From 662c772a0f83f85c6b8b7fe3a7ee8760e2c4772e Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Thu, 16 Oct 2025 13:02:31 +0000 Subject: [PATCH 01/51] failing test: csp-report: handle upstream Sentry errors --- test/nginx/mock-http-server/bad-cert.pem | 19 +++++++ test/nginx/mock-http-server/bad-key.pem | 28 +++++++++++ test/nginx/mock-http-server/good-cert.pem | 20 ++++++++ test/nginx/mock-http-server/good-key.pem | 28 +++++++++++ test/nginx/mock-http-server/index.js | 60 ++++++++++++++++++++++- test/nginx/nginx.test.docker-compose.yml | 13 ++++- test/nginx/test-nginx.js | 38 ++++++++++++++ 7 files changed, 203 insertions(+), 3 deletions(-) create mode 100644 test/nginx/mock-http-server/bad-cert.pem create mode 100644 test/nginx/mock-http-server/bad-key.pem create mode 100644 test/nginx/mock-http-server/good-cert.pem create mode 100644 test/nginx/mock-http-server/good-key.pem diff --git a/test/nginx/mock-http-server/bad-cert.pem b/test/nginx/mock-http-server/bad-cert.pem new file mode 100644 index 000000000..fc825be5e --- /dev/null +++ b/test/nginx/mock-http-server/bad-cert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFzCCAf+gAwIBAgIUQX7dvQ1eABbaHSg6SNI8hLa3yQkwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQYmFkLmV4YW1wbGUudGVzdDAeFw0yNTEwMTYxMjMxNDha +Fw0yNjEwMTYxMjMxNDhaMBsxGTAXBgNVBAMMEGJhZC5leGFtcGxlLnRlc3QwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS0q55gE75/ntd0a5APTdhLbSt +Ues0UcJiFeAvBFsZyHonmDGpt8jfsLQKd4Z0vE23Dg2cDt0DhhC13xukUhv2faiV +G9S//UfQKcnFKfh9ZyJruazz2TFGWYEDUx1SqjxsXZaO1788AJb9JtwdjwiDhgmg +gKFjuPR2rt6IJTjnTuGDv5ejRtjM0aCP2OZJGb6jpN8VI+N42KdTCr3smndbzUYd +pA26Ter4MBpuWldYFFzNjzAliZ373cpF616ODfmKnGfeoR538jmu8qwszG1EDxfY +NVfMZmRL5m/BqCMq7emwZoito59wykfgExZsRn4ZdrgsJObpWjCILiF+7R/dAgMB +AAGjUzBRMB0GA1UdDgQWBBTSQ6/r2BkJfAP1R/zSF/eR1XsGWDAfBgNVHSMEGDAW +gBTSQ6/r2BkJfAP1R/zSF/eR1XsGWDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQBwJWtAErfnJRpgKASTiUAksNe1x1STExsygBM92YZtvwhPZBtL +PZ3FeLGaSyL0K+H1m+P0DF0Rbqigmdzr95NCBB7ZJNfRtzJoDf/2BkFNgr6uOtrc +1JSw793Ql0o7RcjHWoN9PwotrKwOp6E8ywagvncx5+QOnQNwHSa0KCuoCZ4KIC6D +Z33AKWX2/CnB+uhpL8JxdNYqcyomAnKUw3Xgqhb3HVfTO24axVH/lo3wGQkX0jS6 +S+qCs1ul0ALc/d2W3VQPTmcaGSHpTY/ab02Ww+ohQIV+k/JM4xRGEACHZEHsgrLD +EDeD182brp031W6lxZ9nZuw/891PdQ9Hsrnc +-----END CERTIFICATE----- diff --git a/test/nginx/mock-http-server/bad-key.pem b/test/nginx/mock-http-server/bad-key.pem new file mode 100644 index 000000000..8fc06c29f --- /dev/null +++ b/test/nginx/mock-http-server/bad-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDS0q55gE75/ntd +0a5APTdhLbStUes0UcJiFeAvBFsZyHonmDGpt8jfsLQKd4Z0vE23Dg2cDt0DhhC1 +3xukUhv2faiVG9S//UfQKcnFKfh9ZyJruazz2TFGWYEDUx1SqjxsXZaO1788AJb9 +JtwdjwiDhgmggKFjuPR2rt6IJTjnTuGDv5ejRtjM0aCP2OZJGb6jpN8VI+N42KdT +Cr3smndbzUYdpA26Ter4MBpuWldYFFzNjzAliZ373cpF616ODfmKnGfeoR538jmu +8qwszG1EDxfYNVfMZmRL5m/BqCMq7emwZoito59wykfgExZsRn4ZdrgsJObpWjCI +LiF+7R/dAgMBAAECggEACV58i4DEwb5p/B7j6A3wZpyx4Vv5IG+bvGEtf9lpNQmg +SB8u4dR9lFdVgPuT2Z8+supod21/q/bqyjJal6BghsFJ2yqL92ZJqToaMe1uEiCh +unjbc1DNLEuw/JVWgcR3//beyIVVBdUe4Kw37wZawgGUbvIYegaPsrCNyi4hS8I0 +hEqtLq6pZvjWp5EahsUNdJ/4xCbhZDmmucDgW7/fiBOHCZja5oL/15xsMp2Y/Y0A +ZSnQf4Y/vBUNe6XyerwFeUEkO9f+/V50k8YaSIh11u5SUWpAqOck3vEueRoJ+ATb +ghMwb789YNZvrdMlxN4Oxt9OAYm7fRyk8IF0daB7gQKBgQDplVwkvaZnvPYR89va +p4q7tplI+XTpE0NE3NVLg5njcrR8JkJg0xeHJB0oojZrtqlWazsZhBUS63Fy6eOs +5IFFj0BOg9iYe8LbbHGqfFHSKnxZwT85FG1moJogpco1dcpwnTORSrVjJtfgNlz6 +gW2bq7kq+47jWZ2xpDcADe0snQKBgQDnDiVwlILx3PzyYXhmklhzmCSlhfAmYUXX +l8bGVzoJpys8v7VPQrjXiPyXb5pO8OvuPeuyT3g2TWYBxiv79pddP0tEjqqQrSuj +Jp/w+h19fPh2IA1zN8rG5tf8G/QpCG+tYTC5VjbIkM7koSgaa/ut1Bbdld3HiqBo +dqy6mEA8QQKBgAkd+VC9zkbySzB8MjKgo3ucLvN4OSX3yIJhlDm0U0dbbMwDukeJ +Nbvinvi9DB68LHPhD5d5XlE0u2Le2jIfYSRT6RCneMbK3douq2kaHR905RGjx1H1 +CCgfUKTBk9juVg57NE4Rem76TybDOHHWp26SD1IsK3GYR91tKXBpGr7JAoGAflFQ +jKTUlc/gBc7d2Q3HB6M03b1E1ma1nTEf/c0wMJjQ3YxdXjC3BzagCVZ9QQ0bnwsB +MWGa8e0MiInEACMHC3aP+rIYc7IIulBifobu2m0ZFNNfJw9ob6dCi1To/gnbrCkH +TzvgBXSNd5bXauKAHL9npMrLDc0u9w1yTyzvaUECgYAzv8eME44+/Z66kYnzhPAu +ZIU6TA0iNQGgnSUflh6RoZG+fol5TGrhwqF3eBWLfBuqCjKWzR+dk0UGsPzgWAbj +PWEz6MJtmne6jW48PybGikhzqmmFKZueJNXJ1/bxa9gXE53JT5q0npjIR/aOLDS6 +IL/EeFzttWUHyslXOvaFoA== +-----END PRIVATE KEY----- diff --git a/test/nginx/mock-http-server/good-cert.pem b/test/nginx/mock-http-server/good-cert.pem new file mode 100644 index 000000000..c6b3dfc4d --- /dev/null +++ b/test/nginx/mock-http-server/good-cert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDLTCCAhWgAwIBAgIUXDxRk8BeksLqR/9TPhl2VxdaSBQwDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbby1mYWtlLWRzbi5pbmdlc3Quc2VudHJ5LmlvMB4XDTI1 +MTAxNjExNDg0N1oXDTI2MTAxNjExNDg0N1owJjEkMCIGA1UEAwwbby1mYWtlLWRz +bi5pbmdlc3Quc2VudHJ5LmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA1rL27rORMllMDc4/1ngoOjw/uZRvPZCGAXdKZKE+QT7q5+ZvfGS28KLdugxb +0H2rbMBsSjxw5u5CCXTE3gGZ+T9d+9mL6OCisP+UIo0OtnZsqeQKmt93Ucf8Bnl9 +EfmYvPM/SaNt7tEVG0w4qYR0e4Bdk5AS+A4gj0dEZNrO052zlPkCLgPlCtCHjLqD +57Tu/VOuMRbbGnoDKrzPZKKeRgngghNTq1JMYtSKt3Ji3m+w/V8yqSyuaPTJO2kW +3nCHlEI+kBLDsQ5NRZxbvLltptaw2KEXA94WUSdlMDpq4tUuMKOlWp9E9GsMDQyL +B5YKdDj49fgPbSZ+8OVH6Gcn8QIDAQABo1MwUTAdBgNVHQ4EFgQUUzNTJKVdOiwE +b4jyPZvzjfq5PgwwHwYDVR0jBBgwFoAUUzNTJKVdOiwEb4jyPZvzjfq5PgwwDwYD +VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKdUlX3/kIGV7JEaywOTA +VxY+oEFgXWklEDdtoBE9X2SqrfypTuG3vk7tkmUIgY5MNEx3RKKhQanwtimwz+mJ +dYqQAQ2OLaDV++m7tf6BK0ZVKQIN47pAzuCC9QO0Ep7fWpyWtxCb+RmjCgElfVmu +7A9Gj7d9fzJlDbSHDXy15gWjDga3KjEIJ7erhxB/nKLzOykMEsBzDZC3gx6Y8RIx +8yFUkXxftWECqj+cuSovbhEhy8O7LyHtnVOXd5ljhirBBM/VqS8CZPEjKXtsQbvI +RvdRZgVAQKzvbsosqPTZV94l0h2opCS5aR/1V6AXKaKhtuDJ4W7hncjQpuRSm9E0 +cQ== +-----END CERTIFICATE----- diff --git a/test/nginx/mock-http-server/good-key.pem b/test/nginx/mock-http-server/good-key.pem new file mode 100644 index 000000000..b517bd47c --- /dev/null +++ b/test/nginx/mock-http-server/good-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDWsvbus5EyWUwN +zj/WeCg6PD+5lG89kIYBd0pkoT5BPurn5m98ZLbwot26DFvQfatswGxKPHDm7kIJ +dMTeAZn5P1372Yvo4KKw/5QijQ62dmyp5Aqa33dRx/wGeX0R+Zi88z9Jo23u0RUb +TDiphHR7gF2TkBL4DiCPR0Rk2s7TnbOU+QIuA+UK0IeMuoPntO79U64xFtsaegMq +vM9kop5GCeCCE1OrUkxi1Iq3cmLeb7D9XzKpLK5o9Mk7aRbecIeUQj6QEsOxDk1F +nFu8uW2m1rDYoRcD3hZRJ2UwOmri1S4wo6Van0T0awwNDIsHlgp0OPj1+A9tJn7w +5UfoZyfxAgMBAAECggEABbOTNefQGmiPadrxLEx80f4VWaPo19dRjbKpp7Y1+WTW +t2GR0pl4l7eVgIoxOn5J2f2aqpaED4fiek6O50/e00UE5YojimPDwkRJPmklS8Bl +lpXjF7WJPUNcrJ3Xjc2Fajgh9T5JLjNAdpz9sLe/IaP5KDDmZg62++MSPITogutT +1QvzHFq+XcaWviAu0w8Dx9zy3XaWwJXNAEIl0+sit/pwOeYpZpHMVpjDSM5Xz0kr +tMM1JNL02x3v0tp0WWye5CnSHSEGc0WINGNT+ya23bb+pNejdUYXfjUWVUhIRYcN +MG99zM5fxtL2WAtdL4vzd3t11ggSHHOfyqVuAN3R+QKBgQD7WMDfjTSvS6hi347F +1H8GM70MXWtKtSXyBr2ZNrXh705M2WtlYgF4Cl5IaBAiUbYYyKjcFO+hmeZSfSws +6NluUv1/OBPdU1jaO86Ohc1DzM4bAScxPG88HNZ/nES4+KPVZ3GWPxTa5LQXHCzd +rIUfmzoBT9/dwdbDm6irWt9s6QKBgQDarIV742jazXMyFe6A1GgJf0pLDcw5Yc8G +hc+5YM54G1tdenKs2bJd6bi1SpDrWDJXlgJ97BgtI/XtF+NXFa3/v1WV9lwJM8Vg +ONBzQDKQbIYKh7pH53SflHLxeZzg69GE/WM6QScmYxUN6MV14Juk5UCZLaylk5g2 +tKZ6ttpdyQKBgAgM0KiYSi6vGqaICHeXlbXqJEzoFQ6gfKWix6HHmc2xr21QrVri +568jjd99zb57pXxnuNjLpt0jI7hSn/6UOpqI9+uCLUiyaa8bqULxUCCyx4sf31R5 +Xgqr1cbih2TxObYVCRNJ0+4q0wXGdj1nUCAyBYqTN1VP5wP+0UkjsPI5AoGBAJ2O +eI8PB1m/diS8UKBaaquNH4Z8Zo1hv7y/ZS/4ZEt9ypLLyxxnrnCkGgXluA0Z+wvI +dfssxS6hHmy6LX9ti3Ud8xid7SpkNu5hgS/JLaWJy/qCWOG+DvV8DGWYbkRRJSFh +QMGUeBTchysCcGPCdeKVm7nCgwa6FY41E06PuT6hAoGBAJnq0Lj0fhrfYjbaziC1 +NfYtffe6tMRD3E79KUk4/73Ria4m24VI3iIZKDgLL7CWZYJz3zyefL6NZ6zr56yl +HoXVcfyg10IorEbzbc091NQx8409YxtONSzs+ddi2hh6Gjq+wRl0p3LpXm2AT6fc +a7hoG1+xFK0JQw17i/vN4Qjr +-----END PRIVATE KEY----- diff --git a/test/nginx/mock-http-server/index.js b/test/nginx/mock-http-server/index.js index cf89779b5..710cdcd43 100644 --- a/test/nginx/mock-http-server/index.js +++ b/test/nginx/mock-http-server/index.js @@ -1,6 +1,7 @@ const express = require('express'); const port = process.env.PORT || 80; +const mode = process.env.MODE || 'http'; const log = (...args) => console.log('[mock-http-server]', ...args); const requests = []; @@ -9,6 +10,33 @@ const app = express(); app.use((req, res, next) => { console.log(new Date(), req.method, req.originalUrl); + if(req.socket.encrypted) { + // Get the local certificate (the server's certificate) + const certificate = req.socket.getCertificate(); + + if(certificate) { + console.log('--- Secure Context Details ---'); + console.log('Subject:', certificate.subject.CN); // Common Name + console.log('Issuer:', certificate.issuer.CN); + console.log('Valid From:', certificate.valid_from); + console.log('Valid To:', certificate.valid_to); + console.log('Serial Number:', certificate.serialNumber); + // ... and more details + console.log('------------------------------'); + + if(certificate.subject.CN !== 'o-fake-dsn.ingest.sentry.io') { + // try to simulate an SNI / connection error + console.log('Destroying connection...'); + return req.socket.destroy(); + } + } else { + console.log('Secure connection, but no local certificate found (unexpected for server-side TLS)'); + } + } else { + // This part runs if you are running an HTTP server or if a proxy + // is terminating SSL before Express (see note below). + console.log('Insecure HTTP request.'); + } next(); }); @@ -47,6 +75,34 @@ app.get('/v1/projects', (_, res) => { res.send('OK'); })); -app.listen(port, () => { - log(`Listening on port: ${port}`); +const server = (() => { + if(mode === 'http') { + return app; + } else if(mode === 'https') { + const { readFileSync } = require('node:fs'); + const { createServer } = require('node:https'); + const { createSecureContext } = require('node:tls'); + + const pem = name => readFileSync(`${name}.pem`, 'utf8'); + const creds = name => ({ key:pem(`${name}-key`), cert:pem(`${name}-cert`) }); + + const goodCreds = creds('good'); + + const opts = { + ...creds('bad'), + SNICallback: (servername, cb) => { + console.log('SNICallback:', servername); + cb(null, createSecureContext(goodCreds)); + }, + }; + + return createServer(opts, app); + } else { + console.error(`Unrecognised mode: '${mode}'; should be one of http, https. Cannot start server.`); + process.exit(1); + } +})(); + +server.listen(port, () => { + log(`Listening with ${mode} on port: ${port}`, server === app); }); diff --git a/test/nginx/nginx.test.docker-compose.yml b/test/nginx/nginx.test.docker-compose.yml index 0eb23a133..98b52d735 100644 --- a/test/nginx/nginx.test.docker-compose.yml +++ b/test/nginx/nginx.test.docker-compose.yml @@ -13,6 +13,14 @@ services: - "8383:8383" environment: - PORT=8383 + sentry-mock: + build: + dockerfile: mock-http-service.dockerfile + ports: + - "443:443" + environment: + - MODE=https + - PORT=443 nginx: build: context: ../.. @@ -22,10 +30,13 @@ services: depends_on: - service - enketo + - sentry-mock + extra_hosts: + - o-fake-dsn.ingest.sentry.io:host-gateway environment: - DOMAIN=odk-nginx.example.test - SENTRY_KEY=example-sentry-key - - SENTRY_ORG_SUBDOMAIN=example-sentry-org-subdomain + - SENTRY_ORG_SUBDOMAIN=o-fake-dsn - SENTRY_PROJECT=example-sentry-project - SSL_TYPE=selfsign - OIDC_ENABLED=false diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 6544c4864..ada09ee6a 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -572,6 +572,44 @@ describe('nginx config', () => { }); }); }); + + describe('/csp-report', () => { + // This initial test is the control - Sentry will reject requests + // made directly to their IP address. + it('upstream should reject requests by IP address', async () => { + // given + let caught; + + // when + try { + await fetch('https://127.0.0.1'); + } catch(err) { + caught = err; + } + + // then + assert.isOk(caught); + assert.instanceOf(caught, TypeError); + assert.equal(caught.message, 'fetch failed'); + // and + assert.isOk(caught.cause); + assert.equal(caught.cause.name, 'SocketError'); + assert.equal(caught.cause.message, 'other side closed'); + }); + + it('should forward requests to Sentry, verbatim', async () => { + // when + const res = await fetchHttps('/csp-report', { + method: 'POST', + headers: { 'Content-Type':'application/json' }, + body: JSON.stringify({ hiya:'sentry' }), + }); + + // then + assert.equal(res.status, 200); + assert.equal(await res.text(), 'OK'); + }); + }); }); function fetchHttp(path, options) { From 459c0e611115298a399a02b3042e4f66dd6793cb Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Thu, 16 Oct 2025 13:08:33 +0000 Subject: [PATCH 02/51] don't hardcode https host --- test/nginx/mock-http-server/index.js | 26 ++++++-------------------- 1 file changed, 6 insertions(+), 20 deletions(-) diff --git a/test/nginx/mock-http-server/index.js b/test/nginx/mock-http-server/index.js index 710cdcd43..b53018f68 100644 --- a/test/nginx/mock-http-server/index.js +++ b/test/nginx/mock-http-server/index.js @@ -2,6 +2,7 @@ const express = require('express'); const port = process.env.PORT || 80; const mode = process.env.MODE || 'http'; +const httpsHost = process.env.HTTPS_HOST; const log = (...args) => console.log('[mock-http-server]', ...args); const requests = []; @@ -11,31 +12,14 @@ const app = express(); app.use((req, res, next) => { console.log(new Date(), req.method, req.originalUrl); if(req.socket.encrypted) { - // Get the local certificate (the server's certificate) const certificate = req.socket.getCertificate(); - if(certificate) { - console.log('--- Secure Context Details ---'); - console.log('Subject:', certificate.subject.CN); // Common Name - console.log('Issuer:', certificate.issuer.CN); - console.log('Valid From:', certificate.valid_from); - console.log('Valid To:', certificate.valid_to); - console.log('Serial Number:', certificate.serialNumber); - // ... and more details - console.log('------------------------------'); - - if(certificate.subject.CN !== 'o-fake-dsn.ingest.sentry.io') { + if(certificate.subject.CN !== httpsHost) { // try to simulate an SNI / connection error - console.log('Destroying connection...'); + console.log('Bad HTTPS cert used; destroying connection...'); return req.socket.destroy(); } - } else { - console.log('Secure connection, but no local certificate found (unexpected for server-side TLS)'); } - } else { - // This part runs if you are running an HTTP server or if a proxy - // is terminating SSL before Express (see note below). - console.log('Insecure HTTP request.'); } next(); }); @@ -79,6 +63,8 @@ const server = (() => { if(mode === 'http') { return app; } else if(mode === 'https') { + if(!httpsHost) throw new Error('Env var HTTPS_HOST is required for MODE=https'); + const { readFileSync } = require('node:fs'); const { createServer } = require('node:https'); const { createSecureContext } = require('node:tls'); @@ -91,7 +77,7 @@ const server = (() => { const opts = { ...creds('bad'), SNICallback: (servername, cb) => { - console.log('SNICallback:', servername); + if(servername !== httpsHost) return cb(new Error(`Unexpected SNI host: ${servername}`)); cb(null, createSecureContext(goodCreds)); }, }; From fa210019e9c436a9c5e776aa59e09d9bd97b836a Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Thu, 16 Oct 2025 13:10:20 +0000 Subject: [PATCH 03/51] ignore non socket error? --- test/nginx/test-nginx.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index ada09ee6a..cfc4afe5d 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -593,7 +593,7 @@ describe('nginx config', () => { assert.equal(caught.message, 'fetch failed'); // and assert.isOk(caught.cause); - assert.equal(caught.cause.name, 'SocketError'); + //assert.equal(caught.cause.name, 'SocketError'); assert.equal(caught.cause.message, 'other side closed'); }); From 6c2e7b4d5c7b1ee747abc62dfdaf1b2638ecd9b8 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Thu, 16 Oct 2025 13:17:50 +0000 Subject: [PATCH 04/51] Update error expewctations --- test/nginx/test-nginx.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index cfc4afe5d..fca4e4ab9 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -593,8 +593,8 @@ describe('nginx config', () => { assert.equal(caught.message, 'fetch failed'); // and assert.isOk(caught.cause); - //assert.equal(caught.cause.name, 'SocketError'); - assert.equal(caught.cause.message, 'other side closed'); + // The cause seems to differ based on unknown factors: + assert.match(caught.toString(), /^(SocketError: other side closed)|(Error: ECONNREFUSED 127.0.0.1:443)$/); }); it('should forward requests to Sentry, verbatim', async () => { From 2503c9a689998fcb1e757edac6417d2f8b83dedb Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Thu, 16 Oct 2025 13:18:15 +0000 Subject: [PATCH 05/51] check correct errr --- test/nginx/test-nginx.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index fca4e4ab9..61da76e54 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -594,7 +594,7 @@ describe('nginx config', () => { // and assert.isOk(caught.cause); // The cause seems to differ based on unknown factors: - assert.match(caught.toString(), /^(SocketError: other side closed)|(Error: ECONNREFUSED 127.0.0.1:443)$/); + assert.match(caught.cause.toString(), /^(SocketError: other side closed)|(Error: ECONNREFUSED 127.0.0.1:443)$/); }); it('should forward requests to Sentry, verbatim', async () => { From bcdca8d8d89709efa6675668a7dbaaeaf1def2a7 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Thu, 16 Oct 2025 13:19:54 +0000 Subject: [PATCH 06/51] tweak error expectation --- test/nginx/test-nginx.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 61da76e54..8e4da15c9 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -594,7 +594,7 @@ describe('nginx config', () => { // and assert.isOk(caught.cause); // The cause seems to differ based on unknown factors: - assert.match(caught.cause.toString(), /^(SocketError: other side closed)|(Error: ECONNREFUSED 127.0.0.1:443)$/); + assert.match(caught.cause.toString(), /^(SocketError: other side closed)|(Error: connect ECONNREFUSED 127.0.0.1:443)$/); }); it('should forward requests to Sentry, verbatim', async () => { From 6b97d58139777d21cb251f915e577cea8903a45d Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Thu, 16 Oct 2025 13:21:40 +0000 Subject: [PATCH 07/51] set proxy_ssl_server_name --- files/nginx/odk.conf.template | 1 + 1 file changed, 1 insertion(+) diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template index 171f1306d..c654f8b6a 100644 --- a/files/nginx/odk.conf.template +++ b/files/nginx/odk.conf.template @@ -179,5 +179,6 @@ server { location /csp-report { proxy_pass https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/api/${SENTRY_PROJECT}/security/?sentry_key=${SENTRY_KEY}; + proxy_ssl_server_name on; } } From 04e241852e533094dfe1a276ad78c12ac09ac5a5 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Thu, 16 Oct 2025 13:26:25 +0000 Subject: [PATCH 08/51] try force hostname --- files/nginx/odk.conf.template | 1 + 1 file changed, 1 insertion(+) diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template index c654f8b6a..f12930a5d 100644 --- a/files/nginx/odk.conf.template +++ b/files/nginx/odk.conf.template @@ -179,6 +179,7 @@ server { location /csp-report { proxy_pass https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/api/${SENTRY_PROJECT}/security/?sentry_key=${SENTRY_KEY}; + proxy_ssl_name ${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io; proxy_ssl_server_name on; } } From 82f9ec6a5ddc02892091bef9ae7397d2aed39b4f Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Sat, 18 Oct 2025 08:02:37 +0000 Subject: [PATCH 09/51] add HTTPS_HOST env var --- test/nginx/nginx.test.docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/test/nginx/nginx.test.docker-compose.yml b/test/nginx/nginx.test.docker-compose.yml index 98b52d735..8f79aea20 100644 --- a/test/nginx/nginx.test.docker-compose.yml +++ b/test/nginx/nginx.test.docker-compose.yml @@ -20,6 +20,7 @@ services: - "443:443" environment: - MODE=https + - HTTPS_HOST=o-fake-dsn.ingest.sentry.io - PORT=443 nginx: build: From b2cc8c8c38ed917e35d4571bbe34043b73d3471e Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Sat, 18 Oct 2025 08:03:34 +0000 Subject: [PATCH 10/51] remove explicit proxy_ssl_name --- files/nginx/odk.conf.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template index f12930a5d..7eaa6d0b3 100644 --- a/files/nginx/odk.conf.template +++ b/files/nginx/odk.conf.template @@ -179,7 +179,7 @@ server { location /csp-report { proxy_pass https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/api/${SENTRY_PROJECT}/security/?sentry_key=${SENTRY_KEY}; - proxy_ssl_name ${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io; + #proxy_ssl_name ${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io; proxy_ssl_server_name on; } } From 7569e546366a203c2b13249d826b9131c93b5f99 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Sat, 18 Oct 2025 08:04:07 +0000 Subject: [PATCH 11/51] remove proxy_ssl_server_name --- files/nginx/odk.conf.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template index 7eaa6d0b3..17ce8d1a9 100644 --- a/files/nginx/odk.conf.template +++ b/files/nginx/odk.conf.template @@ -180,6 +180,6 @@ server { location /csp-report { proxy_pass https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/api/${SENTRY_PROJECT}/security/?sentry_key=${SENTRY_KEY}; #proxy_ssl_name ${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io; - proxy_ssl_server_name on; + #proxy_ssl_server_name on; } } From 34ff36cf835a5b9d017b4c05f867f355080ef413 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Sat, 18 Oct 2025 08:05:17 +0000 Subject: [PATCH 12/51] use correct setting --- files/nginx/odk.conf.template | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template index 17ce8d1a9..c654f8b6a 100644 --- a/files/nginx/odk.conf.template +++ b/files/nginx/odk.conf.template @@ -179,7 +179,6 @@ server { location /csp-report { proxy_pass https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/api/${SENTRY_PROJECT}/security/?sentry_key=${SENTRY_KEY}; - #proxy_ssl_name ${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io; - #proxy_ssl_server_name on; + proxy_ssl_server_name on; } } From 8022d1c928e230e5a8732fd847e4c23ce6ec12e3 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Sat, 18 Oct 2025 08:08:33 +0000 Subject: [PATCH 13/51] test tidy-up --- test/nginx/test-nginx.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 8e4da15c9..9aaadd92d 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -573,10 +573,10 @@ describe('nginx config', () => { }); }); - describe('/csp-report', () => { + describe('CSP reports', () => { // This initial test is the control - Sentry will reject requests // made directly to their IP address. - it('upstream should reject requests by IP address', async () => { + it('upstream (Sentry) should reject requests by IP address', async () => { // given let caught; @@ -597,12 +597,12 @@ describe('nginx config', () => { assert.match(caught.cause.toString(), /^(SocketError: other side closed)|(Error: connect ECONNREFUSED 127.0.0.1:443)$/); }); - it('should forward requests to Sentry, verbatim', async () => { + it('/csp-report should successfully forward requests to Sentry', async () => { // when const res = await fetchHttps('/csp-report', { method: 'POST', headers: { 'Content-Type':'application/json' }, - body: JSON.stringify({ hiya:'sentry' }), + body: JSON.stringify({}), }); // then From fa34900b8d2043042c5fb27962e457b9fec864e2 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Tue, 21 Oct 2025 07:32:08 +0000 Subject: [PATCH 14/51] test fake DNS with _correct_ SNI host --- test/nginx/test-nginx.js | 59 +++++++++++++++++++++++++++------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 9aaadd92d..df4b01cc1 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -1,3 +1,4 @@ +const https = require('node:https'); const tls = require('node:tls'); const { Readable } = require('stream'); const { assert } = require('chai'); @@ -574,27 +575,47 @@ describe('nginx config', () => { }); describe('CSP reports', () => { - // This initial test is the control - Sentry will reject requests - // made directly to their IP address. - it('upstream (Sentry) should reject requests by IP address', async () => { - // given - let caught; + describe('Sentry behaviour', () => { + // These tests are a control to demonstrate that the local fake Sentry is + // behaving similarly to sentry.io. - // when - try { - await fetch('https://127.0.0.1'); - } catch(err) { - caught = err; - } + const requestWithSniHost = servername => new Promise((resolve, reject) => { + const opts = { hostname:'127.0.0.1', servername }; - // then - assert.isOk(caught); - assert.instanceOf(caught, TypeError); - assert.equal(caught.message, 'fetch failed'); - // and - assert.isOk(caught.cause); - // The cause seems to differ based on unknown factors: - assert.match(caught.cause.toString(), /^(SocketError: other side closed)|(Error: connect ECONNREFUSED 127.0.0.1:443)$/); + const req = https.request(opts, res => { + res.on('data', () => {}); // ensure response stream is consumed + res.on('end', resolve); + res.on('error', reject); + }); + + req.on('error', reject); + + req.end(); + }); + + it('should accept requests with correct SNI host', async () => { + // when + await requestWithSniHost('o-fake-dsn.ingest.sentry.io'); + + // then + // No error was thrown :¬) + }); + + it('should reject requests without SNI host', async () => { + // given + let caught; + + // when + try { + await requestWithSniHost(undefined); + } catch(err) { + caught = err; + } + + // then + assert.isOk(caught); + assert.equal(caught.code, 'ECONNRESET'); + }); }); it('/csp-report should successfully forward requests to Sentry', async () => { From 042107fad8253133586c6d7d215dabfe4631558a Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Tue, 21 Oct 2025 07:36:07 +0000 Subject: [PATCH 15/51] refactor initHttpsServer() --- test/nginx/mock-http-server/index.js | 58 +++++++++++++++------------- 1 file changed, 31 insertions(+), 27 deletions(-) diff --git a/test/nginx/mock-http-server/index.js b/test/nginx/mock-http-server/index.js index b53018f68..d41b2696d 100644 --- a/test/nginx/mock-http-server/index.js +++ b/test/nginx/mock-http-server/index.js @@ -60,35 +60,39 @@ app.get('/v1/projects', (_, res) => { })); const server = (() => { - if(mode === 'http') { - return app; - } else if(mode === 'https') { - if(!httpsHost) throw new Error('Env var HTTPS_HOST is required for MODE=https'); - - const { readFileSync } = require('node:fs'); - const { createServer } = require('node:https'); - const { createSecureContext } = require('node:tls'); - - const pem = name => readFileSync(`${name}.pem`, 'utf8'); - const creds = name => ({ key:pem(`${name}-key`), cert:pem(`${name}-cert`) }); - - const goodCreds = creds('good'); - - const opts = { - ...creds('bad'), - SNICallback: (servername, cb) => { - if(servername !== httpsHost) return cb(new Error(`Unexpected SNI host: ${servername}`)); - cb(null, createSecureContext(goodCreds)); - }, - }; - - return createServer(opts, app); - } else { - console.error(`Unrecognised mode: '${mode}'; should be one of http, https. Cannot start server.`); - process.exit(1); + switch(mode) { + case 'http': return app; + case 'https': return initHttpsServer(); + default: + console.error(`Unrecognised mode: '${mode}'; should be one of http, https. Cannot start server.`); + process.exit(1); } -})(); +}); server.listen(port, () => { log(`Listening with ${mode} on port: ${port}`, server === app); }); + + +function initHttpsServer() { + if(!httpsHost) throw new Error('Env var HTTPS_HOST is required for MODE=https'); + + const { readFileSync } = require('node:fs'); + const { createServer } = require('node:https'); + const { createSecureContext } = require('node:tls'); + + const pem = name => readFileSync(`${name}.pem`, 'utf8'); + const creds = name => ({ key:pem(`${name}-key`), cert:pem(`${name}-cert`) }); + + const goodCreds = creds('good'); + + const opts = { + ...creds('bad'), + SNICallback: (servername, cb) => { + if(servername !== httpsHost) return cb(new Error(`Unexpected SNI host: ${servername}`)); + cb(null, createSecureContext(goodCreds)); + }, + }; + + return createServer(opts, app); +} From e2d91d636c409e0feeefce36806c60639025b962 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Tue, 21 Oct 2025 07:41:30 +0000 Subject: [PATCH 16/51] fix refactor --- test/nginx/mock-http-server/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/mock-http-server/index.js b/test/nginx/mock-http-server/index.js index d41b2696d..269b552db 100644 --- a/test/nginx/mock-http-server/index.js +++ b/test/nginx/mock-http-server/index.js @@ -67,7 +67,7 @@ const server = (() => { console.error(`Unrecognised mode: '${mode}'; should be one of http, https. Cannot start server.`); process.exit(1); } -}); +})(); server.listen(port, () => { log(`Listening with ${mode} on port: ${port}`, server === app); From de32ff4c1fb07f8877138ea7324ef3ba1f47b2ad Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Tue, 21 Oct 2025 07:56:37 +0000 Subject: [PATCH 17/51] generate PEM files --- test/nginx/mock-http-server/bad-cert.pem | 19 ------------- test/nginx/mock-http-server/bad-key.pem | 28 ------------------- test/nginx/mock-http-server/good-cert.pem | 20 ------------- test/nginx/mock-http-server/good-key.pem | 28 ------------------- test/nginx/mock-http-server/index.js | 34 ++++++++++++++++++++--- test/nginx/mock-http-service.dockerfile | 5 ++++ 6 files changed, 35 insertions(+), 99 deletions(-) delete mode 100644 test/nginx/mock-http-server/bad-cert.pem delete mode 100644 test/nginx/mock-http-server/bad-key.pem delete mode 100644 test/nginx/mock-http-server/good-cert.pem delete mode 100644 test/nginx/mock-http-server/good-key.pem diff --git a/test/nginx/mock-http-server/bad-cert.pem b/test/nginx/mock-http-server/bad-cert.pem deleted file mode 100644 index fc825be5e..000000000 --- a/test/nginx/mock-http-server/bad-cert.pem +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDFzCCAf+gAwIBAgIUQX7dvQ1eABbaHSg6SNI8hLa3yQkwDQYJKoZIhvcNAQEL -BQAwGzEZMBcGA1UEAwwQYmFkLmV4YW1wbGUudGVzdDAeFw0yNTEwMTYxMjMxNDha -Fw0yNjEwMTYxMjMxNDhaMBsxGTAXBgNVBAMMEGJhZC5leGFtcGxlLnRlc3QwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS0q55gE75/ntd0a5APTdhLbSt -Ues0UcJiFeAvBFsZyHonmDGpt8jfsLQKd4Z0vE23Dg2cDt0DhhC13xukUhv2faiV -G9S//UfQKcnFKfh9ZyJruazz2TFGWYEDUx1SqjxsXZaO1788AJb9JtwdjwiDhgmg -gKFjuPR2rt6IJTjnTuGDv5ejRtjM0aCP2OZJGb6jpN8VI+N42KdTCr3smndbzUYd -pA26Ter4MBpuWldYFFzNjzAliZ373cpF616ODfmKnGfeoR538jmu8qwszG1EDxfY -NVfMZmRL5m/BqCMq7emwZoito59wykfgExZsRn4ZdrgsJObpWjCILiF+7R/dAgMB -AAGjUzBRMB0GA1UdDgQWBBTSQ6/r2BkJfAP1R/zSF/eR1XsGWDAfBgNVHSMEGDAW -gBTSQ6/r2BkJfAP1R/zSF/eR1XsGWDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 -DQEBCwUAA4IBAQBwJWtAErfnJRpgKASTiUAksNe1x1STExsygBM92YZtvwhPZBtL -PZ3FeLGaSyL0K+H1m+P0DF0Rbqigmdzr95NCBB7ZJNfRtzJoDf/2BkFNgr6uOtrc -1JSw793Ql0o7RcjHWoN9PwotrKwOp6E8ywagvncx5+QOnQNwHSa0KCuoCZ4KIC6D -Z33AKWX2/CnB+uhpL8JxdNYqcyomAnKUw3Xgqhb3HVfTO24axVH/lo3wGQkX0jS6 -S+qCs1ul0ALc/d2W3VQPTmcaGSHpTY/ab02Ww+ohQIV+k/JM4xRGEACHZEHsgrLD -EDeD182brp031W6lxZ9nZuw/891PdQ9Hsrnc ------END CERTIFICATE----- diff --git a/test/nginx/mock-http-server/bad-key.pem b/test/nginx/mock-http-server/bad-key.pem deleted file mode 100644 index 8fc06c29f..000000000 --- a/test/nginx/mock-http-server/bad-key.pem +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDS0q55gE75/ntd -0a5APTdhLbStUes0UcJiFeAvBFsZyHonmDGpt8jfsLQKd4Z0vE23Dg2cDt0DhhC1 -3xukUhv2faiVG9S//UfQKcnFKfh9ZyJruazz2TFGWYEDUx1SqjxsXZaO1788AJb9 -JtwdjwiDhgmggKFjuPR2rt6IJTjnTuGDv5ejRtjM0aCP2OZJGb6jpN8VI+N42KdT -Cr3smndbzUYdpA26Ter4MBpuWldYFFzNjzAliZ373cpF616ODfmKnGfeoR538jmu -8qwszG1EDxfYNVfMZmRL5m/BqCMq7emwZoito59wykfgExZsRn4ZdrgsJObpWjCI -LiF+7R/dAgMBAAECggEACV58i4DEwb5p/B7j6A3wZpyx4Vv5IG+bvGEtf9lpNQmg -SB8u4dR9lFdVgPuT2Z8+supod21/q/bqyjJal6BghsFJ2yqL92ZJqToaMe1uEiCh -unjbc1DNLEuw/JVWgcR3//beyIVVBdUe4Kw37wZawgGUbvIYegaPsrCNyi4hS8I0 -hEqtLq6pZvjWp5EahsUNdJ/4xCbhZDmmucDgW7/fiBOHCZja5oL/15xsMp2Y/Y0A -ZSnQf4Y/vBUNe6XyerwFeUEkO9f+/V50k8YaSIh11u5SUWpAqOck3vEueRoJ+ATb -ghMwb789YNZvrdMlxN4Oxt9OAYm7fRyk8IF0daB7gQKBgQDplVwkvaZnvPYR89va -p4q7tplI+XTpE0NE3NVLg5njcrR8JkJg0xeHJB0oojZrtqlWazsZhBUS63Fy6eOs -5IFFj0BOg9iYe8LbbHGqfFHSKnxZwT85FG1moJogpco1dcpwnTORSrVjJtfgNlz6 -gW2bq7kq+47jWZ2xpDcADe0snQKBgQDnDiVwlILx3PzyYXhmklhzmCSlhfAmYUXX -l8bGVzoJpys8v7VPQrjXiPyXb5pO8OvuPeuyT3g2TWYBxiv79pddP0tEjqqQrSuj -Jp/w+h19fPh2IA1zN8rG5tf8G/QpCG+tYTC5VjbIkM7koSgaa/ut1Bbdld3HiqBo -dqy6mEA8QQKBgAkd+VC9zkbySzB8MjKgo3ucLvN4OSX3yIJhlDm0U0dbbMwDukeJ -Nbvinvi9DB68LHPhD5d5XlE0u2Le2jIfYSRT6RCneMbK3douq2kaHR905RGjx1H1 -CCgfUKTBk9juVg57NE4Rem76TybDOHHWp26SD1IsK3GYR91tKXBpGr7JAoGAflFQ -jKTUlc/gBc7d2Q3HB6M03b1E1ma1nTEf/c0wMJjQ3YxdXjC3BzagCVZ9QQ0bnwsB -MWGa8e0MiInEACMHC3aP+rIYc7IIulBifobu2m0ZFNNfJw9ob6dCi1To/gnbrCkH -TzvgBXSNd5bXauKAHL9npMrLDc0u9w1yTyzvaUECgYAzv8eME44+/Z66kYnzhPAu -ZIU6TA0iNQGgnSUflh6RoZG+fol5TGrhwqF3eBWLfBuqCjKWzR+dk0UGsPzgWAbj -PWEz6MJtmne6jW48PybGikhzqmmFKZueJNXJ1/bxa9gXE53JT5q0npjIR/aOLDS6 -IL/EeFzttWUHyslXOvaFoA== ------END PRIVATE KEY----- diff --git a/test/nginx/mock-http-server/good-cert.pem b/test/nginx/mock-http-server/good-cert.pem deleted file mode 100644 index c6b3dfc4d..000000000 --- a/test/nginx/mock-http-server/good-cert.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDLTCCAhWgAwIBAgIUXDxRk8BeksLqR/9TPhl2VxdaSBQwDQYJKoZIhvcNAQEL -BQAwJjEkMCIGA1UEAwwbby1mYWtlLWRzbi5pbmdlc3Quc2VudHJ5LmlvMB4XDTI1 -MTAxNjExNDg0N1oXDTI2MTAxNjExNDg0N1owJjEkMCIGA1UEAwwbby1mYWtlLWRz -bi5pbmdlc3Quc2VudHJ5LmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEA1rL27rORMllMDc4/1ngoOjw/uZRvPZCGAXdKZKE+QT7q5+ZvfGS28KLdugxb -0H2rbMBsSjxw5u5CCXTE3gGZ+T9d+9mL6OCisP+UIo0OtnZsqeQKmt93Ucf8Bnl9 -EfmYvPM/SaNt7tEVG0w4qYR0e4Bdk5AS+A4gj0dEZNrO052zlPkCLgPlCtCHjLqD -57Tu/VOuMRbbGnoDKrzPZKKeRgngghNTq1JMYtSKt3Ji3m+w/V8yqSyuaPTJO2kW -3nCHlEI+kBLDsQ5NRZxbvLltptaw2KEXA94WUSdlMDpq4tUuMKOlWp9E9GsMDQyL -B5YKdDj49fgPbSZ+8OVH6Gcn8QIDAQABo1MwUTAdBgNVHQ4EFgQUUzNTJKVdOiwE -b4jyPZvzjfq5PgwwHwYDVR0jBBgwFoAUUzNTJKVdOiwEb4jyPZvzjfq5PgwwDwYD -VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKdUlX3/kIGV7JEaywOTA -VxY+oEFgXWklEDdtoBE9X2SqrfypTuG3vk7tkmUIgY5MNEx3RKKhQanwtimwz+mJ -dYqQAQ2OLaDV++m7tf6BK0ZVKQIN47pAzuCC9QO0Ep7fWpyWtxCb+RmjCgElfVmu -7A9Gj7d9fzJlDbSHDXy15gWjDga3KjEIJ7erhxB/nKLzOykMEsBzDZC3gx6Y8RIx -8yFUkXxftWECqj+cuSovbhEhy8O7LyHtnVOXd5ljhirBBM/VqS8CZPEjKXtsQbvI -RvdRZgVAQKzvbsosqPTZV94l0h2opCS5aR/1V6AXKaKhtuDJ4W7hncjQpuRSm9E0 -cQ== ------END CERTIFICATE----- diff --git a/test/nginx/mock-http-server/good-key.pem b/test/nginx/mock-http-server/good-key.pem deleted file mode 100644 index b517bd47c..000000000 --- a/test/nginx/mock-http-server/good-key.pem +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDWsvbus5EyWUwN -zj/WeCg6PD+5lG89kIYBd0pkoT5BPurn5m98ZLbwot26DFvQfatswGxKPHDm7kIJ -dMTeAZn5P1372Yvo4KKw/5QijQ62dmyp5Aqa33dRx/wGeX0R+Zi88z9Jo23u0RUb -TDiphHR7gF2TkBL4DiCPR0Rk2s7TnbOU+QIuA+UK0IeMuoPntO79U64xFtsaegMq -vM9kop5GCeCCE1OrUkxi1Iq3cmLeb7D9XzKpLK5o9Mk7aRbecIeUQj6QEsOxDk1F -nFu8uW2m1rDYoRcD3hZRJ2UwOmri1S4wo6Van0T0awwNDIsHlgp0OPj1+A9tJn7w -5UfoZyfxAgMBAAECggEABbOTNefQGmiPadrxLEx80f4VWaPo19dRjbKpp7Y1+WTW -t2GR0pl4l7eVgIoxOn5J2f2aqpaED4fiek6O50/e00UE5YojimPDwkRJPmklS8Bl -lpXjF7WJPUNcrJ3Xjc2Fajgh9T5JLjNAdpz9sLe/IaP5KDDmZg62++MSPITogutT -1QvzHFq+XcaWviAu0w8Dx9zy3XaWwJXNAEIl0+sit/pwOeYpZpHMVpjDSM5Xz0kr -tMM1JNL02x3v0tp0WWye5CnSHSEGc0WINGNT+ya23bb+pNejdUYXfjUWVUhIRYcN -MG99zM5fxtL2WAtdL4vzd3t11ggSHHOfyqVuAN3R+QKBgQD7WMDfjTSvS6hi347F -1H8GM70MXWtKtSXyBr2ZNrXh705M2WtlYgF4Cl5IaBAiUbYYyKjcFO+hmeZSfSws -6NluUv1/OBPdU1jaO86Ohc1DzM4bAScxPG88HNZ/nES4+KPVZ3GWPxTa5LQXHCzd -rIUfmzoBT9/dwdbDm6irWt9s6QKBgQDarIV742jazXMyFe6A1GgJf0pLDcw5Yc8G -hc+5YM54G1tdenKs2bJd6bi1SpDrWDJXlgJ97BgtI/XtF+NXFa3/v1WV9lwJM8Vg -ONBzQDKQbIYKh7pH53SflHLxeZzg69GE/WM6QScmYxUN6MV14Juk5UCZLaylk5g2 -tKZ6ttpdyQKBgAgM0KiYSi6vGqaICHeXlbXqJEzoFQ6gfKWix6HHmc2xr21QrVri -568jjd99zb57pXxnuNjLpt0jI7hSn/6UOpqI9+uCLUiyaa8bqULxUCCyx4sf31R5 -Xgqr1cbih2TxObYVCRNJ0+4q0wXGdj1nUCAyBYqTN1VP5wP+0UkjsPI5AoGBAJ2O -eI8PB1m/diS8UKBaaquNH4Z8Zo1hv7y/ZS/4ZEt9ypLLyxxnrnCkGgXluA0Z+wvI -dfssxS6hHmy6LX9ti3Ud8xid7SpkNu5hgS/JLaWJy/qCWOG+DvV8DGWYbkRRJSFh -QMGUeBTchysCcGPCdeKVm7nCgwa6FY41E06PuT6hAoGBAJnq0Lj0fhrfYjbaziC1 -NfYtffe6tMRD3E79KUk4/73Ria4m24VI3iIZKDgLL7CWZYJz3zyefL6NZ6zr56yl -HoXVcfyg10IorEbzbc091NQx8409YxtONSzs+ddi2hh6Gjq+wRl0p3LpXm2AT6fc -a7hoG1+xFK0JQw17i/vN4Qjr ------END PRIVATE KEY----- diff --git a/test/nginx/mock-http-server/index.js b/test/nginx/mock-http-server/index.js index 269b552db..a9f3831ff 100644 --- a/test/nginx/mock-http-server/index.js +++ b/test/nginx/mock-http-server/index.js @@ -1,3 +1,5 @@ +const { execSync } = require('node:child_process'); + const express = require('express'); const port = process.env.PORT || 80; @@ -81,13 +83,37 @@ function initHttpsServer() { const { createServer } = require('node:https'); const { createSecureContext } = require('node:tls'); - const pem = name => readFileSync(`${name}.pem`, 'utf8'); - const creds = name => ({ key:pem(`${name}-key`), cert:pem(`${name}-cert`) }); + const encoding = 'utf8'; + + const pem = path => readFileSync(path, { encoding }); + const creds = commonName => { + const keyPath = `${commonName}-key.pem`; + const certPath = `${commonName}-cert.pem`; + + execSync( + [ + 'openssl', + 'req -x509', + '-nodes', + '-days 365', + '-newkey rsa:2048', + `-keyout ${keyPath}`, + `-out ${certPath}`, + `-subj /CN=${commonName}`, + ].join(' '), + { encoding }, + ); + + return { + key: readFileSync(keyPath, { encoding }), + cert: readFileSync(certPath, { encoding }), + }; + }; - const goodCreds = creds('good'); + const goodCreds = creds(httpsHost); const opts = { - ...creds('bad'), + ...creds('localhost'), SNICallback: (servername, cb) => { if(servername !== httpsHost) return cb(new Error(`Unexpected SNI host: ${servername}`)); cb(null, createSecureContext(goodCreds)); diff --git a/test/nginx/mock-http-service.dockerfile b/test/nginx/mock-http-service.dockerfile index 4f7021a08..3786ded33 100644 --- a/test/nginx/mock-http-service.dockerfile +++ b/test/nginx/mock-http-service.dockerfile @@ -1,5 +1,10 @@ FROM node:20.12.2-slim +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + openssl \ + && rm -rf /var/lib/apt/lists/* + WORKDIR /workspace COPY ./mock-http-server . From 0486ef8d75d656b3925d643912382ee18314c72c Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Tue, 21 Oct 2025 07:59:19 +0000 Subject: [PATCH 18/51] remove unused fn --- test/nginx/mock-http-server/index.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/nginx/mock-http-server/index.js b/test/nginx/mock-http-server/index.js index a9f3831ff..970515aa6 100644 --- a/test/nginx/mock-http-server/index.js +++ b/test/nginx/mock-http-server/index.js @@ -85,9 +85,8 @@ function initHttpsServer() { const encoding = 'utf8'; - const pem = path => readFileSync(path, { encoding }); const creds = commonName => { - const keyPath = `${commonName}-key.pem`; + const keyPath = `${commonName}-key.pem`; const certPath = `${commonName}-cert.pem`; execSync( From 24b7ccaf2b980033112b3a58401ac07372f6304a Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 13:47:09 +0000 Subject: [PATCH 19/51] introduce specific mock-sentry docker thingy --- test/nginx/mock-sentry.dockerfile | 12 + test/nginx/mock-sentry/.gitignore | 1 + test/nginx/mock-sentry/index.js | 123 ++++ test/nginx/mock-sentry/package-lock.json | 747 +++++++++++++++++++++++ test/nginx/mock-sentry/package.json | 9 + test/nginx/nginx.test.docker-compose.yml | 2 +- 6 files changed, 893 insertions(+), 1 deletion(-) create mode 100644 test/nginx/mock-sentry.dockerfile create mode 100644 test/nginx/mock-sentry/.gitignore create mode 100644 test/nginx/mock-sentry/index.js create mode 100644 test/nginx/mock-sentry/package-lock.json create mode 100644 test/nginx/mock-sentry/package.json diff --git a/test/nginx/mock-sentry.dockerfile b/test/nginx/mock-sentry.dockerfile new file mode 100644 index 000000000..c1ce8e3d5 --- /dev/null +++ b/test/nginx/mock-sentry.dockerfile @@ -0,0 +1,12 @@ +FROM node:22.21.0-slim + +RUN apt-get update \ + && apt-get install -y --no-install-recommends \ + openssl \ + && rm -rf /var/lib/apt/lists/* + +WORKDIR /workspace + +COPY ./mock-http-server . +RUN npm clean-install +ENTRYPOINT ["npm", "run", "start"] diff --git a/test/nginx/mock-sentry/.gitignore b/test/nginx/mock-sentry/.gitignore new file mode 100644 index 000000000..2ccbe4656 --- /dev/null +++ b/test/nginx/mock-sentry/.gitignore @@ -0,0 +1 @@ +/node_modules/ diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js new file mode 100644 index 000000000..970515aa6 --- /dev/null +++ b/test/nginx/mock-sentry/index.js @@ -0,0 +1,123 @@ +const { execSync } = require('node:child_process'); + +const express = require('express'); + +const port = process.env.PORT || 80; +const mode = process.env.MODE || 'http'; +const httpsHost = process.env.HTTPS_HOST; +const log = (...args) => console.log('[mock-http-server]', ...args); + +const requests = []; + +const app = express(); + +app.use((req, res, next) => { + console.log(new Date(), req.method, req.originalUrl); + if(req.socket.encrypted) { + const certificate = req.socket.getCertificate(); + if(certificate) { + if(certificate.subject.CN !== httpsHost) { + // try to simulate an SNI / connection error + console.log('Bad HTTPS cert used; destroying connection...'); + return req.socket.destroy(); + } + } + } + next(); +}); + +// Enketo express returns response with Vary and Cache-Control headers +app.use('/-/', (req, res, next) => { + res.set('Vary', 'Accept-Encoding'); + res.set('Cache-Control', 'public, max-age=0'); + next(); +}); + +app.get('/health', (req, res) => res.send('OK')); +app.get('/request-log', (req, res) => res.json(requests)); +app.get('/reset', (req, res) => { + requests.length = 0; + res.json('OK'); +}); + +app.get('/v1/reflect-headers', (req, res) => res.json(req.headers)); + +// Central-Backend can set Cache headers and those should have highest precedence +app.get('/v1/projects', (_, res) => { + res.set('Vary', 'Cookie'); + res.set('Cache-Control', 'private, max-age=3600'); + res.send('OK'); +}); + +[ + 'delete', + 'get', + 'patch', + 'post', + 'put', + // TODO add more methods as required +].forEach(method => app[method]('/{*splat}', (req, res) => { + requests.push({ method:req.method, path:req.originalUrl }); + res.send('OK'); +})); + +const server = (() => { + switch(mode) { + case 'http': return app; + case 'https': return initHttpsServer(); + default: + console.error(`Unrecognised mode: '${mode}'; should be one of http, https. Cannot start server.`); + process.exit(1); + } +})(); + +server.listen(port, () => { + log(`Listening with ${mode} on port: ${port}`, server === app); +}); + + +function initHttpsServer() { + if(!httpsHost) throw new Error('Env var HTTPS_HOST is required for MODE=https'); + + const { readFileSync } = require('node:fs'); + const { createServer } = require('node:https'); + const { createSecureContext } = require('node:tls'); + + const encoding = 'utf8'; + + const creds = commonName => { + const keyPath = `${commonName}-key.pem`; + const certPath = `${commonName}-cert.pem`; + + execSync( + [ + 'openssl', + 'req -x509', + '-nodes', + '-days 365', + '-newkey rsa:2048', + `-keyout ${keyPath}`, + `-out ${certPath}`, + `-subj /CN=${commonName}`, + ].join(' '), + { encoding }, + ); + + return { + key: readFileSync(keyPath, { encoding }), + cert: readFileSync(certPath, { encoding }), + }; + }; + + const goodCreds = creds(httpsHost); + + const opts = { + ...creds('localhost'), + SNICallback: (servername, cb) => { + if(servername !== httpsHost) return cb(new Error(`Unexpected SNI host: ${servername}`)); + cb(null, createSecureContext(goodCreds)); + }, + }; + + return createServer(opts, app); +} diff --git a/test/nginx/mock-sentry/package-lock.json b/test/nginx/mock-sentry/package-lock.json new file mode 100644 index 000000000..4ea664a1c --- /dev/null +++ b/test/nginx/mock-sentry/package-lock.json @@ -0,0 +1,747 @@ +{ + "name": "mock-http-server", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "mock-http-server", + "dependencies": { + "express": "^5.1.0" + } + }, + "node_modules/accepts": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz", + "integrity": "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==", + "dependencies": { + "mime-types": "^3.0.0", + "negotiator": "^1.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/body-parser": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.0.tgz", + "integrity": "sha512-02qvAaxv8tp7fBa/mw1ga98OGm+eCbqzJOKoRt70sLmfEEi+jyBYVTDGfCL/k06/4EMk/z01gCe7HoCH/f2LTg==", + "dependencies": { + "bytes": "^3.1.2", + "content-type": "^1.0.5", + "debug": "^4.4.0", + "http-errors": "^2.0.0", + "iconv-lite": "^0.6.3", + "on-finished": "^2.4.1", + "qs": "^6.14.0", + "raw-body": "^3.0.0", + "type-is": "^2.0.0" + }, + "engines": { + "node": ">=18" + } + }, + "node_modules/bytes": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", + "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/call-bind-apply-helpers": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz", + "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==", + "dependencies": { + "es-errors": "^1.3.0", + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/call-bound": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz", + "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "get-intrinsic": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/content-disposition": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.0.tgz", + "integrity": "sha512-Au9nRL8VNUut/XSzbQA38+M78dzP4D+eqg3gfJHMIHHYa3bg067xj1KxMUWj+VULbiZMowKngFFbKczUrNJ1mg==", + "dependencies": { + "safe-buffer": "5.2.1" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/content-type": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz", + "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie": { + "version": "0.7.1", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz", + "integrity": "sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie-signature": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz", + "integrity": "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==", + "engines": { + "node": ">=6.6.0" + } + }, + "node_modules/debug": { + "version": "4.4.0", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz", + "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==", + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/depd": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", + "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/dunder-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz", + "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==", + "dependencies": { + "call-bind-apply-helpers": "^1.0.1", + "es-errors": "^1.3.0", + "gopd": "^1.2.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/ee-first": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", + "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==" + }, + "node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/es-define-property": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz", + "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-errors": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz", + "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-object-atoms": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz", + "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==", + "dependencies": { + "es-errors": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/escape-html": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", + "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==" + }, + "node_modules/etag": { + "version": "1.8.1", + "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", + "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/express": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/express/-/express-5.1.0.tgz", + "integrity": "sha512-DT9ck5YIRU+8GYzzU5kT3eHGA5iL+1Zd0EutOmTE9Dtk+Tvuzd23VBU+ec7HPNSTxXYO55gPV/hq4pSBJDjFpA==", + "dependencies": { + "accepts": "^2.0.0", + "body-parser": "^2.2.0", + "content-disposition": "^1.0.0", + "content-type": "^1.0.5", + "cookie": "^0.7.1", + "cookie-signature": "^1.2.1", + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "finalhandler": "^2.1.0", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "merge-descriptors": "^2.0.0", + "mime-types": "^3.0.0", + "on-finished": "^2.4.1", + "once": "^1.4.0", + "parseurl": "^1.3.3", + "proxy-addr": "^2.0.7", + "qs": "^6.14.0", + "range-parser": "^1.2.1", + "router": "^2.2.0", + "send": "^1.1.0", + "serve-static": "^2.2.0", + "statuses": "^2.0.1", + "type-is": "^2.0.1", + "vary": "^1.1.2" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/finalhandler": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.0.tgz", + "integrity": "sha512-/t88Ty3d5JWQbWYgaOGCCYfXRwV1+be02WqYYlL6h0lEiUAMPM8o8qKGO01YIkOHzka2up08wvgYD0mDiI+q3Q==", + "dependencies": { + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "on-finished": "^2.4.1", + "parseurl": "^1.3.3", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/forwarded": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz", + "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/fresh": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/fresh/-/fresh-2.0.0.tgz", + "integrity": "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/function-bind": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", + "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-intrinsic": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz", + "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "es-define-property": "^1.0.1", + "es-errors": "^1.3.0", + "es-object-atoms": "^1.1.1", + "function-bind": "^1.1.2", + "get-proto": "^1.0.1", + "gopd": "^1.2.0", + "has-symbols": "^1.1.0", + "hasown": "^2.0.2", + "math-intrinsics": "^1.1.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz", + "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==", + "dependencies": { + "dunder-proto": "^1.0.1", + "es-object-atoms": "^1.0.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/gopd": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz", + "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/has-symbols": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz", + "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/hasown": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", + "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "dependencies": { + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/http-errors": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz", + "integrity": "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==", + "dependencies": { + "depd": "2.0.0", + "inherits": "2.0.4", + "setprototypeof": "1.2.0", + "statuses": "2.0.1", + "toidentifier": "1.0.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/iconv-lite": { + "version": "0.6.3", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz", + "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==", + "dependencies": { + "safer-buffer": ">= 2.1.2 < 3.0.0" + }, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" + }, + "node_modules/ipaddr.js": { + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", + "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==", + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/is-promise": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz", + "integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==" + }, + "node_modules/math-intrinsics": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz", + "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/media-typer": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz", + "integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/merge-descriptors": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-2.0.0.tgz", + "integrity": "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==", + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/mime-db": { + "version": "1.54.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz", + "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/mime-types": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.1.tgz", + "integrity": "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA==", + "dependencies": { + "mime-db": "^1.54.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" + }, + "node_modules/negotiator": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-1.0.0.tgz", + "integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/object-inspect": { + "version": "1.13.4", + "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz", + "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/on-finished": { + "version": "2.4.1", + "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz", + "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==", + "dependencies": { + "ee-first": "1.1.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/parseurl": { + "version": "1.3.3", + "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", + "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/path-to-regexp": { + "version": "8.2.0", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.2.0.tgz", + "integrity": "sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ==", + "engines": { + "node": ">=16" + } + }, + "node_modules/proxy-addr": { + "version": "2.0.7", + "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz", + "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==", + "dependencies": { + "forwarded": "0.2.0", + "ipaddr.js": "1.9.1" + }, + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/qs": { + "version": "6.14.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz", + "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==", + "dependencies": { + "side-channel": "^1.1.0" + }, + "engines": { + "node": ">=0.6" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/range-parser": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", + "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/raw-body": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.0.tgz", + "integrity": "sha512-RmkhL8CAyCRPXCE28MMH0z2PNWQBNk2Q09ZdxM9IOOXwxwZbN+qbWaatPkdkWIKL2ZVDImrN/pK5HTRz2PcS4g==", + "dependencies": { + "bytes": "3.1.2", + "http-errors": "2.0.0", + "iconv-lite": "0.6.3", + "unpipe": "1.0.0" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/router": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz", + "integrity": "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==", + "dependencies": { + "debug": "^4.4.0", + "depd": "^2.0.0", + "is-promise": "^4.0.0", + "parseurl": "^1.3.3", + "path-to-regexp": "^8.0.0" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/safe-buffer": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, + "node_modules/safer-buffer": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" + }, + "node_modules/send": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/send/-/send-1.2.0.tgz", + "integrity": "sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw==", + "dependencies": { + "debug": "^4.3.5", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "mime-types": "^3.0.1", + "ms": "^2.1.3", + "on-finished": "^2.4.1", + "range-parser": "^1.2.1", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/serve-static": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.0.tgz", + "integrity": "sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ==", + "dependencies": { + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "parseurl": "^1.3.3", + "send": "^1.2.0" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/setprototypeof": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz", + "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==" + }, + "node_modules/side-channel": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz", + "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3", + "side-channel-list": "^1.0.0", + "side-channel-map": "^1.0.1", + "side-channel-weakmap": "^1.0.2" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-list": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz", + "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-map": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz", + "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-weakmap": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz", + "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3", + "side-channel-map": "^1.0.1" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/statuses": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.1.tgz", + "integrity": "sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/toidentifier": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz", + "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==", + "engines": { + "node": ">=0.6" + } + }, + "node_modules/type-is": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz", + "integrity": "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==", + "dependencies": { + "content-type": "^1.0.5", + "media-typer": "^1.1.0", + "mime-types": "^3.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/unpipe": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", + "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/vary": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz", + "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" + } + } +} diff --git a/test/nginx/mock-sentry/package.json b/test/nginx/mock-sentry/package.json new file mode 100644 index 000000000..25ab1da6d --- /dev/null +++ b/test/nginx/mock-sentry/package.json @@ -0,0 +1,9 @@ +{ + "name": "mock-http-server", + "scripts": { + "start": "node index.js" + }, + "dependencies": { + "express": "^5.1.0" + } +} diff --git a/test/nginx/nginx.test.docker-compose.yml b/test/nginx/nginx.test.docker-compose.yml index 8f79aea20..bce073912 100644 --- a/test/nginx/nginx.test.docker-compose.yml +++ b/test/nginx/nginx.test.docker-compose.yml @@ -15,7 +15,7 @@ services: - PORT=8383 sentry-mock: build: - dockerfile: mock-http-service.dockerfile + dockerfile: mock-sentry.dockerfile ports: - "443:443" environment: From 48c97e1ee5d5c465b86665e160aef891b1c94274 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 13:48:15 +0000 Subject: [PATCH 20/51] fix path --- test/nginx/mock-sentry.dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/mock-sentry.dockerfile b/test/nginx/mock-sentry.dockerfile index c1ce8e3d5..29d8f1844 100644 --- a/test/nginx/mock-sentry.dockerfile +++ b/test/nginx/mock-sentry.dockerfile @@ -7,6 +7,6 @@ RUN apt-get update \ WORKDIR /workspace -COPY ./mock-http-server . +COPY ./mock-sentry . RUN npm clean-install ENTRYPOINT ["npm", "run", "start"] From 4a5dd59d078b51a68b0dcb63540f51cc6dc2ba78 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 13:48:52 +0000 Subject: [PATCH 21/51] Add comment re sentry port --- test/nginx/nginx.test.docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/test/nginx/nginx.test.docker-compose.yml b/test/nginx/nginx.test.docker-compose.yml index bce073912..36e2dfdda 100644 --- a/test/nginx/nginx.test.docker-compose.yml +++ b/test/nginx/nginx.test.docker-compose.yml @@ -17,6 +17,7 @@ services: build: dockerfile: mock-sentry.dockerfile ports: + # Sentry port is not currently configurable in nginx config, so use default HTTPS port - "443:443" environment: - MODE=https From 77d2772716f42763ec86e50c8bfd93425ae31712 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 13:49:28 +0000 Subject: [PATCH 22/51] revert changes to mock http server --- test/nginx/mock-http-server/index.js | 75 +------------------------ test/nginx/mock-http-service.dockerfile | 5 -- 2 files changed, 2 insertions(+), 78 deletions(-) diff --git a/test/nginx/mock-http-server/index.js b/test/nginx/mock-http-server/index.js index 970515aa6..cf89779b5 100644 --- a/test/nginx/mock-http-server/index.js +++ b/test/nginx/mock-http-server/index.js @@ -1,10 +1,6 @@ -const { execSync } = require('node:child_process'); - const express = require('express'); const port = process.env.PORT || 80; -const mode = process.env.MODE || 'http'; -const httpsHost = process.env.HTTPS_HOST; const log = (...args) => console.log('[mock-http-server]', ...args); const requests = []; @@ -13,16 +9,6 @@ const app = express(); app.use((req, res, next) => { console.log(new Date(), req.method, req.originalUrl); - if(req.socket.encrypted) { - const certificate = req.socket.getCertificate(); - if(certificate) { - if(certificate.subject.CN !== httpsHost) { - // try to simulate an SNI / connection error - console.log('Bad HTTPS cert used; destroying connection...'); - return req.socket.destroy(); - } - } - } next(); }); @@ -61,63 +47,6 @@ app.get('/v1/projects', (_, res) => { res.send('OK'); })); -const server = (() => { - switch(mode) { - case 'http': return app; - case 'https': return initHttpsServer(); - default: - console.error(`Unrecognised mode: '${mode}'; should be one of http, https. Cannot start server.`); - process.exit(1); - } -})(); - -server.listen(port, () => { - log(`Listening with ${mode} on port: ${port}`, server === app); +app.listen(port, () => { + log(`Listening on port: ${port}`); }); - - -function initHttpsServer() { - if(!httpsHost) throw new Error('Env var HTTPS_HOST is required for MODE=https'); - - const { readFileSync } = require('node:fs'); - const { createServer } = require('node:https'); - const { createSecureContext } = require('node:tls'); - - const encoding = 'utf8'; - - const creds = commonName => { - const keyPath = `${commonName}-key.pem`; - const certPath = `${commonName}-cert.pem`; - - execSync( - [ - 'openssl', - 'req -x509', - '-nodes', - '-days 365', - '-newkey rsa:2048', - `-keyout ${keyPath}`, - `-out ${certPath}`, - `-subj /CN=${commonName}`, - ].join(' '), - { encoding }, - ); - - return { - key: readFileSync(keyPath, { encoding }), - cert: readFileSync(certPath, { encoding }), - }; - }; - - const goodCreds = creds(httpsHost); - - const opts = { - ...creds('localhost'), - SNICallback: (servername, cb) => { - if(servername !== httpsHost) return cb(new Error(`Unexpected SNI host: ${servername}`)); - cb(null, createSecureContext(goodCreds)); - }, - }; - - return createServer(opts, app); -} diff --git a/test/nginx/mock-http-service.dockerfile b/test/nginx/mock-http-service.dockerfile index c1ce8e3d5..de9783e3b 100644 --- a/test/nginx/mock-http-service.dockerfile +++ b/test/nginx/mock-http-service.dockerfile @@ -1,10 +1,5 @@ FROM node:22.21.0-slim -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - openssl \ - && rm -rf /var/lib/apt/lists/* - WORKDIR /workspace COPY ./mock-http-server . From 1d05f3ccb787a09963512be267b93d61c1dd3fc4 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 13:52:29 +0000 Subject: [PATCH 23/51] reduce unused stuff --- test/nginx/mock-sentry/index.js | 49 +++++---------------------------- 1 file changed, 7 insertions(+), 42 deletions(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index 970515aa6..4d9b644fa 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -2,10 +2,9 @@ const { execSync } = require('node:child_process'); const express = require('express'); -const port = process.env.PORT || 80; -const mode = process.env.MODE || 'http'; +const port = process.env.PORT || 443; const httpsHost = process.env.HTTPS_HOST; -const log = (...args) => console.log('[mock-http-server]', ...args); +const log = (...args) => console.log('[mock-sentry]', ...args); const requests = []; @@ -26,29 +25,6 @@ app.use((req, res, next) => { next(); }); -// Enketo express returns response with Vary and Cache-Control headers -app.use('/-/', (req, res, next) => { - res.set('Vary', 'Accept-Encoding'); - res.set('Cache-Control', 'public, max-age=0'); - next(); -}); - -app.get('/health', (req, res) => res.send('OK')); -app.get('/request-log', (req, res) => res.json(requests)); -app.get('/reset', (req, res) => { - requests.length = 0; - res.json('OK'); -}); - -app.get('/v1/reflect-headers', (req, res) => res.json(req.headers)); - -// Central-Backend can set Cache headers and those should have highest precedence -app.get('/v1/projects', (_, res) => { - res.set('Vary', 'Cookie'); - res.set('Cache-Control', 'private, max-age=3600'); - res.send('OK'); -}); - [ 'delete', 'get', @@ -62,21 +38,6 @@ app.get('/v1/projects', (_, res) => { })); const server = (() => { - switch(mode) { - case 'http': return app; - case 'https': return initHttpsServer(); - default: - console.error(`Unrecognised mode: '${mode}'; should be one of http, https. Cannot start server.`); - process.exit(1); - } -})(); - -server.listen(port, () => { - log(`Listening with ${mode} on port: ${port}`, server === app); -}); - - -function initHttpsServer() { if(!httpsHost) throw new Error('Env var HTTPS_HOST is required for MODE=https'); const { readFileSync } = require('node:fs'); @@ -120,4 +81,8 @@ function initHttpsServer() { }; return createServer(opts, app); -} +})(); + +server.listen(port, () => { + log(`Listening with ${mode} on port: ${port}`, server === app); +}); From 1c651a185a68e33840677a637f915c8e8bbaf519 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 13:53:03 +0000 Subject: [PATCH 24/51] simpler? --- test/nginx/mock-sentry/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index 4d9b644fa..5a71c33ad 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -84,5 +84,5 @@ const server = (() => { })(); server.listen(port, () => { - log(`Listening with ${mode} on port: ${port}`, server === app); + log(`Listening with HTTPS on port: ${port}`); }); From 619487c4507fc9190f8006239f24ce2ecd35d28f Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 13:54:41 +0000 Subject: [PATCH 25/51] simpler --- test/nginx/mock-sentry/index.js | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index 5a71c33ad..0c4a760a3 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -12,14 +12,15 @@ const app = express(); app.use((req, res, next) => { console.log(new Date(), req.method, req.originalUrl); - if(req.socket.encrypted) { - const certificate = req.socket.getCertificate(); - if(certificate) { - if(certificate.subject.CN !== httpsHost) { - // try to simulate an SNI / connection error - console.log('Bad HTTPS cert used; destroying connection...'); - return req.socket.destroy(); - } + + if(!req.socket.encrypted) return next(new Error('req.socket.encrypted was falsy')); + + const certificate = req.socket.getCertificate(); + if(certificate) { + if(certificate.subject.CN !== httpsHost) { + // try to simulate an SNI / connection error + console.log('Bad HTTPS cert used; destroying connection...'); + return req.socket.destroy(); } } next(); From 447670a1d7fc518c1f7276e5efbb10654226b007 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 13:56:16 +0000 Subject: [PATCH 26/51] parameterise tests to use other hostnames --- test/nginx/test-nginx.js | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index a6142d0ae..e6b38d528 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -619,20 +619,22 @@ describe('nginx config', () => { // No error was thrown :¬) }); - it('should reject requests without SNI host', async () => { - // given - let caught; + [ undefined, 'bad.example.test' ].forEach(servername => { + it(`should reject requests with SNI host: ${servername}`, async () => { + // given + let caught; - // when - try { - await requestWithSniHost(undefined); - } catch(err) { - caught = err; - } + // when + try { + await requestWithSniHost(undefined); + } catch(err) { + caught = err; + } - // then - assert.isOk(caught); - assert.equal(caught.code, 'ECONNRESET'); + // then + assert.isOk(caught); + assert.equal(caught.code, 'ECONNRESET'); + }); }); }); From fec386a3685bd51820578e013e9090d2adc8a7d9 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 13:59:02 +0000 Subject: [PATCH 27/51] Check sentry actually received the CSP report --- test/nginx/mock-sentry/index.js | 1 + test/nginx/test-nginx.js | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index 0c4a760a3..fcb5e326a 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -26,6 +26,7 @@ app.use((req, res, next) => { next(); }); +app.get('/request-log', (req, res) => res.json(requests)); [ 'delete', 'get', diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index e6b38d528..2ef1d2db2 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -643,12 +643,14 @@ describe('nginx config', () => { const res = await fetchHttps('/csp-report', { method: 'POST', headers: { 'Content-Type':'application/json' }, - body: JSON.stringify({}), + body: JSON.stringify({ example:1 }), }); // then assert.equal(res.status, 200); assert.equal(await res.text(), 'OK'); + // and + assertSentryReceived( { example:1 }); }); }); }); @@ -698,6 +700,12 @@ function resetBackendMock() { return resetMock(8383); } +function assertSentryReceived(...expectedRequests) { + const res = await request(`https://localhost/request-log`); + assert.isTrue(res.ok); + assert.deepEqual(expectedRequests, await res.json()); +} + async function resetMock(port) { const res = await request(`http://localhost:${port}/reset`); assert.isTrue(res.ok); From ea31312d4953322e744eb15380fd0f01de5befa5 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 13:59:47 +0000 Subject: [PATCH 28/51] assert sentry received reuqerst --- test/nginx/test-nginx.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 2ef1d2db2..ad75e687f 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -700,8 +700,8 @@ function resetBackendMock() { return resetMock(8383); } -function assertSentryReceived(...expectedRequests) { - const res = await request(`https://localhost/request-log`); +async function assertSentryReceived(...expectedRequests) { + const res = await request('https://localhost/request-log'); assert.isTrue(res.ok); assert.deepEqual(expectedRequests, await res.json()); } From 555ded57c176e059f0f855a7b15dda2a04be2668 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 14:27:53 +0000 Subject: [PATCH 29/51] add more infra --- test/nginx/mock-sentry/index.js | 37 +++++++++++++++------------ test/nginx/test-nginx.js | 45 +++++++++++++++++++++++++++------ 2 files changed, 58 insertions(+), 24 deletions(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index fcb5e326a..9062ac03b 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -9,35 +9,40 @@ const log = (...args) => console.log('[mock-sentry]', ...args); const requests = []; const app = express(); +app.use(express.json()); +app.get('/request-log', (req, res) => res.json(requests)); +app.get('/reset', (req, res) => { + requests.length = 0; + res.json('OK'); +}); +app.use('/api', (req, res, next) => { + log(new Date(), req.method, req.originalUrl); -app.use((req, res, next) => { - console.log(new Date(), req.method, req.originalUrl); - - if(!req.socket.encrypted) return next(new Error('req.socket.encrypted was falsy')); + if(!req.socket.encrypted) throw new Error('req.socket.encrypted was falsy'); const certificate = req.socket.getCertificate(); - if(certificate) { + if(!certificate) { + log('No certificate provided. That seems weird. TODO either throw here, or explain why this is expected.'); + } else { if(certificate.subject.CN !== httpsHost) { // try to simulate an SNI / connection error console.log('Bad HTTPS cert used; destroying connection...'); return req.socket.destroy(); } } + next(); }); +app.get('/api/check-cert', (req, res) => { + res.send('OK'); +}); +app.post('/api/example-sentry-project/security/', (req, res) => { + if(req.query.sentry_key !== 'example-sentry-key') throw new Error('bad sentry key!'); + + requests.push(req.body); -app.get('/request-log', (req, res) => res.json(requests)); -[ - 'delete', - 'get', - 'patch', - 'post', - 'put', - // TODO add more methods as required -].forEach(method => app[method]('/{*splat}', (req, res) => { - requests.push({ method:req.method, path:req.originalUrl }); res.send('OK'); -})); +}); const server = (() => { if(!httpsHost) throw new Error('Env var HTTPS_HOST is required for MODE=https'); diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index ad75e687f..3234d54f1 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -593,12 +593,16 @@ describe('nginx config', () => { }); describe('CSP reports', () => { + beforeEach(() => Promise.all([ + resetSentryMock(), + ])); + describe('Sentry behaviour', () => { // These tests are a control to demonstrate that the local fake Sentry is // behaving similarly to sentry.io. const requestWithSniHost = servername => new Promise((resolve, reject) => { - const opts = { hostname:'127.0.0.1', servername }; + const opts = { hostname:'127.0.0.1', servername, path:'/api/check-cert' }; const req = https.request(opts, res => { res.on('data', () => {}); // ensure response stream is consumed @@ -650,8 +654,39 @@ describe('nginx config', () => { assert.equal(res.status, 200); assert.equal(await res.text(), 'OK'); // and - assertSentryReceived( { example:1 }); + await assertSentryReceived({ example:1 }); }); + + async function resetSentryMock() { + const res = await requestSentryMock('/reset'); + assert.isTrue(res.ok); + } + async function assertSentryReceived(...expectedRequests) { + const { ok, body } = await requestSentryMock('/request-log'); + assert.isTrue(ok); + assert.deepEqual(expectedRequests, JSON.parse(body)); + } + function requestSentryMock(path) { + return new Promise((resolve, reject) => { + const req = https.request( + { path, servername:'o-fake-dsn.ingest.sentry.io' }, + res => { + let body = ''; + res.on('data', data => body += data); // ensure response stream is consumed + res.on('end', () => { + try { + resolve({ ok:res.statusCode === 200, body }); + } catch(err) { + reject(err); + } + }); + res.on('error', reject); + }, + ); + req.on('error', reject); + req.end(); + }); + } }); }); @@ -700,12 +735,6 @@ function resetBackendMock() { return resetMock(8383); } -async function assertSentryReceived(...expectedRequests) { - const res = await request('https://localhost/request-log'); - assert.isTrue(res.ok); - assert.deepEqual(expectedRequests, await res.json()); -} - async function resetMock(port) { const res = await request(`http://localhost:${port}/reset`); assert.isTrue(res.ok); From 975129341854f972526d212f9ba4aaa78e022299 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 14:29:57 +0000 Subject: [PATCH 30/51] die if no cert --- test/nginx/mock-sentry/index.js | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index 9062ac03b..c792a4931 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -22,13 +22,17 @@ app.use('/api', (req, res, next) => { const certificate = req.socket.getCertificate(); if(!certificate) { - log('No certificate provided. That seems weird. TODO either throw here, or explain why this is expected.'); - } else { - if(certificate.subject.CN !== httpsHost) { - // try to simulate an SNI / connection error - console.log('Bad HTTPS cert used; destroying connection...'); - return req.socket.destroy(); - } + log(` + !!! No certificate found at all. + !!! This is completely unexpected. Server will be terminated immediately. + `); + process.exit(1); + } + + if(certificate.subject.CN !== httpsHost) { + // try to simulate an SNI / connection error + console.log('Bad HTTPS cert used; destroying connection...'); + return req.socket.destroy(); } next(); From 848b38b17ec75c1d201cc9a98b40920c70da2c69 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 14:30:57 +0000 Subject: [PATCH 31/51] neater --- test/nginx/mock-sentry/index.js | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index c792a4931..a11bd009b 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -37,9 +37,7 @@ app.use('/api', (req, res, next) => { next(); }); -app.get('/api/check-cert', (req, res) => { - res.send('OK'); -}); +app.get('/api/check-cert', (req, res) => res.send('OK')); app.post('/api/example-sentry-project/security/', (req, res) => { if(req.query.sentry_key !== 'example-sentry-key') throw new Error('bad sentry key!'); From fa3acce174dc50e87697516416c5a110414451ef Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 14:38:11 +0000 Subject: [PATCH 32/51] more comment --- test/nginx/test-nginx.js | 40 ++++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 3234d54f1..f4aebbc32 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -593,27 +593,19 @@ describe('nginx config', () => { }); describe('CSP reports', () => { + // servername is used to send + // See: https://nodejs.org/api/https.html#new-agentoptions + beforeEach(() => Promise.all([ resetSentryMock(), ])); - describe('Sentry behaviour', () => { + describe('Sentry behaviour with unexpected SNI values', () => { // These tests are a control to demonstrate that the local fake Sentry is - // behaving similarly to sentry.io. - - const requestWithSniHost = servername => new Promise((resolve, reject) => { - const opts = { hostname:'127.0.0.1', servername, path:'/api/check-cert' }; - - const req = https.request(opts, res => { - res.on('data', () => {}); // ensure response stream is consumed - res.on('end', resolve); - res.on('error', reject); - }); - - req.on('error', reject); - - req.end(); - }); + // behaving similarly to sentry.io, which rejects requests which contain + // an unexpected hostname in the Server Name Indiciation (SNI) extension + // during TLS/HTTPS handshake. + // See: https://en.wikipedia.org/wiki/Server_Name_Indication it('should accept requests with correct SNI host', async () => { // when @@ -640,6 +632,22 @@ describe('nginx config', () => { assert.equal(caught.code, 'ECONNRESET'); }); }); + + function requestWithSniHost(servername) { + return new Promise((resolve, reject) => { + const opts = { servername, path:'/api/check-cert' }; + + const req = https.request(opts, res => { + res.on('data', () => {}); // ensure response stream is consumed + res.on('end', resolve); + res.on('error', reject); + }); + + req.on('error', reject); + + req.end(); + }); + } }); it('/csp-report should successfully forward requests to Sentry', async () => { From 54d2fc58c6497c56b42eabb19a9301ab67ffee29 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 14:50:16 +0000 Subject: [PATCH 33/51] tidy --- test/nginx/test-nginx.js | 48 +++++++++++++++------------------------- 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index f4aebbc32..821ddb7f7 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -593,9 +593,6 @@ describe('nginx config', () => { }); describe('CSP reports', () => { - // servername is used to send - // See: https://nodejs.org/api/https.html#new-agentoptions - beforeEach(() => Promise.all([ resetSentryMock(), ])); @@ -609,20 +606,20 @@ describe('nginx config', () => { it('should accept requests with correct SNI host', async () => { // when - await requestWithSniHost('o-fake-dsn.ingest.sentry.io'); + await requestSentryMock({ servername:'o-fake-dsn.ingest.sentry.io' }); // then // No error was thrown :¬) }); - [ undefined, 'bad.example.test' ].forEach(servername => { - it(`should reject requests with SNI host: ${servername}`, async () => { + [ '', 'bad.example.test' ].forEach(servername => { + it(`should reject requests with SNI host: "${servername}"`, async () => { // given let caught; // when try { - await requestWithSniHost(undefined); + await requestSentryMock({ servername }); } catch(err) { caught = err; } @@ -632,22 +629,6 @@ describe('nginx config', () => { assert.equal(caught.code, 'ECONNRESET'); }); }); - - function requestWithSniHost(servername) { - return new Promise((resolve, reject) => { - const opts = { servername, path:'/api/check-cert' }; - - const req = https.request(opts, res => { - res.on('data', () => {}); // ensure response stream is consumed - res.on('end', resolve); - res.on('error', reject); - }); - - req.on('error', reject); - - req.end(); - }); - } }); it('/csp-report should successfully forward requests to Sentry', async () => { @@ -666,24 +647,31 @@ describe('nginx config', () => { }); async function resetSentryMock() { - const res = await requestSentryMock('/reset'); - assert.isTrue(res.ok); + const res = await requestSentryMock({ path:'/reset' }); + assert.equal(res.status, 200); } async function assertSentryReceived(...expectedRequests) { - const { ok, body } = await requestSentryMock('/request-log'); - assert.isTrue(ok); + const { status, body } = await requestSentryMock({ path:'/request-log' }); + assert.equal(status, 200); assert.deepEqual(expectedRequests, JSON.parse(body)); } - function requestSentryMock(path) { + function requestSentryMock(opts) { + // servername: SNI extension value - https://nodejs.org/api/https.html#new-agentoptions + const { + method = 'GET', + path = '/api/check-cert', + servername = 'o-fake-dsn.ingest.sentry.io', + } = opts; + return new Promise((resolve, reject) => { const req = https.request( - { path, servername:'o-fake-dsn.ingest.sentry.io' }, + { method, path, servername }, res => { let body = ''; res.on('data', data => body += data); // ensure response stream is consumed res.on('end', () => { try { - resolve({ ok:res.statusCode === 200, body }); + resolve({ status:res.statusCode, body }); } catch(err) { reject(err); } From e5595e99951906c469c3e9044747421cde170a02 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 14:51:22 +0000 Subject: [PATCH 34/51] rename reports --- test/nginx/mock-sentry/index.js | 8 ++++---- test/nginx/test-nginx.js | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index a11bd009b..ab682cfc2 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -6,13 +6,13 @@ const port = process.env.PORT || 443; const httpsHost = process.env.HTTPS_HOST; const log = (...args) => console.log('[mock-sentry]', ...args); -const requests = []; +const reports = []; const app = express(); app.use(express.json()); -app.get('/request-log', (req, res) => res.json(requests)); +app.get('/report-log', (req, res) => res.json(reports)); app.get('/reset', (req, res) => { - requests.length = 0; + reports.length = 0; res.json('OK'); }); app.use('/api', (req, res, next) => { @@ -41,7 +41,7 @@ app.get('/api/check-cert', (req, res) => res.send('OK')); app.post('/api/example-sentry-project/security/', (req, res) => { if(req.query.sentry_key !== 'example-sentry-key') throw new Error('bad sentry key!'); - requests.push(req.body); + reports.push(req.body); res.send('OK'); }); diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 821ddb7f7..17e7b5b50 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -651,7 +651,7 @@ describe('nginx config', () => { assert.equal(res.status, 200); } async function assertSentryReceived(...expectedRequests) { - const { status, body } = await requestSentryMock({ path:'/request-log' }); + const { status, body } = await requestSentryMock({ path:'/report-log' }); assert.equal(status, 200); assert.deepEqual(expectedRequests, JSON.parse(body)); } From a4af3722ddd249867976f688322cb1ae22dec81f Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:06:09 +0000 Subject: [PATCH 35/51] assert errors too --- test/nginx/mock-sentry/index.js | 42 ++++++++++++++++++++------------- test/nginx/test-nginx.js | 26 +++++++++++++++++--- 2 files changed, 49 insertions(+), 19 deletions(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index ab682cfc2..a7572bdb9 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -6,32 +6,29 @@ const port = process.env.PORT || 443; const httpsHost = process.env.HTTPS_HOST; const log = (...args) => console.log('[mock-sentry]', ...args); -const reports = []; +const events = []; const app = express(); app.use(express.json()); -app.get('/report-log', (req, res) => res.json(reports)); +app.get('/event-log', (req, res) => res.json(events)); app.get('/reset', (req, res) => { - reports.length = 0; + events.length = 0; res.json('OK'); }); app.use('/api', (req, res, next) => { log(new Date(), req.method, req.originalUrl); - if(!req.socket.encrypted) throw new Error('req.socket.encrypted was falsy'); + if(!req.socket.encrypted) fatalError('req.socket.encrypted was falsy'); const certificate = req.socket.getCertificate(); - if(!certificate) { - log(` - !!! No certificate found at all. - !!! This is completely unexpected. Server will be terminated immediately. - `); - process.exit(1); - } + if(!certificate) fatalError('No certificate found at all.'); - if(certificate.subject.CN !== httpsHost) { + const { CN } = certificate.subject; + if(CN !== httpsHost) { + const error = `Server cert had unexpected CN: '${CN}'`; + events.push({ error }); + log(error); // try to simulate an SNI / connection error - console.log('Bad HTTPS cert used; destroying connection...'); return req.socket.destroy(); } @@ -41,7 +38,7 @@ app.get('/api/check-cert', (req, res) => res.send('OK')); app.post('/api/example-sentry-project/security/', (req, res) => { if(req.query.sentry_key !== 'example-sentry-key') throw new Error('bad sentry key!'); - reports.push(req.body); + events.push({ report:req.body }); res.send('OK'); }); @@ -82,9 +79,14 @@ const server = (() => { const goodCreds = creds(httpsHost); const opts = { - ...creds('localhost'), + ...creds('default'), SNICallback: (servername, cb) => { - if(servername !== httpsHost) return cb(new Error(`Unexpected SNI host: ${servername}`)); + if(servername !== httpsHost) { + const error = `SNICallback: rejecting unexpected servername: ${servername}`; + log(error); + events.push({ error }); + return cb(new Error(error)); + } cb(null, createSecureContext(goodCreds)); }, }; @@ -95,3 +97,11 @@ const server = (() => { server.listen(port, () => { log(`Listening with HTTPS on port: ${port}`); }); + +function fatalError(description) { + log(` + !!! ${description} + !!! This is completely unexpected. Server will be terminated immediately. + `); + process.exit(1); +} diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 17e7b5b50..0860c7383 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -612,7 +612,25 @@ describe('nginx config', () => { // No error was thrown :¬) }); - [ '', 'bad.example.test' ].forEach(servername => { + it('should reject requests without SNI host', async () => { + // given + let caught; + + // when + try { + await requestSentryMock({ servername:'' }); + } catch(err) { + caught = err; + } + + // then + assert.isOk(caught); + assert.equal(caught.code, 'ECONNRESET'); + // and + await assertSentryReceived({ error:`Server cert had unexpected CN: 'default'` }); + }); + + [ 'bad.example.test' ].forEach(servername => { it(`should reject requests with SNI host: "${servername}"`, async () => { // given let caught; @@ -627,6 +645,8 @@ describe('nginx config', () => { // then assert.isOk(caught); assert.equal(caught.code, 'ECONNRESET'); + // and + await assertSentryReceived({ error:`SNICallback: rejecting unexpected servername: ${servername}` }); }); }); }); @@ -643,7 +663,7 @@ describe('nginx config', () => { assert.equal(res.status, 200); assert.equal(await res.text(), 'OK'); // and - await assertSentryReceived({ example:1 }); + await assertSentryReceived({ report:{ example:1 } }); }); async function resetSentryMock() { @@ -651,7 +671,7 @@ describe('nginx config', () => { assert.equal(res.status, 200); } async function assertSentryReceived(...expectedRequests) { - const { status, body } = await requestSentryMock({ path:'/report-log' }); + const { status, body } = await requestSentryMock({ path:'/event-log' }); assert.equal(status, 200); assert.deepEqual(expectedRequests, JSON.parse(body)); } From 5c918c557e699b6404f66ee15940a75ab23355a5 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:07:50 +0000 Subject: [PATCH 36/51] tidy --- test/nginx/mock-sentry/index.js | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index a7572bdb9..bd482db64 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -7,6 +7,10 @@ const httpsHost = process.env.HTTPS_HOST; const log = (...args) => console.log('[mock-sentry]', ...args); const events = []; +const logErrorEvent(error) { + log('ERROR', error); + events.push({ error }); +} const app = express(); app.use(express.json()); @@ -25,9 +29,7 @@ app.use('/api', (req, res, next) => { const { CN } = certificate.subject; if(CN !== httpsHost) { - const error = `Server cert had unexpected CN: '${CN}'`; - events.push({ error }); - log(error); + logErrorEvent(`Server cert had unexpected CN: '${CN}'`); // try to simulate an SNI / connection error return req.socket.destroy(); } @@ -83,8 +85,7 @@ const server = (() => { SNICallback: (servername, cb) => { if(servername !== httpsHost) { const error = `SNICallback: rejecting unexpected servername: ${servername}`; - log(error); - events.push({ error }); + logErrorEvent(error); return cb(new Error(error)); } cb(null, createSecureContext(goodCreds)); From 1c0d4f21f61602f6b05378793986b6e0669e777c Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:08:10 +0000 Subject: [PATCH 37/51] wip --- test/nginx/mock-sentry/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index bd482db64..f885bb309 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -7,7 +7,7 @@ const httpsHost = process.env.HTTPS_HOST; const log = (...args) => console.log('[mock-sentry]', ...args); const events = []; -const logErrorEvent(error) { +const logErrorEvent = error => { log('ERROR', error); events.push({ error }); } From 0377eb7dee86adf8a99c4b0ca1c724ffc6f77b7f Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:08:27 +0000 Subject: [PATCH 38/51] fix --- test/nginx/mock-sentry/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index f885bb309..cb48c9550 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -10,7 +10,7 @@ const events = []; const logErrorEvent = error => { log('ERROR', error); events.push({ error }); -} +}; const app = express(); app.use(express.json()); From 9d60707bb66125f0496658d91688219243a7252a Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:10:57 +0000 Subject: [PATCH 39/51] more commentary --- test/nginx/test-nginx.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 0860c7383..89fb1ab3a 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -670,11 +670,15 @@ describe('nginx config', () => { const res = await requestSentryMock({ path:'/reset' }); assert.equal(res.status, 200); } + async function assertSentryReceived(...expectedRequests) { const { status, body } = await requestSentryMock({ path:'/event-log' }); assert.equal(status, 200); assert.deepEqual(expectedRequests, JSON.parse(body)); } + + // This function makes DIRECT requests to sentry-mock. IRL these requests + // would be performed by nginx when a client POSTs to /csp-report. function requestSentryMock(opts) { // servername: SNI extension value - https://nodejs.org/api/https.html#new-agentoptions const { From 2aa2f22cb493a9703566357eede68578e1d4ca84 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:12:25 +0000 Subject: [PATCH 40/51] coment SNICallback --- test/nginx/mock-sentry/index.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index cb48c9550..7dda4cd30 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -82,6 +82,8 @@ const server = (() => { const opts = { ...creds('default'), + // SNICallback is called IFF the client sends an SNI extension in the TLS handshake. + // See: https://nodejs.org/api/tls.html#tlscreateserveroptions-secureconnectionlistener SNICallback: (servername, cb) => { if(servername !== httpsHost) { const error = `SNICallback: rejecting unexpected servername: ${servername}`; From 71065e671897d7094bc595ebe4612028e99d1ecf Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:13:46 +0000 Subject: [PATCH 41/51] move requires to top --- test/nginx/mock-sentry/index.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index 7dda4cd30..a55b72d1d 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -1,4 +1,8 @@ const { execSync } = require('node:child_process'); +const { readFileSync } = require('node:fs'); +const { createServer } = require('node:https'); +const { createSecureContext } = require('node:tls'); + const express = require('express'); @@ -48,10 +52,6 @@ app.post('/api/example-sentry-project/security/', (req, res) => { const server = (() => { if(!httpsHost) throw new Error('Env var HTTPS_HOST is required for MODE=https'); - const { readFileSync } = require('node:fs'); - const { createServer } = require('node:https'); - const { createSecureContext } = require('node:tls'); - const encoding = 'utf8'; const creds = commonName => { From ec2c0d5f2e0bcf2216d6bcd3b6f191f585df7403 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:16:48 +0000 Subject: [PATCH 42/51] handle bad API key better --- test/nginx/mock-sentry/index.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index a55b72d1d..f57ef13ec 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -42,7 +42,11 @@ app.use('/api', (req, res, next) => { }); app.get('/api/check-cert', (req, res) => res.send('OK')); app.post('/api/example-sentry-project/security/', (req, res) => { - if(req.query.sentry_key !== 'example-sentry-key') throw new Error('bad sentry key!'); + const { sentry_key } = req.query; + if(sentry_key !== 'example-sentry-key') { + logError(`Bad sentry API key received: '${sentry_key}'`); + return res.sendStatus(403); + } events.push({ report:req.body }); From 8afb2c03569908f13cebe4d997765df5c3787f78 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:17:48 +0000 Subject: [PATCH 43/51] change test order --- test/nginx/test-nginx.js | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 89fb1ab3a..fc3891ecc 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -597,6 +597,21 @@ describe('nginx config', () => { resetSentryMock(), ])); + it('/csp-report should successfully forward requests to Sentry', async () => { + // when + const res = await fetchHttps('/csp-report', { + method: 'POST', + headers: { 'Content-Type':'application/json' }, + body: JSON.stringify({ example:1 }), + }); + + // then + assert.equal(res.status, 200); + assert.equal(await res.text(), 'OK'); + // and + await assertSentryReceived({ report:{ example:1 } }); + }); + describe('Sentry behaviour with unexpected SNI values', () => { // These tests are a control to demonstrate that the local fake Sentry is // behaving similarly to sentry.io, which rejects requests which contain @@ -651,21 +666,6 @@ describe('nginx config', () => { }); }); - it('/csp-report should successfully forward requests to Sentry', async () => { - // when - const res = await fetchHttps('/csp-report', { - method: 'POST', - headers: { 'Content-Type':'application/json' }, - body: JSON.stringify({ example:1 }), - }); - - // then - assert.equal(res.status, 200); - assert.equal(await res.text(), 'OK'); - // and - await assertSentryReceived({ report:{ example:1 } }); - }); - async function resetSentryMock() { const res = await requestSentryMock({ path:'/reset' }); assert.equal(res.status, 200); From ead44e0d3b5645f03e6abc7d2fe5f2c3c73aa4e6 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:18:15 +0000 Subject: [PATCH 44/51] outdated comment --- test/nginx/test-nginx.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index fc3891ecc..61336bc23 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -692,7 +692,7 @@ describe('nginx config', () => { { method, path, servername }, res => { let body = ''; - res.on('data', data => body += data); // ensure response stream is consumed + res.on('data', data => body += data); res.on('end', () => { try { resolve({ status:res.statusCode, body }); From 46e6d0a7a782506f4fec80922b9d0e8dfc9fbe90 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:19:21 +0000 Subject: [PATCH 45/51] simplify end() --- test/nginx/test-nginx.js | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 61336bc23..0e5349768 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -693,13 +693,7 @@ describe('nginx config', () => { res => { let body = ''; res.on('data', data => body += data); - res.on('end', () => { - try { - resolve({ status:res.statusCode, body }); - } catch(err) { - reject(err); - } - }); + res.on('end', () => resolve({ status:res.statusCode, body })); res.on('error', reject); }, ); From d6d592a4a8a9d2781b9cf8e0582d7d60f4f7c96d Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:19:43 +0000 Subject: [PATCH 46/51] fix --- test/nginx/mock-sentry/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/mock-sentry/index.js b/test/nginx/mock-sentry/index.js index f57ef13ec..19777953f 100644 --- a/test/nginx/mock-sentry/index.js +++ b/test/nginx/mock-sentry/index.js @@ -44,7 +44,7 @@ app.get('/api/check-cert', (req, res) => res.send('OK')); app.post('/api/example-sentry-project/security/', (req, res) => { const { sentry_key } = req.query; if(sentry_key !== 'example-sentry-key') { - logError(`Bad sentry API key received: '${sentry_key}'`); + logErrorEvent(`Bad sentry API key received: '${sentry_key}'`); return res.sendStatus(403); } From 567026ece3d03927b79fbaa1701f476921a12eb4 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:21:29 +0000 Subject: [PATCH 47/51] name --- test/nginx/test-nginx.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 0e5349768..36bae6acf 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -597,7 +597,7 @@ describe('nginx config', () => { resetSentryMock(), ])); - it('/csp-report should successfully forward requests to Sentry', async () => { + it('POST /csp-report should forward requests to Sentry', async () => { // when const res = await fetchHttps('/csp-report', { method: 'POST', From b0034b5f01eb68ec2859e522446019241208ff68 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:23:21 +0000 Subject: [PATCH 48/51] update comments --- test/nginx/test-nginx.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 36bae6acf..8714aaa34 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -614,9 +614,9 @@ describe('nginx config', () => { describe('Sentry behaviour with unexpected SNI values', () => { // These tests are a control to demonstrate that the local fake Sentry is - // behaving similarly to sentry.io, which rejects requests which contain - // an unexpected hostname in the Server Name Indiciation (SNI) extension - // during TLS/HTTPS handshake. + // behaving similarly to sentry.io, which rejects requests which do not + // include a Server Name Indiciation (SNI) extension during TLS/HTTPS. + // We also test for an unexpected value in the SNI extension. // See: https://en.wikipedia.org/wiki/Server_Name_Indication it('should accept requests with correct SNI host', async () => { From 589f3bc6ad51c4ebe01a71579dea3e5daa45870c Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:24:33 +0000 Subject: [PATCH 49/51] lol --- test/nginx/test-nginx.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 8714aaa34..6579c9159 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -678,7 +678,9 @@ describe('nginx config', () => { } // This function makes DIRECT requests to sentry-mock. IRL these requests - // would be performed by nginx when a client POSTs to /csp-report. + // would be performed by nginx when a client POSTs to /csp-report. This + // function is for used in test setup/assertions, except when confirming the + // behaviour of the mock Sentry implementation. function requestSentryMock(opts) { // servername: SNI extension value - https://nodejs.org/api/https.html#new-agentoptions const { From 9529a717150a9eaeb16bc0cd208527d49f61c7a9 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:28:19 +0000 Subject: [PATCH 50/51] remove unused method parma --- test/nginx/test-nginx.js | 1 - 1 file changed, 1 deletion(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 6579c9159..179840ffb 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -684,7 +684,6 @@ describe('nginx config', () => { function requestSentryMock(opts) { // servername: SNI extension value - https://nodejs.org/api/https.html#new-agentoptions const { - method = 'GET', path = '/api/check-cert', servername = 'o-fake-dsn.ingest.sentry.io', } = opts; From 681dce18b7182a8a8b59cc2f84b21209a97b8132 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 26 Nov 2025 15:29:34 +0000 Subject: [PATCH 51/51] lint --- test/nginx/test-nginx.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/nginx/test-nginx.js b/test/nginx/test-nginx.js index 179840ffb..44d93dba6 100644 --- a/test/nginx/test-nginx.js +++ b/test/nginx/test-nginx.js @@ -690,7 +690,7 @@ describe('nginx config', () => { return new Promise((resolve, reject) => { const req = https.request( - { method, path, servername }, + { path, servername }, res => { let body = ''; res.on('data', data => body += data);