From 17e74f480669737764cf1ac4448269330e98b4d9 Mon Sep 17 00:00:00 2001 From: Simone Basso Date: Thu, 9 May 2024 15:58:05 +0200 Subject: [PATCH] fix(enginenetx): give priority to DNS (#1592) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This implements the changes requested in https://github.com/ooni/probe-cli/pull/1552. We rearrange the chains such that the DNS has priority and extended policies come after it. Part of https://github.com/ooni/probe/issues/2704. --------- Co-authored-by: Arturo Filastò --- internal/enginenetx/network.go | 43 +- internal/enginenetx/network_internal_test.go | 487 +++++++++++++++++-- 2 files changed, 482 insertions(+), 48 deletions(-) diff --git a/internal/enginenetx/network.go b/internal/enginenetx/network.go index e681de1f1e..f3bc819ed8 100644 --- a/internal/enginenetx/network.go +++ b/internal/enginenetx/network.go @@ -113,7 +113,9 @@ func NewNetwork( // Note that: // // - we're enabling compression, which is desiredable since this transport - // is not made for measuring and compression is good(TM); + // is not made for measuring and compression is good(TM), also note that + // when the request uses Accept-Encoding, this kind of automatic management + // of compression is disabled, so there is no conflict. // // - if proxyURL is nil, the proxy option is equivalent to disabling // the proxy, otherwise it means that we're using the ooni/oohttp library @@ -152,16 +154,41 @@ func newHTTPSDialerPolicy( return &dnsPolicy{logger, resolver} } - // create a composed fallback TLS dialer policy - fallback := &statsPolicy{ - Fallback: &bridgesPolicy{Fallback: &dnsPolicy{logger, resolver}}, - Stats: stats, + // create a policy interleaving stats policies and bridges policies + statsOrBridges := &mixPolicyInterleave{ + Primary: &statsPolicyV2{ + Stats: stats, + }, + Fallback: &bridgesPolicyV2{}, + Factor: 3, } - // make sure we honor a user-provided policy - policy, err := newUserPolicy(kvStore, fallback) + // wrap the DNS policy with a policy that extends tactics for test + // helpers so that we also try using different SNIs. + dnsExt := &testHelpersPolicy{ + Child: &dnsPolicy{logger, resolver}, + } + + // compose dnsExt and statsOrBridges such that dnsExt has + // priority in the selection of tactics + composed := &mixPolicyInterleave{ + Primary: dnsExt, + Fallback: statsOrBridges, + Factor: 3, + } + + // attempt to load a user-provided dialing policy + primary, err := newUserPolicyV2(kvStore) + + // on error, just use composed if err != nil { - return fallback + return composed + } + + // otherwise, finish creating the dialing policy + policy := &mixPolicyEitherOr{ + Primary: primary, + Fallback: composed, } return policy diff --git a/internal/enginenetx/network_internal_test.go b/internal/enginenetx/network_internal_test.go index 5b3e7bda8b..947005d96e 100644 --- a/internal/enginenetx/network_internal_test.go +++ b/internal/enginenetx/network_internal_test.go @@ -7,6 +7,7 @@ import ( "net/url" "sync" "testing" + "time" "github.com/apex/log" "github.com/google/go-cmp/cmp" @@ -214,7 +215,7 @@ func TestNetworkUnit(t *testing.T) { } // Make sure we get the correct policy type depending on how we call newHTTPSDialerPolicy -func TestNewHTTPSDialerPolicy(t *testing.T) { +func TestNewHTTPSDialerPolicyTypes(t *testing.T) { // testcase is a test case implemented by this function type testcase struct { // name is the name of the test case @@ -229,53 +230,102 @@ func TestNewHTTPSDialerPolicy(t *testing.T) { // expectType is the string representation of the // type constructed using these params expectType string + + // extraChecks is an OPTIONAL function that + // will perform extra checks on the policy type + extraChecks func(t *testing.T, root httpsDialerPolicy) } minimalUserPolicy := []byte(`{"Version":3}`) - cases := []testcase{{ - name: "when there is a proxy URL and there is a user policy", - kvStore: func() model.KeyValueStore { - store := &kvstore.Memory{} - // this policy is mostly empty but it's enough to load - runtimex.Try0(store.Set(userPolicyKey, minimalUserPolicy)) - return store - }, - proxyURL: &url.URL{ - Scheme: "socks5", - Host: "127.0.0.1:9050", - Path: "/", - }, - expectType: "*enginenetx.dnsPolicy", - }, { - name: "when there is a proxy URL and there is no user policy", - kvStore: func() model.KeyValueStore { - return &kvstore.Memory{} + // this function ensures that the part dealing with stats or bridges is correct + verifyStatsOrBridgesChain := func(t *testing.T, root *mixPolicyInterleave) { + if root.Factor != 3 { + t.Fatal("expected .Factory to be 3") + } + _ = root.Primary.(*statsPolicyV2) + _ = root.Fallback.(*bridgesPolicyV2) + + } + + // this function ensures that the DNS ext part of the chain is correct + verifyDNSExtChain := func(_ *testing.T, root *testHelpersPolicy) { + _ = root.Child.(*dnsPolicy) + } + + // this function ensures that the policy used when there's no use policy has + // the correct type and anything below it also has the correct type + verifyNoUserPolicyChain := func(t *testing.T, root httpsDialerPolicy) { + interleavePolicy := root.(*mixPolicyInterleave) + if interleavePolicy.Factor != 3 { + t.Fatal("expected .Factory to be 3") + } + verifyDNSExtChain(t, interleavePolicy.Primary.(*testHelpersPolicy)) + verifyStatsOrBridgesChain(t, interleavePolicy.Fallback.(*mixPolicyInterleave)) + + } + + // this function ansures that the policy used when there's an user policy has + // the correct type and anything below it also has the correct type + verifyUserPolicyChain := func(t *testing.T, root httpsDialerPolicy) { + eitherOrPolicy := root.(*mixPolicyEitherOr) + _ = eitherOrPolicy.Primary.(*userPolicyV2) + verifyNoUserPolicyChain(t, eitherOrPolicy.Fallback) + } + + cases := []testcase{ + { + name: "when there is a proxy URL and there is a user policy", + kvStore: func() model.KeyValueStore { + store := &kvstore.Memory{} + // this policy is mostly empty but it's enough to load + runtimex.Try0(store.Set(userPolicyKey, minimalUserPolicy)) + return store + }, + proxyURL: &url.URL{ + Scheme: "socks5", + Host: "127.0.0.1:9050", + Path: "/", + }, + expectType: "*enginenetx.dnsPolicy", }, - proxyURL: &url.URL{ - Scheme: "socks5", - Host: "127.0.0.1:9050", - Path: "/", + + { + name: "when there is a proxy URL and there is no user policy", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: &url.URL{ + Scheme: "socks5", + Host: "127.0.0.1:9050", + Path: "/", + }, + expectType: "*enginenetx.dnsPolicy", }, - expectType: "*enginenetx.dnsPolicy", - }, { - name: "when there is no proxy URL and there is a user policy", - kvStore: func() model.KeyValueStore { - store := &kvstore.Memory{} - // this policy is mostly empty but it's enough to load - runtimex.Try0(store.Set(userPolicyKey, minimalUserPolicy)) - return store + + { + name: "when there is no proxy URL and there is a user policy", + kvStore: func() model.KeyValueStore { + store := &kvstore.Memory{} + // this policy is mostly empty but it's enough to load + runtimex.Try0(store.Set(userPolicyKey, minimalUserPolicy)) + return store + }, + proxyURL: nil, + expectType: "*enginenetx.mixPolicyEitherOr", + extraChecks: verifyUserPolicyChain, }, - proxyURL: nil, - expectType: "*enginenetx.userPolicy", - }, { - name: "when there is no proxy URL and there is no user policy", - kvStore: func() model.KeyValueStore { - return &kvstore.Memory{} + + { + name: "when there is no proxy URL and there is no user policy", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: nil, + expectType: "*enginenetx.mixPolicyInterleave", + extraChecks: verifyNoUserPolicyChain, }, - proxyURL: nil, - expectType: "*enginenetx.statsPolicy", - }} + } for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { @@ -292,6 +342,363 @@ func TestNewHTTPSDialerPolicy(t *testing.T) { if diff := cmp.Diff(tc.expectType, got); diff != "" { t.Fatal(diff) } + + if tc.extraChecks != nil { + tc.extraChecks(t, p) + } + }) + } +} + +// This test ensures that newHTTPSDialerPolicy is functionally working as intended. +func TestNewHTTPSDialerPolicyFunctional(t *testing.T) { + // testcase is a test case implemented by this func + type testcase struct { + // name is the test case name + name string + + // kvStore is the key-value store possibly containing user policies + // and previous statistics about TLS endpoints + kvStore func() model.KeyValueStore + + // proxyURL is the OPTIONAL proxy URL. + proxyURL *url.URL + + // resolver is the DNS resolver. + resolver model.Resolver + + // domain is the domain for which to use LookupTactics. + domain string + + // totalExpectedEntries is the total number of entries we + // expect the code to generate as part of this run + totalExpectedEntries int + + // initialExpectedEntries contains the initial entries that + // we expect to see when getting results + initialExpectedEntries []*httpsDialerTactic + } + + cases := []testcase{ + + // Let's start with test cases in which there is no proxy and + // no state, where we want to see that we're using the DNS, and + // that, on top of this, we're getting bridges tactics when + // we're using api.ooni.io and we're getting various SNIs when + // instead we're using test helper domains. + + { + name: "without proxy, with empty key-value store, and NXDOMAIN for www.example.com", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: nil, + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return nil, netxlite.ErrOODNSNoSuchHost + }, + }, + domain: "www.example.com", + totalExpectedEntries: 0, + initialExpectedEntries: nil, + }, + + { + name: "without proxy, with empty key-value store, and addresses for www.example.com", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: nil, + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return []string{"93.184.215.14", "2606:2800:21f:cb07:6820:80da:af6b:8b2c"}, nil + }, + }, + domain: "www.example.com", + totalExpectedEntries: 2, + initialExpectedEntries: []*httpsDialerTactic{{ + Address: "93.184.215.14", + InitialDelay: 0, + Port: "443", + SNI: "www.example.com", + VerifyHostname: "www.example.com", + }, { + Address: "2606:2800:21f:cb07:6820:80da:af6b:8b2c", + InitialDelay: 0, + Port: "443", + SNI: "www.example.com", + VerifyHostname: "www.example.com", + }}, + }, + + { + name: "without proxy, with empty key-value store, and NXDOMAIN for api.ooni.io", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: nil, + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return nil, netxlite.ErrOODNSNoSuchHost + }, + }, + domain: "api.ooni.io", + totalExpectedEntries: 152, + initialExpectedEntries: nil, + }, + + { + name: "without proxy, with empty key-value store, and addresses for api.ooni.io", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: nil, + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return []string{"130.192.91.211", "130.192.91.231"}, nil + }, + }, + domain: "api.ooni.io", + totalExpectedEntries: 154, + initialExpectedEntries: []*httpsDialerTactic{{ + Address: "130.192.91.211", + InitialDelay: 0, + Port: "443", + SNI: "api.ooni.io", + VerifyHostname: "api.ooni.io", + }, { + Address: "130.192.91.231", + InitialDelay: 0, + Port: "443", + SNI: "api.ooni.io", + VerifyHostname: "api.ooni.io", + }}, + }, + + { + name: "without proxy, with empty key-value store, and NXDOMAIN for 0.th.ooni.org", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: nil, + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return nil, netxlite.ErrOODNSNoSuchHost + }, + }, + domain: "0.th.ooni.org", + totalExpectedEntries: 0, + initialExpectedEntries: nil, + }, + + { + name: "without proxy, with empty key-value store, and addresses for 0.th.ooni.org", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: nil, + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return []string{"130.192.91.211", "130.192.91.231"}, nil + }, + }, + domain: "0.th.ooni.org", + totalExpectedEntries: 306, + initialExpectedEntries: []*httpsDialerTactic{{ + Address: "130.192.91.211", + InitialDelay: 0, + Port: "443", + SNI: "0.th.ooni.org", + VerifyHostname: "0.th.ooni.org", + }, { + Address: "130.192.91.231", + InitialDelay: 0, + Port: "443", + SNI: "0.th.ooni.org", + VerifyHostname: "0.th.ooni.org", + }}, + }, + + // Now we repeat the same test cases but with a proxy and we want + // to always and only see the results obtained via DNS. + + { + name: "with proxy, with empty key-value store, and NXDOMAIN for www.example.com", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: &url.URL{}, // does not need to be filled + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return nil, netxlite.ErrOODNSNoSuchHost + }, + }, + domain: "www.example.com", + totalExpectedEntries: 0, + initialExpectedEntries: nil, + }, + + { + name: "with proxy, with empty key-value store, and addresses for www.example.com", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: &url.URL{}, // does not need to be filled + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return []string{"93.184.215.14", "2606:2800:21f:cb07:6820:80da:af6b:8b2c"}, nil + }, + }, + domain: "www.example.com", + totalExpectedEntries: 2, + initialExpectedEntries: []*httpsDialerTactic{{ + Address: "93.184.215.14", + InitialDelay: 0, + Port: "443", + SNI: "www.example.com", + VerifyHostname: "www.example.com", + }, { + Address: "2606:2800:21f:cb07:6820:80da:af6b:8b2c", + InitialDelay: 0, + Port: "443", + SNI: "www.example.com", + VerifyHostname: "www.example.com", + }}, + }, + + { + name: "with proxy, with empty key-value store, and NXDOMAIN for api.ooni.io", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: &url.URL{}, // does not need to be filled + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return nil, netxlite.ErrOODNSNoSuchHost + }, + }, + domain: "api.ooni.io", + totalExpectedEntries: 0, + initialExpectedEntries: nil, + }, + + { + name: "without proxy, with empty key-value store, and addresses for api.ooni.io", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: &url.URL{}, // does not need to be filled + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return []string{"130.192.91.211", "130.192.91.231"}, nil + }, + }, + domain: "api.ooni.io", + totalExpectedEntries: 2, + initialExpectedEntries: []*httpsDialerTactic{{ + Address: "130.192.91.211", + InitialDelay: 0, + Port: "443", + SNI: "api.ooni.io", + VerifyHostname: "api.ooni.io", + }, { + Address: "130.192.91.231", + InitialDelay: 0, + Port: "443", + SNI: "api.ooni.io", + VerifyHostname: "api.ooni.io", + }}, + }, + + { + name: "with proxy, with empty key-value store, and NXDOMAIN for 0.th.ooni.org", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: &url.URL{}, // does not need to be filled + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return nil, netxlite.ErrOODNSNoSuchHost + }, + }, + domain: "0.th.ooni.org", + totalExpectedEntries: 0, + initialExpectedEntries: nil, + }, + + { + name: "with proxy, with empty key-value store, and addresses for 0.th.ooni.org", + kvStore: func() model.KeyValueStore { + return &kvstore.Memory{} + }, + proxyURL: &url.URL{}, // does not need to be filled + resolver: &mocks.Resolver{ + MockLookupHost: func(ctx context.Context, domain string) ([]string, error) { + return []string{"130.192.91.211", "130.192.91.231"}, nil + }, + }, + domain: "0.th.ooni.org", + totalExpectedEntries: 2, + initialExpectedEntries: []*httpsDialerTactic{{ + Address: "130.192.91.211", + InitialDelay: 0, + Port: "443", + SNI: "0.th.ooni.org", + VerifyHostname: "0.th.ooni.org", + }, { + Address: "130.192.91.231", + InitialDelay: 0, + Port: "443", + SNI: "0.th.ooni.org", + VerifyHostname: "0.th.ooni.org", + }}, + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + // Create manager for keeping track of statistics. This implies creating a background + // goroutine that we'll need to close when we're done. + stats := newStatsManager(tc.kvStore(), model.DiscardLogger, 24*time.Hour) + defer stats.Close() + + // Create a new HTTPS dialer policy. + policy := newHTTPSDialerPolicy( + tc.kvStore(), + model.DiscardLogger, + tc.proxyURL, // possibly nil + tc.resolver, + stats, + ) + + // Start to generate tactics for the given domain and port. + generator := policy.LookupTactics(context.Background(), tc.domain, "443") + + // Collect tactics + var tactics []*httpsDialerTactic + for entry := range generator { + tactics = append(tactics, entry) + } + + // To help debugging, log how many tactics we've got + t.Log("got", len(tactics), "tactics") + + // make sure the number of expected entries is the actual number + if len(tactics) != tc.totalExpectedEntries { + t.Fatal("expected", tc.totalExpectedEntries, ", got", len(tactics)) + } + + // make sure we have at least N initial entries + if len(tactics) < len(tc.initialExpectedEntries) { + t.Fatal("expected at least", len(tc.initialExpectedEntries), "tactics, got", len(tactics)) + } + + // if we have expected initial entries, make sure they match + if len(tc.initialExpectedEntries) > 0 { + if diff := cmp.Diff(tc.initialExpectedEntries, tactics[:len(tc.initialExpectedEntries)]); diff != "" { + t.Fatal(diff) + } + } }) } }