@singbox-iac/cli 0.1.18 → 0.1.19

package/dist/modules/verification/index.js

@@ -1,10 +1,11 @@
 import { spawn } from "node:child_process";
 import { constants } from "node:fs";
 import { access } from "node:fs/promises";
-import { mkdir, mkdtemp, readFile, writeFile } from "node:fs/promises";
+import { chmod, mkdir, mkdtemp, readFile, writeFile } from "node:fs/promises";
 import net from "node:net";
 import { tmpdir } from "node:os";
 import path from "node:path";
+import { isProcessRoot } from "../desktop-runtime/index.js";
 import { checkConfig, resolveSingBoxBinary } from "../manager/index.js";
 import { resolveChromeDependency } from "../runtime-dependencies/index.js";
 export function assertVerificationReportPassed(report) {
@@ -16,6 +17,7 @@ export function assertVerificationReportPassed(report) {
         .map((scenario) => `- ${scenario.name}\n  url: ${scenario.url}\n  details: ${scenario.details}`)
         .join("\n")}`);
 }
+const nativeProcessProbeUrl = "https://example.com/";
 export async function verifyConfigRoutes(input) {
     const singBoxBinary = await resolveSingBoxBinary(input.singBoxBinary);
     const requestBinary = await resolveCurlBinary();
@@ -98,6 +100,120 @@ export function verifyAppPlan(plan, config) {
         details: describeProcessAwareRouteResult(rules, check),
     }));
 }
+export async function verifyNativeProcessE2E(input) {
+    const nativeChecks = input.plan.appChecks.filter((check) => check.expectedCaptureBackend === "native-process");
+    if (nativeChecks.length === 0) {
+        return [];
+    }
+    if (!isProcessRoot()) {
+        return nativeChecks.map((check) => ({
+            app: check.app,
+            status: "SKIP",
+            expectedOutboundGroup: check.expectedOutboundGroup,
+            details: "Native-process e2e requires root. Re-run `sudo singbox-iac verify app -c <builder.config.yaml>`.",
+        }));
+    }
+    const singBoxBinary = await resolveSingBoxBinary(input.singBoxBinary);
+    const cCompilerBinary = await resolveCCompilerBinary();
+    const rawConfig = JSON.parse(await readFile(input.configPath, "utf8"));
+    const results = [];
+    for (const check of nativeChecks) {
+        const prepared = await prepareVerificationConfig(rawConfig);
+        const conflictingOutbound = chooseConflictingOutbound(prepared.config, check.expectedOutboundGroup);
+        if (!conflictingOutbound) {
+            results.push({
+                app: check.app,
+                status: "SKIP",
+                expectedOutboundGroup: check.expectedOutboundGroup,
+                details: "No conflicting fallback outbound is available in the compiled config for native-process e2e.",
+            });
+            continue;
+        }
+        injectNativeProcessProbeRule(prepared.config, conflictingOutbound);
+        const processName = selectNativeProcessProbeName(prepared.config, check.expectedOutboundGroup);
+        if (!processName) {
+            results.push({
+                app: check.app,
+                status: "SKIP",
+                expectedOutboundGroup: check.expectedOutboundGroup,
+                details: "No concrete process_name matcher was available for native-process e2e. Add a plain processName matcher to the bundle or explicit process policy.",
+            });
+            continue;
+        }
+        const runDir = await mkdtemp(path.join(tmpdir(), "singbox-iac-native-process-"));
+        const verifyConfigPath = path.join(runDir, "native-process.config.json");
+        const logPath = path.join(runDir, "native-process.log");
+        const probeBinaryPath = path.join(runDir, processName);
+        await compileNativeProcessProbe({
+            runDir,
+            compilerBinary: cCompilerBinary,
+            probeBinaryPath,
+        });
+        injectNativeProcessPathProbeRule(prepared.config, probeBinaryPath, check.expectedOutboundGroup);
+        await writeFile(verifyConfigPath, `${JSON.stringify(prepared.config, null, 2)}\n`, "utf8");
+        await checkConfig({ configPath: verifyConfigPath, singBoxBinary });
+        const logBuffer = { text: "" };
+        const appender = async (chunk) => {
+            const text = chunk.toString();
+            logBuffer.text += text;
+            await writeFile(logPath, text, { encoding: "utf8", flag: "a" });
+        };
+        const child = spawn(singBoxBinary, ["run", "-c", verifyConfigPath], {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        child.stdout.on("data", (chunk) => void appender(chunk));
+        child.stderr.on("data", (chunk) => void appender(chunk));
+        const exitPromise = new Promise((resolve, reject) => {
+            child.on("error", reject);
+            child.on("close", (code) => resolve(code ?? 0));
+        });
+        try {
+            await waitForLog(logBuffer, /sing-box started/, 15_000, "Timed out waiting for sing-box startup during native-process verification.");
+            const scenario = await verifyNativeProcessRuntimeScenario({
+                id: `native-process-${slugifyProcessName(processName)}`,
+                name: `native-process e2e for ${check.app}`,
+                url: nativeProcessProbeUrl,
+                inboundTag: "in-tun",
+                proxyPort: prepared.mixedPort,
+                expectedOutboundGroup: check.expectedOutboundGroup,
+                processName,
+                probeBinaryPath,
+            }, logBuffer);
+            results.push({
+                app: check.app,
+                status: scenario.passed ? "PASS" : "FAIL",
+                expectedOutboundGroup: check.expectedOutboundGroup,
+                processName,
+                details: scenario.passed
+                    ? `Probe binary=${probeBinaryPath}; compiled process_name=${processName}; conflicting fallback=${conflictingOutbound}. ${scenario.details}`
+                    : `Probe binary=${probeBinaryPath}; compiled process_name=${processName}; conflicting fallback=${conflictingOutbound}. ${scenario.details}`,
+            });
+        }
+        catch (error) {
+            results.push({
+                app: check.app,
+                status: "FAIL",
+                expectedOutboundGroup: check.expectedOutboundGroup,
+                processName,
+                details: error instanceof Error ? error.message : String(error),
+            });
+        }
+        finally {
+            child.kill("SIGINT");
+            await Promise.race([exitPromise, new Promise((resolve) => setTimeout(resolve, 2_000))]);
+        }
+    }
+    return results;
+}
+export function assertNativeProcessE2EPassed(results) {
+    const failures = results.filter((result) => result.status === "FAIL");
+    if (failures.length === 0) {
+        return;
+    }
+    throw new Error(`Native-process e2e failed:\n${failures
+        .map((result) => `- ${result.app}${result.processName ? ` (${result.processName})` : ""}: ${result.details}`)
+        .join("\n")}`);
+}
 function hasExpectedProcessAwareRoute(rules, check) {
     switch (check.expectedCaptureBackend) {
         case "fallback":
@@ -318,6 +434,52 @@ async function verifyRuntimeScenario(scenario, logBuffer, requestBinary) {
         expectedOutboundTag: scenario.expectedOutboundTag,
     };
 }
+async function verifyNativeProcessRuntimeScenario(scenario, logBuffer) {
+    const hostname = new URL(scenario.url).hostname;
+    const inboundLog = new RegExp(`inbound/mixed\\[${escapeRegExp(scenario.inboundTag)}\\]: inbound connection to ${escapeRegExp(hostname)}:443`);
+    const routeLogAlternatives = [
+        new RegExp(`router: match\\[\\d+\\].*process_path[^\\n]*${escapeRegExp(scenario.probeBinaryPath)}[^\\n]*=> route\\(${escapeRegExp(scenario.expectedOutboundGroup)}\\)`),
+        new RegExp(`router: match\\[\\d+\\].*process_path[^\\n]*${escapeRegExp(path.basename(scenario.probeBinaryPath))}[^\\n]*=> route\\(${escapeRegExp(scenario.expectedOutboundGroup)}\\)`),
+        new RegExp(`router: match\\[\\d+\\].*process_name[^\\n]*${escapeRegExp(scenario.processName)}[^\\n]*=> route\\(${escapeRegExp(scenario.expectedOutboundGroup)}\\)`),
+    ];
+    let lastFailure = `Expected native-process logs were not observed for ${hostname} within the timeout.`;
+    for (let attempt = 1; attempt <= 2; attempt += 1) {
+        const offset = logBuffer.text.length;
+        const requestResult = await runNativeProcessProbeScenario({
+            probeBinaryPath: scenario.probeBinaryPath,
+            proxyPort: scenario.proxyPort,
+            targetHost: hostname,
+            targetPort: 443,
+        });
+        const excerpt = await waitForScenarioLogsWithAlternatives(logBuffer, offset, [inboundLog], routeLogAlternatives, 20_000);
+        const requestFailure = detectRequestFailure(requestResult);
+        if (excerpt !== undefined) {
+            return {
+                name: scenario.name,
+                passed: true,
+                details: requestFailure === undefined
+                    ? excerpt.trim()
+                    : `${excerpt.trim()}\nRequest note: ${requestFailure}`,
+                url: scenario.url,
+                inboundTag: scenario.inboundTag,
+                expectedOutboundTag: scenario.expectedOutboundGroup,
+            };
+        }
+        lastFailure =
+            requestFailure ?? `Expected native-process logs were not observed for ${hostname} within the timeout.`;
+        if (attempt < 2) {
+            await sleep(500);
+        }
+    }
+    return {
+        name: scenario.name,
+        passed: false,
+        details: lastFailure,
+        url: scenario.url,
+        inboundTag: scenario.inboundTag,
+        expectedOutboundTag: scenario.expectedOutboundGroup,
+    };
+}
 export function isRouteLevelProxySuccess(scenario, requestResult) {
     if (scenario.inboundTag !== "in-proxifier") {
         return false;
@@ -385,6 +547,22 @@ export async function resolveCurlBinary(explicitPath) {
     }
     throw new Error("Unable to find a usable curl binary for route verification.");
 }
+export async function resolveCCompilerBinary(explicitPath) {
+    const candidates = [
+        explicitPath,
+        process.env.CC,
+        "/usr/bin/cc",
+        "/usr/bin/clang",
+        ...resolvePathCandidates("cc"),
+        ...resolvePathCandidates("clang"),
+    ].filter((candidate) => typeof candidate === "string" && candidate.length > 0);
+    for (const candidate of candidates) {
+        if (await isExecutable(candidate)) {
+            return candidate;
+        }
+    }
+    throw new Error("Unable to find a usable C compiler for native-process verification.");
+}
 export async function prepareVerificationConfig(config) {
     const cloned = structuredClone(config);
     const mixedPort = await findAvailablePort();
@@ -431,9 +609,16 @@ export async function prepareVerificationConfig(config) {
             tag: "dns-local-verify",
         },
     ];
+    dns.rules = [];
     dns.final = "dns-local-verify";
+    dns.reverse_mapping = false;
     const route = asObject(cloned.route, "Config is missing route.");
     route.default_domain_resolver = "dns-local-verify";
+    if (typeof cloned.experimental === "object" && cloned.experimental !== null) {
+        const experimental = asObject(cloned.experimental, "Config has an invalid experimental block.");
+        const { cache_file: _cacheFile, ...remaining } = experimental;
+        cloned.experimental = Object.keys(remaining).length === 0 ? undefined : remaining;
+    }
     const outbounds = ensureArray(cloned.outbounds, "Config is missing outbounds.");
     const globalIndex = outbounds.findIndex((outbound) => outbound.tag === "Global");
     if (globalIndex >= 0) {
@@ -455,6 +640,59 @@ export async function prepareVerificationConfig(config) {
         proxifierPort,
     };
 }
+export function chooseConflictingOutbound(config, expectedOutboundGroup) {
+    const outbounds = ensureArray(config.outbounds, "Config is missing outbounds.");
+    const preferred = ["direct", "Global", "AI-Out", "Dev-Common-Out", "Stitch-Out", "Process-Proxy"];
+    for (const tag of preferred) {
+        if (tag === expectedOutboundGroup) {
+            continue;
+        }
+        if (outbounds.some((outbound) => outbound.tag === tag)) {
+            return tag;
+        }
+    }
+    return outbounds
+        .map((outbound) => (typeof outbound.tag === "string" ? outbound.tag : undefined))
+        .find((tag) => typeof tag === "string" && tag !== expectedOutboundGroup);
+}
+export function injectNativeProcessProbeRule(config, conflictingOutbound) {
+    const route = asObject(config.route, "Config is missing route.");
+    const rules = ensureArray(route.rules, "Route is missing rules.");
+    const probeHost = new URL(nativeProcessProbeUrl).hostname;
+    const insertionIndex = findLastProcessAwareRuleIndex(rules) + 1;
+    rules.splice(insertionIndex, 0, {
+        domain: [probeHost],
+        action: "route",
+        outbound: conflictingOutbound,
+    });
+}
+export function injectNativeProcessPathProbeRule(config, probeBinaryPath, expectedOutboundGroup) {
+    const route = asObject(config.route, "Config is missing route.");
+    const rules = ensureArray(route.rules, "Route is missing rules.");
+    const insertionIndex = findLastProcessAwareRuleIndex(rules) + 1;
+    rules.splice(insertionIndex, 0, {
+        process_path: [probeBinaryPath],
+        action: "route",
+        outbound: expectedOutboundGroup,
+    });
+}
+export function selectNativeProcessProbeName(config, expectedOutboundGroup) {
+    const route = asObject(config.route, "Config is missing route.");
+    const rules = ensureArray(route.rules, "Route is missing rules.");
+    for (const rule of rules) {
+        if (rule.outbound !== expectedOutboundGroup || !Array.isArray(rule.process_name)) {
+            continue;
+        }
+        const candidate = rule.process_name.find((value) => typeof value === "string" &&
+            value.length > 0 &&
+            !value.includes("/") &&
+            !value.includes("*"));
+        if (candidate) {
+            return candidate;
+        }
+    }
+    return undefined;
+}
 export function validateConfigInvariants(config) {
     const route = asObject(config.route, "Config is missing route.");
     const rules = ensureArray(route.rules, "Route is missing rules.");
@@ -526,6 +764,16 @@ export function validateConfigInvariants(config) {
         .join(", ")}`));
     return checks;
 }
+function findLastProcessAwareRuleIndex(rules) {
+    return rules.reduce((lastIndex, rule, index) => Array.isArray(rule.process_name) ||
+        Array.isArray(rule.process_path) ||
+        Array.isArray(rule.process_path_regex)
+        ? index
+        : lastIndex, -1);
+}
+function slugifyProcessName(processName) {
+    return processName.replaceAll(/[^A-Za-z0-9._-]+/g, "-");
+}
 export function resolveDefaultLeafOutboundTag(config, tag) {
     const outbounds = ensureArray(config.outbounds, "Config is missing outbounds.");
     const byTag = new Map();
@@ -562,20 +810,44 @@ export function resolveDefaultLeafOutboundTag(config, tag) {
     }
 }
 function buildRuntimeScenarios(config, mixedPort, proxifierPort, configuredScenarios) {
-    const sourceScenarios = configuredScenarios && configuredScenarios.length > 0
+    const sourceScenarios = normalizeConfiguredVerificationScenarios(config, configuredScenarios && configuredScenarios.length > 0
         ? configuredScenarios
-        : defaultConfiguredScenarios;
-    return sourceScenarios.map((scenario) => ({
+        : defaultConfiguredScenarios);
+    const fallbackScenarios = sourceScenarios.length > 0
+        ? sourceScenarios
+        : normalizeConfiguredVerificationScenarios(config, defaultConfiguredScenarios);
+    return fallbackScenarios.map((scenario) => ({
         id: scenario.id,
         name: scenario.name,
         url: scenario.url,
         inboundTag: scenario.inbound,
         proxyPort: scenario.inbound === "in-proxifier" ? proxifierPort : mixedPort,
-        expectedOutboundTag: scenario.expectedOutbound === "direct" || scenario.expectedOutbound === "block"
-            ? scenario.expectedOutbound
-            : resolveDefaultLeafOutboundTag(config, scenario.expectedOutbound),
+        expectedOutboundTag: resolveExpectedVerificationOutboundTag(config, scenario.expectedOutbound),
     }));
 }
+export function resolveExpectedVerificationOutboundTag(config, expectedOutboundTag) {
+    return expectedOutboundTag === "direct" || expectedOutboundTag === "block"
+        ? expectedOutboundTag
+        : resolveDefaultLeafOutboundTag(config, expectedOutboundTag);
+}
+export function normalizeConfiguredVerificationScenarios(config, scenarios) {
+    const availableInbounds = new Set(ensureArray(config.inbounds, "Config is missing inbounds.")
+        .map((inbound) => inbound.tag)
+        .filter((tag) => typeof tag === "string" && tag.length > 0));
+    const hasTun = availableInbounds.has("in-tun");
+    const hasMixed = availableInbounds.has("in-mixed");
+    const hasProxifier = availableInbounds.has("in-proxifier");
+    const prefersTunFallback = hasTun && !hasMixed && !hasProxifier;
+    return scenarios.flatMap((scenario) => {
+        if (availableInbounds.has(scenario.inbound)) {
+            return [scenario];
+        }
+        if (scenario.inbound === "in-mixed" && (hasTun || prefersTunFallback)) {
+            return [{ ...scenario, inbound: "in-tun" }];
+        }
+        return [];
+    });
+}
 const defaultConfiguredScenarios = [
     {
         id: "stitch",
@@ -632,11 +904,49 @@ async function runProxyRequestScenario(input) {
         "5",
         "--proxy",
         `http://127.0.0.1:${input.proxyPort}`,
+        "--noproxy",
+        "",
         input.url,
     ];
     return new Promise((resolve, reject) => {
         const child = spawn(input.requestBinary, args, {
             stdio: ["ignore", "pipe", "pipe"],
+            env: buildVerificationRequestEnv(),
+        });
+        let stdout = "";
+        let stderr = "";
+        let timedOut = false;
+        const timeout = setTimeout(() => {
+            timedOut = true;
+            child.kill("SIGKILL");
+        }, 12_000);
+        child.stdout.on("data", (chunk) => {
+            stdout += chunk.toString();
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += chunk.toString();
+        });
+        child.on("error", (error) => {
+            clearTimeout(timeout);
+            reject(error);
+        });
+        child.on("close", (code) => {
+            clearTimeout(timeout);
+            resolve({
+                exitCode: code ?? 0,
+                stdout,
+                stderr,
+                timedOut,
+            });
+        });
+    });
+}
+async function runNativeProcessProbeScenario(input) {
+    const args = ["127.0.0.1", String(input.proxyPort), input.targetHost, String(input.targetPort)];
+    return new Promise((resolve, reject) => {
+        const child = spawn(input.probeBinaryPath, args, {
+            stdio: ["ignore", "pipe", "pipe"],
+            env: buildVerificationRequestEnv(),
         });
         let stdout = "";
         let stderr = "";
@@ -681,11 +991,12 @@ async function runJsonRequestScenario(input) {
         input.url,
     ];
     if (typeof input.proxyPort === "number") {
-        args.splice(args.length - 1, 0, "--proxy", `http://127.0.0.1:${input.proxyPort}`);
+        args.splice(args.length - 1, 0, "--proxy", `http://127.0.0.1:${input.proxyPort}`, "--noproxy", "");
     }
     return new Promise((resolve, reject) => {
         const child = spawn(input.requestBinary, args, {
             stdio: ["ignore", "pipe", "pipe"],
+            env: buildVerificationRequestEnv(),
         });
         let stdout = "";
         let stderr = "";
@@ -805,6 +1116,18 @@ async function waitForScenarioLogs(buffer, offset, patterns, timeoutMs) {
     }
     return undefined;
 }
+async function waitForScenarioLogsWithAlternatives(buffer, offset, requiredPatterns, alternativePatterns, timeoutMs) {
+    const startedAt = Date.now();
+    while (Date.now() - startedAt < timeoutMs) {
+        const excerpt = buffer.text.slice(offset);
+        if (requiredPatterns.every((pattern) => pattern.test(excerpt)) &&
+            alternativePatterns.some((pattern) => pattern.test(excerpt))) {
+            return excerpt;
+        }
+        await sleep(250);
+    }
+    return undefined;
+}
 async function waitForLog(buffer, pattern, timeoutMs, errorMessage) {
     const startedAt = Date.now();
     while (Date.now() - startedAt < timeoutMs) {
@@ -855,6 +1178,124 @@ function makeCheck(name, passed, details) {
 function escapeRegExp(input) {
     return input.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
+export function buildVerificationRequestEnv(baseEnv = process.env) {
+    const stripped = {};
+    for (const [key, value] of Object.entries(baseEnv)) {
+        if (/^(http_proxy|https_proxy|all_proxy|no_proxy)$/i.test(key)) {
+            continue;
+        }
+        stripped[key] = value;
+    }
+    return stripped;
+}
+async function compileNativeProcessProbe(input) {
+    const sourcePath = path.join(input.runDir, "native-process-probe.c");
+    await writeFile(sourcePath, buildNativeProcessProbeSource(), "utf8");
+    await new Promise((resolve, reject) => {
+        const child = spawn(input.compilerBinary, ["-O2", "-Wall", "-Wextra", "-o", input.probeBinaryPath, sourcePath], {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stderr = "";
+        child.stdout.on("data", () => {
+            // ignore compiler stdout
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += chunk.toString();
+        });
+        child.on("error", reject);
+        child.on("close", (code) => {
+            if ((code ?? 0) === 0) {
+                resolve();
+                return;
+            }
+            reject(new Error(`Failed to compile native-process probe with ${input.compilerBinary}.\n${stderr.trim()}`));
+        });
+    });
+    await chmod(input.probeBinaryPath, 0o755);
+}
+function buildNativeProcessProbeSource() {
+    return `#include <arpa/inet.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <unistd.h>
+
+int main(int argc, char **argv) {
+  if (argc != 5) {
+    fprintf(stderr, "usage: %s <proxy-host> <proxy-port> <target-host> <target-port>\\n", argv[0]);
+    return 2;
+  }
+
+  const char *proxyHost = argv[1];
+  const char *proxyPort = argv[2];
+  const char *targetHost = argv[3];
+  const char *targetPort = argv[4];
+
+  int socketFd = socket(AF_INET, SOCK_STREAM, 0);
+  if (socketFd < 0) {
+    perror("socket");
+    return 3;
+  }
+
+  struct timeval timeout;
+  timeout.tv_sec = 3;
+  timeout.tv_usec = 0;
+  setsockopt(socketFd, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout));
+  setsockopt(socketFd, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout));
+
+  struct sockaddr_in proxyAddress;
+  memset(&proxyAddress, 0, sizeof(proxyAddress));
+  proxyAddress.sin_family = AF_INET;
+  proxyAddress.sin_port = htons((uint16_t) atoi(proxyPort));
+
+  if (inet_pton(AF_INET, proxyHost, &proxyAddress.sin_addr) != 1) {
+    fprintf(stderr, "invalid proxy host: %s\\n", proxyHost);
+    close(socketFd);
+    return 4;
+  }
+
+  if (connect(socketFd, (struct sockaddr *) &proxyAddress, sizeof(proxyAddress)) != 0) {
+    perror("connect");
+    close(socketFd);
+    return 5;
+  }
+
+  char request[1024];
+  int written = snprintf(
+    request,
+    sizeof(request),
+    "CONNECT %s:%s HTTP/1.1\\r\\nHost: %s:%s\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n",
+    targetHost,
+    targetPort,
+    targetHost,
+    targetPort
+  );
+  if (written < 0 || written >= (int) sizeof(request)) {
+    fprintf(stderr, "failed to encode request\\n");
+    close(socketFd);
+    return 6;
+  }
+
+  ssize_t sent = send(socketFd, request, (size_t) written, 0);
+  if (sent < 0) {
+    perror("send");
+    close(socketFd);
+    return 7;
+  }
+
+  char response[512];
+  recv(socketFd, response, sizeof(response) - 1, 0);
+  usleep(250000);
+  close(socketFd);
+  return 0;
+}
+`;
+}
 async function isExecutable(filePath) {
     try {
         await access(filePath, constants.X_OK);