mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-15 00:13:20 +02:00
554121f0fc
* fix: Add IPv6 support for WireGuard endpoint addresses Fixes issue where IPv6 addresses in WireGuard configuration files were not properly formatted with square brackets when used with port numbers. The WireGuard client configuration template now detects IPv6 addresses using the ansible.utils.ipv6 filter and wraps them in brackets as required by the WireGuard configuration format. Example outputs: - IPv4: 192.168.1.1:51820 - IPv6: [2600:3c01::f03c:91ff:fedf:3b2a]:51820 - Hostname: vpn.example.com:51820 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: Use simple colon check for IPv6 detection in WireGuard template The original implementation tried to use `ansible.utils.ipv6` filter which is not available in the current environment. This caused the Smart Test Selection workflow to fail with "No filter named 'ansible.utils.ipv6' found." This change replaces the filter with a simple string check for colons (':') which is a reliable way to detect IPv6 addresses since they contain colons while IPv4 addresses and hostnames typically don't. The fix maintains the same functionality: - IPv6 addresses: `[2600:3c01::f03c:91ff:fedf:3b2a]:51820` - IPv4 addresses: `192.168.1.1:51820` - Hostnames: `vpn.example.com:51820` Fixes failing workflow in PR #14780. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * test: Add IPv6 endpoint formatting tests - Add comprehensive test cases for IPv4, IPv6, and hostname endpoints - Test IPv6 addresses are properly bracketed in WireGuard configs - Verify IPv4 and hostnames are not bracketed - Include edge case test for IPv6 with zone ID --------- Co-authored-by: Claude <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| fixtures | ||
| legacy-lxd | ||
| unit | ||
| README.md | ||
| test-local-config.sh | ||
Algo VPN Test Suite
Current Test Coverage
What We Test Now
-
Basic Sanity (
test_basic_sanity.py)- Python version >= 3.10
- requirements.txt exists
- config.cfg is valid YAML
- Ansible playbook syntax
- Shell scripts pass shellcheck
- Dockerfile exists and is valid
-
Docker Build (
test_docker_build.py)- Docker image builds successfully
- Container can start
- Ansible is available in container
-
Configuration Generation (
test-local-config.sh)- Ansible templates render without errors
- Basic configuration can be generated
-
Config Validation (
test_config_validation.py)- WireGuard config format validation
- Base64 key format checking
- IP address and CIDR notation
- Mobile config XML validation
- Port range validation
-
Certificate Validation (
test_certificate_validation.py)- OpenSSL availability
- Certificate subject formats
- Key file permissions (600)
- Password complexity
- IPsec cipher suite security
-
User Management (
test_user_management.py) - Addresses #14745, #14746, #14738, #14726- User list parsing from config
- Server selection string parsing
- SSH key preservation
- CA password handling
- User config path generation
- Duplicate user detection
-
OpenSSL Compatibility (
test_openssl_compatibility.py) - Addresses #14755, #14718- OpenSSL version detection
- Legacy flag support detection
- Apple device key format compatibility
- Certificate generation compatibility
- PKCS#12 export for mobile devices
-
Cloud Provider Configs (
test_cloud_provider_configs.py) - Addresses #14752, #14730, #14762- Cloud provider configuration validation
- Hetzner server type updates (cx11 → cx22)
- Azure dependency compatibility
- Region format validation
- Server size naming conventions
- OS image naming validation
What We DON'T Test Yet
1. VPN Functionality
- WireGuard configuration validation
- Private/public key generation
- Client config file format
- QR code generation
- Mobile config profiles
- IPsec configuration validation
- Certificate generation and validation
- StrongSwan config format
- Apple profile generation
- SSH tunnel configuration
- Key generation
- SSH config file format
2. Cloud Provider Integrations
- DigitalOcean API interactions
- AWS EC2/Lightsail deployments
- Azure deployments
- Google Cloud deployments
- Other providers (Vultr, Hetzner, etc.)
3. User Management
- Adding new users
- Removing users
- Updating user configurations
4. Advanced Features
- DNS ad-blocking configuration
- On-demand VPN settings
- MTU calculations
- IPv6 configuration
5. Security Validations
- Certificate constraints
- Key permissions
- Password generation
- Firewall rules
Potential Improvements
Short Term (Easy Wins)
-
Add job names to fix zizmor warnings
-
Test configuration file generation without deployment:
def test_wireguard_config_format(): # Generate a test config # Validate it has required sections # Check key format with regex -
Test user management scripts in isolation:
# Test that update-users generates valid YAML ./algo update-users --dry-run -
Add XML validation for mobile configs:
xmllint --noout generated_configs/*.mobileconfig
Medium Term
- Mock cloud provider APIs to test deployment logic
- Container-based integration tests using Docker Compose
- Test certificate generation without full deployment
- Validate generated configs against schemas
Long Term
- End-to-end tests with actual VPN connections (using network namespaces)
- Performance testing for large user counts
- Upgrade path testing (old configs → new configs)
- Multi-platform client testing
Security Improvements (from zizmor)
Current status: ✅ No security issues found
Recommendations:
- Add explicit job names for better workflow clarity
- Consider pinning Ubuntu runner versions to specific releases
- Add GITHUB_TOKEN with minimal permissions when needed for API checks
Test Philosophy
Our approach focuses on:
- Fast feedback - Tests run in < 3 minutes
- No flaky tests - Avoid complex networking setups
- Test what matters - Config generation, not VPN protocols
- Progressive enhancement - Start simple, add coverage gradually