test(webrtc): realness sentinels + e2e behind a fake TCP-only SOCKS proxy

Unit sentinels (run in CI) assert the rules a real WebRTC profile must meet: host candidate is mDNS .local (never a raw LAN IP), the synthetic srflx carries the egress IP with a genuine nICEr priority (rejecting the old local_pref 0xFFFF) and a foundation distinct from the host one, and CreepJS's resolver returns the egress (and reads a host-only SDP as blocked). e2e tests launch the binary and check the live gather. "Behind a proxy" is reproduced without any external proxy: an in-process SOCKS5 server relays TCP CONNECT but refuses UDP ASSOCIATE (a TCP-only residential proxy), and the egress IP is injected as an RFC 5737 TEST-NET address. test_not_blocked_behind_tcp_only_socks guards the gather-fails-behind-proxy bug. webrtc-e2e.yml runs the e2e on demand (needs a binary that carries the fixes).
2026-06-07 08:35:12 +02:00 · 2026-06-06 18:35:52 +02:00 · 2026-06-06 18:35:52 +02:00 · 8bf72da40c
commit 8bf72da40c
parent e2bcd0cd4c
2 changed files with 489 additions and 0 deletions
--- a/.github/workflows/webrtc-e2e.yml
+++ b/.github/workflows/webrtc-e2e.yml
@ -0,0 +1,47 @@
+name: webrtc-e2e
+
+# Live WebRTC realness check against the shipped patched binary.
+#
+# Manual (workflow_dispatch) on purpose: it needs a firefox-N binary that
+# carries the WebRTC fixes (synthetic srflx in genuine nICEr form + the
+# default-route fallback behind a proxy). Run it after publishing such a
+# binary — it is the release gate for "WebRTC looks real behind a proxy".
+# Until that binary ships, test_not_blocked_behind_tcp_only_socks is EXPECTED
+# to fail (the old binary is fully blocked behind a SOCKS proxy), which is the
+# whole point of the gate.
+#
+# No smartproxy / credentials: the "behind a proxy" condition is faked by an
+# in-process TCP-only SOCKS5 server (refuses UDP ASSOCIATE) and the egress IP
+# is injected as an RFC 5737 TEST-NET address. Fully self-contained.
+
+on:
+  workflow_dispatch:
+
+jobs:
+  webrtc-e2e:
+    name: webrtc realness (ubuntu, py3.12)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+
+      - name: Install package + dev extras
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Fetch the patched Firefox binary
+        run: python -m invisible_playwright fetch
+
+      - name: Resolve binary path
+        run: echo "STEALTHFOX_E2E_BINARY=$(python -m invisible_playwright path)" >> "$GITHUB_ENV"
+
+      - name: Run WebRTC realness e2e (xvfb for the headless Firefox)
+        run: |
+          sudo apt-get update && sudo apt-get install -y xvfb
+          xvfb-run -a pytest tests/test_webrtc_realness.py -m e2e -o addopts="" -v -rs