1
0

inbound_finalmask_reality_test.go 8.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223
  1. package service
  2. import (
  3. "encoding/json"
  4. "testing"
  5. "github.com/mhsanaei/3x-ui/v3/internal/database"
  6. "github.com/mhsanaei/3x-ui/v3/internal/database/model"
  7. )
  8. const realityFinalMaskStream = `{"network":"tcp","security":"reality","realitySettings":{},"finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`
  9. func TestValidateFinalMaskRealityCombo(t *testing.T) {
  10. tests := []struct {
  11. name string
  12. streamSettings string
  13. wantErr bool
  14. }{
  15. {
  16. name: "empty streamSettings",
  17. streamSettings: "",
  18. wantErr: false,
  19. },
  20. {
  21. name: "reality without finalmask",
  22. streamSettings: `{"security":"reality","realitySettings":{}}`,
  23. wantErr: false,
  24. },
  25. {
  26. name: "reality with empty finalmask",
  27. streamSettings: `{"security":"reality","finalmask":{"tcp":[],"udp":[]}}`,
  28. wantErr: false,
  29. },
  30. {
  31. name: "reality with tcp fragment finalmask",
  32. streamSettings: `{"security":"reality","finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`,
  33. wantErr: true,
  34. },
  35. {
  36. // UDP masks never touch the TCP accept path REALITY runs on —
  37. // TcpmaskManager (the thing that wraps the listener ahead of
  38. // REALITY's handshake) is only built when tcp masks are present,
  39. // so a udp-only config doesn't reproduce the panic and shouldn't
  40. // be rejected.
  41. name: "reality with udp-only finalmask (does not reproduce the panic)",
  42. streamSettings: `{"security":"reality","finalmask":{"udp":[{"type":"salamander"}]}}`,
  43. wantErr: false,
  44. },
  45. {
  46. name: "non-reality security with finalmask",
  47. streamSettings: `{"security":"tls","finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`,
  48. wantErr: false,
  49. },
  50. }
  51. for _, tt := range tests {
  52. t.Run(tt.name, func(t *testing.T) {
  53. err := validateFinalMaskRealityCombo(tt.streamSettings)
  54. if (err != nil) != tt.wantErr {
  55. t.Errorf("validateFinalMaskRealityCombo(%q) error = %v, wantErr %v", tt.streamSettings, err, tt.wantErr)
  56. }
  57. })
  58. }
  59. }
  60. // end-to-end: the guard must actually be wired into AddInbound, not just
  61. // exist as a standalone helper a caller could forget to invoke.
  62. func TestAddInbound_RejectsFinalMaskRealityCombo(t *testing.T) {
  63. setupConflictDB(t)
  64. svc := &InboundService{}
  65. in := &model.Inbound{
  66. Tag: "in-44300-tcp",
  67. Enable: true,
  68. Listen: "0.0.0.0",
  69. Port: 44300,
  70. Protocol: model.VLESS,
  71. StreamSettings: realityFinalMaskStream,
  72. Settings: `{"clients":[]}`,
  73. }
  74. if _, _, err := svc.AddInbound(in); err == nil {
  75. t.Fatal("AddInbound: want error for finalmask+reality, got nil")
  76. }
  77. var count int64
  78. if err := database.GetDB().Model(&model.Inbound{}).Where("tag = ?", "in-44300-tcp").Count(&count).Error; err != nil {
  79. t.Fatalf("count rows: %v", err)
  80. }
  81. if count != 0 {
  82. t.Fatalf("AddInbound: rejected inbound was persisted anyway, row count = %d", count)
  83. }
  84. }
  85. // AddInbound must always create a new row. The add controller binds the model's
  86. // `id` form field and never clears it, so a client that reuses an existing id
  87. // (e.g. duplicating an inbound fetched from /get) must not silently overwrite
  88. // that stored row via GORM Save's upsert-on-primary-key behavior.
  89. func TestAddInbound_IgnoresBoundIdAndCreatesNewRow(t *testing.T) {
  90. setupConflictDB(t)
  91. svc := &InboundService{}
  92. first := &model.Inbound{Tag: "in-45100-tcp", Enable: true, Listen: "0.0.0.0", Port: 45100, Protocol: model.VLESS, Settings: `{"clients":[]}`}
  93. created, _, err := svc.AddInbound(first)
  94. if err != nil {
  95. t.Fatalf("AddInbound first: %v", err)
  96. }
  97. second := &model.Inbound{Id: created.Id, Tag: "in-45101-tcp", Enable: true, Listen: "0.0.0.0", Port: 45101, Protocol: model.VLESS, Settings: `{"clients":[]}`}
  98. if _, _, err := svc.AddInbound(second); err != nil {
  99. t.Fatalf("AddInbound second: %v", err)
  100. }
  101. var count int64
  102. if err := database.GetDB().Model(&model.Inbound{}).Count(&count).Error; err != nil {
  103. t.Fatalf("count: %v", err)
  104. }
  105. if count != 2 {
  106. t.Fatalf("expected 2 inbound rows, got %d: a bound id overwrote the first row instead of creating a new one", count)
  107. }
  108. var reloaded model.Inbound
  109. if err := database.GetDB().First(&reloaded, created.Id).Error; err != nil {
  110. t.Fatalf("reload first: %v", err)
  111. }
  112. if reloaded.Port != 45100 {
  113. t.Fatalf("first inbound port = %d, want 45100 (the second add overwrote it)", reloaded.Port)
  114. }
  115. }
  116. // A WireGuard inbound carrying clients (an imported config, or a node-reconcile
  117. // re-add) must be accepted: WG clients are keyed by their public key and have no
  118. // `id`, so the generic default validation branch wrongly rejected them with
  119. // "empty client ID".
  120. func TestAddInbound_AcceptsWireguardClientWithKey(t *testing.T) {
  121. setupConflictDB(t)
  122. svc := &InboundService{}
  123. settings := `{"secretKey":"` + wgTestSecretKey() + `","mtu":1420,"clients":[{"email":"wgimp@x","enable":true,"privateKey":"keep-priv","publicKey":"keep-pub","allowedIPs":["10.0.0.50/32"]}]}`
  124. in := &model.Inbound{
  125. Tag: "in-45200-wg",
  126. Enable: true,
  127. Listen: "0.0.0.0",
  128. Port: 45200,
  129. Protocol: model.WireGuard,
  130. Settings: settings,
  131. }
  132. if _, _, err := svc.AddInbound(in); err != nil {
  133. t.Fatalf("AddInbound rejected a keyed WireGuard client: %v", err)
  134. }
  135. var count int64
  136. if err := database.GetDB().Model(&model.Inbound{}).Where("tag = ?", "in-45200-wg").Count(&count).Error; err != nil {
  137. t.Fatalf("count: %v", err)
  138. }
  139. if count != 1 {
  140. t.Fatalf("WireGuard inbound with a keyed client was not created, row count = %d", count)
  141. }
  142. }
  143. // end-to-end: same guard on the update path, on a row that was valid before
  144. // the edit — the rejected StreamSettings must not overwrite the stored row.
  145. func TestUpdateInbound_RejectsFinalMaskRealityCombo(t *testing.T) {
  146. setupConflictDB(t)
  147. seedInboundConflict(t, "in-44301-tcp", "0.0.0.0", 44301, model.VLESS,
  148. `{"network":"tcp","security":"reality","realitySettings":{}}`, `{"clients":[]}`)
  149. var existing model.Inbound
  150. if err := database.GetDB().Where("tag = ?", "in-44301-tcp").First(&existing).Error; err != nil {
  151. t.Fatalf("read seeded row: %v", err)
  152. }
  153. svc := &InboundService{}
  154. update := existing
  155. update.StreamSettings = realityFinalMaskStream
  156. if _, _, err := svc.UpdateInbound(&update); err == nil {
  157. t.Fatal("UpdateInbound: want error for finalmask+reality, got nil")
  158. }
  159. var reloaded model.Inbound
  160. if err := database.GetDB().First(&reloaded, existing.Id).Error; err != nil {
  161. t.Fatalf("reload: %v", err)
  162. }
  163. if reloaded.StreamSettings != existing.StreamSettings {
  164. t.Fatalf("UpdateInbound: rejected StreamSettings was persisted anyway\ngot: %s\nwant: %s", reloaded.StreamSettings, existing.StreamSettings)
  165. }
  166. }
  167. // GetXrayConfig must heal a row that already carries finalmask+reality in the
  168. // DB (saved before this guard existed - an upgrade, a node sync, a restored
  169. // backup, or a direct DB edit) rather than handing xray-core a config that
  170. // panics it on the first connection. Bypasses AddInbound/UpdateInbound
  171. // entirely by writing the row directly, the same way a pre-existing bad row
  172. // would already be sitting in a real database.
  173. func TestGetXrayConfig_HealsFinalMaskRealityCombo(t *testing.T) {
  174. setupConflictDB(t)
  175. seedInboundConflict(t, "in-44302-tcp", "0.0.0.0", 44302, model.VLESS,
  176. realityFinalMaskStream, `{"clients":[]}`)
  177. svc := &XrayService{}
  178. cfg, err := svc.GetXrayConfig()
  179. if err != nil {
  180. t.Fatalf("GetXrayConfig: %v", err)
  181. }
  182. for i := range cfg.InboundConfigs {
  183. ic := cfg.InboundConfigs[i]
  184. if ic.Tag != "in-44302-tcp" {
  185. continue
  186. }
  187. var stream map[string]any
  188. if err := json.Unmarshal(ic.StreamSettings, &stream); err != nil {
  189. t.Fatalf("unmarshal emitted streamSettings: %v", err)
  190. }
  191. if stream["security"] != "reality" {
  192. t.Fatalf("security = %v, want reality (test setup broken)", stream["security"])
  193. }
  194. if _, has := stream["finalmask"]; has {
  195. t.Fatalf("emitted config still carries finalmask alongside reality — this crashes Xray-core: %v", stream["finalmask"])
  196. }
  197. return
  198. }
  199. t.Fatalf("inbound in-44302-tcp not found in generated config")
  200. }