-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mock the daemon and run tests against prod builds #9584
Conversation
8acaf44
to
5a4a291
Compare
153e0b7
to
40b3c98
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FANCY!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this! Lots of questions, but all to make sure I better understand what I'm approving here.
src/commands/commandui.cpp
Outdated
LogHandler::setStderr(true); | ||
|
||
// Disable encrypted settings for testing. | ||
CryptoSettings::mock(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apologies for my lack of understanding - why can't we have encryption on our dummy builds?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was done for MacOS (and presumably iOS too?) - access to platform secrets is something that requires a signed executable, and we don't want to require codesigning to run tests. It used to be that the Crypto settings for MacOS were no-ops when compiled with MZ_DUMMY
so this just kind of made it consistent for all platforms.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After a bit of research, I think we could put this back if we add a check to disable crypto settings if the codesign is invalid on MacOS. Something to the tune of:
#include <sys/codesign.h>
MacOSCryptoSettings::MacOSCryptoSettings() : CryptoSettings() {
int flags = 0;
if ((csopts(getpid(), CS_OP_STATUS, &flags, sizeof(flags) == 0) && (flags & CS_VALID)) {
m_keyVersion = CryptoSettings::EncryptedChachaPolyV1;
} else {
m_keyVersion = CryptoSettings::NoEncryption;
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would that mean if somone bitflips a thing in our binary, therefore breaking codesign we would just disable encyption?
I actually like the specific-opt in :D
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I prefer it to be aligned with code signing instead of a compile flag. Thinking about the ways a hidden adversary could exploit this down the line, it seems more likely to get a "build with a testing flag" out into prod than a "build that wasn't codesigned".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, it sounds much better to disarm the cryptosettings by checking for valid codesignatures.
Joke is on me though - we kind of all agree that it should be done this way... but it's actually turning out to be hard to do.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did it! See the PR here: #9679
Once that one is merged, I will rebase this and undo the crypto settings mocks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rebase complete!
36baa42
to
a0ac136
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Just one more thing before I feel comfortable approving.
src/commands/commandui.cpp
Outdated
LogHandler::setStderr(true); | ||
|
||
// Disable encrypted settings for testing. | ||
CryptoSettings::mock(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I prefer it to be aligned with code signing instead of a compile flag. Thinking about the ways a hidden adversary could exploit this down the line, it seems more likely to get a "build with a testing flag" out into prod than a "build that wasn't codesigned".
Normally we don't notice this bug because of queueing delays, but the deactivation isnt actually finished at the time when we emit this signal. This was causing issues in the WASM client because it doesn't have threading, meaning that it wound up processing the deactivate signal out of order.
This eliminates the need to hardcode a settings filename for MZ_DUMMY.
When trying to run functional tests against a production client - we can't presume that it's enabled by default as most prod clients use browser auth.
This doesn't really do anything useful anymore, and we are better off processing a broken daemon as a controller error anyways
This was a real bug. We added the SubscriptionNotFound expiration type, but never updated the notification handler, which would now trigger assert on Linux as a result. There isn't really a need for that assert anyways, so let's just remove it.
a0ac136
to
a18a569
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍🏻 Thanks!
Description
This is something of a hobby project. The end goal is to try and run functional tests against production builds of the VPN client, and to get there we need a way to mock out the controller a little better. The first checkpoint of which is to write a mock daemon and replace the
DummyController
with it.Roughly speaking a high-level change log for this effort goes like this:
MockDaemon
class that mocks out the daemon APIs and creates a local socket server.DummyController
with aLocalSocketController
that talks to the mocked daemon.--testing
option to automatically create the mock daemon.#ifdef MZ_DUMMY
with runtime switches triggered by--testing
:Then to get tests working on the production builds, we need to extend the
--testing
option to make the prod build act like the dummy build:Disable cryptosettings.Reference
This is a prerequisite for the following JIRA tasks
Checklist