feature:TSG-12014:新增适配k3s的功能

This commit is contained in:
fumingwei
2022-09-21 19:19:52 +08:00
parent 8c7e9cc7d5
commit ecdc9a2123
6 changed files with 337 additions and 13 deletions


@@ -169,7 +169,7 @@ DNS_SERVER_ALLOW_TTL = 60
DNS_SERVER_REDIRECT_TTL = 333
DNS_SERVER_REDIRECT_RANGE_LOW = 400
DNS_SERVER_REDIRECT_RANGE_HIGH = 500
DNS_SERVER_IP = ["192.0.2.135"]
DNS_SERVER_IP = ["192.0.2.101"]
DnsRequestFirewallDenyDrop = "Dns request timeout is deny drop sucess"
DnsARequestFireWallDenyRedirect = "Dns rdtype A request is deny reidrect sucess"
DnsAAAARequestFireWallDenyRedirect = "Dns rdtype AAAA request is deny redirect sucess"
@@ -180,7 +180,55 @@ DnsAAAARequestFirewallAllow = "Dns rdtype AAAA request data is sucess"
DnsCNAMERequestFirewallAllow = "Dns rdtype CNAME request data is sucess"
REQUEST_RESOLVE = ['sha384.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\
'sha256.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\
'expired.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\
'self-signed.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\
'untrusted-root.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\
'web-replay.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\
'web-replay.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\
'testing-download.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\
'http.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\
'http-credit-card.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\
'http-dynamic-login.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\
'http-login.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\
'sha512.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\
'rsa2048.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\
'rsa4096.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\
'testing-firewall-filter-host.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\
'testing-firewall-filter-url.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\
'testing-proxy-filter-host.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\
'testing-proxy-filter-url.badssl.selftest.gdnt-cloud.website:80:192.0.2.101']
def set_http_request_resolve(id_service_function):
global REQUEST_RESOLVE
ip_left_edge = 100
ip_http_server = ip_left_edge + id_service_function
REQUEST_RESOLVE = ['sha384.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\
'sha256.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\
'expired.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\
'self-signed.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\
'untrusted-root.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\
'web-replay.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\
'web-replay.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\
'testing-download.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\
'http.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\
'http-credit-card.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\
'http-dynamic-login.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\
'http-login.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\
'sha512.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\
'rsa2048.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\
'rsa4096.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\
'testing-firewall-filter-host.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\
'testing-firewall-filter-url.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\
'testing-proxy-filter-host.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\
'testing-proxy-filter-url.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server]
def set_dns_server_ip(id_service_function):
global DNS_SERVER_IP
ip_left_edge = 100
ip_dns_server = ip_left_edge + id_service_function
DNS_SERVER_IP = ['192.0.2.%d' % ip_dns_server]
class _WritelnDecorator(object):
"""Used to decorate file-like objects with a handy 'writeln' method"""
@@ -532,6 +580,7 @@ class SSLCheckRequestBuild:
self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write)
self.conn.setopt(self.conn.OPT_CERTINFO, 1)
self.conn.setopt(self.conn.SSL_VERIFYPEER, False)
self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE)
def _set_conn_opt(self,test_suite_name, url):
self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large']))
@@ -583,6 +632,7 @@ class SslInterceptRequestBuild:
self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write)
self.conn.setopt(self.conn.OPT_CERTINFO, 1)
self.conn.setopt(self.conn.SSL_VERIFYPEER, False)
self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE)
def _set_conn_opt(self,test_suite_name,url):
self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large']))
@@ -631,6 +681,7 @@ class ProxyRequestBuild:
self.bodyBuf = BytesIO()
self.conn = pycurl.Curl()
self.conn.setopt(self.conn.ENCODING, "gzip,deflate")
self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE)
def _cert_verify(self, certs, isSsl):
if isSsl == True:
@@ -770,6 +821,7 @@ class SSLFileDownloadBuild:
self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write)
self.conn.setopt(self.conn.SSL_VERIFYPEER, False)
self.conn.setopt(self.conn.OPT_CERTINFO, 1)
self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE)
def _get_conninfo(self,conn):
dictconninfo = {}
@@ -831,6 +883,7 @@ class HttpFirewallActionBuild:
def __init__(self):
self.conn = pycurl.Curl()
self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write)
self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE)
def _set_conn_opt(self,test_suite_name, url):
self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large']))
@@ -894,6 +947,7 @@ class SslFirewallActionBuild:
self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write)
self.conn.setopt(self.conn.OPT_CERTINFO, 1)
self.conn.setopt(self.conn.SSL_VERIFYPEER, False)
self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE)
def _set_conn_opt(self,test_suite_name, url):
self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large']))
@@ -939,6 +993,7 @@ class FilterTestingBuild:
def __init__(self):
self.conn = pycurl.Curl()
self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write)
self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE)
def _set_conn_opt(self,test_suite_name, url):
self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large']))
@@ -1209,6 +1264,7 @@ class TsgDiagnose:
self.client = None
self.config_dict = {}
self.dign_duration = 0
self.count_service_function = 1
def _get_dign_option(self):
parser = argparse.ArgumentParser(description="Tsg Tools - tsg diagnose", epilog = "Example:help")
@@ -1216,11 +1272,13 @@ class TsgDiagnose:
parser.add_argument('-c','--count', type = int, default = 1, help='Specifies the count of tsg diagnoses ,range:1-65535')
parser.add_argument('-p','--configpath', type = str, default = '/opt/dign_client/etc/client.conf',help='Specifies the config file, default /opt/dign_client/etc/client.conf')
parser.add_argument('-l','--loop', action='store_true', default = False, help='Tsg diagnose loop, exit when recv a signal')
parser.add_argument('-C','--count_service_function', type = int, default = 1, help='Specifies the counts of service_function ,range:1-256')
args = parser.parse_args()
self.interval = args.interval
self.loop = args.loop
self.count = args.count
self.config = args.configpath
self.count_service_function = args.count_service_function
if self.count == 0:
print("Error: bad number of tsg diagnose and will exit")
parser.print_help()
@@ -1292,8 +1350,8 @@ class TsgDiagnose:
self._add_suite('test_proxyDenyFilterHost_http')
self._add_suite('test_proxyDenyFilterURL_http')
def _dign_running(self):
print(format(("Test start time: " + time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())),'#^70s'))
def _dign_running(self,id_service_function):
print(format(("Service function id:" + str(id_service_function) + ",Test start time: " + time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())),'#^70s'))
runningLogPath = "/opt/dign_client/log/tsg-diagnose.log" + '.' + time.strftime("%Y-%m-%d", time.localtime())
#runningLogger = get_logger("running",runningLogPath, False)
#runningLogger.debug("Diagnose Start,the It will take up to %d seconds" %(self.dign_duration))
@@ -1308,7 +1366,14 @@ class TsgDiagnose:
f.write(time.strftime("%a %b %d %H:%M:%S %Y", time.localtime()) + "Diagnose end, Testing results:" + "\n" + result_stream.getvalue())
f.close()
#runningLogger.debug("Diagnose end, Testing results:" + "\n" + result_stream.getvalue())
print(format(("Test end time: " + time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())),'=^70s'))
print(format(("Service function id:" + str(id_service_function) + ",Test end time: " + time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())),'=^70s'))
def _dign_service_function_running(self):
for id_service_function in range(1,self.count_service_function + 1):
set_http_request_resolve(id_service_function)
set_dns_server_ip(id_service_function)
#print(REQUEST_RESOLVE)
self._dign_running(id_service_function)
def dign_exec(self):
self._get_dign_option()
@@ -1322,7 +1387,7 @@ class TsgDiagnose:
int(self.config_dict['start_time_random_delay_range']['right_edge'])))
while True:
print("\nRUN %d" %(dign_counter + 1))
self._dign_running()
self._dign_service_function_running()
dign_counter = dign_counter + 1
if not self.loop:
if dign_counter >= self.count:
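Review bot: The new `-C/--count_service_function` option parsed in `_get_dign_option` is never range-checked, yet `set_http_request_resolve` and `set_dns_server_ip` place `100 + id_service_function` into the last IPv4 octet, so any value above 155 produces an invalid address such as `192.0.2.256` and the advertised `range:1-256` cannot be honoured; the k3s server manifest in this commit also only aliases 32 addresses. Mirror the existing `self.count == 0` guard with `if not 1 <= self.count_service_function <= 155:` (or the number of aliases actually configured) before `_dign_service_function_running` starts looping. Separately, the 19-entry `REQUEST_RESOLVE` literal now duplicates the body of `set_http_request_resolve`; defining the function first and initialising with `set_http_request_resolve(1)` would keep the host list in one place. The request-builder classes only read `REQUEST_RESOLVE` in `__init__`, so the per-iteration rebinding presumably relies on the suites being constructed inside `_dign_running` — worth a one-line comment there, e.g. `# suites must be built after set_http_request_resolve() so each run picks up the new RESOLVE list`. `TsgDiagnose` and `_dign_running` continue outside the hunk.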


@@ -15,8 +15,8 @@ RUN sed -i s@/archive.ubuntu.com/@/mirrors.163.com/@g /etc/apt/sources.list \
libffi-dev \
make \
nginx \
ruby2.5 \
ruby2.5-dev \
ruby2.6 \
ruby2.6-dev \
net-tools \
iputils-ping \
faketime \


@@ -0,0 +1,78 @@
---
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: macvlan-client
spec:
config: '{
"cniVersion": "0.3.0",
"type": "macvlan",
"master": "ens4f1",
"mode": "bridge",
"ipam": {
"type": "host-local",
"ranges": [
[ {
"subnet": "192.0.2.0/24",
"rangeStart": "192.0.2.211",
"rangeEnd": "192.0.2.220",
"gateway": "192.0.2.1"
} ]
]
}
}'
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dign-client
labels:
app: dign-client
spec:
replicas: 1
selector:
matchLabels:
app: dign-client
template:
metadata:
labels:
app: dign-client
annotations:
k8s.v1.cni.cncf.io/networks: macvlan-client
spec:
containers:
- name: dign-client
image: "dign-client:latest"
imagePullPolicy: Never
workingDir: /opt/dign_client
command: ["/bin/sh", "-c", "update-ca-certificates; tail -f /dev/null"]
securityContext:
privileged: true
volumeMounts:
- name: localtime-node
mountPath: /etc/localtime
readOnly: true
- name: ca-cert-file
mountPath: /usr/local/share/ca-certificates
- name: log-path
mountPath: /opt/dign_client/log
- name: config-path
mountPath: /opt/dign_client/etc/client.conf
subPath: "client.conf"
volumes:
- name: localtime-node
hostPath:
path: /etc/localtime
- name: ca-cert-file
hostPath:
path: /opt/tsg/tsg-diagnose/etc/.certs_import/certs/sets/current/gen/crt
- name: log-path
hostPath:
path: /opt/tsg/tsg-diagnose/log
- name: config-path
hostPath:
path: /opt/tsg/tsg-diagnose/etc
---
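Review bot: `privileged: true` on the `dign-client` container is not justified by anything visible in this manifest — the command only runs `update-ca-certificates` and `tail -f /dev/null`, and the macvlan attachment comes from the `k8s.v1.cni.cncf.io/networks` annotation rather than from in-container network setup — so the line should be dropped, or replaced with an explicit `capabilities: add:` list if a later step really needs one. The `ca-cert-file` mount can carry `readOnly: true` like `localtime-node` does, since `update-ca-certificates` reads `/usr/local/share/ca-certificates` and writes its output under `/etc/ssl/certs`; the same applies to the `config-path` mount of `client.conf`. `image: "dign-client:latest"` with `imagePullPolicy: Never` presumably relies on an image imported onto the k3s node beforehand; a comment such as `# image is built locally and imported with k3s ctr, never pulled` would save the next operator a failed rollout.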


@@ -0,0 +1,99 @@
---
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: macvlan-server
spec:
config: '{
"cniVersion": "0.3.0",
"type": "macvlan",
"master": "ens4f0",
"mode": "bridge",
"ipam": {
"type": "host-local",
"ranges": [
[ {
"subnet": "192.0.2.0/24",
"rangeStart": "192.0.2.201",
"rangeEnd": "192.0.2.210",
"gateway": "192.0.2.1"
} ]
]
}
}'
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dign-server
labels:
app: dign-server
spec:
replicas: 1
selector:
matchLabels:
app: dign-server
template:
metadata:
labels:
app: dign-server
annotations:
k8s.v1.cni.cncf.io/networks: macvlan-server
spec:
containers:
- name: dign-server-dns
image: "dign-server-dns:latest"
imagePullPolicy: Never
command: ["/bin/sh", "-c", "echo 66.66.66.66 www.1testanswer-cname.com >> /etc/hosts; webproc --config /etc/dnsmasq.conf -- dnsmasq --no-daemon"]
securityContext:
privileged: true
volumeMounts:
- name: localtime-node
mountPath: /etc/localtime
readOnly: true
- name: config-path
mountPath: /etc/dnsmasq.conf
subPath: dnsmasq.conf
readOnly: true
- name: dign-server-web
image: "dign-server-web:latest"
imagePullPolicy: Never
command: ["/bin/bash", "-c", "make inside-docker;nginx;tail -f /dev/null"]
securityContext:
privileged: true
volumeMounts:
- name: localtime-node
mountPath: /etc/localtime
readOnly: true
- name: certs-path
mountPath: /badssl.com/certs
readOnly: true
- name: common-path
mountPath: /badssl.com/common
readOnly: true
initContainers:
- name: tsg-dign-init
image: "dign-server-dns:latest"
imagePullPolicy: Never
command: ["/bin/sh","-c","i=1;while [ \"$i\" -le 32 ]; do ip_suffix=$(( i + 100 ));ifconfig net1:$i 192.0.2.$ip_suffix;i=$(( i + 1 ));done;"]
securityContext:
privileged: true
volumes:
- name: localtime-node
hostPath:
path: /etc/localtime
- name: config-path
hostPath:
path: /opt/tsg/tsg-diagnose/etc/
- name: certs-path
hostPath:
path: /opt/tsg/tsg-diagnose/etc/.certs_import/certs
- name: common-path
hostPath:
path: /opt/tsg/tsg-diagnose/etc/.certs_import/common
---
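Review bot: The `tsg-dign-init` loop hard-codes 32 aliases (`192.0.2.101`–`192.0.2.132`) while the client added in this commit accepts `-C` up to 256 and computes `100 + id`, so any run with more than 32 service functions targets addresses nothing answers on; parameterise the bound through an env var (e.g. `COUNT_SERVICE_FUNCTION`) or at least document the coupling with a comment next to the command. `ifconfig net1:$i` is the deprecated alias syntax and `ip addr add 192.0.2.$ip_suffix/24 dev net1` is the current form; that setup should only need `NET_ADMIN` (`capabilities: add: ["NET_ADMIN"]`) rather than `privileged: true`, and the `dign-server-dns` and `dign-server-web` containers show nothing that needs elevated privileges at all. Whether the aliases set by the init container are still present for the app containers presumably rests on all containers of the pod sharing one network namespace, which holds for Kubernetes pods but deserves a comment. The `echo 66.66.66.66 www.1testanswer-cname.com >> /etc/hosts` in the dns container command appends a duplicate line on every container restart; `grep -q www.1testanswer-cname.com /etc/hosts || echo ... >> /etc/hosts` is idempotent.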


@@ -1,4 +1,45 @@
#!/bin/bash -e
systemctl start tsg-diagnose
sleep 10
docker exec -it dign-client /bin/sh -c "python bin/client.py"
K3S_BIN_PATH="/usr/bin/k3s"
count_service_function=1
ARGS=`getopt -a -o c:h -l count-service-function:,help -- "$@"`
eval set -- "${ARGS}"
usage(){
echo ""
echo "usage: tsg-diagnose-oneshot [option]"
echo ""
echo "Options:"
echo " -h --help Detailed usage syntax"
echo " -c --count-service-function Count of service-function,default:1"
exit 0
}
function get_args(){
while true
do
case "$1" in
-c|--count-sf)
export count_service_function=$2
;;
-h|--help)
usage
;;
--)
shift
break
;;
esac
shift
done
}
get_args $@
if [ -f "$K3S_BIN_PATH" ]; then
kubectl exec -it daemonset/dign-client -- python bin/client.py -C $count_service_function
else
systemctl start tsg-diagnose
sleep 10
docker exec -it dign-client /bin/sh -c "python bin/client.py"
fi
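Review bot: `get_args` never matches the option that `getopt` declares — the long name is `count-service-function` (and `usage` advertises it) but the `case` pattern is `-c|--count-sf`, so `--count-service-function N` silently falls through and `count_service_function` stays at 1; the short `-c` form only works because the stray value is discarded by the unconditional `shift`. The k3s branch also runs `kubectl exec -it daemonset/dign-client`, but the manifest added in this commit defines `dign-client` as a `Deployment`, so the exec fails with a not-found error and should target `deployment/dign-client`. `get_args $@` should be quoted as `get_args "$@"`, and the `-c` branch should `shift` past its own value. The same block is copied verbatim into the loop script in the next file section, which needs the identical fix.
```shell
function get_args(){
    while true
    do
        case "$1" in
            -c|--count-service-function)
                export count_service_function="$2"
                shift
                ;;
            -h|--help)
                usage
                ;;
            --)
                shift
                break
                ;;
        esac
        shift
    done
}
get_args "$@"
if [ -f "$K3S_BIN_PATH" ]; then
    kubectl exec -it deployment/dign-client -- python bin/client.py -C "$count_service_function"
# … unchanged: docker fallback branch …
```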


@@ -1,4 +1,45 @@
#!/bin/bash -e
systemctl start tsg-diagnose
sleep 10
docker exec -it dign-client /bin/sh -c "python bin/client.py -l"
K3S_BIN_PATH="/usr/bin/k3s"
count_service_function=1
ARGS=`getopt -a -o c:h -l count-service-function:,help -- "$@"`
eval set -- "${ARGS}"
usage(){
echo ""
echo "usage: tsg-diagnose-oneshot [option]"
echo ""
echo "Options:"
echo " -h --help Detailed usage syntax"
echo " -c --count-service-function Count of service-function,default:1"
exit 0
}
function get_args(){
while true
do
case "$1" in
-c|--count-sf)
export count_service_function=$2
;;
-h|--help)
usage
;;
--)
shift
break
;;
esac
shift
done
}
get_args $@
if [ -f "$K3S_BIN_PATH" ]; then
kubectl exec -it daemonset/dign-client -- python bin/client.py -C $count_service_function
else
systemctl start tsg-diagnose
sleep 10
docker exec -it dign-client /bin/sh -c "python bin/client.py -l"
fi
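Review bot: The k3s branch drops the `-l` loop flag — `kubectl exec -it daemonset/dign-client -- python bin/client.py -C $count_service_function` runs a single diagnose, while the docker branch right below still passes `python bin/client.py -l`, so on a k3s host this script behaves exactly like the oneshot script. It should read `kubectl exec -it deployment/dign-client -- python bin/client.py -l -C "$count_service_function"` (the `Deployment` kind comes from the client manifest in this commit). The `usage` text also still says `usage: tsg-diagnose-oneshot [option]` although this is the loop variant. The `get_args` option-name mismatch raised on the oneshot script applies here unchanged.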