diff --git a/internal/cmd/miniooni/main.go b/internal/cmd/miniooni/main.go index db9e71da9..11add9c7e 100644 --- a/internal/cmd/miniooni/main.go +++ b/internal/cmd/miniooni/main.go @@ -26,6 +26,7 @@ import ( // Options contains the options you can set from the CLI. type Options struct { Annotations []string + AuthFile string Emoji bool ExtraOptions []string HomeDir string @@ -228,6 +229,13 @@ func registerOONIRun(rootCmd *cobra.Command, globalOptions *Options) { []string{}, "Path to the OONI Run v2 descriptor to run (may be specified multiple times)", ) + flags.StringVarP( + &globalOptions.AuthFile, + "bearer-token-file", + "", + "", + "Path to a file containing a bearer token for fetching a remote OONI Run v2 descriptor", + ) } // registerAllExperiments registers a subcommand for each experiment diff --git a/internal/cmd/miniooni/oonirun.go b/internal/cmd/miniooni/oonirun.go index 366839bad..d4c2a2690 100644 --- a/internal/cmd/miniooni/oonirun.go +++ b/internal/cmd/miniooni/oonirun.go @@ -21,6 +21,7 @@ func ooniRunMain(ctx context.Context, logger := sess.Logger() cfg := &oonirun.LinkConfig{ AcceptChanges: currentOptions.Yes, + AuthFile: currentOptions.AuthFile, Annotations: annotations, KVStore: sess.KeyValueStore(), MaxRuntime: currentOptions.MaxRuntime, diff --git a/internal/oonirun/link.go b/internal/oonirun/link.go index d5ceba265..3321db03b 100644 --- a/internal/oonirun/link.go +++ b/internal/oonirun/link.go @@ -19,6 +19,10 @@ type LinkConfig struct { // reviewing what it contains or what has changed. AcceptChanges bool + // AuthFile is OPTIONAL and will add an authentication header to the + // request used for fetching this OONI Run link. + AuthFile string + // Annotations contains OPTIONAL Annotations for the experiment. Annotations map[string]string diff --git a/internal/oonirun/v2.go b/internal/oonirun/v2.go index 6552ad582..c2a3ca065 100644 --- a/internal/oonirun/v2.go +++ b/internal/oonirun/v2.go @@ -5,15 +5,19 @@ package oonirun // import ( + "bufio" "context" + "encoding/base64" "encoding/json" "errors" "fmt" + "strings" "sync/atomic" "github.com/hexops/gotextdiff" "github.com/hexops/gotextdiff/myers" "github.com/hexops/gotextdiff/span" + "github.com/ooni/probe-cli/v3/internal/fsx" "github.com/ooni/probe-cli/v3/internal/httpclientx" "github.com/ooni/probe-cli/v3/internal/kvstore" "github.com/ooni/probe-cli/v3/internal/model" @@ -63,12 +67,16 @@ type V2Nettest struct { // getV2DescriptorFromHTTPSURL GETs a v2Descriptor instance from // a static URL (e.g., from a GitHub repo or from a Gist). func getV2DescriptorFromHTTPSURL(ctx context.Context, client model.HTTPClient, - logger model.Logger, URL string) (*V2Descriptor, error) { + logger model.Logger, URL, auth string) (*V2Descriptor, error) { + if auth != "" { + // we assume a bearer token + auth = fmt.Sprintf("Bearer %s", auth) + } return httpclientx.GetJSON[*V2Descriptor]( ctx, httpclientx.NewEndpoint(URL), &httpclientx.Config{ - Authorization: "", // not needed + Authorization: auth, Client: client, Logger: logger, UserAgent: model.HTTPHeaderUserAgent, @@ -140,9 +148,9 @@ func v2DescriptorCacheLoad(fsstore model.KeyValueStore) (*v2DescriptorCache, err // - err is the error that occurred, or nil in case of success. func (cache *v2DescriptorCache) PullChangesWithoutSideEffects( ctx context.Context, client model.HTTPClient, logger model.Logger, - URL string) (oldValue, newValue *V2Descriptor, err error) { + URL, auth string) (oldValue, newValue *V2Descriptor, err error) { oldValue = cache.Entries[URL] - newValue, err = getV2DescriptorFromHTTPSURL(ctx, client, logger, URL) + newValue, err = getV2DescriptorFromHTTPSURL(ctx, client, logger, URL, auth) return } @@ -263,7 +271,11 @@ func v2MeasureHTTPS(ctx context.Context, config *LinkConfig, URL string) error { // pull a possibly new descriptor without updating the old descriptor clnt := config.Session.DefaultHTTPClient() - oldValue, newValue, err := cache.PullChangesWithoutSideEffects(ctx, clnt, logger, URL) + auth, err := v2MaybeGetAuthenticationTokenFromFile(config.AuthFile) + if err != nil { + logger.Warnf("oonirun: failed to retrieve auth token: %v", err) + } + oldValue, newValue, err := cache.PullChangesWithoutSideEffects(ctx, clnt, logger, URL, auth) if err != nil { return err } @@ -290,3 +302,46 @@ func v2MeasureHTTPS(ctx context.Context, config *LinkConfig, URL string) error { // note: this function gracefully handles nil values return V2MeasureDescriptor(ctx, config, newValue) } + +func v2MaybeGetAuthenticationTokenFromFile(path string) (string, error) { + if path != "" { + return v2ReadBearerTokenFromFile(path) + } + return "", nil +} + +// v2ReadBearerTokenFromFile tries to extract a valid (base64) bearer token from +// the first line of the passed text file. +// If there is an error while reading from the file, the error will be returned. +// If we can read from the file but there's no valid token found, an empty string will be returned. +func v2ReadBearerTokenFromFile(fileName string) (string, error) { + filep, err := fsx.OpenFile(fileName) + if err != nil { + return "", err + } + defer filep.Close() + + scanner := bufio.NewScanner(filep) + + // Scan the first line + if scanner.Scan() { + line := scanner.Text() + + token := strings.TrimSpace(line) + + // if this is not a valid base64 token, return empty string + if _, err := base64.StdEncoding.DecodeString(token); err != nil { + return "", nil + } + + return token, nil + } + + // Check for any scanning error + if err := scanner.Err(); err != nil { + return "", err + } + + // Return empty string if file is empty + return "", nil +} diff --git a/internal/oonirun/v2_test.go b/internal/oonirun/v2_test.go index b77b9b7bf..63d3075af 100644 --- a/internal/oonirun/v2_test.go +++ b/internal/oonirun/v2_test.go @@ -6,6 +6,8 @@ import ( "errors" "net/http" "net/http/httptest" + "os" + "path/filepath" "testing" "github.com/ooni/probe-cli/v3/internal/httpclientx" @@ -262,6 +264,131 @@ func TestOONIRunV2LinkEmptyTestName(t *testing.T) { } } +func TestOONIRunV2LinkWithAuthentication(t *testing.T) { + + t.Run("authentication raises error if no token is passed", func(t *testing.T) { + token := "c2VjcmV0" + bearerToken := "Bearer " + token + + // make a local server that returns a reasonable descriptor for the example experiment + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + authHeader := r.Header.Get("Authorization") + if authHeader != bearerToken { + // If the header is not what expected, return a 401 Unauthorized status + http.Error(w, "Unauthorized", http.StatusUnauthorized) + return + } + descriptor := &V2Descriptor{ + Name: "", + Description: "", + Author: "", + Nettests: []V2Nettest{{ + Inputs: []string{}, + Options: json.RawMessage(`{ + "SleepTime": 10000000 + }`), + TestName: "example", + }}, + } + data, err := json.Marshal(descriptor) + runtimex.PanicOnError(err, "json.Marshal failed") + w.Write(data) + })) + + defer server.Close() + ctx := context.Background() + + // create a minimal link configuration + config := &LinkConfig{ + AcceptChanges: true, // avoid "oonirun: need to accept changes" error + Annotations: map[string]string{ + "platform": "linux", + }, + KVStore: &kvstore.Memory{}, + MaxRuntime: 0, + NoCollector: true, + NoJSON: true, + Random: false, + ReportFile: "", + Session: newMinimalFakeSession(), + } + + // construct a link runner relative to the local server URL + r := NewLinkRunner(config, server.URL) + + if err := r.Run(ctx); err != nil { + if err.Error() != "httpx: request failed" { + t.Fatal("expected error") + } + } + }) + + t.Run("authentication does not fail the auth token is passed", func(t *testing.T) { + token := "c2VjcmV0" + bearerToken := "Bearer " + token + + // make a local server that returns a reasonable descriptor for the example experiment + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + authHeader := r.Header.Get("Authorization") + if authHeader != bearerToken { + // If the header is not what expected, return a 401 Unauthorized status + http.Error(w, "Unauthorized", http.StatusUnauthorized) + return + } + descriptor := &V2Descriptor{ + Name: "", + Description: "", + Author: "", + Nettests: []V2Nettest{{ + Inputs: []string{}, + Options: json.RawMessage(`{ + "SleepTime": 10000000 + }`), + TestName: "example", + }}, + } + data, err := json.Marshal(descriptor) + runtimex.PanicOnError(err, "json.Marshal failed") + w.Write(data) + })) + + defer server.Close() + ctx := context.Background() + + authFile, err := os.CreateTemp(t.TempDir(), "token-") + if err != nil { + t.Fatal(err) + } + defer authFile.Close() + defer os.Remove(authFile.Name()) + + authFile.Write([]byte(token)) + + // create a minimal link configuration + config := &LinkConfig{ + AcceptChanges: true, // avoid "oonirun: need to accept changes" error + Annotations: map[string]string{ + "platform": "linux", + }, + AuthFile: authFile.Name(), + KVStore: &kvstore.Memory{}, + MaxRuntime: 0, + NoCollector: true, + NoJSON: true, + Random: false, + ReportFile: "", + Session: newMinimalFakeSession(), + } + + // construct a link runner relative to the local server URL + r := NewLinkRunner(config, server.URL) + + if err := r.Run(ctx); err != nil { + t.Fatal(err) + } + }) +} + func TestOONIRunV2LinkConnectionResetByPeer(t *testing.T) { // create a local server that will reset the connection immediately. // actually contains an empty test name, which is what we want to test @@ -509,7 +636,6 @@ func TestV2MeasureHTTPS(t *testing.T) { t.Fatal("unexpected err", err) } }) - } func TestV2DescriptorCacheLoad(t *testing.T) { @@ -535,3 +661,138 @@ func TestV2DescriptorCacheLoad(t *testing.T) { } }) } + +func Test_readFirstLineFromFile(t *testing.T) { + + t.Run("return empty string if file is empty", func(t *testing.T) { + f, err := os.CreateTemp(t.TempDir(), "auth-") + if err != nil { + t.Fatal(err) + } + f.Write([]byte("")) + defer f.Close() + defer os.Remove(f.Name()) + + line, err := v2ReadBearerTokenFromFile(f.Name()) + if line != "" { + t.Fatal("expected empty string") + } + if err != nil { + t.Fatal("expected err==nil") + } + }) + + t.Run("return empty string if first line is just whitespace", func(t *testing.T) { + f, err := os.CreateTemp(t.TempDir(), "auth-") + if err != nil { + t.Fatal(err) + } + f.Write([]byte(" \n")) + defer f.Close() + defer os.Remove(f.Name()) + + line, err := v2ReadBearerTokenFromFile(f.Name()) + if line != "" { + t.Fatal("expected empty string") + } + if err != nil { + t.Fatal("expected err==nil") + } + }) + + t.Run("return error if file does not exist", func(t *testing.T) { + line, err := v2ReadBearerTokenFromFile(filepath.Join(t.TempDir(), "non-existent")) + if line != "" { + t.Fatal("expected empty string") + } + if !errors.Is(err, os.ErrNotExist) { + t.Fatal("expected ErrNotExist") + } + }) + + t.Run("return first line with a file of one line without EOL", func(t *testing.T) { + f, err := os.CreateTemp(t.TempDir(), "auth-") + if err != nil { + t.Fatal(err) + } + + token := "c2VjcmV0" // b64("secret") + f.Write([]byte(token)) + defer f.Close() + defer os.Remove(f.Name()) + + line, err := v2ReadBearerTokenFromFile(f.Name()) + if line != token { + t.Fatalf("expected %s, got %s", token, line) + } + if err != nil { + t.Fatal("expected err==nil") + } + }) + + t.Run("return first line with a file of one line with EOL", func(t *testing.T) { + f, err := os.CreateTemp(t.TempDir(), "auth-") + if err != nil { + t.Fatal(err) + } + + token := "c2VjcmV0" // b64("secret") + f.Write(append([]byte(token), '\n')) + defer f.Close() + defer os.Remove(f.Name()) + + line, err := v2ReadBearerTokenFromFile(f.Name()) + if line != token { + t.Fatalf("expected %s, got %s", token, line) + } + if err != nil { + t.Fatal("expected err==nil") + } + }) + + t.Run("return first line with a file of >1 line", func(t *testing.T) { + f, err := os.CreateTemp(t.TempDir(), "auth-") + if err != nil { + t.Fatal(err) + } + + token := "c2VjcmV0" // b64("secret") + f.Write([]byte(token)) + f.Write([]byte("\n")) + f.Write([]byte("something\nelse\nand\nsomething\nmore")) + defer f.Close() + defer os.Remove(f.Name()) + + line, err := v2ReadBearerTokenFromFile(f.Name()) + if line != token { + t.Fatalf("expected %s, got %s", token, line) + } + if err != nil { + t.Fatal("expected err==nil") + } + }) + + t.Run("return empty string if not a valid b64 token", func(t *testing.T) { + f, err := os.CreateTemp(t.TempDir(), "auth-") + if err != nil { + t.Fatal(err) + } + + token := "secret!" + f.Write([]byte(token)) + f.Write([]byte("\n")) + f.Write([]byte(" antani\n")) + defer f.Close() + defer os.Remove(f.Name()) + + expected := "" + + line, err := v2ReadBearerTokenFromFile(f.Name()) + if line != expected { + t.Fatalf("expected empty string, got %s", line) + } + if err != nil { + t.Fatal("expected err==nil") + } + }) +}