From dd5fb03c496e6199b20cbefd6419d7d9c6992eb5 Mon Sep 17 00:00:00 2001 From: Cecylia Bocovich Date: Tue, 18 Mar 2025 13:25:00 -0400 Subject: [PATCH] Remove default relay pattern option from broker This was only useful to us when we first implemented the feature, to be able to support proxies that hadn't yet updated, when we had a single Snowflake bridge. Now that we have multiple bridges, it is unecessary as proxies that don't send their accepted relay pattern are rejected anyway. --- broker/broker.go | 30 +++++++++++++---------------- broker/snowflake-broker_test.go | 34 ++++++++++++++++----------------- broker/sqs_test.go | 2 +- 3 files changed, 31 insertions(+), 35 deletions(-) diff --git a/broker/broker.go b/broker/broker.go index a1252b7..8351d8f 100644 --- a/broker/broker.go +++ b/broker/broker.go @@ -44,9 +44,8 @@ type BrokerContext struct { proxyPolls chan *ProxyPoll metrics *Metrics - bridgeList BridgeListHolderFileBased - allowedRelayPattern string - presumedPatternForLegacyClient string + bridgeList BridgeListHolderFileBased + allowedRelayPattern string } func (ctx *BrokerContext) GetBridgeInfo(fingerprint bridgefingerprint.Fingerprint) (BridgeInfo, error) { @@ -55,8 +54,7 @@ func (ctx *BrokerContext) GetBridgeInfo(fingerprint bridgefingerprint.Fingerprin func NewBrokerContext( metricsLogger *log.Logger, - allowedRelayPattern, - presumedPatternForLegacyClient string, + allowedRelayPattern string, ) *BrokerContext { snowflakes := new(SnowflakeHeap) heap.Init(snowflakes) 
@@ -79,14 +77,13 @@ func NewBrokerContext( bridgeListHolder.LoadBridgeInfo(bytes.NewReader([]byte(DefaultBridges))) return &BrokerContext{ - snowflakes: snowflakes, - restrictedSnowflakes: rSnowflakes, - idToSnowflake: make(map[string]*Snowflake), - proxyPolls: make(chan *ProxyPoll), - metrics: metrics, - bridgeList: bridgeListHolder, - allowedRelayPattern: allowedRelayPattern, - presumedPatternForLegacyClient: presumedPatternForLegacyClient, + snowflakes: snowflakes, + restrictedSnowflakes: rSnowflakes, + idToSnowflake: make(map[string]*Snowflake), + proxyPolls: make(chan *ProxyPoll), + metrics: metrics, + bridgeList: bridgeListHolder, + allowedRelayPattern: allowedRelayPattern, } } @@ -176,7 +173,7 @@ func (ctx *BrokerContext) InstallBridgeListProfile(reader io.Reader) error { func (ctx *BrokerContext) CheckProxyRelayPattern(pattern string, nonSupported bool) bool { if nonSupported { - pattern = ctx.presumedPatternForLegacyClient + return false } proxyPattern := namematcher.NewNameMatcher(pattern) brokerPattern := namematcher.NewNameMatcher(ctx.allowedRelayPattern) @@ -197,7 +194,7 @@ func main() { var addr string var geoipDatabase string var geoip6Database string - var bridgeListFilePath, allowedRelayPattern, presumedPatternForLegacyClient string + var bridgeListFilePath, allowedRelayPattern string var brokerSQSQueueName, brokerSQSQueueRegion string var disableTLS bool var certFilename, keyFilename string 
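Review bot: CheckProxyRelayPattern has no doc comment, and the new `if nonSupported { return false }` is now the only place that records the policy that a proxy sending no accepted relay pattern is refused. A comment above that early return would make the fail-closed behaviour explicit, for example `// A proxy that did not send AcceptedRelayPattern (nonSupported) is rejected outright; no default pattern is presumed.` The `pattern` argument is ignored on that path, which is worth a word in the same comment. The rest of the function body lies outside the hunk, so how an empty `allowedRelayPattern` is treated by the matcher cannot be judged from here.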
@@ -215,7 +212,6 @@ func main() { flag.StringVar(&geoip6Database, "geoip6db", "/usr/share/tor/geoip6", "path to correctly formatted geoip database mapping IPv6 address ranges to country codes") flag.StringVar(&bridgeListFilePath, "bridge-list-path", "", "file path for bridgeListFile") flag.StringVar(&allowedRelayPattern, "allowed-relay-pattern", "", "allowed pattern for relay host name. The broker will reject proxies whose AcceptedRelayPattern is more restrictive than this") - flag.StringVar(&presumedPatternForLegacyClient, "default-relay-pattern", "", "presumed pattern for legacy client") flag.StringVar(&brokerSQSQueueName, "broker-sqs-name", "", "name of broker SQS queue to listen for incoming messages on") flag.StringVar(&brokerSQSQueueRegion, "broker-sqs-region", "", "name of AWS region of broker SQS queue") flag.BoolVar(&disableTLS, "disable-tls", false, "don't use HTTPS") @@ -248,7 +244,7 @@ func main() { metricsLogger := log.New(metricsFile, "", 0) - ctx := NewBrokerContext(metricsLogger, allowedRelayPattern, presumedPatternForLegacyClient) + ctx := NewBrokerContext(metricsLogger, allowedRelayPattern) if bridgeListFilePath != "" { bridgeListFile, err := os.Open(bridgeListFilePath) diff --git a/broker/snowflake-broker_test.go b/broker/snowflake-broker_test.go index 2f6f9e1..ddfa551 100644 --- a/broker/snowflake-broker_test.go +++ b/broker/snowflake-broker_test.go @@ -89,7 +89,7 @@ func TestBroker(t *testing.T) { Convey("Context", t, func() { buf := new(bytes.Buffer) - ctx := NewBrokerContext(log.New(buf, "", 0), "", "") + ctx := NewBrokerContext(log.New(buf, "", 0), "snowflake.torproject.net") i := &IPC{ctx} Convey("Adds Snowflake", func() { 
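Review bot: Dropping the `default-relay-pattern` flag definition means a broker still started with that option will presumably fail at flag parsing, since Go's flag package treats an undefined flag as an error; the parse call itself is outside this hunk. If existing deployments or service files pass it, either mention the removal in the changelog or keep it for one release as an ignored option, e.g. `flag.String("default-relay-pattern", "", "deprecated: ignored, proxies without a relay pattern are rejected")`. The usage text of `allowed-relay-pattern` could also say that proxies sending no pattern are now rejected.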
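Review bot: The literal `snowflake.torproject.net` is written once in this `NewBrokerContext` call in TestBroker and again inside every proxy-poll JSON body in the later hunks of broker/snowflake-broker_test.go, so the two can drift apart silently. A file-level test constant such as `const testRelayPattern = "snowflake.torproject.net"` used for the context would keep the allowed pattern in one place, and the poll bodies could be built from it too. TestInvalidGeoipFile and the TestSQS hunk in broker/sqs_test.go still pass `""`, which looks intentional because no proxy poll appears in their visible lines, but a short comment there would say so.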
@@ -407,7 +407,7 @@ client-sqs-ips Convey("Responds to proxy polls...", func() { done := make(chan bool) w := httptest.NewRecorder() - data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`)) + data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0", "AcceptedRelayPattern": "snowflake.torproject.net"}`)) r, err := http.NewRequest("POST", "snowflake.broker/proxy", data) So(err, ShouldBeNil) @@ -493,7 +493,7 @@ client-sqs-ips }) Convey("End-To-End", t, func() { - ctx := NewBrokerContext(NullLogger(), "", "") + ctx := NewBrokerContext(NullLogger(), "snowflake.torproject.net") i := &IPC{ctx} Convey("Check for client/proxy data race", func() { @@ -504,7 +504,7 @@ client-sqs-ips // Make proxy poll wp := httptest.NewRecorder() - datap := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`)) + datap := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","AcceptedRelayPattern":"snowflake.torproject.net"}`)) rp, err := http.NewRequest("POST", "snowflake.broker/proxy", datap) So(err, ShouldBeNil) @@ -549,7 +549,7 @@ client-sqs-ips polled := make(chan bool) // Proxy polls with its ID first... - dataP := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`)) + dataP := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","AcceptedRelayPattern":"snowflake.torproject.net"}`)) wP := httptest.NewRecorder() rP, err := http.NewRequest("POST", "snowflake.broker/proxy", dataP) So(err, ShouldBeNil) @@ -646,7 +646,7 @@ func TestSnowflakeHeap(t *testing.T) { func TestInvalidGeoipFile(t *testing.T) { Convey("Geoip", t, func() { // Make sure things behave properly if geoip file fails to load - ctx := NewBrokerContext(NullLogger(), "", "") + ctx := NewBrokerContext(NullLogger(), "") if err := ctx.metrics.LoadGeoipDatabases("invalid_filename", "invalid_filename6"); err != nil { log.Printf("loading geo ip databases returned error: %v", err) } 
@@ -660,7 +660,7 @@ func TestMetrics(t *testing.T) { Convey("Test metrics...", t, func() { done := make(chan bool) buf := new(bytes.Buffer) - ctx := NewBrokerContext(log.New(buf, "", 0), "", "") + ctx := NewBrokerContext(log.New(buf, "", 0), "snowflake.torproject.net") i := &IPC{ctx} err := ctx.metrics.LoadGeoipDatabases("test_geoip", "test_geoip6") @@ -669,7 +669,7 @@ func TestMetrics(t *testing.T) { //Test addition of proxy polls Convey("for proxy polls", func() { w := httptest.NewRecorder() - data := bytes.NewReader([]byte("{\"Sid\":\"ymbcCMto7KHNGYlp\",\"Version\":\"1.0\"}")) + data := bytes.NewReader([]byte("{\"Sid\":\"ymbcCMto7KHNGYlp\",\"Version\":\"1.0\",\"AcceptedRelayPattern\":\"snowflake.torproject.net\"}")) r, err := http.NewRequest("POST", "snowflake.broker/proxy", data) r.RemoteAddr = "129.97.208.23:8888" //CA geoip So(err, ShouldBeNil) @@ -682,7 +682,7 @@ func TestMetrics(t *testing.T) { <-done w = httptest.NewRecorder() - data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"standalone"}`)) + data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"standalone","AcceptedRelayPattern":"snowflake.torproject.net"}`)) r, err = http.NewRequest("POST", "snowflake.broker/proxy", data) r.RemoteAddr = "129.97.208.23:8888" //CA geoip So(err, ShouldBeNil) @@ -695,7 +695,7 @@ func TestMetrics(t *testing.T) { <-done w = httptest.NewRecorder() - data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"badge"}`)) + data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"badge","AcceptedRelayPattern":"snowflake.torproject.net"}`)) r, err = http.NewRequest("POST", "snowflake.broker/proxy", data) r.RemoteAddr = "129.97.208.23:8888" //CA geoip So(err, ShouldBeNil) 
@@ -708,7 +708,7 @@ func TestMetrics(t *testing.T) { <-done w = httptest.NewRecorder() - data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"webext"}`)) + data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"webext","AcceptedRelayPattern":"snowflake.torproject.net"}`)) r, err = http.NewRequest("POST", "snowflake.broker/proxy", data) r.RemoteAddr = "129.97.208.23:8888" //CA geoip So(err, ShouldBeNil) @@ -728,8 +728,8 @@ func TestMetrics(t *testing.T) { So(metricsStr, ShouldContainSubstring, "\nsnowflake-ips-webext 1\n") So(metricsStr, ShouldEndWith, `snowflake-ips-total 4 snowflake-idle-count 8 -snowflake-proxy-poll-with-relay-url-count 0 -snowflake-proxy-poll-without-relay-url-count 8 +snowflake-proxy-poll-with-relay-url-count 8 +snowflake-proxy-poll-without-relay-url-count 0 snowflake-proxy-rejected-for-relay-url-count 0 client-denied-count 0 client-restricted-denied-count 0 @@ -899,7 +899,7 @@ snowflake-ips-nat-unknown 0 //Test unique ip Convey("proxy counts by unique ip", func() { w := httptest.NewRecorder() - data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`)) + data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","AcceptedRelayPattern":"snowflake.torproject.net"}`)) r, err := http.NewRequest("POST", "snowflake.broker/proxy", data) r.RemoteAddr = "129.97.208.23:8888" //CA geoip So(err, ShouldBeNil) @@ -911,7 +911,7 @@ snowflake-ips-nat-unknown 0 p.offerChannel <- nil <-done - data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`)) + data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","AcceptedRelayPattern":"snowflake.torproject.net"}`)) r, err = http.NewRequest("POST", "snowflake.broker/proxy", data) if err != nil { log.Printf("unable to get NewRequest with error: %v", err) 
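Review bot: With every poll body in this file now carrying `AcceptedRelayPattern`, no visible test sends a poll without it, so the new rejection path in CheckProxyRelayPattern and the `snowflake-proxy-poll-without-relay-url-count` line (now expected to be 0 in the TestMetrics output) are not exercised. A Convey case that posts `{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}` and asserts both the response the proxy receives and which counter moves would pin the fail-closed behaviour. Whether such a poll should count as without-relay-url, rejected-for-relay-url, or both is not visible here and is worth stating in the test.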
@@ -933,7 +933,7 @@ snowflake-ips-nat-unknown 0 //Test NAT types Convey("proxy counts by NAT type", func() { w := httptest.NewRecorder() - data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.2","Type":"unknown","NAT":"restricted"}`)) + data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.2","Type":"unknown","NAT":"restricted","AcceptedRelayPattern":"snowflake.torproject.net"}`)) r, err := http.NewRequest("POST", "snowflake.broker/proxy", data) r.RemoteAddr = "129.97.208.23:8888" //CA geoip So(err, ShouldBeNil) @@ -948,7 +948,7 @@ snowflake-ips-nat-unknown 0 ctx.metrics.printMetrics() So(buf.String(), ShouldContainSubstring, "snowflake-ips-nat-restricted 1\nsnowflake-ips-nat-unrestricted 0\nsnowflake-ips-nat-unknown 0") - data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.2","Type":"unknown","NAT":"unrestricted"}`)) + data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.2","Type":"unknown","NAT":"unrestricted","AcceptedRelayPattern":"snowflake.torproject.net"}`)) r, err = http.NewRequest("POST", "snowflake.broker/proxy", data) if err != nil { log.Printf("unable to get NewRequest with error: %v", err) diff --git a/broker/sqs_test.go b/broker/sqs_test.go index 708e3ef..59fe701 100644 --- a/broker/sqs_test.go +++ b/broker/sqs_test.go @@ -23,7 +23,7 @@ func TestSQS(t *testing.T) { Convey("Context", t, func() { buf := new(bytes.Buffer) - ipcCtx := NewBrokerContext(log.New(buf, "", 0), "", "") + ipcCtx := NewBrokerContext(log.New(buf, "", 0), "") i := &IPC{ipcCtx} Convey("Responds to SQS client offers...", func() {