pic/tests/e2e/wg/test_wg_domain_access.py

"""
WireGuard E2E: domain name resolution and HTTP access through the VPN tunnel.

Scenarios covered:
  30. All *.dev domains resolve to the expected IPs via the CoreDNS server
  31. Direct HTTP access to each service IP works through the VPN
  32. HTTP access via domain names works through the VPN (DNS + routing)
  33. WireGuard config downloaded via /api/peer/services has correct DNS field
  34. Peer config DNS points to CoreDNS, not the WireGuard VPN gateway

These tests require a live PIC stack with WireGuard and are marked `wg`.
They run via `make test-e2e-wg` or `pytest tests/e2e/wg/ -m wg`.
"""

import subprocess
import pytest

pytestmark = pytest.mark.wg

# Expected domain→IP mapping for the current default config
DOMAIN_IPS = {
    'pic0':    '172.20.0.2',   # Caddy (main cell domain)
    'api':     '172.20.0.2',   # Caddy reverse-proxy for API
    'webui':   '172.20.0.2',   # Caddy reverse-proxy for WebUI
    'calendar': '172.20.0.21', # Caddy VIP for CalDAV
    'files':   '172.20.0.22',  # Caddy VIP for Filegator
    'mail':    '172.20.0.23',  # Caddy VIP for Rainloop
    'webmail': '172.20.0.23',  # alias for mail VIP
    'webdav':  '172.20.0.24',  # Caddy VIP for WebDAV
}


def _dns_ip(admin_client) -> str:
    r = admin_client.get('/api/config')
    if r.status_code == 200:
        ips = r.json().get('service_ips', {})
        if ips.get('dns'):
            return ips['dns']
    return '172.20.0.3'


def _domain(admin_client) -> str:
    r = admin_client.get('/api/config')
    if r.status_code == 200:
        return r.json().get('domain', 'dev')
    return 'dev'


# ── Scenario 30: DNS resolution ───────────────────────────────────────────────

@pytest.mark.parametrize('subdomain,expected_ip', list(DOMAIN_IPS.items()))
def test_dev_domain_resolves_to_expected_ip(connected_peer, admin_client, subdomain, expected_ip):
    """Every .dev subdomain resolves to the correct IP via CoreDNS."""
    dns_ip = _dns_ip(admin_client)
    dom = _domain(admin_client)
    fqdn = f'{subdomain}.{dom}'
    result = subprocess.run(
        ['dig', f'@{dns_ip}', fqdn, 'A', '+short', '+time=5'],
        capture_output=True, text=True, timeout=10,
    )
    assert result.returncode == 0, f"dig failed for {fqdn}: {result.stderr}"
    resolved = result.stdout.strip()
    assert resolved == expected_ip, (
        f"{fqdn} resolved to {resolved!r}, expected {expected_ip}. "
        f"DNS server: {dns_ip}"
    )


def test_api_domain_does_not_resolve_to_api_container(connected_peer, admin_client):
    """api.dev must route through Caddy (172.20.0.2) — API container listens on :3000, not :80."""
    dns_ip = _dns_ip(admin_client)
    dom = _domain(admin_client)
    result = subprocess.run(
        ['dig', f'@{dns_ip}', f'api.{dom}', 'A', '+short', '+time=5'],
        capture_output=True, text=True, timeout=10,
    )
    resolved = result.stdout.strip()
    assert resolved != '172.20.0.10', (
        f"api.{dom} resolves to 172.20.0.10 (API container direct) — "
        "this bypasses Caddy so HTTP requests to api.{dom}:80 return nothing; "
        "must resolve to Caddy 172.20.0.2"
    )
    assert resolved == '172.20.0.2', (
        f"api.{dom} should resolve to Caddy 172.20.0.2; got {resolved}"
    )


def test_webui_domain_does_not_resolve_to_webui_container(connected_peer, admin_client):
    """webui.dev must route through Caddy — WebUI container also doesn't listen on :80 directly."""
    dns_ip = _dns_ip(admin_client)
    dom = _domain(admin_client)
    result = subprocess.run(
        ['dig', f'@{dns_ip}', f'webui.{dom}', 'A', '+short', '+time=5'],
        capture_output=True, text=True, timeout=10,
    )
    resolved = result.stdout.strip()
    assert resolved == '172.20.0.2', (
        f"webui.{dom} should resolve to Caddy 172.20.0.2; got {resolved}"
    )


# ── Scenario 31: HTTP via IP ───────────────────────────────────────────────────

def test_caddy_ip_serves_http(connected_peer):
    """Caddy IP 172.20.0.2 returns an HTTP response (not connection refused)."""
    result = subprocess.run(
        ['curl', '-s', '-o', '/dev/null', '-w', '%{http_code}', '--connect-timeout', '5',
         'http://172.20.0.2/'],
        capture_output=True, text=True, timeout=10,
    )
    code = result.stdout.strip()
    assert code not in ('000', ''), f"No HTTP response from 172.20.0.2; curl exit {result.returncode}"


# ── Scenario 32: HTTP via domain ──────────────────────────────────────────────

def test_http_api_domain_reaches_api(connected_peer, admin_client):
    """curl http://api.dev/api/status returns a JSON response via Caddy."""
    dom = _domain(admin_client)
    dns_ip = _dns_ip(admin_client)
    result = subprocess.run(
        ['curl', '-s', '--connect-timeout', '5',
         f'--dns-servers', dns_ip,
         f'http://api.{dom}/api/status'],
        capture_output=True, text=True, timeout=10,
    )
    # Any valid JSON response is acceptable (200, 401, etc.)
    assert result.stdout.strip(), (
        f"curl http://api.{dom}/api/status returned no output via DNS {dns_ip}. "
        f"stderr: {result.stderr[:200]}"
    )


# ── Scenario 33: Config DNS field ─────────────────────────────────────────────

def test_peer_services_config_has_coredns(admin_client, make_peer):
    """Config returned by /api/peer/services must use CoreDNS IP, not WireGuard VPN gateway."""
    from helpers.api_client import PicAPIClient
    import os

    peer = make_peer('e2etest-dns-config', password='DnsTest123!')

    peer_client = PicAPIClient(os.environ.get('PIC_API_BASE', 'http://192.168.31.51:3000'))
    peer_client.login(peer['name'], 'DnsTest123!')

    r = peer_client.get('/api/peer/services')
    assert r.status_code == 200, f"peer services returned {r.status_code}: {r.text}"
    data = r.json()

    dns = data.get('wireguard', {}).get('dns', '')
    assert dns != '10.0.0.1', (
        "wireguard.dns is 10.0.0.1 — this is the WireGuard VPN gateway, NOT a DNS server; "
        "VPN clients using this as DNS will fail to resolve any domain"
    )

    config = data.get('wireguard', {}).get('config', '')
    if config:
        assert 'DNS = 10.0.0.1' not in config, (
            "WireGuard config has DNS = 10.0.0.1 — VPN clients will fail to resolve domains"
        )
        # DNS should be reachable from VPN (must be on the Docker network, not VPN subnet)
        dns_from_config = None
        for line in config.splitlines():
            if line.strip().startswith('DNS ='):
                dns_from_config = line.split('=', 1)[1].strip()
                break
        if dns_from_config:
            assert dns_from_config.startswith('172.'), (
                f"DNS in config is {dns_from_config} — expected a 172.x.x.x Docker network IP "
                f"(CoreDNS is on the Docker bridge, not the WireGuard VPN subnet)"
            )


# ── Scenario 34: DNS reachability from VPN ────────────────────────────────────

def test_coredns_reachable_via_vpn(connected_peer, admin_client):
    """CoreDNS at 172.20.0.3 is reachable through the VPN tunnel."""
    dns_ip = _dns_ip(admin_client)
    result = subprocess.run(
        ['dig', f'@{dns_ip}', 'health.check', '+time=3', '+tries=1'],
        capture_output=True, text=True, timeout=8,
    )
    # NXDOMAIN means DNS responded — that's a success (connectivity is what we're testing)
    responded = 'status:' in result.stdout or result.returncode in (0, 9)
    assert responded, (
        f"CoreDNS at {dns_ip} did not respond via VPN tunnel. "
        f"Check that AllowedIPs in peer config covers 172.20.0.0/16 or 0.0.0.0/0. "
        f"stdout: {result.stdout[:200]}"
    )