chore: add network extension manager

Author: ethanndickson

Coder Desktop/.swiftlint.yml

@@ -8,3 +8,5 @@ type_name:
 identifier_name:
   allowed_symbols: "_"
   min_length: 1
+cyclomatic_complexity:
+  warning: 15

Coder Desktop/Coder Desktop/Preview Content/PreviewClient.swift

@@ -23,7 +23,7 @@ struct PreviewClient: Client {
                 roles: []
             )
         } catch {
-            throw ClientError.reqError(AFError.explicitlyCancelled)
+            throw .reqError(.explicitlyCancelled)
         }
     }
 }

Coder Desktop/Coder Desktop/SDK/Client.swift

@@ -39,7 +39,7 @@ struct CoderClient: Client {
         case let .success(data):
             return HTTPResponse(resp: out.response!, data: data, req: out.request)
         case let .failure(error):
-            throw ClientError.reqError(error)
+            throw .reqError(error)
         }
     }
 
@@ -58,7 +58,7 @@ struct CoderClient: Client {
         case let .success(data):
             return HTTPResponse(resp: out.response!, data: data, req: out.request)
         case let .failure(error):
-            throw ClientError.reqError(error)
+            throw .reqError(error)
         }
     }
 
@@ -71,9 +71,9 @@ struct CoderClient: Client {
                 method: resp.req?.httpMethod,
                 url: resp.req?.url
             )
-            return ClientError.apiError(out)
+            return .apiError(out)
         } catch {
-            return ClientError.unexpectedResponse(resp.data[...1024])
+            return .unexpectedResponse(resp.data[...1024])
         }
     }
 

Coder Desktop/Coder Desktop/SDK/User.swift

@@ -9,7 +9,7 @@ extension CoderClient {
         do {
             return try CoderClient.decoder.decode(User.self, from: res.data)
         } catch {
-            throw ClientError.unexpectedResponse(res.data[...1024])
+            throw .unexpectedResponse(res.data[...1024])
         }
     }
 }

Coder Desktop/Coder DesktopTests/Util.swift

@@ -68,7 +68,7 @@ struct MockClient: Client {
 struct MockErrorClient: Client {
     init(url _: URL, token _: String?) {}
     func user(_: String) async throws(ClientError) -> Coder_Desktop.User {
-        throw ClientError.reqError(.explicitlyCancelled)
+        throw .reqError(.explicitlyCancelled)
     }
 }
 

Coder Desktop/VPN/Manager.swift

@@ -6,16 +6,113 @@ actor Manager {
     let ptp: PacketTunnelProvider
     let downloader: Downloader
 
-    var tunnelHandle: TunnelHandle?
-    var speaker: Speaker<Vpn_ManagerMessage, Vpn_TunnelMessage>?
+    let tunnelHandle: TunnelHandle
+    let speaker: Speaker<Vpn_ManagerMessage, Vpn_TunnelMessage>
+    var readLoop: Task<Void, Error>!
     // TODO: XPC Speaker
 
     private let dest = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)
         .first!.appending(path: "coder-vpn.dylib")
     private let logger = Logger(subsystem: Bundle.main.bundleIdentifier!, category: "manager")
 
-    init(with: PacketTunnelProvider) {
+    init(with: PacketTunnelProvider, server: URL) async throws(ManagerError) {
         ptp = with
         downloader = Downloader()
+        #if arch(arm64)
+            let dylibPath = server.appending(path: "bin/coder-vpn-arm64.dylib")
+        #elseif arch(x86_64)
+            let dylibPath = server.appending(path: "bin/coder-vpn-amd64.dylib")
+        #else
+            fatalError("unknown architecture")
+        #endif
+        do {
+            try await downloader.download(src: dylibPath, dest: dest)
+        } catch {
+            throw .download(error)
+        }
+        do {
+            try tunnelHandle = TunnelHandle(dylibPath: dest)
+        } catch {
+            throw .tunnelSetup(error)
+        }
+        speaker = await Speaker<Vpn_ManagerMessage, Vpn_TunnelMessage>(
+            writeFD: tunnelHandle.writeHandle,
+            readFD: tunnelHandle.readHandle
+        )
+        // TODO: Handshake
+//        do throws(HandshakeError) {
+//            try await speaker.handshake()
+//        } catch {
+//            throw .handshake(<#T##HandshakeError#>)
+//        }
+        readLoop = Task {
+            for try await m in speaker {
+                switch m {
+                case let .message(msg):
+                    handleMessage(msg)
+                case let .RPC(rpc):
+                    handleRPC(rpc)
+                }
+            }
+        }
     }
+
+    func handleMessage(_ msg: Vpn_TunnelMessage) {
+        guard let msgType = msg.msg else {
+            logger.critical("received message with no type")
+            return
+        }
+        switch msgType {
+        case .peerUpdate:
+            {}() // TODO: Send over XPC
+        case let .log(logMsg):
+            writeVpnLog(logMsg)
+        case .networkSettings, .start, .stop:
+            logger.critical("received unexpected message `\(String(describing: msgType))`")
+        }
+    }
+
+    func handleRPC(_ rpc: RPCRequest<Vpn_ManagerMessage, Vpn_TunnelMessage>) {
+        guard let msgType = rpc.msg.msg else {
+            logger.critical("received rpc with no type")
+            return
+        }
+        switch msgType {
+        case let .networkSettings(ns):
+            let neSettings = convertNetworkSettingsRequest(ns)
+            ptp.setTunnelNetworkSettings(neSettings)
+        case .log, .peerUpdate, .start, .stop:
+            logger.critical("received unexpected rpc: `\(String(describing: msgType))`")
+        }
+    }
+
+    // TODO:
+    func startVPN() throws {}
+    func stopVPN() throws {}
+}
+
+enum ManagerError: Error {
+    case download(DownloadError)
+    case tunnelSetup(TunnelHandleError)
+    case handshake(HandshakeError)
+}
+
+func writeVpnLog(_ log: Vpn_Log) {
+    let level: OSLogType = switch log.level {
+    case .info: .info
+    case .debug: .debug
+    // warn == error
+    case .warn: .error
+    case .error: .error
+    // critical == fatal == fault
+    case .critical: .fault
+    case .fatal: .fault
+    case .UNRECOGNIZED: .info
+    }
+    let logger = Logger(
+        subsystem: "\(Bundle.main.bundleIdentifier!).dylib",
+        category: log.loggerNames.joined(separator: ".")
+    )
+    let fields = log.fields.map { "\($0.name): \($0.value)" }.joined(separator: ", ")
+    logger.log(level: level, "\(log.message): \(fields)")
 }

Coder Desktop/VPN/PacketTunnelProvider.swift

@@ -5,7 +5,7 @@ import os
 let CTLIOCGINFO: UInt = 0xC064_4E03
 
 class PacketTunnelProvider: NEPacketTunnelProvider, @unchecked Sendable {
-    private let logger = Logger(subsystem: Bundle.main.bundleIdentifier!, category: "network-extension")
+    private let logger = Logger(subsystem: Bundle.main.bundleIdentifier!, category: "packet-tunnel-provider")
     private var manager: Manager?
 
     private var tunnelFileDescriptor: Int32? {
@@ -46,7 +46,10 @@ class PacketTunnelProvider: NEPacketTunnelProvider, @unchecked Sendable {
             completionHandler(nil)
             return
         }
-        manager = Manager(with: self)
+        Task {
+            // TODO: Receive access URL w/ Token via Keychain?
+            manager = try await Manager(with: self, server: URL(string: "https://dev.coder.com")!)
+        }
         completionHandler(nil)
     }
 

Coder Desktop/VPN/TunnelHandle.swift

@@ -42,6 +42,7 @@ actor TunnelHandle {
         }
     }
 
+    // This could be an isolated deinit in Swift 6.1
     func close() throws {
         dlclose(dylibHandle)
     }

Coder Desktop/VPNLib/Convert.swift

@@ -0,0 +1,60 @@
+import NetworkExtension
+import os
+
+// swiftlint:disable function_body_length
+public func convertNetworkSettingsRequest(_ req: Vpn_NetworkSettingsRequest) -> NEPacketTunnelNetworkSettings {
+    let networkSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: req.tunnelRemoteAddress)
+    networkSettings.tunnelOverheadBytes = NSNumber(value: req.tunnelOverheadBytes)
+    networkSettings.mtu = NSNumber(value: req.mtu)
+
+    if req.hasDnsSettings {
+        let dnsSettings = NEDNSSettings(servers: req.dnsSettings.servers)
+        dnsSettings.searchDomains = req.dnsSettings.searchDomains
+        dnsSettings.domainName = req.dnsSettings.domainName
+        dnsSettings.matchDomains = req.dnsSettings.matchDomains
+        dnsSettings.matchDomainsNoSearch = req.dnsSettings.matchDomainsNoSearch
+        networkSettings.dnsSettings = dnsSettings
+    }
+
+    if req.hasIpv4Settings {
+        let ipv4Settings = NEIPv4Settings(addresses: req.ipv4Settings.addrs, subnetMasks: req.ipv4Settings.subnetMasks)
+        ipv4Settings.router = req.ipv4Settings.router
+        ipv4Settings.includedRoutes = req.ipv4Settings.includedRoutes.map {
+            let route = NEIPv4Route(destinationAddress: $0.destination, subnetMask: $0.mask)
+            route.gatewayAddress = $0.router
+            return route
+        }
+        ipv4Settings.excludedRoutes = req.ipv4Settings.excludedRoutes.map {
+            let route = NEIPv4Route(destinationAddress: $0.destination, subnetMask: $0.mask)
+            route.gatewayAddress = $0.router
+            return route
+        }
+        networkSettings.ipv4Settings = ipv4Settings
+    }
+
+    if req.hasIpv6Settings {
+        let ipv6Settings = NEIPv6Settings(
+            addresses: req.ipv6Settings.addrs,
+            networkPrefixLengths: req.ipv6Settings.prefixLengths.map { NSNumber(value: $0)
+            }
+        )
+        ipv6Settings.includedRoutes = req.ipv6Settings.includedRoutes.map {
+            let route = NEIPv6Route(
+                destinationAddress: $0.destination,
+                networkPrefixLength: NSNumber(value: $0.prefixLength)
+            )
+            route.gatewayAddress = $0.router
+            return route
+        }
+        ipv6Settings.excludedRoutes = req.ipv6Settings.excludedRoutes.map {
+            let route = NEIPv6Route(
+                destinationAddress: $0.destination,
+                networkPrefixLength: NSNumber(value: $0.prefixLength)
+            )
+            route.gatewayAddress = $0.router
+            return route
+        }
+        networkSettings.ipv6Settings = ipv6Settings
+    }
+    return networkSettings
+}

Coder Desktop/VPNLib/Downloader.swift

@@ -2,10 +2,10 @@ import CryptoKit
 import Foundation
 
 public protocol Validator: Sendable {
-    func validate(path: URL) async throws
+    func validate(path: URL) async throws(ValidationError)
 }
 
-public enum ValidationError: LocalizedError {
+public enum ValidationError: Error {
     case fileNotFound
     case unableToCreateStaticCode
     case invalidSignature
@@ -51,58 +51,58 @@ public struct SignatureValidator: Validator {
 
     public init() {}
 
-    public func validate(path: URL) throws {
+    public func validate(path: URL) throws(ValidationError) {
         guard FileManager.default.fileExists(atPath: path.path) else {
-            throw ValidationError.fileNotFound
+            throw .fileNotFound
         }
 
         var staticCode: SecStaticCode?
         let status = SecStaticCodeCreateWithPath(path as CFURL, SecCSFlags(), &staticCode)
         guard status == errSecSuccess, let code = staticCode else {
-            throw ValidationError.unableToCreateStaticCode
+            throw .unableToCreateStaticCode
         }
 
         let validateStatus = SecStaticCodeCheckValidity(code, SecCSFlags(), nil)
         guard validateStatus == errSecSuccess else {
-            throw ValidationError.invalidSignature
+            throw .invalidSignature
         }
 
         var information: CFDictionary?
         let infoStatus = SecCodeCopySigningInformation(code, signInfoFlags, &information)
         guard infoStatus == errSecSuccess, let info = information as? [String: Any] else {
-            throw ValidationError.unableToRetrieveInfo
+            throw .unableToRetrieveInfo
         }
 
         guard let identifier = info[kSecCodeInfoIdentifier as String] as? String,
               identifier == expectedIdentifier
         else {
-            throw ValidationError.invalidIdentifier(identifier: info[kSecCodeInfoIdentifier as String] as? String)
+            throw .invalidIdentifier(identifier: info[kSecCodeInfoIdentifier as String] as? String)
         }
 
         guard let teamIdentifier = info[kSecCodeInfoTeamIdentifier as String] as? String,
               teamIdentifier == expectedTeamIdentifier
         else {
-            throw ValidationError.invalidTeamIdentifier(
+            throw .invalidTeamIdentifier(
                 identifier: info[kSecCodeInfoTeamIdentifier as String] as? String
             )
         }
 
         guard let infoPlist = info[kSecCodeInfoPList as String] as? [String: AnyObject] else {
-            throw ValidationError.missingInfoPList
+            throw .missingInfoPList
         }
 
         guard let plistIdent = infoPlist[infoIdentifierKey] as? String, plistIdent == expectedIdentifier else {
-            throw ValidationError.invalidIdentifier(identifier: infoPlist[infoIdentifierKey] as? String)
+            throw .invalidIdentifier(identifier: infoPlist[infoIdentifierKey] as? String)
         }
 
         guard let plistName = infoPlist[infoNameKey] as? String, plistName == expectedName else {
-            throw ValidationError.invalidIdentifier(identifier: infoPlist[infoNameKey] as? String)
+            throw .invalidIdentifier(identifier: infoPlist[infoNameKey] as? String)
         }
 
         guard let dylibVersion = infoPlist[infoShortVersionKey] as? String,
               minDylibVersion.compare(dylibVersion, options: .numeric) != .orderedDescending
         else {
-            throw ValidationError.invalidVersion(version: infoPlist[infoShortVersionKey] as? String)
+            throw .invalidVersion(version: infoPlist[infoShortVersionKey] as? String)
         }
     }
 }
@@ -113,36 +113,50 @@ public actor Downloader {
         self.validator = validator
     }
 
-    public func download(src: URL, dest: URL) async throws {
+    public func download(src: URL, dest: URL) async throws(DownloadError) {
         var req = URLRequest(url: src)
         if FileManager.default.fileExists(atPath: dest.path) {
             if let existingFileData = try? Data(contentsOf: dest) {
                 req.setValue(etag(data: existingFileData), forHTTPHeaderField: "If-None-Match")
             }
         }
         // TODO: Add Content-Length headers to coderd, add download progress delegate
-        let (tempURL, response) = try await URLSession.shared.download(for: req)
+        let tempURL: URL
+        let response: URLResponse
+        do {
+            (tempURL, response) = try await URLSession.shared.download(for: req)
+        } catch {
+            throw .networkError(error)
+        }
         defer {
             if FileManager.default.fileExists(atPath: dest.path) {
                 do { try FileManager.default.removeItem(at: tempURL) } catch {}
             }
         }
 
         guard let httpResponse = response as? HTTPURLResponse else {
-            throw DownloadError.invalidResponse
+            throw .invalidResponse
         }
         guard httpResponse.statusCode != 304 else {
             return
         }
         guard (200 ..< 300).contains(httpResponse.statusCode) else {
-            throw DownloadError.unexpectedStatusCode(httpResponse.statusCode)
+            throw .unexpectedStatusCode(httpResponse.statusCode)
         }
 
-        if FileManager.default.fileExists(atPath: dest.path) {
-            try FileManager.default.removeItem(at: dest)
+        do {
+            if FileManager.default.fileExists(atPath: dest.path) {
+                try FileManager.default.removeItem(at: dest)
+            }
+            try FileManager.default.moveItem(at: tempURL, to: dest)
+        } catch {
+            throw .fileOpError(error)
+        }
+        do throws(ValidationError) {
+            try await validator.validate(path: dest)
+        } catch {
+            throw .validationError(error)
         }
-        try FileManager.default.moveItem(at: tempURL, to: dest)
-        try await validator.validate(path: dest)
     }
 }
 
@@ -152,14 +166,23 @@ func etag(data: Data) -> String {
     return "\"\(etag)\""
 }
 
-enum DownloadError: LocalizedError {
+public enum DownloadError: Error {
     case unexpectedStatusCode(Int)
     case invalidResponse
+    case networkError(any Error)
+    case fileOpError(any Error)
+    case validationError(ValidationError)
 
     var localizedDescription: String {
         switch self {
         case let .unexpectedStatusCode(code):
-            return "Unexpected status code: \(code)"
+            return "Unexpected HTTP status code: \(code)"
+        case let .networkError(error):
+            return "Network error: \(error.localizedDescription)"
+        case let .fileOpError(error):
+            return "File operation error: \(error.localizedDescription)"
+        case let .validationError(error):
+            return "Validation error: \(error.localizedDescription)"
         case .invalidResponse:
             return "Received non-HTTP response"
         }

Coder Desktop/VPNLib/Receiver.swift

@@ -7,7 +7,7 @@ actor Receiver<RecvMsg: Message> {
     private let dispatch: DispatchIO
     private let queue: DispatchQueue
     private var running = false
-    private let logger = Logger(subsystem: "com.coder.Coder-Desktop", category: "proto")
+    private let logger = Logger(subsystem: Bundle.main.bundleIdentifier!, category: "proto")
 
     /// Creates an instance using the given `DispatchIO` channel and queue.
     init(dispatch: DispatchIO, queue: DispatchQueue) {
@@ -59,7 +59,7 @@ actor Receiver<RecvMsg: Message> {
     /// On read or decoding error, it logs and closes the stream.
     func messages() throws(ReceiveError) -> AsyncStream<RecvMsg> {
         if running {
-            throw ReceiveError.alreadyRunning
+            throw .alreadyRunning
         }
         running = true
         return AsyncStream(

Coder Desktop/VPNLib/Speaker.swift

@@ -22,27 +22,27 @@ enum ProtoRole: String {
 }
 
 /// A version of the VPN protocol that can be negotiated.
-struct ProtoVersion: CustomStringConvertible, Equatable, Codable {
+public struct ProtoVersion: CustomStringConvertible, Equatable, Codable, Sendable {
     let major: Int
     let minor: Int
 
-    var description: String { "\(major).\(minor)" }
+    public var description: String { "\(major).\(minor)" }
 
     init(_ major: Int, _ minor: Int) {
         self.major = major
         self.minor = minor
     }
 
-    init(parse str: String) throws {
+    init(parse str: String) throws(HandshakeError) {
         let parts = str.split(separator: ".").map { Int($0) }
         if parts.count != 2 {
-            throw HandshakeError.invalidVersion(str)
+            throw .invalidVersion(str)
         }
         guard let major = parts[0] else {
-            throw HandshakeError.invalidVersion(str)
+            throw .invalidVersion(str)
         }
         guard let minor = parts[1] else {
-            throw HandshakeError.invalidVersion(str)
+            throw .invalidVersion(str)
         }
         self.major = major
         self.minor = minor
@@ -87,14 +87,14 @@ public actor Speaker<SendMsg: RPCMessage & Message, RecvMsg: RPCMessage & Messag
     }
 
     /// Does the VPN Protocol handshake and validates the result
-    func handshake() async throws {
+    public func handshake() async throws {
         let hndsh = Handshaker(writeFD: writeFD, dispatch: dispatch, queue: queue, role: role)
         // ignore the version for now because we know it can only be 1.0
         try _ = await hndsh.handshake()
     }
 
     /// Send a unary RPC message and handle the response
-    func unaryRPC(_ req: SendMsg) async throws -> RecvMsg {
+    public func unaryRPC(_ req: SendMsg) async throws -> RecvMsg {
         return try await withCheckedThrowingContinuation { continuation in
             Task { [sender, secretary, logger] in
                 let msgID = await secretary.record(continuation: continuation)
@@ -114,15 +114,15 @@ public actor Speaker<SendMsg: RPCMessage & Message, RecvMsg: RPCMessage & Messag
         }
     }
 
-    func closeWrite() {
+    public func closeWrite() {
         do {
             try writeFD.close()
         } catch {
             logger.error("failed to close write file handle: \(error)")
         }
     }
 
-    func closeRead() {
+    public func closeRead() {
         do {
             try readFD.close()
         } catch {
@@ -257,7 +257,7 @@ actor Handshaker {
     }
 }
 
-func pickVersion(ours: [ProtoVersion], theirs: [ProtoVersion]) throws -> ProtoVersion {
+func pickVersion(ours: [ProtoVersion], theirs: [ProtoVersion]) throws(HandshakeError) -> ProtoVersion {
     for our in ours.reversed() {
         for their in theirs.reversed() where our.major == their.major {
             if our.minor < their.minor {
@@ -266,10 +266,10 @@ func pickVersion(ours: [ProtoVersion], theirs: [ProtoVersion]) throws -> ProtoVe
             return their
         }
     }
-    throw HandshakeError.unsupportedVersion(theirs)
+    throw .unsupportedVersion(theirs)
 }
 
-enum HandshakeError: Error {
+public enum HandshakeError: Error {
     case readError(String)
     case invalidHeader(String)
     case wrongRole(String)
@@ -278,15 +278,15 @@ enum HandshakeError: Error {
 }
 
 public struct RPCRequest<SendMsg: RPCMessage & Message, RecvMsg: RPCMessage & Sendable>: Sendable {
-    let msg: RecvMsg
+    public let msg: RecvMsg
     private let sender: Sender<SendMsg>
 
     public init(req: RecvMsg, sender: Sender<SendMsg>) {
         msg = req
         self.sender = sender
     }
 
-    func sendReply(_ reply: SendMsg) async throws {
+    public func sendReply(_ reply: SendMsg) async throws {
         var reply = reply
         reply.rpc.responseTo = msg.rpc.msgID
         try await sender.send(reply)
@@ -326,13 +326,13 @@ actor RPCSecretary<RecvMsg: RPCMessage & Sendable> {
 
     func route(reply: RecvMsg) throws(RPCError) {
         guard reply.hasRpc else {
-            throw RPCError.missingRPC
+            throw .missingRPC
         }
         guard reply.rpc.responseTo != 0 else {
-            throw RPCError.notAResponse
+            throw .notAResponse
         }
         guard let cont = continuations[reply.rpc.responseTo] else {
-            throw RPCError.unknownResponseID(reply.rpc.responseTo)
+            throw .unknownResponseID(reply.rpc.responseTo)
         }
         continuations[reply.rpc.responseTo] = nil
         cont.resume(returning: reply)

Coder Desktop/VPNLibTests/ConvertTests.swift

@@ -0,0 +1,95 @@
+import Testing
+@testable import VPNLib
+
+@Suite(.timeLimit(.minutes(1)))
+struct ConvertTests {
+    @Test
+    // swiftlint:disable function_body_length
+    func convertProtoNetworkSettingsRequest() async throws {
+        let req: Vpn_NetworkSettingsRequest = .with { req in
+            req.tunnelRemoteAddress = "10.0.0.1"
+            req.tunnelOverheadBytes = 20
+            req.mtu = 1400
+
+            req.dnsSettings = .with { dns in
+                dns.servers = ["8.8.8.8"]
+                dns.searchDomains = ["example.com"]
+                dns.domainName = "example.com"
+                dns.matchDomains = ["example.com"]
+                dns.matchDomainsNoSearch = false
+            }
+
+            req.ipv4Settings = .with { ipv4 in
+                ipv4.addrs = ["192.168.1.1"]
+                ipv4.subnetMasks = ["255.255.255.0"]
+                ipv4.router = "192.168.1.254"
+                ipv4.includedRoutes = [
+                    .with { route in
+                        route.destination = "10.0.0.0"
+                        route.mask = "255.0.0.0"
+                        route.router = "192.168.1.254"
+                    },
+                ]
+                ipv4.excludedRoutes = [
+                    .with { route in
+                        route.destination = "172.16.0.0"
+                        route.mask = "255.240.0.0"
+                        route.router = "192.168.1.254"
+                    },
+                ]
+            }
+
+            req.ipv6Settings = .with { ipv6 in
+                ipv6.addrs = ["2001:db8::1"]
+                ipv6.prefixLengths = [64]
+                ipv6.includedRoutes = [
+                    .with { route in
+                        route.destination = "2001:db8::"
+                        route.router = "2001:db8::1"
+                        route.prefixLength = 64
+                    },
+                ]
+                ipv6.excludedRoutes = [
+                    .with { route in
+                        route.destination = "2001:0db8:85a3::"
+                        route.router = "2001:db8::1"
+                        route.prefixLength = 128
+                    },
+                ]
+            }
+        }
+
+        let result = convertNetworkSettingsRequest(req)
+        #expect(result.tunnelRemoteAddress == "10.0.0.1")
+        #expect(result.dnsSettings!.servers == ["8.8.8.8"])
+        #expect(result.dnsSettings!.domainName == "example.com")
+        #expect(result.ipv4Settings!.addresses == ["192.168.1.1"])
+        #expect(result.ipv4Settings!.subnetMasks == ["255.255.255.0"])
+        #expect(result.ipv6Settings!.addresses == ["2001:db8::1"])
+        #expect(result.ipv6Settings!.networkPrefixLengths == [64])
+
+        try #require(result.ipv4Settings!.includedRoutes?.count == 1)
+        let ipv4IncludedRoute = result.ipv4Settings!.includedRoutes![0]
+        #expect(ipv4IncludedRoute.destinationAddress == "10.0.0.0")
+        #expect(ipv4IncludedRoute.destinationSubnetMask == "255.0.0.0")
+        #expect(ipv4IncludedRoute.gatewayAddress == "192.168.1.254")
+
+        try #require(result.ipv4Settings!.excludedRoutes?.count == 1)
+        let ipv4ExcludedRoute = result.ipv4Settings!.excludedRoutes![0]
+        #expect(ipv4ExcludedRoute.destinationAddress == "172.16.0.0")
+        #expect(ipv4ExcludedRoute.destinationSubnetMask == "255.240.0.0")
+        #expect(ipv4ExcludedRoute.gatewayAddress == "192.168.1.254")
+
+        try #require(result.ipv6Settings!.includedRoutes?.count == 1)
+        let ipv6IncludedRoute = result.ipv6Settings!.includedRoutes![0]
+        #expect(ipv6IncludedRoute.destinationAddress == "2001:db8::")
+        #expect(ipv6IncludedRoute.destinationNetworkPrefixLength == 64)
+        #expect(ipv6IncludedRoute.gatewayAddress == "2001:db8::1")
+
+        try #require(result.ipv6Settings!.excludedRoutes?.count == 1)
+        let ipv6ExcludedRoute = result.ipv6Settings!.excludedRoutes![0]
+        #expect(ipv6ExcludedRoute.destinationAddress == "2001:0db8:85a3::")
+        #expect(ipv6ExcludedRoute.destinationNetworkPrefixLength == 128)
+        #expect(ipv6ExcludedRoute.gatewayAddress == "2001:db8::1")
+    }
+}

Coder Desktop/VPNLibTests/DownloaderTests.swift

@@ -4,10 +4,10 @@ import Testing
 @testable import VPNLib
 
 struct NoopValidator: Validator {
-    func validate(path _: URL) async throws {}
+    func validate(path _: URL) async throws(ValidationError) {}
 }
 
-@Suite
+@Suite(.timeLimit(.minutes(1)))
 struct DownloaderTests {
     let downloader = Downloader(validator: NoopValidator())