Hypercorn HTTP/2 Testing (#1248)

* Move testing cert to testing_support directory

* Add dependencies for hypercorn http2/3 testing

* Add HTTP/2 tests for Hypercorn

* Add generic HTTP/2 and 3 request function based on niquests

* Fix missing fixtures in port fixture

* Clean up testing file

* Linting

* Change HTTP/3 requests to use preset quic_cache

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

Author: TimPansino

tests/adapter_hypercorn/test_hypercorn.py

@@ -15,14 +15,16 @@
 import asyncio
 import threading
 import time
-from urllib.request import HTTPError, urlopen
 
+import niquests
 import pytest
+from testing_support.certs import CERT_PATH
 from testing_support.fixtures import (
     override_application_settings,
     raise_background_exceptions,
     wait_for_background_threads,
 )
+from testing_support.http_23_testing import make_request
 from testing_support.sample_asgi_applications import (
     AppWithCall,
     AppWithCallRaw,
@@ -97,7 +99,9 @@ async def shutdown_trigger():
 
         config = hypercorn.config.Config.from_mapping(
             {
-                "bind": [f"127.0.0.1:{port}"],
+                "bind": [f"localhost:{port}"],
+                "certfile": CERT_PATH,
+                "keyfile": CERT_PATH,
             }
         )
 
@@ -123,7 +127,7 @@ def wait_for_port(port, retries=10):
     status = None
     for _ in range(retries):
         try:
-            status = urlopen(f"http://localhost:{port}/ignored", timeout=1).status  # nosec
+            status = make_request(host="localhost", port=port, path="/ignored", timeout=1).status_code
             assert status == 200
             return
         except Exception as e:
@@ -134,8 +138,9 @@ def wait_for_port(port, retries=10):
     raise RuntimeError(f"Failed to wait for port {port}. Got status {status}")
 
 
+@pytest.mark.parametrize("http_version", [1, 2], ids=["HTTP/1", "HTTP/2"])
 @override_application_settings({"transaction_name.naming_scheme": "framework"})
-def test_hypercorn_200(port, app):
+def test_hypercorn_200(port, app, http_version):
     hypercorn_version = get_package_version("hypercorn")
 
     @validate_transaction_metrics(
@@ -147,19 +152,20 @@ def test_hypercorn_200(port, app):
     @raise_background_exceptions()
     @wait_for_background_threads()
     def response():
-        return urlopen(f"http://localhost:{port}", timeout=10)  # nosec
+        return make_request(host="localhost", port=port, path="/", http_version=http_version, timeout=10)
 
-    assert response().status == 200
+    response().raise_for_status()
 
 
+@pytest.mark.parametrize("http_version", [1, 2], ids=["HTTP/1", "HTTP/2"])
 @override_application_settings({"transaction_name.naming_scheme": "framework"})
-def test_hypercorn_500(port, app):
+def test_hypercorn_500(port, app, http_version):
     @validate_transaction_errors(["builtins:ValueError"])
     @validate_transaction_metrics(callable_name(app))
     @raise_background_exceptions()
     @wait_for_background_threads()
     def _test():
-        with pytest.raises(HTTPError):
-            urlopen(f"http://localhost:{port}/exc")  # nosec
+        with pytest.raises(niquests.exceptions.HTTPError):
+            make_request(host="localhost", port=port, path="/exc", http_version=http_version, timeout=10)
 
     _test()

tests/agent_unittests/test_http_client.py

@@ -17,12 +17,11 @@
 import os.path
 import ssl
 import zlib
-
+from http.server import BaseHTTPRequestHandler, HTTPServer
 from io import StringIO
 
 import pytest
-
-from http.server import BaseHTTPRequestHandler, HTTPServer
+from testing_support.certs import CERT_PATH
 from testing_support.mock_external_http_server import MockExternalHTTPServer
 
 from newrelic.common import certs
@@ -41,9 +40,6 @@
 from newrelic.packages.urllib3.util import Url
 
 
-SERVER_CERT = os.path.join(os.path.dirname(__file__), "cert.pem")
-
-
 def echo_full_request(self):
     self.server.connections.append(self.connection)
     request_line = str(self.requestline).encode("utf-8")
@@ -100,7 +96,7 @@ def __init__(self, *args, **kwargs):
         super(SecureServer, self).__init__(*args, **kwargs)
         try:
             self.context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-            self.context.load_cert_chain(certfile=SERVER_CERT, keyfile=SERVER_CERT)
+            self.context.load_cert_chain(certfile=CERT_PATH, keyfile=CERT_PATH)
             self.httpd.socket = self.context.wrap_socket(
                 sock=self.httpd.socket,
                 server_side=True,
@@ -110,8 +106,8 @@ def __init__(self, *args, **kwargs):
             self.httpd.socket = ssl.wrap_socket(
                 self.httpd.socket,
                 server_side=True,
-                keyfile=SERVER_CERT,
-                certfile=SERVER_CERT,
+                keyfile=CERT_PATH,
+                certfile=CERT_PATH,
                 do_handshake_on_connect=False,
             )
 
@@ -310,7 +306,7 @@ def test_http_payload_compression(server, client_cls, method, threshold):
         ]
         assert internal_metrics["Supportability/Python/Collector/Output/Bytes"][:2] == [
             2,
-            len(payload)*2,
+            len(payload) * 2,
         ]
 
         if threshold < 20:
@@ -320,7 +316,7 @@ def test_http_payload_compression(server, client_cls, method, threshold):
 
             # Verify the compressed payload length is recorded
             assert internal_metrics["Supportability/Python/Collector/method1/ZLIB/Bytes"][:2] == [1, payload_byte_len]
-            assert internal_metrics["Supportability/Python/Collector/ZLIB/Bytes"][:2] == [2, payload_byte_len*2]
+            assert internal_metrics["Supportability/Python/Collector/ZLIB/Bytes"][:2] == [2, payload_byte_len * 2]
 
             assert len(internal_metrics) == 8
         else:
@@ -354,7 +350,7 @@ def test_http_payload_compression(server, client_cls, method, threshold):
 
 
 def test_cert_path(server):
-    with HttpClient("localhost", server.port, ca_bundle_path=SERVER_CERT) as client:
+    with HttpClient("localhost", server.port, ca_bundle_path=CERT_PATH) as client:
         status, data = client.send_request()
 
 
@@ -367,7 +363,7 @@ def test_default_cert_path(monkeypatch, system_certs_available):
         cert_file = None
         ca_path = None
 
-    class DefaultVerifyPaths():
+    class DefaultVerifyPaths:
         cafile = cert_file
         capath = ca_path
 

tests/testing_support/certs/__init__.py

@@ -0,0 +1,17 @@
+# Copyright 2010 New Relic, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+CERT_PATH = os.path.join(os.path.dirname(__file__), "cert.pem")

tests/testing_support/certs/cert.pem

@@ -0,0 +1,51 @@
+This is not a secret key!
+This private key is used only for testing and is not functionally used in the agent.
+To generate a new key and certificate, use the following.
+openssl req -nodes -newkey rsa:2048 -x509 -keyout key.pem -out cert.pem -subj '/CN=localhost' -days 3650
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYF0U/0zXikonW
+Ez532avkDL1QbQ8Yz5ULMwZz8j+cLEhdw/4pQJ7Dox6KEZbsan1nZZqpcZWT0d39
+aY/AQ9udwZT+G4biRCQQHd3IaYdveDuq/MQXEiDmcs1CpCwyWjmfRnjCm2/c8wdW
+JCBaRq1hG/hsZ5UKhJxIA9BUl3qPizr7qU/VwNK8+8QQ28EsnUrkLDPL2x1fkIzy
+XR89d/NO97a02YV7WwEf8GH9gB0KLhIZzDDh/BM3olHc1BRlaqkATcuxPbWqKH53
+HqL5Wi9O8Pxe9OSBXbAOSlBhmRRUVFx4siRNV+Bkv3VOBCUtk2/5SQwJdxfkICbP
+0YlrBPqFAgMBAAECggEBAKzbiJiy0xMIl9w4jqr+4+LMUhBo/T+iph5MVeggK8Q5
+JDZllwXW3GmxLbfStEEwOlqgy2SqKLYTlpmlfMmXPrHmbdILoQ2U5qhBy+0Khb2k
+l06DXjT6Wnkd8pZRj81DoX6IuAcsogJEImVFBuBQU1cwMbw969p7FC0DZ/6TIgZ6
+KHvm5Z43uy/wcbHFa2PoMaVvyutKun1po3NG90FlVMJmQYiph2V4/kxcZo8wWXU2
+hE8cbL2g1pv60ZF3wZTWWhnSZTRB2uesW0opNmpwcqqQjQOczJ91y8B4BIjy1QTD
+ICxUO9pEtOexNi3/JnzreByHxQt5g7wINbYxFk8MR40CgYEA751xj/B6jut3NMmr
+bTLngjE1IAjv/8xEXKhfDAp6fgyU+ATbD8ysIllkch/k2Q0boiIB+XoQ/+KqB/pC
+iGw6cGtY3ZF75u/NokHMhQVtHIu3CDbNYSCCtLekG3osXfZaaD4QJVHSrgBYkmez
+Ty7my+Sub+uqizz4fK2DUmBpDyMCgYEA5t4HJRgCRQzz340ou+H63QoN5P1x5FlP
+M8QpklclpU+dOJsbvmcHzbZJgvuZb6Vt18LuUYLWGeVRrpvUVCapJecklbnNF3wL
+YIehBDIiJd2Qq8rbg+yKjNTElbaDWJP+RqPX8IGfvGr23Lsw34vDj/d7N9Ch6xm5
+XChbVCi6/jcCgYB0RhhnWrB+TfDIotwW307MNIitBOlBXaQGuoV02FjcdcqMF/8d
+SZp2CJ7fam6ojN3N7Wa74uoA4cLUoDJM9QfeqZiz2/cd91v30qomGp357iphSAad
+jSMgAsUVuFFzPypbz1ISagQr/2r7kGrIj9/bLRsgoGFfs7R4+9Hv1WzltQKBgEof
+BKo7IBdtRisC1g4kSneHD9jyKgvHRK95DmPGiPafLfoLiofB6nZ4TPe5sZRvx2lb
+U0pmODkOMABgVXZDB1F8+Xj8s0UT9U8jnGWNdvszPIx7T6j2W7FFamwqsdbRhPTH
+C8BSzacfrGxHyTQsWjgxm6Ta3fFuS92zs0a84PRXAoGANEm47fczWIdWR0SmuEoL
+gIGLBi8b2nKZWIeATNwTyWWvD/jEJJXIdjXYxYMK3iG0CCXIColvfoqzEKfNCkz4
+p5wl5yH6EOI+QVISNq7ovrtgLXpUUPPXA/FjYk74e5ITAd5Ute3nB32bX0jPQCGN
+cXIVO2dC+mN517lRVQyF/GQ=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUbytSUISOZeaoqVCzd/zLDhQgZ1owDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIxMDMwMzAxMzY1MloXDTMxMDMw
+MTAxMzY1MlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA2BdFP9M14pKJ1hM+d9mr5Ay9UG0PGM+VCzMGc/I/nCxI
+XcP+KUCew6MeihGW7Gp9Z2WaqXGVk9Hd/WmPwEPbncGU/huG4kQkEB3dyGmHb3g7
+qvzEFxIg5nLNQqQsMlo5n0Z4wptv3PMHViQgWkatYRv4bGeVCoScSAPQVJd6j4s6
++6lP1cDSvPvEENvBLJ1K5Cwzy9sdX5CM8l0fPXfzTve2tNmFe1sBH/Bh/YAdCi4S
+Gcww4fwTN6JR3NQUZWqpAE3LsT21qih+dx6i+VovTvD8XvTkgV2wDkpQYZkUVFRc
+eLIkTVfgZL91TgQlLZNv+UkMCXcX5CAmz9GJawT6hQIDAQABo1MwUTAdBgNVHQ4E
+FgQUiC/0q2fQCAYC01Opw5iDBfhLNPQwHwYDVR0jBBgwFoAUiC/0q2fQCAYC01Op
+w5iDBfhLNPQwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAaxSo
+gJh6X/ywmT3BXcS15MlAXufMm3uybVbMZjPszZ+vIPF65oelAbSnw/+JHp77fF7F
+Erv19MGY8IlMEeUf9agXRF6JNVJD7N3i3zE/2GXoer9UOHQqz5/WWs4F17FAmZW8
+YkzMA70GVa20RedIMreEUxxIyN2eUL8xLfs3E9DEYovOldKfC0Ie1BHFMBhp1tja
+6Ag91xyPqP9Pw9ofgS0DoYq6m2ltDNXLoWep1yi1OTwiTvI+GD6JJhmWbCjK0ofA
+IkJENYq5tKA6yvQ2Roi9o6oixDJP/SGQtUKPGGRoFcN9gqn+IVC2XmvxHzTOxUWr
+/FMyhRqe1k81s3T2hg==
+-----END CERTIFICATE-----

tests/testing_support/http_23_testing.py

@@ -0,0 +1,56 @@
+# Copyright 2010 New Relic, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import niquests
+
+VALID_HTTP_VERSIONS = frozenset((None, 1, 2, 3))
+INVALID_HTTP_INPUT_WARNING = "Invalid HTTP version. Expected an integer (1, 2, or 3) or None for no specific version."
+INVALID_HTTP_VERSION_USED_WARNING = "Incorrect HTTP version used: {}"
+
+def make_request(host, port, path="", method="GET", body=None, http_version=None, timeout=10):
+    assert http_version in VALID_HTTP_VERSIONS, INVALID_HTTP_INPUT_WARNING
+
+    # Disable other HTTP connection types
+    session_kwargs = {}
+    if http_version == 1:
+        session_kwargs["disable_http2"] = True
+        session_kwargs["disable_http3"] = True
+    elif http_version == 2:
+        session_kwargs["disable_http1"] = True
+        session_kwargs["disable_http3"] = True
+    elif http_version == 3:
+        # HTTP/1.1 must remain enabled to allow the session to open
+        session_kwargs["disable_http2"] = True
+
+    # Create session
+    with niquests.Session(**session_kwargs) as session:
+        session.verify = False  # Disable SSL verification
+        if http_version == 3:
+            # Preset quic cache to enable HTTP/3 connections
+            session.quic_cache_layer[(host, port)] = ("", port)
+
+        # Send Request
+        response = session.request(method.upper(), f"https://{host}:{port}{path}", data=body, timeout=timeout)
+        response.ok  # Ensure response is completed
+        response.raise_for_status()  # Check response status code
+
+        # Check HTTP version used was correct
+        if http_version == 1:
+            assert response.http_version in {10, 11}, INVALID_HTTP_VERSION_USED_WARNING.format(response.http_version)
+        elif http_version == 2:
+            assert response.http_version == 20, INVALID_HTTP_VERSION_USED_WARNING.format(response.http_version)
+        elif http_version == 3:
+            assert response.http_version == 30, INVALID_HTTP_VERSION_USED_WARNING.format(response.http_version)
+
+        return response

tox.ini

@@ -206,11 +206,12 @@ deps =
     adapter_gunicorn-aiohttp03-py312: aiohttp==3.9.0rc0
     adapter_gunicorn-gunicorn19: gunicorn<20
     adapter_gunicorn-gunicornlatest: gunicorn
-    adapter_hypercorn-hypercornlatest: hypercorn
-    adapter_hypercorn-hypercorn0013: hypercorn<0.14
-    adapter_hypercorn-hypercorn0012: hypercorn<0.13
-    adapter_hypercorn-hypercorn0011: hypercorn<0.12
-    adapter_hypercorn-hypercorn0010: hypercorn<0.11
+    adapter_hypercorn-hypercornlatest: hypercorn[h3]
+    adapter_hypercorn-hypercorn0013: hypercorn[h3]<0.14
+    adapter_hypercorn-hypercorn0012: hypercorn[h3]<0.13
+    adapter_hypercorn-hypercorn0011: hypercorn[h3]<0.12
+    adapter_hypercorn-hypercorn0010: hypercorn[h3]<0.11
+    adapter_hypercorn: niquests
     adapter_uvicorn-uvicorn014: uvicorn<0.15
     adapter_uvicorn-uvicornlatest: uvicorn
     adapter_uvicorn: typing-extensions