archives/snowflake
2
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git synced 2025-10-13 11:11:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove default relay pattern option from broker

Browse source 
This was only useful to us when we first implemented the feature, to be
able to support proxies that hadn't yet updated, when we had a single
Snowflake bridge. Now that we have multiple bridges, it is unecessary as
proxies that don't send their accepted relay pattern are rejected
anyway.
This commit is contained in:
Cecylia Bocovich 2025-03-18 13:25:00 -04:00
parent c0ac0186f1
commit dd5fb03c49
No known key found for this signature in database
GPG key ID: 009DE379FD9B7B90
3 changed files with 31 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

30
broker/broker.go
View file

@ -44,9 +44,8 @@ type BrokerContext struct {
proxyPolls chan *ProxyPoll proxyPolls chan *ProxyPoll
metrics *Metrics metrics *Metrics
bridgeList BridgeListHolderFileBased bridgeList BridgeListHolderFileBased
allowedRelayPattern string allowedRelayPattern string
presumedPatternForLegacyClient string
} }
func (ctx *BrokerContext) GetBridgeInfo(fingerprint bridgefingerprint.Fingerprint) (BridgeInfo, error) { func (ctx *BrokerContext) GetBridgeInfo(fingerprint bridgefingerprint.Fingerprint) (BridgeInfo, error) {
@ -55,8 +54,7 @@ func (ctx *BrokerContext) GetBridgeInfo(fingerprint bridgefingerprint.Fingerprin
func NewBrokerContext( func NewBrokerContext(
metricsLogger *log.Logger, metricsLogger *log.Logger,
allowedRelayPattern, allowedRelayPattern string,
presumedPatternForLegacyClient string,
) *BrokerContext { ) *BrokerContext {
snowflakes := new(SnowflakeHeap) snowflakes := new(SnowflakeHeap)
heap.Init(snowflakes) heap.Init(snowflakes)
@ -79,14 +77,13 @@ func NewBrokerContext(
bridgeListHolder.LoadBridgeInfo(bytes.NewReader([]byte(DefaultBridges))) bridgeListHolder.LoadBridgeInfo(bytes.NewReader([]byte(DefaultBridges)))
return &BrokerContext{ return &BrokerContext{
snowflakes: snowflakes, snowflakes: snowflakes,
restrictedSnowflakes: rSnowflakes, restrictedSnowflakes: rSnowflakes,
idToSnowflake: make(map[string]*Snowflake), idToSnowflake: make(map[string]*Snowflake),
proxyPolls: make(chan *ProxyPoll), proxyPolls: make(chan *ProxyPoll),
metrics: metrics, metrics: metrics,
bridgeList: bridgeListHolder, bridgeList: bridgeListHolder,
allowedRelayPattern: allowedRelayPattern, allowedRelayPattern: allowedRelayPattern,
presumedPatternForLegacyClient: presumedPatternForLegacyClient,
} }
} }
@ -176,7 +173,7 @@ func (ctx *BrokerContext) InstallBridgeListProfile(reader io.Reader) error {
func (ctx *BrokerContext) CheckProxyRelayPattern(pattern string, nonSupported bool) bool { func (ctx *BrokerContext) CheckProxyRelayPattern(pattern string, nonSupported bool) bool {
if nonSupported { if nonSupported {
pattern = ctx.presumedPatternForLegacyClient return false
} }
proxyPattern := namematcher.NewNameMatcher(pattern) proxyPattern := namematcher.NewNameMatcher(pattern)
brokerPattern := namematcher.NewNameMatcher(ctx.allowedRelayPattern) brokerPattern := namematcher.NewNameMatcher(ctx.allowedRelayPattern)
@ -197,7 +194,7 @@ func main() {
var addr string var addr string
var geoipDatabase string var geoipDatabase string
var geoip6Database string var geoip6Database string
var bridgeListFilePath, allowedRelayPattern, presumedPatternForLegacyClient string var bridgeListFilePath, allowedRelayPattern string
var brokerSQSQueueName, brokerSQSQueueRegion string var brokerSQSQueueName, brokerSQSQueueRegion string
var disableTLS bool var disableTLS bool
var certFilename, keyFilename string var certFilename, keyFilename string
@ -215,7 +212,6 @@ func main() {
flag.StringVar(&geoip6Database, "geoip6db", "/usr/share/tor/geoip6", "path to correctly formatted geoip database mapping IPv6 address ranges to country codes") flag.StringVar(&geoip6Database, "geoip6db", "/usr/share/tor/geoip6", "path to correctly formatted geoip database mapping IPv6 address ranges to country codes")
flag.StringVar(&bridgeListFilePath, "bridge-list-path", "", "file path for bridgeListFile") flag.StringVar(&bridgeListFilePath, "bridge-list-path", "", "file path for bridgeListFile")
flag.StringVar(&allowedRelayPattern, "allowed-relay-pattern", "", "allowed pattern for relay host name. The broker will reject proxies whose AcceptedRelayPattern is more restrictive than this") flag.StringVar(&allowedRelayPattern, "allowed-relay-pattern", "", "allowed pattern for relay host name. The broker will reject proxies whose AcceptedRelayPattern is more restrictive than this")
flag.StringVar(&presumedPatternForLegacyClient, "default-relay-pattern", "", "presumed pattern for legacy client")
flag.StringVar(&brokerSQSQueueName, "broker-sqs-name", "", "name of broker SQS queue to listen for incoming messages on") flag.StringVar(&brokerSQSQueueName, "broker-sqs-name", "", "name of broker SQS queue to listen for incoming messages on")
flag.StringVar(&brokerSQSQueueRegion, "broker-sqs-region", "", "name of AWS region of broker SQS queue") flag.StringVar(&brokerSQSQueueRegion, "broker-sqs-region", "", "name of AWS region of broker SQS queue")
flag.BoolVar(&disableTLS, "disable-tls", false, "don't use HTTPS") flag.BoolVar(&disableTLS, "disable-tls", false, "don't use HTTPS")
@ -248,7 +244,7 @@ func main() {
metricsLogger := log.New(metricsFile, "", 0) metricsLogger := log.New(metricsFile, "", 0)
ctx := NewBrokerContext(metricsLogger, allowedRelayPattern, presumedPatternForLegacyClient) ctx := NewBrokerContext(metricsLogger, allowedRelayPattern)
if bridgeListFilePath != "" { if bridgeListFilePath != "" {
bridgeListFile, err := os.Open(bridgeListFilePath) bridgeListFile, err := os.Open(bridgeListFilePath)

34
broker/snowflake-broker_test.go
View file

@ -89,7 +89,7 @@ func TestBroker(t *testing.T) {
Convey("Context", t, func() { Convey("Context", t, func() {
buf := new(bytes.Buffer) buf := new(bytes.Buffer)
ctx := NewBrokerContext(log.New(buf, "", 0), "", "") ctx := NewBrokerContext(log.New(buf, "", 0), "snowflake.torproject.net")
i := &IPC{ctx} i := &IPC{ctx}
Convey("Adds Snowflake", func() { Convey("Adds Snowflake", func() {
@ -407,7 +407,7 @@ client-sqs-ips
Convey("Responds to proxy polls...", func() { Convey("Responds to proxy polls...", func() {
done := make(chan bool) done := make(chan bool)
w := httptest.NewRecorder() w := httptest.NewRecorder()
data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`)) data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0", "AcceptedRelayPattern": "snowflake.torproject.net"}`))
r, err := http.NewRequest("POST", "snowflake.broker/proxy", data) r, err := http.NewRequest("POST", "snowflake.broker/proxy", data)
So(err, ShouldBeNil) So(err, ShouldBeNil)
@ -493,7 +493,7 @@ client-sqs-ips
}) })
Convey("End-To-End", t, func() { Convey("End-To-End", t, func() {
ctx := NewBrokerContext(NullLogger(), "", "") ctx := NewBrokerContext(NullLogger(), "snowflake.torproject.net")
i := &IPC{ctx} i := &IPC{ctx}
Convey("Check for client/proxy data race", func() { Convey("Check for client/proxy data race", func() {
@ -504,7 +504,7 @@ client-sqs-ips
// Make proxy poll // Make proxy poll
wp := httptest.NewRecorder() wp := httptest.NewRecorder()
datap := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`)) datap := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","AcceptedRelayPattern":"snowflake.torproject.net"}`))
rp, err := http.NewRequest("POST", "snowflake.broker/proxy", datap) rp, err := http.NewRequest("POST", "snowflake.broker/proxy", datap)
So(err, ShouldBeNil) So(err, ShouldBeNil)
@ -549,7 +549,7 @@ client-sqs-ips
polled := make(chan bool) polled := make(chan bool)
// Proxy polls with its ID first... // Proxy polls with its ID first...
dataP := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`)) dataP := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","AcceptedRelayPattern":"snowflake.torproject.net"}`))
wP := httptest.NewRecorder() wP := httptest.NewRecorder()
rP, err := http.NewRequest("POST", "snowflake.broker/proxy", dataP) rP, err := http.NewRequest("POST", "snowflake.broker/proxy", dataP)
So(err, ShouldBeNil) So(err, ShouldBeNil)
@ -646,7 +646,7 @@ func TestSnowflakeHeap(t *testing.T) {
func TestInvalidGeoipFile(t *testing.T) { func TestInvalidGeoipFile(t *testing.T) {
Convey("Geoip", t, func() { Convey("Geoip", t, func() {
// Make sure things behave properly if geoip file fails to load // Make sure things behave properly if geoip file fails to load
ctx := NewBrokerContext(NullLogger(), "", "") ctx := NewBrokerContext(NullLogger(), "")
if err := ctx.metrics.LoadGeoipDatabases("invalid_filename", "invalid_filename6"); err != nil { if err := ctx.metrics.LoadGeoipDatabases("invalid_filename", "invalid_filename6"); err != nil {
log.Printf("loading geo ip databases returned error: %v", err) log.Printf("loading geo ip databases returned error: %v", err)
} }
@ -660,7 +660,7 @@ func TestMetrics(t *testing.T) {
Convey("Test metrics...", t, func() { Convey("Test metrics...", t, func() {
done := make(chan bool) done := make(chan bool)
buf := new(bytes.Buffer) buf := new(bytes.Buffer)
ctx := NewBrokerContext(log.New(buf, "", 0), "", "") ctx := NewBrokerContext(log.New(buf, "", 0), "snowflake.torproject.net")
i := &IPC{ctx} i := &IPC{ctx}
err := ctx.metrics.LoadGeoipDatabases("test_geoip", "test_geoip6") err := ctx.metrics.LoadGeoipDatabases("test_geoip", "test_geoip6")
@ -669,7 +669,7 @@ func TestMetrics(t *testing.T) {
//Test addition of proxy polls //Test addition of proxy polls
Convey("for proxy polls", func() { Convey("for proxy polls", func() {
w := httptest.NewRecorder() w := httptest.NewRecorder()
data := bytes.NewReader([]byte("{\"Sid\":\"ymbcCMto7KHNGYlp\",\"Version\":\"1.0\"}")) data := bytes.NewReader([]byte("{\"Sid\":\"ymbcCMto7KHNGYlp\",\"Version\":\"1.0\",\"AcceptedRelayPattern\":\"snowflake.torproject.net\"}"))
r, err := http.NewRequest("POST", "snowflake.broker/proxy", data) r, err := http.NewRequest("POST", "snowflake.broker/proxy", data)
r.RemoteAddr = "129.97.208.23:8888" //CA geoip r.RemoteAddr = "129.97.208.23:8888" //CA geoip
So(err, ShouldBeNil) So(err, ShouldBeNil)
@ -682,7 +682,7 @@ func TestMetrics(t *testing.T) {
<-done <-done
w = httptest.NewRecorder() w = httptest.NewRecorder()
data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"standalone"}`)) data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"standalone","AcceptedRelayPattern":"snowflake.torproject.net"}`))
r, err = http.NewRequest("POST", "snowflake.broker/proxy", data) r, err = http.NewRequest("POST", "snowflake.broker/proxy", data)
r.RemoteAddr = "129.97.208.23:8888" //CA geoip r.RemoteAddr = "129.97.208.23:8888" //CA geoip
So(err, ShouldBeNil) So(err, ShouldBeNil)
@ -695,7 +695,7 @@ func TestMetrics(t *testing.T) {
<-done <-done
w = httptest.NewRecorder() w = httptest.NewRecorder()
data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"badge"}`)) data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"badge","AcceptedRelayPattern":"snowflake.torproject.net"}`))
r, err = http.NewRequest("POST", "snowflake.broker/proxy", data) r, err = http.NewRequest("POST", "snowflake.broker/proxy", data)
r.RemoteAddr = "129.97.208.23:8888" //CA geoip r.RemoteAddr = "129.97.208.23:8888" //CA geoip
So(err, ShouldBeNil) So(err, ShouldBeNil)
@ -708,7 +708,7 @@ func TestMetrics(t *testing.T) {
<-done <-done
w = httptest.NewRecorder() w = httptest.NewRecorder()
data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"webext"}`)) data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","Type":"webext","AcceptedRelayPattern":"snowflake.torproject.net"}`))
r, err = http.NewRequest("POST", "snowflake.broker/proxy", data) r, err = http.NewRequest("POST", "snowflake.broker/proxy", data)
r.RemoteAddr = "129.97.208.23:8888" //CA geoip r.RemoteAddr = "129.97.208.23:8888" //CA geoip
So(err, ShouldBeNil) So(err, ShouldBeNil)
@ -728,8 +728,8 @@ func TestMetrics(t *testing.T) {
So(metricsStr, ShouldContainSubstring, "\nsnowflake-ips-webext 1\n") So(metricsStr, ShouldContainSubstring, "\nsnowflake-ips-webext 1\n")
So(metricsStr, ShouldEndWith, `snowflake-ips-total 4 So(metricsStr, ShouldEndWith, `snowflake-ips-total 4
snowflake-idle-count 8 snowflake-idle-count 8
snowflake-proxy-poll-with-relay-url-count 0 snowflake-proxy-poll-with-relay-url-count 8
snowflake-proxy-poll-without-relay-url-count 8 snowflake-proxy-poll-without-relay-url-count 0
snowflake-proxy-rejected-for-relay-url-count 0 snowflake-proxy-rejected-for-relay-url-count 0
client-denied-count 0 client-denied-count 0
client-restricted-denied-count 0 client-restricted-denied-count 0
@ -899,7 +899,7 @@ snowflake-ips-nat-unknown 0
//Test unique ip //Test unique ip
Convey("proxy counts by unique ip", func() { Convey("proxy counts by unique ip", func() {
w := httptest.NewRecorder() w := httptest.NewRecorder()
data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`)) data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","AcceptedRelayPattern":"snowflake.torproject.net"}`))
r, err := http.NewRequest("POST", "snowflake.broker/proxy", data) r, err := http.NewRequest("POST", "snowflake.broker/proxy", data)
r.RemoteAddr = "129.97.208.23:8888" //CA geoip r.RemoteAddr = "129.97.208.23:8888" //CA geoip
So(err, ShouldBeNil) So(err, ShouldBeNil)
@ -911,7 +911,7 @@ snowflake-ips-nat-unknown 0
p.offerChannel <- nil p.offerChannel <- nil
<-done <-done
data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0"}`)) data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.0","AcceptedRelayPattern":"snowflake.torproject.net"}`))
r, err = http.NewRequest("POST", "snowflake.broker/proxy", data) r, err = http.NewRequest("POST", "snowflake.broker/proxy", data)
if err != nil { if err != nil {
log.Printf("unable to get NewRequest with error: %v", err) log.Printf("unable to get NewRequest with error: %v", err)
@ -933,7 +933,7 @@ snowflake-ips-nat-unknown 0
//Test NAT types //Test NAT types
Convey("proxy counts by NAT type", func() { Convey("proxy counts by NAT type", func() {
w := httptest.NewRecorder() w := httptest.NewRecorder()
data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.2","Type":"unknown","NAT":"restricted"}`)) data := bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.2","Type":"unknown","NAT":"restricted","AcceptedRelayPattern":"snowflake.torproject.net"}`))
r, err := http.NewRequest("POST", "snowflake.broker/proxy", data) r, err := http.NewRequest("POST", "snowflake.broker/proxy", data)
r.RemoteAddr = "129.97.208.23:8888" //CA geoip r.RemoteAddr = "129.97.208.23:8888" //CA geoip
So(err, ShouldBeNil) So(err, ShouldBeNil)
@ -948,7 +948,7 @@ snowflake-ips-nat-unknown 0
ctx.metrics.printMetrics() ctx.metrics.printMetrics()
So(buf.String(), ShouldContainSubstring, "snowflake-ips-nat-restricted 1\nsnowflake-ips-nat-unrestricted 0\nsnowflake-ips-nat-unknown 0") So(buf.String(), ShouldContainSubstring, "snowflake-ips-nat-restricted 1\nsnowflake-ips-nat-unrestricted 0\nsnowflake-ips-nat-unknown 0")
data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.2","Type":"unknown","NAT":"unrestricted"}`)) data = bytes.NewReader([]byte(`{"Sid":"ymbcCMto7KHNGYlp","Version":"1.2","Type":"unknown","NAT":"unrestricted","AcceptedRelayPattern":"snowflake.torproject.net"}`))
r, err = http.NewRequest("POST", "snowflake.broker/proxy", data) r, err = http.NewRequest("POST", "snowflake.broker/proxy", data)
if err != nil { if err != nil {
log.Printf("unable to get NewRequest with error: %v", err) log.Printf("unable to get NewRequest with error: %v", err)

2
broker/sqs_test.go
View file

@ -23,7 +23,7 @@ func TestSQS(t *testing.T) {
Convey("Context", t, func() { Convey("Context", t, func() {
buf := new(bytes.Buffer) buf := new(bytes.Buffer)
ipcCtx := NewBrokerContext(log.New(buf, "", 0), "", "") ipcCtx := NewBrokerContext(log.New(buf, "", 0), "")
i := &IPC{ipcCtx} i := &IPC{ipcCtx}
Convey("Responds to SQS client offers...", func() { Convey("Responds to SQS client offers...", func() {