roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
pic/tests/e2e/wg/test_wg_domain_access.py
T
roof 0c12e3fc97 fix: change domain from dev to lan to avoid browser HSTS preload blocking HTTP 
The .dev TLD has been HSTS preloaded in Chrome/Firefox/Safari/Edge since 2019.
Browsers silently redirect http://anything.dev to https://anything.dev before
making any network request. Since Caddy has auto_https off, all browser-based
access to .dev domains fails with a connection error even though DNS, routing,
and HTTP all work correctly (curl works; browsers don't).

- cell_config.json: domain "dev" -> "lan"
- Caddyfile: all http://*.dev blocks -> http://*.lan
- Corefile: dev zone -> lan zone (file /data/lan.zone)
- data/dns/lan.zone: new zone file (dev.zone removed live)
- test_wg_domain_access.py: remove hardcoded DOMAIN_IPS / .dev references;
  read domain from /api/config at runtime so tests work with any configured TLD

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-27 01:54:33 -04:00

233 lines
9.8 KiB
Python
Raw Permalink Blame History

"""
WireGuard E2E: domain name resolution and HTTP access through the VPN tunnel.
Scenarios covered:
30. All service subdomains resolve to the expected IPs via the CoreDNS server
31. Direct HTTP access to each service IP works through the VPN
32. HTTP access via domain names works through the VPN (DNS + routing)
33. WireGuard config downloaded via /api/peer/services has correct DNS field
34. Peer config DNS points to CoreDNS, not the WireGuard VPN gateway
Domain name is read from the live API config — these tests do NOT hardcode .dev or .lan.
These tests require a live PIC stack with WireGuard and are marked `wg`.
They run via `make test-e2e-wg` or `pytest tests/e2e/wg/ -m wg`.
"""
import subprocess
import pytest
pytestmark = pytest.mark.wg
# Subdomain → expected offset in ip_utils.CONTAINER_OFFSETS / VIP list.
# These are the sub-names, not full FQDNs — the TLD is fetched from config.
SUBDOMAINS_TO_IPS = {
'api': '172.20.0.2', # must route through Caddy (not API container direct)
'webui': '172.20.0.2', # must route through Caddy
'calendar': '172.20.0.21', # Caddy VIP for CalDAV
'files': '172.20.0.22', # Caddy VIP for Filegator
'mail': '172.20.0.23', # Caddy VIP for Rainloop
'webmail': '172.20.0.23', # alias for mail VIP
'webdav': '172.20.0.24', # Caddy VIP for WebDAV
}
# ── helpers ───────────────────────────────────────────────────────────────────
def _config(admin_client) -> dict:
r = admin_client.get('/api/config')
return r.json() if r.status_code == 200 else {}
def _dns_ip(admin_client) -> str:
cfg = _config(admin_client)
return cfg.get('service_ips', {}).get('dns') or '172.20.0.3'
def _domain(admin_client) -> str:
"""Return the configured cell domain (e.g. 'lan', 'dev', 'home')."""
return _config(admin_client).get('domain') or 'lan'
def _cell_name(admin_client) -> str:
return _config(admin_client).get('cell_name') or 'pic0'
# ── Scenario 30: DNS resolution ───────────────────────────────────────────────
@pytest.mark.parametrize('subdomain,expected_ip', list(SUBDOMAINS_TO_IPS.items()))
def test_service_domain_resolves_to_expected_ip(connected_peer, admin_client, subdomain, expected_ip):
"""Each service subdomain resolves to the correct IP via CoreDNS.
The full FQDN is built from the configured domain — not hardcoded to any TLD.
"""
dns_ip = _dns_ip(admin_client)
dom = _domain(admin_client)
fqdn = f'{subdomain}.{dom}'
result = subprocess.run(
['dig', f'@{dns_ip}', fqdn, 'A', '+short', '+time=5'],
capture_output=True, text=True, timeout=10,
)
assert result.returncode == 0, f"dig failed for {fqdn}: {result.stderr}"
resolved = result.stdout.strip()
assert resolved == expected_ip, (
f"{fqdn} resolved to {resolved!r}, expected {expected_ip}. "
f"DNS server: {dns_ip}, configured domain: {dom!r}"
)
def test_cell_hostname_resolves_to_caddy(connected_peer, admin_client):
"""The cell hostname (e.g. pic0.lan) resolves to Caddy."""
dns_ip = _dns_ip(admin_client)
dom = _domain(admin_client)
name = _cell_name(admin_client)
fqdn = f'{name}.{dom}'
result = subprocess.run(
['dig', f'@{dns_ip}', fqdn, 'A', '+short', '+time=5'],
capture_output=True, text=True, timeout=10,
)
resolved = result.stdout.strip()
assert resolved == '172.20.0.2', (
f"{fqdn} should resolve to Caddy (172.20.0.2); got {resolved!r}"
)
def test_api_domain_does_not_resolve_to_api_container(connected_peer, admin_client):
"""api.<domain> must route through Caddy — API container listens on :3000, not :80."""
dns_ip = _dns_ip(admin_client)
dom = _domain(admin_client)
result = subprocess.run(
['dig', f'@{dns_ip}', f'api.{dom}', 'A', '+short', '+time=5'],
capture_output=True, text=True, timeout=10,
)
resolved = result.stdout.strip()
assert resolved != '172.20.0.10', (
f"api.{dom} resolves to 172.20.0.10 (API container direct) — "
"this bypasses Caddy so port-80 requests return nothing; must be Caddy 172.20.0.2"
)
assert resolved == '172.20.0.2', f"api.{dom} should be Caddy 172.20.0.2; got {resolved}"
def test_webui_domain_does_not_resolve_to_webui_container(connected_peer, admin_client):
"""webui.<domain> must route through Caddy."""
dns_ip = _dns_ip(admin_client)
dom = _domain(admin_client)
result = subprocess.run(
['dig', f'@{dns_ip}', f'webui.{dom}', 'A', '+short', '+time=5'],
capture_output=True, text=True, timeout=10,
)
resolved = result.stdout.strip()
assert resolved == '172.20.0.2', f"webui.{dom} should be Caddy 172.20.0.2; got {resolved}"
# ── Scenario 31: HTTP via IP ───────────────────────────────────────────────────
def test_caddy_ip_serves_http(connected_peer):
"""Caddy at 172.20.0.2 returns an HTTP response through the VPN."""
result = subprocess.run(
['curl', '-s', '-o', '/dev/null', '-w', '%{http_code}', '--connect-timeout', '5',
'http://172.20.0.2/'],
capture_output=True, text=True, timeout=10,
)
code = result.stdout.strip()
assert code not in ('000', ''), f"No HTTP response from 172.20.0.2; curl exit {result.returncode}"
# ── Scenario 32: HTTP via domain ──────────────────────────────────────────────
def test_http_api_domain_reaches_api(connected_peer, admin_client):
"""curl http://api.<domain>/api/status returns a JSON response via Caddy + CoreDNS."""
dom = _domain(admin_client)
dns_ip = _dns_ip(admin_client)
result = subprocess.run(
['curl', '-s', '--connect-timeout', '5',
'--dns-servers', dns_ip,
f'http://api.{dom}/api/status'],
capture_output=True, text=True, timeout=10,
)
assert result.stdout.strip(), (
f"curl http://api.{dom}/api/status returned no output via DNS {dns_ip}. "
f"stderr: {result.stderr[:200]}"
)
# ── Scenario 33: Config DNS field ─────────────────────────────────────────────
def test_peer_services_config_has_coredns_not_vpn_gateway(admin_client, make_peer):
"""WireGuard config in /api/peer/services must use CoreDNS IP, not 10.0.0.1."""
from helpers.api_client import PicAPIClient
import os
peer = make_peer('e2etest-dns-config', password='DnsTest123!')
peer_client = PicAPIClient(os.environ.get('PIC_API_BASE', 'http://192.168.31.51:3000'))
peer_client.login(peer['name'], 'DnsTest123!')
r = peer_client.get('/api/peer/services')
assert r.status_code == 200, f"peer services returned {r.status_code}: {r.text}"
data = r.json()
dns = data.get('wireguard', {}).get('dns', '')
assert dns != '10.0.0.1', (
"wireguard.dns is 10.0.0.1 — this is the WireGuard VPN gateway, not a DNS server; "
"VPN clients using this as DNS will fail to resolve all domain names"
)
config = data.get('wireguard', {}).get('config', '')
if config:
assert 'DNS = 10.0.0.1' not in config, (
"WireGuard client config has DNS = 10.0.0.1 — "
"VPN clients will fail to resolve domain names"
)
for line in config.splitlines():
if line.strip().startswith('DNS ='):
dns_from_config = line.split('=', 1)[1].strip()
assert dns_from_config.startswith('172.'), (
f"DNS in config is {dns_from_config} — expected a 172.x.x.x Docker IP; "
"CoreDNS lives on the Docker bridge, not the WireGuard VPN subnet"
)
break
def test_peer_services_caldav_url_uses_configured_domain(admin_client, make_peer):
"""CalDAV URL must use the configured domain, not hardcode 'radicale.dev:5232'."""
from helpers.api_client import PicAPIClient
import os
dom = _domain(admin_client)
peer = make_peer('e2etest-caldav-url', password='CaldavTest123!')
peer_client = PicAPIClient(os.environ.get('PIC_API_BASE', 'http://192.168.31.51:3000'))
peer_client.login(peer['name'], 'CaldavTest123!')
r = peer_client.get('/api/peer/services')
assert r.status_code == 200
url = r.json().get('caldav', {}).get('url', '')
assert f'calendar.{dom}' in url, (
f"CalDAV URL {url!r} does not contain 'calendar.{dom}'"
f"must use configured domain '{dom}', not a hardcoded TLD"
)
assert 'radicale' not in url, (
f"CalDAV URL {url!r} contains 'radicale' — no radicale.<domain> DNS record exists"
)
assert ':5232' not in url, (
f"CalDAV URL {url!r} exposes internal port 5232 — use Caddy-proxied URL"
)
# ── Scenario 34: DNS reachability from VPN ────────────────────────────────────
def test_coredns_reachable_via_vpn(connected_peer, admin_client):
"""CoreDNS is reachable through the WireGuard VPN tunnel."""
dns_ip = _dns_ip(admin_client)
result = subprocess.run(
['dig', f'@{dns_ip}', 'health.check', '+time=3', '+tries=1'],
capture_output=True, text=True, timeout=8,
)
# NXDOMAIN means DNS responded — connectivity is what we test here
responded = 'status:' in result.stdout or result.returncode in (0, 9)
assert responded, (
f"CoreDNS at {dns_ip} did not respond via VPN tunnel. "
f"Check that peer AllowedIPs covers the Docker network or 0.0.0.0/0. "
f"stdout: {result.stdout[:200]}"
)
Reference in New Issue View Git Blame Copy Permalink