test: rework nginx partial download fixture, move nginx config snippets to dedicated files #188

Draft: wants to merge 10 commits into base: master

Bastian-Krause
Member

Draft, because this is based on #169.

Until now, the partial download tests did not work reliably and relied on implicit nginx behavior: `limit_rate_after 200k;` combined with `limit_rate 70k;` led to nginx sending "206 Partial Content" responses. As far as I remember, this was found by trial and error.

Let's use a more stable solution: lua scripting allows us to control reliably and in a fine-grained way what hawkBit artifacts nginx serves. So add a config snippet that makes nginx only serve the first half of the RAUC bundle, then close the connection prematurely and serve the second half via range request only. This is basically what the previous solution tried to achieve in a more reliable fashion.

This means we need to add the lua module and its dependencies to the test dependencies.

The nginx config is getting rather complex with this. We should not maintain lua scripting inside nginx configs inside python f-strings. So let's move the config to a dedicated file and use Python's template mechanism instead of f-strings and .format().
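
The fixture behaviour described above (first half of the bundle, premature close, remainder via range request), as an added Python example that is not code from this pull request. The handler, `BUNDLE`, `download_with_resume` and `run_demo` are hypothetical names, and the standard-library HTTP server stands in for nginx with lua.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BUNDLE = bytes(range(256)) * 64  # constructed 16 KiB stand-in for a RAUC bundle

class HalfThenRange(BaseHTTPRequestHandler):
    """Hypothetical stand-in for the fixture: half the file, then Range only."""
    def log_message(self, *args):  # keep stderr quiet
        pass

    def do_GET(self):
        rng = self.headers.get("Range")
        if rng is None:  # promise the full length, but send only the first half
            start, end, status = 0, len(BUNDLE) // 2, 200
        else:            # "bytes=N-": serve everything from offset N
            start, end, status = int(rng.split("=")[1].split("-")[0]), len(BUNDLE), 206
        self.send_response(status)
        if status == 206:
            self.send_header("Content-Range", f"bytes {start}-{end - 1}/{end}")
        self.send_header("Content-Length", str(len(BUNDLE) - start))
        self.end_headers()
        self.wfile.write(BUNDLE[start:end])  # HTTP/1.0 default: socket closes here

def download_with_resume(port, max_tries=5):
    """Fetch /bundle, resuming from the received offset after a truncation."""
    data, statuses, total = b"", [], None
    for _ in range(max_tries):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        hdrs = {"Range": f"bytes={len(data)}-"} if data else {}
        conn.request("GET", "/bundle", headers=hdrs)
        resp = conn.getresponse()
        statuses.append(resp.status)
        total = total or int(resp.headers["Content-Length"])
        try:
            data += resp.read()
        except http.client.IncompleteRead as exc:  # server closed early
            data += exc.partial
        conn.close()
        if len(data) >= total:
            return data, statuses
    raise RuntimeError("download did not complete")

def run_demo():
    with ThreadingHTTPServer(("127.0.0.1", 0), HalfThenRange) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return download_with_resume(server.server_address[1])
        finally:
            server.shutdown()
```
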

rvdgracht and others added 10 commits January 8, 2025 15:00
This is preparation for a new authentication method mTLS being
introduced in a future commit.

Move the SSL options up, so mTLS options can be added before bailing out
due to no valid authentication option set. Also move the existence check
for auth/gateway token into a new variable, so we can check for them in
a combined fashion.

Signed-off-by: Robin van der Gracht <[email protected]>
Signed-off-by: Bastian Krause <[email protected]>

Add support for mutual TLS authentication. This is the preferred method
of authentication for bosch-iot-suite.com's hawkBit instance and the only
one that allows keeping the authenticator in a (f)TPM.

Optionally, an OpenSSL engine can be configured if required for access to
the SSL private key.

Signed-off-by: Robin van der Gracht <[email protected]>
Signed-off-by: Bastian Krause <[email protected]>

This works by passing the client key and cert on to RAUC's
"tls-key"/"tls-cert" properties.

Signed-off-by: Robin van der Gracht <[email protected]>
Signed-off-by: Bastian Krause <[email protected]>

A future commit will set up a nginx reverse proxy between
rauc-hawkbit-updater and hawkbit for mTLS testing.

server.forward-headers-strategy=NATIVE makes Hawkbit take the
X-Forwarded-For/X-Forwarded-Proto headers into account.

Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Robin van der Gracht <[email protected]>
Signed-off-by: Bastian Krause <[email protected]>

Inspired by https://eclipse.dev/hawkbit/concepts/authentication/ .

The files in test/pki/ were generated by running this command in the
repository's root directory:

  $ test/gen_pki.sh test/pki

Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Robin van der Gracht <[email protected]>
Signed-off-by: Bastian Krause <[email protected]>

Inspired by https://eclipse.dev/hawkbit/concepts/authentication/, add
options to the nginx proxy configuration for mTLS tests and some new
infrastructure fixtures to make use of this feature in a future commit.

Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Robin van der Gracht <[email protected]>
Signed-off-by: Bastian Krause <[email protected]>

Based on the work of Florian Bezannier.

Client key and certificate are now provided to rauc_dbus_dummy by
rauc-hawkbit-updater through arguments of the InstallBundle method call
(for streaming installations). This also removes the need for a separate
mTLS rauc_dbus_dummy fixture.

Signed-off-by: Robin van der Gracht <[email protected]>
Signed-off-by: Bastian Krause <[email protected]>

The nginx config is getting rather complex. Future commits will even
extend the existing nginx configs with lua scripting. We should not
maintain lua scripting inside nginx configs inside python f-strings.
So let's move the config to a dedicated file and use Python's template
mechanism instead of f-strings and .format().

Signed-off-by: Bastian Krause <[email protected]>

Until now, the partial download tests did not work reliably and relied
on implicit nginx behavior: `limit_rate_after 200k;` combined with
`limit_rate 70k;` led to nginx sending "206 Partial Content" responses.
As far as I remember, this was found by trial and error.

Let's use a more stable solution: lua scripting allows us to control
reliably and in a fine-grained way what hawkBit artifacts nginx serves.
So add a config snippet that makes nginx only serve the first half of the
RAUC bundle, then close the connection prematurely and serve the second
half via range request only. This is basically what the previous solution
tried to achieve in a more reliable fashion.

This means we need to add the lua module and its dependencies to the test
dependencies.

Signed-off-by: Bastian Krause <[email protected]>

The nginx_proxy fixture does not do rate limiting on its own. This was
mixed up with the rate_limited_port fixture. So drop that part of the doc
string.

Signed-off-by: Bastian Krause <[email protected]>