From ebc5ab3cdac69fe33a9baf7ba28de59757d51e66 Mon Sep 17 00:00:00 2001
From: Antonio Aversa
Date: Thu, 28 Nov 2024 12:33:23 +0100
Subject: [PATCH] QA test for curl redirect
---
 .github/qa-nginx-redirecting/compose.yml | 13 ++++
 .github/qa-nginx-redirecting/nginx.conf | 32 ++++++++++
 .github/qa-sq-behind-ngix/nginx.conf | 11 ----
 .github/workflows/qa.yml | 81 ++++++++++++++++++++++++
 4 files changed, 126 insertions(+), 11 deletions(-)
 create mode 100644 .github/qa-nginx-redirecting/compose.yml
 create mode 100644 .github/qa-nginx-redirecting/nginx.conf
diff --git a/.github/qa-nginx-redirecting/compose.yml b/.github/qa-nginx-redirecting/compose.yml
new file mode 100644
index 0000000..1b2a919
--- /dev/null
+++ b/.github/qa-nginx-redirecting/compose.yml
@@ -0,0 +1,13 @@
+services:
+ https-proxy:
+ image: nginx
+ ports:
+ - 8080:8080
+ volumes:
+ - $GITHUB_WORKSPACE/.github/qa-nginx-redirecting/nginx.conf:/etc/nginx/nginx.conf:ro
+ healthcheck:
+ test: ["CMD", "curl", "--fail", "localhost:8080/health"]
+ interval: 10s
+ timeout: 5s
+ retries: 20
+ start_period: 2m
\ No newline at end of file
diff --git a/.github/qa-nginx-redirecting/nginx.conf b/.github/qa-nginx-redirecting/nginx.conf
new file mode 100644
index 0000000..d1df2e6
--- /dev/null
+++ b/.github/qa-nginx-redirecting/nginx.conf
@@ -0,0 +1,32 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+
+ keepalive_timeout 65;
+
+ include /etc/nginx/conf.d/*.conf;
+
+ server {
+ listen 8080;
+
+ location /health {
+ add_header 'Content-Type' 'text/plain';
+ return 200 "healthy\n";
+ }
+
+ location ~ /clientRedirectToSonarBinaries/(.*) {
+ return 301 "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/$1";
+ }
+ }
+}
diff --git a/.github/qa-sq-behind-ngix/nginx.conf b/.github/qa-sq-behind-ngix/nginx.conf
index fd588d6..893ac04 100644
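Review bot: `image: nginx` in the compose.yml hunk is unpinned, so this QA job pulls whatever `nginx:latest` resolves to on the day it runs, and any change in that image (for example to the `curl` binary the healthcheck shells out to) would break or silently alter the fixture; pin it with a tag or digest, e.g. `image: nginx:<pinned tag or @sha256 digest>`. The file also ends without a trailing newline (`\ No newline at end of file`), which compose tolerates but most YAML tooling flags. The service is named `https-proxy` although the accompanying nginx.conf only listens on plain HTTP port 8080 and terminates no TLS; a name such as `http-redirector` would describe what it actually does.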
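Review bot: The regex location at the end of the nginx.conf hunk, `location ~ /clientRedirectToSonarBinaries/(.*) {`, is unanchored, so any URI containing that segment anywhere in its path matches and the greedy capture becomes the redirect path; anchoring it, `location ~ ^/clientRedirectToSonarBinaries/(.*)$ {`, keeps the fixture's behaviour as narrow as its name suggests. The file carries no explanation of its purpose, so a header comment would help the next reader: `# QA fixture: answers /clientRedirectToSonarBinaries/<file> with a 301 to the real distribution URL so the action's download client is exercised against a redirect.` The 301 target is fixed to binaries.sonarsource.com with only the captured path appended, so this is not an open redirect, but that is worth stating in the same comment.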
--- a/.github/qa-sq-behind-ngix/nginx.conf
+++ b/.github/qa-sq-behind-ngix/nginx.conf
@@ -2,7 +2,6 @@ user nginx; worker_processes auto; error_log /var/log/nginx/error.log notice; -pid /var/run/nginx.pid; events { worker_connections 1024;
@@ -12,12 +11,6 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - sendfile on; keepalive_timeout 65;
@@ -28,7 +21,6 @@ http { listen 8080; location /health { - access_log off; add_header 'Content-Type' 'text/plain'; return 200 "healthy\n"; }
@@ -40,9 +32,6 @@ http { ssl_protocols TLSv1.1 TLSv1.2; ssl_certificate /etc/nginx/server.crt; ssl_certificate_key /etc/nginx/server.key; - - access_log /var/log/nginx/localhost; - error_log /var/log/nginx/localhost.error debug; location / { proxy_pass http://sonarqube:9000;
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index d06fb58..bd375c1 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
@@ -116,6 +116,56 @@ jobs:
 - name: Assert Sonar Scanner CLI was not executed
 run: |
 ./test/assertFileDoesntExist ./output.properties
+ scannerBinariesUrlIsEscapedWithWget:
+ name: >
+ 'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run action with scannerBinariesUrl
+ id: runTest
+ uses: ./
+ continue-on-error: true
+ with:
+ scannerBinariesUrl: 'http://some_uri;touch file.txt;'
+ env:
+ NO_CACHE: true
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
+ - name: Assert file.txt does not exist
+ run: |
+ ./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
+ scannerBinariesUrlIsEscapedWithCurl:
+ name: >
+ 'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Remove wget
+ run: sudo apt-get remove -y wget
+ - name: Assert wget is not available
+ run: |
+ if command -v wget 2>&1 >/dev/null
+ then
+ exit 1
+ fi
+ - name: Run action with scannerBinariesUrl
+ id: runTest
+ uses: ./
+ continue-on-error: true
+ with:
+ scannerBinariesUrl: 'http://some_uri http://another_uri''; touch file.txt;'
+ env:
+ NO_CACHE: true
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
+ - name: Assert file.txt does not exist
+ run: |
+ ./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
 dontFailGradleTest:
 name: >
 Don't fail on Gradle project
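Review bot: Both new jobs assert only that `$RUNNER_TEMP/sonarscanner/file.txt` does not exist, which passes vacuously if the download command happens to run from a different working directory, so on its own the check proves little; the workflow already uses the pattern `- name: Assert failure of previous step` / `if: steps.runTest.outcome == 'success'` / `run: exit 1` in a later job, and adding it after each `Run action with scannerBinariesUrl` step (both have `continue-on-error: true` and `id: runTest`) pins the expected outcome for a malformed URL as well. The `Assert wget is not available` step in the curl job uses `command -v wget 2>&1 >/dev/null`, which routes stderr to the original stdout and only then silences stdout; only the exit status matters here, but the conventional `command -v wget >/dev/null 2>&1` avoids the confusion, and the same line recurs in the curlPerformsRedirect hunk further down. The wget job's name claims wget is the client under test, yet nothing in that job verifies wget rather than curl was used on ubuntu-latest, where both are installed; presumably the action prefers wget when present, and a one-line comment stating that assumption above `scannerBinariesUrlIsEscapedWithWget:` would make the pair of jobs self-explanatory.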
@@ -376,6 +426,37 @@ jobs:
 - name: Assert failure of previous step
 if: steps.runTest.outcome == 'success'
 run: exit 1
+ curlPerformsRedirect:
+ name: >
+ curl performs redirect when scannerBinariesUrl returns 3xx
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Remove wget
+ run: sudo apt-get remove -y wget
+ - name: Assert wget is not available
+ run: |
+ if command -v wget 2>&1 >/dev/null
+ then
+ exit 1
+ fi
+ - name: Start nginx via Docker Compose
+ run: docker compose up -d --wait
+ working-directory: .github/qa-nginx-redirecting
+ - name: Run action with scannerBinariesUrl
+ id: runTest
+ uses: ./
+ with:
+ scannerBinariesUrl: http://localhost:8080/clientRedirectToSonarBinaries
+ env:
+ NO_CACHE: true
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
+ - name: Assert Sonar Scanner CLI was downloaded
+ run: |
+ ./test/assertFileExists "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.2.1.4610-linux-x64.zip"
 useSslCertificate:
 name: >
 'SONAR_ROOT_CERT' is converted to truststore
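Review bot: The final assertion in the curlPerformsRedirect job hardcodes `sonar-scanner-cli-6.2.1.4610-linux-x64.zip`, so the test will fail on every scanner version bump rather than on a redirect regression; if the action exposes its default scanner version (an output or a variable shared by this workflow), the step should derive the file name from it, and otherwise a comment `# keep in sync with the action's default scanner version` above the `run: |` line at least makes the coupling visible. The job also never checks that a redirect actually took place: a step after the run that inspects `docker compose logs` for the fixture and asserts a 301 on a `/clientRedirectToSonarBinaries/` request would catch a client that ignored the 3xx yet still obtained the archive some other way, assuming the nginx image emits its access log to stdout as it normally does. The `scannerBinariesUrl:` value has no trailing slash while the fixture's regex requires a path after `/clientRedirectToSonarBinaries/`, so the job relies on the action appending the archive file name to the URL; that assumption deserves a comment on that line. The `command -v wget 2>&1 >/dev/null` redirection order raised on the earlier qa.yml hunk recurs here.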