package socks
import (
"bytes"
"testing"
"github.com/cloudflare/cloudflared/ipaccess"
"github.com/stretchr/testify/assert"
)
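// TestUnsupportedBind checks that a SOCKS5 BIND request is answered with a
// commandNotSupported reply and that Handle itself reports no error.
func TestUnsupportedBind(t *testing.T) {
	req := createRequest(t, socks5Version, bindCommand, "2001:db8::68", 1337, false)
	var b bytes.Buffer
	requestHandler := NewRequestHandler(NewNetDialer(), nil)

	err := requestHandler.Handle(req, &b)
	assert.NoError(t, err)

	// The reply code is read from the second byte of the response. Fail with
	// a clear message instead of an index-out-of-range panic if the handler
	// wrote fewer than two bytes.
	reply := b.Bytes()
	if len(reply) < 2 {
		t.Fatalf("expected a response, got %d bytes", len(reply))
	}
	assert.Equal(t, byte(commandNotSupported), reply[1], "expected a response")
}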
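// TestUnsupportedAssociate checks that a SOCKS5 request carrying
// associateCommand is answered with a commandNotSupported reply and that
// Handle itself reports no error.
func TestUnsupportedAssociate(t *testing.T) {
	req := createRequest(t, socks5Version, associateCommand, "127.0.0.1", 1337, false)
	var b bytes.Buffer
	requestHandler := NewRequestHandler(NewNetDialer(), nil)

	err := requestHandler.Handle(req, &b)
	assert.NoError(t, err)

	// The reply code is read from the second byte of the response. Fail with
	// a clear message instead of an index-out-of-range panic if the handler
	// wrote fewer than two bytes.
	reply := b.Bytes()
	if len(reply) < 2 {
		t.Fatalf("expected a response, got %d bytes", len(reply))
	}
	assert.Equal(t, byte(commandNotSupported), reply[1], "expected a response")
}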
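// TestHandleConnect checks that a CONNECT request handled without an access
// policy (nil) reaches the dial step: Handle returns an error and the reply
// code written to the client is connectionRefused.
func TestHandleConnect(t *testing.T) {
	req := createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1337, false)
	var b bytes.Buffer
	requestHandler := NewRequestHandler(NewNetDialer(), nil)

	// NOTE(review): the expected outcome presumably relies on nothing
	// accepting connections on 127.0.0.1:1337 where the test runs — confirm.
	err := requestHandler.Handle(req, &b)
	assert.Error(t, err)

	// The reply code is read from the second byte of the response. Fail with
	// a clear message instead of an index-out-of-range panic if the handler
	// wrote fewer than two bytes.
	reply := b.Bytes()
	if len(reply) < 2 {
		t.Fatalf("expected a response, got %d bytes", len(reply))
	}
	assert.Equal(t, byte(connectionRefused), reply[1], "expected a response")
}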
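// TestHandleConnectIPAccess exercises the IP access policy applied to CONNECT
// requests. A request the policy denies must be answered with ruleFailure; a
// request the policy allows proceeds to the dial step and is observed here as
// connectionRefused. Handle returns an error in every case.
//
// NOTE(review): the "allowed" cases presumably rely on nothing accepting
// connections on 127.0.0.1:1337 where the test runs — confirm.
func TestHandleConnectIPAccess(t *testing.T) {
	prefix := "127.0.0.0/24"

	// Rule construction errors are checked rather than discarded: a rule that
	// failed to build would silently change which policy the cases below are
	// actually testing.
	rule1, err := ipaccess.NewRuleByCIDR(&prefix, []int{1337}, true)
	if err != nil {
		t.Fatalf("building allow rule for port 1337: %v", err)
	}
	rule2, err := ipaccess.NewRuleByCIDR(&prefix, []int{1338}, false)
	if err != nil {
		t.Fatalf("building deny rule for port 1338: %v", err)
	}
	rules := []ipaccess.Rule{rule1, rule2}

	var b bytes.Buffer

	// expectReply compares the reply code (second byte of the response held
	// in b) with want, then clears b for the next case. It fails the test
	// instead of panicking when the response is shorter than two bytes.
	expectReply := func(want byte, msg string) {
		t.Helper()
		reply := b.Bytes()
		if len(reply) < 2 {
			t.Fatalf("%s: response has %d bytes, want at least 2", msg, len(reply))
		}
		assert.Equal(t, want, reply[1], msg)
		b.Reset()
	}

	// No rules, default deny: the request must be rejected by the policy.
	accessPolicy, err := ipaccess.NewPolicy(false, nil)
	if err != nil {
		t.Fatalf("building default-deny policy: %v", err)
	}
	requestHandler := NewRequestHandler(NewNetDialer(), accessPolicy)
	req := createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1337, false)
	err = requestHandler.Handle(req, &b)
	assert.Error(t, err)
	expectReply(byte(ruleFailure), "expected to be denied as no rules and defaultAllow=false")

	// No rules, default allow: the request passes the policy.
	accessPolicy, err = ipaccess.NewPolicy(true, nil)
	if err != nil {
		t.Fatalf("building default-allow policy: %v", err)
	}
	requestHandler = NewRequestHandler(NewNetDialer(), accessPolicy)
	req = createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1337, false)
	err = requestHandler.Handle(req, &b)
	assert.Error(t, err)
	expectReply(byte(connectionRefused), "expected to be allowed as no rules and defaultAllow=true")

	// Default deny with explicit rules: port 1337 matches the allow rule.
	accessPolicy, err = ipaccess.NewPolicy(false, rules)
	if err != nil {
		t.Fatalf("building rule-based policy: %v", err)
	}
	requestHandler = NewRequestHandler(NewNetDialer(), accessPolicy)
	req = createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1337, false)
	err = requestHandler.Handle(req, &b)
	assert.Error(t, err)
	expectReply(byte(connectionRefused), "expected to be allowed as matching rule")

	// Same policy: port 1338 matches the deny rule.
	req = createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1338, false)
	err = requestHandler.Handle(req, &b)
	assert.Error(t, err)
	expectReply(byte(ruleFailure), "expected to be denied as matching rule")

	// Same policy: port 1339 matches no rule, so the default (deny) applies.
	req = createRequest(t, socks5Version, connectCommand, "127.0.0.1", 1339, false)
	err = requestHandler.Handle(req, &b)
	assert.Error(t, err)
	expectReply(byte(ruleFailure), "expect to be denied as no matching rule and defaultAllow=false")
}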