""" WireGuard E2E: domain name resolution and HTTP access through the VPN tunnel. Scenarios covered: 30. All service subdomains resolve to the expected IPs via the CoreDNS server 31. Direct HTTP access to each service IP works through the VPN 32. HTTP access via domain names works through the VPN (DNS + routing) 33. WireGuard config downloaded via /api/peer/services has correct DNS field 34. Peer config DNS points to CoreDNS, not the WireGuard VPN gateway Domain name is read from the live API config — these tests do NOT hardcode .dev or .lan. These tests require a live PIC stack with WireGuard and are marked `wg`. They run via `make test-e2e-wg` or `pytest tests/e2e/wg/ -m wg`. """ import subprocess import pytest pytestmark = pytest.mark.wg # Subdomain → expected offset in ip_utils.CONTAINER_OFFSETS / VIP list. # These are the sub-names, not full FQDNs — the TLD is fetched from config. SUBDOMAINS_TO_IPS = { 'api': '172.20.0.2', # must route through Caddy (not API container direct) 'webui': '172.20.0.2', # must route through Caddy 'calendar': '172.20.0.21', # Caddy VIP for CalDAV 'files': '172.20.0.22', # Caddy VIP for Filegator 'mail': '172.20.0.23', # Caddy VIP for Rainloop 'webmail': '172.20.0.23', # alias for mail VIP 'webdav': '172.20.0.24', # Caddy VIP for WebDAV } # ── helpers ─────────────────────────────────────────────────────────────────── def _config(admin_client) -> dict: r = admin_client.get('/api/config') return r.json() if r.status_code == 200 else {} def _dns_ip(admin_client) -> str: cfg = _config(admin_client) return cfg.get('service_ips', {}).get('dns') or '172.20.0.3' def _domain(admin_client) -> str: """Return the configured cell domain (e.g. 'lan', 'dev', 'home').""" return _config(admin_client).get('domain') or 'lan' def _cell_name(admin_client) -> str: return _config(admin_client).get('cell_name') or 'pic0' # ── Scenario 30: DNS resolution ─────────────────────────────────────────────── @pytest.mark.parametrize('subdomain,expected_ip', list(SUBDOMAINS_TO_IPS.items())) def test_service_domain_resolves_to_expected_ip(connected_peer, admin_client, subdomain, expected_ip): """Each service subdomain resolves to the correct IP via CoreDNS. The full FQDN is built from the configured domain — not hardcoded to any TLD. """ dns_ip = _dns_ip(admin_client) dom = _domain(admin_client) fqdn = f'{subdomain}.{dom}' result = subprocess.run( ['dig', f'@{dns_ip}', fqdn, 'A', '+short', '+time=5'], capture_output=True, text=True, timeout=10, ) assert result.returncode == 0, f"dig failed for {fqdn}: {result.stderr}" resolved = result.stdout.strip() assert resolved == expected_ip, ( f"{fqdn} resolved to {resolved!r}, expected {expected_ip}. " f"DNS server: {dns_ip}, configured domain: {dom!r}" ) def test_cell_hostname_resolves_to_caddy(connected_peer, admin_client): """The cell hostname (e.g. pic0.lan) resolves to Caddy.""" dns_ip = _dns_ip(admin_client) dom = _domain(admin_client) name = _cell_name(admin_client) fqdn = f'{name}.{dom}' result = subprocess.run( ['dig', f'@{dns_ip}', fqdn, 'A', '+short', '+time=5'], capture_output=True, text=True, timeout=10, ) resolved = result.stdout.strip() assert resolved == '172.20.0.2', ( f"{fqdn} should resolve to Caddy (172.20.0.2); got {resolved!r}" ) def test_api_domain_does_not_resolve_to_api_container(connected_peer, admin_client): """api. must route through Caddy — API container listens on :3000, not :80.""" dns_ip = _dns_ip(admin_client) dom = _domain(admin_client) result = subprocess.run( ['dig', f'@{dns_ip}', f'api.{dom}', 'A', '+short', '+time=5'], capture_output=True, text=True, timeout=10, ) resolved = result.stdout.strip() assert resolved != '172.20.0.10', ( f"api.{dom} resolves to 172.20.0.10 (API container direct) — " "this bypasses Caddy so port-80 requests return nothing; must be Caddy 172.20.0.2" ) assert resolved == '172.20.0.2', f"api.{dom} should be Caddy 172.20.0.2; got {resolved}" def test_webui_domain_does_not_resolve_to_webui_container(connected_peer, admin_client): """webui. must route through Caddy.""" dns_ip = _dns_ip(admin_client) dom = _domain(admin_client) result = subprocess.run( ['dig', f'@{dns_ip}', f'webui.{dom}', 'A', '+short', '+time=5'], capture_output=True, text=True, timeout=10, ) resolved = result.stdout.strip() assert resolved == '172.20.0.2', f"webui.{dom} should be Caddy 172.20.0.2; got {resolved}" # ── Scenario 31: HTTP via IP ─────────────────────────────────────────────────── def test_caddy_ip_serves_http(connected_peer): """Caddy at 172.20.0.2 returns an HTTP response through the VPN.""" result = subprocess.run( ['curl', '-s', '-o', '/dev/null', '-w', '%{http_code}', '--connect-timeout', '5', 'http://172.20.0.2/'], capture_output=True, text=True, timeout=10, ) code = result.stdout.strip() assert code not in ('000', ''), f"No HTTP response from 172.20.0.2; curl exit {result.returncode}" # ── Scenario 32: HTTP via domain ────────────────────────────────────────────── def test_http_api_domain_reaches_api(connected_peer, admin_client): """curl http://api./api/status returns a JSON response via Caddy + CoreDNS.""" dom = _domain(admin_client) dns_ip = _dns_ip(admin_client) result = subprocess.run( ['curl', '-s', '--connect-timeout', '5', '--dns-servers', dns_ip, f'http://api.{dom}/api/status'], capture_output=True, text=True, timeout=10, ) assert result.stdout.strip(), ( f"curl http://api.{dom}/api/status returned no output via DNS {dns_ip}. " f"stderr: {result.stderr[:200]}" ) # ── Scenario 33: Config DNS field ───────────────────────────────────────────── def test_peer_services_config_has_coredns_not_vpn_gateway(admin_client, make_peer): """WireGuard config in /api/peer/services must use CoreDNS IP, not 10.0.0.1.""" from helpers.api_client import PicAPIClient import os peer = make_peer('e2etest-dns-config', password='DnsTest123!') peer_client = PicAPIClient(os.environ.get('PIC_API_BASE', 'http://192.168.31.51:3000')) peer_client.login(peer['name'], 'DnsTest123!') r = peer_client.get('/api/peer/services') assert r.status_code == 200, f"peer services returned {r.status_code}: {r.text}" data = r.json() dns = data.get('wireguard', {}).get('dns', '') assert dns != '10.0.0.1', ( "wireguard.dns is 10.0.0.1 — this is the WireGuard VPN gateway, not a DNS server; " "VPN clients using this as DNS will fail to resolve all domain names" ) config = data.get('wireguard', {}).get('config', '') if config: assert 'DNS = 10.0.0.1' not in config, ( "WireGuard client config has DNS = 10.0.0.1 — " "VPN clients will fail to resolve domain names" ) for line in config.splitlines(): if line.strip().startswith('DNS ='): dns_from_config = line.split('=', 1)[1].strip() assert dns_from_config.startswith('172.'), ( f"DNS in config is {dns_from_config} — expected a 172.x.x.x Docker IP; " "CoreDNS lives on the Docker bridge, not the WireGuard VPN subnet" ) break def test_peer_services_caldav_url_uses_configured_domain(admin_client, make_peer): """CalDAV URL must use the configured domain, not hardcode 'radicale.dev:5232'.""" from helpers.api_client import PicAPIClient import os dom = _domain(admin_client) peer = make_peer('e2etest-caldav-url', password='CaldavTest123!') peer_client = PicAPIClient(os.environ.get('PIC_API_BASE', 'http://192.168.31.51:3000')) peer_client.login(peer['name'], 'CaldavTest123!') r = peer_client.get('/api/peer/services') assert r.status_code == 200 url = r.json().get('caldav', {}).get('url', '') assert f'calendar.{dom}' in url, ( f"CalDAV URL {url!r} does not contain 'calendar.{dom}' — " f"must use configured domain '{dom}', not a hardcoded TLD" ) assert 'radicale' not in url, ( f"CalDAV URL {url!r} contains 'radicale' — no radicale. DNS record exists" ) assert ':5232' not in url, ( f"CalDAV URL {url!r} exposes internal port 5232 — use Caddy-proxied URL" ) # ── Scenario 34: DNS reachability from VPN ──────────────────────────────────── def test_coredns_reachable_via_vpn(connected_peer, admin_client): """CoreDNS is reachable through the WireGuard VPN tunnel.""" dns_ip = _dns_ip(admin_client) result = subprocess.run( ['dig', f'@{dns_ip}', 'health.check', '+time=3', '+tries=1'], capture_output=True, text=True, timeout=8, ) # NXDOMAIN means DNS responded — connectivity is what we test here responded = 'status:' in result.stdout or result.returncode in (0, 9) assert responded, ( f"CoreDNS at {dns_ip} did not respond via VPN tunnel. " f"Check that peer AllowedIPs covers the Docker network or 0.0.0.0/0. " f"stdout: {result.stdout[:200]}" )