mirror of https://github.com/trailofbits/algo.git synced 2025-09-23 20:25:38 +02:00

History

Dan Guido 4bb13a5ce8 Fix Ansible 12 double-templating and Jinja2 spacing issues (#14836 ) * Fix Ansible 12 double-templating and Jinja2 spacing issues This PR fixes critical deployment issues and improves code consistency for Ansible 12 compatibility. ## Fixed Issues ### 1. Double-templating bug (Issue #14835) Fixed 7 instances of invalid double-templating that breaks deployments: - Changed `{{ lookup('file', '{{ var }}') }}` to `{{ lookup('file', var) }}` - Affects Azure, DigitalOcean, GCE, Linode, and IPsec configurations - Added comprehensive test to prevent regression ### 2. Jinja2 spacing inconsistencies Fixed 33+ spacing issues for better code quality: - Removed spaces between Jinja2 blocks: `}} {%` → `}}{%` - Fixed operator spacing: `int -1` → `int - 1` - Fixed filter spacing: `\|b64encode` → `\| b64encode` - Consolidated multiline expressions to single lines ### 3. Test suite improvements Enhanced boolean type checking test to be more targeted: - Excludes external dependencies and CloudFormation templates - Only tests Algo's actual codebase - Verified with mutation testing - Added comprehensive documentation ## Testing - All 87 unit tests pass - 0 Jinja2 spacing issues remaining (verified by ansible-lint) - Ansible syntax checks pass for all playbooks - Mutation testing confirms tests catch real issues 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Python linting issue - Remove unnecessary f-string prefix where no placeholders are used - Fixes ruff F541 error * Fix line length linting issues - Break long lines to stay within 120 character limit - Extract variables for better readability - Fixes ruff E501 errors --------- Co-authored-by: Claude <noreply@anthropic.com>		2025-09-15 09:54:45 -04:00
..
fixtures	Fix VPN routing on multi-homed systems by specifying output interface (#14826 )	2025-08-17 22:12:23 -04:00
integration	Fix VPN routing on multi-homed systems by specifying output interface (#14826 )	2025-08-17 22:12:23 -04:00
legacy-lxd	fix: Prevent sensitive information from being logged (#14779 )	2025-08-17 15:58:19 -04:00
unit	Fix Ansible 12 double-templating and Jinja2 spacing issues (#14836 )	2025-09-15 09:54:45 -04:00
README.md	Implement self-bootstrapping uv setup to resolve issue #14776 (#14814 )	2025-08-06 22:10:56 -07:00
test-aws-credentials.yml	feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%	2025-08-03 16:42:17 -07:00
test-local-config.sh	Implement self-bootstrapping uv setup to resolve issue #14776 (#14814 )	2025-08-06 22:10:56 -07:00
test-wireguard-async.yml	Fix IPv6 address selection on BSD systems (#14786 )	2025-08-03 17:15:27 -07:00
test-wireguard-fix.yml	Fix IPv6 address selection on BSD systems (#14786 )	2025-08-03 17:15:27 -07:00
test-wireguard-real-async.yml	Fix IPv6 address selection on BSD systems (#14786 )	2025-08-03 17:15:27 -07:00
test_cloud_init_template.py	Fix VPN routing on multi-homed systems by specifying output interface (#14826 )	2025-08-17 22:12:23 -04:00
test_package_preinstall.py	Fix VPN routing on multi-homed systems by specifying output interface (#14826 )	2025-08-17 22:12:23 -04:00
validate_jinja2_templates.py	Fix VPN routing on multi-homed systems by specifying output interface (#14826 )	2025-08-17 22:12:23 -04:00

README.md

Algo VPN Test Suite

Current Test Coverage

What We Test Now

Basic Sanity (test_basic_sanity.py)
- Python version >= 3.11
- pyproject.toml exists and has dependencies
- config.cfg is valid YAML
- Ansible playbook syntax
- Shell scripts pass shellcheck
- Dockerfile exists and is valid
Docker Build (test_docker_build.py)
- Docker image builds successfully
- Container can start
- Ansible is available in container
Configuration Generation (test-local-config.sh)
- Ansible templates render without errors
- Basic configuration can be generated
Config Validation (test_config_validation.py)
- WireGuard config format validation
- Base64 key format checking
- IP address and CIDR notation
- Mobile config XML validation
- Port range validation
Certificate Validation (test_certificate_validation.py)
- OpenSSL availability
- Certificate subject formats
- Key file permissions (600)
- Password complexity
- IPsec cipher suite security
User Management (test_user_management.py) - Addresses #14745, #14746, #14738, #14726
- User list parsing from config
- Server selection string parsing
- SSH key preservation
- CA password handling
- User config path generation
- Duplicate user detection
OpenSSL Compatibility (test_openssl_compatibility.py) - Addresses #14755, #14718
- OpenSSL version detection
- Legacy flag support detection
- Apple device key format compatibility
- Certificate generation compatibility
- PKCS#12 export for mobile devices
Cloud Provider Configs (test_cloud_provider_configs.py) - Addresses #14752, #14730, #14762
- Cloud provider configuration validation
- Hetzner server type updates (cx11 → cx22)
- Azure dependency compatibility
- Region format validation
- Server size naming conventions
- OS image naming validation

What We DON'T Test Yet

1. VPN Functionality

WireGuard configuration validation
- Private/public key generation
- Client config file format
- QR code generation
- Mobile config profiles
IPsec configuration validation
- Certificate generation and validation
- StrongSwan config format
- Apple profile generation
SSH tunnel configuration
- Key generation
- SSH config file format

2. Cloud Provider Integrations

DigitalOcean API interactions
AWS EC2/Lightsail deployments
Azure deployments
Google Cloud deployments
Other providers (Vultr, Hetzner, etc.)

3. User Management

Adding new users
Removing users
Updating user configurations

4. Advanced Features

DNS ad-blocking configuration
On-demand VPN settings
MTU calculations
IPv6 configuration

5. Security Validations

Certificate constraints
Key permissions
Password generation
Firewall rules

Potential Improvements

Short Term (Easy Wins)

Add job names to fix zizmor warnings

Test configuration file generation without deployment:

def test_wireguard_config_format():
    # Generate a test config
    # Validate it has required sections
    # Check key format with regex

Test user management scripts in isolation:

# Test that update-users generates valid YAML
./algo update-users --dry-run

Add XML validation for mobile configs:

xmllint --noout generated_configs/*.mobileconfig

Medium Term

Mock cloud provider APIs to test deployment logic
Container-based integration tests using Docker Compose
Test certificate generation without full deployment
Validate generated configs against schemas

Long Term

End-to-end tests with actual VPN connections (using network namespaces)
Performance testing for large user counts
Upgrade path testing (old configs → new configs)
Multi-platform client testing

Security Improvements (from zizmor)

Current status: ✅ No security issues found

Recommendations:

Add explicit job names for better workflow clarity
Consider pinning Ubuntu runner versions to specific releases
Add GITHUB_TOKEN with minimal permissions when needed for API checks

Test Philosophy

Our approach focuses on:

Fast feedback - Tests run in < 3 minutes
No flaky tests - Avoid complex networking setups
Test what matters - Config generation, not VPN protocols
Progressive enhancement - Start simple, add coverage gradually