| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411 |
- package service
- import (
- "encoding/json"
- "testing"
- )
- func rulesFromRaw(t *testing.T, raw string) []map[string]any {
- t.Helper()
- var cfg map[string]any
- if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
- t.Fatalf("unmarshal: %v", err)
- }
- return routingRulesFromCfg(cfg)
- }
- func TestEnsureDnsServerRouting_NoOpWithoutDnsServers(t *testing.T) {
- in := `{"routing":{"rules":[{"type":"field","outboundTag":"blocked","ip":["geoip:private"]}]}}`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- if out != in {
- t.Fatalf("expected unchanged input, got: %s", out)
- }
- }
- func TestEnsureDnsServerRouting_NoOpForPublicDnsServer(t *testing.T) {
- in := `{
- "dns": {"servers": ["1.1.1.1"]},
- "routing": {"rules": [{"type":"field","outboundTag":"blocked","ip":["geoip:private"]}]}
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- if out != in {
- t.Fatalf("expected unchanged input for a public DNS server, got: %s", out)
- }
- }
- func TestEnsureDnsServerRouting_NoOpWithoutPrivateBlockRule(t *testing.T) {
- // Private DNS server, but nothing in routing would block it — no rule
- // needed.
- in := `{
- "dns": {"servers": ["172.20.0.53"]},
- "routing": {"rules": [{"type":"field","inboundTag":["api"],"outboundTag":"api"}]}
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- if out != in {
- t.Fatalf("expected unchanged input without a private-block rule, got: %s", out)
- }
- }
- func TestEnsureDnsServerRouting_InsertsAllowRuleBeforeBlock(t *testing.T) {
- // Reproduces the reported bug: dns.servers on a private docker IP
- // (e.g. a same-network AdGuard Home) plus the panel's default
- // geoip:private block rule silently drops Xray's own DNS traffic.
- in := `{
- "dns": {"servers": ["172.20.0.53"], "queryStrategy": "UseIPv4"},
- "routing": {
- "rules": [
- {"type":"field","inboundTag":["api"],"outboundTag":"api"},
- {"type":"field","outboundTag":"blocked","ip":["geoip:private"]},
- {"type":"field","outboundTag":"blocked","protocol":["bittorrent"]}
- ]
- }
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- rules := rulesFromRaw(t, out)
- if len(rules) != 4 {
- t.Fatalf("rules len = %d, want 4: %s", len(rules), out)
- }
- if tag, _ := rules[1]["outboundTag"].(string); tag != "direct" {
- t.Fatalf("expected inserted allow-rule at index 1, got outboundTag %v\nfull: %s", rules[1]["outboundTag"], out)
- }
- ips := readRuleIPs(rules[1]["ip"])
- if len(ips) != 1 || ips[0] != "172.20.0.53" {
- t.Fatalf("allow-rule ip = %v, want [172.20.0.53]", ips)
- }
- if port, _ := rules[1]["port"].(string); port != "53" {
- t.Fatalf("allow-rule port = %v, want \"53\" (scoped to DNS traffic only)", rules[1]["port"])
- }
- if tag, _ := rules[2]["outboundTag"].(string); tag != "blocked" {
- t.Fatalf("private-block rule should still follow the allow-rule, got %v", rules[2])
- }
- }
- func TestEnsureDnsServerRouting_HandlesObjectServerEntryWithExplicitPort(t *testing.T) {
- in := `{
- "dns": {"servers": [{"address": "172.20.0.53", "port": 5353}]},
- "routing": {"rules": [{"type":"field","outboundTag":"blocked","ip":["geoip:private"]}]}
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- rules := rulesFromRaw(t, out)
- ips := readRuleIPs(rules[0]["ip"])
- if len(ips) != 1 || ips[0] != "172.20.0.53" {
- t.Fatalf("allow-rule ip = %v, want [172.20.0.53]", ips)
- }
- if port, _ := rules[0]["port"].(string); port != "5353" {
- t.Fatalf("allow-rule port = %v, want the object's explicit \"5353\"", rules[0]["port"])
- }
- }
- func TestEnsureDnsServerRouting_GroupsDistinctPortsIntoSeparateRules(t *testing.T) {
- // Two internal resolvers on different ports must not be merged into
- // one ip+port rule — that would cross-allow ip1:port2 and ip2:port1,
- // widening the exception beyond what's actually needed.
- in := `{
- "dns": {"servers": ["172.20.0.53", "10.0.0.53:5353"]},
- "routing": {"rules": [{"type":"field","outboundTag":"blocked","ip":["geoip:private"]}]}
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- rules := rulesFromRaw(t, out)
- if len(rules) != 3 {
- t.Fatalf("rules len = %d, want 3 (one rule per port + the block rule): %s", len(rules), out)
- }
- if p, _ := rules[0]["port"].(string); p != "53" {
- t.Fatalf("rules[0] port = %v, want \"53\" (sorted ascending)", rules[0]["port"])
- }
- if ips := readRuleIPs(rules[0]["ip"]); len(ips) != 1 || ips[0] != "172.20.0.53" {
- t.Fatalf("rules[0] ip = %v, want [172.20.0.53]", ips)
- }
- if p, _ := rules[1]["port"].(string); p != "5353" {
- t.Fatalf("rules[1] port = %v, want \"5353\"", rules[1]["port"])
- }
- if ips := readRuleIPs(rules[1]["ip"]); len(ips) != 1 || ips[0] != "10.0.0.53" {
- t.Fatalf("rules[1] ip = %v, want [10.0.0.53]", ips)
- }
- }
- func TestEnsureDnsServerRouting_StripsSchemePortAndPath(t *testing.T) {
- in := `{
- "dns": {"servers": [
- "tcp://10.0.0.53:5353",
- "https+local://192.168.1.1/dns-query",
- "[fd00::53]:53"
- ]},
- "routing": {"rules": [{"type":"field","outboundTag":"blocked","ip":["geoip:private"]}]}
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- rules := rulesFromRaw(t, out)
- // 192.168.1.1 and fd00::53 share the default port 53; 10.0.0.53:5353
- // is its own group.
- if len(rules) != 3 {
- t.Fatalf("rules len = %d, want 3 (2 port groups + block rule): %s", len(rules), out)
- }
- port53 := rules[0]
- if p, _ := port53["port"].(string); p != "53" {
- t.Fatalf("rules[0] port = %v, want \"53\"", port53["port"])
- }
- want53 := map[string]bool{"192.168.1.1": true, "fd00::53": true}
- ips := readRuleIPs(port53["ip"])
- if len(ips) != len(want53) {
- t.Fatalf("rules[0] ip = %v, want entries matching %v", ips, want53)
- }
- for _, ip := range ips {
- if !want53[ip] {
- t.Fatalf("unexpected ip %q in port-53 rule %v", ip, ips)
- }
- }
- port5353 := rules[1]
- if p, _ := port5353["port"].(string); p != "5353" {
- t.Fatalf("rules[1] port = %v, want \"5353\"", port5353["port"])
- }
- if ips := readRuleIPs(port5353["ip"]); len(ips) != 1 || ips[0] != "10.0.0.53" {
- t.Fatalf("rules[1] ip = %v, want [10.0.0.53]", ips)
- }
- }
- func TestEnsureDnsServerRouting_SkipsSpecialAndDomainAddresses(t *testing.T) {
- in := `{
- "dns": {"servers": ["localhost", "fakedns", "dns.google", "8.8.8.8"]},
- "routing": {"rules": [{"type":"field","outboundTag":"blocked","ip":["geoip:private"]}]}
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- if out != in {
- t.Fatalf("expected unchanged input (no private literal IPs present), got: %s", out)
- }
- }
- func TestEnsureDnsServerRouting_IdempotentOnSecondSave(t *testing.T) {
- in := `{
- "dns": {"servers": ["172.20.0.53"]},
- "routing": {"rules": [{"type":"field","outboundTag":"blocked","ip":["geoip:private"]}]}
- }`
- first, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- second, err := EnsureDnsServerRouting(first)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- if second != first {
- t.Fatalf("expected no further change on second pass\nfirst: %s\nsecond: %s", first, second)
- }
- }
- func TestEnsureDnsServerRouting_UpdatesOwnedRuleWhenServersChange(t *testing.T) {
- in := `{
- "dns": {"servers": ["172.20.0.53"]},
- "routing": {
- "rules": [
- {"type":"field","ip":["172.20.0.53"],"port":"53","outboundTag":"direct"},
- {"type":"field","outboundTag":"blocked","ip":["geoip:private"]}
- ]
- }
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- if out != in {
- t.Fatalf("dns servers unchanged, expected no-op, got: %s", out)
- }
- // Admin adds a second internal resolver on the same port.
- in2 := `{
- "dns": {"servers": ["172.20.0.53", "10.0.0.53"]},
- "routing": {
- "rules": [
- {"type":"field","ip":["172.20.0.53"],"port":"53","outboundTag":"direct"},
- {"type":"field","outboundTag":"blocked","ip":["geoip:private"]}
- ]
- }
- }`
- out2, err := EnsureDnsServerRouting(in2)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- rules := rulesFromRaw(t, out2)
- if len(rules) != 2 {
- t.Fatalf("rules len = %d, want 2 (existing rule updated in place): %s", len(rules), out2)
- }
- ips := readRuleIPs(rules[0]["ip"])
- if len(ips) != 2 || ips[0] != "10.0.0.53" || ips[1] != "172.20.0.53" {
- t.Fatalf("allow-rule ip = %v, want [10.0.0.53 172.20.0.53]", ips)
- }
- }
- func TestEnsureDnsServerRouting_RemovesOwnedRuleWhenNoLongerNeeded(t *testing.T) {
- // Admin switches dns.servers to a public resolver — our previously
- // inserted allow-rule is now dead weight and should be dropped.
- in := `{
- "dns": {"servers": ["1.1.1.1"]},
- "routing": {
- "rules": [
- {"type":"field","ip":["172.20.0.53"],"port":"53","outboundTag":"direct"},
- {"type":"field","outboundTag":"blocked","ip":["geoip:private"]}
- ]
- }
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- rules := rulesFromRaw(t, out)
- if len(rules) != 1 {
- t.Fatalf("rules len = %d, want 1 (stale allow-rule removed): %s", len(rules), out)
- }
- if tag, _ := rules[0]["outboundTag"].(string); tag != "blocked" {
- t.Fatalf("remaining rule should be the block rule, got %v", rules[0])
- }
- }
- func TestEnsureDnsServerRouting_DoesNotTouchManualRuleWithExtraMatchers(t *testing.T) {
- // A hand-written rule that also allows the DNS IP but carries an extra
- // matcher isn't recognized as "ours" and must be left alone; a fresh
- // managed rule is inserted alongside it instead.
- in := `{
- "dns": {"servers": ["172.20.0.53"]},
- "routing": {
- "rules": [
- {"type":"field","ip":["172.20.0.53"],"port":"53","domain":["example.com"],"outboundTag":"direct"},
- {"type":"field","outboundTag":"blocked","ip":["geoip:private"]}
- ]
- }
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- rules := rulesFromRaw(t, out)
- if len(rules) != 3 {
- t.Fatalf("rules len = %d, want 3 (manual rule kept, managed rule inserted): %s", len(rules), out)
- }
- if _, ok := rules[0]["domain"]; !ok {
- t.Fatalf("manual rule with domain matcher should be untouched, got %v", rules[0])
- }
- }
- func TestEnsureDnsServerRouting_RepositionsRuleDraggedAfterBlockRule(t *testing.T) {
- // The Routing tab lets admins freely drag rules around
- // (RoutingTab.tsx move-up/move-down and drag-and-drop), and a managed
- // rule renders as an indistinguishable normal row there. If it ends up
- // at or after the block rule — directly, or incidentally while
- // reordering something else — the exact bug this file fixes comes
- // back silently: the block rule matches first and Xray's own DNS
- // traffic is dropped again. Detecting only ip/content drift isn't
- // enough; position must be checked too.
- in := `{
- "dns": {"servers": ["172.20.0.53"]},
- "routing": {
- "rules": [
- {"type":"field","outboundTag":"blocked","ip":["geoip:private"]},
- {"type":"field","ip":["172.20.0.53"],"port":"53","outboundTag":"direct"}
- ]
- }
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- rules := rulesFromRaw(t, out)
- if len(rules) != 2 {
- t.Fatalf("rules len = %d, want 2: %s", len(rules), out)
- }
- if tag, _ := rules[0]["outboundTag"].(string); tag != "direct" {
- t.Fatalf("managed rule should be re-homed to index 0 (before the block rule), got %v\nfull: %s", rules[0], out)
- }
- if tag, _ := rules[1]["outboundTag"].(string); tag != "blocked" {
- t.Fatalf("block rule should now be at index 1, got %v\nfull: %s", rules[1], out)
- }
- }
- func TestEnsureDnsServerRouting_TreatsExplicitlyEnabledRuleAsOwned(t *testing.T) {
- // RuleFormModal.tsx's submit() always writes an "enabled" key, even
- // when the admin changed nothing and it was already true — merely
- // opening the auto-generated rule in the editor must not disown it.
- in := `{
- "dns": {"servers": ["172.20.0.53"]},
- "routing": {
- "rules": [
- {"type":"field","ip":["172.20.0.53"],"port":"53","outboundTag":"direct","enabled":true},
- {"type":"field","outboundTag":"blocked","ip":["geoip:private"]}
- ]
- }
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- rules := rulesFromRaw(t, out)
- if len(rules) != 2 {
- t.Fatalf("rules len = %d, want 2 (no duplicate inserted): %s", len(rules), out)
- }
- }
- func TestEnsureDnsServerRouting_DisabledRuleIsDisownedAndReplaced(t *testing.T) {
- // toggleRule() in RoutingTab.tsx writes enabled=false on a plain
- // switch flip. An admin who explicitly disables the managed rule is
- // choosing to turn the exception off; re-enabling it on the next save
- // would silently override that. The disabled rule is left alone and a
- // fresh, enabled one is (re-)created to keep the fix working.
- in := `{
- "dns": {"servers": ["172.20.0.53"]},
- "routing": {
- "rules": [
- {"type":"field","ip":["172.20.0.53"],"port":"53","outboundTag":"direct","enabled":false},
- {"type":"field","outboundTag":"blocked","ip":["geoip:private"]}
- ]
- }
- }`
- out, err := EnsureDnsServerRouting(in)
- if err != nil {
- t.Fatalf("unexpected err: %v", err)
- }
- rules := rulesFromRaw(t, out)
- if len(rules) != 3 {
- t.Fatalf("rules len = %d, want 3 (disabled rule kept as-is, fresh managed rule added): %s", len(rules), out)
- }
- if enabled, _ := rules[0]["enabled"].(bool); enabled {
- t.Fatalf("original disabled rule should be untouched, got %v", rules[0])
- }
- if _, ok := rules[1]["enabled"]; ok {
- t.Fatalf("freshly (re-)generated rule shouldn't carry an enabled key, got %v", rules[1])
- }
- if tag, _ := rules[1]["outboundTag"].(string); tag != "direct" {
- t.Fatalf("expected the fresh managed rule at index 1, got %v", rules[1])
- }
- }
- func TestEnsureDnsServerRouting_InvalidJsonReturnsAsIs(t *testing.T) {
- in := "definitely not json"
- out, err := EnsureDnsServerRouting(in)
- if err == nil {
- t.Fatalf("expected error for invalid json, got none")
- }
- if out != in {
- t.Fatalf("expected raw passthrough on error, got %q", out)
- }
- }
|