test_trr_preemptive_proxy_auth.js

Enable keyboard shortcuts

/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

// Verifies that a TRRServiceChannel preemptively sends Proxy-Authorization

// when the nsIProxyInfo returned by the registered proxy filter carries a

// bearer token (as IPPChannelFilter constructs via newProxyInfo's

// aProxyAuthorizationHeader argument).

//

// The HTTP/2 proxy is started in auth-required mode: a CONNECT without a

// Proxy-Authorization header is answered with 407 and the stream is closed.

// TRRServiceChannel has no nsHttpChannelAuthProvider, so it cannot retry

// after a 407. Therefore a successful DNS resolution through the proxy is

// only possible if the channel includes Proxy-Authorization on the first

// CONNECT.

"use strict";

/* import-globals-from head_trr.js */

/* import-globals-from head_channels.js */

const { NodeHTTP2ProxyServer } = ChromeUtils.importESModule(

  "resource://testing-common/NodeServer.sys.mjs"

);

const BEARER_TOKEN = "Bearer trr-preemptive-test-token";

// Mirrors IPPChannelFilter.applyFilter: returns an nsIProxyInfo whose

// proxyAuthorizationHeader is the bearer token. The TRRServiceChannel under

// test should then copy that onto its request head before the CONNECT goes

// out (see TRRServiceChannel::OnProxyAvailable).

class BearerProxyChannelFilter {

  QueryInterface = ChromeUtils.generateQI(["nsIProtocolProxyChannelFilter"]);

  constructor(host, port, trrUriPrefix) {

    this._host = host;

    this._port = port;

    this._trrUriPrefix = trrUriPrefix;

  applyFilter(channel, defaultPI, cb) {

    // Only proxy the TRR DoH endpoint. Anything else (e.g. cert revocation

    // lookups for the proxy itself) stays direct.

    if (!channel.URI.spec.startsWith(this._trrUriPrefix)) {

      cb.onProxyFilterResult(defaultPI);

      return;

    const pps = Cc["@mozilla.org/network/protocol-proxy-service;1"].getService(

      Ci.nsIProtocolProxyService

);

    cb.onProxyFilterResult(

      pps.newProxyInfo(

        "https",

        this._host,

        this._port,

        BEARER_TOKEN, // aProxyAuthorizationHeader

        "", // aConnectionIsolationKey

        Ci.nsIProxyInfo.TRANSPARENT_PROXY_RESOLVES_HOST,

        10, // failover timeout

        null

);

let pps;

let proxy;

let trrServer;

let filter;

add_setup(async function setup() {

  trr_test_setup();

  const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(

    Ci.nsIX509CertDB

);

  addCertFromFile(certdb, "http2-ca.pem", "CTu,u,u");

  addCertFromFile(certdb, "proxy-ca.pem", "CTu,u,u");

  trrServer = new TRRServer();

  await trrServer.start();

  await trrServer.registerDoHAnswers("test.proxy.com", "A", {

    answers: [

        name: "test.proxy.com",

        ttl: 55,

        type: "A",

        flush: false,

        data: "3.3.3.3",

},

],

});

  // Wrap the DoH handler so we can assert that the inner DoH request the

  // server sees does NOT carry Proxy-Authorization. That header is for the

  // proxy hop only and must never reach the origin.

  await trrServer.execute(`

    global.dnsQuerySawProxyAuth = false;

    global.originalDnsQueryHandler = global.path_handlers["/dns-query"];

`);

  await trrServer.registerPathHandler("/dns-query", function (req, resp) {

    if (req.headers["proxy-authorization"]) {

      global.dnsQuerySawProxyAuth = true;

    return global.originalDnsQueryHandler(req, resp);

});

  proxy = new NodeHTTP2ProxyServer();

  // auth=true: reject CONNECT requests without Proxy-Authorization with 407.

  // Skip the proxy's built-in proxy filter; we install our own that carries

  // the bearer token.

  await proxy.startWithoutProxyFilter(0, true);

  pps = Cc["@mozilla.org/network/protocol-proxy-service;1"].getService(

    Ci.nsIProtocolProxyService

);

  filter = new BearerProxyChannelFilter(

    "localhost",

    proxy.port(),

    `https://foo.example.com:${trrServer.port()}/dns-query`

);

  pps.registerChannelFilter(filter, 0);

  registerCleanupFunction(async () => {

    if (filter) {

      pps.unregisterChannelFilter(filter);

      filter = null;

    if (proxy) {

      await proxy.stop();

      proxy = null;

    if (trrServer) {

      await trrServer.stop();

      trrServer = null;

    trr_clear_prefs();

});

});

add_task(async function test_trr_preemptive_proxy_auth() {

  Services.prefs.setIntPref("network.trr.mode", 3);

  Services.prefs.setIntPref(

    "network.trr.request_timeout_mode_trronly_ms",

);

  Services.prefs.setCharPref(

    "network.trr.uri",

    `https://foo.example.com:${trrServer.port()}/dns-query`

);

  Services.dns.clearCache(true);

  // If the bearer is not attached to the CONNECT, the proxy answers 407 and

  // TRR cannot retry — the listener would observe a failure here.

  await new TRRDNSListener("test.proxy.com", "3.3.3.3");

  Assert.ok(

    !(await trrServer.execute("global.dnsQuerySawProxyAuth")),

    "Proxy-Authorization must not leak through to the DoH server"

);

});