feat: add the openvpn experiment #1585
Conversation
|
tests green again after latest additions. |
There was a problem hiding this comment.
My main, still open, design question is about whether we would be able to easily disable the experiment via the OONI backend API if it misbehaves. This is my main reason for saying "request changes". My understanding is that, if the OONI backend does not return any target to measure, then the experiment will use the defaults configured for "riseupvpn". I do not think this is desirable at this stage, because we still think at this experiment as unstable and we would like to have a chance to configure it to not run remotely. How could we achieve this? Would removing the hardcoded fallback be a possibility?
Apart from that, I have done a careful review that includes:
-
several minimal cosmetic requests including documenting public fields
-
suggestions and questions about simplifying the codebase a bit
-
small design questions
internal/engine/inputloader.go
Outdated
| for _, provider := range openvpn.APIEnabledProviders { | ||
| reply, err := il.vpnConfig(ctx, provider) | ||
| if err != nil { | ||
| break |
There was a problem hiding this comment.
If you want to stop at the first error, you should return an error here. Looking at the context of the code, it seems to me the semantics to want is to ignore (and maybe warn?) on error. To this end, you should continue here.
There was a problem hiding this comment.
tx for pointing this out! this for loop is not really used atm, so I'll go with returning the error
internal/engine/inputloader.go
Outdated
| // here we're just collecting all the inputs. we also cache the configs so that | ||
| // each experiment run can access the credentials for a given provider. |
There was a problem hiding this comment.
I don't see where you're caching the configs in the following two lines
There was a problem hiding this comment.
you're right - cacheing happens in the session method. updated the comment.
| }, | ||
| } | ||
|
|
||
| // Shuffle returns a shuffled copy of the endpointList. |
There was a problem hiding this comment.
Is it really a shuffled copy? It seems to me this is shuffling e itself.
To make a shuffled copy you need to do something like this:
copy := append([]endpointList{}, e...)and then you need to do a rand.Shuffle on copy (obviously).
Also, I'd rename this method Shuffled (like Python's sort and sorted).
There was a problem hiding this comment.
noted. I changed the docstring to reflect that we mutate the list in place.
in any case, I'll probably stop using the default endpoint list, so probably this code needs to be deleted soon.
| } | ||
|
|
||
| func TestAddConnectionTestKeys(t *testing.T) { | ||
| t.Run("append connection result to empty keys", func(t *testing.T) { |
There was a problem hiding this comment.
Please, add a test for the UDP case as well
|
For disabling the experiment: would this work? 8c5fa11 would this be handled correctly by the mobile/desktop apps just by returning an error? right now if the HTTP client finds a 404 miniooni panics btw, I'm not sure if I need to catch this error explicitely. |
|
addressed the comments in the review; I think the only case I'd still defend is adding a boolean for success (in the top-level OpenVPN handshake archival result, I have removed the nested result struct) since I think simplifies analysis in some cases (ooni data can always override it) do note that after agreeing on the failure/success format, I'll need to modify the spec accordingly! |
|
tests seem to be failing for an unrelated reason |
|
Added a couple of commits, one for accepting options in the oonirun descriptor (not used at the moment), and the other using {
"name": "openvpn-riseup",
"description": "measure vpn connection to riseup gateway",
"author": "Ain Ghazal <ain@openobservatory.org>",
"nettests": [
{
"test_name": "openvpn",
"inputs": [
"openvpn://riseupvpn.corp/?address=51.15.187.53:53&transport=udp"
],
"options": {
"Cipher": "AES-256-GCM",
"Auth": "SHA512",
"Compress": "",
"Obfuscation": "none",
"SafeCA": "-----BEGIN CERTIFICATE-----\nMIIBYjCCAQigAwIBAgIBATAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxMRUFQIFJv\nb3QgQ0EwHhcNMjExMTAyMTkwNTM3WhcNMjYxMTAyMTkxMDM3WjAXMRUwEwYDVQQD\nEwxMRUFQIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQxOXBGu+gf\npjHzVteGTWL6XnFxtEnKMFpKaJkA/VOHmESzoLsZRQxt88GssxaqC01J17idQiqv\nzgNpedmtvFtyo0UwQzAOBgNVHQ8BAf8EBAMCAqQwEgYDVR0TAQH/BAgwBgEB/wIB\nATAdBgNVHQ4EFgQUZdoUlJrCIUNFrpffAq+LQjnwEz4wCgYIKoZIzj0EAwIDSAAw\nRQIgfr3w4tnRG+NdI3LsGPlsRktGK20xHTzsB3orB0yC6cICIQCB+/9y8nmSStfN\nVUMUyk2hNd7/kC8nL222TTD7VZUtsg==\n-----END CERTIFICATE-----",
"SafeCert": "-----BEGIN CERTIFICATE-----\nMIICdzCCAh2gAwIBAgIQaiLN8Wt8B7n/fkNAb0dPhjAKBggqhkjOPQQDAjAzMTEw\nLwYDVQQDDChMRUFQIFJvb3QgQ0EgKGNsaWVudCBjZXJ0aWZpY2F0ZXMgb25seSEp\nMB4XDTI0MDUyMzExNDYzOFoXDTI0MDYyNzExNDYzOFowFDESMBAGA1UEAxMJVU5M\nSU1JVEVEMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6/FnGI7yIw0P\nb1p+IRiTrLi+lc2bacboPE//bsTFBh+PuTudyZeGY9mxZDd1wBauwBux8nnSnaKK\nJGzd+5xQrG9xlb19aMSBWpS8+rdCz03zEG31SQgwSAAUjmYsDEhstwY329K7noCZ\n125Dp5HIPZYRS5Xbc5NirazrRongsYdq53Mlmp2S/KPFBo6LkkNppBcSzIo6wsUo\n96PViTy15yA4PWhrI5dP798Wg7od4R5Q/cM+zyaxoycwKUck4Ixhqw7nod8OBXZu\nwITKGGqFmMtAQAa8FZG1y+e85O7GH55K/W/3sO5T4fcV+A9V5AyynRQfZbxvIT0I\nbMX1/y7+WwIDAQABo2cwZTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwIwHQYDVR0OBBYEFJ81OtiqvnHEnXngCTa2wpyPeOhKMB8GA1UdIwQYMBaA\nFH1KYtj/K0nEebaisdyOPmMHXKj+MAoGCCqGSM49BAMCA0gAMEUCIBmbOvPti2bM\nEkjHRoCRE4h09da1YMDdYhYgndmnQaeMAiEAs0RqX86JTcB2M4FkW+gw1ni3Okuc\ntBKwmlxGufWxzpE=\n-----END CERTIFICATE-----",
"SafeKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEA6/FnGI7yIw0Pb1p+IRiTrLi+lc2bacboPE//bsTFBh+PuTud\nyZeGY9mxZDd1wBauwBux8nnSnaKKJGzd+5xQrG9xlb19aMSBWpS8+rdCz03zEG31\nSQgwSAAUjmYsDEhstwY329K7noCZ125Dp5HIPZYRS5Xbc5NirazrRongsYdq53Ml\nmp2S/KPFBo6LkkNppBcSzIo6wsUo96PViTy15yA4PWhrI5dP798Wg7od4R5Q/cM+\nzyaxoycwKUck4Ixhqw7nod8OBXZuwITKGGqFmMtAQAa8FZG1y+e85O7GH55K/W/3\nsO5T4fcV+A9V5AyynRQfZbxvIT0IbMX1/y7+WwIDAQABAoIBAHLmFUmtWxdcpdaZ\nX/DoEgo70XwMK5Hgbnnoj0C3DCeGOSyAbr+cTbLUcYGXTH1lzmX5Vrf5QWrIm7NP\nXO7J2bOPdeXw6GCbyU5+PmVt11gy4ppuodOV7EUz3M7XzL2Si3a5zXv8bKesgr6Z\nkNLKuJPdP8DqUns/G//txImOXWC13QFk0KGeEzWU5/5tXR8SP/wft68sYQiNmfPw\nxGIuqIs/ILsEYM/vXirBx3Q4KyfrJZ71X3ueRKxhxnMAN6wztYqwa7A9NjSMu566\npjG2c0tBXEk+IrX4ehXk/+tM9oCHM+gV19uOky56mTjNQEetFibMbd8u/5zF/pga\niu+KEBECgYEA/qklejvogI4jFA0pwK//3gYMostn+hq4pM3yBHGgxNuJu2PQr7oP\nZ8KUaHIoZOb/FD2E/JuYkpA6raIWVd/7R+oVwq8OVPpKxtAtjD9u4+gHvkpDF1dv\nNkwHSeG9+9EOcNeqCHzGLK6VJys0FVEBOJSWgGy5xsjvFsYpbrLaJdMCgYEA7S8O\na9RoA0AEr3B/zcrGRKZceyF/z7maOYEUuZL8Cf4GxSciQN5DddcYXl5yzjFUiubV\ncM4kzqvQfBrVYFhNAHOPVQ4Unp+UzEWKe3juPnYVJOh0GLreW0nSC2QMftSZrspC\nlgDr2d3q06tAXDNKo0mko6b4MQF6GzdpNTcpyFkCgYAxutpEuno20IrtGXzz0erH\ncqr5B3uwjZNNK6J9V6srhiupWl6gUlc7zfWpR9G3kpxxWWok4kWzKVMsISD3eBvb\n+UxyjjjgQ1hi5rheUOzYuLD6agob/skK82Hg/aJaEIMfah4cNjGE/DrIQVmUaBMy\n92FEhvboaMi3y86/fVG4XQKBgBBRhX97vLBEjk33woNJKTz96Sz7kAydq3O7Ys6l\nwzt4w8R6vcuSvzdzVhTgEKwJDtUDrrm1JSkm/xAa1IVtbdbTHJBwiJClUBqBylZW\naqXXf/rrF1nAOZ40RQRNnOJ5BB3Xgp9JbvCtaQOpK6NsT/1OCsrLqRXOETWgKVfk\n9LX5AoGAAuuOw6PNpKvef595GzTjsXuGDH7PtVkr4CP5j7qDCKh1t7rjk3RiHzTH\nsyXNZQIsRagE3lo32t5ORhW0X+2oGjAS/YkHKDo/ueGqEzBbWtVcDZKNoxfnjCZ6\ngBNUSqhYykBGDI0ST56CnG0ZJSxztncR39W2TrxpYju3qy1g3Ps=\n-----END RSA PRIVATE KEY-----\n"
}
}
]
} |
|
updated the spec to reflect the latest change in the archival format: ooni/spec@518c1d5 |
bassosimone
changed the title
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/spec/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#2688 - [x] related ooni/probe-cli pull request: ooni/probe-cli#1585 - [x] If I changed a spec, I also bumped its version number and/or date ## Description Add initial spec for the `openvpn` experiment. This proposal supersedes a previous version (#255). ICMP Pings and URLGrabber over the tunnel are not included, this experiment just does OpenVPN handshakes at the moment. --------- Co-authored-by: Simone Basso <bassosimone@gmail.com>
Description
First iteration of a new openvpn experiment. This takes a set of endpoints and uses minivpn to attempt a handshake with each of the configured endpoints.
A new API endpoint has been added to the backend that is able to distribute valid configuration parameters for an OpenVPN connection, including credentials.
Checklist