-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add the openvpn experiment #1585
Conversation
tests green again after latest additions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My main, still open, design question is about whether we would be able to easily disable the experiment via the OONI backend API if it misbehaves. This is my main reason for saying "request changes". My understanding is that, if the OONI backend does not return any target to measure, then the experiment will use the defaults configured for "riseupvpn". I do not think this is desirable at this stage, because we still think at this experiment as unstable and we would like to have a chance to configure it to not run remotely. How could we achieve this? Would removing the hardcoded fallback be a possibility?
Apart from that, I have done a careful review that includes:
-
several minimal cosmetic requests including documenting public fields
-
suggestions and questions about simplifying the codebase a bit
-
small design questions
internal/engine/inputloader.go
Outdated
for _, provider := range openvpn.APIEnabledProviders { | ||
reply, err := il.vpnConfig(ctx, provider) | ||
if err != nil { | ||
break |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you want to stop at the first error, you should return an error here. Looking at the context of the code, it seems to me the semantics to want is to ignore (and maybe warn?) on error. To this end, you should continue here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tx for pointing this out! this for loop is not really used atm, so I'll go with returning the error
internal/engine/inputloader.go
Outdated
// here we're just collecting all the inputs. we also cache the configs so that | ||
// each experiment run can access the credentials for a given provider. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see where you're caching the configs in the following two lines
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you're right - cacheing happens in the session method. updated the comment.
}, | ||
} | ||
|
||
// Shuffle returns a shuffled copy of the endpointList. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it really a shuffled copy? It seems to me this is shuffling e
itself.
To make a shuffled copy you need to do something like this:
copy := append([]endpointList{}, e...)
and then you need to do a rand.Shuffle
on copy
(obviously).
Also, I'd rename this method Shuffled
(like Python's sort
and sorted
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
noted. I changed the docstring to reflect that we mutate the list in place.
in any case, I'll probably stop using the default endpoint list, so probably this code needs to be deleted soon.
} | ||
|
||
func TestAddConnectionTestKeys(t *testing.T) { | ||
t.Run("append connection result to empty keys", func(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, add a test for the UDP case as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added
For disabling the experiment: would this work? 8c5fa11 would this be handled correctly by the mobile/desktop apps just by returning an error? right now if the HTTP client finds a 404 miniooni panics btw, I'm not sure if I need to catch this error explicitely. |
addressed the comments in the review; I think the only case I'd still defend is adding a boolean for success (in the top-level OpenVPN handshake archival result, I have removed the nested result struct) since I think simplifies analysis in some cases (ooni data can always override it) do note that after agreeing on the failure/success format, I'll need to modify the spec accordingly! |
Added a couple of commits, one for accepting options in the oonirun descriptor (not used at the moment), and the other using {
"name": "openvpn-riseup",
"description": "measure vpn connection to riseup gateway",
"author": "Ain Ghazal <[email protected]>",
"nettests": [
{
"test_name": "openvpn",
"inputs": [
"openvpn://riseupvpn.corp/?address=51.15.187.53:53&transport=udp"
],
"options": {
"Cipher": "AES-256-GCM",
"Auth": "SHA512",
"Compress": "",
"Obfuscation": "none",
"SafeCA": "-----BEGIN CERTIFICATE-----\nMIIBYjCCAQigAwIBAgIBATAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxMRUFQIFJv\nb3QgQ0EwHhcNMjExMTAyMTkwNTM3WhcNMjYxMTAyMTkxMDM3WjAXMRUwEwYDVQQD\nEwxMRUFQIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQxOXBGu+gf\npjHzVteGTWL6XnFxtEnKMFpKaJkA/VOHmESzoLsZRQxt88GssxaqC01J17idQiqv\nzgNpedmtvFtyo0UwQzAOBgNVHQ8BAf8EBAMCAqQwEgYDVR0TAQH/BAgwBgEB/wIB\nATAdBgNVHQ4EFgQUZdoUlJrCIUNFrpffAq+LQjnwEz4wCgYIKoZIzj0EAwIDSAAw\nRQIgfr3w4tnRG+NdI3LsGPlsRktGK20xHTzsB3orB0yC6cICIQCB+/9y8nmSStfN\nVUMUyk2hNd7/kC8nL222TTD7VZUtsg==\n-----END CERTIFICATE-----",
"SafeCert": "-----BEGIN CERTIFICATE-----\nMIICdzCCAh2gAwIBAgIQaiLN8Wt8B7n/fkNAb0dPhjAKBggqhkjOPQQDAjAzMTEw\nLwYDVQQDDChMRUFQIFJvb3QgQ0EgKGNsaWVudCBjZXJ0aWZpY2F0ZXMgb25seSEp\nMB4XDTI0MDUyMzExNDYzOFoXDTI0MDYyNzExNDYzOFowFDESMBAGA1UEAxMJVU5M\nSU1JVEVEMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6/FnGI7yIw0P\nb1p+IRiTrLi+lc2bacboPE//bsTFBh+PuTudyZeGY9mxZDd1wBauwBux8nnSnaKK\nJGzd+5xQrG9xlb19aMSBWpS8+rdCz03zEG31SQgwSAAUjmYsDEhstwY329K7noCZ\n125Dp5HIPZYRS5Xbc5NirazrRongsYdq53Mlmp2S/KPFBo6LkkNppBcSzIo6wsUo\n96PViTy15yA4PWhrI5dP798Wg7od4R5Q/cM+zyaxoycwKUck4Ixhqw7nod8OBXZu\nwITKGGqFmMtAQAa8FZG1y+e85O7GH55K/W/3sO5T4fcV+A9V5AyynRQfZbxvIT0I\nbMX1/y7+WwIDAQABo2cwZTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB\nBQUHAwIwHQYDVR0OBBYEFJ81OtiqvnHEnXngCTa2wpyPeOhKMB8GA1UdIwQYMBaA\nFH1KYtj/K0nEebaisdyOPmMHXKj+MAoGCCqGSM49BAMCA0gAMEUCIBmbOvPti2bM\nEkjHRoCRE4h09da1YMDdYhYgndmnQaeMAiEAs0RqX86JTcB2M4FkW+gw1ni3Okuc\ntBKwmlxGufWxzpE=\n-----END CERTIFICATE-----",
"SafeKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEA6/FnGI7yIw0Pb1p+IRiTrLi+lc2bacboPE//bsTFBh+PuTud\nyZeGY9mxZDd1wBauwBux8nnSnaKKJGzd+5xQrG9xlb19aMSBWpS8+rdCz03zEG31\nSQgwSAAUjmYsDEhstwY329K7noCZ125Dp5HIPZYRS5Xbc5NirazrRongsYdq53Ml\nmp2S/KPFBo6LkkNppBcSzIo6wsUo96PViTy15yA4PWhrI5dP798Wg7od4R5Q/cM+\nzyaxoycwKUck4Ixhqw7nod8OBXZuwITKGGqFmMtAQAa8FZG1y+e85O7GH55K/W/3\nsO5T4fcV+A9V5AyynRQfZbxvIT0IbMX1/y7+WwIDAQABAoIBAHLmFUmtWxdcpdaZ\nX/DoEgo70XwMK5Hgbnnoj0C3DCeGOSyAbr+cTbLUcYGXTH1lzmX5Vrf5QWrIm7NP\nXO7J2bOPdeXw6GCbyU5+PmVt11gy4ppuodOV7EUz3M7XzL2Si3a5zXv8bKesgr6Z\nkNLKuJPdP8DqUns/G//txImOXWC13QFk0KGeEzWU5/5tXR8SP/wft68sYQiNmfPw\nxGIuqIs/ILsEYM/vXirBx3Q4KyfrJZ71X3ueRKxhxnMAN6wztYqwa7A9NjSMu566\npjG2c0tBXEk+IrX4ehXk/+tM9oCHM+gV19uOky56mTjNQEetFibMbd8u/5zF/pga\niu+KEBECgYEA/qklejvogI4jFA0pwK//3gYMostn+hq4pM3yBHGgxNuJu2PQr7oP\nZ8KUaHIoZOb/FD2E/JuYkpA6raIWVd/7R+oVwq8OVPpKxtAtjD9u4+gHvkpDF1dv\nNkwHSeG9+9EOcNeqCHzGLK6VJys0FVEBOJSWgGy5xsjvFsYpbrLaJdMCgYEA7S8O\na9RoA0AEr3B/zcrGRKZceyF/z7maOYEUuZL8Cf4GxSciQN5DddcYXl5yzjFUiubV\ncM4kzqvQfBrVYFhNAHOPVQ4Unp+UzEWKe3juPnYVJOh0GLreW0nSC2QMftSZrspC\nlgDr2d3q06tAXDNKo0mko6b4MQF6GzdpNTcpyFkCgYAxutpEuno20IrtGXzz0erH\ncqr5B3uwjZNNK6J9V6srhiupWl6gUlc7zfWpR9G3kpxxWWok4kWzKVMsISD3eBvb\n+UxyjjjgQ1hi5rheUOzYuLD6agob/skK82Hg/aJaEIMfah4cNjGE/DrIQVmUaBMy\n92FEhvboaMi3y86/fVG4XQKBgBBRhX97vLBEjk33woNJKTz96Sz7kAydq3O7Ys6l\nwzt4w8R6vcuSvzdzVhTgEKwJDtUDrrm1JSkm/xAa1IVtbdbTHJBwiJClUBqBylZW\naqXXf/rrF1nAOZ40RQRNnOJ5BB3Xgp9JbvCtaQOpK6NsT/1OCsrLqRXOETWgKVfk\n9LX5AoGAAuuOw6PNpKvef595GzTjsXuGDH7PtVkr4CP5j7qDCKh1t7rjk3RiHzTH\nsyXNZQIsRagE3lo32t5ORhW0X+2oGjAS/YkHKDo/ueGqEzBbWtVcDZKNoxfnjCZ6\ngBNUSqhYykBGDI0ST56CnG0ZJSxztncR39W2TrxpYju3qy1g3Ps=\n-----END RSA PRIVATE KEY-----\n"
}
}
]
} |
updated the spec to reflect the latest change in the archival format: ooni/spec@518c1d5 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am going to merge such that we can continue development in tree. Notably, this experiment is a very good candidate for reasoning about richer input, hence merging it is going to provide collateral help in completing richer input.
💥 🐳
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/spec/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#2688 - [x] related ooni/probe-cli pull request: ooni/probe-cli#1585 - [x] If I changed a spec, I also bumped its version number and/or date ## Description Add initial spec for the `openvpn` experiment. This proposal supersedes a previous version (#255). ICMP Pings and URLGrabber over the tunnel are not included, this experiment just does OpenVPN handshakes at the moment. --------- Co-authored-by: Simone Basso <[email protected]>
Description
First iteration of a new openvpn experiment. This takes a set of endpoints and uses minivpn to attempt a handshake with each of the configured endpoints.
A new API endpoint has been added to the backend that is able to distribute valid configuration parameters for an OpenVPN connection, including credentials.
Checklist