Merge branch 'keymgr-integration-test' into 'main'

CI: Add client auth integration test.

Closes #954

See merge request tpo/core/arti!1399

.gitlab-ci.yml

@@ -166,7 +166,7 @@ rust-nightly:
     - cargo test --verbose --target x86_64-unknown-linux-gnu --all-features
     - rustup component add clippy
     # We check these extra warnings on CI only, since we don't want to forbid them while developing.
-    
+
     # The --cfg allows us to write #![cfg_attr(ci_arti_nightly, allow(clippy::needless_borrow))]
     # and similar, for when nightly clippy has false positives.  (There is no builtin
     # cfg flag for nightly, and a cargo "feature" would be bad with --all-features.)

crates/arti-client/src/client.rs

@@ -1021,10 +1021,12 @@ impl<R: Runtime> TorClient<R> {
 
                 let mut hs_client_secret_keys_builder = HsClientSecretKeysBuilder::default();
                 if let Some(ks_hsc_desc_enc) = ks_hsc_desc_enc {
+                    debug!("Found descriptor decryption key for {hsid}");
                     hs_client_secret_keys_builder.ks_hsc_desc_enc(ks_hsc_desc_enc);
                 }
 
                 if let Some(ks_hsc_intro_auth) = ks_hsc_intro_auth {
+                    debug!("Found INTRODUCE1 signing key for {hsid}");
                     hs_client_secret_keys_builder.ks_hsc_intro_auth(ks_hsc_intro_auth);
                 }
 

tests/shadow/conf/arti.common.toml

@@ -23,3 +23,7 @@ log_sensitive_information = true
 # When TestingTorNetwork is enabled, tor uses a hard-coded value
 # of 120 here; match it.
 hsdir_interval = 120
+
+# Configure the keystore dir
+[storage]
+keystore_dir = "./keystore"

tests/shadow/conf/tgen.toronionclient-auth.graphml.xml

@@ -0,0 +1,29 @@
+<graphml xmlns="http://graphml.graphdrawing.org/xmlns" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://graphml.graphdrawing.org/xmlns http://graphml.graphdrawing.org/xmlns/1.0/graphml.xsd">
+  <key attr.name="socksproxy" attr.type="string" for="node" id="d7" />
+  <key attr.name="peers" attr.type="string" for="node" id="d5" />
+  <key attr.name="sendsize" attr.type="string" for="node" id="d3" />
+  <key attr.name="recvsize" attr.type="string" for="node" id="d2" />
+  <key attr.name="count" attr.type="string" for="node" id="d1" />
+  <key attr.name="time" attr.type="string" for="node" id="d0" />
+  <graph edgedefault="directed">
+    <node id="start">
+      <data key="d5">yr4tcjsgag3l7ar4kt5j2gav22nfs5uaktys5yy2yuuisjreu7ty6aad.onion:80</data>
+      <data key="d7">localhost:9000</data>
+    </node>
+    <node id="stream">
+      <data key="d2">1 MiB</data>
+      <data key="d3">1 KiB</data>
+    </node>
+    <node id="pause">
+      <data key="d0">1,2,3,4,5,6,7,8,9,10</data>
+    </node>
+    <node id="end">
+      <data key="d1">10</data>
+      <data key="d0">3600</data>
+    </node>
+    <edge source="start" target="stream" />
+    <edge source="stream" target="end" />
+    <edge source="end" target="pause" />
+    <edge source="pause" target="start" />
+  </graph>
+</graphml>

tests/shadow/run.sh

@@ -11,6 +11,7 @@ export RUST_BACKTRACE=1
 # TODO: isn't there a way to set the permissions in the git repo? Tried `git
 # update-index --chmod`, but it refuses to set permissions on a directory.
 chmod 700 shadow.data.template/hosts/fileserver-onion/hs
+chmod 700 shadow.data.template/hosts/fileserver-onion-auth/hs
 
 # Run the simulation
 shadow \
@@ -25,7 +26,7 @@ shadow \
   > shadow.log
 
 # Check whether file transfers via arti inside the simulation succeeded
-for HOST in articlient articlient-bridge articlient-onion; do
+for HOST in articlient articlient-bridge; do
   successes="$(grep -c stream-success shadow.data/hosts/$HOST/tgen.*.stdout || true)"
   if [ "$successes" = 10 ]
   then
@@ -36,6 +37,22 @@ for HOST in articlient articlient-bridge articlient-onion; do
   fi
 done
 
+for HOST in articlient-onion articlient-onion-auth; do
+  successes="$(grep -c stream-success shadow.data/hosts/$HOST/tgen.*.stdout || true)"
+  # NOTE: For the HS client tests we only require half of the streams to succeed
+  # to work around the issue described in https://github.com/shadow/shadow/issues/2544
+  # and arti!1399.
+  #
+  # See also: https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/1399#note_2921505
+  if [ "$successes" -ge 5 ]
+  then
+    echo "Simulation successful"
+  else
+    echo "Failed. Only got $successes successful streams."
+    exit 1
+  fi
+done
+
 pushd shadow.data/hosts/articlient-bridge/
 for PCAP in *.pcap; do
 	# verify all connection are either from/to the bridge, or local.

tests/shadow/shadow.data.template/hosts/articlient-onion-auth/arti.d/arti.common.toml

@@ -0,0 +1 @@
+../../../../conf/arti.common.toml

tests/shadow/shadow.data.template/hosts/articlient-onion-auth/arti.d/arti.onion.toml

@@ -0,0 +1 @@
+../../../../conf/arti.onion.toml

tests/shadow/shadow.data.template/hosts/articlient-onion-auth/keystore/client/default/yr4tcjsgag3l7ar4kt5j2gav22nfs5uaktys5yy2yuuisjreu7ty6aad.onion/KP_hsc_desc_enc.x25519_private

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACD4Tjq19rMz8G49hAAqsAP4MjQUwvU1mYPWxsmVLigDAgAAAJBopPdlaKT3
+ZQAAAAtzc2gtZWQyNTUxOQAAACD4Tjq19rMz8G49hAAqsAP4MjQUwvU1mYPWxsmVLigDAg
+AAAEAIsbCNVF+6EdbfJtuw5ehopIUpQtKCQzCDpoaTp9Hfq/hOOrX2szPwbj2EACqwA/gy
+NBTC9TWZg9bGyZUuKAMCAAAACHRlc3Qta2V5AQIDBAU=
+-----END OPENSSH PRIVATE KEY-----

tests/shadow/shadow.data.template/hosts/fileserver-onion-auth/hs/authorized_clients/default.auth

@@ -0,0 +1,2 @@
+descriptor:x25519:IOKTNZA7YBQYJSTZR4V7NSPIPVAGWO3QGTRCJKOVKCMYFTXDQJIA
+

tests/shadow/shadow.data.template/hosts/fileserver-onion-auth/hs/hostname

@@ -0,0 +1 @@
+yr4tcjsgag3l7ar4kt5j2gav22nfs5uaktys5yy2yuuisjreu7ty6aad.onion

tests/shadow/shadow.data.template/hosts/fileserver-onion-auth/torrc-defaults

@@ -0,0 +1,3 @@
+%include ../../../conf/tor.common.torrc
+%include ../../../conf/tor.client.torrc
+%include ../../../conf/tor.onionserver.torrc

tests/shadow/shadow.yaml

@@ -43,6 +43,20 @@ hosts:
             --defaults-torrc torrc-defaults -f torrc
       start_time: 900
       expected_final_state: running
+  fileserver-onion-auth:
+    network_node_id: 0
+    processes:
+    - path: tgen
+      # See https://shadow.github.io/docs/guide/compatibility_notes.html#libopenblas
+      environment: { OPENBLAS_NUM_THREADS: "1" }
+      args: ../../../conf/tgen.onionserver.graphml.xml
+      start_time: 1
+      expected_final_state: running
+    - path: tor
+      args: --Address fileserver-onion-auth --Nickname fileserveronionauth
+            --defaults-torrc torrc-defaults -f torrc
+      start_time: 900
+      expected_final_state: running
   4uthority:
     network_node_id: 0
     ip_addr: 100.0.0.1
@@ -160,4 +174,20 @@ hosts:
       environment: { OPENBLAS_NUM_THREADS: "1" }
       args: ../../../conf/tgen.toronionclient.graphml.xml
       start_time: 1500
+  articlient-onion-auth:
+    network_node_id: 0
+    processes:
+    # Use the version of arti built with keymgr and experimental-api support:
+    - path: ../../target/x86_64-unknown-linux-gnu/debug/arti-extra
+      args: proxy -c ./arti.d/arti.common.toml -c ./arti.d/arti.onion.toml -o proxy.socks_port=9000 --disable-fs-permission-checks -l debug,tor_proto=trace
+      environment:
+        RUST_BACKTRACE: "1"
+        HOME: ./home
+      start_time: 15m
+      expected_final_state: running
+    - path: tgen
+      # See https://shadow.github.io/docs/guide/compatibility_notes.html#libopenblas
+      environment: { OPENBLAS_NUM_THREADS: "1" }
+      args: ../../../conf/tgen.toronionclient-auth.graphml.xml
+      start_time: 1500