feat(webconnectivityqa): import misconfigured-TLS test cases (ooni#1243)
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This diff imports the misconfigured-TLS test cases of the QA/webconnectivity.py test suite in webconnectivityqa. The only QA/webconnectivity.py test case we're not merging is the one about self-signed certificate, which is equivalent enough to an unknown root certificate that it seems unimportant to merge it. In other words, we have basically finished rewriting Jafar. Now it will be time to drop Jafar. 😅
1 parent
f7189e0
commit 4e58066
Showing
10 changed files
with
375 additions
and
158 deletions.
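--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,101 @@
+package webconnectivityqa
+
+import (
+"github.com/ooni/netem"
+"github.com/ooni/probe-cli/v3/internal/netemx"
+)
+
+// Sometimes people we measure the websites of let their certificates expire and
+// we want to be confident about correctly measuring this condition
+func badSSLWithExpiredCertificate() *TestCase {
+return &TestCase{
+Name: "badSSLWithExpiredCertificate",
+Flags: TestCaseFlagNoLTE, // LTE flags it correctly but let's focus on v0.4 for now
+Input: "https://expired.badssl.com/",
+Configure: func(env *netemx.QAEnv) {
+// nothing
+},
+ExpectErr: false,
+ExpectTestKeys: &testKeys{
+DNSConsistency: "consistent",
+HTTPExperimentFailure: "ssl_invalid_certificate",
+XStatus: 16, // StatusAnomalyControlFailure
+XNullNullFlags: 4, // analysisFlagNullNullTLSMisconfigured
+Accessible: nil,
+Blocking: nil,
+},
+}
+}
+
+// Sometimes people we measure the websites of misconfigured the certificate names and
+// we want to be confident about correctly measuring this condition
+func badSSLWithWrongServerName() *TestCase {
+return &TestCase{
+Name: "badSSLWithWrongServerName",
+Flags: TestCaseFlagNoLTE, // LTE flags it correctly but let's focus on v0.4 for now
+Input: "https://wrong.host.badssl.com/",
+Configure: func(env *netemx.QAEnv) {
+// nothing
+},
+ExpectErr: false,
+ExpectTestKeys: &testKeys{
+DNSConsistency: "consistent",
+HTTPExperimentFailure: "ssl_invalid_hostname",
+XStatus: 16, // StatusAnomalyControlFailure
+XNullNullFlags: 4, // analysisFlagNullNullTLSMisconfigured
+Accessible: nil,
+Blocking: nil,
+},
+}
+}
+
+// Let's be sure we correctly flag a website using an unknown-to-us authority.
+func badSSLWithUnknownAuthorityWithConsistentDNS() *TestCase {
+return &TestCase{
+Name: "badSSLWithUnknownAuthorityWithConsistentDNS",
+Flags: TestCaseFlagNoLTE, // LTE flags it correctly but let's focus on v0.4 for now
+Input: "https://untrusted-root.badssl.com/",
+Configure: func(env *netemx.QAEnv) {
+// nothing
+},
+ExpectErr: false,
+ExpectTestKeys: &testKeys{
+DNSConsistency: "consistent",
+HTTPExperimentFailure: "ssl_unknown_authority",
+XStatus: 16, // StatusAnomalyControlFailure
+XNullNullFlags: 4, // analysisFlagNullNullTLSMisconfigured
+Accessible: nil,
+Blocking: nil,
+},
+}
+}
+
+// This test case models when we're redirected to a blockpage website using a custom CA.
+func badSSLWithUnknownAuthorityWithInconsistentDNS() *TestCase {
+return &TestCase{
+Name: "badSSLWithUnknownAuthorityWithInconsistentDNS",
+Flags: 0,
+Input: "https://www.example.com/",
+Configure: func(env *netemx.QAEnv) {
+
+// add DPI rule to force all the cleartext DNS queries to
+// point the client to used the ISPProxyAddress
+env.DPIEngine().AddRule(&netem.DPISpoofDNSResponse{
+Addresses: []string{netemx.AddressBadSSLCom},
+Logger: env.Logger(),
+Domain: "www.example.com",
+})
+
+},
+ExpectErr: false,
+ExpectTestKeys: &testKeys{
+DNSConsistency: "inconsistent",
+HTTPExperimentFailure: "ssl_unknown_authority",
+XStatus: 9248, // StatusExperimentHTTP | StatusAnomalyTLSHandshake | StatusAnomalyDNS
+XDNSFlags: 4, // AnalysisDNSUnexpectedAddrs
+XBlockingFlags: 33, // analysisFlagSuccess | analysisFlagDNSBlocking
+Accessible: false,
+Blocking: "dns",
+},
+}
+}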
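Review bot: The comment inside the Configure closure of badSSLWithUnknownAuthorityWithInconsistentDNS says the spoofed DNS answer points the client to "the ISPProxyAddress", but the rule below it answers with `netemx.AddressBadSSLCom`; the wording looks carried over from another test case and misdescribes what the hijack does, which matters because this is the one case whose expected verdict ("dns" blocking, XDNSFlags 4) depends on that address being unexpected. Suggest `// add DPI rule to spoof cleartext DNS answers for www.example.com so the` / `// client reaches the badssl.com server, whose CA we do not trust`. The doc comments on badSSLWithExpiredCertificate and badSSLWithWrongServerName could likewise be tightened, e.g. `// The operators of websites we measure sometimes let certificates expire;` / `// make sure we measure that condition correctly rather than calling it blocking.` The repeated "// LTE flags it correctly but let's focus on v0.4 for now" note would read better once, as a package-level comment, than copied onto three Flags fields.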
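--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,51 @@
+package webconnectivityqa
+
+import (
+"net/http"
+"testing"
+
+"github.com/apex/log"
+"github.com/ooni/probe-cli/v3/internal/netemx"
+"github.com/ooni/probe-cli/v3/internal/netxlite"
+"github.com/ooni/probe-cli/v3/internal/runtimex"
+)
+
+func TestBadSSLConditions(t *testing.T) {
+type testCaseConfig struct {
+expectedErr string
+testCase *TestCase
+}
+
+testcases := []*testCaseConfig{{
+expectedErr: "ssl_unknown_authority",
+testCase: badSSLWithUnknownAuthorityWithConsistentDNS(),
+}, {
+expectedErr: "ssl_invalid_certificate",
+testCase: badSSLWithExpiredCertificate(),
+}, {
+expectedErr: "ssl_invalid_hostname",
+testCase: badSSLWithWrongServerName(),
+}, {
+expectedErr: "ssl_unknown_authority",
+testCase: badSSLWithUnknownAuthorityWithInconsistentDNS(),
+}}
+
+for _, tc := range testcases {
+t.Run(tc.testCase.Name, func(t *testing.T) {
+env := netemx.MustNewScenario(netemx.InternetScenario)
+tc.testCase.Configure(env)
+
+env.Do(func() {
+client := netxlite.NewHTTPClientStdlib(log.Log)
+req := runtimex.Try1(http.NewRequest("GET", tc.testCase.Input, nil))
+resp, err := client.Do(req)
+if err == nil || err.Error() != tc.expectedErr {
+t.Fatal("unexpected err", err)
+}
+if resp != nil {
+t.Fatal("expected nil resp")
+}
+})
+})
+}
+}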
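Review bot: Each subtest in TestBadSSLConditions builds a fresh scenario with `netemx.MustNewScenario` but never releases it, so the four emulated networks stay alive until the process exits; if QAEnv exposes a Close method as the other netemx scenario tests use, add `defer env.Close()` directly after the MustNewScenario line. The expectedErr strings in the table appear to duplicate the HTTPExperimentFailure values that each test case already sets in ExpectTestKeys, so the two can drift apart silently; deriving the expectation from the test case (with a type assertion if that field is declared as any) would keep a single source of truth. A short comment on the nil-response check would help a reader, e.g. `// a TLS handshake failure must not produce a response at all`.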