tailscale/net/tshttpproxy/tshttpproxy_test.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

package tshttpproxy

import (
	"net/http"
	"net/url"
	"os"
	"runtime"
	"strings"
	"testing"
	"time"

	"tailscale.com/util/must"
)

func TestGetAuthHeaderNoResult(t *testing.T) {
	const proxyURL = "http://127.0.0.1:38274"

	u, err := url.Parse(proxyURL)
	if err != nil {
		t.Fatalf("can't parse %q: %v", proxyURL, err)
	}

	got, err := GetAuthHeader(u)
	if err != nil {
		t.Fatalf("can't get auth header value: %v", err)
	}

	if runtime.GOOS == "windows" && strings.HasPrefix(got, "Negotiate") {
		t.Logf("didn't get empty result, but got acceptable Windows Negotiate header")
		return
	}
	if got != "" {
		t.Fatalf("GetAuthHeader(%q) = %q; want empty string", proxyURL, got)
	}
}

func TestGetAuthHeaderBasicAuth(t *testing.T) {
	const proxyURL = "http://user:password@127.0.0.1:38274"
	const want = "Basic dXNlcjpwYXNzd29yZA=="

	u, err := url.Parse(proxyURL)
	if err != nil {
		t.Fatalf("can't parse %q: %v", proxyURL, err)
	}

	got, err := GetAuthHeader(u)
	if err != nil {
		t.Fatalf("can't get auth header value: %v", err)
	}

	if got != want {
		t.Fatalf("GetAuthHeader(%q) = %q; want %q", proxyURL, got, want)
	}
}

func TestProxyFromEnvironment_setNoProxyUntil(t *testing.T) {
	const fakeProxyEnv = "10.1.2.3:456"
	const fakeProxyFull = "http://" + fakeProxyEnv

	defer os.Setenv("HTTPS_PROXY", os.Getenv("HTTPS_PROXY"))
	os.Setenv("HTTPS_PROXY", fakeProxyEnv)

	req := &http.Request{URL: must.Get(url.Parse("https://example.com/"))}
	for i := range 3 {
		switch i {
		case 1:
			setNoProxyUntil(time.Minute)
		case 2:
			setNoProxyUntil(0)
		}
		got, err := ProxyFromEnvironment(req)
		if err != nil {
			t.Fatalf("[%d] ProxyFromEnvironment: %v", i, err)
		}
		if got == nil || got.String() != fakeProxyFull {
			t.Errorf("[%d] Got proxy %v; want %v", i, got, fakeProxyFull)
		}
	}

}

func TestSetSelfProxy(t *testing.T) {
	// Ensure we clean everything up at the end of our test
	t.Cleanup(func() {
		config = nil
		proxyFunc = nil
	})

	testCases := []struct {
		name      string
		env       map[string]string
		self      []string
		wantHTTP  string
		wantHTTPS string
	}{
		{
			name: "no self proxy",
			env: map[string]string{
				"HTTP_PROXY":  "127.0.0.1:1234",
				"HTTPS_PROXY": "127.0.0.1:1234",
			},
			self:      nil,
			wantHTTP:  "127.0.0.1:1234",
			wantHTTPS: "127.0.0.1:1234",
		},
		{
			name: "skip proxies",
			env: map[string]string{
				"HTTP_PROXY":  "127.0.0.1:1234",
				"HTTPS_PROXY": "127.0.0.1:5678",
			},
			self:      []string{"127.0.0.1:1234", "127.0.0.1:5678"},
			wantHTTP:  "", // skipped
			wantHTTPS: "", // skipped
		},
		{
			name: "localhost normalization of env var",
			env: map[string]string{
				"HTTP_PROXY":  "localhost:1234",
				"HTTPS_PROXY": "[::1]:5678",
			},
			self:      []string{"127.0.0.1:1234", "127.0.0.1:5678"},
			wantHTTP:  "", // skipped
			wantHTTPS: "", // skipped
		},
		{
			name: "localhost normalization of addr",
			env: map[string]string{
				"HTTP_PROXY":  "127.0.0.1:1234",
				"HTTPS_PROXY": "127.0.0.1:1234",
			},
			self:      []string{"[::1]:1234"},
			wantHTTP:  "", // skipped
			wantHTTPS: "", // skipped
		},
		{
			name: "no ports",
			env: map[string]string{
				"HTTP_PROXY":  "myproxy",
				"HTTPS_PROXY": "myproxy",
			},
			self:      []string{"127.0.0.1:1234"},
			wantHTTP:  "myproxy",
			wantHTTPS: "myproxy",
		},
	}
	for _, tt := range testCases {
		t.Run(tt.name, func(t *testing.T) {
			for k, v := range tt.env {
				oldEnv, found := os.LookupEnv(k)
				if found {
					t.Cleanup(func() {
						os.Setenv(k, oldEnv)
					})
				}
				os.Setenv(k, v)
			}

			// Reset computed variables
			config = nil
			proxyFunc = func(*url.URL) (*url.URL, error) {
				panic("should not be called")
			}

			SetSelfProxy(tt.self...)

			if got := config.HTTPProxy; got != tt.wantHTTP {
				t.Errorf("got HTTPProxy=%q; want %q", got, tt.wantHTTP)
			}
			if got := config.HTTPSProxy; got != tt.wantHTTPS {
				t.Errorf("got HTTPSProxy=%q; want %q", got, tt.wantHTTPS)
			}
			if proxyFunc != nil {
				t.Errorf("wanted nil proxyFunc")
			}

			// Verify that we do actually proxy through the
			// expected proxy, if we have one configured.
			pf := getProxyFunc()
			if tt.wantHTTP != "" {
				want := "http://" + tt.wantHTTP

				uu, _ := url.Parse("http://tailscale.com")
				dest, err := pf(uu)
				if err != nil {
					t.Error(err)
				} else if dest.String() != want {
					t.Errorf("got dest=%q; want %q", dest, want)
				}
			}
			if tt.wantHTTPS != "" {
				want := "http://" + tt.wantHTTPS

				uu, _ := url.Parse("https://tailscale.com")
				dest, err := pf(uu)
				if err != nil {
					t.Error(err)
				} else if dest.String() != want {
					t.Errorf("got dest=%q; want %q", dest, want)
				}
			}
		})
	}
}
all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com> 2023-01-27 21:37:20 +00:00			`// Copyright (c) Tailscale Inc & AUTHORS`
			`// SPDX-License-Identifier: BSD-3-Clause`
net/tshttpproxy: support basic auth when available (#1354) This allows proxy URLs such as: http://azurediamond:hunter2@192.168.122.154:38274 to be used in order to dial out to control, logs or derp servers. Signed-off-by: Christine Dodrill <xe@tailscale.com> 2021-02-17 21:01:47 +00:00
			`package tshttpproxy`

			`import (`
net/tshttpproxy: don't ignore env-based HTTP proxies after system lookups fail There was a mechanism in tshttpproxy to note that a Windows proxy lookup failed and to stop hitting it so often. But that turns out to fire a lot (no PAC file configured at all results in a proxy lookup), so after the first proxy lookup, we were enabling the "omg something's wrong, stop looking up proxies" bit for awhile, which was then also preventing the normal Go environment-based proxy lookups from working. This at least fixes environment-based proxies. Plenty of other Windows-specific proxy work remains (using WinHttpGetIEProxyConfigForCurrentUser instead of just PAC files, ignoring certain types of errors, etc), but this should fix the regression reported in #4811. Updates #4811 Change-Id: I665e1891897d58e290163bda5ca51a22a017c5f9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-13 17:58:47 +00:00			`"net/http"`
net/tshttpproxy: support basic auth when available (#1354) This allows proxy URLs such as: http://azurediamond:hunter2@192.168.122.154:38274 to be used in order to dial out to control, logs or derp servers. Signed-off-by: Christine Dodrill <xe@tailscale.com> 2021-02-17 21:01:47 +00:00			`"net/url"`
net/tshttpproxy: don't ignore env-based HTTP proxies after system lookups fail There was a mechanism in tshttpproxy to note that a Windows proxy lookup failed and to stop hitting it so often. But that turns out to fire a lot (no PAC file configured at all results in a proxy lookup), so after the first proxy lookup, we were enabling the "omg something's wrong, stop looking up proxies" bit for awhile, which was then also preventing the normal Go environment-based proxy lookups from working. This at least fixes environment-based proxies. Plenty of other Windows-specific proxy work remains (using WinHttpGetIEProxyConfigForCurrentUser instead of just PAC files, ignoring certain types of errors, etc), but this should fix the regression reported in #4811. Updates #4811 Change-Id: I665e1891897d58e290163bda5ca51a22a017c5f9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-13 17:58:47 +00:00			`"os"`
net/tshttpproxy: support HTTP proxy environment credentials on Windows too and some minor style nits. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-02-18 05:23:39 +00:00			`"runtime"`
			`"strings"`
net/tshttpproxy: support basic auth when available (#1354) This allows proxy URLs such as: http://azurediamond:hunter2@192.168.122.154:38274 to be used in order to dial out to control, logs or derp servers. Signed-off-by: Christine Dodrill <xe@tailscale.com> 2021-02-17 21:01:47 +00:00			`"testing"`
net/tshttpproxy: don't ignore env-based HTTP proxies after system lookups fail There was a mechanism in tshttpproxy to note that a Windows proxy lookup failed and to stop hitting it so often. But that turns out to fire a lot (no PAC file configured at all results in a proxy lookup), so after the first proxy lookup, we were enabling the "omg something's wrong, stop looking up proxies" bit for awhile, which was then also preventing the normal Go environment-based proxy lookups from working. This at least fixes environment-based proxies. Plenty of other Windows-specific proxy work remains (using WinHttpGetIEProxyConfigForCurrentUser instead of just PAC files, ignoring certain types of errors, etc), but this should fix the regression reported in #4811. Updates #4811 Change-Id: I665e1891897d58e290163bda5ca51a22a017c5f9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-13 17:58:47 +00:00			`"time"`

			`"tailscale.com/util/must"`
net/tshttpproxy: support basic auth when available (#1354) This allows proxy URLs such as: http://azurediamond:hunter2@192.168.122.154:38274 to be used in order to dial out to control, logs or derp servers. Signed-off-by: Christine Dodrill <xe@tailscale.com> 2021-02-17 21:01:47 +00:00			`)`

			`func TestGetAuthHeaderNoResult(t *testing.T) {`
net/tshttpproxy: support HTTP proxy environment credentials on Windows too and some minor style nits. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-02-18 05:23:39 +00:00			`const proxyURL = "http://127.0.0.1:38274"`
net/tshttpproxy: support basic auth when available (#1354) This allows proxy URLs such as: http://azurediamond:hunter2@192.168.122.154:38274 to be used in order to dial out to control, logs or derp servers. Signed-off-by: Christine Dodrill <xe@tailscale.com> 2021-02-17 21:01:47 +00:00
			`u, err := url.Parse(proxyURL)`
			`if err != nil {`
			`t.Fatalf("can't parse %q: %v", proxyURL, err)`
			`}`

net/tshttpproxy: support HTTP proxy environment credentials on Windows too and some minor style nits. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-02-18 05:23:39 +00:00			`got, err := GetAuthHeader(u)`
net/tshttpproxy: support basic auth when available (#1354) This allows proxy URLs such as: http://azurediamond:hunter2@192.168.122.154:38274 to be used in order to dial out to control, logs or derp servers. Signed-off-by: Christine Dodrill <xe@tailscale.com> 2021-02-17 21:01:47 +00:00			`if err != nil {`
			`t.Fatalf("can't get auth header value: %v", err)`
			`}`

net/tshttpproxy: support HTTP proxy environment credentials on Windows too and some minor style nits. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-02-18 05:23:39 +00:00			`if runtime.GOOS == "windows" && strings.HasPrefix(got, "Negotiate") {`
			`t.Logf("didn't get empty result, but got acceptable Windows Negotiate header")`
			`return`
			`}`
			`if got != "" {`
			`t.Fatalf("GetAuthHeader(%q) = %q; want empty string", proxyURL, got)`
net/tshttpproxy: support basic auth when available (#1354) This allows proxy URLs such as: http://azurediamond:hunter2@192.168.122.154:38274 to be used in order to dial out to control, logs or derp servers. Signed-off-by: Christine Dodrill <xe@tailscale.com> 2021-02-17 21:01:47 +00:00			`}`
			`}`

			`func TestGetAuthHeaderBasicAuth(t *testing.T) {`
net/tshttpproxy: support HTTP proxy environment credentials on Windows too and some minor style nits. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-02-18 05:23:39 +00:00			`const proxyURL = "http://user:password@127.0.0.1:38274"`
			`const want = "Basic dXNlcjpwYXNzd29yZA=="`
net/tshttpproxy: support basic auth when available (#1354) This allows proxy URLs such as: http://azurediamond:hunter2@192.168.122.154:38274 to be used in order to dial out to control, logs or derp servers. Signed-off-by: Christine Dodrill <xe@tailscale.com> 2021-02-17 21:01:47 +00:00
			`u, err := url.Parse(proxyURL)`
			`if err != nil {`
			`t.Fatalf("can't parse %q: %v", proxyURL, err)`
			`}`

net/tshttpproxy: support HTTP proxy environment credentials on Windows too and some minor style nits. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-02-18 05:23:39 +00:00			`got, err := GetAuthHeader(u)`
net/tshttpproxy: support basic auth when available (#1354) This allows proxy URLs such as: http://azurediamond:hunter2@192.168.122.154:38274 to be used in order to dial out to control, logs or derp servers. Signed-off-by: Christine Dodrill <xe@tailscale.com> 2021-02-17 21:01:47 +00:00			`if err != nil {`
			`t.Fatalf("can't get auth header value: %v", err)`
			`}`

net/tshttpproxy: support HTTP proxy environment credentials on Windows too and some minor style nits. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-02-18 05:23:39 +00:00			`if got != want {`
			`t.Fatalf("GetAuthHeader(%q) = %q; want %q", proxyURL, got, want)`
net/tshttpproxy: support basic auth when available (#1354) This allows proxy URLs such as: http://azurediamond:hunter2@192.168.122.154:38274 to be used in order to dial out to control, logs or derp servers. Signed-off-by: Christine Dodrill <xe@tailscale.com> 2021-02-17 21:01:47 +00:00			`}`
			`}`
net/tshttpproxy: don't ignore env-based HTTP proxies after system lookups fail There was a mechanism in tshttpproxy to note that a Windows proxy lookup failed and to stop hitting it so often. But that turns out to fire a lot (no PAC file configured at all results in a proxy lookup), so after the first proxy lookup, we were enabling the "omg something's wrong, stop looking up proxies" bit for awhile, which was then also preventing the normal Go environment-based proxy lookups from working. This at least fixes environment-based proxies. Plenty of other Windows-specific proxy work remains (using WinHttpGetIEProxyConfigForCurrentUser instead of just PAC files, ignoring certain types of errors, etc), but this should fix the regression reported in #4811. Updates #4811 Change-Id: I665e1891897d58e290163bda5ca51a22a017c5f9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-13 17:58:47 +00:00
			`func TestProxyFromEnvironment_setNoProxyUntil(t *testing.T) {`
			`const fakeProxyEnv = "10.1.2.3:456"`
			`const fakeProxyFull = "http://" + fakeProxyEnv`

			`defer os.Setenv("HTTPS_PROXY", os.Getenv("HTTPS_PROXY"))`
			`os.Setenv("HTTPS_PROXY", fakeProxyEnv)`

			`req := &http.Request{URL: must.Get(url.Parse("https://example.com/"))}`
all: use Go 1.22 range-over-int Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2024-04-16 21:15:13 +01:00			`for i := range 3 {`
net/tshttpproxy: don't ignore env-based HTTP proxies after system lookups fail There was a mechanism in tshttpproxy to note that a Windows proxy lookup failed and to stop hitting it so often. But that turns out to fire a lot (no PAC file configured at all results in a proxy lookup), so after the first proxy lookup, we were enabling the "omg something's wrong, stop looking up proxies" bit for awhile, which was then also preventing the normal Go environment-based proxy lookups from working. This at least fixes environment-based proxies. Plenty of other Windows-specific proxy work remains (using WinHttpGetIEProxyConfigForCurrentUser instead of just PAC files, ignoring certain types of errors, etc), but this should fix the regression reported in #4811. Updates #4811 Change-Id: I665e1891897d58e290163bda5ca51a22a017c5f9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-11-13 17:58:47 +00:00			`switch i {`
			`case 1:`
			`setNoProxyUntil(time.Minute)`
			`case 2:`
			`setNoProxyUntil(0)`
			`}`
			`got, err := ProxyFromEnvironment(req)`
			`if err != nil {`
			`t.Fatalf("[%d] ProxyFromEnvironment: %v", i, err)`
			`}`
			`if got == nil \|\| got.String() != fakeProxyFull {`
			`t.Errorf("[%d] Got proxy %v; want %v", i, got, fakeProxyFull)`
			`}`
			`}`

			`}`
net/tshttpproxy: don't proxy through ourselves When running a SOCKS or HTTP proxy, configure the tshttpproxy package to drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment variables. Fixes #7407 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I6cd7cad7a609c639780484bad521c7514841764b 2023-03-05 02:49:05 +00:00
			`func TestSetSelfProxy(t *testing.T) {`
			`// Ensure we clean everything up at the end of our test`
			`t.Cleanup(func() {`
			`config = nil`
			`proxyFunc = nil`
			`})`

			`testCases := []struct {`
			`name string`
			`env map[string]string`
			`self []string`
			`wantHTTP string`
			`wantHTTPS string`
			`}{`
			`{`
			`name: "no self proxy",`
			`env: map[string]string{`
			`"HTTP_PROXY": "127.0.0.1:1234",`
			`"HTTPS_PROXY": "127.0.0.1:1234",`
			`},`
			`self: nil,`
			`wantHTTP: "127.0.0.1:1234",`
			`wantHTTPS: "127.0.0.1:1234",`
			`},`
			`{`
			`name: "skip proxies",`
			`env: map[string]string{`
			`"HTTP_PROXY": "127.0.0.1:1234",`
			`"HTTPS_PROXY": "127.0.0.1:5678",`
			`},`
			`self: []string{"127.0.0.1:1234", "127.0.0.1:5678"},`
			`wantHTTP: "", // skipped`
			`wantHTTPS: "", // skipped`
			`},`
			`{`
			`name: "localhost normalization of env var",`
			`env: map[string]string{`
			`"HTTP_PROXY": "localhost:1234",`
			`"HTTPS_PROXY": "[::1]:5678",`
			`},`
			`self: []string{"127.0.0.1:1234", "127.0.0.1:5678"},`
			`wantHTTP: "", // skipped`
			`wantHTTPS: "", // skipped`
			`},`
			`{`
			`name: "localhost normalization of addr",`
			`env: map[string]string{`
			`"HTTP_PROXY": "127.0.0.1:1234",`
			`"HTTPS_PROXY": "127.0.0.1:1234",`
			`},`
			`self: []string{"[::1]:1234"},`
			`wantHTTP: "", // skipped`
			`wantHTTPS: "", // skipped`
			`},`
			`{`
			`name: "no ports",`
			`env: map[string]string{`
			`"HTTP_PROXY": "myproxy",`
			`"HTTPS_PROXY": "myproxy",`
			`},`
			`self: []string{"127.0.0.1:1234"},`
			`wantHTTP: "myproxy",`
			`wantHTTPS: "myproxy",`
			`},`
			`}`
			`for _, tt := range testCases {`
			`t.Run(tt.name, func(t *testing.T) {`
			`for k, v := range tt.env {`
			`oldEnv, found := os.LookupEnv(k)`
			`if found {`
			`t.Cleanup(func() {`
			`os.Setenv(k, oldEnv)`
			`})`
			`}`
			`os.Setenv(k, v)`
			`}`

			`// Reset computed variables`
			`config = nil`
			`proxyFunc = func(url.URL) (url.URL, error) {`
			`panic("should not be called")`
			`}`

			`SetSelfProxy(tt.self...)`

			`if got := config.HTTPProxy; got != tt.wantHTTP {`
			`t.Errorf("got HTTPProxy=%q; want %q", got, tt.wantHTTP)`
			`}`
			`if got := config.HTTPSProxy; got != tt.wantHTTPS {`
			`t.Errorf("got HTTPSProxy=%q; want %q", got, tt.wantHTTPS)`
			`}`
			`if proxyFunc != nil {`
			`t.Errorf("wanted nil proxyFunc")`
			`}`

			`// Verify that we do actually proxy through the`
			`// expected proxy, if we have one configured.`
			`pf := getProxyFunc()`
			`if tt.wantHTTP != "" {`
			`want := "http://" + tt.wantHTTP`

			`uu, _ := url.Parse("http://tailscale.com")`
			`dest, err := pf(uu)`
			`if err != nil {`
			`t.Error(err)`
			`} else if dest.String() != want {`
			`t.Errorf("got dest=%q; want %q", dest, want)`
			`}`
			`}`
			`if tt.wantHTTPS != "" {`
			`want := "http://" + tt.wantHTTPS`

			`uu, _ := url.Parse("https://tailscale.com")`
			`dest, err := pf(uu)`
			`if err != nil {`
			`t.Error(err)`
			`} else if dest.String() != want {`
			`t.Errorf("got dest=%q; want %q", dest, want)`
			`}`
			`}`
			`})`
			`}`
			`}`