integration-tests/test_proxy.py

"""tests for the proxy"""
import os
import shutil
import ssl
import time
from subprocess import check_call

import pytest
import toml
from tornado.httpclient import HTTPClient, HTTPClientError, HTTPRequest

from tljh.config import (
    CONFIG_DIR,
    CONFIG_FILE,
    STATE_DIR,
    reload_component,
    set_config_value,
)


def send_request(url, max_sleep, validate_cert=True, username=None, password=None):
    for i in range(max_sleep):
        try:
            req = HTTPRequest(
                url,
                method="GET",
                auth_username=username,
                auth_password=password,
                validate_cert=validate_cert,
                follow_redirects=True,
                max_redirects=15,
            )
            return HTTPClient().fetch(req)
        except Exception as e:
            if i + 1 == max_sleep:
                raise
            print(e)
            time.sleep(i)


def test_manual_https(preserve_config):
    ssl_dir = "/etc/tljh-ssl-test"
    key = ssl_dir + "/ssl.key"
    cert = ssl_dir + "/ssl.cert"
    os.makedirs(ssl_dir, exist_ok=True)
    os.chmod(ssl_dir, 0o600)
    # generate key and cert
    check_call(
        [
            "openssl",
            "req",
            "-nodes",
            "-newkey",
            "rsa:2048",
            "-keyout",
            key,
            "-x509",
            "-days",
            "1",
            "-out",
            cert,
            "-subj",
            "/CN=tljh.jupyer.org",
        ]
    )
    set_config_value(CONFIG_FILE, "https.enabled", True)
    set_config_value(CONFIG_FILE, "https.tls.key", key)
    set_config_value(CONFIG_FILE, "https.tls.cert", cert)
    reload_component("proxy")
    for i in range(10):
        time.sleep(i)
        try:
            server_cert = ssl.get_server_certificate(("127.0.0.1", 443))
        except Exception as e:
            print(e)
        else:
            break
    with open(cert) as f:
        file_cert = f.read()

    # verify that our certificate was loaded by traefik
    assert server_cert == file_cert

    # verify that we can still connect to the hub
    resp = send_request(
        url="https://127.0.0.1/hub/api", max_sleep=10, validate_cert=False
    )
    assert resp.code == 200

    # cleanup
    shutil.rmtree(ssl_dir)
    set_config_value(CONFIG_FILE, "https.enabled", False)

    reload_component("proxy")


def test_extra_traefik_config():
    extra_static_config_dir = os.path.join(CONFIG_DIR, "traefik_config.d")
    os.makedirs(extra_static_config_dir, exist_ok=True)

    dynamic_config_dir = os.path.join(STATE_DIR, "rules")
    os.makedirs(dynamic_config_dir, exist_ok=True)

    extra_static_config = {
        "entryPoints": {"alsoHub": {"address": "127.0.0.1:9999"}},
    }

    extra_dynamic_config = {
        "http": {
            "middlewares": {
                "testHubStripPrefix": {
                    "stripPrefix": {"prefixes": ["/the/hub/runs/here/too"]}
                }
            },
            "routers": {
                "test1": {
                    "rule": "PathPrefix(`/hub`)",
                    "entryPoints": ["alsoHub"],
                    "service": "test",
                },
                "test2": {
                    "rule": "PathPrefix(`/the/hub/runs/here/too`)",
                    "middlewares": ["testHubStripPrefix"],
                    "entryPoints": ["http"],
                    "service": "test",
                },
            },
            "services": {
                "test": {
                    "loadBalancer": {
                        # forward requests to the hub
                        "servers": [{"url": "http://127.0.0.1:15001"}]
                    }
                }
            },
        },
    }

    success = False
    for i in range(5):
        try:
            with pytest.raises(HTTPClientError, match="HTTP 401: Unauthorized"):
                # The default api entrypoint requires authentication, so it should fail
                HTTPClient().fetch("http://localhost:8099/api")
            success = True
            break
        except Exception as e:
            print(e)
            time.sleep(i)

    assert success == True

    # write the extra static config
    with open(
        os.path.join(extra_static_config_dir, "extra.toml"), "w+"
    ) as extra_config_file:
        toml.dump(extra_static_config, extra_config_file)

    # write the extra dynamic config
    with open(
        os.path.join(dynamic_config_dir, "extra_rules.toml"), "w+"
    ) as extra_config_file:
        toml.dump(extra_dynamic_config, extra_config_file)

    # load the extra config
    reload_component("proxy")

    # check hub page
    # the new dashboard entrypoint shouldn't require authentication anymore
    resp = send_request(url="http://127.0.0.1:9999/hub/login", max_sleep=5)
    assert resp.code == 200

    # test extra dynamic config
    resp = send_request(url="http://127.0.0.1/the/hub/runs/here/too", max_sleep=5)
    assert resp.code == 200
    assert "http://127.0.0.1/hub/login" in resp.effective_url

    # cleanup
    os.remove(os.path.join(extra_static_config_dir, "extra.toml"))
    os.remove(os.path.join(dynamic_config_dir, "extra_rules.toml"))
    open(os.path.join(STATE_DIR, "traefik.toml"), "w").close()
test manual https setup adds integration test for manual https certs 2018-08-28 12:09:05 +02:00			`"""tests for the proxy"""`
			`import os`
			`import shutil`
			`import ssl`
			`import time`
[pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci 2023-05-15 08:51:35 +00:00			`from subprocess import check_call`
test manual https setup adds integration test for manual https certs 2018-08-28 12:09:05 +02:00
Add proxy integration test 2020-06-08 11:42:10 +03:00			`import pytest`
[pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci 2023-05-15 08:51:35 +00:00			`import toml`
			`from tornado.httpclient import HTTPClient, HTTPClientError, HTTPRequest`
test manual https setup adds integration test for manual https certs 2018-08-28 12:09:05 +02:00
Allow extending traefik dynamic config 2020-06-18 17:29:50 +03:00			`from tljh.config import (`
			`CONFIG_DIR,`
[pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci 2023-05-15 08:51:35 +00:00			`CONFIG_FILE,`
Allow extending traefik dynamic config 2020-06-18 17:29:50 +03:00			`STATE_DIR,`
[pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci 2023-05-15 08:51:35 +00:00			`reload_component,`
			`set_config_value,`
Allow extending traefik dynamic config 2020-06-18 17:29:50 +03:00			`)`
test manual https setup adds integration test for manual https certs 2018-08-28 12:09:05 +02:00

Refactor proxy tests 2020-06-20 02:05:53 +03:00			`def send_request(url, max_sleep, validate_cert=True, username=None, password=None):`
			`for i in range(max_sleep):`
			`try:`
			`req = HTTPRequest(`
			`url,`
			`method="GET",`
			`auth_username=username,`
			`auth_password=password,`
			`validate_cert=validate_cert,`
			`follow_redirects=True,`
			`max_redirects=15,`
			`)`
update for traefik v2, treafik-proxy v1 - tls config is no longer allowed in static config file, add separate dynamic config - no longer need to persist auth config ourselves (TraefikProxy handles this) - make sure to reload proxy before reloading hub in tests 2023-05-15 10:53:53 +02:00			`return HTTPClient().fetch(req)`
Refactor proxy tests 2020-06-20 02:05:53 +03:00			`except Exception as e:`
update for traefik v2, treafik-proxy v1 - tls config is no longer allowed in static config file, add separate dynamic config - no longer need to persist auth config ourselves (TraefikProxy handles this) - make sure to reload proxy before reloading hub in tests 2023-05-15 10:53:53 +02:00			`if i + 1 == max_sleep:`
			`raise`
Refactor proxy tests 2020-06-20 02:05:53 +03:00			`print(e)`
update for traefik v2, treafik-proxy v1 - tls config is no longer allowed in static config file, add separate dynamic config - no longer need to persist auth config ourselves (TraefikProxy handles this) - make sure to reload proxy before reloading hub in tests 2023-05-15 10:53:53 +02:00			`time.sleep(i)`
Refactor proxy tests 2020-06-20 02:05:53 +03:00

test manual https setup adds integration test for manual https certs 2018-08-28 12:09:05 +02:00			`def test_manual_https(preserve_config):`
			`ssl_dir = "/etc/tljh-ssl-test"`
			`key = ssl_dir + "/ssl.key"`
			`cert = ssl_dir + "/ssl.cert"`
			`os.makedirs(ssl_dir, exist_ok=True)`
			`os.chmod(ssl_dir, 0o600)`
			`# generate key and cert`
			`check_call(`
			`[`
			`"openssl",`
			`"req",`
			`"-nodes",`
			`"-newkey",`
			`"rsa:2048",`
			`"-keyout",`
			`key,`
			`"-x509",`
			`"-days",`
			`"1",`
			`"-out",`
			`cert,`
			`"-subj",`
			`"/CN=tljh.jupyer.org",`
			`]`
			`)`
			`set_config_value(CONFIG_FILE, "https.enabled", True)`
			`set_config_value(CONFIG_FILE, "https.tls.key", key)`
			`set_config_value(CONFIG_FILE, "https.tls.cert", cert)`
			`reload_component("proxy")`
			`for i in range(10):`
			`time.sleep(i)`
			`try:`
			`server_cert = ssl.get_server_certificate(("127.0.0.1", 443))`
			`except Exception as e:`
			`print(e)`
			`else:`
			`break`
			`with open(cert) as f:`
			`file_cert = f.read()`

			`# verify that our certificate was loaded by traefik`
			`assert server_cert == file_cert`

Refactor proxy tests 2020-06-20 02:05:53 +03:00			`# verify that we can still connect to the hub`
			`resp = send_request(`
			`url="https://127.0.0.1/hub/api", max_sleep=10, validate_cert=False`
			`)`
Add proxy integration test 2020-06-08 11:42:10 +03:00			`assert resp.code == 200`
test manual https setup adds integration test for manual https certs 2018-08-28 12:09:05 +02:00
			`# cleanup`
			`shutil.rmtree(ssl_dir)`
Refactor proxy tests 2020-06-20 02:05:53 +03:00			`set_config_value(CONFIG_FILE, "https.enabled", False)`

			`reload_component("proxy")`
Add proxy integration test 2020-06-08 11:42:10 +03:00

Group tests for fewer reloads 2020-06-21 13:55:52 +03:00			`def test_extra_traefik_config():`
Refactor proxy tests 2020-06-20 02:05:53 +03:00			`extra_static_config_dir = os.path.join(CONFIG_DIR, "traefik_config.d")`
			`os.makedirs(extra_static_config_dir, exist_ok=True)`
Add proxy integration test 2020-06-08 11:42:10 +03:00
Group tests for fewer reloads 2020-06-21 13:55:52 +03:00			`dynamic_config_dir = os.path.join(STATE_DIR, "rules")`
			`os.makedirs(dynamic_config_dir, exist_ok=True)`

Refactor proxy tests 2020-06-20 02:05:53 +03:00			`extra_static_config = {`
update for traefik v2, treafik-proxy v1 - tls config is no longer allowed in static config file, add separate dynamic config - no longer need to persist auth config ourselves (TraefikProxy handles this) - make sure to reload proxy before reloading hub in tests 2023-05-15 10:53:53 +02:00			`"entryPoints": {"alsoHub": {"address": "127.0.0.1:9999"}},`
Add proxy integration test 2020-06-08 11:42:10 +03:00			`}`

Group tests for fewer reloads 2020-06-21 13:55:52 +03:00			`extra_dynamic_config = {`
update for traefik v2, treafik-proxy v1 - tls config is no longer allowed in static config file, add separate dynamic config - no longer need to persist auth config ourselves (TraefikProxy handles this) - make sure to reload proxy before reloading hub in tests 2023-05-15 10:53:53 +02:00			`"http": {`
			`"middlewares": {`
			`"testHubStripPrefix": {`
			`"stripPrefix": {"prefixes": ["/the/hub/runs/here/too"]}`
			`}`
			`},`
			`"routers": {`
			`"test1": {`
			"rule": "PathPrefix(`/hub`)",
			`"entryPoints": ["alsoHub"],`
			`"service": "test",`
Group tests for fewer reloads 2020-06-21 13:55:52 +03:00			`},`
update for traefik v2, treafik-proxy v1 - tls config is no longer allowed in static config file, add separate dynamic config - no longer need to persist auth config ourselves (TraefikProxy handles this) - make sure to reload proxy before reloading hub in tests 2023-05-15 10:53:53 +02:00			`"test2": {`
			"rule": "PathPrefix(`/the/hub/runs/here/too`)",
			`"middlewares": ["testHubStripPrefix"],`
			`"entryPoints": ["http"],`
			`"service": "test",`
			`},`
			`},`
			`"services": {`
			`"test": {`
			`"loadBalancer": {`
			`# forward requests to the hub`
			`"servers": [{"url": "http://127.0.0.1:15001"}]`
			`}`
			`}`
			`},`
Group tests for fewer reloads 2020-06-21 13:55:52 +03:00			`},`
			`}`

Add proxy integration test 2020-06-08 11:42:10 +03:00			`success = False`
			`for i in range(5):`
			`try:`
			`with pytest.raises(HTTPClientError, match="HTTP 401: Unauthorized"):`
update for traefik v2, treafik-proxy v1 - tls config is no longer allowed in static config file, add separate dynamic config - no longer need to persist auth config ourselves (TraefikProxy handles this) - make sure to reload proxy before reloading hub in tests 2023-05-15 10:53:53 +02:00			`# The default api entrypoint requires authentication, so it should fail`
			`HTTPClient().fetch("http://localhost:8099/api")`
Add proxy integration test 2020-06-08 11:42:10 +03:00			`success = True`
			`break`
update for traefik v2, treafik-proxy v1 - tls config is no longer allowed in static config file, add separate dynamic config - no longer need to persist auth config ourselves (TraefikProxy handles this) - make sure to reload proxy before reloading hub in tests 2023-05-15 10:53:53 +02:00			`except Exception as e:`
			`print(e)`
			`time.sleep(i)`
Add proxy integration test 2020-06-08 11:42:10 +03:00
			`assert success == True`

Refactor proxy tests 2020-06-20 02:05:53 +03:00			`# write the extra static config`
			`with open(`
			`os.path.join(extra_static_config_dir, "extra.toml"), "w+"`
			`) as extra_config_file:`
			`toml.dump(extra_static_config, extra_config_file)`

			`# write the extra dynamic config`
Allow extending traefik dynamic config 2020-06-18 17:29:50 +03:00			`with open(`
			`os.path.join(dynamic_config_dir, "extra_rules.toml"), "w+"`
			`) as extra_config_file:`
Refactor proxy tests 2020-06-20 02:05:53 +03:00			`toml.dump(extra_dynamic_config, extra_config_file)`

			`# load the extra config`
Allow extending traefik dynamic config 2020-06-18 17:29:50 +03:00			`reload_component("proxy")`

update for traefik v2, treafik-proxy v1 - tls config is no longer allowed in static config file, add separate dynamic config - no longer need to persist auth config ourselves (TraefikProxy handles this) - make sure to reload proxy before reloading hub in tests 2023-05-15 10:53:53 +02:00			`# check hub page`
Group tests for fewer reloads 2020-06-21 13:55:52 +03:00			`# the new dashboard entrypoint shouldn't require authentication anymore`
update for traefik v2, treafik-proxy v1 - tls config is no longer allowed in static config file, add separate dynamic config - no longer need to persist auth config ourselves (TraefikProxy handles this) - make sure to reload proxy before reloading hub in tests 2023-05-15 10:53:53 +02:00			`resp = send_request(url="http://127.0.0.1:9999/hub/login", max_sleep=5)`
Group tests for fewer reloads 2020-06-21 13:55:52 +03:00			`assert resp.code == 200`

Refactor proxy tests 2020-06-20 02:05:53 +03:00			`# test extra dynamic config`
			`resp = send_request(url="http://127.0.0.1/the/hub/runs/here/too", max_sleep=5)`
Allow extending traefik dynamic config 2020-06-18 17:29:50 +03:00			`assert resp.code == 200`
Update proxy test for latest jh version 2020-12-23 18:02:45 +02:00			`assert "http://127.0.0.1/hub/login" in resp.effective_url`
Allow extending traefik dynamic config 2020-06-18 17:29:50 +03:00
			`# cleanup`
Group tests for fewer reloads 2020-06-21 13:55:52 +03:00			`os.remove(os.path.join(extra_static_config_dir, "extra.toml"))`
Refactor proxy tests 2020-06-20 02:05:53 +03:00			`os.remove(os.path.join(dynamic_config_dir, "extra_rules.toml"))`
Group tests for fewer reloads 2020-06-21 13:55:52 +03:00			`open(os.path.join(STATE_DIR, "traefik.toml"), "w").close()`