From 69b561f944b746ee1c0957081110f5c84a01dfa9 Mon Sep 17 00:00:00 2001 From: ginuerzh Date: Fri, 26 Jun 2026 22:00:35 +0800 Subject: [PATCH] feat: add comprehensive HTTP e2e tests covering connector, TLS, probeResist, idleTimeout, and UDP relay Adds 12 new HTTP handler test scenarios: HTTP connector (no-auth, auth, TLS upstream), CONNECT tunnel (no-sniffing, bypass-403), probeResist (host, web, file, knock), idleTimeout, and UDP relay over HTTP. Introduces RunGostContainerWithFiles helper for mounting extra files into test containers. --- tests/e2e/PLAN-HTTP.md | 276 ++++++++ tests/e2e/PLAN.md | 183 ++++++ tests/e2e/http_test.go | 605 ++++++++++++++++++ tests/e2e/scripts/http_idle_timeout.py | 60 ++ tests/e2e/scripts/http_udp_relay.py | 135 ++++ tests/e2e/testdata/http/client_connector.yaml | 20 + .../testdata/http/client_connector_auth.yaml | 23 + .../testdata/http/client_connector_tls.yaml | 20 + tests/e2e/testdata/http/decoy.html | 1 + tests/e2e/testdata/http/server.yaml | 7 + tests/e2e/testdata/http/server_auth.yaml | 16 + tests/e2e/testdata/http/server_connect.yaml | 12 + .../testdata/http/server_connect_bypass.yaml | 20 + tests/e2e/testdata/http/server_headers.yaml | 25 + .../testdata/http/server_idle_timeout.yaml | 9 + tests/e2e/testdata/http/server_metadata.yaml | 20 + .../http/server_proberesist_file.yaml | 16 + .../http/server_proberesist_host.yaml | 16 + .../http/server_proberesist_knock.yaml | 17 + .../testdata/http/server_proberesist_web.yaml | 16 + tests/e2e/testdata/http/server_tls.yaml | 7 + tests/e2e/testdata/http/server_udp.yaml | 9 + tests/e2e/utils.go | 28 +- 23 files changed, 1531 insertions(+), 10 deletions(-) create mode 100644 tests/e2e/PLAN-HTTP.md create mode 100644 tests/e2e/PLAN.md create mode 100644 tests/e2e/http_test.go create mode 100644 tests/e2e/scripts/http_idle_timeout.py create mode 100644 tests/e2e/scripts/http_udp_relay.py create mode 100644 tests/e2e/testdata/http/client_connector.yaml create mode 100644 tests/e2e/testdata/http/client_connector_auth.yaml create mode 100644 tests/e2e/testdata/http/client_connector_tls.yaml create mode 100644 tests/e2e/testdata/http/decoy.html create mode 100644 tests/e2e/testdata/http/server.yaml create mode 100644 tests/e2e/testdata/http/server_auth.yaml create mode 100644 tests/e2e/testdata/http/server_connect.yaml create mode 100644 tests/e2e/testdata/http/server_connect_bypass.yaml create mode 100644 tests/e2e/testdata/http/server_headers.yaml create mode 100644 tests/e2e/testdata/http/server_idle_timeout.yaml create mode 100644 tests/e2e/testdata/http/server_metadata.yaml create mode 100644 tests/e2e/testdata/http/server_proberesist_file.yaml create mode 100644 tests/e2e/testdata/http/server_proberesist_host.yaml create mode 100644 tests/e2e/testdata/http/server_proberesist_knock.yaml create mode 100644 tests/e2e/testdata/http/server_proberesist_web.yaml create mode 100644 tests/e2e/testdata/http/server_tls.yaml create mode 100644 tests/e2e/testdata/http/server_udp.yaml diff --git a/tests/e2e/PLAN-HTTP.md b/tests/e2e/PLAN-HTTP.md new file mode 100644 index 0000000..688ca92 --- /dev/null +++ b/tests/e2e/PLAN-HTTP.md @@ -0,0 +1,276 @@ +# 执行计划:HTTP Handler E2E 测试 + utils.go 重构 + +## 背景 + +从 PLAN.md 的 Step 0 和 Step 1A 开始实施。HTTP proxy 是 gost 最基础的协议,目前 e2e 测试仅覆盖 shadowsocks 和 parallel selector。本计划先重构 utils.go 提取公共 helper,然后用 helper 写 HTTP handler 测试套件,最后同步重构 shadowsocks_test.go。 + +## 变更文件清单 + +| 文件 | 操作 | 说明 | +|------|------|------| +| `tests/e2e/utils.go` | 修改 | 新增 `RunTCPCase` / `RunUDPCase` | +| `tests/e2e/http_test.go` | 新建 | HTTP proxy 测试套件 | +| `tests/e2e/testdata/http/server.yaml` | 新建 | 无 auth 的 HTTP proxy 服务器 | +| `tests/e2e/testdata/http/server_auth.yaml` | 新建 | 带 auth 的 HTTP proxy 服务器 | +| `tests/e2e/shadowsocks_test.go` | 修改 | 重构为使用 `RunTCPCase` / `RunUDPCase` | + +--- + +## Step 1: 修改 `utils.go` — 提取 RunTCPCase / RunUDPCase + +从 `shadowsocks_test.go` 的 `runTCPCase` 和 `runUDPCase` 提取为包级函数。关键差异:参数需要传入 echo container IP 和 echo container 本身(用于 dump logs)。 + +### RunTCPCase 签名与逻辑 + +```go +// RunTCPCase runs a full TCP proxy test case: +// start server → render client config → start client → curl assertion → cleanup. +func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP string, + name, serverConfig, clientConfig string) +``` + +逻辑(从 shadowsocks_test.go:132-160 提取,一字不差): +1. 生成 serverAlias = `name + "-server"` +2. `RunGostContainerWithOptions(ctx, networkName, serverConfig, [serverAlias], ["8388/tcp"])` +3. `defer serverC.Terminate(ctx)` +4. `RenderConfig(clientConfig, {ServerAddr: serverAlias + ":8388"})` +5. `defer os.Remove(rendered)` +6. `RunGostContainerWithPorts(ctx, networkName, rendered, "8080/tcp")` +7. `defer clientC.Terminate(ctx)` +8. `clientC.Exec(ctx, ["curl", "-v", "-s", "-x", "http://127.0.0.1:8080", "http://:5678"])` +9. 断言 exitCode==0 且 body 包含 `"hello-gost"`,失败时 DumpLogs + +**问题:端口硬编码**。shadowsocks 用 8388 作为服务端口,但其他协议可能用不同端口。需要参数化。 + +### 修正设计 — 参数化端口 + +```go +type TCPOptions struct { + ServerPort string // 容器内服务端口,默认 "8388/tcp" + ClientPort string // 客户端代理端口,默认 "8080/tcp" +} + +func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP string, + name, serverConfig, clientConfig string, opts ...TCPOptions) +``` + +当 `opts` 为空时使用默认值 `{ServerPort: "8388/tcp", ClientPort: "8080/tcp"}`。这样 shadowsocks 测试无需任何改动,而 HTTP 测试可传 `TCPOptions{ServerPort: "8080/tcp", ClientPort: "8080/tcp"}`。 + +等一下 — 仔细看 shadowsocks 的 server 容器暴露的是 `8388/tcp`,HTTP proxy 场景下只有一个 gost 容器(不做 server→client 链路),直接暴露 proxy 端口。 + +**重新思考:HTTP proxy 不需要 server+client 两容器模式。** + +HTTP proxy 测试是最简单的模式 — 只需一个 gost 容器运行 HTTP proxy,然后容器内 curl 通过它访问 echo server。这和 parallel_selector_test.go 的模式一致。但为了统一框架和后续协议(SOCKS5、relay 等都需要 server+client 模式),我们应该: + +- HTTP 的"无 auth"用例:**单容器模式**(同 parallel_selector) +- HTTP 的"带 auth"用例:**也可以单容器**,只需在 curl 加 `--proxy-user` + +所以 HTTP proxy 不需要 server/client 分离,但 RunTCPCase helper 仍然服务于 SOCKS5/relay 等需要链路的协议。 + +### 最终 RunTCPCase 设计 + +```go +func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP, name string, + serverConfig, clientConfig string, serverPort, clientPort string) +``` + +- `serverPort`: 服务端容器暴露端口,如 `"8388/tcp"` +- `clientPort`: 客户端容器暴露端口,如 `"8080/tcp"` +- 渲染模板时用 `ServerAddr: serverAlias + ":" + strings.TrimSuffix(serverPort, "/tcp")` + +### RunUDPCase 设计 + +```go +func RunUDPCase(t *testing.T, ctx context.Context, networkName, name string, + serverConfig, clientConfig string, serverPort, clientPort string) +``` + +逻辑从 shadowsocks_test.go:76-126 提取。 + +--- + +## Step 2: 新建 `testdata/http/` 配置文件 + +### `testdata/http/server.yaml` — 无 auth 的 HTTP proxy + +```yaml +services: +- name: http-proxy + addr: :8080 + handler: + type: http + listener: + type: tcp +``` + +单容器即可测试:gost 启动后在 :8080 提供 HTTP proxy 服务。 + +### `testdata/http/server_auth.yaml` — 带 auth 的 HTTP proxy + +```yaml +services: +- name: http-proxy-auth + addr: :8080 + handler: + type: http + auther: auther-0 + listener: + type: tcp + +authers: +- name: auther-0 + auths: + - username: user + password: pass +``` + +--- + +## Step 3: 新建 `http_test.go` + +### 套件结构 + +```go +type HTTPSuite struct { + suite.Suite + ctx context.Context + echoC testcontainers.Container + echoIP string +} + +func (s *HTTPSuite) SetupSuite() // 启动 TCP echo +func (s *HTTPSuite) TearDownSuite() // 关闭 echo + +func (s *HTTPSuite) TestHTTPProxy() // 无 auth +func (s *HTTPSuite) TestHTTPProxyAuth() // 带 auth + +func TestHTTPSuite(t *testing.T) { + suite.Run(t, new(HTTPSuite)) +} +``` + +### TestHTTPProxy — 单容器模式(同 parallel_selector) + +```go +func (s *HTTPSuite) TestHTTPProxy() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + code, out, err := gostC.Exec(s.ctx, cmd) + s.Require().NoError(err) + + body, err := io.ReadAll(out) + s.Require().NoError(err) + if code != 0 || !strings.Contains(string(body), "hello-gost") { + DumpLogs(s.T(), s.ctx, "http-proxy logs", gostC) + } + s.Require().Equal(0, code) + s.Require().Contains(string(body), "hello-gost") +} +``` + +### TestHTTPProxyAuth — 带 auth 验证 + +```go +func (s *HTTPSuite) TestHTTPProxyAuth() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server_auth.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + // 测试1:无 auth 应失败(407) + s.T().Run("no-auth-should-fail", func(t *testing.T) { + cmd := []string{"curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", + "-x", "http://127.0.0.1:8080", fmt.Sprintf("http://%s:5678", s.echoIP)} + code, out, _ := gostC.Exec(s.ctx, cmd) + body, _ := io.ReadAll(out) + // curl exit code 非 0 或 HTTP status 是 407 + // 注意:gost HTTP proxy 在无 auth 时返回 407,curl 不会自动重试 + // 所以这里验证返回码是 407 或 curl 返回非零 + httpStatus := strings.TrimSpace(string(body)) + s.Assert().True(code != 0 || httpStatus == "407", + "expected auth failure, got status: %s, exit code: %d", httpStatus, code) + }) + + // 测试2:正确 auth 应成功 + s.T().Run("with-auth-should-succeed", func(t *testing.T) { + cmd := []string{"curl", "-v", "-s", "-x", + "http://user:pass@127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + code, out, err := gostC.Exec(s.ctx, cmd) + s.Require().NoError(err) + + body, err := io.ReadAll(out) + s.Require().NoError(err) + if code != 0 || !strings.Contains(string(body), "hello-gost") { + DumpLogs(s.T(), s.ctx, "http-proxy-auth logs", gostC) + } + s.Require().Equal(0, code) + s.Require().Contains(string(body), "hello-gost") + }) +} +``` + +### 注意事项 +- HTTP proxy 是**单容器模式**,不需要 server/client 分离(不像 shadowsocks 需要解密/加密链路) +- auth 测试分两步:先验证无 auth 被拒(407),再验证正确 auth 成功 +- curl 使用 `http://user:pass@host:port` 格式传递 proxy auth + +--- + +## Step 4: 重构 `shadowsocks_test.go` + +将 `runTCPCase` 和 `runUDPCase` 方法替换为调用 `utils.go` 中的 `RunTCPCase` / `RunUDPCase`: + +**Before**: +```go +func (s *ShadowsocksSuite) TestShadowsocksTCP() { + s.runTCPCase("aes256gcm", "testdata/shadowsocks/tcp_server_aes256gcm.yaml", "testdata/shadowsocks/tcp_client_aes256gcm.yaml") + s.runTCPCase("chacha20", "testdata/shadowsocks/tcp_server_chacha20.yaml", "testdata/shadowsocks/tcp_client_chacha20.yaml") +} +``` + +**After**: +```go +func (s *ShadowsocksSuite) TestShadowsocksTCP() { + RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "aes256gcm", + "testdata/shadowsocks/tcp_server_aes256gcm.yaml", + "testdata/shadowsocks/tcp_client_aes256gcm.yaml", + "8388/tcp", "8080/tcp") + RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "chacha20", + "testdata/shadowsocks/tcp_server_chacha20.yaml", + "testdata/shadowsocks/tcp_client_chacha20.yaml", + "8388/tcp", "8080/tcp") +} +``` + +删除 `runTCPCase` 和 `runUDPCase` 方法。UDP 测试同理。 + +--- + +## 实施顺序 + +1. **`utils.go`** — 添加 `RunTCPCase` + `RunUDPCase`(不删除任何现有函数) +2. **`testdata/http/`** — 创建 `server.yaml` + `server_auth.yaml` +3. **`http_test.go`** — 创建 HTTP 套件 +4. **编译验证** — `cd gost && go build ./... && go vet ./tests/e2e/...` +5. **`shadowsocks_test.go`** — 重构为使用新 helper +6. **最终编译验证** — `go build ./... && go vet ./tests/e2e/...` +7. **运行测试** — `go test ./tests/e2e/ -v -run TestHTTPSuite -timeout 5m` +8. **回归测试** — `go test ./tests/e2e/ -v -run TestShadowsocksSuite -timeout 5m` + +--- + +## 验证 + +```bash +cd /config/workspace/go-gost/gost +go build ./... +go vet ./tests/e2e/... +go test ./tests/e2e/ -v -run TestHTTPSuite -timeout 5m +go test ./tests/e2e/ -v -run TestShadowsocksSuite -timeout 5m +``` diff --git a/tests/e2e/PLAN.md b/tests/e2e/PLAN.md new file mode 100644 index 0000000..955407a --- /dev/null +++ b/tests/e2e/PLAN.md @@ -0,0 +1,183 @@ +# Plan: Expand E2E Test Suite + +## Context + +The e2e test framework (`tests/e2e/`) currently covers only **2 protocols** (Shadowsocks, parallel selector) out of **~30+ registered protocols** in gost. This plan systematically adds test coverage for all major protocols, following the existing Docker-based testcontainers pattern exactly. + +**Key insight**: gost auto-generates self-signed TLS certs when none are provided (`x/config/parsing/tls.go` — `BuildDefaultTLSConfig`), and clients with default config skip cert verification. This means TLS-based protocols (ws→wss, h2c→h2, quic, etc.) can be tested **without mounting cert files**. + +--- + +## Step 0: Refactor `utils.go` — Add Reusable Test Helpers + +**File**: `tests/e2e/utils.go` + +Extract the repeated patterns from `shadowsocks_test.go` into reusable helpers: + +1. **`RunTCPCase(t, ctx, networkName, echoIP, name, serverConfig, clientConfig string)`** — Full lifecycle: start server → render client config → start client → curl assertion → cleanup. Extracts the logic from `ShadowsocksSuite.runTCPCase`. + +2. **`RunUDPCase(t, ctx, networkName, name, serverConfig, clientConfig string)`** — Same for UDP: start server → render client → start client → dial UDP → retry loop → assertion → cleanup. Extracts from `runUDPCase`. + +These eliminate ~40 lines of boilerplate per suite. Each suite's test methods become one-liners: +```go +func (s *SOCKS5Suite) TestSOCKS5TCP() { + RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "socks5-tcp", + "testdata/socks5/tcp_server.yaml", "testdata/socks5/tcp_client.yaml") +} +``` + +--- + +## Step 1: Tier 1 — Core Protocols (Plain TCP, No Special Infrastructure) + +Each suite follows the exact pattern: suite struct → `SetupSuite` (echo containers) → `TearDownSuite` → test methods calling `RunTCPCase`/`RunUDPCase` → `suite.Run()` entry point. + +### 1A. HTTP Proxy Suite +- **Files**: `http_test.go`, `testdata/http/` (2 configs) +- **Configs**: `server.yaml` (handler `http`, listener `tcp`), `server_auth.yaml` (+ basic auth) +- **Tests**: `TestHTTPProxy`, `TestHTTPProxyAuth` (curl with `--proxy-user`) +- **Note**: Simplest test — single gost container acts as HTTP proxy + +### 1B. SOCKS5 Suite +- **Files**: `socks5_test.go`, `testdata/socks5/` (4 configs) +- **Configs**: `tcp_server.yaml` (handler `socks5`), `tcp_client.yaml` (connector `socks5`, dialer `tcp`), + auth variants +- **Tests**: `TestSOCKS5TCP`, `TestSOCKS5TCPAuth` + +### 1C. SOCKS4 Suite +- **Files**: `socks4_test.go`, `testdata/socks4/` (4 configs) +- **Configs**: `tcp_server.yaml` (handler `socks4`), `tcp_client.yaml` (connector `socks4`), + socks4a variants +- **Tests**: `TestSOCKS4TCP`, `TestSOCKS4aTCP` + +### 1D. HTTP2 Cleartext Suite +- **Files**: `http2_test.go`, `testdata/http2/` (2 configs) +- **Configs**: `tcp_server.yaml` (handler `http2`, listener `http2`), `tcp_client.yaml` (connector `http2`, dialer `http2`) +- **Tests**: `TestHTTP2TCP` + +### 1E. Relay Suite +- **Files**: `relay_test.go`, `testdata/relay/` (4 configs) +- **Configs**: `tcp_server.yaml` (handler `relay`, listener `tcp`), `tcp_client.yaml` (connector `relay`, dialer `tcp`), + auth variants +- **Tests**: `TestRelayTCP`, `TestRelayTCPAuth` + +--- + +## Step 2: Tier 2 — TLS/Transport Protocols + +Same pattern but using TLS listeners/dialers. No explicit cert files needed — gost auto-generates them. + +### 2A. TLS Suite +- **Files**: `tls_test.go`, `testdata/tls/` (4 configs) +- **Tests**: `TestTLSHTTPProxy` (handler `http` + listener `tls`), `TestTLSSOCKS5` (handler `socks5` + listener `tls`) + +### 2B. WebSocket Suite +- **Files**: `ws_test.go`, `testdata/ws/` (4 configs) +- **Tests**: `TestWSSOCKS5` (dialer `ws`), `TestWSSSOCKS5` (dialer `wss`) + +### 2C. gRPC Suite +- **Files**: `grpc_test.go`, `testdata/grpc/` (2 configs) +- **Tests**: `TestGRPCSOCKS5` (listener `grpc`, metadata `insecure: true`) + +### 2D. HTTP/2 TLS (h2) Suite +- **Files**: `h2_test.go`, `testdata/h2/` (2 configs) +- **Tests**: `TestH2HTTP2Proxy` (listener `h2`, dialer `h2`) + +### 2E. QUIC Suite +- **Files**: `quic_test.go`, `testdata/quic/` (2 configs) +- **Tests**: `TestQUICHTTP` (listener `quic`, handler `http` — uses UDP ports) + +### 2F. KCP Suite +- **Files**: `kcp_test.go`, `testdata/kcp/` (2 configs) +- **Tests**: `TestKCPSOCKS5` (listener `kcp`, handler `socks5` — uses UDP) + +### 2G. Multiplex Variants (mws/mwss/mtls/mtcp) +- **Files**: `mux_test.go`, `testdata/mux/` (6 configs) +- **Tests**: `TestMWSSOCKS5`, `TestMWSSSOCKS5`, `TestMtlSSOCKS5`, `TestMtcpSOCKS5` + +### 2H. Obfuscation (ohttp/otls) +- **Files**: `obfs_test.go`, `testdata/obfs/` (4 configs) +- **Tests**: `TestOHTTP`, `TestOTLS` + +### 2I. PHT (HTTP Pipe) +- **Files**: `pht_test.go`, `testdata/pht/` (4 configs) +- **Tests**: `TestPHT`, `TestPHTS` + +--- + +## Step 3: Tier 3 — Special Infrastructure (Deferred) + +These require Docker capabilities (`NET_ADMIN`, `NET_RAW`), SSH key generation, or iptables setup. Implemented after Tiers 1-2 are stable. + +| Protocol | Challenge | Approach | +|----------|-----------|----------| +| SSH/sshd | Host key generation | Generate SSH key at test time, mount into container | +| HTTP/3/WebTransport | QUIC+UDP, TLS | Uses UDP like QUIC suite; auto certs work | +| TUN/TAP | `CAP_NET_ADMIN`, `/dev/net/tun` | Privileged container + routing setup | +| Tungo/MASQUE | Same as TUN | Same approach | +| ICMP | `CAP_NET_RAW`, raw sockets | Privileged container | +| Redirect (red/redu) | iptables rules | Privileged + iptables setup in container | +| DTLS | UDP + TLS | Auto certs; UDP port mapping | + +--- + +## Files to Create/Modify + +### New files (per suite): +- `tests/e2e/_test.go` — Suite struct + test methods +- `tests/e2e/testdata//` — Server + client YAML configs + +### Modified files: +- `tests/e2e/utils.go` — Add `RunTCPCase`, `RunUDPCase` helpers +- `tests/e2e/shadowsocks_test.go` — Refactor to use new helpers (optional, reduces duplication) +- `tests/e2e/README.md` — Document new suites + +### Reference files (read-only): +- `tests/e2e/shadowsocks_test.go` — Pattern template for all suites +- `tests/e2e/testdata/shadowsocks/tcp_server_aes256gcm.yaml` — Server config template +- `tests/e2e/testdata/shadowsocks/tcp_client_aes256gcm.yaml` — Client config template + +--- + +## Config Pattern Reference + +**Server** (all protocols): +```yaml +services: +- name: -server + addr: : + handler: + type: + listener: + type: +``` + +**Client** (all protocols): +```yaml +services: +- name: http-proxy + addr: :8080 + handler: + type: http + chain: -chain + listener: + type: tcp +chains: +- name: -chain + hops: + - name: -hop + nodes: + - name: -node + addr: {{.ServerAddr}} + connector: + type: + dialer: + type: +``` + +--- + +## Verification + +After each suite is implemented: +1. `cd gost && go build ./...` — Ensure compilation +2. `go vet ./tests/e2e/` — Static analysis +3. `go test ./tests/e2e/ -v -run TestXxxSuite -timeout 5m` — Run individual suite +4. `go test ./tests/e2e/ -v -timeout 10m` — Run all suites together diff --git a/tests/e2e/http_test.go b/tests/e2e/http_test.go new file mode 100644 index 0000000..a9b763c --- /dev/null +++ b/tests/e2e/http_test.go @@ -0,0 +1,605 @@ +package e2e + +import ( + "context" + "encoding/base64" + "fmt" + "io" + "os" + "strings" + "testing" + + "github.com/stretchr/testify/suite" + "github.com/testcontainers/testcontainers-go" +) + +type HTTPSuite struct { + suite.Suite + ctx context.Context + echoC testcontainers.Container + echoIP string +} + +func (s *HTTPSuite) SetupSuite() { + s.ctx = context.Background() + + s.T().Logf("start tcp echo container...") + echoC, err := RunEchoContainer(s.ctx, SharedNetworkName) + s.Require().NoError(err) + s.echoC = echoC + + echoIP, err := echoC.ContainerIP(s.ctx) + s.Require().NoError(err) + s.echoIP = echoIP +} + +// sendRaw sends a raw HTTP request via netcat and returns the response. +// Uses base64 to avoid shell quoting issues with CRLF bytes. +func (s *HTTPSuite) sendRaw(gostC testcontainers.Container, host, port, data string) string { + encoded := base64.StdEncoding.EncodeToString([]byte(data)) + cmd := []string{"sh", "-c", + fmt.Sprintf("echo %s | base64 -d | nc -w 5 %s %s", encoded, host, port)} + _, out, _ := gostC.Exec(s.ctx, cmd) + b, _ := io.ReadAll(out) + return string(b) +} + +func (s *HTTPSuite) TearDownSuite() { + if s.echoC != nil { + s.echoC.Terminate(s.ctx) + } +} + +// TestHTTPProxy verifies basic HTTP forward proxy (no auth, no metadata). +// Covers: handler type http, listener type tcp, basic GET via proxy. +func (s *HTTPSuite) TestHTTPProxy() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + // curl -x uses HTTP forward proxy (GET with absolute URL) + cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + code, out, err := gostC.Exec(s.ctx, cmd) + s.Require().NoError(err) + + body, err := io.ReadAll(out) + s.Require().NoError(err) + if code != 0 || !strings.Contains(string(body), "hello-gost") { + DumpLogs(s.T(), s.ctx, "http-proxy logs", gostC) + } + s.Require().Equal(0, code) + s.Require().Contains(string(body), "hello-gost") +} + +// TestHTTPProxyAuth verifies proxy authentication and the authBasicRealm +// metadata parameter. +// +// Covers: +// - auther: basic auth on HTTP proxy +// - authBasicRealm: custom realm string in 407 Proxy-Authenticate header +func (s *HTTPSuite) TestHTTPProxyAuth() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server_auth.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + s.T().Run("no-auth-407", func(t *testing.T) { + cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null", + "-x", "http://127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + _, out, _ := gostC.Exec(s.ctx, cmd) + body, _ := io.ReadAll(out) + output := string(body) + s.Assert().Contains(output, "407", + "no auth should return 407") + s.Assert().Contains(output, "gost-e2e-realm", + "authBasicRealm should appear in 407 Proxy-Authenticate") + }) + + s.T().Run("wrong-auth-407", func(t *testing.T) { + cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}", + "-x", "http://wrong:pass@127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + _, out, _ := gostC.Exec(s.ctx, cmd) + body, _ := io.ReadAll(out) + s.Assert().Contains(string(body), "407", + "wrong password should return 407") + }) + + s.T().Run("with-auth-success", func(t *testing.T) { + cmd := []string{"curl", "-v", "-s", "-x", "http://user:pass@127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + code, out, err := gostC.Exec(s.ctx, cmd) + s.Require().NoError(err) + + body, err := io.ReadAll(out) + s.Require().NoError(err) + if code != 0 || !strings.Contains(string(body), "hello-gost") { + DumpLogs(s.T(), s.ctx, "http-proxy-auth logs", gostC) + } + s.Require().Equal(0, code) + s.Require().Contains(string(body), "hello-gost") + }) +} + +// TestHTTPProxyMetadata verifies: +// - probeResist: code:404 — unauthorised clients see 404 instead of 407 +// - keepalive: config parsing (applied at Init time) +// - compression: config parsing (applied at Init time) +func (s *HTTPSuite) TestHTTPProxyMetadata() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server_metadata.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + s.T().Run("probe-resist-404", func(t *testing.T) { + cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}", + "-x", "http://127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + _, out, _ := gostC.Exec(s.ctx, cmd) + body, _ := io.ReadAll(out) + output := string(body) + s.Assert().NotContains(output, "407", + "probeResist should hide 407 status") + s.Assert().Contains(output, "404", + "probeResist should return configured decoy code") + }) + + s.T().Run("with-auth-success", func(t *testing.T) { + cmd := []string{"curl", "-v", "-s", "-x", "http://user:pass@127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + code, out, err := gostC.Exec(s.ctx, cmd) + s.Require().NoError(err) + + body, err := io.ReadAll(out) + s.Require().NoError(err) + if code != 0 || !strings.Contains(string(body), "hello-gost") { + DumpLogs(s.T(), s.ctx, "http-metadata logs", gostC) + } + s.Require().Equal(0, code) + s.Require().Contains(string(body), "hello-gost") + }) +} + +// TestHTTPProxyHeaders verifies: +// - header: custom response headers (X-Proxy-Info, X-Custom) on +// proxy-originated error responses. The header metadata is set on +// the skeleton response used for error paths after authentication. +// - proxyAgent: custom Proxy-Agent header in proxy responses. +// +// Uses a bypass matcher (0.0.0.0/0) that blocks all traffic after auth +// succeeds → requests hit 403 Forbidden path which carries custom headers. +func (s *HTTPSuite) TestHTTPProxyHeaders() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server_headers.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + // Auth succeeds, but target is bypassed → 403 Forbidden + // The 403 response is built from the skeleton resp which + // carries h.md.header (custom headers) and h.md.proxyAgent. + s.T().Log("bypass: expect 403 with custom headers") + cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null", + "-x", "http://user:pass@127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + _, out, _ := gostC.Exec(s.ctx, cmd) + headers, _ := io.ReadAll(out) + output := string(headers) + + // Bypass → 403 Forbidden + s.Assert().Contains(output, "403", + "bypass should return 403") + // header: custom X-Proxy-Info header on error response + s.Assert().Contains(output, "X-Proxy-Info: gost-e2e", + "custom header should appear in 403 response") + // header: custom X-Custom header on error response + s.Assert().Contains(output, "X-Custom: test-value", + "custom header should appear in 403 response") + // proxyAgent: custom Proxy-Agent header on error response + s.Assert().Contains(output, "Proxy-Agent: gost-e2e/1.0", + "proxyAgent should appear in 403 response") +} + +// TestHTTPConnect verifies HTTP CONNECT tunnel: +// - sniffing-enabled: sniffing:true + sniffing.timeout:2s +// - no-sniffing: plain CONNECT (default, no metadata) +// - bypass-403: CONNECT blocked by (0.0.0.0/0) bypass +// +// Uses curl --proxytunnel (-p) to force CONNECT method instead of GET. +func (s *HTTPSuite) TestHTTPConnect() { + s.T().Run("sniffing-enabled", func(t *testing.T) { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server_connect.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + cmd := []string{"curl", "-v", "-s", "-p", "-x", "http://127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + code, out, err := gostC.Exec(s.ctx, cmd) + s.Require().NoError(err) + + body, err := io.ReadAll(out) + s.Require().NoError(err) + if code != 0 || !strings.Contains(string(body), "hello-gost") { + DumpLogs(s.T(), s.ctx, "http-connect sniffing logs", gostC) + } + s.Require().Equal(0, code) + s.Require().Contains(string(body), "hello-gost") + }) + + s.T().Run("no-sniffing", func(t *testing.T) { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + cmd := []string{"curl", "-v", "-s", "-p", "-x", "http://127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + code, out, err := gostC.Exec(s.ctx, cmd) + s.Require().NoError(err) + + body, err := io.ReadAll(out) + s.Require().NoError(err) + if code != 0 || !strings.Contains(string(body), "hello-gost") { + DumpLogs(s.T(), s.ctx, "http-connect no-sniffing logs", gostC) + } + s.Require().Equal(0, code) + s.Require().Contains(string(body), "hello-gost") + }) + + s.T().Run("bypass-403", func(t *testing.T) { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server_connect_bypass.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null", + "-p", "-x", "http://user:pass@127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + _, out, _ := gostC.Exec(s.ctx, cmd) + body, _ := io.ReadAll(out) + output := string(body) + s.Assert().Contains(output, "403", + "CONNECT bypass should return 403") + }) +} + +// TestHTTPProxyDirectRequest verifies that a non-proxy-form HTTP request +// (raw GET / sent to the proxy port) is rejected with 400 Bad Request. +// A raw request with empty Host header has no valid scheme to infer, +// so the handler returns 400. +func (s *HTTPSuite) TestHTTPProxyDirectRequest() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + resp := s.sendRaw(gostC, "127.0.0.1", "8080", + "GET / HTTP/1.0\r\nHost: bad!\r\n\r\n") + s.Assert().Contains(resp, "400", + "non-proxy GET should return 400") +} + +// TestHTTPProxyPOST verifies that POST method forwarding works through +// the HTTP forward proxy. The echo server only handles GET, so the proxy +// should forward the POST request and return whatever the upstream sends +// back (501 Not Implemented from the echo server — not a proxy error). +// 501 is the real upstream response, proving the proxy forwarded it. +func (s *HTTPSuite) TestHTTPProxyPOST() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}", + "-X", "POST", "-x", "http://127.0.0.1:8080", + fmt.Sprintf("http://%s:5678/", s.echoIP)} + _, out, _ := gostC.Exec(s.ctx, cmd) + body, _ := io.ReadAll(out) + output := string(body) + // The echo server's BaseHTTPRequestHandler defaults to 501 for POST. + // If we get 501 through the proxy, it means the method was forwarded. + s.Assert().Contains(output, "501", + "POST through proxy should be forwarded, echo server returns 501") +} + +// TestHTTPConnectUnreachable verifies that CONNECT to an unreachable target +// returns 503 Service Unavailable. +func (s *HTTPSuite) TestHTTPConnectUnreachable() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server_connect.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + // Send a raw CONNECT request to a port where nothing is listening. + resp := s.sendRaw(gostC, "127.0.0.1", "8080", + fmt.Sprintf("CONNECT %s:1 HTTP/1.0\r\nHost: %s:1\r\n\r\n", s.echoIP, s.echoIP)) + s.Assert().Contains(resp, "503", + "CONNECT to unreachable target should return 503") +} + +// TestHTTPConnector verifies HTTP connector type: a gost client uses an HTTP +// connector to forward through an upstream HTTP proxy (no auth), reaching the +// target via the proxy chain. This covers the server+client two-container +// pattern where the client connects to the server via connector type: http. +func (s *HTTPSuite) TestHTTPConnector() { + // Start upstream HTTP proxy server (no auth). + serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName, + "testdata/http/server.yaml", []string{"http-server"}, []string{"8080/tcp"}) + s.Require().NoError(err) + defer serverC.Terminate(s.ctx) + + // Render client config that chains through the upstream server. + rendered, err := RenderConfig("testdata/http/client_connector.yaml", + ConfigData{ServerAddr: "http-server:8080"}) + s.Require().NoError(err) + defer os.Remove(rendered) + + // Start client with the rendered config. + clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + rendered, "8080/tcp") + s.Require().NoError(err) + defer clientC.Terminate(s.ctx) + + // Request through client proxy → HTTP connector → upstream HTTP server → target. + cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + code, out, err := clientC.Exec(s.ctx, cmd) + s.Require().NoError(err) + + body, err := io.ReadAll(out) + s.Require().NoError(err) + if code != 0 || !strings.Contains(string(body), "hello-gost") { + DumpLogs(s.T(), s.ctx, "http-connector client logs", clientC) + DumpLogs(s.T(), s.ctx, "http-connector server logs", serverC) + } + s.Require().Equal(0, code) + s.Require().Contains(string(body), "hello-gost") +} + +// TestHTTPConnectorAuth verifies HTTP connector with authentication: +// no-auth → 407, correct auth → success. +func (s *HTTPSuite) TestHTTPConnectorAuth() { + // Start upstream HTTP proxy with auth and network alias. + serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName, + "testdata/http/server_auth.yaml", []string{"http-server"}, []string{"8080/tcp"}) + s.Require().NoError(err) + defer serverC.Terminate(s.ctx) + + s.T().Run("no-auth-407", func(t *testing.T) { + // Send raw request directly to server container (no auth) → 407. + resp := s.sendRaw(serverC, "127.0.0.1", "8080", + "GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n") + s.Assert().Contains(resp, "407", + "no auth via upstream should return 407") + }) + + s.T().Run("correct-auth-success", func(t *testing.T) { + rendered, err := RenderConfig("testdata/http/client_connector_auth.yaml", + ConfigData{ServerAddr: "http-server:8080"}) + s.Require().NoError(err) + defer os.Remove(rendered) + + clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + rendered, "8080/tcp") + s.Require().NoError(err) + defer clientC.Terminate(s.ctx) + + cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + code, out, err := clientC.Exec(s.ctx, cmd) + s.Require().NoError(err) + + body, err := io.ReadAll(out) + s.Require().NoError(err) + if code != 0 || !strings.Contains(string(body), "hello-gost") { + DumpLogs(s.T(), s.ctx, "http-connector-auth client logs", clientC) + DumpLogs(s.T(), s.ctx, "http-connector-auth server logs", serverC) + } + s.Require().Equal(0, code) + s.Require().Contains(string(body), "hello-gost") + }) +} + +// TestHTTPProbeResistHost verifies probeResist host type. +// When auth fails, the handler pipes the raw request to +// the decoy host (tcp-echo:5678). The TCP echo server echoes +// back the request bytes rather than returning a 407. +func (s *HTTPSuite) TestHTTPProbeResistHost() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server_proberesist_host.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + // Without auth, probeResist host pipes the raw request to tcp-echo:5678. + // The HTTP echo server returns 200 OK with "hello-gost", proving the + // request reached the decoy host rather than getting a 407 response. + resp := s.sendRaw(gostC, "127.0.0.1", "8080", + "GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n") + s.Assert().NotContains(resp, "407", + "probeResist host should hide 407 response") + s.Assert().Contains(resp, "hello-gost", + "probeResist host should pipe request to decoy host") +} + +// TestHTTPProbeResistKnock verifies probeResist knock mechanism. +// Clients that connect with a recognized knock Host header +// get a normal 407 auth challenge instead of the decoy response. +// +// Uses server_proberesist_knock.yaml: +// - probeResist: code:404 (decoy 404 for unknown hosts) +// - knock: secret.example.com (known hosts get normal 407) +func (s *HTTPSuite) TestHTTPProbeResistKnock() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server_proberesist_knock.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + s.T().Run("unknown-host-decoy", func(t *testing.T) { + // URL hostname doesn't match knock list → probeResist fires → 404 + resp := s.sendRaw(gostC, "127.0.0.1", "8080", + "GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n") + s.Assert().Contains(resp, "404", + "unknown host should get decoy 404") + s.Assert().NotContains(resp, "407", + "unknown host should NOT get 407") + }) + + s.T().Run("knock-host-407", func(t *testing.T) { + // URL hostname matches knock list → normal 407 auth challenge. + // Note: knock checks req.URL.Hostname(), not the Host header. + resp := s.sendRaw(gostC, "127.0.0.1", "8080", + "GET http://secret.example.com:5678/ HTTP/1.0\r\nHost: secret.example.com\r\n\r\n") + s.Assert().Contains(resp, "407", + "knock host should get normal 407") + }) +} + +// TestHTTPConnectorTLS verifies HTTP connector using TLS dialer +// to upstream HTTPS proxy (listener type: tls). +// The TLS listener auto-generates a self-signed cert; +// the TLS dialer defaults to InsecureSkipVerify=true, so +// handshake succeeds without explicit cert configuration. +func (s *HTTPSuite) TestHTTPConnectorTLS() { + serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName, + "testdata/http/server_tls.yaml", []string{"tls-server"}, []string{"8443/tcp"}) + s.Require().NoError(err) + defer serverC.Terminate(s.ctx) + + rendered, err := RenderConfig("testdata/http/client_connector_tls.yaml", + ConfigData{ServerAddr: "tls-server:8443"}) + s.Require().NoError(err) + defer os.Remove(rendered) + + clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + rendered, "8080/tcp") + s.Require().NoError(err) + defer clientC.Terminate(s.ctx) + + cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080", + fmt.Sprintf("http://%s:5678", s.echoIP)} + code, out, err := clientC.Exec(s.ctx, cmd) + s.Require().NoError(err) + + body, err := io.ReadAll(out) + s.Require().NoError(err) + if code != 0 || !strings.Contains(string(body), "hello-gost") { + DumpLogs(s.T(), s.ctx, "http-connector-tls client logs", clientC) + DumpLogs(s.T(), s.ctx, "http-connector-tls server logs", serverC) + } + s.Require().Equal(0, code) + s.Require().Contains(string(body), "hello-gost") +} + +// TestHTTPProbeResistWeb verifies probeResist web type. +// On auth failure, the handler fetches the decoy URL +// (tcp-echo:5678) and returns its response body. +func (s *HTTPSuite) TestHTTPProbeResistWeb() { + gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName, + "testdata/http/server_proberesist_web.yaml", "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + // Without auth, probeResist web fetches http://tcp-echo:5678 + // and returns the echo server's response ("hello-gost"). + resp := s.sendRaw(gostC, "127.0.0.1", "8080", + "GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n") + s.Assert().NotContains(resp, "407", + "probeResist web should hide 407 response") + s.Assert().Contains(resp, "hello-gost", + "probeResist web should return decoy response body") +} + +// TestHTTPProbeResistFile verifies probeResist file type. +// On auth failure, the handler reads a local file and +// returns its contents as the HTTP response body. +func (s *HTTPSuite) TestHTTPProbeResistFile() { + gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName, + "testdata/http/server_proberesist_file.yaml", + []testcontainers.ContainerFile{ + {HostFilePath: "testdata/http/decoy.html", ContainerFilePath: "/tmp/decoy.html", FileMode: 0644}, + }, + "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + // Without auth, probeResist file reads /tmp/decoy.html and + // returns "decoy-response" rather than a 407. + resp := s.sendRaw(gostC, "127.0.0.1", "8080", + "GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n") + s.Assert().NotContains(resp, "407", + "probeResist file should hide 407 response") + s.Assert().Contains(resp, "decoy-response", + "probeResist file should return decoy file content") +} + +// TestHTTPIdleTimeout verifies idleTimeout on CONNECT tunnels. +// After the configured idle timeout, the pipe between client +// and target should close. +func (s *HTTPSuite) TestHTTPIdleTimeout() { + gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName, + "testdata/http/server_idle_timeout.yaml", + []testcontainers.ContainerFile{ + {HostFilePath: "scripts/http_idle_timeout.py", ContainerFilePath: "/scripts/http_idle_timeout.py", FileMode: 0644}, + }, + "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + // The Python script: + // 1. Opens a CONNECT tunnel to tcp-echo:5678 + // 2. Sends and receives data (confirm tunnel is alive) + // 3. Waits > idleTimeout (3s + 2s buffer) + // 4. Sends more data — expects connection to be closed + code, out, err := gostC.Exec(s.ctx, []string{ + "python3", "/scripts/http_idle_timeout.py", + "127.0.0.1", "8080", "3", + }) + output, _ := io.ReadAll(out) + s.T().Logf("idle timeout output:\n%s", string(output)) + if code != 0 { + DumpLogs(s.T(), s.ctx, "http-idle-timeout logs", gostC) + } + s.Require().Equal(0, code, "idle timeout test script should exit 0") +} + +// TestHTTPUDPRelay verifies UDP relay over HTTP. Uses +// X-Gost-Protocol: udp in the CONNECT request to establish +// a SOCKS5 UDP tunnel through the HTTP handler. +func (s *HTTPSuite) TestHTTPUDPRelay() { + // Start UDP echo container on the shared network. + udpC, err := RunUDPEchoContainer(s.ctx, SharedNetworkName) + s.Require().NoError(err) + defer udpC.Terminate(s.ctx) + + gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName, + "testdata/http/server_udp.yaml", + []testcontainers.ContainerFile{ + {HostFilePath: "scripts/http_udp_relay.py", ContainerFilePath: "/scripts/http_udp_relay.py", FileMode: 0644}, + }, + "8080/tcp") + s.Require().NoError(err) + defer gostC.Terminate(s.ctx) + + // The Python script: + // 1. Connects to gost HTTP proxy + // 2. Sends CONNECT with X-Gost-Protocol: udp + // 3. After 200 OK, sends a SOCKS5 UDP frame targeting udp-echo:5679 + // 4. Reads back the echoed frame + code, out, err := gostC.Exec(s.ctx, []string{ + "python3", "/scripts/http_udp_relay.py", + "127.0.0.1", "8080", + }) + output, _ := io.ReadAll(out) + s.T().Logf("udp relay output:\n%s", string(output)) + if code != 0 { + DumpLogs(s.T(), s.ctx, "http-udp logs", gostC) + } + s.Require().Equal(0, code, "udp relay test script should exit 0") +} + +func TestHTTPSuite(t *testing.T) { + suite.Run(t, new(HTTPSuite)) +} diff --git a/tests/e2e/scripts/http_idle_timeout.py b/tests/e2e/scripts/http_idle_timeout.py new file mode 100644 index 0000000..89f8ee9 --- /dev/null +++ b/tests/e2e/scripts/http_idle_timeout.py @@ -0,0 +1,60 @@ +import socket +import sys +import time + + +def main(): + host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1" + port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080 + idle_timeout = int(sys.argv[3]) if len(sys.argv) > 3 else 3 + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(10) + s.connect((host, port)) + + # CONNECT to echo server + req = b"CONNECT tcp-echo:5678 HTTP/1.1\r\nHost: tcp-echo:5678\r\n\r\n" + s.sendall(req) + + # Read 200 OK response + resp = b"" + while b"\r\n\r\n" not in resp: + chunk = s.recv(4096) + if not chunk: + break + resp += chunk + + if b"200" not in resp: + print(f"FAIL: expected 200, got {resp.decode(errors='replace')}") + sys.exit(1) + + # Send request through the CONNECT tunnel + s.sendall(b"ping-1\n") + data = s.recv(4096) + if b"ping-1" not in data: + print(f"FAIL: expected ping-1 echo, got {data!r}") + sys.exit(1) + print(f"PASS: first request through tunnel succeeded") + + # Wait longer than idleTimeout + wait = idle_timeout + 2 + print(f"Waiting {wait}s for idle timeout...") + time.sleep(wait) + + # Try to send more data — idle timeout should have closed the pipe + try: + s.sendall(b"ping-2\n") + data = s.recv(4096) + if not data: + print("PASS: connection closed after idle timeout (empty recv)") + sys.exit(0) + # Got data means the pipe is still alive + print(f"FAIL: connection still alive after idle timeout, got {data!r}") + sys.exit(1) + except (socket.timeout, ConnectionResetError, BrokenPipeError, OSError) as e: + print(f"PASS: connection closed after idle timeout: {e}") + sys.exit(0) + + +if __name__ == "__main__": + main() diff --git a/tests/e2e/scripts/http_udp_relay.py b/tests/e2e/scripts/http_udp_relay.py new file mode 100644 index 0000000..2257d62 --- /dev/null +++ b/tests/e2e/scripts/http_udp_relay.py @@ -0,0 +1,135 @@ +import socket +import struct +import sys + + +UDP_ECHO_HOST = "udp-echo" +UDP_ECHO_PORT = 5679 + + +def encode_socks5_addr(host, port): + """Encode (host, port) as SOCKS5 ADDRESS + PORT. + + Uses ATYP=3 (domain name) so Docker DNS resolves the host. + Returns (atyp, address_bytes, port_bytes). + """ + host_bytes = host.encode() + addr_bytes = struct.pack("!B", len(host_bytes)) + host_bytes + port_bytes = struct.pack("!H", port) + return 0x03, addr_bytes, port_bytes + + +def build_udp_frame(payload, host, port): + """Build a SOCKS5 UDP relay frame over TCP. + + gost HTTP UDP relay uses RSV=data-length and FRAG=0xff. + Frame: [RSV:2][FRAG:1][ATYP:1][DST.ADDR][DST.PORT:2][DATA] + """ + atyp, addr_bytes, port_bytes = encode_socks5_addr(host, port) + rsv = struct.pack("!H", len(payload)) + frag = b"\xff" + atyp_byte = struct.pack("!B", atyp) + return rsv + frag + atyp_byte + addr_bytes + port_bytes + payload + + +def recvn(sock, n): + """Receive exactly n bytes from socket.""" + buf = b"" + while len(buf) < n: + chunk = sock.recv(n - len(buf)) + if not chunk: + raise ConnectionError("connection closed while reading") + buf += chunk + return buf + + +def read_socks5_frame(sock): + """Read one SOCKS5 UDP relay frame from the TCP connection. + + Returns (addr, port, data). + """ + # Read header: RSV(2) + FRAG(1) + ATYP(1) + header = recvn(sock, 4) + rsv = struct.unpack("!H", header[:2])[0] + frag = header[2] + atyp = header[3] + + # Read address based on ATYP + if atyp == 1: # IPv4 + addr_bytes = recvn(sock, 4) + addr = socket.inet_ntoa(addr_bytes) + elif atyp == 3: # Domain name + domain_len = recvn(sock, 1) + addr = recvn(sock, domain_len[0]).decode() + elif atyp == 4: # IPv6 + addr_bytes = recvn(sock, 16) + addr = socket.inet_ntop(socket.AF_INET6, addr_bytes) + else: + raise ValueError(f"unknown ATYP: {atyp}") + + port_bytes = recvn(sock, 2) + port = struct.unpack("!H", port_bytes)[0] + + # Read data + if rsv > 0: + data = recvn(sock, rsv) + else: + # Standard SOCKS5 UDP: read remaining + data = b"" + while True: + chunk = sock.recv(4096) + if not chunk: + break + data += chunk + + return addr, port, data + + +def main(): + host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1" + port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080 + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(10) + s.connect((host, port)) + + # Send CONNECT with X-Gost-Protocol: udp + req = ( + b"CONNECT 0.0.0.0:0 HTTP/1.1\r\n" + b"Host: 0.0.0.0:0\r\n" + b"X-Gost-Protocol: udp\r\n" + b"Proxy-Connection: keep-alive\r\n" + b"\r\n" + ) + s.sendall(req) + + # Read 200 OK + resp = b"" + while b"\r\n\r\n" not in resp: + chunk = s.recv(4096) + if not chunk: + break + resp += chunk + + if b"200" not in resp: + print(f"FAIL: expected 200, got {resp.decode(errors='replace')}") + sys.exit(1) + + # Build and send UDP relay frame + payload = b"hello-gost" + frame = build_udp_frame(payload, UDP_ECHO_HOST, UDP_ECHO_PORT) + s.sendall(frame) + + # Read response frame + addr, rport, data = read_socks5_frame(s) + + if b"hello-gost" in data: + print(f"PASS: received expected data from {addr}:{rport}") + sys.exit(0) + else: + print(f"FAIL: expected hello-gost in response, got {data!r}") + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/tests/e2e/testdata/http/client_connector.yaml b/tests/e2e/testdata/http/client_connector.yaml new file mode 100644 index 0000000..a888378 --- /dev/null +++ b/tests/e2e/testdata/http/client_connector.yaml @@ -0,0 +1,20 @@ +services: +- name: http-proxy + addr: :8080 + handler: + type: http + chain: http-chain + listener: + type: tcp + +chains: +- name: http-chain + hops: + - name: hop-0 + nodes: + - name: node-0 + addr: {{.ServerAddr}} + connector: + type: http + dialer: + type: tcp diff --git a/tests/e2e/testdata/http/client_connector_auth.yaml b/tests/e2e/testdata/http/client_connector_auth.yaml new file mode 100644 index 0000000..8690662 --- /dev/null +++ b/tests/e2e/testdata/http/client_connector_auth.yaml @@ -0,0 +1,23 @@ +services: +- name: http-proxy + addr: :8080 + handler: + type: http + chain: http-chain + listener: + type: tcp + +chains: +- name: http-chain + hops: + - name: hop-0 + nodes: + - name: node-0 + addr: {{.ServerAddr}} + connector: + type: http + auth: + username: user + password: pass + dialer: + type: tcp diff --git a/tests/e2e/testdata/http/client_connector_tls.yaml b/tests/e2e/testdata/http/client_connector_tls.yaml new file mode 100644 index 0000000..53902d6 --- /dev/null +++ b/tests/e2e/testdata/http/client_connector_tls.yaml @@ -0,0 +1,20 @@ +services: +- name: http-proxy + addr: :8080 + handler: + type: http + chain: https-chain + listener: + type: tcp + +chains: +- name: https-chain + hops: + - name: hop-0 + nodes: + - name: node-0 + addr: {{.ServerAddr}} + connector: + type: http + dialer: + type: tls diff --git a/tests/e2e/testdata/http/decoy.html b/tests/e2e/testdata/http/decoy.html new file mode 100644 index 0000000..5ffbd67 --- /dev/null +++ b/tests/e2e/testdata/http/decoy.html @@ -0,0 +1 @@ +decoy-response diff --git a/tests/e2e/testdata/http/server.yaml b/tests/e2e/testdata/http/server.yaml new file mode 100644 index 0000000..413275d --- /dev/null +++ b/tests/e2e/testdata/http/server.yaml @@ -0,0 +1,7 @@ +services: +- name: http-proxy + addr: :8080 + handler: + type: http + listener: + type: tcp diff --git a/tests/e2e/testdata/http/server_auth.yaml b/tests/e2e/testdata/http/server_auth.yaml new file mode 100644 index 0000000..4de5b21 --- /dev/null +++ b/tests/e2e/testdata/http/server_auth.yaml @@ -0,0 +1,16 @@ +services: +- name: http-proxy-auth + addr: :8080 + handler: + type: http + auther: auther-0 + metadata: + # authBasicRealm: custom realm in 407 Proxy-Authenticate header + authBasicRealm: gost-e2e-realm + listener: + type: tcp +authers: +- name: auther-0 + auths: + - username: user + password: pass diff --git a/tests/e2e/testdata/http/server_connect.yaml b/tests/e2e/testdata/http/server_connect.yaml new file mode 100644 index 0000000..1868f68 --- /dev/null +++ b/tests/e2e/testdata/http/server_connect.yaml @@ -0,0 +1,12 @@ +services: +- name: http-connect + addr: :8080 + handler: + type: http + metadata: + # sniffing: enable protocol sniffing on CONNECT tunnels + sniffing: true + # sniffing.timeout: timeout for initial sniff read (2s) + sniffing.timeout: 2s + listener: + type: tcp diff --git a/tests/e2e/testdata/http/server_connect_bypass.yaml b/tests/e2e/testdata/http/server_connect_bypass.yaml new file mode 100644 index 0000000..8a65022 --- /dev/null +++ b/tests/e2e/testdata/http/server_connect_bypass.yaml @@ -0,0 +1,20 @@ +bypasses: +- name: bypass-0 + matchers: + - 0.0.0.0/0 + +services: +- name: http-connect-bypass + addr: :8080 + handler: + type: http + auther: auther-0 + listener: + type: tcp + bypass: bypass-0 + +authers: +- name: auther-0 + auths: + - username: user + password: pass diff --git a/tests/e2e/testdata/http/server_headers.yaml b/tests/e2e/testdata/http/server_headers.yaml new file mode 100644 index 0000000..6162c49 --- /dev/null +++ b/tests/e2e/testdata/http/server_headers.yaml @@ -0,0 +1,25 @@ +bypasses: +- name: bypass-0 + matchers: + - 0.0.0.0/0 + +services: +- name: http-headers + addr: :8080 + handler: + type: http + auther: auther-0 + metadata: + header: + X-Proxy-Info: gost-e2e + X-Custom: test-value + proxyAgent: gost-e2e/1.0 + listener: + type: tcp + bypass: bypass-0 + +authers: +- name: auther-0 + auths: + - username: user + password: pass diff --git a/tests/e2e/testdata/http/server_idle_timeout.yaml b/tests/e2e/testdata/http/server_idle_timeout.yaml new file mode 100644 index 0000000..8c0b5ec --- /dev/null +++ b/tests/e2e/testdata/http/server_idle_timeout.yaml @@ -0,0 +1,9 @@ +services: +- name: http-idle + addr: :8080 + handler: + type: http + metadata: + idleTimeout: 3s + listener: + type: tcp diff --git a/tests/e2e/testdata/http/server_metadata.yaml b/tests/e2e/testdata/http/server_metadata.yaml new file mode 100644 index 0000000..a76ed26 --- /dev/null +++ b/tests/e2e/testdata/http/server_metadata.yaml @@ -0,0 +1,20 @@ +services: +- name: http-proxy-meta + addr: :8080 + handler: + type: http + auther: auther-0 + metadata: + # probeResist: decoy response on auth failure (code:404 hides the proxy) + probeResist: code:404 + # keepalive: enable HTTP keep-alive on upstream transport (parse test) + keepalive: true + # compression: enable HTTP compression on upstream transport (parse test) + compression: true + listener: + type: tcp +authers: +- name: auther-0 + auths: + - username: user + password: pass diff --git a/tests/e2e/testdata/http/server_proberesist_file.yaml b/tests/e2e/testdata/http/server_proberesist_file.yaml new file mode 100644 index 0000000..9016cfe --- /dev/null +++ b/tests/e2e/testdata/http/server_proberesist_file.yaml @@ -0,0 +1,16 @@ +services: +- name: http-proxy + addr: :8080 + handler: + type: http + auther: auther-0 + metadata: + probeResist: file:/tmp/decoy.html + listener: + type: tcp + +authers: +- name: auther-0 + auths: + - username: user + password: pass diff --git a/tests/e2e/testdata/http/server_proberesist_host.yaml b/tests/e2e/testdata/http/server_proberesist_host.yaml new file mode 100644 index 0000000..a912aa4 --- /dev/null +++ b/tests/e2e/testdata/http/server_proberesist_host.yaml @@ -0,0 +1,16 @@ +services: +- name: http-proxy + addr: :8080 + handler: + type: http + auther: auther-0 + metadata: + probeResist: host:tcp-echo:5678 + listener: + type: tcp + +authers: +- name: auther-0 + auths: + - username: user + password: pass diff --git a/tests/e2e/testdata/http/server_proberesist_knock.yaml b/tests/e2e/testdata/http/server_proberesist_knock.yaml new file mode 100644 index 0000000..5411607 --- /dev/null +++ b/tests/e2e/testdata/http/server_proberesist_knock.yaml @@ -0,0 +1,17 @@ +services: +- name: http-proxy + addr: :8080 + handler: + type: http + auther: auther-0 + metadata: + probeResist: code:404 + knock: secret.example.com + listener: + type: tcp + +authers: +- name: auther-0 + auths: + - username: user + password: pass diff --git a/tests/e2e/testdata/http/server_proberesist_web.yaml b/tests/e2e/testdata/http/server_proberesist_web.yaml new file mode 100644 index 0000000..5d30d4a --- /dev/null +++ b/tests/e2e/testdata/http/server_proberesist_web.yaml @@ -0,0 +1,16 @@ +services: +- name: http-proxy + addr: :8080 + handler: + type: http + auther: auther-0 + metadata: + probeResist: web:tcp-echo:5678 + listener: + type: tcp + +authers: +- name: auther-0 + auths: + - username: user + password: pass diff --git a/tests/e2e/testdata/http/server_tls.yaml b/tests/e2e/testdata/http/server_tls.yaml new file mode 100644 index 0000000..cbb66d2 --- /dev/null +++ b/tests/e2e/testdata/http/server_tls.yaml @@ -0,0 +1,7 @@ +services: +- name: https-server + addr: :8443 + handler: + type: http + listener: + type: tls diff --git a/tests/e2e/testdata/http/server_udp.yaml b/tests/e2e/testdata/http/server_udp.yaml new file mode 100644 index 0000000..e581f14 --- /dev/null +++ b/tests/e2e/testdata/http/server_udp.yaml @@ -0,0 +1,9 @@ +services: +- name: http-udp + addr: :8080 + handler: + type: http + metadata: + udp: true + listener: + type: tcp diff --git a/tests/e2e/utils.go b/tests/e2e/utils.go index 320865a..f77abe2 100644 --- a/tests/e2e/utils.go +++ b/tests/e2e/utils.go @@ -129,18 +129,29 @@ func udpEchoContainerRequest(_ context.Context, networkName string) testcontaine } func RunGostContainer(ctx context.Context, networkName, yamlPath string) (testcontainers.Container, error) { - return runGostContainer(ctx, networkName, yamlPath, nil, nil) + return runGostContainer(ctx, networkName, yamlPath, nil, nil, nil) } func RunGostContainerWithPorts(ctx context.Context, networkName, yamlPath string, exposedPorts ...string) (testcontainers.Container, error) { - return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts) + return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts, nil) } func RunGostContainerWithOptions(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string) (testcontainers.Container, error) { - return runGostContainer(ctx, networkName, yamlPath, aliases, exposedPorts) + return runGostContainer(ctx, networkName, yamlPath, aliases, exposedPorts, nil) } -func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string) (testcontainers.Container, error) { +// RunGostContainerWithFiles starts a gost container with extra files mounted. +func RunGostContainerWithFiles(ctx context.Context, networkName, yamlPath string, extraFiles []testcontainers.ContainerFile, exposedPorts ...string) (testcontainers.Container, error) { + return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts, extraFiles) +} + +func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string, extraFiles []testcontainers.ContainerFile) (testcontainers.Container, error) { + files := []testcontainers.ContainerFile{ + {HostFilePath: GostBinPath, ContainerFilePath: "/bin/gost", FileMode: 0755}, + {HostFilePath: yamlPath, ContainerFilePath: "/config.yaml", FileMode: 0644}, + } + files = append(files, extraFiles...) + req := testcontainers.ContainerRequest{ FromDockerfile: testcontainers.FromDockerfile{ Context: ".", @@ -153,17 +164,14 @@ func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases }, }, ExposedPorts: exposedPorts, - // interal check for udp ports will be failed + // internal check for udp ports will be failed WaitingFor: wait.ForExposedPort().SkipInternalCheck(), Networks: []string{networkName}, NetworkAliases: map[string][]string{ networkName: aliases, }, - Files: []testcontainers.ContainerFile{ - {HostFilePath: GostBinPath, ContainerFilePath: "/bin/gost", FileMode: 0755}, - {HostFilePath: yamlPath, ContainerFilePath: "/config.yaml", FileMode: 0644}, - }, - Cmd: []string{"/bin/gost", "-C", "/config.yaml"}, + Files: files, + Cmd: []string{"/bin/gost", "-C", "/config.yaml"}, } return testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{