feat(e2e): Add tunnel establishment E2E tests (T-6.1) #103
Merged
- Add PowerShell test script (Test-TunnelEstablishment.ps1) with:
  - TC1: Boot + Login tests (Service, Interface, Routes, DC connectivity)
  - TC2: DNS-SRV Discovery for LDAP
  - TC3: DNS-SRV Discovery for Kerberos (UDP/TCP)
  - TC4: UDP Kerberos connectivity validation
  - Proper CI exit codes and formatted output
- Add Go GUID-based interface verification:
  - FindWireGuardInterface() with priority search (GUID > Description > Name)
  - VerifyInterface() for status validation
  - HasRouteToNetwork() for route checking
  - Windows-specific via winipcfg, stubs for other platforms
- Add GitHub Actions workflow (e2e-tunnel.yml):
  - Manual workflow_dispatch for lab testing
  - PowerShell syntax validation
  - Test result documentation

Tested on Windows 11 VM (10.0.0.160):
- TC1.2-TC1.6: PASS (WireGuard interface, routes, DC connectivity)
- TC2.1b: PASS (LDAP SRV via nslookup)
- TC4.1-TC4.2: PASS (DC discovery, UDP Kerberos)

Closes #54

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes nilerr lint error by renaming inner error variable. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add waitForServer helper that polls the server until it's ready, preventing flaky test failures when the server goroutine hasn't started listening before the test proceeds. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add waitForServerReady helper that polls the SSH server until it's accepting connections, preventing flaky test failures when the server goroutine hasn't started its Accept loop before tests proceed. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Increase dial timeout from 100ms to 500ms
- Use exponential backoff (10ms -> 100ms cap)
- Increase overall timeout from 5s to 10s for slow Windows runners
- Add better error message including last error details

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Go 1.21+ has builtin min function, custom definition shadows it and triggers golangci-lint predeclared error. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The SSH server may need a moment to reset its state after accepting a probe connection that closes without completing the handshake. Add 100ms delay after successful probe to avoid interference. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace TCP probe with actual SSH connection attempt in waitForServerReady. The previous approach only verified TCP listener was ready, but the SSH server needs more time to initialize its internal state. Now we attempt a real SSH handshake (which will fail auth) to ensure the server is fully operational before tests proceed. This fixes flaky tests on FreeBSD and other platforms where the SSH server's Accept loop wasn't ready when tests started connecting.
Changed waitForServerReady to only consider the server ready when it receives an SSH-protocol response (error containing 'ssh:'). This is more reliable than checking for network-level errors like 'connection refused', which may vary across platforms (FreeBSD, Windows, etc.).

The server is ready when:
- SSH handshake completes (any ssh: error means we talked SSH)
- Connection succeeds (unexpected but valid)

Added 200ms delay after successful probe to ensure server's Accept loop is stable for subsequent connections.
…ests
The pattern `defer require.NoError(t, server.Stop())` was calling
Stop() immediately because Go evaluates function arguments at defer
time, not when the deferred function runs.
Changed to `defer func() { require.NoError(t, server.Stop()) }()`
which properly defers the entire call until function exit.
Also simplified waitForServerReady to use lightweight SSH banner
check instead of full SSH handshake.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
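The defer pitfall described in the commit message above, as an added Go example that is not code from this pull request. `fakeServer` and `noError` are hypothetical stand-ins for the SSH test server and `require.NoError`.

```go
package main

import (
	"errors"
	"fmt"
)

// fakeServer is a hypothetical stand-in for the SSH test server.
type fakeServer struct{ stopped bool }

func (s *fakeServer) Stop() error {
	if s.stopped {
		return errors.New("already stopped")
	}
	s.stopped = true
	return nil
}

// noError stands in for require.NoError(t, err): it only records the result.
func noError(log *[]string, err error) {
	*log = append(*log, fmt.Sprintf("checked err=%v", err))
}

// buggyTest mirrors `defer require.NoError(t, server.Stop())`.
// Stop() is an argument, so it is evaluated at the defer statement itself.
func buggyTest() (stoppedDuringBody bool) {
	var log []string
	srv := &fakeServer{}
	defer noError(&log, srv.Stop()) // Stop() runs here, before the test body
	return srv.stopped              // the body already sees a stopped server
}

// fixedTest mirrors `defer func() { require.NoError(t, server.Stop()) }()`.
func fixedTest() (stoppedDuringBody bool) {
	var log []string
	srv := &fakeServer{}
	defer func() { noError(&log, srv.Stop()) }() // Stop() runs at function exit
	return srv.stopped                           // the server is still running here
}

func main() {
	fmt.Println("buggy: server stopped during test body:", buggyTest())
	fmt.Println("fixed: server stopped during test body:", fixedTest())
}
```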
Add trust_windows.go with the following functions required by trusttest/main.go:
- GetCertFingerprint: SHA-256 fingerprint of certificate
- GetCertPin: SPKI pin (sha256//BASE64) from cert file
- GetCertPinFromDER: SPKI pin from DER-encoded cert
- VerifyServerCert: Verify cert against pin
- VerifyServerCertChain: Verify cert chain against pin
- InstallCACert: Install CA cert to Windows store (certutil)
- RemoveCACert: Remove CA cert from Windows store (certutil)
- TrustStoreRoot/TrustStoreCA: Store type constants

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
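An added example (not the project's `trust_windows.go`) of the `sha256//BASE64` SPKI pin format named above: the pin hashes only the SubjectPublicKeyInfo, so a renewed certificate on the same key still matches while a certificate on a different key does not. `spkiPin`, `pinMatches`, `newKey` and `issue` are hypothetical names, and the certificates are constructed throwaway test material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
)

// spkiPin hashes only the SubjectPublicKeyInfo, in the sha256//BASE64 form.
func spkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256//" + base64.StdEncoding.EncodeToString(sum[:]), nil
}

// pinMatches reports whether der carries the pinned public key.
func pinMatches(der []byte, want string) bool {
	got, err := spkiPin(der)
	return err == nil && got == want
}

// newKey and issue build constructed throwaway test material.
func newKey() ed25519.PrivateKey {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	return key
}

func issue(key ed25519.PrivateKey, serial int64) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	k := newKey()
	pin, _ := spkiPin(issue(k, 1))
	fmt.Println(pin, pinMatches(issue(k, 2), pin), pinMatches(issue(newKey(), 3), pin))
}
```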
- Add security_windows.go with DPAPI encryption, ACL hardening, and SecureConfig for encrypted setup key management
- Add eventlog_windows.go with Windows Event Log integration
- Add nolint:forbidigo comments to CLI test tools (securitytest, trusttest)
- Implements T-5.6 security features for Windows pre-login VPN

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Handle LocalFree return values properly in security_windows.go
- Convert if-else chain to switch statement in securitytest/main.go

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
Documentation
Test Cases Implemented
Test Evidence (Windows 11 VM - 10.0.0.160)
Direct CLI validation:
- `Get-Service NetBirdMachine` → Running
- `wt0` interface Up, IP 100.95.22.56/16
- `Test-NetConnection -Port 389` → TcpTestSucceeded via wt0
- `klist -li 0x3e7` → 7 cached Kerberos tickets (SYSTEM account)
- `nltest /dsgetdc:test.local` → DC01.test.local found

Files Changed
- `scripts/tests/Test-TunnelEstablishment.ps1` - PowerShell E2E test script
- `client/internal/tunnel/interface_windows.go` - Go interface verification (Windows)
- `client/internal/tunnel/interface_other.go` - Stub for non-Windows
- `.github/workflows/e2e-tunnel.yml` - CI workflow for lab testing

Test Plan
Closes #54
🤖 Generated with Claude Code