0c48bc0746
* refactor: enable QA tests and jafar self test Part of https://github.com/ooni/probe/issues/1335 * chore: make sure all workflows run on release branches
#!/bin/bash

#
# This script uses cURL to verify that Jafar is able to produce a
# bunch of censorship conditions. It should be noted that this script
# only works on Linux and will never work on other systems.
#
# The scenarios also invoke dig(1) and host(1), and they refer to
# ./jafar and badproxy.pem by relative path, so the script has to be
# started from the directory that contains both.
#
# NOTE(review): every scenario passes -iptables-* flags to ./jafar and
# one of them chowns a temporary file to "nobody", so the script
# presumably needs root and alters the host's packet filtering while it
# runs. Confirm, and run it in a disposable VM or CI container rather
# than on a workstation or shared host.
#

# Abort on the first unhandled command failure.
set -e
# Trace a command on stderr (prefixed with "+ ") and then run it.
# Arguments: the command followed by its arguments.
# Returns:   the exit status of the command.
function execute() {
  # "$*" joins the words with a space for the trace line only; the
  # command itself is run from "$@" so no argument is re-split.
  echo "+ $*" >&2
  "$@"
}
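# Run a command and require a specific exit status from it.
# Arguments: $1    - expected exit status (decimal integer)
#            $2... - command to run, with its arguments
# Outputs:   "expected exitcode E, found F" on stderr
# Returns:   0 when the status matches; otherwise terminates the
#            current (sub)shell with `exit 1`.
function expectexitcode() {
  local expect
  local exitcode
  expect=$1
  # Refuse a missing or non-numeric expectation. An unquoted
  # `[ $exitcode != $expect ]` with an empty $expect is a malformed test
  # that evaluates false, so the scenario would be reported as passing.
  case "$expect" in
    '' | *[!0-9]*)
      echo "fatal: expected exitcode must be a number, got '$expect'" 1>&2
      exit 1
      ;;
  esac
  shift
  # Capture the status with `||` instead of toggling `set +e`/`set -e`,
  # so errexit is never switched on behind the caller's back.
  exitcode=0
  "$@" || exitcode=$?
  echo "expected exitcode $expect, found $exitcode" 1>&2
  if [ "$exitcode" -ne "$expect" ]; then
    exit 1
  fi
}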
# Run one scenario between BEGIN/END markers printed on stdout.
# Arguments: $1 - name of the function (or command) to run
# Note: the script runs under `set -e`, so when the scenario fails the
#       END marker is never printed.
function runtest() {
  local scenario=$1
  printf '=== BEGIN %s ===\n' "$scenario"
  "$scenario"
  printf '=== END %s ===\n' "$scenario"
}
# HTTP scenario: curl must exit with 52 (empty reply from server).
# curl connects to example.com (--connect-to) while still requesting
# http://ooni.io, gives up after 5 seconds (-m5) and stays silent (-s).
# NOTE(review): the flag name suggests jafar redirects HTTP traffic to
# 127.0.0.1:7117 — confirm against jafar's usage text.
function http_got_nothing() {
  local -a jafar_cmd=(
    ./jafar
    -iptables-hijack-http-to 127.0.0.1:7117
    -main-command 'curl -sm5 --connect-to ::example.com: http://ooni.io'
  )
  expectexitcode 52 execute "${jafar_cmd[@]}"
}
# HTTP scenario: curl must exit with 56 (failure receiving network data).
# The cleartext request mentions "ooni" because the URL host is ooni.io.
# NOTE(review): the flag name suggests jafar resets connections whose
# payload contains the keyword — confirm against jafar's usage text.
function http_recv_error() {
  local -a jafar_cmd=(
    ./jafar
    -iptables-reset-keyword ooni
    -main-command 'curl -sm5 --connect-to ::example.com: http://ooni.io'
  )
  expectexitcode 56 execute "${jafar_cmd[@]}"
}
# HTTP scenario: curl must exit with 28 (operation timed out), which
# here means the 5 second limit set by -m5 elapsed.
# NOTE(review): the flag name suggests jafar silently drops packets
# containing the keyword — confirm against jafar's usage text.
function http_operation_timedout() {
  local -a jafar_cmd=(
    ./jafar
    -iptables-drop-keyword ooni
    -main-command 'curl -sm5 --connect-to ::example.com: http://ooni.io'
  )
  expectexitcode 28 execute "${jafar_cmd[@]}"
}
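# HTTP scenario: curl must exit with 7 (could not connect) when the
# destination address is handed to jafar's -iptables-reset-ip flag.
# NOTE(review): the flag name suggests connections to that address are
# reset — confirm against jafar's usage text.
function http_couldnt_connect() {
  local ip
  local -r ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  # Keep only the first A record. A failed lookup used to leave $ip
  # empty, so -iptables-reset-ip consumed "-main-command" as its value;
  # several A records used to be word-split into stray arguments.
  ip=$(host -tA example.com | awk '/ has address / { print $4; exit }')
  # The address is spliced into a command string below, so accept
  # nothing but a dotted quad.
  if ! [[ "$ip" =~ $ipv4_re ]]; then
    echo "fatal: cannot resolve example.com to an IPv4 address" 1>&2
    exit 1
  fi
  # Point curl at the very address being reset; with several A records
  # "::example.com:" could pick a different one and connect anyway.
  expectexitcode 7 execute ./jafar -iptables-reset-ip "$ip" \
    -main-command "curl -sm5 --connect-to ::$ip: http://ooni.io"
}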
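# HTTP scenario: curl must succeed (exit 0) and the body it saves must
# contain "451 Unavailable For Legal Reasons".
# NOTE(review): the flag names suggest HTTP traffic is redirected to a
# proxy on 127.0.0.1:80 that serves a blockpage for hosts matching
# "ooni" — confirm against jafar's usage text.
function http_blockpage() {
  # Declared separately so a mktemp failure is not masked by `local`,
  # and so the path no longer leaks into the global scope.
  local outfile
  outfile=$(mktemp)
  chown nobody "$outfile" # curl runs as user nobody
  # NOTE(review): the path is spliced unquoted into the command string.
  # Default mktemp names are safe, but a TMPDIR containing whitespace or
  # shell metacharacters would change the command that gets run.
  expectexitcode 0 execute ./jafar -http-proxy-block ooni \
    -iptables-hijack-http-to 127.0.0.1:80 \
    -main-command "curl -so $outfile --connect-to ::example.com: http://ooni.io"
  if ! grep -q -- '451 Unavailable For Legal Reasons' "$outfile"; then
    rm -f -- "$outfile"
    echo "fatal: the blockpage does not contain the expected pattern" 1>&2
    exit 1
  fi
  # Do not leave the temporary file behind after a successful check.
  rm -f -- "$outfile"
}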
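# DNS scenario: dig must succeed (exit 0) and print exactly 127.0.0.1
# for ooni.io when querying @example.com.
# NOTE(review): the flag names suggest DNS traffic is redirected to a
# proxy on 127.0.0.1:53 that answers names matching "ooni" with a
# forged address — confirm against jafar's usage text.
function dns_injection() {
  # Keep the captured answer local instead of leaking a global. The
  # declaration is separate so that an `exit 1` inside the command
  # substitution still fails the assignment and trips `set -e`.
  local output
  output=$(expectexitcode 0 execute ./jafar \
    -iptables-hijack-dns-to 127.0.0.1:53 \
    -dns-proxy-hijack ooni \
    -main-command 'dig +time=2 +short @example.com ooni.io')
  if [ "$output" != "127.0.0.1" ]; then
    echo "fatal: the resulting IP is not the expected one" 1>&2
    exit 1
  fi
}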
# DNS scenario: dig must exit with 9 (no reply from server) after its
# 2 second per-query timeout (+time=2).
# NOTE(review): the flag names suggest DNS traffic is redirected to a
# proxy on 127.0.0.1:53 that ignores queries matching "ooni" — confirm
# against jafar's usage text.
function dns_timeout() {
  local -a jafar_cmd=(
    ./jafar
    -iptables-hijack-dns-to 127.0.0.1:53
    -dns-proxy-ignore ooni
    -main-command 'dig +time=2 +short @example.com ooni.io'
  )
  expectexitcode 9 execute "${jafar_cmd[@]}"
}
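# DNS scenario: dig must succeed (exit 0) but print nothing with +short,
# i.e. the reply carries no answer for ooni.io.
# NOTE(review): the flag names suggest DNS traffic is redirected to a
# proxy on 127.0.0.1:53 that answers NXDOMAIN for names matching
# "ooni" — confirm against jafar's usage text.
function dns_nxdomain() {
  # Keep the captured answer local instead of leaking a global. The
  # declaration is separate so that an `exit 1` inside the command
  # substitution still fails the assignment and trips `set -e`.
  local output
  output=$(expectexitcode 0 execute ./jafar \
    -iptables-hijack-dns-to 127.0.0.1:53 \
    -dns-proxy-block ooni \
    -main-command 'dig +time=2 +short @example.com ooni.io')
  if [ -n "$output" ]; then
    echo "fatal: expected no output here" 1>&2
    exit 1
  fi
}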
# TLS scenario: curl must exit with 60 (the peer certificate could not
# be verified against the trusted CAs). curl keeps its default trust
# store here, so an interposed certificate has to be rejected.
# NOTE(review): the flag name suggests HTTPS traffic is redirected to a
# listener on 127.0.0.1:4114 — confirm against jafar's usage text.
function sni_man_in_the_middle() {
  local -a jafar_cmd=(
    ./jafar
    -iptables-hijack-https-to 127.0.0.1:4114
    -main-command 'curl -sm5 --connect-to ::example.com: https://ooni.io'
  )
  expectexitcode 60 execute "${jafar_cmd[@]}"
}
# TLS scenario: curl must exit with 52 (empty reply from server) once
# it is told to trust badproxy.pem via --cacert.
# NOTE(review): presumably badproxy.pem is the CA of the listener on
# 127.0.0.1:4114, so the handshake completes and only the HTTP reply is
# missing — confirm. The file is looked up relative to the working
# directory and must never be added to a real trust store.
function sni_got_nothing() {
  local -a jafar_cmd=(
    ./jafar
    -iptables-hijack-https-to 127.0.0.1:4114
    -main-command 'curl -sm5 --cacert badproxy.pem --connect-to ::example.com: https://ooni.io'
  )
  expectexitcode 52 execute "${jafar_cmd[@]}"
}
# TLS scenario: curl must exit with 35 (SSL connect error), i.e. the
# handshake itself fails. The URL host is ooni.io, which curl sends in
# cleartext as the SNI of its ClientHello.
# NOTE(review): the flag name suggests jafar resets connections whose
# payload contains the keyword — confirm against jafar's usage text.
function sni_connect_error() {
  local -a jafar_cmd=(
    ./jafar
    -iptables-reset-keyword ooni
    -main-command 'curl -sm5 --connect-to ::example.com: https://ooni.io'
  )
  expectexitcode 35 execute "${jafar_cmd[@]}"
}
# Run every scenario in a fixed order. The script runs under `set -e`,
# so the first failing scenario stops the whole run.
# Arguments: none are read.
function main() {
  local scenario
  for scenario in \
    http_got_nothing \
    http_recv_error \
    http_operation_timedout \
    http_couldnt_connect \
    http_blockpage \
    dns_injection \
    dns_timeout \
    dns_nxdomain \
    sni_man_in_the_middle \
    sni_got_nothing \
    sni_connect_error; do
    runtest "$scenario"
  done
}
# Entry point. The command-line arguments are forwarded to main, which
# does not read them.
main "$@"