WIP Test DNS monitor

build-system/pr-check/checks.js

@@ -28,6 +28,7 @@ const {
   stopTimer,
   stopTimedJob,
   timedExecOrDie: timedExecOrDieBase,
+  timedExecOrDieWithDnsMonitor: timedExecOrDieWithDnsMonitorBase,
 } = require('./utils');
 const {determineBuildTargets} = require('./build-targets');
 const {isTravisPullRequestBuild} = require('../common/travis');
@@ -37,6 +38,8 @@ const {runYarnChecks} = require('./yarn-checks');
 const FILENAME = 'checks.js';
 const timedExecOrDie = (cmd, unusedFileName) =>
   timedExecOrDieBase(cmd, FILENAME);
+const timedExecOrDieWithDnsMonitor = (cmd, unusedFileName) =>
+  timedExecOrDieWithDnsMonitorBase(cmd, FILENAME);
 
 async function main() {
   const startTime = startTimer(FILENAME, FILENAME);
@@ -61,12 +64,12 @@ async function main() {
     printChangeSummary(FILENAME);
     const buildTargets = determineBuildTargets(FILENAME);
     await reportAllExpectedTests(buildTargets);
-    timedExecOrDie('gulp update-packages');
+    await timedExecOrDieWithDnsMonitor('gulp update-packages');
 
-    timedExecOrDie('gulp check-exact-versions');
-    timedExecOrDie('gulp lint');
-    timedExecOrDie('gulp prettify');
-    timedExecOrDie('gulp presubmit');
+    await timedExecOrDieWithDnsMonitor('gulp check-exact-versions');
+    await timedExecOrDieWithDnsMonitor('gulp lint');
+    await timedExecOrDieWithDnsMonitor('gulp prettify');
+    await timedExecOrDieWithDnsMonitor('gulp presubmit');
 
     if (buildTargets.has('AVA')) {
       timedExecOrDie('gulp ava');

build-system/pr-check/local-tests.js

@@ -28,6 +28,7 @@ const {
   startTimer,
   stopTimer,
   timedExecOrDie: timedExecOrDieBase,
+  timedExecOrDieWithDnsMonitor: timedExecOrDieWithDnsMonitorBase,
 } = require('./utils');
 const {determineBuildTargets} = require('./build-targets');
 const {isTravisPullRequestBuild} = require('../common/travis');
@@ -36,15 +37,21 @@ const FILENAME = 'local-tests.js';
 const FILELOGPREFIX = colors.bold(colors.yellow(`${FILENAME}:`));
 const timedExecOrDie = (cmd, unusedFileName) =>
   timedExecOrDieBase(cmd, FILENAME);
+const timedExecOrDieWithDnsMonitor = (cmd, unusedFileName) =>
+  timedExecOrDieWithDnsMonitorBase(cmd, FILENAME);
 
-function main() {
+async function main() {
   const startTime = startTimer(FILENAME, FILENAME);
 
   if (!isTravisPullRequestBuild()) {
     downloadBuildOutput(FILENAME);
     timedExecOrDie('gulp update-packages');
-    timedExecOrDie('gulp integration --nobuild --headless --coverage');
-    timedExecOrDie('gulp unit --nobuild --headless --coverage');
+    await timedExecOrDieWithDnsMonitor(
+      'gulp integration --nobuild --headless --coverage'
+    );
+    await timedExecOrDieWithDnsMonitor(
+      'gulp unit --nobuild --headless --coverage'
+    );
     timedExecOrDie('gulp codecov-upload');
   } else {
     printChangeSummary(FILENAME);
@@ -69,19 +76,25 @@ function main() {
     timedExecOrDie('gulp update-packages');
 
     if (buildTargets.has('RUNTIME') || buildTargets.has('UNIT_TEST')) {
-      timedExecOrDie('gulp unit --nobuild --headless --local_changes');
+      await timedExecOrDieWithDnsMonitor(
+        'gulp unit --nobuild --headless --local_changes'
+      );
     }
 
     if (
       buildTargets.has('RUNTIME') ||
       buildTargets.has('FLAG_CONFIG') ||
       buildTargets.has('INTEGRATION_TEST')
     ) {
-      timedExecOrDie('gulp integration --nobuild --headless --coverage');
+      await timedExecOrDieWithDnsMonitor(
+        'gulp integration --nobuild --headless --coverage'
+      );
     }
 
     if (buildTargets.has('RUNTIME') || buildTargets.has('UNIT_TEST')) {
-      timedExecOrDie('gulp unit --nobuild --headless --coverage');
+      await timedExecOrDieWithDnsMonitor(
+        'gulp unit --nobuild --headless --coverage'
+      );
     }
 
     if (buildTargets.has('RUNTIME')) {

build-system/pr-check/utils.js

@@ -17,6 +17,12 @@
 
 const colors = require('ansi-colors');
 const requestPromise = require('request-promise');
+const {
+  execOrDie,
+  execScriptAsync,
+  execWithError,
+  exec,
+} = require('../common/exec');
 const {
   gitBranchCreationPoint,
   gitBranchName,
@@ -31,7 +37,6 @@ const {
   travisBuildNumber,
   travisPullRequestSha,
 } = require('../common/travis');
-const {execOrDie, execWithError, exec} = require('../common/exec');
 const {replaceUrls, signalDistUpload} = require('../tasks/pr-deploy-bot-utils');
 
 const BUILD_OUTPUT_FILE = isTravisBuild()
@@ -131,6 +136,29 @@ async function startSauceConnect(functionName) {
   execOrDie(startScCmd);
 }
 
+/**
+ * Start DNS monitor
+ * @return {!Promise}
+ */
+function startDnsMonitor_() {
+  // if (!isTravisBuild()) {
+  //   return Promise.resolve(null);
+  // }
+
+  let resolver;
+  const deferred = new Promise(resolverIn => {
+    resolver = resolverIn;
+  });
+
+  const dnsProcess = execScriptAsync('gulp dns-monitor --nonblocking');
+
+  // Wait for the heartbeat from stderr before starting the test
+  dnsProcess.stderr.on('data', () => {
+    resolver(dnsProcess);
+  });
+  return deferred;
+}
+
 /**
  * Stops connection to Sauce Labs
  * @param {string} functionName
@@ -233,6 +261,35 @@ function timedExecOrDie(cmd, fileName = 'utils.js') {
   stopTimer(cmd, fileName, startTime);
 }
 
+/**
+ * Executes the command and check unpermitted DNS requests in the interim. In
+ * case if failure, it terminates.
+ * @param {string} cmd
+ * @param {string} fileName
+ */
+async function timedExecOrDieWithDnsMonitor(cmd, fileName = 'utils.js') {
+  return startDnsMonitor_().then(dnsMonitor => {
+    timedExecOrDie(cmd, fileName);
+    if (dnsMonitor) {
+      dnsMonitor.stdout.pipe(process.stdout);
+      dnsMonitor.stderr.pipe(process.stderr);
+      dnsMonitor.on('exit', code => {
+        if (code) {
+          process.exit(1);
+        }
+        resolver();
+      });
+      dnsMonitor.kill('SIGTERM');
+      let resolver;
+      return new Promise(resolverIn => {
+        resolver = resolverIn;
+      });
+    } else {
+      return Promise.resolve();
+    }
+  });
+}
+
 /**
  * Download output helper
  * @param {string} functionName
@@ -387,6 +444,7 @@ module.exports = {
   stopTimedJob,
   timedExec,
   timedExecOrDie,
+  timedExecOrDieWithDnsMonitor,
   timedExecWithError,
   uploadBuildOutput,
   uploadDistOutput,

build-system/pr-check/xxx.js

@@ -0,0 +1,42 @@
+/**
+ * Copyright 2019 The AMP HTML Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS-IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+'use strict';
+
+/**
+ * @fileoverview
+ * This script performs quick checks on the source code
+ * prior to running unit and integration tests.
+ * This is run during the CI stage = build; job = checks.
+ */
+
+const {
+  timedExecOrDieWithDnsMonitor: timedExecOrDieWithDnsMonitorBase,
+} = require('./utils');
+
+const FILENAME = 'checks.js';
+const timedExecOrDieWithDnsMonitor = (cmd, unusedFileName) =>
+  timedExecOrDieWithDnsMonitorBase(cmd, FILENAME);
+
+async function main() {
+  await timedExecOrDieWithDnsMonitor('gulp update-packages');
+
+  await timedExecOrDieWithDnsMonitor('gulp check-exact-versions');
+  await timedExecOrDieWithDnsMonitor('gulp lint');
+  await timedExecOrDieWithDnsMonitor('gulp prettify');
+  await timedExecOrDieWithDnsMonitor('gulp presubmit');
+}
+
+main();

build-system/tasks/dns-monitor.js

@@ -0,0 +1,123 @@
+/**
+ * Copyright 2020 The AMP HTML Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS-IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const argv = require('minimist')(process.argv.slice(2));
+const colors = require('ansi-colors');
+const log = require('fancy-log');
+const readline = require('readline');
+const {execScriptAsync} = require('../common/exec');
+
+const PERMITTED_DOMAIN_REGEXES = [
+  /\.internal$/, // Travis use
+  /^(amp-test-status-bot)\.appspot\.com$/, // Infra team use
+  /\.test$/, // .test TLD is safe to use for tests
+];
+
+const TCPDUMP_DNS_REGEX = /^(\d{2}:\d{2}:\d{2})\.\d{6} IP6? [^ ]+ > [^ ]+: \d+\+ (A|AAAA)\? ([^ ]+)\. \(\d+\)$/;
+
+/**
+ * Monitor DNS requests
+ * @return {!Promise}
+ */
+function dnsMonitor() {
+  let resolver;
+  const deferred = new Promise(resolverIn => {
+    resolver = resolverIn;
+  });
+
+  const monProcess = execScriptAsync('sudo tcpdump -l port 53');
+  console.log(monProcess.pid);
+  monProcess.unref();
+  console.log(monProcess.pid);
+  const domainAccesses = new Map();
+
+  const onFinish = () => {
+    if (domainAccesses.size) {
+      log(
+        'Tests that send requests to external domains might slow',
+        'down the tests and cause flakiness.'
+      );
+      log(
+        'If possible, please change them to a *.test domain since',
+        'they never resolve.'
+      );
+      log(
+        'If these requests are indeed necessary to the test, go to',
+        colors.cyan('build-system/tasks/dns-monitor.js'),
+        'to permit it.'
+      );
+      if (!argv.nonblocking) {
+        process.exitCode = 1;
+      }
+    } else {
+      log(colors.green('No impermissible external requests found'));
+    }
+    for (const [domain, ts] of domainAccesses.entries()) {
+      log(ts, 'Request(s) to', colors.red(domain), 'recorded.');
+    }
+
+    execScriptAsync('sudo ps -ef').stdout.pipe(process.stdout);
+    const killAll = execScriptAsync('sudo killall tcpdump');
+    killAll.stdout.pipe(process.stdout);
+    killAll.stderr.pipe(process.stderr);
+    resolver();
+  };
+  process.on('SIGTERM', () => {
+    log(colors.red('SIGTERM'));
+    onFinish();
+  });
+  process.on('SIGINT', onFinish);
+
+  console.error('DNS Ready'); // To signal that the monitor is up.
+  readline
+    .createInterface({
+      input: monProcess.stdout,
+    })
+    .on('line', line => {
+      handleLog_(line, domainAccesses);
+    });
+  return deferred;
+}
+
+function handleLog_(line, domainAccesses) {
+  const match = TCPDUMP_DNS_REGEX.exec(line);
+  if (
+    match &&
+    !domainAccesses.has(match[3]) &&
+    !matchOneOfRegexes(match[3], PERMITTED_DOMAIN_REGEXES)
+  ) {
+    domainAccesses.set(match[3], match[1]);
+  }
+}
+
+function matchOneOfRegexes(testStr, regexes) {
+  for (let i = 0; i < regexes.length; i++) {
+    if (regexes[i].exec(testStr)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+module.exports = {
+  dnsMonitor,
+};
+
+dnsMonitor.description =
+  'Check if there are unpermitted DNS requests (requires sudo)';
+dnsMonitor.flags = {
+  'nonblocking': 'Do not block the test even if the test fails',
+};

gulpfile.js

@@ -51,6 +51,7 @@ const {csvifySize} = require('./build-system/tasks/csvify-size');
 const {depCheck} = require('./build-system/tasks/dep-check');
 const {devDashboardTests} = require('./build-system/tasks/dev-dashboard-tests');
 const {dist} = require('./build-system/tasks/dist');
+const {dnsMonitor} = require('./build-system/tasks/dns-monitor');
 const {e2e} = require('./build-system/tasks/e2e');
 const {firebase} = require('./build-system/tasks/firebase');
 const {getZindex} = require('./build-system/tasks/get-zindex');
@@ -141,6 +142,7 @@ createTask('default', defaultTask);
 createTask('dep-check', depCheck);
 createTask('dev-dashboard-tests', devDashboardTests);
 createTask('dist', dist);
+createTask('dns-monitor', dnsMonitor);
 createTask('e2e', e2e);
 createTask('firebase', firebase);
 createTask('generate-vendor-jsons', generateVendorJsons);