Add tls and domain names to core-api and mqtt

nat-lab/bin/core-api.py

@@ -2,6 +2,7 @@
 
 import json
 import paho.mqtt.client as mqtt  # type: ignore # pylint: disable=import-error
+import ssl
 from dataclasses import asdict, dataclass
 from enum import Enum
 from http import HTTPStatus
@@ -22,6 +23,8 @@
     "weight": 1,
 }
 
+CERTIFICATE_PATH = "/etc/ssl/server_certificate/server.pem"
+
 
 class CoreApiErrorCode(Enum):
     MACHINE_ALREADY_EXISTS = 101117
@@ -129,6 +132,8 @@ def do_GET(self):
         elif self.path.split("/")[-1] == "map":
             machine_id = self.path.split("/")[-2]
             self.handle_get_machine_map(machine_id)
+        elif self.path == "/v1/health":
+            self.handle_root_path()
 
     def do_HEAD(self):
         self._set_headers()
@@ -271,9 +276,14 @@ def get_meshmap(self, machine_id):
         }
 
 
-def run(mqttc, port=8080):
+def run(mqttc, port=443):
     server_address = ("", port)
     httpd = CoreServer(server_address, CoreApiHandler, mqttc)
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+    context.load_cert_chain(
+        certfile=CERTIFICATE_PATH,
+    )
+    httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
     print("Starting httpd...")
     httpd.serve_forever()
 
@@ -300,7 +310,14 @@ def main():
     mqttc.on_connect = on_connect
     mqttc.on_message = on_message
     mqttc.on_subscribe = on_subscribe
-    mqttc.connect("10.0.80.85", port=1883, keepalive=60)
+    mqttc.tls_set(
+        ca_certs=CERTIFICATE_PATH,
+        certfile=CERTIFICATE_PATH,
+        keyfile=CERTIFICATE_PATH,
+        tls_version=ssl.PROTOCOL_TLSv1_2,
+        cert_reqs=ssl.CERT_REQUIRED,
+    )
+    mqttc.connect("mqtt.nordvpn.com", port=8883, keepalive=60)
 
     mqttc.loop_start()
 

nat-lab/bin/dns-server

@@ -8,14 +8,22 @@ KNOWN = {
         b"google.com": dns.Record_AAAA(address="2a00:1450:400e:80c::200e"),
         b"www.google.com": dns.Record_AAAA(address="2a00:1450:400e:80c::200e"),
         b"error-with-noerror-return-code.com": None,
+        b"api.nordvpn.com": dns.Record_AAAA(address="2001:db8:85a4::adda:edde:b"),
+        b"mqtt.nordvpn.com": dns.Record_AAAA(address="2001:db8:85a4::adda:edde:a"),
     },
     dns.A: {
         b"google.com": dns.Record_A(address="142.250.179.206"),
         b"www.google.com": dns.Record_A(address="142.250.179.206"),
         b"error-with-noerror-return-code.com": None,
+        b"api.nordvpn.com": dns.Record_A(address="10.0.80.86"),
+        b"mqtt.nordvpn.com": dns.Record_A(address="10.0.80.85"),
     },
     dns.CNAME: {
         b"www.microsoft.com": dns.Record_CNAME(name="www.microsoft.com-c-3.edgekey.net.")
+    },
+    dns.PTR: {
+        b"85.80.0.10.in-addr.arpa": dns.Record_PTR(name="mqtt.nordvpn.com"),
+        b"86.80.0.10.in-addr.arpa": dns.Record_PTR(name="api.nordvpn.com"),
     }
 }
 

nat-lab/data/core_api/README.md

@@ -0,0 +1,4 @@
+# Self-Signed Certificate (SSC)
+
+This folder contains **self-signed certificate**. \
+Please note that this certificate is intended **only for testing purposes** in nat-lab environment.

nat-lab/data/core_api/rumqttd.toml

@@ -0,0 +1,22 @@
+id = 0
+
+[router]
+id = 0
+max_connections = 10010
+max_outgoing_packet_count = 200
+max_segment_size = 104857600
+max_segment_count = 10
+
+[v4.2]
+name = "v4-2"
+listen = "0.0.0.0:8883"
+next_connection_delay_ms = 10
+    [v4.2.tls]
+    certpath = "/etc/ssl/server_certificate/server.pem"
+    keypath = "/etc/ssl/server_certificate/server.pem"
+    [v4.2.connections]
+    connection_timeout_ms = 60000
+    throttle_delay_ms = 0
+    max_payload_size = 20480
+    max_inflight_count = 100
+    max_inflight_size = 1024

nat-lab/data/core_api/server.pem

@@ -0,0 +1,82 @@
+-----BEGIN CERTIFICATE-----
+MIIFETCCAvmgAwIBAgIUWhq+CsRySgcGzg328sgZKln3otYwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNKi5ub3JkdnBuLmNvbTAeFw0yNDEwMTcxMDQzMTVaFw0z
+NDEwMTUxMDQzMTVaMBgxFjAUBgNVBAMMDSoubm9yZHZwbi5jb20wggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQDUV0b6EYcUKkdZdFVibm6nChwrf4+AAIdM
+adcZi4zHfFeWohzv15w7NchxqOwBPG8RTNjinVtDNEoFWL3NEiW3Lq73t7TbmQe5
+fd/uEZYrJuovDmwxOb6EBUYKHzpAmEnjXMidMK16058/n8LhjdMJtweov/VW454B
+yuD4LxUxmcHBfENlB4fBZ8D9txsSZjNWm5UXTqBh7H1gl/tlXemRjEiuNnL5yuHx
+MhGJDeoB7vD0mPqd3iwQv63jzOFuQs2chSeu+qpDly2LSZ0yWiTSBL/pJlO6lKhP
+T2cAHmRIn8gK2Qv28ocZoombDVGju9CZ4GwCku34iDCmPla/W4bdhHv/6Lv0Oya/
+U2K4h2wF8wmzE2z/AIrktOQPJBvE/I8Qav8YE5TGrRufEf5/VZ6/p8BXLXCj3FCS
+QGmKGSa5iSqHKHsyWd4zCQkkDVKiwq/sG4dM98+ipxvJRmiij7CbOIbcxDIWqVg7
+6eRKFra6nnCeigN2Co+JWHokwqjHiSViaPJr65gK6WS3he/4QRtZ+1uvOwmm4joV
+g+cR592a7dpo7JrOiETt5ZidQ9vJIQnzFqsFZIbzlfk5Tgw3MIUsgQSvzYqARsAP
+I2WWy3cY8+vvLjkG1b5PygZW4npkG8gFqRKXQrG4h5GA9VssGNBmNwmETtk3GZTU
+XaUVSDUyrQIDAQABo1MwUTAdBgNVHQ4EFgQU515mzr6cq786S3dcqgN9oTc8XdYw
+HwYDVR0jBBgwFoAU515mzr6cq786S3dcqgN9oTc8XdYwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAgEALFKHm5rLOcmWgY+bKhw2LEG00XAEXXJfX6hL
+k6m/V1lnK2uzIofDQ2guvzCbdxGQ82tNPdmYCLX1kC8Ko18ckupfBFIGh+7XcGbl
+b4nVLkY4Zkp9nfdvvD0I1zemyNbeWrL3vHRwHdyvOmEE0GxMFxg4QvypSOvBblKA
+Ya8H9Yu2/A8DOvmu34Gt1HatVLYBuxNN7cmXv3E9v3Y/vBbcYHHeQmMOewJgoe83
+iRJg1HrUYv9mUQduRWeYLdEp6Yg6VZ6uG1ESnYuIvP8VMVh7tGIntYGqVyGZfI7p
+i3J1suBCdyrA6dmFt9F7XxMCJ1rWWfevFjH91PXDcV2HkE8BdRHtWr9hECVNYPkC
+fVHf8DZ80PK0yg8PBZHFxbXDm2hS4dyca5mDDGK0bQlXeYwA50ba0ksXTMs+Xivv
+j3IwltyWnTqZTuM1LZilNBoUhuACd8e7lu5qxnQTy7eNIp7Zr1W41EClPdMytzr0
+3CG87qLlCo+Y06XQK1jiYoYW8GScAO+Vyyz4+gh5kD8fDhmQTkvsbW1sp0qi/or3
+bHXzTMBMz0xPJY4Go4Gispk7e4zABCc+ePJZX/XkCKYXbg1GfCJTKCyY6a/CRsZH
+tWUaccfhYOu2C8BsRBSZO3RJLdOCsSI7SNdA3I3wRbx4HUeS91/Ql9ZhU0aXYcVX
+7NlGzYk=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDUV0b6EYcUKkdZ
+dFVibm6nChwrf4+AAIdMadcZi4zHfFeWohzv15w7NchxqOwBPG8RTNjinVtDNEoF
+WL3NEiW3Lq73t7TbmQe5fd/uEZYrJuovDmwxOb6EBUYKHzpAmEnjXMidMK16058/
+n8LhjdMJtweov/VW454ByuD4LxUxmcHBfENlB4fBZ8D9txsSZjNWm5UXTqBh7H1g
+l/tlXemRjEiuNnL5yuHxMhGJDeoB7vD0mPqd3iwQv63jzOFuQs2chSeu+qpDly2L
+SZ0yWiTSBL/pJlO6lKhPT2cAHmRIn8gK2Qv28ocZoombDVGju9CZ4GwCku34iDCm
+Pla/W4bdhHv/6Lv0Oya/U2K4h2wF8wmzE2z/AIrktOQPJBvE/I8Qav8YE5TGrRuf
+Ef5/VZ6/p8BXLXCj3FCSQGmKGSa5iSqHKHsyWd4zCQkkDVKiwq/sG4dM98+ipxvJ
+Rmiij7CbOIbcxDIWqVg76eRKFra6nnCeigN2Co+JWHokwqjHiSViaPJr65gK6WS3
+he/4QRtZ+1uvOwmm4joVg+cR592a7dpo7JrOiETt5ZidQ9vJIQnzFqsFZIbzlfk5
+Tgw3MIUsgQSvzYqARsAPI2WWy3cY8+vvLjkG1b5PygZW4npkG8gFqRKXQrG4h5GA
+9VssGNBmNwmETtk3GZTUXaUVSDUyrQIDAQABAoICAEBbqaQOnvHiNJjs1RpN3VTc
+kBgxA/XocxmadLsF3Gf0DHoX7YxWPcCGdxfX+pwPTJyiPZRF3Ezcsti3AmP+7ZZ9
+XEOxluv+EGTMvYvjIbA3jcAwb2NmHJPYI1fbCiVc4vw5+YYHJHV3Yat/iSoi+cVW
+h8hCUiKBP7lMW+5tGs/bSeoSdzzOUPuyLkDX+CkV99Z2tnQHfT3g10lpFyWslqfq
+LHc9ApEqSFv58G2pXXUzji2clk018wYqipJiXSs1rSsVAqeayvNMhV3TtIT35HQR
+Q3dvie4hs3fCWbYkAAIxB4keKu2wqXkAFhP8L/Pf74RMDIClNuJeqNwiRdme7Jt2
+2GgASFiE5JKtVRyNYE+sOsnsbgbU4aAl3/EtQB9CyH6hd2Ol35UJPIwyFmmA8Bie
+Ov9spMSre2g6i3OkoiNPLPB0DqQtmsmDqf785XJLY33mkMHgPnHp3inA+Yq7MfDn
+PMBCGKFWspJUN/qknjH+yELo98VSRetrWw9zchcniG+3VgG4Kj39U7UQ10l4KvWN
+FyjsqzPQf46aDlKCgFatK41Gz7IaeBDGEbjuLxJZwXjQAuzx0Bm/L3IR6aV9vyx8
+IL1P2ft+o/WegV4Wqy567xaU6698TFqRTTdzSWUomnvEBxIJWX5Em5jLoWP7VLrn
+9Z8NBu1XJ5VYXuyiLGQjAoIBAQD0ZbqOxHcmBepfE24iNVPmy1bKztgI2TLhZbMf
+NtfL5iWTLz8AtShYQC5l6iQyAvwBs71utuaUqtw9u0gRwoaNfFrdRP/M3c6z4rYI
+nL6Fo8bmGiSOD1vlpIyZTtEAqGdAOnCHLLJKh4Njb8y1Yo+37+PMCurmKO98b5w0
+QFElV9mlCHFZevrBHUkxRQRS5PRAyxiXwhhlfHtFEeEH20AiYgZ8bNxALED8d6vn
+GsVBG9xojFUC53lmfbWe00dT8y1ebvbZ+lIdqvO/kBP2KV0ct4gTQOOXh5sa4vVV
+d+NIhrgpHjRhUw71JOwMdD+TTwPwgU5lF6lZk/jvxWo8k0JrAoIBAQDea/O5HTUw
+vvdagEd7m7XwgLSqnlRLssor52H9fiHLI1j/NcvzTS4hmCCPEuK3RwTMrEYh70Cp
+t523oBXPJrLT4Q85nKqmiHR9AYk4Rq3Ln43aDHkfuZXj5Ryb8XNqYgY9uv0Z25JM
+gK+shAI3E+Mt34FKgVu/A7jbpFJN6OPDDn4nrUNNP0j8ZJqwwrbZPqSR3/IjWhvp
+JJbDpOlp36hx1OArIErvj3RF1PLvlHyeKJsB67e5coeeE/nFsJVlXGl09jjK2KoI
+Eg4+pV+SQCQ3/7QknMujJ35INHEELifLknDJc0lm4djwu8kv1cF1wOshXOM41+Pn
+rGimTNeNgRVHAoIBAF4ijOAOxoHrx2GFn2cnuUBtU+ncEBQgbNuqi3rbafVMmW5+
+xTqljHuphPWWYQiuY5jYPX/WjSv4P8q7R0An+CGpI2qU+B5V1RcunMTmcvAQrDzX
+Fvts6Q2j+s/WLuSc+OAhYlR+n9HbLn1vg57d7tN/X/OoxN+QJuZ8KuNpXpgOpXNO
+tDIuD0Ww3Q9QMSEotPf8AmX5yeHVN7nb8BxRk/tqXGsylwdUxFc6VQk4I4A3lgbi
+/p+Wvwj+JKWfZZrtUK1N+mDtbRGmViqT+UxYlFfKTWx1EvS7s7+AadTYz7+QvICB
+9NUD5AACj7UgVZiM18ycUbDYk09AkqLwHEJmyi8CggEAC/5qQBsxGRXTJNAyCppU
+70khdOngxcw4VrG9ePvqOpgHXou6Gb6ZtDoN12k/TH7J5XeMuJu8Muqx2IsLYgZG
+MmK6fXLTSPOmxG7mxWAaUxahgZaWmX1addWO+2HDxYLPr1h7+X77nqB52KWtsOaj
+o3+f6zKajexXdZCg146taYFIkD8pl+rHtsR+CvYVAhX8rdkTp5BeXO4aKyajZ5Al
+9y1xgSHWqKBltrZK+1xYc/bglPPvDlL8uSt+loh1Jegbz7DPUzDnylOe7QXh53MK
+APMK9cZ2vK+OgbpCNeV/Q9z7tAFBfgjDuAeIS8oNCpqCk2P85L3PjliftAgEv56s
+VQKCAQBjht8PMXhc63vtrHWJltkC7VBtygfucsTTrB7FQVjWcXTUWskURRGDAinG
+XpuayEUEdyGyutsWnkweqhLBdVZcwS9+o84bsL9srEygb/Gx0G8rs4UgHc3+c+/N
+crCy9wN9xVqruYK7lLUsfjt9NT90iiSgJpuI7quKJdFIh38ig2ONWz0tIN0kqP1C
+3yaEV4JgvAvDW/PXj5XTbr5OmOlx8yghN8F6jwxnWhHNKLpvIHU5m+JXkBtAu8rB
++chQNgLIhWwSwmy2h/XVRtMVoo+yA4dJZg8oPzgAF2JHDRbvaIT1KDYct2kxfvMo
+etf7Fk7VzWqsqNebsCgXUnjopQDp
+-----END PRIVATE KEY-----

nat-lab/docker-compose.yml

@@ -90,9 +90,11 @@ services:
       - "derp-03:10.0.10.3"
       - "derp-00:10.0.10.245"
       - "pmtu-probe:10.0.80.84"
+      - "api.nordvpn.com:10.0.80.86"
     volumes:
       - ../:/libtelio
       - ./data/teliod:/etc/teliod
+      - ./data/core_api/server.pem:/etc/ssl/server_certificate/server.pem
     healthcheck:
       test: "ls /ready"
   cone-client-02:
@@ -586,17 +588,20 @@ services:
   mqtt-broker:
     hostname: mqtt-broker
     image: bytebeamio/rumqttd
-    entrypoint: rumqttd -v
+    entrypoint: rumqttd -c /etc/mqtt/rumqttd.toml
     networks:
       internet:
         ipv4_address: 10.0.80.85
         ipv6_address: 2001:db8:85a4::adda:edde:a
     healthcheck:
-      test: ["CMD-SHELL", "netstat -tlnp | grep 1883 | grep LISTEN"]
+      test: ["CMD-SHELL", "netstat -tlnp | grep 8883 | grep LISTEN"]
       interval: 10s
       timeout: 5s
       retries: 5
       start_period: 5s
+    volumes:
+      - ./data/core_api/rumqttd.toml:/etc/mqtt/rumqttd.toml
+      - ./data/core_api/server.pem:/etc/ssl/server_certificate/server.pem
 
   core-api:
     hostname: core-api
@@ -605,14 +610,19 @@ services:
     environment:
       PYTHONUNBUFFERED: 1
     healthcheck:
-      test: "curl http://localhost:8080" # Here the port comes directly from the source code of api server where it is hardcoded
+      test: "curl --cacert /etc/ssl/server_certificate/server.pem https://api.nordvpn.com/v1/health"
     networks:
       internet:
         ipv4_address: 10.0.80.86
         ipv6_address: 2001:db8:85a4::adda:edde:b
     depends_on:
       mqtt-broker:
         condition: service_healthy
+    volumes:
+      - ./data/core_api/server.pem:/etc/ssl/server_certificate/server.pem
+    dns:
+      - 10.0.80.82
+      - 10.0.80.83
 
 networks:
   # Network representing public internet,

nat-lab/tests/config.py

@@ -204,3 +204,8 @@ def get_root_path(path: str) -> str:
 LIBDROP_PORT = 49111
 
 LINUX_INTERFACE_NAME = "tun10"
+
+CORE_API_URL = "https://api.nordvpn.com"
+MQTT_BROKER_HOST = "mqtt.nordvpn.com"
+MQTT_BROKER_IP = "10.0.80.85"
+CORE_API_CA_CERTIFICATE_PATH = "/etc/ssl/server_certificate/server.pem"

nat-lab/tests/helpers.py

@@ -1,5 +1,6 @@
 import asyncio
 import itertools
+import json
 import pytest
 from config import WG_SERVERS
 from contextlib import AsyncExitStack, asynccontextmanager
@@ -28,6 +29,7 @@
 )
 from utils.ping import ping
 from utils.router import IPStack
+from uuid import UUID
 
 
 @dataclass
@@ -421,3 +423,38 @@ async def ping_between_all_nodes(env: Environment) -> None:
         )
         if not client.is_node(node)
     ])
+
+
+async def send_https_request(
+    connection, endpoint, method, ca_cert_path, data=None, expect_response=True
+):
+    curl_command = [
+        "curl",
+        "--cacert",
+        ca_cert_path,
+        "-X",
+        method,
+        endpoint,
+        "-H",
+        "Content-Type: application/json",
+    ]
+
+    if data:
+        curl_command.extend(["-d", data])
+
+    process = await connection.create_process(curl_command).execute()
+    response = process.get_stdout()
+    if expect_response:
+        try:
+            return json.loads(response)
+        except json.JSONDecodeError:
+            assert False, f"Expected JSON response but got: {response}"
+    return None
+
+
+def verify_uuid(uuid_to_test, version=4):
+    try:
+        uuid_obj = UUID(uuid_to_test, version=version)
+    except ValueError:
+        assert False, "Not a valid UUID"
+    assert str(uuid_obj) == uuid_to_test, "Not a valid UUID"