test: add e2e-tests for boundary CLI

Author: evgeniy-scherbina

.github/workflows/ci.yml

@@ -73,6 +73,9 @@ jobs:
     - name: Download and verify dependencies
       run: make deps
 
+#    - name: Setup tmate session
+#      uses: mxschmitt/action-tmate@v3
+
     - name: Run tests
       run: make test
 

Makefile

@@ -49,15 +49,17 @@ deps:
 .PHONY: test
 test:
 	@echo "Running tests..."
-	go test -v -race ./...
+	@which go > /dev/null || (echo "Go not found in PATH" && exit 1)
+	sudo $(shell which go) test -v -race ./...
 	@echo "✓ All tests passed!"
 
 # Run tests with coverage (needs sudo for E2E tests)
 .PHONY: test-coverage
 test-coverage:
 	@echo "Running tests with coverage..."
-	go test -v -race -coverprofile=coverage.out ./...
-	go tool cover -html=coverage.out -o coverage.html
+	@which go > /dev/null || (echo "Go not found in PATH" && exit 1)
+	sudo $(shell which go) test -v -race -coverprofile=coverage.out ./...
+	$(shell which go) tool cover -html=coverage.out -o coverage.html
 	@echo "✓ Coverage report generated: coverage.html"
 
 # CI checks (deps, test, build)

e2e_tests/boundary_integration_test.go

@@ -0,0 +1,250 @@
+package e2e_tests
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+// getUserInfo returns information about the current user, handling sudo scenarios
+func getUserInfo() (string, int, int, string, string) {
+	// Only consider SUDO_USER if we're actually running with elevated privileges
+	// In environments like Coder workspaces, SUDO_USER may be set to 'root'
+	// but we're not actually running under sudo
+	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" && os.Geteuid() == 0 && sudoUser != "root" {
+		// We're actually running under sudo with a non-root original user
+		user, err := user.Lookup(sudoUser)
+		if err != nil {
+			return getCurrentUserInfo() // Fallback to current user
+		}
+
+		uid, _ := strconv.Atoi(os.Getenv("SUDO_UID"))
+		gid, _ := strconv.Atoi(os.Getenv("SUDO_GID"))
+
+		// If we couldn't get UID/GID from env, parse from user info
+		if uid == 0 {
+			if parsedUID, err := strconv.Atoi(user.Uid); err == nil {
+				uid = parsedUID
+			}
+		}
+		if gid == 0 {
+			if parsedGID, err := strconv.Atoi(user.Gid); err == nil {
+				gid = parsedGID
+			}
+		}
+
+		configDir := getConfigDir(user.HomeDir)
+
+		return sudoUser, uid, gid, user.HomeDir, configDir
+	}
+
+	// Not actually running under sudo, use current user
+	return getCurrentUserInfo()
+}
+
+// getCurrentUserInfo gets information for the current user
+func getCurrentUserInfo() (string, int, int, string, string) {
+	currentUser, err := user.Current()
+	if err != nil {
+		// Fallback with empty values if we can't get user info
+		return "", 0, 0, "", ""
+	}
+
+	uid, _ := strconv.Atoi(currentUser.Uid)
+	gid, _ := strconv.Atoi(currentUser.Gid)
+
+	configDir := getConfigDir(currentUser.HomeDir)
+
+	return currentUser.Username, uid, gid, currentUser.HomeDir, configDir
+}
+
+// getConfigDir determines the config directory based on XDG_CONFIG_HOME or fallback
+func getConfigDir(homeDir string) string {
+	// Use XDG_CONFIG_HOME if set, otherwise fallback to ~/.config/coder_boundary
+	if xdgConfigHome := os.Getenv("XDG_CONFIG_HOME"); xdgConfigHome != "" {
+		return filepath.Join(xdgConfigHome, "coder_boundary")
+	}
+	return filepath.Join(homeDir, ".config", "coder_boundary")
+}
+
+// findProjectRoot finds the project root by looking for go.mod file
+func findProjectRoot(t *testing.T) string {
+	cwd, err := os.Getwd()
+	require.NoError(t, err, "Failed to get current working directory")
+
+	// Start from current directory and walk up until we find go.mod
+	dir := cwd
+	for {
+		goModPath := filepath.Join(dir, "go.mod")
+		if _, err := os.Stat(goModPath); err == nil {
+			return dir
+		}
+
+		parent := filepath.Dir(dir)
+		if parent == dir {
+			// Reached filesystem root
+			t.Fatalf("Could not find go.mod file starting from %s", cwd)
+		}
+		dir = parent
+	}
+}
+
+// getNamespaceName gets the single network namespace name
+// Fails if there are 0 or multiple namespaces
+func getNamespaceName(t *testing.T) string {
+	cmd := exec.Command("ip", "netns", "list")
+	output, err := cmd.Output()
+	require.NoError(t, err, "Failed to list network namespaces")
+
+	lines := strings.Split(string(output), "\n")
+	var namespaces []string
+
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if line != "" {
+			// Extract namespace name (first field)
+			parts := strings.Fields(line)
+			if len(parts) > 0 {
+				namespaces = append(namespaces, parts[0])
+			}
+		}
+	}
+
+	require.Len(t, namespaces, 1, "Expected exactly one network namespace, found %d: %v", len(namespaces), namespaces)
+	return namespaces[0]
+}
+
+func TestBoundaryIntegration(t *testing.T) {
+	// Find project root by looking for go.mod file
+	projectRoot := findProjectRoot(t)
+
+	// Build the boundary binary
+	buildCmd := exec.Command("go", "build", "-o", "/tmp/boundary-test", "./cmd/...")
+	buildCmd.Dir = projectRoot
+	err := buildCmd.Run()
+	require.NoError(t, err, "Failed to build boundary binary")
+
+	// Create context for boundary process
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+
+	// Start boundary process with sudo
+	boundaryCmd := exec.CommandContext(ctx, "/tmp/boundary-test",
+		"--allow", "dev.coder.com",
+		"--allow", "jsonplaceholder.typicode.com",
+		"--log-level", "debug",
+		"--", "bash", "-c", "sleep 10 && echo 'Test completed'")
+
+	// Suppress output to prevent terminal corruption
+	boundaryCmd.Stdout = os.Stdout // Let it go to /dev/null
+	boundaryCmd.Stderr = os.Stderr
+
+	// Start the process
+	err = boundaryCmd.Start()
+	require.NoError(t, err, "Failed to start boundary process")
+
+	// Give boundary time to start
+	time.Sleep(2 * time.Second)
+
+	// Get the namespace name that boundary created
+	namespaceName := getNamespaceName(t)
+
+	// Test HTTP request through boundary (from inside the jail)
+	t.Run("HTTPRequestThroughBoundary", func(t *testing.T) {
+		// Run curl directly in the namespace using ip netns exec
+		curlCmd := exec.Command("sudo", "ip", "netns", "exec", namespaceName,
+			"curl", "http://jsonplaceholder.typicode.com/todos/1")
+
+		// Capture stderr separately
+		var stderr bytes.Buffer
+		curlCmd.Stderr = &stderr
+		output, err := curlCmd.Output()
+
+		if err != nil {
+			t.Fatalf("curl command failed: %v, stderr: %s, output: %s", err, stderr.String(), string(output))
+		}
+
+		// Verify response contains expected content
+		expectedResponse := `{
+  "userId": 1,
+  "id": 1,
+  "title": "delectus aut autem",
+  "completed": false
+}`
+		require.Equal(t, expectedResponse, string(output))
+	})
+
+	// Test HTTPS request through boundary (from inside the jail)
+	t.Run("HTTPSRequestThroughBoundary", func(t *testing.T) {
+		u, err := user.Current()
+		if err != nil {
+			panic(err)
+		}
+		fmt.Printf("u.Username: %v\n", u.Username)
+		fmt.Printf("u.HomeDir: %v\n", u.HomeDir)
+
+		sudoUser, uid, gid, homeDir, configDir := getUserInfo()
+		fmt.Printf("sudoUser: %v\n", sudoUser)
+		fmt.Printf("uid: %v\n", uid)
+		fmt.Printf("gid: %v\n", gid)
+		fmt.Printf("homeDir: %v\n", homeDir)
+		fmt.Printf("configDir: %v\n", configDir)
+		certPath := fmt.Sprintf("%v/ca-cert.pem", configDir)
+
+		// Run curl directly in the namespace using ip netns exec
+		// TODO(yevhenii): remove env
+		curlCmd := exec.Command("sudo", "ip", "netns", "exec", namespaceName,
+			"env", fmt.Sprintf("SSL_CERT_FILE=%v", certPath), "curl", "-s", "https://dev.coder.com/api/v2")
+
+		// Capture stderr separately
+		var stderr bytes.Buffer
+		curlCmd.Stderr = &stderr
+		output, err := curlCmd.Output()
+
+		if err != nil {
+			t.Fatalf("curl command failed: %v, stderr: %s, output: %s", err, stderr.String(), string(output))
+		}
+
+		// Verify response contains expected content
+		expectedResponse := `{"message":"👋"}
+`
+		require.Equal(t, expectedResponse, string(output))
+	})
+
+	// Test blocked domain (from inside the jail)
+	t.Run("BlockedDomainTest", func(t *testing.T) {
+		// Run curl directly in the namespace using ip netns exec
+		curlCmd := exec.Command("sudo", "ip", "netns", "exec", namespaceName,
+			"curl", "-s", "http://example.com")
+
+		// Capture stderr separately
+		var stderr bytes.Buffer
+		curlCmd.Stderr = &stderr
+		output, err := curlCmd.Output()
+
+		if err != nil {
+			t.Fatalf("curl command failed: %v, stderr: %s, output: %s", err, stderr.String(), string(output))
+		}
+		require.Contains(t, string(output), "Request Blocked by Boundary")
+	})
+
+	// Clean up
+	cancel()                 // This will terminate the boundary process
+	err = boundaryCmd.Wait() // Wait for process to finish
+	if err != nil {
+		t.Logf("Boundary process finished with error: %v", err)
+	}
+
+	// Clean up binary
+	os.Remove("/tmp/boundary-test")
+}

jail/linux.go

@@ -43,6 +43,18 @@ func NewLinuxJail(config Config) (*LinuxJail, error) {
 func (l *LinuxJail) Start() error {
 	l.logger.Debug("Setup called")
 
+	e := getEnvs(l.configDir, l.caCertPath)
+	//p := fmt.Sprintf("http://localhost:%d", l.httpProxyPort)
+	l.commandEnv = mergeEnvs(e, map[string]string{
+		//"HOME":        l.homeDir,
+		//"USER":        l.username,
+		//"LOGNAME":     l.username,
+		//"HTTP_PROXY":  p,
+		//"HTTPS_PROXY": p,
+		//"http_proxy":  p,
+		//"https_proxy": p,
+	})
+
 	// Setup DNS configuration BEFORE creating namespace
 	// This ensures the namespace-specific resolv.conf is available when namespace is created
 	err := l.setupDNS()
@@ -75,10 +87,10 @@ func (l *LinuxJail) Start() error {
 func (l *LinuxJail) Command(command []string) *exec.Cmd {
 	l.logger.Debug("Creating command with namespace", "namespace", l.namespace)
 
-	cmdArgs := []string{"ip", "netns", "exec", l.namespace}
+	cmdArgs := []string{"netns", "exec", l.namespace}
 	cmdArgs = append(cmdArgs, command...)
 
-	cmd := exec.Command("sudo", cmdArgs...)
+	cmd := exec.Command("ip", cmdArgs...)
 	cmd.Env = l.commandEnv
 
 	return cmd
@@ -214,6 +226,19 @@ func (l *LinuxJail) setupIptables() error {
 		return fmt.Errorf("failed to add comprehensive TCP redirect rule: %v", err)
 	}
 
+	// TODO: clean up this rules
+	cmd = exec.Command("iptables", "-A", "FORWARD", "-s", "192.168.100.0/24", "-j", "ACCEPT")
+	err = cmd.Run()
+	if err != nil {
+		return err
+	}
+
+	cmd = exec.Command("iptables", "-A", "FORWARD", "-d", "192.168.100.0/24", "-j", "ACCEPT")
+	err = cmd.Run()
+	if err != nil {
+		return err
+	}
+
 	l.logger.Debug("Comprehensive TCP boundarying enabled", "interface", l.vethHost, "proxy_port", l.httpProxyPort)
 	return nil
 }

tls/tls.go

@@ -86,6 +86,8 @@ func (cm *CertificateManager) loadOrGenerateCA() error {
 	caKeyPath := filepath.Join(cm.configDir, "ca-key.pem")
 	caCertPath := filepath.Join(cm.configDir, "ca-cert.pem")
 
+	cm.logger.Debug("paths", "cm.configDir", cm.configDir, "caCertPath", caCertPath)
+
 	// Try to load existing CA
 	if cm.loadExistingCA(caKeyPath, caCertPath) {
 		cm.logger.Debug("Loaded existing CA certificate")