refactor: proxy tests (#131)

* refactor: proxy tests

* ci: fix linter

Author: evgeniy-scherbina

proxy/proxy_framework_test.go

@@ -0,0 +1,182 @@
+package proxy
+
+import (
+	"crypto/tls"
+	"io"
+	"log/slog"
+	"net/http"
+	"os"
+	"os/user"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/coder/boundary/rulesengine"
+	boundary_tls "github.com/coder/boundary/tls"
+	"github.com/stretchr/testify/require"
+)
+
+// ProxyTest is a high-level test framework for proxy tests
+type ProxyTest struct {
+	t              *testing.T
+	server         *Server
+	client         *http.Client
+	port           int
+	useCertManager bool
+	configDir      string
+	startupDelay   time.Duration
+}
+
+// ProxyTestOption is a function that configures ProxyTest
+type ProxyTestOption func(*ProxyTest)
+
+// NewProxyTest creates a new ProxyTest instance
+func NewProxyTest(t *testing.T, opts ...ProxyTestOption) *ProxyTest {
+	pt := &ProxyTest{
+		t:              t,
+		port:           8080,
+		useCertManager: false,
+		configDir:      "/tmp/boundary",
+		startupDelay:   100 * time.Millisecond,
+	}
+
+	// Apply options
+	for _, opt := range opts {
+		opt(pt)
+	}
+
+	return pt
+}
+
+// WithProxyPort sets the proxy server port
+func WithProxyPort(port int) ProxyTestOption {
+	return func(pt *ProxyTest) {
+		pt.port = port
+	}
+}
+
+// WithCertManager enables TLS certificate manager
+func WithCertManager(configDir string) ProxyTestOption {
+	return func(pt *ProxyTest) {
+		pt.useCertManager = true
+		pt.configDir = configDir
+	}
+}
+
+// WithStartupDelay sets how long to wait after starting server before making requests
+func WithStartupDelay(delay time.Duration) ProxyTestOption {
+	return func(pt *ProxyTest) {
+		pt.startupDelay = delay
+	}
+}
+
+// Start starts the proxy server
+func (pt *ProxyTest) Start() *ProxyTest {
+	pt.t.Helper()
+
+	logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
+		Level: slog.LevelError,
+	}))
+
+	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
+	require.NoError(pt.t, err, "Failed to parse test rules")
+
+	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
+	auditor := &mockAuditor{}
+
+	var tlsConfig *tls.Config
+	if pt.useCertManager {
+		currentUser, err := user.Current()
+		require.NoError(pt.t, err, "Failed to get current user")
+
+		uid, _ := strconv.Atoi(currentUser.Uid)
+		gid, _ := strconv.Atoi(currentUser.Gid)
+
+		certManager, err := boundary_tls.NewCertificateManager(boundary_tls.Config{
+			Logger:    logger,
+			ConfigDir: pt.configDir,
+			Uid:       uid,
+			Gid:       gid,
+		})
+		require.NoError(pt.t, err, "Failed to create certificate manager")
+
+		tlsConfig, err = certManager.SetupTLSAndWriteCACert()
+		require.NoError(pt.t, err, "Failed to setup TLS")
+	} else {
+		tlsConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
+	}
+
+	pt.server = NewProxyServer(Config{
+		HTTPPort:   pt.port,
+		RuleEngine: ruleEngine,
+		Auditor:    auditor,
+		Logger:     logger,
+		TLSConfig:  tlsConfig,
+	})
+
+	err = pt.server.Start()
+	require.NoError(pt.t, err, "Failed to start server")
+
+	// Give server time to start
+	time.Sleep(pt.startupDelay)
+
+	// Create HTTP client
+	pt.client = &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true, // Skip cert verification for testing
+			},
+		},
+		Timeout: 5 * time.Second,
+	}
+
+	return pt
+}
+
+// Stop gracefully stops the proxy server
+func (pt *ProxyTest) Stop() {
+	if pt.server != nil {
+		err := pt.server.Stop()
+		if err != nil {
+			pt.t.Logf("Failed to stop proxy server: %v", err)
+		}
+	}
+}
+
+// ExpectAllowed makes a request through the proxy and expects it to be allowed with the given response body
+func (pt *ProxyTest) ExpectAllowed(proxyURL, hostHeader, expectedBody string) {
+	pt.t.Helper()
+
+	req, err := http.NewRequest("GET", proxyURL, nil)
+	require.NoError(pt.t, err, "Failed to create request")
+	req.Host = hostHeader
+
+	resp, err := pt.client.Do(req)
+	require.NoError(pt.t, err, "Failed to make request")
+	defer resp.Body.Close() //nolint:errcheck
+
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(pt.t, err, "Failed to read response body")
+
+	require.Equal(pt.t, expectedBody, string(body), "Expected response body does not match")
+}
+
+// ExpectAllowedContains makes a request through the proxy and expects it to be allowed, checking that response contains the given text
+func (pt *ProxyTest) ExpectAllowedContains(proxyURL, hostHeader, containsText string) {
+	pt.t.Helper()
+
+	req, err := http.NewRequest("GET", proxyURL, nil)
+	require.NoError(pt.t, err, "Failed to create request")
+	req.Host = hostHeader
+
+	resp, err := pt.client.Do(req)
+	require.NoError(pt.t, err, "Failed to make request")
+	defer resp.Body.Close() //nolint:errcheck
+
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(pt.t, err, "Failed to read response body")
+
+	require.Contains(pt.t, string(body), containsText, "Response does not contain expected text")
+}

proxy/proxy_test.go

@@ -29,176 +29,34 @@ func (m *mockAuditor) AuditRequest(req audit.Request) {
 
 // TestProxyServerBasicHTTP tests basic HTTP request handling
 func TestProxyServerBasicHTTP(t *testing.T) {
-	// Create test logger
-	logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
-		Level: slog.LevelError,
-	}))
-
-	// Create test rules (allow all for testing)
-	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
-	if err != nil {
-		t.Fatalf("Failed to parse test rules: %v", err)
-	}
-
-	// Create rule engine
-	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
-
-	// Create mock auditor
-	auditor := &mockAuditor{}
-
-	// Create TLS config (minimal for testing)
-	tlsConfig := &tls.Config{
-		MinVersion: tls.VersionTLS12,
-	}
-
-	// Create proxy server
-	server := NewProxyServer(Config{
-		HTTPPort:   8080,
-		RuleEngine: ruleEngine,
-		Auditor:    auditor,
-		Logger:     logger,
-		TLSConfig:  tlsConfig,
-	})
-
-	// Start server
-	err = server.Start()
-	require.NoError(t, err)
-
-	// Give server time to start
-	time.Sleep(100 * time.Millisecond)
+	pt := NewProxyTest(t).
+		Start()
+	defer pt.Stop()
 
-	// Test basic HTTP request
 	t.Run("BasicHTTPRequest", func(t *testing.T) {
-		// Create HTTP client
-		client := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{
-					InsecureSkipVerify: true, // Skip cert verification for testing
-				},
-			},
-			Timeout: 5 * time.Second,
-		}
-
-		// Make request to proxy
-		req, err := http.NewRequest("GET", "http://localhost:8080/todos/1", nil)
-		if err != nil {
-			t.Fatalf("Failed to create request: %v", err)
-		}
-		// Override the Host header
-		req.Host = "jsonplaceholder.typicode.com"
-
-		// Make the request
-		resp, err := client.Do(req)
-		require.NoError(t, err)
-
-		body, err := io.ReadAll(resp.Body)
-		require.NoError(t, err)
-		require.NoError(t, resp.Body.Close())
-
 		expectedResponse := `{
   "userId": 1,
   "id": 1,
   "title": "delectus aut autem",
   "completed": false
 }`
-		require.Equal(t, expectedResponse, string(body))
+		pt.ExpectAllowed("http://localhost:8080/todos/1", "jsonplaceholder.typicode.com", expectedResponse)
 	})
-
-	err = server.Stop()
-	require.NoError(t, err)
 }
 
 // TestProxyServerBasicHTTPS tests basic HTTPS request handling
 func TestProxyServerBasicHTTPS(t *testing.T) {
-	// Create test logger
-	logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
-		Level: slog.LevelError,
-	}))
+	pt := NewProxyTest(t,
+		WithCertManager("/tmp/boundary"),
+	).
+		Start()
+	defer pt.Stop()
 
-	// Create test rules (allow all for testing)
-	testRules, err := rulesengine.ParseAllowSpecs([]string{"method=*"})
-	if err != nil {
-		t.Fatalf("Failed to parse test rules: %v", err)
-	}
-
-	// Create rule engine
-	ruleEngine := rulesengine.NewRuleEngine(testRules, logger)
-
-	// Create mock auditor
-	auditor := &mockAuditor{}
-
-	currentUser, err := user.Current()
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	uid, _ := strconv.Atoi(currentUser.Uid)
-	gid, _ := strconv.Atoi(currentUser.Gid)
-
-	// Create TLS certificate manager
-	certManager, err := boundary_tls.NewCertificateManager(boundary_tls.Config{
-		Logger:    logger,
-		ConfigDir: "/tmp/boundary",
-		Uid:       uid,
-		Gid:       gid,
-	})
-	require.NoError(t, err)
-
-	// Setup TLS to get cert path for jailer
-	tlsConfig, err := certManager.SetupTLSAndWriteCACert()
-	require.NoError(t, err)
-
-	// Create proxy server
-	server := NewProxyServer(Config{
-		HTTPPort:   8080,
-		RuleEngine: ruleEngine,
-		Auditor:    auditor,
-		Logger:     logger,
-		TLSConfig:  tlsConfig,
-	})
-
-	// Start server
-	err = server.Start()
-	require.NoError(t, err)
-
-	// Give server time to start
-	time.Sleep(100 * time.Millisecond)
-
-	// Test basic HTTPS request
 	t.Run("BasicHTTPSRequest", func(t *testing.T) {
-		// Create HTTP client
-		client := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{
-					InsecureSkipVerify: true, // Skip cert verification for testing
-				},
-			},
-			Timeout: 5 * time.Second,
-		}
-
-		// Make request to proxy
-		req, err := http.NewRequest("GET", "https://localhost:8080/api/v2", nil)
-		if err != nil {
-			t.Fatalf("Failed to create request: %v", err)
-		}
-		// Override the Host header
-		req.Host = "dev.coder.com"
-
-		// Make the request
-		resp, err := client.Do(req)
-		require.NoError(t, err)
-
-		body, err := io.ReadAll(resp.Body)
-		require.NoError(t, err)
-		require.NoError(t, resp.Body.Close())
-
 		expectedResponse := `{"message":"👋"}
 `
-		require.Equal(t, expectedResponse, string(body))
+		pt.ExpectAllowed("https://localhost:8080/api/v2", "dev.coder.com", expectedResponse)
 	})
-
-	err = server.Stop()
-	require.NoError(t, err)
 }
 
 // TestProxyServerCONNECT tests HTTP CONNECT method for HTTPS tunneling