From 12abc8228da7fdd51d98de4780bdabf4579f41ad Mon Sep 17 00:00:00 2001
From: Dmitry <b4tm4n@mail.ru>
Date: Tue, 23 Jan 2024 22:45:13 +0300
Subject: [PATCH] sslbump: rootless (#125)

sslbump: shell script instead of long cmd

add 'ssl-bump' image test

add access_for_localnet for image test

allow_all instead of localnet for test

change test conf

fix test compose
---
 .github/workflows/dockerimage.yml | 31 ++++++++++++++++++++++++++++---
 docker-compose.test.yml           |  2 ++
 ssl-bump/Dockerfile               |  5 +++--
 ssl-bump/run.sh                   | 14 ++++++++++++++
 test_localnet.conf                | 11 +++++++++++
 5 files changed, 58 insertions(+), 5 deletions(-)
 create mode 100644 ssl-bump/run.sh
 create mode 100644 test_localnet.conf

diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 3fd4040..5e157b6 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -65,13 +65,38 @@ jobs:
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
       - name: Test image
-        run: docker compose -f docker-compose.test.yml up --pull never sut
+        run: |
+          set -ex
+          docker compose -f docker-compose.test.yml up --pull never sut --exit-code-from sut
+          docker compose -f docker-compose.test.yml down
 
-      - name: Build 'ssl-bump' image     
+      - name: set base image for 'ssl-bump'
         run: |
           sed -i "s%FROM b4tman/squid%FROM $TEST_TAG%" ssl-bump/Dockerfile
-          docker build ssl-bump
+      
+      - name: Build 'ssl-bump' image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          load: true
+          tags: ${{ env.TEST_TAG }}-ssl-bump
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
 
+      # Temp fix
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+          
+      - name: Test 'ssl-bump' image
+        run: |
+          set -ex
+          TEST_TAG="${TEST_TAG}-ssl-bump" docker compose -f docker-compose.test.yml up --pull never sut --exit-code-from sut
+          docker compose -f docker-compose.test.yml down
   push:
     needs: test
     runs-on: ubuntu-20.04
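Review bot: The new build-push-action step uses `context: .` with no `file:` input, so as far as this hunk shows it builds the Dockerfile at the repository root rather than `ssl-bump/Dockerfile`, and the image tagged `${{ env.TEST_TAG }}-ssl-bump` that the later "Test 'ssl-bump' image" step runs would be the plain image; the replaced `docker build ssl-bump` used the subdirectory as context. Because that Dockerfile does `COPY run.sh /` from its own directory, the fix is `context: ssl-bump` rather than adding a `file:` key. Separately, with `set -ex` a non-zero exit from `up --exit-code-from sut` ends the step before the `down` line in both test steps; a `trap 'docker compose -f docker-compose.test.yml down' EXIT` placed before the `up` keeps the cleanup unconditional. The blank lines added after the "set base image" and "Move cache" steps carry trailing whitespace.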
diff --git a/docker-compose.test.yml b/docker-compose.test.yml
index ecfb78b..7acf030 100644
--- a/docker-compose.test.yml
+++ b/docker-compose.test.yml
@@ -2,6 +2,8 @@ version: '2.3'
 services:
   proxy:
     image: "${TEST_TAG}"
+    volumes:
+      - './test_localnet.conf:/etc/squid/conf.d/test_localnet.conf:ro'
     healthcheck:
       test: ["CMD", "sh", "-exc", "squidclient -T 3 mgr:info 2> /dev/null | grep -qF '200 OK'"]
       interval: 5s
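Review bot: The bind mount only has an effect if the image's squid.conf includes `/etc/squid/conf.d/*.conf` ahead of its final `http_access deny all`; that include is outside this diff, and the healthcheck on the next lines (`mgr:info` from localhost) passes whether or not the mounted rules are live, so a wrong include order would go unnoticed by this test. A comment on the volume entry would save the next reader the lookup, e.g. `# test-only ACLs for the sut service; relies on squid.conf including conf.d/*.conf before its final deny (verify in base image)`. The `:ro` flag on the mount is the right choice for a config file.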
diff --git a/ssl-bump/Dockerfile b/ssl-bump/Dockerfile
index 3c77751..1c0f081 100644
--- a/ssl-bump/Dockerfile
+++ b/ssl-bump/Dockerfile
@@ -1,4 +1,5 @@
 FROM b4tman/squid
 
-USER root
-CMD ["sh", "-c", "(test -d /var/cache/squid/ssl_db || /usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB) && /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -z && exec /usr/sbin/squid -f ${SQUID_CONFIG_FILE} --foreground -YCd 1"]
\ No newline at end of file
+COPY run.sh /
+
+CMD ["/run.sh"]
\ No newline at end of file
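Review bot: `CMD ["/run.sh"]` executes the script directly, but run.sh enters the repository with mode 100644 (see the `new file mode` line of the run.sh hunk) and `COPY` preserves that mode, so the container would fail to start with a permission error unless the execute bit is added somewhere. Either mark the file executable in git, use `COPY --chmod=755 run.sh /` (BuildKit syntax, which build-push-action provides), or change the instruction to `CMD ["sh", "/run.sh"]`. Dropping `USER root` also means the certgen and `squid -z` steps in run.sh now run as the base image's user, so `/var/cache/squid` must be writable by that user; nothing in this diff shows that, so it is worth confirming against the base image. The file still ends without a trailing newline.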
diff --git a/ssl-bump/run.sh b/ssl-bump/run.sh
new file mode 100644
index 0000000..025c182
--- /dev/null
+++ b/ssl-bump/run.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -x
+
+# init ssl_db
+if [ ! -d /var/cache/squid/ssl_db ]; then
+	/usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB
+fi
+
+# init cache
+/usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -z
+
+# run squid
+exec /usr/sbin/squid -f "${SQUID_CONFIG_FILE}" --foreground -YCd 1
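Review bot: The script sets `-x` but not `-e`, so a failing `security_file_certgen` (plausible now that it runs unprivileged) or a failing `squid -z` is merely echoed and squid is still exec'd against a missing or half-initialised ssl_db; `set -ex` turns that into an immediate, visible exit instead of a later, harder-to-diagnose TLS failure. The `[ ! -d ... ]` test also skips initialisation when the directory exists but is empty, which is the usual state of a freshly mounted cache volume; testing for a file the certgen creates inside the db (e.g. `index.txt`) would be more reliable, to be confirmed against the certgen version in the base image. The certgen line is tab-indented while the rest of the file uses no indentation.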
diff --git a/test_localnet.conf b/test_localnet.conf
new file mode 100644
index 0000000..dedc763
--- /dev/null
+++ b/test_localnet.conf
@@ -0,0 +1,11 @@
+acl localnet1 src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
+acl localnet1 src 10.0.0.0/8            # RFC 1918 local private network (LAN)
+acl localnet1 src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
+acl localnet1 src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
+acl localnet1 src 172.16.0.0/12         # RFC 1918 local private network (LAN)
+acl localnet1 src 192.168.0.0/16                # RFC 1918 local private network (LAN)
+acl localnet1 src fc00::/7              # RFC 4193 local private network range
+acl localnet1 src fe80::/10             # RFC 4291 link-local (directly plugged) machines
+
+http_access allow localnet1
+http_access allow localhost manager
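Review bot: `http_access allow localnet1` precedes the manager rule and there is no `http_access deny manager`, so any source in these ranges is also allowed through to `mgr:` URLs; squid's reference ordering is `http_access allow localhost manager`, then `http_access deny manager`, and only then `http_access allow localnet1` — the healthcheck in docker-compose.test.yml queries from localhost and keeps working under that order. The exposure is limited to the test compose mount, but test ACL files tend to get copied into real deployments. The acl is named `localnet1`, presumably so the entries do not append to the base image's own `localnet` acl; a one-line comment stating that would help, e.g. `# named localnet1 so these entries do not extend the image's built-in localnet acl — confirm`. The comment column on the `192.168.0.0/16` line is misaligned with the others.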