chore: configure proxy acceptance tests for linux amd64 builds

.circleci/config.yml

@@ -105,6 +105,10 @@ executors:
     docker:
       - image: mcr.microsoft.com/cbl-mariner/base/python:3.9.14-6-cm2.0.20230805-arm64
     resource_class: arm.medium
+  cci-ubuntu-machine:
+    machine:
+      image: ubuntu-2204:2024.01.1
+    resource_class: medium
 
 commands:
   install-go:
@@ -494,6 +498,33 @@ workflows:
           executor: docker-amd64
           test_snyk_command: ./binary-releases/snyk-linux
 
+      - acceptance-test-with-proxy:
+          name: acceptance-tests-with-proxy linux amd64
+          executor: cci-ubuntu-machine
+          test_snyk_command: ./binary-releases/snyk-linux
+          context:
+            - nodejs-install
+            - team_hammerhead-cli
+          filters:
+            branches:
+              ignore: main
+          requires:
+            - build linux amd64
+
+      - acceptance-test-with-proxy:
+          name: acceptance-tests-with-proxy fips linux amd64
+          executor: cci-ubuntu-machine
+          test_snyk_command: ./binary-releases/fips/snyk-linux
+          fips: 1
+          context:
+            - nodejs-install
+            - team_hammerhead-cli
+          filters:
+            branches:
+              ignore: main
+          requires:
+            - build linux amd64
+
       - acceptance-tests:
           name: acceptance-tests linux arm64
           context:
@@ -987,6 +1018,34 @@ jobs:
             TEST_SNYK_COMMAND: << parameters.test_snyk_command >>
             TEST_SNYK_DONT_SKIP_ANYTHING: << parameters.dont_skip_tests >>
 
+  acceptance-test-with-proxy:
+    parameters:
+      test_snyk_command:
+        type: string
+      executor:
+        type: string
+      fips:
+        type: integer
+        default: 0
+      dont_skip_tests:
+        type: integer
+        default: 1
+      install_deps_extension:
+        type: string
+        default: 'noop'
+      pre_test_cmds:
+        type: string
+        default: 'echo Running tests'
+    executor: << parameters.executor >>
+    environment:
+      TEST_SNYK_COMMAND: << parameters.test_snyk_command >>
+    steps:
+      - prepare-workspace
+      - install-deps-<< parameters.install_deps_extension >>
+      - run:
+          name: Run proxy tests
+          command: make acceptance-test-with-proxy
+
   regression-tests:
     parameters:
       test_snyk_command:

.github/workflows/create-test-image.yml

@@ -0,0 +1,19 @@
+name: Create Test Image
+
+on:
+  schedule:
+    - cron: '0 4 * * 2'
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: docker/setup-buildx-action@v2
+      - name: Build Docker image
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_BUILDKIT: 1
+        run: scripts/create-test-image.sh

Makefile

@@ -10,6 +10,7 @@ export SHELL=/bin/bash
 WORKING_DIR = $(CURDIR)
 PKG := npx pkg ./ --compress Brotli --options max_old_space_size=32768
 PKG_NODE_VERSION := $(shell head -1 .nvmrc | cut -f1 -d '.')
+ARCH :=$(shell arch)
 BINARY_WRAPPER_DIR = ts-binary-wrapper
 EXTENSIBLE_CLI_DIR = cliv2
 BINARY_RELEASES_FOLDER_TS_CLI = binary-releases
@@ -247,9 +248,10 @@ clean-golang:
 .PHONY: acceptance-test-with-proxy
 acceptance-test-with-proxy: pre-build
 	@echo "-- Running acceptance tests in a proxied environment"
-	@docker build -t acceptance-test-with-proxy -f ./test/acceptance/environments/proxy/Dockerfile .
-	@docker run --rm --cap-add=NET_ADMIN acceptance-test-with-proxy ./node_modules/.bin/jest ./ts-binary-wrapper/test/acceptance/basic.spec.ts
-# TODO: Run all acceptance tests behind a proxy using npm run test:acceptance
+# TODO: docker buildx step can be removed once https://github.com/snyk/cli/pull/5079 is merged and we deploy a test image defined in ./scriptes/create-test-image.sh
+	@docker buildx build --build-arg NODEVERSION=$(PKG_NODE_VERSION) --build-arg ARCH=$(ARCH) -t acceptance-test-with-proxy -f ./scripts/environments/proxy/Dockerfile .
+# TODO: 'acceptance-test-with-proxy' needs to be replaced with the deployed test image defined in ./scriptes/create-test-image.sh
+	@docker run --rm --cap-add=NET_ADMIN --env "TEST_SNYK_COMMAND=$(TEST_SNYK_COMMAND)" --env "TEST_SNYK_TOKEN=$(TEST_SNYK_TOKEN)" acceptance-test-with-proxy npm run test:acceptance
 
 # targets responsible for the CLI release
 .PHONY: release-pre

scripts/create-test-image.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -exuo pipefail # ensures that the script exits on any error, and that all commands are printed before they are executed
+
+# This script is used for building Docker images which in turn build the CLI.
+# It sets up the environment, logs into Docker, and builds images for different architectures.
+
+# Before running the script, ensure DOCKER_USERNAME and DOCKER_PASSWORD environment variables are set.
+# Example usage:
+#   export DOCKER_USERNAME=<your-docker-hub-username>
+#   export DOCKER_PASSWORD=<a-docker-hub-personal-access-token>
+#   ./scripts/create-test-image.sh
+
+# Determine the directory where the script is located.
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+NOW=$(date "+%Y%m%d-%H%M%S")
+
+
+pushd "$SCRIPT_DIR/.."
+  NODEVERSION=$(head -1 .nvmrc)
+  export NODEVERSION
+
+  docker login -u "$DOCKER_USERNAME" -p "$DOCKER_PASSWORD"
+
+  BASE_IMG_NAME=$DOCKER_USERNAME/cli-test
+  docker buildx build \
+    --build-arg NODEVERSION="$NODEVERSION" \
+    --build-arg ARCH="x86_64" \
+    --platform linux/amd64 \
+    --tag "$BASE_IMG_NAME":$NOW \
+    --tag "$BASE_IMG_NAME":latest \
+    --push \
+    --file ./scripts/environments/proxy/Dockerfile .
+
+  BASE_IMG_NAME=$DOCKER_USERNAME/cli-test-arm64
+  docker buildx build \
+    --build-arg NODEVERSION="$NODEVERSION" \
+    --build-arg ARCH="aarch64" \
+    --platform linux/arm64 \
+    --tag "$BASE_IMG_NAME":$NOW \
+    --tag "$BASE_IMG_NAME":latest \
+    --push \
+    --file ./scripts/environments/proxy/Dockerfile .
+
+popd

scripts/environments/proxy/Dockerfile

@@ -0,0 +1,121 @@
+# Copyright 2022-2023 Snyk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM --platform=$TARGETPLATFORM golang:1.20-bullseye
+
+# install "normal" stuff
+
+ARG NODEVERSION
+ARG ARCH
+
+RUN echo "Required Node version: $NODEVERSION"
+RUN curl -sL https://deb.nodesource.com/setup_$(echo $NODEVERSION | cut -f1 -d '.').x | bash -
+RUN apt-get update
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    sudo \
+    musl-tools \
+    git \
+    vim \
+    make \
+    maven \
+    gradle \
+    apt-transport-https \
+    curl \
+    gnupg \
+    -yqq \
+    elixir \
+    composer \
+    jq \
+    faketime \
+    zip \
+    nodejs=$(apt-cache policy nodejs | grep nodesource | xargs | cut -d " " -f2) \
+    # convco deps
+    cmake \
+    # python deps
+    python3 \
+    python3-pip \
+    python-is-python3 \
+    python3-requests \
+    python3-yaml \
+    pipenv \
+    # proxy deps
+    squid \
+    traceroute \
+    net-tools \
+    iptables
+
+RUN node -v
+RUN apt-get auto-remove -y && apt-get clean -y && rm -rf /var/lib/apt/
+
+# install aws cli
+ADD .circleci/awscli-publickey.pub awscli-publickey.pub
+RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-$ARCH.zip" -o "awscliv2.zip"
+RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-$ARCH.zip.sig" -o "awscliv2.sig"
+RUN gpg --import awscli-publickey.pub
+RUN gpg --verify awscliv2.sig awscliv2.zip
+RUN unzip awscliv2.zip
+RUN sudo ./aws/install
+RUN rm -rf "awscli*"
+
+RUN useradd circleci --create-home
+RUN echo "circleci ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+# install snyk
+RUN mkdir -p /app
+RUN mkdir -p /target/global-logging
+COPY . /app
+RUN rm -rf /app/build /app/.bin
+RUN cp /app/scripts/environments/proxy/entrypoint.sh /bin
+RUN chmod +x /bin/entrypoint.sh
+RUN chmod 777 /app && chown -R circleci /app
+
+RUN /app/scripts/install-swift.sh $ARCH
+ENV PATH=/usr/local/swift/usr/bin:$PATH
+
+# install openssl3
+RUN /app/scripts/install_openssl3_fips.sh /app/
+ENV PATH=/usr/local/bin/:$PATH
+ENV LD_LIBRARY_PATH=/usr/local/lib/
+
+RUN update-alternatives --set iptables /usr/sbin/iptables-legacy
+USER circleci
+
+# install deps
+RUN cd /app && npm install
+
+# install java & scala
+RUN curl -s "https://get.sdkman.io" | bash
+RUN /app/scripts/jvm-install.sh
+ENV PATH=/home/circleci/.sdkman/candidates/scala/current/bin:/home/circleci/.sdkman/candidates/sbt/current/bin:/home/circleci/.sdkman/candidates/java/current/bin:$PATH
+
+# install dotnet
+RUN curl -sSL https://dot.net/v1/dotnet-install.sh | bash /dev/stdin --channel 8.0
+ENV PATH=/home/circleci/.dotnet:$PATH
+ENV TEMP=/tmp
+ENV TMP=$TEMP
+ENV TMPDIR=$TEMP
+
+# install rust and convco
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+RUN ~/.cargo/bin/cargo install convco
+ENV PATH=/home/circleci/.cargo/bin:$PATH
+
+# setup proxy
+ENV http_proxy="http://localhost:3128"
+ENV https_proxy="http://localhost:3128"
+ENV no_proxy "localhost,127.0.0.1"
+RUN env
+
+WORKDIR /app
+ENTRYPOINT ["/bin/entrypoint.sh"]

scripts/install_openssl3_fips.sh

@@ -1,6 +1,8 @@
 #!/usr/bin/env bash
 set -ex
 
+APP_PATH="${1:-}"
+
 git clone https://github.com/openssl/openssl.git
 
 pushd .
@@ -12,7 +14,7 @@ export PATH=/usr/local/bin/:$PATH
 export LD_LIBRARY_PATH=/usr/local/lib/
 popd
 
-cp scripts/openssl.cnf /usr/local/ssl/openssl_fips_enabled.cnf
+cp ${APP_PATH}scripts/openssl.cnf /usr/local/ssl/openssl_fips_enabled.cnf
 chmod +r /usr/local/ssl/openssl_fips_enabled.cnf
 
 openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so

test/jest/acceptance/iac/helpers.ts

@@ -21,6 +21,7 @@ export async function startMockServer() {
   const SNYK_API = SNYK_HOST + BASE_API;
 
   const env: Record<string, string> = {
+    ...process.env,
     PATH: process.env.PATH ?? '',
     SNYK_TOKEN,
     SNYK_API,