Add `force_direct` flag to API override

author: Markus Pettersson <markus.pettersson@mullvad.net> 2024-02-14 09:50:06 +0100
committer: Markus Pettersson <markus.pettersson@mullvad.net> 2024-02-15 16:28:38 +0100
commit: 25f0f2ede5cc241741988586cc549d600d34460d (patch)
tree: bb4038e1c3e8d7e9e1e63aa2bd8dadcf5c008c3b
parent: 02c2042bedc65de21847213204651c55c9dd6f6e (diff)
download: mullvadvpn-25f0f2ede5cc241741988586cc549d600d34460d.tar.xz
mullvadvpn-25f0f2ede5cc241741988586cc549d600d34460d.zip
2 files changed, 49 insertions, 27 deletions
diff --git a/mullvad-api/src/lib.rs b/mullvad-api/src/lib.rs
index 17e80b66c0..d714d5ee3f 100644
--- a/mullvad-api/src/lib.rs
+++ b/mullvad-api/src/lib.rs
@@ -104,6 +104,13 @@ impl<T> Deref for LazyManual<T> {
     }
 }
 
+pub mod env {
+    pub const API_HOST_VAR: &str = "MULLVAD_API_HOST";
+    pub const API_ADDR_VAR: &str = "MULLVAD_API_ADDR";
+    pub const API_FORCE_DIRECT_VAR: &str = "MULLVAD_API_FORCE_DIRECT";
+    pub const DISABLE_TLS_VAR: &str = "MULLVAD_API_DISABLE_TLS";
+}
+
 /// A hostname and socketaddr to reach the Mullvad REST API over.
 #[derive(Debug)]
 pub struct ApiEndpoint {
@@ -128,6 +135,23 @@ pub struct ApiEndpoint {
     pub disable_address_cache: bool,
     #[cfg(feature = "api-override")]
     pub disable_tls: bool,
+    #[cfg(feature = "api-override")]
+    /// Whether bridges/proxies can be used to access the API or not. This is
+    /// useful primarily for testing purposes.
+    ///
+    /// * If `force_direct` is `true`, bridges and proxies will not be used to
+    /// reach the API.
+    /// * If `force_direct` is `false`, bridges and proxies can be used to reach the API.
+    ///
+    /// # Note
+    ///
+    /// By default, `force_direct` will be `true` if the `api-override` feature
+    /// is enabled. This is supposedely less error prone, as common targets such
+    /// as Devmole might be unreachable from behind a bridge server.
+    ///
+    /// To disable `force_direct`, set the environment variable
+    /// `MULLVAD_API_FORCE_DIRECT=0` before starting the daemon.
+    pub force_direct: bool,
 }
 
 impl ApiEndpoint {
@@ -135,10 +159,6 @@ impl ApiEndpoint {
     const API_IP_DEFAULT: IpAddr = IpAddr::V4(Ipv4Addr::new(45, 83, 223, 196));
     const API_PORT_DEFAULT: u16 = 443;
 
-    const API_HOST_VAR: &'static str = "MULLVAD_API_HOST";
-    const API_ADDR_VAR: &'static str = "MULLVAD_API_ADDR";
-    const DISABLE_TLS_VAR: &'static str = "MULLVAD_API_DISABLE_TLS";
-
     /// Returns the endpoint to connect to the API over.
     ///
     /// # Panics
@@ -147,15 +167,19 @@ impl ApiEndpoint {
     /// `MULLVAD_API_DISABLE_TLS` has invalid contents.
     #[cfg(feature = "api-override")]
     pub fn from_env_vars() -> ApiEndpoint {
-        let host_var = Self::read_var(ApiEndpoint::API_HOST_VAR);
-        let address_var = Self::read_var(ApiEndpoint::API_ADDR_VAR);
-        let disable_tls_var = Self::read_var(ApiEndpoint::DISABLE_TLS_VAR);
+        let host_var = Self::read_var(env::API_HOST_VAR);
+        let address_var = Self::read_var(env::API_ADDR_VAR);
+        let disable_tls_var = Self::read_var(env::DISABLE_TLS_VAR);
+        let force_direct = Self::read_var(env::API_FORCE_DIRECT_VAR);
 
         let mut api = ApiEndpoint {
             host: None,
             address: None,
             disable_address_cache: true,
             disable_tls: false,
+            force_direct: force_direct
+                .map(|force_direct_env| force_direct_env.to_lowercase() != "0")
+                .unwrap_or(true),
         };
 
         match (host_var, address_var) {
@@ -164,8 +188,8 @@ impl ApiEndpoint {
                 use std::net::ToSocketAddrs;
                 log::debug!(
                     "{api_addr} not found. Resolving API IP address from {api_host}={host}",
-                    api_addr = ApiEndpoint::API_ADDR_VAR,
-                    api_host = ApiEndpoint::API_HOST_VAR
+                    api_addr = env::API_ADDR_VAR,
+                    api_host = env::API_HOST_VAR
                 );
                 api.address = format!("{}:{}", host, ApiEndpoint::API_PORT_DEFAULT)
                     .to_socket_addrs()
@@ -181,7 +205,7 @@ impl ApiEndpoint {
                 let addr = address.parse().unwrap_or_else(|_| {
                     panic!(
                         "{api_addr}={address} is not a valid socketaddr",
-                        api_addr = ApiEndpoint::API_ADDR_VAR,
+                        api_addr = env::API_ADDR_VAR,
                     )
                 });
                 api.address = Some(addr);
@@ -193,9 +217,9 @@ impl ApiEndpoint {
             if disable_tls_var.is_some() {
                 log::warn!(
                     "{disable_tls} is ignored since {api_host} and {api_addr} are not set",
-                    disable_tls = ApiEndpoint::DISABLE_TLS_VAR,
-                    api_host = ApiEndpoint::API_HOST_VAR,
-                    api_addr = ApiEndpoint::API_ADDR_VAR,
+                    disable_tls = env::DISABLE_TLS_VAR,
+                    api_host = env::API_HOST_VAR,
+                    api_addr = env::API_ADDR_VAR,
                 );
             }
         } else {
@@ -226,16 +250,17 @@ impl ApiEndpoint {
     /// `MULLVAD_API_DISABLE_TLS` has invalid contents.
     #[cfg(not(feature = "api-override"))]
     pub fn from_env_vars() -> ApiEndpoint {
-        let host_var = Self::read_var(ApiEndpoint::API_HOST_VAR);
-        let address_var = Self::read_var(ApiEndpoint::API_ADDR_VAR);
-        let disable_tls_var = Self::read_var(ApiEndpoint::DISABLE_TLS_VAR);
+        let env_vars = [
+            env::API_HOST_VAR,
+            env::API_ADDR_VAR,
+            env::DISABLE_TLS_VAR,
+            env::API_FORCE_DIRECT_VAR,
+        ];
 
-        if host_var.is_some() || address_var.is_some() || disable_tls_var.is_some() {
+        if env_vars.map(Self::read_var).iter().any(Option::is_some) {
             log::warn!(
-                "These variables are ignored in production builds: {api_host}, {api_addr}, {disable_tls}",
-                api_host = ApiEndpoint::API_HOST_VAR,
-                api_addr = ApiEndpoint::API_ADDR_VAR,
-                disable_tls = ApiEndpoint::DISABLE_TLS_VAR
+                "These variables are ignored in production builds: {env_vars_pretty}",
+                env_vars_pretty = env_vars.join(", ")
             );
         }
 
diff --git a/mullvad-daemon/src/api.rs b/mullvad-daemon/src/api.rs
index 5db03c2008..1e6ba296a3 100644
--- a/mullvad-daemon/src/api.rs
+++ b/mullvad-daemon/src/api.rs
@@ -328,10 +328,7 @@ impl AccessModeSelector {
         #[cfg(feature = "api-override")]
         {
             use mullvad_api::API;
-            // If the API address has been explicitly overridden, it should
-            // always be used. This implies that a direct API connection mode is
-            // used.
-            if API.address.is_some() {
+            if API.force_direct {
                 log::debug!("API proxies are disabled");
                 let endpoint = resolve_allowed_endpoint(
                     &ApiConnectionMode::Direct,
@@ -350,8 +347,8 @@ impl AccessModeSelector {
             }
 
             log::debug!(
-                "The `api-override` feature is enabled, but the API address \
-                 was not overridden. Selecting API access methods as normal"
+                "The `api-override` feature is enabled, but a direct connection \
+                 is not enforced. Selecting API access methods as normal"
             );
         }
author	Markus Pettersson <markus.pettersson@mullvad.net>	2024-02-14 09:50:06 +0100
committer	Markus Pettersson <markus.pettersson@mullvad.net>	2024-02-15 16:28:38 +0100
commit	25f0f2ede5cc241741988586cc549d600d34460d (patch)
tree	bb4038e1c3e8d7e9e1e63aa2bd8dadcf5c008c3b
parent	02c2042bedc65de21847213204651c55c9dd6f6e (diff)
download	mullvadvpn-25f0f2ede5cc241741988586cc549d600d34460d.tar.xz mullvadvpn-25f0f2ede5cc241741988586cc549d600d34460d.zip