Compare commits
10 Commits
f638d8081f
..
dev
| Author | SHA1 | Date | |
|---|---|---|---|
| 7eb0be458e | |||
| b139ed5968 | |||
| 43724a5c40 | |||
| 0bb9109c71 | |||
| a0427be086 | |||
| 590c6f48bd | |||
| 69b561f944 | |||
| 3c87a8b96e | |||
| c9cfc440ad | |||
| c305f93703 |
@@ -39,6 +39,7 @@ var (
|
||||
apiAddr string
|
||||
metricsAddr string
|
||||
reload time.Duration
|
||||
showConfig bool
|
||||
)
|
||||
|
||||
func init() {
|
||||
@@ -102,6 +103,7 @@ func init() {
|
||||
flag.StringVar(&apiAddr, "api", "", "api service address")
|
||||
flag.StringVar(&metricsAddr, "metrics", "", "metrics service address")
|
||||
flag.DurationVar(&reload, "R", 0, "auto reload period (e.g. 30s, 1m)")
|
||||
flag.BoolVar(&showConfig, "P", false, "print config only")
|
||||
flag.Parse()
|
||||
|
||||
if printVersion {
|
||||
|
||||
@@ -2,7 +2,9 @@ package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
"os/signal"
|
||||
@@ -23,6 +25,7 @@ import (
|
||||
metrics "github.com/go-gost/x/metrics/service"
|
||||
"github.com/go-gost/x/registry"
|
||||
"github.com/judwhite/go-svc"
|
||||
"gopkg.in/yaml.v3"
|
||||
)
|
||||
|
||||
type program struct {
|
||||
@@ -90,6 +93,17 @@ func (p *program) run(cfg *config.Config) error {
|
||||
svc.Serve()
|
||||
}()
|
||||
}
|
||||
if showConfig {
|
||||
if outputFormat == "json" {
|
||||
marshal, _ := json.Marshal(cfg)
|
||||
fmt.Println(string(marshal))
|
||||
} else {
|
||||
marshal, _ := yaml.Marshal(cfg)
|
||||
fmt.Println(string(marshal))
|
||||
}
|
||||
os.Exit(0)
|
||||
return nil
|
||||
}
|
||||
|
||||
if p.srvApi != nil {
|
||||
p.srvApi.Close()
|
||||
|
||||
@@ -3,8 +3,8 @@ module github.com/go-gost/gost
|
||||
go 1.26.3
|
||||
|
||||
require (
|
||||
github.com/go-gost/core v0.4.2
|
||||
github.com/go-gost/x v0.12.2
|
||||
github.com/go-gost/core v0.5.1
|
||||
github.com/go-gost/x v0.13.0
|
||||
github.com/judwhite/go-svc v1.2.1
|
||||
github.com/moby/moby/client v0.4.0
|
||||
github.com/stretchr/testify v1.11.1
|
||||
@@ -49,7 +49,7 @@ require (
|
||||
github.com/go-gost/go-shadowsocks2 v0.1.3 // indirect
|
||||
github.com/go-gost/gosocks4 v0.1.0 // indirect
|
||||
github.com/go-gost/gosocks5 v0.5.0 // indirect
|
||||
github.com/go-gost/plugin v0.3.0 // indirect
|
||||
github.com/go-gost/plugin v0.4.0 // indirect
|
||||
github.com/go-gost/relay v0.6.1 // indirect
|
||||
github.com/go-gost/tls-dissector v0.2.0 // indirect
|
||||
github.com/go-logr/logr v1.4.3 // indirect
|
||||
|
||||
@@ -83,24 +83,22 @@ github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE
|
||||
github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
|
||||
github.com/gin-gonic/gin v1.10.1 h1:T0ujvqyCSqRopADpgPgiTT63DUQVSfojyME59Ei63pQ=
|
||||
github.com/gin-gonic/gin v1.10.1/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
|
||||
github.com/go-gost/core v0.4.2 h1:NBCkdWItIiwt15cA2mkRza/u6ukxQVSW74bc33o70zE=
|
||||
github.com/go-gost/core v0.4.2/go.mod h1:WGI43jOka7FAsSAwi/fSMaqxdR+E339ycb4NBGlFr6A=
|
||||
github.com/go-gost/core v0.5.1 h1:HbIn3naEOC661Z4SwzaSYUzffWSRbU0P6gkxiHmuG0I=
|
||||
github.com/go-gost/core v0.5.1/go.mod h1:WGI43jOka7FAsSAwi/fSMaqxdR+E339ycb4NBGlFr6A=
|
||||
github.com/go-gost/go-shadowsocks2 v0.1.3 h1:6CUZLp+mTWXnKP2aK8/Z9ZP+ERMX9gSbywmPu4kGX/A=
|
||||
github.com/go-gost/go-shadowsocks2 v0.1.3/go.mod h1:866zFNNI3He6Wef1M/IvAjTal74WhcfKfBgRpTlkKys=
|
||||
github.com/go-gost/gosocks4 v0.1.0 h1:eAzev6qw4fzkFQKC9uCHLVNnnPdHyqCggbnfNN80Pmk=
|
||||
github.com/go-gost/gosocks4 v0.1.0/go.mod h1:hzVjwijJuZR1pp3GqpTj+AKcSGrx68RlWTrQMFMYBP0=
|
||||
github.com/go-gost/gosocks5 v0.5.0 h1:YE37l1MJwde8diIQdynStqogMotG5enoTdborhA5yic=
|
||||
github.com/go-gost/gosocks5 v0.5.0/go.mod h1:1G6I7HP7VFVxveGkoK8mnprnJqSqJjdcASKsdUn4Pp4=
|
||||
github.com/go-gost/plugin v0.3.0 h1:pmll8nNd9PX92BWMB5+b2y2SEkBAWJLxD2ANfX+WHuw=
|
||||
github.com/go-gost/plugin v0.3.0/go.mod h1:oN23l+yGDCIP9G3KnDl/I/0zVGOobZUDCB2Z5yYYXts=
|
||||
github.com/go-gost/plugin v0.4.0 h1:M7MR5PL7QAFCrdWfcXVX+5iLNTVIZlhl8FfdV/K8dZY=
|
||||
github.com/go-gost/plugin v0.4.0/go.mod h1:oN23l+yGDCIP9G3KnDl/I/0zVGOobZUDCB2Z5yYYXts=
|
||||
github.com/go-gost/relay v0.6.1 h1:7SqnHFbY8x/DzvjpK03a5zcVH9+TbJAcnW/RT6s1ecc=
|
||||
github.com/go-gost/relay v0.6.1/go.mod h1:Dku0f5sfjOClrZFiDmQUrYYJ4uof7rnkCUBfsl0PSAI=
|
||||
github.com/go-gost/tls-dissector v0.2.0 h1:9tE6WOzzpurATTBWn60DU4R8gibpGNY8/qVcc1SicVg=
|
||||
github.com/go-gost/tls-dissector v0.2.0/go.mod h1:/9QfdewqmHdaE362Hv5nDaSWLx3pCmtD870d6GaquXs=
|
||||
github.com/go-gost/x v0.12.1 h1:gemrGRucwroz7xkhjgTfkG0F8YDC1uKSlT6McGhCbhU=
|
||||
github.com/go-gost/x v0.12.1/go.mod h1:hrewVDMVncuoRwteqJr/ReMN/a/IunlVN/zCZajr9Q8=
|
||||
github.com/go-gost/x v0.12.2 h1:RrWj92rJbFoV338iSjnoIm9IvNRB8Vm3Oj5iHCx4Hi8=
|
||||
github.com/go-gost/x v0.12.2/go.mod h1:hrewVDMVncuoRwteqJr/ReMN/a/IunlVN/zCZajr9Q8=
|
||||
github.com/go-gost/x v0.13.0 h1:iQOdO7o9GHIgNRtQTeoi/1WiTZw2C+/kC/y5JsN8WjE=
|
||||
github.com/go-gost/x v0.13.0/go.mod h1:P9zH+y/4+bNN2ZcoQZJ0tD59RXdvuRhioXDNfSCVsxU=
|
||||
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
|
||||
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
|
||||
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
|
||||
|
||||
@@ -0,0 +1,276 @@
|
||||
# 执行计划:HTTP Handler E2E 测试 + utils.go 重构
|
||||
|
||||
## 背景
|
||||
|
||||
从 PLAN.md 的 Step 0 和 Step 1A 开始实施。HTTP proxy 是 gost 最基础的协议,目前 e2e 测试仅覆盖 shadowsocks 和 parallel selector。本计划先重构 utils.go 提取公共 helper,然后用 helper 写 HTTP handler 测试套件,最后同步重构 shadowsocks_test.go。
|
||||
|
||||
## 变更文件清单
|
||||
|
||||
| 文件 | 操作 | 说明 |
|
||||
|------|------|------|
|
||||
| `tests/e2e/utils.go` | 修改 | 新增 `RunTCPCase` / `RunUDPCase` |
|
||||
| `tests/e2e/http_test.go` | 新建 | HTTP proxy 测试套件 |
|
||||
| `tests/e2e/testdata/http/server.yaml` | 新建 | 无 auth 的 HTTP proxy 服务器 |
|
||||
| `tests/e2e/testdata/http/server_auth.yaml` | 新建 | 带 auth 的 HTTP proxy 服务器 |
|
||||
| `tests/e2e/shadowsocks_test.go` | 修改 | 重构为使用 `RunTCPCase` / `RunUDPCase` |
|
||||
|
||||
---
|
||||
|
||||
## Step 1: 修改 `utils.go` — 提取 RunTCPCase / RunUDPCase
|
||||
|
||||
从 `shadowsocks_test.go` 的 `runTCPCase` 和 `runUDPCase` 提取为包级函数。关键差异:参数需要传入 echo container IP 和 echo container 本身(用于 dump logs)。
|
||||
|
||||
### RunTCPCase 签名与逻辑
|
||||
|
||||
```go
|
||||
// RunTCPCase runs a full TCP proxy test case:
|
||||
// start server → render client config → start client → curl assertion → cleanup.
|
||||
func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP string,
|
||||
name, serverConfig, clientConfig string)
|
||||
```
|
||||
|
||||
逻辑(从 shadowsocks_test.go:132-160 提取,一字不差):
|
||||
1. 生成 serverAlias = `name + "-server"`
|
||||
2. `RunGostContainerWithOptions(ctx, networkName, serverConfig, [serverAlias], ["8388/tcp"])`
|
||||
3. `defer serverC.Terminate(ctx)`
|
||||
4. `RenderConfig(clientConfig, {ServerAddr: serverAlias + ":8388"})`
|
||||
5. `defer os.Remove(rendered)`
|
||||
6. `RunGostContainerWithPorts(ctx, networkName, rendered, "8080/tcp")`
|
||||
7. `defer clientC.Terminate(ctx)`
|
||||
8. `clientC.Exec(ctx, ["curl", "-v", "-s", "-x", "http://127.0.0.1:8080", "http://<echoIP>:5678"])`
|
||||
9. 断言 exitCode==0 且 body 包含 `"hello-gost"`,失败时 DumpLogs
|
||||
|
||||
**问题:端口硬编码**。shadowsocks 用 8388 作为服务端口,但其他协议可能用不同端口。需要参数化。
|
||||
|
||||
### 修正设计 — 参数化端口
|
||||
|
||||
```go
|
||||
type TCPOptions struct {
|
||||
ServerPort string // 容器内服务端口,默认 "8388/tcp"
|
||||
ClientPort string // 客户端代理端口,默认 "8080/tcp"
|
||||
}
|
||||
|
||||
func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP string,
|
||||
name, serverConfig, clientConfig string, opts ...TCPOptions)
|
||||
```
|
||||
|
||||
当 `opts` 为空时使用默认值 `{ServerPort: "8388/tcp", ClientPort: "8080/tcp"}`。这样 shadowsocks 测试无需任何改动,而 HTTP 测试可传 `TCPOptions{ServerPort: "8080/tcp", ClientPort: "8080/tcp"}`。
|
||||
|
||||
等一下 — 仔细看 shadowsocks 的 server 容器暴露的是 `8388/tcp`,HTTP proxy 场景下只有一个 gost 容器(不做 server→client 链路),直接暴露 proxy 端口。
|
||||
|
||||
**重新思考:HTTP proxy 不需要 server+client 两容器模式。**
|
||||
|
||||
HTTP proxy 测试是最简单的模式 — 只需一个 gost 容器运行 HTTP proxy,然后容器内 curl 通过它访问 echo server。这和 parallel_selector_test.go 的模式一致。但为了统一框架和后续协议(SOCKS5、relay 等都需要 server+client 模式),我们应该:
|
||||
|
||||
- HTTP 的"无 auth"用例:**单容器模式**(同 parallel_selector)
|
||||
- HTTP 的"带 auth"用例:**也可以单容器**,只需在 curl 加 `--proxy-user`
|
||||
|
||||
所以 HTTP proxy 不需要 server/client 分离,但 RunTCPCase helper 仍然服务于 SOCKS5/relay 等需要链路的协议。
|
||||
|
||||
### 最终 RunTCPCase 设计
|
||||
|
||||
```go
|
||||
func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP, name string,
|
||||
serverConfig, clientConfig string, serverPort, clientPort string)
|
||||
```
|
||||
|
||||
- `serverPort`: 服务端容器暴露端口,如 `"8388/tcp"`
|
||||
- `clientPort`: 客户端容器暴露端口,如 `"8080/tcp"`
|
||||
- 渲染模板时用 `ServerAddr: serverAlias + ":" + strings.TrimSuffix(serverPort, "/tcp")`
|
||||
|
||||
### RunUDPCase 设计
|
||||
|
||||
```go
|
||||
func RunUDPCase(t *testing.T, ctx context.Context, networkName, name string,
|
||||
serverConfig, clientConfig string, serverPort, clientPort string)
|
||||
```
|
||||
|
||||
逻辑从 shadowsocks_test.go:76-126 提取。
|
||||
|
||||
---
|
||||
|
||||
## Step 2: 新建 `testdata/http/` 配置文件
|
||||
|
||||
### `testdata/http/server.yaml` — 无 auth 的 HTTP proxy
|
||||
|
||||
```yaml
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
listener:
|
||||
type: tcp
|
||||
```
|
||||
|
||||
单容器即可测试:gost 启动后在 :8080 提供 HTTP proxy 服务。
|
||||
|
||||
### `testdata/http/server_auth.yaml` — 带 auth 的 HTTP proxy
|
||||
|
||||
```yaml
|
||||
services:
|
||||
- name: http-proxy-auth
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
auther: auther-0
|
||||
listener:
|
||||
type: tcp
|
||||
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Step 3: 新建 `http_test.go`
|
||||
|
||||
### 套件结构
|
||||
|
||||
```go
|
||||
type HTTPSuite struct {
|
||||
suite.Suite
|
||||
ctx context.Context
|
||||
echoC testcontainers.Container
|
||||
echoIP string
|
||||
}
|
||||
|
||||
func (s *HTTPSuite) SetupSuite() // 启动 TCP echo
|
||||
func (s *HTTPSuite) TearDownSuite() // 关闭 echo
|
||||
|
||||
func (s *HTTPSuite) TestHTTPProxy() // 无 auth
|
||||
func (s *HTTPSuite) TestHTTPProxyAuth() // 带 auth
|
||||
|
||||
func TestHTTPSuite(t *testing.T) {
|
||||
suite.Run(t, new(HTTPSuite))
|
||||
}
|
||||
```
|
||||
|
||||
### TestHTTPProxy — 单容器模式(同 parallel_selector)
|
||||
|
||||
```go
|
||||
func (s *HTTPSuite) TestHTTPProxy() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "http-proxy logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
}
|
||||
```
|
||||
|
||||
### TestHTTPProxyAuth — 带 auth 验证
|
||||
|
||||
```go
|
||||
func (s *HTTPSuite) TestHTTPProxyAuth() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_auth.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// 测试1:无 auth 应失败(407)
|
||||
s.T().Run("no-auth-should-fail", func(t *testing.T) {
|
||||
cmd := []string{"curl", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||
"-x", "http://127.0.0.1:8080", fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, _ := gostC.Exec(s.ctx, cmd)
|
||||
body, _ := io.ReadAll(out)
|
||||
// curl exit code 非 0 或 HTTP status 是 407
|
||||
// 注意:gost HTTP proxy 在无 auth 时返回 407,curl 不会自动重试
|
||||
// 所以这里验证返回码是 407 或 curl 返回非零
|
||||
httpStatus := strings.TrimSpace(string(body))
|
||||
s.Assert().True(code != 0 || httpStatus == "407",
|
||||
"expected auth failure, got status: %s, exit code: %d", httpStatus, code)
|
||||
})
|
||||
|
||||
// 测试2:正确 auth 应成功
|
||||
s.T().Run("with-auth-should-succeed", func(t *testing.T) {
|
||||
cmd := []string{"curl", "-v", "-s", "-x",
|
||||
"http://user:pass@127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "http-proxy-auth logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
})
|
||||
}
|
||||
```
|
||||
|
||||
### 注意事项
|
||||
- HTTP proxy 是**单容器模式**,不需要 server/client 分离(不像 shadowsocks 需要解密/加密链路)
|
||||
- auth 测试分两步:先验证无 auth 被拒(407),再验证正确 auth 成功
|
||||
- curl 使用 `http://user:pass@host:port` 格式传递 proxy auth
|
||||
|
||||
---
|
||||
|
||||
## Step 4: 重构 `shadowsocks_test.go`
|
||||
|
||||
将 `runTCPCase` 和 `runUDPCase` 方法替换为调用 `utils.go` 中的 `RunTCPCase` / `RunUDPCase`:
|
||||
|
||||
**Before**:
|
||||
```go
|
||||
func (s *ShadowsocksSuite) TestShadowsocksTCP() {
|
||||
s.runTCPCase("aes256gcm", "testdata/shadowsocks/tcp_server_aes256gcm.yaml", "testdata/shadowsocks/tcp_client_aes256gcm.yaml")
|
||||
s.runTCPCase("chacha20", "testdata/shadowsocks/tcp_server_chacha20.yaml", "testdata/shadowsocks/tcp_client_chacha20.yaml")
|
||||
}
|
||||
```
|
||||
|
||||
**After**:
|
||||
```go
|
||||
func (s *ShadowsocksSuite) TestShadowsocksTCP() {
|
||||
RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "aes256gcm",
|
||||
"testdata/shadowsocks/tcp_server_aes256gcm.yaml",
|
||||
"testdata/shadowsocks/tcp_client_aes256gcm.yaml",
|
||||
"8388/tcp", "8080/tcp")
|
||||
RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "chacha20",
|
||||
"testdata/shadowsocks/tcp_server_chacha20.yaml",
|
||||
"testdata/shadowsocks/tcp_client_chacha20.yaml",
|
||||
"8388/tcp", "8080/tcp")
|
||||
}
|
||||
```
|
||||
|
||||
删除 `runTCPCase` 和 `runUDPCase` 方法。UDP 测试同理。
|
||||
|
||||
---
|
||||
|
||||
## 实施顺序
|
||||
|
||||
1. **`utils.go`** — 添加 `RunTCPCase` + `RunUDPCase`(不删除任何现有函数)
|
||||
2. **`testdata/http/`** — 创建 `server.yaml` + `server_auth.yaml`
|
||||
3. **`http_test.go`** — 创建 HTTP 套件
|
||||
4. **编译验证** — `cd gost && go build ./... && go vet ./tests/e2e/...`
|
||||
5. **`shadowsocks_test.go`** — 重构为使用新 helper
|
||||
6. **最终编译验证** — `go build ./... && go vet ./tests/e2e/...`
|
||||
7. **运行测试** — `go test ./tests/e2e/ -v -run TestHTTPSuite -timeout 5m`
|
||||
8. **回归测试** — `go test ./tests/e2e/ -v -run TestShadowsocksSuite -timeout 5m`
|
||||
|
||||
---
|
||||
|
||||
## 验证
|
||||
|
||||
```bash
|
||||
cd /config/workspace/go-gost/gost
|
||||
go build ./...
|
||||
go vet ./tests/e2e/...
|
||||
go test ./tests/e2e/ -v -run TestHTTPSuite -timeout 5m
|
||||
go test ./tests/e2e/ -v -run TestShadowsocksSuite -timeout 5m
|
||||
```
|
||||
@@ -0,0 +1,183 @@
|
||||
# Plan: Expand E2E Test Suite
|
||||
|
||||
## Context
|
||||
|
||||
The e2e test framework (`tests/e2e/`) currently covers only **2 protocols** (Shadowsocks, parallel selector) out of **~30+ registered protocols** in gost. This plan systematically adds test coverage for all major protocols, following the existing Docker-based testcontainers pattern exactly.
|
||||
|
||||
**Key insight**: gost auto-generates self-signed TLS certs when none are provided (`x/config/parsing/tls.go` — `BuildDefaultTLSConfig`), and clients with default config skip cert verification. This means TLS-based protocols (ws→wss, h2c→h2, quic, etc.) can be tested **without mounting cert files**.
|
||||
|
||||
---
|
||||
|
||||
## Step 0: Refactor `utils.go` — Add Reusable Test Helpers
|
||||
|
||||
**File**: `tests/e2e/utils.go`
|
||||
|
||||
Extract the repeated patterns from `shadowsocks_test.go` into reusable helpers:
|
||||
|
||||
1. **`RunTCPCase(t, ctx, networkName, echoIP, name, serverConfig, clientConfig string)`** — Full lifecycle: start server → render client config → start client → curl assertion → cleanup. Extracts the logic from `ShadowsocksSuite.runTCPCase`.
|
||||
|
||||
2. **`RunUDPCase(t, ctx, networkName, name, serverConfig, clientConfig string)`** — Same for UDP: start server → render client → start client → dial UDP → retry loop → assertion → cleanup. Extracts from `runUDPCase`.
|
||||
|
||||
These eliminate ~40 lines of boilerplate per suite. Each suite's test methods become one-liners:
|
||||
```go
|
||||
func (s *SOCKS5Suite) TestSOCKS5TCP() {
|
||||
RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "socks5-tcp",
|
||||
"testdata/socks5/tcp_server.yaml", "testdata/socks5/tcp_client.yaml")
|
||||
}
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Step 1: Tier 1 — Core Protocols (Plain TCP, No Special Infrastructure)
|
||||
|
||||
Each suite follows the exact pattern: suite struct → `SetupSuite` (echo containers) → `TearDownSuite` → test methods calling `RunTCPCase`/`RunUDPCase` → `suite.Run()` entry point.
|
||||
|
||||
### 1A. HTTP Proxy Suite
|
||||
- **Files**: `http_test.go`, `testdata/http/` (2 configs)
|
||||
- **Configs**: `server.yaml` (handler `http`, listener `tcp`), `server_auth.yaml` (+ basic auth)
|
||||
- **Tests**: `TestHTTPProxy`, `TestHTTPProxyAuth` (curl with `--proxy-user`)
|
||||
- **Note**: Simplest test — single gost container acts as HTTP proxy
|
||||
|
||||
### 1B. SOCKS5 Suite
|
||||
- **Files**: `socks5_test.go`, `testdata/socks5/` (4 configs)
|
||||
- **Configs**: `tcp_server.yaml` (handler `socks5`), `tcp_client.yaml` (connector `socks5`, dialer `tcp`), + auth variants
|
||||
- **Tests**: `TestSOCKS5TCP`, `TestSOCKS5TCPAuth`
|
||||
|
||||
### 1C. SOCKS4 Suite
|
||||
- **Files**: `socks4_test.go`, `testdata/socks4/` (4 configs)
|
||||
- **Configs**: `tcp_server.yaml` (handler `socks4`), `tcp_client.yaml` (connector `socks4`), + socks4a variants
|
||||
- **Tests**: `TestSOCKS4TCP`, `TestSOCKS4aTCP`
|
||||
|
||||
### 1D. HTTP2 Cleartext Suite
|
||||
- **Files**: `http2_test.go`, `testdata/http2/` (2 configs)
|
||||
- **Configs**: `tcp_server.yaml` (handler `http2`, listener `http2`), `tcp_client.yaml` (connector `http2`, dialer `http2`)
|
||||
- **Tests**: `TestHTTP2TCP`
|
||||
|
||||
### 1E. Relay Suite
|
||||
- **Files**: `relay_test.go`, `testdata/relay/` (4 configs)
|
||||
- **Configs**: `tcp_server.yaml` (handler `relay`, listener `tcp`), `tcp_client.yaml` (connector `relay`, dialer `tcp`), + auth variants
|
||||
- **Tests**: `TestRelayTCP`, `TestRelayTCPAuth`
|
||||
|
||||
---
|
||||
|
||||
## Step 2: Tier 2 — TLS/Transport Protocols
|
||||
|
||||
Same pattern but using TLS listeners/dialers. No explicit cert files needed — gost auto-generates them.
|
||||
|
||||
### 2A. TLS Suite
|
||||
- **Files**: `tls_test.go`, `testdata/tls/` (4 configs)
|
||||
- **Tests**: `TestTLSHTTPProxy` (handler `http` + listener `tls`), `TestTLSSOCKS5` (handler `socks5` + listener `tls`)
|
||||
|
||||
### 2B. WebSocket Suite
|
||||
- **Files**: `ws_test.go`, `testdata/ws/` (4 configs)
|
||||
- **Tests**: `TestWSSOCKS5` (dialer `ws`), `TestWSSSOCKS5` (dialer `wss`)
|
||||
|
||||
### 2C. gRPC Suite
|
||||
- **Files**: `grpc_test.go`, `testdata/grpc/` (2 configs)
|
||||
- **Tests**: `TestGRPCSOCKS5` (listener `grpc`, metadata `insecure: true`)
|
||||
|
||||
### 2D. HTTP/2 TLS (h2) Suite
|
||||
- **Files**: `h2_test.go`, `testdata/h2/` (2 configs)
|
||||
- **Tests**: `TestH2HTTP2Proxy` (listener `h2`, dialer `h2`)
|
||||
|
||||
### 2E. QUIC Suite
|
||||
- **Files**: `quic_test.go`, `testdata/quic/` (2 configs)
|
||||
- **Tests**: `TestQUICHTTP` (listener `quic`, handler `http` — uses UDP ports)
|
||||
|
||||
### 2F. KCP Suite
|
||||
- **Files**: `kcp_test.go`, `testdata/kcp/` (2 configs)
|
||||
- **Tests**: `TestKCPSOCKS5` (listener `kcp`, handler `socks5` — uses UDP)
|
||||
|
||||
### 2G. Multiplex Variants (mws/mwss/mtls/mtcp)
|
||||
- **Files**: `mux_test.go`, `testdata/mux/` (6 configs)
|
||||
- **Tests**: `TestMWSSOCKS5`, `TestMWSSSOCKS5`, `TestMtlSSOCKS5`, `TestMtcpSOCKS5`
|
||||
|
||||
### 2H. Obfuscation (ohttp/otls)
|
||||
- **Files**: `obfs_test.go`, `testdata/obfs/` (4 configs)
|
||||
- **Tests**: `TestOHTTP`, `TestOTLS`
|
||||
|
||||
### 2I. PHT (HTTP Pipe)
|
||||
- **Files**: `pht_test.go`, `testdata/pht/` (4 configs)
|
||||
- **Tests**: `TestPHT`, `TestPHTS`
|
||||
|
||||
---
|
||||
|
||||
## Step 3: Tier 3 — Special Infrastructure (Deferred)
|
||||
|
||||
These require Docker capabilities (`NET_ADMIN`, `NET_RAW`), SSH key generation, or iptables setup. Implemented after Tiers 1-2 are stable.
|
||||
|
||||
| Protocol | Challenge | Approach |
|
||||
|----------|-----------|----------|
|
||||
| SSH/sshd | Host key generation | Generate SSH key at test time, mount into container |
|
||||
| HTTP/3/WebTransport | QUIC+UDP, TLS | Uses UDP like QUIC suite; auto certs work |
|
||||
| TUN/TAP | `CAP_NET_ADMIN`, `/dev/net/tun` | Privileged container + routing setup |
|
||||
| Tungo/MASQUE | Same as TUN | Same approach |
|
||||
| ICMP | `CAP_NET_RAW`, raw sockets | Privileged container |
|
||||
| Redirect (red/redu) | iptables rules | Privileged + iptables setup in container |
|
||||
| DTLS | UDP + TLS | Auto certs; UDP port mapping |
|
||||
|
||||
---
|
||||
|
||||
## Files to Create/Modify
|
||||
|
||||
### New files (per suite):
|
||||
- `tests/e2e/<protocol>_test.go` — Suite struct + test methods
|
||||
- `tests/e2e/testdata/<protocol>/` — Server + client YAML configs
|
||||
|
||||
### Modified files:
|
||||
- `tests/e2e/utils.go` — Add `RunTCPCase`, `RunUDPCase` helpers
|
||||
- `tests/e2e/shadowsocks_test.go` — Refactor to use new helpers (optional, reduces duplication)
|
||||
- `tests/e2e/README.md` — Document new suites
|
||||
|
||||
### Reference files (read-only):
|
||||
- `tests/e2e/shadowsocks_test.go` — Pattern template for all suites
|
||||
- `tests/e2e/testdata/shadowsocks/tcp_server_aes256gcm.yaml` — Server config template
|
||||
- `tests/e2e/testdata/shadowsocks/tcp_client_aes256gcm.yaml` — Client config template
|
||||
|
||||
---
|
||||
|
||||
## Config Pattern Reference
|
||||
|
||||
**Server** (all protocols):
|
||||
```yaml
|
||||
services:
|
||||
- name: <proto>-server
|
||||
addr: :<port>
|
||||
handler:
|
||||
type: <handler-type>
|
||||
listener:
|
||||
type: <listener-type>
|
||||
```
|
||||
|
||||
**Client** (all protocols):
|
||||
```yaml
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
chain: <proto>-chain
|
||||
listener:
|
||||
type: tcp
|
||||
chains:
|
||||
- name: <proto>-chain
|
||||
hops:
|
||||
- name: <proto>-hop
|
||||
nodes:
|
||||
- name: <proto>-node
|
||||
addr: {{.ServerAddr}}
|
||||
connector:
|
||||
type: <connector-type>
|
||||
dialer:
|
||||
type: <dialer-type>
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Verification
|
||||
|
||||
After each suite is implemented:
|
||||
1. `cd gost && go build ./...` — Ensure compilation
|
||||
2. `go vet ./tests/e2e/` — Static analysis
|
||||
3. `go test ./tests/e2e/ -v -run TestXxxSuite -timeout 5m` — Run individual suite
|
||||
4. `go test ./tests/e2e/ -v -timeout 10m` — Run all suites together
|
||||
@@ -0,0 +1,360 @@
|
||||
package e2e
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"io"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/suite"
|
||||
"github.com/testcontainers/testcontainers-go"
|
||||
)
|
||||
|
||||
type DNSSuite struct {
|
||||
suite.Suite
|
||||
ctx context.Context
|
||||
}
|
||||
|
||||
func (s *DNSSuite) SetupSuite() {
|
||||
s.ctx = context.Background()
|
||||
}
|
||||
|
||||
// dnsQuery sends a DNS query via the Python client and retries on failure.
|
||||
// expected can be an IP string, "empty" (expect zero answer records), or "" (no check).
|
||||
func (s *DNSSuite) dnsQuery(gostC testcontainers.Container, mode, host, port, qname, qtype, expected string) {
|
||||
args := []string{"python3", "/scripts/dns_query.py", mode, host, port, qname, qtype}
|
||||
if expected != "" {
|
||||
args = append(args, expected)
|
||||
}
|
||||
|
||||
for i := range 5 {
|
||||
code, out, err := gostC.Exec(s.ctx, args)
|
||||
if err != nil {
|
||||
s.T().Logf("query attempt %d exec error: %v", i+1, err)
|
||||
time.Sleep(time.Second)
|
||||
continue
|
||||
}
|
||||
body, err := io.ReadAll(out)
|
||||
if err != nil {
|
||||
s.T().Logf("query attempt %d read error: %v", i+1, err)
|
||||
time.Sleep(time.Second)
|
||||
continue
|
||||
}
|
||||
output := string(body)
|
||||
s.T().Logf("query attempt %d: %s", i+1, strings.TrimSpace(output))
|
||||
|
||||
if code == 0 {
|
||||
return
|
||||
}
|
||||
time.Sleep(time.Second)
|
||||
}
|
||||
|
||||
s.T().Fatalf("DNS query %s %s %s %s failed after 5 retries", mode, qname, qtype, host)
|
||||
}
|
||||
|
||||
// dnsQueryOnce sends a single DNS query with no retries. Returns exit code and output.
|
||||
func (s *DNSSuite) dnsQueryOnce(gostC testcontainers.Container, mode, host, port, qname, qtype string) (int, string) {
|
||||
args := []string{"python3", "/scripts/dns_query.py", mode, host, port, qname, qtype}
|
||||
code, out, err := gostC.Exec(s.ctx, args)
|
||||
if err != nil {
|
||||
return 1, fmt.Sprintf("exec error: %v", err)
|
||||
}
|
||||
body, _ := io.ReadAll(out)
|
||||
return code, string(body)
|
||||
}
|
||||
|
||||
// dnsQueryWithDelay calls dnsQuery with a small wait before the first attempt.
|
||||
func (s *DNSSuite) dnsQueryWithDelay(gostC testcontainers.Container, mode, host, port, qname, qtype, expected string) {
|
||||
time.Sleep(500 * time.Millisecond)
|
||||
s.dnsQuery(gostC, mode, host, port, qname, qtype, expected)
|
||||
}
|
||||
|
||||
// sendRaw sends raw data via base64+nc and returns the response.
|
||||
func (s *DNSSuite) sendRaw(gostC testcontainers.Container, host, port, data string) string {
|
||||
encoded := base64.StdEncoding.EncodeToString([]byte(data))
|
||||
cmd := []string{"sh", "-c",
|
||||
fmt.Sprintf("echo %s | base64 -d | nc -w 3 -u %s %s", encoded, host, port)}
|
||||
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||
b, _ := io.ReadAll(out)
|
||||
return string(b)
|
||||
}
|
||||
|
||||
// startDNSResponder starts the UDP DNS responder and returns the container.
|
||||
func (s *DNSSuite) startDNSResponder() testcontainers.Container {
|
||||
dnsC, err := RunDNSResponderContainer(s.ctx, SharedNetworkName)
|
||||
s.Require().NoError(err)
|
||||
return dnsC
|
||||
}
|
||||
|
||||
// startGostWithQueryScript starts a gost container with dns_query.py mounted.
|
||||
func (s *DNSSuite) startGostWithQueryScript(yamlPath, exposedPort string) testcontainers.Container {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
yamlPath,
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/dns_query.py", ContainerFilePath: "/scripts/dns_query.py", FileMode: 0644},
|
||||
},
|
||||
exposedPort)
|
||||
s.Require().NoError(err)
|
||||
return gostC
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Upstream resolution
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func (s *DNSSuite) TestDNSUpstream() {
|
||||
dnsC := s.startDNSResponder()
|
||||
defer dnsC.Terminate(s.ctx)
|
||||
|
||||
gostC := s.startGostWithQueryScript("testdata/dns/server_upstream.yaml", "1053/udp")
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
s.T().Run("a-record", func(t *testing.T) {
|
||||
s.dnsQueryWithDelay(gostC, "udp", "127.0.0.1", "1053", "test.example.com", "A", "10.0.0.1")
|
||||
})
|
||||
s.T().Run("aaaa-record", func(t *testing.T) {
|
||||
s.dnsQuery(gostC, "udp", "127.0.0.1", "1053", "example.com", "AAAA", "::1")
|
||||
})
|
||||
s.T().Run("second-a-record", func(t *testing.T) {
|
||||
s.dnsQuery(gostC, "udp", "127.0.0.1", "1053", "test2.example.com", "A", "10.0.0.2")
|
||||
})
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// TCP mode
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func (s *DNSSuite) TestDNSTCP() {
|
||||
s.T().Log("start TCP DNS responder container...")
|
||||
dnsC, err := RunTCPDNSResponderContainer(s.ctx, SharedNetworkName)
|
||||
s.Require().NoError(err)
|
||||
defer dnsC.Terminate(s.ctx)
|
||||
|
||||
gostC := s.startGostWithQueryScript("testdata/dns/server_tcp.yaml", "1053/tcp")
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
s.dnsQueryWithDelay(gostC, "tcp", "127.0.0.1", "1053", "test.example.com", "A", "10.0.0.1")
|
||||
s.dnsQuery(gostC, "tcp", "127.0.0.1", "1053", "test2.example.com", "A", "10.0.0.2")
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Bypass rules
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func (s *DNSSuite) TestDNSBypass() {
|
||||
dnsC := s.startDNSResponder()
|
||||
defer dnsC.Terminate(s.ctx)
|
||||
|
||||
gostC := s.startGostWithQueryScript("testdata/dns/server_bypass.yaml", "1053/udp")
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
s.T().Run("blocked-domain-empty-answer", func(t *testing.T) {
|
||||
s.dnsQueryWithDelay(gostC, "udp", "127.0.0.1", "1053",
|
||||
"test.example.com", "A", "empty")
|
||||
})
|
||||
s.T().Run("non-blocked-domain", func(t *testing.T) {
|
||||
s.dnsQuery(gostC, "udp", "127.0.0.1", "1053",
|
||||
"test2.example.com", "A", "10.0.0.2")
|
||||
})
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Host mapper
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// TestDNSHostMapper verifies DNS resolution via the host mapper before
|
||||
// reaching the upstream exchanger.
|
||||
//
|
||||
// Config: server_hosts.yaml maps mapped.example.com → 10.0.0.100 and
|
||||
// points the handler at an unreachable upstream (udp://127.0.0.1:1).
|
||||
// The handler checks the host mapper before the exchange path, so
|
||||
// mapped names resolve without needing any upstream DNS. Unmapped
|
||||
// names must fall through to the exchanger, which fails — confirming
|
||||
// the host-mapper path was the only reason mapped names worked.
|
||||
func (s *DNSSuite) TestDNSHostMapper() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/dns/server_hosts.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/dns_query.py", ContainerFilePath: "/scripts/dns_query.py", FileMode: 0644},
|
||||
},
|
||||
"1053/udp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
s.T().Run("mapped-a-record", func(t *testing.T) {
|
||||
// mapped.example.com → host mapper returns 10.0.0.100
|
||||
// without contacting any upstream.
|
||||
s.dnsQueryWithDelay(gostC, "udp", "127.0.0.1", "1053",
|
||||
"mapped.example.com", "A", "10.0.0.100")
|
||||
})
|
||||
|
||||
s.T().Run("unmapped-domain", func(t *testing.T) {
|
||||
// test.example.com is not in the hosts mapping. The handler
|
||||
// will fall through to the exchanger path, which fails because
|
||||
// no upstream is configured. Query should return empty/NXDOMAIN.
|
||||
code, output := s.dnsQueryOnce(gostC, "udp", "127.0.0.1", "1053",
|
||||
"test.example.com", "A")
|
||||
s.T().Logf("unmapped query: code=%d, %s", code, strings.TrimSpace(output))
|
||||
// Non-zero exit indicates no valid response — expected since
|
||||
// there's no working upstream.
|
||||
s.Assert().NotEqual(0, code,
|
||||
"unmapped domain should fail with no upstream")
|
||||
})
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Exchange failure (unreachable upstream)
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// TestDNSExchangeFailure verifies graceful handling when the upstream DNS
|
||||
// exchanger is unreachable.
|
||||
//
|
||||
// Config: server_exchange_failure.yaml points to udp://127.0.0.1:1 which
|
||||
// is unreachable. The handler must not crash or leak goroutines when the
|
||||
// upstream exchange fails.
|
||||
func (s *DNSSuite) TestDNSExchangeFailure() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/dns/server_exchange_failure.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/dns_query.py", ContainerFilePath: "/scripts/dns_query.py", FileMode: 0644},
|
||||
},
|
||||
"1053/udp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
s.T().Run("unreachable-upstream", func(t *testing.T) {
|
||||
// Send query once — the exchange will fail (timeout / ICMP
|
||||
// unreachable). No response is expected.
|
||||
code, output := s.dnsQueryOnce(gostC, "udp", "127.0.0.1", "1053",
|
||||
"test.example.com", "A")
|
||||
s.T().Logf("exchange failure result: code=%d, %s",
|
||||
code, strings.TrimSpace(output))
|
||||
// Non-zero exit is expected since the exchange fails.
|
||||
s.Assert().NotEqual(0, code,
|
||||
"exchange failure should return non-zero exit")
|
||||
})
|
||||
|
||||
s.T().Run("container-alive-after-failure", func(t *testing.T) {
|
||||
// Verify the gost container is still running after the
|
||||
// failed exchange — proves no crash or hang.
|
||||
aliveCode, _, aliveErr := gostC.Exec(s.ctx, []string{"true"})
|
||||
s.Require().NoError(aliveErr,
|
||||
"container exec should succeed after exchange failure")
|
||||
s.Require().Equal(0, aliveCode,
|
||||
"gost container should be alive after exchange failure")
|
||||
})
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Rate limiter
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// TestDNSRateLimiter verifies that rate limiting configuration is accepted
|
||||
// and the handler processes queries through the rate limiter path without
|
||||
// crashing. Uses a generous global limit (1000/s) so queries pass.
|
||||
func (s *DNSSuite) TestDNSRateLimiter() {
|
||||
dnsC := s.startDNSResponder()
|
||||
defer dnsC.Terminate(s.ctx)
|
||||
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/dns/server_rlimiter.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/dns_query.py", ContainerFilePath: "/scripts/dns_query.py", FileMode: 0644},
|
||||
},
|
||||
"1053/udp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
s.T().Run("query-with-limiter", func(t *testing.T) {
|
||||
s.dnsQueryWithDelay(gostC, "udp", "127.0.0.1", "1053",
|
||||
"test.example.com", "A", "10.0.0.1")
|
||||
})
|
||||
s.T().Run("second-query-with-limiter", func(t *testing.T) {
|
||||
s.dnsQuery(gostC, "udp", "127.0.0.1", "1053",
|
||||
"test2.example.com", "A", "10.0.0.2")
|
||||
})
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Invalid query
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// TestDNSInvalidQuery verifies the DNS listener gracefully handles malformed
|
||||
// DNS messages. Sends garbage bytes and checks the gost container is
|
||||
// unaffected (no crash, no hang).
|
||||
func (s *DNSSuite) TestDNSInvalidQuery() {
|
||||
gostC := s.startGostWithQueryScript("testdata/dns/server_upstream.yaml", "1053/udp")
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
s.T().Run("send-garbage-bytes", func(t *testing.T) {
|
||||
// Send 5 bytes of garbage via UDP. The miekg/dns server
|
||||
// will fail to parse them and discard the packet.
|
||||
s.sendRaw(gostC, "127.0.0.1", "1053", "garbage!")
|
||||
})
|
||||
|
||||
s.T().Run("container-alive-after-garbage", func(t *testing.T) {
|
||||
// Verify the gost container is still alive after receiving
|
||||
// invalid data.
|
||||
aliveCode, _, aliveErr := gostC.Exec(s.ctx, []string{"true"})
|
||||
s.Require().NoError(aliveErr,
|
||||
"container exec should succeed after invalid query")
|
||||
s.Require().Equal(0, aliveCode,
|
||||
"gost container should be alive after invalid query")
|
||||
})
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// DNS over TLS
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// TestDNSTLS verifies the DNS listener in TLS mode (DNS over TLS).
|
||||
// Starts the UDP DNS responder (unencrypted), a gost DNS server with
|
||||
// listener mode: tls, and queries through the TLS endpoint.
|
||||
func (s *DNSSuite) TestDNSTLS() {
|
||||
dnsC := s.startDNSResponder()
|
||||
defer dnsC.Terminate(s.ctx)
|
||||
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/dns/server_tls.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/dns_tls_query.py", ContainerFilePath: "/scripts/dns_tls_query.py", FileMode: 0644},
|
||||
},
|
||||
"1053/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// Query via TLS
|
||||
args := []string{"python3", "/scripts/dns_tls_query.py",
|
||||
"127.0.0.1", "1053", "test.example.com", "A", "10.0.0.1"}
|
||||
|
||||
for i := range 5 {
|
||||
code, out, err := gostC.Exec(s.ctx, args)
|
||||
if err != nil {
|
||||
s.T().Logf("tls query attempt %d exec error: %v", i+1, err)
|
||||
time.Sleep(time.Second)
|
||||
continue
|
||||
}
|
||||
body, err := io.ReadAll(out)
|
||||
if err != nil {
|
||||
s.T().Logf("tls query attempt %d read error: %v", i+1, err)
|
||||
time.Sleep(time.Second)
|
||||
continue
|
||||
}
|
||||
output := string(body)
|
||||
s.T().Logf("tls query attempt %d: %s", i+1, strings.TrimSpace(output))
|
||||
|
||||
if code == 0 {
|
||||
return
|
||||
}
|
||||
time.Sleep(time.Second)
|
||||
}
|
||||
|
||||
s.T().Fatal("TLS query failed after 5 retries")
|
||||
}
|
||||
|
||||
func TestDNSSuite(t *testing.T) {
|
||||
suite.Run(t, new(DNSSuite))
|
||||
}
|
||||
@@ -0,0 +1,194 @@
|
||||
package e2e
|
||||
|
||||
import (
|
||||
"context"
|
||||
"io"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/suite"
|
||||
"github.com/testcontainers/testcontainers-go"
|
||||
)
|
||||
|
||||
type FileSuite struct {
|
||||
suite.Suite
|
||||
ctx context.Context
|
||||
}
|
||||
|
||||
func (s *FileSuite) SetupSuite() {
|
||||
s.ctx = context.Background()
|
||||
}
|
||||
|
||||
func (s *FileSuite) TearDownSuite() {}
|
||||
|
||||
// TestFileGetExisting verifies that GET on an existing file returns
|
||||
// the file content with HTTP 200. Covers the basic file serving path:
|
||||
// file handler → http.FileServer → file read.
|
||||
func (s *FileSuite) TestFileGetExisting() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/file/server.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "testdata/file/hello.txt", ContainerFilePath: "/srv/files/hello.txt", FileMode: 0644},
|
||||
},
|
||||
"8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8080/hello.txt"}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost-file") {
|
||||
DumpLogs(s.T(), s.ctx, "file-server logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost-file")
|
||||
}
|
||||
|
||||
// TestFileGetNotFound verifies that GET on a nonexistent file returns
|
||||
// 404 Not Found.
|
||||
func (s *FileSuite) TestFileGetNotFound() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/file/server.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "testdata/file/hello.txt", ContainerFilePath: "/srv/files/hello.txt", FileMode: 0644},
|
||||
},
|
||||
"8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||
"http://127.0.0.1:8080/nonexistent.txt"}
|
||||
_, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
body, _ := io.ReadAll(out)
|
||||
s.Assert().Contains(string(body), "404")
|
||||
}
|
||||
|
||||
// TestFileGetIndexHtml verifies that GET / serves index.html when
|
||||
// present in the served directory. Covers the default index document
|
||||
// behavior of http.FileServer.
|
||||
func (s *FileSuite) TestFileGetIndexHtml() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/file/server.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "testdata/file/index.html", ContainerFilePath: "/srv/files/index.html", FileMode: 0644},
|
||||
},
|
||||
"8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8080/"}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "gost file index") {
|
||||
DumpLogs(s.T(), s.ctx, "file-server index logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "gost file index")
|
||||
}
|
||||
|
||||
// TestFilePutUpload verifies that PUT uploads a file when file.put is
|
||||
// enabled. Uploads a file and then reads it back via GET to confirm
|
||||
// the content was persisted.
|
||||
func (s *FileSuite) TestFilePutUpload() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/file/server_put.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "testdata/file/.empty", ContainerFilePath: "/srv/files/.empty", FileMode: 0644},
|
||||
},
|
||||
"8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// Create source content inside the container.
|
||||
_, _, err = gostC.Exec(s.ctx, []string{
|
||||
"sh", "-c", "printf 'uploaded-content' > /tmp/upload_src.txt",
|
||||
})
|
||||
s.Require().NoError(err)
|
||||
|
||||
// Upload via PUT.
|
||||
_, out, err := gostC.Exec(s.ctx, []string{
|
||||
"curl", "-v", "-s", "-T", "/tmp/upload_src.txt",
|
||||
"http://127.0.0.1:8080/uploaded.txt",
|
||||
})
|
||||
s.Require().NoError(err)
|
||||
putBody, _ := io.ReadAll(out)
|
||||
s.T().Logf("PUT response:\n%s", string(putBody))
|
||||
|
||||
// Read back the uploaded file via GET.
|
||||
_, out2, err := gostC.Exec(s.ctx, []string{
|
||||
"curl", "-v", "-s",
|
||||
"http://127.0.0.1:8080/uploaded.txt",
|
||||
})
|
||||
s.Require().NoError(err)
|
||||
body, _ := io.ReadAll(out2)
|
||||
s.Assert().Contains(string(body), "uploaded-content")
|
||||
}
|
||||
|
||||
// TestFilePutNoPermission verifies that PUT returns 405 Method Not
|
||||
// Allowed when file.put is not enabled (default: false).
|
||||
func (s *FileSuite) TestFilePutNoPermission() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/file/server.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "testdata/file/.empty", ContainerFilePath: "/srv/files/.empty", FileMode: 0644},
|
||||
},
|
||||
"8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||
"-T", "/dev/null", "http://127.0.0.1:8080/test.txt"}
|
||||
_, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
body, _ := io.ReadAll(out)
|
||||
s.Assert().Contains(string(body), "405")
|
||||
}
|
||||
|
||||
// TestFileAuth verifies authentication on the file handler.
|
||||
// Without credentials the handler returns 401 Unauthorized,
|
||||
// with valid credentials it serves the file.
|
||||
func (s *FileSuite) TestFileAuth() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/file/server_auth.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "testdata/file/hello.txt", ContainerFilePath: "/srv/files/hello.txt", FileMode: 0644},
|
||||
},
|
||||
"8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
s.T().Run("no-auth-401", func(t *testing.T) {
|
||||
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||
"http://127.0.0.1:8080/hello.txt"}
|
||||
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||
body, _ := io.ReadAll(out)
|
||||
s.Assert().Contains(string(body), "401")
|
||||
})
|
||||
|
||||
s.T().Run("with-auth-success", func(t *testing.T) {
|
||||
cmd := []string{"curl", "-v", "-s", "-u", "user:pass",
|
||||
"http://127.0.0.1:8080/hello.txt"}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost-file") {
|
||||
DumpLogs(s.T(), s.ctx, "file-server auth logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost-file")
|
||||
})
|
||||
}
|
||||
|
||||
func TestFileSuite(t *testing.T) {
|
||||
suite.Run(t, new(FileSuite))
|
||||
}
|
||||
@@ -0,0 +1,291 @@
|
||||
package e2e
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"io"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/suite"
|
||||
"github.com/testcontainers/testcontainers-go"
|
||||
)
|
||||
|
||||
type ForwardSuite struct {
|
||||
suite.Suite
|
||||
ctx context.Context
|
||||
echoC testcontainers.Container
|
||||
echoIP string
|
||||
udpC testcontainers.Container
|
||||
}
|
||||
|
||||
func (s *ForwardSuite) SetupSuite() {
|
||||
s.ctx = context.Background()
|
||||
|
||||
s.T().Logf("start tcp echo container...")
|
||||
echoC, err := RunEchoContainer(s.ctx, SharedNetworkName)
|
||||
s.Require().NoError(err)
|
||||
s.echoC = echoC
|
||||
|
||||
echoIP, err := echoC.ContainerIP(s.ctx)
|
||||
s.Require().NoError(err)
|
||||
s.echoIP = echoIP
|
||||
|
||||
s.T().Logf("start udp echo container...")
|
||||
udpC, err := RunUDPEchoContainer(s.ctx, SharedNetworkName)
|
||||
s.Require().NoError(err)
|
||||
s.udpC = udpC
|
||||
}
|
||||
|
||||
// sendRaw sends a raw HTTP request via netcat and returns the response.
|
||||
// Uses base64 to avoid shell quoting issues with CRLF bytes.
|
||||
func (s *ForwardSuite) sendRaw(gostC testcontainers.Container, host, port, data string) string {
|
||||
encoded := base64.StdEncoding.EncodeToString([]byte(data))
|
||||
cmd := []string{"sh", "-c",
|
||||
fmt.Sprintf("echo %s | base64 -d | nc -w 5 %s %s", encoded, host, port)}
|
||||
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||
b, _ := io.ReadAll(out)
|
||||
return string(b)
|
||||
}
|
||||
|
||||
func (s *ForwardSuite) TearDownSuite() {
|
||||
if s.echoC != nil {
|
||||
s.echoC.Terminate(s.ctx)
|
||||
}
|
||||
if s.udpC != nil {
|
||||
s.udpC.Terminate(s.ctx)
|
||||
}
|
||||
}
|
||||
|
||||
// TestTCPForward verifies basic TCP forward handler (handler type: tcp).
|
||||
// The forward handler pipes raw TCP connections to the configured forwarder
|
||||
// node (tcp-echo:5678). curl connects directly to the handler port and sends
|
||||
// an HTTP request, expecting the echo server's "hello-gost" response.
|
||||
func (s *ForwardSuite) TestTCPForward() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/forward/server.yaml", "8000/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// curl directly to the handler port (not via -x proxy flag).
|
||||
// The TCP forward handler pipes our connection to tcp-echo:5678.
|
||||
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8000/"}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "tcp-forward logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
}
|
||||
|
||||
// TestForwardAlias verifies that the "forward" handler type (alias for "tcp")
|
||||
// works identically to the "tcp" handler type.
|
||||
func (s *ForwardSuite) TestForwardAlias() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/forward/server.yaml", "8000/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8000/"}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "forward-alias logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
}
|
||||
|
||||
// TestTCPForwardSniffing verifies TCP forward handler with sniffing enabled.
|
||||
// When sniffing is enabled and the connection starts with HTTP data, the handler
|
||||
// detects the protocol via sniffing.Sniff and delegates to the HTTP sniffer
|
||||
// for protocol-aware forwarding. The result is the same as raw forwarding:
|
||||
// "hello-gost" from the echo server.
|
||||
func (s *ForwardSuite) TestTCPForwardSniffing() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/forward/server_sniffing.yaml", "8000/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// curl directly — sniffing detects HTTP and handles via sniffer.
|
||||
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8000/"}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "tcp-forward-sniffing logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
}
|
||||
|
||||
// TestTCPForwardRaw verifies raw TCP forwarding by sending an HTTP request
|
||||
// via netcat through the forward handler. This tests the handleRawForwarding
|
||||
// code path (no sniffing), proving that raw bytes are piped through correctly.
|
||||
func (s *ForwardSuite) TestTCPForwardRaw() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/forward/server.yaml", "8000/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// Send raw HTTP request via nc (not curl) to exercise the raw pipe path.
|
||||
resp := s.sendRaw(gostC, "127.0.0.1", "8000",
|
||||
"GET / HTTP/1.0\r\nHost: tcp-echo\r\n\r\n")
|
||||
s.Assert().Contains(resp, "hello-gost",
|
||||
"raw request through TCP forward should reach echo server")
|
||||
}
|
||||
|
||||
// TestTCPForwardIdleTimeout verifies that idleTimeout closes the pipe after
|
||||
// a period of inactivity. The forward handler's xnet.Pipe uses idleTimeout
|
||||
// as a read deadline on the upstream connection — if no data flows for
|
||||
// that duration, the pipe closes both directions.
|
||||
func (s *ForwardSuite) TestTCPForwardIdleTimeout() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/forward/server_idle_timeout.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/tcp_idle_timeout.py", ContainerFilePath: "/scripts/tcp_idle_timeout.py", FileMode: 0644},
|
||||
},
|
||||
"8000/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// The Python script:
|
||||
// 1. Connects to gost TCP forward port
|
||||
// 2. Sends HTTP GET → expects "hello-gost" confirm pipe is alive
|
||||
// 3. Waits > idleTimeout (3s + 2s buffer)
|
||||
// 4. Sends more data — expects connection to be closed
|
||||
code, out, err := gostC.Exec(s.ctx, []string{
|
||||
"python3", "/scripts/tcp_idle_timeout.py",
|
||||
"127.0.0.1", "8000", "3",
|
||||
})
|
||||
output, _ := io.ReadAll(out)
|
||||
s.T().Logf("idle timeout output:\n%s", string(output))
|
||||
if code != 0 {
|
||||
DumpLogs(s.T(), s.ctx, "tcp-idle-timeout logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code, "idle timeout test script should exit 0")
|
||||
}
|
||||
|
||||
// TestUDPForward verifies basic UDP forwarding (handler: udp, listener: udp).
|
||||
// The handler uses handleRawDatagram via the stateful UDP listener's
|
||||
// per-client session conns (which implement net.PacketConn).
|
||||
// A Python script inside the gost container sends a UDP datagram through
|
||||
// the forward handler and verifies the echo response from udp-echo:5679.
|
||||
func (s *ForwardSuite) TestUDPForward() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/forward/server_udp.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/udp_forward_test.py", ContainerFilePath: "/scripts/udp_forward_test.py", FileMode: 0644},
|
||||
},
|
||||
"9000/udp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
code, out, err := gostC.Exec(s.ctx, []string{
|
||||
"python3", "/scripts/udp_forward_test.py",
|
||||
"127.0.0.1", "9000",
|
||||
})
|
||||
output, _ := io.ReadAll(out)
|
||||
s.T().Logf("udp forward output:\n%s", string(output))
|
||||
if code != 0 {
|
||||
DumpLogs(s.T(), s.ctx, "udp-forward logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code, "udp forward test script should exit 0")
|
||||
}
|
||||
|
||||
// TestUDPForwardStateless verifies UDP forwarding with stateless mode.
|
||||
// Both listener and handler use stateless: true, so each datagram is a
|
||||
// single request-response cycle with no per-client session tracking.
|
||||
func (s *ForwardSuite) TestUDPForwardStateless() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/forward/server_udp_stateless.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/udp_forward_test.py", ContainerFilePath: "/scripts/udp_forward_test.py", FileMode: 0644},
|
||||
},
|
||||
"9000/udp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
code, out, err := gostC.Exec(s.ctx, []string{
|
||||
"python3", "/scripts/udp_forward_test.py",
|
||||
"127.0.0.1", "9000",
|
||||
})
|
||||
output, _ := io.ReadAll(out)
|
||||
s.T().Logf("udp forward stateless output:\n%s", string(output))
|
||||
if code != 0 {
|
||||
DumpLogs(s.T(), s.ctx, "udp-forward-stateless logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code, "udp forward stateless test script should exit 0")
|
||||
}
|
||||
|
||||
// TestTCPForwardSniffingBypass verifies that when sniffing is enabled and a
|
||||
// bypass rule blocks the target, the HTTP sniffer returns 403 Forbidden.
|
||||
// The forward handler delegates to the HTTP sniffer (via handleSniffedProtocol),
|
||||
// and the sniffer's resolveHTTPNode checks h.options.Bypass and returns 403
|
||||
// when the destination is matched.
|
||||
func (s *ForwardSuite) TestTCPForwardSniffingBypass() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/forward/server_bypass_sniffing.yaml", "8000/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// curl connects directly; sniffing detects HTTP. The sniffer bypass
|
||||
// check matches 0.0.0.0/0 and returns 403 Forbidden.
|
||||
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
|
||||
"http://127.0.0.1:8000/"}
|
||||
_, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
body, _ := io.ReadAll(out)
|
||||
output := string(body)
|
||||
|
||||
s.Assert().Contains(output, "403",
|
||||
"bypass should return 403 Forbidden from sniffer")
|
||||
}
|
||||
|
||||
// TestTCPForwardMultiNodeProtocol verifies that sniffing + protocol-filtered
|
||||
// forwarder nodes correctly routes an HTTP request to the node with matching
|
||||
// protocol (http), rather than the one with protocol: tls.
|
||||
//
|
||||
// Config has two nodes:
|
||||
// - echo-http (protocol: http) → tcp-echo:5678 (works, returns "hello-gost")
|
||||
// - echo-tls (protocol: tls) → tcp-echo:1 (closed port, would fail)
|
||||
//
|
||||
// With sniffing enabled, an HTTP request is detected as protocol "http",
|
||||
// Select("http") filters to only the echo-http node. If protocol filtering
|
||||
// fails and the tls node is selected instead, the connection to port 1
|
||||
// fails and the test fails.
|
||||
func (s *ForwardSuite) TestTCPForwardMultiNodeProtocol() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/forward/server_multi_node.yaml", "8000/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// curl sends an HTTP request → sniffed as "http" → Select("http")
|
||||
// filters to echo-http (protocol: http) → pipes to tcp-echo:5678
|
||||
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8000/"}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "tcp-forward-multi-node logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost",
|
||||
"HTTP request should route to the http-protocol node via protocol filtering")
|
||||
}
|
||||
|
||||
func TestForwardSuite(t *testing.T) {
|
||||
suite.Run(t, new(ForwardSuite))
|
||||
}
|
||||
@@ -0,0 +1,216 @@
|
||||
package e2e
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"strings"
|
||||
"sync"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/suite"
|
||||
"github.com/testcontainers/testcontainers-go"
|
||||
)
|
||||
|
||||
// HTTP2Suite covers the HTTP/2 proxy handler (handler type: http2) together
|
||||
// with the HTTP/2 listener (listener type: http2). The http2 listener wraps
|
||||
// the underlying TCP listener with TLS and configures an h2 server, so the
|
||||
// handler is always reached over HTTP/2 frames.
|
||||
//
|
||||
// Because Alpine's curl cannot be relied on to speak HTTP/2 proxy to the
|
||||
// server directly, the suite uses the canonical GOST chaining pattern: a
|
||||
// client container exposes a plain HTTP proxy which forwards through an
|
||||
// http2 connector + http2 dialer to the http2 server. This exercises the
|
||||
// h2 listener, the h2 handler, and the h2 connector/dialer together.
|
||||
type HTTP2Suite struct {
|
||||
suite.Suite
|
||||
ctx context.Context
|
||||
echoC testcontainers.Container
|
||||
echoIP string
|
||||
}
|
||||
|
||||
func (s *HTTP2Suite) SetupSuite() {
|
||||
s.ctx = context.Background()
|
||||
|
||||
s.T().Logf("start tcp echo container...")
|
||||
echoC, err := RunEchoContainer(s.ctx, SharedNetworkName)
|
||||
s.Require().NoError(err)
|
||||
s.echoC = echoC
|
||||
|
||||
echoIP, err := echoC.ContainerIP(s.ctx)
|
||||
s.Require().NoError(err)
|
||||
s.echoIP = echoIP
|
||||
}
|
||||
|
||||
func (s *HTTP2Suite) TearDownSuite() {
|
||||
if s.echoC != nil {
|
||||
s.echoC.Terminate(s.ctx)
|
||||
}
|
||||
}
|
||||
|
||||
// startChain brings up an http2 server (alias "h2-server") and an http client
|
||||
// container that chains to it through connector/dialer type http2. The client
|
||||
// exposes port 8080 for curl. The rendered client config is cleaned up by the
|
||||
// caller-supplied template path resolving {{.ServerAddr}} to h2-server:8443.
|
||||
func (s *HTTP2Suite) startChain(serverYAML, clientTmpl string) (testcontainers.Container, testcontainers.Container) {
|
||||
s.T().Helper()
|
||||
|
||||
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
|
||||
serverYAML, []string{"h2-server"}, []string{"8443/tcp"})
|
||||
s.Require().NoError(err)
|
||||
|
||||
rendered, err := RenderConfig(clientTmpl, ConfigData{ServerAddr: "h2-server:8443"})
|
||||
s.Require().NoError(err)
|
||||
s.T().Cleanup(func() { os.Remove(rendered) })
|
||||
|
||||
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
rendered, "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
|
||||
return serverC, clientC
|
||||
}
|
||||
|
||||
// curlEcho runs curl through the client's local http proxy and returns the
|
||||
// process exit code plus the captured body.
|
||||
func (s *HTTP2Suite) curlEcho(clientC testcontainers.Container) (int, string) {
|
||||
s.T().Helper()
|
||||
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, _ := clientC.Exec(s.ctx, cmd)
|
||||
body, _ := io.ReadAll(out)
|
||||
return code, string(body)
|
||||
}
|
||||
|
||||
func (s *HTTP2Suite) dump(label string, cs ...testcontainers.Container) {
|
||||
for _, c := range cs {
|
||||
DumpLogs(s.T(), s.ctx, label, c)
|
||||
}
|
||||
}
|
||||
|
||||
// TestHTTP2ForwardProxy verifies the core HTTP/2 proxy path: a plain HTTP
|
||||
// request through the client proxy is tunneled to the http2 server via an h2
|
||||
// CONNECT stream and reaches the echo backend.
|
||||
//
|
||||
// Covers:
|
||||
// - listener type: http2 (TLS + h2 server)
|
||||
// - handler type: http2 (CONNECT tunnel + bidirectional pipe)
|
||||
// - connector type: http2, dialer type: http2 (h2 client)
|
||||
func (s *HTTP2Suite) TestHTTP2ForwardProxy() {
|
||||
serverC, clientC := s.startChain("testdata/http2/server.yaml", "testdata/http2/client.yaml")
|
||||
defer serverC.Terminate(s.ctx)
|
||||
defer clientC.Terminate(s.ctx)
|
||||
|
||||
code, body := s.curlEcho(clientC)
|
||||
if code != 0 || !strings.Contains(body, "hello-gost") {
|
||||
s.dump("http2-forward logs", clientC, serverC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(body, "hello-gost")
|
||||
}
|
||||
|
||||
// TestHTTP2Auth verifies proxy authentication over the h2 tunnel, plus
|
||||
// authBasicRealm and hash metadata parsing on the http2 handler.
|
||||
//
|
||||
// - with auth: CONNECT succeeds → echo body returned
|
||||
// - without auth: server rejects CONNECT (407) → client cannot reach echo
|
||||
func (s *HTTP2Suite) TestHTTP2Auth() {
|
||||
s.T().Run("with-auth-success", func(t *testing.T) {
|
||||
serverC, clientC := s.startChain("testdata/http2/server_auth.yaml", "testdata/http2/client_auth.yaml")
|
||||
defer serverC.Terminate(s.ctx)
|
||||
defer clientC.Terminate(s.ctx)
|
||||
|
||||
code, body := s.curlEcho(clientC)
|
||||
if code != 0 || !strings.Contains(body, "hello-gost") {
|
||||
s.dump("http2-auth-success logs", clientC, serverC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(body, "hello-gost")
|
||||
})
|
||||
|
||||
s.T().Run("no-auth-fails", func(t *testing.T) {
|
||||
// Server requires auth; client sends none → the http2 CONNECT is
|
||||
// rejected with 407, so curl cannot obtain the echo body.
|
||||
serverC, clientC := s.startChain("testdata/http2/server_auth.yaml", "testdata/http2/client.yaml")
|
||||
defer serverC.Terminate(s.ctx)
|
||||
defer clientC.Terminate(s.ctx)
|
||||
|
||||
code, body := s.curlEcho(clientC)
|
||||
if strings.Contains(body, "hello-gost") {
|
||||
s.dump("http2-auth-noauth logs", clientC, serverC)
|
||||
}
|
||||
s.Require().Zero(code,
|
||||
"curl should still receive an HTTP response from the local proxy")
|
||||
s.Require().NotContains(body, "hello-gost",
|
||||
"without auth the echo backend must be unreachable")
|
||||
})
|
||||
}
|
||||
|
||||
// TestHTTP2Bypass verifies that a bypass matcher on the http2 handler blocks
|
||||
// the CONNECT target after authentication succeeds. The server returns 403, so
|
||||
// the client cannot reach the echo backend.
|
||||
func (s *HTTP2Suite) TestHTTP2Bypass() {
|
||||
serverC, clientC := s.startChain("testdata/http2/server_bypass.yaml", "testdata/http2/client_auth.yaml")
|
||||
defer serverC.Terminate(s.ctx)
|
||||
defer clientC.Terminate(s.ctx)
|
||||
|
||||
code, body := s.curlEcho(clientC)
|
||||
if strings.Contains(body, "hello-gost") {
|
||||
s.dump("http2-bypass logs", clientC, serverC)
|
||||
}
|
||||
s.Require().Zero(code,
|
||||
"curl should still receive an HTTP response from the local proxy")
|
||||
s.Require().NotContains(body, "hello-gost",
|
||||
"bypass should prevent reaching the echo backend")
|
||||
}
|
||||
|
||||
// TestHTTP2ProbeResist verifies that probeResist, header and authBasicRealm
|
||||
// metadata parse cleanly on the http2 handler and do not break the success
|
||||
// path. With correct credentials the request still reaches the echo backend.
|
||||
func (s *HTTP2Suite) TestHTTP2ProbeResist() {
|
||||
serverC, clientC := s.startChain("testdata/http2/server_proberesist.yaml", "testdata/http2/client_auth.yaml")
|
||||
defer serverC.Terminate(s.ctx)
|
||||
defer clientC.Terminate(s.ctx)
|
||||
|
||||
code, body := s.curlEcho(clientC)
|
||||
if code != 0 || !strings.Contains(body, "hello-gost") {
|
||||
s.dump("http2-proberesist logs", clientC, serverC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(body, "hello-gost")
|
||||
}
|
||||
|
||||
// TestHTTP2Multiplex verifies HTTP/2 stream multiplexing: many concurrent
|
||||
// requests through the client proxy are tunneled as parallel h2 streams over a
|
||||
// single underlying connection to the http2 server. All requests must reach
|
||||
// the echo backend.
|
||||
func (s *HTTP2Suite) TestHTTP2Multiplex() {
|
||||
serverC, clientC := s.startChain("testdata/http2/server.yaml", "testdata/http2/client.yaml")
|
||||
defer serverC.Terminate(s.ctx)
|
||||
defer clientC.Terminate(s.ctx)
|
||||
|
||||
const n = 6
|
||||
var wg sync.WaitGroup
|
||||
wg.Add(n)
|
||||
failed := make(chan string, n)
|
||||
for i := 0; i < n; i++ {
|
||||
go func() {
|
||||
defer wg.Done()
|
||||
_, body := s.curlEcho(clientC)
|
||||
if !strings.Contains(body, "hello-gost") {
|
||||
failed <- "missing echo body"
|
||||
}
|
||||
}()
|
||||
}
|
||||
wg.Wait()
|
||||
close(failed)
|
||||
|
||||
if len(failed) > 0 {
|
||||
s.dump("http2-multiplex logs", clientC, serverC)
|
||||
}
|
||||
s.Require().Empty(failed, "all concurrent h2 requests should reach the echo backend")
|
||||
}
|
||||
|
||||
func TestHTTP2Suite(t *testing.T) {
|
||||
suite.Run(t, new(HTTP2Suite))
|
||||
}
|
||||
@@ -0,0 +1,605 @@
|
||||
package e2e
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/suite"
|
||||
"github.com/testcontainers/testcontainers-go"
|
||||
)
|
||||
|
||||
type HTTPSuite struct {
|
||||
suite.Suite
|
||||
ctx context.Context
|
||||
echoC testcontainers.Container
|
||||
echoIP string
|
||||
}
|
||||
|
||||
func (s *HTTPSuite) SetupSuite() {
|
||||
s.ctx = context.Background()
|
||||
|
||||
s.T().Logf("start tcp echo container...")
|
||||
echoC, err := RunEchoContainer(s.ctx, SharedNetworkName)
|
||||
s.Require().NoError(err)
|
||||
s.echoC = echoC
|
||||
|
||||
echoIP, err := echoC.ContainerIP(s.ctx)
|
||||
s.Require().NoError(err)
|
||||
s.echoIP = echoIP
|
||||
}
|
||||
|
||||
// sendRaw sends a raw HTTP request via netcat and returns the response.
|
||||
// Uses base64 to avoid shell quoting issues with CRLF bytes.
|
||||
func (s *HTTPSuite) sendRaw(gostC testcontainers.Container, host, port, data string) string {
|
||||
encoded := base64.StdEncoding.EncodeToString([]byte(data))
|
||||
cmd := []string{"sh", "-c",
|
||||
fmt.Sprintf("echo %s | base64 -d | nc -w 5 %s %s", encoded, host, port)}
|
||||
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||
b, _ := io.ReadAll(out)
|
||||
return string(b)
|
||||
}
|
||||
|
||||
func (s *HTTPSuite) TearDownSuite() {
|
||||
if s.echoC != nil {
|
||||
s.echoC.Terminate(s.ctx)
|
||||
}
|
||||
}
|
||||
|
||||
// TestHTTPProxy verifies basic HTTP forward proxy (no auth, no metadata).
|
||||
// Covers: handler type http, listener type tcp, basic GET via proxy.
|
||||
func (s *HTTPSuite) TestHTTPProxy() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// curl -x uses HTTP forward proxy (GET with absolute URL)
|
||||
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "http-proxy logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
}
|
||||
|
||||
// TestHTTPProxyAuth verifies proxy authentication and the authBasicRealm
|
||||
// metadata parameter.
|
||||
//
|
||||
// Covers:
|
||||
// - auther: basic auth on HTTP proxy
|
||||
// - authBasicRealm: custom realm string in 407 Proxy-Authenticate header
|
||||
func (s *HTTPSuite) TestHTTPProxyAuth() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_auth.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
s.T().Run("no-auth-407", func(t *testing.T) {
|
||||
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
|
||||
"-x", "http://127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||
body, _ := io.ReadAll(out)
|
||||
output := string(body)
|
||||
s.Assert().Contains(output, "407",
|
||||
"no auth should return 407")
|
||||
s.Assert().Contains(output, "gost-e2e-realm",
|
||||
"authBasicRealm should appear in 407 Proxy-Authenticate")
|
||||
})
|
||||
|
||||
s.T().Run("wrong-auth-407", func(t *testing.T) {
|
||||
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||
"-x", "http://wrong:pass@127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||
body, _ := io.ReadAll(out)
|
||||
s.Assert().Contains(string(body), "407",
|
||||
"wrong password should return 407")
|
||||
})
|
||||
|
||||
s.T().Run("with-auth-success", func(t *testing.T) {
|
||||
cmd := []string{"curl", "-v", "-s", "-x", "http://user:pass@127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "http-proxy-auth logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
})
|
||||
}
|
||||
|
||||
// TestHTTPProxyMetadata verifies:
|
||||
// - probeResist: code:404 — unauthorised clients see 404 instead of 407
|
||||
// - keepalive: config parsing (applied at Init time)
|
||||
// - compression: config parsing (applied at Init time)
|
||||
func (s *HTTPSuite) TestHTTPProxyMetadata() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_metadata.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
s.T().Run("probe-resist-404", func(t *testing.T) {
|
||||
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||
"-x", "http://127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||
body, _ := io.ReadAll(out)
|
||||
output := string(body)
|
||||
s.Assert().NotContains(output, "407",
|
||||
"probeResist should hide 407 status")
|
||||
s.Assert().Contains(output, "404",
|
||||
"probeResist should return configured decoy code")
|
||||
})
|
||||
|
||||
s.T().Run("with-auth-success", func(t *testing.T) {
|
||||
cmd := []string{"curl", "-v", "-s", "-x", "http://user:pass@127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "http-metadata logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
})
|
||||
}
|
||||
|
||||
// TestHTTPProxyHeaders verifies:
|
||||
// - header: custom response headers (X-Proxy-Info, X-Custom) on
|
||||
// proxy-originated error responses. The header metadata is set on
|
||||
// the skeleton response used for error paths after authentication.
|
||||
// - proxyAgent: custom Proxy-Agent header in proxy responses.
|
||||
//
|
||||
// Uses a bypass matcher (0.0.0.0/0) that blocks all traffic after auth
|
||||
// succeeds → requests hit 403 Forbidden path which carries custom headers.
|
||||
func (s *HTTPSuite) TestHTTPProxyHeaders() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_headers.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// Auth succeeds, but target is bypassed → 403 Forbidden
|
||||
// The 403 response is built from the skeleton resp which
|
||||
// carries h.md.header (custom headers) and h.md.proxyAgent.
|
||||
s.T().Log("bypass: expect 403 with custom headers")
|
||||
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
|
||||
"-x", "http://user:pass@127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||
headers, _ := io.ReadAll(out)
|
||||
output := string(headers)
|
||||
|
||||
// Bypass → 403 Forbidden
|
||||
s.Assert().Contains(output, "403",
|
||||
"bypass should return 403")
|
||||
// header: custom X-Proxy-Info header on error response
|
||||
s.Assert().Contains(output, "X-Proxy-Info: gost-e2e",
|
||||
"custom header should appear in 403 response")
|
||||
// header: custom X-Custom header on error response
|
||||
s.Assert().Contains(output, "X-Custom: test-value",
|
||||
"custom header should appear in 403 response")
|
||||
// proxyAgent: custom Proxy-Agent header on error response
|
||||
s.Assert().Contains(output, "Proxy-Agent: gost-e2e/1.0",
|
||||
"proxyAgent should appear in 403 response")
|
||||
}
|
||||
|
||||
// TestHTTPConnect verifies HTTP CONNECT tunnel:
|
||||
// - sniffing-enabled: sniffing:true + sniffing.timeout:2s
|
||||
// - no-sniffing: plain CONNECT (default, no metadata)
|
||||
// - bypass-403: CONNECT blocked by (0.0.0.0/0) bypass
|
||||
//
|
||||
// Uses curl --proxytunnel (-p) to force CONNECT method instead of GET.
|
||||
func (s *HTTPSuite) TestHTTPConnect() {
|
||||
s.T().Run("sniffing-enabled", func(t *testing.T) {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_connect.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "-p", "-x", "http://127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "http-connect sniffing logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
})
|
||||
|
||||
s.T().Run("no-sniffing", func(t *testing.T) {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "-p", "-x", "http://127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "http-connect no-sniffing logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
})
|
||||
|
||||
s.T().Run("bypass-403", func(t *testing.T) {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_connect_bypass.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
|
||||
"-p", "-x", "http://user:pass@127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||
body, _ := io.ReadAll(out)
|
||||
output := string(body)
|
||||
s.Assert().Contains(output, "403",
|
||||
"CONNECT bypass should return 403")
|
||||
})
|
||||
}
|
||||
|
||||
// TestHTTPProxyDirectRequest verifies that a non-proxy-form HTTP request
|
||||
// (raw GET / sent to the proxy port) is rejected with 400 Bad Request.
|
||||
// A raw request with empty Host header has no valid scheme to infer,
|
||||
// so the handler returns 400.
|
||||
func (s *HTTPSuite) TestHTTPProxyDirectRequest() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||
"GET / HTTP/1.0\r\nHost: bad!\r\n\r\n")
|
||||
s.Assert().Contains(resp, "400",
|
||||
"non-proxy GET should return 400")
|
||||
}
|
||||
|
||||
// TestHTTPProxyPOST verifies that POST method forwarding works through
|
||||
// the HTTP forward proxy. The echo server only handles GET, so the proxy
|
||||
// should forward the POST request and return whatever the upstream sends
|
||||
// back (501 Not Implemented from the echo server — not a proxy error).
|
||||
// 501 is the real upstream response, proving the proxy forwarded it.
|
||||
func (s *HTTPSuite) TestHTTPProxyPOST() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||
"-X", "POST", "-x", "http://127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678/", s.echoIP)}
|
||||
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||
body, _ := io.ReadAll(out)
|
||||
output := string(body)
|
||||
// The echo server's BaseHTTPRequestHandler defaults to 501 for POST.
|
||||
// If we get 501 through the proxy, it means the method was forwarded.
|
||||
s.Assert().Contains(output, "501",
|
||||
"POST through proxy should be forwarded, echo server returns 501")
|
||||
}
|
||||
|
||||
// TestHTTPConnectUnreachable verifies that CONNECT to an unreachable target
|
||||
// returns 503 Service Unavailable.
|
||||
func (s *HTTPSuite) TestHTTPConnectUnreachable() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_connect.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// Send a raw CONNECT request to a port where nothing is listening.
|
||||
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||
fmt.Sprintf("CONNECT %s:1 HTTP/1.0\r\nHost: %s:1\r\n\r\n", s.echoIP, s.echoIP))
|
||||
s.Assert().Contains(resp, "503",
|
||||
"CONNECT to unreachable target should return 503")
|
||||
}
|
||||
|
||||
// TestHTTPConnector verifies HTTP connector type: a gost client uses an HTTP
|
||||
// connector to forward through an upstream HTTP proxy (no auth), reaching the
|
||||
// target via the proxy chain. This covers the server+client two-container
|
||||
// pattern where the client connects to the server via connector type: http.
|
||||
func (s *HTTPSuite) TestHTTPConnector() {
|
||||
// Start upstream HTTP proxy server (no auth).
|
||||
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server.yaml", []string{"http-server"}, []string{"8080/tcp"})
|
||||
s.Require().NoError(err)
|
||||
defer serverC.Terminate(s.ctx)
|
||||
|
||||
// Render client config that chains through the upstream server.
|
||||
rendered, err := RenderConfig("testdata/http/client_connector.yaml",
|
||||
ConfigData{ServerAddr: "http-server:8080"})
|
||||
s.Require().NoError(err)
|
||||
defer os.Remove(rendered)
|
||||
|
||||
// Start client with the rendered config.
|
||||
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
rendered, "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer clientC.Terminate(s.ctx)
|
||||
|
||||
// Request through client proxy → HTTP connector → upstream HTTP server → target.
|
||||
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, err := clientC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "http-connector client logs", clientC)
|
||||
DumpLogs(s.T(), s.ctx, "http-connector server logs", serverC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
}
|
||||
|
||||
// TestHTTPConnectorAuth verifies HTTP connector with authentication:
|
||||
// no-auth → 407, correct auth → success.
|
||||
func (s *HTTPSuite) TestHTTPConnectorAuth() {
|
||||
// Start upstream HTTP proxy with auth and network alias.
|
||||
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_auth.yaml", []string{"http-server"}, []string{"8080/tcp"})
|
||||
s.Require().NoError(err)
|
||||
defer serverC.Terminate(s.ctx)
|
||||
|
||||
s.T().Run("no-auth-407", func(t *testing.T) {
|
||||
// Send raw request directly to server container (no auth) → 407.
|
||||
resp := s.sendRaw(serverC, "127.0.0.1", "8080",
|
||||
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||
s.Assert().Contains(resp, "407",
|
||||
"no auth via upstream should return 407")
|
||||
})
|
||||
|
||||
s.T().Run("correct-auth-success", func(t *testing.T) {
|
||||
rendered, err := RenderConfig("testdata/http/client_connector_auth.yaml",
|
||||
ConfigData{ServerAddr: "http-server:8080"})
|
||||
s.Require().NoError(err)
|
||||
defer os.Remove(rendered)
|
||||
|
||||
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
rendered, "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer clientC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, err := clientC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "http-connector-auth client logs", clientC)
|
||||
DumpLogs(s.T(), s.ctx, "http-connector-auth server logs", serverC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
})
|
||||
}
|
||||
|
||||
// TestHTTPProbeResistHost verifies probeResist host type.
|
||||
// When auth fails, the handler pipes the raw request to
|
||||
// the decoy host (tcp-echo:5678). The TCP echo server echoes
|
||||
// back the request bytes rather than returning a 407.
|
||||
func (s *HTTPSuite) TestHTTPProbeResistHost() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_proberesist_host.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// Without auth, probeResist host pipes the raw request to tcp-echo:5678.
|
||||
// The HTTP echo server returns 200 OK with "hello-gost", proving the
|
||||
// request reached the decoy host rather than getting a 407 response.
|
||||
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||
s.Assert().NotContains(resp, "407",
|
||||
"probeResist host should hide 407 response")
|
||||
s.Assert().Contains(resp, "hello-gost",
|
||||
"probeResist host should pipe request to decoy host")
|
||||
}
|
||||
|
||||
// TestHTTPProbeResistKnock verifies probeResist knock mechanism.
|
||||
// Clients that connect with a recognized knock Host header
|
||||
// get a normal 407 auth challenge instead of the decoy response.
|
||||
//
|
||||
// Uses server_proberesist_knock.yaml:
|
||||
// - probeResist: code:404 (decoy 404 for unknown hosts)
|
||||
// - knock: secret.example.com (known hosts get normal 407)
|
||||
func (s *HTTPSuite) TestHTTPProbeResistKnock() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_proberesist_knock.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
s.T().Run("unknown-host-decoy", func(t *testing.T) {
|
||||
// URL hostname doesn't match knock list → probeResist fires → 404
|
||||
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||
s.Assert().Contains(resp, "404",
|
||||
"unknown host should get decoy 404")
|
||||
s.Assert().NotContains(resp, "407",
|
||||
"unknown host should NOT get 407")
|
||||
})
|
||||
|
||||
s.T().Run("knock-host-407", func(t *testing.T) {
|
||||
// URL hostname matches knock list → normal 407 auth challenge.
|
||||
// Note: knock checks req.URL.Hostname(), not the Host header.
|
||||
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||
"GET http://secret.example.com:5678/ HTTP/1.0\r\nHost: secret.example.com\r\n\r\n")
|
||||
s.Assert().Contains(resp, "407",
|
||||
"knock host should get normal 407")
|
||||
})
|
||||
}
|
||||
|
||||
// TestHTTPConnectorTLS verifies HTTP connector using TLS dialer
|
||||
// to upstream HTTPS proxy (listener type: tls).
|
||||
// The TLS listener auto-generates a self-signed cert;
|
||||
// the TLS dialer defaults to InsecureSkipVerify=true, so
|
||||
// handshake succeeds without explicit cert configuration.
|
||||
func (s *HTTPSuite) TestHTTPConnectorTLS() {
|
||||
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_tls.yaml", []string{"tls-server"}, []string{"8443/tcp"})
|
||||
s.Require().NoError(err)
|
||||
defer serverC.Terminate(s.ctx)
|
||||
|
||||
rendered, err := RenderConfig("testdata/http/client_connector_tls.yaml",
|
||||
ConfigData{ServerAddr: "tls-server:8443"})
|
||||
s.Require().NoError(err)
|
||||
defer os.Remove(rendered)
|
||||
|
||||
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
rendered, "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer clientC.Terminate(s.ctx)
|
||||
|
||||
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||
code, out, err := clientC.Exec(s.ctx, cmd)
|
||||
s.Require().NoError(err)
|
||||
|
||||
body, err := io.ReadAll(out)
|
||||
s.Require().NoError(err)
|
||||
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||
DumpLogs(s.T(), s.ctx, "http-connector-tls client logs", clientC)
|
||||
DumpLogs(s.T(), s.ctx, "http-connector-tls server logs", serverC)
|
||||
}
|
||||
s.Require().Equal(0, code)
|
||||
s.Require().Contains(string(body), "hello-gost")
|
||||
}
|
||||
|
||||
// TestHTTPProbeResistWeb verifies probeResist web type.
|
||||
// On auth failure, the handler fetches the decoy URL
|
||||
// (tcp-echo:5678) and returns its response body.
|
||||
func (s *HTTPSuite) TestHTTPProbeResistWeb() {
|
||||
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_proberesist_web.yaml", "8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// Without auth, probeResist web fetches http://tcp-echo:5678
|
||||
// and returns the echo server's response ("hello-gost").
|
||||
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||
s.Assert().NotContains(resp, "407",
|
||||
"probeResist web should hide 407 response")
|
||||
s.Assert().Contains(resp, "hello-gost",
|
||||
"probeResist web should return decoy response body")
|
||||
}
|
||||
|
||||
// TestHTTPProbeResistFile verifies probeResist file type.
|
||||
// On auth failure, the handler reads a local file and
|
||||
// returns its contents as the HTTP response body.
|
||||
func (s *HTTPSuite) TestHTTPProbeResistFile() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_proberesist_file.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "testdata/http/decoy.html", ContainerFilePath: "/tmp/decoy.html", FileMode: 0644},
|
||||
},
|
||||
"8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// Without auth, probeResist file reads /tmp/decoy.html and
|
||||
// returns "decoy-response" rather than a 407.
|
||||
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||
s.Assert().NotContains(resp, "407",
|
||||
"probeResist file should hide 407 response")
|
||||
s.Assert().Contains(resp, "decoy-response",
|
||||
"probeResist file should return decoy file content")
|
||||
}
|
||||
|
||||
// TestHTTPIdleTimeout verifies idleTimeout on CONNECT tunnels.
|
||||
// After the configured idle timeout, the pipe between client
|
||||
// and target should close.
|
||||
func (s *HTTPSuite) TestHTTPIdleTimeout() {
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_idle_timeout.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/http_idle_timeout.py", ContainerFilePath: "/scripts/http_idle_timeout.py", FileMode: 0644},
|
||||
},
|
||||
"8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// The Python script:
|
||||
// 1. Opens a CONNECT tunnel to tcp-echo:5678
|
||||
// 2. Sends and receives data (confirm tunnel is alive)
|
||||
// 3. Waits > idleTimeout (3s + 2s buffer)
|
||||
// 4. Sends more data — expects connection to be closed
|
||||
code, out, err := gostC.Exec(s.ctx, []string{
|
||||
"python3", "/scripts/http_idle_timeout.py",
|
||||
"127.0.0.1", "8080", "3",
|
||||
})
|
||||
output, _ := io.ReadAll(out)
|
||||
s.T().Logf("idle timeout output:\n%s", string(output))
|
||||
if code != 0 {
|
||||
DumpLogs(s.T(), s.ctx, "http-idle-timeout logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code, "idle timeout test script should exit 0")
|
||||
}
|
||||
|
||||
// TestHTTPUDPRelay verifies UDP relay over HTTP. Uses
|
||||
// X-Gost-Protocol: udp in the CONNECT request to establish
|
||||
// a SOCKS5 UDP tunnel through the HTTP handler.
|
||||
func (s *HTTPSuite) TestHTTPUDPRelay() {
|
||||
// Start UDP echo container on the shared network.
|
||||
udpC, err := RunUDPEchoContainer(s.ctx, SharedNetworkName)
|
||||
s.Require().NoError(err)
|
||||
defer udpC.Terminate(s.ctx)
|
||||
|
||||
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||
"testdata/http/server_udp.yaml",
|
||||
[]testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/http_udp_relay.py", ContainerFilePath: "/scripts/http_udp_relay.py", FileMode: 0644},
|
||||
},
|
||||
"8080/tcp")
|
||||
s.Require().NoError(err)
|
||||
defer gostC.Terminate(s.ctx)
|
||||
|
||||
// The Python script:
|
||||
// 1. Connects to gost HTTP proxy
|
||||
// 2. Sends CONNECT with X-Gost-Protocol: udp
|
||||
// 3. After 200 OK, sends a SOCKS5 UDP frame targeting udp-echo:5679
|
||||
// 4. Reads back the echoed frame
|
||||
code, out, err := gostC.Exec(s.ctx, []string{
|
||||
"python3", "/scripts/http_udp_relay.py",
|
||||
"127.0.0.1", "8080",
|
||||
})
|
||||
output, _ := io.ReadAll(out)
|
||||
s.T().Logf("udp relay output:\n%s", string(output))
|
||||
if code != 0 {
|
||||
DumpLogs(s.T(), s.ctx, "http-udp logs", gostC)
|
||||
}
|
||||
s.Require().Equal(0, code, "udp relay test script should exit 0")
|
||||
}
|
||||
|
||||
func TestHTTPSuite(t *testing.T) {
|
||||
suite.Run(t, new(HTTPSuite))
|
||||
}
|
||||
@@ -0,0 +1,162 @@
|
||||
"""DNS query client for e2e tests.
|
||||
|
||||
Usage:
|
||||
python3 dns_query.py udp host port qname qtype [expected_ip|empty]
|
||||
python3 dns_query.py tcp host port qname qtype [expected_ip|empty]
|
||||
|
||||
Sends a DNS query and optionally checks the response:
|
||||
- expected_ip: verify response contains this IP address
|
||||
- "empty": verify response has zero answer records (NXDOMAIN or blocked)
|
||||
- omitted: exit 0 on any valid DNS response
|
||||
|
||||
Exits 0 on success, 1 on failure.
|
||||
"""
|
||||
import struct
|
||||
import socket
|
||||
import sys
|
||||
|
||||
|
||||
def encode_name(name):
|
||||
parts = name.rstrip(".").split(".")
|
||||
return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"
|
||||
|
||||
|
||||
def skip_name(data, pos):
|
||||
"""Skip one DNS name at pos, return position after it."""
|
||||
while True:
|
||||
length = data[pos]
|
||||
if length == 0:
|
||||
return pos + 1
|
||||
if length & 0xC0:
|
||||
return pos + 2
|
||||
pos += length + 1
|
||||
|
||||
|
||||
def build_query(qname, qtype):
|
||||
tid = 0x1234
|
||||
flags = 0x0100 # RD=1
|
||||
qdcount = 1
|
||||
header = struct.pack(">HHHHHH", tid, flags, qdcount, 0, 0, 0)
|
||||
qname_enc = encode_name(qname)
|
||||
question = qname_enc + struct.pack(">HH", qtype, 1) # QTYPE, QCLASS=IN
|
||||
return header + question
|
||||
|
||||
|
||||
def parse_response(data):
|
||||
if len(data) < 12:
|
||||
return [], -1
|
||||
flags = struct.unpack(">H", data[2:4])[0]
|
||||
rcode = flags & 0x0F
|
||||
qdcount = struct.unpack(">H", data[4:6])[0]
|
||||
ancount = struct.unpack(">H", data[6:8])[0]
|
||||
|
||||
# Skip question section
|
||||
pos = 12
|
||||
for _ in range(qdcount):
|
||||
pos = skip_name(data, pos) + 4 # QTYPE + QCLASS
|
||||
|
||||
answers = []
|
||||
for _ in range(ancount):
|
||||
pos = skip_name(data, pos)
|
||||
rtype, rclass, ttl, rdlength = struct.unpack(">HHIH", data[pos:pos + 10])
|
||||
pos += 10
|
||||
rdata = data[pos:pos + rdlength]
|
||||
pos += rdlength
|
||||
answers.append((rtype, rclass, ttl, rdata))
|
||||
|
||||
return answers, rcode
|
||||
|
||||
|
||||
def query_udp(host, port, query):
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
sock.settimeout(5)
|
||||
sock.sendto(query, (host, port))
|
||||
data, _ = sock.recvfrom(4096)
|
||||
sock.close()
|
||||
return data
|
||||
|
||||
|
||||
def query_tcp(host, port, query):
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
sock.settimeout(5)
|
||||
sock.connect((host, port))
|
||||
sock.sendall(struct.pack(">H", len(query)) + query)
|
||||
raw = sock.recv(2)
|
||||
if len(raw) < 2:
|
||||
sock.close()
|
||||
return b""
|
||||
msglen = struct.unpack(">H", raw)[0]
|
||||
data = b""
|
||||
while len(data) < msglen:
|
||||
chunk = sock.recv(msglen - len(data))
|
||||
if not chunk:
|
||||
break
|
||||
data += chunk
|
||||
sock.close()
|
||||
return data
|
||||
|
||||
|
||||
def format_ip(rtype, rdata):
|
||||
if rtype == 1 and len(rdata) == 4:
|
||||
return socket.inet_ntoa(rdata)
|
||||
if rtype == 28 and len(rdata) == 16:
|
||||
return socket.inet_ntop(socket.AF_INET6, rdata)
|
||||
return repr(rdata)
|
||||
|
||||
|
||||
def main():
|
||||
if len(sys.argv) < 5:
|
||||
print("Usage: dns_query.py <udp|tcp> <host> <port> <qname> <qtype> [expected_ip|empty]")
|
||||
sys.exit(1)
|
||||
|
||||
mode = sys.argv[1]
|
||||
host = sys.argv[2]
|
||||
port = int(sys.argv[3])
|
||||
qname = sys.argv[4]
|
||||
qtype_str = sys.argv[5]
|
||||
expected = sys.argv[6] if len(sys.argv) > 6 else None
|
||||
|
||||
qtype_map = {"A": 1, "AAAA": 28}
|
||||
qtype = qtype_map.get(qtype_str, 1)
|
||||
|
||||
query = build_query(qname, qtype)
|
||||
|
||||
try:
|
||||
if mode == "tcp":
|
||||
data = query_tcp(host, port, query)
|
||||
else:
|
||||
data = query_udp(host, port, query)
|
||||
except Exception as e:
|
||||
print(f"ERROR: {e}")
|
||||
sys.exit(1)
|
||||
|
||||
if not data:
|
||||
print("ERROR: empty response")
|
||||
sys.exit(1)
|
||||
|
||||
answers, rcode = parse_response(data)
|
||||
print(f"Got {len(answers)} answer(s), rcode={rcode}")
|
||||
|
||||
for rtype, _, _, rdata in answers:
|
||||
print(f" {format_ip(rtype, rdata)}")
|
||||
|
||||
if expected == "empty":
|
||||
if len(answers) == 0:
|
||||
print("MATCH: empty answer (expected)")
|
||||
sys.exit(0)
|
||||
print(f"NO MATCH: expected empty, got {len(answers)} answers")
|
||||
sys.exit(1)
|
||||
elif expected:
|
||||
for rtype, _, _, rdata in answers:
|
||||
ip = format_ip(rtype, rdata)
|
||||
if ip == expected:
|
||||
print(f"MATCH: expected {expected}")
|
||||
sys.exit(0)
|
||||
print(f"NO MATCH: expected {expected}")
|
||||
sys.exit(1)
|
||||
else:
|
||||
sys.exit(0)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@@ -0,0 +1,88 @@
|
||||
"""Simple authoritative DNS responder for e2e tests.
|
||||
|
||||
Listens on UDP port 5353 and responds with static records:
|
||||
|
||||
test.example.com. IN A 10.0.0.1
|
||||
test2.example.com. IN A 10.0.0.2
|
||||
example.com. IN AAAA ::1
|
||||
|
||||
All other queries receive NXDOMAIN.
|
||||
"""
|
||||
import socketserver
|
||||
import struct
|
||||
import socket
|
||||
|
||||
|
||||
def decode_name(data, offset):
|
||||
labels = []
|
||||
while True:
|
||||
length = data[offset]
|
||||
if length == 0:
|
||||
offset += 1
|
||||
break
|
||||
if length & 0xC0:
|
||||
offset += 2
|
||||
break
|
||||
offset += 1
|
||||
labels.append(data[offset:offset + length].decode())
|
||||
offset += length
|
||||
return '.'.join(labels), offset
|
||||
|
||||
|
||||
def encode_name(name):
|
||||
parts = name.rstrip(".").split(".")
|
||||
return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"
|
||||
|
||||
|
||||
RECORDS = {
|
||||
("test.example.com", 1): (1, 300, socket.inet_aton("10.0.0.1")),
|
||||
("test2.example.com", 1): (1, 300, socket.inet_aton("10.0.0.2")),
|
||||
("example.com", 28): (28, 300, socket.inet_pton(socket.AF_INET6, "::1")),
|
||||
}
|
||||
|
||||
|
||||
class DNSResponder(socketserver.DatagramRequestHandler):
|
||||
def handle(self):
|
||||
data = self.rfile.read(512)
|
||||
if len(data) < 12:
|
||||
return
|
||||
|
||||
tid = struct.unpack(">H", data[:2])[0]
|
||||
qdcount = struct.unpack(">H", data[4:6])[0]
|
||||
|
||||
if qdcount == 0:
|
||||
return
|
||||
|
||||
qname, pos = decode_name(data, 12)
|
||||
qtype = struct.unpack(">H", data[pos:pos + 2])[0]
|
||||
qclass = struct.unpack(">H", data[pos + 2:pos + 4])[0]
|
||||
|
||||
key = (qname, qtype)
|
||||
if key in RECORDS:
|
||||
rcode = 0
|
||||
ancount = 1
|
||||
rtype, ttl, rdata = RECORDS[key]
|
||||
else:
|
||||
rcode = 3 # NXDOMAIN
|
||||
ancount = 0
|
||||
rtype, ttl, rdata = 0, 0, b""
|
||||
|
||||
flags = 0x8000 | 0x0400 | rcode # QR=1, AA=1, rcode
|
||||
header = struct.pack(">HHHHHH", tid, flags, qdcount, ancount, 0, 0)
|
||||
|
||||
question = data[12:pos + 4]
|
||||
|
||||
answer = b""
|
||||
if ancount:
|
||||
answer = (
|
||||
struct.pack(">HH", 0xC00C, rtype) # NAME pointer + TYPE
|
||||
+ struct.pack(">HI", qclass, ttl) # CLASS + TTL
|
||||
+ struct.pack(">H", len(rdata)) + rdata # RDLENGTH + RDATA
|
||||
)
|
||||
|
||||
self.wfile.write(header + question + answer)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
with socketserver.UDPServer(("0.0.0.0", 5353), DNSResponder) as srv:
|
||||
srv.serve_forever()
|
||||
@@ -0,0 +1,83 @@
|
||||
"""Simple authoritative DNS responder for TCP mode e2e tests.
|
||||
|
||||
Listens on TCP port 5353 and responds with the same static records
|
||||
as dns_responder.py, but over TCP (RFC 5966).
|
||||
"""
|
||||
import socketserver
|
||||
import struct
|
||||
import socket
|
||||
|
||||
|
||||
def decode_name(data, offset):
|
||||
labels = []
|
||||
while True:
|
||||
length = data[offset]
|
||||
if length == 0:
|
||||
offset += 1
|
||||
break
|
||||
if length & 0xC0:
|
||||
offset += 2
|
||||
break
|
||||
offset += 1
|
||||
labels.append(data[offset:offset + length].decode())
|
||||
offset += length
|
||||
return '.'.join(labels), offset
|
||||
|
||||
|
||||
RECORDS = {
|
||||
("test.example.com", 1): (1, 300, socket.inet_aton("10.0.0.1")),
|
||||
("test2.example.com", 1): (1, 300, socket.inet_aton("10.0.0.2")),
|
||||
("example.com", 28): (28, 300, socket.inet_pton(socket.AF_INET6, "::1")),
|
||||
}
|
||||
|
||||
|
||||
class DNSResponder(socketserver.StreamRequestHandler):
|
||||
def handle(self):
|
||||
# TCP DNS: 2-byte length prefix
|
||||
raw = self.rfile.read(2)
|
||||
if len(raw) < 2:
|
||||
return
|
||||
msglen = struct.unpack(">H", raw)[0]
|
||||
data = self.rfile.read(msglen)
|
||||
if len(data) < 12:
|
||||
return
|
||||
|
||||
tid = struct.unpack(">H", data[:2])[0]
|
||||
qdcount = struct.unpack(">H", data[4:6])[0]
|
||||
|
||||
if qdcount == 0:
|
||||
return
|
||||
|
||||
qname, pos = decode_name(data, 12)
|
||||
qtype = struct.unpack(">H", data[pos:pos + 2])[0]
|
||||
qclass = struct.unpack(">H", data[pos + 2:pos + 4])[0]
|
||||
|
||||
key = (qname, qtype)
|
||||
if key in RECORDS:
|
||||
rcode = 0
|
||||
ancount = 1
|
||||
rtype, ttl, rdata = RECORDS[key]
|
||||
else:
|
||||
rcode = 3 # NXDOMAIN
|
||||
ancount = 0
|
||||
rtype, ttl, rdata = 0, 0, b""
|
||||
|
||||
flags = 0x8000 | 0x0400 | rcode
|
||||
header = struct.pack(">HHHHHH", tid, flags, qdcount, ancount, 0, 0)
|
||||
question = data[12:pos + 4]
|
||||
|
||||
answer = b""
|
||||
if ancount:
|
||||
answer = (
|
||||
struct.pack(">HH", 0xC00C, rtype)
|
||||
+ struct.pack(">HI", qclass, ttl)
|
||||
+ struct.pack(">H", len(rdata)) + rdata
|
||||
)
|
||||
|
||||
dnsmsg = header + question + answer
|
||||
self.wfile.write(struct.pack(">H", len(dnsmsg)) + dnsmsg)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
with socketserver.TCPServer(("0.0.0.0", 5353), DNSResponder) as srv:
|
||||
srv.serve_forever()
|
||||
@@ -0,0 +1,140 @@
|
||||
"""DNS query client over TLS for e2e tests.
|
||||
|
||||
Connects to the DNS-over-TLS endpoint and performs a DNS query.
|
||||
|
||||
Usage:
|
||||
python3 dns_tls_query.py host port qname qtype [expected_ip]
|
||||
"""
|
||||
import struct
|
||||
import socket
|
||||
import ssl
|
||||
import sys
|
||||
|
||||
|
||||
def encode_name(name):
|
||||
parts = name.rstrip(".").split(".")
|
||||
return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"
|
||||
|
||||
|
||||
def build_query(tid, qname, qtype):
|
||||
flags = 0x0100
|
||||
qdcount = 1
|
||||
header = struct.pack(">HHHHHH", tid, flags, qdcount, 0, 0, 0)
|
||||
qname_enc = encode_name(qname)
|
||||
question = qname_enc + struct.pack(">HH", qtype, 1)
|
||||
return header + question
|
||||
|
||||
|
||||
def parse_response(data):
|
||||
if len(data) < 12:
|
||||
return [], -1
|
||||
flags = struct.unpack(">H", data[2:4])[0]
|
||||
rcode = flags & 0x0F
|
||||
qdcount = struct.unpack(">H", data[4:6])[0]
|
||||
ancount = struct.unpack(">H", data[6:8])[0]
|
||||
|
||||
pos = 12
|
||||
for _ in range(qdcount):
|
||||
while data[pos] != 0:
|
||||
if data[pos] & 0xC0:
|
||||
pos += 2
|
||||
break
|
||||
pos += data[pos] + 1
|
||||
else:
|
||||
pos += 1
|
||||
pos += 4
|
||||
|
||||
answers = []
|
||||
for _ in range(ancount):
|
||||
if data[pos] & 0xC0:
|
||||
pos += 2
|
||||
else:
|
||||
while data[pos] != 0:
|
||||
pos += data[pos] + 1
|
||||
pos += 1
|
||||
rtype, rclass, ttl, rdlength = struct.unpack(">HHIH", data[pos:pos + 10])
|
||||
pos += 10
|
||||
rdata = data[pos:pos + rdlength]
|
||||
pos += rdlength
|
||||
answers.append((rtype, rdata))
|
||||
|
||||
return answers, rcode
|
||||
|
||||
|
||||
def main():
|
||||
if len(sys.argv) < 5:
|
||||
print(f"Usage: {sys.argv[0]} host port qname qtype [expected_ip]")
|
||||
sys.exit(1)
|
||||
|
||||
host = sys.argv[1]
|
||||
port = int(sys.argv[2])
|
||||
qname = sys.argv[3]
|
||||
qtype_str = sys.argv[4]
|
||||
expected = sys.argv[5] if len(sys.argv) > 5 else None
|
||||
|
||||
qtype_map = {"A": 1, "AAAA": 28}
|
||||
qtype = qtype_map.get(qtype_str, 1)
|
||||
|
||||
query = build_query(0x1234, qname, qtype)
|
||||
|
||||
ctx = ssl.create_default_context()
|
||||
ctx.check_hostname = False
|
||||
ctx.verify_mode = ssl.CERT_NONE
|
||||
|
||||
try:
|
||||
with socket.create_connection((host, port), timeout=5) as sock:
|
||||
with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
|
||||
# TCP DNS: 2-byte length prefix
|
||||
tls_sock.sendall(struct.pack(">H", len(query)) + query)
|
||||
raw = tls_sock.recv(2)
|
||||
if len(raw) < 2:
|
||||
print("ERROR: short response header")
|
||||
sys.exit(1)
|
||||
msglen = struct.unpack(">H", raw)[0]
|
||||
data = b""
|
||||
while len(data) < msglen:
|
||||
chunk = tls_sock.recv(msglen - len(data))
|
||||
if not chunk:
|
||||
break
|
||||
data += chunk
|
||||
except Exception as e:
|
||||
print(f"ERROR: {e}")
|
||||
sys.exit(1)
|
||||
|
||||
if not data:
|
||||
print("ERROR: empty response")
|
||||
sys.exit(1)
|
||||
|
||||
answers, rcode = parse_response(data)
|
||||
print(f"Got {len(answers)} answer(s), rcode={rcode}")
|
||||
|
||||
for rtype, rdata in answers:
|
||||
if rtype == 1 and len(rdata) == 4:
|
||||
ip = socket.inet_ntoa(rdata)
|
||||
print(f" A {ip}")
|
||||
elif rtype == 28 and len(rdata) == 16:
|
||||
ip6 = socket.inet_ntop(socket.AF_INET6, rdata)
|
||||
print(f" AAAA {ip6}")
|
||||
else:
|
||||
print(f" TYPE={rtype} RDATA={rdata.hex()}")
|
||||
|
||||
if expected:
|
||||
for rtype, rdata in answers:
|
||||
if rtype == 1 and len(rdata) == 4:
|
||||
ip = socket.inet_ntoa(rdata)
|
||||
if ip == expected:
|
||||
print(f"MATCH: expected {expected}")
|
||||
sys.exit(0)
|
||||
elif rtype == 28 and len(rdata) == 16:
|
||||
ip6 = socket.inet_ntop(socket.AF_INET6, rdata)
|
||||
if ip6 == expected:
|
||||
print(f"MATCH: expected {expected}")
|
||||
sys.exit(0)
|
||||
print(f"NO MATCH: expected {expected}")
|
||||
sys.exit(1)
|
||||
|
||||
sys.exit(0)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@@ -0,0 +1,68 @@
|
||||
import socket
|
||||
import sys
|
||||
import time
|
||||
|
||||
|
||||
def main():
|
||||
host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
|
||||
port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
|
||||
idle_timeout = int(sys.argv[3]) if len(sys.argv) > 3 else 3
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.settimeout(10)
|
||||
s.connect((host, port))
|
||||
|
||||
# CONNECT to echo server
|
||||
req = b"CONNECT tcp-echo:5678 HTTP/1.1\r\nHost: tcp-echo:5678\r\n\r\n"
|
||||
s.sendall(req)
|
||||
|
||||
# Read 200 OK response
|
||||
resp = b""
|
||||
while b"\r\n\r\n" not in resp:
|
||||
chunk = s.recv(4096)
|
||||
if not chunk:
|
||||
break
|
||||
resp += chunk
|
||||
|
||||
if b"200" not in resp:
|
||||
print(f"FAIL: expected 200, got {resp.decode(errors='replace')}")
|
||||
sys.exit(1)
|
||||
|
||||
# Send an HTTP GET through the CONNECT tunnel. The tunnel target
|
||||
# is an HTTP echo server (BaseHTTPRequestHandler), so we must speak
|
||||
# HTTP or the connection closes.
|
||||
req = b"GET / HTTP/1.0\r\nHost: tcp-echo\r\n\r\n"
|
||||
s.sendall(req)
|
||||
data = b""
|
||||
while b"hello-gost" not in data:
|
||||
chunk = s.recv(4096)
|
||||
if not chunk:
|
||||
break
|
||||
data += chunk
|
||||
if b"hello-gost" not in data:
|
||||
print(f"FAIL: expected hello-gost echo, got {data!r}")
|
||||
sys.exit(1)
|
||||
print(f"PASS: first request through tunnel succeeded")
|
||||
|
||||
# Wait longer than idleTimeout
|
||||
wait = idle_timeout + 2
|
||||
print(f"Waiting {wait}s for idle timeout...")
|
||||
time.sleep(wait)
|
||||
|
||||
# Try to send more data — idle timeout should have closed the pipe
|
||||
try:
|
||||
s.sendall(b"ping-2\n")
|
||||
data = s.recv(4096)
|
||||
if not data:
|
||||
print("PASS: connection closed after idle timeout (empty recv)")
|
||||
sys.exit(0)
|
||||
# Got data means the pipe is still alive
|
||||
print(f"FAIL: connection still alive after idle timeout, got {data!r}")
|
||||
sys.exit(1)
|
||||
except (socket.timeout, ConnectionResetError, BrokenPipeError, OSError) as e:
|
||||
print(f"PASS: connection closed after idle timeout: {e}")
|
||||
sys.exit(0)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@@ -0,0 +1,135 @@
|
||||
import socket
|
||||
import struct
|
||||
import sys
|
||||
|
||||
|
||||
UDP_ECHO_HOST = "udp-echo"
|
||||
UDP_ECHO_PORT = 5679
|
||||
|
||||
|
||||
def encode_socks5_addr(host, port):
|
||||
"""Encode (host, port) as SOCKS5 ADDRESS + PORT.
|
||||
|
||||
Uses ATYP=3 (domain name) so Docker DNS resolves the host.
|
||||
Returns (atyp, address_bytes, port_bytes).
|
||||
"""
|
||||
host_bytes = host.encode()
|
||||
addr_bytes = struct.pack("!B", len(host_bytes)) + host_bytes
|
||||
port_bytes = struct.pack("!H", port)
|
||||
return 0x03, addr_bytes, port_bytes
|
||||
|
||||
|
||||
def build_udp_frame(payload, host, port):
|
||||
"""Build a SOCKS5 UDP relay frame over TCP.
|
||||
|
||||
gost HTTP UDP relay uses RSV=data-length and FRAG=0xff.
|
||||
Frame: [RSV:2][FRAG:1][ATYP:1][DST.ADDR][DST.PORT:2][DATA]
|
||||
"""
|
||||
atyp, addr_bytes, port_bytes = encode_socks5_addr(host, port)
|
||||
rsv = struct.pack("!H", len(payload))
|
||||
frag = b"\xff"
|
||||
atyp_byte = struct.pack("!B", atyp)
|
||||
return rsv + frag + atyp_byte + addr_bytes + port_bytes + payload
|
||||
|
||||
|
||||
def recvn(sock, n):
|
||||
"""Receive exactly n bytes from socket."""
|
||||
buf = b""
|
||||
while len(buf) < n:
|
||||
chunk = sock.recv(n - len(buf))
|
||||
if not chunk:
|
||||
raise ConnectionError("connection closed while reading")
|
||||
buf += chunk
|
||||
return buf
|
||||
|
||||
|
||||
def read_socks5_frame(sock):
|
||||
"""Read one SOCKS5 UDP relay frame from the TCP connection.
|
||||
|
||||
Returns (addr, port, data).
|
||||
"""
|
||||
# Read header: RSV(2) + FRAG(1) + ATYP(1)
|
||||
header = recvn(sock, 4)
|
||||
rsv = struct.unpack("!H", header[:2])[0]
|
||||
frag = header[2]
|
||||
atyp = header[3]
|
||||
|
||||
# Read address based on ATYP
|
||||
if atyp == 1: # IPv4
|
||||
addr_bytes = recvn(sock, 4)
|
||||
addr = socket.inet_ntoa(addr_bytes)
|
||||
elif atyp == 3: # Domain name
|
||||
domain_len = recvn(sock, 1)
|
||||
addr = recvn(sock, domain_len[0]).decode()
|
||||
elif atyp == 4: # IPv6
|
||||
addr_bytes = recvn(sock, 16)
|
||||
addr = socket.inet_ntop(socket.AF_INET6, addr_bytes)
|
||||
else:
|
||||
raise ValueError(f"unknown ATYP: {atyp}")
|
||||
|
||||
port_bytes = recvn(sock, 2)
|
||||
port = struct.unpack("!H", port_bytes)[0]
|
||||
|
||||
# Read data
|
||||
if rsv > 0:
|
||||
data = recvn(sock, rsv)
|
||||
else:
|
||||
# Standard SOCKS5 UDP: read remaining
|
||||
data = b""
|
||||
while True:
|
||||
chunk = sock.recv(4096)
|
||||
if not chunk:
|
||||
break
|
||||
data += chunk
|
||||
|
||||
return addr, port, data
|
||||
|
||||
|
||||
def main():
|
||||
host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
|
||||
port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.settimeout(10)
|
||||
s.connect((host, port))
|
||||
|
||||
# Send CONNECT with X-Gost-Protocol: udp
|
||||
req = (
|
||||
b"CONNECT 0.0.0.0:0 HTTP/1.1\r\n"
|
||||
b"Host: 0.0.0.0:0\r\n"
|
||||
b"X-Gost-Protocol: udp\r\n"
|
||||
b"Proxy-Connection: keep-alive\r\n"
|
||||
b"\r\n"
|
||||
)
|
||||
s.sendall(req)
|
||||
|
||||
# Read 200 OK
|
||||
resp = b""
|
||||
while b"\r\n\r\n" not in resp:
|
||||
chunk = s.recv(4096)
|
||||
if not chunk:
|
||||
break
|
||||
resp += chunk
|
||||
|
||||
if b"200" not in resp:
|
||||
print(f"FAIL: expected 200, got {resp.decode(errors='replace')}")
|
||||
sys.exit(1)
|
||||
|
||||
# Build and send UDP relay frame
|
||||
payload = b"hello-gost"
|
||||
frame = build_udp_frame(payload, UDP_ECHO_HOST, UDP_ECHO_PORT)
|
||||
s.sendall(frame)
|
||||
|
||||
# Read response frame
|
||||
addr, rport, data = read_socks5_frame(s)
|
||||
|
||||
if b"hello-gost" in data:
|
||||
print(f"PASS: received expected data from {addr}:{rport}")
|
||||
sys.exit(0)
|
||||
else:
|
||||
print(f"FAIL: expected hello-gost in response, got {data!r}")
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@@ -0,0 +1,53 @@
|
||||
import socket
|
||||
import sys
|
||||
import time
|
||||
|
||||
|
||||
def main():
|
||||
host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
|
||||
port = int(sys.argv[2]) if len(sys.argv) > 2 else 8000
|
||||
idle_timeout = int(sys.argv[3]) if len(sys.argv) > 3 else 3
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.settimeout(10)
|
||||
s.connect((host, port))
|
||||
|
||||
# Send an HTTP GET request — the forward handler pipes us to tcp-echo:5678
|
||||
req = b"GET / HTTP/1.0\r\nHost: tcp-echo\r\n\r\n"
|
||||
s.sendall(req)
|
||||
|
||||
# Read response — should contain "hello-gost" (echo server reply)
|
||||
resp = b""
|
||||
while b"hello-gost" not in resp:
|
||||
chunk = s.recv(4096)
|
||||
if not chunk:
|
||||
break
|
||||
resp += chunk
|
||||
|
||||
if b"hello-gost" not in resp:
|
||||
print(f"FAIL: expected hello-gost in response, got {resp.decode(errors='replace')}")
|
||||
sys.exit(1)
|
||||
print(f"PASS: first request through forward pipe succeeded")
|
||||
|
||||
# Wait longer than idleTimeout
|
||||
wait = idle_timeout + 2
|
||||
print(f"Waiting {wait}s for idle timeout...")
|
||||
time.sleep(wait)
|
||||
|
||||
# Try to send more data — idle timeout should have closed the pipe
|
||||
try:
|
||||
s.sendall(b"GET / HTTP/1.0\r\nHost: tcp-echo\r\n\r\n")
|
||||
data = s.recv(4096)
|
||||
if not data:
|
||||
print("PASS: connection closed after idle timeout (empty recv)")
|
||||
sys.exit(0)
|
||||
# Got data means the pipe is still alive
|
||||
print(f"FAIL: connection still alive after idle timeout, got {data!r}")
|
||||
sys.exit(1)
|
||||
except (socket.timeout, ConnectionResetError, BrokenPipeError, OSError) as e:
|
||||
print(f"PASS: connection closed after idle timeout: {e}")
|
||||
sys.exit(0)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@@ -0,0 +1,25 @@
|
||||
import socket
|
||||
import sys
|
||||
|
||||
|
||||
def main():
|
||||
host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
|
||||
port = int(sys.argv[2]) if len(sys.argv) > 2 else 9000
|
||||
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
sock.settimeout(5)
|
||||
|
||||
payload = b"hello-gost-udp"
|
||||
sock.sendto(payload, (host, port))
|
||||
|
||||
data, addr = sock.recvfrom(2048)
|
||||
if data == payload:
|
||||
print("PASS: received echo")
|
||||
sys.exit(0)
|
||||
else:
|
||||
print(f"FAIL: expected {payload!r}, got {data!r}")
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
+16
@@ -0,0 +1,16 @@
|
||||
services:
|
||||
- name: dns
|
||||
addr: :1053
|
||||
handler:
|
||||
type: dns
|
||||
metadata:
|
||||
dns: udp://dns-server:5353
|
||||
timeout: 5s
|
||||
listener:
|
||||
type: dns
|
||||
bypass: block-example
|
||||
|
||||
bypasses:
|
||||
- name: block-example
|
||||
matchers:
|
||||
- test.example.com
|
||||
@@ -0,0 +1,10 @@
|
||||
services:
|
||||
- name: dns
|
||||
addr: :1053
|
||||
handler:
|
||||
type: dns
|
||||
metadata:
|
||||
dns: udp://127.0.0.1:1
|
||||
timeout: 2s
|
||||
listener:
|
||||
type: dns
|
||||
+22
@@ -0,0 +1,22 @@
|
||||
services:
|
||||
- name: dns
|
||||
addr: :1053
|
||||
handler:
|
||||
type: dns
|
||||
metadata:
|
||||
# Unreachable upstream so the system-DNS fallback is bypassed.
|
||||
# The host mapper resolves mapped names before the exchanger is
|
||||
# reached; unmapped names must hit the exchanger and fail.
|
||||
dns: udp://127.0.0.1:1
|
||||
timeout: 2s
|
||||
listener:
|
||||
type: dns
|
||||
hosts: my-hosts
|
||||
|
||||
hosts:
|
||||
- name: my-hosts
|
||||
mappings:
|
||||
- ip: 10.0.0.100
|
||||
hostname: mapped.example.com
|
||||
- ip: 192.168.1.200
|
||||
hostname: aaaa.mapped.example.com
|
||||
+16
@@ -0,0 +1,16 @@
|
||||
services:
|
||||
- name: dns
|
||||
addr: :1053
|
||||
handler:
|
||||
type: dns
|
||||
metadata:
|
||||
dns: udp://dns-server:5353
|
||||
timeout: 5s
|
||||
listener:
|
||||
type: dns
|
||||
rlimiter: limiter-0
|
||||
|
||||
rlimiters:
|
||||
- name: limiter-0
|
||||
limits:
|
||||
- "$ 1000"
|
||||
+12
@@ -0,0 +1,12 @@
|
||||
services:
|
||||
- name: dns
|
||||
addr: :1053
|
||||
handler:
|
||||
type: dns
|
||||
metadata:
|
||||
dns: tcp://dns-server:5353
|
||||
timeout: 5s
|
||||
listener:
|
||||
type: dns
|
||||
metadata:
|
||||
mode: tcp
|
||||
+12
@@ -0,0 +1,12 @@
|
||||
services:
|
||||
- name: dns
|
||||
addr: :1053
|
||||
handler:
|
||||
type: dns
|
||||
metadata:
|
||||
dns: udp://dns-server:5353
|
||||
timeout: 5s
|
||||
listener:
|
||||
type: dns
|
||||
metadata:
|
||||
mode: tls
|
||||
+10
@@ -0,0 +1,10 @@
|
||||
services:
|
||||
- name: dns
|
||||
addr: :1053
|
||||
handler:
|
||||
type: dns
|
||||
metadata:
|
||||
dns: udp://dns-server:5353
|
||||
timeout: 5s
|
||||
listener:
|
||||
type: dns
|
||||
Vendored
Vendored
+1
@@ -0,0 +1 @@
|
||||
<html><body>gost file index</body></html>
|
||||
Vendored
+9
@@ -0,0 +1,9 @@
|
||||
services:
|
||||
- name: file-server
|
||||
addr: :8080
|
||||
handler:
|
||||
type: file
|
||||
metadata:
|
||||
file.dir: /srv/files
|
||||
listener:
|
||||
type: tcp
|
||||
+15
@@ -0,0 +1,15 @@
|
||||
services:
|
||||
- name: file-server-auth
|
||||
addr: :8080
|
||||
handler:
|
||||
type: file
|
||||
auther: auther-0
|
||||
metadata:
|
||||
file.dir: /srv/files
|
||||
listener:
|
||||
type: tcp
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
+10
@@ -0,0 +1,10 @@
|
||||
services:
|
||||
- name: file-server-put
|
||||
addr: :8080
|
||||
handler:
|
||||
type: file
|
||||
metadata:
|
||||
file.dir: /srv/files
|
||||
file.put: true
|
||||
listener:
|
||||
type: tcp
|
||||
+11
@@ -0,0 +1,11 @@
|
||||
services:
|
||||
- name: forward-tcp
|
||||
addr: :8000
|
||||
handler:
|
||||
type: tcp
|
||||
listener:
|
||||
type: tcp
|
||||
forwarder:
|
||||
nodes:
|
||||
- name: echo
|
||||
addr: tcp-echo:5678
|
||||
@@ -0,0 +1,20 @@
|
||||
services:
|
||||
- name: forward-tcp
|
||||
addr: :8000
|
||||
handler:
|
||||
type: tcp
|
||||
metadata:
|
||||
sniffing: true
|
||||
sniffing.timeout: 2s
|
||||
listener:
|
||||
type: tcp
|
||||
bypass: block-all
|
||||
forwarder:
|
||||
nodes:
|
||||
- name: echo
|
||||
addr: tcp-echo:5678
|
||||
|
||||
bypasses:
|
||||
- name: block-all
|
||||
matchers:
|
||||
- 0.0.0.0/0
|
||||
@@ -0,0 +1,13 @@
|
||||
services:
|
||||
- name: forward-tcp
|
||||
addr: :8000
|
||||
handler:
|
||||
type: tcp
|
||||
metadata:
|
||||
idleTimeout: 3s
|
||||
listener:
|
||||
type: tcp
|
||||
forwarder:
|
||||
nodes:
|
||||
- name: echo
|
||||
addr: tcp-echo:5678
|
||||
@@ -0,0 +1,18 @@
|
||||
services:
|
||||
- name: forward-tcp
|
||||
addr: :8000
|
||||
handler:
|
||||
type: tcp
|
||||
metadata:
|
||||
sniffing: true
|
||||
sniffing.timeout: 2s
|
||||
listener:
|
||||
type: tcp
|
||||
forwarder:
|
||||
nodes:
|
||||
- name: echo-http
|
||||
addr: tcp-echo:5678
|
||||
protocol: http
|
||||
- name: echo-tls
|
||||
addr: tcp-echo:1
|
||||
protocol: tls
|
||||
+14
@@ -0,0 +1,14 @@
|
||||
services:
|
||||
- name: forward-tcp
|
||||
addr: :8000
|
||||
handler:
|
||||
type: tcp
|
||||
metadata:
|
||||
sniffing: true
|
||||
sniffing.timeout: 2s
|
||||
listener:
|
||||
type: tcp
|
||||
forwarder:
|
||||
nodes:
|
||||
- name: echo
|
||||
addr: tcp-echo:5678
|
||||
+11
@@ -0,0 +1,11 @@
|
||||
services:
|
||||
- name: udp-forward
|
||||
addr: :9000
|
||||
handler:
|
||||
type: udp
|
||||
listener:
|
||||
type: udp
|
||||
forwarder:
|
||||
nodes:
|
||||
- name: echo
|
||||
addr: udp-echo:5679
|
||||
@@ -0,0 +1,15 @@
|
||||
services:
|
||||
- name: udp-forward
|
||||
addr: :9000
|
||||
handler:
|
||||
type: udp
|
||||
metadata:
|
||||
stateless: true
|
||||
listener:
|
||||
type: udp
|
||||
metadata:
|
||||
stateless: true
|
||||
forwarder:
|
||||
nodes:
|
||||
- name: echo
|
||||
addr: udp-echo:5679
|
||||
+20
@@ -0,0 +1,20 @@
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
chain: http-chain
|
||||
listener:
|
||||
type: tcp
|
||||
|
||||
chains:
|
||||
- name: http-chain
|
||||
hops:
|
||||
- name: hop-0
|
||||
nodes:
|
||||
- name: node-0
|
||||
addr: {{.ServerAddr}}
|
||||
connector:
|
||||
type: http
|
||||
dialer:
|
||||
type: tcp
|
||||
@@ -0,0 +1,23 @@
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
chain: http-chain
|
||||
listener:
|
||||
type: tcp
|
||||
|
||||
chains:
|
||||
- name: http-chain
|
||||
hops:
|
||||
- name: hop-0
|
||||
nodes:
|
||||
- name: node-0
|
||||
addr: {{.ServerAddr}}
|
||||
connector:
|
||||
type: http
|
||||
auth:
|
||||
username: user
|
||||
password: pass
|
||||
dialer:
|
||||
type: tcp
|
||||
@@ -0,0 +1,20 @@
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
chain: https-chain
|
||||
listener:
|
||||
type: tcp
|
||||
|
||||
chains:
|
||||
- name: https-chain
|
||||
hops:
|
||||
- name: hop-0
|
||||
nodes:
|
||||
- name: node-0
|
||||
addr: {{.ServerAddr}}
|
||||
connector:
|
||||
type: http
|
||||
dialer:
|
||||
type: tls
|
||||
Vendored
+1
@@ -0,0 +1 @@
|
||||
<html><body>decoy-response</body></html>
|
||||
Vendored
+7
@@ -0,0 +1,7 @@
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
listener:
|
||||
type: tcp
|
||||
+16
@@ -0,0 +1,16 @@
|
||||
services:
|
||||
- name: http-proxy-auth
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
auther: auther-0
|
||||
metadata:
|
||||
# authBasicRealm: custom realm in 407 Proxy-Authenticate header
|
||||
authBasicRealm: gost-e2e-realm
|
||||
listener:
|
||||
type: tcp
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
+12
@@ -0,0 +1,12 @@
|
||||
services:
|
||||
- name: http-connect
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
metadata:
|
||||
# sniffing: enable protocol sniffing on CONNECT tunnels
|
||||
sniffing: true
|
||||
# sniffing.timeout: timeout for initial sniff read (2s)
|
||||
sniffing.timeout: 2s
|
||||
listener:
|
||||
type: tcp
|
||||
@@ -0,0 +1,20 @@
|
||||
bypasses:
|
||||
- name: bypass-0
|
||||
matchers:
|
||||
- 0.0.0.0/0
|
||||
|
||||
services:
|
||||
- name: http-connect-bypass
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
auther: auther-0
|
||||
listener:
|
||||
type: tcp
|
||||
bypass: bypass-0
|
||||
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
+25
@@ -0,0 +1,25 @@
|
||||
bypasses:
|
||||
- name: bypass-0
|
||||
matchers:
|
||||
- 0.0.0.0/0
|
||||
|
||||
services:
|
||||
- name: http-headers
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
auther: auther-0
|
||||
metadata:
|
||||
header:
|
||||
X-Proxy-Info: gost-e2e
|
||||
X-Custom: test-value
|
||||
proxyAgent: gost-e2e/1.0
|
||||
listener:
|
||||
type: tcp
|
||||
bypass: bypass-0
|
||||
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
@@ -0,0 +1,9 @@
|
||||
services:
|
||||
- name: http-idle
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
metadata:
|
||||
idleTimeout: 3s
|
||||
listener:
|
||||
type: tcp
|
||||
+20
@@ -0,0 +1,20 @@
|
||||
services:
|
||||
- name: http-proxy-meta
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
auther: auther-0
|
||||
metadata:
|
||||
# probeResist: decoy response on auth failure (code:404 hides the proxy)
|
||||
probeResist: code:404
|
||||
# keepalive: enable HTTP keep-alive on upstream transport (parse test)
|
||||
keepalive: true
|
||||
# compression: enable HTTP compression on upstream transport (parse test)
|
||||
compression: true
|
||||
listener:
|
||||
type: tcp
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
@@ -0,0 +1,16 @@
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
auther: auther-0
|
||||
metadata:
|
||||
probeResist: file:/tmp/decoy.html
|
||||
listener:
|
||||
type: tcp
|
||||
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
@@ -0,0 +1,16 @@
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
auther: auther-0
|
||||
metadata:
|
||||
probeResist: host:tcp-echo:5678
|
||||
listener:
|
||||
type: tcp
|
||||
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
@@ -0,0 +1,17 @@
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
auther: auther-0
|
||||
metadata:
|
||||
probeResist: code:404
|
||||
knock: secret.example.com
|
||||
listener:
|
||||
type: tcp
|
||||
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
@@ -0,0 +1,16 @@
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
auther: auther-0
|
||||
metadata:
|
||||
probeResist: web:tcp-echo:5678
|
||||
listener:
|
||||
type: tcp
|
||||
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
+7
@@ -0,0 +1,7 @@
|
||||
services:
|
||||
- name: https-server
|
||||
addr: :8443
|
||||
handler:
|
||||
type: http
|
||||
listener:
|
||||
type: tls
|
||||
+9
@@ -0,0 +1,9 @@
|
||||
services:
|
||||
- name: http-udp
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
metadata:
|
||||
udp: true
|
||||
listener:
|
||||
type: tcp
|
||||
Vendored
+20
@@ -0,0 +1,20 @@
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
chain: h2-chain
|
||||
listener:
|
||||
type: tcp
|
||||
|
||||
chains:
|
||||
- name: h2-chain
|
||||
hops:
|
||||
- name: hop-0
|
||||
nodes:
|
||||
- name: node-0
|
||||
addr: {{.ServerAddr}}
|
||||
connector:
|
||||
type: http2
|
||||
dialer:
|
||||
type: http2
|
||||
+23
@@ -0,0 +1,23 @@
|
||||
services:
|
||||
- name: http-proxy
|
||||
addr: :8080
|
||||
handler:
|
||||
type: http
|
||||
chain: h2-chain
|
||||
listener:
|
||||
type: tcp
|
||||
|
||||
chains:
|
||||
- name: h2-chain
|
||||
hops:
|
||||
- name: hop-0
|
||||
nodes:
|
||||
- name: node-0
|
||||
addr: {{.ServerAddr}}
|
||||
connector:
|
||||
type: http2
|
||||
auth:
|
||||
username: user
|
||||
password: pass
|
||||
dialer:
|
||||
type: http2
|
||||
Vendored
+7
@@ -0,0 +1,7 @@
|
||||
services:
|
||||
- name: h2-proxy
|
||||
addr: :8443
|
||||
handler:
|
||||
type: http2
|
||||
listener:
|
||||
type: http2
|
||||
+18
@@ -0,0 +1,18 @@
|
||||
services:
|
||||
- name: h2-proxy-auth
|
||||
addr: :8443
|
||||
handler:
|
||||
type: http2
|
||||
auther: auther-0
|
||||
metadata:
|
||||
# authBasicRealm: custom realm in 407 Proxy-Authenticate header
|
||||
authBasicRealm: gost-e2e-realm
|
||||
# hash: pin upstream selection by request host (metadata parse coverage)
|
||||
hash: host
|
||||
listener:
|
||||
type: http2
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
+20
@@ -0,0 +1,20 @@
|
||||
bypasses:
|
||||
- name: bypass-0
|
||||
matchers:
|
||||
- 0.0.0.0/0
|
||||
|
||||
services:
|
||||
- name: h2-proxy-bypass
|
||||
addr: :8443
|
||||
handler:
|
||||
type: http2
|
||||
auther: auther-0
|
||||
listener:
|
||||
type: http2
|
||||
bypass: bypass-0
|
||||
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
@@ -0,0 +1,20 @@
|
||||
services:
|
||||
- name: h2-proxy-pr
|
||||
addr: :8443
|
||||
handler:
|
||||
type: http2
|
||||
auther: auther-0
|
||||
metadata:
|
||||
# probeResist: hide the proxy behind a 404 decoy on auth failure
|
||||
probeResist: code:404
|
||||
# header: custom response headers set on proxy responses
|
||||
header:
|
||||
X-Proxy-Info: gost-e2e
|
||||
authBasicRealm: gost-e2e-realm
|
||||
listener:
|
||||
type: http2
|
||||
authers:
|
||||
- name: auther-0
|
||||
auths:
|
||||
- username: user
|
||||
password: pass
|
||||
+82
-10
@@ -128,19 +128,94 @@ func udpEchoContainerRequest(_ context.Context, networkName string) testcontaine
|
||||
}
|
||||
}
|
||||
|
||||
// RunDNSResponderContainer starts a UDP-based DNS responder for e2e DNS tests.
|
||||
// The container is registered with the network alias "dns-server".
|
||||
func RunDNSResponderContainer(ctx context.Context, networkName string) (testcontainers.Container, error) {
|
||||
req := testcontainers.ContainerRequest{
|
||||
FromDockerfile: testcontainers.FromDockerfile{
|
||||
Context: ".",
|
||||
Dockerfile: "Dockerfile",
|
||||
Repo: "gost-e2e",
|
||||
Tag: "latest",
|
||||
KeepImage: true,
|
||||
BuildOptionsModifier: func(opts *client.ImageBuildOptions) {
|
||||
opts.NetworkMode = "host"
|
||||
},
|
||||
},
|
||||
Networks: []string{networkName},
|
||||
NetworkAliases: map[string][]string{
|
||||
networkName: {"dns-server"},
|
||||
},
|
||||
Files: []testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/dns_responder.py", ContainerFilePath: "/scripts/dns_server.py", FileMode: 0644},
|
||||
},
|
||||
ExposedPorts: []string{"5353/udp"},
|
||||
Cmd: []string{"python3", "/scripts/dns_server.py"},
|
||||
WaitingFor: wait.ForExposedPort().SkipInternalCheck(),
|
||||
}
|
||||
|
||||
return testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
|
||||
ContainerRequest: req,
|
||||
Started: true,
|
||||
})
|
||||
}
|
||||
|
||||
// RunTCPDNSResponderContainer starts a TCP-based DNS responder for e2e DNS tests.
|
||||
// The container is registered with the network alias "dns-server".
|
||||
func RunTCPDNSResponderContainer(ctx context.Context, networkName string) (testcontainers.Container, error) {
|
||||
req := testcontainers.ContainerRequest{
|
||||
FromDockerfile: testcontainers.FromDockerfile{
|
||||
Context: ".",
|
||||
Dockerfile: "Dockerfile",
|
||||
Repo: "gost-e2e",
|
||||
Tag: "latest",
|
||||
KeepImage: true,
|
||||
BuildOptionsModifier: func(opts *client.ImageBuildOptions) {
|
||||
opts.NetworkMode = "host"
|
||||
},
|
||||
},
|
||||
Networks: []string{networkName},
|
||||
NetworkAliases: map[string][]string{
|
||||
networkName: {"dns-server"},
|
||||
},
|
||||
Files: []testcontainers.ContainerFile{
|
||||
{HostFilePath: "scripts/dns_responder_tcp.py", ContainerFilePath: "/scripts/dns_server.py", FileMode: 0644},
|
||||
},
|
||||
ExposedPorts: []string{"5353/tcp"},
|
||||
Cmd: []string{"python3", "/scripts/dns_server.py"},
|
||||
WaitingFor: wait.ForExposedPort(),
|
||||
}
|
||||
|
||||
return testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
|
||||
ContainerRequest: req,
|
||||
Started: true,
|
||||
})
|
||||
}
|
||||
|
||||
func RunGostContainer(ctx context.Context, networkName, yamlPath string) (testcontainers.Container, error) {
|
||||
return runGostContainer(ctx, networkName, yamlPath, nil, nil)
|
||||
return runGostContainer(ctx, networkName, yamlPath, nil, nil, nil)
|
||||
}
|
||||
|
||||
func RunGostContainerWithPorts(ctx context.Context, networkName, yamlPath string, exposedPorts ...string) (testcontainers.Container, error) {
|
||||
return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts)
|
||||
return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts, nil)
|
||||
}
|
||||
|
||||
func RunGostContainerWithOptions(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string) (testcontainers.Container, error) {
|
||||
return runGostContainer(ctx, networkName, yamlPath, aliases, exposedPorts)
|
||||
return runGostContainer(ctx, networkName, yamlPath, aliases, exposedPorts, nil)
|
||||
}
|
||||
|
||||
func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string) (testcontainers.Container, error) {
|
||||
// RunGostContainerWithFiles starts a gost container with extra files mounted.
|
||||
func RunGostContainerWithFiles(ctx context.Context, networkName, yamlPath string, extraFiles []testcontainers.ContainerFile, exposedPorts ...string) (testcontainers.Container, error) {
|
||||
return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts, extraFiles)
|
||||
}
|
||||
|
||||
func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string, extraFiles []testcontainers.ContainerFile) (testcontainers.Container, error) {
|
||||
files := []testcontainers.ContainerFile{
|
||||
{HostFilePath: GostBinPath, ContainerFilePath: "/bin/gost", FileMode: 0755},
|
||||
{HostFilePath: yamlPath, ContainerFilePath: "/config.yaml", FileMode: 0644},
|
||||
}
|
||||
files = append(files, extraFiles...)
|
||||
|
||||
req := testcontainers.ContainerRequest{
|
||||
FromDockerfile: testcontainers.FromDockerfile{
|
||||
Context: ".",
|
||||
@@ -153,17 +228,14 @@ func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases
|
||||
},
|
||||
},
|
||||
ExposedPorts: exposedPorts,
|
||||
// interal check for udp ports will be failed
|
||||
// internal check for udp ports will be failed
|
||||
WaitingFor: wait.ForExposedPort().SkipInternalCheck(),
|
||||
Networks: []string{networkName},
|
||||
NetworkAliases: map[string][]string{
|
||||
networkName: aliases,
|
||||
},
|
||||
Files: []testcontainers.ContainerFile{
|
||||
{HostFilePath: GostBinPath, ContainerFilePath: "/bin/gost", FileMode: 0755},
|
||||
{HostFilePath: yamlPath, ContainerFilePath: "/config.yaml", FileMode: 0644},
|
||||
},
|
||||
Cmd: []string{"/bin/gost", "-C", "/config.yaml"},
|
||||
Files: files,
|
||||
Cmd: []string{"/bin/gost", "-C", "/config.yaml"},
|
||||
}
|
||||
|
||||
return testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
|
||||
|
||||
Reference in New Issue
Block a user