Merge pull request #136 from scality/improvement/LOGC-54

dvasilas · web-flow · commit 62d4ffcedd1c · 2026-04-02T21:30:59.000+03:00
LOGC-54: Add e2e test for TLS cipher suite and protocol in access logs
diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml
@@ -39,7 +39,7 @@ jobs:
           password: ${{ github.token }}
 
       - name: Start Workbench
-        uses: scality/workbench@v0.12.0
+        uses: scality/workbench@v0.13.0
 
       - name: Wait for all services
         run: |
@@ -112,6 +112,22 @@ jobs:
           fi
           echo "✓ S3 endpoint available"
 
+          echo "Waiting for S3 frontend (nginx) to be ready..."
+          s3_frontend_ready=false
+          for i in {1..30}; do
+            if curl -sk https://localhost:443 >/dev/null 2>&1; then
+              s3_frontend_ready=true
+              break
+            fi
+            sleep 2
+          done
+          if [ "$s3_frontend_ready" = false ]; then
+            echo "ERROR: S3 frontend (localhost:443) did not become available in time"
+            docker logs workbench-s3-frontend || true
+            exit 1
+          fi
+          echo "✓ S3 frontend available"
+
       - name: Start log-courier
         env:
           LOG_COURIER_IMAGE: ghcr.io/${{ github.repository_owner }}/log-courier:${{ github.sha }}-debug
diff --git a/env/default/values.yaml b/env/default/values.yaml
@@ -4,9 +4,11 @@ global:
 features:
   access_logging:
     enabled: true
+  s3_frontend:
+    enabled: true
 
 cloudserver:
-  image: ghcr.io/scality/cloudserver:9.2.24
+  image: ghcr.io/scality/cloudserver:9.2.32
 
 vault:
   image: ghcr.io/scality/vault:7.84.0
@@ -19,3 +21,6 @@ clickhouse:
 
 fluentbit:
   image: fluent/fluent-bit:3.0.2
+
+nginx:
+  image: nginx:1.27-alpine
diff --git a/test/e2e/tls_fields_test.go b/test/e2e/tls_fields_test.go
@@ -0,0 +1,112 @@
+package e2e_test
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"net"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+const (
+	testS3FrontendEndpoint = "https://127.0.0.1:443"
+)
+
+func newTLSS3Client(accessKeyID, secretAccessKey, endpoint string) *s3.Client {
+	transport := &http.Transport{
+		DialContext: (&net.Dialer{
+			Timeout: 10 * time.Second,
+		}).DialContext,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true, //nolint:gosec // self-signed cert in test environment
+		},
+		TLSHandshakeTimeout: 10 * time.Second,
+	}
+
+	return s3.NewFromConfig(aws.Config{
+		Region: testRegion,
+		Credentials: aws.CredentialsProviderFunc(func(ctx context.Context) (aws.Credentials, error) {
+			return aws.Credentials{
+				AccessKeyID:     accessKeyID,
+				SecretAccessKey: secretAccessKey,
+			}, nil
+		}),
+		HTTPClient: &http.Client{Transport: transport},
+	}, func(o *s3.Options) {
+		o.BaseEndpoint = aws.String(endpoint)
+		o.UsePathStyle = true
+	})
+}
+
+var _ = Describe("TLS fields in access logs", func() {
+	var testCtx *E2ETestContext
+
+	BeforeEach(func() {
+		testCtx = setupE2ETest()
+	})
+
+	AfterEach(func() {
+		cleanupE2ETest(testCtx)
+	})
+
+	It("logs CipherSuite and TLSVersion for requests through the S3 frontend", func(ctx context.Context) {
+		endpoint := os.Getenv("E2E_S3_FRONTEND_ENDPOINT")
+		if endpoint == "" {
+			endpoint = testS3FrontendEndpoint
+		}
+
+		accessKey := os.Getenv("E2E_S3_ACCESS_KEY_ID")
+		if accessKey == "" {
+			accessKey = testAccessKeyID
+		}
+
+		secretKey := os.Getenv("E2E_S3_SECRET_ACCESS_KEY")
+		if secretKey == "" {
+			secretKey = testSecretAccessKey
+		}
+
+		tlsClient := newTLSS3Client(accessKey, secretKey, endpoint)
+
+		testKey := "tls-test-object.txt"
+		testContent := []byte("test data for TLS field verification")
+
+		_, err := tlsClient.PutObject(ctx, &s3.PutObjectInput{
+			Bucket: aws.String(testCtx.SourceBucket),
+			Key:    aws.String(testKey),
+			Body:   bytes.NewReader(testContent),
+		})
+		Expect(err).NotTo(HaveOccurred(), "PUT through S3 frontend should succeed")
+
+		_, err = tlsClient.GetObject(ctx, &s3.GetObjectInput{
+			Bucket: aws.String(testCtx.SourceBucket),
+			Key:    aws.String(testKey),
+		})
+		Expect(err).NotTo(HaveOccurred(), "GET through S3 frontend should succeed")
+
+		logs := testCtx.VerifyLogs(
+			testCtx.ObjectOp("REST.PUT.OBJECT", testKey, 200).WithObjectSize(int64(len(testContent))),
+			testCtx.ObjectOp("REST.GET.OBJECT", testKey, 200).WithBytesSent(int64(len(testContent))).WithObjectSize(int64(len(testContent))),
+		)
+
+		for _, log := range logs {
+			Expect(log.CipherSuite).NotTo(Equal("-"),
+				"CipherSuite should be populated for TLS requests (got '-')")
+			Expect(log.CipherSuite).NotTo(BeEmpty(),
+				"CipherSuite should not be empty for TLS requests")
+
+			Expect(log.TLSVersion).NotTo(Equal("-"),
+				"TLSVersion should be populated for TLS requests (got '-')")
+			Expect(log.TLSVersion).NotTo(BeEmpty(),
+				"TLSVersion should not be empty for TLS requests")
+			Expect(log.TLSVersion).To(MatchRegexp(`^TLSv1\.[23]$`),
+				"TLSVersion should be TLSv1.2 or TLSv1.3")
+		}
+	})
+})
