e904b90006
This diff introduces a new package called `./internal/archival`. This package collects data from `./internal/model` network interfaces (e.g., `Dialer`, `QUICDialer`, `HTTPTransport`), saves such data into an internal tabular data format suitable for on-line processing and analysis, and allows exporting data into the OONI data format. The code for collecting and the internal tabular data formats are adapted from `measurex`. The code for formatting and exporting OONI data-format-compliant structures is adapted from `netx/archival`. My original objective was to _also_ (1) fully replace `netx/archival` with this package and (2) adapt `measurex` to use this package rather than its own code. Both operations seem easily feasible because: (a) this code is `measurex` code without extensions that are `measurex` related, which will need to be added back as part of the process; (b) the API provided by this code allows for trivially converting from using `netx/archival` to using this code. Yet, both changes should not be taken lightly. After implementing them, there's need to spend some time doing QA and ensuring all nettests work as intended. However, I am planning a release in the next two weeks, and this QA task is likely going to defer the release. For this reason, I have chosen to commit the work done so far into the tree and defer the second part of this refactoring for a later moment in time. (This explains why the title mentions "1/N"). On a more high-level perspective, it would also be beneficial, I guess, to explain _why_ I am doing these changes. There are two intertwined reasons. The first reason is that `netx/archival` has shortcomings deriving from its original https://github.com/ooni/netx legacy. The most relevant shortcoming is that it saves all kind of data into the same tabular structure named `Event`. This design choice is unfortunate because it does not allow one to apply data-type specific logic when processing the results. In turn, this choice results in complex processing code. Therefore, I believe that replacing the code with event-specific data structures is clearly an improvement in terms of code maintainability and would quite likely lead us to more confidently change and evolve the codebase. The second reason why I would like to move forward these changes is to unify the codepaths used for measuring. At this point in time, we basically have two codepaths: `./internal/engine/netx` and `./internal/measurex`. They both have pros and cons and I don't think we want to rewrite whole experiments using `netx`. Rather, what we probably want is to gradually merge these two codepaths such that `netx` is a set of abstractions on top of `measurex` (which is more low-level and has a more-easily-testable design). Because saving events and generating an archival data format out of them consists of at least 50% of the complexity of both `netx` and `measurex`, it seems reasonable to unify this archival-related part of the two codebases as the first step. At the highest level of abstraction, these changes are part of the train of changes which will eventually lead us to bless `websteps` as a first class citizen in OONI land. Because `websteps` requires different underlying primitives, I chose to develop these primitives from scratch rather than wrestling with `netx`, which used another model. The model used by `websteps` is that we perform each operation in isolation and immediately we save the results, while `netx` creates whole data structures and collects all the events happening via tracing. We believe the model used by `websteps` to be better because it does not require your code to figure out everything that happened after the measurement, which is a source of subtle bugs in the current implementation. So, when I started implementing websteps I extracted the bits of `netx` that could also be beneficial to `websteps` into a separate library, thus `netxlite` was born. The reference issue describing merging the archival of `netx` and `measurex` is https://github.com/ooni/probe/issues/1957. As of this writing the issue still references the original plan, which I could not complete by the end of this Sprint, so I am going to adapt the text of the issue to only refer to what was done in here next. Of course, I also need follow-up issues.
464 lines
12 KiB
Go
464 lines
12 KiB
Go
package archival
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"errors"
|
|
"io"
|
|
"net"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/google/go-cmp/cmp"
|
|
"github.com/lucas-clemente/quic-go"
|
|
"github.com/marten-seemann/qtls-go1-17" // it's annoying to depend on that
|
|
"github.com/ooni/probe-cli/v3/internal/fakefill"
|
|
"github.com/ooni/probe-cli/v3/internal/model"
|
|
"github.com/ooni/probe-cli/v3/internal/model/mocks"
|
|
"github.com/ooni/probe-cli/v3/internal/netxlite"
|
|
)
|
|
|
|
func TestSaverWriteTo(t *testing.T) {
|
|
// newAddr creates an new net.Addr for testing.
|
|
newAddr := func(endpoint string) net.Addr {
|
|
return &mocks.Addr{
|
|
MockString: func() string {
|
|
return endpoint
|
|
},
|
|
MockNetwork: func() string {
|
|
return "udp"
|
|
},
|
|
}
|
|
}
|
|
|
|
// newConn is a helper function for creating a new connection.
|
|
newConn := func(numBytes int, err error) model.UDPLikeConn {
|
|
return &mocks.UDPLikeConn{
|
|
MockWriteTo: func(p []byte, addr net.Addr) (int, error) {
|
|
time.Sleep(time.Microsecond)
|
|
return numBytes, err
|
|
},
|
|
}
|
|
}
|
|
|
|
t.Run("on success", func(t *testing.T) {
|
|
const mockedEndpoint = "8.8.4.4:443"
|
|
const mockedNumBytes = 128
|
|
addr := newAddr(mockedEndpoint)
|
|
conn := newConn(mockedNumBytes, nil)
|
|
saver := NewSaver()
|
|
v := &SingleNetworkEventValidator{
|
|
ExpectedCount: mockedNumBytes,
|
|
ExpectedErr: nil,
|
|
ExpectedNetwork: "udp",
|
|
ExpectedOp: netxlite.WriteToOperation,
|
|
ExpectedEpnt: mockedEndpoint,
|
|
Saver: saver,
|
|
}
|
|
buf := make([]byte, 1024)
|
|
count, err := saver.WriteTo(conn, buf, addr)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if count != mockedNumBytes {
|
|
t.Fatal("invalid count")
|
|
}
|
|
if err := v.Validate(); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
})
|
|
|
|
t.Run("on failure", func(t *testing.T) {
|
|
const mockedEndpoint = "8.8.4.4:443"
|
|
mockedError := netxlite.NewTopLevelGenericErrWrapper(io.EOF)
|
|
addr := newAddr(mockedEndpoint)
|
|
conn := newConn(0, mockedError)
|
|
saver := NewSaver()
|
|
v := &SingleNetworkEventValidator{
|
|
ExpectedCount: 0,
|
|
ExpectedErr: mockedError,
|
|
ExpectedNetwork: "udp",
|
|
ExpectedOp: netxlite.WriteToOperation,
|
|
ExpectedEpnt: mockedEndpoint,
|
|
Saver: saver,
|
|
}
|
|
buf := make([]byte, 1024)
|
|
count, err := saver.WriteTo(conn, buf, addr)
|
|
if !errors.Is(err, mockedError) {
|
|
t.Fatal("unexpected err", err)
|
|
}
|
|
if count != 0 {
|
|
t.Fatal("invalid count")
|
|
}
|
|
if err := v.Validate(); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestSaverReadFrom(t *testing.T) {
|
|
// newAddr creates an new net.Addr for testing.
|
|
newAddr := func(endpoint string) net.Addr {
|
|
return &mocks.Addr{
|
|
MockString: func() string {
|
|
return endpoint
|
|
},
|
|
MockNetwork: func() string {
|
|
return "udp"
|
|
},
|
|
}
|
|
}
|
|
|
|
// newConn is a helper function for creating a new connection.
|
|
newConn := func(numBytes int, addr net.Addr, err error) model.UDPLikeConn {
|
|
return &mocks.UDPLikeConn{
|
|
MockReadFrom: func(p []byte) (int, net.Addr, error) {
|
|
time.Sleep(time.Microsecond)
|
|
return numBytes, addr, err
|
|
},
|
|
}
|
|
}
|
|
|
|
t.Run("on success", func(t *testing.T) {
|
|
const mockedEndpoint = "8.8.4.4:443"
|
|
const mockedNumBytes = 128
|
|
expectedAddr := newAddr(mockedEndpoint)
|
|
conn := newConn(mockedNumBytes, expectedAddr, nil)
|
|
saver := NewSaver()
|
|
v := &SingleNetworkEventValidator{
|
|
ExpectedCount: mockedNumBytes,
|
|
ExpectedErr: nil,
|
|
ExpectedNetwork: "udp",
|
|
ExpectedOp: netxlite.ReadFromOperation,
|
|
ExpectedEpnt: mockedEndpoint,
|
|
Saver: saver,
|
|
}
|
|
buf := make([]byte, 1024)
|
|
count, addr, err := saver.ReadFrom(conn, buf)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if expectedAddr.Network() != addr.Network() {
|
|
t.Fatal("invalid addr.Network")
|
|
}
|
|
if expectedAddr.String() != addr.String() {
|
|
t.Fatal("invalid addr.String")
|
|
}
|
|
if count != mockedNumBytes {
|
|
t.Fatal("invalid count")
|
|
}
|
|
if err := v.Validate(); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
})
|
|
|
|
t.Run("on failure", func(t *testing.T) {
|
|
mockedError := netxlite.NewTopLevelGenericErrWrapper(io.EOF)
|
|
conn := newConn(0, nil, mockedError)
|
|
saver := NewSaver()
|
|
v := &SingleNetworkEventValidator{
|
|
ExpectedCount: 0,
|
|
ExpectedErr: mockedError,
|
|
ExpectedNetwork: "udp",
|
|
ExpectedOp: netxlite.ReadFromOperation,
|
|
ExpectedEpnt: "",
|
|
Saver: saver,
|
|
}
|
|
buf := make([]byte, 1024)
|
|
count, addr, err := saver.ReadFrom(conn, buf)
|
|
if !errors.Is(err, mockedError) {
|
|
t.Fatal(err)
|
|
}
|
|
if addr != nil {
|
|
t.Fatal("invalid addr")
|
|
}
|
|
if count != 0 {
|
|
t.Fatal("invalid count")
|
|
}
|
|
if err := v.Validate(); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestSaverQUICDialContext(t *testing.T) {
|
|
// newQUICDialer creates a new QUICDialer for testing.
|
|
newQUICDialer := func(sess quic.EarlySession, err error) model.QUICDialer {
|
|
return &mocks.QUICDialer{
|
|
MockDialContext: func(
|
|
ctx context.Context, network, address string, tlsConfig *tls.Config,
|
|
quicConfig *quic.Config) (quic.EarlySession, error) {
|
|
time.Sleep(time.Microsecond)
|
|
return sess, err
|
|
},
|
|
}
|
|
}
|
|
|
|
// newQUICSession creates a new quic.EarlySession for testing.
|
|
newQUICSession := func(handshakeComplete context.Context, state tls.ConnectionState) quic.EarlySession {
|
|
return &mocks.QUICEarlySession{
|
|
MockHandshakeComplete: func() context.Context {
|
|
return handshakeComplete
|
|
},
|
|
MockConnectionState: func() quic.ConnectionState {
|
|
return quic.ConnectionState{
|
|
TLS: qtls.ConnectionStateWith0RTT{
|
|
ConnectionState: state,
|
|
},
|
|
}
|
|
},
|
|
MockCloseWithError: func(code quic.ApplicationErrorCode, reason string) error {
|
|
return nil
|
|
},
|
|
}
|
|
}
|
|
|
|
t.Run("on success", func(t *testing.T) {
|
|
handshakeCtx := context.Background()
|
|
handshakeCtx, handshakeCancel := context.WithCancel(handshakeCtx)
|
|
handshakeCancel() // simulate a completed handshake
|
|
const expectedNetwork = "udp"
|
|
const mockedEndpoint = "8.8.4.4:443"
|
|
saver := NewSaver()
|
|
var peerCerts [][]byte
|
|
ff := &fakefill.Filler{}
|
|
ff.Fill(&peerCerts)
|
|
if len(peerCerts) < 1 {
|
|
t.Fatal("did not fill peerCerts")
|
|
}
|
|
v := &SingleQUICTLSHandshakeValidator{
|
|
ExpectedALPN: []string{"h3"},
|
|
ExpectedSNI: "dns.google",
|
|
ExpectedSkipVerify: true,
|
|
//
|
|
ExpectedCipherSuite: tls.TLS_AES_128_GCM_SHA256,
|
|
ExpectedNegotiatedProtocol: "h3",
|
|
ExpectedPeerCerts: peerCerts,
|
|
ExpectedVersion: tls.VersionTLS13,
|
|
//
|
|
ExpectedNetwork: "quic",
|
|
ExpectedRemoteAddr: mockedEndpoint,
|
|
//
|
|
QUICConfig: &quic.Config{},
|
|
//
|
|
ExpectedFailure: nil,
|
|
Saver: saver,
|
|
}
|
|
sess := newQUICSession(handshakeCtx, v.NewTLSConnectionState())
|
|
dialer := newQUICDialer(sess, nil)
|
|
ctx := context.Background()
|
|
sess, err := saver.QUICDialContext(ctx, dialer, expectedNetwork,
|
|
mockedEndpoint, v.NewTLSConfig(), v.QUICConfig)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if sess == nil {
|
|
t.Fatal("expected nil sess")
|
|
}
|
|
sess.CloseWithError(0, "")
|
|
if err := v.Validate(); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
})
|
|
|
|
t.Run("on handshake timeout", func(t *testing.T) {
|
|
handshakeCtx := context.Background()
|
|
handshakeCtx, handshakeCancel := context.WithCancel(handshakeCtx)
|
|
defer handshakeCancel()
|
|
const expectedNetwork = "udp"
|
|
const mockedEndpoint = "8.8.4.4:443"
|
|
saver := NewSaver()
|
|
v := &SingleQUICTLSHandshakeValidator{
|
|
ExpectedALPN: []string{"h3"},
|
|
ExpectedSNI: "dns.google",
|
|
ExpectedSkipVerify: true,
|
|
//
|
|
ExpectedCipherSuite: 0,
|
|
ExpectedNegotiatedProtocol: "",
|
|
ExpectedPeerCerts: nil,
|
|
ExpectedVersion: 0,
|
|
//
|
|
ExpectedNetwork: "quic",
|
|
ExpectedRemoteAddr: mockedEndpoint,
|
|
//
|
|
QUICConfig: &quic.Config{},
|
|
//
|
|
ExpectedFailure: context.DeadlineExceeded,
|
|
Saver: saver,
|
|
}
|
|
sess := newQUICSession(handshakeCtx, tls.ConnectionState{})
|
|
dialer := newQUICDialer(sess, nil)
|
|
ctx := context.Background()
|
|
ctx, cancel := context.WithTimeout(ctx, time.Microsecond)
|
|
defer cancel()
|
|
sess, err := saver.QUICDialContext(ctx, dialer, expectedNetwork,
|
|
mockedEndpoint, v.NewTLSConfig(), v.QUICConfig)
|
|
if !errors.Is(err, context.DeadlineExceeded) {
|
|
t.Fatal("unexpected error")
|
|
}
|
|
if sess != nil {
|
|
t.Fatal("expected nil sess")
|
|
}
|
|
if err := v.Validate(); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
})
|
|
|
|
t.Run("on other error", func(t *testing.T) {
|
|
mockedError := netxlite.NewTopLevelGenericErrWrapper(io.EOF)
|
|
const expectedNetwork = "udp"
|
|
const mockedEndpoint = "8.8.4.4:443"
|
|
saver := NewSaver()
|
|
v := &SingleQUICTLSHandshakeValidator{
|
|
ExpectedALPN: []string{"h3"},
|
|
ExpectedSNI: "dns.google",
|
|
ExpectedSkipVerify: true,
|
|
//
|
|
ExpectedCipherSuite: 0,
|
|
ExpectedNegotiatedProtocol: "",
|
|
ExpectedPeerCerts: nil,
|
|
ExpectedVersion: 0,
|
|
//
|
|
ExpectedNetwork: "quic",
|
|
ExpectedRemoteAddr: mockedEndpoint,
|
|
//
|
|
QUICConfig: &quic.Config{},
|
|
//
|
|
ExpectedFailure: mockedError,
|
|
Saver: saver,
|
|
}
|
|
dialer := newQUICDialer(nil, mockedError)
|
|
ctx := context.Background()
|
|
sess, err := saver.QUICDialContext(ctx, dialer, expectedNetwork,
|
|
mockedEndpoint, v.NewTLSConfig(), v.QUICConfig)
|
|
if !errors.Is(err, mockedError) {
|
|
t.Fatal("unexpected error")
|
|
}
|
|
if sess != nil {
|
|
t.Fatal("expected nil sess")
|
|
}
|
|
if err := v.Validate(); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
})
|
|
|
|
// TODO(bassosimone): here we're not testing the case in which
|
|
// the certificate is invalid for the required SNI.
|
|
//
|
|
// We need first to figure out whether this is what happens
|
|
// when we validate for QUIC in such cases. If that's the case
|
|
// indeed, then we can write the tests.
|
|
|
|
t.Run("on x509.HostnameError", func(t *testing.T) {
|
|
t.Skip("test not implemented")
|
|
})
|
|
|
|
t.Run("on x509.UnknownAuthorityError", func(t *testing.T) {
|
|
t.Skip("test not implemented")
|
|
})
|
|
|
|
t.Run("on x509.CertificateInvalidError", func(t *testing.T) {
|
|
t.Skip("test not implemented")
|
|
})
|
|
}
|
|
|
|
type SingleQUICTLSHandshakeValidator struct {
|
|
// related to the tls.Config
|
|
ExpectedALPN []string
|
|
ExpectedSNI string
|
|
ExpectedSkipVerify bool
|
|
|
|
// related to the tls.ConnectionState
|
|
ExpectedCipherSuite uint16
|
|
ExpectedNegotiatedProtocol string
|
|
ExpectedPeerCerts [][]byte
|
|
ExpectedVersion uint16
|
|
|
|
// related to the mocked conn (TLS) / dial params (QUIC)
|
|
ExpectedNetwork string
|
|
ExpectedRemoteAddr string
|
|
|
|
// tells us whether we're using QUIC
|
|
QUICConfig *quic.Config
|
|
|
|
// other fields
|
|
ExpectedFailure error
|
|
Saver *Saver
|
|
}
|
|
|
|
func (v *SingleQUICTLSHandshakeValidator) NewTLSConfig() *tls.Config {
|
|
return &tls.Config{
|
|
NextProtos: v.ExpectedALPN,
|
|
ServerName: v.ExpectedSNI,
|
|
InsecureSkipVerify: v.ExpectedSkipVerify,
|
|
}
|
|
}
|
|
|
|
func (v *SingleQUICTLSHandshakeValidator) NewTLSConnectionState() tls.ConnectionState {
|
|
var state tls.ConnectionState
|
|
if v.ExpectedCipherSuite != 0 {
|
|
state.CipherSuite = v.ExpectedCipherSuite
|
|
}
|
|
if v.ExpectedNegotiatedProtocol != "" {
|
|
state.NegotiatedProtocol = v.ExpectedNegotiatedProtocol
|
|
}
|
|
for _, cert := range v.ExpectedPeerCerts {
|
|
state.PeerCertificates = append(state.PeerCertificates, &x509.Certificate{
|
|
Raw: cert,
|
|
})
|
|
}
|
|
if v.ExpectedVersion != 0 {
|
|
state.Version = v.ExpectedVersion
|
|
}
|
|
return state
|
|
}
|
|
|
|
func (v *SingleQUICTLSHandshakeValidator) Validate() error {
|
|
trace := v.Saver.MoveOutTrace()
|
|
var entries []*QUICTLSHandshakeEvent
|
|
if v.QUICConfig != nil {
|
|
entries = trace.QUICHandshake
|
|
} else {
|
|
entries = trace.TLSHandshake
|
|
}
|
|
if len(entries) != 1 {
|
|
return errors.New("expected to see a single entry")
|
|
}
|
|
entry := entries[0]
|
|
if diff := cmp.Diff(entry.ALPN, v.ExpectedALPN); diff != "" {
|
|
return errors.New(diff)
|
|
}
|
|
if entry.CipherSuite != netxlite.TLSCipherSuiteString(v.ExpectedCipherSuite) {
|
|
return errors.New("unexpected .CipherSuite")
|
|
}
|
|
if !errors.Is(entry.Failure, v.ExpectedFailure) {
|
|
return errors.New("unexpected .Failure")
|
|
}
|
|
if !entry.Finished.After(entry.Started) {
|
|
return errors.New(".Finished is not after .Started")
|
|
}
|
|
if entry.NegotiatedProto != v.ExpectedNegotiatedProtocol {
|
|
return errors.New("unexpected .NegotiatedProto")
|
|
}
|
|
if entry.Network != v.ExpectedNetwork {
|
|
return errors.New("unexpected .Network")
|
|
}
|
|
if diff := cmp.Diff(entry.PeerCerts, v.ExpectedPeerCerts); diff != "" {
|
|
return errors.New("unexpected .PeerCerts")
|
|
}
|
|
if entry.RemoteAddr != v.ExpectedRemoteAddr {
|
|
return errors.New("unexpected .RemoteAddr")
|
|
}
|
|
if entry.SNI != v.ExpectedSNI {
|
|
return errors.New("unexpected .ServerName")
|
|
}
|
|
if entry.SkipVerify != v.ExpectedSkipVerify {
|
|
return errors.New("unexpected .SkipVerify")
|
|
}
|
|
if entry.TLSVersion != netxlite.TLSVersionString(v.ExpectedVersion) {
|
|
return errors.New("unexpected .Version")
|
|
}
|
|
return nil
|
|
}
|