feat(miniooni): implement torsf tunnel (#921)

This diff adds to miniooni support for using the torsf tunnel. Such a
tunnel consists of a snowflake pluggable transport in front of a custom
instance of tor and requires tor to be installed.

The usage is like:

```
./miniooni --tunnel=torsf [...]
```

The default snowflake rendezvous method is "domain_fronting". You can
select the AMP cache instead using "amp":

```
./miniooni --snowflake-rendezvous=amp --tunnel=torsf [...]
```

Part of ooni/probe#1955

Author: bassosimone

internal/cmd/miniooni/main.go

@@ -25,25 +25,26 @@ import (
 
 // Options contains the options you can set from the CLI.
 type Options struct {
-	Annotations      []string
-	Emoji            bool
-	ExtraOptions     []string
-	HomeDir          string
-	Inputs           []string
-	InputFilePaths   []string
-	MaxRuntime       int64
-	NoJSON           bool
-	NoCollector      bool
-	ProbeServicesURL string
-	Proxy            string
-	Random           bool
-	RepeatEvery      int64
-	ReportFile       string
-	TorArgs          []string
-	TorBinary        string
-	Tunnel           string
-	Verbose          bool
-	Yes              bool
+	Annotations         []string
+	Emoji               bool
+	ExtraOptions        []string
+	HomeDir             string
+	Inputs              []string
+	InputFilePaths      []string
+	MaxRuntime          int64
+	NoJSON              bool
+	NoCollector         bool
+	ProbeServicesURL    string
+	Proxy               string
+	Random              bool
+	RepeatEvery         int64
+	ReportFile          string
+	SnowflakeRendezvous string
+	TorArgs             []string
+	TorBinary           string
+	Tunnel              string
+	Verbose             bool
+	Yes                 bool
 }
 
 // main is the main function of miniooni.
@@ -125,6 +126,13 @@ func main() {
 		"set the output report file path (default: \"report.jsonl\")",
 	)
 
+	flags.StringVar(
+		&globalOptions.SnowflakeRendezvous,
+		"snowflake-rendezvous",
+		"domain_fronting",
+		"rendezvous method for --tunnel=torsf (one of: \"domain_fronting\" and \"amp\")",
+	)
+
 	flags.StringSliceVar(
 		&globalOptions.TorArgs,
 		"tor-args",
@@ -143,7 +151,7 @@ func main() {
 		&globalOptions.Tunnel,
 		"tunnel",
 		"",
-		"tunnel to use to communicate with the OONI backend (one of: tor, psiphon)",
+		"tunnel to use to communicate with the OONI backend (one of: psiphon, tor, torsf)",
 	)
 
 	flags.BoolVarP(

internal/cmd/miniooni/session.go

@@ -36,14 +36,15 @@ func newSessionOrPanic(ctx context.Context, currentOptions *Options,
 	runtimex.PanicOnError(err, "cannot create tunnelDir")
 
 	config := engine.SessionConfig{
-		KVStore:         kvstore,
-		Logger:          logger,
-		ProxyURL:        proxyURL,
-		SoftwareName:    softwareName,
-		SoftwareVersion: softwareVersion,
-		TorArgs:         currentOptions.TorArgs,
-		TorBinary:       currentOptions.TorBinary,
-		TunnelDir:       tunnelDir,
+		KVStore:             kvstore,
+		Logger:              logger,
+		ProxyURL:            proxyURL,
+		SnowflakeRendezvous: currentOptions.SnowflakeRendezvous,
+		SoftwareName:        softwareName,
+		SoftwareVersion:     softwareVersion,
+		TorArgs:             currentOptions.TorArgs,
+		TorBinary:           currentOptions.TorBinary,
+		TunnelDir:           tunnelDir,
 	}
 	if currentOptions.ProbeServicesURL != "" {
 		config.AvailableProbeServices = []model.OOAPIService{{

internal/engine/session.go

@@ -35,6 +35,10 @@ type SessionConfig struct {
 	TorArgs                []string
 	TorBinary              string
 
+	// SnowflakeRendezvous is the rendezvous method
+	// to be used by the torsf tunnel
+	SnowflakeRendezvous string
+
 	// TunnelDir is the directory where we should store
 	// the state of persistent tunnels. This field is
 	// optional _unless_ you want to use tunnels. In such
@@ -171,16 +175,17 @@ func NewSession(ctx context.Context, config SessionConfig) (*Session, error) {
 	proxyURL := config.ProxyURL
 	if proxyURL != nil {
 		switch proxyURL.Scheme {
-		case "psiphon", "tor", "fake":
+		case "psiphon", "tor", "torsf", "fake":
 			config.Logger.Infof(
 				"starting '%s' tunnel; please be patient...", proxyURL.Scheme)
 			tunnel, _, err := tunnel.Start(ctx, &tunnel.Config{
-				Logger:    config.Logger,
-				Name:      proxyURL.Scheme,
-				Session:   &sessionTunnelEarlySession{},
-				TorArgs:   config.TorArgs,
-				TorBinary: config.TorBinary,
-				TunnelDir: config.TunnelDir,
+				Logger:              config.Logger,
+				Name:                proxyURL.Scheme,
+				SnowflakeRendezvous: config.SnowflakeRendezvous,
+				Session:             &sessionTunnelEarlySession{},
+				TorArgs:             config.TorArgs,
+				TorBinary:           config.TorBinary,
+				TunnelDir:           config.TunnelDir,
 			})
 			if err != nil {
 				return nil, err

internal/ptx/ptx.go

@@ -74,6 +74,10 @@ type Listener struct {
 	// counts the bytes consumed by the experiment.
 	ExperimentByteCounter *bytecounter.Counter
 
+	// ListenSocks is OPTIONAL and allows you to override the
+	// function called by default to listen for SOCKS5.
+	ListenSocks func(network string, laddr string) (SocksListener, error)
+
 	// Logger is the OPTIONAL logger. When not set, this library
 	// will not emit logs. (But the underlying pluggable transport
 	// may still emit its own log messages.)
@@ -98,10 +102,7 @@ type Listener struct {
 	laddr net.Addr
 
 	// listener allows us to stop the listener.
-	listener ptxSocksListener
-
-	// overrideListenSocks allows us to override pt.ListenSocks.
-	overrideListenSocks func(network string, laddr string) (ptxSocksListener, error)
+	listener SocksListener
 }
 
 // logger returns the Logger, if set, or the defaultLogger.
@@ -148,7 +149,7 @@ func (lst *Listener) forwardWithContext(ctx context.Context, left, right net.Con
 // handleSocksConn handles a new SocksConn connection by establishing
 // the corresponding PT connection and forwarding traffic. This
 // function TAKES OWNERSHIP of the socksConn argument.
-func (lst *Listener) handleSocksConn(ctx context.Context, socksConn ptxSocksConn) error {
+func (lst *Listener) handleSocksConn(ctx context.Context, socksConn SocksConn) error {
 	err := socksConn.Grant(&net.TCPAddr{IP: net.IPv4zero, Port: 0})
 	if err != nil {
 		lst.logger().Warnf("ptx: socksConn.Grant error: %s", err)
@@ -169,10 +170,10 @@ func (lst *Listener) handleSocksConn(ctx context.Context, socksConn ptxSocksConn
 	return nil                                     // used for testing
 }
 
-// ptxSocksListener is a pt.SocksListener-like structure.
-type ptxSocksListener interface {
+// SocksListener is the listener for socks connections.
+type SocksListener interface {
 	// AcceptSocks accepts a socks conn
-	AcceptSocks() (ptxSocksConn, error)
+	AcceptSocks() (SocksConn, error)
 
 	// Addr returns the listening address.
 	Addr() net.Addr
@@ -181,8 +182,8 @@ type ptxSocksListener interface {
 	Close() error
 }
 
-// ptxSocksConn is a pt.SocksConn-like structure.
-type ptxSocksConn interface {
+// SocksConn is a SOCKS connection.
+type SocksConn interface {
 	// net.Conn is the embedded interface.
 	net.Conn
 
@@ -192,7 +193,7 @@ type ptxSocksConn interface {
 
 // acceptLoop accepts and handles local socks connection. This function
 // DOES NOT take ownership of the socks listener.
-func (lst *Listener) acceptLoop(ctx context.Context, ln ptxSocksListener) {
+func (lst *Listener) acceptLoop(ctx context.Context, ln SocksListener) {
 	for {
 		conn, err := ln.AcceptSocks()
 		if err != nil {
@@ -243,15 +244,15 @@ func (lst *Listener) Start() error {
 }
 
 // listenSocks calles either pt.ListenSocks or lst.overrideListenSocks.
-func (lst *Listener) listenSocks(network string, laddr string) (ptxSocksListener, error) {
-	if lst.overrideListenSocks != nil {
-		return lst.overrideListenSocks(network, laddr)
+func (lst *Listener) listenSocks(network string, laddr string) (SocksListener, error) {
+	if lst.ListenSocks != nil {
+		return lst.ListenSocks(network, laddr)
 	}
 	return lst.castListener(pt.ListenSocks(network, laddr))
 }
 
 // castListener casts a pt.SocksListener to ptxSocksListener.
-func (lst *Listener) castListener(in *pt.SocksListener, err error) (ptxSocksListener, error) {
+func (lst *Listener) castListener(in *pt.SocksListener, err error) (SocksListener, error) {
 	if err != nil {
 		return nil, err
 	}
@@ -264,7 +265,7 @@ type ptxSocksListenerAdapter struct {
 }
 
 // AcceptSocks adapts pt.SocksListener.AcceptSocks to ptxSockListener.AcceptSocks.
-func (la *ptxSocksListenerAdapter) AcceptSocks() (ptxSocksConn, error) {
+func (la *ptxSocksListenerAdapter) AcceptSocks() (SocksConn, error) {
 	return la.SocksListener.AcceptSocks()
 }
 
@@ -307,11 +308,11 @@ func (lst *Listener) Stop() {
 // Assuming that we are listening at 127.0.0.1:12345, then this
 // function will return the following string:
 //
-//     obfs4 socks5 127.0.0.1:12345
+//	obfs4 socks5 127.0.0.1:12345
 //
 // The correct configuration line for the `torrc` would be:
 //
-//     ClientTransportPlugin obfs4 socks5 127.0.0.1:12345
+//	ClientTransportPlugin obfs4 socks5 127.0.0.1:12345
 //
 // Since we pass configuration to tor using the command line, it
 // is more convenient to us to avoid including ClientTransportPlugin

internal/ptx/ptx_test.go

@@ -73,7 +73,7 @@ func TestListenerWorksWithFakeDialer(t *testing.T) {
 func TestListenerCannotListen(t *testing.T) {
 	expected := errors.New("mocked error")
 	lst := &Listener{
-		overrideListenSocks: func(network, laddr string) (ptxSocksListener, error) {
+		ListenSocks: func(network, laddr string) (SocksListener, error) {
 			return nil, expected
 		},
 	}
@@ -193,7 +193,7 @@ func TestListenerForwardWithNaturalTermination(t *testing.T) {
 // mockableSocksListener is a mockable ptxSocksListener.
 type mockableSocksListener struct {
 	// MockAcceptSocks allows to mock AcceptSocks.
-	MockAcceptSocks func() (ptxSocksConn, error)
+	MockAcceptSocks func() (SocksConn, error)
 
 	// MockAddr allows to mock Addr.
 	MockAddr func() net.Addr
@@ -203,7 +203,7 @@ type mockableSocksListener struct {
 }
 
 // AcceptSocks implemements ptxSocksListener.AcceptSocks.
-func (m *mockableSocksListener) AcceptSocks() (ptxSocksConn, error) {
+func (m *mockableSocksListener) AcceptSocks() (SocksConn, error) {
 	return m.MockAcceptSocks()
 }
 
@@ -220,7 +220,7 @@ func (m *mockableSocksListener) Close() error {
 func TestListenerLoopWithTemporaryError(t *testing.T) {
 	isclosed := &atomicx.Int64{}
 	sl := &mockableSocksListener{
-		MockAcceptSocks: func() (ptxSocksConn, error) {
+		MockAcceptSocks: func() (SocksConn, error) {
 			if isclosed.Load() > 0 {
 				return nil, io.EOF
 			}

internal/tunnel/config.go

@@ -10,6 +10,7 @@ import (
 	"github.com/cretz/bine/control"
 	"github.com/cretz/bine/tor"
 	"github.com/ooni/probe-cli/v3/internal/model"
+	"github.com/ooni/probe-cli/v3/internal/ptx"
 	"golang.org/x/sys/execabs"
 )
 
@@ -28,6 +29,10 @@ type Config struct {
 	// of obtaining a valid psiphon configuration.
 	Session Session
 
+	// SnowflakeRendezvous is the OPTIONAL rendezvous
+	// method for snowflake
+	SnowflakeRendezvous string
+
 	// TunnelDir is the MANDATORY directory in which the tunnel SHOULD
 	// store its state, if any. If this field is empty, the
 	// Start function fails with ErrEmptyTunnelDir.
@@ -56,6 +61,18 @@ type Config struct {
 	// testNetListen allows us to mock net.Listen in testing code.
 	testNetListen func(network string, address string) (net.Listener, error)
 
+	// testSfListenSocks is OPTIONAL and allows to override the
+	// ListenSocks field of a ptx.Listener.
+	testSfListenSocks func(network string, laddr string) (ptx.SocksListener, error)
+
+	// testSfNewPTXListener is OPTIONAL and allows us to wrap the
+	// constructed ptx.Listener for testing purposes.
+	testSfWrapPTXListener func(torsfPTXListener) torsfPTXListener
+
+	// testSfTorStart is OPTIONAL and allows us to override the
+	// call to torStart inside the torsf tunnel.
+	testSfTorStart func(ctx context.Context, config *Config) (Tunnel, DebugInfo, error)
+
 	// testSocks5New allows us to mock socks5.New in testing code.
 	testSocks5New func(conf *socks5.Config) (*socks5.Server, error)
 
@@ -74,6 +91,14 @@ type Config struct {
 	testTorGetInfo func(ctrl *control.Conn, keys ...string) ([]*control.KeyVal, error)
 }
 
+// snowflakeRendezvousMethod returns the rendezvous method that snowflake should use
+func (c *Config) snowflakeRendezvousMethod() string {
+	if c.SnowflakeRendezvous != "" {
+		return c.SnowflakeRendezvous
+	}
+	return "domain_fronting"
+}
+
 // logger returns the logger to use.
 func (c *Config) logger() model.Logger {
 	if c.Logger != nil {