Главная Обзор Помощь
Вход
yosoyhendrix
/
psiphon-tunnel-core
зеркало из https://github.com/Psiphon-Labs/psiphon-tunnel-core
1
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: 9152fee4b7
Ветки Метки
psiphon-tunnel-...
/
psiphon
/
server
/
server_test.go

server_test.go 82 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871 
  1. /*
    2. 

  2.  * Copyright (c) 2016, Psiphon Inc.
    3. 

  3.  * All rights reserved.
    4. 

  4.  *
    5. 

  5.  * This program is free software: you can redistribute it and/or modify
    6. 

  6.  * it under the terms of the GNU General Public License as published by
    7. 

  7.  * the Free Software Foundation, either version 3 of the License, or
    8. 

  8.  * (at your option) any later version.
    9. 

  9.  *
    10. 

  10.  * This program is distributed in the hope that it will be useful,
    11. 

  11.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13. 

  13.  * GNU General Public License for more details.
    14. 

  14.  *
    15. 

  15.  * You should have received a copy of the GNU General Public License
    16. 

  16.  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17. 

  17.  *
    18. 

  18.  */
    19. 

  19. 

  20. package server
    21. 

  21. 

  22. import (
    23. 

  23. 	"context"
    24. 

  24. 	"encoding/base64"
    25. 

  25. 	"encoding/json"
    26. 

  26. 	"errors"
    27. 

  27. 	"flag"
    28. 

  28. 	"fmt"
    29. 

  29. 	"io/ioutil"
    30. 

  30. 	"net"
    31. 

  31. 	"net/http"
    32. 

  32. 	"net/url"
    33. 

  33. 	"os"
    34. 

  34. 	"path/filepath"
    35. 

  35. 	"reflect"
    36. 

  36. 	"regexp"
    37. 

  37. 	"strconv"
    38. 

  38. 	"strings"
    39. 

  39. 	"sync"
    40. 

  40. 	"syscall"
    41. 

  41. 	"testing"
    42. 

  42. 	"time"
    43. 

  43. 

  44. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon"
    45. 

  45. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common"
    46. 

  46. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/accesscontrol"
    47. 

  47. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/parameters"
    48. 

  48. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/prng"
    49. 

  49. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/protocol"
    50. 

  50. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/quic"
    51. 

  51. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/tactics"
    52. 

  52. 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/values"
    53. 

  53. 	"golang.org/x/net/proxy"
    54. 

  54. )
    55. 

  55. 

  56. var serverIPAddress, testDataDirName string
    57. 

  57. var mockWebServerURL, mockWebServerExpectedResponse string
    58. 

  58. var mockWebServerPort = "8080"
    59. 

  59. 

  60. func TestMain(m *testing.M) {
    61. 

  61. 	flag.Parse()
    62. 

  62. 

  63. 	serverIPv4Address, serverIPv6Address, err := common.GetRoutableInterfaceIPAddresses()
    64. 

  64. 	if err != nil {
    65. 

  65. 		fmt.Printf("error getting server IP address: %s\n", err)
    66. 

  66. 		os.Exit(1)
    67. 

  67. 	}
    68. 

  68. 	if serverIPv4Address != nil {
    69. 

  69. 		serverIPAddress = serverIPv4Address.String()
    70. 

  70. 	} else {
    71. 

  71. 		serverIPAddress = serverIPv6Address.String()
    72. 

  72. 	}
    73. 

  73. 

  74. 	testDataDirName, err = ioutil.TempDir("", "psiphon-server-test")
    75. 

  75. 	if err != nil {
    76. 

  76. 		fmt.Printf("TempDir failed: %s\n", err)
    77. 

  77. 		os.Exit(1)
    78. 

  78. 	}
    79. 

  79. 	defer os.RemoveAll(testDataDirName)
    80. 

  80. 

  81. 	psiphon.SetEmitDiagnosticNotices(true, true)
    82. 

  82. 

  83. 	mockWebServerURL, mockWebServerExpectedResponse = runMockWebServer()
    84. 

  84. 

  85. 	os.Exit(m.Run())
    86. 

  86. }
    87. 

  87. 

  88. func runMockWebServer() (string, string) {
    89. 

  89. 

  90. 	responseBody := prng.HexString(100000)
    91. 

  91. 

  92. 	serveMux := http.NewServeMux()
    93. 

  93. 	serveMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
    94. 

  94. 		w.Write([]byte(responseBody))
    95. 

  95. 	})
    96. 

  96. 	webServerAddress := net.JoinHostPort(serverIPAddress, mockWebServerPort)
    97. 

  97. 	server := &http.Server{
    98. 

  98. 		Addr:    webServerAddress,
    99. 

  99. 		Handler: serveMux,
    100. 

  100. 	}
    101. 

  101. 

  102. 	go func() {
    103. 

  103. 		err := server.ListenAndServe()
    104. 

  104. 		if err != nil {
    105. 

  105. 			fmt.Printf("error running mock web server: %s\n", err)
    106. 

  106. 			os.Exit(1)
    107. 

  107. 		}
    108. 

  108. 	}()
    109. 

  109. 

  110. 	// TODO: properly synchronize with web server readiness
    111. 

  111. 	time.Sleep(1 * time.Second)
    112. 

  112. 

  113. 	return fmt.Sprintf("http://%s/", webServerAddress), responseBody
    114. 

  114. }
    115. 

  115. 

  116. // Note: not testing fronted meek protocols, which client is
    117. 

  117. // hard-wired to expect running on privileged ports 80 and 443.
    118. 

  118. 

  119. func TestSSH(t *testing.T) {
    120. 

  120. 	runServer(t,
    121. 

  121. 		&runServerConfig{
    122. 

  122. 			tunnelProtocol:       "SSH",
    123. 

  123. 			enableSSHAPIRequests: true,
    124. 

  124. 			doHotReload:          false,
    125. 

  125. 			doDefaultSponsorID:   false,
    126. 

  126. 			denyTrafficRules:     false,
    127. 

  127. 			requireAuthorization: true,
    128. 

  128. 			omitAuthorization:    false,
    129. 

  129. 			doTunneledWebRequest: true,
    130. 

  130. 			doTunneledNTPRequest: true,
    131. 

  131. 			forceFragmenting:     false,
    132. 

  132. 			forceLivenessTest:    false,
    133. 

  133. 			doPruneServerEntries: false,
    134. 

  134. 			doDanglingTCPConn:    true,
    135. 

  135. 			doPacketManipulation: false,
    136. 

  136. 			doBurstMonitor:       false,
    137. 

  137. 			doSplitTunnel:        false,
    138. 

  138. 			limitQUICVersions:    false,
    139. 

  139. 		})
    140. 

  140. }
    141. 

  141. 

  142. func TestOSSH(t *testing.T) {
    143. 

  143. 	runServer(t,
    144. 

  144. 		&runServerConfig{
    145. 

  145. 			tunnelProtocol:       "OSSH",
    146. 

  146. 			enableSSHAPIRequests: true,
    147. 

  147. 			doHotReload:          false,
    148. 

  148. 			doDefaultSponsorID:   false,
    149. 

  149. 			denyTrafficRules:     false,
    150. 

  150. 			requireAuthorization: true,
    151. 

  151. 			omitAuthorization:    false,
    152. 

  152. 			doTunneledWebRequest: true,
    153. 

  153. 			doTunneledNTPRequest: true,
    154. 

  154. 			forceFragmenting:     false,
    155. 

  155. 			forceLivenessTest:    false,
    156. 

  156. 			doPruneServerEntries: false,
    157. 

  157. 			doDanglingTCPConn:    true,
    158. 

  158. 			doPacketManipulation: false,
    159. 

  159. 			doBurstMonitor:       false,
    160. 

  160. 			doSplitTunnel:        false,
    161. 

  161. 			limitQUICVersions:    false,
    162. 

  162. 		})
    163. 

  163. }
    164. 

  164. 

  165. func TestFragmentedOSSH(t *testing.T) {
    166. 

  166. 	runServer(t,
    167. 

  167. 		&runServerConfig{
    168. 

  168. 			tunnelProtocol:       "OSSH",
    169. 

  169. 			enableSSHAPIRequests: true,
    170. 

  170. 			doHotReload:          false,
    171. 

  171. 			doDefaultSponsorID:   false,
    172. 

  172. 			denyTrafficRules:     false,
    173. 

  173. 			requireAuthorization: true,
    174. 

  174. 			omitAuthorization:    false,
    175. 

  175. 			doTunneledWebRequest: true,
    176. 

  176. 			doTunneledNTPRequest: true,
    177. 

  177. 			forceFragmenting:     true,
    178. 

  178. 			forceLivenessTest:    false,
    179. 

  179. 			doPruneServerEntries: false,
    180. 

  180. 			doDanglingTCPConn:    true,
    181. 

  181. 			doPacketManipulation: false,
    182. 

  182. 			doBurstMonitor:       false,
    183. 

  183. 			doSplitTunnel:        false,
    184. 

  184. 			limitQUICVersions:    false,
    185. 

  185. 		})
    186. 

  186. }
    187. 

  187. 

  188. func TestUnfrontedMeek(t *testing.T) {
    189. 

  189. 	runServer(t,
    190. 

  190. 		&runServerConfig{
    191. 

  191. 			tunnelProtocol:       "UNFRONTED-MEEK-OSSH",
    192. 

  192. 			enableSSHAPIRequests: true,
    193. 

  193. 			doHotReload:          false,
    194. 

  194. 			doDefaultSponsorID:   false,
    195. 

  195. 			denyTrafficRules:     false,
    196. 

  196. 			requireAuthorization: true,
    197. 

  197. 			omitAuthorization:    false,
    198. 

  198. 			doTunneledWebRequest: true,
    199. 

  199. 			doTunneledNTPRequest: true,
    200. 

  200. 			forceFragmenting:     false,
    201. 

  201. 			forceLivenessTest:    false,
    202. 

  202. 			doPruneServerEntries: false,
    203. 

  203. 			doDanglingTCPConn:    true,
    204. 

  204. 			doPacketManipulation: false,
    205. 

  205. 			doBurstMonitor:       false,
    206. 

  206. 			doSplitTunnel:        false,
    207. 

  207. 			limitQUICVersions:    false,
    208. 

  208. 		})
    209. 

  209. }
    210. 

  210. 

  211. func TestUnfrontedMeekHTTPS(t *testing.T) {
    212. 

  212. 	runServer(t,
    213. 

  213. 		&runServerConfig{
    214. 

  214. 			tunnelProtocol:       "UNFRONTED-MEEK-HTTPS-OSSH",
    215. 

  215. 			tlsProfile:           protocol.TLS_PROFILE_RANDOMIZED,
    216. 

  216. 			enableSSHAPIRequests: true,
    217. 

  217. 			doHotReload:          false,
    218. 

  218. 			doDefaultSponsorID:   false,
    219. 

  219. 			denyTrafficRules:     false,
    220. 

  220. 			requireAuthorization: true,
    221. 

  221. 			omitAuthorization:    false,
    222. 

  222. 			doTunneledWebRequest: true,
    223. 

  223. 			doTunneledNTPRequest: true,
    224. 

  224. 			forceFragmenting:     false,
    225. 

  225. 			forceLivenessTest:    false,
    226. 

  226. 			doPruneServerEntries: false,
    227. 

  227. 			doDanglingTCPConn:    true,
    228. 

  228. 			doPacketManipulation: false,
    229. 

  229. 			doBurstMonitor:       false,
    230. 

  230. 			doSplitTunnel:        false,
    231. 

  231. 			limitQUICVersions:    false,
    232. 

  232. 		})
    233. 

  233. }
    234. 

  234. 

  235. func TestUnfrontedMeekHTTPSTLS13(t *testing.T) {
    236. 

  236. 	runServer(t,
    237. 

  237. 		&runServerConfig{
    238. 

  238. 			tunnelProtocol:       "UNFRONTED-MEEK-HTTPS-OSSH",
    239. 

  239. 			tlsProfile:           protocol.TLS_PROFILE_CHROME_70,
    240. 

  240. 			enableSSHAPIRequests: true,
    241. 

  241. 			doHotReload:          false,
    242. 

  242. 			doDefaultSponsorID:   false,
    243. 

  243. 			denyTrafficRules:     false,
    244. 

  244. 			requireAuthorization: true,
    245. 

  245. 			omitAuthorization:    false,
    246. 

  246. 			doTunneledWebRequest: true,
    247. 

  247. 			doTunneledNTPRequest: true,
    248. 

  248. 			forceFragmenting:     false,
    249. 

  249. 			forceLivenessTest:    false,
    250. 

  250. 			doPruneServerEntries: false,
    251. 

  251. 			doDanglingTCPConn:    true,
    252. 

  252. 			doPacketManipulation: false,
    253. 

  253. 			doBurstMonitor:       false,
    254. 

  254. 			doSplitTunnel:        false,
    255. 

  255. 			limitQUICVersions:    false,
    256. 

  256. 		})
    257. 

  257. }
    258. 

  258. 

  259. func TestUnfrontedMeekSessionTicket(t *testing.T) {
    260. 

  260. 	runServer(t,
    261. 

  261. 		&runServerConfig{
    262. 

  262. 			tunnelProtocol:       "UNFRONTED-MEEK-SESSION-TICKET-OSSH",
    263. 

  263. 			tlsProfile:           protocol.TLS_PROFILE_CHROME_58,
    264. 

  264. 			enableSSHAPIRequests: true,
    265. 

  265. 			doHotReload:          false,
    266. 

  266. 			doDefaultSponsorID:   false,
    267. 

  267. 			denyTrafficRules:     false,
    268. 

  268. 			requireAuthorization: true,
    269. 

  269. 			omitAuthorization:    false,
    270. 

  270. 			doTunneledWebRequest: true,
    271. 

  271. 			doTunneledNTPRequest: true,
    272. 

  272. 			forceFragmenting:     false,
    273. 

  273. 			forceLivenessTest:    false,
    274. 

  274. 			doPruneServerEntries: false,
    275. 

  275. 			doDanglingTCPConn:    true,
    276. 

  276. 			doPacketManipulation: false,
    277. 

  277. 			doBurstMonitor:       false,
    278. 

  278. 			doSplitTunnel:        false,
    279. 

  279. 			limitQUICVersions:    false,
    280. 

  280. 		})
    281. 

  281. }
    282. 

  282. 

  283. func TestUnfrontedMeekSessionTicketTLS13(t *testing.T) {
    284. 

  284. 	runServer(t,
    285. 

  285. 		&runServerConfig{
    286. 

  286. 			tunnelProtocol:       "UNFRONTED-MEEK-SESSION-TICKET-OSSH",
    287. 

  287. 			tlsProfile:           protocol.TLS_PROFILE_CHROME_70,
    288. 

  288. 			enableSSHAPIRequests: true,
    289. 

  289. 			doHotReload:          false,
    290. 

  290. 			doDefaultSponsorID:   false,
    291. 

  291. 			denyTrafficRules:     false,
    292. 

  292. 			requireAuthorization: true,
    293. 

  293. 			omitAuthorization:    false,
    294. 

  294. 			doTunneledWebRequest: true,
    295. 

  295. 			doTunneledNTPRequest: true,
    296. 

  296. 			forceFragmenting:     false,
    297. 

  297. 			forceLivenessTest:    false,
    298. 

  298. 			doPruneServerEntries: false,
    299. 

  299. 			doDanglingTCPConn:    true,
    300. 

  300. 			doPacketManipulation: false,
    301. 

  301. 			doBurstMonitor:       false,
    302. 

  302. 			doSplitTunnel:        false,
    303. 

  303. 			limitQUICVersions:    false,
    304. 

  304. 		})
    305. 

  305. }
    306. 

  306. 

  307. func TestQUICOSSH(t *testing.T) {
    308. 

  308. 	if !quic.Enabled() {
    309. 

  309. 		t.Skip("QUIC is not enabled")
    310. 

  310. 	}
    311. 

  311. 	runServer(t,
    312. 

  312. 		&runServerConfig{
    313. 

  313. 			tunnelProtocol:       "QUIC-OSSH",
    314. 

  314. 			enableSSHAPIRequests: true,
    315. 

  315. 			doHotReload:          false,
    316. 

  316. 			doDefaultSponsorID:   false,
    317. 

  317. 			denyTrafficRules:     false,
    318. 

  318. 			requireAuthorization: true,
    319. 

  319. 			omitAuthorization:    false,
    320. 

  320. 			doTunneledWebRequest: true,
    321. 

  321. 			doTunneledNTPRequest: true,
    322. 

  322. 			forceFragmenting:     false,
    323. 

  323. 			forceLivenessTest:    false,
    324. 

  324. 			doPruneServerEntries: false,
    325. 

  325. 			doDanglingTCPConn:    false,
    326. 

  326. 			doPacketManipulation: false,
    327. 

  327. 			doBurstMonitor:       false,
    328. 

  328. 			doSplitTunnel:        false,
    329. 

  329. 			limitQUICVersions:    false,
    330. 

  330. 		})
    331. 

  331. }
    332. 

  332. 

  333. func TestLimitedQUICOSSH(t *testing.T) {
    334. 

  334. 	if !quic.Enabled() {
    335. 

  335. 		t.Skip("QUIC is not enabled")
    336. 

  336. 	}
    337. 

  337. 	runServer(t,
    338. 

  338. 		&runServerConfig{
    339. 

  339. 			tunnelProtocol:       "QUIC-OSSH",
    340. 

  340. 			enableSSHAPIRequests: true,
    341. 

  341. 			doHotReload:          false,
    342. 

  342. 			doDefaultSponsorID:   false,
    343. 

  343. 			denyTrafficRules:     false,
    344. 

  344. 			requireAuthorization: true,
    345. 

  345. 			omitAuthorization:    false,
    346. 

  346. 			doTunneledWebRequest: true,
    347. 

  347. 			doTunneledNTPRequest: true,
    348. 

  348. 			forceFragmenting:     false,
    349. 

  349. 			forceLivenessTest:    false,
    350. 

  350. 			doPruneServerEntries: false,
    351. 

  351. 			doDanglingTCPConn:    false,
    352. 

  352. 			doPacketManipulation: false,
    353. 

  353. 			doBurstMonitor:       false,
    354. 

  354. 			doSplitTunnel:        false,
    355. 

  355. 			limitQUICVersions:    true,
    356. 

  356. 		})
    357. 

  357. }
    358. 

  358. 

  359. func TestWebTransportAPIRequests(t *testing.T) {
    360. 

  360. 	runServer(t,
    361. 

  361. 		&runServerConfig{
    362. 

  362. 			tunnelProtocol:       "OSSH",
    363. 

  363. 			enableSSHAPIRequests: false,
    364. 

  364. 			doHotReload:          false,
    365. 

  365. 			doDefaultSponsorID:   false,
    366. 

  366. 			denyTrafficRules:     false,
    367. 

  367. 			requireAuthorization: false,
    368. 

  368. 			omitAuthorization:    true,
    369. 

  369. 			doTunneledWebRequest: true,
    370. 

  370. 			doTunneledNTPRequest: true,
    371. 

  371. 			forceFragmenting:     false,
    372. 

  372. 			forceLivenessTest:    false,
    373. 

  373. 			doPruneServerEntries: false,
    374. 

  374. 			doDanglingTCPConn:    false,
    375. 

  375. 			doPacketManipulation: false,
    376. 

  376. 			doBurstMonitor:       false,
    377. 

  377. 			doSplitTunnel:        false,
    378. 

  378. 			limitQUICVersions:    false,
    379. 

  379. 		})
    380. 

  380. }
    381. 

  381. 

  382. func TestHotReload(t *testing.T) {
    383. 

  383. 	runServer(t,
    384. 

  384. 		&runServerConfig{
    385. 

  385. 			tunnelProtocol:       "OSSH",
    386. 

  386. 			enableSSHAPIRequests: true,
    387. 

  387. 			doHotReload:          true,
    388. 

  388. 			doDefaultSponsorID:   false,
    389. 

  389. 			denyTrafficRules:     false,
    390. 

  390. 			requireAuthorization: true,
    391. 

  391. 			omitAuthorization:    false,
    392. 

  392. 			doTunneledWebRequest: true,
    393. 

  393. 			doTunneledNTPRequest: true,
    394. 

  394. 			forceFragmenting:     false,
    395. 

  395. 			forceLivenessTest:    false,
    396. 

  396. 			doPruneServerEntries: false,
    397. 

  397. 			doDanglingTCPConn:    false,
    398. 

  398. 			doPacketManipulation: false,
    399. 

  399. 			doBurstMonitor:       false,
    400. 

  400. 			doSplitTunnel:        false,
    401. 

  401. 			limitQUICVersions:    false,
    402. 

  402. 		})
    403. 

  403. }
    404. 

  404. 

  405. func TestDefaultSponsorID(t *testing.T) {
    406. 

  406. 	runServer(t,
    407. 

  407. 		&runServerConfig{
    408. 

  408. 			tunnelProtocol:       "OSSH",
    409. 

  409. 			enableSSHAPIRequests: true,
    410. 

  410. 			doHotReload:          true,
    411. 

  411. 			doDefaultSponsorID:   true,
    412. 

  412. 			denyTrafficRules:     false,
    413. 

  413. 			requireAuthorization: true,
    414. 

  414. 			omitAuthorization:    false,
    415. 

  415. 			doTunneledWebRequest: true,
    416. 

  416. 			doTunneledNTPRequest: true,
    417. 

  417. 			forceFragmenting:     false,
    418. 

  418. 			forceLivenessTest:    false,
    419. 

  419. 			doPruneServerEntries: false,
    420. 

  420. 			doDanglingTCPConn:    false,
    421. 

  421. 			doPacketManipulation: false,
    422. 

  422. 			doBurstMonitor:       false,
    423. 

  423. 			doSplitTunnel:        false,
    424. 

  424. 			limitQUICVersions:    false,
    425. 

  425. 		})
    426. 

  426. }
    427. 

  427. 

  428. func TestDenyTrafficRules(t *testing.T) {
    429. 

  429. 	runServer(t,
    430. 

  430. 		&runServerConfig{
    431. 

  431. 			tunnelProtocol:       "OSSH",
    432. 

  432. 			enableSSHAPIRequests: true,
    433. 

  433. 			doHotReload:          true,
    434. 

  434. 			doDefaultSponsorID:   false,
    435. 

  435. 			denyTrafficRules:     true,
    436. 

  436. 			requireAuthorization: true,
    437. 

  437. 			omitAuthorization:    false,
    438. 

  438. 			doTunneledWebRequest: true,
    439. 

  439. 			doTunneledNTPRequest: true,
    440. 

  440. 			forceFragmenting:     false,
    441. 

  441. 			forceLivenessTest:    false,
    442. 

  442. 			doPruneServerEntries: false,
    443. 

  443. 			doDanglingTCPConn:    false,
    444. 

  444. 			doPacketManipulation: false,
    445. 

  445. 			doBurstMonitor:       false,
    446. 

  446. 			doSplitTunnel:        false,
    447. 

  447. 			limitQUICVersions:    false,
    448. 

  448. 		})
    449. 

  449. }
    450. 

  450. 

  451. func TestOmitAuthorization(t *testing.T) {
    452. 

  452. 	runServer(t,
    453. 

  453. 		&runServerConfig{
    454. 

  454. 			tunnelProtocol:       "OSSH",
    455. 

  455. 			enableSSHAPIRequests: true,
    456. 

  456. 			doHotReload:          true,
    457. 

  457. 			doDefaultSponsorID:   false,
    458. 

  458. 			denyTrafficRules:     false,
    459. 

  459. 			requireAuthorization: true,
    460. 

  460. 			omitAuthorization:    true,
    461. 

  461. 			doTunneledWebRequest: true,
    462. 

  462. 			doTunneledNTPRequest: true,
    463. 

  463. 			forceFragmenting:     false,
    464. 

  464. 			forceLivenessTest:    false,
    465. 

  465. 			doPruneServerEntries: false,
    466. 

  466. 			doDanglingTCPConn:    false,
    467. 

  467. 			doPacketManipulation: false,
    468. 

  468. 			doBurstMonitor:       false,
    469. 

  469. 			doSplitTunnel:        false,
    470. 

  470. 			limitQUICVersions:    false,
    471. 

  471. 		})
    472. 

  472. }
    473. 

  473. 

  474. func TestNoAuthorization(t *testing.T) {
    475. 

  475. 	runServer(t,
    476. 

  476. 		&runServerConfig{
    477. 

  477. 			tunnelProtocol:       "OSSH",
    478. 

  478. 			enableSSHAPIRequests: true,
    479. 

  479. 			doHotReload:          true,
    480. 

  480. 			doDefaultSponsorID:   false,
    481. 

  481. 			denyTrafficRules:     false,
    482. 

  482. 			requireAuthorization: false,
    483. 

  483. 			omitAuthorization:    true,
    484. 

  484. 			doTunneledWebRequest: true,
    485. 

  485. 			doTunneledNTPRequest: true,
    486. 

  486. 			forceFragmenting:     false,
    487. 

  487. 			forceLivenessTest:    false,
    488. 

  488. 			doPruneServerEntries: false,
    489. 

  489. 			doDanglingTCPConn:    false,
    490. 

  490. 			doPacketManipulation: false,
    491. 

  491. 			doBurstMonitor:       false,
    492. 

  492. 			doSplitTunnel:        false,
    493. 

  493. 			limitQUICVersions:    false,
    494. 

  494. 		})
    495. 

  495. }
    496. 

  496. 

  497. func TestUnusedAuthorization(t *testing.T) {
    498. 

  498. 	runServer(t,
    499. 

  499. 		&runServerConfig{
    500. 

  500. 			tunnelProtocol:       "OSSH",
    501. 

  501. 			enableSSHAPIRequests: true,
    502. 

  502. 			doHotReload:          true,
    503. 

  503. 			doDefaultSponsorID:   false,
    504. 

  504. 			denyTrafficRules:     false,
    505. 

  505. 			requireAuthorization: false,
    506. 

  506. 			omitAuthorization:    false,
    507. 

  507. 			doTunneledWebRequest: true,
    508. 

  508. 			doTunneledNTPRequest: true,
    509. 

  509. 			forceFragmenting:     false,
    510. 

  510. 			forceLivenessTest:    false,
    511. 

  511. 			doPruneServerEntries: false,
    512. 

  512. 			doDanglingTCPConn:    false,
    513. 

  513. 			doPacketManipulation: false,
    514. 

  514. 			doBurstMonitor:       false,
    515. 

  515. 			doSplitTunnel:        false,
    516. 

  516. 			limitQUICVersions:    false,
    517. 

  517. 		})
    518. 

  518. }
    519. 

  519. 

  520. func TestTCPOnlySLOK(t *testing.T) {
    521. 

  521. 	runServer(t,
    522. 

  522. 		&runServerConfig{
    523. 

  523. 			tunnelProtocol:       "OSSH",
    524. 

  524. 			enableSSHAPIRequests: true,
    525. 

  525. 			doHotReload:          false,
    526. 

  526. 			doDefaultSponsorID:   false,
    527. 

  527. 			denyTrafficRules:     false,
    528. 

  528. 			requireAuthorization: true,
    529. 

  529. 			omitAuthorization:    false,
    530. 

  530. 			doTunneledWebRequest: true,
    531. 

  531. 			doTunneledNTPRequest: false,
    532. 

  532. 			forceFragmenting:     false,
    533. 

  533. 			forceLivenessTest:    false,
    534. 

  534. 			doPruneServerEntries: false,
    535. 

  535. 			doDanglingTCPConn:    false,
    536. 

  536. 			doPacketManipulation: false,
    537. 

  537. 			doBurstMonitor:       false,
    538. 

  538. 			doSplitTunnel:        false,
    539. 

  539. 			limitQUICVersions:    false,
    540. 

  540. 		})
    541. 

  541. }
    542. 

  542. 

  543. func TestUDPOnlySLOK(t *testing.T) {
    544. 

  544. 	runServer(t,
    545. 

  545. 		&runServerConfig{
    546. 

  546. 			tunnelProtocol:       "OSSH",
    547. 

  547. 			enableSSHAPIRequests: true,
    548. 

  548. 			doHotReload:          false,
    549. 

  549. 			doDefaultSponsorID:   false,
    550. 

  550. 			denyTrafficRules:     false,
    551. 

  551. 			requireAuthorization: true,
    552. 

  552. 			omitAuthorization:    false,
    553. 

  553. 			doTunneledWebRequest: false,
    554. 

  554. 			doTunneledNTPRequest: true,
    555. 

  555. 			forceFragmenting:     false,
    556. 

  556. 			forceLivenessTest:    false,
    557. 

  557. 			doPruneServerEntries: false,
    558. 

  558. 			doDanglingTCPConn:    false,
    559. 

  559. 			doPacketManipulation: false,
    560. 

  560. 			doBurstMonitor:       false,
    561. 

  561. 			doSplitTunnel:        false,
    562. 

  562. 			limitQUICVersions:    false,
    563. 

  563. 		})
    564. 

  564. }
    565. 

  565. 

  566. func TestLivenessTest(t *testing.T) {
    567. 

  567. 	runServer(t,
    568. 

  568. 		&runServerConfig{
    569. 

  569. 			tunnelProtocol:       "OSSH",
    570. 

  570. 			enableSSHAPIRequests: true,
    571. 

  571. 			doHotReload:          false,
    572. 

  572. 			doDefaultSponsorID:   false,
    573. 

  573. 			denyTrafficRules:     false,
    574. 

  574. 			requireAuthorization: true,
    575. 

  575. 			omitAuthorization:    false,
    576. 

  576. 			doTunneledWebRequest: true,
    577. 

  577. 			doTunneledNTPRequest: true,
    578. 

  578. 			forceFragmenting:     false,
    579. 

  579. 			forceLivenessTest:    true,
    580. 

  580. 			doPruneServerEntries: false,
    581. 

  581. 			doDanglingTCPConn:    false,
    582. 

  582. 			doPacketManipulation: false,
    583. 

  583. 			doBurstMonitor:       false,
    584. 

  584. 			doSplitTunnel:        false,
    585. 

  585. 			limitQUICVersions:    false,
    586. 

  586. 		})
    587. 

  587. }
    588. 

  588. 

  589. func TestPruneServerEntries(t *testing.T) {
    590. 

  590. 	runServer(t,
    591. 

  591. 		&runServerConfig{
    592. 

  592. 			tunnelProtocol:       "OSSH",
    593. 

  593. 			enableSSHAPIRequests: true,
    594. 

  594. 			doHotReload:          false,
    595. 

  595. 			doDefaultSponsorID:   false,
    596. 

  596. 			denyTrafficRules:     false,
    597. 

  597. 			requireAuthorization: true,
    598. 

  598. 			omitAuthorization:    false,
    599. 

  599. 			doTunneledWebRequest: true,
    600. 

  600. 			doTunneledNTPRequest: true,
    601. 

  601. 			forceFragmenting:     false,
    602. 

  602. 			forceLivenessTest:    true,
    603. 

  603. 			doPruneServerEntries: true,
    604. 

  604. 			doDanglingTCPConn:    false,
    605. 

  605. 			doPacketManipulation: false,
    606. 

  606. 			doBurstMonitor:       false,
    607. 

  607. 			doSplitTunnel:        false,
    608. 

  608. 			limitQUICVersions:    false,
    609. 

  609. 		})
    610. 

  610. }
    611. 

  611. 

  612. func TestBurstMonitor(t *testing.T) {
    613. 

  613. 	runServer(t,
    614. 

  614. 		&runServerConfig{
    615. 

  615. 			tunnelProtocol:       "OSSH",
    616. 

  616. 			enableSSHAPIRequests: true,
    617. 

  617. 			doHotReload:          false,
    618. 

  618. 			doDefaultSponsorID:   false,
    619. 

  619. 			denyTrafficRules:     false,
    620. 

  620. 			requireAuthorization: true,
    621. 

  621. 			omitAuthorization:    false,
    622. 

  622. 			doTunneledWebRequest: true,
    623. 

  623. 			doTunneledNTPRequest: true,
    624. 

  624. 			forceFragmenting:     false,
    625. 

  625. 			forceLivenessTest:    false,
    626. 

  626. 			doPruneServerEntries: false,
    627. 

  627. 			doDanglingTCPConn:    true,
    628. 

  628. 			doPacketManipulation: false,
    629. 

  629. 			doBurstMonitor:       true,
    630. 

  630. 			doSplitTunnel:        false,
    631. 

  631. 			limitQUICVersions:    false,
    632. 

  632. 		})
    633. 

  633. }
    634. 

  634. 

  635. func TestSplitTunnel(t *testing.T) {
    636. 

  636. 	runServer(t,
    637. 

  637. 		&runServerConfig{
    638. 

  638. 			tunnelProtocol:       "OSSH",
    639. 

  639. 			enableSSHAPIRequests: true,
    640. 

  640. 			doHotReload:          false,
    641. 

  641. 			doDefaultSponsorID:   false,
    642. 

  642. 			denyTrafficRules:     false,
    643. 

  643. 			requireAuthorization: true,
    644. 

  644. 			omitAuthorization:    false,
    645. 

  645. 			doTunneledWebRequest: true,
    646. 

  646. 			doTunneledNTPRequest: true,
    647. 

  647. 			forceFragmenting:     false,
    648. 

  648. 			forceLivenessTest:    false,
    649. 

  649. 			doPruneServerEntries: false,
    650. 

  650. 			doDanglingTCPConn:    true,
    651. 

  651. 			doPacketManipulation: false,
    652. 

  652. 			doBurstMonitor:       false,
    653. 

  653. 			doSplitTunnel:        true,
    654. 

  654. 			limitQUICVersions:    false,
    655. 

  655. 		})
    656. 

  656. }
    657. 

  657. 

  658. type runServerConfig struct {
    659. 

  659. 	tunnelProtocol       string
    660. 

  660. 	tlsProfile           string
    661. 

  661. 	enableSSHAPIRequests bool
    662. 

  662. 	doHotReload          bool
    663. 

  663. 	doDefaultSponsorID   bool
    664. 

  664. 	denyTrafficRules     bool
    665. 

  665. 	requireAuthorization bool
    666. 

  666. 	omitAuthorization    bool
    667. 

  667. 	doTunneledWebRequest bool
    668. 

  668. 	doTunneledNTPRequest bool
    669. 

  669. 	forceFragmenting     bool
    670. 

  670. 	forceLivenessTest    bool
    671. 

  671. 	doPruneServerEntries bool
    672. 

  672. 	doDanglingTCPConn    bool
    673. 

  673. 	doPacketManipulation bool
    674. 

  674. 	doBurstMonitor       bool
    675. 

  675. 	doSplitTunnel        bool
    676. 

  676. 	limitQUICVersions    bool
    677. 

  677. }
    678. 

  678. 

  679. var (
    680. 

  680. 	testSSHClientVersions                = []string{"SSH-2.0-A", "SSH-2.0-B", "SSH-2.0-C"}
    681. 

  681. 	testUserAgents                       = []string{"ua1", "ua2", "ua3"}
    682. 

  682. 	testNetworkType                      = "WIFI"
    683. 

  683. 	testCustomHostNameRegex              = `[a-z0-9]{5,10}\.example\.org`
    684. 

  684. 	testClientFeatures                   = []string{"feature 1", "feature 2"}
    685. 

  685. 	testDisallowedTrafficAlertActionURLs = []string{"https://example.org/disallowed"}
    686. 

  686. )
    687. 

  687. 

  688. var serverRuns = 0
    689. 

  689. 

  690. func runServer(t *testing.T, runConfig *runServerConfig) {
    691. 

  691. 

  692. 	serverRuns += 1
    693. 

  693. 

  694. 	// configure authorized access
    695. 

  695. 

  696. 	accessType := "test-access-type"
    697. 

  697. 

  698. 	accessControlSigningKey, accessControlVerificationKey, err := accesscontrol.NewKeyPair(accessType)
    699. 

  699. 	if err != nil {
    700. 

  700. 		t.Fatalf("error creating access control key pair: %s", err)
    701. 

  701. 	}
    702. 

  702. 

  703. 	accessControlVerificationKeyRing := accesscontrol.VerificationKeyRing{
    704. 

  704. 		Keys: []*accesscontrol.VerificationKey{accessControlVerificationKey},
    705. 

  705. 	}
    706. 

  706. 

  707. 	var seedAuthorizationID [32]byte
    708. 

  708. 

  709. 	clientAuthorization, authorizationID, err := accesscontrol.IssueAuthorization(
    710. 

  710. 		accessControlSigningKey,
    711. 

  711. 		seedAuthorizationID[:],
    712. 

  712. 		time.Now().Add(1*time.Hour))
    713. 

  713. 	if err != nil {
    714. 

  714. 		t.Fatalf("error issuing authorization: %s", err)
    715. 

  715. 	}
    716. 

  716. 

  717. 	authorizationIDStr := base64.StdEncoding.EncodeToString(authorizationID)
    718. 

  718. 

  719. 	// Enable tactics when the test protocol is meek. Both the client and the
    720. 

  720. 	// server will be configured to support tactics. The client config will be
    721. 

  721. 	// set with a nonfunctional config so that the tactics request must
    722. 

  722. 	// succeed, overriding the nonfunctional values, for the tunnel to
    723. 

  723. 	// establish.
    724. 

  724. 

  725. 	doClientTactics := protocol.TunnelProtocolUsesMeek(runConfig.tunnelProtocol)
    726. 

  726. 	doServerTactics := doClientTactics || runConfig.forceFragmenting || runConfig.doBurstMonitor
    727. 

  727. 

  728. 	// All servers require a tactics config with valid keys.
    729. 

  729. 	tacticsRequestPublicKey, tacticsRequestPrivateKey, tacticsRequestObfuscatedKey, err :=
    730. 

  730. 		tactics.GenerateKeys()
    731. 

  731. 	if err != nil {
    732. 

  732. 		t.Fatalf("error generating tactics keys: %s", err)
    733. 

  733. 	}
    734. 

  734. 

  735. 	livenessTestSize := 0
    736. 

  736. 	if doClientTactics || runConfig.forceLivenessTest {
    737. 

  737. 		livenessTestSize = 1048576
    738. 

  738. 	}
    739. 

  739. 

  740. 	// create a server
    741. 

  741. 

  742. 	psiphonServerIPAddress := serverIPAddress
    743. 

  743. 	if protocol.TunnelProtocolUsesQUIC(runConfig.tunnelProtocol) {
    744. 

  744. 		// Workaround for macOS firewall.
    745. 

  745. 		psiphonServerIPAddress = "127.0.0.1"
    746. 

  746. 	}
    747. 

  747. 	psiphonServerPort := 4000
    748. 

  748. 

  749. 	var limitQUICVersions protocol.QUICVersions
    750. 

  750. 	if runConfig.limitQUICVersions {
    751. 

  751. 		selectedQUICVersion := protocol.SupportedQUICVersions[prng.Intn(
    752. 

  752. 			len(protocol.SupportedQUICVersions))]
    753. 

  753. 		limitQUICVersions = protocol.QUICVersions{selectedQUICVersion}
    754. 

  754. 	}
    755. 

  755. 

  756. 	generateConfigParams := &GenerateConfigParams{
    757. 

  757. 		ServerIPAddress:      psiphonServerIPAddress,
    758. 

  758. 		EnableSSHAPIRequests: runConfig.enableSSHAPIRequests,
    759. 

  759. 		WebServerPort:        8000,
    760. 

  760. 		TunnelProtocolPorts:  map[string]int{runConfig.tunnelProtocol: psiphonServerPort},
    761. 

  761. 		LimitQUICVersions:    limitQUICVersions,
    762. 

  762. 	}
    763. 

  763. 

  764. 	if doServerTactics {
    765. 

  765. 		generateConfigParams.TacticsRequestPublicKey = tacticsRequestPublicKey
    766. 

  766. 		generateConfigParams.TacticsRequestObfuscatedKey = tacticsRequestObfuscatedKey
    767. 

  767. 	}
    768. 

  768. 

  769. 	serverConfigJSON, _, _, _, encodedServerEntry, err := GenerateConfig(generateConfigParams)
    770. 

  770. 	if err != nil {
    771. 

  771. 		t.Fatalf("error generating server config: %s", err)
    772. 

  772. 	}
    773. 

  773. 

  774. 	// customize server config
    775. 

  775. 

  776. 	// Initialize prune server entry test cases and associated data to pave into psinet.
    777. 

  777. 	pruneServerEntryTestCases, psinetValidServerEntryTags, expectedNumPruneNotices :=
    778. 

  778. 		initializePruneServerEntriesTest(t, runConfig)
    779. 

  779. 

  780. 	// Pave psinet with random values to test handshake homepages.
    781. 

  781. 	psinetFilename := filepath.Join(testDataDirName, "psinet.json")
    782. 

  782. 	sponsorID, expectedHomepageURL := pavePsinetDatabaseFile(
    783. 

  783. 		t, runConfig.doDefaultSponsorID, psinetFilename, psinetValidServerEntryTags)
    784. 

  784. 

  785. 	// Pave OSL config for SLOK testing
    786. 

  786. 	oslConfigFilename := filepath.Join(testDataDirName, "osl_config.json")
    787. 

  787. 	propagationChannelID := paveOSLConfigFile(t, oslConfigFilename)
    788. 

  788. 

  789. 	// Pave traffic rules file which exercises handshake parameter filtering. Client
    790. 

  790. 	// must handshake with specified sponsor ID in order to allow ports for tunneled
    791. 

  791. 	// requests.
    792. 

  792. 	trafficRulesFilename := filepath.Join(testDataDirName, "traffic_rules.json")
    793. 

  793. 	paveTrafficRulesFile(
    794. 

  794. 		t,
    795. 

  795. 		trafficRulesFilename,
    796. 

  796. 		propagationChannelID,
    797. 

  797. 		accessType,
    798. 

  798. 		authorizationIDStr,
    799. 

  799. 		runConfig.requireAuthorization,
    800. 

  800. 		runConfig.denyTrafficRules,
    801. 

  801. 		livenessTestSize)
    802. 

  802. 

  803. 	var tacticsConfigFilename string
    804. 

  804. 

  805. 	// Only pave the tactics config when tactics are required. This exercises the
    806. 

  806. 	// case where the tactics config is omitted.
    807. 

  807. 	if doServerTactics {
    808. 

  808. 		tacticsConfigFilename = filepath.Join(testDataDirName, "tactics_config.json")
    809. 

  809. 		paveTacticsConfigFile(
    810. 

  810. 			t,
    811. 

  811. 			tacticsConfigFilename,
    812. 

  812. 			tacticsRequestPublicKey,
    813. 

  813. 			tacticsRequestPrivateKey,
    814. 

  814. 			tacticsRequestObfuscatedKey,
    815. 

  815. 			runConfig.tunnelProtocol,
    816. 

  816. 			propagationChannelID,
    817. 

  817. 			livenessTestSize,
    818. 

  818. 			runConfig.doBurstMonitor)
    819. 

  819. 	}
    820. 

  820. 

  821. 	blocklistFilename := filepath.Join(testDataDirName, "blocklist.csv")
    822. 

  822. 	paveBlocklistFile(t, blocklistFilename)
    823. 

  823. 

  824. 	var serverConfig map[string]interface{}
    825. 

  825. 	json.Unmarshal(serverConfigJSON, &serverConfig)
    826. 

  826. 

  827. 	// The test GeoIP database maps all IPs to a single, non-"None" country. When
    828. 

  828. 	// split tunnel mode is enabled, this should cause port forwards to be
    829. 

  829. 	// untunneled. When split tunnel mode is not enabled, port forwards should be
    830. 

  830. 	// tunneled despite the country match.
    831. 

  831. 	geoIPDatabaseFilename := filepath.Join(testDataDirName, "geoip_database.mmbd")
    832. 

  832. 	paveGeoIPDatabaseFile(t, geoIPDatabaseFilename)
    833. 

  833. 	serverConfig["GeoIPDatabaseFilenames"] = []string{geoIPDatabaseFilename}
    834. 

  834. 

  835. 	serverConfig["PsinetDatabaseFilename"] = psinetFilename
    836. 

  836. 	serverConfig["TrafficRulesFilename"] = trafficRulesFilename
    837. 

  837. 	serverConfig["OSLConfigFilename"] = oslConfigFilename
    838. 

  838. 	if doServerTactics {
    839. 

  839. 		serverConfig["TacticsConfigFilename"] = tacticsConfigFilename
    840. 

  840. 	}
    841. 

  841. 	serverConfig["BlocklistFilename"] = blocklistFilename
    842. 

  842. 

  843. 	serverConfig["LogFilename"] = filepath.Join(testDataDirName, "psiphond.log")
    844. 

  844. 	serverConfig["LogLevel"] = "debug"
    845. 

  845. 

  846. 	serverConfig["AccessControlVerificationKeyRing"] = accessControlVerificationKeyRing
    847. 

  847. 

  848. 	// Set this parameter so at least the semaphore functions are called.
    849. 

  849. 	// TODO: test that the concurrency limit is correctly enforced.
    850. 

  850. 	serverConfig["MaxConcurrentSSHHandshakes"] = 1
    851. 

  851. 

  852. 	// Ensure peak failure rate log fields for a single port forward attempt
    853. 

  853. 	serverConfig["PeakUpstreamFailureRateMinimumSampleSize"] = 1
    854. 

  854. 

  855. 	// Exercise this option.
    856. 

  856. 	serverConfig["PeriodicGarbageCollectionSeconds"] = 1
    857. 

  857. 

  858. 	// Allow port forwards to local test web server.
    859. 

  859. 	serverConfig["AllowBogons"] = true
    860. 

  860. 

  861. 	serverConfig["RunPacketManipulator"] = runConfig.doPacketManipulation
    862. 

  862. 

  863. 	if protocol.TunnelProtocolUsesQUIC(runConfig.tunnelProtocol) && quic.GQUICEnabled() {
    864. 

  864. 		// Enable legacy QUIC version support.
    865. 

  865. 		serverConfig["EnableGQUIC"] = true
    866. 

  866. 	}
    867. 

  867. 

  868. 	serverConfigJSON, _ = json.Marshal(serverConfig)
    869. 

  869. 

  870. 	serverTunnelLog := make(chan map[string]interface{}, 1)
    871. 

  871. 	uniqueUserLog := make(chan map[string]interface{}, 1)
    872. 

  872. 

  873. 	setLogCallback(func(log []byte) {
    874. 

  874. 

  875. 		logFields := make(map[string]interface{})
    876. 

  876. 

  877. 		err := json.Unmarshal(log, &logFields)
    878. 

  878. 		if err != nil {
    879. 

  879. 			return
    880. 

  880. 		}
    881. 

  881. 

  882. 		if logFields["event_name"] == nil {
    883. 

  883. 			return
    884. 

  884. 		}
    885. 

  885. 

  886. 		switch logFields["event_name"].(string) {
    887. 

  887. 		case "unique_user":
    888. 

  888. 			select {
    889. 

  889. 			case uniqueUserLog <- logFields:
    890. 

  890. 			default:
    891. 

  891. 			}
    892. 

  892. 		case "server_tunnel":
    893. 

  893. 			select {
    894. 

  894. 			case serverTunnelLog <- logFields:
    895. 

  895. 			default:
    896. 

  896. 			}
    897. 

  897. 		}
    898. 

  898. 	})
    899. 

  899. 

  900. 	// run server
    901. 

  901. 

  902. 	serverWaitGroup := new(sync.WaitGroup)
    903. 

  903. 	serverWaitGroup.Add(1)
    904. 

  904. 	go func() {
    905. 

  905. 		defer serverWaitGroup.Done()
    906. 

  906. 		err := RunServices(serverConfigJSON)
    907. 

  907. 		if err != nil {
    908. 

  908. 			// TODO: wrong goroutine for t.FatalNow()
    909. 

  909. 			t.Errorf("error running server: %s", err)
    910. 

  910. 		}
    911. 

  911. 	}()
    912. 

  912. 

  913. 	stopServer := func() {
    914. 

  914. 

  915. 		// Test: orderly server shutdown
    916. 

  916. 

  917. 		p, _ := os.FindProcess(os.Getpid())
    918. 

  918. 		p.Signal(os.Interrupt)
    919. 

  919. 

  920. 		shutdownTimeout := time.NewTimer(5 * time.Second)
    921. 

  921. 

  922. 		shutdownOk := make(chan struct{}, 1)
    923. 

  923. 		go func() {
    924. 

  924. 			serverWaitGroup.Wait()
    925. 

  925. 			shutdownOk <- struct{}{}
    926. 

  926. 		}()
    927. 

  927. 

  928. 		select {
    929. 

  929. 		case <-shutdownOk:
    930. 

  930. 		case <-shutdownTimeout.C:
    931. 

  931. 			t.Errorf("server shutdown timeout exceeded")
    932. 

  932. 		}
    933. 

  933. 	}
    934. 

  934. 

  935. 	// Stop server on early exits due to failure.
    936. 

  936. 	defer func() {
    937. 

  937. 		if stopServer != nil {
    938. 

  938. 			stopServer()
    939. 

  939. 		}
    940. 

  940. 	}()
    941. 

  941. 

  942. 	// TODO: monitor logs for more robust wait-until-loaded. For example,
    943. 

  943. 	// especially with the race detector on, QUIC-OSSH tests can fail as the
    944. 

  944. 	// client sends its initial packet before the server is ready.
    945. 

  945. 	time.Sleep(1 * time.Second)
    946. 

  946. 

  947. 	// Test: hot reload (of psinet and traffic rules)
    948. 

  948. 

  949. 	if runConfig.doHotReload {
    950. 

  950. 

  951. 		// Pave new config files with different random values.
    952. 

  952. 		sponsorID, expectedHomepageURL = pavePsinetDatabaseFile(
    953. 

  953. 			t, runConfig.doDefaultSponsorID, psinetFilename, psinetValidServerEntryTags)
    954. 

  954. 

  955. 		propagationChannelID = paveOSLConfigFile(t, oslConfigFilename)
    956. 

  956. 

  957. 		paveTrafficRulesFile(
    958. 

  958. 			t,
    959. 

  959. 			trafficRulesFilename,
    960. 

  960. 			propagationChannelID,
    961. 

  961. 			accessType,
    962. 

  962. 			authorizationIDStr,
    963. 

  963. 			runConfig.requireAuthorization,
    964. 

  964. 			runConfig.denyTrafficRules,
    965. 

  965. 			livenessTestSize)
    966. 

  966. 

  967. 		p, _ := os.FindProcess(os.Getpid())
    968. 

  968. 		p.Signal(syscall.SIGUSR1)
    969. 

  969. 

  970. 		// TODO: monitor logs for more robust wait-until-reloaded
    971. 

  971. 		time.Sleep(1 * time.Second)
    972. 

  972. 

  973. 		// After reloading psinet, the new sponsorID/expectedHomepageURL
    974. 

  974. 		// should be active, as tested in the client "Homepage" notice
    975. 

  975. 		// handler below.
    976. 

  976. 	}
    977. 

  977. 

  978. 	// Exercise server_load logging
    979. 

  979. 	p, _ := os.FindProcess(os.Getpid())
    980. 

  980. 	p.Signal(syscall.SIGUSR2)
    981. 

  981. 

  982. 	// configure client
    983. 

  983. 

  984. 	values.SetSSHClientVersionsSpec(values.NewPickOneSpec(testSSHClientVersions))
    985. 

  985. 

  986. 	values.SetUserAgentsSpec(values.NewPickOneSpec(testUserAgents))
    987. 

  987. 

  988. 	// TODO: currently, TargetServerEntry only works with one tunnel
    989. 

  989. 	numTunnels := 1
    990. 

  990. 	localSOCKSProxyPort := 1081
    991. 

  991. 	localHTTPProxyPort := 8081
    992. 

  992. 

  993. 	// Use a distinct suffix for network ID for each test run to ensure tactics
    994. 

  994. 	// from different runs don't apply; this is a workaround for the singleton
    995. 

  995. 	// datastore.
    996. 

  996. 	jsonNetworkID := fmt.Sprintf(`,"NetworkID" : "WIFI-%s"`, time.Now().String())
    997. 

  997. 

  998. 	jsonLimitTLSProfiles := ""
    999. 

  999. 	if runConfig.tlsProfile != "" {
    1000. 

  1000. 		jsonLimitTLSProfiles = fmt.Sprintf(`,"LimitTLSProfiles" : ["%s"]`, runConfig.tlsProfile)
    1001. 

  1001. 	}
    1002. 

  1002. 

  1003. 	testClientFeaturesJSON, _ := json.Marshal(testClientFeatures)
    1004. 

  1004. 

  1005. 	clientConfigJSON := fmt.Sprintf(`
    1006. 

  1006.     {
    1007. 

  1007.         "ClientPlatform" : "Android_10_com.test.app",
    1008. 

  1008.         "ClientVersion" : "0",
    1009. 

  1009.         "ClientFeatures" : %s,
    1010. 

  1010.         "SponsorId" : "0",
    1011. 

  1011.         "PropagationChannelId" : "0",
    1012. 

  1012.         "DeviceRegion" : "US",
    1013. 

  1013.         "DisableRemoteServerListFetcher" : true,
    1014. 

  1014.         "EstablishTunnelPausePeriodSeconds" : 1,
    1015. 

  1015.         "ConnectionWorkerPoolSize" : %d,
    1016. 

  1016.         "LimitTunnelProtocols" : ["%s"]
    1017. 

  1017.         %s
    1018. 

  1018.         %s
    1019. 

  1019.     }`,
    1020. 

  1020. 		string(testClientFeaturesJSON),
    1021. 

  1021. 		numTunnels,
    1022. 

  1022. 		runConfig.tunnelProtocol,
    1023. 

  1023. 		jsonLimitTLSProfiles,
    1024. 

  1024. 		jsonNetworkID)
    1025. 

  1025. 

  1026. 	clientConfig, err := psiphon.LoadConfig([]byte(clientConfigJSON))
    1027. 

  1027. 	if err != nil {
    1028. 

  1028. 		t.Fatalf("error processing configuration file: %s", err)
    1029. 

  1029. 	}
    1030. 

  1030. 

  1031. 	clientConfig.DataRootDirectory = testDataDirName
    1032. 

  1032. 

  1033. 	if !runConfig.doDefaultSponsorID {
    1034. 

  1034. 		clientConfig.SponsorId = sponsorID
    1035. 

  1035. 	}
    1036. 

  1036. 	clientConfig.PropagationChannelId = propagationChannelID
    1037. 

  1037. 	clientConfig.TunnelPoolSize = numTunnels
    1038. 

  1038. 	clientConfig.TargetServerEntry = string(encodedServerEntry)
    1039. 

  1039. 	clientConfig.LocalSocksProxyPort = localSOCKSProxyPort
    1040. 

  1040. 	clientConfig.LocalHttpProxyPort = localHTTPProxyPort
    1041. 

  1041. 	clientConfig.EmitSLOKs = true
    1042. 

  1042. 	clientConfig.EmitServerAlerts = true
    1043. 

  1043. 

  1044. 	if runConfig.doSplitTunnel {
    1045. 

  1045. 		clientConfig.SplitTunnelOwnRegion = true
    1046. 

  1046. 	}
    1047. 

  1047. 

  1048. 	if !runConfig.omitAuthorization {
    1049. 

  1049. 		clientConfig.Authorizations = []string{clientAuthorization}
    1050. 

  1050. 	}
    1051. 

  1051. 

  1052. 	err = clientConfig.Commit(false)
    1053. 

  1053. 	if err != nil {
    1054. 

  1054. 		t.Fatalf("error committing configuration file: %s", err)
    1055. 

  1055. 	}
    1056. 

  1056. 

  1057. 	if doClientTactics {
    1058. 

  1058. 		// Configure nonfunctional values that must be overridden by tactics.
    1059. 

  1059. 

  1060. 		applyParameters := make(map[string]interface{})
    1061. 

  1061. 

  1062. 		applyParameters[parameters.TunnelConnectTimeout] = "1s"
    1063. 

  1063. 		applyParameters[parameters.TunnelRateLimits] = common.RateLimits{WriteBytesPerSecond: 1}
    1064. 

  1064. 

  1065. 		err = clientConfig.SetParameters("", true, applyParameters)
    1066. 

  1066. 		if err != nil {
    1067. 

  1067. 			t.Fatalf("SetParameters failed: %s", err)
    1068. 

  1068. 		}
    1069. 

  1069. 

  1070. 	} else {
    1071. 

  1071. 

  1072. 		// Directly apply same parameters that would've come from tactics.
    1073. 

  1073. 

  1074. 		applyParameters := make(map[string]interface{})
    1075. 

  1075. 

  1076. 		if runConfig.forceFragmenting {
    1077. 

  1077. 			applyParameters[parameters.FragmentorLimitProtocols] = protocol.TunnelProtocols{runConfig.tunnelProtocol}
    1078. 

  1078. 			applyParameters[parameters.FragmentorProbability] = 1.0
    1079. 

  1079. 			applyParameters[parameters.FragmentorMinTotalBytes] = 1000
    1080. 

  1080. 			applyParameters[parameters.FragmentorMaxTotalBytes] = 2000
    1081. 

  1081. 			applyParameters[parameters.FragmentorMinWriteBytes] = 1
    1082. 

  1082. 			applyParameters[parameters.FragmentorMaxWriteBytes] = 100
    1083. 

  1083. 			applyParameters[parameters.FragmentorMinDelay] = 1 * time.Millisecond
    1084. 

  1084. 			applyParameters[parameters.FragmentorMaxDelay] = 10 * time.Millisecond
    1085. 

  1085. 		}
    1086. 

  1086. 

  1087. 		if runConfig.forceLivenessTest {
    1088. 

  1088. 			applyParameters[parameters.LivenessTestMinUpstreamBytes] = livenessTestSize
    1089. 

  1089. 			applyParameters[parameters.LivenessTestMaxUpstreamBytes] = livenessTestSize
    1090. 

  1090. 			applyParameters[parameters.LivenessTestMinDownstreamBytes] = livenessTestSize
    1091. 

  1091. 			applyParameters[parameters.LivenessTestMaxDownstreamBytes] = livenessTestSize
    1092. 

  1092. 		}
    1093. 

  1093. 

  1094. 		if runConfig.doPruneServerEntries {
    1095. 

  1095. 			applyParameters[parameters.PsiphonAPIStatusRequestShortPeriodMin] = 1 * time.Millisecond
    1096. 

  1096. 			applyParameters[parameters.PsiphonAPIStatusRequestShortPeriodMax] = 1 * time.Millisecond
    1097. 

  1097. 		}
    1098. 

  1098. 

  1099. 		err = clientConfig.SetParameters("", true, applyParameters)
    1100. 

  1100. 		if err != nil {
    1101. 

  1101. 			t.Fatalf("SetParameters failed: %s", err)
    1102. 

  1102. 		}
    1103. 

  1103. 	}
    1104. 

  1104. 

  1105. 	// connect to server with client
    1106. 

  1106. 

  1107. 	err = psiphon.OpenDataStore(clientConfig)
    1108. 

  1108. 	if err != nil {
    1109. 

  1109. 		t.Fatalf("error initializing client datastore: %s", err)
    1110. 

  1110. 	}
    1111. 

  1111. 	defer psiphon.CloseDataStore()
    1112. 

  1112. 

  1113. 	// Test unique user counting cases.
    1114. 

  1114. 	var expectUniqueUser bool
    1115. 

  1115. 	switch serverRuns % 3 {
    1116. 

  1116. 	case 0:
    1117. 

  1117. 		// Mock no last_connected.
    1118. 

  1118. 		psiphon.SetKeyValue("lastConnected", "")
    1119. 

  1119. 		expectUniqueUser = true
    1120. 

  1120. 	case 1:
    1121. 

  1121. 		// Mock previous day last_connected.
    1122. 

  1122. 		psiphon.SetKeyValue(
    1123. 

  1123. 			"lastConnected",
    1124. 

  1124. 			time.Now().UTC().AddDate(0, 0, -1).Truncate(1*time.Hour).Format(time.RFC3339))
    1125. 

  1125. 		expectUniqueUser = true
    1126. 

  1126. 	case 2:
    1127. 

  1127. 		// Leave previous last_connected.
    1128. 

  1128. 		expectUniqueUser = false
    1129. 

  1129. 	}
    1130. 

  1130. 

  1131. 	// Clear SLOKs from previous test runs.
    1132. 

  1132. 	psiphon.DeleteSLOKs()
    1133. 

  1133. 

  1134. 	// Store prune server entry test server entries and failed tunnel records.
    1135. 

  1135. 	storePruneServerEntriesTest(
    1136. 

  1136. 		t, runConfig, testDataDirName, pruneServerEntryTestCases)
    1137. 

  1137. 

  1138. 	controller, err := psiphon.NewController(clientConfig)
    1139. 

  1139. 	if err != nil {
    1140. 

  1140. 		t.Fatalf("error creating client controller: %s", err)
    1141. 

  1141. 	}
    1142. 

  1142. 

  1143. 	connectedServer := make(chan struct{}, 1)
    1144. 

  1144. 	tunnelsEstablished := make(chan struct{}, 1)
    1145. 

  1145. 	homepageReceived := make(chan struct{}, 1)
    1146. 

  1146. 	slokSeeded := make(chan struct{}, 1)
    1147. 

  1147. 	numPruneNotices := 0
    1148. 

  1148. 	pruneServerEntriesNoticesEmitted := make(chan struct{}, 1)
    1149. 

  1149. 	serverAlertDisallowedNoticesEmitted := make(chan struct{}, 1)
    1150. 

  1150. 	untunneledPortForward := make(chan struct{}, 1)
    1151. 

  1151. 

  1152. 	psiphon.SetNoticeWriter(psiphon.NewNoticeReceiver(
    1153. 

  1153. 		func(notice []byte) {
    1154. 

  1154. 

  1155. 			//fmt.Printf("%s\n", string(notice))
    1156. 

  1156. 

  1157. 			noticeType, payload, err := psiphon.GetNotice(notice)
    1158. 

  1158. 			if err != nil {
    1159. 

  1159. 				return
    1160. 

  1160. 			}
    1161. 

  1161. 

  1162. 			switch noticeType {
    1163. 

  1163. 

  1164. 			case "ConnectedServer":
    1165. 

  1165. 				sendNotificationReceived(connectedServer)
    1166. 

  1166. 

  1167. 			case "Tunnels":
    1168. 

  1168. 				count := int(payload["count"].(float64))
    1169. 

  1169. 				if count >= numTunnels {
    1170. 

  1170. 					sendNotificationReceived(tunnelsEstablished)
    1171. 

  1171. 				}
    1172. 

  1172. 

  1173. 			case "Homepage":
    1174. 

  1174. 				homepageURL := payload["url"].(string)
    1175. 

  1175. 				if homepageURL != expectedHomepageURL {
    1176. 

  1176. 					// TODO: wrong goroutine for t.FatalNow()
    1177. 

  1177. 					t.Errorf("unexpected homepage: %s", homepageURL)
    1178. 

  1178. 				}
    1179. 

  1179. 				sendNotificationReceived(homepageReceived)
    1180. 

  1180. 

  1181. 			case "SLOKSeeded":
    1182. 

  1182. 				sendNotificationReceived(slokSeeded)
    1183. 

  1183. 

  1184. 			case "PruneServerEntry":
    1185. 

  1185. 				numPruneNotices += 1
    1186. 

  1186. 				if numPruneNotices == expectedNumPruneNotices {
    1187. 

  1187. 					sendNotificationReceived(pruneServerEntriesNoticesEmitted)
    1188. 

  1188. 				}
    1189. 

  1189. 

  1190. 			case "ServerAlert":
    1191. 

  1191. 

  1192. 				reason := payload["reason"].(string)
    1193. 

  1193. 				actionURLsPayload := payload["actionURLs"].([]interface{})
    1194. 

  1194. 				actionURLs := make([]string, len(actionURLsPayload))
    1195. 

  1195. 				for i, value := range actionURLsPayload {
    1196. 

  1196. 					actionURLs[i] = value.(string)
    1197. 

  1197. 				}
    1198. 

  1198. 				if reason == protocol.PSIPHON_API_ALERT_DISALLOWED_TRAFFIC &&
    1199. 

  1199. 					reflect.DeepEqual(actionURLs, testDisallowedTrafficAlertActionURLs) {
    1200. 

  1200. 					sendNotificationReceived(serverAlertDisallowedNoticesEmitted)
    1201. 

  1201. 				}
    1202. 

  1202. 

  1203. 			case "Untunneled":
    1204. 

  1204. 				sendNotificationReceived(untunneledPortForward)
    1205. 

  1205. 

  1206. 			}
    1207. 

  1207. 		}))
    1208. 

  1208. 

  1209. 	ctx, cancelFunc := context.WithCancel(context.Background())
    1210. 

  1210. 

  1211. 	controllerWaitGroup := new(sync.WaitGroup)
    1212. 

  1212. 

  1213. 	controllerWaitGroup.Add(1)
    1214. 

  1214. 	go func() {
    1215. 

  1215. 		defer controllerWaitGroup.Done()
    1216. 

  1216. 		controller.Run(ctx)
    1217. 

  1217. 	}()
    1218. 

  1218. 

  1219. 	stopClient := func() {
    1220. 

  1220. 		cancelFunc()
    1221. 

  1221. 

  1222. 		shutdownTimeout := time.NewTimer(20 * time.Second)
    1223. 

  1223. 

  1224. 		shutdownOk := make(chan struct{}, 1)
    1225. 

  1225. 		go func() {
    1226. 

  1226. 			controllerWaitGroup.Wait()
    1227. 

  1227. 			shutdownOk <- struct{}{}
    1228. 

  1228. 		}()
    1229. 

  1229. 

  1230. 		select {
    1231. 

  1231. 		case <-shutdownOk:
    1232. 

  1232. 		case <-shutdownTimeout.C:
    1233. 

  1233. 			t.Errorf("controller shutdown timeout exceeded")
    1234. 

  1234. 		}
    1235. 

  1235. 	}
    1236. 

  1236. 

  1237. 	// Stop client on early exits due to failure.
    1238. 

  1238. 	defer func() {
    1239. 

  1239. 		if stopClient != nil {
    1240. 

  1240. 			stopClient()
    1241. 

  1241. 		}
    1242. 

  1242. 	}()
    1243. 

  1243. 

  1244. 	// Test: tunnels must be established, and correct homepage
    1245. 

  1245. 	// must be received, within 30 seconds
    1246. 

  1246. 

  1247. 	timeoutSignal := make(chan struct{})
    1248. 

  1248. 	go func() {
    1249. 

  1249. 		timer := time.NewTimer(30 * time.Second)
    1250. 

  1250. 		<-timer.C
    1251. 

  1251. 		close(timeoutSignal)
    1252. 

  1252. 	}()
    1253. 

  1253. 

  1254. 	waitOnNotification(t, connectedServer, timeoutSignal, "connected server timeout exceeded")
    1255. 

  1255. 	waitOnNotification(t, tunnelsEstablished, timeoutSignal, "tunnel established timeout exceeded")
    1256. 

  1256. 	waitOnNotification(t, homepageReceived, timeoutSignal, "homepage received timeout exceeded")
    1257. 

  1257. 

  1258. 	expectTrafficFailure := runConfig.denyTrafficRules || (runConfig.omitAuthorization && runConfig.requireAuthorization)
    1259. 

  1259. 

  1260. 	if runConfig.doTunneledWebRequest {
    1261. 

  1261. 

  1262. 		// Test: tunneled web site fetch
    1263. 

  1263. 

  1264. 		err = makeTunneledWebRequest(
    1265. 

  1265. 			t, localHTTPProxyPort, mockWebServerURL, mockWebServerExpectedResponse)
    1266. 

  1266. 

  1267. 		if err == nil {
    1268. 

  1268. 			if expectTrafficFailure {
    1269. 

  1269. 				t.Fatalf("unexpected tunneled web request success")
    1270. 

  1270. 			}
    1271. 

  1271. 		} else {
    1272. 

  1272. 			if !expectTrafficFailure {
    1273. 

  1273. 				t.Fatalf("tunneled web request failed: %s", err)
    1274. 

  1274. 			}
    1275. 

  1275. 		}
    1276. 

  1276. 	}
    1277. 

  1277. 

  1278. 	if runConfig.doTunneledNTPRequest {
    1279. 

  1279. 

  1280. 		// Test: tunneled UDP packets
    1281. 

  1281. 

  1282. 		udpgwServerAddress := serverConfig["UDPInterceptUdpgwServerAddress"].(string)
    1283. 

  1283. 

  1284. 		err = makeTunneledNTPRequest(t, localSOCKSProxyPort, udpgwServerAddress)
    1285. 

  1285. 

  1286. 		if err == nil {
    1287. 

  1287. 			if expectTrafficFailure {
    1288. 

  1288. 				t.Fatalf("unexpected tunneled NTP request success")
    1289. 

  1289. 			}
    1290. 

  1290. 		} else {
    1291. 

  1291. 			if !expectTrafficFailure {
    1292. 

  1292. 				t.Fatalf("tunneled NTP request failed: %s", err)
    1293. 

  1293. 			}
    1294. 

  1294. 		}
    1295. 

  1295. 	}
    1296. 

  1296. 

  1297. 	// Test: await SLOK payload or server alert notice
    1298. 

  1298. 

  1299. 	time.Sleep(1 * time.Second)
    1300. 

  1300. 

  1301. 	if !expectTrafficFailure {
    1302. 

  1302. 

  1303. 		waitOnNotification(t, slokSeeded, timeoutSignal, "SLOK seeded timeout exceeded")
    1304. 

  1304. 

  1305. 		numSLOKs := psiphon.CountSLOKs()
    1306. 

  1306. 		if numSLOKs != expectedNumSLOKs {
    1307. 

  1307. 			t.Fatalf("unexpected number of SLOKs: %d", numSLOKs)
    1308. 

  1308. 		}
    1309. 

  1309. 

  1310. 	} else {
    1311. 

  1311. 

  1312. 		// Note: in expectTrafficFailure case, timeoutSignal may have already fired.
    1313. 

  1313. 

  1314. 		waitOnNotification(t, serverAlertDisallowedNoticesEmitted, nil, "")
    1315. 

  1315. 	}
    1316. 

  1316. 

  1317. 	// Test: await expected prune server entry notices
    1318. 

  1318. 	//
    1319. 

  1319. 	// Note: will take up to PsiphonAPIStatusRequestShortPeriodMax to emit.
    1320. 

  1320. 

  1321. 	if expectedNumPruneNotices > 0 {
    1322. 

  1322. 		waitOnNotification(t, pruneServerEntriesNoticesEmitted, nil, "")
    1323. 

  1323. 	}
    1324. 

  1324. 

  1325. 	if runConfig.doDanglingTCPConn {
    1326. 

  1326. 

  1327. 		// Test: client that has established TCP connection but not completed
    1328. 

  1328. 		// any handshakes must not block/delay server shutdown
    1329. 

  1329. 

  1330. 		danglingConn, err := net.Dial(
    1331. 

  1331. 			"tcp", net.JoinHostPort(psiphonServerIPAddress, strconv.Itoa(psiphonServerPort)))
    1332. 

  1332. 		if err != nil {
    1333. 

  1333. 			t.Fatalf("TCP dial failed: %s", err)
    1334. 

  1334. 		}
    1335. 

  1335. 		defer danglingConn.Close()
    1336. 

  1336. 	}
    1337. 

  1337. 

  1338. 	// Test: check for split tunnel notice
    1339. 

  1339. 

  1340. 	if runConfig.doSplitTunnel {
    1341. 

  1341. 		if !runConfig.doTunneledWebRequest || expectTrafficFailure {
    1342. 

  1342. 			t.Fatalf("invalid test run configuration")
    1343. 

  1343. 		}
    1344. 

  1344. 		waitOnNotification(t, untunneledPortForward, nil, "")
    1345. 

  1345. 	} else {
    1346. 

  1346. 		// There should be no "Untunneled" notice. This check assumes that any
    1347. 

  1347. 		// unexpected Untunneled notice will have been delivered at this point,
    1348. 

  1348. 		// after the SLOK notice.
    1349. 

  1349. 		select {
    1350. 

  1350. 		case <-untunneledPortForward:
    1351. 

  1351. 			t.Fatalf("unexpected untunnedl port forward")
    1352. 

  1352. 		default:
    1353. 

  1353. 		}
    1354. 

  1354. 	}
    1355. 

  1355. 

  1356. 	// Trigger server_load logging once more, to exercise
    1357. 

  1357. 	// sshClient.peakMetrics. As we don't have a reference to the server's
    1358. 

  1358. 	// Support struct, we can't invoke logServerLoad directly and there's a
    1359. 

  1359. 	// potential race between asynchronous logServerLoad invocation and
    1360. 

  1360. 	// client shutdown. For now, we sleep as a workaround.
    1361. 

  1361. 

  1362. 	p.Signal(syscall.SIGUSR2)
    1363. 

  1363. 	time.Sleep(1 * time.Second)
    1364. 

  1364. 

  1365. 	// Shutdown to ensure logs/notices are flushed
    1366. 

  1366. 

  1367. 	stopClient()
    1368. 

  1368. 	stopClient = nil
    1369. 

  1369. 	stopServer()
    1370. 

  1370. 	stopServer = nil
    1371. 

  1371. 

  1372. 	// Test: all expected server logs were emitted
    1373. 

  1373. 

  1374. 	// TODO: stops should be fully synchronous, but, intermittently,
    1375. 

  1375. 	// server_tunnel fails to appear ("missing server tunnel log")
    1376. 

  1376. 	// without this delay.
    1377. 

  1377. 	time.Sleep(100 * time.Millisecond)
    1378. 

  1378. 

  1379. 	expectClientBPFField := psiphon.ClientBPFEnabled() && doClientTactics
    1380. 

  1380. 	expectServerBPFField := ServerBPFEnabled() && doServerTactics
    1381. 

  1381. 	expectServerPacketManipulationField := runConfig.doPacketManipulation
    1382. 

  1382. 	expectBurstFields := runConfig.doBurstMonitor
    1383. 

  1383. 	expectTCPPortForwardDial := runConfig.doTunneledWebRequest
    1384. 

  1384. 	expectTCPDataTransfer := runConfig.doTunneledWebRequest && !expectTrafficFailure && !runConfig.doSplitTunnel
    1385. 

  1385. 	// Even with expectTrafficFailure, DNS port forwards will succeed
    1386. 

  1386. 	expectUDPDataTransfer := runConfig.doTunneledNTPRequest
    1387. 

  1387. 	expectQUICVersion := ""
    1388. 

  1388. 	if runConfig.limitQUICVersions {
    1389. 

  1389. 		expectQUICVersion = limitQUICVersions[0]
    1390. 

  1390. 	}
    1391. 

  1391. 

  1392. 	select {
    1393. 

  1393. 	case logFields := <-serverTunnelLog:
    1394. 

  1394. 		err := checkExpectedServerTunnelLogFields(
    1395. 

  1395. 			runConfig,
    1396. 

  1396. 			expectClientBPFField,
    1397. 

  1397. 			expectServerBPFField,
    1398. 

  1398. 			expectServerPacketManipulationField,
    1399. 

  1399. 			expectBurstFields,
    1400. 

  1400. 			expectTCPPortForwardDial,
    1401. 

  1401. 			expectTCPDataTransfer,
    1402. 

  1402. 			expectUDPDataTransfer,
    1403. 

  1403. 			expectQUICVersion,
    1404. 

  1404. 			logFields)
    1405. 

  1405. 		if err != nil {
    1406. 

  1406. 			t.Fatalf("invalid server tunnel log fields: %s", err)
    1407. 

  1407. 		}
    1408. 

  1408. 	default:
    1409. 

  1409. 		t.Fatalf("missing server tunnel log")
    1410. 

  1410. 	}
    1411. 

  1411. 

  1412. 	if expectUniqueUser {
    1413. 

  1413. 		select {
    1414. 

  1414. 		case logFields := <-uniqueUserLog:
    1415. 

  1415. 			err := checkExpectedUniqueUserLogFields(
    1416. 

  1416. 				runConfig,
    1417. 

  1417. 				logFields)
    1418. 

  1418. 			if err != nil {
    1419. 

  1419. 				t.Fatalf("invalid unique user log fields: %s", err)
    1420. 

  1420. 			}
    1421. 

  1421. 		default:
    1422. 

  1422. 			t.Fatalf("missing unique user log")
    1423. 

  1423. 		}
    1424. 

  1424. 	} else {
    1425. 

  1425. 		select {
    1426. 

  1426. 		case <-uniqueUserLog:
    1427. 

  1427. 			t.Fatalf("unexpected unique user log")
    1428. 

  1428. 		default:
    1429. 

  1429. 		}
    1430. 

  1430. 	}
    1431. 

  1431. 

  1432. 	// Check that datastore had retained/pruned server entries as expected.
    1433. 

  1433. 	checkPruneServerEntriesTest(t, runConfig, testDataDirName, pruneServerEntryTestCases)
    1434. 

  1434. }
    1435. 

  1435. 

  1436. func sendNotificationReceived(c chan<- struct{}) {
    1437. 

  1437. 	select {
    1438. 

  1438. 	case c <- struct{}{}:
    1439. 

  1439. 	default:
    1440. 

  1440. 	}
    1441. 

  1441. }
    1442. 

  1442. 

  1443. func waitOnNotification(t *testing.T, c, timeoutSignal <-chan struct{}, timeoutMessage string) {
    1444. 

  1444. 	if timeoutSignal == nil {
    1445. 

  1445. 		<-c
    1446. 

  1446. 	} else {
    1447. 

  1447. 		select {
    1448. 

  1448. 		case <-c:
    1449. 

  1449. 		case <-timeoutSignal:
    1450. 

  1450. 			t.Fatalf(timeoutMessage)
    1451. 

  1451. 		}
    1452. 

  1452. 	}
    1453. 

  1453. }
    1454. 

  1454. 

  1455. func checkExpectedServerTunnelLogFields(
    1456. 

  1456. 	runConfig *runServerConfig,
    1457. 

  1457. 	expectClientBPFField bool,
    1458. 

  1458. 	expectServerBPFField bool,
    1459. 

  1459. 	expectServerPacketManipulationField bool,
    1460. 

  1460. 	expectBurstFields bool,
    1461. 

  1461. 	expectTCPPortForwardDial bool,
    1462. 

  1462. 	expectTCPDataTransfer bool,
    1463. 

  1463. 	expectUDPDataTransfer bool,
    1464. 

  1464. 	expectQUICVersion string,
    1465. 

  1465. 	fields map[string]interface{}) error {
    1466. 

  1466. 

  1467. 	// Limitations:
    1468. 

  1468. 	//
    1469. 

  1469. 	// - client_build_rev not set in test build (see common/buildinfo.go)
    1470. 

  1470. 	// - egress_region, upstream_proxy_type, upstream_proxy_custom_header_names not exercised in test
    1471. 

  1471. 	// - fronting_provider_id/meek_dial_ip_address/meek_resolved_ip_address only logged for FRONTED meek protocols
    1472. 

  1472. 

  1473. 	for _, name := range []string{
    1474. 

  1474. 		"start_time",
    1475. 

  1475. 		"duration",
    1476. 

  1476. 		"session_id",
    1477. 

  1477. 		"is_first_tunnel_in_session",
    1478. 

  1478. 		"last_connected",
    1479. 

  1479. 		"establishment_duration",
    1480. 

  1480. 		"propagation_channel_id",
    1481. 

  1481. 		"sponsor_id",
    1482. 

  1482. 		"client_platform",
    1483. 

  1483. 		"client_features",
    1484. 

  1484. 		"relay_protocol",
    1485. 

  1485. 		"device_region",
    1486. 

  1486. 		"ssh_client_version",
    1487. 

  1487. 		"server_entry_region",
    1488. 

  1488. 		"server_entry_source",
    1489. 

  1489. 		"server_entry_timestamp",
    1490. 

  1490. 		"dial_port_number",
    1491. 

  1491. 		"is_replay",
    1492. 

  1492. 		"dial_duration",
    1493. 

  1493. 		"candidate_number",
    1494. 

  1494. 		"established_tunnels_count",
    1495. 

  1495. 		"network_latency_multiplier",
    1496. 

  1496. 		"network_type",
    1497. 

  1497. 

  1498. 		// The test run ensures that logServerLoad is invoked while the client
    1499. 

  1499. 		// is connected, so the following must be logged.
    1500. 

  1500. 		"peak_concurrent_proximate_accepted_clients",
    1501. 

  1501. 		"peak_concurrent_proximate_established_clients",
    1502. 

  1502. 	} {
    1503. 

  1503. 		if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1504. 

  1504. 			return fmt.Errorf("missing expected field '%s'", name)
    1505. 

  1505. 		}
    1506. 

  1506. 	}
    1507. 

  1507. 

  1508. 	if fields["relay_protocol"].(string) != runConfig.tunnelProtocol {
    1509. 

  1509. 		return fmt.Errorf("unexpected relay_protocol '%s'", fields["relay_protocol"])
    1510. 

  1510. 	}
    1511. 

  1511. 

  1512. 	if !common.Contains(testSSHClientVersions, fields["ssh_client_version"].(string)) {
    1513. 

  1513. 		return fmt.Errorf("unexpected relay_protocol '%s'", fields["ssh_client_version"])
    1514. 

  1514. 	}
    1515. 

  1515. 

  1516. 	clientFeatures := fields["client_features"].([]interface{})
    1517. 

  1517. 	if len(clientFeatures) != len(testClientFeatures) {
    1518. 

  1518. 		return fmt.Errorf("unexpected client_features '%s'", fields["client_features"])
    1519. 

  1519. 	}
    1520. 

  1520. 	for i, feature := range testClientFeatures {
    1521. 

  1521. 		if clientFeatures[i].(string) != feature {
    1522. 

  1522. 			return fmt.Errorf("unexpected client_features '%s'", fields["client_features"])
    1523. 

  1523. 		}
    1524. 

  1524. 	}
    1525. 

  1525. 

  1526. 	if fields["network_type"].(string) != testNetworkType {
    1527. 

  1527. 		return fmt.Errorf("unexpected network_type '%s'", fields["network_type"])
    1528. 

  1528. 	}
    1529. 

  1529. 

  1530. 	// With interruptions, timeouts, and retries in some tests, there may be
    1531. 

  1531. 	// more than one dangling accepted_client.
    1532. 

  1532. 

  1533. 	peakConcurrentProximateAcceptedClients :=
    1534. 

  1534. 		int(fields["peak_concurrent_proximate_accepted_clients"].(float64))
    1535. 

  1535. 	if peakConcurrentProximateAcceptedClients < 0 ||
    1536. 

  1536. 		peakConcurrentProximateAcceptedClients > 10 {
    1537. 

  1537. 		return fmt.Errorf(
    1538. 

  1538. 			"unexpected peak_concurrent_proximate_accepted_clients '%v'",
    1539. 

  1539. 			fields["peak_concurrent_proximate_accepted_clients"])
    1540. 

  1540. 	}
    1541. 

  1541. 

  1542. 	peakConcurrentProximateEstablishedClients :=
    1543. 

  1543. 		int(fields["peak_concurrent_proximate_established_clients"].(float64))
    1544. 

  1544. 	if peakConcurrentProximateEstablishedClients != 0 {
    1545. 

  1545. 		return fmt.Errorf(
    1546. 

  1546. 			"unexpected peak_concurrent_proximate_established_clients '%v'",
    1547. 

  1547. 			fields["peak_concurrent_proximate_established_clients"])
    1548. 

  1548. 	}
    1549. 

  1549. 

  1550. 	// In some negative test cases, no port forwards are attempted, in which
    1551. 

  1551. 	// case these fields are not logged.
    1552. 

  1552. 

  1553. 	if expectTCPDataTransfer {
    1554. 

  1554. 

  1555. 		if fields["peak_tcp_port_forward_failure_rate"] == nil {
    1556. 

  1556. 			return fmt.Errorf("missing expected field 'peak_tcp_port_forward_failure_rate'")
    1557. 

  1557. 		}
    1558. 

  1558. 		if fields["peak_tcp_port_forward_failure_rate"].(float64) != 0.0 {
    1559. 

  1559. 			return fmt.Errorf(
    1560. 

  1560. 				"unexpected peak_tcp_port_forward_failure_rate '%v'",
    1561. 

  1561. 				fields["peak_tcp_port_forward_failure_rate"])
    1562. 

  1562. 		}
    1563. 

  1563. 

  1564. 		if fields["peak_tcp_port_forward_failure_rate_sample_size"] == nil {
    1565. 

  1565. 			return fmt.Errorf("missing expected field 'peak_tcp_port_forward_failure_rate_sample_size'")
    1566. 

  1566. 		}
    1567. 

  1567. 		if fields["peak_tcp_port_forward_failure_rate_sample_size"].(float64) <= 0.0 {
    1568. 

  1568. 			return fmt.Errorf(
    1569. 

  1569. 				"unexpected peak_tcp_port_forward_failure_rate_sample_size '%v'",
    1570. 

  1570. 				fields["peak_tcp_port_forward_failure_rate_sample_size"])
    1571. 

  1571. 		}
    1572. 

  1572. 

  1573. 	} else {
    1574. 

  1574. 

  1575. 		if fields["peak_tcp_port_forward_failure_rate"] != nil {
    1576. 

  1576. 			return fmt.Errorf("unexpected field 'peak_tcp_port_forward_failure_rate'")
    1577. 

  1577. 		}
    1578. 

  1578. 

  1579. 		if fields["peak_tcp_port_forward_failure_rate_sample_size"] != nil {
    1580. 

  1580. 			return fmt.Errorf("unexpected field 'peak_tcp_port_forward_failure_rate_sample_size'")
    1581. 

  1581. 		}
    1582. 

  1582. 	}
    1583. 

  1583. 

  1584. 	if expectUDPDataTransfer {
    1585. 

  1585. 

  1586. 		if fields["peak_dns_failure_rate"] == nil {
    1587. 

  1587. 			return fmt.Errorf("missing expected field 'peak_dns_failure_rate'")
    1588. 

  1588. 		}
    1589. 

  1589. 		if fields["peak_dns_failure_rate"].(float64) != 0.0 {
    1590. 

  1590. 			return fmt.Errorf(
    1591. 

  1591. 				"unexpected peak_dns_failure_rate '%v'", fields["peak_dns_failure_rate"])
    1592. 

  1592. 		}
    1593. 

  1593. 

  1594. 		if fields["peak_dns_failure_rate_sample_size"] == nil {
    1595. 

  1595. 			return fmt.Errorf("missing expected field 'peak_dns_failure_rate_sample_size'")
    1596. 

  1596. 		}
    1597. 

  1597. 		if fields["peak_dns_failure_rate_sample_size"].(float64) <= 0.0 {
    1598. 

  1598. 			return fmt.Errorf(
    1599. 

  1599. 				"unexpected peak_dns_failure_rate_sample_size '%v'",
    1600. 

  1600. 				fields["peak_dns_failure_rate_sample_size"])
    1601. 

  1601. 		}
    1602. 

  1602. 

  1603. 	} else {
    1604. 

  1604. 

  1605. 		if fields["peak_dns_failure_rate"] != nil {
    1606. 

  1606. 			return fmt.Errorf("unexpected field 'peak_dns_failure_rate'")
    1607. 

  1607. 		}
    1608. 

  1608. 

  1609. 		if fields["peak_dns_failure_rate_sample_size"] != nil {
    1610. 

  1610. 			return fmt.Errorf("unexpected field 'peak_dns_failure_rate_sample_size'")
    1611. 

  1611. 		}
    1612. 

  1612. 	}
    1613. 

  1613. 

  1614. 	// TODO: the following cases should check that fields are not logged when
    1615. 

  1615. 	// not expected.
    1616. 

  1616. 

  1617. 	if runConfig.doSplitTunnel {
    1618. 

  1618. 

  1619. 		if fields["split_tunnel"] == nil {
    1620. 

  1620. 			return fmt.Errorf("missing expected field 'split_tunnel'")
    1621. 

  1621. 		}
    1622. 

  1622. 		if fields["split_tunnel"].(bool) != true {
    1623. 

  1623. 			return fmt.Errorf("missing split_tunnel value")
    1624. 

  1624. 		}
    1625. 

  1625. 	}
    1626. 

  1626. 

  1627. 	if protocol.TunnelProtocolUsesObfuscatedSSH(runConfig.tunnelProtocol) {
    1628. 

  1628. 

  1629. 		for _, name := range []string{
    1630. 

  1630. 			"padding",
    1631. 

  1631. 			"pad_response",
    1632. 

  1632. 		} {
    1633. 

  1633. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1634. 

  1634. 				return fmt.Errorf("missing expected field '%s'", name)
    1635. 

  1635. 			}
    1636. 

  1636. 		}
    1637. 

  1637. 	}
    1638. 

  1638. 

  1639. 	if protocol.TunnelProtocolUsesMeek(runConfig.tunnelProtocol) {
    1640. 

  1640. 

  1641. 		for _, name := range []string{
    1642. 

  1642. 			"user_agent",
    1643. 

  1643. 			"meek_transformed_host_name",
    1644. 

  1644. 			"meek_cookie_size",
    1645. 

  1645. 			"meek_limit_request",
    1646. 

  1646. 			"meek_underlying_connection_count",
    1647. 

  1647. 			tactics.APPLIED_TACTICS_TAG_PARAMETER_NAME,
    1648. 

  1648. 		} {
    1649. 

  1649. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1650. 

  1650. 				return fmt.Errorf("missing expected field '%s'", name)
    1651. 

  1651. 			}
    1652. 

  1652. 		}
    1653. 

  1653. 

  1654. 		if !common.Contains(testUserAgents, fields["user_agent"].(string)) {
    1655. 

  1655. 			return fmt.Errorf("unexpected user_agent '%s'", fields["user_agent"])
    1656. 

  1656. 		}
    1657. 

  1657. 	}
    1658. 

  1658. 

  1659. 	if protocol.TunnelProtocolUsesMeekHTTP(runConfig.tunnelProtocol) {
    1660. 

  1660. 

  1661. 		for _, name := range []string{
    1662. 

  1662. 			"meek_host_header",
    1663. 

  1663. 		} {
    1664. 

  1664. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1665. 

  1665. 				return fmt.Errorf("missing expected field '%s'", name)
    1666. 

  1666. 			}
    1667. 

  1667. 		}
    1668. 

  1668. 

  1669. 		hostName := fields["meek_host_header"].(string)
    1670. 

  1670. 		dialPortNumber := int(fields["dial_port_number"].(float64))
    1671. 

  1671. 		if dialPortNumber != 80 {
    1672. 

  1672. 			hostName, _, _ = net.SplitHostPort(hostName)
    1673. 

  1673. 		}
    1674. 

  1674. 		if regexp.MustCompile(testCustomHostNameRegex).FindString(hostName) != hostName {
    1675. 

  1675. 			return fmt.Errorf("unexpected meek_host_header '%s'", fields["meek_host_header"])
    1676. 

  1676. 		}
    1677. 

  1677. 

  1678. 		for _, name := range []string{
    1679. 

  1679. 			"meek_dial_ip_address",
    1680. 

  1680. 			"meek_resolved_ip_address",
    1681. 

  1681. 		} {
    1682. 

  1682. 			if fields[name] != nil {
    1683. 

  1683. 				return fmt.Errorf("unexpected field '%s'", name)
    1684. 

  1684. 			}
    1685. 

  1685. 		}
    1686. 

  1686. 	}
    1687. 

  1687. 

  1688. 	if protocol.TunnelProtocolUsesMeekHTTPS(runConfig.tunnelProtocol) {
    1689. 

  1689. 

  1690. 		for _, name := range []string{
    1691. 

  1691. 			"tls_profile",
    1692. 

  1692. 			"tls_version",
    1693. 

  1693. 			"meek_sni_server_name",
    1694. 

  1694. 		} {
    1695. 

  1695. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1696. 

  1696. 				return fmt.Errorf("missing expected field '%s'", name)
    1697. 

  1697. 			}
    1698. 

  1698. 		}
    1699. 

  1699. 

  1700. 		hostName := fields["meek_sni_server_name"].(string)
    1701. 

  1701. 		if regexp.MustCompile(testCustomHostNameRegex).FindString(hostName) != hostName {
    1702. 

  1702. 			return fmt.Errorf("unexpected meek_sni_server_name '%s'", fields["meek_sni_server_name"])
    1703. 

  1703. 		}
    1704. 

  1704. 

  1705. 		for _, name := range []string{
    1706. 

  1706. 			"meek_dial_ip_address",
    1707. 

  1707. 			"meek_resolved_ip_address",
    1708. 

  1708. 			"meek_host_header",
    1709. 

  1709. 		} {
    1710. 

  1710. 			if fields[name] != nil {
    1711. 

  1711. 				return fmt.Errorf("unexpected field '%s'", name)
    1712. 

  1712. 			}
    1713. 

  1713. 		}
    1714. 

  1714. 

  1715. 		if !common.Contains(protocol.SupportedTLSProfiles, fields["tls_profile"].(string)) {
    1716. 

  1716. 			return fmt.Errorf("unexpected tls_profile '%s'", fields["tls_profile"])
    1717. 

  1717. 		}
    1718. 

  1718. 

  1719. 		tlsVersion := fields["tls_version"].(string)
    1720. 

  1720. 		if !strings.HasPrefix(tlsVersion, protocol.TLS_VERSION_12) &&
    1721. 

  1721. 			!strings.HasPrefix(tlsVersion, protocol.TLS_VERSION_13) {
    1722. 

  1722. 			return fmt.Errorf("unexpected tls_version '%s'", fields["tls_version"])
    1723. 

  1723. 		}
    1724. 

  1724. 	}
    1725. 

  1725. 

  1726. 	if protocol.TunnelProtocolUsesQUIC(runConfig.tunnelProtocol) {
    1727. 

  1727. 

  1728. 		for _, name := range []string{
    1729. 

  1729. 			"quic_version",
    1730. 

  1730. 			"quic_dial_sni_address",
    1731. 

  1731. 		} {
    1732. 

  1732. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1733. 

  1733. 				return fmt.Errorf("missing expected field '%s'", name)
    1734. 

  1734. 			}
    1735. 

  1735. 		}
    1736. 

  1736. 

  1737. 		quicVersion := fields["quic_version"].(string)
    1738. 

  1738. 		if !common.Contains(protocol.SupportedQUICVersions, quicVersion) ||
    1739. 

  1739. 			(runConfig.limitQUICVersions && quicVersion != expectQUICVersion) {
    1740. 

  1740. 

  1741. 			return fmt.Errorf("unexpected quic_version '%s'", fields["quic_version"])
    1742. 

  1742. 		}
    1743. 

  1743. 	}
    1744. 

  1744. 

  1745. 	if runConfig.forceFragmenting {
    1746. 

  1746. 

  1747. 		for _, name := range []string{
    1748. 

  1748. 			"upstream_bytes_fragmented",
    1749. 

  1749. 			"upstream_min_bytes_written",
    1750. 

  1750. 			"upstream_max_bytes_written",
    1751. 

  1751. 			"upstream_min_delayed",
    1752. 

  1752. 			"upstream_max_delayed",
    1753. 

  1753. 		} {
    1754. 

  1754. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1755. 

  1755. 				return fmt.Errorf("missing expected field '%s'", name)
    1756. 

  1756. 			}
    1757. 

  1757. 		}
    1758. 

  1758. 	}
    1759. 

  1759. 

  1760. 	if expectClientBPFField {
    1761. 

  1761. 		name := "client_bpf"
    1762. 

  1762. 		if fields[name] == nil {
    1763. 

  1763. 			return fmt.Errorf("missing expected field '%s'", name)
    1764. 

  1764. 		} else if fmt.Sprintf("%s", fields[name]) != "test-client-bpf" {
    1765. 

  1765. 			return fmt.Errorf("unexpected field value %s: '%s'", name, fields[name])
    1766. 

  1766. 		}
    1767. 

  1767. 	}
    1768. 

  1768. 

  1769. 	if expectServerBPFField {
    1770. 

  1770. 		name := "server_bpf"
    1771. 

  1771. 		if fields[name] == nil {
    1772. 

  1772. 			return fmt.Errorf("missing expected field '%s'", name)
    1773. 

  1773. 		} else if fmt.Sprintf("%s", fields[name]) != "test-server-bpf" {
    1774. 

  1774. 			return fmt.Errorf("unexpected field value %s: '%s'", name, fields[name])
    1775. 

  1775. 		}
    1776. 

  1776. 	}
    1777. 

  1777. 

  1778. 	if expectServerPacketManipulationField {
    1779. 

  1779. 		name := "server_packet_manipulation"
    1780. 

  1780. 		if fields[name] == nil {
    1781. 

  1781. 			return fmt.Errorf("missing expected field '%s'", name)
    1782. 

  1782. 		} else if fmt.Sprintf("%s", fields[name]) != "test-packetman-spec" {
    1783. 

  1783. 			return fmt.Errorf("unexpected field value %s: '%s'", name, fields[name])
    1784. 

  1784. 		}
    1785. 

  1785. 	}
    1786. 

  1786. 

  1787. 	if expectBurstFields {
    1788. 

  1788. 

  1789. 		// common.TestBurstMonitoredConn covers inclusion of additional fields.
    1790. 

  1790. 		for _, name := range []string{
    1791. 

  1791. 			"burst_upstream_first_rate",
    1792. 

  1792. 			"burst_upstream_last_rate",
    1793. 

  1793. 			"burst_upstream_min_rate",
    1794. 

  1794. 			"burst_upstream_max_rate",
    1795. 

  1795. 			"burst_downstream_first_rate",
    1796. 

  1796. 			"burst_downstream_last_rate",
    1797. 

  1797. 			"burst_downstream_min_rate",
    1798. 

  1798. 			"burst_downstream_max_rate",
    1799. 

  1799. 		} {
    1800. 

  1800. 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1801. 

  1801. 				return fmt.Errorf("missing expected field '%s'", name)
    1802. 

  1802. 			}
    1803. 

  1803. 		}
    1804. 

  1804. 	}
    1805. 

  1805. 

  1806. 	var checkTCPMetric func(float64) bool
    1807. 

  1807. 	if expectTCPPortForwardDial {
    1808. 

  1808. 		checkTCPMetric = func(f float64) bool { return f > 0 }
    1809. 

  1809. 	} else {
    1810. 

  1810. 		checkTCPMetric = func(f float64) bool { return f == 0 }
    1811. 

  1811. 	}
    1812. 

  1812. 

  1813. 	for _, name := range []string{
    1814. 

  1814. 		"peak_concurrent_dialing_port_forward_count_tcp",
    1815. 

  1815. 	} {
    1816. 

  1816. 		if fields[name] == nil {
    1817. 

  1817. 			return fmt.Errorf("missing expected field '%s'", name)
    1818. 

  1818. 		}
    1819. 

  1819. 		if !checkTCPMetric(fields[name].(float64)) {
    1820. 

  1820. 			return fmt.Errorf("unexpected field value %s: '%v'", name, fields[name])
    1821. 

  1821. 		}
    1822. 

  1822. 	}
    1823. 

  1823. 

  1824. 	if expectTCPDataTransfer {
    1825. 

  1825. 		checkTCPMetric = func(f float64) bool { return f > 0 }
    1826. 

  1826. 	} else {
    1827. 

  1827. 		checkTCPMetric = func(f float64) bool { return f == 0 }
    1828. 

  1828. 	}
    1829. 

  1829. 

  1830. 	for _, name := range []string{
    1831. 

  1831. 		"bytes_up_tcp",
    1832. 

  1832. 		"bytes_down_tcp",
    1833. 

  1833. 		"peak_concurrent_port_forward_count_tcp",
    1834. 

  1834. 		"total_port_forward_count_tcp",
    1835. 

  1835. 	} {
    1836. 

  1836. 		if fields[name] == nil {
    1837. 

  1837. 			return fmt.Errorf("missing expected field '%s'", name)
    1838. 

  1838. 		}
    1839. 

  1839. 		if !checkTCPMetric(fields[name].(float64)) {
    1840. 

  1840. 			return fmt.Errorf("unexpected field value %s: '%v'", name, fields[name])
    1841. 

  1841. 		}
    1842. 

  1842. 	}
    1843. 

  1843. 

  1844. 	var checkUDPMetric func(float64) bool
    1845. 

  1845. 	if expectUDPDataTransfer {
    1846. 

  1846. 		checkUDPMetric = func(f float64) bool { return f > 0 }
    1847. 

  1847. 	} else {
    1848. 

  1848. 		checkUDPMetric = func(f float64) bool { return f == 0 }
    1849. 

  1849. 	}
    1850. 

  1850. 

  1851. 	for _, name := range []string{
    1852. 

  1852. 		"bytes_up_udp",
    1853. 

  1853. 		"bytes_down_udp",
    1854. 

  1854. 		"peak_concurrent_port_forward_count_udp",
    1855. 

  1855. 		"total_port_forward_count_udp",
    1856. 

  1856. 		"total_udpgw_channel_count",
    1857. 

  1857. 	} {
    1858. 

  1858. 		if fields[name] == nil {
    1859. 

  1859. 			return fmt.Errorf("missing expected field '%s'", name)
    1860. 

  1860. 		}
    1861. 

  1861. 		if !checkUDPMetric(fields[name].(float64)) {
    1862. 

  1862. 			return fmt.Errorf("unexpected field value %s: '%v'", name, fields[name])
    1863. 

  1863. 		}
    1864. 

  1864. 	}
    1865. 

  1865. 

  1866. 	return nil
    1867. 

  1867. }
    1868. 

  1868. 

  1869. func checkExpectedUniqueUserLogFields(
    1870. 

  1870. 	runConfig *runServerConfig,
    1871. 

  1871. 	fields map[string]interface{}) error {
    1872. 

  1872. 

  1873. 	for _, name := range []string{
    1874. 

  1874. 		"session_id",
    1875. 

  1875. 		"last_connected",
    1876. 

  1876. 		"propagation_channel_id",
    1877. 

  1877. 		"sponsor_id",
    1878. 

  1878. 		"client_platform",
    1879. 

  1879. 		"device_region",
    1880. 

  1880. 	} {
    1881. 

  1881. 		if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
    1882. 

  1882. 			return fmt.Errorf("missing expected field '%s'", name)
    1883. 

  1883. 		}
    1884. 

  1884. 	}
    1885. 

  1885. 

  1886. 	return nil
    1887. 

  1887. }
    1888. 

  1888. 

  1889. func makeTunneledWebRequest(
    1890. 

  1890. 	t *testing.T,
    1891. 

  1891. 	localHTTPProxyPort int,
    1892. 

  1892. 	requestURL, expectedResponseBody string) error {
    1893. 

  1893. 

  1894. 	roundTripTimeout := 30 * time.Second
    1895. 

  1895. 

  1896. 	proxyUrl, err := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", localHTTPProxyPort))
    1897. 

  1897. 	if err != nil {
    1898. 

  1898. 		return fmt.Errorf("error initializing proxied HTTP request: %s", err)
    1899. 

  1899. 	}
    1900. 

  1900. 

  1901. 	httpClient := &http.Client{
    1902. 

  1902. 		Transport: &http.Transport{
    1903. 

  1903. 			Proxy: http.ProxyURL(proxyUrl),
    1904. 

  1904. 		},
    1905. 

  1905. 		Timeout: roundTripTimeout,
    1906. 

  1906. 	}
    1907. 

  1907. 

  1908. 	response, err := httpClient.Get(requestURL)
    1909. 

  1909. 	if err != nil {
    1910. 

  1910. 		return fmt.Errorf("error sending proxied HTTP request: %s", err)
    1911. 

  1911. 	}
    1912. 

  1912. 

  1913. 	body, err := ioutil.ReadAll(response.Body)
    1914. 

  1914. 	if err != nil {
    1915. 

  1915. 		return fmt.Errorf("error reading proxied HTTP response: %s", err)
    1916. 

  1916. 	}
    1917. 

  1917. 	response.Body.Close()
    1918. 

  1918. 

  1919. 	if string(body) != expectedResponseBody {
    1920. 

  1920. 		return fmt.Errorf("unexpected proxied HTTP response")
    1921. 

  1921. 	}
    1922. 

  1922. 

  1923. 	return nil
    1924. 

  1924. }
    1925. 

  1925. 

  1926. func makeTunneledNTPRequest(t *testing.T, localSOCKSProxyPort int, udpgwServerAddress string) error {
    1927. 

  1927. 

  1928. 	timeout := 20 * time.Second
    1929. 

  1929. 	var err error
    1930. 

  1930. 

  1931. 	testHostnames := []string{"time.google.com", "time.nist.gov", "pool.ntp.org"}
    1932. 

  1932. 	indexes := prng.Perm(len(testHostnames))
    1933. 

  1933. 

  1934. 	for _, index := range indexes {
    1935. 

  1935. 		testHostname := testHostnames[index]
    1936. 

  1936. 		err = makeTunneledNTPRequestAttempt(t, testHostname, timeout, localSOCKSProxyPort, udpgwServerAddress)
    1937. 

  1937. 		if err == nil {
    1938. 

  1938. 			break
    1939. 

  1939. 		}
    1940. 

  1940. 		t.Logf("makeTunneledNTPRequestAttempt failed: %s", err)
    1941. 

  1941. 	}
    1942. 

  1942. 

  1943. 	return err
    1944. 

  1944. }
    1945. 

  1945. 

  1946. var nextUDPProxyPort = 7300
    1947. 

  1947. 

  1948. func makeTunneledNTPRequestAttempt(
    1949. 

  1949. 	t *testing.T, testHostname string, timeout time.Duration, localSOCKSProxyPort int, udpgwServerAddress string) error {
    1950. 

  1950. 

  1951. 	nextUDPProxyPort++
    1952. 

  1952. 	localUDPProxyAddress, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", nextUDPProxyPort))
    1953. 

  1953. 	if err != nil {
    1954. 

  1954. 		return fmt.Errorf("ResolveUDPAddr failed: %s", err)
    1955. 

  1955. 	}
    1956. 

  1956. 

  1957. 	// Note: this proxy is intended for this test only -- it only accepts a single connection,
    1958. 

  1958. 	// handles it, and then terminates.
    1959. 

  1959. 

  1960. 	localUDPProxy := func(destinationIP net.IP, destinationPort uint16, waitGroup *sync.WaitGroup) {
    1961. 

  1961. 

  1962. 		if waitGroup != nil {
    1963. 

  1963. 			defer waitGroup.Done()
    1964. 

  1964. 		}
    1965. 

  1965. 

  1966. 		destination := net.JoinHostPort(destinationIP.String(), strconv.Itoa(int(destinationPort)))
    1967. 

  1967. 

  1968. 		serverUDPConn, err := net.ListenUDP("udp", localUDPProxyAddress)
    1969. 

  1969. 		if err != nil {
    1970. 

  1970. 			t.Logf("ListenUDP for %s failed: %s", destination, err)
    1971. 

  1971. 			return
    1972. 

  1972. 		}
    1973. 

  1973. 		defer serverUDPConn.Close()
    1974. 

  1974. 

  1975. 		udpgwPreambleSize := 11 // see writeUdpgwPreamble
    1976. 

  1976. 		buffer := make([]byte, udpgwProtocolMaxMessageSize)
    1977. 

  1977. 		packetSize, clientAddr, err := serverUDPConn.ReadFromUDP(
    1978. 

  1978. 			buffer[udpgwPreambleSize:])
    1979. 

  1979. 		if err != nil {
    1980. 

  1980. 			t.Logf("serverUDPConn.Read for %s failed: %s", destination, err)
    1981. 

  1981. 			return
    1982. 

  1982. 		}
    1983. 

  1983. 

  1984. 		socksProxyAddress := fmt.Sprintf("127.0.0.1:%d", localSOCKSProxyPort)
    1985. 

  1985. 

  1986. 		dialer, err := proxy.SOCKS5("tcp", socksProxyAddress, nil, proxy.Direct)
    1987. 

  1987. 		if err != nil {
    1988. 

  1988. 			t.Logf("proxy.SOCKS5 for %s failed: %s", destination, err)
    1989. 

  1989. 			return
    1990. 

  1990. 		}
    1991. 

  1991. 

  1992. 		socksTCPConn, err := dialer.Dial("tcp", udpgwServerAddress)
    1993. 

  1993. 		if err != nil {
    1994. 

  1994. 			t.Logf("dialer.Dial for %s failed: %s", destination, err)
    1995. 

  1995. 			return
    1996. 

  1996. 		}
    1997. 

  1997. 		defer socksTCPConn.Close()
    1998. 

  1998. 

  1999. 		flags := uint8(0)
    2000. 

  2000. 		if destinationPort == 53 {
    2001. 

  2001. 			flags = udpgwProtocolFlagDNS
    2002. 

  2002. 		}
    2003. 

  2003. 

  2004. 		err = writeUdpgwPreamble(
    2005. 

  2005. 			udpgwPreambleSize,
    2006. 

  2006. 			flags,
    2007. 

  2007. 			0,
    2008. 

  2008. 			destinationIP,
    2009. 

  2009. 			destinationPort,
    2010. 

  2010. 			uint16(packetSize),
    2011. 

  2011. 			buffer)
    2012. 

  2012. 		if err != nil {
    2013. 

  2013. 			t.Logf("writeUdpgwPreamble for %s failed: %s", destination, err)
    2014. 

  2014. 			return
    2015. 

  2015. 		}
    2016. 

  2016. 

  2017. 		_, err = socksTCPConn.Write(buffer[0 : udpgwPreambleSize+packetSize])
    2018. 

  2018. 		if err != nil {
    2019. 

  2019. 			t.Logf("socksTCPConn.Write for %s failed: %s", destination, err)
    2020. 

  2020. 			return
    2021. 

  2021. 		}
    2022. 

  2022. 

  2023. 		udpgwProtocolMessage, err := readUdpgwMessage(socksTCPConn, buffer)
    2024. 

  2024. 		if err != nil {
    2025. 

  2025. 			t.Logf("readUdpgwMessage for %s failed: %s", destination, err)
    2026. 

  2026. 			return
    2027. 

  2027. 		}
    2028. 

  2028. 

  2029. 		_, err = serverUDPConn.WriteToUDP(udpgwProtocolMessage.packet, clientAddr)
    2030. 

  2030. 		if err != nil {
    2031. 

  2031. 			t.Logf("serverUDPConn.Write for %s failed: %s", destination, err)
    2032. 

  2032. 			return
    2033. 

  2033. 		}
    2034. 

  2034. 	}
    2035. 

  2035. 

  2036. 	// Tunneled DNS request
    2037. 

  2037. 

  2038. 	waitGroup := new(sync.WaitGroup)
    2039. 

  2039. 	waitGroup.Add(1)
    2040. 

  2040. 	go localUDPProxy(
    2041. 

  2041. 		net.IP(make([]byte, 4)), // ignored due to transparent DNS forwarding
    2042. 

  2042. 		53,
    2043. 

  2043. 		waitGroup)
    2044. 

  2044. 	// TODO: properly synchronize with local UDP proxy startup
    2045. 

  2045. 	time.Sleep(1 * time.Second)
    2046. 

  2046. 

  2047. 	clientUDPConn, err := net.DialUDP("udp", nil, localUDPProxyAddress)
    2048. 

  2048. 	if err != nil {
    2049. 

  2049. 		return fmt.Errorf("DialUDP failed: %s", err)
    2050. 

  2050. 	}
    2051. 

  2051. 

  2052. 	clientUDPConn.SetReadDeadline(time.Now().Add(timeout))
    2053. 

  2053. 	clientUDPConn.SetWriteDeadline(time.Now().Add(timeout))
    2054. 

  2054. 

  2055. 	addrs, _, err := psiphon.ResolveIP(testHostname, clientUDPConn)
    2056. 

  2056. 

  2057. 	clientUDPConn.Close()
    2058. 

  2058. 

  2059. 	if err == nil && (len(addrs) == 0 || len(addrs[0]) < 4) {
    2060. 

  2060. 		err = errors.New("no address")
    2061. 

  2061. 	}
    2062. 

  2062. 	if err != nil {
    2063. 

  2063. 		return fmt.Errorf("ResolveIP failed: %s", err)
    2064. 

  2064. 	}
    2065. 

  2065. 

  2066. 	waitGroup.Wait()
    2067. 

  2067. 

  2068. 	// Tunneled NTP request
    2069. 

  2069. 

  2070. 	waitGroup = new(sync.WaitGroup)
    2071. 

  2071. 	waitGroup.Add(1)
    2072. 

  2072. 	go localUDPProxy(
    2073. 

  2073. 		addrs[0][len(addrs[0])-4:],
    2074. 

  2074. 		123,
    2075. 

  2075. 		waitGroup)
    2076. 

  2076. 	// TODO: properly synchronize with local UDP proxy startup
    2077. 

  2077. 	time.Sleep(1 * time.Second)
    2078. 

  2078. 

  2079. 	clientUDPConn, err = net.DialUDP("udp", nil, localUDPProxyAddress)
    2080. 

  2080. 	if err != nil {
    2081. 

  2081. 		return fmt.Errorf("DialUDP failed: %s", err)
    2082. 

  2082. 	}
    2083. 

  2083. 

  2084. 	clientUDPConn.SetReadDeadline(time.Now().Add(timeout))
    2085. 

  2085. 	clientUDPConn.SetWriteDeadline(time.Now().Add(timeout))
    2086. 

  2086. 

  2087. 	// NTP protocol code from: https://groups.google.com/d/msg/golang-nuts/FlcdMU5fkLQ/CAeoD9eqm-IJ
    2088. 

  2088. 

  2089. 	ntpData := make([]byte, 48)
    2090. 

  2090. 	ntpData[0] = 3<<3 | 3
    2091. 

  2091. 

  2092. 	_, err = clientUDPConn.Write(ntpData)
    2093. 

  2093. 	if err != nil {
    2094. 

  2094. 		clientUDPConn.Close()
    2095. 

  2095. 		return fmt.Errorf("NTP Write failed: %s", err)
    2096. 

  2096. 	}
    2097. 

  2097. 

  2098. 	_, err = clientUDPConn.Read(ntpData)
    2099. 

  2099. 	if err != nil {
    2100. 

  2100. 		clientUDPConn.Close()
    2101. 

  2101. 		return fmt.Errorf("NTP Read failed: %s", err)
    2102. 

  2102. 	}
    2103. 

  2103. 

  2104. 	clientUDPConn.Close()
    2105. 

  2105. 

  2106. 	var sec, frac uint64
    2107. 

  2107. 	sec = uint64(ntpData[43]) | uint64(ntpData[42])<<8 | uint64(ntpData[41])<<16 | uint64(ntpData[40])<<24
    2108. 

  2108. 	frac = uint64(ntpData[47]) | uint64(ntpData[46])<<8 | uint64(ntpData[45])<<16 | uint64(ntpData[44])<<24
    2109. 

  2109. 

  2110. 	nsec := sec * 1e9
    2111. 

  2111. 	nsec += (frac * 1e9) >> 32
    2112. 

  2112. 

  2113. 	ntpNow := time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration(nsec)).Local()
    2114. 

  2114. 

  2115. 	now := time.Now()
    2116. 

  2116. 

  2117. 	diff := ntpNow.Sub(now)
    2118. 

  2118. 	if diff < 0 {
    2119. 

  2119. 		diff = -diff
    2120. 

  2120. 	}
    2121. 

  2121. 

  2122. 	if diff > 1*time.Minute {
    2123. 

  2123. 		return fmt.Errorf("Unexpected NTP time: %s; local time: %s", ntpNow, now)
    2124. 

  2124. 	}
    2125. 

  2125. 

  2126. 	waitGroup.Wait()
    2127. 

  2127. 

  2128. 	return nil
    2129. 

  2129. }
    2130. 

  2130. 

  2131. func pavePsinetDatabaseFile(
    2132. 

  2132. 	t *testing.T,
    2133. 

  2133. 	useDefaultSponsorID bool,
    2134. 

  2134. 	psinetFilename string,
    2135. 

  2135. 	validServerEntryTags []string) (string, string) {
    2136. 

  2136. 

  2137. 	sponsorID := prng.HexString(8)
    2138. 

  2138. 

  2139. 	defaultSponsorID := ""
    2140. 

  2140. 	if useDefaultSponsorID {
    2141. 

  2141. 		defaultSponsorID = sponsorID
    2142. 

  2142. 	}
    2143. 

  2143. 

  2144. 	fakeDomain := prng.HexString(4)
    2145. 

  2145. 	fakePath := prng.HexString(4)
    2146. 

  2146. 	expectedHomepageURL := fmt.Sprintf("https://%s.com/%s", fakeDomain, fakePath)
    2147. 

  2147. 

  2148. 	psinetJSONFormat := `
    2149. 

  2149.     {
    2150. 

  2150.         "default_sponsor_id" : "%s",
    2151. 

  2151.         "sponsors": {
    2152. 

  2152.             "%s": {
    2153. 

  2153.                 "home_pages": {
    2154. 

  2154.                     "None": [
    2155. 

  2155.                         {
    2156. 

  2156.                             "region": null,
    2157. 

  2157.                             "url": "%s"
    2158. 

  2158.                         }
    2159. 

  2159.                     ]
    2160. 

  2160.                 }
    2161. 

  2161.             }
    2162. 

  2162.         },
    2163. 

  2163.         "default_alert_action_urls" : {
    2164. 

  2164.             "%s": %s
    2165. 

  2165.         },
    2166. 

  2166.         "valid_server_entry_tags" : {
    2167. 

  2167.             %s
    2168. 

  2168.         }
    2169. 

  2169.     }
    2170. 

  2170. 	`
    2171. 

  2171. 

  2172. 	actionURLsJSON, _ := json.Marshal(testDisallowedTrafficAlertActionURLs)
    2173. 

  2173. 

  2174. 	validServerEntryTagsJSON := ""
    2175. 

  2175. 	for _, serverEntryTag := range validServerEntryTags {
    2176. 

  2176. 		if len(validServerEntryTagsJSON) > 0 {
    2177. 

  2177. 			validServerEntryTagsJSON += ", "
    2178. 

  2178. 		}
    2179. 

  2179. 		validServerEntryTagsJSON += fmt.Sprintf("\"%s\" : true", serverEntryTag)
    2180. 

  2180. 	}
    2181. 

  2181. 

  2182. 	psinetJSON := fmt.Sprintf(
    2183. 

  2183. 		psinetJSONFormat,
    2184. 

  2184. 		defaultSponsorID,
    2185. 

  2185. 		sponsorID,
    2186. 

  2186. 		expectedHomepageURL,
    2187. 

  2187. 		protocol.PSIPHON_API_ALERT_DISALLOWED_TRAFFIC,
    2188. 

  2188. 		actionURLsJSON,
    2189. 

  2189. 		validServerEntryTagsJSON)
    2190. 

  2190. 

  2191. 	err := ioutil.WriteFile(psinetFilename, []byte(psinetJSON), 0600)
    2192. 

  2192. 	if err != nil {
    2193. 

  2193. 		t.Fatalf("error paving psinet database file: %s", err)
    2194. 

  2194. 	}
    2195. 

  2195. 

  2196. 	return sponsorID, expectedHomepageURL
    2197. 

  2197. }
    2198. 

  2198. 

  2199. func paveTrafficRulesFile(
    2200. 

  2200. 	t *testing.T,
    2201. 

  2201. 	trafficRulesFilename string,
    2202. 

  2202. 	propagationChannelID string,
    2203. 

  2203. 	accessType string,
    2204. 

  2204. 	authorizationID string,
    2205. 

  2205. 	requireAuthorization bool,
    2206. 

  2206. 	deny bool,
    2207. 

  2207. 	livenessTestSize int) {
    2208. 

  2208. 

  2209. 	// Test both default and fast lookups
    2210. 

  2210. 	if intLookupThreshold != 10 {
    2211. 

  2211. 		t.Fatalf("unexpected intLookupThreshold")
    2212. 

  2212. 	}
    2213. 

  2213. 

  2214. 	TCPPorts := mockWebServerPort
    2215. 

  2215. 	UDPPorts := "53, 123, 10001, 10002, 10003, 10004, 10005, 10006, 10007, 10008, 10009, 10010"
    2216. 

  2216. 

  2217. 	allowTCPPorts := TCPPorts
    2218. 

  2218. 	allowUDPPorts := UDPPorts
    2219. 

  2219. 	disallowTCPPorts := "1"
    2220. 

  2220. 	disallowUDPPorts := "1"
    2221. 

  2221. 

  2222. 	if deny {
    2223. 

  2223. 		allowTCPPorts = "1"
    2224. 

  2224. 		allowUDPPorts = "1"
    2225. 

  2225. 		disallowTCPPorts = TCPPorts
    2226. 

  2226. 		disallowUDPPorts = UDPPorts
    2227. 

  2227. 	}
    2228. 

  2228. 

  2229. 	authorizationFilterFormat := `,
    2230. 

  2230.                     "AuthorizedAccessTypes" : ["%s"],
    2231. 

  2231.                     "ActiveAuthorizationIDs" : ["%s"]
    2232. 

  2232. 	`
    2233. 

  2233. 

  2234. 	authorizationFilter := ""
    2235. 

  2235. 	if requireAuthorization {
    2236. 

  2236. 		authorizationFilter = fmt.Sprintf(
    2237. 

  2237. 			authorizationFilterFormat, accessType, authorizationID)
    2238. 

  2238. 	}
    2239. 

  2239. 

  2240. 	// Supports two traffic rule test cases:
    2241. 

  2241. 	//
    2242. 

  2242. 	// 1. no ports are allowed until after the filtered rule is applied
    2243. 

  2243. 	// 2. no required ports are allowed (deny = true)
    2244. 

  2244. 

  2245. 	trafficRulesJSONFormat := `
    2246. 

  2246.     {
    2247. 

  2247.         "DefaultRules" :  {
    2248. 

  2248.             "RateLimits" : {
    2249. 

  2249.                 "ReadBytesPerSecond": 16384,
    2250. 

  2250.                 "WriteBytesPerSecond": 16384,
    2251. 

  2251.                 "ReadUnthrottledBytes": %d,
    2252. 

  2252.                 "WriteUnthrottledBytes": %d
    2253. 

  2253.             },
    2254. 

  2254.             "AllowTCPPorts" : [1],
    2255. 

  2255.             "AllowUDPPorts" : [1],
    2256. 

  2256.             "MeekRateLimiterHistorySize" : 10,
    2257. 

  2257.             "MeekRateLimiterThresholdSeconds" : 1,
    2258. 

  2258.             "MeekRateLimiterGarbageCollectionTriggerCount" : 1,
    2259. 

  2259.             "MeekRateLimiterReapHistoryFrequencySeconds" : 1,
    2260. 

  2260.             "MeekRateLimiterRegions" : []
    2261. 

  2261.         },
    2262. 

  2262.         "FilteredRules" : [
    2263. 

  2263.             {
    2264. 

  2264.                 "Filter" : {
    2265. 

  2265.                     "HandshakeParameters" : {
    2266. 

  2266.                         "propagation_channel_id" : ["%s"]
    2267. 

  2267.                     }%s
    2268. 

  2268.                 },
    2269. 

  2269.                 "Rules" : {
    2270. 

  2270.                     "RateLimits" : {
    2271. 

  2271.                         "ReadBytesPerSecond": 2097152,
    2272. 

  2272.                         "WriteBytesPerSecond": 2097152
    2273. 

  2273.                     },
    2274. 

  2274.                     "AllowTCPPorts" : [%s],
    2275. 

  2275.                     "AllowUDPPorts" : [%s],
    2276. 

  2276.                     "DisallowTCPPorts" : [%s],
    2277. 

  2277.                     "DisallowUDPPorts" : [%s]
    2278. 

  2278.                 }
    2279. 

  2279.             }
    2280. 

  2280.         ]
    2281. 

  2281.     }
    2282. 

  2282.     `
    2283. 

  2283. 

  2284. 	trafficRulesJSON := fmt.Sprintf(
    2285. 

  2285. 		trafficRulesJSONFormat,
    2286. 

  2286. 		livenessTestSize, livenessTestSize,
    2287. 

  2287. 		propagationChannelID, authorizationFilter,
    2288. 

  2288. 		allowTCPPorts, allowUDPPorts, disallowTCPPorts, disallowUDPPorts)
    2289. 

  2289. 

  2290. 	err := ioutil.WriteFile(trafficRulesFilename, []byte(trafficRulesJSON), 0600)
    2291. 

  2291. 	if err != nil {
    2292. 

  2292. 		t.Fatalf("error paving traffic rules file: %s", err)
    2293. 

  2293. 	}
    2294. 

  2294. }
    2295. 

  2295. 

  2296. var expectedNumSLOKs = 3
    2297. 

  2297. 

  2298. func paveOSLConfigFile(t *testing.T, oslConfigFilename string) string {
    2299. 

  2299. 

  2300. 	oslConfigJSONFormat := `
    2301. 

  2301.     {
    2302. 

  2302.       "Schemes" : [
    2303. 

  2303.         {
    2304. 

  2304.           "Epoch" : "%s",
    2305. 

  2305.           "Regions" : [],
    2306. 

  2306.           "PropagationChannelIDs" : ["%s"],
    2307. 

  2307.           "MasterKey" : "wFuSbqU/pJ/35vRmoM8T9ys1PgDa8uzJps1Y+FNKa5U=",
    2308. 

  2308.           "SeedSpecs" : [
    2309. 

  2309.             {
    2310. 

  2310.               "ID" : "IXHWfVgWFkEKvgqsjmnJuN3FpaGuCzQMETya+DSQvsk=",
    2311. 

  2311.               "UpstreamSubnets" : ["0.0.0.0/0"],
    2312. 

  2312.               "Targets" :
    2313. 

  2313.               {
    2314. 

  2314.                   "BytesRead" : 1,
    2315. 

  2315.                   "BytesWritten" : 1,
    2316. 

  2316.                   "PortForwardDurationNanoseconds" : 1
    2317. 

  2317.               }
    2318. 

  2318.             },
    2319. 

  2319.             {
    2320. 

  2320.               "ID" : "qvpIcORLE2Pi5TZmqRtVkEp+OKov0MhfsYPLNV7FYtI=",
    2321. 

  2321.               "UpstreamSubnets" : ["0.0.0.0/0"],
    2322. 

  2322.               "Targets" :
    2323. 

  2323.               {
    2324. 

  2324.                   "BytesRead" : 1,
    2325. 

  2325.                   "BytesWritten" : 1,
    2326. 

  2326.                   "PortForwardDurationNanoseconds" : 1
    2327. 

  2327.               }
    2328. 

  2328.             }
    2329. 

  2329.           ],
    2330. 

  2330.           "SeedSpecThreshold" : 2,
    2331. 

  2331.           "SeedPeriodNanoseconds" : 2592000000000000,
    2332. 

  2332.           "SeedPeriodKeySplits": [
    2333. 

  2333.             {
    2334. 

  2334.               "Total": 2,
    2335. 

  2335.               "Threshold": 2
    2336. 

  2336.             }
    2337. 

  2337.           ]
    2338. 

  2338.         },
    2339. 

  2339.         {
    2340. 

  2340.           "Epoch" : "%s",
    2341. 

  2341.           "Regions" : [],
    2342. 

  2342.           "PropagationChannelIDs" : ["%s"],
    2343. 

  2343.           "MasterKey" : "HDc/mvd7e+lKDJD0fMpJW66YJ/VW4iqDRjeclEsMnro=",
    2344. 

  2344.           "SeedSpecs" : [
    2345. 

  2345.             {
    2346. 

  2346.               "ID" : "/M0vsT0IjzmI0MvTI9IYe8OVyeQGeaPZN2xGxfLw/UQ=",
    2347. 

  2347.               "UpstreamSubnets" : ["0.0.0.0/0"],
    2348. 

  2348.               "Targets" :
    2349. 

  2349.               {
    2350. 

  2350.                   "BytesRead" : 1,
    2351. 

  2351.                   "BytesWritten" : 1,
    2352. 

  2352.                   "PortForwardDurationNanoseconds" : 1
    2353. 

  2353.               }
    2354. 

  2354.             }
    2355. 

  2355.           ],
    2356. 

  2356.           "SeedSpecThreshold" : 1,
    2357. 

  2357.           "SeedPeriodNanoseconds" : 2592000000000000,
    2358. 

  2358.           "SeedPeriodKeySplits": [
    2359. 

  2359.             {
    2360. 

  2360.               "Total": 1,
    2361. 

  2361.               "Threshold": 1
    2362. 

  2362.             }
    2363. 

  2363.           ]
    2364. 

  2364.         }
    2365. 

  2365.       ]
    2366. 

  2366.     }
    2367. 

  2367.     `
    2368. 

  2368. 

  2369. 	propagationChannelID := prng.HexString(8)
    2370. 

  2370. 

  2371. 	now := time.Now().UTC()
    2372. 

  2372. 	epoch := now.Truncate(720 * time.Hour)
    2373. 

  2373. 	epochStr := epoch.Format(time.RFC3339Nano)
    2374. 

  2374. 

  2375. 	oslConfigJSON := fmt.Sprintf(
    2376. 

  2376. 		oslConfigJSONFormat,
    2377. 

  2377. 		epochStr, propagationChannelID,
    2378. 

  2378. 		epochStr, propagationChannelID)
    2379. 

  2379. 

  2380. 	err := ioutil.WriteFile(oslConfigFilename, []byte(oslConfigJSON), 0600)
    2381. 

  2381. 	if err != nil {
    2382. 

  2382. 		t.Fatalf("error paving osl config file: %s", err)
    2383. 

  2383. 	}
    2384. 

  2384. 

  2385. 	return propagationChannelID
    2386. 

  2386. }
    2387. 

  2387. 

  2388. func paveTacticsConfigFile(
    2389. 

  2389. 	t *testing.T, tacticsConfigFilename string,
    2390. 

  2390. 	tacticsRequestPublicKey, tacticsRequestPrivateKey, tacticsRequestObfuscatedKey string,
    2391. 

  2391. 	tunnelProtocol string,
    2392. 

  2392. 	propagationChannelID string,
    2393. 

  2393. 	livenessTestSize int,
    2394. 

  2394. 	doBurstMonitor bool) {
    2395. 

  2395. 

  2396. 	// Setting LimitTunnelProtocols passively exercises the
    2397. 

  2397. 	// server-side LimitTunnelProtocols enforcement.
    2398. 

  2398. 

  2399. 	tacticsConfigJSONFormat := `
    2400. 

  2400.     {
    2401. 

  2401.       "RequestPublicKey" : "%s",
    2402. 

  2402.       "RequestPrivateKey" : "%s",
    2403. 

  2403.       "RequestObfuscatedKey" : "%s",
    2404. 

  2404.       "DefaultTactics" : {
    2405. 

  2405.         "TTL" : "60s",
    2406. 

  2406.         "Probability" : 1.0,
    2407. 

  2407.         "Parameters" : {
    2408. 

  2408.           %s
    2409. 

  2409.           "LimitTunnelProtocols" : ["%s"],
    2410. 

  2410.           "FragmentorLimitProtocols" : ["%s"],
    2411. 

  2411.           "FragmentorProbability" : 1.0,
    2412. 

  2412.           "FragmentorMinTotalBytes" : 1000,
    2413. 

  2413.           "FragmentorMaxTotalBytes" : 2000,
    2414. 

  2414.           "FragmentorMinWriteBytes" : 1,
    2415. 

  2415.           "FragmentorMaxWriteBytes" : 100,
    2416. 

  2416.           "FragmentorMinDelay" : "1ms",
    2417. 

  2417.           "FragmentorMaxDelay" : "10ms",
    2418. 

  2418.           "FragmentorDownstreamLimitProtocols" : ["%s"],
    2419. 

  2419.           "FragmentorDownstreamProbability" : 1.0,
    2420. 

  2420.           "FragmentorDownstreamMinTotalBytes" : 1000,
    2421. 

  2421.           "FragmentorDownstreamMaxTotalBytes" : 2000,
    2422. 

  2422.           "FragmentorDownstreamMinWriteBytes" : 1,
    2423. 

  2423.           "FragmentorDownstreamMaxWriteBytes" : 100,
    2424. 

  2424.           "FragmentorDownstreamMinDelay" : "1ms",
    2425. 

  2425.           "FragmentorDownstreamMaxDelay" : "10ms",
    2426. 

  2426.           "LivenessTestMinUpstreamBytes" : %d,
    2427. 

  2427.           "LivenessTestMaxUpstreamBytes" : %d,
    2428. 

  2428.           "LivenessTestMinDownstreamBytes" : %d,
    2429. 

  2429.           "LivenessTestMaxDownstreamBytes" : %d,
    2430. 

  2430.           "BPFServerTCPProgram": {
    2431. 

  2431.             "Name" : "test-server-bpf",
    2432. 

  2432.               "Instructions" : [
    2433. 

  2433.                 {"Op": "RetConstant", "Args": {"Val": 65535}}]},
    2434. 

  2434.           "BPFServerTCPProbability" : 1.0,
    2435. 

  2435.           "BPFClientTCPProgram": {
    2436. 

  2436.             "Name" : "test-client-bpf",
    2437. 

  2437.               "Instructions" : [
    2438. 

  2438.                 {"Op": "RetConstant", "Args": {"Val": 65535}}]},
    2439. 

  2439.           "BPFClientTCPProbability" : 1.0,
    2440. 

  2440.           "ServerPacketManipulationSpecs" : [{"Name": "test-packetman-spec", "PacketSpecs": [["TCP-flags S"]]}],
    2441. 

  2441.           "ServerPacketManipulationProbability" : 1.0,
    2442. 

  2442.           "ServerProtocolPacketManipulations": {"All" : ["test-packetman-spec"]}
    2443. 

  2443.         }
    2444. 

  2444.       },
    2445. 

  2445.       "FilteredTactics" : [
    2446. 

  2446.         {
    2447. 

  2447.           "Filter" : {
    2448. 

  2448.             "APIParameters" : {"propagation_channel_id" : ["%s"]},
    2449. 

  2449.             "SpeedTestRTTMilliseconds" : {
    2450. 

  2450.               "Aggregation" : "Median",
    2451. 

  2451.               "AtLeast" : 1
    2452. 

  2452.             }
    2453. 

  2453.           },
    2454. 

  2454.           "Tactics" : {
    2455. 

  2455.             "Parameters" : {
    2456. 

  2456.               "TunnelConnectTimeout" : "20s",
    2457. 

  2457.               "TunnelRateLimits" : {"WriteBytesPerSecond": 1000000},
    2458. 

  2458.               "TransformHostNameProbability" : 1.0,
    2459. 

  2459.               "PickUserAgentProbability" : 1.0,
    2460. 

  2460.               "ApplicationParameters" : {
    2461. 

  2461.                 "AppFlag1" : true,
    2462. 

  2462.                 "AppConfig1" : {"Option1" : "A", "Option2" : "B"},
    2463. 

  2463.                 "AppSwitches1" : [1, 2, 3, 4]
    2464. 

  2464.               },
    2465. 

  2465.               "CustomHostNameRegexes": ["%s"],
    2466. 

  2466.               "CustomHostNameProbability": 1.0,
    2467. 

  2467.               "CustomHostNameLimitProtocols": ["%s"]
    2468. 

  2468.             }
    2469. 

  2469.           }
    2470. 

  2470.         }
    2471. 

  2471.       ]
    2472. 

  2472.     }
    2473. 

  2473.     `
    2474. 

  2474. 

  2475. 	burstParameters := ""
    2476. 

  2476. 	if doBurstMonitor {
    2477. 

  2477. 		burstParameters = `
    2478. 

  2478.           "ServerBurstUpstreamDeadline" : "100ms",
    2479. 

  2479.           "ServerBurstUpstreamTargetBytes" : 1000,
    2480. 

  2480.           "ServerBurstDownstreamDeadline" : "100ms",
    2481. 

  2481.           "ServerBurstDownstreamTargetBytes" : 100000,
    2482. 

  2482.           "ClientBurstUpstreamDeadline" : "100ms",
    2483. 

  2483.           "ClientBurstUpstreamTargetBytes" : 1000,
    2484. 

  2484.           "ClientBurstDownstreamDeadline" : "100ms",
    2485. 

  2485.           "ClientBurstDownstreamTargetBytes" : 100000,
    2486. 

  2486. 	`
    2487. 

  2487. 	}
    2488. 

  2488. 

  2489. 	tacticsConfigJSON := fmt.Sprintf(
    2490. 

  2490. 		tacticsConfigJSONFormat,
    2491. 

  2491. 		tacticsRequestPublicKey, tacticsRequestPrivateKey, tacticsRequestObfuscatedKey,
    2492. 

  2492. 		burstParameters,
    2493. 

  2493. 		tunnelProtocol,
    2494. 

  2494. 		tunnelProtocol,
    2495. 

  2495. 		tunnelProtocol,
    2496. 

  2496. 		livenessTestSize, livenessTestSize, livenessTestSize, livenessTestSize,
    2497. 

  2497. 		propagationChannelID,
    2498. 

  2498. 		strings.ReplaceAll(testCustomHostNameRegex, `\`, `\\`),
    2499. 

  2499. 		tunnelProtocol)
    2500. 

  2500. 

  2501. 	err := ioutil.WriteFile(tacticsConfigFilename, []byte(tacticsConfigJSON), 0600)
    2502. 

  2502. 	if err != nil {
    2503. 

  2503. 		t.Fatalf("error paving tactics config file: %s", err)
    2504. 

  2504. 	}
    2505. 

  2505. }
    2506. 

  2506. 

  2507. func paveBlocklistFile(t *testing.T, blocklistFilename string) {
    2508. 

  2508. 

  2509. 	blocklistContent :=
    2510. 

  2510. 		"255.255.255.255,test-source,test-subject\n2001:db8:f75c::0951:58bc:ef22,test-source,test-subject\nexample.org,test-source,test-subject\n"
    2511. 

  2511. 

  2512. 	err := ioutil.WriteFile(blocklistFilename, []byte(blocklistContent), 0600)
    2513. 

  2513. 	if err != nil {
    2514. 

  2514. 		t.Fatalf("error paving blocklist file: %s", err)
    2515. 

  2515. 	}
    2516. 

  2516. }
    2517. 

  2517. 

  2518. type pruneServerEntryTestCase struct {
    2519. 

  2519. 	IPAddress         string
    2520. 

  2520. 	ExplicitTag       bool
    2521. 

  2521. 	ExpectedTag       string
    2522. 

  2522. 	LocalTimestamp    string
    2523. 

  2523. 	PsinetValid       bool
    2524. 

  2524. 	ExpectPrune       bool
    2525. 

  2525. 	IsEmbedded        bool
    2526. 

  2526. 	DialPort0         bool
    2527. 

  2527. 	ServerEntryFields protocol.ServerEntryFields
    2528. 

  2528. }
    2529. 

  2529. 

  2530. func initializePruneServerEntriesTest(
    2531. 

  2531. 	t *testing.T,
    2532. 

  2532. 	runConfig *runServerConfig) ([]*pruneServerEntryTestCase, []string, int) {
    2533. 

  2533. 

  2534. 	if !runConfig.doPruneServerEntries {
    2535. 

  2535. 		return nil, nil, 0
    2536. 

  2536. 	}
    2537. 

  2537. 

  2538. 	newTimeStamp := time.Now().UTC().Format(time.RFC3339)
    2539. 

  2539. 	oldTimeStamp := time.Now().Add(-30 * 24 * time.Hour).UTC().Format(time.RFC3339)
    2540. 

  2540. 

  2541. 	// Test Cases:
    2542. 

  2542. 	// - ExplicitTag: server entry includes a tag; vs. generate a derived tag
    2543. 

  2543. 	// - LocalTimestamp: server entry is sufficiently old to be pruned; vs. not
    2544. 

  2544. 	// - PsinetValid: server entry is reported valid by psinet; vs. deleted
    2545. 

  2545. 	// - ExpectPrune: prune outcome based on flags above
    2546. 

  2546. 	// - IsEmbedded: pruned embedded server entries leave a tombstone and cannot
    2547. 

  2547. 	//   be reimported
    2548. 

  2548. 	// - DialPort0: set dial port to 0, a special prune case (see statusAPIRequestHandler)
    2549. 

  2549. 

  2550. 	pruneServerEntryTestCases := []*pruneServerEntryTestCase{
    2551. 

  2551. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.1", ExplicitTag: true, LocalTimestamp: newTimeStamp, PsinetValid: true, ExpectPrune: false},
    2552. 

  2552. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.2", ExplicitTag: false, LocalTimestamp: newTimeStamp, PsinetValid: true, ExpectPrune: false},
    2553. 

  2553. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.3", ExplicitTag: true, LocalTimestamp: oldTimeStamp, PsinetValid: true, ExpectPrune: false},
    2554. 

  2554. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.4", ExplicitTag: false, LocalTimestamp: oldTimeStamp, PsinetValid: true, ExpectPrune: false},
    2555. 

  2555. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.5", ExplicitTag: true, LocalTimestamp: newTimeStamp, PsinetValid: false, ExpectPrune: false},
    2556. 

  2556. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.6", ExplicitTag: false, LocalTimestamp: newTimeStamp, PsinetValid: false, ExpectPrune: false},
    2557. 

  2557. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.7", ExplicitTag: true, LocalTimestamp: oldTimeStamp, PsinetValid: false, ExpectPrune: true, IsEmbedded: false},
    2558. 

  2558. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.8", ExplicitTag: false, LocalTimestamp: oldTimeStamp, PsinetValid: false, ExpectPrune: true, IsEmbedded: false},
    2559. 

  2559. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.9", ExplicitTag: true, LocalTimestamp: oldTimeStamp, PsinetValid: false, ExpectPrune: true, IsEmbedded: true},
    2560. 

  2560. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.10", ExplicitTag: false, LocalTimestamp: oldTimeStamp, PsinetValid: false, ExpectPrune: true, IsEmbedded: true},
    2561. 

  2561. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.11", ExplicitTag: true, LocalTimestamp: oldTimeStamp, PsinetValid: true, ExpectPrune: true, IsEmbedded: false, DialPort0: true},
    2562. 

  2562. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.12", ExplicitTag: false, LocalTimestamp: oldTimeStamp, PsinetValid: true, ExpectPrune: true, IsEmbedded: true, DialPort0: true},
    2563. 

  2563. 		&pruneServerEntryTestCase{IPAddress: "192.0.2.13", ExplicitTag: true, LocalTimestamp: oldTimeStamp, PsinetValid: true, ExpectPrune: true, IsEmbedded: true, DialPort0: true},
    2564. 

  2564. 	}
    2565. 

  2565. 

  2566. 	for _, testCase := range pruneServerEntryTestCases {
    2567. 

  2567. 

  2568. 		dialPort := 4000
    2569. 

  2569. 		if testCase.DialPort0 {
    2570. 

  2570. 			dialPort = 0
    2571. 

  2571. 		}
    2572. 

  2572. 

  2573. 		_, _, _, _, encodedServerEntry, err := GenerateConfig(
    2574. 

  2574. 			&GenerateConfigParams{
    2575. 

  2575. 				ServerIPAddress:     testCase.IPAddress,
    2576. 

  2576. 				WebServerPort:       8000,
    2577. 

  2577. 				TunnelProtocolPorts: map[string]int{runConfig.tunnelProtocol: dialPort},
    2578. 

  2578. 			})
    2579. 

  2579. 		if err != nil {
    2580. 

  2580. 			t.Fatalf("GenerateConfig failed: %s", err)
    2581. 

  2581. 		}
    2582. 

  2582. 

  2583. 		serverEntrySource := protocol.SERVER_ENTRY_SOURCE_REMOTE
    2584. 

  2584. 		if testCase.IsEmbedded {
    2585. 

  2585. 			serverEntrySource = protocol.SERVER_ENTRY_SOURCE_EMBEDDED
    2586. 

  2586. 		}
    2587. 

  2587. 

  2588. 		serverEntryFields, err := protocol.DecodeServerEntryFields(
    2589. 

  2589. 			string(encodedServerEntry),
    2590. 

  2590. 			testCase.LocalTimestamp,
    2591. 

  2591. 			serverEntrySource)
    2592. 

  2592. 		if err != nil {
    2593. 

  2593. 			t.Fatalf("DecodeServerEntryFields failed: %s", err)
    2594. 

  2594. 		}
    2595. 

  2595. 

  2596. 		if testCase.ExplicitTag {
    2597. 

  2597. 			testCase.ExpectedTag = prng.Base64String(32)
    2598. 

  2598. 			serverEntryFields.SetTag(testCase.ExpectedTag)
    2599. 

  2599. 		} else {
    2600. 

  2600. 			testCase.ExpectedTag = protocol.GenerateServerEntryTag(
    2601. 

  2601. 				serverEntryFields.GetIPAddress(),
    2602. 

  2602. 				serverEntryFields.GetWebServerSecret())
    2603. 

  2603. 		}
    2604. 

  2604. 

  2605. 		testCase.ServerEntryFields = serverEntryFields
    2606. 

  2606. 	}
    2607. 

  2607. 

  2608. 	psinetValidServerEntryTags := make([]string, 0)
    2609. 

  2609. 	expectedNumPruneNotices := 0
    2610. 

  2610. 

  2611. 	for _, testCase := range pruneServerEntryTestCases {
    2612. 

  2612. 

  2613. 		if testCase.PsinetValid {
    2614. 

  2614. 			psinetValidServerEntryTags = append(
    2615. 

  2615. 				psinetValidServerEntryTags, testCase.ExpectedTag)
    2616. 

  2616. 		}
    2617. 

  2617. 

  2618. 		if testCase.ExpectPrune {
    2619. 

  2619. 			expectedNumPruneNotices += 1
    2620. 

  2620. 		}
    2621. 

  2621. 	}
    2622. 

  2622. 

  2623. 	return pruneServerEntryTestCases,
    2624. 

  2624. 		psinetValidServerEntryTags,
    2625. 

  2625. 		expectedNumPruneNotices
    2626. 

  2626. }
    2627. 

  2627. 

  2628. func storePruneServerEntriesTest(
    2629. 

  2629. 	t *testing.T,
    2630. 

  2630. 	runConfig *runServerConfig,
    2631. 

  2631. 	testDataDirName string,
    2632. 

  2632. 	pruneServerEntryTestCases []*pruneServerEntryTestCase) {
    2633. 

  2633. 

  2634. 	if !runConfig.doPruneServerEntries {
    2635. 

  2635. 		return
    2636. 

  2636. 	}
    2637. 

  2637. 

  2638. 	for _, testCase := range pruneServerEntryTestCases {
    2639. 

  2639. 

  2640. 		err := psiphon.StoreServerEntry(testCase.ServerEntryFields, true)
    2641. 

  2641. 		if err != nil {
    2642. 

  2642. 			t.Fatalf("StoreServerEntry failed: %s", err)
    2643. 

  2643. 		}
    2644. 

  2644. 	}
    2645. 

  2645. 

  2646. 	clientConfig := &psiphon.Config{
    2647. 

  2647. 		SponsorId:            "0",
    2648. 

  2648. 		PropagationChannelId: "0",
    2649. 

  2649. 

  2650. 		// DataRootDirectory must to be set to avoid a migration in the current
    2651. 

  2651. 		// working directory.
    2652. 

  2652. 		DataRootDirectory: testDataDirName,
    2653. 

  2653. 	}
    2654. 

  2654. 	err := clientConfig.Commit(false)
    2655. 

  2655. 	if err != nil {
    2656. 

  2656. 		t.Fatalf("Commit failed: %s", err)
    2657. 

  2657. 	}
    2658. 

  2658. 

  2659. 	applyParameters := make(map[string]interface{})
    2660. 

  2660. 	applyParameters[parameters.RecordFailedTunnelPersistentStatsProbability] = 1.0
    2661. 

  2661. 

  2662. 	err = clientConfig.SetParameters("", true, applyParameters)
    2663. 

  2663. 	if err != nil {
    2664. 

  2664. 		t.Fatalf("SetParameters failed: %s", err)
    2665. 

  2665. 	}
    2666. 

  2666. 

  2667. 	verifyTestCasesStored := make(verifyTestCasesStoredLookup)
    2668. 

  2668. 	for _, testCase := range pruneServerEntryTestCases {
    2669. 

  2669. 		verifyTestCasesStored.mustBeStored(testCase.IPAddress)
    2670. 

  2670. 	}
    2671. 

  2671. 

  2672. 	scanServerEntries(t, clientConfig, pruneServerEntryTestCases, func(
    2673. 

  2673. 		t *testing.T,
    2674. 

  2674. 		testCase *pruneServerEntryTestCase,
    2675. 

  2675. 		serverEntry *protocol.ServerEntry) {
    2676. 

  2676. 

  2677. 		verifyTestCasesStored.isStored(testCase.IPAddress)
    2678. 

  2678. 

  2679. 		// Check that random tag was retained or derived tag was calculated as
    2680. 

  2680. 		// expected
    2681. 

  2681. 

  2682. 		if serverEntry.Tag != testCase.ExpectedTag {
    2683. 

  2683. 			t.Fatalf("unexpected tag for %s got %s expected %s",
    2684. 

  2684. 				testCase.IPAddress, serverEntry.Tag, testCase.ExpectedTag)
    2685. 

  2685. 		}
    2686. 

  2686. 

  2687. 		// Create failed tunnel event records to exercise pruning
    2688. 

  2688. 

  2689. 		dialParams, err := psiphon.MakeDialParameters(
    2690. 

  2690. 			clientConfig,
    2691. 

  2691. 			nil,
    2692. 

  2692. 			func(_ *protocol.ServerEntry, _ string) bool { return true },
    2693. 

  2693. 			func(serverEntry *protocol.ServerEntry) (string, bool) {
    2694. 

  2694. 				return runConfig.tunnelProtocol, true
    2695. 

  2695. 			},
    2696. 

  2696. 			serverEntry,
    2697. 

  2697. 			false,
    2698. 

  2698. 			0,
    2699. 

  2699. 			0)
    2700. 

  2700. 		if err != nil {
    2701. 

  2701. 			t.Fatalf("MakeDialParameters failed: %s", err)
    2702. 

  2702. 		}
    2703. 

  2703. 

  2704. 		err = psiphon.RecordFailedTunnelStat(
    2705. 

  2705. 			clientConfig, dialParams, nil, 0, 0, errors.New("test error"))
    2706. 

  2706. 		if err != nil {
    2707. 

  2707. 			t.Fatalf("RecordFailedTunnelStat failed: %s", err)
    2708. 

  2708. 		}
    2709. 

  2709. 	})
    2710. 

  2710. 

  2711. 	verifyTestCasesStored.checkStored(
    2712. 

  2712. 		t, "missing prune test case server entries")
    2713. 

  2713. }
    2714. 

  2714. 

  2715. func checkPruneServerEntriesTest(
    2716. 

  2716. 	t *testing.T,
    2717. 

  2717. 	runConfig *runServerConfig,
    2718. 

  2718. 	testDataDirName string,
    2719. 

  2719. 	pruneServerEntryTestCases []*pruneServerEntryTestCase) {
    2720. 

  2720. 

  2721. 	if !runConfig.doPruneServerEntries {
    2722. 

  2722. 		return
    2723. 

  2723. 	}
    2724. 

  2724. 

  2725. 	clientConfig := &psiphon.Config{
    2726. 

  2726. 		SponsorId:            "0",
    2727. 

  2727. 		PropagationChannelId: "0",
    2728. 

  2728. 

  2729. 		// DataRootDirectory must to be set to avoid a migration in the current
    2730. 

  2730. 		// working directory.
    2731. 

  2731. 		DataRootDirectory: testDataDirName,
    2732. 

  2732. 	}
    2733. 

  2733. 	err := clientConfig.Commit(false)
    2734. 

  2734. 	if err != nil {
    2735. 

  2735. 		t.Fatalf("Commit failed: %s", err)
    2736. 

  2736. 	}
    2737. 

  2737. 

  2738. 	// Check that server entries remain or are pruned as expected
    2739. 

  2739. 

  2740. 	verifyTestCasesStored := make(verifyTestCasesStoredLookup)
    2741. 

  2741. 	for _, testCase := range pruneServerEntryTestCases {
    2742. 

  2742. 		if !testCase.ExpectPrune {
    2743. 

  2743. 			verifyTestCasesStored.mustBeStored(testCase.IPAddress)
    2744. 

  2744. 		}
    2745. 

  2745. 	}
    2746. 

  2746. 

  2747. 	scanServerEntries(t, clientConfig, pruneServerEntryTestCases, func(
    2748. 

  2748. 		t *testing.T,
    2749. 

  2749. 		testCase *pruneServerEntryTestCase,
    2750. 

  2750. 		serverEntry *protocol.ServerEntry) {
    2751. 

  2751. 

  2752. 		if testCase.ExpectPrune {
    2753. 

  2753. 			t.Fatalf("expected prune for %s", testCase.IPAddress)
    2754. 

  2754. 		} else {
    2755. 

  2755. 			verifyTestCasesStored.isStored(testCase.IPAddress)
    2756. 

  2756. 		}
    2757. 

  2757. 	})
    2758. 

  2758. 

  2759. 	verifyTestCasesStored.checkStored(
    2760. 

  2760. 		t, "missing prune test case server entries")
    2761. 

  2761. 

  2762. 	// Check that pruned server entries reimport or not, as expected
    2763. 

  2763. 

  2764. 	for _, testCase := range pruneServerEntryTestCases {
    2765. 

  2765. 

  2766. 		err := psiphon.StoreServerEntry(testCase.ServerEntryFields, true)
    2767. 

  2767. 		if err != nil {
    2768. 

  2768. 			t.Fatalf("StoreServerEntry failed: %s", err)
    2769. 

  2769. 		}
    2770. 

  2770. 	}
    2771. 

  2771. 

  2772. 	verifyTestCasesStored = make(verifyTestCasesStoredLookup)
    2773. 

  2773. 	for _, testCase := range pruneServerEntryTestCases {
    2774. 

  2774. 		if !testCase.ExpectPrune || !testCase.IsEmbedded {
    2775. 

  2775. 			verifyTestCasesStored.mustBeStored(testCase.IPAddress)
    2776. 

  2776. 		}
    2777. 

  2777. 	}
    2778. 

  2778. 

  2779. 	scanServerEntries(t, clientConfig, pruneServerEntryTestCases, func(
    2780. 

  2780. 		t *testing.T,
    2781. 

  2781. 		testCase *pruneServerEntryTestCase,
    2782. 

  2782. 		serverEntry *protocol.ServerEntry) {
    2783. 

  2783. 

  2784. 		if testCase.ExpectPrune && testCase.IsEmbedded {
    2785. 

  2785. 			t.Fatalf("expected tombstone for %s", testCase.IPAddress)
    2786. 

  2786. 		} else {
    2787. 

  2787. 			verifyTestCasesStored.isStored(testCase.IPAddress)
    2788. 

  2788. 		}
    2789. 

  2789. 	})
    2790. 

  2790. 

  2791. 	verifyTestCasesStored.checkStored(
    2792. 

  2792. 		t, "missing reimported prune test case server entries")
    2793. 

  2793. 

  2794. 	// Non-embedded server entries with tombstones _can_ be reimported
    2795. 

  2795. 

  2796. 	for _, testCase := range pruneServerEntryTestCases {
    2797. 

  2797. 

  2798. 		testCase.ServerEntryFields.SetLocalSource(protocol.SERVER_ENTRY_SOURCE_REMOTE)
    2799. 

  2799. 

  2800. 		err := psiphon.StoreServerEntry(testCase.ServerEntryFields, true)
    2801. 

  2801. 		if err != nil {
    2802. 

  2802. 			t.Fatalf("StoreServerEntry failed: %s", err)
    2803. 

  2803. 		}
    2804. 

  2804. 	}
    2805. 

  2805. 

  2806. 	verifyTestCasesStored = make(verifyTestCasesStoredLookup)
    2807. 

  2807. 	for _, testCase := range pruneServerEntryTestCases {
    2808. 

  2808. 		verifyTestCasesStored.mustBeStored(testCase.IPAddress)
    2809. 

  2809. 	}
    2810. 

  2810. 

  2811. 	scanServerEntries(t, clientConfig, pruneServerEntryTestCases, func(
    2812. 

  2812. 		t *testing.T,
    2813. 

  2813. 		testCase *pruneServerEntryTestCase,
    2814. 

  2814. 		serverEntry *protocol.ServerEntry) {
    2815. 

  2815. 

  2816. 		verifyTestCasesStored.isStored(testCase.IPAddress)
    2817. 

  2817. 	})
    2818. 

  2818. 

  2819. 	verifyTestCasesStored.checkStored(
    2820. 

  2820. 		t, "missing non-embedded reimported prune test case server entries")
    2821. 

  2821. }
    2822. 

  2822. 

  2823. func scanServerEntries(
    2824. 

  2824. 	t *testing.T,
    2825. 

  2825. 	clientConfig *psiphon.Config,
    2826. 

  2826. 	pruneServerEntryTestCases []*pruneServerEntryTestCase,
    2827. 

  2827. 	scanner func(
    2828. 

  2828. 		t *testing.T,
    2829. 

  2829. 		testCase *pruneServerEntryTestCase,
    2830. 

  2830. 		serverEntry *protocol.ServerEntry)) {
    2831. 

  2831. 

  2832. 	_, iterator, err := psiphon.NewServerEntryIterator(clientConfig)
    2833. 

  2833. 	if err != nil {
    2834. 

  2834. 		t.Fatalf("NewServerEntryIterator failed: %s", err)
    2835. 

  2835. 	}
    2836. 

  2836. 	defer iterator.Close()
    2837. 

  2837. 

  2838. 	for {
    2839. 

  2839. 

  2840. 		serverEntry, err := iterator.Next()
    2841. 

  2841. 		if err != nil {
    2842. 

  2842. 			t.Fatalf("ServerIterator.Next failed: %s", err)
    2843. 

  2843. 		}
    2844. 

  2844. 		if serverEntry == nil {
    2845. 

  2845. 			break
    2846. 

  2846. 		}
    2847. 

  2847. 

  2848. 		for _, testCase := range pruneServerEntryTestCases {
    2849. 

  2849. 			if testCase.IPAddress == serverEntry.IpAddress {
    2850. 

  2850. 				scanner(t, testCase, serverEntry)
    2851. 

  2851. 				break
    2852. 

  2852. 			}
    2853. 

  2853. 		}
    2854. 

  2854. 	}
    2855. 

  2855. }
    2856. 

  2856. 

  2857. type verifyTestCasesStoredLookup map[string]bool
    2858. 

  2858. 

  2859. func (v verifyTestCasesStoredLookup) mustBeStored(s string) {
    2860. 

  2860. 	v[s] = true
    2861. 

  2861. }
    2862. 

  2862. 

  2863. func (v verifyTestCasesStoredLookup) isStored(s string) {
    2864. 

  2864. 	delete(v, s)
    2865. 

  2865. }
    2866. 

  2866. 

  2867. func (v verifyTestCasesStoredLookup) checkStored(t *testing.T, errMessage string) {
    2868. 

  2868. 	if len(v) != 0 {
    2869. 

  2869. 		t.Fatalf("%s: %+v", errMessage, v)
    2870. 

  2870. 	}
    2871. 

  2871. }
    2872.