tlspretense 0.6.1

data/spec/packetthief/impl/ipfw_spec.rb

@@ -0,0 +1,98 @@
+require File.expand_path(File.join(File.dirname(__FILE__),'..','..','spec_helper'))
+
+module PacketThief
+module Impl
+  describe Ipfw do
+    before(:each) do
+      Ipfw.stub(:system).and_return(:true)
+    end
+
+    describe ".redirect" do
+      context "when it is told to redirect TCP port 443 traffic to localhost port 654321" do
+        it "calls ipfw with a rule that performs the diversion" do
+
+          Ipfw.should_receive(:system).with(*%W{/sbin/ipfw add set 30 fwd 127.0.0.1,65432 tcp from any to any dst-port 443}).and_return true
+
+          Ipfw.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443).run
+        end
+      end
+
+      context "when it is run on a Mac OS X system" do
+        it "calls sysctl to set net.inet.ip.scopedroute to 0" do
+          with_constants :RUBY_PLATFORM => "x86_darwin10" do
+
+            Ipfw.should_receive(:system).with(*%W{/usr/sbin/sysctl -w net.inet.ip.scopedroute=0}).ordered.and_return(true)
+            Ipfw.should_receive(:system).ordered.and_return(true)
+
+            Ipfw.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443).run
+          end
+        end
+
+        context "when the system is Lion and setting net.inet.ip.scopedroute fails" do
+          before(:each) do
+            Ipfw.should_receive(:system).with(*%W{/usr/sbin/sysctl -w net.inet.ip.scopedroute=0}).and_return(false)
+          end
+          it "does not raise an exception" do
+            with_constants :RUBY_PLATFORM => "x86_64-darwin11" do
+              expect do
+                Ipfw.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443).run
+              end.to_not raise_error
+            end
+          end
+          it "logs the error" do
+            with_constants :RUBY_PLATFORM => "x86_64-darwin11" do
+              Ipfw.should_receive(:logerror)
+
+              Ipfw.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443).run
+            end
+          end
+        end
+      end
+
+      context "when it is told to watch a particular interface" do
+        it "calls ipfw with a rule that performs the diversion" do
+          Ipfw.should_receive(:system).with(*%W{/sbin/ipfw add set 30 fwd 127.0.0.1,65432 tcp from any to any dst-port 443 recv eth1}).and_return true
+
+          Ipfw.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443, :in_interface => 'eth1').run
+        end
+      end
+
+    end
+
+
+    describe ".revert" do
+      context "when a rule has been previously added" do
+        before(:each) do
+          Ipfw.redirect(:to_ports => 3234).where(:protocol => :tcp, :dest_port => 80).run
+        end
+        it "removes the rule" do
+          Ipfw.should_receive(:system).with(*%W{/sbin/ipfw del set 30}).and_return true
+
+          Ipfw.revert
+        end
+      end
+    end
+
+    describe ".original_dest" do
+      context "when passed an object that implements Socket's #getsockname" do
+        it "returns the destination socket's details" do
+          @socket = double("socket")
+          @socket.stub(:getsockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+
+          Ipfw.original_dest(@socket).should == [16178, "10.101.96.97"]
+        end
+      end
+
+      context "when passed an object that implements EM::Connection's #getsockname" do
+        it "returns the destination connection's details" do
+          @socket = double("EM::Connection")
+          @socket.stub(:get_sockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+
+          Ipfw.original_dest(@socket).should == [16178, "10.101.96.97"]
+        end
+      end
+
+    end
+  end
+end
+end

data/spec/packetthief/impl/manual_spec.rb

@@ -0,0 +1,65 @@
+require File.expand_path(File.join(File.dirname(__FILE__),'..','..','spec_helper'))
+
+module PacketThief
+  module Impl
+    describe Manual do
+      before(:each) do
+        subject.stub(:system).and_return(:true)
+      end
+
+      subject {Manual}
+
+      describe ".redirect" do
+        context "when it is told to redirect TCP port 443 traffic to localhost port 654321" do
+          it "does not call a external command" do
+            subject.should_not_receive(:system)
+
+            subject.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443).run
+          end
+        end
+
+        context "when it is told to watch a particular interface" do
+          it "does not call a external command" do
+            subject.should_not_receive(:system)
+
+            subject.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443).run
+          end
+        end
+      end
+
+      describe ".revert" do
+        context "when a rule has been previously added" do
+          before(:each) do
+            subject.redirect(:to_ports => 3234).where(:protocol => :tcp, :dest_port => 80).run
+          end
+          it "does not call a external command" do
+            subject.should_not_receive(:system)
+
+            subject.revert
+          end
+        end
+      end
+
+      describe ".original_dest" do
+        after(:each) do
+          subject.set_dest(nil, nil)
+        end
+
+        context "when .set_dest(host, port) has not been set" do
+          it "raises an error" do
+            expect { subject.original_dest(double('socket')) }.to raise_error
+          end
+        end
+
+        context "when .set_dest(host, port) has been set" do
+          before(:each) { subject.set_dest('somehost', 1234) }
+
+          it "returns the specified port and host" do
+            subject.original_dest(double('socket')).should == [1234, 'somehost']
+          end
+        end
+      end
+
+    end
+  end
+end

data/spec/packetthief/impl/netfilter_spec.rb

@@ -0,0 +1,66 @@
+require File.expand_path(File.join(File.dirname(__FILE__),'..','..','spec_helper'))
+
+module PacketThief
+module Impl
+  describe Netfilter do
+    describe ".redirect" do
+      it { Netfilter.redirect.table.should == 'nat' }
+      it { Netfilter.redirect.chain.should == 'PREROUTING' }
+
+      context "when it is told to redirect TCP port 443 traffic to localhost port 654321" do
+        it "calls iptables with a rule that performs the diversion" do
+          Netfilter.should_receive(:system).with(*%W{/sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 65432}).and_return true
+
+          Netfilter.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443).run
+        end
+      end
+
+      context "when it is told to watch a particular interface" do
+        it "calls iptables with a rule that performs the diversion" do
+          Netfilter.should_receive(:system).with(*%W{/sbin/iptables -t nat -A PREROUTING -p tcp --destination-port 443 --in-interface eth1 -j REDIRECT --to-ports 65432}).and_return true
+
+          Netfilter.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443, :in_interface => 'eth1').run
+        end
+      end
+
+    end
+
+
+    describe ".revert" do
+      context "when a rule has been previously added" do
+        before(:each) do
+          Netfilter.stub(:system).and_return(:true)
+          Netfilter.redirect(:to_ports => 3234).where(:protocol => :tcp, :dest_port => 80).run
+        end
+        it "removes the rule" do
+          Netfilter.should_receive(:system).with(*%W{/sbin/iptables -t nat -D PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 3234}).and_return true
+
+          Netfilter.revert
+        end
+      end
+    end
+
+    describe ".original_dest" do
+      context "when passed an object that implements Socket's #getsockopt" do
+        it "returns the destination socket's details" do
+          @socket = double("socket")
+          @socket.should_receive(:getsockopt).with(Socket::IPPROTO_IP, Netfilter::SO_ORIGINAL_DST).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+
+          Netfilter.original_dest(@socket).should == [16178, "10.101.96.97"]
+        end
+      end
+
+      context "when passed an object that implements EM::Connection's #get_sock_opt" do
+        it "returns the destination connection's details" do
+          @socket = double("EM::Connection")
+          @socket.should_receive(:get_sock_opt).with(Socket::IPPROTO_IP, Netfilter::SO_ORIGINAL_DST).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+
+          Netfilter.original_dest(@socket).should == [16178, "10.101.96.97"]
+        end
+      end
+
+    end
+
+  end
+end
+end

data/spec/packetthief/impl/pf_divert_spec.rb

@@ -0,0 +1,82 @@
+require File.expand_path(File.join(File.dirname(__FILE__),'..','..','spec_helper'))
+
+module PacketThief
+module Impl
+  describe PFDivert do
+    subject { PFDivert }
+
+    before(:each) do
+      subject.stub(:system).and_return(:true)
+    end
+
+    # Either write our current ruleset to a file, or echo it into pfctl.
+    describe ".redirect" do
+      after(:each) do
+        subject.revert
+      end
+      context "when it is told to redirect TCP port 443 traffic to localhost port 65432" do
+        it "calls pfctl with a rule that performs the diversion" do
+
+          subject.should_receive(:system).with(*['echo', 'pass in proto tcp from any to any port 443 divert-to 127.0.0.1 port 65432']+%W{| pfctl -a packetthief -f -}).and_return true
+
+          subject.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443).run
+        end
+      end
+
+      context "when it is told to watch a particular interface" do
+        it "calls pf with a rule that performs the diversion" do
+          subject.should_receive(:system).with(*['echo', 'pass in on eth1 proto tcp from any to any port 443 divert-to 127.0.0.1 port 65432']+%W{| pfctl -a packetthief -f -}).and_return true
+
+          subject.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443, :in_interface => 'eth1').run
+        end
+      end
+
+      context "when it is called with two rules" do
+        it "sends both rules to pfctl on the second invocation" do
+          subject.should_receive(:system).with(*['echo', 'pass in proto tcp from any to any port 80 divert-to 127.0.0.1 port 65432']+%W{| pfctl -a packetthief -f -}).ordered.and_return true
+          subject.should_receive(:system).with(*['echo', "pass in proto tcp from any to any port 80 divert-to 127.0.0.1 port 65432\npass in proto tcp from any to any port 443 divert-to 127.0.0.1 port 65433"]+%W{| pfctl -a packetthief -f -}).ordered.and_return true
+
+          subject.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 80).run
+          subject.redirect(:to_ports => 65433).where(:protocol => :tcp, :dest_port => 443).run
+        end
+      end
+
+    end
+
+
+    describe ".revert" do
+      context "when a rule has been previously added" do
+        before(:each) do
+          subject.redirect(:to_ports => 3234).where(:protocol => :tcp, :dest_port => 80).run
+        end
+        it "removes the packetthief anchor" do
+          subject.should_receive(:system).with(*%W{pfctl -a packetthief -F rules}).and_return true
+
+          subject.revert
+        end
+      end
+    end
+
+    describe ".original_dest" do
+      context "when passed an object that implements Socket's #getsockname" do
+        it "returns the destination socket's details" do
+          @socket = double("socket")
+          @socket.stub(:getsockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+
+          subject.original_dest(@socket).should == [16178, "10.101.96.97"]
+        end
+      end
+
+      context "when passed an object that implements EM::Connection's #getsockname" do
+        it "returns the destination connection's details" do
+          @socket = double("EM::Connection")
+          @socket.stub(:get_sockname).and_return("\020\002?2\ne`a\000\000\000\000\000\000\000\000")
+
+          subject.original_dest(@socket).should == [16178, "10.101.96.97"]
+        end
+      end
+
+    end
+  end
+end
+end

data/spec/packetthief/impl/pf_rdr_spec.rb

@@ -0,0 +1,133 @@
+require File.expand_path(File.join(File.dirname(__FILE__),'..','..','spec_helper'))
+
+module PacketThief
+  module Impl
+    describe PFRdr do
+      subject { PFRdr }
+
+      before(:each) do
+        subject.stub(:system).and_return(:true)
+        IO.stub(:popen)
+      end
+
+      # Either write our current ruleset to a file, or echo it into pfctl.
+      describe ".redirect" do
+        after(:each) do
+          subject.revert
+        end
+        context "when it is told to redirect TCP port 443 traffic to localhost port 65432" do
+          it "calls pfctl with a rule that performs the diversion" do
+            @pfctlio = double('pfctl io')
+            IO.should_receive(:popen) do |args, &block|
+              args.should == %W{pfctl -q -a packetthief -f -}
+              block.call(@pfctlio)
+              `true`
+              $?.exitstatus.should == 0
+            end
+            @pfctlio.should_receive(:puts).with("rdr proto tcp from any to any port 443 -> 127.0.0.1 port 65432")
+
+            subject.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443).run
+          end
+        end
+
+        context "when it is told to watch a particular interface" do
+          it "calls pf with a rule that performs the diversion" do
+            @pfctlio = double('pfctl io')
+            IO.should_receive(:popen) do |args, &block|
+              args.should == %W{pfctl -q -a packetthief -f -}
+              block.call(@pfctlio)
+              `true`
+              $?.exitstatus.should == 0
+            end
+            @pfctlio.should_receive(:puts).with("rdr on eth1 proto tcp from any to any port 443 -> 127.0.0.1 port 65432")
+
+            subject.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 443, :in_interface => 'eth1').run
+          end
+        end
+
+        context "when it is called with two rules" do
+          it "sends both rules to pfctl on the second invocation" do
+            @pfctlio = double('pfctl io')
+            @pfctlio2 = double('pfctl io')
+            IO.should_receive(:popen).ordered do |args, &block|
+              args.should == %W{pfctl -q -a packetthief -f -}
+              block.call(@pfctlio)
+              `true`
+              $?.exitstatus.should == 0
+            end
+            @pfctlio.should_receive(:puts).with("rdr proto tcp from any to any port 80 -> 127.0.0.1 port 65432")
+            IO.should_receive(:popen).ordered do |args, &block|
+              args.should == %W{pfctl -q -a packetthief -f -}
+              block.call(@pfctlio2)
+              `true`
+              $?.exitstatus.should == 0
+            end
+            @pfctlio2.should_receive(:puts).with("rdr proto tcp from any to any port 80 -> 127.0.0.1 port 65432").ordered
+            @pfctlio2.should_receive(:puts).with("rdr proto tcp from any to any port 443 -> 127.0.0.1 port 65433").ordered
+
+            subject.redirect(:to_ports => 65432).where(:protocol => :tcp, :dest_port => 80).run
+            subject.redirect(:to_ports => 65433).where(:protocol => :tcp, :dest_port => 443).run
+          end
+        end
+
+      end
+
+      describe ".revert" do
+        context "when a rule has been previously added" do
+          before(:each) do
+            subject.redirect(:to_ports => 3234).where(:protocol => :tcp, :dest_port => 80).run
+          end
+          it "removes the packetthief anchor" do
+            subject.should_receive(:system).with(*%W{pfctl -q -a packetthief -F all}).and_return true
+
+            subject.revert
+          end
+        end
+      end
+
+      describe ".original_dest" do
+        context "when passed an object that implements Socket's #getsockname and #getpeername" do
+          let(:peername) { double('peername') }
+          let(:sockname) { double('sockname') }
+          let(:socket) { double('socket', :getpeername => peername, :getsockname => sockname) }
+
+          before(:each) do
+            Socket.stub(:unpack_sockaddr_in).with(peername).and_return([52999, '192.168.2.2'])
+            Socket.stub(:unpack_sockaddr_in).with(sockname).and_return([54321, '127.0.0.1'])
+          end
+
+          context "when `pfctl -s state` returns info that includes the current connection" do
+            let(:statetable) do
+              <<-QUOTE.gsub(/^\s*/, '')
+                No ALTQ support in kernel
+                ALTQ related functions disabled
+                ALL tcp 13.37.13.37:80 <- 192.168.2.2:52995       ESTABLISHED:ESTABLISHED
+                ALL tcp 192.168.2.2:52995 -> 10.0.1.2:33596 -> 74.125.224.68:80       ESTABLISHED:ESTABLISHED
+                ALL tcp 127.0.0.1:54321 <- 173.194.79.147:443 <- 192.168.2.2:52998       CLOSED:SYN_SENT
+                ALL tcp 127.0.0.1:54321 <- 173.194.79.147:443 <- 192.168.2.2:52999       CLOSED:SYN_SENT
+                ALL tcp 127.0.0.1:54321 <- 173.194.79.147:443 <- 192.168.2.2:53000       CLOSED:SYN_SENT
+                ALL tcp 127.0.0.1:54321 <- 173.194.79.147:443 <- 192.168.2.2:53001       CLOSED:SYN_SENT
+                ALL udp 192.168.2.1:53 <- 192.168.2.2:53690       SINGLE:MULTIPLE
+                ALL tcp 74.125.224.105:80 <- 192.168.2.2:53002       ESTABLISHED:ESTABLISHED
+                ALL tcp 192.168.2.2:53002 -> 10.0.1.2:38466 -> 74.125.224.105:80       ESTABLISHED:ESTABLISHED
+                ALL udp 224.0.0.251:5353 <- 10.0.1.4:5353       NO_TRAFFIC:SINGLE
+                ALL udp ff02::fb[5353] <- fe80::72de:e2ff:fe41:5ddd[5353]       NO_TRAFFIC:SINGLE
+              QUOTE
+            end
+
+            before(:each) do
+              subject.stub(:`).with(/pfctl -q -s state/).and_return(statetable)
+            end
+
+            it "returns the original destination" do
+              subject.original_dest(socket).should == [443, '173.194.79.147']
+            end
+
+          end
+
+        end
+
+      end
+    end
+  end
+end