"use strict"; const { HttpServer } = ChromeUtils.import("resource://testing-common/httpd.js"); var h2Port; var prefs; var http2pref; var altsvcpref1; var altsvcpref2; // https://foo.example.com:(h2Port) // https://bar.example.com:(h2Port) <- invalid for bar, but ok for foo var h1Foo; // server http://foo.example.com:(h1Foo.identity.primaryPort) var h1Bar; // server http://bar.example.com:(h1bar.identity.primaryPort) var otherServer; // server socket listening for other connection. var h2FooRoute; // foo.example.com:H2PORT var h2BarRoute; // bar.example.com:H2PORT var h2Route; // :H2PORT var httpFooOrigin; // http://foo.exmaple.com:PORT/ var httpsFooOrigin; // https://foo.exmaple.com:PORT/ var httpBarOrigin; // http://bar.example.com:PORT/ var httpsBarOrigin; // https://bar.example.com:PORT/ function run_test() { h2Port = Services.env.get("MOZHTTP2_PORT"); Assert.notEqual(h2Port, null); Assert.notEqual(h2Port, ""); // Set to allow the cert presented by our H2 server do_get_profile(); prefs = Services.prefs; http2pref = prefs.getBoolPref("network.http.http2.enabled"); altsvcpref1 = prefs.getBoolPref("network.http.altsvc.enabled"); altsvcpref2 = prefs.getBoolPref("network.http.altsvc.oe", true); prefs.setBoolPref("network.http.http2.enabled", true); prefs.setBoolPref("network.http.altsvc.enabled", true); prefs.setBoolPref("network.http.altsvc.oe", true); prefs.setCharPref( "network.dns.localDomains", "foo.example.com, bar.example.com" ); // The moz-http2 cert is for foo.example.com and is signed by http2-ca.pem // so add that cert to the trust list as a signing cert. The same cert is used // for both h2FooRoute and h2BarRoute though it is only valid for // the foo.example.com domain name. let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( Ci.nsIX509CertDB ); addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u"); h1Foo = new HttpServer(); h1Foo.registerPathHandler("/altsvc-test", h1Server); h1Foo.registerPathHandler("/.well-known/http-opportunistic", h1ServerWK); h1Foo.start(-1); h1Foo.identity.setPrimary( "http", "foo.example.com", h1Foo.identity.primaryPort ); h1Bar = new HttpServer(); h1Bar.registerPathHandler("/altsvc-test", h1Server); h1Bar.start(-1); h1Bar.identity.setPrimary( "http", "bar.example.com", h1Bar.identity.primaryPort ); h2FooRoute = "foo.example.com:" + h2Port; h2BarRoute = "bar.example.com:" + h2Port; h2Route = ":" + h2Port; httpFooOrigin = "http://foo.example.com:" + h1Foo.identity.primaryPort + "/"; httpsFooOrigin = "https://" + h2FooRoute + "/"; httpBarOrigin = "http://bar.example.com:" + h1Bar.identity.primaryPort + "/"; httpsBarOrigin = "https://" + h2BarRoute + "/"; dump( "http foo - " + httpFooOrigin + "\n" + "https foo - " + httpsFooOrigin + "\n" + "http bar - " + httpBarOrigin + "\n" + "https bar - " + httpsBarOrigin + "\n" ); doTest1(); } function h1Server(metadata, response) { response.setStatusLine(metadata.httpVersion, 200, "OK"); response.setHeader("Content-Type", "text/plain", false); response.setHeader("Connection", "close", false); response.setHeader("Cache-Control", "no-cache", false); response.setHeader("Access-Control-Allow-Origin", "*", false); response.setHeader("Access-Control-Allow-Method", "GET", false); response.setHeader("Access-Control-Allow-Headers", "x-altsvc", false); try { var hval = "h2=" + metadata.getHeader("x-altsvc"); response.setHeader("Alt-Svc", hval, false); } catch (e) {} var body = "Q: What did 0 say to 8? A: Nice Belt!\n"; response.bodyOutputStream.write(body, body.length); } function h1ServerWK(metadata, response) { response.setStatusLine(metadata.httpVersion, 200, "OK"); response.setHeader("Content-Type", "application/json", false); response.setHeader("Connection", "close", false); response.setHeader("Cache-Control", "no-cache", false); response.setHeader("Access-Control-Allow-Origin", "*", false); response.setHeader("Access-Control-Allow-Method", "GET", false); response.setHeader("Access-Control-Allow-Headers", "x-altsvc", false); var body = '["http://foo.example.com:' + h1Foo.identity.primaryPort + '"]'; response.bodyOutputStream.write(body, body.length); } function resetPrefs() { prefs.setBoolPref("network.http.http2.enabled", http2pref); prefs.setBoolPref("network.http.altsvc.enabled", altsvcpref1); prefs.setBoolPref("network.http.altsvc.oe", altsvcpref2); prefs.clearUserPref("network.dns.localDomains"); prefs.clearUserPref("network.security.ports.banned"); } function makeChan(origin) { return NetUtil.newChannel({ uri: origin + "altsvc-test", loadUsingSystemPrincipal: true, }).QueryInterface(Ci.nsIHttpChannel); } var origin; var xaltsvc; var loadWithoutClearingMappings = false; var disallowH3 = false; var disallowH2 = false; var nextTest; var expectPass = true; var waitFor = 0; var originAttributes = {}; var Listener = function() {}; Listener.prototype = { onStartRequest: function testOnStartRequest(request) { Assert.ok(request instanceof Ci.nsIHttpChannel); if (expectPass) { if (!Components.isSuccessCode(request.status)) { do_throw( "Channel should have a success code! (" + request.status + ")" ); } Assert.equal(request.responseStatus, 200); } else { Assert.equal(Components.isSuccessCode(request.status), false); } }, onDataAvailable: function testOnDataAvailable(request, stream, off, cnt) { read_stream(stream, cnt); }, onStopRequest: function testOnStopRequest(request, status) { var routed = ""; try { routed = request.getRequestHeader("Alt-Used"); } catch (e) {} dump("routed is " + routed + "\n"); Assert.equal(Components.isSuccessCode(status), expectPass); if (waitFor != 0) { Assert.equal(routed, ""); do_test_pending(); loadWithoutClearingMappings = true; do_timeout(waitFor, doTest); waitFor = 0; xaltsvc = "NA"; } else if (xaltsvc == "NA") { Assert.equal(routed, ""); nextTest(); } else if (routed == xaltsvc) { Assert.equal(routed, xaltsvc); // always true, but a useful log nextTest(); } else { dump("poll later for alt svc mapping\n"); do_test_pending(); loadWithoutClearingMappings = true; do_timeout(500, doTest); } do_test_finished(); }, }; function testsDone() { dump("testDone\n"); resetPrefs(); do_test_pending(); otherServer.close(); do_test_pending(); h1Foo.stop(do_test_finished); do_test_pending(); h1Bar.stop(do_test_finished); } function doTest() { dump("execute doTest " + origin + "\n"); var chan = makeChan(origin); var listener = new Listener(); if (xaltsvc != "NA") { chan.setRequestHeader("x-altsvc", xaltsvc, false); } if (loadWithoutClearingMappings) { chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI; } else { chan.loadFlags = Ci.nsIRequest.LOAD_FRESH_CONNECTION | Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI; } if (disallowH3) { let internalChannel = chan.QueryInterface(Ci.nsIHttpChannelInternal); internalChannel.allowHttp3 = false; disallowH3 = false; } if (disallowH2) { let internalChannel = chan.QueryInterface(Ci.nsIHttpChannelInternal); internalChannel.allowSpdy = false; disallowH2 = false; } loadWithoutClearingMappings = false; chan.loadInfo.originAttributes = originAttributes; chan.asyncOpen(listener); } // xaltsvc is overloaded to do two things.. // 1] it is sent in the x-altsvc request header, and the response uses the value in the Alt-Svc response header // 2] the test polls until necko sets Alt-Used to that value (i.e. it uses that route) // // When xaltsvc is set to h2Route (i.e. :port with the implied hostname) it doesn't match the alt-used, // which is always explicit, so it needs to be changed after the channel is created but before the // listener is invoked // http://foo served from h2=:port function doTest1() { dump("doTest1()\n"); origin = httpFooOrigin; xaltsvc = h2Route; nextTest = doTest2; do_test_pending(); doTest(); xaltsvc = h2FooRoute; } // http://foo served from h2=foo:port function doTest2() { dump("doTest2()\n"); origin = httpFooOrigin; xaltsvc = h2FooRoute; nextTest = doTest3; do_test_pending(); doTest(); } // http://foo served from h2=bar:port // requires cert for foo function doTest3() { dump("doTest3()\n"); origin = httpFooOrigin; xaltsvc = h2BarRoute; nextTest = doTest4; do_test_pending(); doTest(); } // https://bar should fail because host bar has cert for foo function doTest4() { dump("doTest4()\n"); origin = httpsBarOrigin; xaltsvc = ""; expectPass = false; nextTest = doTest5; do_test_pending(); doTest(); } // https://foo no alt-svc (just check cert setup) function doTest5() { dump("doTest5()\n"); origin = httpsFooOrigin; xaltsvc = "NA"; expectPass = true; nextTest = doTest6; do_test_pending(); doTest(); } // https://foo via bar (bar has cert for foo) function doTest6() { dump("doTest6()\n"); origin = httpsFooOrigin; xaltsvc = h2BarRoute; nextTest = doTest7; do_test_pending(); doTest(); } // check again https://bar should fail because host bar has cert for foo function doTest7() { dump("doTest7()\n"); origin = httpsBarOrigin; xaltsvc = ""; expectPass = false; nextTest = doTest8; do_test_pending(); doTest(); } // http://bar via h2 on bar // should not use TLS/h2 because h2BarRoute is not auth'd for bar // however the test ought to PASS (i.e. get a 200) because fallback // to plaintext happens.. thus the timeout function doTest8() { dump("doTest8()\n"); origin = httpBarOrigin; xaltsvc = h2BarRoute; expectPass = true; waitFor = 500; nextTest = doTest9; do_test_pending(); doTest(); } // http://bar served from h2=:port, which is like the bar route in 8 function doTest9() { dump("doTest9()\n"); origin = httpBarOrigin; xaltsvc = h2Route; expectPass = true; waitFor = 500; nextTest = doTest10; do_test_pending(); doTest(); xaltsvc = h2BarRoute; } // check again https://bar should fail because host bar has cert for foo function doTest10() { dump("doTest10()\n"); origin = httpsBarOrigin; xaltsvc = ""; expectPass = false; nextTest = doTest11; do_test_pending(); doTest(); } // http://bar served from h2=foo, should fail because host foo only has // cert for foo. Fail in this case means alt-svc is not used, but content // is served function doTest11() { dump("doTest11()\n"); origin = httpBarOrigin; xaltsvc = h2FooRoute; expectPass = true; waitFor = 500; nextTest = doTest12; do_test_pending(); doTest(); } // Test 12-15: // Insert a cache of http://foo served from h2=:port with origin attributes. function doTest12() { dump("doTest12()\n"); origin = httpFooOrigin; xaltsvc = h2Route; originAttributes = { userContextId: 1, firstPartyDomain: "a.com", }; nextTest = doTest13; do_test_pending(); doTest(); xaltsvc = h2FooRoute; } // Make sure we get a cache miss with a different userContextId. function doTest13() { dump("doTest13()\n"); origin = httpFooOrigin; xaltsvc = "NA"; originAttributes = { userContextId: 2, firstPartyDomain: "a.com", }; loadWithoutClearingMappings = true; nextTest = doTest14; do_test_pending(); doTest(); } // Make sure we get a cache miss with a different firstPartyDomain. function doTest14() { dump("doTest14()\n"); origin = httpFooOrigin; xaltsvc = "NA"; originAttributes = { userContextId: 1, firstPartyDomain: "b.com", }; loadWithoutClearingMappings = true; nextTest = doTest15; do_test_pending(); doTest(); } // // Make sure we get a cache hit with the same origin attributes. function doTest15() { dump("doTest15()\n"); origin = httpFooOrigin; xaltsvc = "NA"; originAttributes = { userContextId: 1, firstPartyDomain: "a.com", }; loadWithoutClearingMappings = true; nextTest = doTest16; do_test_pending(); doTest(); // This ensures a cache hit. xaltsvc = h2FooRoute; } // Make sure we do not use H2 if it is disabled on a channel. function doTest16() { dump("doTest16()\n"); origin = httpFooOrigin; xaltsvc = "NA"; disallowH2 = true; originAttributes = { userContextId: 1, firstPartyDomain: "a.com", }; loadWithoutClearingMappings = true; nextTest = doTest17; do_test_pending(); doTest(); } // Make sure we use H2 if only Http3 is disabled on a channel. function doTest17() { dump("doTest17()\n"); origin = httpFooOrigin; xaltsvc = h2Route; disallowH3 = true; originAttributes = { userContextId: 1, firstPartyDomain: "a.com", }; loadWithoutClearingMappings = true; nextTest = doTest18; do_test_pending(); doTest(); // This should ensures a cache hit. xaltsvc = h2FooRoute; } // Check we don't connect to blocked ports function doTest18() { dump("doTest18()\n"); origin = httpFooOrigin; nextTest = testsDone; otherServer = Cc["@mozilla.org/network/server-socket;1"].createInstance( Ci.nsIServerSocket ); otherServer.init(-1, true, -1); xaltsvc = "localhost:" + otherServer.port; Services.prefs.setCharPref( "network.security.ports.banned", "" + otherServer.port ); dump("Blocked port: " + otherServer.port); waitFor = 500; otherServer.asyncListen({ onSocketAccepted() { Assert.ok(false, "Got connection to socket when we didn't expect it!"); }, onStopListening() { // We get closed when the entire file is done, which guarantees we get the socket accept // if we do connect to the alt-svc header do_test_finished(); }, }); nextTest = doTest19; do_test_pending(); doTest(); } // Check we don't connect to blocked ports function doTest19() { dump("doTest19()\n"); origin = httpFooOrigin; nextTest = testsDone; otherServer = Cc["@mozilla.org/network/server-socket;1"].createInstance( Ci.nsIServerSocket ); const BAD_PORT_U32 = 6667 + 65536; otherServer.init(BAD_PORT_U32, true, -1); Assert.ok(otherServer.port == 6667, "Trying to listen on port 6667"); xaltsvc = "localhost:" + BAD_PORT_U32; dump("Blocked port: " + otherServer.port); waitFor = 500; otherServer.asyncListen({ onSocketAccepted() { Assert.ok(false, "Got connection to socket when we didn't expect it!"); }, onStopListening() { // We get closed when the entire file is done, which guarantees we get the socket accept // if we do connect to the alt-svc header do_test_finished(); }, }); nextTest = doTest20; do_test_pending(); doTest(); } function doTest20() { dump("doTest20()\n"); origin = httpFooOrigin; nextTest = testsDone; otherServer = Cc["@mozilla.org/network/server-socket;1"].createInstance( Ci.nsIServerSocket ); const BAD_PORT_U64 = 6666 + 429496729; otherServer.init(6666, true, -1); Assert.ok(otherServer.port == 6666, "Trying to listen on port 6666"); xaltsvc = "localhost:" + BAD_PORT_U64; dump("Blocked port: " + otherServer.port); waitFor = 500; otherServer.asyncListen({ onSocketAccepted() { Assert.ok(false, "Got connection to socket when we didn't expect it!"); }, onStopListening() { // We get closed when the entire file is done, which guarantees we get the socket accept // if we do connect to the alt-svc header do_test_finished(); }, }); nextTest = doTest21; do_test_pending(); doTest(); } // Port 65535 should be OK function doTest21() { dump("doTest21()\n"); origin = httpFooOrigin; nextTest = testsDone; otherServer = Cc["@mozilla.org/network/server-socket;1"].createInstance( Ci.nsIServerSocket ); const GOOD_PORT = 65535; otherServer.init(65535, true, -1); Assert.ok(otherServer.port == 65535, "Trying to listen on port 65535"); xaltsvc = "localhost:" + GOOD_PORT; dump("Allowed port: " + otherServer.port); waitFor = 500; otherServer.asyncListen({ onSocketAccepted() { Assert.ok(true, "Got connection to socket when we didn't expect it!"); }, onStopListening() { // We get closed when the entire file is done, which guarantees we get the socket accept // if we do connect to the alt-svc header do_test_finished(); }, }); do_test_pending(); doTest(); }