refactor(handler/http): extract Authenticator, SnifferBuilder, and normalizeRequest as testable units

Extract three pure-logic components from httpHandler to eliminate I/O
coupling from auth and sniffing construction, enabling synchronous unit
tests and reducing per-request allocation in sniffAndHandle:

- Authenticator struct with AuthResult return type — auth decisions no
  longer write to the connection; callers handle response I/O. Auth
  tests drop net.Pipe/goroutines for direct return-value assertions.
- SnifferBuilder pre-built in Init and reused per-connection via Build(),
  replacing inline sniffing.Sniffer{} construction in sniffAndHandle.
- normalizeRequest extracted to util.go with NormalizedRequest type,
  collapsing 20 lines of inline URL/normalisation into a single call.
- knockMatch extracted as standalone pure function.
- clampBodySize exported as ClampBodySize for cross-package use.
- util_test.go with 22 tests covering utility functions.
- helpers_test.go consolidates shared test fakes (logger, observer, conn).
This commit is contained in:
ginuerzh
2026-05-29 00:14:44 +08:00
parent c246a1d4fa
commit 23b58ddd23
18 changed files with 685 additions and 524 deletions
+127 -305
View File
@@ -1,19 +1,16 @@
package http
import (
"bufio"
"context"
"net"
"net/http"
"testing"
"time"
"github.com/go-gost/core/auth"
"github.com/go-gost/core/handler"
"github.com/go-gost/core/limiter"
"github.com/go-gost/core/limiter/rate"
"github.com/go-gost/core/limiter/traffic"
"github.com/go-gost/core/logger"
)
// stubAuther implements auth.Authenticator for testing.
@@ -26,345 +23,185 @@ func (a *stubAuther) Authenticate(ctx context.Context, user, password string, op
return a.id, a.accept
}
// testLogger implements logger.Logger for testing.
type testLogger struct{}
func (l *testLogger) WithFields(fields map[string]any) logger.Logger { return l }
func (l *testLogger) Debug(args ...any) {}
func (l *testLogger) Debugf(format string, args ...any) {}
func (l *testLogger) Info(args ...any) {}
func (l *testLogger) Infof(format string, args ...any) {}
func (l *testLogger) Warn(args ...any) {}
func (l *testLogger) Warnf(format string, args ...any) {}
func (l *testLogger) Error(args ...any) {}
func (l *testLogger) Errorf(format string, args ...any) {}
func (l *testLogger) Fatal(args ...any) {}
func (l *testLogger) Fatalf(format string, args ...any) {}
func (l *testLogger) GetLevel() logger.LogLevel { return logger.InfoLevel }
func (l *testLogger) IsLevelEnabled(level logger.LogLevel) bool { return false }
func (l *testLogger) Trace(args ...any) {}
func (l *testLogger) Tracef(format string, args ...any) {}
// --- Authenticator tests (synchronous — no net.Pipe or goroutines) ---
func TestAuthenticate_NoAuther(t *testing.T) {
h := &httpHandler{
options: handler.Options{
Logger: &testLogger{},
},
}
h.md.proxyAgent = defaultProxyAgent
client, server := net.Pipe()
defer client.Close()
defer server.Close()
a := &Authenticator{}
req, _ := http.NewRequest("GET", "http://example.com/", nil)
resp := &http.Response{
ProtoMajor: 1,
ProtoMinor: 1,
Header: http.Header{},
ContentLength: -1,
result := a.Authenticate(context.Background(), req)
if !result.OK {
t.Fatal("expected OK=true when no Auther")
}
if result.ClientID != "" {
t.Errorf("expected empty client ID, got %q", result.ClientID)
}
// Read the response from authenticate in a goroutine
go func() {
h.authenticate(context.Background(), server, req, resp, &testLogger{})
}()
// Client side: read the response back
// With no auther, authenticate returns early with ok=true, no response written
br := bufio.NewReader(client)
// The response shouldn't be written when auth succeeds
time.Sleep(50 * time.Millisecond)
// Connection should be clean - no data to read
_ = br
}
func TestAuthenticate_Success(t *testing.T) {
h := &httpHandler{
options: handler.Options{
Auther: &stubAuther{accept: true, id: "testuser"},
Logger: &testLogger{},
},
a := &Authenticator{
Auther: &stubAuther{accept: true, id: "testuser"},
}
h.md.proxyAgent = defaultProxyAgent
client, server := net.Pipe()
defer client.Close()
defer server.Close()
req, _ := http.NewRequest("GET", "http://example.com/", nil)
req.Header.Set("Proxy-Authorization", "Basic dGVzdHVzZXI6cGFzc3dvcmQ=") // testuser:password
resp := &http.Response{
ProtoMajor: 1,
ProtoMinor: 1,
Header: http.Header{},
ContentLength: -1,
req.Header.Set("Proxy-Authorization", "Basic dGVzdHVzZXI6cGFzc3dvcmQ=")
result := a.Authenticate(context.Background(), req)
if !result.OK {
t.Fatal("expected auth success")
}
if result.ClientID != "testuser" {
t.Errorf("got id %q, want testuser", result.ClientID)
}
done := make(chan struct{})
go func() {
defer close(done)
id, ok := h.authenticate(context.Background(), server, req, resp, &testLogger{})
if !ok {
t.Error("expected auth success")
}
if id != "testuser" {
t.Errorf("got id %q, want %q", id, "testuser")
}
}()
time.Sleep(50 * time.Millisecond)
// Auth succeeded, no response written to client
_ = client
<-done
}
func TestAuthenticate_Failure(t *testing.T) {
h := &httpHandler{
options: handler.Options{
Auther: &stubAuther{accept: false},
Logger: &testLogger{},
},
a := &Authenticator{
Auther: &stubAuther{accept: false},
Realm: "gost",
}
h.md.proxyAgent = defaultProxyAgent
client, server := net.Pipe()
defer client.Close()
defer server.Close()
req, _ := http.NewRequest("GET", "http://example.com/", nil)
req.Header.Set("Proxy-Authorization", "Basic dGVzdHVzZXI6cGFzc3dvcmQ=")
resp := &http.Response{
ProtoMajor: 1,
ProtoMinor: 1,
Header: http.Header{},
ContentLength: -1,
result := a.Authenticate(context.Background(), req)
if result.OK {
t.Fatal("expected auth failure")
}
go func() {
h.authenticate(context.Background(), server, req, resp, &testLogger{})
}()
// Read the 407 response
br := bufio.NewReader(client)
r, err := http.ReadResponse(br, req)
if err != nil {
t.Fatalf("failed to read auth response: %v", err)
if result.Response == nil {
t.Fatal("expected non-nil response on failure")
}
defer r.Body.Close()
if r.StatusCode != http.StatusProxyAuthRequired {
t.Errorf("got status %d, want %d", r.StatusCode, http.StatusProxyAuthRequired)
if result.Response.StatusCode != http.StatusProxyAuthRequired {
t.Errorf("got status %d, want %d", result.Response.StatusCode, http.StatusProxyAuthRequired)
}
if r.Header.Get("Proxy-Authenticate") == "" {
if result.Response.Header.Get("Proxy-Authenticate") == "" {
t.Error("expected Proxy-Authenticate header")
}
}
func TestAuthenticate_ProbeResistanceCode(t *testing.T) {
h := &httpHandler{
options: handler.Options{
Auther: &stubAuther{accept: false},
Logger: &testLogger{},
},
a := &Authenticator{
Auther: &stubAuther{accept: false},
PR: &probeResistance{Type: "code", Value: "404"},
}
h.md.proxyAgent = defaultProxyAgent
h.md.probeResistance = &probeResistance{Type: "code", Value: "404"}
client, server := net.Pipe()
defer client.Close()
defer server.Close()
req, _ := http.NewRequest("GET", "http://example.com/", nil)
resp := &http.Response{
ProtoMajor: 1,
ProtoMinor: 1,
Header: http.Header{},
ContentLength: -1,
result := a.Authenticate(context.Background(), req)
if result.OK {
t.Fatal("expected auth failure")
}
go func() {
h.authenticate(context.Background(), server, req, resp, &testLogger{})
}()
br := bufio.NewReader(client)
r, err := http.ReadResponse(br, req)
if err != nil {
t.Fatalf("failed to read probe resistance response: %v", err)
}
defer r.Body.Close()
if r.StatusCode != 404 {
t.Errorf("got status %d, want 404", r.StatusCode)
if result.Response.StatusCode != 404 {
t.Errorf("got status %d, want 404", result.Response.StatusCode)
}
}
func TestAuthenticate_ProbeResistanceKnock(t *testing.T) {
h := &httpHandler{
options: handler.Options{
Auther: &stubAuther{accept: false},
Logger: &testLogger{},
},
a := &Authenticator{
Auther: &stubAuther{accept: false},
Realm: "gost",
PR: &probeResistance{Type: "code", Value: "404", Knock: "secret.example.com"},
}
h.md.proxyAgent = defaultProxyAgent
// Knock matches - probe resistance should be bypassed, fall through to 407
h.md.probeResistance = &probeResistance{Type: "code", Value: "404", Knock: "secret.example.com"}
client, server := net.Pipe()
defer client.Close()
defer server.Close()
req, _ := http.NewRequest("GET", "http://secret.example.com/", nil)
resp := &http.Response{
ProtoMajor: 1,
ProtoMinor: 1,
Header: http.Header{},
ContentLength: -1,
result := a.Authenticate(context.Background(), req)
if result.OK {
t.Fatal("expected auth failure")
}
go func() {
h.authenticate(context.Background(), server, req, resp, &testLogger{})
}()
br := bufio.NewReader(client)
r, err := http.ReadResponse(br, req)
if err != nil {
t.Fatalf("failed to read response: %v", err)
}
defer r.Body.Close()
// Knock matches, so probe resistance is bypassed, get normal 407
if r.StatusCode != http.StatusProxyAuthRequired {
t.Errorf("got status %d, want %d (knock matched, should bypass probe resistance)", r.StatusCode, http.StatusProxyAuthRequired)
// Knock matches, probe resistance bypassed → 407
if result.Response.StatusCode != http.StatusProxyAuthRequired {
t.Errorf("got status %d, want %d (knock matched, bypass probe resistance)",
result.Response.StatusCode, http.StatusProxyAuthRequired)
}
}
func TestAuthenticate_ProbeResistanceKnockMismatch(t *testing.T) {
h := &httpHandler{
options: handler.Options{
Auther: &stubAuther{accept: false},
Logger: &testLogger{},
},
a := &Authenticator{
Auther: &stubAuther{accept: false},
PR: &probeResistance{Type: "code", Value: "503", Knock: "secret.example.com"},
}
h.md.proxyAgent = defaultProxyAgent
// Knock doesn't match - probe resistance should activate
h.md.probeResistance = &probeResistance{Type: "code", Value: "503", Knock: "secret.example.com"}
client, server := net.Pipe()
defer client.Close()
defer server.Close()
req, _ := http.NewRequest("GET", "http://other.example.com/", nil)
resp := &http.Response{
ProtoMajor: 1,
ProtoMinor: 1,
Header: http.Header{},
ContentLength: -1,
result := a.Authenticate(context.Background(), req)
if result.OK {
t.Fatal("expected auth failure")
}
go func() {
h.authenticate(context.Background(), server, req, resp, &testLogger{})
}()
br := bufio.NewReader(client)
r, err := http.ReadResponse(br, req)
if err != nil {
t.Fatalf("failed to read response: %v", err)
}
defer r.Body.Close()
// Knock doesn't match, probe resistance activates
if r.StatusCode != 503 {
t.Errorf("got status %d, want 503", r.StatusCode)
// Knock doesn't match, probe resistance activates → 503
if result.Response.StatusCode != 503 {
t.Errorf("got status %d, want 503", result.Response.StatusCode)
}
}
func TestAuthenticate_ProbeResistanceKnockMultiMatch(t *testing.T) {
h := &httpHandler{
options: handler.Options{
Auther: &stubAuther{accept: false},
Logger: &testLogger{},
a := &Authenticator{
Auther: &stubAuther{accept: false},
Realm: "gost",
PR: &probeResistance{
Type: "code",
Value: "404",
Knock: "a.example.com, b.example.com, secret.example.com",
},
}
h.md.proxyAgent = defaultProxyAgent
// Third entry matches — probe resistance should be bypassed, return 407
h.md.probeResistance = &probeResistance{
Type: "code",
Value: "404",
Knock: "a.example.com, b.example.com, secret.example.com",
}
client, server := net.Pipe()
defer client.Close()
defer server.Close()
req, _ := http.NewRequest("GET", "http://secret.example.com/", nil)
resp := &http.Response{
ProtoMajor: 1,
ProtoMinor: 1,
Header: http.Header{},
ContentLength: -1,
result := a.Authenticate(context.Background(), req)
if result.OK {
t.Fatal("expected auth failure")
}
go func() {
h.authenticate(context.Background(), server, req, resp, &testLogger{})
}()
br := bufio.NewReader(client)
r, err := http.ReadResponse(br, req)
if err != nil {
t.Fatalf("failed to read response: %v", err)
}
defer r.Body.Close()
if r.StatusCode != http.StatusProxyAuthRequired {
t.Errorf("got status %d, want %d (knock matched, should bypass probe resistance)", r.StatusCode, http.StatusProxyAuthRequired)
if result.Response.StatusCode != http.StatusProxyAuthRequired {
t.Errorf("got status %d, want %d (knock matched, bypass probe resistance)",
result.Response.StatusCode, http.StatusProxyAuthRequired)
}
}
func TestAuthenticate_ProbeResistanceKnockMultiMismatch(t *testing.T) {
h := &httpHandler{
options: handler.Options{
Auther: &stubAuther{accept: false},
Logger: &testLogger{},
a := &Authenticator{
Auther: &stubAuther{accept: false},
PR: &probeResistance{
Type: "code",
Value: "503",
Knock: "a.example.com, b.example.com",
},
}
h.md.proxyAgent = defaultProxyAgent
// No entry matches — probe resistance should activate
h.md.probeResistance = &probeResistance{
Type: "code",
Value: "503",
Knock: "a.example.com, b.example.com",
}
client, server := net.Pipe()
defer client.Close()
defer server.Close()
req, _ := http.NewRequest("GET", "http://other.example.com/", nil)
resp := &http.Response{
ProtoMajor: 1,
ProtoMinor: 1,
Header: http.Header{},
ContentLength: -1,
result := a.Authenticate(context.Background(), req)
if result.OK {
t.Fatal("expected auth failure")
}
go func() {
h.authenticate(context.Background(), server, req, resp, &testLogger{})
}()
br := bufio.NewReader(client)
r, err := http.ReadResponse(br, req)
if err != nil {
t.Fatalf("failed to read response: %v", err)
}
defer r.Body.Close()
if r.StatusCode != 503 {
t.Errorf("got status %d, want 503", r.StatusCode)
if result.Response.StatusCode != 503 {
t.Errorf("got status %d, want 503", result.Response.StatusCode)
}
}
func TestAuthenticate_ProbeResistanceHost(t *testing.T) {
a := &Authenticator{
Auther: &stubAuther{accept: false},
PR: &probeResistance{Type: "host", Value: "1.2.3.4:80"},
}
req, _ := http.NewRequest("GET", "http://example.com/", nil)
result := a.Authenticate(context.Background(), req)
if result.OK {
t.Fatal("expected auth failure")
}
if result.PipeTo != "1.2.3.4:80" {
t.Errorf("got PipeTo %q, want 1.2.3.4:80", result.PipeTo)
}
if result.Response != nil {
t.Error("expected nil Response for host probe resistance")
}
}
func TestAuthenticate_ProbeResistanceInvalidCode(t *testing.T) {
a := &Authenticator{
Auther: &stubAuther{accept: false},
Realm: "gost",
PR: &probeResistance{Type: "code", Value: "not-a-number"},
}
req, _ := http.NewRequest("GET", "http://example.com/", nil)
result := a.Authenticate(context.Background(), req)
if result.OK {
t.Fatal("expected auth failure")
}
// Invalid code → status stays at 503 (the probe resistance default)
if result.Response.StatusCode != http.StatusServiceUnavailable {
t.Errorf("got status %d, want %d (invalid code keeps default 503)",
result.Response.StatusCode, http.StatusServiceUnavailable)
}
}
// --- knockMatch tests ---
func TestKnockMatch(t *testing.T) {
tests := []struct {
hostname string
@@ -389,11 +226,12 @@ func TestKnockMatch(t *testing.T) {
}
}
// --- checkRateLimit tests ---
func TestCheckRateLimit_NoLimiter(t *testing.T) {
h := &httpHandler{
options: handler.Options{},
}
addr := &net.TCPAddr{IP: net.ParseIP("1.2.3.4"), Port: 12345}
if !h.checkRateLimit(addr) {
t.Error("checkRateLimit should return true when no limiter is set")
@@ -401,13 +239,11 @@ func TestCheckRateLimit_NoLimiter(t *testing.T) {
}
func TestCheckRateLimit_WithLimiter(t *testing.T) {
// Create a handler with a rate limiter that blocks everything
h := &httpHandler{
options: handler.Options{
RateLimiter: &stubRateLimiter{allow: false, limiter: &stubLimiter{allow: false}},
},
}
addr := &net.TCPAddr{IP: net.ParseIP("1.2.3.4"), Port: 12345}
if h.checkRateLimit(addr) {
t.Error("checkRateLimit should return false when limiter denies")
@@ -420,7 +256,6 @@ func TestCheckRateLimit_Allow(t *testing.T) {
RateLimiter: &stubRateLimiter{allow: true, limiter: &stubLimiter{allow: true}},
},
}
addr := &net.TCPAddr{IP: net.ParseIP("1.2.3.4"), Port: 12345}
if !h.checkRateLimit(addr) {
t.Error("checkRateLimit should return true when limiter allows")
@@ -433,34 +268,22 @@ func TestCheckRateLimit_NilAddr(t *testing.T) {
RateLimiter: &stubRateLimiter{allow: true, limiter: &stubLimiter{allow: true}},
},
}
// Nil addr should not panic - robustness check
func() {
defer func() {
if r := recover(); r != nil {
t.Errorf("checkRateLimit panicked with nil addr: %v", r)
}
}()
// This may panic if addr.String() is called on nil - that's a String() panic, not ours
// But we should guard against it
_ = h.checkRateLimit(nil) //nolint
_ = h.checkRateLimit(nil)
}()
}
// testRecorderObject is a recorder.RecorderObject for testing.
var testRecorderObject = struct {
Record string
Options *testRecorderOptions
}{Record: "serviceHandler"}
type testRecorderOptions struct {
HTTPBody bool
}
// --- Stub implementations (used by multiple test files) ---
// stubRateLimiter implements rate.RateLimiter for testing.
type stubRateLimiter struct {
allow bool
limiter *stubLimiter
allow bool
limiter *stubLimiter
}
func (l *stubRateLimiter) Limiter(key string) rate.Limiter {
@@ -475,9 +298,9 @@ type stubLimiter struct {
allow bool
}
func (l *stubLimiter) Allow(n int) bool { return l.allow }
func (l *stubLimiter) AllowN(n int) bool { return l.allow }
func (l *stubLimiter) Limit() float64 { return 0 }
func (l *stubLimiter) Allow(n int) bool { return l.allow }
func (l *stubLimiter) AllowN(n int) bool { return l.allow }
func (l *stubLimiter) Limit() float64 { return 0 }
// testTrafficLimiter implements traffic.TrafficLimiter for testing.
type testTrafficLimiter struct{}
@@ -497,4 +320,3 @@ type testTLimiter struct{}
func (l *testTLimiter) Wait(ctx context.Context, n int) int { return n }
func (l *testTLimiter) Limit() int { return 0 }
func (l *testTLimiter) Set(n int) {}