inbound_finalmask_reality_test.go 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215
  1. package service
  2. import (
  3. "encoding/json"
  4. "testing"
  5. "github.com/mhsanaei/3x-ui/v3/internal/database"
  6. "github.com/mhsanaei/3x-ui/v3/internal/database/model"
  7. )
  8. const realityFinalMaskStream = `{"network":"tcp","security":"reality","realitySettings":{},"finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`
  9. func TestValidateFinalMaskRealityCombo(t *testing.T) {
  10. tests := []struct {
  11. name string
  12. streamSettings string
  13. wantErr bool
  14. }{
  15. {
  16. name: "empty streamSettings",
  17. streamSettings: "",
  18. wantErr: false,
  19. },
  20. {
  21. name: "reality without finalmask",
  22. streamSettings: `{"security":"reality","realitySettings":{}}`,
  23. wantErr: false,
  24. },
  25. {
  26. name: "reality with empty finalmask",
  27. streamSettings: `{"security":"reality","finalmask":{"tcp":[],"udp":[]}}`,
  28. wantErr: false,
  29. },
  30. {
  31. name: "reality with tcp fragment finalmask",
  32. streamSettings: `{"security":"reality","finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`,
  33. wantErr: true,
  34. },
  35. {
  36. // UDP masks never touch the TCP accept path REALITY runs on —
  37. // TcpmaskManager (the thing that wraps the listener ahead of
  38. // REALITY's handshake) is only built when tcp masks are present,
  39. // so a udp-only config doesn't reproduce the panic and shouldn't
  40. // be rejected.
  41. name: "reality with udp-only finalmask (does not reproduce the panic)",
  42. streamSettings: `{"security":"reality","finalmask":{"udp":[{"type":"salamander"}]}}`,
  43. wantErr: false,
  44. },
  45. {
  46. name: "non-reality security with finalmask",
  47. streamSettings: `{"security":"tls","finalmask":{"tcp":[{"type":"fragment","settings":{"packets":"tlshello"}}]}}`,
  48. wantErr: false,
  49. },
  50. }
  51. for _, tt := range tests {
  52. t.Run(tt.name, func(t *testing.T) {
  53. err := validateFinalMaskRealityCombo(tt.streamSettings)
  54. if (err != nil) != tt.wantErr {
  55. t.Errorf("validateFinalMaskRealityCombo(%q) error = %v, wantErr %v", tt.streamSettings, err, tt.wantErr)
  56. }
  57. })
  58. }
  59. }
  60. // end-to-end: the guard must actually be wired into AddInbound, not just
  61. // exist as a standalone helper a caller could forget to invoke.
  62. func TestAddInbound_RejectsFinalMaskRealityCombo(t *testing.T) {
  63. setupConflictDB(t)
  64. svc := &InboundService{}
  65. in := &model.Inbound{
  66. Tag: "in-44300-tcp",
  67. Enable: true,
  68. Listen: "0.0.0.0",
  69. Port: 44300,
  70. Protocol: model.VLESS,
  71. StreamSettings: realityFinalMaskStream,
  72. Settings: `{"clients":[]}`,
  73. }
  74. if _, _, err := svc.AddInbound(in); err == nil {
  75. t.Fatal("AddInbound: want error for finalmask+reality, got nil")
  76. }
  77. var count int64
  78. if err := database.GetDB().Model(&model.Inbound{}).Where("tag = ?", "in-44300-tcp").Count(&count).Error; err != nil {
  79. t.Fatalf("count rows: %v", err)
  80. }
  81. if count != 0 {
  82. t.Fatalf("AddInbound: rejected inbound was persisted anyway, row count = %d", count)
  83. }
  84. }
  85. func TestAddInbound_IgnoresBoundIdAndCreatesNewRow(t *testing.T) {
  86. setupConflictDB(t)
  87. svc := &InboundService{}
  88. first := &model.Inbound{Tag: "in-45100-tcp", Enable: true, Listen: "0.0.0.0", Port: 45100, Protocol: model.VLESS, Settings: `{"clients":[]}`}
  89. created, _, err := svc.AddInbound(first)
  90. if err != nil {
  91. t.Fatalf("AddInbound first: %v", err)
  92. }
  93. second := &model.Inbound{Id: created.Id, Tag: "in-45101-tcp", Enable: true, Listen: "0.0.0.0", Port: 45101, Protocol: model.VLESS, Settings: `{"clients":[]}`}
  94. if _, _, err := svc.AddInbound(second); err != nil {
  95. t.Fatalf("AddInbound second: %v", err)
  96. }
  97. var count int64
  98. if err := database.GetDB().Model(&model.Inbound{}).Count(&count).Error; err != nil {
  99. t.Fatalf("count: %v", err)
  100. }
  101. if count != 2 {
  102. t.Fatalf("expected 2 inbound rows, got %d: a bound id overwrote the first row instead of creating a new one", count)
  103. }
  104. var reloaded model.Inbound
  105. if err := database.GetDB().First(&reloaded, created.Id).Error; err != nil {
  106. t.Fatalf("reload first: %v", err)
  107. }
  108. if reloaded.Port != 45100 {
  109. t.Fatalf("first inbound port = %d, want 45100 (the second add overwrote it)", reloaded.Port)
  110. }
  111. }
  112. func TestAddInbound_AcceptsWireguardClientWithKey(t *testing.T) {
  113. setupConflictDB(t)
  114. svc := &InboundService{}
  115. settings := `{"secretKey":"` + wgTestSecretKey() + `","mtu":1420,"clients":[{"email":"wgimp@x","enable":true,"privateKey":"keep-priv","publicKey":"keep-pub","allowedIPs":["10.0.0.50/32"]}]}`
  116. in := &model.Inbound{
  117. Tag: "in-45200-wg",
  118. Enable: true,
  119. Listen: "0.0.0.0",
  120. Port: 45200,
  121. Protocol: model.WireGuard,
  122. Settings: settings,
  123. }
  124. if _, _, err := svc.AddInbound(in); err != nil {
  125. t.Fatalf("AddInbound rejected a keyed WireGuard client: %v", err)
  126. }
  127. var count int64
  128. if err := database.GetDB().Model(&model.Inbound{}).Where("tag = ?", "in-45200-wg").Count(&count).Error; err != nil {
  129. t.Fatalf("count: %v", err)
  130. }
  131. if count != 1 {
  132. t.Fatalf("WireGuard inbound with a keyed client was not created, row count = %d", count)
  133. }
  134. }
  135. // end-to-end: same guard on the update path, on a row that was valid before
  136. // the edit — the rejected StreamSettings must not overwrite the stored row.
  137. func TestUpdateInbound_RejectsFinalMaskRealityCombo(t *testing.T) {
  138. setupConflictDB(t)
  139. seedInboundConflict(t, "in-44301-tcp", "0.0.0.0", 44301, model.VLESS,
  140. `{"network":"tcp","security":"reality","realitySettings":{}}`, `{"clients":[]}`)
  141. var existing model.Inbound
  142. if err := database.GetDB().Where("tag = ?", "in-44301-tcp").First(&existing).Error; err != nil {
  143. t.Fatalf("read seeded row: %v", err)
  144. }
  145. svc := &InboundService{}
  146. update := existing
  147. update.StreamSettings = realityFinalMaskStream
  148. if _, _, err := svc.UpdateInbound(&update); err == nil {
  149. t.Fatal("UpdateInbound: want error for finalmask+reality, got nil")
  150. }
  151. var reloaded model.Inbound
  152. if err := database.GetDB().First(&reloaded, existing.Id).Error; err != nil {
  153. t.Fatalf("reload: %v", err)
  154. }
  155. if reloaded.StreamSettings != existing.StreamSettings {
  156. t.Fatalf("UpdateInbound: rejected StreamSettings was persisted anyway\ngot: %s\nwant: %s", reloaded.StreamSettings, existing.StreamSettings)
  157. }
  158. }
  159. // GetXrayConfig must heal a row that already carries finalmask+reality in the
  160. // DB (saved before this guard existed - an upgrade, a node sync, a restored
  161. // backup, or a direct DB edit) rather than handing xray-core a config that
  162. // panics it on the first connection. Bypasses AddInbound/UpdateInbound
  163. // entirely by writing the row directly, the same way a pre-existing bad row
  164. // would already be sitting in a real database.
  165. func TestGetXrayConfig_HealsFinalMaskRealityCombo(t *testing.T) {
  166. setupConflictDB(t)
  167. seedInboundConflict(t, "in-44302-tcp", "0.0.0.0", 44302, model.VLESS,
  168. realityFinalMaskStream, `{"clients":[]}`)
  169. svc := &XrayService{}
  170. cfg, err := svc.GetXrayConfig()
  171. if err != nil {
  172. t.Fatalf("GetXrayConfig: %v", err)
  173. }
  174. for i := range cfg.InboundConfigs {
  175. ic := cfg.InboundConfigs[i]
  176. if ic.Tag != "in-44302-tcp" {
  177. continue
  178. }
  179. var stream map[string]any
  180. if err := json.Unmarshal(ic.StreamSettings, &stream); err != nil {
  181. t.Fatalf("unmarshal emitted streamSettings: %v", err)
  182. }
  183. if stream["security"] != "reality" {
  184. t.Fatalf("security = %v, want reality (test setup broken)", stream["security"])
  185. }
  186. if _, has := stream["finalmask"]; has {
  187. t.Fatalf("emitted config still carries finalmask alongside reality — this crashes Xray-core: %v", stream["finalmask"])
  188. }
  189. return
  190. }
  191. t.Fatalf("inbound in-44302-tcp not found in generated config")
  192. }