Halaman utama Jelajahi Bantuan
Masuk
yosoyhendrix
/
psiphon-tunnel-core
1
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Pohon: 1d1bb244ee
Ranting Tag
psiphon-tunnel-...
/
psiphon
/
server
/
server_test.go

server_test.go 68 KB
Riwayat Mentahan

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426 
  1. /*
    2. 

  2.  * Copyright (c) 2016, Psiphon Inc.
    3. 

  3.  * All rights reserved.
    4. 

  4.  *
    5. 

  5.  * This program is free software: you can redistribute it and/or modify
    6. 

  6.  * it under the terms of the GNU General Public License as published by
    7. 

  7.  * the Free Software Foundation, either version 3 of the License, or
    8. 

  8.  * (at your option) any later version.
    9. 

  9.  *
    10. 

  10.  * This program is distributed in the hope that it will be useful,
    11. 

  11.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13. 

  13.  * GNU General Public License for more details.
    14. 

  14.  *
    15. 

  15.  * You should have received a copy of the GNU General Public License
    16. 

  16.  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17. 

  17.  *
    18. 

  18.  */
    19. 

  19. 

  20. package server
    21. 

  21. 

  22. import (
    23. 

  23. 	"context"
    24. 

  24. 	"encoding/base64"
    25. 

  25. 	"encoding/json"
    26. 

  26. 	"errors"
    27. 

  27. 	"flag"
    28. 

  28. 	"fmt"
    29. 

  29. 	"io/ioutil"
    30. 

  30. 	"net"
    31. 

  31. 	"net/http"
    32. 

  32. 	"net/url"
    33. 

  33. 	"os"
    34. 

  34. 	"path/filepath"
    35. 

  35. 	"strconv"
    36. 

  36. 	"strings"
    37. 

  37. 	"sync"
    38. 

  38. 	"syscall"
    39. 

  39. 	"testing"
    40. 

  40. 	"time"
    41. 

  41. 

  42. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon"
    43. 

  43. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common"
    44. 

  44. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/accesscontrol"
    45. 

  45. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/marionette"
    46. 

  46. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/parameters"
    47. 

  47. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/prng"
    48. 

  48. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/protocol"
    49. 

  49. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/quic"
    50. 

  50. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/tactics"
    51. 

  51. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/values"
    52. 

  52. 	"golang.org/x/net/proxy"
    53. 

  53. )
    54. 

  54. 

  55. var serverIPAddress, testDataDirName string
    56. 

  56. var mockWebServerURL, mockWebServerExpectedResponse string
    57. 

  57. var mockWebServerPort = 8080
    58. 

  58. 

  59. func TestMain(m *testing.M) {
    60. 

  60. 	flag.Parse()
    61. 

  61. 

  62. 	serverIPv4Address, serverIPv6Address, err := common.GetRoutableInterfaceIPAddresses()
    63. 

  63. 	if err != nil {
    64. 

  64. 		fmt.Printf("error getting server IP address: %s\n", err)
    65. 

  65. 		os.Exit(1)
    66. 

  66. 	}
    67. 

  67. 	if serverIPv4Address != nil {
    68. 

  68. 		serverIPAddress = serverIPv4Address.String()
    69. 

  69. 	} else {
    70. 

  70. 		serverIPAddress = serverIPv6Address.String()
    71. 

  71. 	}
    72. 

  72. 

  73. 	testDataDirName, err = ioutil.TempDir("", "psiphon-server-test")
    74. 

  74. 	if err != nil {
    75. 

  75. 		fmt.Printf("TempDir failed: %s\n", err)
    76. 

  76. 		os.Exit(1)
    77. 

  77. 	}
    78. 

  78. 	defer os.RemoveAll(testDataDirName)
    79. 

  79. 

  80. 	psiphon.SetEmitDiagnosticNotices(true, true)
    81. 

  81. 

  82. 	mockWebServerURL, mockWebServerExpectedResponse = runMockWebServer()
    83. 

  83. 

  84. 	os.Exit(m.Run())
    85. 

  85. }
    86. 

  86. 

  87. func runMockWebServer() (string, string) {
    88. 

  88. 

  89. 	responseBody := prng.HexString(100000)
    90. 

  90. 

  91. 	serveMux := http.NewServeMux()
    92. 

  92. 	serveMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
    93. 

  93. 		w.Write([]byte(responseBody))
    94. 

  94. 	})
    95. 

  95. 	webServerAddress := fmt.Sprintf("%s:%d", serverIPAddress, mockWebServerPort)
    96. 

  96. 	server := &http.Server{
    97. 

  97. 		Addr:    webServerAddress,
    98. 

  98. 		Handler: serveMux,
    99. 

  99. 	}
    100. 

  100. 

  101. 	go func() {
    102. 

  102. 		err := server.ListenAndServe()
    103. 

  103. 		if err != nil {
    104. 

  104. 			fmt.Printf("error running mock web server: %s\n", err)
    105. 

  105. 			os.Exit(1)
    106. 

  106. 		}
    107. 

  107. 	}()
    108. 

  108. 

  109. 	// TODO: properly synchronize with web server readiness
    110. 

  110. 	time.Sleep(1 * time.Second)
    111. 

  111. 

  112. 	return fmt.Sprintf("http://%s/", webServerAddress), responseBody
    113. 

  113. }
    114. 

  114. 

  115. // Note: not testing fronted meek protocols, which client is
    116. 

  116. // hard-wired to expect running on privileged ports 80 and 443.
    117. 

  117. 

  118. func TestSSH(t *testing.T) {
    119. 

  119. 	runServer(t,
    120. 

  120. 		&runServerConfig{
    121. 

  121. 			tunnelProtocol:       "SSH",
    122. 

  122. 			enableSSHAPIRequests: true,
    123. 

  123. 			doHotReload:          false,
    124. 

  124. 			doDefaultSponsorID:   false,
    125. 

  125. 			denyTrafficRules:     false,
    126. 

  126. 			requireAuthorization: true,
    127. 

  127. 			omitAuthorization:    false,
    128. 

  128. 			doTunneledWebRequest: true,
    129. 

  129. 			doTunneledNTPRequest: true,
    130. 

  130. 			forceFragmenting:     false,
    131. 

  131. 			forceLivenessTest:    false,
    132. 

  132. 			doPruneServerEntries: false,
    133. 

  133. 			doDanglingTCPConn:    true,
    134. 

  134. 			doPacketManipulation: false,
    135. 

  135. 		})
    136. 

  136. }
    137. 

  137. 

  138. func TestOSSH(t *testing.T) {
    139. 

  139. 	runServer(t,
    140. 

  140. 		&runServerConfig{
    141. 

  141. 			tunnelProtocol:       "OSSH",
    142. 

  142. 			enableSSHAPIRequests: true,
    143. 

  143. 			doHotReload:          false,
    144. 

  144. 			doDefaultSponsorID:   false,
    145. 

  145. 			denyTrafficRules:     false,
    146. 

  146. 			requireAuthorization: true,
    147. 

  147. 			omitAuthorization:    false,
    148. 

  148. 			doTunneledWebRequest: true,
    149. 

  149. 			doTunneledNTPRequest: true,
    150. 

  150. 			forceFragmenting:     false,
    151. 

  151. 			forceLivenessTest:    false,
    152. 

  152. 			doPruneServerEntries: false,
    153. 

  153. 			doDanglingTCPConn:    true,
    154. 

  154. 			doPacketManipulation: false,
    155. 

  155. 		})
    156. 

  156. }
    157. 

  157. 

  158. func TestFragmentedOSSH(t *testing.T) {
    159. 

  159. 	runServer(t,
    160. 

  160. 		&runServerConfig{
    161. 

  161. 			tunnelProtocol:       "OSSH",
    162. 

  162. 			enableSSHAPIRequests: true,
    163. 

  163. 			doHotReload:          false,
    164. 

  164. 			doDefaultSponsorID:   false,
    165. 

  165. 			denyTrafficRules:     false,
    166. 

  166. 			requireAuthorization: true,
    167. 

  167. 			omitAuthorization:    false,
    168. 

  168. 			doTunneledWebRequest: true,
    169. 

  169. 			doTunneledNTPRequest: true,
    170. 

  170. 			forceFragmenting:     true,
    171. 

  171. 			forceLivenessTest:    false,
    172. 

  172. 			doPruneServerEntries: false,
    173. 

  173. 			doDanglingTCPConn:    true,
    174. 

  174. 			doPacketManipulation: false,
    175. 

  175. 		})
    176. 

  176. }
    177. 

  177. 

  178. func TestUnfrontedMeek(t *testing.T) {
    179. 

  179. 	runServer(t,
    180. 

  180. 		&runServerConfig{
    181. 

  181. 			tunnelProtocol:       "UNFRONTED-MEEK-OSSH",
    182. 

  182. 			enableSSHAPIRequests: true,
    183. 

  183. 			doHotReload:          false,
    184. 

  184. 			doDefaultSponsorID:   false,
    185. 

  185. 			denyTrafficRules:     false,
    186. 

  186. 			requireAuthorization: true,
    187. 

  187. 			omitAuthorization:    false,
    188. 

  188. 			doTunneledWebRequest: true,
    189. 

  189. 			doTunneledNTPRequest: true,
    190. 

  190. 			forceFragmenting:     false,
    191. 

  191. 			forceLivenessTest:    false,
    192. 

  192. 			doPruneServerEntries: false,
    193. 

  193. 			doDanglingTCPConn:    true,
    194. 

  194. 			doPacketManipulation: false,
    195. 

  195. 		})
    196. 

  196. }
    197. 

  197. 

  198. func TestUnfrontedMeekHTTPS(t *testing.T) {
    199. 

  199. 	runServer(t,
    200. 

  200. 		&runServerConfig{
    201. 

  201. 			tunnelProtocol:       "UNFRONTED-MEEK-HTTPS-OSSH",
    202. 

  202. 			tlsProfile:           protocol.TLS_PROFILE_RANDOMIZED,
    203. 

  203. 			enableSSHAPIRequests: true,
    204. 

  204. 			doHotReload:          false,
    205. 

  205. 			doDefaultSponsorID:   false,
    206. 

  206. 			denyTrafficRules:     false,
    207. 

  207. 			requireAuthorization: true,
    208. 

  208. 			omitAuthorization:    false,
    209. 

  209. 			doTunneledWebRequest: true,
    210. 

  210. 			doTunneledNTPRequest: true,
    211. 

  211. 			forceFragmenting:     false,
    212. 

  212. 			forceLivenessTest:    false,
    213. 

  213. 			doPruneServerEntries: false,
    214. 

  214. 			doDanglingTCPConn:    true,
    215. 

  215. 			doPacketManipulation: false,
    216. 

  216. 		})
    217. 

  217. }
    218. 

  218. 

  219. func TestUnfrontedMeekHTTPSTLS13(t *testing.T) {
    220. 

  220. 	runServer(t,
    221. 

  221. 		&runServerConfig{
    222. 

  222. 			tunnelProtocol:       "UNFRONTED-MEEK-HTTPS-OSSH",
    223. 

  223. 			tlsProfile:           protocol.TLS_PROFILE_CHROME_70,
    224. 

  224. 			enableSSHAPIRequests: true,
    225. 

  225. 			doHotReload:          false,
    226. 

  226. 			doDefaultSponsorID:   false,
    227. 

  227. 			denyTrafficRules:     false,
    228. 

  228. 			requireAuthorization: true,
    229. 

  229. 			omitAuthorization:    false,
    230. 

  230. 			doTunneledWebRequest: true,
    231. 

  231. 			doTunneledNTPRequest: true,
    232. 

  232. 			forceFragmenting:     false,
    233. 

  233. 			forceLivenessTest:    false,
    234. 

  234. 			doPruneServerEntries: false,
    235. 

  235. 			doDanglingTCPConn:    true,
    236. 

  236. 			doPacketManipulation: false,
    237. 

  237. 		})
    238. 

  238. }
    239. 

  239. 

  240. func TestUnfrontedMeekSessionTicket(t *testing.T) {
    241. 

  241. 	runServer(t,
    242. 

  242. 		&runServerConfig{
    243. 

  243. 			tunnelProtocol:       "UNFRONTED-MEEK-SESSION-TICKET-OSSH",
    244. 

  244. 			tlsProfile:           protocol.TLS_PROFILE_CHROME_58,
    245. 

  245. 			enableSSHAPIRequests: true,
    246. 

  246. 			doHotReload:          false,
    247. 

  247. 			doDefaultSponsorID:   false,
    248. 

  248. 			denyTrafficRules:     false,
    249. 

  249. 			requireAuthorization: true,
    250. 

  250. 			omitAuthorization:    false,
    251. 

  251. 			doTunneledWebRequest: true,
    252. 

  252. 			doTunneledNTPRequest: true,
    253. 

  253. 			forceFragmenting:     false,
    254. 

  254. 			forceLivenessTest:    false,
    255. 

  255. 			doPruneServerEntries: false,
    256. 

  256. 			doDanglingTCPConn:    true,
    257. 

  257. 			doPacketManipulation: false,
    258. 

  258. 		})
    259. 

  259. }
    260. 

  260. 

  261. func TestUnfrontedMeekSessionTicketTLS13(t *testing.T) {
    262. 

  262. 	runServer(t,
    263. 

  263. 		&runServerConfig{
    264. 

  264. 			tunnelProtocol:       "UNFRONTED-MEEK-SESSION-TICKET-OSSH",
    265. 

  265. 			tlsProfile:           protocol.TLS_PROFILE_CHROME_70,
    266. 

  266. 			enableSSHAPIRequests: true,
    267. 

  267. 			doHotReload:          false,
    268. 

  268. 			doDefaultSponsorID:   false,
    269. 

  269. 			denyTrafficRules:     false,
    270. 

  270. 			requireAuthorization: true,
    271. 

  271. 			omitAuthorization:    false,
    272. 

  272. 			doTunneledWebRequest: true,
    273. 

  273. 			doTunneledNTPRequest: true,
    274. 

  274. 			forceFragmenting:     false,
    275. 

  275. 			forceLivenessTest:    false,
    276. 

  276. 			doPruneServerEntries: false,
    277. 

  277. 			doDanglingTCPConn:    true,
    278. 

  278. 			doPacketManipulation: false,
    279. 

  279. 		})
    280. 

  280. }
    281. 

  281. 

  282. func TestQUICOSSH(t *testing.T) {
    283. 

  283. 	if !quic.Enabled() {
    284. 

  284. 		t.Skip("QUIC is not enabled")
    285. 

  285. 	}
    286. 

  286. 	runServer(t,
    287. 

  287. 		&runServerConfig{
    288. 

  288. 			tunnelProtocol:       "QUIC-OSSH",
    289. 

  289. 			enableSSHAPIRequests: true,
    290. 

  290. 			doHotReload:          false,
    291. 

  291. 			doDefaultSponsorID:   false,
    292. 

  292. 			denyTrafficRules:     false,
    293. 

  293. 			requireAuthorization: true,
    294. 

  294. 			omitAuthorization:    false,
    295. 

  295. 			doTunneledWebRequest: true,
    296. 

  296. 			doTunneledNTPRequest: true,
    297. 

  297. 			forceFragmenting:     false,
    298. 

  298. 			forceLivenessTest:    false,
    299. 

  299. 			doPruneServerEntries: false,
    300. 

  300. 			doDanglingTCPConn:    false,
    301. 

  301. 			doPacketManipulation: false,
    302. 

  302. 		})
    303. 

  303. }
    304. 

  304. 

  305. func TestMarionetteOSSH(t *testing.T) {
    306. 

  306. 	if !marionette.Enabled() {
    307. 

  307. 		t.Skip("Marionette is not enabled")
    308. 

  308. 	}
    309. 

  309. 	runServer(t,
    310. 

  310. 		&runServerConfig{
    311. 

  311. 			tunnelProtocol:       "MARIONETTE-OSSH",
    312. 

  312. 			enableSSHAPIRequests: true,
    313. 

  313. 			doHotReload:          false,
    314. 

  314. 			doDefaultSponsorID:   false,
    315. 

  315. 			denyTrafficRules:     false,
    316. 

  316. 			requireAuthorization: true,
    317. 

  317. 			omitAuthorization:    false,
    318. 

  318. 			doTunneledWebRequest: true,
    319. 

  319. 			doTunneledNTPRequest: true,
    320. 

  320. 			forceFragmenting:     false,
    321. 

  321. 			forceLivenessTest:    false,
    322. 

  322. 			doPruneServerEntries: false,
    323. 

  323. 			doDanglingTCPConn:    false,
    324. 

  324. 			doPacketManipulation: false,
    325. 

  325. 		})
    326. 

  326. }
    327. 

  327. 

  328. func TestWebTransportAPIRequests(t *testing.T) {
    329. 

  329. 	runServer(t,
    330. 

  330. 		&runServerConfig{
    331. 

  331. 			tunnelProtocol:       "OSSH",
    332. 

  332. 			enableSSHAPIRequests: false,
    333. 

  333. 			doHotReload:          false,
    334. 

  334. 			doDefaultSponsorID:   false,
    335. 

  335. 			denyTrafficRules:     false,
    336. 

  336. 			requireAuthorization: false,
    337. 

  337. 			omitAuthorization:    true,
    338. 

  338. 			doTunneledWebRequest: true,
    339. 

  339. 			doTunneledNTPRequest: true,
    340. 

  340. 			forceFragmenting:     false,
    341. 

  341. 			forceLivenessTest:    false,
    342. 

  342. 			doPruneServerEntries: false,
    343. 

  343. 			doDanglingTCPConn:    false,
    344. 

  344. 			doPacketManipulation: false,
    345. 

  345. 		})
    346. 

  346. }
    347. 

  347. 

  348. func TestHotReload(t *testing.T) {
    349. 

  349. 	runServer(t,
    350. 

  350. 		&runServerConfig{
    351. 

  351. 			tunnelProtocol:       "OSSH",
    352. 

  352. 			enableSSHAPIRequests: true,
    353. 

  353. 			doHotReload:          true,
    354. 

  354. 			doDefaultSponsorID:   false,
    355. 

  355. 			denyTrafficRules:     false,
    356. 

  356. 			requireAuthorization: true,
    357. 

  357. 			omitAuthorization:    false,
    358. 

  358. 			doTunneledWebRequest: true,
    359. 

  359. 			doTunneledNTPRequest: true,
    360. 

  360. 			forceFragmenting:     false,
    361. 

  361. 			forceLivenessTest:    false,
    362. 

  362. 			doPruneServerEntries: false,
    363. 

  363. 			doDanglingTCPConn:    false,
    364. 

  364. 			doPacketManipulation: false,
    365. 

  365. 		})
    366. 

  366. }
    367. 

  367. 

  368. func TestDefaultSponsorID(t *testing.T) {
    369. 

  369. 	runServer(t,
    370. 

  370. 		&runServerConfig{
    371. 

  371. 			tunnelProtocol:       "OSSH",
    372. 

  372. 			enableSSHAPIRequests: true,
    373. 

  373. 			doHotReload:          true,
    374. 

  374. 			doDefaultSponsorID:   true,
    375. 

  375. 			denyTrafficRules:     false,
    376. 

  376. 			requireAuthorization: true,
    377. 

  377. 			omitAuthorization:    false,
    378. 

  378. 			doTunneledWebRequest: true,
    379. 

  379. 			doTunneledNTPRequest: true,
    380. 

  380. 			forceFragmenting:     false,
    381. 

  381. 			forceLivenessTest:    false,
    382. 

  382. 			doPruneServerEntries: false,
    383. 

  383. 			doDanglingTCPConn:    false,
    384. 

  384. 			doPacketManipulation: false,
    385. 

  385. 		})
    386. 

  386. }
    387. 

  387. 

  388. func TestDenyTrafficRules(t *testing.T) {
    389. 

  389. 	runServer(t,
    390. 

  390. 		&runServerConfig{
    391. 

  391. 			tunnelProtocol:       "OSSH",
    392. 

  392. 			enableSSHAPIRequests: true,
    393. 

  393. 			doHotReload:          true,
    394. 

  394. 			doDefaultSponsorID:   false,
    395. 

  395. 			denyTrafficRules:     true,
    396. 

  396. 			requireAuthorization: true,
    397. 

  397. 			omitAuthorization:    false,
    398. 

  398. 			doTunneledWebRequest: true,
    399. 

  399. 			doTunneledNTPRequest: true,
    400. 

  400. 			forceFragmenting:     false,
    401. 

  401. 			forceLivenessTest:    false,
    402. 

  402. 			doPruneServerEntries: false,
    403. 

  403. 			doDanglingTCPConn:    false,
    404. 

  404. 			doPacketManipulation: false,
    405. 

  405. 		})
    406. 

  406. }
    407. 

  407. 

  408. func TestOmitAuthorization(t *testing.T) {
    409. 

  409. 	runServer(t,
    410. 

  410. 		&runServerConfig{
    411. 

  411. 			tunnelProtocol:       "OSSH",
    412. 

  412. 			enableSSHAPIRequests: true,
    413. 

  413. 			doHotReload:          true,
    414. 

  414. 			doDefaultSponsorID:   false,
    415. 

  415. 			denyTrafficRules:     false,
    416. 

  416. 			requireAuthorization: true,
    417. 

  417. 			omitAuthorization:    true,
    418. 

  418. 			doTunneledWebRequest: true,
    419. 

  419. 			doTunneledNTPRequest: true,
    420. 

  420. 			forceFragmenting:     false,
    421. 

  421. 			forceLivenessTest:    false,
    422. 

  422. 			doPruneServerEntries: false,
    423. 

  423. 			doDanglingTCPConn:    false,
    424. 

  424. 			doPacketManipulation: false,
    425. 

  425. 		})
    426. 

  426. }
    427. 

  427. 

  428. func TestNoAuthorization(t *testing.T) {
    429. 

  429. 	runServer(t,
    430. 

  430. 		&runServerConfig{
    431. 

  431. 			tunnelProtocol:       "OSSH",
    432. 

  432. 			enableSSHAPIRequests: true,
    433. 

  433. 			doHotReload:          true,
    434. 

  434. 			doDefaultSponsorID:   false,
    435. 

  435. 			denyTrafficRules:     false,
    436. 

  436. 			requireAuthorization: false,
    437. 

  437. 			omitAuthorization:    true,
    438. 

  438. 			doTunneledWebRequest: true,
    439. 

  439. 			doTunneledNTPRequest: true,
    440. 

  440. 			forceFragmenting:     false,
    441. 

  441. 			forceLivenessTest:    false,
    442. 

  442. 			doPruneServerEntries: false,
    443. 

  443. 			doDanglingTCPConn:    false,
    444. 

  444. 			doPacketManipulation: false,
    445. 

  445. 		})
    446. 

  446. }
    447. 

  447. 

  448. func TestUnusedAuthorization(t *testing.T) {
    449. 

  449. 	runServer(t,
    450. 

  450. 		&runServerConfig{
    451. 

  451. 			tunnelProtocol:       "OSSH",
    452. 

  452. 			enableSSHAPIRequests: true,
    453. 

  453. 			doHotReload:          true,
    454. 

  454. 			doDefaultSponsorID:   false,
    455. 

  455. 			denyTrafficRules:     false,
    456. 

  456. 			requireAuthorization: false,
    457. 

  457. 			omitAuthorization:    false,
    458. 

  458. 			doTunneledWebRequest: true,
    459. 

  459. 			doTunneledNTPRequest: true,
    460. 

  460. 			forceFragmenting:     false,
    461. 

  461. 			forceLivenessTest:    false,
    462. 

  462. 			doPruneServerEntries: false,
    463. 

  463. 			doDanglingTCPConn:    false,
    464. 

  464. 			doPacketManipulation: false,
    465. 

  465. 		})
    466. 

  466. }
    467. 

  467. 

  468. func TestTCPOnlySLOK(t *testing.T) {
    469. 

  469. 	runServer(t,
    470. 

  470. 		&runServerConfig{
    471. 

  471. 			tunnelProtocol:       "OSSH",
    472. 

  472. 			enableSSHAPIRequests: true,
    473. 

  473. 			doHotReload:          false,
    474. 

  474. 			doDefaultSponsorID:   false,
    475. 

  475. 			denyTrafficRules:     false,
    476. 

  476. 			requireAuthorization: true,
    477. 

  477. 			omitAuthorization:    false,
    478. 

  478. 			doTunneledWebRequest: true,
    479. 

  479. 			doTunneledNTPRequest: false,
    480. 

  480. 			forceFragmenting:     false,
    481. 

  481. 			forceLivenessTest:    false,
    482. 

  482. 			doPruneServerEntries: false,
    483. 

  483. 			doDanglingTCPConn:    false,
    484. 

  484. 			doPacketManipulation: false,
    485. 

  485. 		})
    486. 

  486. }
    487. 

  487. 

  488. func TestUDPOnlySLOK(t *testing.T) {
    489. 

  489. 	runServer(t,
    490. 

  490. 		&runServerConfig{
    491. 

  491. 			tunnelProtocol:       "OSSH",
    492. 

  492. 			enableSSHAPIRequests: true,
    493. 

  493. 			doHotReload:          false,
    494. 

  494. 			doDefaultSponsorID:   false,
    495. 

  495. 			denyTrafficRules:     false,
    496. 

  496. 			requireAuthorization: true,
    497. 

  497. 			omitAuthorization:    false,
    498. 

  498. 			doTunneledWebRequest: false,
    499. 

  499. 			doTunneledNTPRequest: true,
    500. 

  500. 			forceFragmenting:     false,
    501. 

  501. 			forceLivenessTest:    false,
    502. 

  502. 			doPruneServerEntries: false,
    503. 

  503. 			doDanglingTCPConn:    false,
    504. 

  504. 			doPacketManipulation: false,
    505. 

  505. 		})
    506. 

  506. }
    507. 

  507. 

  508. func TestLivenessTest(t *testing.T) {
    509. 

  509. 	runServer(t,
    510. 

  510. 		&runServerConfig{
    511. 

  511. 			tunnelProtocol:       "OSSH",
    512. 

  512. 			enableSSHAPIRequests: true,
    513. 

  513. 			doHotReload:          false,
    514. 

  514. 			doDefaultSponsorID:   false,
    515. 

  515. 			denyTrafficRules:     false,
    516. 

  516. 			requireAuthorization: true,
    517. 

  517. 			omitAuthorization:    false,
    518. 

  518. 			doTunneledWebRequest: true,
    519. 

  519. 			doTunneledNTPRequest: true,
    520. 

  520. 			forceFragmenting:     false,
    521. 

  521. 			forceLivenessTest:    true,
    522. 

  522. 			doPruneServerEntries: false,
    523. 

  523. 			doDanglingTCPConn:    false,
    524. 

  524. 			doPacketManipulation: false,
    525. 

  525. 		})
    526. 

  526. }
    527. 

  527. 

  528. func TestPruneServerEntries(t *testing.T) {
    529. 

  529. 	runServer(t,
    530. 

  530. 		&runServerConfig{
    531. 

  531. 			tunnelProtocol:       "OSSH",
    532. 

  532. 			enableSSHAPIRequests: true,
    533. 

  533. 			doHotReload:          false,
    534. 

  534. 			doDefaultSponsorID:   false,
    535. 

  535. 			denyTrafficRules:     false,
    536. 

  536. 			requireAuthorization: true,
    537. 

  537. 			omitAuthorization:    false,
    538. 

  538. 			doTunneledWebRequest: true,
    539. 

  539. 			doTunneledNTPRequest: true,
    540. 

  540. 			forceFragmenting:     false,
    541. 

  541. 			forceLivenessTest:    true,
    542. 

  542. 			doPruneServerEntries: true,
    543. 

  543. 			doDanglingTCPConn:    false,
    544. 

  544. 			doPacketManipulation: false,
    545. 

  545. 		})
    546. 

  546. }
    547. 

  547. 

  548. type runServerConfig struct {
    549. 

  549. 	tunnelProtocol       string
    550. 

  550. 	tlsProfile           string
    551. 

  551. 	enableSSHAPIRequests bool
    552. 

  552. 	doHotReload          bool
    553. 

  553. 	doDefaultSponsorID   bool
    554. 

  554. 	denyTrafficRules     bool
    555. 

  555. 	requireAuthorization bool
    556. 

  556. 	omitAuthorization    bool
    557. 

  557. 	doTunneledWebRequest bool
    558. 

  558. 	doTunneledNTPRequest bool
    559. 

  559. 	forceFragmenting     bool
    560. 

  560. 	forceLivenessTest    bool
    561. 

  561. 	doPruneServerEntries bool
    562. 

  562. 	doDanglingTCPConn    bool
    563. 

  563. 	doPacketManipulation bool
    564. 

  564. }
    565. 

  565. 

  566. var (
    567. 

  567. 	testSSHClientVersions = []string{"SSH-2.0-A", "SSH-2.0-B", "SSH-2.0-C"}
    568. 

  568. 	testUserAgents        = []string{"ua1", "ua2", "ua3"}
    569. 

  569. 	testNetworkType       = "WIFI"
    570. 

  570. )
    571. 

  571. 

  572. var serverRuns = 0
    573. 

  573. 

  574. func runServer(t *testing.T, runConfig *runServerConfig) {
    575. 

  575. 

  576. 	serverRuns += 1
    577. 

  577. 

  578. 	// configure authorized access
    579. 

  579. 

  580. 	accessType := "test-access-type"
    581. 

  581. 

  582. 	accessControlSigningKey, accessControlVerificationKey, err := accesscontrol.NewKeyPair(accessType)
    583. 

  583. 	if err != nil {
    584. 

  584. 		t.Fatalf("error creating access control key pair: %s", err)
    585. 

  585. 	}
    586. 

  586. 

  587. 	accessControlVerificationKeyRing := accesscontrol.VerificationKeyRing{
    588. 

  588. 		Keys: []*accesscontrol.VerificationKey{accessControlVerificationKey},
    589. 

  589. 	}
    590. 

  590. 

  591. 	var seedAuthorizationID [32]byte
    592. 

  592. 

  593. 	clientAuthorization, authorizationID, err := accesscontrol.IssueAuthorization(
    594. 

  594. 		accessControlSigningKey,
    595. 

  595. 		seedAuthorizationID[:],
    596. 

  596. 		time.Now().Add(1*time.Hour))
    597. 

  597. 	if err != nil {
    598. 

  598. 		t.Fatalf("error issuing authorization: %s", err)
    599. 

  599. 	}
    600. 

  600. 

  601. 	authorizationIDStr := base64.StdEncoding.EncodeToString(authorizationID)
    602. 

  602. 

  603. 	// Enable tactics when the test protocol is meek. Both the client and the
    604. 

  604. 	// server will be configured to support tactics. The client config will be
    605. 

  605. 	// set with a nonfunctional config so that the tactics request must
    606. 

  606. 	// succeed, overriding the nonfunctional values, for the tunnel to
    607. 

  607. 	// establish.
    608. 

  608. 

  609. 	doClientTactics := protocol.TunnelProtocolUsesMeek(runConfig.tunnelProtocol)
    610. 

  610. 	doServerTactics := doClientTactics || runConfig.forceFragmenting
    611. 

  611. 

  612. 	// All servers require a tactics config with valid keys.
    613. 

  613. 	tacticsRequestPublicKey, tacticsRequestPrivateKey, tacticsRequestObfuscatedKey, err :=
    614. 

  614. 		tactics.GenerateKeys()
    615. 

  615. 	if err != nil {
    616. 

  616. 		t.Fatalf("error generating tactics keys: %s", err)
    617. 

  617. 	}
    618. 

  618. 

  619. 	livenessTestSize := 0
    620. 

  620. 	if doClientTactics || runConfig.forceLivenessTest {
    621. 

  621. 		livenessTestSize = 1048576
    622. 

  622. 	}
    623. 

  623. 

  624. 	// create a server
    625. 

  625. 

  626. 	psiphonServerIPAddress := serverIPAddress
    627. 

  627. 	if protocol.TunnelProtocolUsesQUIC(runConfig.tunnelProtocol) ||
    628. 

  628. 		protocol.TunnelProtocolUsesMarionette(runConfig.tunnelProtocol) {
    629. 

  629. 		// Workaround for macOS firewall.
    630. 

  630. 		psiphonServerIPAddress = "127.0.0.1"
    631. 

  631. 	}
    632. 

  632. 	psiphonServerPort := 4000
    633. 

  633. 

  634. 	generateConfigParams := &GenerateConfigParams{
    635. 

  635. 		ServerIPAddress:      psiphonServerIPAddress,
    636. 

  636. 		EnableSSHAPIRequests: runConfig.enableSSHAPIRequests,
    637. 

  637. 		WebServerPort:        8000,
    638. 

  638. 		TunnelProtocolPorts:  map[string]int{runConfig.tunnelProtocol: psiphonServerPort},
    639. 

  639. 	}
    640. 

  640. 

  641. 	if protocol.TunnelProtocolUsesMarionette(runConfig.tunnelProtocol) {
    642. 

  642. 		generateConfigParams.TunnelProtocolPorts[runConfig.tunnelProtocol] = 0
    643. 

  643. 		generateConfigParams.MarionetteFormat = "http_simple_nonblocking"
    644. 

  644. 	}
    645. 

  645. 

  646. 	if doServerTactics {
    647. 

  647. 		generateConfigParams.TacticsRequestPublicKey = tacticsRequestPublicKey
    648. 

  648. 		generateConfigParams.TacticsRequestObfuscatedKey = tacticsRequestObfuscatedKey
    649. 

  649. 	}
    650. 

  650. 

  651. 	serverConfigJSON, _, _, _, encodedServerEntry, err := GenerateConfig(generateConfigParams)
    652. 

  652. 	if err != nil {
    653. 

  653. 		t.Fatalf("error generating server config: %s", err)
    654. 

  654. 	}
    655. 

  655. 

  656. 	// customize server config
    657. 

  657. 

  658. 	// Initialize prune server entry test cases and associated data to pave into psinet.
    659. 

  659. 	pruneServerEntryTestCases, psinetValidServerEntryTags, expectedNumPruneNotices :=
    660. 

  660. 		initializePruneServerEntriesTest(t, runConfig)
    661. 

  661. 

  662. 	// Pave psinet with random values to test handshake homepages.
    663. 

  663. 	psinetFilename := filepath.Join(testDataDirName, "psinet.json")
    664. 

  664. 	sponsorID, expectedHomepageURL := pavePsinetDatabaseFile(
    665. 

  665. 		t, runConfig.doDefaultSponsorID, psinetFilename, psinetValidServerEntryTags)
    666. 

  666. 

  667. 	// Pave OSL config for SLOK testing
    668. 

  668. 	oslConfigFilename := filepath.Join(testDataDirName, "osl_config.json")
    669. 

  669. 	propagationChannelID := paveOSLConfigFile(t, oslConfigFilename)
    670. 

  670. 

  671. 	// Pave traffic rules file which exercises handshake parameter filtering. Client
    672. 

  672. 	// must handshake with specified sponsor ID in order to allow ports for tunneled
    673. 

  673. 	// requests.
    674. 

  674. 	trafficRulesFilename := filepath.Join(testDataDirName, "traffic_rules.json")
    675. 

  675. 	paveTrafficRulesFile(
    676. 

  676. 		t,
    677. 

  677. 		trafficRulesFilename,
    678. 

  678. 		propagationChannelID,
    679. 

  679. 		accessType,
    680. 

  680. 		authorizationIDStr,
    681. 

  681. 		runConfig.requireAuthorization,
    682. 

  682. 		runConfig.denyTrafficRules,
    683. 

  683. 		livenessTestSize)
    684. 

  684. 

  685. 	var tacticsConfigFilename string
    686. 

  686. 

  687. 	// Only pave the tactics config when tactics are required. This exercises the
    688. 

  688. 	// case where the tactics config is omitted.
    689. 

  689. 	if doServerTactics {
    690. 

  690. 		tacticsConfigFilename = filepath.Join(testDataDirName, "tactics_config.json")
    691. 

  691. 		paveTacticsConfigFile(
    692. 

  692. 			t,
    693. 

  693. 			tacticsConfigFilename,
    694. 

  694. 			tacticsRequestPublicKey,
    695. 

  695. 			tacticsRequestPrivateKey,
    696. 

  696. 			tacticsRequestObfuscatedKey,
    697. 

  697. 			runConfig.tunnelProtocol,
    698. 

  698. 			propagationChannelID,
    699. 

  699. 			livenessTestSize)
    700. 

  700. 	}
    701. 

  701. 

  702. 	blocklistFilename := filepath.Join(testDataDirName, "blocklist.csv")
    703. 

  703. 	paveBlocklistFile(t, blocklistFilename)
    704. 

  704. 

  705. 	var serverConfig map[string]interface{}
    706. 

  706. 	json.Unmarshal(serverConfigJSON, &serverConfig)
    707. 

  707. 	serverConfig["GeoIPDatabaseFilename"] = ""
    708. 

  708. 	serverConfig["PsinetDatabaseFilename"] = psinetFilename
    709. 

  709. 	serverConfig["TrafficRulesFilename"] = trafficRulesFilename
    710. 

  710. 	serverConfig["OSLConfigFilename"] = oslConfigFilename
    711. 

  711. 	if doServerTactics {
    712. 

  712. 		serverConfig["TacticsConfigFilename"] = tacticsConfigFilename
    713. 

  713. 	}
    714. 

  714. 	serverConfig["BlocklistFilename"] = blocklistFilename
    715. 

  715. 

  716. 	serverConfig["LogFilename"] = filepath.Join(testDataDirName, "psiphond.log")
    717. 

  717. 	serverConfig["LogLevel"] = "debug"
    718. 

  718. 

  719. 	serverConfig["AccessControlVerificationKeyRing"] = accessControlVerificationKeyRing
    720. 

  720. 

  721. 	// Set this parameter so at least the semaphore functions are called.
    722. 

  722. 	// TODO: test that the concurrency limit is correctly enforced.
    723. 

  723. 	serverConfig["MaxConcurrentSSHHandshakes"] = 1
    724. 

  724. 

  725. 	// Exercise this option.
    726. 

  726. 	serverConfig["PeriodicGarbageCollectionSeconds"] = 1
    727. 

  727. 

  728. 	// Allow port forwards to local test web server.
    729. 

  729. 	serverConfig["AllowBogons"] = true
    730. 

  730. 

  731. 	serverConfig["RunPacketManipulator"] = runConfig.doPacketManipulation
    732. 

  732. 

  733. 	serverConfigJSON, _ = json.Marshal(serverConfig)
    734. 

  734. 

  735. 	serverTunnelLog := make(chan map[string]interface{}, 1)
    736. 

  736. 	uniqueUserLog := make(chan map[string]interface{}, 1)
    737. 

  737. 

  738. 	setLogCallback(func(log []byte) {
    739. 

  739. 

  740. 		logFields := make(map[string]interface{})
    741. 

  741. 

  742. 		err := json.Unmarshal(log, &logFields)
    743. 

  743. 		if err != nil {
    744. 

  744. 			return
    745. 

  745. 		}
    746. 

  746. 

  747. 		if logFields["event_name"] == nil {
    748. 

  748. 			return
    749. 

  749. 		}
    750. 

  750. 

  751. 		switch logFields["event_name"].(string) {
    752. 

  752. 		case "unique_user":
    753. 

  753. 			select {
    754. 

  754. 			case uniqueUserLog <- logFields:
    755. 

  755. 			default:
    756. 

  756. 			}
    757. 

  757. 		case "server_tunnel":
    758. 

  758. 			select {
    759. 

  759. 			case serverTunnelLog <- logFields:
    760. 

  760. 			default:
    761. 

  761. 			}
    762. 

  762. 		}
    763. 

  763. 	})
    764. 

  764. 

  765. 	// run server
    766. 

  766. 

  767. 	serverWaitGroup := new(sync.WaitGroup)
    768. 

  768. 	serverWaitGroup.Add(1)
    769. 

  769. 	go func() {
    770. 

  770. 		defer serverWaitGroup.Done()
    771. 

  771. 		err := RunServices(serverConfigJSON)
    772. 

  772. 		if err != nil {
    773. 

  773. 			// TODO: wrong goroutine for t.FatalNow()
    774. 

  774. 			t.Errorf("error running server: %s", err)
    775. 

  775. 		}
    776. 

  776. 	}()
    777. 

  777. 

  778. 	stopServer := func() {
    779. 

  779. 

  780. 		// Test: orderly server shutdown
    781. 

  781. 

  782. 		p, _ := os.FindProcess(os.Getpid())
    783. 

  783. 		p.Signal(os.Interrupt)
    784. 

  784. 

  785. 		shutdownTimeout := time.NewTimer(5 * time.Second)
    786. 

  786. 

  787. 		shutdownOk := make(chan struct{}, 1)
    788. 

  788. 		go func() {
    789. 

  789. 			serverWaitGroup.Wait()
    790. 

  790. 			shutdownOk <- struct{}{}
    791. 

  791. 		}()
    792. 

  792. 

  793. 		select {
    794. 

  794. 		case <-shutdownOk:
    795. 

  795. 		case <-shutdownTimeout.C:
    796. 

  796. 			t.Errorf("server shutdown timeout exceeded")
    797. 

  797. 		}
    798. 

  798. 	}
    799. 

  799. 

  800. 	// Stop server on early exits due to failure.
    801. 

  801. 	defer func() {
    802. 

  802. 		if stopServer != nil {
    803. 

  803. 			stopServer()
    804. 

  804. 		}
    805. 

  805. 	}()
    806. 

  806. 

  807. 	// TODO: monitor logs for more robust wait-until-loaded. For example,
    808. 

  808. 	// especially with the race detector on, QUIC-OSSH tests can fail as the
    809. 

  809. 	// client sends its initial packet before the server is ready.
    810. 

  810. 	time.Sleep(1 * time.Second)
    811. 

  811. 

  812. 	// Test: hot reload (of psinet and traffic rules)
    813. 

  813. 

  814. 	if runConfig.doHotReload {
    815. 

  815. 

  816. 		// Pave new config files with different random values.
    817. 

  817. 		sponsorID, expectedHomepageURL = pavePsinetDatabaseFile(
    818. 

  818. 			t, runConfig.doDefaultSponsorID, psinetFilename, psinetValidServerEntryTags)
    819. 

  819. 

  820. 		propagationChannelID = paveOSLConfigFile(t, oslConfigFilename)
    821. 

  821. 

  822. 		paveTrafficRulesFile(
    823. 

  823. 			t,
    824. 

  824. 			trafficRulesFilename,
    825. 

  825. 			propagationChannelID,
    826. 

  826. 			accessType,
    827. 

  827. 			authorizationIDStr,
    828. 

  828. 			runConfig.requireAuthorization,
    829. 

  829. 			runConfig.denyTrafficRules,
    830. 

  830. 			livenessTestSize)
    831. 

  831. 

  832. 		p, _ := os.FindProcess(os.Getpid())
    833. 

  833. 		p.Signal(syscall.SIGUSR1)
    834. 

  834. 

  835. 		// TODO: monitor logs for more robust wait-until-reloaded
    836. 

  836. 		time.Sleep(1 * time.Second)
    837. 

  837. 

  838. 		// After reloading psinet, the new sponsorID/expectedHomepageURL
    839. 

  839. 		// should be active, as tested in the client "Homepage" notice
    840. 

  840. 		// handler below.
    841. 

  841. 	}
    842. 

  842. 

  843. 	// Exercise server_load logging
    844. 

  844. 	p, _ := os.FindProcess(os.Getpid())
    845. 

  845. 	p.Signal(syscall.SIGUSR2)
    846. 

  846. 

  847. 	// configure client
    848. 

  848. 

  849. 	values.SetSSHClientVersionsSpec(values.NewPickOneSpec(testSSHClientVersions))
    850. 

  850. 

  851. 	values.SetUserAgentsSpec(values.NewPickOneSpec(testUserAgents))
    852. 

  852. 

  853. 	// TODO: currently, TargetServerEntry only works with one tunnel
    854. 

  854. 	numTunnels := 1
    855. 

  855. 	localSOCKSProxyPort := 1081
    856. 

  856. 	localHTTPProxyPort := 8081
    857. 

  857. 

  858. 	// Use a distinct suffix for network ID for each test run to ensure tactics
    859. 

  859. 	// from different runs don't apply; this is a workaround for the singleton
    860. 

  860. 	// datastore.
    861. 

  861. 	jsonNetworkID := fmt.Sprintf(`,"NetworkID" : "WIFI-%s"`, time.Now().String())
    862. 

  862. 

  863. 	jsonLimitTLSProfiles := ""
    864. 

  864. 	if runConfig.tlsProfile != "" {
    865. 

  865. 		jsonLimitTLSProfiles = fmt.Sprintf(`,"LimitTLSProfiles" : ["%s"]`, runConfig.tlsProfile)
    866. 

  866. 	}
    867. 

  867. 

  868. 	clientConfigJSON := fmt.Sprintf(`
    869. 

  869.     {
    870. 

  870.         "ClientPlatform" : "Android_10_com.test.app",
    871. 

  871.         "ClientVersion" : "0",
    872. 

  872.         "SponsorId" : "0",
    873. 

  873.         "PropagationChannelId" : "0",
    874. 

  874.         "TunnelWholeDevice" : 1,
    875. 

  875.         "DeviceRegion" : "US",
    876. 

  876.         "DisableRemoteServerListFetcher" : true,
    877. 

  877.         "EstablishTunnelPausePeriodSeconds" : 1,
    878. 

  878.         "ConnectionWorkerPoolSize" : %d,
    879. 

  879.         "LimitTunnelProtocols" : ["%s"]
    880. 

  880.         %s
    881. 

  881.         %s
    882. 

  882.     }`, numTunnels, runConfig.tunnelProtocol, jsonLimitTLSProfiles, jsonNetworkID)
    883. 

  883. 

  884. 	clientConfig, err := psiphon.LoadConfig([]byte(clientConfigJSON))
    885. 

  885. 	if err != nil {
    886. 

  886. 		t.Fatalf("error processing configuration file: %s", err)
    887. 

  887. 	}
    888. 

  888. 

  889. 	clientConfig.DataRootDirectory = testDataDirName
    890. 

  890. 

  891. 	if !runConfig.doDefaultSponsorID {
    892. 

  892. 		clientConfig.SponsorId = sponsorID
    893. 

  893. 	}
    894. 

  894. 	clientConfig.PropagationChannelId = propagationChannelID
    895. 

  895. 	clientConfig.TunnelPoolSize = numTunnels
    896. 

  896. 	clientConfig.TargetServerEntry = string(encodedServerEntry)
    897. 

  897. 	clientConfig.LocalSocksProxyPort = localSOCKSProxyPort
    898. 

  898. 	clientConfig.LocalHttpProxyPort = localHTTPProxyPort
    899. 

  899. 	clientConfig.EmitSLOKs = true
    900. 

  900. 	clientConfig.EmitServerAlerts = true
    901. 

  901. 

  902. 	if !runConfig.omitAuthorization {
    903. 

  903. 		clientConfig.Authorizations = []string{clientAuthorization}
    904. 

  904. 	}
    905. 

  905. 

  906. 	err = clientConfig.Commit(false)
    907. 

  907. 	if err != nil {
    908. 

  908. 		t.Fatalf("error committing configuration file: %s", err)
    909. 

  909. 	}
    910. 

  910. 

  911. 	if doClientTactics {
    912. 

  912. 		// Configure nonfunctional values that must be overridden by tactics.
    913. 

  913. 

  914. 		applyParameters := make(map[string]interface{})
    915. 

  915. 

  916. 		applyParameters[parameters.TunnelConnectTimeout] = "1s"
    917. 

  917. 		applyParameters[parameters.TunnelRateLimits] = common.RateLimits{WriteBytesPerSecond: 1}
    918. 

  918. 

  919. 		err = clientConfig.SetClientParameters("", true, applyParameters)
    920. 

  920. 		if err != nil {
    921. 

  921. 			t.Fatalf("SetClientParameters failed: %s", err)
    922. 

  922. 		}
    923. 

  923. 

  924. 	} else {
    925. 

  925. 

  926. 		// Directly apply same parameters that would've come from tactics.
    927. 

  927. 

  928. 		applyParameters := make(map[string]interface{})
    929. 

  929. 

  930. 		if runConfig.forceFragmenting {
    931. 

  931. 			applyParameters[parameters.FragmentorLimitProtocols] = protocol.TunnelProtocols{runConfig.tunnelProtocol}
    932. 

  932. 			applyParameters[parameters.FragmentorProbability] = 1.0
    933. 

  933. 			applyParameters[parameters.FragmentorMinTotalBytes] = 1000
    934. 

  934. 			applyParameters[parameters.FragmentorMaxTotalBytes] = 2000
    935. 

  935. 			applyParameters[parameters.FragmentorMinWriteBytes] = 1
    936. 

  936. 			applyParameters[parameters.FragmentorMaxWriteBytes] = 100
    937. 

  937. 			applyParameters[parameters.FragmentorMinDelay] = 1 * time.Millisecond
    938. 

  938. 			applyParameters[parameters.FragmentorMaxDelay] = 10 * time.Millisecond
    939. 

  939. 		}
    940. 

  940. 

  941. 		if runConfig.forceLivenessTest {
    942. 

  942. 			applyParameters[parameters.LivenessTestMinUpstreamBytes] = livenessTestSize
    943. 

  943. 			applyParameters[parameters.LivenessTestMaxUpstreamBytes] = livenessTestSize
    944. 

  944. 			applyParameters[parameters.LivenessTestMinDownstreamBytes] = livenessTestSize
    945. 

  945. 			applyParameters[parameters.LivenessTestMaxDownstreamBytes] = livenessTestSize
    946. 

  946. 		}
    947. 

  947. 

  948. 		if runConfig.doPruneServerEntries {
    949. 

  949. 			applyParameters[parameters.PsiphonAPIStatusRequestShortPeriodMin] = 1 * time.Millisecond
    950. 

  950. 			applyParameters[parameters.PsiphonAPIStatusRequestShortPeriodMax] = 1 * time.Millisecond
    951. 

  951. 		}
    952. 

  952. 

  953. 		err = clientConfig.SetClientParameters("", true, applyParameters)
    954. 

  954. 		if err != nil {
    955. 

  955. 			t.Fatalf("SetClientParameters failed: %s", err)
    956. 

  956. 		}
    957. 

  957. 	}
    958. 

  958. 

  959. 	// connect to server with client
    960. 

  960. 

  961. 	err = psiphon.OpenDataStore(clientConfig)
    962. 

  962. 	if err != nil {
    963. 

  963. 		t.Fatalf("error initializing client datastore: %s", err)
    964. 

  964. 	}
    965. 

  965. 	defer psiphon.CloseDataStore()
    966. 

  966. 

  967. 	// Test unique user counting cases.
    968. 

  968. 	var expectUniqueUser bool
    969. 

  969. 	switch serverRuns % 3 {
    970. 

  970. 	case 0:
    971. 

  971. 		// Mock no last_connected.
    972. 

  972. 		psiphon.SetKeyValue("lastConnected", "")
    973. 

  973. 		expectUniqueUser = true
    974. 

  974. 	case 1:
    975. 

  975. 		// Mock previous day last_connected.
    976. 

  976. 		psiphon.SetKeyValue(
    977. 

  977. 			"lastConnected",
    978. 

  978. 			time.Now().UTC().AddDate(0, 0, -1).Truncate(1*time.Hour).Format(time.RFC3339))
    979. 

  979. 		expectUniqueUser = true
    980. 

  980. 	case 2:
    981. 

  981. 		// Leave previous last_connected.
    982. 

  982. 		expectUniqueUser = false
    983. 

  983. 	}
    984. 

  984. 

  985. 	// Clear SLOKs from previous test runs.
    986. 

  986. 	psiphon.DeleteSLOKs()
    987. 

  987. 

  988. 	// Store prune server entry test server entries and failed tunnel records.
    989. 

  989. 	storePruneServerEntriesTest(
    990. 

  990. 		t, runConfig, testDataDirName, pruneServerEntryTestCases)
    991. 

  991. 

  992. 	controller, err := psiphon.NewController(clientConfig)
    993. 

  993. 	if err != nil {
    994. 

  994. 		t.Fatalf("error creating client controller: %s", err)
    995. 

  995. 	}
    996. 

  996. 

  997. 	connectedServer := make(chan struct{}, 1)
    998. 

  998. 	tunnelsEstablished := make(chan struct{}, 1)
    999. 

  999. 	homepageReceived := make(chan struct{}, 1)
    1000. 

  1000. 	slokSeeded := make(chan struct{}, 1)
    1001. 

  1001. 

  1002. 	numPruneNotices := 0
    1003. 

  1003. 	pruneServerEntriesNoticesEmitted := make(chan struct{}, 1)
    1004. 

  1004. 

  1005. 	serverAlertDisallowedNoticesEmitted := make(chan struct{}, 1)
    1006. 

  1006. 

  1007. 	psiphon.SetNoticeWriter(psiphon.NewNoticeReceiver(
    1008. 

  1008. 		func(notice []byte) {
    1009. 

  1009. 

  1010. 			//fmt.Printf("%s\n", string(notice))
    1011. 

  1011. 

  1012. 			noticeType, payload, err := psiphon.GetNotice(notice)
    1013. 

  1013. 			if err != nil {
    1014. 

  1014. 				return
    1015. 

  1015. 			}
    1016. 

  1016. 

  1017. 			switch noticeType {
    1018. 

  1018. 

  1019. 			case "ConnectedServer":
    1020. 

  1020. 				sendNotificationReceived(connectedServer)
    1021. 

  1021. 

  1022. 			case "Tunnels":
    1023. 

  1023. 				count := int(payload["count"].(float64))
    1024. 

  1024. 				if count >= numTunnels {
    1025. 

  1025. 					sendNotificationReceived(tunnelsEstablished)
    1026. 

  1026. 				}
    1027. 

  1027. 

  1028. 			case "Homepage":
    1029. 

  1029. 				homepageURL := payload["url"].(string)
    1030. 

  1030. 				if homepageURL != expectedHomepageURL {
    1031. 

  1031. 					// TODO: wrong goroutine for t.FatalNow()
    1032. 

  1032. 					t.Errorf("unexpected homepage: %s", homepageURL)
    1033. 

  1033. 				}
    1034. 

  1034. 				sendNotificationReceived(homepageReceived)
    1035. 

  1035. 

  1036. 			case "SLOKSeeded":
    1037. 

  1037. 				sendNotificationReceived(slokSeeded)
    1038. 

  1038. 

  1039. 			case "PruneServerEntry":
    1040. 

  1040. 				numPruneNotices += 1
    1041. 

  1041. 				if numPruneNotices == expectedNumPruneNotices {
    1042. 

  1042. 					sendNotificationReceived(pruneServerEntriesNoticesEmitted)
    1043. 

  1043. 				}
    1044. 

  1044. 

  1045. 			case "ServerAlert":
    1046. 

  1046. 				reason := payload["reason"].(string)
    1047. 

  1047. 				if reason == protocol.PSIPHON_API_ALERT_DISALLOWED_TRAFFIC {
    1048. 

  1048. 					sendNotificationReceived(serverAlertDisallowedNoticesEmitted)
    1049. 

  1049. 				}
    1050. 

  1050. 			}
    1051. 

  1051. 		}))
    1052. 

  1052. 

  1053. 	ctx, cancelFunc := context.WithCancel(context.Background())
    1054. 

  1054. 

  1055. 	controllerWaitGroup := new(sync.WaitGroup)
    1056. 

  1056. 

  1057. 	controllerWaitGroup.Add(1)
    1058. 

  1058. 	go func() {
    1059. 

  1059. 		defer controllerWaitGroup.Done()
    1060. 

  1060. 		controller.Run(ctx)
    1061. 

  1061. 	}()
    1062. 

  1062. 

  1063. 	stopClient := func() {
    1064. 

  1064. 		cancelFunc()
    1065. 

  1065. 

  1066. 		shutdownTimeout := time.NewTimer(20 * time.Second)
    1067. 

  1067. 

  1068. 		shutdownOk := make(chan struct{}, 1)
    1069. 

  1069. 		go func() {
    1070. 

  1070. 			controllerWaitGroup.Wait()
    1071. 

  1071. 			shutdownOk <- struct{}{}
    1072. 

  1072. 		}()
    1073. 

  1073. 

  1074. 		select {
    1075. 

  1075. 		case <-shutdownOk:
    1076. 

  1076. 		case <-shutdownTimeout.C:
    1077. 

  1077. 			t.Errorf("controller shutdown timeout exceeded")
    1078. 

  1078. 		}
    1079. 

  1079. 	}
    1080. 

  1080. 

  1081. 	// Stop client on early exits due to failure.
    1082. 

  1082. 	defer func() {
    1083. 

  1083. 		if stopClient != nil {
    1084. 

  1084. 			stopClient()
    1085. 

  1085. 		}
    1086. 

  1086. 	}()
    1087. 

  1087. 

  1088. 	// Test: tunnels must be established, and correct homepage
    1089. 

  1089. 	// must be received, within 30 seconds
    1090. 

  1090. 

  1091. 	timeoutSignal := make(chan struct{})
    1092. 

  1092. 	go func() {
    1093. 

  1093. 		timer := time.NewTimer(30 * time.Second)
    1094. 

  1094. 		<-timer.C
    1095. 

  1095. 		close(timeoutSignal)
    1096. 

  1096. 	}()
    1097. 

  1097. 

  1098. 	waitOnNotification(t, connectedServer, timeoutSignal, "connected server timeout exceeded")
    1099. 

  1099. 	waitOnNotification(t, tunnelsEstablished, timeoutSignal, "tunnel established timeout exceeded")
    1100. 

  1100. 	waitOnNotification(t, homepageReceived, timeoutSignal, "homepage received timeout exceeded")
    1101. 

  1101. 

  1102. 	expectTrafficFailure := runConfig.denyTrafficRules || (runConfig.omitAuthorization && runConfig.requireAuthorization)
    1103. 

  1103. 

  1104. 	if runConfig.doTunneledWebRequest {
    1105. 

  1105. 

  1106. 		// Test: tunneled web site fetch
    1107. 

  1107. 

  1108. 		err = makeTunneledWebRequest(
    1109. 

  1109. 			t, localHTTPProxyPort, mockWebServerURL, mockWebServerExpectedResponse)
    1110. 

  1110. 

  1111. 		if err == nil {
    1112. 

  1112. 			if expectTrafficFailure {
    1113. 

  1113. 				t.Fatalf("unexpected tunneled web request success")
    1114. 

  1114. 			}
    1115. 

  1115. 		} else {
    1116. 

  1116. 			if !expectTrafficFailure {
    1117. 

  1117. 				t.Fatalf("tunneled web request failed: %s", err)
    1118. 

  1118. 			}
    1119. 

  1119. 		}
    1120. 

  1120. 	}
    1121. 

  1121. 

  1122. 	if runConfig.doTunneledNTPRequest {
    1123. 

  1123. 

  1124. 		// Test: tunneled UDP packets
    1125. 

  1125. 

  1126. 		udpgwServerAddress := serverConfig["UDPInterceptUdpgwServerAddress"].(string)
    1127. 

  1127. 

  1128. 		err = makeTunneledNTPRequest(t, localSOCKSProxyPort, udpgwServerAddress)
    1129. 

  1129. 

  1130. 		if err == nil {
    1131. 

  1131. 			if expectTrafficFailure {
    1132. 

  1132. 				t.Fatalf("unexpected tunneled NTP request success")
    1133. 

  1133. 			}
    1134. 

  1134. 		} else {
    1135. 

  1135. 			if !expectTrafficFailure {
    1136. 

  1136. 				t.Fatalf("tunneled NTP request failed: %s", err)
    1137. 

  1137. 			}
    1138. 

  1138. 		}
    1139. 

  1139. 	}
    1140. 

  1140. 

  1141. 	// Test: await SLOK payload or server alert notice
    1142. 

  1142. 

  1143. 	time.Sleep(1 * time.Second)
    1144. 

  1144. 

  1145. 	if !expectTrafficFailure {
    1146. 

  1146. 

  1147. 		waitOnNotification(t, slokSeeded, timeoutSignal, "SLOK seeded timeout exceeded")
    1148. 

  1148. 

  1149. 		numSLOKs := psiphon.CountSLOKs()
    1150. 

  1150. 		if numSLOKs != expectedNumSLOKs {
    1151. 

  1151. 			t.Fatalf("unexpected number of SLOKs: %d", numSLOKs)
    1152. 

  1152. 		}
    1153. 

  1153. 

  1154. 	} else {
    1155. 

  1155. 

  1156. 		// Note: in expectTrafficFailure case, timeoutSignal may have already fired.
    1157. 

  1157. 

  1158. 		waitOnNotification(t, serverAlertDisallowedNoticesEmitted, nil, "")
    1159. 

  1159. 	}
    1160. 

  1160. 

  1161. 	// Test: await expected prune server entry notices
    1162. 

  1162. 	//
    1163. 

  1163. 	// Note: will take up to PsiphonAPIStatusRequestShortPeriodMax to emit.
    1164. 

  1164. 

  1165. 	if expectedNumPruneNotices > 0 {
    1166. 

  1166. 		waitOnNotification(t, pruneServerEntriesNoticesEmitted, nil, "")
    1167. 

  1167. 	}
    1168. 

  1168. 

  1169. 	if runConfig.doDanglingTCPConn {
    1170. 

  1170. 

  1171. 		// Test: client that has established TCP connection but not completed
    1172. 

  1172. 		// any handshakes must not block/delay server shutdown
    1173. 

  1173. 

  1174. 		danglingConn, err := net.Dial(
    1175. 

  1175. 			"tcp", net.JoinHostPort(psiphonServerIPAddress, strconv.Itoa(psiphonServerPort)))
    1176. 

  1176. 		if err != nil {
    1177. 

  1177. 			t.Fatalf("TCP dial failed: %s", err)
    1178. 

  1178. 		}
    1179. 

  1179. 		defer danglingConn.Close()
    1180. 

  1180. 	}
    1181. 

  1181. 

  1182. 	// Shutdown to ensure logs/notices are flushed
    1183. 

  1183. 

  1184. 	stopClient()
    1185. 

  1185. 	stopClient = nil
    1186. 

  1186. 	stopServer()
    1187. 

  1187. 	stopServer = nil
    1188. 

  1188. 

  1189. 	// Test: all expected server logs were emitted
    1190. 

  1190. 

  1191. 	// TODO: stops should be fully synchronous, but, intermittently,
    1192. 

  1192. 	// server_tunnel fails to appear ("missing server tunnel log")
    1193. 

  1193. 	// without this delay.
    1194. 

  1194. 	time.Sleep(100 * time.Millisecond)
    1195. 

  1195. 

  1196. 	expectClientBPFField := psiphon.ClientBPFEnabled() && doClientTactics
    1197. 

  1197. 	expectServerBPFField := ServerBPFEnabled() && doServerTactics
    1198. 

  1198. 	expectServerPacketManipulationField := runConfig.doPacketManipulation
    1199. 

  1199. 

  1200. 	select {
    1201. 

  1201. 	case logFields := <-serverTunnelLog:
    1202. 

  1202. 		err := checkExpectedServerTunnelLogFields(
    1203. 

  1203. 			runConfig,
    1204. 

  1204. 			expectClientBPFField,
    1205. 

  1205. 			expectServerBPFField,
    1206. 

  1206. 			expectServerPacketManipulationField,
    1207. 

  1207. 			logFields)
    1208. 

  1208. 		if err != nil {
    1209. 

  1209. 			t.Fatalf("invalid server tunnel log fields: %s", err)
    1210. 

  1210. 		}
    1211. 

  1211. 	default:
    1212. 

  1212. 		t.Fatalf("missing server tunnel log")
    1213. 

  1213. 	}
    1214. 

  1214. 

  1215. 	if expectUniqueUser {
    1216. 

  1216. 		select {
    1217. 

  1217. 		case logFields := <-uniqueUserLog:
    1218. 

  1218. 			err := checkExpectedUniqueUserLogFields(
    1219. 

  1219. 				runConfig,
    1220. 

  1220. 				logFields)
    1221. 

  1221. 			if err != nil {
    1222. 

  1222. 				t.Fatalf("invalid unique user log fields: %s", err)
    1223. 

  1223. 			}
    1224. 

  1224. 		default:
    1225. 

  1225. 			t.Fatalf("missing unique user log")
    1226. 

  1226. 		}
    1227. 

  1227. 	} else {
    1228. 

  1228. 		select {
    1229. 

  1229. 		case <-uniqueUserLog:
    1230. 

  1230. 			t.Fatalf("unexpected unique user log")
    1231. 

  1231. 		default:
    1232. 

  1232. 		}
    1233. 

  1233. 	}
    1234. 

  1234. 

  1235. 	// Check that datastore had retained/pruned server entries as expected.
    1236. 

  1236. 	checkPruneServerEntriesTest(t, runConfig, testDataDirName, pruneServerEntryTestCases)
    1237. 

  1237. }
    1238. 

  1238. 

  1239. func checkExpectedServerTunnelLogFields(
    1240. 

  1240. 	runConfig *runServerConfig,
    1241. 

  1241. 	expectClientBPFField bool,
    1242. 

  1242. 	expectServerBPFField bool,
    1243. 

  1243. 	expectServerPacketManipulationField bool,
    1244. 

  1244. 	fields map[string]interface{}) error {
    1245. 

  1245. 

  1246. 	// Limitations:
    1247. 

  1247. 	//
    1248. 

  1248. 	// - client_build_rev not set in test build (see common/buildinfo.go)
    1249. 

  1249. 	// - egress_region, upstream_proxy_type, upstream_proxy_custom_header_names not exercised in test
    1250. 

  1250. 	// - fronting_provider_id/meek_dial_ip_address/meek_resolved_ip_address only logged for FRONTED meek protocols
    1251. 

  1251. 

  1252. 	for _, name := range []string{
    1253. 

  1253. 		"session_id",
    1254. 

  1254. 		"last_connected",
    1255. 

  1255. 		"establishment_duration",
    1256. 

  1256. 		"propagation_channel_id",
    1257. 

  1257. 		"sponsor_id",
    1258. 

  1258. 		"client_platform",
    1259. 

  1259. 		"relay_protocol",
    1260. 

  1260. 		"tunnel_whole_device",
    1261. 

  1261. 		"device_region",
    1262. 

  1262. 		"ssh_client_version",
    1263. 

  1263. 		"server_entry_region",
    1264. 

  1264. 		"server_entry_source",
    1265. 

  1265. 		"server_entry_timestamp",
    1266. 

  1266. 		"dial_port_number",
    1267. 

  1267. 		"is_replay",
    1268. 

  1268. 		"dial_duration",
    1269. 

  1269. 		"candidate_number",
    1270. 

  1270. 		"established_tunnels_count",
    1271. 

  1271. 		"network_latency_multiplier",
    1272. 

  1272. 		"network_type",
    1273. 

  1273. 	} {
    1274. 

  1274. 		if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1275. 

  1275. 			return fmt.Errorf("missing expected field '%s'", name)
    1276. 

  1276. 		}
    1277. 

  1277. 	}
    1278. 

  1278. 

  1279. 	if fields["relay_protocol"].(string) != runConfig.tunnelProtocol {
    1280. 

  1280. 		return fmt.Errorf("unexpected relay_protocol '%s'", fields["relay_protocol"])
    1281. 

  1281. 	}
    1282. 

  1282. 

  1283. 	if !common.Contains(testSSHClientVersions, fields["ssh_client_version"].(string)) {
    1284. 

  1284. 		return fmt.Errorf("unexpected relay_protocol '%s'", fields["ssh_client_version"])
    1285. 

  1285. 	}
    1286. 

  1286. 

  1287. 	if protocol.TunnelProtocolUsesObfuscatedSSH(runConfig.tunnelProtocol) {
    1288. 

  1288. 

  1289. 		for _, name := range []string{
    1290. 

  1290. 			"padding",
    1291. 

  1291. 			"pad_response",
    1292. 

  1292. 		} {
    1293. 

  1293. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1294. 

  1294. 				return fmt.Errorf("missing expected field '%s'", name)
    1295. 

  1295. 			}
    1296. 

  1296. 		}
    1297. 

  1297. 	}
    1298. 

  1298. 

  1299. 	if protocol.TunnelProtocolUsesMeek(runConfig.tunnelProtocol) {
    1300. 

  1300. 

  1301. 		for _, name := range []string{
    1302. 

  1302. 			"user_agent",
    1303. 

  1303. 			"meek_transformed_host_name",
    1304. 

  1304. 			"meek_cookie_size",
    1305. 

  1305. 			"meek_limit_request",
    1306. 

  1306. 			tactics.APPLIED_TACTICS_TAG_PARAMETER_NAME,
    1307. 

  1307. 		} {
    1308. 

  1308. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1309. 

  1309. 				return fmt.Errorf("missing expected field '%s'", name)
    1310. 

  1310. 			}
    1311. 

  1311. 		}
    1312. 

  1312. 

  1313. 		if !common.Contains(testUserAgents, fields["user_agent"].(string)) {
    1314. 

  1314. 			return fmt.Errorf("unexpected user_agent '%s'", fields["user_agent"])
    1315. 

  1315. 		}
    1316. 

  1316. 	}
    1317. 

  1317. 

  1318. 	if protocol.TunnelProtocolUsesMeekHTTP(runConfig.tunnelProtocol) {
    1319. 

  1319. 

  1320. 		for _, name := range []string{
    1321. 

  1321. 			"meek_host_header",
    1322. 

  1322. 		} {
    1323. 

  1323. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1324. 

  1324. 				return fmt.Errorf("missing expected field '%s'", name)
    1325. 

  1325. 			}
    1326. 

  1326. 		}
    1327. 

  1327. 

  1328. 		for _, name := range []string{
    1329. 

  1329. 			"meek_dial_ip_address",
    1330. 

  1330. 			"meek_resolved_ip_address",
    1331. 

  1331. 		} {
    1332. 

  1332. 			if fields[name] != nil {
    1333. 

  1333. 				return fmt.Errorf("unexpected field '%s'", name)
    1334. 

  1334. 			}
    1335. 

  1335. 		}
    1336. 

  1336. 	}
    1337. 

  1337. 

  1338. 	if protocol.TunnelProtocolUsesMeekHTTPS(runConfig.tunnelProtocol) {
    1339. 

  1339. 

  1340. 		for _, name := range []string{
    1341. 

  1341. 			"tls_profile",
    1342. 

  1342. 			"tls_version",
    1343. 

  1343. 			"meek_sni_server_name",
    1344. 

  1344. 		} {
    1345. 

  1345. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1346. 

  1346. 				return fmt.Errorf("missing expected field '%s'", name)
    1347. 

  1347. 			}
    1348. 

  1348. 		}
    1349. 

  1349. 

  1350. 		for _, name := range []string{
    1351. 

  1351. 			"meek_dial_ip_address",
    1352. 

  1352. 			"meek_resolved_ip_address",
    1353. 

  1353. 			"meek_host_header",
    1354. 

  1354. 		} {
    1355. 

  1355. 			if fields[name] != nil {
    1356. 

  1356. 				return fmt.Errorf("unexpected field '%s'", name)
    1357. 

  1357. 			}
    1358. 

  1358. 		}
    1359. 

  1359. 

  1360. 		if !common.Contains(protocol.SupportedTLSProfiles, fields["tls_profile"].(string)) {
    1361. 

  1361. 			return fmt.Errorf("unexpected tls_profile '%s'", fields["tls_profile"])
    1362. 

  1362. 		}
    1363. 

  1363. 

  1364. 		tlsVersion := fields["tls_version"].(string)
    1365. 

  1365. 		if !strings.HasPrefix(tlsVersion, protocol.TLS_VERSION_12) &&
    1366. 

  1366. 			!strings.HasPrefix(tlsVersion, protocol.TLS_VERSION_13) {
    1367. 

  1367. 			return fmt.Errorf("unexpected tls_version '%s'", fields["tls_version"])
    1368. 

  1368. 		}
    1369. 

  1369. 	}
    1370. 

  1370. 

  1371. 	if protocol.TunnelProtocolUsesQUIC(runConfig.tunnelProtocol) {
    1372. 

  1372. 

  1373. 		for _, name := range []string{
    1374. 

  1374. 			"quic_version",
    1375. 

  1375. 			"quic_dial_sni_address",
    1376. 

  1376. 		} {
    1377. 

  1377. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1378. 

  1378. 				return fmt.Errorf("missing expected field '%s'", name)
    1379. 

  1379. 			}
    1380. 

  1380. 		}
    1381. 

  1381. 

  1382. 		if !common.Contains(protocol.SupportedQUICVersions, fields["quic_version"].(string)) {
    1383. 

  1383. 			return fmt.Errorf("unexpected quic_version '%s'", fields["quic_version"])
    1384. 

  1384. 		}
    1385. 

  1385. 	}
    1386. 

  1386. 

  1387. 	if runConfig.forceFragmenting {
    1388. 

  1388. 

  1389. 		for _, name := range []string{
    1390. 

  1390. 			"upstream_bytes_fragmented",
    1391. 

  1391. 			"upstream_min_bytes_written",
    1392. 

  1392. 			"upstream_max_bytes_written",
    1393. 

  1393. 			"upstream_min_delayed",
    1394. 

  1394. 			"upstream_max_delayed",
    1395. 

  1395. 		} {
    1396. 

  1396. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1397. 

  1397. 				return fmt.Errorf("missing expected field '%s'", name)
    1398. 

  1398. 			}
    1399. 

  1399. 		}
    1400. 

  1400. 	}
    1401. 

  1401. 

  1402. 	if expectClientBPFField {
    1403. 

  1403. 		name := "client_bpf"
    1404. 

  1404. 		if fields[name] == nil {
    1405. 

  1405. 			return fmt.Errorf("missing expected field '%s'", name)
    1406. 

  1406. 		} else if fmt.Sprintf("%s", fields[name]) != "test-client-bpf" {
    1407. 

  1407. 			return fmt.Errorf("unexpected field value %s: '%s'", name, fields[name])
    1408. 

  1408. 		}
    1409. 

  1409. 	}
    1410. 

  1410. 

  1411. 	if expectServerBPFField {
    1412. 

  1412. 		name := "server_bpf"
    1413. 

  1413. 		if fields[name] == nil {
    1414. 

  1414. 			return fmt.Errorf("missing expected field '%s'", name)
    1415. 

  1415. 		} else if fmt.Sprintf("%s", fields[name]) != "test-server-bpf" {
    1416. 

  1416. 			return fmt.Errorf("unexpected field value %s: '%s'", name, fields[name])
    1417. 

  1417. 		}
    1418. 

  1418. 	}
    1419. 

  1419. 

  1420. 	if expectServerPacketManipulationField {
    1421. 

  1421. 		name := "server_packet_manipulation"
    1422. 

  1422. 		if fields[name] == nil {
    1423. 

  1423. 			return fmt.Errorf("missing expected field '%s'", name)
    1424. 

  1424. 		} else if fmt.Sprintf("%s", fields[name]) != "test-packetman-spec" {
    1425. 

  1425. 			return fmt.Errorf("unexpected field value %s: '%s'", name, fields[name])
    1426. 

  1426. 		}
    1427. 

  1427. 	}
    1428. 

  1428. 

  1429. 	if fields["network_type"].(string) != testNetworkType {
    1430. 

  1430. 		return fmt.Errorf("unexpected network_type '%s'", fields["network_type"])
    1431. 

  1431. 	}
    1432. 

  1432. 

  1433. 	return nil
    1434. 

  1434. }
    1435. 

  1435. 

  1436. func checkExpectedUniqueUserLogFields(
    1437. 

  1437. 	runConfig *runServerConfig,
    1438. 

  1438. 	fields map[string]interface{}) error {
    1439. 

  1439. 

  1440. 	for _, name := range []string{
    1441. 

  1441. 		"session_id",
    1442. 

  1442. 		"last_connected",
    1443. 

  1443. 		"propagation_channel_id",
    1444. 

  1444. 		"sponsor_id",
    1445. 

  1445. 		"client_platform",
    1446. 

  1446. 		"tunnel_whole_device",
    1447. 

  1447. 		"device_region",
    1448. 

  1448. 	} {
    1449. 

  1449. 		if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1450. 

  1450. 			return fmt.Errorf("missing expected field '%s'", name)
    1451. 

  1451. 		}
    1452. 

  1452. 	}
    1453. 

  1453. 

  1454. 	return nil
    1455. 

  1455. }
    1456. 

  1456. 

  1457. func makeTunneledWebRequest(
    1458. 

  1458. 	t *testing.T,
    1459. 

  1459. 	localHTTPProxyPort int,
    1460. 

  1460. 	requestURL, expectedResponseBody string) error {
    1461. 

  1461. 

  1462. 	roundTripTimeout := 30 * time.Second
    1463. 

  1463. 

  1464. 	proxyUrl, err := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", localHTTPProxyPort))
    1465. 

  1465. 	if err != nil {
    1466. 

  1466. 		return fmt.Errorf("error initializing proxied HTTP request: %s", err)
    1467. 

  1467. 	}
    1468. 

  1468. 

  1469. 	httpClient := &http.Client{
    1470. 

  1470. 		Transport: &http.Transport{
    1471. 

  1471. 			Proxy: http.ProxyURL(proxyUrl),
    1472. 

  1472. 		},
    1473. 

  1473. 		Timeout: roundTripTimeout,
    1474. 

  1474. 	}
    1475. 

  1475. 

  1476. 	response, err := httpClient.Get(requestURL)
    1477. 

  1477. 	if err != nil {
    1478. 

  1478. 		return fmt.Errorf("error sending proxied HTTP request: %s", err)
    1479. 

  1479. 	}
    1480. 

  1480. 

  1481. 	body, err := ioutil.ReadAll(response.Body)
    1482. 

  1482. 	if err != nil {
    1483. 

  1483. 		return fmt.Errorf("error reading proxied HTTP response: %s", err)
    1484. 

  1484. 	}
    1485. 

  1485. 	response.Body.Close()
    1486. 

  1486. 

  1487. 	if string(body) != expectedResponseBody {
    1488. 

  1488. 		return fmt.Errorf("unexpected proxied HTTP response")
    1489. 

  1489. 	}
    1490. 

  1490. 

  1491. 	return nil
    1492. 

  1492. }
    1493. 

  1493. 

  1494. func makeTunneledNTPRequest(t *testing.T, localSOCKSProxyPort int, udpgwServerAddress string) error {
    1495. 

  1495. 

  1496. 	timeout := 20 * time.Second
    1497. 

  1497. 	var err error
    1498. 

  1498. 

  1499. 	for _, testHostname := range []string{"time.google.com", "time.nist.gov", "pool.ntp.org"} {
    1500. 

  1500. 		err = makeTunneledNTPRequestAttempt(t, testHostname, timeout, localSOCKSProxyPort, udpgwServerAddress)
    1501. 

  1501. 		if err == nil {
    1502. 

  1502. 			break
    1503. 

  1503. 		}
    1504. 

  1504. 		t.Logf("makeTunneledNTPRequestAttempt failed: %s", err)
    1505. 

  1505. 	}
    1506. 

  1506. 

  1507. 	return err
    1508. 

  1508. }
    1509. 

  1509. 

  1510. var nextUDPProxyPort = 7300
    1511. 

  1511. 

  1512. func makeTunneledNTPRequestAttempt(
    1513. 

  1513. 	t *testing.T, testHostname string, timeout time.Duration, localSOCKSProxyPort int, udpgwServerAddress string) error {
    1514. 

  1514. 

  1515. 	nextUDPProxyPort++
    1516. 

  1516. 	localUDPProxyAddress, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", nextUDPProxyPort))
    1517. 

  1517. 	if err != nil {
    1518. 

  1518. 		return fmt.Errorf("ResolveUDPAddr failed: %s", err)
    1519. 

  1519. 	}
    1520. 

  1520. 

  1521. 	// Note: this proxy is intended for this test only -- it only accepts a single connection,
    1522. 

  1522. 	// handles it, and then terminates.
    1523. 

  1523. 

  1524. 	localUDPProxy := func(destinationIP net.IP, destinationPort uint16, waitGroup *sync.WaitGroup) {
    1525. 

  1525. 

  1526. 		if waitGroup != nil {
    1527. 

  1527. 			defer waitGroup.Done()
    1528. 

  1528. 		}
    1529. 

  1529. 

  1530. 		destination := net.JoinHostPort(destinationIP.String(), strconv.Itoa(int(destinationPort)))
    1531. 

  1531. 

  1532. 		serverUDPConn, err := net.ListenUDP("udp", localUDPProxyAddress)
    1533. 

  1533. 		if err != nil {
    1534. 

  1534. 			t.Logf("ListenUDP for %s failed: %s", destination, err)
    1535. 

  1535. 			return
    1536. 

  1536. 		}
    1537. 

  1537. 		defer serverUDPConn.Close()
    1538. 

  1538. 

  1539. 		udpgwPreambleSize := 11 // see writeUdpgwPreamble
    1540. 

  1540. 		buffer := make([]byte, udpgwProtocolMaxMessageSize)
    1541. 

  1541. 		packetSize, clientAddr, err := serverUDPConn.ReadFromUDP(
    1542. 

  1542. 			buffer[udpgwPreambleSize:])
    1543. 

  1543. 		if err != nil {
    1544. 

  1544. 			t.Logf("serverUDPConn.Read for %s failed: %s", destination, err)
    1545. 

  1545. 			return
    1546. 

  1546. 		}
    1547. 

  1547. 

  1548. 		socksProxyAddress := fmt.Sprintf("127.0.0.1:%d", localSOCKSProxyPort)
    1549. 

  1549. 

  1550. 		dialer, err := proxy.SOCKS5("tcp", socksProxyAddress, nil, proxy.Direct)
    1551. 

  1551. 		if err != nil {
    1552. 

  1552. 			t.Logf("proxy.SOCKS5 for %s failed: %s", destination, err)
    1553. 

  1553. 			return
    1554. 

  1554. 		}
    1555. 

  1555. 

  1556. 		socksTCPConn, err := dialer.Dial("tcp", udpgwServerAddress)
    1557. 

  1557. 		if err != nil {
    1558. 

  1558. 			t.Logf("dialer.Dial for %s failed: %s", destination, err)
    1559. 

  1559. 			return
    1560. 

  1560. 		}
    1561. 

  1561. 		defer socksTCPConn.Close()
    1562. 

  1562. 

  1563. 		flags := uint8(0)
    1564. 

  1564. 		if destinationPort == 53 {
    1565. 

  1565. 			flags = udpgwProtocolFlagDNS
    1566. 

  1566. 		}
    1567. 

  1567. 

  1568. 		err = writeUdpgwPreamble(
    1569. 

  1569. 			udpgwPreambleSize,
    1570. 

  1570. 			flags,
    1571. 

  1571. 			0,
    1572. 

  1572. 			destinationIP,
    1573. 

  1573. 			destinationPort,
    1574. 

  1574. 			uint16(packetSize),
    1575. 

  1575. 			buffer)
    1576. 

  1576. 		if err != nil {
    1577. 

  1577. 			t.Logf("writeUdpgwPreamble for %s failed: %s", destination, err)
    1578. 

  1578. 			return
    1579. 

  1579. 		}
    1580. 

  1580. 

  1581. 		_, err = socksTCPConn.Write(buffer[0 : udpgwPreambleSize+packetSize])
    1582. 

  1582. 		if err != nil {
    1583. 

  1583. 			t.Logf("socksTCPConn.Write for %s failed: %s", destination, err)
    1584. 

  1584. 			return
    1585. 

  1585. 		}
    1586. 

  1586. 

  1587. 		udpgwProtocolMessage, err := readUdpgwMessage(socksTCPConn, buffer)
    1588. 

  1588. 		if err != nil {
    1589. 

  1589. 			t.Logf("readUdpgwMessage for %s failed: %s", destination, err)
    1590. 

  1590. 			return
    1591. 

  1591. 		}
    1592. 

  1592. 

  1593. 		_, err = serverUDPConn.WriteToUDP(udpgwProtocolMessage.packet, clientAddr)
    1594. 

  1594. 		if err != nil {
    1595. 

  1595. 			t.Logf("serverUDPConn.Write for %s failed: %s", destination, err)
    1596. 

  1596. 			return
    1597. 

  1597. 		}
    1598. 

  1598. 	}
    1599. 

  1599. 

  1600. 	// Tunneled DNS request
    1601. 

  1601. 

  1602. 	waitGroup := new(sync.WaitGroup)
    1603. 

  1603. 	waitGroup.Add(1)
    1604. 

  1604. 	go localUDPProxy(
    1605. 

  1605. 		net.IP(make([]byte, 4)), // ignored due to transparent DNS forwarding
    1606. 

  1606. 		53,
    1607. 

  1607. 		waitGroup)
    1608. 

  1608. 	// TODO: properly synchronize with local UDP proxy startup
    1609. 

  1609. 	time.Sleep(1 * time.Second)
    1610. 

  1610. 

  1611. 	clientUDPConn, err := net.DialUDP("udp", nil, localUDPProxyAddress)
    1612. 

  1612. 	if err != nil {
    1613. 

  1613. 		return fmt.Errorf("DialUDP failed: %s", err)
    1614. 

  1614. 	}
    1615. 

  1615. 

  1616. 	clientUDPConn.SetReadDeadline(time.Now().Add(timeout))
    1617. 

  1617. 	clientUDPConn.SetWriteDeadline(time.Now().Add(timeout))
    1618. 

  1618. 

  1619. 	addrs, _, err := psiphon.ResolveIP(testHostname, clientUDPConn)
    1620. 

  1620. 

  1621. 	clientUDPConn.Close()
    1622. 

  1622. 

  1623. 	if err == nil && (len(addrs) == 0 || len(addrs[0]) < 4) {
    1624. 

  1624. 		err = errors.New("no address")
    1625. 

  1625. 	}
    1626. 

  1626. 	if err != nil {
    1627. 

  1627. 		return fmt.Errorf("ResolveIP failed: %s", err)
    1628. 

  1628. 	}
    1629. 

  1629. 

  1630. 	waitGroup.Wait()
    1631. 

  1631. 

  1632. 	// Tunneled NTP request
    1633. 

  1633. 

  1634. 	waitGroup = new(sync.WaitGroup)
    1635. 

  1635. 	waitGroup.Add(1)
    1636. 

  1636. 	go localUDPProxy(
    1637. 

  1637. 		addrs[0][len(addrs[0])-4:],
    1638. 

  1638. 		123,
    1639. 

  1639. 		waitGroup)
    1640. 

  1640. 	// TODO: properly synchronize with local UDP proxy startup
    1641. 

  1641. 	time.Sleep(1 * time.Second)
    1642. 

  1642. 

  1643. 	clientUDPConn, err = net.DialUDP("udp", nil, localUDPProxyAddress)
    1644. 

  1644. 	if err != nil {
    1645. 

  1645. 		return fmt.Errorf("DialUDP failed: %s", err)
    1646. 

  1646. 	}
    1647. 

  1647. 

  1648. 	clientUDPConn.SetReadDeadline(time.Now().Add(timeout))
    1649. 

  1649. 	clientUDPConn.SetWriteDeadline(time.Now().Add(timeout))
    1650. 

  1650. 

  1651. 	// NTP protocol code from: https://groups.google.com/d/msg/golang-nuts/FlcdMU5fkLQ/CAeoD9eqm-IJ
    1652. 

  1652. 

  1653. 	ntpData := make([]byte, 48)
    1654. 

  1654. 	ntpData[0] = 3<<3 | 3
    1655. 

  1655. 

  1656. 	_, err = clientUDPConn.Write(ntpData)
    1657. 

  1657. 	if err != nil {
    1658. 

  1658. 		clientUDPConn.Close()
    1659. 

  1659. 		return fmt.Errorf("NTP Write failed: %s", err)
    1660. 

  1660. 	}
    1661. 

  1661. 

  1662. 	_, err = clientUDPConn.Read(ntpData)
    1663. 

  1663. 	if err != nil {
    1664. 

  1664. 		clientUDPConn.Close()
    1665. 

  1665. 		return fmt.Errorf("NTP Read failed: %s", err)
    1666. 

  1666. 	}
    1667. 

  1667. 

  1668. 	clientUDPConn.Close()
    1669. 

  1669. 

  1670. 	var sec, frac uint64
    1671. 

  1671. 	sec = uint64(ntpData[43]) | uint64(ntpData[42])<<8 | uint64(ntpData[41])<<16 | uint64(ntpData[40])<<24
    1672. 

  1672. 	frac = uint64(ntpData[47]) | uint64(ntpData[46])<<8 | uint64(ntpData[45])<<16 | uint64(ntpData[44])<<24
    1673. 

  1673. 

  1674. 	nsec := sec * 1e9
    1675. 

  1675. 	nsec += (frac * 1e9) >> 32
    1676. 

  1676. 

  1677. 	ntpNow := time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration(nsec)).Local()
    1678. 

  1678. 

  1679. 	now := time.Now()
    1680. 

  1680. 

  1681. 	diff := ntpNow.Sub(now)
    1682. 

  1682. 	if diff < 0 {
    1683. 

  1683. 		diff = -diff
    1684. 

  1684. 	}
    1685. 

  1685. 

  1686. 	if diff > 1*time.Minute {
    1687. 

  1687. 		return fmt.Errorf("Unexpected NTP time: %s; local time: %s", ntpNow, now)
    1688. 

  1688. 	}
    1689. 

  1689. 

  1690. 	waitGroup.Wait()
    1691. 

  1691. 

  1692. 	return nil
    1693. 

  1693. }
    1694. 

  1694. 

  1695. func pavePsinetDatabaseFile(
    1696. 

  1696. 	t *testing.T,
    1697. 

  1697. 	useDefaultSponsorID bool,
    1698. 

  1698. 	psinetFilename string,
    1699. 

  1699. 	validServerEntryTags []string) (string, string) {
    1700. 

  1700. 

  1701. 	sponsorID := prng.HexString(8)
    1702. 

  1702. 

  1703. 	defaultSponsorID := ""
    1704. 

  1704. 	if useDefaultSponsorID {
    1705. 

  1705. 		defaultSponsorID = sponsorID
    1706. 

  1706. 	}
    1707. 

  1707. 

  1708. 	fakeDomain := prng.HexString(4)
    1709. 

  1709. 	fakePath := prng.HexString(4)
    1710. 

  1710. 	expectedHomepageURL := fmt.Sprintf("https://%s.com/%s", fakeDomain, fakePath)
    1711. 

  1711. 

  1712. 	psinetJSONFormat := `
    1713. 

  1713.     {
    1714. 

  1714.         "default_sponsor_id" : "%s",
    1715. 

  1715.         "sponsors": {
    1716. 

  1716.             "%s": {
    1717. 

  1717.                 "home_pages": {
    1718. 

  1718.                     "None": [
    1719. 

  1719.                         {
    1720. 

  1720.                             "region": null,
    1721. 

  1721.                             "url": "%s"
    1722. 

  1722.                         }
    1723. 

  1723.                     ]
    1724. 

  1724.                 }
    1725. 

  1725.             }
    1726. 

  1726.         },
    1727. 

  1727.         "valid_server_entry_tags" : {
    1728. 

  1728.             %s
    1729. 

  1729.         }
    1730. 

  1730.     }
    1731. 

  1731. 	`
    1732. 

  1732. 

  1733. 	validServerEntryTagsJSON := ""
    1734. 

  1734. 	for _, serverEntryTag := range validServerEntryTags {
    1735. 

  1735. 		if len(validServerEntryTagsJSON) > 0 {
    1736. 

  1736. 			validServerEntryTagsJSON += ", "
    1737. 

  1737. 		}
    1738. 

  1738. 		validServerEntryTagsJSON += fmt.Sprintf("\"%s\" : true", serverEntryTag)
    1739. 

  1739. 	}
    1740. 

  1740. 

  1741. 	psinetJSON := fmt.Sprintf(
    1742. 

  1742. 		psinetJSONFormat,
    1743. 

  1743. 		defaultSponsorID,
    1744. 

  1744. 		sponsorID,
    1745. 

  1745. 		expectedHomepageURL,
    1746. 

  1746. 		validServerEntryTagsJSON)
    1747. 

  1747. 

  1748. 	err := ioutil.WriteFile(psinetFilename, []byte(psinetJSON), 0600)
    1749. 

  1749. 	if err != nil {
    1750. 

  1750. 		t.Fatalf("error paving psinet database file: %s", err)
    1751. 

  1751. 	}
    1752. 

  1752. 

  1753. 	return sponsorID, expectedHomepageURL
    1754. 

  1754. }
    1755. 

  1755. 

  1756. func paveTrafficRulesFile(
    1757. 

  1757. 	t *testing.T,
    1758. 

  1758. 	trafficRulesFilename string,
    1759. 

  1759. 	propagationChannelID string,
    1760. 

  1760. 	accessType string,
    1761. 

  1761. 	authorizationID string,
    1762. 

  1762. 	requireAuthorization bool,
    1763. 

  1763. 	deny bool,
    1764. 

  1764. 	livenessTestSize int) {
    1765. 

  1765. 

  1766. 	// Test both default and fast lookups
    1767. 

  1767. 	if intLookupThreshold != 10 {
    1768. 

  1768. 		t.Fatalf("unexpected intLookupThreshold")
    1769. 

  1769. 	}
    1770. 

  1770. 

  1771. 	TCPPorts := fmt.Sprintf("%d", mockWebServerPort)
    1772. 

  1772. 	UDPPorts := "53, 123, 10001, 10002, 10003, 10004, 10005, 10006, 10007, 10008, 10009, 10010"
    1773. 

  1773. 

  1774. 	allowTCPPorts := TCPPorts
    1775. 

  1775. 	allowUDPPorts := UDPPorts
    1776. 

  1776. 	disallowTCPPorts := "0"
    1777. 

  1777. 	disallowUDPPorts := "0"
    1778. 

  1778. 

  1779. 	if deny {
    1780. 

  1780. 		allowTCPPorts = "0"
    1781. 

  1781. 		allowUDPPorts = "0"
    1782. 

  1782. 		disallowTCPPorts = TCPPorts
    1783. 

  1783. 		disallowUDPPorts = UDPPorts
    1784. 

  1784. 	}
    1785. 

  1785. 

  1786. 	authorizationFilterFormat := `,
    1787. 

  1787.                     "AuthorizedAccessTypes" : ["%s"],
    1788. 

  1788.                     "ActiveAuthorizationIDs" : ["%s"]
    1789. 

  1789. 	`
    1790. 

  1790. 

  1791. 	authorizationFilter := ""
    1792. 

  1792. 	if requireAuthorization {
    1793. 

  1793. 		authorizationFilter = fmt.Sprintf(
    1794. 

  1794. 			authorizationFilterFormat, accessType, authorizationID)
    1795. 

  1795. 	}
    1796. 

  1796. 

  1797. 	// Supports two traffic rule test cases:
    1798. 

  1798. 	//
    1799. 

  1799. 	// 1. no ports are allowed until after the filtered rule is applied
    1800. 

  1800. 	// 2. no required ports are allowed (deny = true)
    1801. 

  1801. 

  1802. 	trafficRulesJSONFormat := `
    1803. 

  1803.     {
    1804. 

  1804.         "DefaultRules" :  {
    1805. 

  1805.             "RateLimits" : {
    1806. 

  1806.                 "ReadBytesPerSecond": 16384,
    1807. 

  1807.                 "WriteBytesPerSecond": 16384,
    1808. 

  1808.                 "ReadUnthrottledBytes": %d,
    1809. 

  1809.                 "WriteUnthrottledBytes": %d
    1810. 

  1810.             },
    1811. 

  1811.             "AllowTCPPorts" : [0],
    1812. 

  1812.             "AllowUDPPorts" : [0],
    1813. 

  1813.             "MeekRateLimiterHistorySize" : 10,
    1814. 

  1814.             "MeekRateLimiterThresholdSeconds" : 1,
    1815. 

  1815.             "MeekRateLimiterGarbageCollectionTriggerCount" : 1,
    1816. 

  1816.             "MeekRateLimiterReapHistoryFrequencySeconds" : 1,
    1817. 

  1817.             "MeekRateLimiterRegions" : []
    1818. 

  1818.         },
    1819. 

  1819.         "FilteredRules" : [
    1820. 

  1820.             {
    1821. 

  1821.                 "Filter" : {
    1822. 

  1822.                     "HandshakeParameters" : {
    1823. 

  1823.                         "propagation_channel_id" : ["%s"]
    1824. 

  1824.                     }%s
    1825. 

  1825.                 },
    1826. 

  1826.                 "Rules" : {
    1827. 

  1827.                     "RateLimits" : {
    1828. 

  1828.                         "ReadBytesPerSecond": 2097152,
    1829. 

  1829.                         "WriteBytesPerSecond": 2097152
    1830. 

  1830.                     },
    1831. 

  1831.                     "AllowTCPPorts" : [%s],
    1832. 

  1832.                     "AllowUDPPorts" : [%s],
    1833. 

  1833.                     "DisallowTCPPorts" : [%s],
    1834. 

  1834.                     "DisallowUDPPorts" : [%s]
    1835. 

  1835.                 }
    1836. 

  1836.             }
    1837. 

  1837.         ]
    1838. 

  1838.     }
    1839. 

  1839.     `
    1840. 

  1840. 

  1841. 	trafficRulesJSON := fmt.Sprintf(
    1842. 

  1842. 		trafficRulesJSONFormat,
    1843. 

  1843. 		livenessTestSize, livenessTestSize,
    1844. 

  1844. 		propagationChannelID, authorizationFilter,
    1845. 

  1845. 		allowTCPPorts, allowUDPPorts, disallowTCPPorts, disallowUDPPorts)
    1846. 

  1846. 

  1847. 	err := ioutil.WriteFile(trafficRulesFilename, []byte(trafficRulesJSON), 0600)
    1848. 

  1848. 	if err != nil {
    1849. 

  1849. 		t.Fatalf("error paving traffic rules file: %s", err)
    1850. 

  1850. 	}
    1851. 

  1851. }
    1852. 

  1852. 

  1853. var expectedNumSLOKs = 3
    1854. 

  1854. 

  1855. func paveOSLConfigFile(t *testing.T, oslConfigFilename string) string {
    1856. 

  1856. 

  1857. 	oslConfigJSONFormat := `
    1858. 

  1858.     {
    1859. 

  1859.       "Schemes" : [
    1860. 

  1860.         {
    1861. 

  1861.           "Epoch" : "%s",
    1862. 

  1862.           "Regions" : [],
    1863. 

  1863.           "PropagationChannelIDs" : ["%s"],
    1864. 

  1864.           "MasterKey" : "wFuSbqU/pJ/35vRmoM8T9ys1PgDa8uzJps1Y+FNKa5U=",
    1865. 

  1865.           "SeedSpecs" : [
    1866. 

  1866.             {
    1867. 

  1867.               "ID" : "IXHWfVgWFkEKvgqsjmnJuN3FpaGuCzQMETya+DSQvsk=",
    1868. 

  1868.               "UpstreamSubnets" : ["0.0.0.0/0"],
    1869. 

  1869.               "Targets" :
    1870. 

  1870.               {
    1871. 

  1871.                   "BytesRead" : 1,
    1872. 

  1872.                   "BytesWritten" : 1,
    1873. 

  1873.                   "PortForwardDurationNanoseconds" : 1
    1874. 

  1874.               }
    1875. 

  1875.             },
    1876. 

  1876.             {
    1877. 

  1877.               "ID" : "qvpIcORLE2Pi5TZmqRtVkEp+OKov0MhfsYPLNV7FYtI=",
    1878. 

  1878.               "UpstreamSubnets" : ["0.0.0.0/0"],
    1879. 

  1879.               "Targets" :
    1880. 

  1880.               {
    1881. 

  1881.                   "BytesRead" : 1,
    1882. 

  1882.                   "BytesWritten" : 1,
    1883. 

  1883.                   "PortForwardDurationNanoseconds" : 1
    1884. 

  1884.               }
    1885. 

  1885.             }
    1886. 

  1886.           ],
    1887. 

  1887.           "SeedSpecThreshold" : 2,
    1888. 

  1888.           "SeedPeriodNanoseconds" : 2592000000000000,
    1889. 

  1889.           "SeedPeriodKeySplits": [
    1890. 

  1890.             {
    1891. 

  1891.               "Total": 2,
    1892. 

  1892.               "Threshold": 2
    1893. 

  1893.             }
    1894. 

  1894.           ]
    1895. 

  1895.         },
    1896. 

  1896.         {
    1897. 

  1897.           "Epoch" : "%s",
    1898. 

  1898.           "Regions" : [],
    1899. 

  1899.           "PropagationChannelIDs" : ["%s"],
    1900. 

  1900.           "MasterKey" : "HDc/mvd7e+lKDJD0fMpJW66YJ/VW4iqDRjeclEsMnro=",
    1901. 

  1901.           "SeedSpecs" : [
    1902. 

  1902.             {
    1903. 

  1903.               "ID" : "/M0vsT0IjzmI0MvTI9IYe8OVyeQGeaPZN2xGxfLw/UQ=",
    1904. 

  1904.               "UpstreamSubnets" : ["0.0.0.0/0"],
    1905. 

  1905.               "Targets" :
    1906. 

  1906.               {
    1907. 

  1907.                   "BytesRead" : 1,
    1908. 

  1908.                   "BytesWritten" : 1,
    1909. 

  1909.                   "PortForwardDurationNanoseconds" : 1
    1910. 

  1910.               }
    1911. 

  1911.             }
    1912. 

  1912.           ],
    1913. 

  1913.           "SeedSpecThreshold" : 1,
    1914. 

  1914.           "SeedPeriodNanoseconds" : 2592000000000000,
    1915. 

  1915.           "SeedPeriodKeySplits": [
    1916. 

  1916.             {
    1917. 

  1917.               "Total": 1,
    1918. 

  1918.               "Threshold": 1
    1919. 

  1919.             }
    1920. 

  1920.           ]
    1921. 

  1921.         }
    1922. 

  1922.       ]
    1923. 

  1923.     }
    1924. 

  1924.     `
    1925. 

  1925. 

  1926. 	propagationChannelID := prng.HexString(8)
    1927. 

  1927. 

  1928. 	now := time.Now().UTC()
    1929. 

  1929. 	epoch := now.Truncate(720 * time.Hour)
    1930. 

  1930. 	epochStr := epoch.Format(time.RFC3339Nano)
    1931. 

  1931. 

  1932. 	oslConfigJSON := fmt.Sprintf(
    1933. 

  1933. 		oslConfigJSONFormat,
    1934. 

  1934. 		epochStr, propagationChannelID,
    1935. 

  1935. 		epochStr, propagationChannelID)
    1936. 

  1936. 

  1937. 	err := ioutil.WriteFile(oslConfigFilename, []byte(oslConfigJSON), 0600)
    1938. 

  1938. 	if err != nil {
    1939. 

  1939. 		t.Fatalf("error paving osl config file: %s", err)
    1940. 

  1940. 	}
    1941. 

  1941. 

  1942. 	return propagationChannelID
    1943. 

  1943. }
    1944. 

  1944. 

  1945. func paveTacticsConfigFile(
    1946. 

  1946. 	t *testing.T, tacticsConfigFilename string,
    1947. 

  1947. 	tacticsRequestPublicKey, tacticsRequestPrivateKey, tacticsRequestObfuscatedKey string,
    1948. 

  1948. 	tunnelProtocol string,
    1949. 

  1949. 	propagationChannelID string,
    1950. 

  1950. 	livenessTestSize int) {
    1951. 

  1951. 

  1952. 	// Setting LimitTunnelProtocols passively exercises the
    1953. 

  1953. 	// server-side LimitTunnelProtocols enforcement.
    1954. 

  1954. 

  1955. 	tacticsConfigJSONFormat := `
    1956. 

  1956.     {
    1957. 

  1957.       "RequestPublicKey" : "%s",
    1958. 

  1958.       "RequestPrivateKey" : "%s",
    1959. 

  1959.       "RequestObfuscatedKey" : "%s",
    1960. 

  1960.       "EnforceServerSide" : true,
    1961. 

  1961.       "DefaultTactics" : {
    1962. 

  1962.         "TTL" : "60s",
    1963. 

  1963.         "Probability" : 1.0,
    1964. 

  1964.         "Parameters" : {
    1965. 

  1965.           "LimitTunnelProtocols" : ["%s"],
    1966. 

  1966.           "FragmentorLimitProtocols" : ["%s"],
    1967. 

  1967.           "FragmentorProbability" : 1.0,
    1968. 

  1968.           "FragmentorMinTotalBytes" : 1000,
    1969. 

  1969.           "FragmentorMaxTotalBytes" : 2000,
    1970. 

  1970.           "FragmentorMinWriteBytes" : 1,
    1971. 

  1971.           "FragmentorMaxWriteBytes" : 100,
    1972. 

  1972.           "FragmentorMinDelay" : "1ms",
    1973. 

  1973.           "FragmentorMaxDelay" : "10ms",
    1974. 

  1974.           "FragmentorDownstreamLimitProtocols" : ["%s"],
    1975. 

  1975.           "FragmentorDownstreamProbability" : 1.0,
    1976. 

  1976.           "FragmentorDownstreamMinTotalBytes" : 1000,
    1977. 

  1977.           "FragmentorDownstreamMaxTotalBytes" : 2000,
    1978. 

  1978.           "FragmentorDownstreamMinWriteBytes" : 1,
    1979. 

  1979.           "FragmentorDownstreamMaxWriteBytes" : 100,
    1980. 

  1980.           "FragmentorDownstreamMinDelay" : "1ms",
    1981. 

  1981.           "FragmentorDownstreamMaxDelay" : "10ms",
    1982. 

  1982.           "LivenessTestMinUpstreamBytes" : %d,
    1983. 

  1983.           "LivenessTestMaxUpstreamBytes" : %d,
    1984. 

  1984.           "LivenessTestMinDownstreamBytes" : %d,
    1985. 

  1985.           "LivenessTestMaxDownstreamBytes" : %d,
    1986. 

  1986.           "BPFServerTCPProgram": {
    1987. 

  1987.             "Name" : "test-server-bpf",
    1988. 

  1988.               "Instructions" : [
    1989. 

  1989.                 {"Op": "RetConstant", "Args": {"Val": 65535}}]},
    1990. 

  1990.           "BPFServerTCPProbability" : 1.0,
    1991. 

  1991.           "BPFClientTCPProgram": {
    1992. 

  1992.             "Name" : "test-client-bpf",
    1993. 

  1993.               "Instructions" : [
    1994. 

  1994.                 {"Op": "RetConstant", "Args": {"Val": 65535}}]},
    1995. 

  1995.           "BPFClientTCPProbability" : 1.0,
    1996. 

  1996.           "ServerPacketManipulationSpecs" : [{"Name": "test-packetman-spec", "PacketSpecs": [["TCP-flags S"]]}],
    1997. 

  1997.           "ServerPacketManipulationProbability" : 1.0,
    1998. 

  1998.           "ServerProtocolPacketManipulations": {"All" : ["test-packetman-spec"]}
    1999. 

  1999.         }
    2000. 

  2000.       },
    2001. 

  2001.       "FilteredTactics" : [
    2002. 

  2002.         {
    2003. 

  2003.           "Filter" : {
    2004. 

  2004.             "APIParameters" : {"propagation_channel_id" : ["%s"]},
    2005. 

  2005.             "SpeedTestRTTMilliseconds" : {
    2006. 

  2006.               "Aggregation" : "Median",
    2007. 

  2007.               "AtLeast" : 1
    2008. 

  2008.             }
    2009. 

  2009.           },
    2010. 

  2010.           "Tactics" : {
    2011. 

  2011.             "Parameters" : {
    2012. 

  2012.               "TunnelConnectTimeout" : "20s",
    2013. 

  2013.               "TunnelRateLimits" : {"WriteBytesPerSecond": 1000000},
    2014. 

  2014.               "TransformHostNameProbability" : 1.0,
    2015. 

  2015.               "PickUserAgentProbability" : 1.0,
    2016. 

  2016.               "ApplicationParameters" : {
    2017. 

  2017.                 "AppFlag1" : true,
    2018. 

  2018.                 "AppConfig1" : {"Option1" : "A", "Option2" : "B"},
    2019. 

  2019.                 "AppSwitches1" : [1, 2, 3, 4]
    2020. 

  2020.               }
    2021. 

  2021.             }
    2022. 

  2022.           }
    2023. 

  2023.         }
    2024. 

  2024.       ]
    2025. 

  2025.     }
    2026. 

  2026.     `
    2027. 

  2027. 

  2028. 	tacticsConfigJSON := fmt.Sprintf(
    2029. 

  2029. 		tacticsConfigJSONFormat,
    2030. 

  2030. 		tacticsRequestPublicKey, tacticsRequestPrivateKey, tacticsRequestObfuscatedKey,
    2031. 

  2031. 		tunnelProtocol,
    2032. 

  2032. 		tunnelProtocol,
    2033. 

  2033. 		tunnelProtocol,
    2034. 

  2034. 		livenessTestSize, livenessTestSize, livenessTestSize, livenessTestSize,
    2035. 

  2035. 		propagationChannelID)
    2036. 

  2036. 

  2037. 	err := ioutil.WriteFile(tacticsConfigFilename, []byte(tacticsConfigJSON), 0600)
    2038. 

  2038. 	if err != nil {
    2039. 

  2039. 		t.Fatalf("error paving tactics config file: %s", err)
    2040. 

  2040. 	}
    2041. 

  2041. }
    2042. 

  2042. 

  2043. func paveBlocklistFile(t *testing.T, blocklistFilename string) {
    2044. 

  2044. 

  2045. 	blocklistContent :=
    2046. 

  2046. 		"255.255.255.255,test-source,test-subject\n2001:db8:f75c::0951:58bc:ef22,test-source,test-subject\nexample.org,test-source,test-subject\n"
    2047. 

  2047. 

  2048. 	err := ioutil.WriteFile(blocklistFilename, []byte(blocklistContent), 0600)
    2049. 

  2049. 	if err != nil {
    2050. 

  2050. 		t.Fatalf("error paving blocklist file: %s", err)
    2051. 

  2051. 	}
    2052. 

  2052. }
    2053. 

  2053. 

  2054. func sendNotificationReceived(c chan<- struct{}) {
    2055. 

  2055. 	select {
    2056. 

  2056. 	case c <- struct{}{}:
    2057. 

  2057. 	default:
    2058. 

  2058. 	}
    2059. 

  2059. }
    2060. 

  2060. 

  2061. func waitOnNotification(t *testing.T, c, timeoutSignal <-chan struct{}, timeoutMessage string) {
    2062. 

  2062. 	if timeoutSignal == nil {
    2063. 

  2063. 		<-c
    2064. 

  2064. 	} else {
    2065. 

  2065. 		select {
    2066. 

  2066. 		case <-c:
    2067. 

  2067. 		case <-timeoutSignal:
    2068. 

  2068. 			t.Fatalf(timeoutMessage)
    2069. 

  2069. 		}
    2070. 

  2070. 	}
    2071. 

  2071. }
    2072. 

  2072. 

  2073. type pruneServerEntryTestCase struct {
    2074. 

  2074. 	IPAddress         string
    2075. 

  2075. 	ExplicitTag       bool
    2076. 

  2076. 	ExpectedTag       string
    2077. 

  2077. 	LocalTimestamp    string
    2078. 

  2078. 	PsinetValid       bool
    2079. 

  2079. 	ExpectPrune       bool
    2080. 

  2080. 	IsEmbedded        bool
    2081. 

  2081. 	DialPort0         bool
    2082. 

  2082. 	ServerEntryFields protocol.ServerEntryFields
    2083. 

  2083. }
    2084. 

  2084. 

  2085. func initializePruneServerEntriesTest(
    2086. 

  2086. 	t *testing.T,
    2087. 

  2087. 	runConfig *runServerConfig) ([]*pruneServerEntryTestCase, []string, int) {
    2088. 

  2088. 

  2089. 	if !runConfig.doPruneServerEntries {
    2090. 

  2090. 		return nil, nil, 0
    2091. 

  2091. 	}
    2092. 

  2092. 

  2093. 	newTimeStamp := time.Now().UTC().Format(time.RFC3339)
    2094. 

  2094. 	oldTimeStamp := time.Now().Add(-30 * 24 * time.Hour).UTC().Format(time.RFC3339)
    2095. 

  2095. 

  2096. 	// Test Cases:
    2097. 

  2097. 	// - ExplicitTag: server entry includes a tag; vs. generate a derived tag
    2098. 

  2098. 	// - LocalTimestamp: server entry is sufficiently old to be pruned; vs. not
    2099. 

  2099. 	// - PsinetValid: server entry is reported valid by psinet; vs. deleted
    2100. 

  2100. 	// - ExpectPrune: prune outcome based on flags above
    2101. 

  2101. 	// - IsEmbedded: pruned embedded server entries leave a tombstone and cannot
    2102. 

  2102. 	//   be reimported
    2103. 

  2103. 	// - DialPort0: set dial port to 0, a special prune case (see statusAPIRequestHandler)
    2104. 

  2104. 

  2105. 	pruneServerEntryTestCases := []*pruneServerEntryTestCase{
    2106. 

  2106. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.1", ExplicitTag: true, LocalTimestamp: newTimeStamp, PsinetValid: true, ExpectPrune: false},
    2107. 

  2107. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.2", ExplicitTag: false, LocalTimestamp: newTimeStamp, PsinetValid: true, ExpectPrune: false},
    2108. 

  2108. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.3", ExplicitTag: true, LocalTimestamp: oldTimeStamp, PsinetValid: true, ExpectPrune: false},
    2109. 

  2109. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.4", ExplicitTag: false, LocalTimestamp: oldTimeStamp, PsinetValid: true, ExpectPrune: false},
    2110. 

  2110. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.5", ExplicitTag: true, LocalTimestamp: newTimeStamp, PsinetValid: false, ExpectPrune: false},
    2111. 

  2111. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.6", ExplicitTag: false, LocalTimestamp: newTimeStamp, PsinetValid: false, ExpectPrune: false},
    2112. 

  2112. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.7", ExplicitTag: true, LocalTimestamp: oldTimeStamp, PsinetValid: false, ExpectPrune: true, IsEmbedded: false},
    2113. 

  2113. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.8", ExplicitTag: false, LocalTimestamp: oldTimeStamp, PsinetValid: false, ExpectPrune: true, IsEmbedded: false},
    2114. 

  2114. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.9", ExplicitTag: true, LocalTimestamp: oldTimeStamp, PsinetValid: false, ExpectPrune: true, IsEmbedded: true},
    2115. 

  2115. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.10", ExplicitTag: false, LocalTimestamp: oldTimeStamp, PsinetValid: false, ExpectPrune: true, IsEmbedded: true},
    2116. 

  2116. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.11", ExplicitTag: true, LocalTimestamp: oldTimeStamp, PsinetValid: true, ExpectPrune: true, IsEmbedded: false, DialPort0: true},
    2117. 

  2117. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.12", ExplicitTag: false, LocalTimestamp: oldTimeStamp, PsinetValid: true, ExpectPrune: true, IsEmbedded: true, DialPort0: true},
    2118. 

  2118. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.13", ExplicitTag: true, LocalTimestamp: oldTimeStamp, PsinetValid: true, ExpectPrune: true, IsEmbedded: true, DialPort0: true},
    2119. 

  2119. 	}
    2120. 

  2120. 

  2121. 	for _, testCase := range pruneServerEntryTestCases {
    2122. 

  2122. 

  2123. 		dialPort := 4000
    2124. 

  2124. 		if testCase.DialPort0 {
    2125. 

  2125. 			dialPort = 0
    2126. 

  2126. 		}
    2127. 

  2127. 

  2128. 		_, _, _, _, encodedServerEntry, err := GenerateConfig(
    2129. 

  2129. 			&GenerateConfigParams{
    2130. 

  2130. 				ServerIPAddress:     testCase.IPAddress,
    2131. 

  2131. 				WebServerPort:       8000,
    2132. 

  2132. 				TunnelProtocolPorts: map[string]int{runConfig.tunnelProtocol: dialPort},
    2133. 

  2133. 			})
    2134. 

  2134. 		if err != nil {
    2135. 

  2135. 			t.Fatalf("GenerateConfig failed: %s", err)
    2136. 

  2136. 		}
    2137. 

  2137. 

  2138. 		serverEntrySource := protocol.SERVER_ENTRY_SOURCE_REMOTE
    2139. 

  2139. 		if testCase.IsEmbedded {
    2140. 

  2140. 			serverEntrySource = protocol.SERVER_ENTRY_SOURCE_EMBEDDED
    2141. 

  2141. 		}
    2142. 

  2142. 

  2143. 		serverEntryFields, err := protocol.DecodeServerEntryFields(
    2144. 

  2144. 			string(encodedServerEntry),
    2145. 

  2145. 			testCase.LocalTimestamp,
    2146. 

  2146. 			serverEntrySource)
    2147. 

  2147. 		if err != nil {
    2148. 

  2148. 			t.Fatalf("DecodeServerEntryFields failed: %s", err)
    2149. 

  2149. 		}
    2150. 

  2150. 

  2151. 		if testCase.ExplicitTag {
    2152. 

  2152. 			testCase.ExpectedTag = prng.Base64String(32)
    2153. 

  2153. 			serverEntryFields.SetTag(testCase.ExpectedTag)
    2154. 

  2154. 		} else {
    2155. 

  2155. 			testCase.ExpectedTag = protocol.GenerateServerEntryTag(
    2156. 

  2156. 				serverEntryFields.GetIPAddress(),
    2157. 

  2157. 				serverEntryFields.GetWebServerSecret())
    2158. 

  2158. 		}
    2159. 

  2159. 

  2160. 		testCase.ServerEntryFields = serverEntryFields
    2161. 

  2161. 	}
    2162. 

  2162. 

  2163. 	psinetValidServerEntryTags := make([]string, 0)
    2164. 

  2164. 	expectedNumPruneNotices := 0
    2165. 

  2165. 

  2166. 	for _, testCase := range pruneServerEntryTestCases {
    2167. 

  2167. 

  2168. 		if testCase.PsinetValid {
    2169. 

  2169. 			psinetValidServerEntryTags = append(
    2170. 

  2170. 				psinetValidServerEntryTags, testCase.ExpectedTag)
    2171. 

  2171. 		}
    2172. 

  2172. 

  2173. 		if testCase.ExpectPrune {
    2174. 

  2174. 			expectedNumPruneNotices += 1
    2175. 

  2175. 		}
    2176. 

  2176. 	}
    2177. 

  2177. 

  2178. 	return pruneServerEntryTestCases,
    2179. 

  2179. 		psinetValidServerEntryTags,
    2180. 

  2180. 		expectedNumPruneNotices
    2181. 

  2181. }
    2182. 

  2182. 

  2183. func storePruneServerEntriesTest(
    2184. 

  2184. 	t *testing.T,
    2185. 

  2185. 	runConfig *runServerConfig,
    2186. 

  2186. 	testDataDirName string,
    2187. 

  2187. 	pruneServerEntryTestCases []*pruneServerEntryTestCase) {
    2188. 

  2188. 

  2189. 	if !runConfig.doPruneServerEntries {
    2190. 

  2190. 		return
    2191. 

  2191. 	}
    2192. 

  2192. 

  2193. 	for _, testCase := range pruneServerEntryTestCases {
    2194. 

  2194. 

  2195. 		err := psiphon.StoreServerEntry(testCase.ServerEntryFields, true)
    2196. 

  2196. 		if err != nil {
    2197. 

  2197. 			t.Fatalf("StoreServerEntry failed: %s", err)
    2198. 

  2198. 		}
    2199. 

  2199. 	}
    2200. 

  2200. 

  2201. 	clientConfig := &psiphon.Config{
    2202. 

  2202. 		SponsorId:            "0",
    2203. 

  2203. 		PropagationChannelId: "0",
    2204. 

  2204. 

  2205. 		// DataRootDirectory must to be set to avoid a migration in the current
    2206. 

  2206. 		// working directory.
    2207. 

  2207. 		DataRootDirectory: testDataDirName,
    2208. 

  2208. 	}
    2209. 

  2209. 	err := clientConfig.Commit(false)
    2210. 

  2210. 	if err != nil {
    2211. 

  2211. 		t.Fatalf("Commit failed: %s", err)
    2212. 

  2212. 	}
    2213. 

  2213. 

  2214. 	applyParameters := make(map[string]interface{})
    2215. 

  2215. 	applyParameters[parameters.RecordFailedTunnelPersistentStatsProbability] = 1.0
    2216. 

  2216. 

  2217. 	err = clientConfig.SetClientParameters("", true, applyParameters)
    2218. 

  2218. 	if err != nil {
    2219. 

  2219. 		t.Fatalf("SetClientParameters failed: %s", err)
    2220. 

  2220. 	}
    2221. 

  2221. 

  2222. 	verifyTestCasesStored := make(verifyTestCasesStoredLookup)
    2223. 

  2223. 	for _, testCase := range pruneServerEntryTestCases {
    2224. 

  2224. 		verifyTestCasesStored.mustBeStored(testCase.IPAddress)
    2225. 

  2225. 	}
    2226. 

  2226. 

  2227. 	scanServerEntries(t, clientConfig, pruneServerEntryTestCases, func(
    2228. 

  2228. 		t *testing.T,
    2229. 

  2229. 		testCase *pruneServerEntryTestCase,
    2230. 

  2230. 		serverEntry *protocol.ServerEntry) {
    2231. 

  2231. 

  2232. 		verifyTestCasesStored.isStored(testCase.IPAddress)
    2233. 

  2233. 

  2234. 		// Check that random tag was retained or derived tag was calculated as
    2235. 

  2235. 		// expected
    2236. 

  2236. 

  2237. 		if serverEntry.Tag != testCase.ExpectedTag {
    2238. 

  2238. 			t.Fatalf("unexpected tag for %s got %s expected %s",
    2239. 

  2239. 				testCase.IPAddress, serverEntry.Tag, testCase.ExpectedTag)
    2240. 

  2240. 		}
    2241. 

  2241. 

  2242. 		// Create failed tunnel event records to exercise pruning
    2243. 

  2243. 

  2244. 		dialParams, err := psiphon.MakeDialParameters(
    2245. 

  2245. 			clientConfig,
    2246. 

  2246. 			nil,
    2247. 

  2247. 			func(_ *protocol.ServerEntry, _ string) bool { return true },
    2248. 

  2248. 			func(serverEntry *protocol.ServerEntry) (string, bool) {
    2249. 

  2249. 				return runConfig.tunnelProtocol, true
    2250. 

  2250. 			},
    2251. 

  2251. 			serverEntry,
    2252. 

  2252. 			false,
    2253. 

  2253. 			0,
    2254. 

  2254. 			0)
    2255. 

  2255. 		if err != nil {
    2256. 

  2256. 			t.Fatalf("MakeDialParameters failed: %s", err)
    2257. 

  2257. 		}
    2258. 

  2258. 

  2259. 		err = psiphon.RecordFailedTunnelStat(
    2260. 

  2260. 			clientConfig, dialParams, nil, 0, 0, errors.New("test error"))
    2261. 

  2261. 		if err != nil {
    2262. 

  2262. 			t.Fatalf("RecordFailedTunnelStat failed: %s", err)
    2263. 

  2263. 		}
    2264. 

  2264. 	})
    2265. 

  2265. 

  2266. 	verifyTestCasesStored.checkStored(
    2267. 

  2267. 		t, "missing prune test case server entries")
    2268. 

  2268. }
    2269. 

  2269. 

  2270. func checkPruneServerEntriesTest(
    2271. 

  2271. 	t *testing.T,
    2272. 

  2272. 	runConfig *runServerConfig,
    2273. 

  2273. 	testDataDirName string,
    2274. 

  2274. 	pruneServerEntryTestCases []*pruneServerEntryTestCase) {
    2275. 

  2275. 

  2276. 	if !runConfig.doPruneServerEntries {
    2277. 

  2277. 		return
    2278. 

  2278. 	}
    2279. 

  2279. 

  2280. 	clientConfig := &psiphon.Config{
    2281. 

  2281. 		SponsorId:            "0",
    2282. 

  2282. 		PropagationChannelId: "0",
    2283. 

  2283. 

  2284. 		// DataRootDirectory must to be set to avoid a migration in the current
    2285. 

  2285. 		// working directory.
    2286. 

  2286. 		DataRootDirectory: testDataDirName,
    2287. 

  2287. 	}
    2288. 

  2288. 	err := clientConfig.Commit(false)
    2289. 

  2289. 	if err != nil {
    2290. 

  2290. 		t.Fatalf("Commit failed: %s", err)
    2291. 

  2291. 	}
    2292. 

  2292. 

  2293. 	// Check that server entries remain or are pruned as expected
    2294. 

  2294. 

  2295. 	verifyTestCasesStored := make(verifyTestCasesStoredLookup)
    2296. 

  2296. 	for _, testCase := range pruneServerEntryTestCases {
    2297. 

  2297. 		if !testCase.ExpectPrune {
    2298. 

  2298. 			verifyTestCasesStored.mustBeStored(testCase.IPAddress)
    2299. 

  2299. 		}
    2300. 

  2300. 	}
    2301. 

  2301. 

  2302. 	scanServerEntries(t, clientConfig, pruneServerEntryTestCases, func(
    2303. 

  2303. 		t *testing.T,
    2304. 

  2304. 		testCase *pruneServerEntryTestCase,
    2305. 

  2305. 		serverEntry *protocol.ServerEntry) {
    2306. 

  2306. 

  2307. 		if testCase.ExpectPrune {
    2308. 

  2308. 			t.Fatalf("expected prune for %s", testCase.IPAddress)
    2309. 

  2309. 		} else {
    2310. 

  2310. 			verifyTestCasesStored.isStored(testCase.IPAddress)
    2311. 

  2311. 		}
    2312. 

  2312. 	})
    2313. 

  2313. 

  2314. 	verifyTestCasesStored.checkStored(
    2315. 

  2315. 		t, "missing prune test case server entries")
    2316. 

  2316. 

  2317. 	// Check that pruned server entries reimport or not, as expected
    2318. 

  2318. 

  2319. 	for _, testCase := range pruneServerEntryTestCases {
    2320. 

  2320. 

  2321. 		err := psiphon.StoreServerEntry(testCase.ServerEntryFields, true)
    2322. 

  2322. 		if err != nil {
    2323. 

  2323. 			t.Fatalf("StoreServerEntry failed: %s", err)
    2324. 

  2324. 		}
    2325. 

  2325. 	}
    2326. 

  2326. 

  2327. 	verifyTestCasesStored = make(verifyTestCasesStoredLookup)
    2328. 

  2328. 	for _, testCase := range pruneServerEntryTestCases {
    2329. 

  2329. 		if !testCase.ExpectPrune || !testCase.IsEmbedded {
    2330. 

  2330. 			verifyTestCasesStored.mustBeStored(testCase.IPAddress)
    2331. 

  2331. 		}
    2332. 

  2332. 	}
    2333. 

  2333. 

  2334. 	scanServerEntries(t, clientConfig, pruneServerEntryTestCases, func(
    2335. 

  2335. 		t *testing.T,
    2336. 

  2336. 		testCase *pruneServerEntryTestCase,
    2337. 

  2337. 		serverEntry *protocol.ServerEntry) {
    2338. 

  2338. 

  2339. 		if testCase.ExpectPrune && testCase.IsEmbedded {
    2340. 

  2340. 			t.Fatalf("expected tombstone for %s", testCase.IPAddress)
    2341. 

  2341. 		} else {
    2342. 

  2342. 			verifyTestCasesStored.isStored(testCase.IPAddress)
    2343. 

  2343. 		}
    2344. 

  2344. 	})
    2345. 

  2345. 

  2346. 	verifyTestCasesStored.checkStored(
    2347. 

  2347. 		t, "missing reimported prune test case server entries")
    2348. 

  2348. 

  2349. 	// Non-embedded server entries with tombstones _can_ be reimported
    2350. 

  2350. 

  2351. 	for _, testCase := range pruneServerEntryTestCases {
    2352. 

  2352. 

  2353. 		testCase.ServerEntryFields.SetLocalSource(protocol.SERVER_ENTRY_SOURCE_REMOTE)
    2354. 

  2354. 

  2355. 		err := psiphon.StoreServerEntry(testCase.ServerEntryFields, true)
    2356. 

  2356. 		if err != nil {
    2357. 

  2357. 			t.Fatalf("StoreServerEntry failed: %s", err)
    2358. 

  2358. 		}
    2359. 

  2359. 	}
    2360. 

  2360. 

  2361. 	verifyTestCasesStored = make(verifyTestCasesStoredLookup)
    2362. 

  2362. 	for _, testCase := range pruneServerEntryTestCases {
    2363. 

  2363. 		verifyTestCasesStored.mustBeStored(testCase.IPAddress)
    2364. 

  2364. 	}
    2365. 

  2365. 

  2366. 	scanServerEntries(t, clientConfig, pruneServerEntryTestCases, func(
    2367. 

  2367. 		t *testing.T,
    2368. 

  2368. 		testCase *pruneServerEntryTestCase,
    2369. 

  2369. 		serverEntry *protocol.ServerEntry) {
    2370. 

  2370. 

  2371. 		verifyTestCasesStored.isStored(testCase.IPAddress)
    2372. 

  2372. 	})
    2373. 

  2373. 

  2374. 	verifyTestCasesStored.checkStored(
    2375. 

  2375. 		t, "missing non-embedded reimported prune test case server entries")
    2376. 

  2376. }
    2377. 

  2377. 

  2378. func scanServerEntries(
    2379. 

  2379. 	t *testing.T,
    2380. 

  2380. 	clientConfig *psiphon.Config,
    2381. 

  2381. 	pruneServerEntryTestCases []*pruneServerEntryTestCase,
    2382. 

  2382. 	scanner func(
    2383. 

  2383. 		t *testing.T,
    2384. 

  2384. 		testCase *pruneServerEntryTestCase,
    2385. 

  2385. 		serverEntry *protocol.ServerEntry)) {
    2386. 

  2386. 

  2387. 	_, iterator, err := psiphon.NewServerEntryIterator(clientConfig)
    2388. 

  2388. 	if err != nil {
    2389. 

  2389. 		t.Fatalf("NewServerEntryIterator failed: %s", err)
    2390. 

  2390. 	}
    2391. 

  2391. 	defer iterator.Close()
    2392. 

  2392. 

  2393. 	for {
    2394. 

  2394. 

  2395. 		serverEntry, err := iterator.Next()
    2396. 

  2396. 		if err != nil {
    2397. 

  2397. 			t.Fatalf("ServerIterator.Next failed: %s", err)
    2398. 

  2398. 		}
    2399. 

  2399. 		if serverEntry == nil {
    2400. 

  2400. 			break
    2401. 

  2401. 		}
    2402. 

  2402. 

  2403. 		for _, testCase := range pruneServerEntryTestCases {
    2404. 

  2404. 			if testCase.IPAddress == serverEntry.IpAddress {
    2405. 

  2405. 				scanner(t, testCase, serverEntry)
    2406. 

  2406. 				break
    2407. 

  2407. 			}
    2408. 

  2408. 		}
    2409. 

  2409. 	}
    2410. 

  2410. }
    2411. 

  2411. 

  2412. type verifyTestCasesStoredLookup map[string]bool
    2413. 

  2413. 

  2414. func (v verifyTestCasesStoredLookup) mustBeStored(s string) {
    2415. 

  2415. 	v[s] = true
    2416. 

  2416. }
    2417. 

  2417. 

  2418. func (v verifyTestCasesStoredLookup) isStored(s string) {
    2419. 

  2419. 	delete(v, s)
    2420. 

  2420. }
    2421. 

  2421. 

  2422. func (v verifyTestCasesStoredLookup) checkStored(t *testing.T, errMessage string) {
    2423. 

  2423. 	if len(v) != 0 {
    2424. 

  2424. 		t.Fatalf("%s: %+v", errMessage, v)
    2425. 

  2425. 	}
    2426. 

  2426. }
    2427.