m/rdp-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

рабочий вариант, но скороть 10 МБит
build / backend (push) Has been cancelled
Details
build / node-agent (push) Has been cancelled
Details
build / worker (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Mikhail
2026-05-22 21:46:49 +03:00
parent 469fa0e860
commit 20d361a886
280 changed files with 954890 additions and 18524 deletions
Download Patch File Download Diff File Expand all files Collapse all files
agents/rap-node-agent/internal/supervisor/supervisor_test.go
+68 -25
View File
@@ -2,7 +2,16 @@ package supervisor
import (
"context"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"os"
"path/filepath"
"testing"
"time"
"github.com/example/remote-access-platform/agents/rap-node-agent/internal/client"
"github.com/example/remote-access-platform/agents/rap-node-agent/internal/webingress"
@@ -56,7 +65,7 @@ func TestStubSupervisorRunsInternalSyntheticEchoWorkload(t *testing.T) {
func TestStubSupervisorReportsBuiltinFabricServicesRunning(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{ServiceType: "core-mesh", DesiredState: "enabled", RuntimeMode: "container"},
{ServiceType: "mesh-listener", DesiredState: "enabled", RuntimeMode: "container"},
{ServiceType: "fabric-listener", DesiredState: "enabled", RuntimeMode: "container"},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
@@ -88,7 +97,7 @@ func TestStubSupervisorReportsVPNFabricOnlyContractsRunning(t *testing.T) {
},
},
{
ServiceType: "vpn-client",
ServiceType: "ipv4-ingress",
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
@@ -117,14 +126,18 @@ func TestStubSupervisorReportsVPNFabricOnlyContractsRunning(t *testing.T) {
if status.StatusPayload["backend_relay_fallback"] != false {
t.Fatalf("backend_relay_fallback = %v", status.StatusPayload["backend_relay_fallback"])
}
if status.StatusPayload["legacy_protocol_compatibility"] != false {
t.Fatalf("legacy_protocol_compatibility = %v", status.StatusPayload["legacy_protocol_compatibility"])
if status.StatusPayload["compat_protocol_compatibility"] != false {
t.Fatalf("compat_protocol_compatibility = %v", status.StatusPayload["compat_protocol_compatibility"])
}
}
if statuses[0].StatusPayload["role"] != "ipv4-egress" || statuses[0].StatusPayload["internet_egress"] != true {
t.Fatalf("ipv4 egress payload = %#v", statuses[0].StatusPayload)
}
if statuses[1].StatusPayload["role"] != "vpn-client" || statuses[1].StatusPayload["android_node_supported"] != true {
if statuses[1].StatusPayload["role"] != "ipv4-ingress" ||
statuses[1].StatusPayload["legacy_role_alias"] != "vpn-client" ||
statuses[1].StatusPayload["android_node_supported"] != true ||
statuses[1].StatusPayload["linux_node_supported"] != true ||
statuses[1].StatusPayload["windows_node_supported"] != true {
t.Fatalf("vpn client payload = %#v", statuses[1].StatusPayload)
}
exitBinding := statuses[0].StatusPayload["service_binding"].(map[string]any)
@@ -132,9 +145,12 @@ func TestStubSupervisorReportsVPNFabricOnlyContractsRunning(t *testing.T) {
t.Fatalf("ipv4 egress binding = %#v", exitBinding)
}
clientBinding := statuses[1].StatusPayload["service_binding"].(map[string]any)
if clientBinding["type"] != "local_ipv4_ingress" || clientBinding["preferred_exit_pool_id"] != "us-los-angeles-ipv4" || clientBinding["legacy_protocol_listener"] != false {
if clientBinding["type"] != "local_ipv4_ingress" || clientBinding["preferred_exit_pool_id"] != "us-los-angeles-ipv4" || clientBinding["compat_protocol_listener"] != false {
t.Fatalf("vpn client binding = %#v", clientBinding)
}
if clientBinding["traffic_visibility"] != "opaque_ipv4_packets" || clientBinding["flow_distribution"] != "opaque_packet_hash_shards" {
t.Fatalf("ipv4 ingress binding should be opaque: %#v", clientBinding)
}
if got := clientBinding["listen_tcp_ports"].([]int); len(got) != 2 || got[0] != 443 || got[1] != 8443 {
t.Fatalf("listen_tcp_ports = %#v", got)
}
@@ -150,11 +166,10 @@ func TestStubSupervisorReportsWebIngressContractReady(t *testing.T) {
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"listen_http_port": 80,
"listen_https_port": 443,
"tls_mode": "terminate",
"scope": "platform",
"service_classes": []any{"platform_admin", "cluster_admin"},
"service_classes": []any{"admin-ingress", "admin-ingress"},
},
},
})
@@ -175,9 +190,9 @@ func TestStubSupervisorReportsWebIngressContractReady(t *testing.T) {
payload["ports_opened_by_stub"] != false {
t.Fatalf("unexpected payload: %#v", payload)
}
roles, ok := payload["runtime_roles_required"].([]string)
if !ok || !containsString(roles, "global-admin-runtime") || !containsString(roles, "policy-authority") {
t.Fatalf("runtime roles = %#v", payload["runtime_roles_required"])
functions, ok := payload["runtime_fabric_functions"].([]string)
if !ok || !containsString(functions, "admin-ingress") {
t.Fatalf("runtime fabric functions = %#v", payload["runtime_fabric_functions"])
}
}
@@ -188,11 +203,10 @@ func TestStubSupervisorBlocksWebIngressRealListenerWithoutRuntimeGate(t *testing
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"listen_http_port": 80,
"listen_https_port": 443,
"tls_mode": "terminate",
"scope": "platform",
"service_classes": []any{"platform_admin"},
"service_classes": []any{"admin-ingress"},
"real_listener_enabled": true,
},
},
@@ -220,11 +234,10 @@ func TestStubSupervisorAllowsWebIngressRealListenerGateButDoesNotOpenPorts(t *te
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"listen_http_port": 80,
"listen_https_port": 443,
"tls_mode": "terminate",
"scope": "platform",
"service_classes": []any{"platform_admin"},
"service_classes": []any{"admin-ingress"},
"real_listener_enabled": true,
},
},
@@ -245,6 +258,8 @@ func TestStubSupervisorAllowsWebIngressRealListenerGateButDoesNotOpenPorts(t *te
}
func TestStubSupervisorStartsWebIngressManagerWhenRealListenerAllowed(t *testing.T) {
dir := t.TempDir()
certFile, keyFile := writeSelfSignedCert(t, dir)
manager := webingress.NewManager()
statuses, err := (StubSupervisor{Version: "test", WebIngressRuntimeEnabled: true, WebIngressManager: manager}).Apply(context.Background(), []client.DesiredWorkload{
{
@@ -252,13 +267,13 @@ func TestStubSupervisorStartsWebIngressManagerWhenRealListenerAllowed(t *testing
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"listen_http_port": 80,
"listen_https_port": 443,
"listen_http_addr": "127.0.0.1:0",
"listen_https_addr": "127.0.0.1:0",
"tls_mode": "terminate",
"tls_cert_file": certFile,
"tls_key_file": keyFile,
"scope": "platform",
"service_classes": []any{"platform_admin"},
"service_classes": []any{"admin-ingress"},
"real_listener_enabled": true,
},
},
@@ -266,7 +281,7 @@ func TestStubSupervisorStartsWebIngressManagerWhenRealListenerAllowed(t *testing
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "degraded" {
if statuses[0].ReportedState != "running" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
payload := statuses[0].StatusPayload
@@ -274,15 +289,44 @@ func TestStubSupervisorStartsWebIngressManagerWhenRealListenerAllowed(t *testing
if !ok {
t.Fatalf("listener_status = %#v", payload["listener_status"])
}
if !listenerStatus.HTTPRunning || listenerStatus.HTTPSRunning || listenerStatus.HTTPAddr == "" {
if !listenerStatus.HTTPSRunning || listenerStatus.HTTPSAddr == "" {
t.Fatalf("listener status = %+v", listenerStatus)
}
if payload["reason"] != "web_ingress_listener_partial" || payload["ports_opened_by_runtime"] != true || payload["ports_opened_by_stub"] != false {
if payload["reason"] != "web_ingress_contract_ready" || payload["ports_opened_by_runtime"] != true || payload["ports_opened_by_stub"] != false {
t.Fatalf("payload = %#v", payload)
}
_ = manager.Stop(context.Background())
}
func writeSelfSignedCert(t *testing.T, dir string) (string, string) {
t.Helper()
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("generate key: %v", err)
}
template := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{CommonName: "localhost"},
NotBefore: time.Now().Add(-time.Hour),
NotAfter: time.Now().Add(time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
DNSNames: []string{"localhost"},
}
der, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
if err != nil {
t.Fatalf("create cert: %v", err)
}
certFile := filepath.Join(dir, "cert.pem")
keyFile := filepath.Join(dir, "key.pem")
if err := os.WriteFile(certFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
t.Fatalf("write cert: %v", err)
}
if err := os.WriteFile(keyFile, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}), 0o600); err != nil {
t.Fatalf("write key: %v", err)
}
return certFile, keyFile
}
func TestStubSupervisorBlocksInvalidWebIngressContract(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{
@@ -290,10 +334,9 @@ func TestStubSupervisorBlocksInvalidWebIngressContract(t *testing.T) {
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"listen_http_port": 8080,
"listen_https_port": 443,
"listen_https_port": 444,
"scope": "organization",
"service_classes": []any{"platform_admin"},
"service_classes": []any{"admin-ingress"},
},
},
})
@@ -308,7 +351,7 @@ func TestStubSupervisorBlocksInvalidWebIngressContract(t *testing.T) {
t.Fatalf("unexpected payload: %#v", payload)
}
missing, ok := payload["missing_checks"].([]string)
if !ok || !containsString(missing, "listen_http_port_must_be_80") || !containsString(missing, "service_class_not_allowed:platform_admin") {
if !ok || !containsString(missing, "listen_https_port_must_be_443") || !containsString(missing, "service_class_not_allowed:admin-ingress") {
t.Fatalf("missing checks = %#v", payload["missing_checks"])
}
}