feat: support embedding encrypted psiphon config (#285)

We use an optional build tag to hide this configuration. When you
choose this configuration, you need to provide the encrypted config
as well as the corresponding decryption key.

This is not the final design. This is an interim design to start
working and experimenting with this functionality. The general
idea here is to support psiphon in the binaries we build without
committing the psiphon config to the repository itself.

Part of https://github.com/ooni/probe/issues/985

internal/engine/.gitignore

@@ -12,4 +12,6 @@
 /oohelper
 /oohelperd
 /oonipsiphon/
+/psiphon-config.json.age
+/psiphon-config.key
 .DS_Store

internal/engine/session.go

@@ -275,15 +275,6 @@ func (s *Session) DefaultHTTPClient() *http.Client {
 	return &http.Client{Transport: s.httpDefaultTransport}
 }
 
-// FetchPsiphonConfig fetches psiphon config from the API.
-func (s *Session) FetchPsiphonConfig(ctx context.Context) ([]byte, error) {
-	clnt, err := s.NewOrchestraClient(ctx)
-	if err != nil {
-		return nil, err
-	}
-	return clnt.FetchPsiphonConfig(ctx)
-}
-
 // FetchTorTargets fetches tor targets from the API.
 func (s *Session) FetchTorTargets(
 	ctx context.Context, cc string) (map[string]model.TorTarget, error) {

internal/engine/session_nopsiphon.go

@@ -0,0 +1,14 @@
+// +build !ooni_psiphon_config
+
+package engine
+
+import "context"
+
+// FetchPsiphonConfig fetches psiphon config from the API.
+func (s *Session) FetchPsiphonConfig(ctx context.Context) ([]byte, error) {
+	clnt, err := s.NewOrchestraClient(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return clnt.FetchPsiphonConfig(ctx)
+}

internal/engine/session_psiphon.go

@@ -0,0 +1,34 @@
+// +build ooni_psiphon_config
+
+package engine
+
+import (
+	"bytes"
+	"context"
+	_ "embed"
+	"io/ioutil"
+
+	"filippo.io/age"
+)
+
+//go:embed psiphon-config.json.age
+var psiphonConfigJSONAge []byte
+
+//go:embed psiphon-config.key
+var psiphonConfigSecretKey string
+
+// FetchPsiphonConfig decrypts psiphonConfigJSONAge using
+// filippo.io/age _and_ psiphonConfigSecretKey.
+func (s *Session) FetchPsiphonConfig(ctx context.Context) ([]byte, error) {
+	key := "AGE-SECRET-KEY-1" + psiphonConfigSecretKey
+	identity, err := age.ParseX25519Identity(key)
+	if err != nil {
+		return nil, err
+	}
+	input := bytes.NewReader(psiphonConfigJSONAge)
+	output, err := age.Decrypt(input, identity)
+	if err != nil {
+		return nil, err
+	}
+	return ioutil.ReadAll(output)
+}

internal/engine/session_psiphon_test.go

@@ -0,0 +1,19 @@
+// +build ooni_psiphon_config
+
+package engine
+
+import (
+	"context"
+	"testing"
+)
+
+func TestSessionEmbeddedPsiphonConfig(t *testing.T) {
+	s := &Session{}
+	data, err := s.FetchPsiphonConfig(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+	if data == nil {
+		t.Fatal("expected non-nil data here")
+	}
+}