PerimeterX · guyeisenbach · Feb 18, 2024 · Feb 18, 2024 · Feb 18, 2024 · Feb 20, 2024
diff --git a/.github/workflows/ci_e2e.yaml b/.github/workflows/ci_e2e.yaml
@@ -0,0 +1,147 @@
+name: E2E Tests
+
+on:
+  pull_request
+
+jobs:
+
+  extract_metadata:
+    runs-on: ubuntu-latest
+    name: Extract supported_features
+    outputs:
+      supported-features: ${{ steps.supported-features.outputs.value }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.x'
+      - name: extract supported features
+        id: supported-features
+        run: echo "value=$(node -p -e "require('./px_metadata.json').supported_features?.join(' or ') || ''")" >> "$GITHUB_OUTPUT"
+
+
+  CI:
+    name: "E2E tests"
+    env:
+      MOCK_COLLECTOR_IMAGE_TAG: 1.3.5
+      SAMPLE_SITE_IMAGE_TAG: 1.0.0
+      ENFORCER_SPEC_TESTS_IMAGE_TAG: 1.8.1
+
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    needs:
+      - extract_metadata
+
+    steps:
+
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+
+      - name: Set up Docker
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build local cluster
+        run: ./ci_files/build_cluster.sh
+
+      - name: Build Enforcer Docker image
+        run: |
+          docker build . -t localhost:5001/java-enforcer-sample-site:$SAMPLE_SITE_IMAGE_TAG && \
+          docker push localhost:5001/java-enforcer-sample-site:$SAMPLE_SITE_IMAGE_TAG
+
+      - uses: azure/setup-helm@v3
+        with:
+          version: '3.14.1'
+
+      - name: Clone helm charts repo - mock-collector
+        uses: actions/checkout@v4
+        with:
+          repository: PerimeterX/connect-helm-charts
+          token: ${{ secrets.CONNECT_PULL_TOKEN }}
+          ref: mock-collector-0.1.1
+          path: ./deploy_charts/mock-collector
+
+
+      - name: Clone helm charts repo - enforcer-tests
+        uses: actions/checkout@v4
+        with:
+          repository: PerimeterX/connect-helm-charts
+          token: ${{ secrets.CONNECT_PULL_TOKEN }}
+          ref: enforcer-spec-tests-0.7.1
+          path: ./deploy_charts/enforcer-spec-tests
+
+
+      - name: Clone helm charts repo - sample-site
+        uses: actions/checkout@v4
+        with:
+          repository: PerimeterX/connect-helm-charts
+          token: ${{ secrets.CONNECT_PULL_TOKEN }}
+          ref: sample-site-0.5.0
+          path: ./deploy_charts/sample-site
+
+      - name: Set up Google Cloud SDK
+        id: 'auth'
+        uses: 'google-github-actions/auth@v2'
+        with:
+          credentials_json: '${{ secrets.GCR_SA_KEY }}'
+
+      - name: Configure Docker credentials
+        run: |
+          gcloud auth configure-docker gcr.io
+
+      - name: pull mock collector image
+        run: |
+          docker pull gcr.io/px-docker-repo/connecteam/mock-collector:$MOCK_COLLECTOR_IMAGE_TAG && \
+          docker tag gcr.io/px-docker-repo/connecteam/mock-collector:$MOCK_COLLECTOR_IMAGE_TAG localhost:5001/mock-collector:$MOCK_COLLECTOR_IMAGE_TAG && \
+          docker push localhost:5001/mock-collector:$MOCK_COLLECTOR_IMAGE_TAG
+
+      - name: deploy mock collector
+        run: |
+          helm install mock-collector ./deploy_charts/mock-collector/charts/mock-collector \
+            --set image.repository=localhost:5001/mock-collector \
+            --set image.tag=$MOCK_COLLECTOR_IMAGE_TAG \
+            --set imagePullPolicy=Always --wait
+
+      - name: set secrets in enforcer config
+        run: |
+          cat ./ci_files/enforcer-config.json |\
+          jq '.px_app_id="${{ secrets.PX_APP_ID }}"' |\
+          jq '.px_cookie_secret="${{ secrets.TEST_COOKIE_SECRET }}"' |\
+          jq '.px_auth_token="${{ secrets.PX_AUTH_TOKEN }}"' > /tmp/enforcer-config.json
+
+      - name: log enforcer config
+        run: cat /tmp/enforcer-config.json
+
+      - name: deploy java enforcer
+        run: |
+          helm install java-enforcer ./deploy_charts/sample-site/charts/sample-site \
+          -f ./ci_files/enforcer-values.yaml \
+          --set image.name=localhost:5001/java-enforcer-sample-site \
+          --set image.tag=$SAMPLE_SITE_IMAGE_TAG \
+          --set-file enforcerConfig.content=/tmp/enforcer-config.json \
+          --wait
+
+      - name: pull enforcer tests image
+        run: |
+          docker pull gcr.io/px-docker-repo/connecteam/enforcer-specs-tests:$ENFORCER_SPEC_TESTS_IMAGE_TAG && \
+          docker tag gcr.io/px-docker-repo/connecteam/enforcer-specs-tests:$ENFORCER_SPEC_TESTS_IMAGE_TAG localhost:5001/enforcer-spec-tests:$ENFORCER_SPEC_TESTS_IMAGE_TAG && \
+          docker push localhost:5001/enforcer-spec-tests:$ENFORCER_SPEC_TESTS_IMAGE_TAG
+
+      - name: run enforcer tests
+        run: |
+          helm install enforcer-spec-tests ./deploy_charts/enforcer-spec-tests/charts/enforcer-spec-tests \
+            --set image.tag=$ENFORCER_SPEC_TESTS_IMAGE_TAG \
+            --set cookieSecret=${{ secrets.TEST_COOKIE_SECRET }} \
+            --set supportedFeatures="${{ needs.extract_metadata.outputs.supported-features }}" \
+            --set authToken="${{ secrets.PX_AUTH_TOKEN }}" \
+            --set appId=${{ secrets.PX_APP_ID }} \
+            --set-file enforcerMetadataContent=./px_metadata.json \
+            -f ./ci_files/spec-tests-values.yaml \
+            --wait \
+            --timeout 60m0s \
+            --wait-for-jobs
+
+      - name: get tests results
+        if: ${{ always() }}
+        run: kubectl logs job/enforcer-spec-tests
diff --git a/.github/workflows/ci_verify_version.yaml b/.github/workflows/ci_verify_version.yaml
@@ -0,0 +1,44 @@
+name: Verify version
+on:
+  pull_request:
+    branches:
+      - master
+jobs:
+  verify-version:
+    name: Verify version
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code - ${{ github.base_ref }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.base_ref }}
+
+      - name: Get ${{ github.base_ref }} SDK version
+        id: base-version
+        run: echo "project=$( mvn help:evaluate -Dexpression=project.version -q -DforceStdout )" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout code - current commit
+        uses: actions/checkout@v4
+
+      - name: Get current SDK versions
+        id: new-version
+        run: |
+          echo "project=$( mvn help:evaluate -Dexpression=project.version -q -DforceStdout )" >> "$GITHUB_OUTPUT" && \
+          echo "px_metadata=$( cat px_metadata.json | jq -r '.version' )" >> "$GITHUB_OUTPUT" && \
+          echo "demo_app_dependency=$( mvn help:evaluate -Dexpression=com.perimeterx.version -q -DforceStdout -f web/pom.xml)" >> "$GITHUB_OUTPUT"
+
+      - name: Verify same version
+        run: |
+          [ $PROJECT_VERSION = $PX_METADATA_VERSION ] && \
+          [ $PROJECT_VERSION = $DEMO_APP_DEPENDENCY_VERSION ]
+        env:
+          PROJECT_VERSION: ${{ steps.new-version.outputs.project }}
+          PX_METADATA_VERSION: ${{ steps.new-version.outputs.px_metadata }}
+          DEMO_APP_DEPENDENCY_VERSION: ${{ steps.new-version.outputs.demo_app_dependency }}
+
+      - name: Verify version increment
+        run: ./ci_files/verify-version-inc.sh $BASE_VERSION $NEW_VERSION
+        env:
+          NEW_VERSION: ${{ steps.new-version.outputs.project }}
+          BASE_VERSION: ${{ steps.base-version.outputs.project }}
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Change Log
 
+## [vX.XX.X](https://github.com/PerimeterX/perimeterx-java-sdk/compare/X.XX.X...HEAD) (YYYY-MM-DD)
+- Added Dockerfile for web application example. 
+- Bugfix - Sensitive headers are now case-insensitive.
+- Block page HTML align with spec.
+- Automatically running e2e tests on pull request.
+- Automatically verify version on pull request to master.
+
 ## [v6.11.0](https://github.com/PerimeterX/perimeterx-java-sdk/compare/6.11.0...HEAD) (2024-02-18)
 * Added base64-encoded request http method to captcha script query parameters on block pages
 

diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,29 @@
+FROM maven:3.8.6-openjdk-11-slim as builder
+WORKDIR /app
+
+# Building the SDK.
+COPY pom.xml .
+COPY src/main/resources src/main/resources
+RUN mvn verify clean -f pom.xml
+COPY src ./src
+RUN mvn clean install -DskipTests=true
+
+# Building the Demo app.
+COPY web/pom.xml web/pom.xml
+RUN mvn verify clean -f web/pom.xml
+COPY web ./web
+RUN mvn clean install war:war -DskipTests=true -f web/pom.xml
+
+FROM tomcat:9.0.68
+
+COPY --from=builder /app/web/target/web-1.0.0 /usr/local/tomcat/webapps/ROOT
+
+## Enforcer configuration json file is located at:
+## /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/src/main/resources/enforcer_config.json
+COPY web/src/main/resources/ /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/src/main/resources
+
+EXPOSE 8080
+
+ENV CATALINA_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
+
+CMD ["catalina.sh", "run"]
diff --git a/ci_files/build_cluster.sh b/ci_files/build_cluster.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+set -o errexit
+
+
+# 2. Create registry container unless it already exists
+reg_name='kind-registry'
+reg_port='5001'
+if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
+  docker run \
+    -d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" \
+    registry:2
+fi
+
+# 3. Create kind cluster with containerd registry config dir enabled
+# extraPortMapping - for mapping traffic from outside the cluster to the localstack inside the cluster.
+# by that, every traffic to localhost:4566 will arrive to the cluster and will be map inside the cluster to port 31566 - localstack.
+cat <<EOF | kind create cluster --config=-
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  extraPortMappings:
+  - containerPort: 31566
+    hostPort: 4566
+containerdConfigPatches:
+- |-
+  [plugins."io.containerd.grpc.v1.cri".registry]
+    config_path = "/etc/containerd/certs.d"
+EOF
+
+# 4. Add the registry config to the nodes
+#
+# This is necessary because localhost resolves to loopback addresses that are
+# network-namespace local.
+# In other words: localhost in the container is not localhost on the host.
+#
+# We want a consistent name that works from both ends, so we tell containerd to
+# alias localhost:${reg_port} to the registry container when pulling images
+REGISTRY_DIR="/etc/containerd/certs.d/localhost:${reg_port}"
+for node in $(kind get nodes); do
+  docker exec "${node}" mkdir -p "${REGISTRY_DIR}"
+  cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${REGISTRY_DIR}/hosts.toml"
+[host."http://${reg_name}:5000"]
+EOF
+done
+
+# 5. Connect the registry to the cluster network if not already connected
+# This allows kind to bootstrap the network but ensures they're on the same network
+if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
+  docker network connect "kind" "${reg_name}"
+fi
+
+# 6. Document the local registry
+# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: local-registry-hosting
+  namespace: kube-public
+data:
+  localRegistryHosting.v1: |
+    host: "localhost:${reg_port}"
+    help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
+EOF