roof
0d32038150
Adds tests/e2e/ with three layers of E2E coverage: - API layer (tests/e2e/api/): unauthenticated access, admin endpoints, peer endpoints, access control enforcement — 24 tests - Playwright UI (tests/e2e/ui/): login flows, admin navigation, peer dashboard/services, role-based ACL, password change — 60+ tests - WireGuard connectivity (tests/e2e/wg/): tunnel up/down, DNS resolution through VPN, service ACL enforcement via iptables, full-tunnel routing Shared helpers: PicAPIClient, WGInterface, playwright_login, cleanup. Makefile targets: test-e2e-api, test-e2e-ui, test-e2e-wg, test-e2e. Adds scripts/reset_admin_password.py for test bootstrap. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
30 lines
1.1 KiB
Python
30 lines
1.1 KiB
Python
import pytest
|
|
import subprocess
|
|
|
|
pytestmark = pytest.mark.wg
|
|
|
|
|
|
def test_dns_resolves_via_vpn(connected_peer, admin_client):
|
|
"""Scenario 27: DNS queries for cell domain resolve via 10.0.0.1 (CoreDNS)."""
|
|
# Get the configured domain
|
|
r = admin_client.get('/api/config')
|
|
domain = r.json().get('domain', 'cell') if r.status_code == 200 else 'cell'
|
|
|
|
# Query CoreDNS at the server VPN IP
|
|
result = subprocess.run(
|
|
['dig', f'@10.0.0.1', f'mail.{domain}', '+short', '+time=5'],
|
|
capture_output=True, text=True, timeout=10
|
|
)
|
|
# CoreDNS should respond (not necessarily with an IP — just not SERVFAIL)
|
|
assert result.returncode == 0, f"DNS query failed: {result.stderr}"
|
|
|
|
|
|
def test_dns_server_reachable_via_vpn(connected_peer):
|
|
"""CoreDNS port 53 is reachable from within the VPN."""
|
|
result = subprocess.run(
|
|
['dig', '@10.0.0.1', 'health.check', '+time=2'],
|
|
capture_output=True, text=True, timeout=5
|
|
)
|
|
# Even a NXDOMAIN response means DNS is up
|
|
assert 'SERVFAIL' not in result.stdout or result.returncode == 0 or 'status:' in result.stdout
|