2021-02-02 12:05:47 +01:00
|
|
|
package iptables
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"errors"
|
|
|
|
|
"net"
|
|
|
|
|
"net/http"
|
|
|
|
|
"net/http/httptest"
|
|
|
|
|
"net/url"
|
|
|
|
|
"runtime"
|
|
|
|
|
"strings"
|
|
|
|
|
"testing"
|
|
|
|
|
"time"
|
|
|
|
|
|
2021-02-10 07:40:48 +01:00
|
|
|
"golang.org/x/sys/execabs"
|
|
|
|
|
|
2021-02-02 12:05:47 +01:00
|
|
|
"github.com/apex/log"
|
2021-02-03 12:23:15 +01:00
|
|
|
"github.com/ooni/probe-cli/v3/internal/cmd/jafar/resolver"
|
|
|
|
|
"github.com/ooni/probe-cli/v3/internal/cmd/jafar/uncensored"
|
refactor: flatten and separate (#353)
* refactor(atomicx): move outside the engine package
After merging probe-engine into probe-cli, my impression is that we have
too much unnecessary nesting of packages in this repository.
The idea of this commit and of a bunch of following commits will instead
be to reduce the nesting and simplify the structure.
While there, improve the documentation.
* fix: always use the atomicx package
For consistency, never use sync/atomic and always use ./internal/atomicx
so we can just grep and make sure we're not risking to crash if we make
a subtle mistake on a 32 bit platform.
While there, mention in the contributing guidelines that we want to
always prefer the ./internal/atomicx package over sync/atomic.
* fix(atomicx): remove unnecessary constructor
We don't need a constructor here. The default constructed `&Int64{}`
instance is already usable and the constructor does not add anything to
what we are doing, rather it just creates extra confusion.
* cleanup(atomicx): we are not using Float64
Because atomicx.Float64 is unused, we can safely zap it.
* cleanup(atomicx): simplify impl and improve tests
We can simplify the implementation by using defer and by letting
the Load() method call Add(0).
We can improve tests by making many goroutines updated the
atomic int64 value concurrently.
* refactor(fsx): can live in the ./internal pkg
Let us reduce the amount of nesting. While there, ensure that the
package only exports the bare minimum, and improve the documentation
of the tests, to ease reading the code.
* refactor: move runtimex to ./internal
* refactor: move shellx into the ./internal package
While there, remove unnecessary dependency between packages.
While there, specify in the contributing guidelines that
one should use x/sys/execabs instead of os/exec.
* refactor: move ooapi into the ./internal pkg
* refactor(humanize): move to ./internal and better docs
* refactor: move platform to ./internal
* refactor(randx): move to ./internal
* refactor(multierror): move into the ./internal pkg
* refactor(kvstore): all kvstores in ./internal
Rather than having part of the kvstore inside ./internal/engine/kvstore
and part in ./internal/engine/kvstore.go, let us put every piece of code
that is kvstore related into the ./internal/kvstore package.
* fix(kvstore): always return ErrNoSuchKey on Get() error
It should help to use the kvstore everywhere removing all the
copies that are lingering around the tree.
* sessionresolver: make KVStore mandatory
Simplifies implementation. While there, use the ./internal/kvstore
package rather than having our private implementation.
* fix(ooapi): use the ./internal/kvstore package
* fix(platform): better documentation
2021-06-04 10:34:18 +02:00
|
|
|
"github.com/ooni/probe-cli/v3/internal/shellx"
|
2021-02-02 12:05:47 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
|
log.SetLevel(log.ErrorLevel)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newCensoringPolicy() *CensoringPolicy {
|
|
|
|
|
policy := NewCensoringPolicy()
|
|
|
|
|
policy.Waive() // start over to allow for repeated tests on failure
|
|
|
|
|
return policy
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestCannotApplyPolicy(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("not implemented on this platform")
|
|
|
|
|
}
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
t.Skip("skip test in short mode")
|
|
|
|
|
}
|
|
|
|
|
policy := newCensoringPolicy()
|
|
|
|
|
defer policy.Waive()
|
|
|
|
|
policy.DropIPs = []string{"antani"}
|
|
|
|
|
if err := policy.Apply(); err == nil {
|
|
|
|
|
t.Fatal("expected an error here")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestCreateChainsError(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("not implemented on this platform")
|
|
|
|
|
}
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
t.Skip("skip test in short mode")
|
|
|
|
|
}
|
|
|
|
|
policy := newCensoringPolicy()
|
|
|
|
|
defer policy.Waive()
|
|
|
|
|
if err := policy.Apply(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
// you should not be able to apply the policy when there is
|
|
|
|
|
// already a policy, you need to waive it first
|
|
|
|
|
if err := policy.Apply(); err == nil {
|
|
|
|
|
t.Fatal("expected an error here")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestDropIP(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("not implemented on this platform")
|
|
|
|
|
}
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
t.Skip("skip test in short mode")
|
|
|
|
|
}
|
|
|
|
|
policy := newCensoringPolicy()
|
|
|
|
|
defer policy.Waive()
|
|
|
|
|
policy.DropIPs = []string{"1.1.1.1"}
|
|
|
|
|
if err := policy.Apply(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
|
|
|
|
|
defer cancel()
|
|
|
|
|
conn, err := (&net.Dialer{}).DialContext(ctx, "tcp", "1.1.1.1:853")
|
|
|
|
|
if err == nil {
|
|
|
|
|
t.Fatalf("expected an error here")
|
|
|
|
|
}
|
|
|
|
|
if err.Error() != "dial tcp 1.1.1.1:853: i/o timeout" {
|
|
|
|
|
t.Fatal("unexpected error occurred")
|
|
|
|
|
}
|
|
|
|
|
if conn != nil {
|
|
|
|
|
t.Fatal("expected nil connection here")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestDropKeyword(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("not implemented on this platform")
|
|
|
|
|
}
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
t.Skip("skip test in short mode")
|
|
|
|
|
}
|
|
|
|
|
policy := newCensoringPolicy()
|
|
|
|
|
defer policy.Waive()
|
|
|
|
|
policy.DropKeywords = []string{"ooni.io"}
|
|
|
|
|
if err := policy.Apply(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
|
|
|
|
|
defer cancel()
|
|
|
|
|
req, err := http.NewRequest("GET", "http://www.ooni.io", nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
resp, err := http.DefaultClient.Do(req.WithContext(ctx))
|
|
|
|
|
if err == nil {
|
|
|
|
|
t.Fatal("expected an error here")
|
|
|
|
|
}
|
|
|
|
|
if !strings.HasSuffix(err.Error(), "context deadline exceeded") {
|
|
|
|
|
t.Fatal("unexpected error occurred")
|
|
|
|
|
}
|
|
|
|
|
if resp != nil {
|
|
|
|
|
t.Fatal("expected nil response here")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestDropKeywordHex(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("not implemented on this platform")
|
|
|
|
|
}
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
t.Skip("skip test in short mode")
|
|
|
|
|
}
|
|
|
|
|
policy := newCensoringPolicy()
|
|
|
|
|
defer policy.Waive()
|
|
|
|
|
policy.DropKeywordsHex = []string{"|6f 6f 6e 69|"}
|
|
|
|
|
if err := policy.Apply(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
|
|
|
|
|
defer cancel()
|
|
|
|
|
req, err := http.NewRequest("GET", "http://www.ooni.io", nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
resp, err := http.DefaultClient.Do(req.WithContext(ctx))
|
|
|
|
|
if err == nil {
|
|
|
|
|
t.Fatal("expected an error here")
|
|
|
|
|
}
|
|
|
|
|
// the error we see with GitHub Actions is different from the error
|
|
|
|
|
// we see when testing locally on Fedora
|
|
|
|
|
if !strings.HasSuffix(err.Error(), "operation not permitted") &&
|
|
|
|
|
!strings.HasSuffix(err.Error(), "Temporary failure in name resolution") &&
|
|
|
|
|
!strings.HasSuffix(err.Error(), "no such host") {
|
|
|
|
|
t.Fatalf("unexpected error occurred: %+v", err)
|
|
|
|
|
}
|
|
|
|
|
if resp != nil {
|
|
|
|
|
t.Fatal("expected nil response here")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestResetIP(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("not implemented on this platform")
|
|
|
|
|
}
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
t.Skip("skip test in short mode")
|
|
|
|
|
}
|
|
|
|
|
policy := newCensoringPolicy()
|
|
|
|
|
defer policy.Waive()
|
|
|
|
|
policy.ResetIPs = []string{"1.1.1.1"}
|
|
|
|
|
if err := policy.Apply(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
conn, err := (&net.Dialer{}).Dial("tcp", "1.1.1.1:853")
|
|
|
|
|
if err == nil {
|
|
|
|
|
t.Fatalf("expected an error here")
|
|
|
|
|
}
|
|
|
|
|
if err.Error() != "dial tcp 1.1.1.1:853: connect: connection refused" {
|
|
|
|
|
t.Fatal("unexpected error occurred")
|
|
|
|
|
}
|
|
|
|
|
if conn != nil {
|
|
|
|
|
t.Fatal("expected nil connection here")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestResetKeyword(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("not implemented on this platform")
|
|
|
|
|
}
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
t.Skip("skip test in short mode")
|
|
|
|
|
}
|
|
|
|
|
policy := newCensoringPolicy()
|
|
|
|
|
defer policy.Waive()
|
|
|
|
|
policy.ResetKeywords = []string{"ooni.io"}
|
|
|
|
|
if err := policy.Apply(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
resp, err := http.Get("http://www.ooni.io")
|
|
|
|
|
if err == nil {
|
|
|
|
|
t.Fatal("expected an error here")
|
|
|
|
|
}
|
|
|
|
|
if strings.Contains(err.Error(), "read: connection reset by peer") == false {
|
|
|
|
|
t.Fatal("unexpected error occurred")
|
|
|
|
|
}
|
|
|
|
|
if resp != nil {
|
|
|
|
|
t.Fatal("expected nil response here")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestResetKeywordHex(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("not implemented on this platform")
|
|
|
|
|
}
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
t.Skip("skip test in short mode")
|
|
|
|
|
}
|
|
|
|
|
policy := newCensoringPolicy()
|
|
|
|
|
defer policy.Waive()
|
|
|
|
|
policy.ResetKeywordsHex = []string{"|6f 6f 6e 69|"}
|
|
|
|
|
if err := policy.Apply(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
resp, err := http.Get("http://www.ooni.io")
|
|
|
|
|
if err == nil {
|
|
|
|
|
t.Fatal("expected an error here")
|
|
|
|
|
}
|
|
|
|
|
if strings.Contains(err.Error(), "read: connection reset by peer") == false {
|
|
|
|
|
t.Fatal("unexpected error occurred")
|
|
|
|
|
}
|
|
|
|
|
if resp != nil {
|
|
|
|
|
t.Fatal("expected nil response here")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestHijackDNS(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("not implemented on this platform")
|
|
|
|
|
}
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
t.Skip("skip test in short mode")
|
|
|
|
|
}
|
|
|
|
|
resolver := resolver.NewCensoringResolver(
|
|
|
|
|
[]string{"ooni.io"}, nil, nil,
|
|
|
|
|
uncensored.Must(uncensored.NewClient("dot://1.1.1.1:853")),
|
|
|
|
|
)
|
|
|
|
|
server, err := resolver.Start("127.0.0.1:0")
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
defer server.Shutdown()
|
|
|
|
|
policy := newCensoringPolicy()
|
|
|
|
|
defer policy.Waive()
|
|
|
|
|
policy.HijackDNSAddress = server.PacketConn.LocalAddr().String()
|
|
|
|
|
if err := policy.Apply(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
addrs, err := net.LookupHost("www.ooni.io")
|
|
|
|
|
if err == nil {
|
|
|
|
|
t.Fatal("expected an error here")
|
|
|
|
|
}
|
|
|
|
|
if strings.Contains(err.Error(), "no such host") == false {
|
|
|
|
|
t.Fatal("unexpected error occurred")
|
|
|
|
|
}
|
|
|
|
|
if addrs != nil {
|
|
|
|
|
t.Fatal("expected nil addrs here")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestHijackHTTP(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("not implemented on this platform")
|
|
|
|
|
}
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
t.Skip("skip test in short mode")
|
|
|
|
|
}
|
|
|
|
|
// Implementation note: this test is complicated by the fact
|
|
|
|
|
// that we are running as root and so we're whitelisted.
|
|
|
|
|
server := httptest.NewServer(http.HandlerFunc(
|
|
|
|
|
func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
w.WriteHeader(451)
|
|
|
|
|
}),
|
|
|
|
|
)
|
|
|
|
|
defer server.Close()
|
|
|
|
|
policy := newCensoringPolicy()
|
|
|
|
|
defer policy.Waive()
|
|
|
|
|
pu, err := url.Parse(server.URL)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
policy.HijackHTTPAddress = pu.Host
|
|
|
|
|
if err := policy.Apply(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
2021-06-04 14:02:18 +02:00
|
|
|
err = shellx.Run(log.Log, "sudo", "-u", "nobody", "--",
|
2021-02-02 12:05:47 +01:00
|
|
|
"curl", "-sf", "http://example.com")
|
|
|
|
|
if err == nil {
|
|
|
|
|
t.Fatal("expected an error here")
|
|
|
|
|
}
|
2021-02-10 07:40:48 +01:00
|
|
|
var exitErr *execabs.ExitError
|
2021-02-02 12:05:47 +01:00
|
|
|
if !errors.As(err, &exitErr) {
|
|
|
|
|
t.Fatal("not the error type we expected")
|
|
|
|
|
}
|
|
|
|
|
if exitErr.ExitCode() != 22 {
|
|
|
|
|
t.Fatal("not the exit code we expected")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestHijackHTTPS(t *testing.T) {
|
|
|
|
|
if runtime.GOOS != "linux" {
|
|
|
|
|
t.Skip("not implemented on this platform")
|
|
|
|
|
}
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
t.Skip("skip test in short mode")
|
|
|
|
|
}
|
|
|
|
|
// Implementation note: this test is complicated by the fact
|
|
|
|
|
// that we are running as root and so we're whitelisted.
|
|
|
|
|
server := httptest.NewTLSServer(http.HandlerFunc(
|
|
|
|
|
func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
w.WriteHeader(451)
|
|
|
|
|
}),
|
|
|
|
|
)
|
|
|
|
|
defer server.Close()
|
|
|
|
|
policy := newCensoringPolicy()
|
|
|
|
|
defer policy.Waive()
|
|
|
|
|
pu, err := url.Parse(server.URL)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
policy.HijackHTTPSAddress = pu.Host
|
|
|
|
|
if err := policy.Apply(); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
2021-06-04 14:02:18 +02:00
|
|
|
err = shellx.Run(log.Log, "sudo", "-u", "nobody", "--",
|
2021-02-02 12:05:47 +01:00
|
|
|
"curl", "-sf", "https://example.com")
|
|
|
|
|
if err == nil {
|
|
|
|
|
t.Fatal("expected an error here")
|
|
|
|
|
}
|
|
|
|
|
t.Log(err)
|
2021-02-10 07:40:48 +01:00
|
|
|
var exitErr *execabs.ExitError
|
2021-02-02 12:05:47 +01:00
|
|
|
if !errors.As(err, &exitErr) {
|
|
|
|
|
t.Fatal("not the error type we expected")
|
|
|
|
|
}
|
|
|
|
|
if exitErr.ExitCode() != 60 {
|
|
|
|
|
t.Fatal("not the exit code we expected")
|
|
|
|
|
}
|
|
|
|
|
}
|