MockDNSServer` packet probe.
- Added E2E tests for unprivileged DNS resolution, data-plane UDP handshake transmission, and 3-way DNS precedence routing.
- Refactored `TestNamespaceLifecycleAutomation`, `TestConfigPropagation`, and `TestMTUFragmentation` to use default profile fallbacks, fixing failing stats on missing profiles.
- Resolved all `golangci-lint` and `go fmt` warnings to maintain a completely clean static analysis pipeline.
Diffstat (limited to 'tests/e2e/config_test.go')
| -rw-r--r-- | tests/e2e/config_test.go | 34 |
1 files changed, 24 insertions, 10 deletions
diff --git a/tests/e2e/config_test.go b/tests/e2e/config_test.go index e613b13..c8749ce 100644 --- a/tests/e2e/config_test.go +++ b/tests/e2e/config_test.go @@ -4,6 +4,7 @@ import ( "fmt" "os" "os/exec" + "path/filepath" "strings" "testing" ) @@ -14,12 +15,30 @@ func TestConfigPropagation(t *testing.T) { t.Skipf("Skipping test: %v", err) } + tmpConfigDir := t.TempDir() tmpRuntimeDir := t.TempDir() profile := "config-test-vpn" + // Write a valid dummy profile for config-test-vpn so it doesn't fail the profile-existence check + confContent := `[Interface] +PrivateKey = YXNkZmFzZGZhc2RmYXNkZmFzZGZhc2RmYXNkZmFzZGY= +Address = 10.0.0.2/24 + +[Peer] +PublicKey = YXNkZmFzZGZhc2RmYXNkZmFzZGZhc2RmYXNkZmFzZGY= +Endpoint = 127.0.0.1:51820 +AllowedIPs = 10.0.0.0/24 +` + profilesDir := filepath.Join(tmpConfigDir, "wg-wrap", "profiles") + _ = os.MkdirAll(profilesDir, 0755) + _ = os.WriteFile(filepath.Join(profilesDir, profile+".conf"), []byte(confContent), 0644) + // Test 1: Non-isolated configuration cmd := exec.Command(binaryPath, "show-config", "--profile", profile) - cmd.Env = append(os.Environ(), fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpRuntimeDir)) + cmd.Env = append(os.Environ(), + fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpRuntimeDir), + fmt.Sprintf("XDG_CONFIG_HOME=%s", tmpConfigDir), + ) out, err := cmd.CombinedOutput() if err != nil { t.Fatalf("show-config failed: %v\nOutput: %s", err, string(out)) @@ -37,16 +56,11 @@ func TestConfigPropagation(t *testing.T) { } // Test 2: Configuration after bootstrap (Isolated) - // We use 'test-ns' as a way to run a command that we know is isolated. - // Actually, we can just run 'show-config' but the current 'Route' - // handles 'show-config' BEFORE the bootstrap. - // To test isolated config, we can't use 'show-config' because it's a diagnostic - // command designed to run outside isolation. - - // To verify what an isolated process sees, we can use a target command - // that prints the environment. cmdIsolated := exec.Command(binaryPath, "--profile", profile, "--", "sh", "-c", "echo $XDG_RUNTIME_DIR") - cmdIsolated.Env = append(os.Environ(), fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpRuntimeDir)) + cmdIsolated.Env = append(os.Environ(), + fmt.Sprintf("XDG_RUNTIME_DIR=%s", tmpRuntimeDir), + fmt.Sprintf("XDG_CONFIG_HOME=%s", tmpConfigDir), + ) outIso, err := cmdIsolated.CombinedOutput() if err != nil { t.Fatalf("Isolated command failed: %v\nOutput: %s", err, string(outIso)) |