Merge pull request #113 from dfinity/igor/improve-tests

Add `ic-boundary` to integration tests

Author: blind-oracle

.github/workflows/test.yml

@@ -8,6 +8,7 @@ on:
 
 env:
   CARGO_TERM_COLOR: never
+  GH_TOKEN: ${{ github.token }}
 
 defaults:
   run:

run-tests.sh

@@ -1,9 +1,14 @@
 #!/usr/bin/env bash
 set -eEuo pipefail
 
+# Get the latest IC master hash that passed "CI Main".
+# This hash should have binaries published.
+readonly IC_COMMIT=$(gh run list --repo dfinity/ic --branch master --workflow "CI Main" --json headSha,status --jq '.[] | select(.status == "completed") | .headSha' | head -n 1)
+
 readonly POCKETIC_VERSION="9.0.1"
 readonly POCKETIC_URL="https://github.com/dfinity/pocketic/releases/download/${POCKETIC_VERSION}/pocket-ic-x86_64-linux.gz"
 readonly POCKETIC_CHECKSUM="237272216498074e5250a0685813b96632963ff9abbc51a7030d9b625985028d"
+readonly IC_BOUNDARY_URL="https://download.dfinity.systems/ic/${IC_COMMIT}/binaries/x86_64-linux/ic-boundary.gz"
 readonly ASSET_WASM_URL="https://github.com/dfinity/sdk/raw/fec030f53814e7eaa2f869189e8852b5c0e60e5e/src/distributed/assetstorage.wasm.gz"
 readonly ASSET_WASM_CHECKSUM="865eb25df5a6d857147e078bb33c727797957247f7af2635846d65c5397b36a6"
 readonly LARGE_ASSETS_WASM_URL="https://github.com/dfinity/http-gateway/raw/42408f658199d7278d8ff3293504a06e1b0ef61d/examples/http-gateway/canister/http_gateway_canister_custom_assets.wasm.gz"
@@ -30,6 +35,11 @@ chmod +x "${POCKETIC_BIN}" || { log "Failed to make PocketIC executable"; exit 1
 export POCKET_IC_BIN="${POCKETIC_BIN}"
 log "PocketIC setup completed"
 
+log "Downloading ic-boundary"
+curl -fsSL --retry 3 --retry-delay 5 "${IC_BOUNDARY_URL}" -o ic-boundary.gz
+gzip -d ic-boundary.gz
+chmod +x ic-boundary
+
 log "Building ic-gateway"
 cargo build || { log "ic-gateway build failed"; exit 1; }
 export CARGO_TARGET_DIR
@@ -64,3 +74,5 @@ export ASSET_CANISTER_DIR="${CANISTER_DIR}"
 log "Running all tests"
 cargo test --all-features --profile dev --workspace -- --nocapture || { log "Tests failed"; exit 1; }
 log "All tests completed successfully"
+
+rm -rf ic-boundary denylist_seed.json pocket-ic canister_wasms

src/routing/ic/handler.rs

@@ -62,7 +62,7 @@ pub async fn handler(
     // HTTP2 lacks it, but canisters might expect it to be present.
     if parts.headers.get(HOST).is_none() {
         let host = ctx.authority.to_string();
-        if let Ok(v) = HeaderValue::from_str(&host) {
+        if let Ok(v) = HeaderValue::from_maybe_shared(Bytes::from(host)) {
             parts.headers.insert(HOST, v);
         }
     }

test_data/cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6TCCAdGgAwIBAgIUK60AjMl8YTJ5nWViMweY043y6/EwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEbm92ZzAeFw0yMzAxMDkyMTM5NTZaFw0zMzAxMDYyMTM5
+NTZaMA8xDTALBgNVBAMMBG5vdmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCd/7NXWeENaITmYU+eWMJEJMZa6v74g70RpZlprQzx148U0QOKEw/r6mmd
+SlbN4wsbb9lUu3zmXXpvYDAHYuOTYsDWcuNJXP/gCnPrD2wU8lJt3C5blmeU/9+0
+U6/ppRmu6kf/jmm7CMBnowI0+kdvTF7sbpiUBXTDujXNsqtX0FaksILc9ZAqpUCC
+2gqRcOXahzT2vnvJ2N+2bhveG+eB0/5oZcKgx0D4QgjR9k1+thWOQZUCJMg32OYS
+k4e57WhOQxu9Kh5N2MU1Ff3fhCYXzg7/GhJtWyDmjt1vNBwGW9Zn0BicySdcVFPC
+mRW3/rZrSpnwvsEnpIuyKGq+NMSXAgMBAAGjPTA7MAkGA1UdEwQCMAAwDwYDVR0R
+BAgwBoIEbm92ZzAdBgNVHQ4EFgQUYHN6l0ihbfbLQXqnKPltmv9DWDkwDQYJKoZI
+hvcNAQELBQADggEBAFBvyns/lJZ+zB4/Tmx3YUryji20XUNwhtlBC6V7rdWCXneY
+kqKVgbyDZ+XAYX2eL3o1gcv+XJxQgHfL+OqHJCVbK2kkYVSCW38WNVZb+oeTp/w3
+pgtmg91JcCjFEw2doqImLZLQDX6KK1gDGdTQ2dtisFcxGEkMUyjzqmZmZNzl+u7d
+JeDygLfGrMleO7ij2hP2vEfgkGbbvM+JCTav0B91Rj8/CbJHBwr8/CW4BJTjsqZC
+mglNb9+hY8N6XAxntoqZsFzuDyDx7ZSxeAW0yVRemrIPSgcPwpLDBFm4dCSwUHJN
+ujBjp7DRCQgg8uUq+0FMQ63ioZoR5mXQ5hzmTqk=
+-----END CERTIFICATE-----

test_data/key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCd/7NXWeENaITm
+YU+eWMJEJMZa6v74g70RpZlprQzx148U0QOKEw/r6mmdSlbN4wsbb9lUu3zmXXpv
+YDAHYuOTYsDWcuNJXP/gCnPrD2wU8lJt3C5blmeU/9+0U6/ppRmu6kf/jmm7CMBn
+owI0+kdvTF7sbpiUBXTDujXNsqtX0FaksILc9ZAqpUCC2gqRcOXahzT2vnvJ2N+2
+bhveG+eB0/5oZcKgx0D4QgjR9k1+thWOQZUCJMg32OYSk4e57WhOQxu9Kh5N2MU1
+Ff3fhCYXzg7/GhJtWyDmjt1vNBwGW9Zn0BicySdcVFPCmRW3/rZrSpnwvsEnpIuy
+KGq+NMSXAgMBAAECggEAKYtxTFAxWZW4kF1ZEqFzH3juAT0WYyE8x1WcY8mhhDvy
+fv5AqH8/qgBe2gGQlp2TL5k2881C184PohaQOnj5rykB3MGj2wgNrgsBlPberBlV
+rFZ/iAyh2u93EpMIx+5mNPScjumTCp+P/BBERcrjmrPhp9ii3RUcMVUWzaoj3Lhc
+wa5trC1r7UqbUZeO7NaVA7cGETZLVm8U7NaL8ccb1dKASUzrC9QCy9VVekJbb2S7
+h38MELR9wvTGS7s4hXQGejb8vEDuXcZzWIFg3YMkJPIyGLAEaRynfeAHm/ji48U0
+zh1ba3CWE/6z6nayDPqWqrwic4Hff6Mz+SIWAz2LyQKBgQDcdeWweNRVXhVkcFUP
+JNpUiLOF5j3f4nqZwk7j5hQBxcXilYO/lmrcimvhvJ3ox97GfqCkvEQM8thTnPmi
+JBagynOfIaUK2qdVwS1BbZ2JpYe3k/rO+iSKtRO4mF94cHgFIafPb5qt0fFz9bDS
+7D2lnWSbveMvb+mZsp/+FZx2DwKBgQC3eBhAbOSrSGuh7KOuWsav8pROMdcsESpz
+j8el1iEklRsklYiNrVsztlZtNUXE2zSHeNPsGENDGlvKG8qD/vbcdTFsYa1H8Hk5
+NydTLAb0/Bm256Xee1Dm5Wt2yG2aLfc9eG0trJz8VgBDhDlulnjo2kavhWIpTBNm
+0WmkMQsQ+QKBgQDYXd1PlUbPgcb9DEJu2nxs+r02bQHM+TnaLhm/EdAQ7UmJV7Q2
+FCpMyI2YvsU78O1zYlPHWf5vtucZKLbXqxOKOye+xgZ04KPaRf1keXBj51GLmnBN
+MrMqbw0r3l/UlI02fBF2RNJKRgHzDO6+E51tLUvQjkyqAewCLI1ZkVw9gQKBgD0F
+J2O+E+vX4VxwnRvvOyfn0WWUdBFHAEyBJJDGgC1vniBzz3/3iV7QpTwbPMI1eeoY
+yLs8cpqN2LuGtLtkAGzgWXjHn99OXrMl4eFqwkGW22KW9vbhIs44vZ47GSDvasy6
+Ee3f/DJ81AegoY1jZIFln57fCP/dOpK20aD3YsvZAoGBAKgaWVYbROCRJ6C8CQGd
+yetoZ8n25E7O5JtyKSNGwiQyD0IURgLuotiBpQvCCz9HGS53E6HLzBCc4jZc3GDq
+qVDS5cIgcfWAOBalBQ+JxoHsnLRGXeBBKwvaJB+EzlrV8st1dCmM4gukElBJm/PZ
+TvEPeiHG81OgB1RPgUt3DVIf
+-----END PRIVATE KEY-----

tests/all_tests.rs

@@ -1,3 +1,6 @@
+mod helpers;
+mod integration_tests;
+
 use helpers::TestEnv;
 use integration_tests::{
     api_proxy_test::proxy_api_calls_test,
@@ -7,20 +10,21 @@ use integration_tests::{
     http_gateway_test::{basic_http_gateway_test, large_assets_http_gateway_test},
 };
 
-mod helpers;
-mod integration_tests;
-
 const IC_GATEWAY_DOMAIN: &str = "ic0.app";
-const IC_GATEWAY_ADDR: &str = "127.0.0.1:8080";
+const IC_GATEWAY_ADDR: &str = "127.0.0.1:18080";
+const IC_BOUNDARY_PORT: &str = "18081";
 
 #[tokio::test]
-async fn all_intergration_tests() {
-    let env = TestEnv::new(IC_GATEWAY_ADDR, IC_GATEWAY_DOMAIN).await;
+async fn all_intergration_tests() -> anyhow::Result<()> {
+    let env = TestEnv::new(IC_GATEWAY_ADDR, IC_GATEWAY_DOMAIN, IC_BOUNDARY_PORT).await;
+
     // run all integration tests sequentially
-    basic_http_gateway_test(&env).await.unwrap();
-    content_type_headers_test(&env).await.unwrap();
-    cors_headers_test(&env).await.unwrap();
-    proxy_api_calls_test(&env).await.unwrap();
-    large_assets_http_gateway_test(&env).await.unwrap();
-    denylist_test(&env).await.unwrap();
+    basic_http_gateway_test(&env).await?;
+    content_type_headers_test(&env).await?;
+    cors_headers_test(&env).await?;
+    proxy_api_calls_test(&env).await?;
+    large_assets_http_gateway_test(&env).await?;
+    denylist_test(&env).await?;
+
+    Ok(())
 }

tests/helpers.rs

@@ -1,3 +1,15 @@
+use std::{
+    collections::HashMap,
+    env,
+    fs::{self, File},
+    io::Read,
+    net::SocketAddr,
+    path::PathBuf,
+    process::{Child, Command, ExitStatus},
+    str::FromStr,
+    time::{Duration, Instant},
+};
+
 use anyhow::anyhow;
 use candid::{Encode, Principal};
 use hex::encode;
@@ -13,21 +25,11 @@ use nix::{
 };
 use pocket_ic::{
     PocketIcBuilder,
+    common::rest::HttpsConfig,
     nonblocking::{PocketIc, update_candid_as},
 };
 use reqwest::Response;
 use sha2::{Digest, Sha256};
-use std::{
-    collections::HashMap,
-    env, fs,
-    fs::File,
-    io::Read,
-    net::SocketAddr,
-    path::PathBuf,
-    process::{Child, Command},
-    str::FromStr,
-    time::{Duration, Instant},
-};
 use tokio::time::sleep;
 use tracing::info;
 
@@ -258,6 +260,7 @@ pub async fn upload_asset_to_asset_canister(
             }),
         ],
     };
+
     update_candid_as::<_, ((),)>(
         pic,
         canister_id,
@@ -269,6 +272,41 @@ pub async fn upload_asset_to_asset_canister(
     .unwrap();
 }
 
+fn stop_process(p: &mut Child) -> ExitStatus {
+    let pid = p.id() as i32;
+    match signal::kill(Pid::from_raw(pid), Signal::SIGINT) {
+        Ok(_) => info!("Sent SIGINT to process {pid}"),
+        Err(e) => info!("Failed to send SIGINT: {}", e),
+    }
+    p.wait().expect("failed to wait on child process")
+}
+
+pub fn start_ic_boundary(port: &str, replica_addr: &str) -> Child {
+    info!("ic-boundary service starting ...");
+    let mut cmd = Command::new("./ic-boundary");
+    cmd.args([
+        "--listen-http-port",
+        port,
+        "--registry-stub-replica",
+        replica_addr,
+        "--http-client-timeout-connect",
+        "3s",
+        "--skip-replica-tls-verification",
+    ]);
+
+    let child = cmd.spawn().expect("failed to start ic-boundary service");
+    info!("ic-boundary service started");
+    child
+}
+
+pub fn stop_ic_boundary(process: &mut Child) {
+    info!("gracefully terminating ic-boundary process");
+    info!(
+        "ic-boundary process exited with: {:?}",
+        stop_process(process)
+    );
+}
+
 pub fn start_ic_gateway(
     addr: &str,
     domain: &str,
@@ -291,36 +329,46 @@ pub fn start_ic_gateway(
         cmd.arg(denylist_seed_path.unwrap().to_str().unwrap());
     }
     cmd.arg("--listen-insecure-serve-http-only");
+
     let child = cmd.spawn().expect("failed to start ic-gateway service");
     info!("ic-gateway service started");
     child
 }
 
 pub fn stop_ic_gateway(process: &mut Child) {
     info!("gracefully terminating ic-gateway process");
-    let pid = process.id() as i32;
-    match signal::kill(Pid::from_raw(pid), Signal::SIGINT) {
-        Ok(_) => info!("Sent SIGINT to process {pid}"),
-        Err(e) => info!("Failed to send SIGINT: {}", e),
-    }
-    let exit_status = process.wait().expect("failed to wait on child process");
-    info!("ic-gateway process exited with: {:?}", exit_status);
+    info!(
+        "ic-gateway process exited with: {:?}",
+        stop_process(process)
+    );
 }
 
 pub struct TestEnv {
     pub pic: PocketIc,
     pub ic_gateway_process: Child,
+    pub ic_boundary_process: Child,
     pub ic_gateway_addr: SocketAddr,
     pub ic_gateway_domain: String,
+    pub root_key: Vec<u8>,
 }
 
 impl TestEnv {
-    pub async fn new(ic_gateway_addr: &str, ic_gateway_domain: &str) -> Self {
+    pub async fn new(
+        ic_gateway_addr: &str,
+        ic_gateway_domain: &str,
+        ic_boundary_port: &str,
+    ) -> Self {
         init_logging();
 
         info!("pocket-ic server starting ...");
-        let pic = PocketIcBuilder::new().with_nns_subnet().build_async().await;
-        pic.auto_progress().await;
+        let mut pic = PocketIcBuilder::new().with_nns_subnet().build_async().await;
+        let https_config = HttpsConfig {
+            cert_path: "test_data/cert.pem".into(),
+            key_path: "test_data/key.pem".into(),
+        };
+        let ic_url = pic
+            .make_live_with_params(None, None, None, Some(https_config))
+            .await;
         info!("pocket-ic server started");
 
         // fetch the root key of "local" IC and save it to a file
@@ -341,29 +389,36 @@ impl TestEnv {
         fs::write(DENYLIST_FILE, &denylist_seed.as_bytes())
             .expect("failed to write denylist to file");
 
+        let ic_boundary_process = start_ic_boundary(
+            ic_boundary_port,
+            &format!("127.0.0.1:{}", ic_url.port_or_known_default().unwrap()),
+        );
+
         let ic_gateway_addr =
             SocketAddr::from_str(ic_gateway_addr).expect("failed to parse address");
-        let ic_url = format!("{}instances/{}/", pic.get_server_url(), pic.instance_id);
-        let process = start_ic_gateway(
+        let ic_gateway_process = start_ic_gateway(
             &ic_gateway_addr.to_string(),
             ic_gateway_domain,
-            &ic_url,
+            &format!("http://127.0.0.1:{ic_boundary_port}"),
             ROOT_KEY_FILE.into(),
             Some(DENYLIST_FILE.into()),
         );
 
         Self {
-            ic_gateway_process: process,
+            ic_gateway_process,
+            ic_boundary_process,
             ic_gateway_addr,
             ic_gateway_domain: ic_gateway_domain.to_string(),
             pic,
+            root_key,
         }
     }
 }
 
 impl Drop for TestEnv {
     fn drop(&mut self) {
         stop_ic_gateway(&mut self.ic_gateway_process);
+        stop_ic_boundary(&mut self.ic_boundary_process);
         let _ = std::fs::remove_file("root_key.der");
     }
 }

tests/integration_tests/api_proxy_test.rs

@@ -40,8 +40,12 @@ pub async fn proxy_api_calls_test(env: &TestEnv) -> anyhow::Result<()> {
         .build()?;
 
     info!("test proxying of various API calls ...");
-    info!("api/v2/status - implicit status to fetch the root key");
-    agent.fetch_root_key().await?;
+    info!("api/v2/status - status call");
+    let status = agent.status().await?;
+    assert_eq!(status.replica_health_status, Some("healthy".into()));
+
+    // Set the actual root key
+    agent.set_root_key(env.root_key.clone());
 
     info!("api/v2/query - query counter");
     let out = agent.query(&canister_id, "read").call().await?;

tests/integration_tests/content_type_headers_test.rs

@@ -1,13 +1,14 @@
-use crate::helpers::TestEnv;
-use crate::helpers::{
-    ExpectedResponse, RETRY_INTERVAL, RETRY_TIMEOUT, check_response, retry_async,
-};
+use std::collections::HashMap;
+
 use anyhow::{Context, anyhow};
 use http::{Method, StatusCode};
 use reqwest::{Client, Request};
-use std::collections::HashMap;
 use url::Url;
 
+use crate::helpers::{
+    ExpectedResponse, RETRY_INTERVAL, RETRY_TIMEOUT, TestEnv, check_response, retry_async,
+};
+
 // Test scenario:
 // - make an HTTP GET request to http://ic0.app/api/v2/status
 // - verify necessary headers are present in response: [content-type, x-content-type-options, x-frame-options]

tests/integration_tests/cors_headers_test.rs

@@ -1,8 +1,5 @@
 use std::collections::HashMap;
 
-use crate::helpers::{
-    ExpectedResponse, RETRY_INTERVAL, RETRY_TIMEOUT, TestEnv, check_response, retry_async,
-};
 use anyhow::{Context, anyhow};
 use candid::Principal;
 use http::{Method, StatusCode};
@@ -11,6 +8,10 @@ use reqwest::{Client, Request};
 use tracing::info;
 use url::Url;
 
+use crate::helpers::{
+    ExpectedResponse, RETRY_INTERVAL, RETRY_TIMEOUT, TestEnv, check_response, retry_async,
+};
+
 // Test scenario:
 // - install counter canister
 // - make various HTTP requests OPTIONS/GET/POST and verify the CORS headers of the responses