mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-19 10:23:11 +02:00
72900d3cc7
* Fix Ansible 12.0.0 boolean type checking issue
Ansible 12.0.0 enforces strict type checking for conditionals and no longer
automatically converts string values "true"/"false" to booleans. This was
causing deployment failures after the recent Ansible version bump.
Changes:
- Fix ipv6_support to use 'is defined' which returns boolean instead of string
- Fix algo_* variables in input.yml to use {{ false }} instead of string "false"
- Add comprehensive tests to prevent regression
- Add mutation testing to verify tests catch the issue
The fix uses native boolean expressions instead of string literals, ensuring
compatibility with Ansible 12's strict type checking while maintaining backward
compatibility.
Fixes #14833
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix Python linting issues in test files
- Fix import sorting and remove unused imports
- Remove trailing whitespace and blank lines with whitespace
- Use underscore prefix for unused loop variables
- Remove unnecessary file open mode arguments
- Add newlines at end of files
- Remove unused variable assignments
All ruff checks now pass.
---------
Co-authored-by: Claude <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| fixtures | ||
| integration | ||
| legacy-lxd | ||
| unit | ||
| README.md | ||
| test-aws-credentials.yml | ||
| test-local-config.sh | ||
| test-wireguard-async.yml | ||
| test-wireguard-fix.yml | ||
| test-wireguard-real-async.yml | ||
| test_bsd_ipv6.yml | ||
| test_cloud_init_template.py | ||
| test_package_preinstall.py | ||
| validate_jinja2_templates.py | ||
Algo VPN Test Suite
Current Test Coverage
What We Test Now
-
Basic Sanity (
test_basic_sanity.py)- Python version >= 3.11
- pyproject.toml exists and has dependencies
- config.cfg is valid YAML
- Ansible playbook syntax
- Shell scripts pass shellcheck
- Dockerfile exists and is valid
-
Docker Build (
test_docker_build.py)- Docker image builds successfully
- Container can start
- Ansible is available in container
-
Configuration Generation (
test-local-config.sh)- Ansible templates render without errors
- Basic configuration can be generated
-
Config Validation (
test_config_validation.py)- WireGuard config format validation
- Base64 key format checking
- IP address and CIDR notation
- Mobile config XML validation
- Port range validation
-
Certificate Validation (
test_certificate_validation.py)- OpenSSL availability
- Certificate subject formats
- Key file permissions (600)
- Password complexity
- IPsec cipher suite security
-
User Management (
test_user_management.py) - Addresses #14745, #14746, #14738, #14726- User list parsing from config
- Server selection string parsing
- SSH key preservation
- CA password handling
- User config path generation
- Duplicate user detection
-
OpenSSL Compatibility (
test_openssl_compatibility.py) - Addresses #14755, #14718- OpenSSL version detection
- Legacy flag support detection
- Apple device key format compatibility
- Certificate generation compatibility
- PKCS#12 export for mobile devices
-
Cloud Provider Configs (
test_cloud_provider_configs.py) - Addresses #14752, #14730, #14762- Cloud provider configuration validation
- Hetzner server type updates (cx11 → cx22)
- Azure dependency compatibility
- Region format validation
- Server size naming conventions
- OS image naming validation
What We DON'T Test Yet
1. VPN Functionality
- WireGuard configuration validation
- Private/public key generation
- Client config file format
- QR code generation
- Mobile config profiles
- IPsec configuration validation
- Certificate generation and validation
- StrongSwan config format
- Apple profile generation
- SSH tunnel configuration
- Key generation
- SSH config file format
2. Cloud Provider Integrations
- DigitalOcean API interactions
- AWS EC2/Lightsail deployments
- Azure deployments
- Google Cloud deployments
- Other providers (Vultr, Hetzner, etc.)
3. User Management
- Adding new users
- Removing users
- Updating user configurations
4. Advanced Features
- DNS ad-blocking configuration
- On-demand VPN settings
- MTU calculations
- IPv6 configuration
5. Security Validations
- Certificate constraints
- Key permissions
- Password generation
- Firewall rules
Potential Improvements
Short Term (Easy Wins)
-
Add job names to fix zizmor warnings
-
Test configuration file generation without deployment:
def test_wireguard_config_format(): # Generate a test config # Validate it has required sections # Check key format with regex -
Test user management scripts in isolation:
# Test that update-users generates valid YAML ./algo update-users --dry-run -
Add XML validation for mobile configs:
xmllint --noout generated_configs/*.mobileconfig
Medium Term
- Mock cloud provider APIs to test deployment logic
- Container-based integration tests using Docker Compose
- Test certificate generation without full deployment
- Validate generated configs against schemas
Long Term
- End-to-end tests with actual VPN connections (using network namespaces)
- Performance testing for large user counts
- Upgrade path testing (old configs → new configs)
- Multi-platform client testing
Security Improvements (from zizmor)
Current status: ✅ No security issues found
Recommendations:
- Add explicit job names for better workflow clarity
- Consider pinning Ubuntu runner versions to specific releases
- Add GITHUB_TOKEN with minimal permissions when needed for API checks
Test Philosophy
Our approach focuses on:
- Fast feedback - Tests run in < 3 minutes
- No flaky tests - Avoid complex networking setups
- Test what matters - Config generation, not VPN protocols
- Progressive enhancement - Start simple, add coverage gradually