Integrate LATTE

.gitlab-ci.yml

@@ -4,6 +4,7 @@ include:
   - /ci/jobs/package.yml
   - /ci/jobs/test.yml
   - /ci/jobs/coverage.yml
+  - /ci/jobs/latte.yml
 
 variables:
   ARCH: "amd64"
@@ -43,6 +44,8 @@ stages:
   - package
   - analyse
   - test
+  - latte-record
+  - latte-replay
   - coverage
   - installation_tests
   - upload_packages

ci/docker/tester/Dockerfile

@@ -16,18 +16,21 @@ RUN apt-get update \
     # install python packages for tests
     && python3 -m pip install -r /tmp/requirements.txt \
     # install thsark
-    DEBIAN_FRONTEND=noninteractive apt-get install -y tshark \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y tshark \
     # make sure, that Docker does not hang during installation, when we get TUI screen
-    yes yes | DEBIAN_FRONTEND=teletype dpkg-reconfigure wireshark-common \
+    && yes yes | DEBIAN_FRONTEND=teletype dpkg-reconfigure wireshark-common \
     # cleanup
     && apt-get clean
 
 ARG USER_ID=1000
 ARG GROUP_ID=1000
 
+# yq is used by LATTE proxy
+RUN curl -L -o /usr/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 \
+    && chmod +x /usr/bin/yq 
+
 RUN groupadd --system nordvpn && groupadd -g ${GROUP_ID} qa && useradd -l -m -u ${USER_ID} -g qa -G nordvpn qa && echo "qa ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
 RUN usermod -a -G wireshark qa
 
 USER qa
-
 CMD ["exec", "$@"]

ci/docker/tester/requirements.txt

@@ -22,6 +22,7 @@ pyparsing==2.4.7
 pytest==7.2.0
 pytest-rerunfailures==10.2.0
 pytest-timeout==2.0.1
+python-gitlab == 3.14.0
 python-jsonrpc-server==0.4.0
 python-language-server==0.36.2
 python-lsp-jsonrpc==1.0.0

ci/jobs/.cond.yml

@@ -16,6 +16,10 @@
   rules:
     # merge request was created with at least one commit or a commit was pushed
     - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+.cond/proxy-record:
+  rules:
+    # manual pipeline was created to record proxy-replay DB
+    - if: $RECORD == '1'
 .cond/on-click:
   rules:
     # catch all if for basic and merge request pipelines

ci/jobs/analyse.yml

@@ -99,9 +99,7 @@ analyse/security2:
   variables:
     GITLAB_TOKEN: ${CI_JOB_TOKEN}
   image: !reference [cx-scan, image]
-  script: 
-    - curl $DISCOVER_IP_URL
-    - !reference [cx-scan, script]
+  script: !reference [cx-scan, script]
   dependencies: []
   tags:
     - mountain-gitlab-runner

ci/jobs/build.yml

@@ -7,6 +7,7 @@ build/binaries:
     - !reference [.cond/on-main, rules]
     - !reference [.cond/on-version-tag, rules]
     - !reference [.cond/on-merge-request, rules]
+    - !reference [.cond/proxy-record, rules]
   variables:
     BUILD_FLAGS: -cover
   script: $CI_PROJECT_DIR/ci/compile.sh
@@ -40,7 +41,7 @@ build/openvpn:
     - !reference [.cond/on-main, rules]
     - !reference [.cond/on-version-tag, rules]
     - !reference [.cond/on-merge-request, rules]
-    - !reference [.cond/on-click, rules]
+    - !reference [.cond/proxy-record, rules]
   script: $CI_PROJECT_DIR/build/openvpn/build.sh
   dependencies: []
   artifacts:
@@ -56,7 +57,7 @@ build/data:
     - !reference [.cond/on-main, rules]
     - !reference [.cond/on-version-tag, rules]
     - !reference [.cond/on-merge-request, rules]
-    - !reference [.cond/on-click, rules]
+    - !reference [.cond/proxy-record, rules]
   script: $CI_PROJECT_DIR/ci/data.sh
   dependencies: []
   artifacts:
@@ -69,7 +70,7 @@ build/licenses:
     - !reference [.cond/on-main, rules]
     - !reference [.cond/on-version-tag, rules]
     - !reference [.cond/on-merge-request, rules]
-    - !reference [.cond/on-click, rules]
+    - !reference [.cond/proxy-record, rules]
   script: $CI_PROJECT_DIR/ci/licenses.sh
   dependencies: []
   artifacts:

ci/jobs/coverage.yml

@@ -1,12 +1,17 @@
 include: /ci/jobs/.cond.yml
 
-coverage/integration:
-  stage: coverage
-  image: ghcr.io/nordsecurity/nordvpn-linux/builder:1.0.0
+.latte-rules:
+  rules:
+    - !reference [.cond/on-merge-request, rules]
+
+.no-latte-rules:  
   rules:
     - !reference [.cond/on-main, rules]
     - !reference [.cond/on-version-tag, rules]
-    - !reference [.cond/on-merge-request, rules]
+
+.coverage/integration:
+  stage: coverage
+  image: ghcr.io/nordsecurity/nordvpn-linux/builder:1.0.0
   script:
     - $CI_PROJECT_DIR/ci/qa_test_coverage.sh
   dependencies: 
@@ -22,13 +27,30 @@ coverage/integration:
     - test/deb-fileshare
   allow_failure: true
   coverage: '/Total coverage: (\d+\.\d+)%/'
-coverage/combined:
+
+coverage/integration-latte:
+  extends: 
+    - .coverage/integration
+    - .latte-rules
+  dependencies:
+    - latte/deb-replay
+    - latte/deb-connect1-replay
+    - latte/deb-connect2-replay
+    - latte/deb-combinations-replay
+    - test/deb-manual
+    - latte/deb-autoconnect1-replay
+    - latte/deb-autoconnect2-replay
+    - test/deb-meshnet
+    - test/deb-fileshare
+
+coverage/integration-regular:
+  extends: 
+    - .coverage/integration
+    - .no-latte-rules
+
+.coverage/combined:
   stage: coverage
   image: ghcr.io/nordsecurity/nordvpn-linux/builder:1.0.0
-  rules:
-    - !reference [.cond/on-main, rules]
-    - !reference [.cond/on-version-tag, rules]
-    - !reference [.cond/on-merge-request, rules]
   script:
     - $CI_PROJECT_DIR/ci/combined_coverage.sh
   dependencies: 
@@ -44,4 +66,24 @@ coverage/combined:
     - test/deb-meshnet
     - test/deb-fileshare
   allow_failure: true
-  coverage: '/Total coverage: (\d+\.\d+)%/'
+  coverage: '/Total coverage: (\d+\.\d+)%/'
+
+coverage/combined-latte:
+  extends: 
+    - .coverage/combined
+    - .latte-rules
+  dependencies:
+    - latte/deb-replay
+    - latte/deb-connect1-replay
+    - latte/deb-connect2-replay
+    - latte/deb-combinations-replay
+    - test/deb-manual
+    - latte/deb-autoconnect1-replay
+    - latte/deb-autoconnect2-replay
+    - test/deb-meshnet
+    - test/deb-fileshare
+
+coverage/combined-regular:
+  extends: 
+    - .coverage/combined
+    - .no-latte-rules

ci/jobs/latte.yml

@@ -0,0 +1,184 @@
+variables:
+  LATTE_DB_VERSION: v1.0.1
+  USER: qa
+  PROXY_URL: $PROXY_URL
+
+include: /ci/jobs/.cond.yml
+
+.job-template:
+  image: ghcr.io/nordsecurity/nordvpn-linux/tester:1.1.1
+  variables:
+    REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
+    LATTE: '1'
+  rules:
+    - !reference [.cond/on-merge-request, rules]
+  dependencies:
+    - "package/deb: [amd64]"
+  before_script:
+    - git clone --branch v1.0.0 https://gitlab-ci-token:${CI_JOB_TOKEN}@$PROXY_URL $CI_PROJECT_DIR/3rd-party/proxy
+    - cd $CI_PROJECT_DIR/3rd-party/proxy
+    - ./proxy.sh -i
+  after_script:
+    - cp /opt/proxy/databases/_test.db $CI_PROJECT_DIR/dist/recorded.db
+    - cp /opt/proxy/_dump/proxylogs.log $CI_PROJECT_DIR/proxylogs.log
+  artifacts:
+    when: always
+    paths:
+      - $CI_PROJECT_DIR/dist/recorded.db
+      - $CI_PROJECT_DIR/dist/logs/daemon.log
+      - $CI_PROJECT_DIR/covdatafiles
+      - $CI_PROJECT_DIR/proxylogs.log
+
+.record-job-template:
+  stage: latte-record
+  extends: .job-template
+  rules:
+    - !reference [.cond/proxy-record, rules]
+
+
+.replay-job-template:
+  stage: latte-replay
+  extends: .job-template
+  needs:
+    - "latte/download-db"
+    - "package/deb: [amd64]"
+  dependencies:
+    - "latte/download-db"
+    - "package/deb: [amd64]"
+
+
+.setup-proxy-record:
+  script:
+    - $CI_PROJECT_DIR/ci/setup_proxy.sh --record
+    - cd $CI_PROJECT_DIR
+
+.setup-proxy-replay:
+  script:
+    - $CI_PROJECT_DIR/ci/setup_proxy.sh --replay
+    - cd $CI_PROJECT_DIR
+
+.copy-record:
+  script:
+    - sudo cp $CI_PROJECT_DIR/dist/recorded.db /opt/proxy/databases/_test.db
+    - sudo chown -R mitmproxyuser:mitmproxyuser /opt/proxy/databases/_test.db
+
+.copy-replay:
+  script:
+    - cp $CI_PROJECT_DIR/dist/latte.db /opt/proxy/databases/_test.db
+
+.enable_ipv6:
+  script:
+    - echo "enable ipv6 (it is needed for transport_test)"
+    - sudo sysctl net.ipv6.conf.all.disable_ipv6=0
+
+latte/download-db:
+  stage: latte-replay
+  image: ghcr.io/nordsecurity/nordvpn-linux/tester:1.1.1
+  rules:
+    - !reference [.cond/on-merge-request, rules]
+  script:
+    - mkdir $CI_PROJECT_DIR/dist
+    - | 
+      python3 $CI_PROJECT_DIR/ci/remote_gitlab_package.py \
+          download \
+          --package-name=LATTE_DB \
+          --project=$CI_PROJECT_ID \
+          --file=latte.db \
+          --version=$LATTE_DB_VERSION \
+          --output=$CI_PROJECT_DIR/dist/latte.db
+  dependencies: []
+  artifacts:
+    when: always
+    paths:
+      - $CI_PROJECT_DIR/dist/latte.db
+
+latte/deb-replay:
+  extends: .replay-job-template
+  script:
+    - !reference [.enable_ipv6, script]
+    - !reference [.copy-replay, script]
+    - !reference [.setup-proxy-replay, script]
+    - $CI_PROJECT_DIR/ci/test_deb.sh $TEST
+  parallel:
+    matrix:
+      - TEST: [connect6, dns, dns6, login, misc, routing, settings]
+
+latte/deb-autoconnect1-replay:
+  extends: .replay-job-template
+  script:
+    - !reference [.copy-replay, script]
+    - !reference [.setup-proxy-replay, script]
+    - $CI_PROJECT_DIR/ci/test_deb.sh autoconnect 'test_autoconnect_default or test_not_autoconnect or test_autoconnect_to_country'
+
+latte/deb-autoconnect2-replay:
+  extends: .replay-job-template
+  script:
+    - !reference [.copy-replay, script]
+    - !reference [.setup-proxy-replay, script]
+    - $CI_PROJECT_DIR/ci/test_deb.sh autoconnect 'test_autoconnect_to_city or test_autoconnect_to_random_server_by_name or test_autoconnect_to_standard_group or test_autoconnect_to_additional_group'
+
+latte/deb-combinations-replay:
+  extends: .replay-job-template
+  script:
+    - !reference [.copy-replay, script]
+    - !reference [.setup-proxy-replay, script]
+    - $CI_PROJECT_DIR/ci/test_deb.sh combinations $PATTERN
+  parallel:
+    matrix:
+      - PATTERN: [test_reconnect_matrix_standard, test_reconnect_matrix_obfuscated, test_connect_country_and_city]
+
+latte/deb-connect1-replay:
+  extends: .replay-job-template
+  script:
+    - !reference [.copy-replay, script]
+    - !reference [.setup-proxy-replay, script]
+    - $CI_PROJECT_DIR/ci/test_deb.sh connect 'test_quick_connect or test_double_quick_connect_only or test_connect_to_absent_server or test_mistype_connect or test_connect_to_invalid_group or test_connect_to_group_flag_standard or test_connect_to_group_flag_additional or test_connect_without_internet_access'
+
+latte/deb-connect2-replay:
+  extends: .replay-job-template
+  script:
+    - !reference [.copy-replay, script]
+    - !reference [.setup-proxy-replay, script]
+    - $CI_PROJECT_DIR/ci/test_deb.sh connect 'test_connect_to_random_server_by_name or test_connection_recovers_from_network_restart or test_double_quick_connect_disconnect or test_connect_to_city or test_connect_to_country or test_connect_to_code_country or test_connect_to_group_standard or test_connect_to_group_additional'
+
+latte/deb-autoconnect-record:
+  extends: .record-job-template
+  script:
+    - !reference [.setup-proxy-record, script]
+    - $CI_PROJECT_DIR/ci/test_deb.sh autoconnect
+  dependencies:  
+    - "package/deb: [amd64]"
+  needs:  
+    - "package/deb: [amd64]"
+
+latte/deb-misc-record:
+  extends: .record-job-template
+  dependencies:  
+    - "latte/deb-autoconnect-record"
+    - "package/deb: [amd64]"
+  needs:  
+    - "latte/deb-autoconnect-record"
+    - "package/deb: [amd64]"
+  script:
+    - !reference [.copy-record, script]
+    - !reference [.setup-proxy-record, script]
+    - $CI_PROJECT_DIR/ci/test_deb.sh misc
+
+latte/upload-db:
+  stage: latte-record
+  image: ghcr.io/nordsecurity/nordvpn-linux/tester:1.1.1
+  rules:
+    - !reference [.cond/proxy-record, rules]
+  dependencies:
+    - "latte/deb-misc-record"
+  needs:  
+    - "latte/deb-misc-record"
+  script:
+    - mv $CI_PROJECT_DIR/dist/recorded.db $CI_PROJECT_DIR/dist/latte.db
+    - | 
+      python3 $CI_PROJECT_DIR/ci/remote_gitlab_package.py \
+          upload \
+          --package-name=LATTE_DB \
+          --project=$CI_PROJECT_ID \
+          --file=$CI_PROJECT_DIR/dist/latte.db \
+          --version=$LATTE_DB_VERSION 

ci/jobs/package.yml

@@ -9,7 +9,7 @@ package/deb:
     - !reference [.cond/on-main, rules]
     - !reference [.cond/on-version-tag, rules]
     - !reference [.cond/on-merge-request, rules]
-    - !reference [.cond/on-click, rules]
+    - !reference [.cond/proxy-record, rules]
   script: $CI_PROJECT_DIR/ci/nfpm/build_packages_resources.sh deb
   dependencies:
     - build/data