commit 4de9ae90859b2aeb35571ec349af98a08a94a0d1 Author: Arturo Filastò art@fuffa.org Date: Wed Aug 13 17:02:05 2014 +0200
Re-indent and fix markup of spec --- test-decks/td-spec.md | 293 +++++++++++++++++++++++++++++-------------------- 1 file changed, 175 insertions(+), 118 deletions(-)
diff --git a/test-decks/td-spec.md b/test-decks/td-spec.md index 5e65f3d..83075b5 100644 --- a/test-decks/td-spec.md +++ b/test-decks/td-spec.md @@ -1,139 +1,196 @@ # 0. Terminology - Analyst: The person who writes a deck. - - Collector: A machine running the ooni-backend that collects the reports generated by the execution of ooni-probe. - - Nettest: A test whose execution by ooniprobe creates a report sent later to the collector if provided. - - Ooni: Open observatory of network interference. - - Ooni-probe: The client side of ooni used to execute a set of nettests. - - Tester: The person who executes ooni-probe. - - YAML: A human-readable data serialization format. +Analyst: The person who writes a deck. + +Collector: A machine running the ooni-backend that collects the reports +generated by the execution of ooni-probe. + +Nettest: A test whose execution by ooniprobe creates a report sent later to the +collector if provided. + +Ooni: Open observatory of network interference. + +Ooni-probe: The client side of ooni used to execute a set of nettests. + +Tester: The person who executes ooni-probe. + +YAML: A human-readable data serialization format.
# 1. Rationale
- To ease the execution of nettests, the ooni developers came up with the idea of a container that would allow a tester to easily execute a bunch of configured nettests. That container was called a deck. - - This way, an analyst interested in a particular behaviour would write a deck; then, she would distribute that deck to every tester interested in the ongoing analysis. Finally, the tester would execute ooni-probe with that deck to properly create and send the nettests' reports. - - Unfortunately, right now both the deck format and ooni-probe don't allow that level of automation. The way we want to solve this situation is by writing a new spec for the deck format that would allow us to write, with great confidence, the given functionality to ooni-probe. The document that you're reading is that spec. - +To ease the execution of nettests, the ooni developers came up with the idea of +a container that would allow a tester to easily execute a bunch of configured +nettests.That container was called a deck. + +This way, an analyst interested in a particular behaviour would write a deck; +then, she would distribute that deck to every tester interested in the ongoing +analysis. Finally, the tester would execute ooni-probe with that deck to +properly create and send the nettests' reports. + +Unfortunately, right now both the deck format and ooni-probe don't allow that +level of automation. The way we want to solve this situation is by writing a +new spec for the deck format that would allow us to write, with great +confidence, the given functionality to ooni-probe. The document that you're +reading is that spec. + # 2. Goals
- Allow an analyst to reuse well written and tested nettests in an easy way. - - Allow a tester to execute easily a battery of nettests with a complex configuration. - - Grant privacy of the tester. +Allow an analyst to reuse well written and tested nettests in an easy way. + +Allow a tester to execute easily a battery of nettests with a complex +configuration. + +Grant privacy of the tester.
# 3. The data format
- Every deck is a yaml file composed of two major sections: the header and the body. - - The header is a dictionary that provides all the shared and global configuration of every nettest included in the deck. Its main purpose is to reduce boilerplate by letting the analyst express common behaviour in one section instead of in every nettest execution. The ooni-probe options allowed in this section are: - - 1. collector: Address of the collector of test results. - 2. bouncer: Address of the bouncer for test helpers. - 3. annotations: Annotate the report with a key:value[, key:value] format. - 4. no-collector: Disable the collector. (FLAG) - 5. no-geoip: Disable the geoip support. (FLAG) - - Every option of the header section is a dictionary's key except that labeled with a FLAG, which are members of a list called flags. So for example a valid header section is the following: - - header: - collector: 'http://localhost' - annotations: - key1: value1 - key2: value2 - flags: - - no-collector - - The body is a list composed of one element per nettest execution. Every nettest execution is a dictionary composed of the following three keys: - - 1. nettest: name of the nettest to execute (MANDATORY) - 2. local_options: local_options of the test execution (OPTIONAL) - 3. global_options: global options of the test execution (OPTIONAL) - - In the same way that with the header, every option can be a member of a flag list if that options doesn't have any arguments. A valid body can be: - - body: - - nettest: manipulation/http_request - local_options: - url: 'http://torproject.org' - global_options: - collector: 'http://localhost' - flags: - - no-geoip - - nettest: manipulation/captiveportal - +Every deck is a yaml file composed of two major sections: the header and the +body. + +The header is a dictionary that provides all the shared and global +configuration of every nettest included in the deck. Its main purpose is to +reduce boilerplate by letting the analyst express common behaviour in one +section instead of in every nettest execution. The ooni-probe options allowed +in this section are: + +1. collector: Address of the collector of test results. +2. bouncer: Address of the bouncer for test helpers. +3. annotations: Annotate the report with a key:value[, key:value] format. +4. no-collector: Disable the collector. (FLAG) +5. no-geoip: Disable the geoip support. (FLAG) + +Every option of the header section is a dictionary's key except that labeled +with a FLAG, which are members of a list called flags. So for example a valid +header section is the following: + +``` +header: +collector: 'http://localhost' +annotations: +key1: value1 +key2: value2 +flags: +- no-collector +``` + +The body is a list composed of one element per nettest execution. Every nettest +execution is a dictionary composed of the following three keys: + +1. nettest: name of the nettest to execute (MANDATORY) +2. local_options: local_options of the test execution (OPTIONAL) +3. global_options: global options of the test execution (OPTIONAL) + +In the same way that with the header, every option can be a member of a flag +list if that options doesn't have any arguments. A valid body can be: + +``` +body: +- nettest: manipulation/http_request +local_options: +url: 'http://torproject.org' +global_options: +collector: 'http://localhost' +flags: +- no-geoip +- nettest: manipulation/captiveportal +``` + # 3. Implementation details
## 3.1 Introduction
- Each execution of a nettest in ooniprobe needs four main inputs. - - 1. The global config file - 2. The global cmd options - 3. The nettest/deck - 4. The local options for each nettest - - The first three ones are mandatory to run a nettest, the last one depends on the nettest. - - When a single nettest is executed, all options except the first one are passed in the cmd line. - - The difference between the global config options and the global cmd options is that the second one has some shared options with the config file plus some additional subcommands to ooniprobe. - - When a deck is involved in the execution, the last three inputs are meant to be passed (at least partially) in the deck. In fact, the deck is no more than the three last inputs, with some subtleties that I expect to explain in the following sections. - +Each execution of a nettest in ooniprobe needs four main inputs. + +1. The global config file +2. The global cmd options +3. The nettest/deck +4. The local options for each nettest + +The first three ones are mandatory to run a nettest, the last one depends on +the nettest. + +When a single nettest is executed, all options except the first one are +passed in the cmd line. + +The difference between the global config options and the global cmd options +is that the second one has some shared options with the config file plus some +additional subcommands to ooniprobe. + +When a deck is involved in the execution, the last three inputs are meant to +be passed (at least partially) in the deck. In fact, the deck is no more than +the three last inputs, with some subtleties that I expect to explain in the +following sections. + ## 3.2 Who overwrites who - - In a single-nettest execution, the global config is parsed and a global object is built. Then the cmd line is parsed and it overwrites the global configs. This is done to allow the setting of the most dynamic options in the console without the need of writing them each time to the config file. - - All the ooni-probe's code base is allowed to access that global object, included the nettests. So, the global options affect the way ooni-probe behaves but also can affect the way the executing nettest behaves. That's the reason why the deck must provide the specification of some global options, but not all because there are some powerful options that would put in danger the tester. The allowed options are listed in the section [3. The data format]. - - In a deck-nettest execution, the header section of the deck is parsed first and a global object is built. Then the config file is parsed and the object is overwritten when it applies. Finally the cmd line of the ooni-probe is parsed and the object is overwritten. - - We read the header section first to avoid the analyst overwrite some sensitive options of the config file, which only should be modified by the tester. - + +In a single-nettest execution, the global config is parsed and a global object +is built. Then the cmd line is parsed and it overwrites the global configs. +This is done to allow the setting of the most dynamic options in the console +without the need of writing them each time to the config file. + +All the ooni-probe's code base is allowed to access that global object, +included the nettests. So, the global options affect the way ooni-probe behaves +but also can affect the way the executing nettest behaves. That's the reason +why the deck must provide the specification of some global options, but not all +because there are some powerful options that would put in danger the tester. +The allowed options are listed in the section [3. The data format]. + +In a deck-nettest execution, the header section of the deck is parsed first and +a global object is built. Then the config file is parsed and the object is +overwritten when it applies. Finally the cmd line of the ooni-probe is parsed +and the object is overwritten. + +We read the header section first to avoid the analyst overwrite some sensitive +options of the config file, which only should be modified by the tester. + ## 3.3 Copy-on-write
- To reduce the boilerplate in the deck, the file is splitted into a shared section for all nettests and a local one for each nettest. - - The idea is to allow the writer of the deck to express common and global behaviour of all the nettests in the header of the deck and to put specific and local options in each nettest element, as was already explained in [3. The data format]. - - What this means for the execution of the nettests is that when a nettest overwrites a global configuration of the header, this change is only visible to this nettest, not to every nettest who may ever execute in the same instance of ooni-probe. So what follows is that every change to the global options of ooni-probe in the local section of a deck should attend a copy-on-write policy regarding the global config object. - +To reduce the boilerplate in the deck, the file is splitted into a shared +section for all nettests and a local one for each nettest. + +The idea is to allow the writer of the deck to express common and global +behaviour of all the nettests in the header of the deck and to put specific and +local options in each nettest element, as was already explained in [3. The data +format]. + +What this means for the execution of the nettests is that when a nettest +overwrites a global configuration of the header, this change is only visible to +this nettest, not to every nettest who may ever execute in the same instance of +ooni-probe. So what follows is that every change to the global options of +ooni-probe in the local section of a deck should attend a copy-on-write policy +regarding the global config object. + ## 3.4 The input file
- Ooni-probe invokes every nettest method with the information saved in a file called the input file. This file is part of the local configuration of every test, and therefore must be provided with the deck. - - So the deck should be a compressed container which includes both the deck file and every input file necessary to every nettest included in the deck. Otherwise, the analyst would have to send to the tester the input files separately, which is unacceptable. - - The container proposed is tar+gzip because it's well supported in python. +Ooni-probe invokes every nettest method with the information saved in a file +called the input file. This file is part of the local configuration of every +test, and therefore must be provided with the deck. + +So the deck should be a compressed container which includes both the deck file +and every input file necessary to every nettest included in the deck. +Otherwise, the analyst would have to send to the tester the input files +separately, which is unacceptable. + +The container proposed is tar+gzip because it's well supported in python.
# 5. Example deck
- The complete.deck provided with each installation of ooni-probe would be: - - header: - flags: - - no-collector - - body: - - nettest: blocking/http_request - input_file: 'httpo://ihiderha53f36lsd.onion/input/37e60e13536f6afe47a830bfb6b371b5cf65da66d7ad65137344679b24fdccd1' - - - nettest: blocking/dns_consistency - input_file: 'httpo://ihiderha53f36lsd.onion/input/37e60e13536f6afe47a830bfb6b371b5cf65da66d7ad65137344679b24fdccd1' - - - nettest: manipulation/http_invalid_request_line - - - nettest: manipulation/http_header_field_manipulation - - - nettest: manipulation/traceroute - - - nettest: blocking/http_host - input_file: 'httpo://ihiderha53f36lsd.onion/input/37e60e13536f6afe47a830bfb6b371b5cf65da66d7ad65137344679b24fdccd1' +The complete.deck provided with each installation of ooni-probe would be: + +``` +header: +body: +- nettest: blocking/http_request +input_file: 'httpo://ihiderha53f36lsd.onion/input/37e60e13536f6afe47a830bfb6b371b5cf65da66d7ad65137344679b24fdccd1' + +- nettest: blocking/dns_consistency +input_file: 'httpo://ihiderha53f36lsd.onion/input/37e60e13536f6afe47a830bfb6b371b5cf65da66d7ad65137344679b24fdccd1' + +- nettest: manipulation/http_invalid_request_line + +- nettest: manipulation/http_header_field_manipulation + +- nettest: manipulation/traceroute + +- nettest: blocking/http_host +input_file: 'httpo://ihiderha53f36lsd.onion/input/37e60e13536f6afe47a830bfb6b371b5cf65da66d7ad65137344679b24fdccd1' +```
tor-commits@lists.torproject.org