test: add direct-mode E2E tests with real Telethon session (#64)

dvershinin · dvershinin · commit 1a1f26950d2d · 2026-03-26T23:29:24.000+08:00
Add test_direct_e2e.py that connects through a direct-mode proxy
using a real Telegram session and calls get_me() to verify the full
data path works. Tests both obfuscated2 (dd-prefix) and fake-TLS
(ee-prefix) transport modes.

New CI job `test-direct-e2e` starts two proxy instances with the
`--direct` flag and runs the E2E tests. Skips gracefully on fork
PRs where secrets are unavailable.

Rename misleading `test-direct` to `test-native-build` — it never
actually used `--direct`, running in ME relay mode instead.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -55,7 +55,7 @@ jobs:
         export MTPROXY_SECRET=$(head -c 16 /dev/urandom | xxd -ps)
         make test-tls
 
-  test-direct:
+  test-native-build:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
@@ -87,30 +87,26 @@ jobs:
 
     - name: Setup and Run Proxy
       run: |
-        # Debug: Check connectivity to Telegram DC
         echo "Checking connectivity to Telegram DC (149.154.175.50:443)..."
         nc -zv 149.154.175.50 443 || echo "Failed to connect to Telegram DC 149.154.175.50:443"
-        
+
         mkdir -p mtproxy-run
         cp objs/bin/mtproto-proxy mtproxy-run/
-        
+
         cd mtproxy-run
-        
-        # Download config/secret 
+
+        # Download config/secret (ME relay mode)
         curl --connect-timeout 10 --max-time 30 --retry 3 -fsSL https://core.telegram.org/getProxySecret -o proxy-secret
         curl --connect-timeout 10 --max-time 30 --retry 3 -fsSL https://core.telegram.org/getProxyConfig -o proxy-multi.conf
-        
-        # Generate a random secret for testing using xxd (from vim-common)
+
         SECRET=$(head -c 16 /dev/urandom | xxd -ps)
         echo "Using secret: $SECRET"
-        
-        # Start proxy in background (use port 8443 to avoid permission issues)
+
+        # ME relay mode proxy
         ./mtproto-proxy -u nobody -p 8888 -H 8443 -S $SECRET --http-stats --aes-pwd proxy-secret proxy-multi.conf -M 1 &
-        
-        # Export SECRET for the test step
+
         echo "MTPROXY_SECRET=$SECRET" >> $GITHUB_ENV
-        
-        # Wait for it to start
+
         sleep 5
 
     - name: Run Python Tests
@@ -120,18 +116,16 @@ jobs:
         export MTPROXY_PORT=8443
         python3 tests/test_proxy.py
 
-    - name: Run TLS E2E Tests (Direct)
+    - name: Run TLS E2E Tests (ME Relay)
       run: |
         source .venv/bin/activate
 
-        # Start a second proxy instance with -D ya.ru for TLS testing
         cd mtproxy-run
         ./mtproto-proxy -p 9888 -H 9443 -S $MTPROXY_SECRET \
           --http-stats --aes-pwd proxy-secret proxy-multi.conf -D ya.ru -M 0 &
         TLS_PID=$!
         cd ..
 
-        # Wait for TLS proxy to be ready
         for i in $(seq 1 30); do
           curl -sf http://localhost:9888/stats >/dev/null 2>&1 && break
           sleep 2
@@ -143,6 +137,75 @@ jobs:
 
         kill $TLS_PID 2>/dev/null || true
 
+  test-direct-e2e:
+    runs-on: ubuntu-latest
+    # Only run when secrets are available (skip on fork PRs)
+    if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Install Dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y build-essential libssl-dev zlib1g-dev git curl vim-common python3 python3-pip python3-venv netcat-openbsd
+        python3 -m venv .venv
+        source .venv/bin/activate
+        pip install requests telethon TelethonFakeTLS
+
+    - name: Build MTProxy
+      run: |
+        make clean && make -j$(nproc)
+
+    - name: Start Direct-Mode Proxies
+      run: |
+        echo "Checking connectivity to Telegram DC (149.154.167.51:443)..."
+        nc -zv 149.154.167.51 443 || echo "WARNING: Cannot reach Telegram DC"
+
+        mkdir -p mtproxy-run
+        cp objs/bin/mtproto-proxy mtproxy-run/
+        cd mtproxy-run
+
+        SECRET=$(head -c 16 /dev/urandom | xxd -ps)
+        echo "Using secret: $SECRET"
+        echo "MTPROXY_SECRET=$SECRET" >> $GITHUB_ENV
+
+        # Obfuscated2 direct-mode proxy (no proxy-secret/proxy-multi.conf needed)
+        ./mtproto-proxy -u nobody -p 8888 -H 8443 -S $SECRET \
+          --http-stats --direct -M 0 &
+        echo "Started obfs2 direct-mode proxy on port 8443"
+
+        # Fake-TLS direct-mode proxy
+        ./mtproto-proxy -u nobody -p 9888 -H 9443 -S $SECRET \
+          --http-stats --direct -D ya.ru -M 0 &
+        echo "Started fake-TLS direct-mode proxy on port 9443"
+
+        # Wait for both proxies to be ready
+        for port in 8888 9888; do
+          for i in $(seq 1 30); do
+            curl -sf http://localhost:$port/stats >/dev/null 2>&1 && break
+            sleep 2
+          done
+          curl -sf http://localhost:$port/stats >/dev/null 2>&1 || {
+            echo "ERROR: Proxy on stats port $port not ready after 60s"
+            exit 1
+          }
+        done
+        echo "Both proxies are ready"
+
+    - name: Run Direct Mode E2E Tests
+      env:
+        TG_STRING_SESSION: ${{ secrets.TG_STRING_SESSION }}
+      run: |
+        source .venv/bin/activate
+        DIRECT_HOST=localhost \
+        DIRECT_OBFS2_PORT=8443 \
+        DIRECT_TLS_PORT=9443 \
+        MTPROXY_SECRET=$MTPROXY_SECRET \
+        EE_DOMAIN=ya.ru \
+        python3 tests/test_direct_e2e.py
+
   test-asan:
     runs-on: ubuntu-latest
     steps:
diff --git a/tests/Dockerfile b/tests/Dockerfile
@@ -3,6 +3,6 @@ WORKDIR /app
 COPY requirements.txt .
 RUN pip install -r requirements.txt
 ENV PYTHONUNBUFFERED=1
-COPY test_proxy.py test_tls_e2e.py test_multi_secret_tls.py test_ip_acl.py ./
+COPY test_proxy.py test_tls_e2e.py test_multi_secret_tls.py test_ip_acl.py test_direct_e2e.py ./
 CMD ["python", "test_proxy.py"]
 
diff --git a/tests/test_direct_e2e.py b/tests/test_direct_e2e.py
@@ -0,0 +1,204 @@
+#!/usr/bin/env python3
+"""E2E tests for MTProxy direct mode.
+
+Starts a real Telethon session through a direct-mode MTProxy and calls
+get_me() to verify the full data path works.  Tests both obfuscated2
+(dd-prefix) and fake-TLS (ee-prefix) transport modes.
+
+Requires the TG_STRING_SESSION environment variable (Telethon StringSession).
+Skips gracefully when the secret is absent (fork PRs, external contributors).
+
+Usage:
+    TG_STRING_SESSION=... MTPROXY_SECRET=... python3 tests/test_direct_e2e.py
+
+Environment variables:
+    TG_STRING_SESSION   Telethon StringSession string (required)
+    MTPROXY_SECRET      32-char hex proxy secret (required)
+    DIRECT_HOST         Proxy hostname (default: localhost)
+    DIRECT_OBFS2_PORT   Obfuscated2 proxy port (default: 8443)
+    DIRECT_TLS_PORT     Fake-TLS proxy port (default: 9443)
+    EE_DOMAIN           Domain for fake-TLS mode (default: ya.ru)
+"""
+
+import asyncio
+import os
+import sys
+
+# Official Telegram macOS client credentials (public, well-known).
+API_ID = 2834
+API_HASH = "68875f756c9b437a8b916ca3de215815"
+
+
+def _patch_telethon_faketls():
+    """Patch TelethonFakeTLS bugs.
+
+    1. read_server_hello: upstream only reads the first encrypted record,
+       but the proxy computes HMAC over all records.
+    2. FakeTLSStreamWriter: upstream never sends CCS (ChangeCipherSpec)
+       before the first data record, but the proxy requires it.
+    """
+    import TelethonFakeTLS.FakeTLS.TLSInOut as tls_io
+
+    async def _read_server_hello(self):
+        buf = bytearray(await self.upstream.readexactly(133))
+        while True:
+            try:
+                header = await asyncio.wait_for(
+                    self.upstream.readexactly(5), timeout=0.5
+                )
+            except (asyncio.TimeoutError, EOFError):
+                break
+            buf += header
+            if header[:3] != b"\x17\x03\x03":
+                break
+            rec_len = int.from_bytes(header[3:5], "big")
+            buf += await self.upstream.readexactly(rec_len)
+        return bytes(buf)
+
+    tls_io.FakeTLSStreamReader.read_server_hello = _read_server_hello
+
+    _orig_write = tls_io.FakeTLSStreamWriter.write
+    _ccs_sent_writers = set()
+
+    def _writer_write_with_ccs(self, data, extra={}):
+        if id(self) not in _ccs_sent_writers:
+            _ccs_sent_writers.add(id(self))
+            self.upstream.write(b"\x14\x03\x03\x00\x01\x01")
+        return _orig_write(self, data, extra)
+
+    tls_io.FakeTLSStreamWriter.write = _writer_write_with_ccs
+
+
+async def test_obfs2_get_me(host, port, secret, session_str):
+    """Connect via obfuscated2 (dd-prefix) and call get_me()."""
+    from telethon import TelegramClient
+    from telethon.network.connection import (
+        ConnectionTcpMTProxyRandomizedIntermediate,
+    )
+    from telethon.sessions import StringSession
+
+    print(f"[obfs2] Connecting to {host}:{port} ...", flush=True)
+
+    client = TelegramClient(
+        StringSession(session_str),
+        api_id=API_ID,
+        api_hash=API_HASH,
+        connection=ConnectionTcpMTProxyRandomizedIntermediate,
+        proxy=(host, port, "dd" + secret),
+    )
+
+    try:
+        await asyncio.wait_for(client.connect(), timeout=30)
+        if not client.is_connected():
+            print("[obfs2] FAIL: client did not connect")
+            return False
+
+        me = await asyncio.wait_for(client.get_me(), timeout=15)
+        if me is None:
+            print("[obfs2] FAIL: get_me() returned None")
+            return False
+
+        print(f"[obfs2] OK: get_me() returned user_id={me.id}")
+        return True
+    except Exception as e:
+        print(f"[obfs2] FAIL: {type(e).__name__}: {e}")
+        return False
+    finally:
+        try:
+            await client.disconnect()
+        except Exception:
+            pass
+
+
+async def test_faketls_get_me(host, port, secret, domain, session_str):
+    """Connect via fake-TLS (ee-prefix) and call get_me()."""
+    try:
+        from TelethonFakeTLS import ConnectionTcpMTProxyFakeTLS
+    except ImportError:
+        print("[fake-tls] SKIP: TelethonFakeTLS not installed")
+        return True
+
+    from telethon import TelegramClient
+    from telethon.sessions import StringSession
+
+    _patch_telethon_faketls()
+
+    proxy_secret = secret + domain.encode().hex()
+    print(f"[fake-tls] Connecting to {host}:{port} (domain={domain}) ...",
+          flush=True)
+
+    client = TelegramClient(
+        StringSession(session_str),
+        api_id=API_ID,
+        api_hash=API_HASH,
+        connection=ConnectionTcpMTProxyFakeTLS,
+        proxy=(host, port, proxy_secret),
+    )
+
+    try:
+        await asyncio.wait_for(client.connect(), timeout=30)
+        if not client.is_connected():
+            print("[fake-tls] FAIL: client did not connect")
+            return False
+
+        me = await asyncio.wait_for(client.get_me(), timeout=15)
+        if me is None:
+            print("[fake-tls] FAIL: get_me() returned None")
+            return False
+
+        print(f"[fake-tls] OK: get_me() returned user_id={me.id}")
+        return True
+    except Exception as e:
+        print(f"[fake-tls] FAIL: {type(e).__name__}: {e}")
+        return False
+    finally:
+        try:
+            await client.disconnect()
+        except Exception:
+            pass
+
+
+def main():
+    session_str = os.environ.get("TG_STRING_SESSION", "")
+    if not session_str:
+        print("SKIP: TG_STRING_SESSION not set (secrets not available)")
+        sys.exit(0)
+
+    secret = os.environ.get("MTPROXY_SECRET", "")
+    if not secret:
+        print("ERROR: MTPROXY_SECRET required")
+        sys.exit(1)
+
+    host = os.environ.get("DIRECT_HOST", "localhost")
+    obfs2_port = int(os.environ.get("DIRECT_OBFS2_PORT", "8443"))
+    tls_port = int(os.environ.get("DIRECT_TLS_PORT", "9443"))
+    domain = os.environ.get("EE_DOMAIN", "ya.ru")
+
+    results = []
+
+    print("=== Direct Mode E2E Tests ===\n")
+
+    # Test 1: obfuscated2
+    ok = asyncio.run(test_obfs2_get_me(host, obfs2_port, secret, session_str))
+    results.append(("obfs2", ok))
+    print()
+
+    # Test 2: fake-TLS
+    ok = asyncio.run(
+        test_faketls_get_me(host, tls_port, secret, domain, session_str)
+    )
+    results.append(("fake-tls", ok))
+
+    print("\n=== Results ===")
+    all_ok = True
+    for name, ok in results:
+        status = "PASS" if ok else "FAIL"
+        print(f"  {name}: {status}")
+        if not ok:
+            all_ok = False
+
+    sys.exit(0 if all_ok else 1)
+
+
+if __name__ == "__main__":
+    main()
