# This is a distributed test of the Network Address Translation involving a topology
# with a router inbetween three separate virtual networks:
# - "external" -- i.e. the internet,
# - "internal" -- i.e. an office LAN,
#
# This test puts one server on each of those networks and its primary goal is to ensure that:
# - server (named client in the code) in internal network can reach server (named server in the code) on the external network,
# - server in external network can not reach server in internal network (skipped in some cases),
# - when using externalIP, only the specified IP is used for NAT,
# - port forwarding functionality behaves correctly
#
# The client is behind the nat (read: protected by the nat) and the server is on the external network, attempting to access services behind the NAT.

import ./make-test-python.nix (
  {
    pkgs,
    lib,
    withFirewall ? false,
    nftables ? false,
    ...
  }:
  let
    unit = if nftables then "nftables" else (if withFirewall then "firewall" else "nat");

    routerAlternativeExternalIp = "192.168.2.234";

    makeNginxConfig = hostname: {
      enable = true;
      virtualHosts."${hostname}" = {
        root = "/etc";
        locations."/".index = "hostname";
        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
          {
            addr = "0.0.0.0";
            port = 8080;
          }
        ];
      };
    };

    makeCommonConfig = hostname: {
      services.nginx = makeNginxConfig hostname;
      services.vsftpd = {
        enable = true;
        anonymousUser = true;
        localRoot = "/etc/";
        extraConfig = ''
          pasv_min_port=51000
          pasv_max_port=51999
        '';
      };

      # Disable eth0 autoconfiguration
      networking.useDHCP = false;

      environment.systemPackages = [
        (pkgs.writeScriptBin "check-connection" ''
          #!/usr/bin/env bash

          set -e

          if [[ "$2" == "" || "$3" == "" || "$1" == "--help" || "$1" == "-h" ]];
          then
              echo "check-connection <target-address> <target-hostname> <[expect-success|expect-failure]>"
              exit 1
          fi

          ADDRESS="$1"
          HOSTNAME="$2"

          function test_icmp() { timeout 3 ping -c 1 $ADDRESS; }
          function test_http() { [[ `timeout 3 curl $ADDRESS` == "$HOSTNAME" ]]; }
          function test_ftp() { timeout 3 curl ftp://$ADDRESS; }

          if [[ "$3" == "expect-success" ]];
          then
              test_icmp; test_http; test_ftp
          else
              ! test_icmp; ! test_http; ! test_ftp
          fi
        '')
        (pkgs.writeScriptBin "check-last-clients-ip" ''
          #!/usr/bin/env bash
          set -e

          [[ `cat /var/log/nginx/access.log | tail -n1 | awk '{print $1}'` == "$1" ]]
        '')
      ];
    };

  in
  # VLANS:
  # 1 -- simulates the internal network
  # 2 -- simulates the external network
  {
    name =
      "nat"
      + (lib.optionalString nftables "Nftables")
      + (if withFirewall then "WithFirewall" else "Standalone");
    meta = with pkgs.lib.maintainers; {
      maintainers = [
        tne
        rob
      ];
    };

    nodes = {
      client =
        { pkgs, nodes, ... }:
        lib.mkMerge [
          (makeCommonConfig "client")
          {
            virtualisation.vlans = [ 1 ];
            networking.defaultGateway =
              (pkgs.lib.head nodes.router.networking.interfaces.eth1.ipv4.addresses).address;
            networking.nftables.enable = nftables;
            networking.firewall.enable = false;
          }
        ];

      router =
        { nodes, ... }:
        lib.mkMerge [
          (makeCommonConfig "router")
          {
            virtualisation.vlans = [
              1
              2
            ];
            networking.firewall = {
              enable = withFirewall;
              filterForward = nftables;
              allowedTCPPorts = [
                21
                80
                8080
              ];
              # For FTP passive mode
              allowedTCPPortRanges = [
                {
                  from = 51000;
                  to = 51999;
                }
              ];
            };
            networking.nftables.enable = nftables;
            networking.nat =
              let
                clientIp = (pkgs.lib.head nodes.client.networking.interfaces.eth1.ipv4.addresses).address;
                serverIp = (pkgs.lib.head nodes.router.networking.interfaces.eth2.ipv4.addresses).address;
              in
              {
                enable = true;
                internalIPs = [ "${clientIp}/24" ];
                # internalInterfaces = [ "eth1" ];
                externalInterface = "eth2";
                externalIP = serverIp;

                forwardPorts = [
                  {
                    destination = "${clientIp}:8080";
                    proto = "tcp";
                    sourcePort = 8080;

                    loopbackIPs = [ serverIp ];
                  }
                ];
              };

            networking.interfaces.eth2.ipv4.addresses = lib.mkOrder 10000 [
              {
                address = routerAlternativeExternalIp;
                prefixLength = 24;
              }
            ];

            services.nginx.virtualHosts.router.listen = lib.mkOrder (-1) [
              {
                addr = routerAlternativeExternalIp;
                port = 8080;
              }
            ];

            specialisation.no-nat.configuration = {
              networking.nat.enable = lib.mkForce false;
            };
          }
        ];

      server =
        { nodes, ... }:
        lib.mkMerge [
          (makeCommonConfig "server")
          {
            virtualisation.vlans = [ 2 ];
            networking.firewall.enable = false;

            networking.defaultGateway =
              (pkgs.lib.head nodes.router.networking.interfaces.eth2.ipv4.addresses).address;
          }
        ];
    };

    testScript =
      { nodes, ... }:
      let
        clientIp = (pkgs.lib.head nodes.client.networking.interfaces.eth1.ipv4.addresses).address;
        serverIp = (pkgs.lib.head nodes.server.networking.interfaces.eth1.ipv4.addresses).address;
        routerIp = (pkgs.lib.head nodes.router.networking.interfaces.eth2.ipv4.addresses).address;
      in
      ''
        def wait_for_machine(m):
          m.wait_for_unit("network.target")
          m.wait_for_unit("nginx.service")

        client.start()
        router.start()
        server.start()

        wait_for_machine(router)
        wait_for_machine(client)
        wait_for_machine(server)

        # We assume we are isolated from layer 2 attacks or are securely configured (like disabling forwarding by default)
        # Relevant moby issue describing the problem allowing bypassing of NAT: https://github.com/moby/moby/issues/14041
        ${lib.optionalString (!nftables) ''
          router.succeed("iptables -P FORWARD DROP")
        ''}

        # Sanity checks.
        ## The router should have direct access to the server
        router.succeed("check-connection ${serverIp} server expect-success")
        ## The server should have direct access to the router
        server.succeed("check-connection ${routerIp} router expect-success")

        # The client should be also able to connect via the NAT router...
        client.succeed("check-connection ${serverIp} server expect-success")
        # ... but its IP should be rewritten to be that of the router.
        server.succeed("check-last-clients-ip ${routerIp}")

        # Active FTP (where the FTP server connects back to us via a random port) should work directly...
        router.succeed("timeout 3 curl -P eth2:51000-51999 ftp://${serverIp}")
        # ... but not from behind NAT.
        client.fail("timeout 3 curl -P eth1:51000-51999 ftp://${serverIp};")

        # If using nftables without firewall, filterForward can't be used and L2 security can't easily be simulated like with iptables, skipping.
        # See moby github issue mentioned above.
        ${lib.optionalString (nftables && withFirewall) ''
          # The server should not be able to reach the client directly...
          server.succeed("check-connection ${clientIp} client expect-failure")
        ''}
        # ... but the server should be able to reach a port forwarded address of the client
        server.succeed('[[ `timeout 3 curl http://${routerIp}:8080` == "client" ]]')
        # The IP address the client sees should not be rewritten to be that of the router (#277016)
        client.succeed("check-last-clients-ip ${serverIp}")

        # But this forwarded port shouldn't intercept communication with
        # other IPs than externalIp.
        server.succeed('[[ `timeout 3 curl http://${routerAlternativeExternalIp}:8080` == "router" ]]')

        # The loopback should allow the router itself to access the forwarded port
        # Note: The reason we use routerIp here is because only routerIp is listed for reflection in networking.nat.forwardPorts.loopbackIPs
        # The purpose of loopbackIPs is to allow things inside of the NAT to for example access their own public domain when a service has to make a request
        #   to itself/another service on the same NAT through a public address
        router.succeed('[[ `timeout 3 curl http://${routerIp}:8080` == "client" ]]')
        # The loopback should also allow the client to access its own forwarded port
        client.succeed('[[ `timeout 3 curl http://${routerIp}:8080` == "client" ]]')

        # If we turn off NAT, nothing should work
        router.succeed(
            "systemctl stop ${unit}.service"
        )

        # If using nftables and firewall, this makes no sense. We deactivated the firewall after all,
        # so we are once again affected by the same issue as the moby github issue mentioned above.
        # If using nftables without firewall, filterForward can't be used and L2 security can't easily be simulated like with iptables, skipping.
        # See moby github issue mentioned above.
        ${lib.optionalString (!nftables) ''
          client.succeed("check-connection ${serverIp} server expect-failure")
          server.succeed("check-connection ${clientIp} client expect-failure")
        ''}
        # These should revert to their pre-NATed versions
        server.succeed('[[ `timeout 3 curl http://${routerIp}:8080` == "router" ]]')
        router.succeed('[[ `timeout 3 curl http://${routerIp}:8080` == "router" ]]')

        # Reverse the effect of nat stop
        router.succeed(
            "systemctl start ${unit}.service"
          )

        # Switch to a config without NAT at all, again nothing should work
        router.succeed(
            "/run/booted-system/specialisation/no-nat/bin/switch-to-configuration test 2>&1"
        )

        # If using nftables without firewall, filterForward can't be used and L2 security can't easily be simulated like with iptables, skipping.
        # See moby github issue mentioned above.
        ${lib.optionalString (nftables && withFirewall) ''
          client.succeed("check-connection ${serverIp} server expect-failure")
          server.succeed("check-connection ${clientIp} client expect-failure")
        ''}

        # These should revert to their pre-NATed versions
        server.succeed('[[ `timeout 3 curl http://${routerIp}:8080` == "router" ]]')
        router.succeed('[[ `timeout 3 curl http://${routerIp}:8080` == "router" ]]')
      '';
  }
)