wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-09-23 04:13:20 +02:00
Code Issues Projects Releases Wiki Activity
algo/tests
History
Dan Guido 454faa96b1
fix: Prevent sensitive information from being logged (#14779) 
* fix: Add no_log to tasks handling sensitive information

- Add no_log: true to OpenSSL commands that contain passwords/passphrases
- Add no_log: true to WireGuard key generation commands
- Add no_log: true to password/CA password generation tasks
- Add no_log: true to AWS credential handling tasks
- Add no_log: true to QR code generation that contains full configs

This prevents sensitive information like passwords, private keys, and
WireGuard configurations from being logged to syslog/journald.

Fixes #1617

* feat: Comprehensive privacy enhancements

- Add no_log directives to all cloud provider credential handling
- Set privacy-focused defaults (StrongSwan logging disabled, DNSCrypt syslog off)
- Implement privacy role with log rotation, history clearing, and log filtering
- Add Privacy Considerations section to README
- Make all privacy features configurable and enabled by default

This update significantly reduces Algo's logging footprint to enhance user privacy
while maintaining the ability to enable logging for debugging when needed.

* docs: Move privacy documentation from README to FAQ

- Remove Privacy Considerations section from README
- Add expanded 'Does Algo support zero logging?' question to FAQ
- Better placement alongside existing logging/monitoring questions
- More detailed explanation of privacy features and limitations

* fix: Remove invalid 'bool' filter from Jinja2 template

The privacy-monitor.sh.j2 template was using '| bool' which is not a valid
Jinja2 filter. The 'bool' is a built-in Python function, not a Jinja2 filter.

Fixed by removing the '| bool' filter and directly outputting the boolean
variables as they will be rendered correctly by Jinja2.

This resolves the template syntax error that was causing CI tests to fail:
"No filter named 'bool'" error in privacy monitoring script template.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Fix YAML linting issues in privacy role

* Fix linting warnings: shellcheck and ansible-lint issues

- Fixed all shellcheck warnings in test scripts:
  - Quoted variables to prevent word splitting
  - Replaced A && B || C constructs with proper if-then-else
  - Changed unused loop variable to _
  - Added shellcheck directives for FreeBSD rc.d script

- Fixed ansible-lint risky-file-permissions warnings:
  - Added explicit file permissions for sensitive files (mode 0600)
  - Added permissions for config files and certificates (mode 0644)
  - Set proper permissions for directories (mode 0755)

- Fixed yamllint compatibility with ansible-lint:
  - Added required octal-values configuration
  - Quoted all octal mode values to prevent YAML misinterpretation
  - Added comments-indentation: false as required

All tests pass and functionality remains unchanged.

* Remove algo.egg-info from version control

This directory is generated by Python package tools (pip/setuptools) and
should not be tracked in git. It's already listed in .gitignore but was
accidentally committed. The directory contains build metadata that is
regenerated when the package is installed.

* Restructure privacy documentation for clarity

- Simplified FAQ entry to be concise with link to README for details
- Added comprehensive Privacy and Logging section to README
- Clarified what IS logged by default vs what is not
- Explained two separate privacy settings (strongswan_log_level and privacy_enhancements_enabled)
- Added clear debugging instructions (need to change both settings)
- Removed confusing language about "enabling additional features"
- Made documentation more natural and less AI-generated sounding

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Fix Ubuntu 22.04 iptables deployment issues and simplify config.cfg

Issues fixed:
1. Added base 'iptables' package to batch installation list (was missing, only iptables-persistent was included)
2. Fixed alternatives configuration for Ubuntu 22.04+ - only configure main iptables/ip6tables alternatives, not save/restore (they're handled as slaves)

Config.cfg improvements:
- Reduced from 308 to 198 lines (35% reduction)
- Moved privacy settings above "Advanced users only" line for better accessibility
- Clarified algo_no_log is for Ansible output, not server privacy
- Simplified verbose comments throughout
- Moved experimental performance options to commented section at end
- Better organized into logical sections

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Add privacy features to README and improve feature descriptions

- Added privacy-focused feature bullet highlighting minimal logging and privacy enhancements
- Simplified IKEv2 bullet (removed redundant platform list)
- Updated helper scripts description to be more comprehensive
- Specified Ubuntu 22.04 LTS and automatic security updates
- Made feature list more concise and accurate

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Fix logrotate duplicate entries error in privacy role

The privacy role was creating logrotate configs that duplicated the default
Ubuntu rsyslog logrotate rules, causing deployment failures with errors like
'duplicate log entry for /var/log/syslog'.

Changes:
- Disable default rsyslog logrotate config before applying privacy configs
- Consolidate system log rotation into single config file
- Add missingok flag to handle logs that may not exist on all systems
- Remove forced immediate rotation that was triggering the error

This ensures privacy-enhanced log rotation works without conflicts.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Fix 'history: not found' error in privacy role

The 'history -c' command was failing because history is a bash built-in
that doesn't exist in /bin/sh (Ubuntu's default shell for scripts).

Changes:
- Removed the 'Clear current session history' task since it's ineffective
  in Ansible context (each task runs in a new shell)
- History files are already cleared by the existing file removal tasks
- Added explanatory comment about why session history clearing is omitted

This fixes the deployment failure while maintaining all effective history
clearing functionality.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Fix BPF JIT sysctl error in privacy role

The net.core.bpf_jit_enable sysctl parameter was failing on some systems
because BPF JIT support is not available in all kernel configurations.

Changes:
- Separated BPF JIT setting into its own task with ignore_errors
- Made BPF JIT disabling optional since it's not critical for privacy
- Added explanatory comments about kernel support variability
- Both runtime sysctl and persistent config now handle missing parameter

This allows deployments to succeed on systems without BPF JIT support
while still applying the setting where available.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
2025-08-17 15:58:19 -04:00
..
fixtures feat: Add comprehensive performance optimizations to reduce deployment time by 30-60% 2025-08-03 16:42:17 -07:00
integration feat: Add comprehensive performance optimizations to reduce deployment time by 30-60% 2025-08-03 16:42:17 -07:00
legacy-lxd fix: Prevent sensitive information from being logged (#14779) 2025-08-17 15:58:19 -04:00
unit Fix AWS Lightsail deployment error (boto3 parameter) (#14823) 2025-08-16 03:39:00 -04:00
README.md Implement self-bootstrapping uv setup to resolve issue #14776 (#14814) 2025-08-06 22:10:56 -07:00
test-aws-credentials.yml feat: Add comprehensive performance optimizations to reduce deployment time by 30-60% 2025-08-03 16:42:17 -07:00
test-local-config.sh Implement self-bootstrapping uv setup to resolve issue #14776 (#14814) 2025-08-06 22:10:56 -07:00
test-wireguard-async.yml Fix IPv6 address selection on BSD systems (#14786) 2025-08-03 17:15:27 -07:00
test-wireguard-fix.yml Fix IPv6 address selection on BSD systems (#14786) 2025-08-03 17:15:27 -07:00
test-wireguard-real-async.yml Fix IPv6 address selection on BSD systems (#14786) 2025-08-03 17:15:27 -07:00
test_bsd_ipv6.yml Fix IPv6 address selection on BSD systems (#14786) 2025-08-03 17:15:27 -07:00
test_cloud_init_template.py feat: Add comprehensive performance optimizations to reduce deployment time by 30-60% 2025-08-03 16:42:17 -07:00
test_package_preinstall.py feat: Add comprehensive performance optimizations to reduce deployment time by 30-60% 2025-08-03 16:42:17 -07:00
validate_jinja2_templates.py Implement self-bootstrapping uv setup to resolve issue #14776 (#14814) 2025-08-06 22:10:56 -07:00

README.md

Algo VPN Test Suite

Current Test Coverage

What We Test Now

  1. Basic Sanity (test_basic_sanity.py)

    • Python version >= 3.11
    • pyproject.toml exists and has dependencies
    • config.cfg is valid YAML
    • Ansible playbook syntax
    • Shell scripts pass shellcheck
    • Dockerfile exists and is valid

  2. Docker Build (test_docker_build.py)

    • Docker image builds successfully
    • Container can start
    • Ansible is available in container

  3. Configuration Generation (test-local-config.sh)

    • Ansible templates render without errors
    • Basic configuration can be generated

  4. Config Validation (test_config_validation.py)

    • WireGuard config format validation
    • Base64 key format checking
    • IP address and CIDR notation
    • Mobile config XML validation
    • Port range validation

  5. Certificate Validation (test_certificate_validation.py)

    • OpenSSL availability
    • Certificate subject formats
    • Key file permissions (600)
    • Password complexity
    • IPsec cipher suite security

  6. User Management (test_user_management.py) - Addresses #14745, #14746, #14738, #14726

    • User list parsing from config
    • Server selection string parsing
    • SSH key preservation
    • CA password handling
    • User config path generation
    • Duplicate user detection

  7. OpenSSL Compatibility (test_openssl_compatibility.py) - Addresses #14755, #14718

    • OpenSSL version detection
    • Legacy flag support detection
    • Apple device key format compatibility
    • Certificate generation compatibility
    • PKCS#12 export for mobile devices

  8. Cloud Provider Configs (test_cloud_provider_configs.py) - Addresses #14752, #14730, #14762

    • Cloud provider configuration validation
    • Hetzner server type updates (cx11 → cx22)
    • Azure dependency compatibility
    • Region format validation
    • Server size naming conventions
    • OS image naming validation

What We DON'T Test Yet

1. VPN Functionality

  • WireGuard configuration validation
    • Private/public key generation
    • Client config file format
    • QR code generation
    • Mobile config profiles
  • IPsec configuration validation
    • Certificate generation and validation
    • StrongSwan config format
    • Apple profile generation
  • SSH tunnel configuration
    • Key generation
    • SSH config file format

2. Cloud Provider Integrations

  • DigitalOcean API interactions
  • AWS EC2/Lightsail deployments
  • Azure deployments
  • Google Cloud deployments
  • Other providers (Vultr, Hetzner, etc.)

3. User Management

  • Adding new users
  • Removing users
  • Updating user configurations

4. Advanced Features

  • DNS ad-blocking configuration
  • On-demand VPN settings
  • MTU calculations
  • IPv6 configuration

5. Security Validations

  • Certificate constraints
  • Key permissions
  • Password generation
  • Firewall rules

Potential Improvements

Short Term (Easy Wins)

  1. Add job names to fix zizmor warnings

  2. Test configuration file generation without deployment:

    def test_wireguard_config_format():
    # Generate a test config
    # Validate it has required sections
    # Check key format with regex

  3. Test user management scripts in isolation:

    # Test that update-users generates valid YAML
./algo update-users --dry-run

  4. Add XML validation for mobile configs:

    xmllint --noout generated_configs/*.mobileconfig

Medium Term

  1. Mock cloud provider APIs to test deployment logic
  2. Container-based integration tests using Docker Compose
  3. Test certificate generation without full deployment
  4. Validate generated configs against schemas

Long Term

  1. End-to-end tests with actual VPN connections (using network namespaces)
  2. Performance testing for large user counts
  3. Upgrade path testing (old configs → new configs)
  4. Multi-platform client testing

Security Improvements (from zizmor)

Current status: No security issues found

Recommendations:

  1. Add explicit job names for better workflow clarity
  2. Consider pinning Ubuntu runner versions to specific releases
  3. Add GITHUB_TOKEN with minimal permissions when needed for API checks

Test Philosophy

Our approach focuses on:

  1. Fast feedback - Tests run in < 3 minutes
  2. No flaky tests - Avoid complex networking setups
  3. Test what matters - Config generation, not VPN protocols
  4. Progressive enhancement - Start simple, add coverage gradually