LVPN-8307: Update tests for consent (#932)

Author: devzbysiu

.github/workflows/ci-gitlab.yml

@@ -18,4 +18,4 @@ jobs:
       project-id: ${{ secrets.PROJECT_ID }}
     with:
       cancel-outdated-pipelines: ${{ github.ref_name != 'main' }}
-      triggered-ref: v1.1.0
+      triggered-ref: v1.1.1

ci/docker/tester-selenium/requirements.txt

@@ -1,2 +1,3 @@
 selenium==4.19.0
-pytest-html==4.1.1
+pytest-html==4.1.1
+pexpect==4.8.0

ci/docker/tester/requirements.txt

@@ -11,3 +11,4 @@ protobuf==5.28.3
 selenium==4.26.0
 grpcio==1.68.1
 pytest-html==4.1.1
+pexpect==4.8.0

cli/messages.go

@@ -371,6 +371,8 @@ Provide a [transfer_id] argument to list files in the specified transfer.`
 	SetPqAndMeshnetServer  = "Meshnet isn’t compatible with post-quantum encryption. Reconnect to the VPN to fully disable post-quantum protection and try again."
 	SetPqUsageText         = "Enables or disables post-quantum encryption. When enabled, the encryption protects your VPN connection against potential quantum computer attacks.\nNote: Currently, post-quantum encryption works only with standard NordLynx servers, so it won’t activate when you use a dedicated IP, OpenVPN, NordWhisper or obfuscated servers.\nThe feature is not compatible with Meshnet."
 
+	SetDefaultsLogoutFlagText = " Log out after restoring settings to their default values. Example: nordvpn set defaults --logout"
+
 	AnalyticsPolicyLink = "https://my.nordaccount.com/legal/privacy-policy/?utm_medium=app&utm_source=nordvpn-linux-cli&utm_campaign=settings_account-privacy_policy&nm=app&ns=nordvpn-linux-cli&nc=settings-privacy_policy"
 	MsgConsentAgreement = `We value your privacy.
 

daemon/userconsent.go

@@ -160,7 +160,7 @@ func (acc *AnalyticsConsentChecker) consentModeFromUserLocation() consentMode {
 	}
 
 	mode := modeForCountryCode(core.NewCountryCode(cc))
-	log.Printf(internal.DebugPrefix+" consent mode for country code '%s': %s", insights.CountryCode, mode)
+	log.Printf(internal.DebugPrefix+" consent mode for country code '%s': %s\n", cc, mode)
 	return mode
 }
 

magefiles/mage.go

@@ -23,7 +23,7 @@ const (
 	imageSnapPackager      = registryPrefix + "snaper:1.0.0"
 	imageProtobufGenerator = registryPrefix + "generator:1.4.1"
 	imageScanner           = registryPrefix + "scanner:1.1.0"
-	imageTester            = registryPrefix + "tester:1.4.0"
+	imageTester            = registryPrefix + "tester:1.5.0"
 	imageQAPeer            = registryPrefix + "qa-peer:1.0.4"
 	imageRuster            = registryPrefix + "ruster:1.3.1"
 

test/qa/lib/__init__.py

@@ -144,6 +144,28 @@
 ]
 
 
+EXPECTED_CONSENT_MESSAGE = """
+We value your privacy.
+
+That's why we want to be transparent about what data you agree to give us. We only collect the bare minimum of information required to offer a smooth and stable VPN experience.
+
+By pressing "y" (yes), you allow us to collect and use limited app performance data. This helps us keep our features relevant to your needs and fix issues faster, as explained in our Privacy Policy.
+https://my.nordaccount.com/legal/privacy-policy/?utm_medium=app&utm_source=nordvpn-linux-cli&utm_campaign=settings_account-privacy_policy&nm=app&ns=nordvpn-linux-cli&nc=settings-privacy_policy
+
+Press "n" (no) to send only the essential data our app needs to work.
+
+Your browsing activities remain private, regardless of your choice.
+"""
+WE_VALUE_YOUR_PRIVACY_MSG = "We value your privacy"
+USER_CONSENT_PROMPT = "Do you allow us to collect and use limited app performance data\? \(y/n\)"
+
+
+class UserConsentMode(str, Enum):
+    ENABLED = "enabled"
+    DISABLED = "disabled"
+    UNDEFINED = "undefined"
+
+
 class Protocol(Enum):
     UDP = "UDP"
     TCP = "TCP"
@@ -385,3 +407,8 @@ def technology_to_upper_camel_case(tech: str) -> str:
             return "OpenVPN"
         case "NORDWHISPER":
             return "NordWhisper"
+
+
+def squash_whitespace(text: str) -> str:
+    """Normalize whitespace by collapsing all sequences of whitespace into single spaces."""
+    return ' '.join(text.split())

test/qa/lib/login.py

@@ -1,9 +1,11 @@
 import json
 import os
+import io
+import pexpect
 
 import sh
 
-from . import logging, ssh
+from . import UserConsentMode, logging, ssh, squash_whitespace, WE_VALUE_YOUR_PRIVACY_MSG, USER_CONSENT_PROMPT
 
 
 class Credentials:
@@ -33,12 +35,59 @@ def get_credentials(key) -> Credentials:
             password=creds.get("password", None))
 
 
-def login_as(username, ssh_client: ssh.Ssh = None):
-    """login_as specified user with optional delay before calling login."""
+def login_as(username, ssh_client: ssh.Ssh = None, with_user_consent: UserConsentMode = UserConsentMode.ENABLED):
+    """login_as specified user, optional SSH connection and option for setting user consent before calling login."""
     token = get_credentials(username).token
 
     logging.log(f"logging in as {token}")
 
     if ssh_client is not None:
+        if with_user_consent != UserConsentMode.UNDEFINED:
+            ssh_client.exec_command(f"nordvpn set analytics {_analytics_value(with_user_consent)}")
         return ssh_client.exec_command(f"nordvpn login --token {token}")
+
+    if with_user_consent != UserConsentMode.UNDEFINED:
+        sh.nordvpn.set.analytics(_analytics_value(with_user_consent))
     return sh.nordvpn.login("--token", token)
+
+
+def _analytics_value(mode: UserConsentMode) -> str:
+    if mode == UserConsentMode.UNDEFINED:
+        raise Exception("can't set analytics with undefined consent")
+
+    if mode == UserConsentMode.ENABLED:
+        return "on"
+
+    if mode == UserConsentMode.DISABLED:
+        return "off"
+
+    msg = f"not supported consent mode: {mode}"
+    raise Exception(msg)
+
+
+def spawn_nordvpn_login():
+    """Spawns the nordvpn login process and sets up an output buffer."""
+    buffer = io.StringIO()
+    cli = pexpect.spawn("nordvpn", args=["login"], encoding="utf-8", timeout=10)
+    cli.logfile_read = buffer
+    return cli, buffer
+
+
+def wait_for_consent_prompt(cli):
+    """Waits for the consent prompt to appear."""
+    cli.expect(USER_CONSENT_PROMPT)
+
+
+def get_new_output(buffer, old_output=""):
+    """Returns only the newly added output since old_output."""
+    return buffer.getvalue()[len(old_output):]
+
+
+def assert_prompt_present(output, message=WE_VALUE_YOUR_PRIVACY_MSG):
+    """Asserts that the consent message is in the output."""
+    assert message in squash_whitespace(output)
+
+
+def assert_prompt_absent(output, message=WE_VALUE_YOUR_PRIVACY_MSG):
+    """Asserts that the consent message is not in the output."""
+    assert message not in squash_whitespace(output)

test/qa/lib/settings.py

@@ -2,6 +2,8 @@
 
 import sh
 
+from . import UserConsentMode
+
 
 MSG_AUTOCONNECT_ENABLE_SUCCESS = "Auto-connect is set to 'enabled' successfully."
 MSG_AUTOCONNECT_DISABLE_SUCCESS = "Auto-connect is set to 'disabled' successfully."
@@ -109,9 +111,25 @@ def is_dns_disabled():
     return Settings().get("DNS") == "disabled"
 
 
-def are_analytics_enabled():
-    """Returns True, if Analytics are enabled in application settings."""
-    return Settings().get("Analytics") == "enabled"
+def is_user_consent_granted():
+    """
+    Returns True, if User Consent is enabled, False if it's disabled.
+
+    If the consent was not declared. It raises an exception.
+    """
+    user_consent = Settings().get("user consent")
+    if user_consent == UserConsentMode.ENABLED:
+        return True
+
+    if user_consent == UserConsentMode.DISABLED:
+        return False
+
+    raise Exception("user consent is undefined")
+
+
+def is_user_consent_declared():
+    """Returns True, if User Consent is enabled or disabled, False if it is undefined in application settings."""
+    return Settings().get("user consent") != UserConsentMode.UNDEFINED
 
 
 def is_virtual_location_enabled():
@@ -132,7 +150,8 @@ def app_has_defaults_settings():
         "Firewall: enabled" in settings and
         "Firewall Mark: 0xe1f1" in settings and
         "Routing: enabled" in settings and
-        "Analytics: enabled" in settings and
+        # User Consent is not restored to default on reset
+        ("User Consent: enabled" in settings or "User Consent: disabled" in settings) and
         "Kill Switch: disabled" in settings and
         "Threat Protection Lite: disabled" in settings and
         "Notify: enabled" in settings and

test/qa/test_login.py

@@ -1,4 +1,5 @@
 import pytest
+import pexpect
 import sh
 
 import lib
@@ -8,6 +9,7 @@
     logging,
     login,
     network,
+    settings,
 )
 
 
@@ -28,6 +30,65 @@ def teardown_function(function):  # noqa: ARG001
     logging.log()
 
 
+def test_user_consent_is_displayed_on_login():
+    cli, _ = login.spawn_nordvpn_login()
+    login.wait_for_consent_prompt(cli)
+
+    full_output = cli.before + cli.after  # everything printed so far, including the last line
+
+    assert (
+        lib.squash_whitespace(lib.EXPECTED_CONSENT_MESSAGE)
+        in lib.squash_whitespace(full_output)
+    ), "Consent message did not match expected full output"
+
+
+def test_invalid_input_repeats_consent_prompt_only():
+    cli, buffer = login.spawn_nordvpn_login()
+    login.wait_for_consent_prompt(cli)
+    first_output = buffer.getvalue()
+
+    cli.sendline("blah")
+    login.wait_for_consent_prompt(cli)
+    second_output = login.get_new_output(buffer, first_output)
+
+    login.assert_prompt_present(first_output)
+    login.assert_prompt_absent(second_output)
+    assert "Invalid response" in lib.squash_whitespace(second_output)
+    assert "(y/n)" in lib.squash_whitespace(second_output)
+
+
+def test_user_consent_prompt_reappears_after_ctrl_c_interrupt():
+    cli1, buffer1 = login.spawn_nordvpn_login()
+    login.wait_for_consent_prompt(cli1)
+    cli1.sendintr()
+    cli1.expect(pexpect.EOF)
+    output1 = buffer1.getvalue()
+    login.assert_prompt_present(output1)
+
+    cli2, buffer2 = login.spawn_nordvpn_login()
+    login.wait_for_consent_prompt(cli2)
+    output2 = buffer2.getvalue()
+    login.assert_prompt_present(output2)
+
+
+def test_user_consent_granted_after_pressing_y_and_does_not_appear_again():
+    cli, _ = login.spawn_nordvpn_login()
+    login.wait_for_consent_prompt(cli)
+
+    assert not settings.is_user_consent_declared(), "Consent should not be declared before interaction"
+    cli.sendline("y")
+    cli.expect(pexpect.EOF)
+    assert settings.is_user_consent_granted(), "Consent should be recorded after pressing 'y'"
+
+    cli2, _ = login.spawn_nordvpn_login()
+    try:
+        cli2.expect(lib.USER_CONSENT_PROMPT)
+        raise AssertionError("Consent prompt appeared again after it was already granted")
+    except (pexpect.exceptions.TIMEOUT, pexpect.exceptions.EOF):
+        pass  # Good, prompt did not appear
+    cli2.expect(pexpect.EOF)
+
+
 def test_login():
     with lib.Defer(lambda: sh.nordvpn.logout("--persist-token")):
         output = login.login_as("default")

test/qa/test_login_nordaccount.py

@@ -73,6 +73,7 @@ def test_selenium_login_callback(login_flag):
     browser = sel.browser_get()
 
     with lib.Defer(sel.browser_kill):
+        sh.nordvpn.set.analytics("on")
         # Get login link from NordVPN app, trim all spaces & chars after link itself
         login_link = sh.nordvpn.login(login_flag, _tty_out=False).strip().split(": ")[1]
         print(f"Login link: {login_link}\n")

test/qa/test_meshnet_other.py

@@ -82,7 +82,7 @@ def test_set_defaults_when_logged_out_1st_set(tech, proto, obfuscated):
     assert "0xe1f1" not in  sh_no_tty.nordvpn.settings()
     assert daemon.is_killswitch_on()
     assert settings.is_lan_discovery_enabled()
-    assert not settings.are_analytics_enabled()
+    assert settings.is_user_consent_declared()
     assert settings.is_tpl_enabled()
 
     if obfuscated == "on":

test/qa/test_settings.py

@@ -1,5 +1,6 @@
 import pytest
 import sh
+import pexpect
 
 import lib
 from lib import daemon, dns, info, logging, login, network, settings
@@ -81,7 +82,7 @@ def test_set_defaults_when_logged_in_1st_set(tech, proto, obfuscated):
     assert not settings.is_firewall_enabled()
     assert not settings.is_routing_enabled()
     assert not settings.is_dns_disabled()
-    assert not settings.are_analytics_enabled()
+    assert settings.is_user_consent_declared()
     assert settings.is_notify_enabled()
     assert not settings.is_virtual_location_enabled()
 
@@ -154,7 +155,7 @@ def test_set_defaults_when_connected_1st_set(tech, proto, obfuscated):
 
     assert not settings.is_routing_enabled()
     assert not settings.is_dns_disabled()
-    assert not settings.are_analytics_enabled()
+    assert settings.is_user_consent_declared()
     assert settings.is_lan_discovery_enabled()
     assert not settings.is_virtual_location_enabled()
 
@@ -225,6 +226,34 @@ def test_is_custom_dns_removed_after_setting_defaults(tech, proto, obfuscated, n
     assert not dns.is_set_for(nameserver)
 
 
+def test_set_analytics_starts_prompt_even_if_completed_before():
+    # first run: see prompt and respond
+    cli1 = pexpect.spawn("nordvpn", args=["set", "analytics"], encoding='utf-8', timeout=10)
+    cli1.expect(lib.USER_CONSENT_PROMPT)
+    output1 = cli1.before + cli1.after
+
+    assert (
+        lib.squash_whitespace(lib.EXPECTED_CONSENT_MESSAGE)
+        in lib.squash_whitespace(output1)
+    ), "Consent message did not match expected full output on first run"
+
+    cli1.sendline("n")
+    cli1.expect(pexpect.EOF)
+
+    # second run: should see the prompt again
+    cli2 = pexpect.spawn("nordvpn", args=["set", "analytics"], encoding='utf-8', timeout=10)
+    cli2.expect(lib.USER_CONSENT_PROMPT)
+    output2 = cli2.before + cli2.after
+
+    assert (
+        lib.squash_whitespace(lib.EXPECTED_CONSENT_MESSAGE)
+        in lib.squash_whitespace(output2)
+    ), "Consent message did not appear again on second run"
+
+    cli2.sendline("y")
+    cli2.expect(pexpect.EOF)
+
+
 def test_set_defaults_no_logout():
     sh.nordvpn.set.defaults()
 
@@ -234,10 +263,10 @@ def test_set_defaults_no_logout():
 def test_set_analytics_off_on():
 
     assert "Analytics is set to 'disabled' successfully." in sh.nordvpn.set.analytics("off")
-    assert not settings.are_analytics_enabled()
+    assert not settings.is_user_consent_granted()
 
     assert "Analytics is set to 'enabled' successfully." in sh.nordvpn.set.analytics("on")
-    assert settings.are_analytics_enabled()
+    assert settings.is_user_consent_granted()
 
 
 def test_set_analytics_on_off_repeated():