/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ /* vim:set ts=2 sw=2 sts=2 et: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /** * This test checks following expectations when using HTTP/2 proxy: * * - when we request https access, we don't create different sessions for * different origins, only new tunnels inside a single session * - when the isolation key (`proxy_isolation`) is changed, new single session * is created for new requests to same origins as before * - error code returned from the tunnel (a proxy error - not end-server * error!) doesn't kill the existing session * - check we are seeing expected nsresult error codes on channels * (nsIChannel.status) corresponding to different proxy status code * responses (502, 504, 407, ...) * - check we don't try to ask for credentials or otherwise authenticate to * the proxy when 407 is returned and there is no Proxy-Authenticate * response header sent * - a stream reset for a connect stream to the proxy does not cause session to * be closed and the request through the proxy will failed. * - a "soft" stream error on a connection to the origin server will close the * stream, but it will not close niether the HTTP/2 session to the proxy nor * to the origin server. * - a "hard" stream error on a connection to the origin server will close the * HTTP/2 session to the origin server, but it will not close the HTTP/2 * session to the proxy. */ /* eslint-env node */ /* global serverPort */ "use strict"; const pps = Cc["@mozilla.org/network/protocol-proxy-service;1"].getService(); let proxy_port; let filter; let proxy; // See moz-http2 const proxy_auth = "authorization-token"; let proxy_isolation; class ProxyFilter { constructor(type, host, port, flags) { this._type = type; this._host = host; this._port = port; this._flags = flags; this.QueryInterface = ChromeUtils.generateQI(["nsIProtocolProxyFilter"]); } applyFilter(uri, pi, cb) { cb.onProxyFilterResult( pps.newProxyInfo( this._type, this._host, this._port, proxy_auth, proxy_isolation, this._flags, 1000, null ) ); } } class UnxpectedAuthPrompt2 { constructor(signal) { this.signal = signal; this.QueryInterface = ChromeUtils.generateQI(["nsIAuthPrompt2"]); } asyncPromptAuth() { this.signal.triggered = true; throw Components.Exception("", Cr.ERROR_UNEXPECTED); } } class SimpleAuthPrompt2 { constructor(signal) { this.signal = signal; this.QueryInterface = ChromeUtils.generateQI(["nsIAuthPrompt2"]); } asyncPromptAuth(channel, callback, context, encryptionLevel, authInfo) { this.signal.triggered = true; executeSoon(function () { authInfo.username = "user"; authInfo.password = "pass"; callback.onAuthAvailable(context, authInfo); }); } } class AuthRequestor { constructor(prompt) { this.prompt = prompt; this.QueryInterface = ChromeUtils.generateQI(["nsIInterfaceRequestor"]); } getInterface(iid) { if (iid.equals(Ci.nsIAuthPrompt2)) { return this.prompt(); } throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE); } } function createPrincipal(url) { var ssm = Services.scriptSecurityManager; try { return ssm.createContentPrincipal(Services.io.newURI(url), {}); } catch (e) { return null; } } function make_channel(url) { return NetUtil.newChannel({ uri: url, loadingPrincipal: createPrincipal(url), securityFlags: Ci.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT, // Using TYPE_DOCUMENT for the authentication dialog test, it'd be blocked for other types contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT, }); } function get_response(channel, flags = CL_ALLOW_UNKNOWN_CL, delay = 0) { return new Promise(resolve => { var listener = new ChannelListener( (request, data) => { request.QueryInterface(Ci.nsIHttpChannel); const status = request.status; const http_code = status ? undefined : request.responseStatus; request.QueryInterface(Ci.nsIProxiedChannel); const proxy_connect_response_code = request.httpProxyConnectResponseCode; resolve({ status, http_code, data, proxy_connect_response_code }); }, null, flags ); if (delay > 0) { do_timeout(delay, function () { channel.asyncOpen(listener); }); } else { channel.asyncOpen(listener); } }); } let initial_session_count = 0; class http2ProxyCode { static listen(server, envport) { if (!server) { return Promise.resolve(0); } let portSelection = 0; if (envport !== undefined) { try { portSelection = parseInt(envport, 10); } catch (e) { portSelection = -1; } } return new Promise(resolve => { server.listen(portSelection, "0.0.0.0", 2000, () => { resolve(server.address().port); }); }); } static startNewProxy() { const fs = require("fs"); const options = { key: fs.readFileSync(__dirname + "/http2-cert.key"), cert: fs.readFileSync(__dirname + "/http2-cert.pem"), }; const http2 = require("http2"); global.proxy = http2.createSecureServer(options); this.setupProxy(); return http2ProxyCode.listen(proxy).then(port => { return { port, success: true }; }); } static closeProxy() { proxy.closeSockets(); return new Promise(resolve => { proxy.close(resolve); }); } static proxySessionCount() { if (!proxy) { return 0; } return proxy.proxy_session_count; } static proxySessionToOriginServersCount() { if (!proxy) { return 0; } return proxy.sessionToOriginServersCount; } static setupProxy() { if (!proxy) { throw new Error("proxy is null"); } proxy.proxy_session_count = 0; proxy.sessionToOriginServersCount = 0; proxy.on("session", () => { ++proxy.proxy_session_count; }); // We need to track active connections so we can forcefully close keep-alive // connections when shutting down the proxy. proxy.socketIndex = 0; proxy.socketMap = {}; proxy.on("connection", function (socket) { let index = proxy.socketIndex++; proxy.socketMap[index] = socket; socket.on("close", function () { delete proxy.socketMap[index]; }); }); proxy.closeSockets = function () { for (let i in proxy.socketMap) { proxy.socketMap[i].destroy(); } }; proxy.on("stream", (stream, headers) => { if (headers[":method"] !== "CONNECT") { // Only accept CONNECT requests stream.respond({ ":status": 405 }); stream.end(); return; } const target = headers[":authority"]; const authorization_token = headers["proxy-authorization"]; if (target == "407.example.com:443") { stream.respond({ ":status": 407 }); // Deliberately send no Proxy-Authenticate header stream.end(); return; } if (target == "407.basic.example.com:443") { // we want to return a different response than 407 to not re-request // credentials (and thus loop) but also not 200 to not let the channel // attempt to waste time connecting a non-existing https server - hence // 418 I'm a teapot :) if ("Basic dXNlcjpwYXNz" == authorization_token) { stream.respond({ ":status": 418 }); stream.end(); return; } stream.respond({ ":status": 407, "proxy-authenticate": "Basic realm='foo'", }); stream.end(); return; } if (target == "404.example.com:443") { // 404 Not Found, a response code that a proxy should return when the host can't be found stream.respond({ ":status": 404 }); stream.end(); return; } if (target == "429.example.com:443") { // 429 Too Many Requests, a response code that a proxy should return when receiving too many requests stream.respond({ ":status": 429 }); stream.end(); return; } if (target == "502.example.com:443") { // 502 Bad Gateway, a response code mostly resembling immediate connection error stream.respond({ ":status": 502 }); stream.end(); return; } if (target == "504.example.com:443") { // 504 Gateway Timeout, did not receive a timely response from an upstream server stream.respond({ ":status": 504 }); stream.end(); return; } if (target == "reset.example.com:443") { // always reset the stream. stream.close(0x0); return; } ++proxy.sessionToOriginServersCount; const net = require("net"); const socket = net.connect(serverPort, "127.0.0.1", () => { try { stream.respond({ ":status": 200 }); socket.pipe(stream); stream.pipe(socket); } catch (exception) { console.log(exception); stream.close(); } }); socket.on("error", error => { throw new Error( `Unexpected error when conneting the HTTP/2 server from the HTTP/2 proxy during CONNECT handling: '${error}'` ); }); }); } } async function proxy_session_counter() { let data = await NodeServer.execute( processId, `http2ProxyCode.proxySessionCount()` ); return parseInt(data) - initial_session_count; } async function proxy_session_to_origin_server_counter() { let data = await NodeServer.execute( processId, `http2ProxyCode.proxySessionToOriginServersCount()` ); return parseInt(data) - initial_session_count; } let processId; add_task(async function setup() { // Set to allow the cert presented by our H2 server do_get_profile(); // The moz-http2 cert is for foo.example.com and is signed by http2-ca.pem // so add that cert to the trust list as a signing cert. let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( Ci.nsIX509CertDB ); addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u"); let server_port = Services.env.get("MOZHTTP2_PORT"); Assert.notEqual(server_port, null); processId = await NodeServer.fork(); await NodeServer.execute(processId, `serverPort = ${server_port}`); await NodeServer.execute(processId, http2ProxyCode); let proxy = await NodeServer.execute( processId, `http2ProxyCode.startNewProxy()` ); proxy_port = proxy.port; Assert.notEqual(proxy_port, null); Services.prefs.setStringPref( "services.settings.server", `data:,#remote-settings-dummy/v1` ); Services.prefs.setBoolPref("network.http.http2.enabled", true); // Even with network state isolation active, we don't end up using the // partitioned principal. Services.prefs.setBoolPref("privacy.partition.network_state", true); // make all native resolve calls "secretly" resolve localhost instead Services.prefs.setBoolPref("network.dns.native-is-localhost", true); filter = new ProxyFilter("https", "localhost", proxy_port, 0); pps.registerFilter(filter, 10); initial_session_count = await proxy_session_counter(); info(`Initial proxy session count = ${initial_session_count}`); }); registerCleanupFunction(async () => { Services.prefs.clearUserPref("services.settings.server"); Services.prefs.clearUserPref("network.http.http2.enabled"); Services.prefs.clearUserPref("network.dns.native-is-localhost"); pps.unregisterFilter(filter); await NodeServer.execute(processId, `http2ProxyCode.closeProxy()`); await NodeServer.kill(processId); }); /** * Test series beginning. */ // Check we reach the h2 end server and keep only one session with the proxy for two different origin. // Here we use the first isolation token. add_task(async function proxy_success_one_session() { proxy_isolation = "TOKEN1"; const foo = await get_response( make_channel(`https://foo.example.com/random-request-1`) ); const alt1 = await get_response( make_channel(`https://alt1.example.com/random-request-2`) ); Assert.equal(foo.status, Cr.NS_OK); Assert.equal(foo.proxy_connect_response_code, 200); Assert.equal(foo.http_code, 200); Assert.ok(foo.data.match("random-request-1")); Assert.ok(foo.data.match("You Win!")); Assert.equal(alt1.status, Cr.NS_OK); Assert.equal(alt1.proxy_connect_response_code, 200); Assert.equal(alt1.http_code, 200); Assert.ok(alt1.data.match("random-request-2")); Assert.ok(alt1.data.match("You Win!")); Assert.equal( await proxy_session_counter(), 1, "Created just one session with the proxy" ); }); // The proxy responses with 407 instead of 200 Connected, make sure we get a proper error // code from the channel and not try to ask for any credentials. add_task(async function proxy_auth_failure() { const chan = make_channel(`https://407.example.com/`); const auth_prompt = { triggered: false }; chan.notificationCallbacks = new AuthRequestor( () => new UnxpectedAuthPrompt2(auth_prompt) ); const { status, http_code, proxy_connect_response_code } = await get_response( chan, CL_EXPECT_FAILURE ); Assert.equal(status, Cr.NS_ERROR_PROXY_AUTHENTICATION_FAILED); Assert.equal(proxy_connect_response_code, 407); Assert.equal(http_code, undefined); Assert.equal(auth_prompt.triggered, false, "Auth prompt didn't trigger"); Assert.equal( await proxy_session_counter(), 1, "No new session created by 407" ); }); // The proxy responses with 407 with Proxy-Authenticate header presence. Make // sure that we prompt the auth prompt to ask for credentials. add_task(async function proxy_auth_basic() { const chan = make_channel(`https://407.basic.example.com/`); const auth_prompt = { triggered: false }; chan.notificationCallbacks = new AuthRequestor( () => new SimpleAuthPrompt2(auth_prompt) ); const { status, http_code, proxy_connect_response_code } = await get_response( chan, CL_EXPECT_FAILURE ); // 418 indicates we pass the basic authentication. Assert.equal(status, Cr.NS_ERROR_PROXY_CONNECTION_REFUSED); Assert.equal(proxy_connect_response_code, 418); Assert.equal(http_code, undefined); Assert.equal(auth_prompt.triggered, true, "Auth prompt should trigger"); Assert.equal( await proxy_session_counter(), 1, "No new session created by 407" ); }); // 502 Bad gateway code returned by the proxy, still one session only, proper different code // from the channel. add_task(async function proxy_bad_gateway_failure() { const { status, http_code, proxy_connect_response_code } = await get_response( make_channel(`https://502.example.com/`), CL_EXPECT_FAILURE ); Assert.equal(status, Cr.NS_ERROR_PROXY_BAD_GATEWAY); Assert.equal(proxy_connect_response_code, 502); Assert.equal(http_code, undefined); Assert.equal( await proxy_session_counter(), 1, "No new session created by 502 after 407" ); }); // Second 502 Bad gateway code returned by the proxy, still one session only with the proxy. add_task(async function proxy_bad_gateway_failure_two() { const { status, http_code, proxy_connect_response_code } = await get_response( make_channel(`https://502.example.com/`), CL_EXPECT_FAILURE ); Assert.equal(status, Cr.NS_ERROR_PROXY_BAD_GATEWAY); Assert.equal(proxy_connect_response_code, 502); Assert.equal(http_code, undefined); Assert.equal( await proxy_session_counter(), 1, "No new session created by second 502" ); }); // 504 Gateway timeout code returned by the proxy, still one session only, proper different code // from the channel. add_task(async function proxy_gateway_timeout_failure() { const { status, http_code, proxy_connect_response_code } = await get_response( make_channel(`https://504.example.com/`), CL_EXPECT_FAILURE ); Assert.equal(status, Cr.NS_ERROR_PROXY_GATEWAY_TIMEOUT); Assert.equal(proxy_connect_response_code, 504); Assert.equal(http_code, undefined); Assert.equal( await proxy_session_counter(), 1, "No new session created by 504 after 502" ); }); // 404 Not Found means the proxy could not resolve the host. As for other error responses // we still expect this not to close the existing session. add_task(async function proxy_host_not_found_failure() { const { status, http_code, proxy_connect_response_code } = await get_response( make_channel(`https://404.example.com/`), CL_EXPECT_FAILURE ); Assert.equal(status, Cr.NS_ERROR_UNKNOWN_HOST); Assert.equal(proxy_connect_response_code, 404); Assert.equal(http_code, undefined); Assert.equal( await proxy_session_counter(), 1, "No new session created by 404 after 504" ); }); add_task(async function proxy_too_many_requests_failure() { const { status, http_code, proxy_connect_response_code } = await get_response( make_channel(`https://429.example.com/`), CL_EXPECT_FAILURE ); Assert.equal(status, Cr.NS_ERROR_PROXY_TOO_MANY_REQUESTS); Assert.equal(proxy_connect_response_code, 429); Assert.equal(http_code, undefined); Assert.equal( await proxy_session_counter(), 1, "No new session created by 429 after 504" ); }); add_task(async function proxy_stream_reset_failure() { const { status, http_code, proxy_connect_response_code } = await get_response( make_channel(`https://reset.example.com/`), CL_EXPECT_FAILURE ); Assert.equal(status, Cr.NS_ERROR_NET_INTERRUPT); Assert.equal(proxy_connect_response_code, 0); Assert.equal(http_code, undefined); Assert.equal( await proxy_session_counter(), 1, "No new session created by 429 after 504" ); }); // The soft errors are not closing the session. add_task(async function origin_server_stream_soft_failure() { var current_num_sessions_to_origin_server = await proxy_session_to_origin_server_counter(); const { status, http_code, proxy_connect_response_code } = await get_response( make_channel(`https://foo.example.com/illegalhpacksoft`), CL_EXPECT_FAILURE ); Assert.equal(status, Cr.NS_ERROR_ILLEGAL_VALUE); Assert.equal(proxy_connect_response_code, 200); Assert.equal(http_code, undefined); Assert.equal( await proxy_session_counter(), 1, "No session to the proxy closed by soft stream errors" ); Assert.equal( await proxy_session_to_origin_server_counter(), current_num_sessions_to_origin_server, "No session to the origin server closed by soft stream errors" ); }); // The soft errors are not closing the session. add_task( async function origin_server_stream_soft_failure_multiple_streams_not_affected() { var current_num_sessions_to_origin_server = await proxy_session_to_origin_server_counter(); let should_succeed = get_response( make_channel(`https://foo.example.com/750ms`) ); const failed = await get_response( make_channel(`https://foo.example.com/illegalhpacksoft`), CL_EXPECT_FAILURE, 20 ); const succeeded = await should_succeed; Assert.equal(failed.status, Cr.NS_ERROR_ILLEGAL_VALUE); Assert.equal(failed.proxy_connect_response_code, 200); Assert.equal(failed.http_code, undefined); Assert.equal(succeeded.status, Cr.NS_OK); Assert.equal(succeeded.proxy_connect_response_code, 200); Assert.equal(succeeded.http_code, 200); Assert.equal( await proxy_session_counter(), 1, "No session to the proxy closed by soft stream errors" ); Assert.equal( await proxy_session_to_origin_server_counter(), current_num_sessions_to_origin_server, "No session to the origin server closed by soft stream errors" ); } ); // Make sure that the above error codes don't kill the session to the proxy. add_task(async function proxy_success_still_one_session() { const foo = await get_response( make_channel(`https://foo.example.com/random-request-1`) ); const alt1 = await get_response( make_channel(`https://alt1.example.com/random-request-2`) ); Assert.equal(foo.status, Cr.NS_OK); Assert.equal(foo.http_code, 200); Assert.equal(foo.proxy_connect_response_code, 200); Assert.ok(foo.data.match("random-request-1")); Assert.equal(alt1.status, Cr.NS_OK); Assert.equal(alt1.proxy_connect_response_code, 200); Assert.equal(alt1.http_code, 200); Assert.ok(alt1.data.match("random-request-2")); Assert.equal( await proxy_session_counter(), 1, "No new session to the proxy created after stream error codes" ); }); // Have a new isolation key, this means we are expected to create a new, and again one only, // session with the proxy to reach the end server. add_task(async function proxy_success_isolated_session() { Assert.notEqual(proxy_isolation, "TOKEN2"); proxy_isolation = "TOKEN2"; const foo = await get_response( make_channel(`https://foo.example.com/random-request-1`) ); const alt1 = await get_response( make_channel(`https://alt1.example.com/random-request-2`) ); const lh = await get_response( make_channel(`https://localhost/random-request-3`) ); Assert.equal(foo.status, Cr.NS_OK); Assert.equal(foo.proxy_connect_response_code, 200); Assert.equal(foo.http_code, 200); Assert.ok(foo.data.match("random-request-1")); Assert.ok(foo.data.match("You Win!")); Assert.equal(alt1.status, Cr.NS_OK); Assert.equal(alt1.proxy_connect_response_code, 200); Assert.equal(alt1.http_code, 200); Assert.ok(alt1.data.match("random-request-2")); Assert.ok(alt1.data.match("You Win!")); Assert.equal(lh.status, Cr.NS_OK); Assert.equal(lh.proxy_connect_response_code, 200); Assert.equal(lh.http_code, 200); Assert.ok(lh.data.match("random-request-3")); Assert.ok(lh.data.match("You Win!")); Assert.equal( await proxy_session_counter(), 2, "Just one new session seen after changing the isolation key" ); }); // Check that error codes are still handled the same way with new isolation, just in case. add_task(async function proxy_bad_gateway_failure_isolated() { const failure1 = await get_response( make_channel(`https://502.example.com/`), CL_EXPECT_FAILURE ); const failure2 = await get_response( make_channel(`https://502.example.com/`), CL_EXPECT_FAILURE ); Assert.equal(failure1.status, Cr.NS_ERROR_PROXY_BAD_GATEWAY); Assert.equal(failure1.proxy_connect_response_code, 502); Assert.equal(failure1.http_code, undefined); Assert.equal(failure2.status, Cr.NS_ERROR_PROXY_BAD_GATEWAY); Assert.equal(failure2.proxy_connect_response_code, 502); Assert.equal(failure2.http_code, undefined); Assert.equal( await proxy_session_counter(), 2, "No new session created by 502" ); }); add_task(async function proxy_success_check_number_of_session() { const foo = await get_response( make_channel(`https://foo.example.com/random-request-1`) ); const alt1 = await get_response( make_channel(`https://alt1.example.com/random-request-2`) ); const lh = await get_response( make_channel(`https://localhost/random-request-3`) ); Assert.equal(foo.status, Cr.NS_OK); Assert.equal(foo.proxy_connect_response_code, 200); Assert.equal(foo.http_code, 200); Assert.ok(foo.data.match("random-request-1")); Assert.ok(foo.data.match("You Win!")); Assert.equal(alt1.status, Cr.NS_OK); Assert.equal(alt1.proxy_connect_response_code, 200); Assert.equal(alt1.http_code, 200); Assert.ok(alt1.data.match("random-request-2")); Assert.ok(alt1.data.match("You Win!")); Assert.equal(lh.status, Cr.NS_OK); Assert.equal(lh.proxy_connect_response_code, 200); Assert.equal(lh.http_code, 200); Assert.ok(lh.data.match("random-request-3")); Assert.ok(lh.data.match("You Win!")); Assert.equal( await proxy_session_counter(), 2, "The number of sessions has not changed" ); }); // The hard errors are closing the session. add_task(async function origin_server_stream_hard_failure() { var current_num_sessions_to_origin_server = await proxy_session_to_origin_server_counter(); const { status, http_code, proxy_connect_response_code } = await get_response( make_channel(`https://foo.example.com/illegalhpackhard`), CL_EXPECT_FAILURE ); Assert.equal(status, 0x804b0053); Assert.equal(proxy_connect_response_code, 200); Assert.equal(http_code, undefined); Assert.equal( await proxy_session_counter(), 2, "No new session to the proxy." ); Assert.equal( await proxy_session_to_origin_server_counter(), current_num_sessions_to_origin_server, "No new session to the origin server yet." ); // Check the a new session ill be opened. const foo = await get_response( make_channel(`https://foo.example.com/random-request-1`) ); Assert.equal(foo.status, Cr.NS_OK); Assert.equal(foo.proxy_connect_response_code, 200); Assert.equal(foo.http_code, 200); Assert.ok(foo.data.match("random-request-1")); Assert.ok(foo.data.match("You Win!")); Assert.equal( await proxy_session_counter(), 2, "No new session to the proxy is created after a hard stream failure on the session to the origin server." ); Assert.equal( await proxy_session_to_origin_server_counter(), current_num_sessions_to_origin_server + 1, "A new session to the origin server after a hard stream error" ); }); // The hard errors are closing the session. add_task( async function origin_server_stream_hard_failure_multiple_streams_affected() { var current_num_sessions_to_origin_server = await proxy_session_to_origin_server_counter(); let should_fail = get_response( make_channel(`https://foo.example.com/750msNoData`), CL_EXPECT_FAILURE ); const failed1 = await get_response( make_channel(`https://foo.example.com/illegalhpackhard`), CL_EXPECT_FAILURE, 10 ); const failed2 = await should_fail; Assert.equal(failed1.status, 0x804b0053); Assert.equal(failed1.proxy_connect_response_code, 200); Assert.equal(failed1.http_code, undefined); Assert.equal(failed2.status, 0x804b0053); Assert.equal(failed2.proxy_connect_response_code, 200); Assert.equal(failed2.http_code, undefined); Assert.equal( await proxy_session_counter(), 2, "No new session to the proxy" ); Assert.equal( await proxy_session_to_origin_server_counter(), current_num_sessions_to_origin_server, "No session to the origin server yet." ); // Check the a new session ill be opened. const foo = await get_response( make_channel(`https://foo.example.com/random-request-1`) ); Assert.equal(foo.status, Cr.NS_OK); Assert.equal(foo.proxy_connect_response_code, 200); Assert.equal(foo.http_code, 200); Assert.ok(foo.data.match("random-request-1")); Assert.ok(foo.data.match("You Win!")); Assert.equal( await proxy_session_counter(), 2, "No new session to the proxy is created after a hard stream failure on the session to the origin server." ); Assert.equal( await proxy_session_to_origin_server_counter(), current_num_sessions_to_origin_server + 1, "A new session to the origin server after a hard stream error" ); } );