Modify proxy test to use mocked FCM API and test it in CI (#413)

* Build curl into the test sygnal image rather than requiring manual installation

* Switch to mitmproxy (mitmdump) and mount CA root cert into container

* Disable APNs exercise for now

* Use dummy responses for FCM proxy test (so no Google account needed for testing)

* curl.sh: add shebang and exec last line for exit code

* Add proxy test to CI

* Newsfile

* Remove obsolete nginx config

* Use healthchecks to determine up-ness

Author: reivilibre

.github/workflows/docker_check.yml

@@ -3,19 +3,34 @@
 # an early source of warnings that the Dockerfile isn't right.
 # This check also triggers when this file itself is modified.
 
-name: Check Docker image can be built successfully
+name: Docker checks
 
 on:
   push:
+    branches: ["main"]
+
+  pull_request:
     paths:
+      # changes to the container build definition
       - 'docker/Dockerfile'
+
+      # changes to this CI flow
       - '.github/workflows/docker_check.yml'
 
+      # changes to the source code or dependencies
+      - 'pyproject.toml'
+      - 'poetry.lock'
+      - 'sygnal/**'
+
+      # changes to the proxy-test setup
+      - 'scripts-dev/proxy-test/**'
+
 permissions:
   contents: read
 
 jobs:
   build:
+    name: Build Docker image
     runs-on: ubuntu-latest
     steps:
       - name: Set up QEMU
@@ -24,6 +39,19 @@ jobs:
         with:
           platforms: arm64
 
+      # Use the containerd image store,
+      # otherwise we can't export the multi-arch image later
+      # https://github.com/docker/buildx/issues/59#issuecomment-2770311050
+      - name: Set up Docker
+        uses: docker/setup-docker-action@v4
+        with:
+          daemon-config: |
+            {
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v1
@@ -43,6 +71,89 @@ jobs:
         with:
           context: .
           push: false
+          load: true
+          tags: "localhost/sygnal:latest"
           labels: "gitsha1=${{ github.sha }}"
           file: "docker/Dockerfile"
           platforms: linux/amd64,linux/arm64
+
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Save container image to disk
+        run: |
+          docker image save localhost/sygnal:latest --output ${{ runner.temp }}/sygnal_image.tar
+
+      # https://docs.docker.com/build/ci/github-actions/share-image-jobs/
+      - name: Upload container image for subsequent steps
+        uses: actions/upload-artifact@v4
+        with:
+          name: sygnal_image
+          path: ${{ runner.temp }}/sygnal_image.tar
+          retention-days: 1
+
+  proxytest:
+    name: Check Proxy functionality
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Download container image from build step
+        uses: actions/download-artifact@v4
+        with:
+          name: sygnal_image
+          path: ${{ runner.temp }}
+
+      - name: Load image into container engine
+        run: |
+          docker image load --input ${{ runner.temp }}/sygnal_image.tar
+
+      - uses: actions/checkout@v4.2.2
+
+      - name: Prepare test setup
+        run: |
+          scripts-dev/proxy-test/setup.sh
+          # Chown the mitmproxy setup files to be group-owned by root,
+          # because mitmproxy will re-number its user and group at startup,
+          # but the group with that ID must already exist inside the container...
+          # See: https://github.com/mitmproxy/mitmproxy/issues/6840
+          sudo chown -R :root scripts-dev/proxy-test/mitmproxy
+
+      - name: Start test services in Compose file
+        uses: hoverkraft-tech/compose-action@8be2d741e891ac9b8ac20825e6f3904149599925 # v2.2.0
+        with:
+          compose-file: scripts-dev/proxy-test/docker-compose.yml
+
+      - name: Invoke test script
+        run: |
+          echo "Waiting for container to be healthy"
+          for _ in {0..10}; do
+            sleep 1
+            container_state=$(docker inspect sygnal | jq '.[0].State')
+            echo "Container state: $container_state"
+            if ! echo "$container_state" | jq --exit-status '.Status == "running"'; then
+              echo "Container not running!"
+              exit 1
+            fi
+            if echo "$container_state" | jq --exit-status '.Health.Status == "healthy"'; then
+              echo "Container healthy!"
+              break
+            fi
+          done
+          docker exec sygnal sh /curl.sh notification-gcm.json
+
+      - name: Print sygnal logs
+        if: always()
+        run: |
+          docker logs sygnal
+
+      - name: Print mitmdump logs
+        if: always()
+        run: |
+          docker logs mitmdump
+
+      - name: Upload mitmdump output
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: proxytest_mitmdump
+          path: scripts-dev/proxy-test/out/mitmdump_out

.gitignore

@@ -19,6 +19,9 @@ _trial_temp*
 /.python-version
 /htmlcov
 
+/scripts-dev/proxy-test/out
+/scripts-dev/proxy-test/mitmproxy
+
 .vscode/
 .idea/
 .DS_Store

CONTRIBUTING.md

@@ -273,21 +273,28 @@ unit tests and lints in a local development environment:
 To test whether proxy support is working or not, a docker compose file has been
 provided to make things easier.
 
+**Note:** `podman` and `podman compose` commands also work instead of `docker` for these steps.
+This may be preferable if root access is not available or desired.
+
 For GCM Pushkin proxy testing follow these steps:
-- create a firebase project & service account
-- download the service account file from firebase & save to `./scripts-dev/proxy-test/service_account.json`
-- configure the PROJECT_ID in `./scripts-dev/proxy-test/sygnal.yaml`
-- build a docker image of sygnal named `sygnal`
+- build a docker image of sygnal named `localhost/sygnal`
 - cd to `./scripts-dev/proxy-test/`
+- **If you want to test with the real FCM service** (otherwise, skip these steps — the FCM service will be replaced with dummy responses):
+  - create a firebase project & service account
+  - download the service account file from firebase & save to `./scripts-dev/proxy-test/service_account.json`
+  - configure the PROJECT_ID in `./scripts-dev/proxy-test/sygnal.yaml`
+  - comment out the `map-local` lines in `docker-compose.yaml`
+- run `./setup.sh`
 - run `docker compose up`
 - in another terminal, run `docker exec -it sygnal bash`
-- run `apt update && apt install curl -y`
-- run `chmod +x curl.sh`
 - run `./curl.sh`
-- you can tell if the proxy is **NOT** working by inspecting the sygnal logs & seeing something along the lines of "Network is unreachable" or DNS resolution/proxy errors
-- you cal tell if the proxy is working by inspecting the sygnal logs & seeing the following error from firebase '"code": 400, "message": "The registration token is not a valid FCM registration token"'
-- this is due to the `pushkey` being set to PUSHKEY_HERE in `notification.json`
-- if you want to fully test an actual notification, you will have to update this value in `./scripts-dev/proxy-test/notification.json` before calling `docker compose up`
+- **If you are testing with the dummy FCM responses (default):**
+  - expect to see a 200 OK response from Sygnal. If you get one, the proxy must be working.
+- **If you are testing with the real FCM service**:
+  - you can tell if the proxy is **NOT** working by inspecting the sygnal logs & seeing something along the lines of "Network is unreachable" or DNS resolution/proxy errors
+  - you can tell if the proxy is working by inspecting the sygnal logs & seeing the following error from firebase '"code": 400, "message": "The registration token is not a valid FCM registration token"'
+  - this is due to the `pushkey` being set to PUSHKEY_HERE in `notification.json`
+  - if you want to fully test an actual notification, you will have to update this value in `./scripts-dev/proxy-test/notification.json` before calling `docker compose up`
 
 ## Updating your pull request
 

changelog.d/413.misc

@@ -0,0 +1 @@
+Add a CI test for Sygnal's HTTP proxy functionality.

scripts-dev/proxy-test/curl.sh

@@ -1,6 +1,8 @@
+#!/bin/sh
+
 if [ "$#" -ne 1 ]; then
     echo "Usage: $0 <notification_file>"
     exit 1
 fi
 
-curl -i -H "Content-Type: application/json" --request POST -d @$1 http://localhost:5000/_matrix/push/v1/notify
+exec curl --fail -i -H "Content-Type: application/json" --request POST -d @$1 http://localhost:5000/_matrix/push/v1/notify

scripts-dev/proxy-test/docker-compose.yml

@@ -1,6 +1,8 @@
 services:
   sygnal:
-    image: sygnal
+    image: localhost/sygnal-with-curl
+    build:
+      dockerfile: sygnal-with-curl.Dockerfile
     networks:
       no-internet:
         ipv4_address: 172.28.0.2
@@ -11,19 +13,28 @@ services:
       - ./curl.sh:/curl.sh
       - ./notification-gcm.json:/notification-gcm.json
       - ./notification-ios.json:/notification-ios.json
-      - ./proxy.conf:/etc/apt/apt.conf.d/proxy.conf
+      - ./mitmproxy:/mitmproxy:ro
+    environment:
+      SSL_CERT_FILE: /mitmproxy/ca.crt
     ports:
       - 5000:5000
 
   proxy:
-    image: dominikbechstein/nginx-forward-proxy
+    image: docker.io/mitmproxy/mitmproxy
+    command: >-
+      mitmdump
+      -w /out/mitmdump_out
+      --map-local '|https://oauth2.googleapis.com/token|/responses/oauth2_googleapis_token.json'
+      --map-local '|https://fcm.googleapis.com/v1/projects/*|/responses/fcm_push.json'
     networks:
       no-internet:
         ipv4_address: 172.28.0.3
       internet:
-    container_name: nginx-forward-proxy
+    container_name: mitmdump
     volumes:
-      - ./nginx.conf:/usr/local/nginx/conf/nginx.conf:ro
+      - ./out:/out:Z
+      - ./mitmproxy:/home/mitmproxy/.mitmproxy:z
+      - ./responses:/responses:ro
     ports:
       - 8080:8080
 

scripts-dev/proxy-test/nginx.conf

@@ -0,0 +1 @@
+{}

scripts-dev/proxy-test/proxy.conf

@@ -0,0 +1 @@
+{"access_token": "DUMMY_ACCESS_TOKEN", "refresh_token": "DUMMY_REFRESH_TOKEN", "expires_in": 86400}