inbound_finalmask_reality_test.go 6.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193
  1. package service
  2. import (
  3. "encoding/json"
  4. "testing"
  5. "github.com/mhsanaei/3x-ui/v3/internal/database"
  6. "github.com/mhsanaei/3x-ui/v3/internal/database/model"
  7. )
  8. const realityFinalMaskStream = `{"network":"tcp","security":"reality","realitySettings":{},"finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`
  9. func TestValidateFinalMaskRealityCombo(t *testing.T) {
  10. tests := []struct {
  11. name string
  12. streamSettings string
  13. wantErr bool
  14. }{
  15. {
  16. name: "empty streamSettings",
  17. streamSettings: "",
  18. wantErr: false,
  19. },
  20. {
  21. name: "reality without finalmask",
  22. streamSettings: `{"security":"reality","realitySettings":{}}`,
  23. wantErr: false,
  24. },
  25. {
  26. name: "reality with empty finalmask",
  27. streamSettings: `{"security":"reality","finalmask":{"tcp":[],"udp":[]}}`,
  28. wantErr: false,
  29. },
  30. {
  31. name: "reality with tcp fragment finalmask",
  32. streamSettings: `{"security":"reality","finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`,
  33. wantErr: true,
  34. },
  35. {
  36. // UDP masks never touch the TCP accept path REALITY runs on —
  37. // TcpmaskManager (the thing that wraps the listener ahead of
  38. // REALITY's handshake) is only built when tcp masks are present,
  39. // so a udp-only config doesn't reproduce the panic and shouldn't
  40. // be rejected.
  41. name: "reality with udp-only finalmask (does not reproduce the panic)",
  42. streamSettings: `{"security":"reality","finalmask":{"udp":[{"type":"salamander"}]}}`,
  43. wantErr: false,
  44. },
  45. {
  46. name: "non-reality security with finalmask",
  47. streamSettings: `{"security":"tls","finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`,
  48. wantErr: false,
  49. },
  50. }
  51. for _, tt := range tests {
  52. t.Run(tt.name, func(t *testing.T) {
  53. err := validateFinalMaskRealityCombo(tt.streamSettings)
  54. if (err != nil) != tt.wantErr {
  55. t.Errorf("validateFinalMaskRealityCombo(%q) error = %v, wantErr %v", tt.streamSettings, err, tt.wantErr)
  56. }
  57. })
  58. }
  59. }
  60. // end-to-end: the guard must actually be wired into AddInbound, not just
  61. // exist as a standalone helper a caller could forget to invoke.
  62. func TestAddInbound_RejectsFinalMaskRealityCombo(t *testing.T) {
  63. setupConflictDB(t)
  64. svc := &InboundService{}
  65. in := &model.Inbound{
  66. Tag: "in-44300-tcp",
  67. Enable: true,
  68. Listen: "0.0.0.0",
  69. Port: 44300,
  70. Protocol: model.VLESS,
  71. StreamSettings: realityFinalMaskStream,
  72. Settings: `{"clients":[]}`,
  73. }
  74. if _, _, err := svc.AddInbound(in); err == nil {
  75. t.Fatal("AddInbound: want error for finalmask+reality, got nil")
  76. }
  77. var count int64
  78. if err := database.GetDB().Model(&model.Inbound{}).Where("tag = ?", "in-44300-tcp").Count(&count).Error; err != nil {
  79. t.Fatalf("count rows: %v", err)
  80. }
  81. if count != 0 {
  82. t.Fatalf("AddInbound: rejected inbound was persisted anyway, row count = %d", count)
  83. }
  84. }
  85. // AddInbound must always create a new row. The add controller binds the model's
  86. // `id` form field and never clears it, so a client that reuses an existing id
  87. // (e.g. duplicating an inbound fetched from /get) must not silently overwrite
  88. // that stored row via GORM Save's upsert-on-primary-key behavior.
  89. func TestAddInbound_IgnoresBoundIdAndCreatesNewRow(t *testing.T) {
  90. setupConflictDB(t)
  91. svc := &InboundService{}
  92. first := &model.Inbound{Tag: "in-45100-tcp", Enable: true, Listen: "0.0.0.0", Port: 45100, Protocol: model.VLESS, Settings: `{"clients":[]}`}
  93. created, _, err := svc.AddInbound(first)
  94. if err != nil {
  95. t.Fatalf("AddInbound first: %v", err)
  96. }
  97. second := &model.Inbound{Id: created.Id, Tag: "in-45101-tcp", Enable: true, Listen: "0.0.0.0", Port: 45101, Protocol: model.VLESS, Settings: `{"clients":[]}`}
  98. if _, _, err := svc.AddInbound(second); err != nil {
  99. t.Fatalf("AddInbound second: %v", err)
  100. }
  101. var count int64
  102. if err := database.GetDB().Model(&model.Inbound{}).Count(&count).Error; err != nil {
  103. t.Fatalf("count: %v", err)
  104. }
  105. if count != 2 {
  106. t.Fatalf("expected 2 inbound rows, got %d: a bound id overwrote the first row instead of creating a new one", count)
  107. }
  108. var reloaded model.Inbound
  109. if err := database.GetDB().First(&reloaded, created.Id).Error; err != nil {
  110. t.Fatalf("reload first: %v", err)
  111. }
  112. if reloaded.Port != 45100 {
  113. t.Fatalf("first inbound port = %d, want 45100 (the second add overwrote it)", reloaded.Port)
  114. }
  115. }
  116. // end-to-end: same guard on the update path, on a row that was valid before
  117. // the edit — the rejected StreamSettings must not overwrite the stored row.
  118. func TestUpdateInbound_RejectsFinalMaskRealityCombo(t *testing.T) {
  119. setupConflictDB(t)
  120. seedInboundConflict(t, "in-44301-tcp", "0.0.0.0", 44301, model.VLESS,
  121. `{"network":"tcp","security":"reality","realitySettings":{}}`, `{"clients":[]}`)
  122. var existing model.Inbound
  123. if err := database.GetDB().Where("tag = ?", "in-44301-tcp").First(&existing).Error; err != nil {
  124. t.Fatalf("read seeded row: %v", err)
  125. }
  126. svc := &InboundService{}
  127. update := existing
  128. update.StreamSettings = realityFinalMaskStream
  129. if _, _, err := svc.UpdateInbound(&update); err == nil {
  130. t.Fatal("UpdateInbound: want error for finalmask+reality, got nil")
  131. }
  132. var reloaded model.Inbound
  133. if err := database.GetDB().First(&reloaded, existing.Id).Error; err != nil {
  134. t.Fatalf("reload: %v", err)
  135. }
  136. if reloaded.StreamSettings != existing.StreamSettings {
  137. t.Fatalf("UpdateInbound: rejected StreamSettings was persisted anyway\ngot: %s\nwant: %s", reloaded.StreamSettings, existing.StreamSettings)
  138. }
  139. }
  140. // GetXrayConfig must heal a row that already carries finalmask+reality in the
  141. // DB (saved before this guard existed - an upgrade, a node sync, a restored
  142. // backup, or a direct DB edit) rather than handing xray-core a config that
  143. // panics it on the first connection. Bypasses AddInbound/UpdateInbound
  144. // entirely by writing the row directly, the same way a pre-existing bad row
  145. // would already be sitting in a real database.
  146. func TestGetXrayConfig_HealsFinalMaskRealityCombo(t *testing.T) {
  147. setupConflictDB(t)
  148. seedInboundConflict(t, "in-44302-tcp", "0.0.0.0", 44302, model.VLESS,
  149. realityFinalMaskStream, `{"clients":[]}`)
  150. svc := &XrayService{}
  151. cfg, err := svc.GetXrayConfig()
  152. if err != nil {
  153. t.Fatalf("GetXrayConfig: %v", err)
  154. }
  155. for i := range cfg.InboundConfigs {
  156. ic := cfg.InboundConfigs[i]
  157. if ic.Tag != "in-44302-tcp" {
  158. continue
  159. }
  160. var stream map[string]any
  161. if err := json.Unmarshal(ic.StreamSettings, &stream); err != nil {
  162. t.Fatalf("unmarshal emitted streamSettings: %v", err)
  163. }
  164. if stream["security"] != "reality" {
  165. t.Fatalf("security = %v, want reality (test setup broken)", stream["security"])
  166. }
  167. if _, has := stream["finalmask"]; has {
  168. t.Fatalf("emitted config still carries finalmask alongside reality — this crashes Xray-core: %v", stream["finalmask"])
  169. }
  170. return
  171. }
  172. t.Fatalf("inbound in-44302-tcp not found in generated config")
  173. }