Merge branch 'keymgr-integration-test' into 'main'
CI: Add client auth integration test. Closes #954 See merge request tpo/core/arti!1399
commit
42115116e4
|
@ -166,7 +166,7 @@ rust-nightly:
|
|||
- cargo test --verbose --target x86_64-unknown-linux-gnu --all-features
|
||||
- rustup component add clippy
|
||||
# We check these extra warnings on CI only, since we don't want to forbid them while developing.
|
||||
|
||||
|
||||
# The --cfg allows us to write #![cfg_attr(ci_arti_nightly, allow(clippy::needless_borrow))]
|
||||
# and similar, for when nightly clippy has false positives. (There is no builtin
|
||||
# cfg flag for nightly, and a cargo "feature" would be bad with --all-features.)
|
||||
|
|
|
@ -1021,10 +1021,12 @@ impl<R: Runtime> TorClient<R> {
|
|||
|
||||
let mut hs_client_secret_keys_builder = HsClientSecretKeysBuilder::default();
|
||||
if let Some(ks_hsc_desc_enc) = ks_hsc_desc_enc {
|
||||
debug!("Found descriptor decryption key for {hsid}");
|
||||
hs_client_secret_keys_builder.ks_hsc_desc_enc(ks_hsc_desc_enc);
|
||||
}
|
||||
|
||||
if let Some(ks_hsc_intro_auth) = ks_hsc_intro_auth {
|
||||
debug!("Found INTRODUCE1 signing key for {hsid}");
|
||||
hs_client_secret_keys_builder.ks_hsc_intro_auth(ks_hsc_intro_auth);
|
||||
}
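Review bot: The two `debug!` calls (apparently the lines this hunk adds) interpolate `{hsid}` directly, so the log records which onion service this client holds client-authorization keys for. `HsId`'s `Display` impl is not visible here; if it prints the full address, the value should go through the project's redaction wrapper, e.g. `debug!("Found descriptor decryption key for {}", sensitive(hsid));`, assuming a safelog-style `sensitive` helper is in scope in this file. The same applies to the `INTRODUCE1 signing key` message. The enclosing function starts and ends outside the hunk.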
|
||||
|
||||
|
|
|
@ -23,3 +23,7 @@ log_sensitive_information = true
|
|||
# When TestingTorNetwork is enabled, tor uses a hard-coded value
|
||||
# of 120 here; match it.
|
||||
hsdir_interval = 120
|
||||
|
||||
# Configure the keystore dir
|
||||
[storage]
|
||||
keystore_dir = "./keystore"
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
<graphml xmlns="http://graphml.graphdrawing.org/xmlns" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://graphml.graphdrawing.org/xmlns http://graphml.graphdrawing.org/xmlns/1.0/graphml.xsd">
|
||||
<key attr.name="socksproxy" attr.type="string" for="node" id="d7" />
|
||||
<key attr.name="peers" attr.type="string" for="node" id="d5" />
|
||||
<key attr.name="sendsize" attr.type="string" for="node" id="d3" />
|
||||
<key attr.name="recvsize" attr.type="string" for="node" id="d2" />
|
||||
<key attr.name="count" attr.type="string" for="node" id="d1" />
|
||||
<key attr.name="time" attr.type="string" for="node" id="d0" />
|
||||
<graph edgedefault="directed">
|
||||
<node id="start">
|
||||
<data key="d5">yr4tcjsgag3l7ar4kt5j2gav22nfs5uaktys5yy2yuuisjreu7ty6aad.onion:80</data>
|
||||
<data key="d7">localhost:9000</data>
|
||||
</node>
|
||||
<node id="stream">
|
||||
<data key="d2">1 MiB</data>
|
||||
<data key="d3">1 KiB</data>
|
||||
</node>
|
||||
<node id="pause">
|
||||
<data key="d0">1,2,3,4,5,6,7,8,9,10</data>
|
||||
</node>
|
||||
<node id="end">
|
||||
<data key="d1">10</data>
|
||||
<data key="d0">3600</data>
|
||||
</node>
|
||||
<edge source="start" target="stream" />
|
||||
<edge source="stream" target="end" />
|
||||
<edge source="end" target="pause" />
|
||||
<edge source="pause" target="start" />
|
||||
</graph>
|
||||
</graphml>
|
|
@ -11,6 +11,7 @@ export RUST_BACKTRACE=1
|
|||
# TODO: isn't there a way to set the permissions in the git repo? Tried `git
|
||||
# update-index --chmod`, but it refuses to set permissions on a directory.
|
||||
chmod 700 shadow.data.template/hosts/fileserver-onion/hs
|
||||
chmod 700 shadow.data.template/hosts/fileserver-onion-auth/hs
|
||||
|
||||
# Run the simulation
|
||||
shadow \
|
||||
|
@ -25,7 +26,7 @@ shadow \
|
|||
> shadow.log
|
||||
|
||||
# Check whether file transfers via arti inside the simulation succeeded
|
||||
for HOST in articlient articlient-bridge articlient-onion; do
|
||||
for HOST in articlient articlient-bridge; do
|
||||
successes="$(grep -c stream-success shadow.data/hosts/$HOST/tgen.*.stdout || true)"
|
||||
if [ "$successes" = 10 ]
|
||||
then
|
||||
|
@ -36,6 +37,22 @@ for HOST in articlient articlient-bridge articlient-onion; do
|
|||
fi
|
||||
done
|
||||
|
||||
for HOST in articlient-onion articlient-onion-auth; do
|
||||
successes="$(grep -c stream-success shadow.data/hosts/$HOST/tgen.*.stdout || true)"
|
||||
# NOTE: For the HS client tests we only require half of the streams to succeed
|
||||
# to work around the issue described in https://github.com/shadow/shadow/issues/2544
|
||||
# and arti!1399.
|
||||
#
|
||||
# See also: https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/1399#note_2921505
|
||||
if [ "$successes" -ge 5 ]
|
||||
then
|
||||
echo "Simulation successful"
|
||||
else
|
||||
echo "Failed. Only got $successes successful streams."
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
pushd shadow.data/hosts/articlient-bridge/
|
||||
for PCAP in *.pcap; do
|
||||
# verify all connection are either from/to the bridge, or local.
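Review bot: The new loop over `articlient-onion articlient-onion-auth` only checks that the client holding the key gets streams through. Nothing visible in this script checks that a client without the key is refused by `fileserver-onion-auth`, so the test would still pass if the service came up without enforcing client authorization. Consider adding a host that targets the auth service with no keystore entry and asserting `[ "$successes" = 0 ]` for it. Separately, `$HOST` is unquoted in the `grep -c` path, and if more than one `tgen.*.stdout` file matches, `grep -c` prints one `file:count` line per file and the `-ge` comparison errors out; a comment stating that exactly one file is expected would help.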
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
../../../../conf/arti.common.toml
|
|
@ -0,0 +1 @@
|
|||
../../../../conf/arti.onion.toml
|
|
@ -0,0 +1,7 @@
|
|||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
||||
QyNTUxOQAAACD4Tjq19rMz8G49hAAqsAP4MjQUwvU1mYPWxsmVLigDAgAAAJBopPdlaKT3
|
||||
ZQAAAAtzc2gtZWQyNTUxOQAAACD4Tjq19rMz8G49hAAqsAP4MjQUwvU1mYPWxsmVLigDAg
|
||||
AAAEAIsbCNVF+6EdbfJtuw5ehopIUpQtKCQzCDpoaTp9Hfq/hOOrX2szPwbj2EACqwA/gy
|
||||
NBTC9TWZg9bGyZUuKAMCAAAACHRlc3Qta2V5AQIDBAU=
|
||||
-----END OPENSSH PRIVATE KEY-----
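Review bot: This file is an unencrypted private key committed to the repository, and nothing next to it says it is a throwaway fixture. Its embedded comment appears to decode to `test-key`, but that is only visible after base64-decoding. A short README in the same directory, stating that the key exists only for the Shadow simulation and must never be used elsewhere, would make this clear and give secret-scanning tooling a documented path to allowlist. The same applies to the files listed as "Binary file not shown", which are presumably the onion service's key material.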
|
|
@ -0,0 +1,2 @@
|
|||
descriptor:x25519:IOKTNZA7YBQYJSTZR4V7NSPIPVAGWO3QGTRCJKOVKCMYFTXDQJIA
|
||||
|
|
@ -0,0 +1 @@
|
|||
yr4tcjsgag3l7ar4kt5j2gav22nfs5uaktys5yy2yuuisjreu7ty6aad.onion
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,3 @@
|
|||
%include ../../../conf/tor.common.torrc
|
||||
%include ../../../conf/tor.client.torrc
|
||||
%include ../../../conf/tor.onionserver.torrc
|
|
@ -43,6 +43,20 @@ hosts:
|
|||
--defaults-torrc torrc-defaults -f torrc
|
||||
start_time: 900
|
||||
expected_final_state: running
|
||||
fileserver-onion-auth:
|
||||
network_node_id: 0
|
||||
processes:
|
||||
- path: tgen
|
||||
# See https://shadow.github.io/docs/guide/compatibility_notes.html#libopenblas
|
||||
environment: { OPENBLAS_NUM_THREADS: "1" }
|
||||
args: ../../../conf/tgen.onionserver.graphml.xml
|
||||
start_time: 1
|
||||
expected_final_state: running
|
||||
- path: tor
|
||||
args: --Address fileserver-onion-auth --Nickname fileserveronionauth
|
||||
--defaults-torrc torrc-defaults -f torrc
|
||||
start_time: 900
|
||||
expected_final_state: running
|
||||
4uthority:
|
||||
network_node_id: 0
|
||||
ip_addr: 100.0.0.1
|
||||
|
@ -160,4 +174,20 @@ hosts:
|
|||
environment: { OPENBLAS_NUM_THREADS: "1" }
|
||||
args: ../../../conf/tgen.toronionclient.graphml.xml
|
||||
start_time: 1500
|
||||
articlient-onion-auth:
|
||||
network_node_id: 0
|
||||
processes:
|
||||
# Use the version of arti built with keymgr and experimental-api support:
|
||||
- path: ../../target/x86_64-unknown-linux-gnu/debug/arti-extra
|
||||
args: proxy -c ./arti.d/arti.common.toml -c ./arti.d/arti.onion.toml -o proxy.socks_port=9000 --disable-fs-permission-checks -l debug,tor_proto=trace
|
||||
environment:
|
||||
RUST_BACKTRACE: "1"
|
||||
HOME: ./home
|
||||
start_time: 15m
|
||||
expected_final_state: running
|
||||
- path: tgen
|
||||
# See https://shadow.github.io/docs/guide/compatibility_notes.html#libopenblas
|
||||
environment: { OPENBLAS_NUM_THREADS: "1" }
|
||||
args: ../../../conf/tgen.toronionclient-auth.graphml.xml
|
||||
start_time: 1500
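Review bot: `articlient-onion-auth` starts arti with `--disable-fs-permission-checks` while its configuration presumably points at the keystore directory added in this commit, so the simulation never exercises the permission check on the directory holding the private key. If the flag is only there because git cannot record directory modes (the runner script already uses `chmod 700` for the `hs` directories), a comment above the `args:` line should say so, e.g. `# fs permission checks disabled: git does not preserve the keystore dir mode`. Alternatively the runner could `chmod 700` the keystore and the flag could be dropped for this host. Also, `start_time: 15m` here and `start_time: 900` on the tor process use different notations for what looks like the same instant.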
|
||||
|
||||
|
|