e08a64ebe4
Updates #2624. Updates #3162. Squashed commit of the following: commit 68860da717a23a0bfeba14b7fe10b5e4ad38726d Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jun 29 15:41:33 2021 +0300 all: imp types, names commit ebd4ec26636853d0d58c4e331e6a78feede20813 Merge: 239eb72116e5e09c
Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jun 29 15:14:33 2021 +0300 Merge branch 'master' into 2624-clientid-access commit 239eb7215abc47e99a0300a0f4cf56002689b1a9 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jun 29 15:13:10 2021 +0300 all: fix client blocking check commit e6bece3ea8367b3cbe3d90702a3368c870ad4f13 Merge: 9935f2a39d1656b5
Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jun 29 13:12:28 2021 +0300 Merge branch 'master' into 2624-clientid-access commit 9935f2a30bcfae2b853f3ef610c0ab7a56a8f448 Author: Ildar Kamalov <ik@adguard.com> Date: Tue Jun 29 11:26:51 2021 +0300 client: show block button for client id commit ed786a6a74a081cd89e9d67df3537a4fadd54831 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Jun 25 15:56:23 2021 +0300 client: imp i18n commit 4fed21c68473ad408960c08a7d87624cabce1911 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Jun 25 15:34:09 2021 +0300 all: imp i18n, docs commit 55e65c0d6b939560c53dcb834a4557eb3853d194 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Jun 25 13:34:01 2021 +0300 all: fix cache, imp code, docs, tests commit c1e5a83e76deb44b1f92729bb9ddfcc6a96ac4a8 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Thu Jun 24 19:27:12 2021 +0300 all: allow clientid in access settings
252 lines
5.9 KiB
Go
252 lines
5.9 KiB
Go
package dnsforward
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"net"
|
|
"net/http"
|
|
"net/url"
|
|
"testing"
|
|
|
|
"github.com/AdguardTeam/dnsproxy/proxy"
|
|
"github.com/lucas-clemente/quic-go"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
// testTLSConn is a tlsConn for tests.
|
|
type testTLSConn struct {
|
|
// Conn is embedded here simply to make testTLSConn a net.Conn without
|
|
// actually implementing all methods.
|
|
net.Conn
|
|
|
|
serverName string
|
|
}
|
|
|
|
// ConnectionState implements the tlsConn interface for testTLSConn.
|
|
func (c testTLSConn) ConnectionState() (cs tls.ConnectionState) {
|
|
cs.ServerName = c.serverName
|
|
|
|
return cs
|
|
}
|
|
|
|
// testQUICSession is a quicSession for tests.
|
|
type testQUICSession struct {
|
|
// Session is embedded here simply to make testQUICSession
|
|
// a quic.Session without acctually implementing all methods.
|
|
quic.Session
|
|
|
|
serverName string
|
|
}
|
|
|
|
// ConnectionState implements the quicSession interface for testQUICSession.
|
|
func (c testQUICSession) ConnectionState() (cs quic.ConnectionState) {
|
|
cs.TLS.ServerName = c.serverName
|
|
|
|
return cs
|
|
}
|
|
|
|
func TestServer_clientIDFromDNSContext(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
proto proxy.Proto
|
|
hostSrvName string
|
|
cliSrvName string
|
|
wantClientID string
|
|
wantErrMsg string
|
|
strictSNI bool
|
|
}{{
|
|
name: "udp",
|
|
proto: proxy.ProtoUDP,
|
|
hostSrvName: "",
|
|
cliSrvName: "",
|
|
wantClientID: "",
|
|
wantErrMsg: "",
|
|
strictSNI: false,
|
|
}, {
|
|
name: "tls_no_client_id",
|
|
proto: proxy.ProtoTLS,
|
|
hostSrvName: "example.com",
|
|
cliSrvName: "example.com",
|
|
wantClientID: "",
|
|
wantErrMsg: "",
|
|
strictSNI: true,
|
|
}, {
|
|
name: "tls_no_client_server_name",
|
|
proto: proxy.ProtoTLS,
|
|
hostSrvName: "example.com",
|
|
cliSrvName: "",
|
|
wantClientID: "",
|
|
wantErrMsg: `client id check: client server name "" ` +
|
|
`doesn't match host server name "example.com"`,
|
|
strictSNI: true,
|
|
}, {
|
|
name: "tls_no_client_server_name_no_strict",
|
|
proto: proxy.ProtoTLS,
|
|
hostSrvName: "example.com",
|
|
cliSrvName: "",
|
|
wantClientID: "",
|
|
wantErrMsg: "",
|
|
strictSNI: false,
|
|
}, {
|
|
name: "tls_client_id",
|
|
proto: proxy.ProtoTLS,
|
|
hostSrvName: "example.com",
|
|
cliSrvName: "cli.example.com",
|
|
wantClientID: "cli",
|
|
wantErrMsg: "",
|
|
strictSNI: true,
|
|
}, {
|
|
name: "tls_client_id_hostname_error",
|
|
proto: proxy.ProtoTLS,
|
|
hostSrvName: "example.com",
|
|
cliSrvName: "cli.example.net",
|
|
wantClientID: "",
|
|
wantErrMsg: `client id check: client server name "cli.example.net" ` +
|
|
`doesn't match host server name "example.com"`,
|
|
strictSNI: true,
|
|
}, {
|
|
name: "tls_invalid_client_id",
|
|
proto: proxy.ProtoTLS,
|
|
hostSrvName: "example.com",
|
|
cliSrvName: "!!!.example.com",
|
|
wantClientID: "",
|
|
wantErrMsg: `client id check: invalid client id "!!!": ` +
|
|
`invalid char '!' at index 0`,
|
|
strictSNI: true,
|
|
}, {
|
|
name: "tls_client_id_too_long",
|
|
proto: proxy.ProtoTLS,
|
|
hostSrvName: "example.com",
|
|
cliSrvName: `abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmno` +
|
|
`pqrstuvwxyz0123456789.example.com`,
|
|
wantClientID: "",
|
|
wantErrMsg: `client id check: invalid client id "abcdefghijklmno` +
|
|
`pqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789": ` +
|
|
`label is too long, max: 63`,
|
|
strictSNI: true,
|
|
}, {
|
|
name: "quic_client_id",
|
|
proto: proxy.ProtoQUIC,
|
|
hostSrvName: "example.com",
|
|
cliSrvName: "cli.example.com",
|
|
wantClientID: "cli",
|
|
wantErrMsg: "",
|
|
strictSNI: true,
|
|
}}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
tlsConf := TLSConfig{
|
|
ServerName: tc.hostSrvName,
|
|
StrictSNICheck: tc.strictSNI,
|
|
}
|
|
|
|
srv := &Server{
|
|
conf: ServerConfig{TLSConfig: tlsConf},
|
|
}
|
|
|
|
var conn net.Conn
|
|
if tc.proto == proxy.ProtoTLS {
|
|
conn = testTLSConn{
|
|
serverName: tc.cliSrvName,
|
|
}
|
|
}
|
|
|
|
var qs quic.Session
|
|
if tc.proto == proxy.ProtoQUIC {
|
|
qs = testQUICSession{
|
|
serverName: tc.cliSrvName,
|
|
}
|
|
}
|
|
|
|
pctx := &proxy.DNSContext{
|
|
Proto: tc.proto,
|
|
Conn: conn,
|
|
QUICSession: qs,
|
|
}
|
|
|
|
clientID, err := srv.clientIDFromDNSContext(pctx)
|
|
assert.Equal(t, tc.wantClientID, clientID)
|
|
|
|
if tc.wantErrMsg == "" {
|
|
assert.NoError(t, err)
|
|
} else {
|
|
require.Error(t, err)
|
|
|
|
assert.Equal(t, tc.wantErrMsg, err.Error())
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestClientIDFromDNSContextHTTPS(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
path string
|
|
wantClientID string
|
|
wantErrMsg string
|
|
}{{
|
|
name: "no_client_id",
|
|
path: "/dns-query",
|
|
wantClientID: "",
|
|
wantErrMsg: "",
|
|
}, {
|
|
name: "no_client_id_slash",
|
|
path: "/dns-query/",
|
|
wantClientID: "",
|
|
wantErrMsg: "",
|
|
}, {
|
|
name: "client_id",
|
|
path: "/dns-query/cli",
|
|
wantClientID: "cli",
|
|
wantErrMsg: "",
|
|
}, {
|
|
name: "client_id_slash",
|
|
path: "/dns-query/cli/",
|
|
wantClientID: "cli",
|
|
wantErrMsg: "",
|
|
}, {
|
|
name: "bad_url",
|
|
path: "/foo",
|
|
wantClientID: "",
|
|
wantErrMsg: `client id check: invalid path "/foo"`,
|
|
}, {
|
|
name: "extra",
|
|
path: "/dns-query/cli/foo",
|
|
wantClientID: "",
|
|
wantErrMsg: `client id check: invalid path "/dns-query/cli/foo": extra parts`,
|
|
}, {
|
|
name: "invalid_client_id",
|
|
path: "/dns-query/!!!",
|
|
wantClientID: "",
|
|
wantErrMsg: `client id check: invalid client id "!!!": ` +
|
|
`invalid char '!' at index 0`,
|
|
}}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
r := &http.Request{
|
|
URL: &url.URL{
|
|
Path: tc.path,
|
|
},
|
|
}
|
|
|
|
pctx := &proxy.DNSContext{
|
|
Proto: proxy.ProtoHTTPS,
|
|
HTTPRequest: r,
|
|
}
|
|
|
|
clientID, err := clientIDFromDNSContextHTTPS(pctx)
|
|
assert.Equal(t, tc.wantClientID, clientID)
|
|
|
|
if tc.wantErrMsg == "" {
|
|
assert.NoError(t, err)
|
|
} else {
|
|
require.Error(t, err)
|
|
|
|
assert.Equal(t, tc.wantErrMsg, err.Error())
|
|
}
|
|
})
|
|
}
|
|
}
|