ooni-probe-cli/internal/engine/netx/selfcensor/selfcensor_test.go

package selfcensor_test

import (
	"context"
	"strings"
	"testing"
	"time"

	"github.com/ooni/probe-cli/v3/internal/engine/netx"
	"github.com/ooni/probe-cli/v3/internal/engine/netx/selfcensor"
)

// TestDisabled MUST be the first test in this file.
func TestDisabled(t *testing.T) {
	if selfcensor.Enabled() != false {
		t.Fatal("self censorship should be disabled by default")
	}
	if selfcensor.Attempts() != 0 {
		t.Fatal("we expect no self censorship attempts at the beginning")
	}
	t.Run("the system resolver does not trigger selfcensor events", func(t *testing.T) {
		addrs, err := selfcensor.SystemResolver{}.LookupHost(
			context.Background(), "dns.google",
		)
		if err != nil {
			t.Fatal(err)
		}
		if addrs == nil {
			t.Fatal("expected non-nil addrs here")
		}
		if selfcensor.Attempts() != 0 {
			t.Fatal("we expect no self censorship attempts by default")
		}
	})
	t.Run("the system dialer does not trigger selfcensor events", func(t *testing.T) {
		conn, err := selfcensor.SystemDialer{}.DialContext(
			context.Background(), "tcp", "8.8.8.8:443",
		)
		if err != nil {
			t.Fatal(err)
		}
		if conn == nil {
			t.Fatal("expected non-nil conn here")
		}
		conn.Close()
		if selfcensor.Attempts() != 0 {
			t.Fatal("we expect no self censorship attempts by default")
		}
	})
}

// TestDisabled MUST be the second test in this file.
func TestEnableInvalidJSON(t *testing.T) {
	if selfcensor.Enabled() != false {
		t.Fatal("we need to start with self censorship not enabled")
	}
	err := selfcensor.Enable("{")
	if err == nil || !strings.HasSuffix(err.Error(), "unexpected end of JSON input") {
		t.Fatal("not the error we expectd")
	}
	if selfcensor.Enabled() != false {
		t.Fatal("we expected self censorship to still be not enabled")
	}
}

// TestMaybeEnableWorksAsIntended MUST be the second test in this file.
func TestMaybeEnableWorksAsIntended(t *testing.T) {
	if selfcensor.Enabled() != false {
		t.Fatal("we need to start with self censorship not enabled")
	}
	err := selfcensor.MaybeEnable("")
	if err != nil {
		t.Fatal(err)
	}
	if selfcensor.Enabled() != false {
		t.Fatal("we expected self censorship to still be not enabled")
	}
}

func TestResolveCauseNXDOMAIN(t *testing.T) {
	err := selfcensor.MaybeEnable(`{"PoisonSystemDNS":{"dns.google":["NXDOMAIN"]}}`)
	if err != nil {
		t.Fatal(err)
	}
	if selfcensor.Enabled() != true {
		t.Fatal("we expected self censorship to be enabled now")
	}
	addrs, err := selfcensor.SystemResolver{}.LookupHost(
		context.Background(), "dns.google",
	)
	if err == nil || !strings.HasSuffix(err.Error(), "no such host") {
		t.Fatal("not the error we expected")
	}
	if addrs != nil {
		t.Fatal("expected nil addrs here")
	}
}

func TestResolveCauseTimeout(t *testing.T) {
	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
	defer cancel()
	err := selfcensor.MaybeEnable(`{"PoisonSystemDNS":{"dns.google":["TIMEOUT"]}}`)
	if err != nil {
		t.Fatal(err)
	}
	if selfcensor.Enabled() != true {
		t.Fatal("we expected self censorship to be enabled now")
	}
	addrs, err := selfcensor.SystemResolver{}.LookupHost(ctx, "dns.google")
	if err == nil || err.Error() != "i/o timeout" {
		t.Fatal("not the error we expected")
	}
	if addrs != nil {
		t.Fatal("expected nil addrs here")
	}
}

func TestResolveCauseBogon(t *testing.T) {
	err := selfcensor.MaybeEnable(`{"PoisonSystemDNS":{"dns.google":["10.0.0.7"]}}`)
	if err != nil {
		t.Fatal(err)
	}
	if selfcensor.Enabled() != true {
		t.Fatal("we expected self censorship to be enabled now")
	}
	addrs, err := selfcensor.SystemResolver{}.LookupHost(
		context.Background(), "dns.google")
	if err != nil {
		t.Fatal(err)
	}
	if len(addrs) != 1 || addrs[0] != "10.0.0.7" {
		t.Fatal("not the addrs we expected")
	}
}

func TestResolveCheckNetworkAndAddress(t *testing.T) {
	err := selfcensor.MaybeEnable(`{"PoisonSystemDNS":{"dns.google":["10.0.0.7"]}}`)
	if err != nil {
		t.Fatal(err)
	}
	if selfcensor.Enabled() != true {
		t.Fatal("we expected self censorship to be enabled now")
	}
	reso := selfcensor.SystemResolver{}
	if reso.Network() != "system" {
		t.Fatal("invalid Network")
	}
	if reso.Address() != "" {
		t.Fatal("invalid Address")
	}
}

func TestDialHandlesErrorsWithBlockedFingerprints(t *testing.T) {
	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
	cancel() // so we should fail immediately!
	err := selfcensor.MaybeEnable(`{"BlockedFingerprints":{"dns.google":"TIMEOUT"}}`)
	if err != nil {
		t.Fatal(err)
	}
	if selfcensor.Enabled() != true {
		t.Fatal("we expected self censorship to be enabled now")
	}
	addrs, err := selfcensor.SystemDialer{}.DialContext(ctx, "tcp", "8.8.8.8:443")
	if err == nil || !strings.HasSuffix(err.Error(), "operation was canceled") {
		t.Fatal("not the error we expected")
	}
	if addrs != nil {
		t.Fatal("expected nil addrs here")
	}
}

func TestDialCauseTimeout(t *testing.T) {
	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
	defer cancel()
	err := selfcensor.MaybeEnable(`{"BlockedEndpoints":{"8.8.8.8:443":"TIMEOUT"}}`)
	if err != nil {
		t.Fatal(err)
	}
	if selfcensor.Enabled() != true {
		t.Fatal("we expected self censorship to be enabled now")
	}
	addrs, err := selfcensor.SystemDialer{}.DialContext(ctx, "tcp", "8.8.8.8:443")
	if err == nil || err.Error() != "i/o timeout" {
		t.Fatal("not the error we expected")
	}
	if addrs != nil {
		t.Fatal("expected nil addrs here")
	}
}

func TestDialCauseConnectionRefused(t *testing.T) {
	err := selfcensor.MaybeEnable(`{"BlockedEndpoints":{"8.8.8.8:443":"REJECT"}}`)
	if err != nil {
		t.Fatal(err)
	}
	if selfcensor.Enabled() != true {
		t.Fatal("we expected self censorship to be enabled now")
	}
	addrs, err := selfcensor.SystemDialer{}.DialContext(
		context.Background(), "tcp", "8.8.8.8:443")
	if err == nil || !strings.HasSuffix(err.Error(), "connection refused") {
		t.Fatal("not the error we expected")
	}
	if addrs != nil {
		t.Fatal("expected nil addrs here")
	}
}

func TestBlockedFingerprintsTimeout(t *testing.T) {
	err := selfcensor.MaybeEnable(`{"BlockedFingerprints":{"dns.google":"TIMEOUT"}}`)
	if err != nil {
		t.Fatal(err)
	}
	if selfcensor.Enabled() != true {
		t.Fatal("we expected self censorship to be enabled now")
	}
	tlsDialer := netx.NewTLSDialer(netx.Config{
		Dialer: selfcensor.SystemDialer{},
	})
	conn, err := tlsDialer.DialTLSContext(
		context.Background(), "tcp", "dns.google:443")
	if err == nil || err.Error() != "generic_timeout_error" {
		t.Fatal("not the error expected")
	}
	if conn != nil {
		t.Fatal("expected nil conn here")
	}
}

func TestBlockedFingerprintsNoMatch(t *testing.T) {
	err := selfcensor.MaybeEnable(`{"BlockedFingerprints":{"ooni.io":"TIMEOUT"}}`)
	if err != nil {
		t.Fatal(err)
	}
	if selfcensor.Enabled() != true {
		t.Fatal("we expected self censorship to be enabled now")
	}
	tlsDialer := netx.NewTLSDialer(netx.Config{
		Dialer: selfcensor.SystemDialer{},
	})
	conn, err := tlsDialer.DialTLSContext(
		context.Background(), "tcp", "dns.google:443")
	if err != nil {
		t.Fatal(err)
	}
	if conn == nil {
		t.Fatal("expected non-nil conn here")
	}
	conn.Close()
}

func TestBlockedFingerprintsConnectionReset(t *testing.T) {
	err := selfcensor.MaybeEnable(`{"BlockedFingerprints":{"dns.google":"RST"}}`)
	if err != nil {
		t.Fatal(err)
	}
	if selfcensor.Enabled() != true {
		t.Fatal("we expected self censorship to be enabled now")
	}
	tlsDialer := netx.NewTLSDialer(netx.Config{
		Dialer: selfcensor.SystemDialer{},
	})
	conn, err := tlsDialer.DialTLSContext(
		context.Background(), "tcp", "dns.google:443")
	if err == nil || err.Error() != "connection_reset" {
		t.Fatal("not the error we expected")
	}
	if conn != nil {
		t.Fatal("expected nil conn here")
	}
}
chore: merge probe-engine into probe-cli (#201) This is how I did it: 1. `git clone https://github.com/ooni/probe-engine internal/engine` 2. ``` (cd internal/engine && git describe --tags) v0.23.0 ``` 3. `nvim go.mod` (merging `go.mod` with `internal/engine/go.mod` 4. `rm -rf internal/.git internal/engine/go.{mod,sum}` 5. `git add internal/engine` 6. `find . -type f -name \*.go -exec sed -i 's@/ooni/probe-engine@/ooni/probe-cli/v3/internal/engine@g' {} \;` 7. `go build ./...` (passes) 8. `go test -race ./...` (temporary failure on RiseupVPN) 9. `go mod tidy` 10. this commit message Once this piece of work is done, we can build a new version of `ooniprobe` that is using `internal/engine` directly. We need to do more work to ensure all the other functionality in `probe-engine` (e.g. making mobile packages) are still WAI. Part of https://github.com/ooni/probe/issues/1335 2021-02-02 12:05:47 +01:00			`package selfcensor_test`

			`import (`
			`"context"`
			`"strings"`
			`"testing"`
			`"time"`

			`"github.com/ooni/probe-cli/v3/internal/engine/netx"`
			`"github.com/ooni/probe-cli/v3/internal/engine/netx/selfcensor"`
			`)`

			`// TestDisabled MUST be the first test in this file.`
			`func TestDisabled(t *testing.T) {`
			`if selfcensor.Enabled() != false {`
			`t.Fatal("self censorship should be disabled by default")`
			`}`
			`if selfcensor.Attempts() != 0 {`
			`t.Fatal("we expect no self censorship attempts at the beginning")`
			`}`
			`t.Run("the system resolver does not trigger selfcensor events", func(t *testing.T) {`
			`addrs, err := selfcensor.SystemResolver{}.LookupHost(`
			`context.Background(), "dns.google",`
			`)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if addrs == nil {`
			`t.Fatal("expected non-nil addrs here")`
			`}`
			`if selfcensor.Attempts() != 0 {`
			`t.Fatal("we expect no self censorship attempts by default")`
			`}`
			`})`
			`t.Run("the system dialer does not trigger selfcensor events", func(t *testing.T) {`
			`conn, err := selfcensor.SystemDialer{}.DialContext(`
			`context.Background(), "tcp", "8.8.8.8:443",`
			`)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if conn == nil {`
			`t.Fatal("expected non-nil conn here")`
			`}`
			`conn.Close()`
			`if selfcensor.Attempts() != 0 {`
			`t.Fatal("we expect no self censorship attempts by default")`
			`}`
			`})`
			`}`

			`// TestDisabled MUST be the second test in this file.`
			`func TestEnableInvalidJSON(t *testing.T) {`
			`if selfcensor.Enabled() != false {`
			`t.Fatal("we need to start with self censorship not enabled")`
			`}`
			`err := selfcensor.Enable("{")`
			`if err == nil \|\| !strings.HasSuffix(err.Error(), "unexpected end of JSON input") {`
			`t.Fatal("not the error we expectd")`
			`}`
			`if selfcensor.Enabled() != false {`
			`t.Fatal("we expected self censorship to still be not enabled")`
			`}`
			`}`

			`// TestMaybeEnableWorksAsIntended MUST be the second test in this file.`
			`func TestMaybeEnableWorksAsIntended(t *testing.T) {`
			`if selfcensor.Enabled() != false {`
			`t.Fatal("we need to start with self censorship not enabled")`
			`}`
			`err := selfcensor.MaybeEnable("")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if selfcensor.Enabled() != false {`
			`t.Fatal("we expected self censorship to still be not enabled")`
			`}`
			`}`

			`func TestResolveCauseNXDOMAIN(t *testing.T) {`
			err := selfcensor.MaybeEnable(`{"PoisonSystemDNS":{"dns.google":["NXDOMAIN"]}}`)
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if selfcensor.Enabled() != true {`
			`t.Fatal("we expected self censorship to be enabled now")`
			`}`
			`addrs, err := selfcensor.SystemResolver{}.LookupHost(`
			`context.Background(), "dns.google",`
			`)`
			`if err == nil \|\| !strings.HasSuffix(err.Error(), "no such host") {`
			`t.Fatal("not the error we expected")`
			`}`
			`if addrs != nil {`
			`t.Fatal("expected nil addrs here")`
			`}`
			`}`

			`func TestResolveCauseTimeout(t *testing.T) {`
			`ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)`
			`defer cancel()`
			err := selfcensor.MaybeEnable(`{"PoisonSystemDNS":{"dns.google":["TIMEOUT"]}}`)
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if selfcensor.Enabled() != true {`
			`t.Fatal("we expected self censorship to be enabled now")`
			`}`
			`addrs, err := selfcensor.SystemResolver{}.LookupHost(ctx, "dns.google")`
			`if err == nil \|\| err.Error() != "i/o timeout" {`
			`t.Fatal("not the error we expected")`
			`}`
			`if addrs != nil {`
			`t.Fatal("expected nil addrs here")`
			`}`
			`}`

			`func TestResolveCauseBogon(t *testing.T) {`
			err := selfcensor.MaybeEnable(`{"PoisonSystemDNS":{"dns.google":["10.0.0.7"]}}`)
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if selfcensor.Enabled() != true {`
			`t.Fatal("we expected self censorship to be enabled now")`
			`}`
			`addrs, err := selfcensor.SystemResolver{}.LookupHost(`
			`context.Background(), "dns.google")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if len(addrs) != 1 \|\| addrs[0] != "10.0.0.7" {`
			`t.Fatal("not the addrs we expected")`
			`}`
			`}`

			`func TestResolveCheckNetworkAndAddress(t *testing.T) {`
			err := selfcensor.MaybeEnable(`{"PoisonSystemDNS":{"dns.google":["10.0.0.7"]}}`)
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if selfcensor.Enabled() != true {`
			`t.Fatal("we expected self censorship to be enabled now")`
			`}`
			`reso := selfcensor.SystemResolver{}`
			`if reso.Network() != "system" {`
			`t.Fatal("invalid Network")`
			`}`
			`if reso.Address() != "" {`
			`t.Fatal("invalid Address")`
			`}`
			`}`

			`func TestDialHandlesErrorsWithBlockedFingerprints(t *testing.T) {`
			`ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)`
			`cancel() // so we should fail immediately!`
			err := selfcensor.MaybeEnable(`{"BlockedFingerprints":{"dns.google":"TIMEOUT"}}`)
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if selfcensor.Enabled() != true {`
			`t.Fatal("we expected self censorship to be enabled now")`
			`}`
			`addrs, err := selfcensor.SystemDialer{}.DialContext(ctx, "tcp", "8.8.8.8:443")`
			`if err == nil \|\| !strings.HasSuffix(err.Error(), "operation was canceled") {`
			`t.Fatal("not the error we expected")`
			`}`
			`if addrs != nil {`
			`t.Fatal("expected nil addrs here")`
			`}`
			`}`

			`func TestDialCauseTimeout(t *testing.T) {`
			`ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)`
			`defer cancel()`
			err := selfcensor.MaybeEnable(`{"BlockedEndpoints":{"8.8.8.8:443":"TIMEOUT"}}`)
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if selfcensor.Enabled() != true {`
			`t.Fatal("we expected self censorship to be enabled now")`
			`}`
			`addrs, err := selfcensor.SystemDialer{}.DialContext(ctx, "tcp", "8.8.8.8:443")`
			`if err == nil \|\| err.Error() != "i/o timeout" {`
			`t.Fatal("not the error we expected")`
			`}`
			`if addrs != nil {`
			`t.Fatal("expected nil addrs here")`
			`}`
			`}`

			`func TestDialCauseConnectionRefused(t *testing.T) {`
			err := selfcensor.MaybeEnable(`{"BlockedEndpoints":{"8.8.8.8:443":"REJECT"}}`)
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if selfcensor.Enabled() != true {`
			`t.Fatal("we expected self censorship to be enabled now")`
			`}`
			`addrs, err := selfcensor.SystemDialer{}.DialContext(`
			`context.Background(), "tcp", "8.8.8.8:443")`
			`if err == nil \|\| !strings.HasSuffix(err.Error(), "connection refused") {`
			`t.Fatal("not the error we expected")`
			`}`
			`if addrs != nil {`
			`t.Fatal("expected nil addrs here")`
			`}`
			`}`

			`func TestBlockedFingerprintsTimeout(t *testing.T) {`
			err := selfcensor.MaybeEnable(`{"BlockedFingerprints":{"dns.google":"TIMEOUT"}}`)
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if selfcensor.Enabled() != true {`
			`t.Fatal("we expected self censorship to be enabled now")`
			`}`
			`tlsDialer := netx.NewTLSDialer(netx.Config{`
			`Dialer: selfcensor.SystemDialer{},`
			`})`
			`conn, err := tlsDialer.DialTLSContext(`
			`context.Background(), "tcp", "dns.google:443")`
			`if err == nil \|\| err.Error() != "generic_timeout_error" {`
			`t.Fatal("not the error expected")`
			`}`
			`if conn != nil {`
			`t.Fatal("expected nil conn here")`
			`}`
			`}`

			`func TestBlockedFingerprintsNoMatch(t *testing.T) {`
			err := selfcensor.MaybeEnable(`{"BlockedFingerprints":{"ooni.io":"TIMEOUT"}}`)
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if selfcensor.Enabled() != true {`
			`t.Fatal("we expected self censorship to be enabled now")`
			`}`
			`tlsDialer := netx.NewTLSDialer(netx.Config{`
			`Dialer: selfcensor.SystemDialer{},`
			`})`
			`conn, err := tlsDialer.DialTLSContext(`
			`context.Background(), "tcp", "dns.google:443")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if conn == nil {`
			`t.Fatal("expected non-nil conn here")`
			`}`
			`conn.Close()`
			`}`

			`func TestBlockedFingerprintsConnectionReset(t *testing.T) {`
			err := selfcensor.MaybeEnable(`{"BlockedFingerprints":{"dns.google":"RST"}}`)
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if selfcensor.Enabled() != true {`
			`t.Fatal("we expected self censorship to be enabled now")`
			`}`
			`tlsDialer := netx.NewTLSDialer(netx.Config{`
			`Dialer: selfcensor.SystemDialer{},`
			`})`
			`conn, err := tlsDialer.DialTLSContext(`
			`context.Background(), "tcp", "dns.google:443")`
			`if err == nil \|\| err.Error() != "connection_reset" {`
			`t.Fatal("not the error we expected")`
			`}`
			`if conn != nil {`
			`t.Fatal("expected nil conn here")`
			`}`
			`}`