-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathci-tests.sh
More file actions
executable file
·241 lines (193 loc) · 7.46 KB
/
Copy pathci-tests.sh
File metadata and controls
executable file
·241 lines (193 loc) · 7.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
#!/bin/bash
set -euo pipefail
# In CI, we do not have TLS/DNS set up. Docker requires TLS, so we cannot do
# proper functional tests until post deployment. And most tools require DNS in
# order to hit the right vhost in nginx.
#
# So we use curl's --resolve option to query the base APIs to check we get the
# appropriate responses at the http level.
#
# see also: full-tests.sh, which can be run post deploy
#
BASE_DOMAIN=${BASE_DOMAIN:-opensafely.org}
GITHUB_PROXY_HOST=github-proxy.${BASE_DOMAIN}
DOCKER_PROXY_HOST=docker-proxy.${BASE_DOMAIN}
UBUNTU_ARCHIVE_PROXY_HOST=archive-ubuntu.${BASE_DOMAIN}
UBUNTU_SECURITY_PROXY_HOST=security-ubuntu.${BASE_DOMAIN}
#CHANGELOGS_PROXY_HOST=changelogs.${BASE_DOMAIN}
url=
body=$(mktemp)
headers=$(mktemp)
return_code=0
last_test_failed=0
fail() {
echo "FAIL: $*"
last_test_failed=1
return_code=1
cat "$headers"
cat "$body"
}
ok() {
echo "OK: $*"
last_test_failed=0
}
try() {
# reset tests
last_test_failed=0
# global
url=$1
local expected=$2
local token=${3:-}
local user_agent=${4:-}
local curl_args=()
curl_args+=(-s --verbose --output "$body")
curl_args+=(--write-out "%{http_code}")
curl_args+=(--connect-to "${GITHUB_PROXY_HOST}:80:127.0.0.1:8080")
curl_args+=(--connect-to "${DOCKER_PROXY_HOST}:80:127.0.0.1:8080")
curl_args+=(--connect-to "${UBUNTU_ARCHIVE_PROXY_HOST}:80:127.0.0.1:8080")
curl_args+=(--connect-to "${UBUNTU_SECURITY_PROXY_HOST}:80:127.0.0.1:8080")
#curl_args+=(--connect-to "${CHANGELOGS_PROXY_HOST}:80:127.0.0.1:8080")
# Conditionally token if set. Only used for docker-proxy tests.
if test -n "${token}"; then
curl_args+=(-H "Authorization: Bearer $token")
fi
# Conditionally set user agent; only used for APT proxy tests
if test -n "${user_agent}"; then
curl_args+=(--user-agent "$user_agent")
fi
curl_args+=("$url") # Add the URL
# Call curl with the arguments
code=$(curl "${curl_args[@]}" 2> "$headers")
if test "$code" != "$expected"; then
fail "$url returned $code, not $expected"
else
ok "$url returned $code"
fi
}
git-post() {
# reset tests
last_test_failed=0
type_=$1
url=$2
local expected=$3
code="$(
curl --verbose --output "$body" -X POST \
-H "accept-encoding: deflate, gzip, br, zstd" \
-H "content-type: application/x-$type_-request" \
-H "accept: application/x-$type_-result" \
-H "git-protocol: version=2" \
--connect-to "${GITHUB_PROXY_HOST}:80:127.0.0.1:8080" \
--write-out "%{http_code}"\
"$url" \
2> "$headers"
)"
if test "$code" != "$expected"; then
fail "$url returned $code, not $expected"
else
ok "$url returned $code"
fi
}
assert-in-body() {
if test "$last_test_failed" = "1"; then
echo "SKIP assert body"
return
fi
local expected=$1
if grep -sq -F "$expected" "$body"; then
ok "$url returned expected body"
else
fail "$url returned unexpected body"
fi
}
assert-header() {
if test "$last_test_failed" = "1"; then
echo "SKIP assert header"
return
fi
local expected=$1
if grep -sq "$1" "$headers"; then
ok "$url returned expected header $1"
else
fail "$url did not return header $1"
fi
}
### $GITHUB_PROXY_HOST ###
# test robots is disallowed
try "${GITHUB_PROXY_HOST}/robots.txt" 200
assert-in-body 'User-agent: *'
assert-in-body 'Disallow: /'
assert-header 'Content-Type: text/plain; charset=UTF-8'
# test we can query the clone metadata endpoint
try "${GITHUB_PROXY_HOST}/opensafely/documentation/info/refs?service=git-upload-pack" 200
assert-header 'X-GitHub-Request-Id:'
# test we can query the actul clone endpoint on public repo
git-post git-upload-pack "${GITHUB_PROXY_HOST}/opensafely/documentation/git-upload-pack" 200
assert-header 'X-GitHub-Request-Id:'
# test we can query the actul clone endpoint on private repo
git-post git-upload-pack "${GITHUB_PROXY_HOST}/opensafely/server-instructions/git-upload-pack" 401
assert-header 'X-GitHub-Request-Id:'
# test we cannot query the push metadata endpoint
try "${GITHUB_PROXY_HOST}/opensafely/documentation/info/refs?service=git-receive-pack" 403
# test we cannot query the actual push endpoint
git-post git-recieve-pack "${GITHUB_PROXY_HOST}/opensafely/documentation/git-receive-pack" 403
# test we cannot access other parts of the repo
try "${GITHUB_PROXY_HOST}/opensafely/documentation" 403
# test we cannot access other /info/refs queries
try "${GITHUB_PROXY_HOST}/opensafely/documentation/info/refs?foo=bar" 403
# test we cannot access other parts of the repo
try "${GITHUB_PROXY_HOST}/opensafely-core/job-runner" 403
# test for opensafely-actions org
try "${GITHUB_PROXY_HOST}/opensafely-actions/safetab/info/refs?service=git-upload-pack" 200
assert-header 'X-GitHub-Request-Id:'
# test other orgs are 403'd, even when they exist
try "${GITHUB_PROXY_HOST}/torvalds/linux/info/refs?service=git-upload-pack" 403
assert-in-body 'This proxy only supports fetching commits from specific github organisations.'
assert-header 'Content-Type: text/plain; charset=UTF-8'
# test keys
try "${GITHUB_PROXY_HOST}/bloodearnest.keys" 200
assert-in-body ed25519
### $DOCKER_PROXY_HOST ###
# test robots is disallowed
try "${DOCKER_PROXY_HOST}/robots.txt" 200
assert-in-body 'User-agent: *'
assert-in-body 'Disallow: /'
assert-header 'Content-Type: text/plain; charset=UTF-8'
# test the initial docker request is rewritten correctly
try "${DOCKER_PROXY_HOST}/v2/" 401
assert-in-body '{"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}'
assert-header 'X-GitHub-Request-Id:'
assert-header "Www-Authenticate: Bearer realm=\"https://${DOCKER_PROXY_HOST}/token\",service=\"${DOCKER_PROXY_HOST}\",scope=\"repository:user/image:pull\""
# test other projects are 404'd
try "${DOCKER_PROXY_HOST}/v2/other/project" 404
assert-in-body '{ "errors": [{"code": "NAME_UNKNOWN", "message": "only opensafely repositories allowed" }] }';
assert-header 'Content-Type: application/json; charset=UTF-8'
# test the anonlymous login dance. ffs.
# get a token
try "${DOCKER_PROXY_HOST}/token?scope=repository%3Aopensafely-core%2Fairlock%3Apull&service=ghcr.io" 200
token=$(jq -r .token < "$body")
# use the token to get the manifest
try "${DOCKER_PROXY_HOST}/v2/opensafely-core/busybox/manifests/latest" 200 "$token"
digest=$(jq -r .config.digest < "$body")
# try download a content blob, which will test our internal redirect handling,
# including the strict ssl/host config
try "${DOCKER_PROXY_HOST}/v2/opensafely-core/busybox/blobs/$digest?" 200 "$token"
### $UBUNTU_ARCHIVE_PROXY_HOST ###
try "${UBUNTU_ARCHIVE_PROXY_HOST}/ubuntu/" 200
assert-in-body 'archive.ubuntu.com'
assert-in-body 'dists/'
try "${UBUNTU_ARCHIVE_PROXY_HOST}/ubuntu/" 403 '' 'Googlebot'
### $UBUNTU_SECURITY_PROXY_HOST ###
try "${UBUNTU_SECURITY_PROXY_HOST}/ubuntu/" 200
assert-in-body 'security.ubuntu.com'
assert-in-body 'dists/'
try "${UBUNTU_SECURITY_PROXY_HOST}/ubuntu/" 403 '' 'Googlebot'
### $CHANGELOGS_PROXY_HOST ###
# This allows us to use the do-release-upgrade tool to perform major backend OS upgrades.
# Disabled as we don't typically needed unless we are using do-release-upgrade
#try "${CHANGELOGS_PROXY_HOST}/meta-release-lts" 200
# test robots is disallowed
# try "${CHANGELOGS_PROXY_HOST}/robots.txt" 200
# assert-in-body 'User-agent: *'
# assert-in-body 'Disallow: /'
# assert-header 'Content-Type: text/plain; charset=UTF-8'
exit $return_code