Compare commits
10 Commits
f638d8081f
..
dev
| Author | SHA1 | Date | |
|---|---|---|---|
| 7eb0be458e | |||
| b139ed5968 | |||
| 43724a5c40 | |||
| 0bb9109c71 | |||
| a0427be086 | |||
| 590c6f48bd | |||
| 69b561f944 | |||
| 3c87a8b96e | |||
| c9cfc440ad | |||
| c305f93703 |
@@ -39,6 +39,7 @@ var (
|
|||||||
apiAddr string
|
apiAddr string
|
||||||
metricsAddr string
|
metricsAddr string
|
||||||
reload time.Duration
|
reload time.Duration
|
||||||
|
showConfig bool
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
@@ -102,6 +103,7 @@ func init() {
|
|||||||
flag.StringVar(&apiAddr, "api", "", "api service address")
|
flag.StringVar(&apiAddr, "api", "", "api service address")
|
||||||
flag.StringVar(&metricsAddr, "metrics", "", "metrics service address")
|
flag.StringVar(&metricsAddr, "metrics", "", "metrics service address")
|
||||||
flag.DurationVar(&reload, "R", 0, "auto reload period (e.g. 30s, 1m)")
|
flag.DurationVar(&reload, "R", 0, "auto reload period (e.g. 30s, 1m)")
|
||||||
|
flag.BoolVar(&showConfig, "P", false, "print config only")
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
if printVersion {
|
if printVersion {
|
||||||
|
|||||||
@@ -2,7 +2,9 @@ package main
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
"os/signal"
|
"os/signal"
|
||||||
@@ -23,6 +25,7 @@ import (
|
|||||||
metrics "github.com/go-gost/x/metrics/service"
|
metrics "github.com/go-gost/x/metrics/service"
|
||||||
"github.com/go-gost/x/registry"
|
"github.com/go-gost/x/registry"
|
||||||
"github.com/judwhite/go-svc"
|
"github.com/judwhite/go-svc"
|
||||||
|
"gopkg.in/yaml.v3"
|
||||||
)
|
)
|
||||||
|
|
||||||
type program struct {
|
type program struct {
|
||||||
@@ -90,6 +93,17 @@ func (p *program) run(cfg *config.Config) error {
|
|||||||
svc.Serve()
|
svc.Serve()
|
||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
|
if showConfig {
|
||||||
|
if outputFormat == "json" {
|
||||||
|
marshal, _ := json.Marshal(cfg)
|
||||||
|
fmt.Println(string(marshal))
|
||||||
|
} else {
|
||||||
|
marshal, _ := yaml.Marshal(cfg)
|
||||||
|
fmt.Println(string(marshal))
|
||||||
|
}
|
||||||
|
os.Exit(0)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
if p.srvApi != nil {
|
if p.srvApi != nil {
|
||||||
p.srvApi.Close()
|
p.srvApi.Close()
|
||||||
|
|||||||
@@ -3,8 +3,8 @@ module github.com/go-gost/gost
|
|||||||
go 1.26.3
|
go 1.26.3
|
||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/go-gost/core v0.4.2
|
github.com/go-gost/core v0.5.1
|
||||||
github.com/go-gost/x v0.12.2
|
github.com/go-gost/x v0.13.0
|
||||||
github.com/judwhite/go-svc v1.2.1
|
github.com/judwhite/go-svc v1.2.1
|
||||||
github.com/moby/moby/client v0.4.0
|
github.com/moby/moby/client v0.4.0
|
||||||
github.com/stretchr/testify v1.11.1
|
github.com/stretchr/testify v1.11.1
|
||||||
@@ -49,7 +49,7 @@ require (
|
|||||||
github.com/go-gost/go-shadowsocks2 v0.1.3 // indirect
|
github.com/go-gost/go-shadowsocks2 v0.1.3 // indirect
|
||||||
github.com/go-gost/gosocks4 v0.1.0 // indirect
|
github.com/go-gost/gosocks4 v0.1.0 // indirect
|
||||||
github.com/go-gost/gosocks5 v0.5.0 // indirect
|
github.com/go-gost/gosocks5 v0.5.0 // indirect
|
||||||
github.com/go-gost/plugin v0.3.0 // indirect
|
github.com/go-gost/plugin v0.4.0 // indirect
|
||||||
github.com/go-gost/relay v0.6.1 // indirect
|
github.com/go-gost/relay v0.6.1 // indirect
|
||||||
github.com/go-gost/tls-dissector v0.2.0 // indirect
|
github.com/go-gost/tls-dissector v0.2.0 // indirect
|
||||||
github.com/go-logr/logr v1.4.3 // indirect
|
github.com/go-logr/logr v1.4.3 // indirect
|
||||||
|
|||||||
@@ -83,24 +83,22 @@ github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE
|
|||||||
github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
|
github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
|
||||||
github.com/gin-gonic/gin v1.10.1 h1:T0ujvqyCSqRopADpgPgiTT63DUQVSfojyME59Ei63pQ=
|
github.com/gin-gonic/gin v1.10.1 h1:T0ujvqyCSqRopADpgPgiTT63DUQVSfojyME59Ei63pQ=
|
||||||
github.com/gin-gonic/gin v1.10.1/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
|
github.com/gin-gonic/gin v1.10.1/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
|
||||||
github.com/go-gost/core v0.4.2 h1:NBCkdWItIiwt15cA2mkRza/u6ukxQVSW74bc33o70zE=
|
github.com/go-gost/core v0.5.1 h1:HbIn3naEOC661Z4SwzaSYUzffWSRbU0P6gkxiHmuG0I=
|
||||||
github.com/go-gost/core v0.4.2/go.mod h1:WGI43jOka7FAsSAwi/fSMaqxdR+E339ycb4NBGlFr6A=
|
github.com/go-gost/core v0.5.1/go.mod h1:WGI43jOka7FAsSAwi/fSMaqxdR+E339ycb4NBGlFr6A=
|
||||||
github.com/go-gost/go-shadowsocks2 v0.1.3 h1:6CUZLp+mTWXnKP2aK8/Z9ZP+ERMX9gSbywmPu4kGX/A=
|
github.com/go-gost/go-shadowsocks2 v0.1.3 h1:6CUZLp+mTWXnKP2aK8/Z9ZP+ERMX9gSbywmPu4kGX/A=
|
||||||
github.com/go-gost/go-shadowsocks2 v0.1.3/go.mod h1:866zFNNI3He6Wef1M/IvAjTal74WhcfKfBgRpTlkKys=
|
github.com/go-gost/go-shadowsocks2 v0.1.3/go.mod h1:866zFNNI3He6Wef1M/IvAjTal74WhcfKfBgRpTlkKys=
|
||||||
github.com/go-gost/gosocks4 v0.1.0 h1:eAzev6qw4fzkFQKC9uCHLVNnnPdHyqCggbnfNN80Pmk=
|
github.com/go-gost/gosocks4 v0.1.0 h1:eAzev6qw4fzkFQKC9uCHLVNnnPdHyqCggbnfNN80Pmk=
|
||||||
github.com/go-gost/gosocks4 v0.1.0/go.mod h1:hzVjwijJuZR1pp3GqpTj+AKcSGrx68RlWTrQMFMYBP0=
|
github.com/go-gost/gosocks4 v0.1.0/go.mod h1:hzVjwijJuZR1pp3GqpTj+AKcSGrx68RlWTrQMFMYBP0=
|
||||||
github.com/go-gost/gosocks5 v0.5.0 h1:YE37l1MJwde8diIQdynStqogMotG5enoTdborhA5yic=
|
github.com/go-gost/gosocks5 v0.5.0 h1:YE37l1MJwde8diIQdynStqogMotG5enoTdborhA5yic=
|
||||||
github.com/go-gost/gosocks5 v0.5.0/go.mod h1:1G6I7HP7VFVxveGkoK8mnprnJqSqJjdcASKsdUn4Pp4=
|
github.com/go-gost/gosocks5 v0.5.0/go.mod h1:1G6I7HP7VFVxveGkoK8mnprnJqSqJjdcASKsdUn4Pp4=
|
||||||
github.com/go-gost/plugin v0.3.0 h1:pmll8nNd9PX92BWMB5+b2y2SEkBAWJLxD2ANfX+WHuw=
|
github.com/go-gost/plugin v0.4.0 h1:M7MR5PL7QAFCrdWfcXVX+5iLNTVIZlhl8FfdV/K8dZY=
|
||||||
github.com/go-gost/plugin v0.3.0/go.mod h1:oN23l+yGDCIP9G3KnDl/I/0zVGOobZUDCB2Z5yYYXts=
|
github.com/go-gost/plugin v0.4.0/go.mod h1:oN23l+yGDCIP9G3KnDl/I/0zVGOobZUDCB2Z5yYYXts=
|
||||||
github.com/go-gost/relay v0.6.1 h1:7SqnHFbY8x/DzvjpK03a5zcVH9+TbJAcnW/RT6s1ecc=
|
github.com/go-gost/relay v0.6.1 h1:7SqnHFbY8x/DzvjpK03a5zcVH9+TbJAcnW/RT6s1ecc=
|
||||||
github.com/go-gost/relay v0.6.1/go.mod h1:Dku0f5sfjOClrZFiDmQUrYYJ4uof7rnkCUBfsl0PSAI=
|
github.com/go-gost/relay v0.6.1/go.mod h1:Dku0f5sfjOClrZFiDmQUrYYJ4uof7rnkCUBfsl0PSAI=
|
||||||
github.com/go-gost/tls-dissector v0.2.0 h1:9tE6WOzzpurATTBWn60DU4R8gibpGNY8/qVcc1SicVg=
|
github.com/go-gost/tls-dissector v0.2.0 h1:9tE6WOzzpurATTBWn60DU4R8gibpGNY8/qVcc1SicVg=
|
||||||
github.com/go-gost/tls-dissector v0.2.0/go.mod h1:/9QfdewqmHdaE362Hv5nDaSWLx3pCmtD870d6GaquXs=
|
github.com/go-gost/tls-dissector v0.2.0/go.mod h1:/9QfdewqmHdaE362Hv5nDaSWLx3pCmtD870d6GaquXs=
|
||||||
github.com/go-gost/x v0.12.1 h1:gemrGRucwroz7xkhjgTfkG0F8YDC1uKSlT6McGhCbhU=
|
github.com/go-gost/x v0.13.0 h1:iQOdO7o9GHIgNRtQTeoi/1WiTZw2C+/kC/y5JsN8WjE=
|
||||||
github.com/go-gost/x v0.12.1/go.mod h1:hrewVDMVncuoRwteqJr/ReMN/a/IunlVN/zCZajr9Q8=
|
github.com/go-gost/x v0.13.0/go.mod h1:P9zH+y/4+bNN2ZcoQZJ0tD59RXdvuRhioXDNfSCVsxU=
|
||||||
github.com/go-gost/x v0.12.2 h1:RrWj92rJbFoV338iSjnoIm9IvNRB8Vm3Oj5iHCx4Hi8=
|
|
||||||
github.com/go-gost/x v0.12.2/go.mod h1:hrewVDMVncuoRwteqJr/ReMN/a/IunlVN/zCZajr9Q8=
|
|
||||||
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
|
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
|
||||||
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
|
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
|
||||||
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
|
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
|
||||||
|
|||||||
@@ -0,0 +1,276 @@
|
|||||||
|
# 执行计划:HTTP Handler E2E 测试 + utils.go 重构
|
||||||
|
|
||||||
|
## 背景
|
||||||
|
|
||||||
|
从 PLAN.md 的 Step 0 和 Step 1A 开始实施。HTTP proxy 是 gost 最基础的协议,目前 e2e 测试仅覆盖 shadowsocks 和 parallel selector。本计划先重构 utils.go 提取公共 helper,然后用 helper 写 HTTP handler 测试套件,最后同步重构 shadowsocks_test.go。
|
||||||
|
|
||||||
|
## 变更文件清单
|
||||||
|
|
||||||
|
| 文件 | 操作 | 说明 |
|
||||||
|
|------|------|------|
|
||||||
|
| `tests/e2e/utils.go` | 修改 | 新增 `RunTCPCase` / `RunUDPCase` |
|
||||||
|
| `tests/e2e/http_test.go` | 新建 | HTTP proxy 测试套件 |
|
||||||
|
| `tests/e2e/testdata/http/server.yaml` | 新建 | 无 auth 的 HTTP proxy 服务器 |
|
||||||
|
| `tests/e2e/testdata/http/server_auth.yaml` | 新建 | 带 auth 的 HTTP proxy 服务器 |
|
||||||
|
| `tests/e2e/shadowsocks_test.go` | 修改 | 重构为使用 `RunTCPCase` / `RunUDPCase` |
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 1: 修改 `utils.go` — 提取 RunTCPCase / RunUDPCase
|
||||||
|
|
||||||
|
从 `shadowsocks_test.go` 的 `runTCPCase` 和 `runUDPCase` 提取为包级函数。关键差异:参数需要传入 echo container IP 和 echo container 本身(用于 dump logs)。
|
||||||
|
|
||||||
|
### RunTCPCase 签名与逻辑
|
||||||
|
|
||||||
|
```go
|
||||||
|
// RunTCPCase runs a full TCP proxy test case:
|
||||||
|
// start server → render client config → start client → curl assertion → cleanup.
|
||||||
|
func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP string,
|
||||||
|
name, serverConfig, clientConfig string)
|
||||||
|
```
|
||||||
|
|
||||||
|
逻辑(从 shadowsocks_test.go:132-160 提取,一字不差):
|
||||||
|
1. 生成 serverAlias = `name + "-server"`
|
||||||
|
2. `RunGostContainerWithOptions(ctx, networkName, serverConfig, [serverAlias], ["8388/tcp"])`
|
||||||
|
3. `defer serverC.Terminate(ctx)`
|
||||||
|
4. `RenderConfig(clientConfig, {ServerAddr: serverAlias + ":8388"})`
|
||||||
|
5. `defer os.Remove(rendered)`
|
||||||
|
6. `RunGostContainerWithPorts(ctx, networkName, rendered, "8080/tcp")`
|
||||||
|
7. `defer clientC.Terminate(ctx)`
|
||||||
|
8. `clientC.Exec(ctx, ["curl", "-v", "-s", "-x", "http://127.0.0.1:8080", "http://<echoIP>:5678"])`
|
||||||
|
9. 断言 exitCode==0 且 body 包含 `"hello-gost"`,失败时 DumpLogs
|
||||||
|
|
||||||
|
**问题:端口硬编码**。shadowsocks 用 8388 作为服务端口,但其他协议可能用不同端口。需要参数化。
|
||||||
|
|
||||||
|
### 修正设计 — 参数化端口
|
||||||
|
|
||||||
|
```go
|
||||||
|
type TCPOptions struct {
|
||||||
|
ServerPort string // 容器内服务端口,默认 "8388/tcp"
|
||||||
|
ClientPort string // 客户端代理端口,默认 "8080/tcp"
|
||||||
|
}
|
||||||
|
|
||||||
|
func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP string,
|
||||||
|
name, serverConfig, clientConfig string, opts ...TCPOptions)
|
||||||
|
```
|
||||||
|
|
||||||
|
当 `opts` 为空时使用默认值 `{ServerPort: "8388/tcp", ClientPort: "8080/tcp"}`。这样 shadowsocks 测试无需任何改动,而 HTTP 测试可传 `TCPOptions{ServerPort: "8080/tcp", ClientPort: "8080/tcp"}`。
|
||||||
|
|
||||||
|
等一下 — 仔细看 shadowsocks 的 server 容器暴露的是 `8388/tcp`,HTTP proxy 场景下只有一个 gost 容器(不做 server→client 链路),直接暴露 proxy 端口。
|
||||||
|
|
||||||
|
**重新思考:HTTP proxy 不需要 server+client 两容器模式。**
|
||||||
|
|
||||||
|
HTTP proxy 测试是最简单的模式 — 只需一个 gost 容器运行 HTTP proxy,然后容器内 curl 通过它访问 echo server。这和 parallel_selector_test.go 的模式一致。但为了统一框架和后续协议(SOCKS5、relay 等都需要 server+client 模式),我们应该:
|
||||||
|
|
||||||
|
- HTTP 的"无 auth"用例:**单容器模式**(同 parallel_selector)
|
||||||
|
- HTTP 的"带 auth"用例:**也可以单容器**,只需在 curl 加 `--proxy-user`
|
||||||
|
|
||||||
|
所以 HTTP proxy 不需要 server/client 分离,但 RunTCPCase helper 仍然服务于 SOCKS5/relay 等需要链路的协议。
|
||||||
|
|
||||||
|
### 最终 RunTCPCase 设计
|
||||||
|
|
||||||
|
```go
|
||||||
|
func RunTCPCase(t *testing.T, ctx context.Context, networkName, echoIP, name string,
|
||||||
|
serverConfig, clientConfig string, serverPort, clientPort string)
|
||||||
|
```
|
||||||
|
|
||||||
|
- `serverPort`: 服务端容器暴露端口,如 `"8388/tcp"`
|
||||||
|
- `clientPort`: 客户端容器暴露端口,如 `"8080/tcp"`
|
||||||
|
- 渲染模板时用 `ServerAddr: serverAlias + ":" + strings.TrimSuffix(serverPort, "/tcp")`
|
||||||
|
|
||||||
|
### RunUDPCase 设计
|
||||||
|
|
||||||
|
```go
|
||||||
|
func RunUDPCase(t *testing.T, ctx context.Context, networkName, name string,
|
||||||
|
serverConfig, clientConfig string, serverPort, clientPort string)
|
||||||
|
```
|
||||||
|
|
||||||
|
逻辑从 shadowsocks_test.go:76-126 提取。
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 2: 新建 `testdata/http/` 配置文件
|
||||||
|
|
||||||
|
### `testdata/http/server.yaml` — 无 auth 的 HTTP proxy
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
```
|
||||||
|
|
||||||
|
单容器即可测试:gost 启动后在 :8080 提供 HTTP proxy 服务。
|
||||||
|
|
||||||
|
### `testdata/http/server_auth.yaml` — 带 auth 的 HTTP proxy
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
services:
|
||||||
|
- name: http-proxy-auth
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 3: 新建 `http_test.go`
|
||||||
|
|
||||||
|
### 套件结构
|
||||||
|
|
||||||
|
```go
|
||||||
|
type HTTPSuite struct {
|
||||||
|
suite.Suite
|
||||||
|
ctx context.Context
|
||||||
|
echoC testcontainers.Container
|
||||||
|
echoIP string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *HTTPSuite) SetupSuite() // 启动 TCP echo
|
||||||
|
func (s *HTTPSuite) TearDownSuite() // 关闭 echo
|
||||||
|
|
||||||
|
func (s *HTTPSuite) TestHTTPProxy() // 无 auth
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyAuth() // 带 auth
|
||||||
|
|
||||||
|
func TestHTTPSuite(t *testing.T) {
|
||||||
|
suite.Run(t, new(HTTPSuite))
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### TestHTTPProxy — 单容器模式(同 parallel_selector)
|
||||||
|
|
||||||
|
```go
|
||||||
|
func (s *HTTPSuite) TestHTTPProxy() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-proxy logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### TestHTTPProxyAuth — 带 auth 验证
|
||||||
|
|
||||||
|
```go
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyAuth() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_auth.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// 测试1:无 auth 应失败(407)
|
||||||
|
s.T().Run("no-auth-should-fail", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||||
|
"-x", "http://127.0.0.1:8080", fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
// curl exit code 非 0 或 HTTP status 是 407
|
||||||
|
// 注意:gost HTTP proxy 在无 auth 时返回 407,curl 不会自动重试
|
||||||
|
// 所以这里验证返回码是 407 或 curl 返回非零
|
||||||
|
httpStatus := strings.TrimSpace(string(body))
|
||||||
|
s.Assert().True(code != 0 || httpStatus == "407",
|
||||||
|
"expected auth failure, got status: %s, exit code: %d", httpStatus, code)
|
||||||
|
})
|
||||||
|
|
||||||
|
// 测试2:正确 auth 应成功
|
||||||
|
s.T().Run("with-auth-should-succeed", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x",
|
||||||
|
"http://user:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-proxy-auth logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### 注意事项
|
||||||
|
- HTTP proxy 是**单容器模式**,不需要 server/client 分离(不像 shadowsocks 需要解密/加密链路)
|
||||||
|
- auth 测试分两步:先验证无 auth 被拒(407),再验证正确 auth 成功
|
||||||
|
- curl 使用 `http://user:pass@host:port` 格式传递 proxy auth
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 4: 重构 `shadowsocks_test.go`
|
||||||
|
|
||||||
|
将 `runTCPCase` 和 `runUDPCase` 方法替换为调用 `utils.go` 中的 `RunTCPCase` / `RunUDPCase`:
|
||||||
|
|
||||||
|
**Before**:
|
||||||
|
```go
|
||||||
|
func (s *ShadowsocksSuite) TestShadowsocksTCP() {
|
||||||
|
s.runTCPCase("aes256gcm", "testdata/shadowsocks/tcp_server_aes256gcm.yaml", "testdata/shadowsocks/tcp_client_aes256gcm.yaml")
|
||||||
|
s.runTCPCase("chacha20", "testdata/shadowsocks/tcp_server_chacha20.yaml", "testdata/shadowsocks/tcp_client_chacha20.yaml")
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
**After**:
|
||||||
|
```go
|
||||||
|
func (s *ShadowsocksSuite) TestShadowsocksTCP() {
|
||||||
|
RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "aes256gcm",
|
||||||
|
"testdata/shadowsocks/tcp_server_aes256gcm.yaml",
|
||||||
|
"testdata/shadowsocks/tcp_client_aes256gcm.yaml",
|
||||||
|
"8388/tcp", "8080/tcp")
|
||||||
|
RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "chacha20",
|
||||||
|
"testdata/shadowsocks/tcp_server_chacha20.yaml",
|
||||||
|
"testdata/shadowsocks/tcp_client_chacha20.yaml",
|
||||||
|
"8388/tcp", "8080/tcp")
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
删除 `runTCPCase` 和 `runUDPCase` 方法。UDP 测试同理。
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## 实施顺序
|
||||||
|
|
||||||
|
1. **`utils.go`** — 添加 `RunTCPCase` + `RunUDPCase`(不删除任何现有函数)
|
||||||
|
2. **`testdata/http/`** — 创建 `server.yaml` + `server_auth.yaml`
|
||||||
|
3. **`http_test.go`** — 创建 HTTP 套件
|
||||||
|
4. **编译验证** — `cd gost && go build ./... && go vet ./tests/e2e/...`
|
||||||
|
5. **`shadowsocks_test.go`** — 重构为使用新 helper
|
||||||
|
6. **最终编译验证** — `go build ./... && go vet ./tests/e2e/...`
|
||||||
|
7. **运行测试** — `go test ./tests/e2e/ -v -run TestHTTPSuite -timeout 5m`
|
||||||
|
8. **回归测试** — `go test ./tests/e2e/ -v -run TestShadowsocksSuite -timeout 5m`
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## 验证
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd /config/workspace/go-gost/gost
|
||||||
|
go build ./...
|
||||||
|
go vet ./tests/e2e/...
|
||||||
|
go test ./tests/e2e/ -v -run TestHTTPSuite -timeout 5m
|
||||||
|
go test ./tests/e2e/ -v -run TestShadowsocksSuite -timeout 5m
|
||||||
|
```
|
||||||
@@ -0,0 +1,183 @@
|
|||||||
|
# Plan: Expand E2E Test Suite
|
||||||
|
|
||||||
|
## Context
|
||||||
|
|
||||||
|
The e2e test framework (`tests/e2e/`) currently covers only **2 protocols** (Shadowsocks, parallel selector) out of **~30+ registered protocols** in gost. This plan systematically adds test coverage for all major protocols, following the existing Docker-based testcontainers pattern exactly.
|
||||||
|
|
||||||
|
**Key insight**: gost auto-generates self-signed TLS certs when none are provided (`x/config/parsing/tls.go` — `BuildDefaultTLSConfig`), and clients with default config skip cert verification. This means TLS-based protocols (ws→wss, h2c→h2, quic, etc.) can be tested **without mounting cert files**.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 0: Refactor `utils.go` — Add Reusable Test Helpers
|
||||||
|
|
||||||
|
**File**: `tests/e2e/utils.go`
|
||||||
|
|
||||||
|
Extract the repeated patterns from `shadowsocks_test.go` into reusable helpers:
|
||||||
|
|
||||||
|
1. **`RunTCPCase(t, ctx, networkName, echoIP, name, serverConfig, clientConfig string)`** — Full lifecycle: start server → render client config → start client → curl assertion → cleanup. Extracts the logic from `ShadowsocksSuite.runTCPCase`.
|
||||||
|
|
||||||
|
2. **`RunUDPCase(t, ctx, networkName, name, serverConfig, clientConfig string)`** — Same for UDP: start server → render client → start client → dial UDP → retry loop → assertion → cleanup. Extracts from `runUDPCase`.
|
||||||
|
|
||||||
|
These eliminate ~40 lines of boilerplate per suite. Each suite's test methods become one-liners:
|
||||||
|
```go
|
||||||
|
func (s *SOCKS5Suite) TestSOCKS5TCP() {
|
||||||
|
RunTCPCase(s.T(), s.ctx, SharedNetworkName, s.echoIP, "socks5-tcp",
|
||||||
|
"testdata/socks5/tcp_server.yaml", "testdata/socks5/tcp_client.yaml")
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 1: Tier 1 — Core Protocols (Plain TCP, No Special Infrastructure)
|
||||||
|
|
||||||
|
Each suite follows the exact pattern: suite struct → `SetupSuite` (echo containers) → `TearDownSuite` → test methods calling `RunTCPCase`/`RunUDPCase` → `suite.Run()` entry point.
|
||||||
|
|
||||||
|
### 1A. HTTP Proxy Suite
|
||||||
|
- **Files**: `http_test.go`, `testdata/http/` (2 configs)
|
||||||
|
- **Configs**: `server.yaml` (handler `http`, listener `tcp`), `server_auth.yaml` (+ basic auth)
|
||||||
|
- **Tests**: `TestHTTPProxy`, `TestHTTPProxyAuth` (curl with `--proxy-user`)
|
||||||
|
- **Note**: Simplest test — single gost container acts as HTTP proxy
|
||||||
|
|
||||||
|
### 1B. SOCKS5 Suite
|
||||||
|
- **Files**: `socks5_test.go`, `testdata/socks5/` (4 configs)
|
||||||
|
- **Configs**: `tcp_server.yaml` (handler `socks5`), `tcp_client.yaml` (connector `socks5`, dialer `tcp`), + auth variants
|
||||||
|
- **Tests**: `TestSOCKS5TCP`, `TestSOCKS5TCPAuth`
|
||||||
|
|
||||||
|
### 1C. SOCKS4 Suite
|
||||||
|
- **Files**: `socks4_test.go`, `testdata/socks4/` (4 configs)
|
||||||
|
- **Configs**: `tcp_server.yaml` (handler `socks4`), `tcp_client.yaml` (connector `socks4`), + socks4a variants
|
||||||
|
- **Tests**: `TestSOCKS4TCP`, `TestSOCKS4aTCP`
|
||||||
|
|
||||||
|
### 1D. HTTP2 Cleartext Suite
|
||||||
|
- **Files**: `http2_test.go`, `testdata/http2/` (2 configs)
|
||||||
|
- **Configs**: `tcp_server.yaml` (handler `http2`, listener `http2`), `tcp_client.yaml` (connector `http2`, dialer `http2`)
|
||||||
|
- **Tests**: `TestHTTP2TCP`
|
||||||
|
|
||||||
|
### 1E. Relay Suite
|
||||||
|
- **Files**: `relay_test.go`, `testdata/relay/` (4 configs)
|
||||||
|
- **Configs**: `tcp_server.yaml` (handler `relay`, listener `tcp`), `tcp_client.yaml` (connector `relay`, dialer `tcp`), + auth variants
|
||||||
|
- **Tests**: `TestRelayTCP`, `TestRelayTCPAuth`
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 2: Tier 2 — TLS/Transport Protocols
|
||||||
|
|
||||||
|
Same pattern but using TLS listeners/dialers. No explicit cert files needed — gost auto-generates them.
|
||||||
|
|
||||||
|
### 2A. TLS Suite
|
||||||
|
- **Files**: `tls_test.go`, `testdata/tls/` (4 configs)
|
||||||
|
- **Tests**: `TestTLSHTTPProxy` (handler `http` + listener `tls`), `TestTLSSOCKS5` (handler `socks5` + listener `tls`)
|
||||||
|
|
||||||
|
### 2B. WebSocket Suite
|
||||||
|
- **Files**: `ws_test.go`, `testdata/ws/` (4 configs)
|
||||||
|
- **Tests**: `TestWSSOCKS5` (dialer `ws`), `TestWSSSOCKS5` (dialer `wss`)
|
||||||
|
|
||||||
|
### 2C. gRPC Suite
|
||||||
|
- **Files**: `grpc_test.go`, `testdata/grpc/` (2 configs)
|
||||||
|
- **Tests**: `TestGRPCSOCKS5` (listener `grpc`, metadata `insecure: true`)
|
||||||
|
|
||||||
|
### 2D. HTTP/2 TLS (h2) Suite
|
||||||
|
- **Files**: `h2_test.go`, `testdata/h2/` (2 configs)
|
||||||
|
- **Tests**: `TestH2HTTP2Proxy` (listener `h2`, dialer `h2`)
|
||||||
|
|
||||||
|
### 2E. QUIC Suite
|
||||||
|
- **Files**: `quic_test.go`, `testdata/quic/` (2 configs)
|
||||||
|
- **Tests**: `TestQUICHTTP` (listener `quic`, handler `http` — uses UDP ports)
|
||||||
|
|
||||||
|
### 2F. KCP Suite
|
||||||
|
- **Files**: `kcp_test.go`, `testdata/kcp/` (2 configs)
|
||||||
|
- **Tests**: `TestKCPSOCKS5` (listener `kcp`, handler `socks5` — uses UDP)
|
||||||
|
|
||||||
|
### 2G. Multiplex Variants (mws/mwss/mtls/mtcp)
|
||||||
|
- **Files**: `mux_test.go`, `testdata/mux/` (6 configs)
|
||||||
|
- **Tests**: `TestMWSSOCKS5`, `TestMWSSSOCKS5`, `TestMtlSSOCKS5`, `TestMtcpSOCKS5`
|
||||||
|
|
||||||
|
### 2H. Obfuscation (ohttp/otls)
|
||||||
|
- **Files**: `obfs_test.go`, `testdata/obfs/` (4 configs)
|
||||||
|
- **Tests**: `TestOHTTP`, `TestOTLS`
|
||||||
|
|
||||||
|
### 2I. PHT (HTTP Pipe)
|
||||||
|
- **Files**: `pht_test.go`, `testdata/pht/` (4 configs)
|
||||||
|
- **Tests**: `TestPHT`, `TestPHTS`
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Step 3: Tier 3 — Special Infrastructure (Deferred)
|
||||||
|
|
||||||
|
These require Docker capabilities (`NET_ADMIN`, `NET_RAW`), SSH key generation, or iptables setup. Implemented after Tiers 1-2 are stable.
|
||||||
|
|
||||||
|
| Protocol | Challenge | Approach |
|
||||||
|
|----------|-----------|----------|
|
||||||
|
| SSH/sshd | Host key generation | Generate SSH key at test time, mount into container |
|
||||||
|
| HTTP/3/WebTransport | QUIC+UDP, TLS | Uses UDP like QUIC suite; auto certs work |
|
||||||
|
| TUN/TAP | `CAP_NET_ADMIN`, `/dev/net/tun` | Privileged container + routing setup |
|
||||||
|
| Tungo/MASQUE | Same as TUN | Same approach |
|
||||||
|
| ICMP | `CAP_NET_RAW`, raw sockets | Privileged container |
|
||||||
|
| Redirect (red/redu) | iptables rules | Privileged + iptables setup in container |
|
||||||
|
| DTLS | UDP + TLS | Auto certs; UDP port mapping |
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Files to Create/Modify
|
||||||
|
|
||||||
|
### New files (per suite):
|
||||||
|
- `tests/e2e/<protocol>_test.go` — Suite struct + test methods
|
||||||
|
- `tests/e2e/testdata/<protocol>/` — Server + client YAML configs
|
||||||
|
|
||||||
|
### Modified files:
|
||||||
|
- `tests/e2e/utils.go` — Add `RunTCPCase`, `RunUDPCase` helpers
|
||||||
|
- `tests/e2e/shadowsocks_test.go` — Refactor to use new helpers (optional, reduces duplication)
|
||||||
|
- `tests/e2e/README.md` — Document new suites
|
||||||
|
|
||||||
|
### Reference files (read-only):
|
||||||
|
- `tests/e2e/shadowsocks_test.go` — Pattern template for all suites
|
||||||
|
- `tests/e2e/testdata/shadowsocks/tcp_server_aes256gcm.yaml` — Server config template
|
||||||
|
- `tests/e2e/testdata/shadowsocks/tcp_client_aes256gcm.yaml` — Client config template
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Config Pattern Reference
|
||||||
|
|
||||||
|
**Server** (all protocols):
|
||||||
|
```yaml
|
||||||
|
services:
|
||||||
|
- name: <proto>-server
|
||||||
|
addr: :<port>
|
||||||
|
handler:
|
||||||
|
type: <handler-type>
|
||||||
|
listener:
|
||||||
|
type: <listener-type>
|
||||||
|
```
|
||||||
|
|
||||||
|
**Client** (all protocols):
|
||||||
|
```yaml
|
||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
chain: <proto>-chain
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
chains:
|
||||||
|
- name: <proto>-chain
|
||||||
|
hops:
|
||||||
|
- name: <proto>-hop
|
||||||
|
nodes:
|
||||||
|
- name: <proto>-node
|
||||||
|
addr: {{.ServerAddr}}
|
||||||
|
connector:
|
||||||
|
type: <connector-type>
|
||||||
|
dialer:
|
||||||
|
type: <dialer-type>
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Verification
|
||||||
|
|
||||||
|
After each suite is implemented:
|
||||||
|
1. `cd gost && go build ./...` — Ensure compilation
|
||||||
|
2. `go vet ./tests/e2e/` — Static analysis
|
||||||
|
3. `go test ./tests/e2e/ -v -run TestXxxSuite -timeout 5m` — Run individual suite
|
||||||
|
4. `go test ./tests/e2e/ -v -timeout 10m` — Run all suites together
|
||||||
@@ -0,0 +1,360 @@
|
|||||||
|
package e2e
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"encoding/base64"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/suite"
|
||||||
|
"github.com/testcontainers/testcontainers-go"
|
||||||
|
)
|
||||||
|
|
||||||
|
type DNSSuite struct {
|
||||||
|
suite.Suite
|
||||||
|
ctx context.Context
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *DNSSuite) SetupSuite() {
|
||||||
|
s.ctx = context.Background()
|
||||||
|
}
|
||||||
|
|
||||||
|
// dnsQuery sends a DNS query via the Python client and retries on failure.
|
||||||
|
// expected can be an IP string, "empty" (expect zero answer records), or "" (no check).
|
||||||
|
func (s *DNSSuite) dnsQuery(gostC testcontainers.Container, mode, host, port, qname, qtype, expected string) {
|
||||||
|
args := []string{"python3", "/scripts/dns_query.py", mode, host, port, qname, qtype}
|
||||||
|
if expected != "" {
|
||||||
|
args = append(args, expected)
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := range 5 {
|
||||||
|
code, out, err := gostC.Exec(s.ctx, args)
|
||||||
|
if err != nil {
|
||||||
|
s.T().Logf("query attempt %d exec error: %v", i+1, err)
|
||||||
|
time.Sleep(time.Second)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
if err != nil {
|
||||||
|
s.T().Logf("query attempt %d read error: %v", i+1, err)
|
||||||
|
time.Sleep(time.Second)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
output := string(body)
|
||||||
|
s.T().Logf("query attempt %d: %s", i+1, strings.TrimSpace(output))
|
||||||
|
|
||||||
|
if code == 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
time.Sleep(time.Second)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.T().Fatalf("DNS query %s %s %s %s failed after 5 retries", mode, qname, qtype, host)
|
||||||
|
}
|
||||||
|
|
||||||
|
// dnsQueryOnce sends a single DNS query with no retries. Returns exit code and output.
|
||||||
|
func (s *DNSSuite) dnsQueryOnce(gostC testcontainers.Container, mode, host, port, qname, qtype string) (int, string) {
|
||||||
|
args := []string{"python3", "/scripts/dns_query.py", mode, host, port, qname, qtype}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, args)
|
||||||
|
if err != nil {
|
||||||
|
return 1, fmt.Sprintf("exec error: %v", err)
|
||||||
|
}
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
return code, string(body)
|
||||||
|
}
|
||||||
|
|
||||||
|
// dnsQueryWithDelay calls dnsQuery with a small wait before the first attempt.
|
||||||
|
func (s *DNSSuite) dnsQueryWithDelay(gostC testcontainers.Container, mode, host, port, qname, qtype, expected string) {
|
||||||
|
time.Sleep(500 * time.Millisecond)
|
||||||
|
s.dnsQuery(gostC, mode, host, port, qname, qtype, expected)
|
||||||
|
}
|
||||||
|
|
||||||
|
// sendRaw sends raw data via base64+nc and returns the response.
|
||||||
|
func (s *DNSSuite) sendRaw(gostC testcontainers.Container, host, port, data string) string {
|
||||||
|
encoded := base64.StdEncoding.EncodeToString([]byte(data))
|
||||||
|
cmd := []string{"sh", "-c",
|
||||||
|
fmt.Sprintf("echo %s | base64 -d | nc -w 3 -u %s %s", encoded, host, port)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
b, _ := io.ReadAll(out)
|
||||||
|
return string(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
// startDNSResponder starts the UDP DNS responder and returns the container.
|
||||||
|
func (s *DNSSuite) startDNSResponder() testcontainers.Container {
|
||||||
|
dnsC, err := RunDNSResponderContainer(s.ctx, SharedNetworkName)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
return dnsC
|
||||||
|
}
|
||||||
|
|
||||||
|
// startGostWithQueryScript starts a gost container with dns_query.py mounted.
|
||||||
|
func (s *DNSSuite) startGostWithQueryScript(yamlPath, exposedPort string) testcontainers.Container {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
yamlPath,
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/dns_query.py", ContainerFilePath: "/scripts/dns_query.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
exposedPort)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
return gostC
|
||||||
|
}
|
||||||
|
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
// Upstream resolution
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
func (s *DNSSuite) TestDNSUpstream() {
|
||||||
|
dnsC := s.startDNSResponder()
|
||||||
|
defer dnsC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
gostC := s.startGostWithQueryScript("testdata/dns/server_upstream.yaml", "1053/udp")
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("a-record", func(t *testing.T) {
|
||||||
|
s.dnsQueryWithDelay(gostC, "udp", "127.0.0.1", "1053", "test.example.com", "A", "10.0.0.1")
|
||||||
|
})
|
||||||
|
s.T().Run("aaaa-record", func(t *testing.T) {
|
||||||
|
s.dnsQuery(gostC, "udp", "127.0.0.1", "1053", "example.com", "AAAA", "::1")
|
||||||
|
})
|
||||||
|
s.T().Run("second-a-record", func(t *testing.T) {
|
||||||
|
s.dnsQuery(gostC, "udp", "127.0.0.1", "1053", "test2.example.com", "A", "10.0.0.2")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
// TCP mode
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
func (s *DNSSuite) TestDNSTCP() {
|
||||||
|
s.T().Log("start TCP DNS responder container...")
|
||||||
|
dnsC, err := RunTCPDNSResponderContainer(s.ctx, SharedNetworkName)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer dnsC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
gostC := s.startGostWithQueryScript("testdata/dns/server_tcp.yaml", "1053/tcp")
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.dnsQueryWithDelay(gostC, "tcp", "127.0.0.1", "1053", "test.example.com", "A", "10.0.0.1")
|
||||||
|
s.dnsQuery(gostC, "tcp", "127.0.0.1", "1053", "test2.example.com", "A", "10.0.0.2")
|
||||||
|
}
|
||||||
|
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
// Bypass rules
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
func (s *DNSSuite) TestDNSBypass() {
|
||||||
|
dnsC := s.startDNSResponder()
|
||||||
|
defer dnsC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
gostC := s.startGostWithQueryScript("testdata/dns/server_bypass.yaml", "1053/udp")
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("blocked-domain-empty-answer", func(t *testing.T) {
|
||||||
|
s.dnsQueryWithDelay(gostC, "udp", "127.0.0.1", "1053",
|
||||||
|
"test.example.com", "A", "empty")
|
||||||
|
})
|
||||||
|
s.T().Run("non-blocked-domain", func(t *testing.T) {
|
||||||
|
s.dnsQuery(gostC, "udp", "127.0.0.1", "1053",
|
||||||
|
"test2.example.com", "A", "10.0.0.2")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
// Host mapper
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
// TestDNSHostMapper verifies DNS resolution via the host mapper before
|
||||||
|
// reaching the upstream exchanger.
|
||||||
|
//
|
||||||
|
// Config: server_hosts.yaml maps mapped.example.com → 10.0.0.100 and
|
||||||
|
// points the handler at an unreachable upstream (udp://127.0.0.1:1).
|
||||||
|
// The handler checks the host mapper before the exchange path, so
|
||||||
|
// mapped names resolve without needing any upstream DNS. Unmapped
|
||||||
|
// names must fall through to the exchanger, which fails — confirming
|
||||||
|
// the host-mapper path was the only reason mapped names worked.
|
||||||
|
func (s *DNSSuite) TestDNSHostMapper() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/dns/server_hosts.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/dns_query.py", ContainerFilePath: "/scripts/dns_query.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"1053/udp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("mapped-a-record", func(t *testing.T) {
|
||||||
|
// mapped.example.com → host mapper returns 10.0.0.100
|
||||||
|
// without contacting any upstream.
|
||||||
|
s.dnsQueryWithDelay(gostC, "udp", "127.0.0.1", "1053",
|
||||||
|
"mapped.example.com", "A", "10.0.0.100")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("unmapped-domain", func(t *testing.T) {
|
||||||
|
// test.example.com is not in the hosts mapping. The handler
|
||||||
|
// will fall through to the exchanger path, which fails because
|
||||||
|
// no upstream is configured. Query should return empty/NXDOMAIN.
|
||||||
|
code, output := s.dnsQueryOnce(gostC, "udp", "127.0.0.1", "1053",
|
||||||
|
"test.example.com", "A")
|
||||||
|
s.T().Logf("unmapped query: code=%d, %s", code, strings.TrimSpace(output))
|
||||||
|
// Non-zero exit indicates no valid response — expected since
|
||||||
|
// there's no working upstream.
|
||||||
|
s.Assert().NotEqual(0, code,
|
||||||
|
"unmapped domain should fail with no upstream")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
// Exchange failure (unreachable upstream)
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
// TestDNSExchangeFailure verifies graceful handling when the upstream DNS
|
||||||
|
// exchanger is unreachable.
|
||||||
|
//
|
||||||
|
// Config: server_exchange_failure.yaml points to udp://127.0.0.1:1 which
|
||||||
|
// is unreachable. The handler must not crash or leak goroutines when the
|
||||||
|
// upstream exchange fails.
|
||||||
|
func (s *DNSSuite) TestDNSExchangeFailure() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/dns/server_exchange_failure.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/dns_query.py", ContainerFilePath: "/scripts/dns_query.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"1053/udp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("unreachable-upstream", func(t *testing.T) {
|
||||||
|
// Send query once — the exchange will fail (timeout / ICMP
|
||||||
|
// unreachable). No response is expected.
|
||||||
|
code, output := s.dnsQueryOnce(gostC, "udp", "127.0.0.1", "1053",
|
||||||
|
"test.example.com", "A")
|
||||||
|
s.T().Logf("exchange failure result: code=%d, %s",
|
||||||
|
code, strings.TrimSpace(output))
|
||||||
|
// Non-zero exit is expected since the exchange fails.
|
||||||
|
s.Assert().NotEqual(0, code,
|
||||||
|
"exchange failure should return non-zero exit")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("container-alive-after-failure", func(t *testing.T) {
|
||||||
|
// Verify the gost container is still running after the
|
||||||
|
// failed exchange — proves no crash or hang.
|
||||||
|
aliveCode, _, aliveErr := gostC.Exec(s.ctx, []string{"true"})
|
||||||
|
s.Require().NoError(aliveErr,
|
||||||
|
"container exec should succeed after exchange failure")
|
||||||
|
s.Require().Equal(0, aliveCode,
|
||||||
|
"gost container should be alive after exchange failure")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
// Rate limiter
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
// TestDNSRateLimiter verifies that rate limiting configuration is accepted
|
||||||
|
// and the handler processes queries through the rate limiter path without
|
||||||
|
// crashing. Uses a generous global limit (1000/s) so queries pass.
|
||||||
|
func (s *DNSSuite) TestDNSRateLimiter() {
|
||||||
|
dnsC := s.startDNSResponder()
|
||||||
|
defer dnsC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/dns/server_rlimiter.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/dns_query.py", ContainerFilePath: "/scripts/dns_query.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"1053/udp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("query-with-limiter", func(t *testing.T) {
|
||||||
|
s.dnsQueryWithDelay(gostC, "udp", "127.0.0.1", "1053",
|
||||||
|
"test.example.com", "A", "10.0.0.1")
|
||||||
|
})
|
||||||
|
s.T().Run("second-query-with-limiter", func(t *testing.T) {
|
||||||
|
s.dnsQuery(gostC, "udp", "127.0.0.1", "1053",
|
||||||
|
"test2.example.com", "A", "10.0.0.2")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
// Invalid query
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
// TestDNSInvalidQuery verifies the DNS listener gracefully handles malformed
|
||||||
|
// DNS messages. Sends garbage bytes and checks the gost container is
|
||||||
|
// unaffected (no crash, no hang).
|
||||||
|
func (s *DNSSuite) TestDNSInvalidQuery() {
|
||||||
|
gostC := s.startGostWithQueryScript("testdata/dns/server_upstream.yaml", "1053/udp")
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("send-garbage-bytes", func(t *testing.T) {
|
||||||
|
// Send 5 bytes of garbage via UDP. The miekg/dns server
|
||||||
|
// will fail to parse them and discard the packet.
|
||||||
|
s.sendRaw(gostC, "127.0.0.1", "1053", "garbage!")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("container-alive-after-garbage", func(t *testing.T) {
|
||||||
|
// Verify the gost container is still alive after receiving
|
||||||
|
// invalid data.
|
||||||
|
aliveCode, _, aliveErr := gostC.Exec(s.ctx, []string{"true"})
|
||||||
|
s.Require().NoError(aliveErr,
|
||||||
|
"container exec should succeed after invalid query")
|
||||||
|
s.Require().Equal(0, aliveCode,
|
||||||
|
"gost container should be alive after invalid query")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
// DNS over TLS
|
||||||
|
// ---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
// TestDNSTLS verifies the DNS listener in TLS mode (DNS over TLS).
|
||||||
|
// Starts the UDP DNS responder (unencrypted), a gost DNS server with
|
||||||
|
// listener mode: tls, and queries through the TLS endpoint.
|
||||||
|
func (s *DNSSuite) TestDNSTLS() {
|
||||||
|
dnsC := s.startDNSResponder()
|
||||||
|
defer dnsC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/dns/server_tls.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/dns_tls_query.py", ContainerFilePath: "/scripts/dns_tls_query.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"1053/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Query via TLS
|
||||||
|
args := []string{"python3", "/scripts/dns_tls_query.py",
|
||||||
|
"127.0.0.1", "1053", "test.example.com", "A", "10.0.0.1"}
|
||||||
|
|
||||||
|
for i := range 5 {
|
||||||
|
code, out, err := gostC.Exec(s.ctx, args)
|
||||||
|
if err != nil {
|
||||||
|
s.T().Logf("tls query attempt %d exec error: %v", i+1, err)
|
||||||
|
time.Sleep(time.Second)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
if err != nil {
|
||||||
|
s.T().Logf("tls query attempt %d read error: %v", i+1, err)
|
||||||
|
time.Sleep(time.Second)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
output := string(body)
|
||||||
|
s.T().Logf("tls query attempt %d: %s", i+1, strings.TrimSpace(output))
|
||||||
|
|
||||||
|
if code == 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
time.Sleep(time.Second)
|
||||||
|
}
|
||||||
|
|
||||||
|
s.T().Fatal("TLS query failed after 5 retries")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestDNSSuite(t *testing.T) {
|
||||||
|
suite.Run(t, new(DNSSuite))
|
||||||
|
}
|
||||||
@@ -0,0 +1,194 @@
|
|||||||
|
package e2e
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"io"
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/suite"
|
||||||
|
"github.com/testcontainers/testcontainers-go"
|
||||||
|
)
|
||||||
|
|
||||||
|
type FileSuite struct {
|
||||||
|
suite.Suite
|
||||||
|
ctx context.Context
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *FileSuite) SetupSuite() {
|
||||||
|
s.ctx = context.Background()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *FileSuite) TearDownSuite() {}
|
||||||
|
|
||||||
|
// TestFileGetExisting verifies that GET on an existing file returns
|
||||||
|
// the file content with HTTP 200. Covers the basic file serving path:
|
||||||
|
// file handler → http.FileServer → file read.
|
||||||
|
func (s *FileSuite) TestFileGetExisting() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/file/server.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "testdata/file/hello.txt", ContainerFilePath: "/srv/files/hello.txt", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8080/hello.txt"}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost-file") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "file-server logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost-file")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestFileGetNotFound verifies that GET on a nonexistent file returns
|
||||||
|
// 404 Not Found.
|
||||||
|
func (s *FileSuite) TestFileGetNotFound() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/file/server.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "testdata/file/hello.txt", ContainerFilePath: "/srv/files/hello.txt", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||||
|
"http://127.0.0.1:8080/nonexistent.txt"}
|
||||||
|
_, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
s.Assert().Contains(string(body), "404")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestFileGetIndexHtml verifies that GET / serves index.html when
|
||||||
|
// present in the served directory. Covers the default index document
|
||||||
|
// behavior of http.FileServer.
|
||||||
|
func (s *FileSuite) TestFileGetIndexHtml() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/file/server.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "testdata/file/index.html", ContainerFilePath: "/srv/files/index.html", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8080/"}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "gost file index") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "file-server index logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "gost file index")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestFilePutUpload verifies that PUT uploads a file when file.put is
|
||||||
|
// enabled. Uploads a file and then reads it back via GET to confirm
|
||||||
|
// the content was persisted.
|
||||||
|
func (s *FileSuite) TestFilePutUpload() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/file/server_put.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "testdata/file/.empty", ContainerFilePath: "/srv/files/.empty", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Create source content inside the container.
|
||||||
|
_, _, err = gostC.Exec(s.ctx, []string{
|
||||||
|
"sh", "-c", "printf 'uploaded-content' > /tmp/upload_src.txt",
|
||||||
|
})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
// Upload via PUT.
|
||||||
|
_, out, err := gostC.Exec(s.ctx, []string{
|
||||||
|
"curl", "-v", "-s", "-T", "/tmp/upload_src.txt",
|
||||||
|
"http://127.0.0.1:8080/uploaded.txt",
|
||||||
|
})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
putBody, _ := io.ReadAll(out)
|
||||||
|
s.T().Logf("PUT response:\n%s", string(putBody))
|
||||||
|
|
||||||
|
// Read back the uploaded file via GET.
|
||||||
|
_, out2, err := gostC.Exec(s.ctx, []string{
|
||||||
|
"curl", "-v", "-s",
|
||||||
|
"http://127.0.0.1:8080/uploaded.txt",
|
||||||
|
})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
body, _ := io.ReadAll(out2)
|
||||||
|
s.Assert().Contains(string(body), "uploaded-content")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestFilePutNoPermission verifies that PUT returns 405 Method Not
|
||||||
|
// Allowed when file.put is not enabled (default: false).
|
||||||
|
func (s *FileSuite) TestFilePutNoPermission() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/file/server.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "testdata/file/.empty", ContainerFilePath: "/srv/files/.empty", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||||
|
"-T", "/dev/null", "http://127.0.0.1:8080/test.txt"}
|
||||||
|
_, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
s.Assert().Contains(string(body), "405")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestFileAuth verifies authentication on the file handler.
|
||||||
|
// Without credentials the handler returns 401 Unauthorized,
|
||||||
|
// with valid credentials it serves the file.
|
||||||
|
func (s *FileSuite) TestFileAuth() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/file/server_auth.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "testdata/file/hello.txt", ContainerFilePath: "/srv/files/hello.txt", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("no-auth-401", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||||
|
"http://127.0.0.1:8080/hello.txt"}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
s.Assert().Contains(string(body), "401")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("with-auth-success", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-u", "user:pass",
|
||||||
|
"http://127.0.0.1:8080/hello.txt"}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost-file") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "file-server auth logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost-file")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestFileSuite(t *testing.T) {
|
||||||
|
suite.Run(t, new(FileSuite))
|
||||||
|
}
|
||||||
@@ -0,0 +1,291 @@
|
|||||||
|
package e2e
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"encoding/base64"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/suite"
|
||||||
|
"github.com/testcontainers/testcontainers-go"
|
||||||
|
)
|
||||||
|
|
||||||
|
type ForwardSuite struct {
|
||||||
|
suite.Suite
|
||||||
|
ctx context.Context
|
||||||
|
echoC testcontainers.Container
|
||||||
|
echoIP string
|
||||||
|
udpC testcontainers.Container
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *ForwardSuite) SetupSuite() {
|
||||||
|
s.ctx = context.Background()
|
||||||
|
|
||||||
|
s.T().Logf("start tcp echo container...")
|
||||||
|
echoC, err := RunEchoContainer(s.ctx, SharedNetworkName)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.echoC = echoC
|
||||||
|
|
||||||
|
echoIP, err := echoC.ContainerIP(s.ctx)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.echoIP = echoIP
|
||||||
|
|
||||||
|
s.T().Logf("start udp echo container...")
|
||||||
|
udpC, err := RunUDPEchoContainer(s.ctx, SharedNetworkName)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.udpC = udpC
|
||||||
|
}
|
||||||
|
|
||||||
|
// sendRaw sends a raw HTTP request via netcat and returns the response.
|
||||||
|
// Uses base64 to avoid shell quoting issues with CRLF bytes.
|
||||||
|
func (s *ForwardSuite) sendRaw(gostC testcontainers.Container, host, port, data string) string {
|
||||||
|
encoded := base64.StdEncoding.EncodeToString([]byte(data))
|
||||||
|
cmd := []string{"sh", "-c",
|
||||||
|
fmt.Sprintf("echo %s | base64 -d | nc -w 5 %s %s", encoded, host, port)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
b, _ := io.ReadAll(out)
|
||||||
|
return string(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *ForwardSuite) TearDownSuite() {
|
||||||
|
if s.echoC != nil {
|
||||||
|
s.echoC.Terminate(s.ctx)
|
||||||
|
}
|
||||||
|
if s.udpC != nil {
|
||||||
|
s.udpC.Terminate(s.ctx)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestTCPForward verifies basic TCP forward handler (handler type: tcp).
|
||||||
|
// The forward handler pipes raw TCP connections to the configured forwarder
|
||||||
|
// node (tcp-echo:5678). curl connects directly to the handler port and sends
|
||||||
|
// an HTTP request, expecting the echo server's "hello-gost" response.
|
||||||
|
func (s *ForwardSuite) TestTCPForward() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/forward/server.yaml", "8000/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// curl directly to the handler port (not via -x proxy flag).
|
||||||
|
// The TCP forward handler pipes our connection to tcp-echo:5678.
|
||||||
|
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8000/"}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "tcp-forward logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestForwardAlias verifies that the "forward" handler type (alias for "tcp")
|
||||||
|
// works identically to the "tcp" handler type.
|
||||||
|
func (s *ForwardSuite) TestForwardAlias() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/forward/server.yaml", "8000/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8000/"}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "forward-alias logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestTCPForwardSniffing verifies TCP forward handler with sniffing enabled.
|
||||||
|
// When sniffing is enabled and the connection starts with HTTP data, the handler
|
||||||
|
// detects the protocol via sniffing.Sniff and delegates to the HTTP sniffer
|
||||||
|
// for protocol-aware forwarding. The result is the same as raw forwarding:
|
||||||
|
// "hello-gost" from the echo server.
|
||||||
|
func (s *ForwardSuite) TestTCPForwardSniffing() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/forward/server_sniffing.yaml", "8000/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// curl directly — sniffing detects HTTP and handles via sniffer.
|
||||||
|
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8000/"}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "tcp-forward-sniffing logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestTCPForwardRaw verifies raw TCP forwarding by sending an HTTP request
|
||||||
|
// via netcat through the forward handler. This tests the handleRawForwarding
|
||||||
|
// code path (no sniffing), proving that raw bytes are piped through correctly.
|
||||||
|
func (s *ForwardSuite) TestTCPForwardRaw() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/forward/server.yaml", "8000/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Send raw HTTP request via nc (not curl) to exercise the raw pipe path.
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8000",
|
||||||
|
"GET / HTTP/1.0\r\nHost: tcp-echo\r\n\r\n")
|
||||||
|
s.Assert().Contains(resp, "hello-gost",
|
||||||
|
"raw request through TCP forward should reach echo server")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestTCPForwardIdleTimeout verifies that idleTimeout closes the pipe after
|
||||||
|
// a period of inactivity. The forward handler's xnet.Pipe uses idleTimeout
|
||||||
|
// as a read deadline on the upstream connection — if no data flows for
|
||||||
|
// that duration, the pipe closes both directions.
|
||||||
|
func (s *ForwardSuite) TestTCPForwardIdleTimeout() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/forward/server_idle_timeout.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/tcp_idle_timeout.py", ContainerFilePath: "/scripts/tcp_idle_timeout.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8000/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// The Python script:
|
||||||
|
// 1. Connects to gost TCP forward port
|
||||||
|
// 2. Sends HTTP GET → expects "hello-gost" confirm pipe is alive
|
||||||
|
// 3. Waits > idleTimeout (3s + 2s buffer)
|
||||||
|
// 4. Sends more data — expects connection to be closed
|
||||||
|
code, out, err := gostC.Exec(s.ctx, []string{
|
||||||
|
"python3", "/scripts/tcp_idle_timeout.py",
|
||||||
|
"127.0.0.1", "8000", "3",
|
||||||
|
})
|
||||||
|
output, _ := io.ReadAll(out)
|
||||||
|
s.T().Logf("idle timeout output:\n%s", string(output))
|
||||||
|
if code != 0 {
|
||||||
|
DumpLogs(s.T(), s.ctx, "tcp-idle-timeout logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code, "idle timeout test script should exit 0")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestUDPForward verifies basic UDP forwarding (handler: udp, listener: udp).
|
||||||
|
// The handler uses handleRawDatagram via the stateful UDP listener's
|
||||||
|
// per-client session conns (which implement net.PacketConn).
|
||||||
|
// A Python script inside the gost container sends a UDP datagram through
|
||||||
|
// the forward handler and verifies the echo response from udp-echo:5679.
|
||||||
|
func (s *ForwardSuite) TestUDPForward() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/forward/server_udp.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/udp_forward_test.py", ContainerFilePath: "/scripts/udp_forward_test.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"9000/udp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
code, out, err := gostC.Exec(s.ctx, []string{
|
||||||
|
"python3", "/scripts/udp_forward_test.py",
|
||||||
|
"127.0.0.1", "9000",
|
||||||
|
})
|
||||||
|
output, _ := io.ReadAll(out)
|
||||||
|
s.T().Logf("udp forward output:\n%s", string(output))
|
||||||
|
if code != 0 {
|
||||||
|
DumpLogs(s.T(), s.ctx, "udp-forward logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code, "udp forward test script should exit 0")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestUDPForwardStateless verifies UDP forwarding with stateless mode.
|
||||||
|
// Both listener and handler use stateless: true, so each datagram is a
|
||||||
|
// single request-response cycle with no per-client session tracking.
|
||||||
|
func (s *ForwardSuite) TestUDPForwardStateless() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/forward/server_udp_stateless.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/udp_forward_test.py", ContainerFilePath: "/scripts/udp_forward_test.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"9000/udp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
code, out, err := gostC.Exec(s.ctx, []string{
|
||||||
|
"python3", "/scripts/udp_forward_test.py",
|
||||||
|
"127.0.0.1", "9000",
|
||||||
|
})
|
||||||
|
output, _ := io.ReadAll(out)
|
||||||
|
s.T().Logf("udp forward stateless output:\n%s", string(output))
|
||||||
|
if code != 0 {
|
||||||
|
DumpLogs(s.T(), s.ctx, "udp-forward-stateless logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code, "udp forward stateless test script should exit 0")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestTCPForwardSniffingBypass verifies that when sniffing is enabled and a
|
||||||
|
// bypass rule blocks the target, the HTTP sniffer returns 403 Forbidden.
|
||||||
|
// The forward handler delegates to the HTTP sniffer (via handleSniffedProtocol),
|
||||||
|
// and the sniffer's resolveHTTPNode checks h.options.Bypass and returns 403
|
||||||
|
// when the destination is matched.
|
||||||
|
func (s *ForwardSuite) TestTCPForwardSniffingBypass() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/forward/server_bypass_sniffing.yaml", "8000/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// curl connects directly; sniffing detects HTTP. The sniffer bypass
|
||||||
|
// check matches 0.0.0.0/0 and returns 403 Forbidden.
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
|
||||||
|
"http://127.0.0.1:8000/"}
|
||||||
|
_, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
output := string(body)
|
||||||
|
|
||||||
|
s.Assert().Contains(output, "403",
|
||||||
|
"bypass should return 403 Forbidden from sniffer")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestTCPForwardMultiNodeProtocol verifies that sniffing + protocol-filtered
|
||||||
|
// forwarder nodes correctly routes an HTTP request to the node with matching
|
||||||
|
// protocol (http), rather than the one with protocol: tls.
|
||||||
|
//
|
||||||
|
// Config has two nodes:
|
||||||
|
// - echo-http (protocol: http) → tcp-echo:5678 (works, returns "hello-gost")
|
||||||
|
// - echo-tls (protocol: tls) → tcp-echo:1 (closed port, would fail)
|
||||||
|
//
|
||||||
|
// With sniffing enabled, an HTTP request is detected as protocol "http",
|
||||||
|
// Select("http") filters to only the echo-http node. If protocol filtering
|
||||||
|
// fails and the tls node is selected instead, the connection to port 1
|
||||||
|
// fails and the test fails.
|
||||||
|
func (s *ForwardSuite) TestTCPForwardMultiNodeProtocol() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/forward/server_multi_node.yaml", "8000/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// curl sends an HTTP request → sniffed as "http" → Select("http")
|
||||||
|
// filters to echo-http (protocol: http) → pipes to tcp-echo:5678
|
||||||
|
cmd := []string{"curl", "-v", "-s", "http://127.0.0.1:8000/"}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "tcp-forward-multi-node logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost",
|
||||||
|
"HTTP request should route to the http-protocol node via protocol filtering")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestForwardSuite(t *testing.T) {
|
||||||
|
suite.Run(t, new(ForwardSuite))
|
||||||
|
}
|
||||||
@@ -0,0 +1,216 @@
|
|||||||
|
package e2e
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"os"
|
||||||
|
"strings"
|
||||||
|
"sync"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/suite"
|
||||||
|
"github.com/testcontainers/testcontainers-go"
|
||||||
|
)
|
||||||
|
|
||||||
|
// HTTP2Suite covers the HTTP/2 proxy handler (handler type: http2) together
|
||||||
|
// with the HTTP/2 listener (listener type: http2). The http2 listener wraps
|
||||||
|
// the underlying TCP listener with TLS and configures an h2 server, so the
|
||||||
|
// handler is always reached over HTTP/2 frames.
|
||||||
|
//
|
||||||
|
// Because Alpine's curl cannot be relied on to speak HTTP/2 proxy to the
|
||||||
|
// server directly, the suite uses the canonical GOST chaining pattern: a
|
||||||
|
// client container exposes a plain HTTP proxy which forwards through an
|
||||||
|
// http2 connector + http2 dialer to the http2 server. This exercises the
|
||||||
|
// h2 listener, the h2 handler, and the h2 connector/dialer together.
|
||||||
|
type HTTP2Suite struct {
|
||||||
|
suite.Suite
|
||||||
|
ctx context.Context
|
||||||
|
echoC testcontainers.Container
|
||||||
|
echoIP string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *HTTP2Suite) SetupSuite() {
|
||||||
|
s.ctx = context.Background()
|
||||||
|
|
||||||
|
s.T().Logf("start tcp echo container...")
|
||||||
|
echoC, err := RunEchoContainer(s.ctx, SharedNetworkName)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.echoC = echoC
|
||||||
|
|
||||||
|
echoIP, err := echoC.ContainerIP(s.ctx)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.echoIP = echoIP
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *HTTP2Suite) TearDownSuite() {
|
||||||
|
if s.echoC != nil {
|
||||||
|
s.echoC.Terminate(s.ctx)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// startChain brings up an http2 server (alias "h2-server") and an http client
|
||||||
|
// container that chains to it through connector/dialer type http2. The client
|
||||||
|
// exposes port 8080 for curl. The rendered client config is cleaned up by the
|
||||||
|
// caller-supplied template path resolving {{.ServerAddr}} to h2-server:8443.
|
||||||
|
func (s *HTTP2Suite) startChain(serverYAML, clientTmpl string) (testcontainers.Container, testcontainers.Container) {
|
||||||
|
s.T().Helper()
|
||||||
|
|
||||||
|
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
|
||||||
|
serverYAML, []string{"h2-server"}, []string{"8443/tcp"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
rendered, err := RenderConfig(clientTmpl, ConfigData{ServerAddr: "h2-server:8443"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.T().Cleanup(func() { os.Remove(rendered) })
|
||||||
|
|
||||||
|
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
rendered, "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
return serverC, clientC
|
||||||
|
}
|
||||||
|
|
||||||
|
// curlEcho runs curl through the client's local http proxy and returns the
|
||||||
|
// process exit code plus the captured body.
|
||||||
|
func (s *HTTP2Suite) curlEcho(clientC testcontainers.Container) (int, string) {
|
||||||
|
s.T().Helper()
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, _ := clientC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
return code, string(body)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *HTTP2Suite) dump(label string, cs ...testcontainers.Container) {
|
||||||
|
for _, c := range cs {
|
||||||
|
DumpLogs(s.T(), s.ctx, label, c)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTP2ForwardProxy verifies the core HTTP/2 proxy path: a plain HTTP
|
||||||
|
// request through the client proxy is tunneled to the http2 server via an h2
|
||||||
|
// CONNECT stream and reaches the echo backend.
|
||||||
|
//
|
||||||
|
// Covers:
|
||||||
|
// - listener type: http2 (TLS + h2 server)
|
||||||
|
// - handler type: http2 (CONNECT tunnel + bidirectional pipe)
|
||||||
|
// - connector type: http2, dialer type: http2 (h2 client)
|
||||||
|
func (s *HTTP2Suite) TestHTTP2ForwardProxy() {
|
||||||
|
serverC, clientC := s.startChain("testdata/http2/server.yaml", "testdata/http2/client.yaml")
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
code, body := s.curlEcho(clientC)
|
||||||
|
if code != 0 || !strings.Contains(body, "hello-gost") {
|
||||||
|
s.dump("http2-forward logs", clientC, serverC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(body, "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTP2Auth verifies proxy authentication over the h2 tunnel, plus
|
||||||
|
// authBasicRealm and hash metadata parsing on the http2 handler.
|
||||||
|
//
|
||||||
|
// - with auth: CONNECT succeeds → echo body returned
|
||||||
|
// - without auth: server rejects CONNECT (407) → client cannot reach echo
|
||||||
|
func (s *HTTP2Suite) TestHTTP2Auth() {
|
||||||
|
s.T().Run("with-auth-success", func(t *testing.T) {
|
||||||
|
serverC, clientC := s.startChain("testdata/http2/server_auth.yaml", "testdata/http2/client_auth.yaml")
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
code, body := s.curlEcho(clientC)
|
||||||
|
if code != 0 || !strings.Contains(body, "hello-gost") {
|
||||||
|
s.dump("http2-auth-success logs", clientC, serverC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(body, "hello-gost")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("no-auth-fails", func(t *testing.T) {
|
||||||
|
// Server requires auth; client sends none → the http2 CONNECT is
|
||||||
|
// rejected with 407, so curl cannot obtain the echo body.
|
||||||
|
serverC, clientC := s.startChain("testdata/http2/server_auth.yaml", "testdata/http2/client.yaml")
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
code, body := s.curlEcho(clientC)
|
||||||
|
if strings.Contains(body, "hello-gost") {
|
||||||
|
s.dump("http2-auth-noauth logs", clientC, serverC)
|
||||||
|
}
|
||||||
|
s.Require().Zero(code,
|
||||||
|
"curl should still receive an HTTP response from the local proxy")
|
||||||
|
s.Require().NotContains(body, "hello-gost",
|
||||||
|
"without auth the echo backend must be unreachable")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTP2Bypass verifies that a bypass matcher on the http2 handler blocks
|
||||||
|
// the CONNECT target after authentication succeeds. The server returns 403, so
|
||||||
|
// the client cannot reach the echo backend.
|
||||||
|
func (s *HTTP2Suite) TestHTTP2Bypass() {
|
||||||
|
serverC, clientC := s.startChain("testdata/http2/server_bypass.yaml", "testdata/http2/client_auth.yaml")
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
code, body := s.curlEcho(clientC)
|
||||||
|
if strings.Contains(body, "hello-gost") {
|
||||||
|
s.dump("http2-bypass logs", clientC, serverC)
|
||||||
|
}
|
||||||
|
s.Require().Zero(code,
|
||||||
|
"curl should still receive an HTTP response from the local proxy")
|
||||||
|
s.Require().NotContains(body, "hello-gost",
|
||||||
|
"bypass should prevent reaching the echo backend")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTP2ProbeResist verifies that probeResist, header and authBasicRealm
|
||||||
|
// metadata parse cleanly on the http2 handler and do not break the success
|
||||||
|
// path. With correct credentials the request still reaches the echo backend.
|
||||||
|
func (s *HTTP2Suite) TestHTTP2ProbeResist() {
|
||||||
|
serverC, clientC := s.startChain("testdata/http2/server_proberesist.yaml", "testdata/http2/client_auth.yaml")
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
code, body := s.curlEcho(clientC)
|
||||||
|
if code != 0 || !strings.Contains(body, "hello-gost") {
|
||||||
|
s.dump("http2-proberesist logs", clientC, serverC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(body, "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTP2Multiplex verifies HTTP/2 stream multiplexing: many concurrent
|
||||||
|
// requests through the client proxy are tunneled as parallel h2 streams over a
|
||||||
|
// single underlying connection to the http2 server. All requests must reach
|
||||||
|
// the echo backend.
|
||||||
|
func (s *HTTP2Suite) TestHTTP2Multiplex() {
|
||||||
|
serverC, clientC := s.startChain("testdata/http2/server.yaml", "testdata/http2/client.yaml")
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
const n = 6
|
||||||
|
var wg sync.WaitGroup
|
||||||
|
wg.Add(n)
|
||||||
|
failed := make(chan string, n)
|
||||||
|
for i := 0; i < n; i++ {
|
||||||
|
go func() {
|
||||||
|
defer wg.Done()
|
||||||
|
_, body := s.curlEcho(clientC)
|
||||||
|
if !strings.Contains(body, "hello-gost") {
|
||||||
|
failed <- "missing echo body"
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
}
|
||||||
|
wg.Wait()
|
||||||
|
close(failed)
|
||||||
|
|
||||||
|
if len(failed) > 0 {
|
||||||
|
s.dump("http2-multiplex logs", clientC, serverC)
|
||||||
|
}
|
||||||
|
s.Require().Empty(failed, "all concurrent h2 requests should reach the echo backend")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestHTTP2Suite(t *testing.T) {
|
||||||
|
suite.Run(t, new(HTTP2Suite))
|
||||||
|
}
|
||||||
@@ -0,0 +1,605 @@
|
|||||||
|
package e2e
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"encoding/base64"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"os"
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/suite"
|
||||||
|
"github.com/testcontainers/testcontainers-go"
|
||||||
|
)
|
||||||
|
|
||||||
|
type HTTPSuite struct {
|
||||||
|
suite.Suite
|
||||||
|
ctx context.Context
|
||||||
|
echoC testcontainers.Container
|
||||||
|
echoIP string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *HTTPSuite) SetupSuite() {
|
||||||
|
s.ctx = context.Background()
|
||||||
|
|
||||||
|
s.T().Logf("start tcp echo container...")
|
||||||
|
echoC, err := RunEchoContainer(s.ctx, SharedNetworkName)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.echoC = echoC
|
||||||
|
|
||||||
|
echoIP, err := echoC.ContainerIP(s.ctx)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
s.echoIP = echoIP
|
||||||
|
}
|
||||||
|
|
||||||
|
// sendRaw sends a raw HTTP request via netcat and returns the response.
|
||||||
|
// Uses base64 to avoid shell quoting issues with CRLF bytes.
|
||||||
|
func (s *HTTPSuite) sendRaw(gostC testcontainers.Container, host, port, data string) string {
|
||||||
|
encoded := base64.StdEncoding.EncodeToString([]byte(data))
|
||||||
|
cmd := []string{"sh", "-c",
|
||||||
|
fmt.Sprintf("echo %s | base64 -d | nc -w 5 %s %s", encoded, host, port)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
b, _ := io.ReadAll(out)
|
||||||
|
return string(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *HTTPSuite) TearDownSuite() {
|
||||||
|
if s.echoC != nil {
|
||||||
|
s.echoC.Terminate(s.ctx)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxy verifies basic HTTP forward proxy (no auth, no metadata).
|
||||||
|
// Covers: handler type http, listener type tcp, basic GET via proxy.
|
||||||
|
func (s *HTTPSuite) TestHTTPProxy() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// curl -x uses HTTP forward proxy (GET with absolute URL)
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-proxy logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxyAuth verifies proxy authentication and the authBasicRealm
|
||||||
|
// metadata parameter.
|
||||||
|
//
|
||||||
|
// Covers:
|
||||||
|
// - auther: basic auth on HTTP proxy
|
||||||
|
// - authBasicRealm: custom realm string in 407 Proxy-Authenticate header
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyAuth() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_auth.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("no-auth-407", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
|
||||||
|
"-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
output := string(body)
|
||||||
|
s.Assert().Contains(output, "407",
|
||||||
|
"no auth should return 407")
|
||||||
|
s.Assert().Contains(output, "gost-e2e-realm",
|
||||||
|
"authBasicRealm should appear in 407 Proxy-Authenticate")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("wrong-auth-407", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||||
|
"-x", "http://wrong:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
s.Assert().Contains(string(body), "407",
|
||||||
|
"wrong password should return 407")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("with-auth-success", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://user:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-proxy-auth logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxyMetadata verifies:
|
||||||
|
// - probeResist: code:404 — unauthorised clients see 404 instead of 407
|
||||||
|
// - keepalive: config parsing (applied at Init time)
|
||||||
|
// - compression: config parsing (applied at Init time)
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyMetadata() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_metadata.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("probe-resist-404", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||||
|
"-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
output := string(body)
|
||||||
|
s.Assert().NotContains(output, "407",
|
||||||
|
"probeResist should hide 407 status")
|
||||||
|
s.Assert().Contains(output, "404",
|
||||||
|
"probeResist should return configured decoy code")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("with-auth-success", func(t *testing.T) {
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://user:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-metadata logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxyHeaders verifies:
|
||||||
|
// - header: custom response headers (X-Proxy-Info, X-Custom) on
|
||||||
|
// proxy-originated error responses. The header metadata is set on
|
||||||
|
// the skeleton response used for error paths after authentication.
|
||||||
|
// - proxyAgent: custom Proxy-Agent header in proxy responses.
|
||||||
|
//
|
||||||
|
// Uses a bypass matcher (0.0.0.0/0) that blocks all traffic after auth
|
||||||
|
// succeeds → requests hit 403 Forbidden path which carries custom headers.
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyHeaders() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_headers.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Auth succeeds, but target is bypassed → 403 Forbidden
|
||||||
|
// The 403 response is built from the skeleton resp which
|
||||||
|
// carries h.md.header (custom headers) and h.md.proxyAgent.
|
||||||
|
s.T().Log("bypass: expect 403 with custom headers")
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
|
||||||
|
"-x", "http://user:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
headers, _ := io.ReadAll(out)
|
||||||
|
output := string(headers)
|
||||||
|
|
||||||
|
// Bypass → 403 Forbidden
|
||||||
|
s.Assert().Contains(output, "403",
|
||||||
|
"bypass should return 403")
|
||||||
|
// header: custom X-Proxy-Info header on error response
|
||||||
|
s.Assert().Contains(output, "X-Proxy-Info: gost-e2e",
|
||||||
|
"custom header should appear in 403 response")
|
||||||
|
// header: custom X-Custom header on error response
|
||||||
|
s.Assert().Contains(output, "X-Custom: test-value",
|
||||||
|
"custom header should appear in 403 response")
|
||||||
|
// proxyAgent: custom Proxy-Agent header on error response
|
||||||
|
s.Assert().Contains(output, "Proxy-Agent: gost-e2e/1.0",
|
||||||
|
"proxyAgent should appear in 403 response")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPConnect verifies HTTP CONNECT tunnel:
|
||||||
|
// - sniffing-enabled: sniffing:true + sniffing.timeout:2s
|
||||||
|
// - no-sniffing: plain CONNECT (default, no metadata)
|
||||||
|
// - bypass-403: CONNECT blocked by (0.0.0.0/0) bypass
|
||||||
|
//
|
||||||
|
// Uses curl --proxytunnel (-p) to force CONNECT method instead of GET.
|
||||||
|
func (s *HTTPSuite) TestHTTPConnect() {
|
||||||
|
s.T().Run("sniffing-enabled", func(t *testing.T) {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_connect.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-p", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connect sniffing logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("no-sniffing", func(t *testing.T) {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-p", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := gostC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connect no-sniffing logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("bypass-403", func(t *testing.T) {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_connect_bypass.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-D", "-", "-o", "/dev/null",
|
||||||
|
"-p", "-x", "http://user:pass@127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
output := string(body)
|
||||||
|
s.Assert().Contains(output, "403",
|
||||||
|
"CONNECT bypass should return 403")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxyDirectRequest verifies that a non-proxy-form HTTP request
|
||||||
|
// (raw GET / sent to the proxy port) is rejected with 400 Bad Request.
|
||||||
|
// A raw request with empty Host header has no valid scheme to infer,
|
||||||
|
// so the handler returns 400.
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyDirectRequest() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET / HTTP/1.0\r\nHost: bad!\r\n\r\n")
|
||||||
|
s.Assert().Contains(resp, "400",
|
||||||
|
"non-proxy GET should return 400")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProxyPOST verifies that POST method forwarding works through
|
||||||
|
// the HTTP forward proxy. The echo server only handles GET, so the proxy
|
||||||
|
// should forward the POST request and return whatever the upstream sends
|
||||||
|
// back (501 Not Implemented from the echo server — not a proxy error).
|
||||||
|
// 501 is the real upstream response, proving the proxy forwarded it.
|
||||||
|
func (s *HTTPSuite) TestHTTPProxyPOST() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-o", "/dev/null", "-w", "%{http_code}",
|
||||||
|
"-X", "POST", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678/", s.echoIP)}
|
||||||
|
_, out, _ := gostC.Exec(s.ctx, cmd)
|
||||||
|
body, _ := io.ReadAll(out)
|
||||||
|
output := string(body)
|
||||||
|
// The echo server's BaseHTTPRequestHandler defaults to 501 for POST.
|
||||||
|
// If we get 501 through the proxy, it means the method was forwarded.
|
||||||
|
s.Assert().Contains(output, "501",
|
||||||
|
"POST through proxy should be forwarded, echo server returns 501")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPConnectUnreachable verifies that CONNECT to an unreachable target
|
||||||
|
// returns 503 Service Unavailable.
|
||||||
|
func (s *HTTPSuite) TestHTTPConnectUnreachable() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_connect.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Send a raw CONNECT request to a port where nothing is listening.
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
fmt.Sprintf("CONNECT %s:1 HTTP/1.0\r\nHost: %s:1\r\n\r\n", s.echoIP, s.echoIP))
|
||||||
|
s.Assert().Contains(resp, "503",
|
||||||
|
"CONNECT to unreachable target should return 503")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPConnector verifies HTTP connector type: a gost client uses an HTTP
|
||||||
|
// connector to forward through an upstream HTTP proxy (no auth), reaching the
|
||||||
|
// target via the proxy chain. This covers the server+client two-container
|
||||||
|
// pattern where the client connects to the server via connector type: http.
|
||||||
|
func (s *HTTPSuite) TestHTTPConnector() {
|
||||||
|
// Start upstream HTTP proxy server (no auth).
|
||||||
|
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server.yaml", []string{"http-server"}, []string{"8080/tcp"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Render client config that chains through the upstream server.
|
||||||
|
rendered, err := RenderConfig("testdata/http/client_connector.yaml",
|
||||||
|
ConfigData{ServerAddr: "http-server:8080"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer os.Remove(rendered)
|
||||||
|
|
||||||
|
// Start client with the rendered config.
|
||||||
|
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
rendered, "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Request through client proxy → HTTP connector → upstream HTTP server → target.
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := clientC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector client logs", clientC)
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector server logs", serverC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPConnectorAuth verifies HTTP connector with authentication:
|
||||||
|
// no-auth → 407, correct auth → success.
|
||||||
|
func (s *HTTPSuite) TestHTTPConnectorAuth() {
|
||||||
|
// Start upstream HTTP proxy with auth and network alias.
|
||||||
|
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_auth.yaml", []string{"http-server"}, []string{"8080/tcp"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("no-auth-407", func(t *testing.T) {
|
||||||
|
// Send raw request directly to server container (no auth) → 407.
|
||||||
|
resp := s.sendRaw(serverC, "127.0.0.1", "8080",
|
||||||
|
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||||
|
s.Assert().Contains(resp, "407",
|
||||||
|
"no auth via upstream should return 407")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("correct-auth-success", func(t *testing.T) {
|
||||||
|
rendered, err := RenderConfig("testdata/http/client_connector_auth.yaml",
|
||||||
|
ConfigData{ServerAddr: "http-server:8080"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer os.Remove(rendered)
|
||||||
|
|
||||||
|
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
rendered, "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := clientC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector-auth client logs", clientC)
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector-auth server logs", serverC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProbeResistHost verifies probeResist host type.
|
||||||
|
// When auth fails, the handler pipes the raw request to
|
||||||
|
// the decoy host (tcp-echo:5678). The TCP echo server echoes
|
||||||
|
// back the request bytes rather than returning a 407.
|
||||||
|
func (s *HTTPSuite) TestHTTPProbeResistHost() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_proberesist_host.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Without auth, probeResist host pipes the raw request to tcp-echo:5678.
|
||||||
|
// The HTTP echo server returns 200 OK with "hello-gost", proving the
|
||||||
|
// request reached the decoy host rather than getting a 407 response.
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||||
|
s.Assert().NotContains(resp, "407",
|
||||||
|
"probeResist host should hide 407 response")
|
||||||
|
s.Assert().Contains(resp, "hello-gost",
|
||||||
|
"probeResist host should pipe request to decoy host")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProbeResistKnock verifies probeResist knock mechanism.
|
||||||
|
// Clients that connect with a recognized knock Host header
|
||||||
|
// get a normal 407 auth challenge instead of the decoy response.
|
||||||
|
//
|
||||||
|
// Uses server_proberesist_knock.yaml:
|
||||||
|
// - probeResist: code:404 (decoy 404 for unknown hosts)
|
||||||
|
// - knock: secret.example.com (known hosts get normal 407)
|
||||||
|
func (s *HTTPSuite) TestHTTPProbeResistKnock() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_proberesist_knock.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
s.T().Run("unknown-host-decoy", func(t *testing.T) {
|
||||||
|
// URL hostname doesn't match knock list → probeResist fires → 404
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||||
|
s.Assert().Contains(resp, "404",
|
||||||
|
"unknown host should get decoy 404")
|
||||||
|
s.Assert().NotContains(resp, "407",
|
||||||
|
"unknown host should NOT get 407")
|
||||||
|
})
|
||||||
|
|
||||||
|
s.T().Run("knock-host-407", func(t *testing.T) {
|
||||||
|
// URL hostname matches knock list → normal 407 auth challenge.
|
||||||
|
// Note: knock checks req.URL.Hostname(), not the Host header.
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET http://secret.example.com:5678/ HTTP/1.0\r\nHost: secret.example.com\r\n\r\n")
|
||||||
|
s.Assert().Contains(resp, "407",
|
||||||
|
"knock host should get normal 407")
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPConnectorTLS verifies HTTP connector using TLS dialer
|
||||||
|
// to upstream HTTPS proxy (listener type: tls).
|
||||||
|
// The TLS listener auto-generates a self-signed cert;
|
||||||
|
// the TLS dialer defaults to InsecureSkipVerify=true, so
|
||||||
|
// handshake succeeds without explicit cert configuration.
|
||||||
|
func (s *HTTPSuite) TestHTTPConnectorTLS() {
|
||||||
|
serverC, err := RunGostContainerWithOptions(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_tls.yaml", []string{"tls-server"}, []string{"8443/tcp"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer serverC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
rendered, err := RenderConfig("testdata/http/client_connector_tls.yaml",
|
||||||
|
ConfigData{ServerAddr: "tls-server:8443"})
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer os.Remove(rendered)
|
||||||
|
|
||||||
|
clientC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
rendered, "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer clientC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
cmd := []string{"curl", "-v", "-s", "-x", "http://127.0.0.1:8080",
|
||||||
|
fmt.Sprintf("http://%s:5678", s.echoIP)}
|
||||||
|
code, out, err := clientC.Exec(s.ctx, cmd)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
|
||||||
|
body, err := io.ReadAll(out)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
if code != 0 || !strings.Contains(string(body), "hello-gost") {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector-tls client logs", clientC)
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-connector-tls server logs", serverC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code)
|
||||||
|
s.Require().Contains(string(body), "hello-gost")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProbeResistWeb verifies probeResist web type.
|
||||||
|
// On auth failure, the handler fetches the decoy URL
|
||||||
|
// (tcp-echo:5678) and returns its response body.
|
||||||
|
func (s *HTTPSuite) TestHTTPProbeResistWeb() {
|
||||||
|
gostC, err := RunGostContainerWithPorts(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_proberesist_web.yaml", "8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Without auth, probeResist web fetches http://tcp-echo:5678
|
||||||
|
// and returns the echo server's response ("hello-gost").
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||||
|
s.Assert().NotContains(resp, "407",
|
||||||
|
"probeResist web should hide 407 response")
|
||||||
|
s.Assert().Contains(resp, "hello-gost",
|
||||||
|
"probeResist web should return decoy response body")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPProbeResistFile verifies probeResist file type.
|
||||||
|
// On auth failure, the handler reads a local file and
|
||||||
|
// returns its contents as the HTTP response body.
|
||||||
|
func (s *HTTPSuite) TestHTTPProbeResistFile() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_proberesist_file.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "testdata/http/decoy.html", ContainerFilePath: "/tmp/decoy.html", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// Without auth, probeResist file reads /tmp/decoy.html and
|
||||||
|
// returns "decoy-response" rather than a 407.
|
||||||
|
resp := s.sendRaw(gostC, "127.0.0.1", "8080",
|
||||||
|
"GET http://127.0.0.1:5678/ HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
|
||||||
|
s.Assert().NotContains(resp, "407",
|
||||||
|
"probeResist file should hide 407 response")
|
||||||
|
s.Assert().Contains(resp, "decoy-response",
|
||||||
|
"probeResist file should return decoy file content")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPIdleTimeout verifies idleTimeout on CONNECT tunnels.
|
||||||
|
// After the configured idle timeout, the pipe between client
|
||||||
|
// and target should close.
|
||||||
|
func (s *HTTPSuite) TestHTTPIdleTimeout() {
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_idle_timeout.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/http_idle_timeout.py", ContainerFilePath: "/scripts/http_idle_timeout.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// The Python script:
|
||||||
|
// 1. Opens a CONNECT tunnel to tcp-echo:5678
|
||||||
|
// 2. Sends and receives data (confirm tunnel is alive)
|
||||||
|
// 3. Waits > idleTimeout (3s + 2s buffer)
|
||||||
|
// 4. Sends more data — expects connection to be closed
|
||||||
|
code, out, err := gostC.Exec(s.ctx, []string{
|
||||||
|
"python3", "/scripts/http_idle_timeout.py",
|
||||||
|
"127.0.0.1", "8080", "3",
|
||||||
|
})
|
||||||
|
output, _ := io.ReadAll(out)
|
||||||
|
s.T().Logf("idle timeout output:\n%s", string(output))
|
||||||
|
if code != 0 {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-idle-timeout logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code, "idle timeout test script should exit 0")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestHTTPUDPRelay verifies UDP relay over HTTP. Uses
|
||||||
|
// X-Gost-Protocol: udp in the CONNECT request to establish
|
||||||
|
// a SOCKS5 UDP tunnel through the HTTP handler.
|
||||||
|
func (s *HTTPSuite) TestHTTPUDPRelay() {
|
||||||
|
// Start UDP echo container on the shared network.
|
||||||
|
udpC, err := RunUDPEchoContainer(s.ctx, SharedNetworkName)
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer udpC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
gostC, err := RunGostContainerWithFiles(s.ctx, SharedNetworkName,
|
||||||
|
"testdata/http/server_udp.yaml",
|
||||||
|
[]testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/http_udp_relay.py", ContainerFilePath: "/scripts/http_udp_relay.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
"8080/tcp")
|
||||||
|
s.Require().NoError(err)
|
||||||
|
defer gostC.Terminate(s.ctx)
|
||||||
|
|
||||||
|
// The Python script:
|
||||||
|
// 1. Connects to gost HTTP proxy
|
||||||
|
// 2. Sends CONNECT with X-Gost-Protocol: udp
|
||||||
|
// 3. After 200 OK, sends a SOCKS5 UDP frame targeting udp-echo:5679
|
||||||
|
// 4. Reads back the echoed frame
|
||||||
|
code, out, err := gostC.Exec(s.ctx, []string{
|
||||||
|
"python3", "/scripts/http_udp_relay.py",
|
||||||
|
"127.0.0.1", "8080",
|
||||||
|
})
|
||||||
|
output, _ := io.ReadAll(out)
|
||||||
|
s.T().Logf("udp relay output:\n%s", string(output))
|
||||||
|
if code != 0 {
|
||||||
|
DumpLogs(s.T(), s.ctx, "http-udp logs", gostC)
|
||||||
|
}
|
||||||
|
s.Require().Equal(0, code, "udp relay test script should exit 0")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestHTTPSuite(t *testing.T) {
|
||||||
|
suite.Run(t, new(HTTPSuite))
|
||||||
|
}
|
||||||
@@ -0,0 +1,162 @@
|
|||||||
|
"""DNS query client for e2e tests.
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
python3 dns_query.py udp host port qname qtype [expected_ip|empty]
|
||||||
|
python3 dns_query.py tcp host port qname qtype [expected_ip|empty]
|
||||||
|
|
||||||
|
Sends a DNS query and optionally checks the response:
|
||||||
|
- expected_ip: verify response contains this IP address
|
||||||
|
- "empty": verify response has zero answer records (NXDOMAIN or blocked)
|
||||||
|
- omitted: exit 0 on any valid DNS response
|
||||||
|
|
||||||
|
Exits 0 on success, 1 on failure.
|
||||||
|
"""
|
||||||
|
import struct
|
||||||
|
import socket
|
||||||
|
import sys
|
||||||
|
|
||||||
|
|
||||||
|
def encode_name(name):
|
||||||
|
parts = name.rstrip(".").split(".")
|
||||||
|
return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"
|
||||||
|
|
||||||
|
|
||||||
|
def skip_name(data, pos):
|
||||||
|
"""Skip one DNS name at pos, return position after it."""
|
||||||
|
while True:
|
||||||
|
length = data[pos]
|
||||||
|
if length == 0:
|
||||||
|
return pos + 1
|
||||||
|
if length & 0xC0:
|
||||||
|
return pos + 2
|
||||||
|
pos += length + 1
|
||||||
|
|
||||||
|
|
||||||
|
def build_query(qname, qtype):
|
||||||
|
tid = 0x1234
|
||||||
|
flags = 0x0100 # RD=1
|
||||||
|
qdcount = 1
|
||||||
|
header = struct.pack(">HHHHHH", tid, flags, qdcount, 0, 0, 0)
|
||||||
|
qname_enc = encode_name(qname)
|
||||||
|
question = qname_enc + struct.pack(">HH", qtype, 1) # QTYPE, QCLASS=IN
|
||||||
|
return header + question
|
||||||
|
|
||||||
|
|
||||||
|
def parse_response(data):
|
||||||
|
if len(data) < 12:
|
||||||
|
return [], -1
|
||||||
|
flags = struct.unpack(">H", data[2:4])[0]
|
||||||
|
rcode = flags & 0x0F
|
||||||
|
qdcount = struct.unpack(">H", data[4:6])[0]
|
||||||
|
ancount = struct.unpack(">H", data[6:8])[0]
|
||||||
|
|
||||||
|
# Skip question section
|
||||||
|
pos = 12
|
||||||
|
for _ in range(qdcount):
|
||||||
|
pos = skip_name(data, pos) + 4 # QTYPE + QCLASS
|
||||||
|
|
||||||
|
answers = []
|
||||||
|
for _ in range(ancount):
|
||||||
|
pos = skip_name(data, pos)
|
||||||
|
rtype, rclass, ttl, rdlength = struct.unpack(">HHIH", data[pos:pos + 10])
|
||||||
|
pos += 10
|
||||||
|
rdata = data[pos:pos + rdlength]
|
||||||
|
pos += rdlength
|
||||||
|
answers.append((rtype, rclass, ttl, rdata))
|
||||||
|
|
||||||
|
return answers, rcode
|
||||||
|
|
||||||
|
|
||||||
|
def query_udp(host, port, query):
|
||||||
|
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||||
|
sock.settimeout(5)
|
||||||
|
sock.sendto(query, (host, port))
|
||||||
|
data, _ = sock.recvfrom(4096)
|
||||||
|
sock.close()
|
||||||
|
return data
|
||||||
|
|
||||||
|
|
||||||
|
def query_tcp(host, port, query):
|
||||||
|
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
sock.settimeout(5)
|
||||||
|
sock.connect((host, port))
|
||||||
|
sock.sendall(struct.pack(">H", len(query)) + query)
|
||||||
|
raw = sock.recv(2)
|
||||||
|
if len(raw) < 2:
|
||||||
|
sock.close()
|
||||||
|
return b""
|
||||||
|
msglen = struct.unpack(">H", raw)[0]
|
||||||
|
data = b""
|
||||||
|
while len(data) < msglen:
|
||||||
|
chunk = sock.recv(msglen - len(data))
|
||||||
|
if not chunk:
|
||||||
|
break
|
||||||
|
data += chunk
|
||||||
|
sock.close()
|
||||||
|
return data
|
||||||
|
|
||||||
|
|
||||||
|
def format_ip(rtype, rdata):
|
||||||
|
if rtype == 1 and len(rdata) == 4:
|
||||||
|
return socket.inet_ntoa(rdata)
|
||||||
|
if rtype == 28 and len(rdata) == 16:
|
||||||
|
return socket.inet_ntop(socket.AF_INET6, rdata)
|
||||||
|
return repr(rdata)
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
if len(sys.argv) < 5:
|
||||||
|
print("Usage: dns_query.py <udp|tcp> <host> <port> <qname> <qtype> [expected_ip|empty]")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
mode = sys.argv[1]
|
||||||
|
host = sys.argv[2]
|
||||||
|
port = int(sys.argv[3])
|
||||||
|
qname = sys.argv[4]
|
||||||
|
qtype_str = sys.argv[5]
|
||||||
|
expected = sys.argv[6] if len(sys.argv) > 6 else None
|
||||||
|
|
||||||
|
qtype_map = {"A": 1, "AAAA": 28}
|
||||||
|
qtype = qtype_map.get(qtype_str, 1)
|
||||||
|
|
||||||
|
query = build_query(qname, qtype)
|
||||||
|
|
||||||
|
try:
|
||||||
|
if mode == "tcp":
|
||||||
|
data = query_tcp(host, port, query)
|
||||||
|
else:
|
||||||
|
data = query_udp(host, port, query)
|
||||||
|
except Exception as e:
|
||||||
|
print(f"ERROR: {e}")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
if not data:
|
||||||
|
print("ERROR: empty response")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
answers, rcode = parse_response(data)
|
||||||
|
print(f"Got {len(answers)} answer(s), rcode={rcode}")
|
||||||
|
|
||||||
|
for rtype, _, _, rdata in answers:
|
||||||
|
print(f" {format_ip(rtype, rdata)}")
|
||||||
|
|
||||||
|
if expected == "empty":
|
||||||
|
if len(answers) == 0:
|
||||||
|
print("MATCH: empty answer (expected)")
|
||||||
|
sys.exit(0)
|
||||||
|
print(f"NO MATCH: expected empty, got {len(answers)} answers")
|
||||||
|
sys.exit(1)
|
||||||
|
elif expected:
|
||||||
|
for rtype, _, _, rdata in answers:
|
||||||
|
ip = format_ip(rtype, rdata)
|
||||||
|
if ip == expected:
|
||||||
|
print(f"MATCH: expected {expected}")
|
||||||
|
sys.exit(0)
|
||||||
|
print(f"NO MATCH: expected {expected}")
|
||||||
|
sys.exit(1)
|
||||||
|
else:
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
||||||
@@ -0,0 +1,88 @@
|
|||||||
|
"""Simple authoritative DNS responder for e2e tests.
|
||||||
|
|
||||||
|
Listens on UDP port 5353 and responds with static records:
|
||||||
|
|
||||||
|
test.example.com. IN A 10.0.0.1
|
||||||
|
test2.example.com. IN A 10.0.0.2
|
||||||
|
example.com. IN AAAA ::1
|
||||||
|
|
||||||
|
All other queries receive NXDOMAIN.
|
||||||
|
"""
|
||||||
|
import socketserver
|
||||||
|
import struct
|
||||||
|
import socket
|
||||||
|
|
||||||
|
|
||||||
|
def decode_name(data, offset):
|
||||||
|
labels = []
|
||||||
|
while True:
|
||||||
|
length = data[offset]
|
||||||
|
if length == 0:
|
||||||
|
offset += 1
|
||||||
|
break
|
||||||
|
if length & 0xC0:
|
||||||
|
offset += 2
|
||||||
|
break
|
||||||
|
offset += 1
|
||||||
|
labels.append(data[offset:offset + length].decode())
|
||||||
|
offset += length
|
||||||
|
return '.'.join(labels), offset
|
||||||
|
|
||||||
|
|
||||||
|
def encode_name(name):
|
||||||
|
parts = name.rstrip(".").split(".")
|
||||||
|
return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"
|
||||||
|
|
||||||
|
|
||||||
|
RECORDS = {
|
||||||
|
("test.example.com", 1): (1, 300, socket.inet_aton("10.0.0.1")),
|
||||||
|
("test2.example.com", 1): (1, 300, socket.inet_aton("10.0.0.2")),
|
||||||
|
("example.com", 28): (28, 300, socket.inet_pton(socket.AF_INET6, "::1")),
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
class DNSResponder(socketserver.DatagramRequestHandler):
|
||||||
|
def handle(self):
|
||||||
|
data = self.rfile.read(512)
|
||||||
|
if len(data) < 12:
|
||||||
|
return
|
||||||
|
|
||||||
|
tid = struct.unpack(">H", data[:2])[0]
|
||||||
|
qdcount = struct.unpack(">H", data[4:6])[0]
|
||||||
|
|
||||||
|
if qdcount == 0:
|
||||||
|
return
|
||||||
|
|
||||||
|
qname, pos = decode_name(data, 12)
|
||||||
|
qtype = struct.unpack(">H", data[pos:pos + 2])[0]
|
||||||
|
qclass = struct.unpack(">H", data[pos + 2:pos + 4])[0]
|
||||||
|
|
||||||
|
key = (qname, qtype)
|
||||||
|
if key in RECORDS:
|
||||||
|
rcode = 0
|
||||||
|
ancount = 1
|
||||||
|
rtype, ttl, rdata = RECORDS[key]
|
||||||
|
else:
|
||||||
|
rcode = 3 # NXDOMAIN
|
||||||
|
ancount = 0
|
||||||
|
rtype, ttl, rdata = 0, 0, b""
|
||||||
|
|
||||||
|
flags = 0x8000 | 0x0400 | rcode # QR=1, AA=1, rcode
|
||||||
|
header = struct.pack(">HHHHHH", tid, flags, qdcount, ancount, 0, 0)
|
||||||
|
|
||||||
|
question = data[12:pos + 4]
|
||||||
|
|
||||||
|
answer = b""
|
||||||
|
if ancount:
|
||||||
|
answer = (
|
||||||
|
struct.pack(">HH", 0xC00C, rtype) # NAME pointer + TYPE
|
||||||
|
+ struct.pack(">HI", qclass, ttl) # CLASS + TTL
|
||||||
|
+ struct.pack(">H", len(rdata)) + rdata # RDLENGTH + RDATA
|
||||||
|
)
|
||||||
|
|
||||||
|
self.wfile.write(header + question + answer)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
with socketserver.UDPServer(("0.0.0.0", 5353), DNSResponder) as srv:
|
||||||
|
srv.serve_forever()
|
||||||
@@ -0,0 +1,83 @@
|
|||||||
|
"""Simple authoritative DNS responder for TCP mode e2e tests.
|
||||||
|
|
||||||
|
Listens on TCP port 5353 and responds with the same static records
|
||||||
|
as dns_responder.py, but over TCP (RFC 5966).
|
||||||
|
"""
|
||||||
|
import socketserver
|
||||||
|
import struct
|
||||||
|
import socket
|
||||||
|
|
||||||
|
|
||||||
|
def decode_name(data, offset):
|
||||||
|
labels = []
|
||||||
|
while True:
|
||||||
|
length = data[offset]
|
||||||
|
if length == 0:
|
||||||
|
offset += 1
|
||||||
|
break
|
||||||
|
if length & 0xC0:
|
||||||
|
offset += 2
|
||||||
|
break
|
||||||
|
offset += 1
|
||||||
|
labels.append(data[offset:offset + length].decode())
|
||||||
|
offset += length
|
||||||
|
return '.'.join(labels), offset
|
||||||
|
|
||||||
|
|
||||||
|
RECORDS = {
|
||||||
|
("test.example.com", 1): (1, 300, socket.inet_aton("10.0.0.1")),
|
||||||
|
("test2.example.com", 1): (1, 300, socket.inet_aton("10.0.0.2")),
|
||||||
|
("example.com", 28): (28, 300, socket.inet_pton(socket.AF_INET6, "::1")),
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
class DNSResponder(socketserver.StreamRequestHandler):
|
||||||
|
def handle(self):
|
||||||
|
# TCP DNS: 2-byte length prefix
|
||||||
|
raw = self.rfile.read(2)
|
||||||
|
if len(raw) < 2:
|
||||||
|
return
|
||||||
|
msglen = struct.unpack(">H", raw)[0]
|
||||||
|
data = self.rfile.read(msglen)
|
||||||
|
if len(data) < 12:
|
||||||
|
return
|
||||||
|
|
||||||
|
tid = struct.unpack(">H", data[:2])[0]
|
||||||
|
qdcount = struct.unpack(">H", data[4:6])[0]
|
||||||
|
|
||||||
|
if qdcount == 0:
|
||||||
|
return
|
||||||
|
|
||||||
|
qname, pos = decode_name(data, 12)
|
||||||
|
qtype = struct.unpack(">H", data[pos:pos + 2])[0]
|
||||||
|
qclass = struct.unpack(">H", data[pos + 2:pos + 4])[0]
|
||||||
|
|
||||||
|
key = (qname, qtype)
|
||||||
|
if key in RECORDS:
|
||||||
|
rcode = 0
|
||||||
|
ancount = 1
|
||||||
|
rtype, ttl, rdata = RECORDS[key]
|
||||||
|
else:
|
||||||
|
rcode = 3 # NXDOMAIN
|
||||||
|
ancount = 0
|
||||||
|
rtype, ttl, rdata = 0, 0, b""
|
||||||
|
|
||||||
|
flags = 0x8000 | 0x0400 | rcode
|
||||||
|
header = struct.pack(">HHHHHH", tid, flags, qdcount, ancount, 0, 0)
|
||||||
|
question = data[12:pos + 4]
|
||||||
|
|
||||||
|
answer = b""
|
||||||
|
if ancount:
|
||||||
|
answer = (
|
||||||
|
struct.pack(">HH", 0xC00C, rtype)
|
||||||
|
+ struct.pack(">HI", qclass, ttl)
|
||||||
|
+ struct.pack(">H", len(rdata)) + rdata
|
||||||
|
)
|
||||||
|
|
||||||
|
dnsmsg = header + question + answer
|
||||||
|
self.wfile.write(struct.pack(">H", len(dnsmsg)) + dnsmsg)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
with socketserver.TCPServer(("0.0.0.0", 5353), DNSResponder) as srv:
|
||||||
|
srv.serve_forever()
|
||||||
@@ -0,0 +1,140 @@
|
|||||||
|
"""DNS query client over TLS for e2e tests.
|
||||||
|
|
||||||
|
Connects to the DNS-over-TLS endpoint and performs a DNS query.
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
python3 dns_tls_query.py host port qname qtype [expected_ip]
|
||||||
|
"""
|
||||||
|
import struct
|
||||||
|
import socket
|
||||||
|
import ssl
|
||||||
|
import sys
|
||||||
|
|
||||||
|
|
||||||
|
def encode_name(name):
|
||||||
|
parts = name.rstrip(".").split(".")
|
||||||
|
return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"
|
||||||
|
|
||||||
|
|
||||||
|
def build_query(tid, qname, qtype):
|
||||||
|
flags = 0x0100
|
||||||
|
qdcount = 1
|
||||||
|
header = struct.pack(">HHHHHH", tid, flags, qdcount, 0, 0, 0)
|
||||||
|
qname_enc = encode_name(qname)
|
||||||
|
question = qname_enc + struct.pack(">HH", qtype, 1)
|
||||||
|
return header + question
|
||||||
|
|
||||||
|
|
||||||
|
def parse_response(data):
|
||||||
|
if len(data) < 12:
|
||||||
|
return [], -1
|
||||||
|
flags = struct.unpack(">H", data[2:4])[0]
|
||||||
|
rcode = flags & 0x0F
|
||||||
|
qdcount = struct.unpack(">H", data[4:6])[0]
|
||||||
|
ancount = struct.unpack(">H", data[6:8])[0]
|
||||||
|
|
||||||
|
pos = 12
|
||||||
|
for _ in range(qdcount):
|
||||||
|
while data[pos] != 0:
|
||||||
|
if data[pos] & 0xC0:
|
||||||
|
pos += 2
|
||||||
|
break
|
||||||
|
pos += data[pos] + 1
|
||||||
|
else:
|
||||||
|
pos += 1
|
||||||
|
pos += 4
|
||||||
|
|
||||||
|
answers = []
|
||||||
|
for _ in range(ancount):
|
||||||
|
if data[pos] & 0xC0:
|
||||||
|
pos += 2
|
||||||
|
else:
|
||||||
|
while data[pos] != 0:
|
||||||
|
pos += data[pos] + 1
|
||||||
|
pos += 1
|
||||||
|
rtype, rclass, ttl, rdlength = struct.unpack(">HHIH", data[pos:pos + 10])
|
||||||
|
pos += 10
|
||||||
|
rdata = data[pos:pos + rdlength]
|
||||||
|
pos += rdlength
|
||||||
|
answers.append((rtype, rdata))
|
||||||
|
|
||||||
|
return answers, rcode
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
if len(sys.argv) < 5:
|
||||||
|
print(f"Usage: {sys.argv[0]} host port qname qtype [expected_ip]")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
host = sys.argv[1]
|
||||||
|
port = int(sys.argv[2])
|
||||||
|
qname = sys.argv[3]
|
||||||
|
qtype_str = sys.argv[4]
|
||||||
|
expected = sys.argv[5] if len(sys.argv) > 5 else None
|
||||||
|
|
||||||
|
qtype_map = {"A": 1, "AAAA": 28}
|
||||||
|
qtype = qtype_map.get(qtype_str, 1)
|
||||||
|
|
||||||
|
query = build_query(0x1234, qname, qtype)
|
||||||
|
|
||||||
|
ctx = ssl.create_default_context()
|
||||||
|
ctx.check_hostname = False
|
||||||
|
ctx.verify_mode = ssl.CERT_NONE
|
||||||
|
|
||||||
|
try:
|
||||||
|
with socket.create_connection((host, port), timeout=5) as sock:
|
||||||
|
with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
|
||||||
|
# TCP DNS: 2-byte length prefix
|
||||||
|
tls_sock.sendall(struct.pack(">H", len(query)) + query)
|
||||||
|
raw = tls_sock.recv(2)
|
||||||
|
if len(raw) < 2:
|
||||||
|
print("ERROR: short response header")
|
||||||
|
sys.exit(1)
|
||||||
|
msglen = struct.unpack(">H", raw)[0]
|
||||||
|
data = b""
|
||||||
|
while len(data) < msglen:
|
||||||
|
chunk = tls_sock.recv(msglen - len(data))
|
||||||
|
if not chunk:
|
||||||
|
break
|
||||||
|
data += chunk
|
||||||
|
except Exception as e:
|
||||||
|
print(f"ERROR: {e}")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
if not data:
|
||||||
|
print("ERROR: empty response")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
answers, rcode = parse_response(data)
|
||||||
|
print(f"Got {len(answers)} answer(s), rcode={rcode}")
|
||||||
|
|
||||||
|
for rtype, rdata in answers:
|
||||||
|
if rtype == 1 and len(rdata) == 4:
|
||||||
|
ip = socket.inet_ntoa(rdata)
|
||||||
|
print(f" A {ip}")
|
||||||
|
elif rtype == 28 and len(rdata) == 16:
|
||||||
|
ip6 = socket.inet_ntop(socket.AF_INET6, rdata)
|
||||||
|
print(f" AAAA {ip6}")
|
||||||
|
else:
|
||||||
|
print(f" TYPE={rtype} RDATA={rdata.hex()}")
|
||||||
|
|
||||||
|
if expected:
|
||||||
|
for rtype, rdata in answers:
|
||||||
|
if rtype == 1 and len(rdata) == 4:
|
||||||
|
ip = socket.inet_ntoa(rdata)
|
||||||
|
if ip == expected:
|
||||||
|
print(f"MATCH: expected {expected}")
|
||||||
|
sys.exit(0)
|
||||||
|
elif rtype == 28 and len(rdata) == 16:
|
||||||
|
ip6 = socket.inet_ntop(socket.AF_INET6, rdata)
|
||||||
|
if ip6 == expected:
|
||||||
|
print(f"MATCH: expected {expected}")
|
||||||
|
sys.exit(0)
|
||||||
|
print(f"NO MATCH: expected {expected}")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
||||||
@@ -0,0 +1,68 @@
|
|||||||
|
import socket
|
||||||
|
import sys
|
||||||
|
import time
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
|
||||||
|
port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
|
||||||
|
idle_timeout = int(sys.argv[3]) if len(sys.argv) > 3 else 3
|
||||||
|
|
||||||
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
s.settimeout(10)
|
||||||
|
s.connect((host, port))
|
||||||
|
|
||||||
|
# CONNECT to echo server
|
||||||
|
req = b"CONNECT tcp-echo:5678 HTTP/1.1\r\nHost: tcp-echo:5678\r\n\r\n"
|
||||||
|
s.sendall(req)
|
||||||
|
|
||||||
|
# Read 200 OK response
|
||||||
|
resp = b""
|
||||||
|
while b"\r\n\r\n" not in resp:
|
||||||
|
chunk = s.recv(4096)
|
||||||
|
if not chunk:
|
||||||
|
break
|
||||||
|
resp += chunk
|
||||||
|
|
||||||
|
if b"200" not in resp:
|
||||||
|
print(f"FAIL: expected 200, got {resp.decode(errors='replace')}")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
# Send an HTTP GET through the CONNECT tunnel. The tunnel target
|
||||||
|
# is an HTTP echo server (BaseHTTPRequestHandler), so we must speak
|
||||||
|
# HTTP or the connection closes.
|
||||||
|
req = b"GET / HTTP/1.0\r\nHost: tcp-echo\r\n\r\n"
|
||||||
|
s.sendall(req)
|
||||||
|
data = b""
|
||||||
|
while b"hello-gost" not in data:
|
||||||
|
chunk = s.recv(4096)
|
||||||
|
if not chunk:
|
||||||
|
break
|
||||||
|
data += chunk
|
||||||
|
if b"hello-gost" not in data:
|
||||||
|
print(f"FAIL: expected hello-gost echo, got {data!r}")
|
||||||
|
sys.exit(1)
|
||||||
|
print(f"PASS: first request through tunnel succeeded")
|
||||||
|
|
||||||
|
# Wait longer than idleTimeout
|
||||||
|
wait = idle_timeout + 2
|
||||||
|
print(f"Waiting {wait}s for idle timeout...")
|
||||||
|
time.sleep(wait)
|
||||||
|
|
||||||
|
# Try to send more data — idle timeout should have closed the pipe
|
||||||
|
try:
|
||||||
|
s.sendall(b"ping-2\n")
|
||||||
|
data = s.recv(4096)
|
||||||
|
if not data:
|
||||||
|
print("PASS: connection closed after idle timeout (empty recv)")
|
||||||
|
sys.exit(0)
|
||||||
|
# Got data means the pipe is still alive
|
||||||
|
print(f"FAIL: connection still alive after idle timeout, got {data!r}")
|
||||||
|
sys.exit(1)
|
||||||
|
except (socket.timeout, ConnectionResetError, BrokenPipeError, OSError) as e:
|
||||||
|
print(f"PASS: connection closed after idle timeout: {e}")
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
||||||
@@ -0,0 +1,135 @@
|
|||||||
|
import socket
|
||||||
|
import struct
|
||||||
|
import sys
|
||||||
|
|
||||||
|
|
||||||
|
UDP_ECHO_HOST = "udp-echo"
|
||||||
|
UDP_ECHO_PORT = 5679
|
||||||
|
|
||||||
|
|
||||||
|
def encode_socks5_addr(host, port):
|
||||||
|
"""Encode (host, port) as SOCKS5 ADDRESS + PORT.
|
||||||
|
|
||||||
|
Uses ATYP=3 (domain name) so Docker DNS resolves the host.
|
||||||
|
Returns (atyp, address_bytes, port_bytes).
|
||||||
|
"""
|
||||||
|
host_bytes = host.encode()
|
||||||
|
addr_bytes = struct.pack("!B", len(host_bytes)) + host_bytes
|
||||||
|
port_bytes = struct.pack("!H", port)
|
||||||
|
return 0x03, addr_bytes, port_bytes
|
||||||
|
|
||||||
|
|
||||||
|
def build_udp_frame(payload, host, port):
|
||||||
|
"""Build a SOCKS5 UDP relay frame over TCP.
|
||||||
|
|
||||||
|
gost HTTP UDP relay uses RSV=data-length and FRAG=0xff.
|
||||||
|
Frame: [RSV:2][FRAG:1][ATYP:1][DST.ADDR][DST.PORT:2][DATA]
|
||||||
|
"""
|
||||||
|
atyp, addr_bytes, port_bytes = encode_socks5_addr(host, port)
|
||||||
|
rsv = struct.pack("!H", len(payload))
|
||||||
|
frag = b"\xff"
|
||||||
|
atyp_byte = struct.pack("!B", atyp)
|
||||||
|
return rsv + frag + atyp_byte + addr_bytes + port_bytes + payload
|
||||||
|
|
||||||
|
|
||||||
|
def recvn(sock, n):
|
||||||
|
"""Receive exactly n bytes from socket."""
|
||||||
|
buf = b""
|
||||||
|
while len(buf) < n:
|
||||||
|
chunk = sock.recv(n - len(buf))
|
||||||
|
if not chunk:
|
||||||
|
raise ConnectionError("connection closed while reading")
|
||||||
|
buf += chunk
|
||||||
|
return buf
|
||||||
|
|
||||||
|
|
||||||
|
def read_socks5_frame(sock):
|
||||||
|
"""Read one SOCKS5 UDP relay frame from the TCP connection.
|
||||||
|
|
||||||
|
Returns (addr, port, data).
|
||||||
|
"""
|
||||||
|
# Read header: RSV(2) + FRAG(1) + ATYP(1)
|
||||||
|
header = recvn(sock, 4)
|
||||||
|
rsv = struct.unpack("!H", header[:2])[0]
|
||||||
|
frag = header[2]
|
||||||
|
atyp = header[3]
|
||||||
|
|
||||||
|
# Read address based on ATYP
|
||||||
|
if atyp == 1: # IPv4
|
||||||
|
addr_bytes = recvn(sock, 4)
|
||||||
|
addr = socket.inet_ntoa(addr_bytes)
|
||||||
|
elif atyp == 3: # Domain name
|
||||||
|
domain_len = recvn(sock, 1)
|
||||||
|
addr = recvn(sock, domain_len[0]).decode()
|
||||||
|
elif atyp == 4: # IPv6
|
||||||
|
addr_bytes = recvn(sock, 16)
|
||||||
|
addr = socket.inet_ntop(socket.AF_INET6, addr_bytes)
|
||||||
|
else:
|
||||||
|
raise ValueError(f"unknown ATYP: {atyp}")
|
||||||
|
|
||||||
|
port_bytes = recvn(sock, 2)
|
||||||
|
port = struct.unpack("!H", port_bytes)[0]
|
||||||
|
|
||||||
|
# Read data
|
||||||
|
if rsv > 0:
|
||||||
|
data = recvn(sock, rsv)
|
||||||
|
else:
|
||||||
|
# Standard SOCKS5 UDP: read remaining
|
||||||
|
data = b""
|
||||||
|
while True:
|
||||||
|
chunk = sock.recv(4096)
|
||||||
|
if not chunk:
|
||||||
|
break
|
||||||
|
data += chunk
|
||||||
|
|
||||||
|
return addr, port, data
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
|
||||||
|
port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
|
||||||
|
|
||||||
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
s.settimeout(10)
|
||||||
|
s.connect((host, port))
|
||||||
|
|
||||||
|
# Send CONNECT with X-Gost-Protocol: udp
|
||||||
|
req = (
|
||||||
|
b"CONNECT 0.0.0.0:0 HTTP/1.1\r\n"
|
||||||
|
b"Host: 0.0.0.0:0\r\n"
|
||||||
|
b"X-Gost-Protocol: udp\r\n"
|
||||||
|
b"Proxy-Connection: keep-alive\r\n"
|
||||||
|
b"\r\n"
|
||||||
|
)
|
||||||
|
s.sendall(req)
|
||||||
|
|
||||||
|
# Read 200 OK
|
||||||
|
resp = b""
|
||||||
|
while b"\r\n\r\n" not in resp:
|
||||||
|
chunk = s.recv(4096)
|
||||||
|
if not chunk:
|
||||||
|
break
|
||||||
|
resp += chunk
|
||||||
|
|
||||||
|
if b"200" not in resp:
|
||||||
|
print(f"FAIL: expected 200, got {resp.decode(errors='replace')}")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
# Build and send UDP relay frame
|
||||||
|
payload = b"hello-gost"
|
||||||
|
frame = build_udp_frame(payload, UDP_ECHO_HOST, UDP_ECHO_PORT)
|
||||||
|
s.sendall(frame)
|
||||||
|
|
||||||
|
# Read response frame
|
||||||
|
addr, rport, data = read_socks5_frame(s)
|
||||||
|
|
||||||
|
if b"hello-gost" in data:
|
||||||
|
print(f"PASS: received expected data from {addr}:{rport}")
|
||||||
|
sys.exit(0)
|
||||||
|
else:
|
||||||
|
print(f"FAIL: expected hello-gost in response, got {data!r}")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
||||||
@@ -0,0 +1,53 @@
|
|||||||
|
import socket
|
||||||
|
import sys
|
||||||
|
import time
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
|
||||||
|
port = int(sys.argv[2]) if len(sys.argv) > 2 else 8000
|
||||||
|
idle_timeout = int(sys.argv[3]) if len(sys.argv) > 3 else 3
|
||||||
|
|
||||||
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
s.settimeout(10)
|
||||||
|
s.connect((host, port))
|
||||||
|
|
||||||
|
# Send an HTTP GET request — the forward handler pipes us to tcp-echo:5678
|
||||||
|
req = b"GET / HTTP/1.0\r\nHost: tcp-echo\r\n\r\n"
|
||||||
|
s.sendall(req)
|
||||||
|
|
||||||
|
# Read response — should contain "hello-gost" (echo server reply)
|
||||||
|
resp = b""
|
||||||
|
while b"hello-gost" not in resp:
|
||||||
|
chunk = s.recv(4096)
|
||||||
|
if not chunk:
|
||||||
|
break
|
||||||
|
resp += chunk
|
||||||
|
|
||||||
|
if b"hello-gost" not in resp:
|
||||||
|
print(f"FAIL: expected hello-gost in response, got {resp.decode(errors='replace')}")
|
||||||
|
sys.exit(1)
|
||||||
|
print(f"PASS: first request through forward pipe succeeded")
|
||||||
|
|
||||||
|
# Wait longer than idleTimeout
|
||||||
|
wait = idle_timeout + 2
|
||||||
|
print(f"Waiting {wait}s for idle timeout...")
|
||||||
|
time.sleep(wait)
|
||||||
|
|
||||||
|
# Try to send more data — idle timeout should have closed the pipe
|
||||||
|
try:
|
||||||
|
s.sendall(b"GET / HTTP/1.0\r\nHost: tcp-echo\r\n\r\n")
|
||||||
|
data = s.recv(4096)
|
||||||
|
if not data:
|
||||||
|
print("PASS: connection closed after idle timeout (empty recv)")
|
||||||
|
sys.exit(0)
|
||||||
|
# Got data means the pipe is still alive
|
||||||
|
print(f"FAIL: connection still alive after idle timeout, got {data!r}")
|
||||||
|
sys.exit(1)
|
||||||
|
except (socket.timeout, ConnectionResetError, BrokenPipeError, OSError) as e:
|
||||||
|
print(f"PASS: connection closed after idle timeout: {e}")
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
||||||
@@ -0,0 +1,25 @@
|
|||||||
|
import socket
|
||||||
|
import sys
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
|
||||||
|
port = int(sys.argv[2]) if len(sys.argv) > 2 else 9000
|
||||||
|
|
||||||
|
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||||
|
sock.settimeout(5)
|
||||||
|
|
||||||
|
payload = b"hello-gost-udp"
|
||||||
|
sock.sendto(payload, (host, port))
|
||||||
|
|
||||||
|
data, addr = sock.recvfrom(2048)
|
||||||
|
if data == payload:
|
||||||
|
print("PASS: received echo")
|
||||||
|
sys.exit(0)
|
||||||
|
else:
|
||||||
|
print(f"FAIL: expected {payload!r}, got {data!r}")
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
||||||
+16
@@ -0,0 +1,16 @@
|
|||||||
|
services:
|
||||||
|
- name: dns
|
||||||
|
addr: :1053
|
||||||
|
handler:
|
||||||
|
type: dns
|
||||||
|
metadata:
|
||||||
|
dns: udp://dns-server:5353
|
||||||
|
timeout: 5s
|
||||||
|
listener:
|
||||||
|
type: dns
|
||||||
|
bypass: block-example
|
||||||
|
|
||||||
|
bypasses:
|
||||||
|
- name: block-example
|
||||||
|
matchers:
|
||||||
|
- test.example.com
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
services:
|
||||||
|
- name: dns
|
||||||
|
addr: :1053
|
||||||
|
handler:
|
||||||
|
type: dns
|
||||||
|
metadata:
|
||||||
|
dns: udp://127.0.0.1:1
|
||||||
|
timeout: 2s
|
||||||
|
listener:
|
||||||
|
type: dns
|
||||||
+22
@@ -0,0 +1,22 @@
|
|||||||
|
services:
|
||||||
|
- name: dns
|
||||||
|
addr: :1053
|
||||||
|
handler:
|
||||||
|
type: dns
|
||||||
|
metadata:
|
||||||
|
# Unreachable upstream so the system-DNS fallback is bypassed.
|
||||||
|
# The host mapper resolves mapped names before the exchanger is
|
||||||
|
# reached; unmapped names must hit the exchanger and fail.
|
||||||
|
dns: udp://127.0.0.1:1
|
||||||
|
timeout: 2s
|
||||||
|
listener:
|
||||||
|
type: dns
|
||||||
|
hosts: my-hosts
|
||||||
|
|
||||||
|
hosts:
|
||||||
|
- name: my-hosts
|
||||||
|
mappings:
|
||||||
|
- ip: 10.0.0.100
|
||||||
|
hostname: mapped.example.com
|
||||||
|
- ip: 192.168.1.200
|
||||||
|
hostname: aaaa.mapped.example.com
|
||||||
+16
@@ -0,0 +1,16 @@
|
|||||||
|
services:
|
||||||
|
- name: dns
|
||||||
|
addr: :1053
|
||||||
|
handler:
|
||||||
|
type: dns
|
||||||
|
metadata:
|
||||||
|
dns: udp://dns-server:5353
|
||||||
|
timeout: 5s
|
||||||
|
listener:
|
||||||
|
type: dns
|
||||||
|
rlimiter: limiter-0
|
||||||
|
|
||||||
|
rlimiters:
|
||||||
|
- name: limiter-0
|
||||||
|
limits:
|
||||||
|
- "$ 1000"
|
||||||
+12
@@ -0,0 +1,12 @@
|
|||||||
|
services:
|
||||||
|
- name: dns
|
||||||
|
addr: :1053
|
||||||
|
handler:
|
||||||
|
type: dns
|
||||||
|
metadata:
|
||||||
|
dns: tcp://dns-server:5353
|
||||||
|
timeout: 5s
|
||||||
|
listener:
|
||||||
|
type: dns
|
||||||
|
metadata:
|
||||||
|
mode: tcp
|
||||||
+12
@@ -0,0 +1,12 @@
|
|||||||
|
services:
|
||||||
|
- name: dns
|
||||||
|
addr: :1053
|
||||||
|
handler:
|
||||||
|
type: dns
|
||||||
|
metadata:
|
||||||
|
dns: udp://dns-server:5353
|
||||||
|
timeout: 5s
|
||||||
|
listener:
|
||||||
|
type: dns
|
||||||
|
metadata:
|
||||||
|
mode: tls
|
||||||
+10
@@ -0,0 +1,10 @@
|
|||||||
|
services:
|
||||||
|
- name: dns
|
||||||
|
addr: :1053
|
||||||
|
handler:
|
||||||
|
type: dns
|
||||||
|
metadata:
|
||||||
|
dns: udp://dns-server:5353
|
||||||
|
timeout: 5s
|
||||||
|
listener:
|
||||||
|
type: dns
|
||||||
Vendored
Vendored
+1
@@ -0,0 +1 @@
|
|||||||
|
<html><body>gost file index</body></html>
|
||||||
Vendored
+9
@@ -0,0 +1,9 @@
|
|||||||
|
services:
|
||||||
|
- name: file-server
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: file
|
||||||
|
metadata:
|
||||||
|
file.dir: /srv/files
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
+15
@@ -0,0 +1,15 @@
|
|||||||
|
services:
|
||||||
|
- name: file-server-auth
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: file
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
file.dir: /srv/files
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
+10
@@ -0,0 +1,10 @@
|
|||||||
|
services:
|
||||||
|
- name: file-server-put
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: file
|
||||||
|
metadata:
|
||||||
|
file.dir: /srv/files
|
||||||
|
file.put: true
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
+11
@@ -0,0 +1,11 @@
|
|||||||
|
services:
|
||||||
|
- name: forward-tcp
|
||||||
|
addr: :8000
|
||||||
|
handler:
|
||||||
|
type: tcp
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
forwarder:
|
||||||
|
nodes:
|
||||||
|
- name: echo
|
||||||
|
addr: tcp-echo:5678
|
||||||
@@ -0,0 +1,20 @@
|
|||||||
|
services:
|
||||||
|
- name: forward-tcp
|
||||||
|
addr: :8000
|
||||||
|
handler:
|
||||||
|
type: tcp
|
||||||
|
metadata:
|
||||||
|
sniffing: true
|
||||||
|
sniffing.timeout: 2s
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
bypass: block-all
|
||||||
|
forwarder:
|
||||||
|
nodes:
|
||||||
|
- name: echo
|
||||||
|
addr: tcp-echo:5678
|
||||||
|
|
||||||
|
bypasses:
|
||||||
|
- name: block-all
|
||||||
|
matchers:
|
||||||
|
- 0.0.0.0/0
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
services:
|
||||||
|
- name: forward-tcp
|
||||||
|
addr: :8000
|
||||||
|
handler:
|
||||||
|
type: tcp
|
||||||
|
metadata:
|
||||||
|
idleTimeout: 3s
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
forwarder:
|
||||||
|
nodes:
|
||||||
|
- name: echo
|
||||||
|
addr: tcp-echo:5678
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
services:
|
||||||
|
- name: forward-tcp
|
||||||
|
addr: :8000
|
||||||
|
handler:
|
||||||
|
type: tcp
|
||||||
|
metadata:
|
||||||
|
sniffing: true
|
||||||
|
sniffing.timeout: 2s
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
forwarder:
|
||||||
|
nodes:
|
||||||
|
- name: echo-http
|
||||||
|
addr: tcp-echo:5678
|
||||||
|
protocol: http
|
||||||
|
- name: echo-tls
|
||||||
|
addr: tcp-echo:1
|
||||||
|
protocol: tls
|
||||||
+14
@@ -0,0 +1,14 @@
|
|||||||
|
services:
|
||||||
|
- name: forward-tcp
|
||||||
|
addr: :8000
|
||||||
|
handler:
|
||||||
|
type: tcp
|
||||||
|
metadata:
|
||||||
|
sniffing: true
|
||||||
|
sniffing.timeout: 2s
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
forwarder:
|
||||||
|
nodes:
|
||||||
|
- name: echo
|
||||||
|
addr: tcp-echo:5678
|
||||||
+11
@@ -0,0 +1,11 @@
|
|||||||
|
services:
|
||||||
|
- name: udp-forward
|
||||||
|
addr: :9000
|
||||||
|
handler:
|
||||||
|
type: udp
|
||||||
|
listener:
|
||||||
|
type: udp
|
||||||
|
forwarder:
|
||||||
|
nodes:
|
||||||
|
- name: echo
|
||||||
|
addr: udp-echo:5679
|
||||||
@@ -0,0 +1,15 @@
|
|||||||
|
services:
|
||||||
|
- name: udp-forward
|
||||||
|
addr: :9000
|
||||||
|
handler:
|
||||||
|
type: udp
|
||||||
|
metadata:
|
||||||
|
stateless: true
|
||||||
|
listener:
|
||||||
|
type: udp
|
||||||
|
metadata:
|
||||||
|
stateless: true
|
||||||
|
forwarder:
|
||||||
|
nodes:
|
||||||
|
- name: echo
|
||||||
|
addr: udp-echo:5679
|
||||||
+20
@@ -0,0 +1,20 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
chain: http-chain
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
chains:
|
||||||
|
- name: http-chain
|
||||||
|
hops:
|
||||||
|
- name: hop-0
|
||||||
|
nodes:
|
||||||
|
- name: node-0
|
||||||
|
addr: {{.ServerAddr}}
|
||||||
|
connector:
|
||||||
|
type: http
|
||||||
|
dialer:
|
||||||
|
type: tcp
|
||||||
@@ -0,0 +1,23 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
chain: http-chain
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
chains:
|
||||||
|
- name: http-chain
|
||||||
|
hops:
|
||||||
|
- name: hop-0
|
||||||
|
nodes:
|
||||||
|
- name: node-0
|
||||||
|
addr: {{.ServerAddr}}
|
||||||
|
connector:
|
||||||
|
type: http
|
||||||
|
auth:
|
||||||
|
username: user
|
||||||
|
password: pass
|
||||||
|
dialer:
|
||||||
|
type: tcp
|
||||||
@@ -0,0 +1,20 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
chain: https-chain
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
chains:
|
||||||
|
- name: https-chain
|
||||||
|
hops:
|
||||||
|
- name: hop-0
|
||||||
|
nodes:
|
||||||
|
- name: node-0
|
||||||
|
addr: {{.ServerAddr}}
|
||||||
|
connector:
|
||||||
|
type: http
|
||||||
|
dialer:
|
||||||
|
type: tls
|
||||||
Vendored
+1
@@ -0,0 +1 @@
|
|||||||
|
<html><body>decoy-response</body></html>
|
||||||
Vendored
+7
@@ -0,0 +1,7 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
+16
@@ -0,0 +1,16 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy-auth
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
# authBasicRealm: custom realm in 407 Proxy-Authenticate header
|
||||||
|
authBasicRealm: gost-e2e-realm
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
+12
@@ -0,0 +1,12 @@
|
|||||||
|
services:
|
||||||
|
- name: http-connect
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
metadata:
|
||||||
|
# sniffing: enable protocol sniffing on CONNECT tunnels
|
||||||
|
sniffing: true
|
||||||
|
# sniffing.timeout: timeout for initial sniff read (2s)
|
||||||
|
sniffing.timeout: 2s
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
@@ -0,0 +1,20 @@
|
|||||||
|
bypasses:
|
||||||
|
- name: bypass-0
|
||||||
|
matchers:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
|
||||||
|
services:
|
||||||
|
- name: http-connect-bypass
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
bypass: bypass-0
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
+25
@@ -0,0 +1,25 @@
|
|||||||
|
bypasses:
|
||||||
|
- name: bypass-0
|
||||||
|
matchers:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
|
||||||
|
services:
|
||||||
|
- name: http-headers
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
header:
|
||||||
|
X-Proxy-Info: gost-e2e
|
||||||
|
X-Custom: test-value
|
||||||
|
proxyAgent: gost-e2e/1.0
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
bypass: bypass-0
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
services:
|
||||||
|
- name: http-idle
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
metadata:
|
||||||
|
idleTimeout: 3s
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
+20
@@ -0,0 +1,20 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy-meta
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
# probeResist: decoy response on auth failure (code:404 hides the proxy)
|
||||||
|
probeResist: code:404
|
||||||
|
# keepalive: enable HTTP keep-alive on upstream transport (parse test)
|
||||||
|
keepalive: true
|
||||||
|
# compression: enable HTTP compression on upstream transport (parse test)
|
||||||
|
compression: true
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
probeResist: file:/tmp/decoy.html
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
probeResist: host:tcp-echo:5678
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
probeResist: code:404
|
||||||
|
knock: secret.example.com
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
probeResist: web:tcp-echo:5678
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
+7
@@ -0,0 +1,7 @@
|
|||||||
|
services:
|
||||||
|
- name: https-server
|
||||||
|
addr: :8443
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
listener:
|
||||||
|
type: tls
|
||||||
+9
@@ -0,0 +1,9 @@
|
|||||||
|
services:
|
||||||
|
- name: http-udp
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
metadata:
|
||||||
|
udp: true
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
Vendored
+20
@@ -0,0 +1,20 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
chain: h2-chain
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
chains:
|
||||||
|
- name: h2-chain
|
||||||
|
hops:
|
||||||
|
- name: hop-0
|
||||||
|
nodes:
|
||||||
|
- name: node-0
|
||||||
|
addr: {{.ServerAddr}}
|
||||||
|
connector:
|
||||||
|
type: http2
|
||||||
|
dialer:
|
||||||
|
type: http2
|
||||||
+23
@@ -0,0 +1,23 @@
|
|||||||
|
services:
|
||||||
|
- name: http-proxy
|
||||||
|
addr: :8080
|
||||||
|
handler:
|
||||||
|
type: http
|
||||||
|
chain: h2-chain
|
||||||
|
listener:
|
||||||
|
type: tcp
|
||||||
|
|
||||||
|
chains:
|
||||||
|
- name: h2-chain
|
||||||
|
hops:
|
||||||
|
- name: hop-0
|
||||||
|
nodes:
|
||||||
|
- name: node-0
|
||||||
|
addr: {{.ServerAddr}}
|
||||||
|
connector:
|
||||||
|
type: http2
|
||||||
|
auth:
|
||||||
|
username: user
|
||||||
|
password: pass
|
||||||
|
dialer:
|
||||||
|
type: http2
|
||||||
Vendored
+7
@@ -0,0 +1,7 @@
|
|||||||
|
services:
|
||||||
|
- name: h2-proxy
|
||||||
|
addr: :8443
|
||||||
|
handler:
|
||||||
|
type: http2
|
||||||
|
listener:
|
||||||
|
type: http2
|
||||||
+18
@@ -0,0 +1,18 @@
|
|||||||
|
services:
|
||||||
|
- name: h2-proxy-auth
|
||||||
|
addr: :8443
|
||||||
|
handler:
|
||||||
|
type: http2
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
# authBasicRealm: custom realm in 407 Proxy-Authenticate header
|
||||||
|
authBasicRealm: gost-e2e-realm
|
||||||
|
# hash: pin upstream selection by request host (metadata parse coverage)
|
||||||
|
hash: host
|
||||||
|
listener:
|
||||||
|
type: http2
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
+20
@@ -0,0 +1,20 @@
|
|||||||
|
bypasses:
|
||||||
|
- name: bypass-0
|
||||||
|
matchers:
|
||||||
|
- 0.0.0.0/0
|
||||||
|
|
||||||
|
services:
|
||||||
|
- name: h2-proxy-bypass
|
||||||
|
addr: :8443
|
||||||
|
handler:
|
||||||
|
type: http2
|
||||||
|
auther: auther-0
|
||||||
|
listener:
|
||||||
|
type: http2
|
||||||
|
bypass: bypass-0
|
||||||
|
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
@@ -0,0 +1,20 @@
|
|||||||
|
services:
|
||||||
|
- name: h2-proxy-pr
|
||||||
|
addr: :8443
|
||||||
|
handler:
|
||||||
|
type: http2
|
||||||
|
auther: auther-0
|
||||||
|
metadata:
|
||||||
|
# probeResist: hide the proxy behind a 404 decoy on auth failure
|
||||||
|
probeResist: code:404
|
||||||
|
# header: custom response headers set on proxy responses
|
||||||
|
header:
|
||||||
|
X-Proxy-Info: gost-e2e
|
||||||
|
authBasicRealm: gost-e2e-realm
|
||||||
|
listener:
|
||||||
|
type: http2
|
||||||
|
authers:
|
||||||
|
- name: auther-0
|
||||||
|
auths:
|
||||||
|
- username: user
|
||||||
|
password: pass
|
||||||
+81
-9
@@ -128,19 +128,94 @@ func udpEchoContainerRequest(_ context.Context, networkName string) testcontaine
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// RunDNSResponderContainer starts a UDP-based DNS responder for e2e DNS tests.
|
||||||
|
// The container is registered with the network alias "dns-server".
|
||||||
|
func RunDNSResponderContainer(ctx context.Context, networkName string) (testcontainers.Container, error) {
|
||||||
|
req := testcontainers.ContainerRequest{
|
||||||
|
FromDockerfile: testcontainers.FromDockerfile{
|
||||||
|
Context: ".",
|
||||||
|
Dockerfile: "Dockerfile",
|
||||||
|
Repo: "gost-e2e",
|
||||||
|
Tag: "latest",
|
||||||
|
KeepImage: true,
|
||||||
|
BuildOptionsModifier: func(opts *client.ImageBuildOptions) {
|
||||||
|
opts.NetworkMode = "host"
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Networks: []string{networkName},
|
||||||
|
NetworkAliases: map[string][]string{
|
||||||
|
networkName: {"dns-server"},
|
||||||
|
},
|
||||||
|
Files: []testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/dns_responder.py", ContainerFilePath: "/scripts/dns_server.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
ExposedPorts: []string{"5353/udp"},
|
||||||
|
Cmd: []string{"python3", "/scripts/dns_server.py"},
|
||||||
|
WaitingFor: wait.ForExposedPort().SkipInternalCheck(),
|
||||||
|
}
|
||||||
|
|
||||||
|
return testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
|
||||||
|
ContainerRequest: req,
|
||||||
|
Started: true,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
// RunTCPDNSResponderContainer starts a TCP-based DNS responder for e2e DNS tests.
|
||||||
|
// The container is registered with the network alias "dns-server".
|
||||||
|
func RunTCPDNSResponderContainer(ctx context.Context, networkName string) (testcontainers.Container, error) {
|
||||||
|
req := testcontainers.ContainerRequest{
|
||||||
|
FromDockerfile: testcontainers.FromDockerfile{
|
||||||
|
Context: ".",
|
||||||
|
Dockerfile: "Dockerfile",
|
||||||
|
Repo: "gost-e2e",
|
||||||
|
Tag: "latest",
|
||||||
|
KeepImage: true,
|
||||||
|
BuildOptionsModifier: func(opts *client.ImageBuildOptions) {
|
||||||
|
opts.NetworkMode = "host"
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Networks: []string{networkName},
|
||||||
|
NetworkAliases: map[string][]string{
|
||||||
|
networkName: {"dns-server"},
|
||||||
|
},
|
||||||
|
Files: []testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: "scripts/dns_responder_tcp.py", ContainerFilePath: "/scripts/dns_server.py", FileMode: 0644},
|
||||||
|
},
|
||||||
|
ExposedPorts: []string{"5353/tcp"},
|
||||||
|
Cmd: []string{"python3", "/scripts/dns_server.py"},
|
||||||
|
WaitingFor: wait.ForExposedPort(),
|
||||||
|
}
|
||||||
|
|
||||||
|
return testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
|
||||||
|
ContainerRequest: req,
|
||||||
|
Started: true,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
func RunGostContainer(ctx context.Context, networkName, yamlPath string) (testcontainers.Container, error) {
|
func RunGostContainer(ctx context.Context, networkName, yamlPath string) (testcontainers.Container, error) {
|
||||||
return runGostContainer(ctx, networkName, yamlPath, nil, nil)
|
return runGostContainer(ctx, networkName, yamlPath, nil, nil, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
func RunGostContainerWithPorts(ctx context.Context, networkName, yamlPath string, exposedPorts ...string) (testcontainers.Container, error) {
|
func RunGostContainerWithPorts(ctx context.Context, networkName, yamlPath string, exposedPorts ...string) (testcontainers.Container, error) {
|
||||||
return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts)
|
return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
func RunGostContainerWithOptions(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string) (testcontainers.Container, error) {
|
func RunGostContainerWithOptions(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string) (testcontainers.Container, error) {
|
||||||
return runGostContainer(ctx, networkName, yamlPath, aliases, exposedPorts)
|
return runGostContainer(ctx, networkName, yamlPath, aliases, exposedPorts, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string) (testcontainers.Container, error) {
|
// RunGostContainerWithFiles starts a gost container with extra files mounted.
|
||||||
|
func RunGostContainerWithFiles(ctx context.Context, networkName, yamlPath string, extraFiles []testcontainers.ContainerFile, exposedPorts ...string) (testcontainers.Container, error) {
|
||||||
|
return runGostContainer(ctx, networkName, yamlPath, nil, exposedPorts, extraFiles)
|
||||||
|
}
|
||||||
|
|
||||||
|
func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases, exposedPorts []string, extraFiles []testcontainers.ContainerFile) (testcontainers.Container, error) {
|
||||||
|
files := []testcontainers.ContainerFile{
|
||||||
|
{HostFilePath: GostBinPath, ContainerFilePath: "/bin/gost", FileMode: 0755},
|
||||||
|
{HostFilePath: yamlPath, ContainerFilePath: "/config.yaml", FileMode: 0644},
|
||||||
|
}
|
||||||
|
files = append(files, extraFiles...)
|
||||||
|
|
||||||
req := testcontainers.ContainerRequest{
|
req := testcontainers.ContainerRequest{
|
||||||
FromDockerfile: testcontainers.FromDockerfile{
|
FromDockerfile: testcontainers.FromDockerfile{
|
||||||
Context: ".",
|
Context: ".",
|
||||||
@@ -153,16 +228,13 @@ func runGostContainer(ctx context.Context, networkName, yamlPath string, aliases
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
ExposedPorts: exposedPorts,
|
ExposedPorts: exposedPorts,
|
||||||
// interal check for udp ports will be failed
|
// internal check for udp ports will be failed
|
||||||
WaitingFor: wait.ForExposedPort().SkipInternalCheck(),
|
WaitingFor: wait.ForExposedPort().SkipInternalCheck(),
|
||||||
Networks: []string{networkName},
|
Networks: []string{networkName},
|
||||||
NetworkAliases: map[string][]string{
|
NetworkAliases: map[string][]string{
|
||||||
networkName: aliases,
|
networkName: aliases,
|
||||||
},
|
},
|
||||||
Files: []testcontainers.ContainerFile{
|
Files: files,
|
||||||
{HostFilePath: GostBinPath, ContainerFilePath: "/bin/gost", FileMode: 0755},
|
|
||||||
{HostFilePath: yamlPath, ContainerFilePath: "/config.yaml", FileMode: 0644},
|
|
||||||
},
|
|
||||||
Cmd: []string{"/bin/gost", "-C", "/config.yaml"},
|
Cmd: []string{"/bin/gost", "-C", "/config.yaml"},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user