hash-of-wisdom/test/integration/slowloris_test.go

package integration

import (
	"net"
	"testing"
	"time"

	"hash-of-wisdom/internal/protocol"
	"hash-of-wisdom/internal/server"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestSlowlorisProtection_SlowReader(t *testing.T) {
	// Setup server with very short read timeout for testing
	config := server.DefaultConfig()
	config.Address = ":0"
	config.Timeouts.Read = 100 * time.Millisecond
	config.Timeouts.Write = 5 * time.Second
	config.Timeouts.Connection = 15 * time.Second

	srv := setupTestServerWithConfig(t, config)
	defer srv.Stop()

	// Connect to server
	conn, err := net.Dial("tcp", srv.Address())
	require.NoError(t, err)
	defer conn.Close()

	// Send partial message header very slowly (slowloris attack)
	_, err = conn.Write([]byte{0x01}) // Challenge request type
	require.NoError(t, err)

	// Wait longer than read timeout before sending length
	time.Sleep(200 * time.Millisecond)

	// Try to send more data - connection should be timed out
	_, err = conn.Write([]byte{0x00, 0x00, 0x00, 0x00}) // Payload length

	// Verify connection is closed by trying to read
	buffer := make([]byte, 1024)
	conn.SetReadDeadline(time.Now().Add(500 * time.Millisecond))
	_, err = conn.Read(buffer)
	assert.Error(t, err, "Connection should be closed due to slow reading")
}

func TestSlowlorisProtection_SlowWriter(t *testing.T) {
	// Setup server with very short write timeout for testing
	config := server.DefaultConfig()
	config.Address = ":0"
	config.Timeouts.Read = 5 * time.Second
	config.Timeouts.Write = 100 * time.Millisecond
	config.Timeouts.Connection = 15 * time.Second

	srv := setupTestServerWithConfig(t, config)
	defer srv.Stop()

	// Connect to server but don't read responses (simulate slow writer client)
	conn, err := net.Dial("tcp", srv.Address())
	require.NoError(t, err)
	defer conn.Close()

	// Send a complete challenge request
	challengeReq := &protocol.ChallengeRequest{}
	err = challengeReq.Encode(conn)
	require.NoError(t, err)

	// Don't read the response to simulate slow writer
	// Server should timeout when trying to write response
	time.Sleep(200 * time.Millisecond)

	// Try to send another request - connection should be closed
	err = challengeReq.Encode(conn)
	assert.Error(t, err, "Connection should be closed due to slow writing")
}

func TestSlowlorisProtection_ConnectionTimeout(t *testing.T) {
	// Setup server with very short connection timeout
	config := server.DefaultConfig()
	config.Address = ":0"
	config.Timeouts.Read = 5 * time.Second
	config.Timeouts.Write = 5 * time.Second
	config.Timeouts.Connection = 100 * time.Millisecond

	srv := setupTestServerWithConfig(t, config)
	defer srv.Stop()

	// Connect to server
	conn, err := net.Dial("tcp", srv.Address())
	require.NoError(t, err)
	defer conn.Close()

	// Wait longer than connection timeout without sending any data
	time.Sleep(200 * time.Millisecond)

	// Try to read from connection - should get EOF or connection reset
	buffer := make([]byte, 1024)
	conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
	_, err = conn.Read(buffer)
	assert.Error(t, err, "Connection should be closed due to connection timeout")
}

func TestSlowlorisProtection_MultipleSlowConnections(t *testing.T) {
	// Setup server with short timeouts
	config := server.DefaultConfig()
	config.Address = ":0"
	config.Timeouts.Read = 50 * time.Millisecond
	config.Timeouts.Write = 50 * time.Millisecond
	config.Timeouts.Connection = 200 * time.Millisecond

	srv := setupTestServerWithConfig(t, config)
	defer srv.Stop()

	// Create multiple slow connections (simulating slowloris attack)
	var conns []net.Conn
	for i := 0; i < 3; i++ {
		conn, err := net.Dial("tcp", srv.Address())
		require.NoError(t, err)
		conns = append(conns, conn)

		// Send partial data to trigger slow reader behavior
		_, err = conn.Write([]byte{0x01}) // Just message type
		require.NoError(t, err)
	}

	// Clean up connections
	defer func() {
		for _, conn := range conns {
			conn.Close()
		}
	}()

	// Wait for read timeouts to kick in
	time.Sleep(100 * time.Millisecond)

	// Verify slow connections are closed by trying to read from them
	for i, conn := range conns {
		buffer := make([]byte, 1024)
		conn.SetReadDeadline(time.Now().Add(50 * time.Millisecond))
		_, err := conn.Read(buffer)
		assert.Error(t, err, "Slow connection %d should be closed", i)
	}
}

func TestSlowlorisProtection_NormalOperationWithinTimeouts(t *testing.T) {
	// Setup server with reasonable timeouts
	config := server.DefaultConfig()
	config.Address = ":0"

	srv := setupTestServerWithConfig(t, config)
	defer srv.Stop()

	// Connect and complete normal flow quickly
	conn, err := net.Dial("tcp", srv.Address())
	require.NoError(t, err)
	defer conn.Close()

	// Request challenge
	challengeReq := &protocol.ChallengeRequest{}
	err = challengeReq.Encode(conn)
	require.NoError(t, err)

	// Should receive challenge response without timeout
	decoder := protocol.NewMessageDecoder()
	msg, err := decoder.Decode(conn)
	require.NoError(t, err)
	assert.Equal(t, protocol.ChallengeResponseType, msg.Type)
	assert.Greater(t, msg.PayloadLength, uint32(0), "Challenge payload should not be empty")
}

func TestSlowlorisProtection_PartialHeaderAttack(t *testing.T) {
	// Setup server with short read timeout
	config := server.DefaultConfig()
	config.Address = ":0"
	config.Timeouts.Read = 100 * time.Millisecond

	srv := setupTestServerWithConfig(t, config)
	defer srv.Stop()

	// Connect to server
	conn, err := net.Dial("tcp", srv.Address())
	require.NoError(t, err)
	defer conn.Close()

	// Send only message type byte, then stall
	_, err = conn.Write([]byte{0x01})
	require.NoError(t, err)

	// Wait for read timeout
	time.Sleep(200 * time.Millisecond)

	// Try to read from connection - should be closed
	buffer := make([]byte, 1024)
	conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
	_, err = conn.Read(buffer)
	assert.Error(t, err, "Connection should be closed due to partial header")
}