Build: Fix bug where reroute response is served to reqs with valid keys

Krinkle · Krinkle · commit 4caf7cf4112d · 2021-08-21T20:59:59.000+01:00
Ref https://github.com/jquery/infrastructure/issues/474.
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
@@ -8,7 +8,7 @@ on:
   pull_request:
 
 jobs:
-  docker-test:
+  docker-test-dev:
     # Includes PHP 7.4, Python 3, Node 14
     # https://github.com/actions/virtual-environments/blob/ubuntu20/20210816.1/images/linux/Ubuntu2004-README.md
     runs-on: ubuntu-20.04
@@ -26,6 +26,22 @@ jobs:
           # once GitHub's images come with curl 7.71.0+, use --retry-all-errors
           # instead of hardcoded sleep. --krinkle 2021-08-21
           sleep 1
-          curl -f --retry 5 --retry-delay 1 --retry-connrefused http://127.0.0.1:4000/jquery-3.0.0.js > /dev/null
-          curl -I http://127.0.0.1:4000/jquery-3.0.0.js
-          php test/cfg-test.php
+          curl -f --retry 5 --retry-delay 1 --retry-connrefused -I http://127.0.0.1:4000/jquery-3.0.0.js
+          php test/static-dev.php
+
+  docker-test-strict:
+    runs-on: ubuntu-20.04
+    env:
+      CDN_ACCESS_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Build the image
+        run: docker build -t codeorigin-strict:$GITHUB_SHA --build-arg "CDN_ACCESS_KEY=$CDN_ACCESS_KEY" ./
+
+      - name: Test the container
+        run: |
+          docker run --rm -p 4000:80/tcp --detach codeorigin-strict:$GITHUB_SHA
+          sleep 1
+          curl -f --retry 5 --retry-delay 1 --retry-connrefused -I http://127.0.0.1:4000/jquery-3.0.0.js
+          php test/static-strict.php
diff --git a/cfg/default.conf b/cfg/default.conf
@@ -47,7 +47,10 @@ server {
     # https://stackoverflow.com/a/6475493/319266
     gzip_types text/plain text/xml application/xml text/css text/javascript application/javascript application/x-javascript text/x-component application/json application/xhtml+xml application/rss+xml application/atom+xml application/vnd.ms-fontobject image/svg+xml application/x-font-ttf font/opentype;
 
-    add_header Cache-Control public;
+    # Proxies must not mix up differently keyed responses
+    add_header Vary "x-cdn-access";
+
+    add_header Cache-Control "public, no-transform";
     add_header Access-Control-Allow-Origin *;
     expires max;
     gzip on;
@@ -57,8 +60,10 @@ server {
     # Applies to charset_types (mainly for JS and CSS)
     charset utf-8;
 
+    # Let rerouting responses be cached for a shorter time for fast recovery
+    #
     # Do not change the following line. The Dockerfile will remove the line if needed.
-    if ($reroute_to_cdn) { return 301 https://code.jquery.com$uri; } #REQUIRE_XCDNACCESS
+    if ($reroute_to_cdn) { expires 5m; return 301 https://code.jquery.com$uri; } #REQUIRE_XCDNACCESS
   }
 
   # Legacy redirects for renamed files
diff --git a/test/Unit.php b/test/Unit.php
@@ -0,0 +1,81 @@
+<?php
+
+function jq_req( $url, array $reqHeaders = [] ) {
+	print "# $url\n";
+	$ch = curl_init( $url );
+	$resp = [ 'headers' => [], 'body' => null ];
+	curl_setopt_array( $ch, [
+		CURLOPT_HTTPHEADER => $reqHeaders,
+		CURLOPT_RETURNTRANSFER => 1,
+		CURLOPT_FOLLOWLOCATION => 0,
+		CURLOPT_HEADERFUNCTION => function( $ch, $header ) use ( &$resp ) {
+			$len = strlen( $header );
+			if ( preg_match( "/^(HTTP\/(?:1\.[01]|2)) (\d{3} .*)/", $header, $m ) ) {
+				$resp['headers'] = [];
+				$resp['headers']['status'] = trim( $m[2] );
+			} else {
+				$parts = explode( ':', $header, 2 );
+				if ( count( $parts ) === 2 ) {
+					$name = strtolower( $parts[0] );
+					$val = trim( $parts[1] );
+					if ( isset( $resp['headers'][$name] ) ) {
+						$resp['headers'][$name] .= ", $val";
+					} else {
+						$resp['headers'][$name] = $val;
+					}
+				}
+			}
+			return $len;
+		},
+	] );
+	try {
+		$ret = curl_exec( $ch );
+		if ( $ret === false ) {
+			throw new Exception( curl_error( $ch ) );
+		}
+		$resp['body'] = $ret;
+		return $resp;
+	} finally {
+		curl_close( $ch );
+	}
+}
+
+class Unit {
+	static $i = 0;
+	static $pass = true;
+
+	public static function start() {
+		error_reporting( E_ALL );
+		print "TAP version 13\n";
+	}
+
+	public static function test( $name, $actual, $expected ) {
+		$num = ++self::$i;
+		if ( $actual === $expected ) {
+			print "ok $num $name\n";
+		} else {
+			self::$pass = false;
+			print "not ok $num $name\n  ---\n  actual:   "
+				. json_encode( $actual, JSON_UNESCAPED_SLASHES ) . "\n  expected: "
+				. json_encode( $expected, JSON_UNESCAPED_SLASHES ) . "\n";
+		}
+	}
+
+	public static function testHttp( $server, $path, array $reqHeaders = [], array $expectHeaders, $expectBody = null ) {
+		try {
+			$resp = jq_req( "http://{$server}{$path}", $reqHeaders );
+			foreach ( $expectHeaders as $key => $val ) {
+				self::test( "GET $path > header $key", @$resp['headers'][$key], $val );
+			}
+		} catch ( Exception $e ) {
+			self::test( "GET $path > error", $e->getMessage(), null );
+		}
+	}
+
+	public static function end() {
+		print '1..' . self::$i . "\n";
+		if ( !self::$pass ) {
+			exit( 1 );
+		}
+	}
+}
diff --git a/test/static-dev.php b/test/static-dev.php
@@ -2,56 +2,57 @@
 /**
  * Usage:
  *
- *     $ php test/cfp-php.php
- *     $ php test/cfp-php.php "localhost:4000"
- *     $ TEST_SERVER="localhost:4000" php test/cfp-php.php
+ *     $ php test/static-dev.php
+ *
+ *     $ php test/static-dev.php "localhost:4000"
  */
 
-$server = getenv( 'TEST_SERVER' ) ?: @$argv[1] ?: 'localhost:4000';
+require_once __DIR__ . '/Unit.php';
+$server = @$argv[1] ?: 'localhost:4000';
 
 Unit::start();
 
 // Domain root
 
-Unit::testHttp( $server, '/', [
+Unit::testHttp( $server, '/', [], [
 	'status' => '301 Moved Permanently',
 	'server' => 'nginx',
 	'location' => 'https://releases.jquery.com/',
 ] );
 
 // Static assets
 
-Unit::testHttp( $server, '/jquery-3.0.0.js', [
+Unit::testHttp( $server, '/jquery-3.0.0.js', [], [
 	'status' => '200 OK',
 	'server' => 'nginx',
 	'content-type' => 'application/javascript; charset=utf-8',
 	'content-length' => '263268',
 	'last-modified' => 'Fri, 18 Oct 1991 12:00:00 GMT',
 	'connection' => 'keep-alive',
-	'vary' => 'Accept-Encoding',
+	'vary' => 'Accept-Encoding, x-cdn-access',
 	'etag' => '"28feccc0-40464"',
 	'expires' => 'Thu, 31 Dec 2037 23:55:55 GMT',
-	'cache-control' => 'max-age=315360000, public',
+	'cache-control' => 'max-age=315360000, public, no-transform',
 	'access-control-allow-origin' => '*',
 	'accept-ranges' => 'bytes',
 ] );
 
-Unit::testHttp( $server, '/qunit/qunit-2.0.0.css', [
+Unit::testHttp( $server, '/qunit/qunit-2.0.0.css', [], [
 	'status' => '200 OK',
 	'server' => 'nginx',
 	'content-type' => 'text/css',
 	'content-length' => '7456',
 	'last-modified' => 'Fri, 18 Oct 1991 12:00:00 GMT',
 	'connection' => 'keep-alive',
-	'vary' => 'Accept-Encoding',
+	'vary' => 'Accept-Encoding, x-cdn-access',
 	'etag' => '"28feccc0-1d20"',
 	'expires' => 'Thu, 31 Dec 2037 23:55:55 GMT',
-	'cache-control' => 'max-age=315360000, public',
+	'cache-control' => 'max-age=315360000, public, no-transform',
 	'access-control-allow-origin' => '*',
 	'accept-ranges' => 'bytes',
 ] );
 
-Unit::testHttp( $server, '/ui/1.10.0/themes/base/images/ui-icons_222222_256x240.png', [
+Unit::testHttp( $server, '/ui/1.10.0/themes/base/images/ui-icons_222222_256x240.png', [], [
 	'status' => '200 OK',
 	'server' => 'nginx',
 	'content-type' => 'image/png',
@@ -60,12 +61,12 @@
 	'connection' => 'keep-alive',
 	'etag' => '"28feccc0-1111"',
 	'expires' => 'Thu, 31 Dec 2037 23:55:55 GMT',
-	'cache-control' => 'max-age=315360000, public',
+	'cache-control' => 'max-age=315360000, public, no-transform',
 	'access-control-allow-origin' => '*',
 	'accept-ranges' => 'bytes',
 ] );
 
-Unit::testHttp( $server, '/jquery-2.0.0.min.map', [
+Unit::testHttp( $server, '/jquery-2.0.0.min.map', [], [
 	'status' => '200 OK',
 	'server' => 'nginx',
 	'content-type' => 'application/octet-stream',
@@ -74,156 +75,77 @@
 	'connection' => 'keep-alive',
 	'etag' => '"28feccc0-1ec81"',
 	'expires' => 'Thu, 31 Dec 2037 23:55:55 GMT',
-	'cache-control' => 'max-age=315360000, public',
+	'cache-control' => 'max-age=315360000, public, no-transform',
 	'access-control-allow-origin' => '*',
 	'accept-ranges' => 'bytes',
 ] );
 
 // Renamed files
 
-Unit::testHttp( $server, '/jquery-git2.js', [
+Unit::testHttp( $server, '/jquery-git2.js', [], [
 	'status' => '301 Moved Permanently',
 	'server' => 'nginx',
 	'location' => 'https://code.jquery.com/jquery-git.js',
 ] );
 
 // Moved to releases, WordPress page
 
-Unit::testHttp( $server, '/jquery/', [
+Unit::testHttp( $server, '/jquery/', [], [
 	'status' => '301 Moved Permanently',
 	'server' => 'nginx',
 	'location' => 'https://releases.jquery.com/jquery/',
 ] );
 
 // Moved to releases, WordPress page without trailing slash
 
-Unit::testHttp( $server, '/jquery', [
+Unit::testHttp( $server, '/jquery', [], [
 	'status' => '301 Moved Permanently',
 	'server' => 'nginx',
 	'location' => 'https://releases.jquery.com/jquery/',
 ] );
 
 // Moved to releases, root -git file
 
-Unit::testHttp( $server, '/jquery-git.js', [
+Unit::testHttp( $server, '/jquery-git.js', [], [
 	'status' => '301 Moved Permanently',
 	'server' => 'nginx',
 	'location' => 'https://releases.jquery.com/git/jquery-git.js',
 ] );
 
 // Moved to releases, nested -git file
 
-Unit::testHttp( $server, '/color/jquery.color-git.min.js', [
+Unit::testHttp( $server, '/color/jquery.color-git.min.js', [], [
 	'status' => '301 Moved Permanently',
 	'server' => 'nginx',
 	'location' => 'https://releases.jquery.com/git/color/jquery.color-git.min.js',
 ] );
 
-Unit::testHttp( $server, '/qunit/qunit-git.css', [
+Unit::testHttp( $server, '/qunit/qunit-git.css', [], [
 	'status' => '301 Moved Permanently',
 	'server' => 'nginx',
 	'location' => 'https://releases.jquery.com/git/qunit/qunit-git.css',
 ] );
 
-Unit::testHttp( $server, '/mobile/git/jquery.mobile-git.min.map', [
+Unit::testHttp( $server, '/mobile/git/jquery.mobile-git.min.map', [], [
 	'status' => '301 Moved Permanently',
 	'server' => 'nginx',
 	'location' => 'https://releases.jquery.com/git/mobile/git/jquery.mobile-git.min.map',
 ] );
 
 // Moved to releases, any file under /mobile/git
 
-Unit::testHttp( $server, '/mobile/git/images/icons-png/power-black.png', [
+Unit::testHttp( $server, '/mobile/git/images/icons-png/power-black.png', [], [
 	'status' => '301 Moved Permanently',
 	'server' => 'nginx',
 	'location' => 'https://releases.jquery.com/git/mobile/git/images/icons-png/power-black.png',
 ] );
 
 // Moved to releases, any file under /git (new-style URL)
 
-Unit::testHttp( $server, '/git/qunit/qunit-git.css', [
+Unit::testHttp( $server, '/git/qunit/qunit-git.css', [], [
 	'status' => '301 Moved Permanently',
 	'server' => 'nginx',
 	'location' => 'https://releases.jquery.com/git/qunit/qunit-git.css',
 ] );
 
 Unit::end();
-
-function jq_req( $url ) {
-	print "# $url\n";
-	$ch = curl_init( $url );
-	$resp = [ 'headers' => [], 'body' => null ];
-	curl_setopt_array( $ch, [
-		CURLOPT_RETURNTRANSFER => 1,
-		CURLOPT_FOLLOWLOCATION => 0,
-		CURLOPT_HEADERFUNCTION => function( $ch, $header ) use ( &$resp ) {
-			$len = strlen( $header );
-			if ( preg_match( "/^(HTTP\/(?:1\.[01]|2)) (\d{3} .*)/", $header, $m ) ) {
-				$resp['headers'] = [];
-				$resp['headers']['status'] = trim( $m[2] );
-			} else {
-				$parts = explode( ':', $header, 2 );
-				if ( count( $parts ) === 2 ) {
-					$name = strtolower( $parts[0] );
-					$val = trim( $parts[1] );
-					if ( isset( $resp['headers'][$name] ) ) {
-						$resp['headers'][$name] .= ", $val";
-					} else {
-						$resp['headers'][$name] = $val;
-					}
-				}
-			}
-			return $len;
-		},
-	] );
-	try {
-		$ret = curl_exec( $ch );
-		if ( $ret === false ) {
-			throw new Exception( curl_error( $ch ) );
-		}
-		$resp['body'] = $ret;
-		return $resp;
-	} finally {
-		curl_close( $ch );
-	}
-}
-
-class Unit {
-	static $i = 0;
-	static $pass = true;
-
-	public static function start() {
-		error_reporting( E_ALL );
-		print "TAP version 13\n";
-	}
-
-	public static function test( $name, $actual, $expected ) {
-		$num = ++self::$i;
-		if ( $actual === $expected ) {
-			print "ok $num $name\n";
-		} else {
-			self::$pass = false;
-			print "not ok $num $name\n  ---\n  actual:   "
-				. json_encode( $actual, JSON_UNESCAPED_SLASHES ) . "\n  expected: "
-				. json_encode( $expected, JSON_UNESCAPED_SLASHES ) . "\n";
-		}
-	}
-
-	public static function testHttp( $server, $path, array $expectHeaders, $expectBody = null ) {
-		try {
-			$resp = jq_req( "http://{$server}{$path}" );
-			foreach ( $expectHeaders as $key => $val ) {
-				self::test( "GET $path > header $key", @$resp['headers'][$key], $val );
-			}
-		} catch ( Exception $e ) {
-			self::test( "GET $path > error", $e->getMessage(), null );
-		}
-	}
-
-	public static function end() {
-		print '1..' . self::$i . "\n";
-		if ( !self::$pass ) {
-			exit( 1 );
-		}
-	}
-}
diff --git a/test/static-strict.php b/test/static-strict.php
