-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: address testcontainers vulnerability by replacing with docker-java #1088
Merged
Merged
Changes from 8 commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
af4778a
chore: address testcontainers vulnerability by replacing with docker-…
ianbotsf 5b3fbcd
clean up error handling for Docker containers
ianbotsf 51dd9b1
add support for pulling Docker images which do not exist locally
ianbotsf fd84e93
use the right filter criteria
ianbotsf 51eed2a
wait for image pull completion
ianbotsf 1319a2c
add omitted `actual` minus function for `InstantNative`
ianbotsf df59afc
only run Docker tests on Linux
ianbotsf a3af2c2
lint
ianbotsf c761b62
address PR feedback: clean up version name and add KDocs/comments
ianbotsf File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -24,7 +24,7 @@ kotest-version = "5.8.0" | |
kotlin-compile-testing-version = "1.5.0" | ||
kotlinx-benchmark-version = "0.4.9" | ||
kotlinx-serialization-version = "1.6.0" | ||
testcontainers-version = "1.19.1" | ||
docker-client-version = "3.3.6" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: |
||
ktor-version = "2.3.6" | ||
kaml-version = "0.55.0" | ||
jsoup-version = "1.16.2" | ||
|
@@ -81,8 +81,8 @@ kotest-assertions-core = { module = "io.kotest:kotest-assertions-core", version. | |
kotest-assertions-core-jvm = { module = "io.kotest:kotest-assertions-core-jvm", version.ref = "kotest-version" } | ||
kotlinx-benchmark-runtime = { module = "org.jetbrains.kotlinx:kotlinx-benchmark-runtime", version.ref = "kotlinx-benchmark-version" } | ||
kotlinx-serialization-json = { module = "org.jetbrains.kotlinx:kotlinx-serialization-json", version.ref = "kotlinx-serialization-version" } | ||
testcontainers = { module = "org.testcontainers:testcontainers", version.ref = "testcontainers-version" } | ||
testcontainers-junit-jupiter = { module = "org.testcontainers:junit-jupiter", version.ref = "testcontainers-version" } | ||
docker-core = { module = "com.github.docker-java:docker-java-core", version.ref = "docker-client-version" } | ||
docker-transport-zerodep = { module = "com.github.docker-java:docker-java-transport-zerodep", version.ref = "docker-client-version" } | ||
|
||
ktor-http-cio = { module = "io.ktor:ktor-http-cio", version.ref = "ktor-version" } | ||
ktor-utils = { module = "io.ktor:ktor-utils", version.ref = "ktor-version" } | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
55 changes: 55 additions & 0 deletions
55
...p-client-engines/test-suite/jvm/test/aws/smithy/kotlin/runtime/http/test/MitmContainer.kt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
/* | ||
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
package aws.smithy.kotlin.runtime.http.test | ||
|
||
import aws.smithy.kotlin.runtime.http.test.util.Docker | ||
import com.github.dockerjava.api.model.AccessMode | ||
import com.github.dockerjava.api.model.Bind | ||
import com.github.dockerjava.api.model.ExposedPort | ||
import com.github.dockerjava.api.model.Volume | ||
import java.io.Closeable | ||
|
||
private const val CONTAINER_MOUNT_POINT = "/home/mitmproxy/scripts" | ||
private const val CONTAINER_PORT = 8080 | ||
private const val IMAGE_NAME = "mitmproxy/mitmproxy:8.1.0" | ||
private val PROXY_SCRIPT_ROOT = System.getProperty("MITM_PROXY_SCRIPTS_ROOT") // defined by gradle script | ||
|
||
// Port used for communication with container | ||
private val exposedPort = ExposedPort.tcp(CONTAINER_PORT) | ||
|
||
class MitmContainer(vararg options: String) : Closeable { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: missing KDocs |
||
private val delegate: Docker.Container | ||
|
||
init { | ||
val cmd = listOf( | ||
"mitmdump", | ||
"--flow-detail", | ||
"2", | ||
"-s", | ||
"$CONTAINER_MOUNT_POINT/fakeupstream.py", | ||
*options, | ||
).also { println("Initializing container with command: $it") } | ||
|
||
// Make proxy scripts from host available to container | ||
val binding = Bind(PROXY_SCRIPT_ROOT, Volume(CONTAINER_MOUNT_POINT), AccessMode.ro) | ||
|
||
delegate = Docker.Instance.createContainer(IMAGE_NAME, cmd, binding, exposedPort) | ||
|
||
try { | ||
delegate.apply { | ||
start() | ||
waitUntilReady() | ||
} | ||
} catch (e: Throwable) { | ||
close() | ||
throw e | ||
} | ||
} | ||
|
||
val hostPort: Int | ||
get() = delegate.hostPort | ||
|
||
override fun close() = delegate.close() | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
173 changes: 173 additions & 0 deletions
173
...ttp-client-engines/test-suite/jvm/test/aws/smithy/kotlin/runtime/http/test/util/Docker.kt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,173 @@ | ||
/* | ||
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
package aws.smithy.kotlin.runtime.http.test.util | ||
|
||
import com.github.dockerjava.api.async.ResultCallback | ||
import com.github.dockerjava.api.command.AsyncDockerCmd | ||
import com.github.dockerjava.api.command.SyncDockerCmd | ||
import com.github.dockerjava.api.model.* | ||
import com.github.dockerjava.core.DefaultDockerClientConfig | ||
import com.github.dockerjava.core.DockerClientImpl | ||
import com.github.dockerjava.zerodep.ZerodepDockerHttpClient | ||
import java.io.Closeable | ||
import java.io.IOException | ||
import java.net.InetAddress | ||
import java.net.InetSocketAddress | ||
import java.net.Socket | ||
import java.net.URI | ||
import kotlin.time.Duration.Companion.milliseconds | ||
import kotlin.time.Duration.Companion.seconds | ||
import kotlin.time.measureTimedValue | ||
|
||
private val DOCKER_HOST = URI.create("unix:///var/run/docker.sock") | ||
private val MAX_POLL_TIME = 10.seconds | ||
private const val POLL_CONNECT_TIMEOUT_MS = 100 | ||
private val POLL_INTERVAL = 250.milliseconds | ||
|
||
/** | ||
* Wrapper class for the Docker client | ||
*/ | ||
class Docker { | ||
companion object { | ||
val Instance by lazy { Docker() } | ||
} | ||
|
||
private val client = run { | ||
val config = DefaultDockerClientConfig.createDefaultConfigBuilder().build() | ||
|
||
val httpClient = ZerodepDockerHttpClient.Builder() | ||
.dockerHost(DOCKER_HOST) | ||
.build() | ||
|
||
DockerClientImpl.getInstance(config, httpClient) | ||
} | ||
|
||
fun createContainer( | ||
imageName: String, | ||
cmd: List<String>, | ||
bind: Bind, | ||
exposedPort: ExposedPort, | ||
loggingHandler: (String) -> Unit = ::println, | ||
): Container { | ||
ensureImageExists(imageName, loggingHandler) | ||
|
||
val portBinding = PortBinding(Ports.Binding.empty(), exposedPort) | ||
|
||
val hostConfig = HostConfig | ||
.newHostConfig() | ||
.withBinds(bind) | ||
.withPortBindings(portBinding) | ||
|
||
val id = client | ||
.createContainerCmd(imageName) | ||
.withHostConfig(hostConfig) | ||
.withExposedPorts(exposedPort) | ||
.withCmd(cmd) | ||
.execAndMeasure { "Created container ${it.id}" } | ||
.id | ||
.substring(0..<12) // Short container IDs are 12 chars vs full container IDs at 64 chars | ||
|
||
val loggerAdapter = LoggerAdapter<Frame>(loggingHandler) { it.payload.decodeToString() } | ||
|
||
client | ||
.attachContainerCmd(id) | ||
.withFollowStream(true) | ||
.withStdOut(true) | ||
.withStdErr(true) | ||
.withLogs(true) | ||
.execAndMeasure(loggerAdapter) { "Attached logger to container $id" } | ||
.awaitStarted() | ||
|
||
return Container(id, exposedPort) | ||
} | ||
|
||
private fun ensureImageExists(imageName: String, loggingHandler: (String) -> Unit) { | ||
val exists = client | ||
.listImagesCmd() | ||
.withReferenceFilter(imageName) | ||
.execAndMeasure { "Checking for $imageName locally (exists = ${it.any()})" } | ||
.any() | ||
|
||
if (!exists) { | ||
val loggerAdapter = LoggerAdapter<PullResponseItem>(loggingHandler) { it.status } | ||
|
||
client | ||
.pullImageCmd(imageName) | ||
.execAndMeasure(loggerAdapter) { "Started image pull for $imageName" } | ||
.awaitCompletion() | ||
} | ||
} | ||
|
||
inner class Container(val id: String, val exposedPort: ExposedPort) : Closeable { | ||
private val poller = Poller(MAX_POLL_TIME, POLL_INTERVAL) | ||
|
||
override fun close() { | ||
client | ||
.removeContainerCmd(id) | ||
.withForce(true) | ||
.exec() | ||
.also { println("Container $id removed") } | ||
} | ||
|
||
val hostPort: Int by lazy { | ||
poller.pollNotNull("Port $exposedPort in container $id") { | ||
client | ||
.inspectContainerCmd(id) | ||
.exec() | ||
.networkSettings | ||
.ports | ||
.bindings[exposedPort] | ||
?.first() | ||
?.hostPortSpec | ||
?.toInt() | ||
} | ||
} | ||
|
||
private fun isReady() = | ||
Socket().use { socket -> | ||
val endpoint = InetSocketAddress(InetAddress.getLocalHost(), hostPort) | ||
try { | ||
socket.connect(endpoint, POLL_CONNECT_TIMEOUT_MS) | ||
true | ||
} catch (e: IOException) { | ||
false | ||
} | ||
} | ||
|
||
fun start() { | ||
client.startContainerCmd(id).execAndMeasure { "Container $id running" } | ||
} | ||
|
||
fun waitUntilReady() = poller.pollTrue("Socket localHost:$hostPort → $exposedPort on container $id", ::isReady) | ||
} | ||
} | ||
|
||
private class LoggerAdapter<I>( | ||
val handler: (String) -> Unit, | ||
val converter: (I) -> String?, | ||
) : ResultCallback.Adapter<I>() { | ||
override fun onNext(value: I?) { | ||
value?.let(converter)?.let(handler) | ||
} | ||
} | ||
|
||
private fun <T> SyncDockerCmd<T>.execAndMeasure(msg: (T) -> String): T { | ||
val (value, duration) = measureTimedValue { | ||
exec() | ||
} | ||
println("${msg(value)} in $duration") | ||
return value | ||
} | ||
|
||
private fun <C : AsyncDockerCmd<C, T>?, T, I : ResultCallback<T>> AsyncDockerCmd<C, T>.execAndMeasure( | ||
input: I, | ||
msg: (I) -> String, | ||
): I { | ||
val (value, duration) = measureTimedValue { | ||
exec(input) | ||
} | ||
println("${msg(value)} in $duration") | ||
return value | ||
} |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this different from
./gradlew dependencies
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes,
./gradlew dependencies
only shows the dependencies of the target project (root if otherwise unspecified). I initially ran./gradlew dependencies
to grep for where we transitively consumed the Apache Commons Compress library but couldn't find it because it only showed me the root project dependencies.Running
./gradlew :runtime:protocol:http-client-engines:test-suite:dependencies
shows our use of Apache Commons Compress but then you have to know that :runtime:protocol:http-client-engines:test-suite is where to look. This new task registers an effective alias ofdependencies
for every subproject in such a way that it can be invoked at the root project and yield the dependencies for root and every subproject.