[Feature] add a tampering proxy for integration tests #894

Open
opened 2025-12-29 02:25:32 +01:00 by adam · 1 comment
Originally created by @Rorical on GitHub (Dec 23, 2024).

Use case

When I was trying to implement the test for #1812, which includes a simulated MiTM attack to check whether the verifier for the OIDC challenge code is working, I found that it requires a lot of code specific to that test.

Specifically, I need to add the following functions:

```go
func (s *AuthOIDCScenario) runTailscaleUpWithModifier(
	userStr string,
	loginServer string,
	httpClientModifier func(*http.Client),
) error { ... }

func (s *AuthOIDCScenario) CreateHeadscaleEnvWithHTTPModifier(
	users map[string]int,
	httpModifier func(*http.Client),
	opts ...hsic.Option,
) error { ... }
```

where the httpModifier function is used to modify the HTTP round trips between headscale and the OIDC server.

In the later discussion, @kradalby suggested having a tampering proxy that is able to modify the requests: https://github.com/juanfont/headscale/pull/1812#discussion_r1894852089

> Unless I am really missing something, I think what bothers me is that it isn't the tailscale client that is doing the request, but an httpClient.Do(req). I think the "correct" way to do this is to have the request go through a proxy, and that could be passed as an option to hsic or tsic, where you can give it a func that will modify the requests.
> That way we can have unmodified (and only one version of) runTailscaleUp, and have failing and passing nodes in the same test, some just get tampered with and some don't, compared to a dedicated test for each.

This is a lot of code that is very specific to one test, and a proxy in between headscale and tailscale for tampering would be quite useful.

I think adding such a feature will be greatly helpful for future improvements, such as more attack-simulation tests.

Description

We can have a tampering proxy that is able to modify the requests among the many parties in the integration tests:

  1. tailscale client
  2. headscale instance
  3. user operations (browser)
  4. third-party service providers (OIDC server)

Therefore we can support more powerful integration tests.

Contribution

  • [ ] I can write the design doc for this feature
  • [x] I can contribute this feature

How can it be implemented?

Having a Proxy set up and passing all requests through it.

adam added the enhancement, no-stale-bot, OIDC labels 2025-12-29 02:25:32 +01:00
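One shape the proposed proxy could take, as an added example written for this issue and not code from headscale, hsic or tsic: a reverse proxy that accepts the request-modifying func suggested in the thread, placed in front of a constructed stand-in for the OIDC callback verifier, so one test can run an untampered node (nil hook) next to a node whose OIDC code is swapped in flight. The names (NewTamperingProxy, FakeVerifier, SwapCode, RoundTrip) and the sample code values are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// NewTamperingProxy forwards every request to upstream, letting a non-nil hook rewrite it first.
func NewTamperingProxy(upstream *url.URL, hook func(*http.Request)) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	base := rp.Director
	rp.Director = func(r *http.Request) {
		base(r) // retarget to upstream first, then let the test tamper
		if hook != nil { // nil hook: this node's traffic passes through untouched
			hook(r)
		}
	}
	return rp
}

// FakeVerifier is a constructed stand-in for the OIDC callback verifier (not headscale's code).
var FakeVerifier = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if r.URL.Query().Get("code") != "issued-code" { // only the code it issued is accepted
		http.Error(w, "code mismatch", http.StatusUnauthorized)
	}
})

// SwapCode is the hook a MiTM test passes in: it replaces the OIDC code in flight.
func SwapCode(r *http.Request) {
	q := r.URL.Query()
	q.Set("code", "forged-code")
	r.URL.RawQuery = q.Encode()
}

// RoundTrip places the proxy in front of upstream, sends one GET through it and returns the status seen.
func RoundTrip(upstream http.Handler, hook func(*http.Request), path string) (int, error) {
	up := httptest.NewServer(upstream)
	defer up.Close()
	u, _ := url.Parse(up.URL) // httptest URLs always parse
	px := httptest.NewServer(NewTamperingProxy(u, hook))
	defer px.Close()
	resp, err := http.Get(px.URL + path)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

A real harness would hand the hook to the node under test as an hsic/tsic option instead of calling RoundTrip directly; the proxy itself stays the same.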
@Rorical commented on GitHub (Dec 23, 2024):

#2315 This draft PR illustrates how the MiTM test was working before, for the OIDC Verifier feature in #2314.

Reference: starred/headscale#894