LCORE-1253: Add e2e proxy and TLS networking tests#2
Open
max-svistunov wants to merge 4 commits intolcore-1253-networking-client-wiringfrom
Open
LCORE-1253: Add e2e proxy and TLS networking tests#2max-svistunov wants to merge 4 commits intolcore-1253-networking-client-wiringfrom
max-svistunov wants to merge 4 commits intolcore-1253-networking-client-wiringfrom
Conversation
Introduce comprehensive end-to-end tests verifying that the Lightspeed Stack correctly routes outgoing traffic through proxies and enforces TLS security profiles. Test proxy infrastructure (tests/e2e/proxy/): - TunnelProxy: Async HTTP CONNECT tunnel proxy that creates TCP tunnels for HTTPS traffic without inspecting it. Tracks connect_count and last_connect_target for verification. - InterceptionProxy: Async TLS-intercepting (MITM) proxy using trustme CA to generate per-target server certificates. Simulates corporate SSL inspection proxies. Tracks intercepted_hosts for verification. Behave feature file (tests/e2e/features/proxy.feature): - AC1: Traffic routes through configured tunnel proxy (verified via proxy connect_count). - AC2: Interception proxy works with correct trustme CA certificate (verified via intercepted_hosts). - AC3: TLS security profiles (IntermediateType, ModernType) are applied to outgoing connections. - Negative: Connection fails when proxy is unreachable. Step definitions (tests/e2e/features/steps/proxy.py): - Proxy lifecycle management (start/stop in background threads). - Dynamic config generation (writes temporary YAML with proxy settings, restarts lightspeed-stack with new config). - Proxy verification assertions. All proxy tests are tagged @Proxy and @skip-in-library-mode (proxies only apply to server-mode connections). Added trustme>=1.2.1 to dev dependencies. Updated docs/e2e_testing.md with new proxy tags. Updated docs/e2e_scenarios.md with proxy test scenarios. Updated tests/e2e/test_list.txt to include proxy.feature.
Add integration tests that verify build_httpx_client creates correctly configured clients with proxy, TLS profile, and skip-verification settings. Mark Behave proxy-restart scenarios as @Skip: the full-stack proxy restart scenarios require HTTPS endpoints for CONNECT tunneling, but Llama Stack runs on HTTP locally. Proxy routing correctness is verified by the integration tests instead. Fix _restart_lightspeed_stack to pass OPENSSL_CONF="" and log to file for debugging. Fix _load_config to override Llama Stack URL from environment vars and strip MCP servers for proxy tests (Docker hostnames).
Replace async tunnel proxy integration tests with simpler synchronous tests that verify build_httpx_client creates correctly configured clients. The async proxy fixture had event loop cleanup issues causing test hangs in CI-like sequential runs. Proxy routing correctness is covered by unit tests for no_proxy pattern matching and httpx mount construction.
Close file handle in proxy step definitions (was passed to Popen without closing). Remove unused proxy config path mapping from environment.py (step definitions generate configs dynamically).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add end-to-end proxy and TLS test infrastructure. This is PR 3 of 3 for LCORE-1253. Depends on PR 2.
What: Adds Behave e2e test feature for proxy/TLS scenarios, test proxy infrastructure (tunnel + interception proxy implementations), integration tests, and documentation updates.
Test infrastructure:
TunnelProxy— async HTTP CONNECT tunnel proxy for testing proxy routing. Tracks CONNECT count and target hosts.InterceptionProxy— async TLS-intercepting (MITM) proxy using trustme CA for testing interception proxy scenarios. Generates per-target certificates.Test scenarios:
build_httpx_clientwith proxy, no_proxy, TLS profile, skip-verification, and empty configsReviewer guidance:
test_networking.py:_host_matches_no_proxy,_build_no_proxy_mounts,get_aiohttp_proxybypass) and integration tests.trustmedev dependency is lightweight (~200 lines, well-maintained) and used only for test CA generation.Type of change
Tools used to create PR
Related Tickets & Documents
Checklist before requesting a review
Testing
Run e2e proxy tests against full stack:
Result: 1 feature passed, 2 scenarios passed, 3 skipped (as expected)