Mirror of https://github.com/trailofbits/algo.git (synced 2025-09-09 21:44:13 +02:00)
# Algo VPN Test Suite

## Current Test Coverage

### What We Test Now

- **Basic Sanity** (`test_basic_sanity.py`)
  - Python version >= 3.11
  - pyproject.toml exists and has dependencies
  - config.cfg is valid YAML
  - Ansible playbook syntax
  - Shell scripts pass shellcheck
  - Dockerfile exists and is valid
- **Docker Build** (`test_docker_build.py`)
  - Docker image builds successfully
  - Container can start
  - Ansible is available in container
- **Configuration Generation** (`test-local-config.sh`)
  - Ansible templates render without errors
  - Basic configuration can be generated
- **Config Validation** (`test_config_validation.py`)
  - WireGuard config format validation
  - Base64 key format checking
  - IP address and CIDR notation
  - Mobile config XML validation
  - Port range validation
- **Certificate Validation** (`test_certificate_validation.py`)
  - OpenSSL availability
  - Certificate subject formats
  - Key file permissions (600)
  - Password complexity
  - IPsec cipher suite security
- **User Management** (`test_user_management.py`) - Addresses #14745, #14746, #14738, #14726
  - User list parsing from config
  - Server selection string parsing
  - SSH key preservation
  - CA password handling
  - User config path generation
  - Duplicate user detection
- **OpenSSL Compatibility** (`test_openssl_compatibility.py`) - Addresses #14755, #14718
  - OpenSSL version detection
  - Legacy flag support detection
  - Apple device key format compatibility
  - Certificate generation compatibility
  - PKCS#12 export for mobile devices
- **Cloud Provider Configs** (`test_cloud_provider_configs.py`) - Addresses #14752, #14730, #14762
  - Cloud provider configuration validation
  - Hetzner server type updates (cx11 → cx22)
  - Azure dependency compatibility
  - Region format validation
  - Server size naming conventions
  - OS image naming validation
### What We DON'T Test Yet

1. **VPN Functionality**
   - WireGuard configuration validation
   - Private/public key generation
   - Client config file format
   - QR code generation
   - Mobile config profiles
   - IPsec configuration validation
   - Certificate generation and validation
   - StrongSwan config format
   - Apple profile generation
   - SSH tunnel configuration
   - Key generation
   - SSH config file format
2. **Cloud Provider Integrations**
   - DigitalOcean API interactions
   - AWS EC2/Lightsail deployments
   - Azure deployments
   - Google Cloud deployments
   - Other providers (Vultr, Hetzner, etc.)
3. **User Management**
   - Adding new users
   - Removing users
   - Updating user configurations
4. **Advanced Features**
   - DNS ad-blocking configuration
   - On-demand VPN settings
   - MTU calculations
   - IPv6 configuration
5. **Security Validations**
   - Certificate constraints
   - Key permissions
   - Password generation
   - Firewall rules
## Potential Improvements

### Short Term (Easy Wins)

- Add job names to fix zizmor warnings
- Test configuration file generation without deployment:

  ```python
  def test_wireguard_config_format():
      # Generate a test config
      # Validate it has required sections
      # Check key format with regex
      ...
  ```

- Test user management scripts in isolation:

  ```bash
  # Test that update-users generates valid YAML
  ./algo update-users --dry-run
  ```

- Add XML validation for mobile configs:

  ```bash
  xmllint --noout generated_configs/*.mobileconfig
  ```
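
As an added example that is not part of the Algo repository's test suite, the following stand-alone validator fleshes out the `test_wireguard_config_format` sketch and covers the checks listed above for `test_config_validation.py`: required sections, base64 key format, IP/CIDR notation and port range. `SAMPLE_CONFIG` is a constructed client config with placeholder keys, and `parse_wireguard_config`, `is_wireguard_key` and `validate_wireguard_config` are names chosen here, not Algo's.

```python
# Added example, not the Algo project's own code; SAMPLE_CONFIG is constructed with placeholder keys.
import ipaddress
import re
KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")  # 32-byte key -> 44 base64 chars ending in '='
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.49.0.2/32,fd9d:bc11:4020::2/128
[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 203.0.113.10:51820
"""

def parse_wireguard_config(text):  # INI-style text -> {section: {key: value}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))  # split on the first '=' only
            sections[current][key] = value
        else:
            raise ValueError(f"malformed line: {raw!r}")
    return sections

def is_wireguard_key(value):  # base64 of exactly 32 bytes: 43 chars plus one '=' pad
    return bool(KEY_RE.match(value))

def validate_wireguard_config(text):  # returns a list of problems; an empty list means OK
    cfg = parse_wireguard_config(text)
    problems = [f"missing [{s}] section" for s in ("Interface", "Peer") if s not in cfg]
    iface, peer = cfg.get("Interface", {}), cfg.get("Peer", {})
    for name, value in (("PrivateKey", iface.get("PrivateKey", "")), ("PublicKey", peer.get("PublicKey", ""))):
        if not is_wireguard_key(value):
            problems.append(f"{name} is missing or not a valid WireGuard key")
    for section, field in ((iface, "Address"), (peer, "AllowedIPs")):
        for cidr in section.get(field, "").split(","):
            try:
                ipaddress.ip_interface(cidr.strip())  # accepts IPv4 and IPv6 CIDR notation
            except ValueError:
                problems.append(f"{field}: bad CIDR {cidr.strip()!r}")
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("Endpoint must be host:port with a port in 1-65535")
    return problems
```

Dropping this into a pytest file and asserting `validate_wireguard_config(rendered) == []` on a config rendered from the Ansible templates gives the deployment-free format check the item above describes.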
### Medium Term

- Mock cloud provider APIs to test deployment logic
- Container-based integration tests using Docker Compose
- Test certificate generation without full deployment
- Validate generated configs against schemas

### Long Term

- End-to-end tests with actual VPN connections (using network namespaces)
- Performance testing for large user counts
- Upgrade path testing (old configs → new configs)
- Multi-platform client testing

## Security Improvements (from zizmor)

Current status: ✅ No security issues found

Recommendations:

- Add explicit job names for better workflow clarity
- Consider pinning Ubuntu runner versions to specific releases
- Add GITHUB_TOKEN with minimal permissions when needed for API checks

## Test Philosophy

Our approach focuses on:

- **Fast feedback** - Tests run in < 3 minutes
- **No flaky tests** - Avoid complex networking setups
- **Test what matters** - Config generation, not VPN protocols
- **Progressive enhancement** - Start simple, add coverage gradually