Extract updater image building for easier testing

We had many things going on in `Updater`, and it was hiding some things that the class itself should not expose, but that I did want to be able to test in isolation, namely, the networking setup for the updater images that the class created. This extracts that into the ContainerService, and adds the tests against the final container this service now returns. While extracting I also spotted a few small optimizations by moving storing the input and cert input into this new builder method.
github · Oct 25, 2021 · 2eef128 · 2eef128
1 parent a4826a3
commit 2eef128
Show file tree

Hide file tree

Showing 5 changed files with 254 additions and 120 deletions.
diff --git a/__tests__/container-service-integration.test.ts b/__tests__/container-service-integration.test.ts
@@ -0,0 +1,97 @@
+import {PROXY_IMAGE_NAME, UPDATER_IMAGE_NAME} from '../src/main'
+import {ContainerService} from '../src/container-service'
+import {ImageService} from '../src/image-service'
+import {removeDanglingUpdaterContainers} from './helpers'
+import Docker from 'dockerode'
+import {Credential, JobDetails} from '../src/api-client'
+import {ProxyBuilder} from '../src/proxy'
+import path from 'path'
+import fs from 'fs'
+import {JobParameters} from '../src/inputs'
+
+describe('ContainerService', () => {
+  // Skip the test when we haven't preloaded the updater image
+  if (process.env.SKIP_INTEGRATION_TESTS) {
+    return
+  }
+
+  const docker = new Docker()
+  const credentials: Credential[] = [
+    {
+      type: 'git_source',
+      host: 'github.com',
+      username: 'x-access-token',
+      password: 'ghp_some_token'
+    }
+  ]
+
+  const details: JobDetails = {
+    'allowed-updates': [],
+    id: '1',
+    'package-manager': 'npm_and_yarn'
+  }
+
+  const workingDirectory = path.join(
+    __dirname,
+    '..',
+    'tmp',
+    './integration_working_directory'
+  )
+
+  beforeAll(async () => {
+    await ImageService.pull(PROXY_IMAGE_NAME)
+    await ImageService.pull(UPDATER_IMAGE_NAME)
+
+    fs.mkdirSync(workingDirectory)
+  })
+
+  afterEach(async () => {
+    await removeDanglingUpdaterContainers()
+    fs.rmdirSync(workingDirectory, {recursive: true})
+  })
+
+  it('createUpdaterContainer returns a container only connected to the internal network', async () => {
+    const outputPath = path.join(workingDirectory, 'output')
+    const repoPath = path.join(workingDirectory, 'repo')
+    fs.mkdirSync(outputPath)
+    fs.mkdirSync(repoPath)
+
+    const proxy = await new ProxyBuilder(docker, PROXY_IMAGE_NAME).run(
+      1,
+      credentials
+    )
+    await proxy.container.start()
+    const input = {job: details}
+    const params = new JobParameters(
+      1,
+      'job-token',
+      'cred-token',
+      'https://example.com',
+      '172.17.0.1',
+      workingDirectory
+    )
+    const container = await ContainerService.createUpdaterContainer(
+      'updater-image-test',
+      params,
+      docker,
+      input,
+      outputPath,
+      proxy,
+      repoPath,
+      'fetch_files',
+      UPDATER_IMAGE_NAME
+    )
+
+    const containerInfo = await container.inspect()
+
+    const networkNames = Object.keys(containerInfo.NetworkSettings.Networks)
+    expect(networkNames).toEqual(['dependabot-job-1-internal-network'])
+
+    const network = docker.getNetwork(networkNames[0])
+    const networkInfo = await network.inspect()
+    expect(networkInfo.Internal).toBe(true)
+
+    await proxy.shutdown()
+    await container.remove()
+  })
+})
diff --git a/dist/main/index.js b/dist/main/index.js
diff --git a/dist/main/index.js.map b/dist/main/index.js.map
diff --git a/src/container-service.ts b/src/container-service.ts
@@ -1,12 +1,86 @@
 import * as core from '@actions/core'
-import {Container} from 'dockerode'
+import Docker, {Container} from 'dockerode'
 import {pack} from 'tar-stream'
 import {FileFetcherInput, FileUpdaterInput, ProxyConfig} from './config-types'
+import {JobParameters} from './inputs'
+import {Proxy} from './proxy'
 import {outStream, errStream} from './utils'
 
+const JOB_OUTPUT_FILENAME = 'output.json'
+const JOB_OUTPUT_PATH = '/home/dependabot/dependabot-updater/output'
+const JOB_INPUT_FILENAME = 'job.json'
+const JOB_INPUT_PATH = `/home/dependabot/dependabot-updater`
+const REPO_CONTENTS_PATH = '/home/dependabot/dependabot-updater/repo'
+const CA_CERT_INPUT_PATH = '/usr/local/share/ca-certificates'
+const CA_CERT_FILENAME = 'dbot-ca.crt'
+const UPDATER_MAX_MEMORY = 8 * 1024 * 1024 * 1024 // 8GB in bytes
+
 class ContainerRuntimeError extends Error {}
 
 export const ContainerService = {
+  async createUpdaterContainer(
+    containerName: string,
+    jobParams: JobParameters,
+    docker: Docker,
+    input: FileFetcherInput | FileUpdaterInput,
+    outputHostPath: string,
+    proxy: Proxy,
+    repoHostPath: string,
+    updaterCommand: string,
+    updaterImage: string
+  ): Promise<Container> {
+    const cmd = `(echo > /etc/ca-certificates.conf) &&\
+     rm -Rf /usr/share/ca-certificates/ &&\
+      /usr/sbin/update-ca-certificates &&\
+       $DEPENDABOT_HOME/dependabot-updater/bin/run ${updaterCommand}`
+
+    const container = await docker.createContainer({
+      Image: updaterImage,
+      name: containerName,
+      AttachStdout: true,
+      AttachStderr: true,
+      Env: [
+        `DEPENDABOT_JOB_ID=${jobParams.jobId}`,
+        `DEPENDABOT_JOB_TOKEN=${jobParams.jobToken}`,
+        `DEPENDABOT_JOB_PATH=${JOB_INPUT_PATH}/${JOB_INPUT_FILENAME}`,
+        `DEPENDABOT_OUTPUT_PATH=${JOB_OUTPUT_PATH}/${JOB_OUTPUT_FILENAME}`,
+        `DEPENDABOT_REPO_CONTENTS_PATH=${REPO_CONTENTS_PATH}`,
+        `DEPENDABOT_API_URL=${jobParams.dependabotApiDockerUrl}`,
+        `SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt`,
+        `http_proxy=${proxy.url}`,
+        `HTTP_PROXY=${proxy.url}`,
+        `https_proxy=${proxy.url}`,
+        `HTTPS_PROXY=${proxy.url}`
+      ],
+      Cmd: ['sh', '-c', cmd],
+      HostConfig: {
+        Memory: UPDATER_MAX_MEMORY,
+        NetworkMode: proxy.networkName,
+        Binds: [
+          `${outputHostPath}:${JOB_OUTPUT_PATH}:rw`,
+          `${repoHostPath}:${REPO_CONTENTS_PATH}:rw`
+        ]
+      }
+    })
+
+    await ContainerService.storeCert(
+      CA_CERT_FILENAME,
+      CA_CERT_INPUT_PATH,
+      container,
+      proxy.cert
+    )
+
+    await ContainerService.storeInput(
+      JOB_INPUT_FILENAME,
+      JOB_INPUT_PATH,
+      container,
+      input
+    )
+
+    core.info(`Created ${updaterCommand} container: ${container.id}`)
+    return container
+  },
+
   async storeInput(
     name: string,
     path: string,