Skip to content

Add strict-mode smoke test lane (HTTPS + signature verification)#650

Open
sij411 wants to merge 5 commits intofedify-dev:mainfrom
sij411:feat/smoke-strict
Open

Add strict-mode smoke test lane (HTTPS + signature verification)#650
sij411 wants to merge 5 commits intofedify-dev:mainfrom
sij411:feat/smoke-strict

Conversation

@sij411
Copy link
Copy Markdown
Contributor

@sij411 sij411 commented Mar 28, 2026

Summary

What this adds

Architecture

A standalone Docker Compose file (docker-compose.strict.yml) with:

  • Caddy TLS proxies (caddy-harness, caddy-mastodon) that terminate
    TLS using per-run self-signed certificates
  • Renamed backend services (fedify-harness-backend,
    mastodon-web-backend) to avoid DNS collisions with Caddy aliases
  • CA trusted via SSL_CERT_FILE (Ruby/Mastodon) and DENO_CERT (Deno)

Key differences from non-strict lane

Aspect Non-strict Strict
Protocol HTTP HTTPS (Caddy TLS termination)
Signature verification skipSignatureVerification: true skipSignatureVerification: false
Account discovery DB pre-registration WebFinger via ResolveAccountService
Trigger Push to main/next/maintenance Nightly schedule + workflow_dispatch

Shared harness changes

  • STRICT_MODE env var toggles http:// vs https:// for inbox URLs
    (backdoor.ts) and scheme rewriting in Follow Accept handler
    (federation.ts)

CI reliability improvements

  • Caddy images pinned to caddy:2.11.2-alpine
  • Healthchecks added to both Caddy proxy services
  • mastodon-sidekiq depends on caddy-harness (not backend directly)
    to ensure TLS proxy is ready before HTTPS deliveries
  • Connectivity check fails the step on error (aligned with non-strict)

Test plan

  • All 6 scenarios pass locally (Follow, Create Note, Reply, Unfollow
    in both directions)
  • CI workflow smoke-mastodon-strict passes via workflow_dispatch

Related to #615 and #481

🤖 Generated with Claude Code

sij411 and others added 4 commits March 27, 2026 21:56
@sij411 @claude
Add interoperability smoke tests for Mastodon
97d1e57 
Add an end-to-end smoke test suite that spins up a Mastodon instance via
Docker Compose and verifies that Fedify can correctly exchange ActivityPub
messages with it.

The suite includes a lightweight Fedify test harness that runs inside the
Docker network alongside Mastodon, and an orchestrator that drives six
scenarios through the Mastodon API and harness backdoor endpoints:

 -  Mastodon → Fedify (Follow)
 -  Fedify → Mastodon (Follow)
 -  Fedify → Mastodon (Create Note)
 -  Mastodon → Fedify (Reply)
 -  Mastodon → Fedify (Unfollow)
 -  Fedify → Mastodon (Unfollow)

Each follow scenario includes precondition checks (ensureNotFollowing /
assertNotFollowing) to verify the relationship starts clean.

Mastodon-specific files live in test/smoke/mastodon/ to support adding
other server targets (e.g. Misskey) in sibling directories later.

See: fedify-dev#481

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sij411 @claude
Add strict-mode smoke test lane (HTTPS + signature verification)
ffdb001 
Add a second smoke test lane that validates Fedify's interoperability
with Mastodon over HTTPS with HTTP signature verification enabled.
The non-strict lane tests basic ActivityPub over HTTP; this lane adds
TLS termination via Caddy proxies and a self-signed CA to verify the
full signature chain works end-to-end.

Architecture:

- Standalone Docker Compose file with renamed backend services to avoid
  DNS collisions with Caddy TLS proxy aliases
- Self-signed CA generated per CI run, trusted via SSL_CERT_FILE (Ruby)
  and DENO_CERT (Deno)
- WebFinger-based account discovery in provisioning instead of DB
  pre-registration
- STRICT_MODE env var toggles signature verification and URL scheme in
  the shared harness code

Runs on nightly schedule and workflow_dispatch, not on every push.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sij411 @claude
Align strict-mode connectivity check with non-strict lane
29c2c9e 
Add mastodon-web-backend health check alongside the existing
mastodon-sidekiq check, and make curl failures fail the step
immediately instead of silently continuing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sij411 @claude
Pin Caddy images, add healthchecks, and fix sidekiq dependency
a8099b8 
- Pin Caddy images to 2.11.2-alpine for reproducible CI builds
- Add healthchecks to caddy-harness and caddy-mastodon so
  docker compose --wait blocks until proxies are ready
- Make mastodon-sidekiq depend on caddy-harness (instead of
  fedify-harness-backend directly) to ensure TLS proxy is ready
  before Sidekiq attempts HTTPS deliveries

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@issues-auto-labeler issues-auto-labeler bot added component/ci CI/CD workflows and GitHub Actions component/federation Federation object related component/signatures OIP or HTTP/LD Signatures related component/testing Testing utilities (@fedify/testing) labels Mar 28, 2026
gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a "strict mode" for smoke tests to support HTTPS and mandatory signature verification. Key changes include a new standalone Docker Compose configuration using Caddy as a TLS proxy, scripts for certificate generation and provisioning, and updates to the test harness for environment-based protocol switching. Feedback identifies an invalid Deno Docker image tag in the new compose file and suggests removing stderr redirection in the certificate generation script to facilitate debugging.

@codecov
Copy link
Copy Markdown

codecov bot commented Mar 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@sij411 @claude
Update deno.lock
a10197b 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sij411
Copy link
Copy Markdown
Contributor Author

sij411 commented Mar 28, 2026

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a 'strict mode' for Mastodon smoke tests, enabling HTTPS and signature verification. It adds a new Docker Compose configuration (docker-compose.strict.yml), Caddy proxy configurations, a certificate generation script, and a specialized provisioning script. The fedify-harness and federation logic were also updated to toggle between HTTP and HTTPS based on the STRICT_MODE environment variable. However, the Docker images specified for Deno and Caddy in the new Compose file use invalid version tags, which will prevent the services from starting.

@sij411 sij411 marked this pull request as ready for review March 28, 2026 12:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

component/ci CI/CD workflows and GitHub Actions component/federation Federation object related component/signatures OIP or HTTP/LD Signatures related component/testing Testing utilities (@fedify/testing)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sij411