is proxy somehow stopping playwright installing deps?
lawrence-forooghian committed Apr 18, 2024
1 parent 8202458 commit 8e1ffc3
Showing 1 changed file with 44 additions and 44 deletions.
88 changes: 44 additions & 44 deletions .github/workflows/test-browser.yml
Expand Up @@ -88,53 +88,53 @@ jobs:
run: |
sudo cp /home/mitmproxyuser/.mitmproxy/mitmproxy-ca-cert.pem .
- name: Set up iptables rules
run: |
# The rules suggested by mitmproxy etc are aimed at intercepting _all_ the outgoing traffic on a machine. I don’t want that, given that we want to be able to run this test suite on developers’ machines in a non-invasive manner. Instead we just want to target traffic generated by the process that contains the Ably SDK, which we’ll make identifable by iptables by running that process as a specific user created for that purpose (ably-test-user).
#
# Relevant parts of iptables documentation:
#
# nat:
# > This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
#
# owner:
# > This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.
#
# REDIRECT:
# > This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address). It takes one option:
# >
# > --to-ports port[-port]
# > This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.
# - name: Set up iptables rules
# run: |
# # The rules suggested by mitmproxy etc are aimed at intercepting _all_ the outgoing traffic on a machine. I don’t want that, given that we want to be able to run this test suite on developers’ machines in a non-invasive manner. Instead we just want to target traffic generated by the process that contains the Ably SDK, which we’ll make identifable by iptables by running that process as a specific user created for that purpose (ably-test-user).
# #
# # Relevant parts of iptables documentation:
# #
# # nat:
# # > This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
# #
# # owner:
# # > This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.
# #
# # REDIRECT:
# # > This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address). It takes one option:
# # >
# # > --to-ports port[-port]
# # > This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.
# #
# # I don’t exactly understand what the nat table means; I assume its rules apply to all _subsequent_ packets in the connection, too?
# #
# # So, what I expect to happen:
# #
# # 1. iptables rule causes default-port HTTP(S) datagram from test process to get its destination IP rewritten to 127.0.0.1, and rewrites the TCP header’s destination port to 8080
# # 2. 127.0.0.1 destination causes OS’s routing to send this datagram on the loopback interface
# # 3. nature of the loopback interface means that this datagram is then received on the loopback interface
# # 4. mitmproxy, listening on port 8080 (not sure how or why it uses a single port for both non-TLS and TLS traffic) receives these datagrams, and uses Host header or SNI to figure out where they were originally destined.
# #
# # TODO (how) do we achieve the below on macOS? I have a feeling that it’s currently just working by accident; e.g. it's because the TCP connection to the control server exists before we start mitmproxy and hence the connection doesn’t get passed to its NETransparentProxyProvider or something. To be on the safe side, though, I’ve added a check in the mitmproxy addon so that we only mess with stuff for ports 80 or 443
# #
# # Note that in the current setup with ably-js, the test suite and the Ably SDK run in the same process. We want to make sure that we don’t intercept the test suite’s WebSocket communications with the interception proxy’s control API (which it serves at 127.0.0.1:8001), hence only targeting the default HTTP(S) ports. (TODO consider that Realtime team also run a Realtime on non-default ports when testing locally)
# sudo iptables --table nat --append OUTPUT --match owner --uid-owner ably-test-user --protocol tcp --destination-port 80 --jump REDIRECT --to-ports 8080
# sudo iptables --table nat --append OUTPUT --match owner --uid-owner ably-test-user --protocol tcp --destination-port 443 --jump REDIRECT --to-ports 8080
# sudo ip6tables --table nat --append OUTPUT --match owner --uid-owner ably-test-user --protocol tcp --destination-port 80 --jump REDIRECT --to-ports 8080
# sudo ip6tables --table nat --append OUTPUT --match owner --uid-owner ably-test-user --protocol tcp --destination-port 443 --jump REDIRECT --to-ports 8080
#
# I don’t exactly understand what the nat table means; I assume its rules apply to all _subsequent_ packets in the connection, too?
# # TODO how will this behave with:
# #
# # 1. the WebSocket connection from test suite to control API (see above note; not a problem in this CI setup, think about it on macOS)
# # 2. the WebSocket connection from mitmproxy to control API (not an issue on Linux or macOS with our current setup since we don’t intercept any traffic from mitmproxy)
# # 3. the WebSocket connections that mitmproxy proxies to the interception proxy (which it sends to localhost:8002) (ditto 2)
# # 4. the WebSocket connections for which interception proxy is a client (not an issue for Linux or macOS with our current setup since we don’t intercept any traffic from interception proxy)
#
# So, what I expect to happen:
#
# 1. iptables rule causes default-port HTTP(S) datagram from test process to get its destination IP rewritten to 127.0.0.1, and rewrites the TCP header’s destination port to 8080
# 2. 127.0.0.1 destination causes OS’s routing to send this datagram on the loopback interface
# 3. nature of the loopback interface means that this datagram is then received on the loopback interface
# 4. mitmproxy, listening on port 8080 (not sure how or why it uses a single port for both non-TLS and TLS traffic) receives these datagrams, and uses Host header or SNI to figure out where they were originally destined.
#
# TODO (how) do we achieve the below on macOS? I have a feeling that it’s currently just working by accident; e.g. it's because the TCP connection to the control server exists before we start mitmproxy and hence the connection doesn’t get passed to its NETransparentProxyProvider or something. To be on the safe side, though, I’ve added a check in the mitmproxy addon so that we only mess with stuff for ports 80 or 443
#
# Note that in the current setup with ably-js, the test suite and the Ably SDK run in the same process. We want to make sure that we don’t intercept the test suite’s WebSocket communications with the interception proxy’s control API (which it serves at 127.0.0.1:8001), hence only targeting the default HTTP(S) ports. (TODO consider that Realtime team also run a Realtime on non-default ports when testing locally)
sudo iptables --table nat --append OUTPUT --match owner --uid-owner ably-test-user --protocol tcp --destination-port 80 --jump REDIRECT --to-ports 8080
sudo iptables --table nat --append OUTPUT --match owner --uid-owner ably-test-user --protocol tcp --destination-port 443 --jump REDIRECT --to-ports 8080
sudo ip6tables --table nat --append OUTPUT --match owner --uid-owner ably-test-user --protocol tcp --destination-port 80 --jump REDIRECT --to-ports 8080
sudo ip6tables --table nat --append OUTPUT --match owner --uid-owner ably-test-user --protocol tcp --destination-port 443 --jump REDIRECT --to-ports 8080
# TODO how will this behave with:
#
# 1. the WebSocket connection from test suite to control API (see above note; not a problem in this CI setup, think about it on macOS)
# 2. the WebSocket connection from mitmproxy to control API (not an issue on Linux or macOS with our current setup since we don’t intercept any traffic from mitmproxy)
# 3. the WebSocket connections that mitmproxy proxies to the interception proxy (which it sends to localhost:8002) (ditto 2)
# 4. the WebSocket connections for which interception proxy is a client (not an issue for Linux or macOS with our current setup since we don’t intercept any traffic from interception proxy)

# This runs the proxy as the mitmproxyuser user created above (see start-interception-proxy script).
- name: Start interception proxy server
run: ./start-interception-proxy
# # This runs the proxy as the mitmproxyuser user created above (see start-interception-proxy script).
# - name: Start interception proxy server
# run: ./start-interception-proxy
# We don’t use --with-deps flag because installing dependencies uses sudo to elevate to root, and sudoers isn’t configured to allow ably-test-user to do this
# We don’t use --with-deps flag because installing dependencies uses sudo to run as root, and sudoers isn’t configured to allow ably-test-user to do this
- name: Install Playwright system dependencies
run: npx playwright install-deps
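Review bot: Disabling the iptables step and the proxy start is unlikely to tell you whether the proxy blocks `install-deps`, because the rules being commented out match only `--match owner --uid-owner ably-test-user` on TCP 80/443, while `npx playwright install-deps` elevates with `sudo` (as the `--with-deps` comment itself says), so its apt traffic is owned by root and never hits the REDIRECT rules unless this step is run as ably-test-user, which the step shown does not do. Before ripping the steps out, confirm which uid the step runs under (`id` in a preceding `run:` line is enough) and check whether a proxy-related environment variable such as `HTTPS_PROXY` is set for the job, since that, not the owner-matched rules, would be the plausible way the proxy interferes with a root apt run. On the wording change to the `--with-deps` comment ("elevate to root" to "run as root"): the sentence still reads as though the dependencies are never installed, yet the very next step runs `install-deps`; say explicitly that this step runs as the default runner user, which can sudo, and that only a later `playwright install` is run as ably-test-user, if that is the intent. Style: commenting out the whole step body duplicates some forty lines of iptables commentary in the file; a temporary `if: false` on the two steps keeps the definitions intact and makes the experiment a two-line diff that is easy to revert.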

