From 06aa485e1899d9bf012de704f39ff0663a45a4fa Mon Sep 17 00:00:00 2001 From: Jamil Date: Sat, 15 Mar 2025 08:27:22 -0500 Subject: [PATCH] ci: Use search_domain for one resource in CI test (#8393) - Adds a `search_domain` of `httpbin.test` in seeds - Updates one of our DNS resources under CI test to use this --- .github/workflows/_integration_tests.yml | 2 +- docker-compose.yml | 2 +- elixir/apps/domain/priv/repo/seeds.exs | 35 +++++++++++++++++-- scripts/tests/direct-dns-api-down.sh | 2 +- scripts/tests/direct-dns-two-resources.sh | 2 +- scripts/tests/direct-dns.sh | 5 +-- scripts/tests/systemd/dns-systemd-resolved.sh | 5 +-- scripts/tests/tcp-dns.sh | 7 ++-- 8 files changed, 48 insertions(+), 12 deletions(-) diff --git a/.github/workflows/_integration_tests.yml b/.github/workflows/_integration_tests.yml index 8a1b7ff59..21292293a 100644 --- a/.github/workflows/_integration_tests.yml +++ b/.github/workflows/_integration_tests.yml @@ -126,7 +126,7 @@ jobs: fi # Start one-by-one to avoid variability in service startup order - docker compose up -d dns.httpbin httpbin download.httpbin --no-build + docker compose up -d dns.httpbin.search.test httpbin download.httpbin --no-build docker compose up -d api web domain --no-build docker compose up -d otel --no-build docker compose up -d relay-1 --no-build diff --git a/docker-compose.yml b/docker-compose.yml index f1d753d9f..2214752cb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -410,7 +410,7 @@ services: dns_resources: ipv4_address: 172.21.0.101 - dns.httpbin: + dns.httpbin.search.test: image: kennethreitz/httpbin healthcheck: test: ["CMD-SHELL", "ps -C gunicorn"] diff --git a/elixir/apps/domain/priv/repo/seeds.exs b/elixir/apps/domain/priv/repo/seeds.exs index a9d37b0a9..93988622c 100644 --- a/elixir/apps/domain/priv/repo/seeds.exs +++ b/elixir/apps/domain/priv/repo/seeds.exs 
@@ -37,7 +37,10 @@ defmodule Domain.Repo.Seeds do {:ok, account} = Accounts.create_account(%{ name: "Firezone Account", - slug: "firezone" + slug: "firezone", + config: %{ + search_domain: "httpbin.search.test" + } }) account = @@ -1017,6 +1020,23 @@ defmodule Domain.Repo.Seeds do admin_subject ) + {:ok, search_domain_resource} = + Resources.create_resource( + %{ + type: :dns, + name: "**.httpbin.search.test", + address: "**.httpbin.search.test", + address_description: "http://httpbin/", + connections: [%{gateway_group_id: gateway_group.id}], + filters: [ + %{ports: ["80", "433"], protocol: :tcp}, + %{ports: ["53"], protocol: :udp}, + %{protocol: :icmp} + ] + }, + admin_subject + ) + IO.puts("Created resources:") IO.puts(" #{dns_google_resource.address} - DNS - gateways: #{gateway_name}") IO.puts(" #{address_description_null_resource.address} - DNS - gateways: #{gateway_name}") @@ -1027,6 +1047,7 @@ defmodule Domain.Repo.Seeds do IO.puts(" #{ip_resource.address} - IP - gateways: #{gateway_name}") IO.puts(" #{cidr_resource.address} - CIDR - gateways: #{gateway_name}") IO.puts(" #{dns_httpbin_resource.address} - DNS - gateways: #{gateway_name}") + IO.puts(" #{search_domain_resource.address} - DNS - gateways: #{gateway_name}") IO.puts("") {:ok, _} = @@ -1112,13 +1133,23 @@ defmodule Domain.Repo.Seeds do {:ok, _} = Policies.create_policy( %{ - name: "All Access To dns.httpbin", + name: "All Access To **.httpbin", actor_group_id: everyone_group.id, resource_id: dns_httpbin_resource.id }, admin_subject ) + {:ok, _} = + Policies.create_policy( + %{ + name: "All Access To **.httpbin.search.test", + actor_group_id: everyone_group.id, + resource_id: search_domain_resource.id + }, + admin_subject + ) + IO.puts("Policies Created") IO.puts("") diff --git a/scripts/tests/direct-dns-api-down.sh b/scripts/tests/direct-dns-api-down.sh index 221424666..29b2da624 100755 --- a/scripts/tests/direct-dns-api-down.sh +++ b/scripts/tests/direct-dns-api-down.sh 
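Review bot: In the new `search_domain_resource` seed (elixir/apps/domain/priv/repo/seeds.exs, hunk at -1017), the TCP filter lists port `"433"`, which looks like a typo for HTTPS on 443. As written, the resource's allow-list covers TCP 80 and 433, so HTTPS traffic to `**.httpbin.search.test` would presumably not match any filter. If 443 is intended, change the line to `%{ports: ["80", "443"], protocol: :tcp},`. The value may have been copied from an existing resource seed outside this hunk, in which case that one likely needs the same fix.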
@@ -2,7 +2,7 @@ source "./scripts/tests/lib.sh" -HTTPBIN=dns.httpbin +HTTPBIN=dns function run_test() { echo "# Access httpbin by DNS" diff --git a/scripts/tests/direct-dns-two-resources.sh b/scripts/tests/direct-dns-two-resources.sh index 0ca936ab0..56a0bb813 100755 --- a/scripts/tests/direct-dns-two-resources.sh +++ b/scripts/tests/direct-dns-two-resources.sh @@ -5,7 +5,7 @@ source "./scripts/tests/lib.sh" -RESOURCE1=dns.httpbin +RESOURCE1=dns RESOURCE2=download.httpbin echo "# Try to ping httpbin as DNS resource 1" diff --git a/scripts/tests/direct-dns.sh b/scripts/tests/direct-dns.sh index bff5125ae..2f23478e9 100755 --- a/scripts/tests/direct-dns.sh +++ b/scripts/tests/direct-dns.sh @@ -5,7 +5,8 @@ source "./scripts/tests/lib.sh" -HTTPBIN=dns.httpbin +HTTPBIN=dns +HTTPBIN_FQDN="$HTTPBIN.httpbin.search.test" # Re-up the gateway since a local dev setup may run this back-to-back docker compose up -d gateway --no-build @@ -14,7 +15,7 @@ echo "# check original resolv.conf" client sh -c "cat /etc/resolv.conf.before-firezone" echo "# Make sure gateway can reach httpbin by DNS" -gateway sh -c "curl --fail $HTTPBIN/get" +gateway sh -c "curl --fail $HTTPBIN_FQDN/get" echo "# Try to ping httpbin as a DNS resource" client_ping_resource "$HTTPBIN" diff --git a/scripts/tests/systemd/dns-systemd-resolved.sh b/scripts/tests/systemd/dns-systemd-resolved.sh index ca8006616..2d38f2d01 100755 --- a/scripts/tests/systemd/dns-systemd-resolved.sh +++ b/scripts/tests/systemd/dns-systemd-resolved.sh 
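Review bot: `HTTPBIN=dns` in scripts/tests/direct-dns-api-down.sh, and `RESOURCE1=dns` in direct-dns-two-resources.sh, are now single-label names that resolve only through the `search_domain` seeded as `httpbin.search.test`, and nothing at the assignment says so. A comment such as `# Single label on purpose: expanded via the account search_domain to dns.httpbin.search.test` would stop a later reader from changing it back to an FQDN and silently removing the search-domain coverage. direct-dns.sh pairs the label with `HTTPBIN_FQDN` for the gateway-side curl, presumably because the gateway does not receive the search domain. If these two scripts also use the variable from the gateway they need the same split, but those lines are outside the hunks shown.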
@@ -25,14 +25,15 @@ create_token_file sudo cp "scripts/tests/systemd/$SERVICE_NAME.service" /usr/lib/systemd/system/ -HTTPBIN=dns.httpbin +HTTPBIN=dns +HTTPBIN_FQDN="$HTTPBIN.httpbin.search.test" # I'm assuming the docker iface name is relatively constant DOCKER_IFACE="docker0" FZ_IFACE="tun-firezone" echo "# Make sure gateway can reach httpbin by DNS" -gateway sh -c "curl --fail $HTTPBIN/get" +gateway sh -c "curl --fail $HTTPBIN_FQDN/get" echo "# Accessing a resource should fail before the client is up" # Force curl to try the Firezone interface. I can't block off the Docker interface yet diff --git a/scripts/tests/tcp-dns.sh b/scripts/tests/tcp-dns.sh index c4c8946e4..656644f7c 100755 --- a/scripts/tests/tcp-dns.sh +++ b/scripts/tests/tcp-dns.sh @@ -4,8 +4,11 @@ source "./scripts/tests/lib.sh" client sh -c "apk add bind-tools" # The compat tests run using the production image which doesn't have `dig`. -echo "Resolving DNS resource over TCP" -client sh -c "dig +tcp dns.httpbin" +echo "Resolving DNS resource over TCP with search domain" +client sh -c "dig +search +tcp dns" + +echo "Resolving DNS resource over TCP with FQDN" +client sh -c "dig +tcp download.httpbin" echo "Resolving non-DNS resource over TCP" client sh -c "dig +tcp example.com"
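Review bot: In scripts/tests/tcp-dns.sh the new `client sh -c "dig +search +tcp dns"` step does not actually assert that the search domain was applied, because dig exits 0 whenever it gets a reply, including NXDOMAIN. If the search list is never pushed to the client, this step still passes. Checking for an answer would make it a real test, for example `client sh -c "dig +short +search +tcp dns | grep -q ."`, and the same applies to the `download.httpbin` lookup below it. Whether the script asserts on the output elsewhere is not visible from this hunk.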