From df01372f0584a6a556a510de1cd69eb6dceba8f0 Mon Sep 17 00:00:00 2001
From: Thomas Eizinger
Date: Mon, 19 Aug 2024 23:55:58 +0100
Subject: [PATCH] test(connlib): filter disabled resources before longest match (#6340)
In `connlib`, when a CIDR resource gets disabled, we remove it from the `IpNetworkTable` that does the routing for the packets. This ensures that when we check for the `longest_match` of a packet, disabled resources are not considered. In https://github.com/firezone/firezone/actions/runs/10449400486/job/28931681264?pr=6339, CI found a bug where the reference implementation in the tests diverged from this behaviour because it implements this behaviour slightly differently. To ensure we don't match against a disabled resource, we match all resources, filter out the disabled ones and then pick the one with the highest netmask which should be the most specific one.
---
 rust/connlib/tunnel/proptest-regressions/tests.txt | 1 +
 rust/connlib/tunnel/src/tests/sim_client.rs | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/rust/connlib/tunnel/proptest-regressions/tests.txt b/rust/connlib/tunnel/proptest-regressions/tests.txt
index 83b961fdf..ed8a22275 100644
--- a/rust/connlib/tunnel/proptest-regressions/tests.txt
+++ b/rust/connlib/tunnel/proptest-regressions/tests.txt
@@ -84,3 +84,4 @@ cc 28c9fbe9572e61da2342347e3e5c159f3d4a62e90f3d85d6b7911fd015845656
 cc ec2f348067458f6a7d3f2fbd1ab708a53fc27708440a3fcb6ed8557adc6db7d3
 cc 2984b737f902f82c96ffec888a624afd7117078c125822b85de908c05f8e0b4c
 cc 51ad9fe7ef585d42bd1a6369da810a5adb6d756e71aa393362e542f1560d0273
+cc b926f32ea3b2a04753bddd37be4804fd38fe35646e08507e68565883bd9fe2ed
diff --git a/rust/connlib/tunnel/src/tests/sim_client.rs b/rust/connlib/tunnel/src/tests/sim_client.rs
index d4e46a254..f7521cbc2 100644
--- a/rust/connlib/tunnel/src/tests/sim_client.rs
+++ b/rust/connlib/tunnel/src/tests/sim_client.rs
@@ -566,10 +566,13 @@ impl RefClient {
 }
 pub(crate) fn cidr_resource_by_ip(&self, ip: IpAddr) -> Option {
+ // Manually implement `longest_match` because we need to filter disabled resources _before_ we match.
 self.cidr_resources
- .longest_match(ip)
+ .matches(ip)
+ .filter(|(_, r)| !self.disabled_resources.contains(&r.id))
+ .sorted_by(|(n1, _), (n2, _)| n1.netmask().cmp(&n2.netmask()).reverse()) // Highest netmask is most specific.
+ .next()
 .map(|(_, r)| r.id)
- .filter(|id| !self.disabled_resources.contains(id))
 }
 pub(crate) fn resolved_ip4_for_non_resources(
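Review bot: The `.sorted_by(...)` plus `.next()` pair on the new side of `cidr_resource_by_ip` materialises and sorts every match only to keep the first, where the std `max_by_key` states "most specific match" directly and needs no itertools: replace those two lines with `.max_by_key(|(n, _)| n.netmask()) // Highest netmask is most specific.`. Both forms select the same entry as long as `cidr_resources` holds at most one entry per network, which a table keyed by network should guarantee; if duplicates were ever possible, `max_by_key` returns the last maximum rather than the first, so that assumption is worth stating in the comment. Running the `disabled_resources` filter before the selection is the right order for the oracle, since a disabled more-specific resource must not shadow an enabled less-specific one when the test model decides where a packet is routed. The surrounding `impl RefClient` block begins and ends outside the hunk.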