public async Task WhenInstanceAvailableButRelayPolicyFails_ThenProbeThrowsUnauthorizedException(
[WindowsInstance] ResourceTask <InstanceLocator> testInstance,
[Credential(Role = PredefinedRole.IapTunnelUser)] ResourceTask <ICredential> credential)
{
var service = new TunnelService(CreateAuthorizationAdapter(
await credential,
null));
var destination = new TunnelDestination(
await testInstance,
3389);
using (var tunnel = await service.CreateTunnelAsync(
destination,
new DenyAllPolicy()))
{
// The Probe should still succeed.
await tunnel.Probe(TimeSpan.FromSeconds(20));
// Trying to send ot receive anything should cause a connection reset.
var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
socket.Connect(new IPEndPoint(IPAddress.Loopback, tunnel.LocalPort));
socket.ReceiveTimeout = 100;
Assert.AreEqual(0, socket.Receive(new byte[1]));
}
}
public async Task WhenInstanceAvailableAndUserInRole_ThenCreateTunnelAndProbeSucceeds(
[WindowsInstance] ResourceTask <InstanceLocator> testInstance,
[Credential(Role = PredefinedRole.IapTunnelUser)] ResourceTask <ICredential> credential)
{
var service = new TunnelService(CreateAuthorizationAdapter(
await credential));
var destination = new TunnelDestination(
await testInstance,
3389);
var tunnel = await service.CreateTunnelAsync(destination);
Assert.AreEqual(destination, tunnel.Destination);
await tunnel.Probe(TimeSpan.FromSeconds(20));
tunnel.Close();
}
public async Task WhenInstanceAvailableButRelayPolicyFails_ThenXxxx(
[WindowsInstance] ResourceTask <InstanceLocator> testInstance,
[Credential(Role = PredefinedRole.ComputeViewer)] ResourceTask <ICredential> credential)
{
var service = new TunnelService(CreateAuthorizationAdapter(
await credential));
var destination = new TunnelDestination(
await testInstance,
3389);
var tunnel = await service.CreateTunnelAsync(
destination,
new DenyAllPolicy());
AssertEx.ThrowsAggregateException <UnauthorizedException>(
() => tunnel.Probe(TimeSpan.FromSeconds(20)).Wait());
tunnel.Close();
}
public async Task WhenDeviceEnrolled_ThenAuditLogIndicatesDevice(
[WindowsInstance] ResourceTask <InstanceLocator> testInstance)
{
var service = new TunnelService(CreateAuthorizationAdapterForSecureConnectUser());
// Probe a random port so that we have something unique to look for
// in the audit log.
var randomPort = (ushort)new Random().Next(10000, 50000);
var destination = new TunnelDestination(
await testInstance,
randomPort);
using (var tunnel = await service.CreateTunnelAsync(
destination,
new SameProcessRelayPolicy()))
{
Assert.AreEqual(destination, tunnel.Destination);
Assert.IsTrue(tunnel.IsMutualTlsEnabled);
// The probe will fail, but it will leave a record in the audit log.
try
{
await tunnel.Probe(TimeSpan.FromSeconds(5));
}
catch (UnauthorizedException)
{ }
}
var logs = await GetIapAccessLogsForPortAsync(randomPort);
Assert.IsTrue(logs.Any(), "data access log emitted");
var metadata = (JToken)logs.First().ProtoPayload["metadata"];
Assert.AreNotEqual(
"Unknown",
metadata.Value <string>("device_state"));
CollectionAssert.Contains(
new[] { "Normal", "Cross Organization" },
metadata.Value <string>("device_state"));
}
public async Task WhenInstanceAvailableAndUserInRole_ThenCreateTunnelAndProbeSucceeds(
[WindowsInstance] ResourceTask <InstanceLocator> testInstance,
[Credential(Role = PredefinedRole.IapTunnelUser)] ResourceTask <ICredential> credential)
{
var service = new TunnelService(CreateAuthorizationAdapter(
await credential,
null));
var destination = new TunnelDestination(
await testInstance,
3389);
using (var tunnel = await service.CreateTunnelAsync(
destination,
new SameProcessRelayPolicy()))
{
Assert.AreEqual(destination, tunnel.Destination);
Assert.IsFalse(tunnel.IsMutualTlsEnabled);
await tunnel.Probe(TimeSpan.FromSeconds(20));
}
}
public async Task WhenInstanceAvailableButUserNotInRole_ThenProbeFails(
[WindowsInstance] ResourceTask <InstanceLocator> testInstance,
[Credential(Role = PredefinedRole.ComputeViewer)] ResourceTask <ICredential> credential)
{
var service = new TunnelService(CreateAuthorizationAdapter(
await credential,
null));
var destination = new TunnelDestination(
await testInstance,
3389);
using (var tunnel = await service.CreateTunnelAsync(
destination,
new SameProcessRelayPolicy()))
{
Assert.AreEqual(destination, tunnel.Destination);
AssertEx.ThrowsAggregateException <UnauthorizedException>(
() => tunnel.Probe(TimeSpan.FromSeconds(20)).Wait());
}
}
public async Task WhenInstanceNotAvailable_ThenProbeFails(
[Credential(Role = PredefinedRole.ComputeViewer)] ResourceTask <ICredential> credential)
{
var service = new TunnelService(CreateAuthorizationAdapter(
await credential));
var destination = new TunnelDestination(
new InstanceLocator(
TestProject.ProjectId,
"us-central1-a",
"nonexistinginstance"),
3389);
var tunnel = await service.CreateTunnelAsync(destination);
Assert.AreEqual(destination, tunnel.Destination);
AssertEx.ThrowsAggregateException <UnauthorizedException>(
() => tunnel.Probe(TimeSpan.FromSeconds(20)).Wait());
tunnel.Close();
}