service_sharelink_test.go 5.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178
  1. package sub
  2. import (
  3. "net/url"
  4. "strings"
  5. "testing"
  6. "github.com/mhsanaei/3x-ui/v3/internal/database/model"
  7. )
  8. // shareLinkInbound builds a VLESS inbound with one client and the given stream
  9. // settings, mirroring flowTestInbound but without forcing a flow.
  10. func shareLinkInbound(streamSettings string) *model.Inbound {
  11. return &model.Inbound{
  12. Listen: "203.0.113.1",
  13. Port: 443,
  14. Protocol: model.VLESS,
  15. Remark: "sharelink",
  16. Settings: `{"clients":[{"id":"11111111-2222-4333-8444-555555555555","email":"user"}],"decryption":"none","encryption":"none"}`,
  17. StreamSettings: streamSettings,
  18. }
  19. }
  20. // TestGenVlessLink_TLSParamsMapped locks every field that applyShareTLSParams
  21. // (service.go:1029) writes into a TLS share link. Without these assertions a mutant
  22. // that drops `sni`, swaps a key, or skips `pcs`/`alpn`/`fp` survives the whole suite —
  23. // the existing flow tests only check `flow=`.
  24. func TestGenVlessLink_TLSParamsMapped(t *testing.T) {
  25. stream := `{
  26. "network":"tcp","security":"tls",
  27. "tcpSettings":{"header":{"type":"none"}},
  28. "tlsSettings":{
  29. "serverName":"sni.example.com",
  30. "alpn":["h2","http/1.1"],
  31. "settings":{"fingerprint":"chrome","pinnedPeerCertSha256":["YWJj"]}
  32. }
  33. }`
  34. s := &SubService{}
  35. link := s.genVlessLink(shareLinkInbound(stream), "user")
  36. // url.Values.Encode() percent-encodes values: "," -> %2C, "/" -> %2F.
  37. wants := []string{
  38. "security=tls",
  39. "sni=sni.example.com",
  40. "fp=chrome",
  41. "alpn=h2%2Chttp%2F1.1",
  42. "pcs=YWJj",
  43. }
  44. for _, w := range wants {
  45. if !strings.Contains(link, w) {
  46. t.Fatalf("TLS link missing %q\n got: %s", w, link)
  47. }
  48. }
  49. }
  50. // Locks the reality field mapping of applyShareRealityParams; distinct pbk/sid
  51. // catch a swap mutant. spx is now a per-client derived value (#5718 / follow-up).
  52. func TestGenVlessLink_RealityParamsMapped(t *testing.T) {
  53. stream := `{
  54. "network":"tcp","security":"reality",
  55. "tcpSettings":{"header":{"type":"none"}},
  56. "realitySettings":{
  57. "serverNames":["reality.example.com"],
  58. "shortIds":["ab12cd"],
  59. "settings":{"publicKey":"PBKvalue","fingerprint":"firefox","spiderX":"/mypath"}
  60. }
  61. }`
  62. s := &SubService{}
  63. link := s.genVlessLink(shareLinkInbound(stream), "user")
  64. wants := []string{
  65. "security=reality",
  66. "sni=reality.example.com",
  67. "pbk=PBKvalue",
  68. "sid=ab12cd",
  69. "fp=firefox",
  70. "spx=%2F",
  71. }
  72. for _, w := range wants {
  73. if !strings.Contains(link, w) {
  74. t.Fatalf("reality link missing %q\n got: %s", w, link)
  75. }
  76. }
  77. // A pbk<->sid swap must not silently pass: pbk must not carry the shortId.
  78. if strings.Contains(link, "pbk=ab12cd") || strings.Contains(link, "sid=PBKvalue") {
  79. t.Fatalf("reality pbk/sid mapping crossed: %s", link)
  80. }
  81. }
  82. // realityTwoClientInbound builds a reality VLESS inbound carrying two clients
  83. // with distinct subIds so the per-client spx derivation can be exercised.
  84. func realityTwoClientInbound() *model.Inbound {
  85. return &model.Inbound{
  86. Listen: "203.0.113.1",
  87. Port: 443,
  88. Protocol: model.VLESS,
  89. Remark: "sharelink",
  90. Settings: `{"clients":[
  91. {"id":"11111111-2222-4333-8444-555555555555","email":"alice","subId":"subAlice"},
  92. {"id":"22222222-3333-4444-8555-666666666666","email":"bob","subId":"subBob"}
  93. ],"decryption":"none","encryption":"none"}`,
  94. StreamSettings: `{
  95. "network":"tcp","security":"reality",
  96. "tcpSettings":{"header":{"type":"none"}},
  97. "realitySettings":{
  98. "serverNames":["reality.example.com"],
  99. "shortIds":["ab12cd"],
  100. "settings":{"publicKey":"PBKvalue","fingerprint":"firefox","spiderX":"/seed"}
  101. }
  102. }`,
  103. }
  104. }
  105. func spxParam(t *testing.T, link string) string {
  106. t.Helper()
  107. u, err := url.Parse(link)
  108. if err != nil {
  109. t.Fatalf("parse link %q: %v", link, err)
  110. }
  111. spx := u.Query().Get("spx")
  112. if spx == "" || spx[0] != '/' {
  113. t.Fatalf("spx missing or not /-prefixed in %q", link)
  114. }
  115. return spx
  116. }
  117. // spx must be stable for a given client across repeated exports (the #5718
  118. // complaint) yet differ between clients so the value can't be fingerprinted.
  119. func TestGenVlessLink_RealitySpiderXPerClientStable(t *testing.T) {
  120. s := &SubService{}
  121. inbound := realityTwoClientInbound()
  122. aliceFirst := spxParam(t, s.genVlessLink(inbound, "alice"))
  123. aliceSecond := spxParam(t, s.genVlessLink(inbound, "alice"))
  124. bob := spxParam(t, s.genVlessLink(inbound, "bob"))
  125. if aliceFirst != aliceSecond {
  126. t.Fatalf("spx not stable for the same client: %q vs %q", aliceFirst, aliceSecond)
  127. }
  128. if aliceFirst == bob {
  129. t.Fatalf("spx identical across clients (fingerprintable): %q", aliceFirst)
  130. }
  131. }
  132. func TestDeriveSpiderX(t *testing.T) {
  133. if got := deriveSpiderX("seed", "clientA"); got != deriveSpiderX("seed", "clientA") {
  134. t.Fatalf("deriveSpiderX not deterministic: %q", got)
  135. }
  136. if deriveSpiderX("seed", "clientA") == deriveSpiderX("seed", "clientB") {
  137. t.Fatal("deriveSpiderX must differ per client")
  138. }
  139. if deriveSpiderX("seedA", "clientA") == deriveSpiderX("seedB", "clientA") {
  140. t.Fatal("rotating the seed must rotate a client's spx")
  141. }
  142. got := deriveSpiderX("seed", "clientA")
  143. if len(got) != 16 || got[0] != '/' {
  144. t.Fatalf("deriveSpiderX shape = %q, want /-prefixed 15-char path", got)
  145. }
  146. if fallback := deriveSpiderX("", ""); len(fallback) != 16 || fallback[0] != '/' {
  147. t.Fatalf("empty-input fallback = %q, want /-prefixed path", fallback)
  148. }
  149. }
  150. // Cross-language vectors shared with frontend/src/test/spider-x.test.ts: the
  151. // panel builds these links in TS, so both derivations must agree byte-for-byte.
  152. func TestDeriveSpiderXMatchesFrontendVectors(t *testing.T) {
  153. vectors := map[string]struct{ seed, clientKey, want string }{
  154. "seed and subId": {"/seed", "subAlice", "/c252fbc3ecd3e3c"},
  155. "seed only": {"/", "", "/d08ed99bd9afc60"},
  156. }
  157. for name, v := range vectors {
  158. t.Run(name, func(t *testing.T) {
  159. if got := deriveSpiderX(v.seed, v.clientKey); got != v.want {
  160. t.Fatalf("deriveSpiderX(%q, %q) = %q, want %q (must match frontend/src/lib/xray/spider-x.ts)", v.seed, v.clientKey, got, v.want)
  161. }
  162. })
  163. }
  164. }