Improve SSL mode testing (#913)
nyurik authored Oct 1, 2023
1 parent ae8e070 commit 64d652f
Showing 6 changed files with 191 additions and 65 deletions.
142 changes: 98 additions & 44 deletions .github/workflows/ci.yml
Expand Up @@ -24,7 +24,68 @@ defaults:
shell: bash

jobs:
docker:
lint-debug-test:
name: Lint and Unit test
runs-on: ubuntu-latest
env:
PGDATABASE: test
PGHOST: localhost
PGUSER: postgres
PGPASSWORD: postgres
services:
postgres:
image: postgis/postgis:16-3.4
ports:
# will assign a random free host port
- 5432/tcp
# Sadly there is currently no way to pass arguments to the service image other than this hack
# See also https://stackoverflow.com/a/62720566/177275
options: >-
-e POSTGRES_DB=test
-e POSTGRES_USER=postgres
-e POSTGRES_PASSWORD=postgres
-e PGDATABASE=test
-e PGUSER=postgres
-e PGPASSWORD=postgres
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
--entrypoint sh
postgis/postgis:16-3.4
-c "exec docker-entrypoint.sh postgres -c ssl=on -c ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -c ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key"
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Rust Versions
run: rustc --version && cargo --version
- uses: Swatinem/rust-cache@v2
if: github.event_name != 'release' && github.event_name != 'workflow_dispatch'
- run: cargo fmt --all -- --check
- run: cargo clippy --package martin-tile-utils -- -D warnings
- run: cargo clippy --package martin-mbtiles --no-default-features -- -D warnings
- run: cargo clippy --package martin-mbtiles -- -D warnings
- run: cargo clippy --package martin -- -D warnings
- run: cargo clippy --package martin --features bless-tests -- -D warnings
- run: cargo doc --no-deps --workspace
env:
RUSTDOCFLAGS: "-D warnings"
- name: Init database
run: tests/fixtures/initdb.sh
env:
PGPORT: ${{ job.services.postgres.ports[5432] }}
- name: Run cargo test
run: |
set -x
cargo test --package martin-tile-utils
cargo test --package martin-mbtiles --no-default-features
cargo test --package martin-mbtiles
cargo test --package martin
cargo test --doc
env:
DATABASE_URL: postgres://${{ env.PGUSER }}:${{ env.PGUSER }}@${{ env.PGHOST }}:${{ job.services.postgres.ports[5432] }}/${{ env.PGDATABASE }}?sslmode=require

docker-build-test:
name: Build and test docker images
runs-on: ubuntu-latest
env:
Expand All @@ -39,10 +100,7 @@ jobs:
postgres:
image: postgis/postgis:15-3.3
ports:
# will assign a random free host port
- 5432/tcp
# Sadly there is currently no way to pass arguments to the service image other than this hack
# See also https://stackoverflow.com/a/62720566/177275
options: >-
-e POSTGRES_DB=test
-e POSTGRES_USER=postgres
Expand All @@ -68,7 +126,7 @@ jobs:
# Install latest cross version from git (disabled as it is probably less stable)
# cargo install cross --git https://github.com/cross-rs/cross
cross --version
- name: Setup database
- name: Init database
run: tests/fixtures/initdb.sh
env:
PGPORT: ${{ job.services.postgres.ports[5432] }}
Expand Down Expand Up @@ -207,19 +265,10 @@ jobs:
run: rustc --version && cargo --version
- uses: Swatinem/rust-cache@v2
if: github.event_name != 'release' && github.event_name != 'workflow_dispatch'
- name: Lint (Linux)
if: matrix.target == 'x86_64-unknown-linux-gnu'
run: |
set -x
cargo fmt --all -- --check
cargo clippy --package martin-tile-utils -- -D warnings
cargo clippy --package martin-mbtiles --no-default-features -- -D warnings
cargo clippy --package martin-mbtiles -- -D warnings
cargo clippy --package martin -- -D warnings
cargo clippy --package martin --features bless-tests -- -D warnings
- name: Build (.deb)
if: matrix.target == 'debian-x86_64'
run: |
set -x
sudo apt-get install -y dpkg dpkg-dev liblzma-dev
cargo install cargo-deb
cargo deb -v -p martin --output target/debian/debian-x86_64.deb
Expand All @@ -233,7 +282,6 @@ jobs:
export RUSTFLAGS='-C strip=debuginfo'
cargo build --release --target ${{ matrix.target }} --package martin-mbtiles
cargo build --release --target ${{ matrix.target }} --package martin
mkdir -p target_releases
mv target/${{ matrix.target }}/release/mbtiles${{ matrix.ext }} target_releases/
mv target/${{ matrix.target }}/release/martin${{ matrix.ext }} target_releases/
Expand All @@ -243,8 +291,8 @@ jobs:
name: build-${{ matrix.target }}
path: target_releases/*

test:
name: Test ${{ matrix.target }}
test-multi-os:
name: Test on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
needs: [ build ]
strategy:
Expand Down Expand Up @@ -279,19 +327,6 @@ jobs:
tests/fixtures/initdb.sh
env:
DATABASE_URL: ${{ steps.pg.outputs.connection-uri }}
- name: Unit Tests (Linux)
if: matrix.target == 'x86_64-unknown-linux-gnu'
run: |
set -x
cargo test --package martin-tile-utils
cargo test --package martin-mbtiles --no-default-features
cargo test --package martin-mbtiles
cargo test --package martin
cargo test --doc
RUSTDOCFLAGS="-D warnings" cargo doc --no-deps --workspace
cargo clean
env:
DATABASE_URL: ${{ steps.pg.outputs.connection-uri }}
- name: Download build artifact build-${{ matrix.target }}
uses: actions/download-artifact@v3
with:
Expand Down Expand Up @@ -337,39 +372,44 @@ jobs:
path: tests/output/*
retention-days: 5

test-legacy:
name: Test Legacy DB
test-with-svc:
name: Test postgis:${{ matrix.img_ver }} sslmode=${{ matrix.sslmode }}
runs-on: ubuntu-latest
needs: [ build ]
strategy:
fail-fast: true
matrix:
include:
# These must match the versions of postgres used in the docker-compose.yml
- image: postgis/postgis:11-3.0-alpine
- img_ver: 11-3.0-alpine
args: postgres
sslmode: disable
- image: postgis/postgis:14-3.3-alpine
- img_ver: 14-3.3-alpine
args: postgres
sslmode: disable
# alpine images don't support SSL, so for this we use the debian images
- image: postgis/postgis:15-3.3
- img_ver: 15-3.3
args: postgres -c ssl=on -c ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -c ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
sslmode: require
#
# FIXME!
# DISABLED because Rustls fails to validate name (CN?) with the NotValidForName error
#- img_ver: 15-3.3
# args: postgres -c ssl=on -c ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -c ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# sslmode: verify-ca
#- img_ver: 15-3.3
# args: postgres -c ssl=on -c ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -c ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# sslmode: verify-full
env:
# PG_* variables are used by psql
PGDATABASE: test
PGHOST: localhost
PGUSER: postgres
PGPASSWORD: postgres
services:
postgres:
image: ${{ matrix.image }}
image: postgis/postgis:${{ matrix.img_ver }}
ports:
# will assign a random free host port
- 5432/tcp
# Sadly there is currently no way to pass arguments to the service image other than this hack
# See also https://stackoverflow.com/a/62720566/177275
options: >-
-e POSTGRES_DB=test
-e POSTGRES_USER=postgres
Expand All @@ -382,24 +422,34 @@ jobs:
--health-timeout 5s
--health-retries 5
--entrypoint sh
${{ matrix.image }}
postgis/postgis:${{ matrix.img_ver }}
-c "exec docker-entrypoint.sh ${{ matrix.args }}"
steps:
- name: Checkout sources
uses: actions/checkout@v4
- uses: Swatinem/rust-cache@v2
if: github.event_name != 'release' && github.event_name != 'workflow_dispatch'
- name: Setup database
- name: Init database
run: tests/fixtures/initdb.sh
env:
PGPORT: ${{ job.services.postgres.ports[5432] }}
- name: Get DB SSL cert (sslmode=verify-*)
if: matrix.sslmode == 'verify-ca' || matrix.sslmode == 'verify-full'
run: |
set -x
mkdir -p target/certs
docker cp ${{ job.services.postgres.id }}:/etc/ssl/certs/ssl-cert-snakeoil.pem target/certs/server.crt
docker cp ${{ job.services.postgres.id }}:/etc/ssl/private/ssl-cert-snakeoil.key target/certs/server.key
- name: Download build artifact build-x86_64-unknown-linux-gnu
uses: actions/download-artifact@v3
with:
name: build-x86_64-unknown-linux-gnu
path: target_releases/
- name: Integration Tests
run: |
if [[ "${{ matrix.sslmode }}" == "verify-ca" || "${{ matrix.sslmode }}" == "verify-full" ]]; then
export PGSSLROOTCERT=target/certs/server.crt
fi
export MARTIN_BUILD=-
export MARTIN_BIN=target_releases/martin
export MBTILES_BUILD=-
Expand All @@ -417,6 +467,9 @@ jobs:
- name: Tests Debian package
run: |
sudo dpkg -i target_releases/debian-x86_64.deb
if [[ "${{ matrix.sslmode }}" == "verify-ca" || "${{ matrix.sslmode }}" == "verify-full" ]]; then
export PGSSLROOTCERT=target/certs/server.crt
fi
export MARTIN_BUILD=-
export MARTIN_BIN=/usr/bin/martin
export MBTILES_BUILD=-
Expand All @@ -427,6 +480,7 @@ jobs:
env:
DATABASE_URL: postgres://${{ env.PGUSER }}:${{ env.PGUSER }}@${{ env.PGHOST }}:${{ job.services.postgres.ports[5432] }}/${{ env.PGDATABASE }}?sslmode=${{ matrix.sslmode }}
- name: Unit Tests
if: matrix.sslmode != 'verify-ca' && matrix.sslmode != 'verify-full'
run: |
echo "Running unit tests, connecting to DATABASE_URL=$DATABASE_URL"
echo "Same but as base64 to prevent GitHub obfuscation (this is not a secret):"
Expand All @@ -447,7 +501,7 @@ jobs:
package:
name: Package ${{ matrix.target }}
runs-on: ${{ matrix.os }}
needs: [ docker, test, test-legacy ]
needs: [ lint-debug-test, docker-build-test, test-multi-os, test-with-svc ]
strategy:
fail-fast: true
matrix:
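Review bot: The new `lint-debug-test` job builds `DATABASE_URL` with `${{ env.PGUSER }}` in both the user and the password position, so the connection succeeds only because user name and password are both `postgres`; the password part should be `${{ env.PGPASSWORD }}`. The `DATABASE_URL` in the `test-with-svc` job uses the same expression and needs the same change. Separately, the `Get DB SSL cert` step copies `ssl-cert-snakeoil.key` into `target/certs/server.key`, but the visible lines only ever reference `server.crt` (as `PGSSLROOTCERT`), so the key copy can be dropped to keep a private key out of the workspace once the `verify-*` entries are re-enabled. With `verify-ca` and `verify-full` commented out, the only TLS mode exercised is `sslmode=require`, which in libpq semantics encrypts without validating the server certificate, so certificate validation is currently untested.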
28 changes: 14 additions & 14 deletions Cargo.lock


28 changes: 28 additions & 0 deletions docker-compose.yml
Expand Up @@ -75,6 +75,34 @@ services:
- ./tests/fixtures/initdb-dc-ssl.sh:/docker-entrypoint-initdb.d/10_martin.sh
- ./tests/fixtures/initdb-dc.sh:/docker-entrypoint-initdb.d/20_martin.sh

db-ssl-cert:
# This should match the version of postgres used in the CI workflow
image: postgis/postgis:15-3.3
command:
- "postgres"
- "-c"
- "ssl=on"
- "-c"
- "ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem"
- "-c"
- "ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key"
restart: unless-stopped
ports:
- "${PGPORT:-5411}:5432"
environment:
# POSTGRES_* variables are used by the postgis/postgres image
# PG_* variables are used by psql
- POSTGRES_DB=db
- POSTGRES_USER=postgres
- POSTGRES_PASSWORD=postgres
- PGDATABASE=db
- PGUSER=postgres
- PGPASSWORD=postgres
volumes:
- ./tests/fixtures:/fixtures
- ./tests/fixtures/initdb-dc-ssl-cert.sh:/docker-entrypoint-initdb.d/10_martin.sh
- ./tests/fixtures/initdb-dc.sh:/docker-entrypoint-initdb.d/20_martin.sh

db-legacy:
# This should match the version of postgres used in the CI workflow
image: postgis/postgis:11-3.0-alpine
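Review bot: The new `db-ssl-cert` service publishes `"${PGPORT:-5411}:5432"` without a host address, so Docker binds the port on all interfaces while the database runs with the fixed `postgres`/`postgres` credentials, and `restart: unless-stopped` keeps it up across daemon restarts. For a local test fixture, binding to loopback is the safer default: `- "127.0.0.1:${PGPORT:-5411}:5432"`. The other services in this file lie mostly outside the hunk and may follow the same pattern, in which case the same change would apply to them.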