feat(tests): integration tests

Author: mickael-garrido

.github/workflows/docker-image.yml

@@ -1,9 +1,9 @@
-name: CI
+name: "build-docker-image"
 
 on:
   push:
     tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+*'
+      - "v[0-9]+.[0-9]+.[0-9]+*"
 
 jobs:
   bake:

.github/workflows/tests.yml

@@ -0,0 +1,15 @@
+name: "tests"
+
+on:
+  pull_request_target: # Use pull_request_target
+    branches: [main]
+
+jobs:
+  run-specs:
+    name: run specs
+    runs-on: ubuntu-22.04
+    steps:
+      - name: deploy
+        run: ./vagrant-deploy.sh
+      - name: tests
+        run: ./vagrant-tests.sh

Dockerfile

@@ -2,13 +2,13 @@ ARG BASE_IMAGE="openresty-proxy-connect"
 
 FROM ${BASE_IMAGE}
 
-ADD generate-certificate.sh /generate-certificate.sh
-ADD entrypoint.sh /entrypoint.sh
+COPY generate-certificate.sh /generate-certificate.sh
+COPY entrypoint.sh /entrypoint.sh
 
-ADD nginx.conf /opt/openresty/nginx/conf/nginx.conf
-ADD nginx.manifest.common.conf /opt/openresty/nginx/conf/nginx.manifest.common.conf
-ADD nginx.manifest.stale.conf /opt/openresty/nginx/conf/nginx.manifest.stale.conf
-ADD proxy_auth.lua /opt/openresty/nginx/conf/proxy_auth.lua
+COPY nginx.conf /opt/openresty/nginx/conf/nginx.conf
+COPY nginx.manifest.common.conf /opt/openresty/nginx/conf/nginx.manifest.common.conf
+COPY nginx.manifest.stale.conf /opt/openresty/nginx/conf/nginx.manifest.stale.conf
+COPY proxy_auth.lua /opt/openresty/nginx/conf/proxy_auth.lua
 
 RUN apk add --no-cache --update bash openssl \
   && mkdir -p /docker_mirror_cache /certs /opt/openresty/nginx/tmp \

Vagrantfile

@@ -0,0 +1,12 @@
+Vagrant.configure('2') do |config|
+  config.vm.box = 'ubuntu/focal64'
+
+  config.vm.define 'docker-registry-cache' do |node|
+    node.vm.hostname = 'docker-registry-cache'
+    node.vm.provision 'shell', inline: '/vagrant/tests/vagrant-deploy.sh'
+    node.vm.provision 'shell', inline: '/vagrant/tests/vagrant-tests.sh', run: 'always'
+    node.vm.provider 'virtualbox' do |v|
+      v.memory = 2048
+    end
+  end
+end

nginx.conf

@@ -101,6 +101,7 @@ http {
     }
 
     # A map to force http scheme for some docker registries if needed.
+    # nosemgrep
     map $host $targetScheme {
         hostnames;
         include /opt/openresty/nginx/conf/docker.targetScheme.map;
@@ -306,6 +307,7 @@ http {
 
         # by default, dont cache anything.
         location / {
+            # nosemgrep
             proxy_pass $targetScheme://$targetHost;
             proxy_cache off;
         }

nginx.manifest.common.conf

@@ -1,6 +1,7 @@
     # nginx config fragment included in every manifest-related location{} block.
     add_header X-Docker-Registry-Proxy-Cache-Upstream-Status "$upstream_cache_status";
     add_header X-Docker-Registry-Proxy-Cache-Type "$docker_proxy_request_type";
+    # nosemgrep
     proxy_pass $targetScheme://$targetHost;
     proxy_cache cache;
     proxy_cache_key   $uri;

tests/docker_test.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+
+function test_success_docker_debian_pull() {
+  function foo() {
+    return 0
+  }
+
+  docker pull debian:13-slim
+
+  assert_successful_code
+}
+
+function test_success_docker_tag_debian_image() {
+  function foo() {
+    return 0
+  }
+
+  docker tag debian:13-slim my-registry.local:443/debian:13-slim
+
+  assert_successful_code
+}
+
+function test_success_docker_push_debian_image_to_local_registry_through_proxy() {
+  function foo() {
+    return 0
+  }
+
+  docker push my-registry.local:443/debian:13-slim
+
+  assert_successful_code
+}
+
+function test_success_docker_rm_local_debian_images() {
+  function foo() {
+    return 0
+  }
+
+  docker rmi debian:13-slim my-registry.local:443/debian:13-slim
+
+  assert_successful_code
+}
+
+function test_success_docker_pull_debian_image_from_local_registry_through_proxy() {
+  function foo() {
+    return 0
+  }
+
+  docker pull my-registry.local:443/debian:13-slim
+
+  assert_successful_code
+}
+
+function test_failed_docker_pull_debian_image_from_unknown_registry_through_proxy() {
+  function foo() {
+    return 0
+  }
+
+  docker pull my-registryX.local:443/debian:13-slim
+
+  assert_unsuccessful_code
+}
+
+function test_failed_curl_request_to_unknwon_registry_through_proxy() {
+  function foo() {
+    return 0
+  }
+
+  assert_equals "403" "$(curl -I -x https://user1:password1@my-proxy.local:3128 https://my-registry-x.local:443/v2/_catalog 2> /dev/null | head -n 1 | cut -d' ' -f2)"
+}
+
+function test_failed_curl_request_to_proxy_without_user() {
+  function foo() {
+    return 0
+  }
+
+  assert_equals "407" "$(curl -I -x https://my-proxy.local:3128 https://my-registry.local:443/v2/_catalog 2> /dev/null | head -n 1 | cut -d' ' -f2)"
+}
+
+function test_failed_curl_request_to_proxy_with_wrong_creds() {
+  function foo() {
+    return 0
+  }
+
+  assert_equals "401" "$(curl -I -x https://user1:dummy@my-proxy.local:3128 https://my-registry.local:443/v2/_catalog 2> /dev/null | head -n 1 | cut -d' ' -f2)"
+}

tests/vagrant-deploy.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+
+# Vars
+CERTS_PATH="/root/certs"
+DOCKER_PATH="/var/lib/docker"
+DOCKER_MIRROR_CACHE_PATH="/docker_mirror_cache"
+
+# Add proxy to docker
+if [ ! -d /etc/systemd/system/docker.service.d ]; then
+  mkdir /etc/systemd/system/docker.service.d
+  cat << 'EOF' > /etc/systemd/system/docker.service.d/proxy.conf
+[Service]
+Environment="NO_PROXY=*.docker.io,*.cloudflarestorage.com"
+Environment="HTTPS_PROXY=https://user1:password1@my-proxy.local:3128"
+EOF
+fi
+
+# Install packages
+apt-get update
+apt-get install -y docker.io docker-compose docker-buildx apache2-utils
+
+# Start and enable docker
+systemctl is-active --quiet docker || systemctl enable docker
+systemctl is-active --quiet docker || systemctl start docker
+
+if [ ! -f ${CERTS_PATH}/custom_ca.key ]; then
+  # Generate certificates
+  mkdir -p ${CERTS_PATH}
+  ## CA
+  openssl genrsa -out ${CERTS_PATH}/custom_ca.key 4096
+  openssl req -x509 -new -nodes -key ${CERTS_PATH}/custom_ca.key -sha256 -days 3650 -subj "/C=AU/ST=Some-State/O=MyOrg/CN=local"  -out ${CERTS_PATH}/custom_ca.crt
+
+  ## Proxy CRT
+  openssl genrsa -out ${CERTS_PATH}/proxy_server.key 4096
+  openssl req -new -sha256 \
+    -key ${CERTS_PATH}/proxy_server.key \
+    -subj "/C=AU/ST=Some-State/O=ORG/OU=ORG_UNIT/CN=my-proxy.local" \
+    -reqexts SAN \
+    -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:my-proxy.local")) \
+    -out ${CERTS_PATH}/proxy_server.csr
+  openssl x509 -req -extfile <(printf "subjectAltName=DNS:my-proxy.local") -days 3650 -in ${CERTS_PATH}/proxy_server.csr -CA ${CERTS_PATH}/custom_ca.crt -CAkey ${CERTS_PATH}/custom_ca.key -CAcreateserial -out ${CERTS_PATH}/proxy_server.crt -sha256
+
+  ## Docker-registry CRT
+  openssl genrsa -out ${CERTS_PATH}/server.key 4096
+  openssl req -new -sha256 \
+    -key ${CERTS_PATH}/server.key \
+    -subj "/C=AU/ST=Some-State/O=ORG/OU=ORG_UNIT/CN=my-registry.local" \
+    -reqexts SAN \
+    -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:my-registry.local")) \
+    -out ${CERTS_PATH}/server.csr
+  openssl x509 -req -extfile <(printf "subjectAltName=DNS:my-registry.local") -days 3650 -in ${CERTS_PATH}/server.csr -CA ${CERTS_PATH}/custom_ca.crt -CAkey ${CERTS_PATH}/custom_ca.key -CAcreateserial -out ${CERTS_PATH}/server.crt -sha256
+
+  #Add ca-cert to system
+  cp ${CERTS_PATH}/custom_ca.crt /usr/local/share/ca-certificates
+  update-ca-certificates
+fi
+
+grep -q "my-proxy.local" /etc/hosts
+if [[ $? != 0 ]]; then
+  echo "127.0.0.1 my-proxy.local" >> /etc/hosts
+fi
+
+# Build image
+docker buildx bake --file /vagrant/docker-bake.hcl --set *.context=/vagrant
+
+# Create docker network
+docker network inspect registry >/dev/null 2>&1 || docker network create registry
+
+# Run docker registry container
+if [ ! "$(docker ps -a -q -f name=my-registry)" ]; then
+  docker run -dit --name my-registry \
+    --hostname my-registry.local \
+    -v ${CERTS_PATH}:/certs \
+    -v ${DOCKER_MIRROR_CACHE_PATH}/docker-registry:/var/lib/registry \
+    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
+    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
+    -e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
+    --network registry \
+    registry:2
+fi
+
+# Run docker registry cache container
+if [ ! "$(docker ps -a -q -f name=openresty_docker_registry_proxy)" ]; then
+  mkdir ${DOCKER_MIRROR_CACHE_PATH}/docker-cache/
+  chown 1001:1001 ${DOCKER_MIRROR_CACHE_PATH}/docker-cache/
+  chown 1001:1001 ${CERTS_PATH}/*server.{crt,key}
+  docker run -dit --name openresty_docker_registry_proxy \
+    -p 3128:3128 \
+    -v ${DOCKER_MIRROR_CACHE_PATH}/docker-cache/:/docker_mirror_cache \
+    -v ${CERTS_PATH}:/certs \
+    -e VERIFY_SSL=false \
+    -e CACHE_MAX_SIZE=5G \
+    -e ALLOW_PUSH=true \
+    -e ENABLE_MANIFEST_CACHE=false \
+    -e REGISTRIES=my-registry.local \
+    -e ALLOW_UNKNOWN_REGISTRIES=false \
+    -e HTPASSWD=$(htpasswd -nbB user1 password1) \
+    --network registry \
+    docker-registry-proxy-cache:latest
+fi

tests/vagrant-tests.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+curl -s https://bashunit.typeddevs.com/install.sh | bash
+
+./lib/bashunit /vagrant/tests