diff --git a/.circleci/config.yml b/.circleci/config.yml index fe81dd272c1..0a9c842f882 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -171,23 +171,24 @@ jobs: - run: name: "Check code formatting" command: | - sudo -u lightning mix format --check-formatted || touch /tmp/lint_failed + sudo -u lightning mix format --check-formatted || echo "format" >> /tmp/lint_failed - run: name: "Check code style with Credo" when: always command: | - sudo -u lightning mix credo --strict --all || touch /tmp/lint_failed + sudo -u lightning mix credo --strict --all || echo "credo" >> /tmp/lint_failed - run: name: "Check for security vulnerabilities" when: always command: | - sudo -u lightning mix sobelow --threshold medium || touch /tmp/lint_failed + sudo -u lightning mix sobelow --threshold medium || echo "sobelow" >> /tmp/lint_failed - run: name: "Verify all checks passed" when: always command: | if [ -f /tmp/lint_failed ]; then - echo "One or more lint checks failed" + echo "The following checks failed:" + cat /tmp/lint_failed exit 1 fi diff --git a/benchmarking/channels/README.md b/benchmarking/channels/README.md new file mode 100644 index 00000000000..08f17ca49ed --- /dev/null +++ b/benchmarking/channels/README.md @@ -0,0 +1,361 @@ +# Channel Proxy Benchmarking + +Pure Elixir tools for testing the channel proxy's performance and memory +behaviour. No external dependencies (k6, etc.) — just `elixir` and a running +Lightning instance. + +## Prerequisites + +- Elixir installed (Mix.install handles all script dependencies) +- A running Lightning instance started as a named Erlang node +- The channel proxy feature enabled (routes at `/channels/:id/*path`) + +## Quick Start + +Three terminals: + +```bash +# Terminal 1 — Mock sink (simulates the downstream HTTP service) +elixir benchmarking/channels/mock_sink.exs + +# Terminal 2 — Lightning (as a named node) +iex --sname lightning --cookie bench -S mix phx.server + +# Terminal 3 — Load test (single scenario) +elixir --sname loadtest --cookie bench \ + benchmarking/channels/load_test.exs \ + --scenario happy_path --concurrency 20 --duration 30 + +# Or run all scenarios in sequence: +benchmarking/channels/run_all.sh --duration 30 --concurrency 20 +``` + +The load test will automatically create a "load-test" project and channel +pointing at the mock sink, then drive traffic through the proxy and report +results. + +## File Structure + +``` +benchmarking/channels/ +├── load_test.exs # Entry point (~20 lines): Mix.install, loads modules, calls main() +├── mock_sink.exs # Standalone mock HTTP sink server +├── run_all.sh # Runs all 7 scenarios in sequence +├── lib/ +│ ├── load_test/ +│ │ ├── config.exs # LoadTest.Config — CLI parsing and validation +│ │ ├── metrics.exs # LoadTest.Metrics — Agent-based latency/error collector +│ │ ├── setup.exs # LoadTest.Setup — BEAM connection, channel creation, telemetry deploy +│ │ ├── runner.exs # LoadTest.Runner — Scenario execution (steady, ramp-up, direct) +│ │ ├── report.exs # LoadTest.Report — Results formatting and CSV output +│ │ └── main.exs # LoadTest — Orchestrator (ties everything together) +│ └── telemetry_collector.exs # Bench.TelemetryCollector — Deployed to Lightning for server-side timing +└── results/ + └── .gitignore +``` + +The entry point (`load_test.exs`) installs deps via `Mix.install`, loads all +modules via `Code.require_file` in dependency order, then calls +`LoadTest.main(System.argv())`. + +## Mock Sink (`mock_sink.exs`) + +A standalone Bandit HTTP server that accepts all requests and responds according +to the configured mode. + +```bash +elixir benchmarking/channels/mock_sink.exs [options] +``` + +### Options + +| Option | Default | Description | +| ------------------- | ------- | -------------------------- | +| `--port PORT` | 4001 | Listen port | +| `--mode MODE` | fixed | Response mode (see below) | +| `--status CODE` | 200 | HTTP status for fixed mode | +| `--body-size BYTES` | 256 | Response body size | + +### Modes + +| Mode | Behaviour | +| ----------- | ------------------------------------------------------------------------------- | +| **fixed** | Returns `--status` with `--body-size` body (respects `?delay=N`) | +| **timeout** | Accepts connection, never responds | +| **auth** | 401 if no `Authorization` header, 403 if invalid, 200 for `Bearer test-api-key` | +| **mixed** | 80% fast 200, 10% slow 200 (2s delay), 10% 503 | + +### Query Parameters + +The mock sink supports per-request overrides via query parameters: + +| Parameter | Description | +| ------------------ | ----------------------------------------------- | +| `?response_size=N` | Override `--body-size` for this request (bytes) | +| `?delay=N` | Add a response delay for this request (ms) | +| `?status=N` | Override `--status` for this request (e.g. 503) | + +This lets the load test control response sizes and delays without restarting the +sink: + +```bash +# Default body size +curl http://localhost:4001/test + +# Override to 5000 bytes for this request +curl "http://localhost:4001/test?response_size=5000" + +# 500ms delay +curl "http://localhost:4001/test?delay=500" + +# Combine both +curl "http://localhost:4001/test?delay=500&response_size=5000" +``` + +### Examples + +```bash +# Default: fast 200 responses +elixir benchmarking/channels/mock_sink.exs + +# Simulate flaky upstream +elixir benchmarking/channels/mock_sink.exs --mode mixed + +# Large response bodies (5MB) +elixir benchmarking/channels/mock_sink.exs --body-size 5000000 + +# Require authentication +elixir benchmarking/channels/mock_sink.exs --mode auth + +# Slow responses via query param (no restart needed) +curl "http://localhost:4001/test?delay=2000" +``` + +## Load Test (`load_test.exs`) + +Drives HTTP traffic through the channel proxy, collects metrics, and reports +latency percentiles, throughput, error rates, BEAM memory usage, and server-side +telemetry timing breakdown. + +```bash +elixir --sname loadtest --cookie COOKIE \ + benchmarking/channels/load_test.exs [options] +``` + +**Important:** Must be run as a named Erlang node (`--sname`) so it can connect +to the Lightning BEAM for channel setup, memory sampling, and telemetry. + +### Options + +| Option | Default | Description | +| ----------------------- | ----------------------- | ---------------------------------------------------- | +| `--target URL` | `http://localhost:4000` | Lightning base URL | +| `--sink URL` | `http://localhost:4001` | Mock sink URL (for channel creation) | +| `--node NODE` | `lightning@hostname` | Lightning node name | +| `--cookie COOKIE` | — | Erlang cookie (also settable via `elixir --cookie`) | +| `--channel NAME` | `load-test` | Channel name to find/create | +| `--scenario NAME` | `happy_path` | Test scenario (see below) | +| `--concurrency N` | 10 | Concurrent virtual users | +| `--duration SECS` | 30 | Test duration | +| `--payload-size BYTES` | 1024 | Request body size | +| `--response-size BYTES` | — | Response body size override (via `?response_size=N`) | +| `--delay MS` | — (slow_sink: 2000) | Sink response delay (via `?delay=N`) | +| `--csv PATH` | — | Optional CSV output file | + +### Scenarios + +| Scenario | Description | Mock sink mode | +| ------------------ | ----------------------------------------------- | --------------------- | +| **happy_path** | Sustained POST requests at constant concurrency | `fixed` (default) | +| **ramp_up** | Linearly ramp from 1 → N VUs over duration | `fixed` | +| **large_payload** | POST with large request bodies (default 1MB) | `fixed` | +| **large_response** | GET requests with large response bodies | `fixed --body-size N` | +| **mixed_methods** | Rotate through GET, POST, PUT, PATCH, DELETE | `fixed` | +| **slow_sink** | Measure latency with a slow upstream | `fixed` + `?delay=N` | +| **direct_sink** | Hit mock sink directly (baseline measurement) | `fixed` (default) | + +### Examples + +```bash +# Basic throughput test +elixir --sname lt --cookie bench \ + benchmarking/channels/load_test.exs \ + --concurrency 20 --duration 30 + +# Memory test with 1MB payloads +elixir --sname lt --cookie bench \ + benchmarking/channels/load_test.exs \ + --scenario large_payload --payload-size 1048576 --duration 30 + +# Ramp up to 50 VUs with CSV output +elixir --sname lt --cookie bench \ + benchmarking/channels/load_test.exs \ + --scenario ramp_up --concurrency 50 --duration 60 --csv results.csv + +# Slow upstream latency test (delay applied via query param, no sink restart) +elixir --sname lt --cookie bench \ + benchmarking/channels/load_test.exs \ + --scenario slow_sink --delay 2000 --concurrency 10 --duration 30 + +# Baseline: hit mock sink directly (no Lightning needed, no --sname required) +elixir benchmarking/channels/load_test.exs \ + --scenario direct_sink --concurrency 20 --duration 10 + +# Large response test with explicit response size +elixir --sname lt --cookie bench \ + benchmarking/channels/load_test.exs \ + --scenario large_response --response-size 1048576 --duration 30 +``` + +## Run All Scenarios (`run_all.sh`) + +Runs all 7 scenarios in sequence, logging output to a timestamped file and +appending CSV rows for each scenario. Assumes Lightning and mock sink are +already running. Bails on first failure. + +```bash +benchmarking/channels/run_all.sh [options] +``` + +### Options + +| Option | Default | Description | +| ----------------- | ------- | --------------------- | +| `--sname NAME` | lt | Erlang short name | +| `--cookie COOKIE` | bench | Erlang cookie | +| `--duration SECS` | 30 | Per-scenario duration | +| `--concurrency N` | 20 | Virtual users | + +### Scenario Order + +| # | Scenario | Extra flags | +| --- | ---------------- | ------------------------- | +| 1 | `direct_sink` | (none — baseline) | +| 2 | `happy_path` | (none) | +| 3 | `ramp_up` | (none) | +| 4 | `large_payload` | `--payload-size 1048576` | +| 5 | `large_response` | `--response-size 1048576` | +| 6 | `mixed_methods` | (none) | +| 7 | `slow_sink` | `--delay 2000` | + +### Examples + +```bash +# Quick smoke test (10s per scenario, 5 VUs) +benchmarking/channels/run_all.sh --duration 10 --concurrency 5 + +# Full run with defaults (30s per scenario, 20 VUs) +benchmarking/channels/run_all.sh + +# Custom node/cookie +benchmarking/channels/run_all.sh --sname mynode --cookie mysecret +``` + +Results are written to `/tmp/channel-bench-results/`: + +- `YYYY.MM.DD-HH.MM.log` — full console output +- `YYYY.MM.DD-HH.MM.csv` — one row per scenario for analysis + +## Interpreting Results + +The load test prints a summary like: + +``` +═══════════════════════════════════════ + Channel Load Test Results +═══════════════════════════════════════ + Scenario: happy_path + Concurrency: 20 VUs + Duration: 30s +─────────────────────────────────────── + Requests: 15432 + Throughput: 514.4 req/s + Errors: 0 (0.0%) +─────────────────────────────────────── + Latency: + p50: 12.3ms + p95: 45.7ms + p99: 89.2ms +─────────────────────────────────────── + Memory (Lightning BEAM): + start: 128.5 MB + end: 131.2 MB + max: 135.0 MB + delta: +2.7 MB +═══════════════════════════════════════ +``` + +### Telemetry Timing Breakdown + +When running through Lightning (not `direct_sink`), the load test automatically +deploys a telemetry collector onto the Lightning BEAM node. After the test, it +prints a server-side timing breakdown: + +``` +─────────────────────────────────────── + Channel Proxy Timing (server-side): + Total request p50=12.3ms, p95=45.7ms, p99=89.2ms, n=15432 + DB lookup p50=0.2ms, p95=0.5ms, p99=1.1ms, n=15432 + Upstream proxy p50=11.8ms, p95=44.9ms, p99=87.5ms, n=15432 +``` + +This tells you exactly where time is spent inside the channel proxy: + +| Metric | What it measures | +| ------------------ | -------------------------------------------------------------------- | +| **Total request** | Entire `ChannelProxyPlug.call/2` — DB lookup + proxy + plug overhead | +| **DB lookup** | `Ecto.UUID.cast` + `Repo.get` to find the channel | +| **Upstream proxy** | `Weir.proxy` call — HTTP to the sink + response streaming back | +| **Plug overhead** | `Total request` - `DB lookup` - `Upstream proxy` = plug/header work | + +If `Total request` is much larger than `Upstream proxy`, the overhead is in the +Plug pipeline or DB lookup. If `Upstream proxy` dominates, the time is in the +network hop to the sink. + +The telemetry collector uses ETS with `:public` access and `write_concurrency` +for minimal overhead — handlers run in the connection processes, not through a +GenServer bottleneck. + +### What "good" looks like + +- **Memory delta** is the key metric for proxy correctness. If the proxy is + streaming properly, memory should stay roughly flat regardless of payload + size. A delta under **50 MB** for a 30-second test with 1MB payloads indicates + correct streaming behaviour. A growing delta suggests the proxy is buffering + entire request/response bodies in memory. + +- **Throughput** depends heavily on your machine and the mock sink + configuration. With a fast local sink and 20 VUs, expect 500+ req/s on modern + hardware. + +- **Latency p95** should be close to p50 for the `happy_path` scenario (no + artificial delays). A large gap indicates contention or resource exhaustion. + +- **Error rate** should be 0% for `happy_path` and `large_payload` scenarios. + Non-zero errors suggest proxy bugs or resource limits. + +### Measuring proxy overhead with `direct_sink` + +The `direct_sink` scenario hits the mock sink directly, bypassing Lightning +entirely. This gives a baseline for the test harness + mock sink latency: + +``` +proxy_overhead = happy_path_latency - direct_sink_latency +``` + +Run both and compare: + +```bash +# Baseline (no Lightning needed) +elixir benchmarking/channels/load_test.exs \ + --scenario direct_sink --concurrency 20 --duration 10 + +# Through proxy +elixir --sname lt --cookie bench \ + benchmarking/channels/load_test.exs \ + --scenario happy_path --concurrency 20 --duration 10 +``` + +The difference tells you exactly what the proxy pipeline (plugs, DB lookup, +Weir, second HTTP hop) costs per request. The telemetry breakdown further +decomposes that cost into DB lookup vs upstream proxy vs plug overhead. diff --git a/benchmarking/channels/lib/load_test/config.exs b/benchmarking/channels/lib/load_test/config.exs new file mode 100644 index 00000000000..a237b2874bf --- /dev/null +++ b/benchmarking/channels/lib/load_test/config.exs @@ -0,0 +1,191 @@ +# benchmarking/channels/lib/load_test/config.exs +# +# CLI argument parsing and validation for the channel load test. + +defmodule LoadTest.Config do + @moduledoc false + + @scenarios ~w(happy_path ramp_up saturation large_payload large_response mixed_methods slow_sink direct_sink) + + @defaults %{ + target: "http://localhost:4000", + sink: "http://localhost:4001", + node: nil, + cookie: nil, + channel: "load-test", + scenario: "happy_path", + concurrency: 10, + duration: 30, + payload_size: 1024, + response_size: nil, + delay: nil, + csv: nil, + charts: false + } + + @help """ + Usage: elixir --sname loadtest --cookie COOKIE \\ + benchmarking/channels/load_test.exs [options] + + Options: + --target URL Lightning base URL (default: http://localhost:4000) + --sink URL Mock sink URL for channel creation (default: http://localhost:4001) + --node NODE Lightning node name (default: lightning@hostname) + --cookie COOKIE Erlang cookie (can also use --cookie flag on elixir command) + --channel NAME Channel name to find/create (default: load-test) + --scenario SCENARIO Test scenario (default: happy_path) + --concurrency N Concurrent virtual users (default: 10) + --duration SECS Test duration in seconds (default: 30) + --payload-size BYTES Request body size (default: 1024) + --response-size BYTES Response body size override via query param (default: none) + --delay MS Sink response delay via query param (default: none; slow_sink: 2000) + --csv PATH Optional CSV output file for results + --charts Generate gnuplot charts (PNG files in /tmp or next to --csv) + --help Show this help + + Scenarios: + happy_path Sustained POST requests at --concurrency VUs for --duration seconds + ramp_up Ramp from 1 to --concurrency VUs over --duration seconds + saturation Ramp through concurrency levels, report per-step (find throughput ceiling) + large_payload POST with --payload-size bodies (default 1MB), check memory stays flat + large_response GET requests; mock sink returns large bodies. Reports memory + mixed_methods Rotate through GET, POST, PUT, PATCH, DELETE + slow_sink Sink with --delay ms (default 2000); measures TTFB and latency + direct_sink Hit mock sink directly (no Lightning), baseline measurement + + Note: Most scenarios require a named node (--sname) to connect to Lightning. + The direct_sink scenario does not require --sname or a running Lightning instance. + The --cookie flag on the elixir command sets the Erlang cookie. The + script also accepts --cookie in its own args as a convenience. + """ + + def parse(args) do + case parse_args(args, @defaults) do + :help -> + IO.puts(@help) + System.halt(0) + + {:error, message} -> + IO.puts(:stderr, "error: #{message}\n") + IO.puts(:stderr, @help) + System.halt(1) + + config -> + config + |> apply_defaults() + |> validate!() + end + end + + defp parse_args([], acc), do: acc + defp parse_args(["--help" | _], _acc), do: :help + + defp parse_args(["--target", value | rest], acc), + do: parse_args(rest, %{acc | target: String.trim_trailing(value, "/")}) + + defp parse_args(["--sink", value | rest], acc), + do: parse_args(rest, %{acc | sink: String.trim_trailing(value, "/")}) + + defp parse_args(["--node", value | rest], acc), + do: parse_args(rest, %{acc | node: value}) + + defp parse_args(["--cookie", value | rest], acc), + do: parse_args(rest, %{acc | cookie: value}) + + defp parse_args(["--channel", value | rest], acc), + do: parse_args(rest, %{acc | channel: value}) + + defp parse_args(["--scenario", value | rest], acc) do + if value in @scenarios do + parse_args(rest, %{acc | scenario: value}) + else + {:error, + "unknown scenario: #{value}. Expected one of: #{Enum.join(@scenarios, ", ")}"} + end + end + + defp parse_args(["--concurrency", value | rest], acc) do + case Integer.parse(value) do + {n, ""} when n > 0 -> parse_args(rest, %{acc | concurrency: n}) + _ -> {:error, "invalid concurrency: #{value}"} + end + end + + defp parse_args(["--duration", value | rest], acc) do + case Integer.parse(value) do + {n, ""} when n > 0 -> parse_args(rest, %{acc | duration: n}) + _ -> {:error, "invalid duration: #{value}"} + end + end + + defp parse_args(["--payload-size", value | rest], acc) do + case Integer.parse(value) do + {n, ""} when n > 0 -> parse_args(rest, %{acc | payload_size: n}) + _ -> {:error, "invalid payload-size: #{value}"} + end + end + + defp parse_args(["--response-size", value | rest], acc) do + case Integer.parse(value) do + {n, ""} when n > 0 -> parse_args(rest, %{acc | response_size: n}) + _ -> {:error, "invalid response-size: #{value}"} + end + end + + defp parse_args(["--delay", value | rest], acc) do + case Integer.parse(value) do + {n, ""} when n >= 0 -> parse_args(rest, %{acc | delay: n}) + _ -> {:error, "invalid delay: #{value}"} + end + end + + defp parse_args(["--csv", value | rest], acc), + do: parse_args(rest, %{acc | csv: value}) + + defp parse_args(["--charts" | rest], acc), + do: parse_args(rest, %{acc | charts: true}) + + defp parse_args([unknown | _], _acc), + do: {:error, "unknown option: #{unknown}"} + + defp apply_defaults(%{node: nil} = config) do + {:ok, hostname} = :inet.gethostname() + %{config | node: "lightning@#{hostname}"} + end + + defp apply_defaults(config), do: config + + defp apply_defaults_for_scenario( + %{scenario: "large_payload", payload_size: 1024} = config + ) do + %{config | payload_size: 1_048_576} + end + + defp apply_defaults_for_scenario( + %{scenario: "large_response", response_size: nil} = config + ) do + %{config | response_size: 1_048_576} + end + + defp apply_defaults_for_scenario(%{scenario: "slow_sink", delay: nil} = config) do + %{config | delay: 2_000} + end + + defp apply_defaults_for_scenario(config), do: config + + defp validate!(config) do + config = apply_defaults_for_scenario(config) + + if config.scenario == "direct_sink" or Node.alive?() do + config + else + IO.puts(:stderr, """ + error: This script must be run as a named Erlang node. + + Use: elixir --sname loadtest --cookie COOKIE benchmarking/channels/load_test.exs + """) + + System.halt(1) + end + end +end diff --git a/benchmarking/channels/lib/load_test/main.exs b/benchmarking/channels/lib/load_test/main.exs new file mode 100644 index 00000000000..2656a90cdba --- /dev/null +++ b/benchmarking/channels/lib/load_test/main.exs @@ -0,0 +1,172 @@ +# benchmarking/channels/lib/load_test/main.exs +# +# Orchestrator — ties together Config, Metrics, Setup, Runner, and Report. + +defmodule LoadTest do + @moduledoc false + + def main(args) do + # Capture the raw argv before parsing so we can reproduce the invocation + command = reconstruct_command(args) + + opts = LoadTest.Config.parse(args) + + opts = + if opts[:charts] do + prefix = LoadTest.Report.generate_output_prefix(opts) + Map.put(opts, :output_prefix, prefix) + else + opts + end + + # Start the Finch HTTP client pool + {:ok, _} = + Finch.start_link( + name: LoadTest.Finch, + pools: %{ + default: [size: opts[:concurrency], count: 1] + } + ) + + # Start the metrics collector + {:ok, _} = LoadTest.Metrics.start_link() + + # Pre-flight: verify mock sink is reachable + LoadTest.Setup.preflight_sink!(opts) + + direct? = opts[:scenario] == "direct_sink" + + # Build the target URL + {channel_url, node} = + if direct? do + {"#{opts[:sink]}/test", nil} + else + # Connect to the Lightning BEAM + node = LoadTest.Setup.connect!(opts) + + # Ensure test channel exists + channel = + LoadTest.Setup.ensure_channel!(node, opts) + + {"#{opts[:target]}/channels/#{channel.id}/test", node} + end + + # Append query params (?response_size=N&delay=N) when configured + channel_url = append_query_params(channel_url, opts) + + # Deploy telemetry collector (skip for direct_sink) + telemetry_ok? = + if not direct? and node do + LoadTest.Setup.deploy_telemetry_collector!(node) == :ok + else + false + end + + # Print test banner + duration_label = + if opts[:scenario] == "saturation", + do: "#{opts[:duration]}s (per step)", + else: "#{opts[:duration]}s" + + IO.puts(""" + + Starting load test... + URL: #{channel_url} + Scenario: #{opts[:scenario]} + Concurrency: #{opts[:concurrency]} VUs + Duration: #{duration_label} + Payload: #{opts[:payload_size]} bytes#{format_response_size(opts[:response_size])}#{format_delay(opts[:delay])} + Telemetry: #{if telemetry_ok?, do: "enabled", else: "disabled"} + Command: #{command} + """) + + # Run the scenario + if direct? do + LoadTest.Runner.run_direct(opts[:scenario], channel_url, opts) + print_standard_results(opts, command, node, telemetry_ok?) + else + result = LoadTest.Runner.run(opts[:scenario], channel_url, opts) + + if opts[:scenario] == "saturation" do + LoadTest.Report.print_saturation(result, opts, command) + + # Charts need a CSV to read from; auto-create one if --charts without --csv + opts_with_csv = + if opts[:charts] and is_nil(opts[:csv]), + do: Map.put(opts, :csv, opts[:output_prefix] <> ".csv"), + else: opts + + LoadTest.Report.write_saturation_csv(result, opts_with_csv) + + if opts[:charts] do + csv_path = opts_with_csv[:csv] + LoadTest.Report.write_saturation_charts(csv_path) + end + + if telemetry_ok? do + LoadTest.Setup.teardown_telemetry_collector!(node) + end + else + print_standard_results(opts, command, node, telemetry_ok?) + end + end + end + + defp print_standard_results(opts, command, node, telemetry_ok?) do + summary = LoadTest.Metrics.summary() + LoadTest.Report.print(summary, opts, command) + + if telemetry_ok? do + telemetry = LoadTest.Setup.get_telemetry_summary(node) + LoadTest.Report.print_telemetry(telemetry) + LoadTest.Setup.teardown_telemetry_collector!(node) + end + + LoadTest.Report.write_csv(summary, opts) + + if opts[:charts] do + timeseries = LoadTest.Metrics.latency_timeseries() + LoadTest.Report.write_standard_charts(timeseries, opts) + end + end + + defp reconstruct_command(args) do + script = "benchmarking/channels/load_test.exs" + argv = Enum.join(args, " ") + + node_part = + case Node.self() do + :nonode@nohost -> "" + node -> " --sname #{node}" + end + + cookie_part = + case Node.get_cookie() do + :nocookie -> "" + cookie -> " --cookie #{cookie}" + end + + "elixir#{node_part}#{cookie_part} #{script} #{argv}" + |> String.trim() + end + + defp append_query_params(url, opts) do + params = + [ + if(opts[:response_size], do: "response_size=#{opts[:response_size]}"), + if(opts[:delay], do: "delay=#{opts[:delay]}") + ] + |> Enum.reject(&is_nil/1) + + case params do + [] -> url + parts -> "#{url}?#{Enum.join(parts, "&")}" + end + end + + defp format_response_size(nil), do: "" + defp format_response_size(n), do: "\n Response: #{n} bytes" + + defp format_delay(nil), do: "" + defp format_delay(n), do: "\n Delay: #{n}ms" +end diff --git a/benchmarking/channels/lib/load_test/metrics.exs b/benchmarking/channels/lib/load_test/metrics.exs new file mode 100644 index 00000000000..ee4d76b64d0 --- /dev/null +++ b/benchmarking/channels/lib/load_test/metrics.exs @@ -0,0 +1,163 @@ +# benchmarking/channels/lib/load_test/metrics.exs +# +# Agent-based metrics collector for request latencies, status codes, +# errors, and BEAM memory samples. + +defmodule LoadTest.Metrics do + @moduledoc false + + use Agent + + def start_link do + Agent.start_link( + fn -> + %{ + latencies: [], + status_codes: %{}, + errors: 0, + error_reasons: %{}, + memory_samples: [], + start_time: System.monotonic_time(:microsecond) + } + end, + name: __MODULE__ + ) + end + + def record_request(latency_us, status) do + Agent.update(__MODULE__, fn state -> + elapsed_us = System.monotonic_time(:microsecond) - state.start_time + + state + |> Map.update!(:latencies, &[{elapsed_us, latency_us} | &1]) + |> Map.update!(:status_codes, fn codes -> + Map.update(codes, status, 1, &(&1 + 1)) + end) + end) + end + + def record_error(reason) do + key = inspect(reason) + + Agent.update(__MODULE__, fn state -> + state + |> Map.update!(:errors, &(&1 + 1)) + |> Map.update!(:error_reasons, fn reasons -> + Map.update(reasons, key, 1, &(&1 + 1)) + end) + end) + end + + def reset do + Agent.update(__MODULE__, fn state -> + %{ + state + | latencies: [], + status_codes: %{}, + errors: 0, + error_reasons: %{}, + start_time: System.monotonic_time(:microsecond) + } + end) + end + + def record_memory(bytes) do + timestamp = System.monotonic_time(:microsecond) + + Agent.update(__MODULE__, fn state -> + Map.update!(state, :memory_samples, &[{timestamp, bytes} | &1]) + end) + end + + def summary do + Agent.get(__MODULE__, fn state -> + now = System.monotonic_time(:microsecond) + elapsed_us = now - state.start_time + elapsed_s = max(elapsed_us / 1_000_000, 0.001) + + latencies = state.latencies |> Enum.map(&elem(&1, 1)) |> Enum.sort() + total = length(latencies) + + memory_samples = + state.memory_samples + |> Enum.reverse() + + %{ + total_requests: total, + rps: if(total > 0, do: Float.round(total / elapsed_s, 1), else: 0.0), + error_count: state.errors, + error_rate: + if(total + state.errors > 0, + do: Float.round(state.errors / (total + state.errors) * 100, 1), + else: 0.0 + ), + error_reasons: state.error_reasons, + status_codes: state.status_codes, + p50: percentile(latencies, 50), + p95: percentile(latencies, 95), + p99: percentile(latencies, 99), + min: List.first(latencies, 0), + max: List.last(latencies, 0), + duration_s: Float.round(elapsed_s, 1), + memory_start: memory_start(memory_samples), + memory_end: memory_end(memory_samples), + memory_max: memory_max(memory_samples), + memory_delta: memory_delta(memory_samples) + } + end) + end + + def latency_timeseries(bucket_s \\ 1.0) do + Agent.get(__MODULE__, fn state -> + bucket_us = round(bucket_s * 1_000_000) + + state.latencies + |> Enum.group_by(fn {elapsed_us, _lat} -> div(elapsed_us, bucket_us) end) + |> Enum.sort_by(fn {bucket, _} -> bucket end) + |> Enum.map(fn {bucket, entries} -> + lats = entries |> Enum.map(&elem(&1, 1)) |> Enum.sort() + + %{ + t: Float.round((bucket + 1) * bucket_s, 1), + p50: percentile(lats, 50), + p95: percentile(lats, 95), + p99: percentile(lats, 99), + count: length(lats) + } + end) + end) + end + + defp percentile([], _p), do: 0 + + defp percentile(sorted, p) do + k = max(round(length(sorted) * p / 100) - 1, 0) + Enum.at(sorted, k, 0) + end + + defp memory_start([{_ts, bytes} | _]), do: bytes + defp memory_start([]), do: nil + + defp memory_end(samples) do + case List.last(samples) do + {_ts, bytes} -> bytes + nil -> nil + end + end + + defp memory_max(samples) do + case samples do + [] -> nil + _ -> samples |> Enum.map(&elem(&1, 1)) |> Enum.max() + end + end + + defp memory_delta(samples) do + with {_ts1, start_bytes} <- List.first(samples), + {_ts2, end_bytes} <- List.last(samples) do + end_bytes - start_bytes + else + _ -> nil + end + end +end diff --git a/benchmarking/channels/lib/load_test/report.exs b/benchmarking/channels/lib/load_test/report.exs new file mode 100644 index 00000000000..3215a79f423 --- /dev/null +++ b/benchmarking/channels/lib/load_test/report.exs @@ -0,0 +1,474 @@ +# benchmarking/channels/lib/load_test/report.exs +# +# Formats and prints metrics summary, including telemetry timing breakdown. + +defmodule LoadTest.Report do + @moduledoc false + + def print(summary, opts, command \\ nil) do + direct? = opts[:scenario] == "direct_sink" + + scenario_label = + if direct?, do: "#{opts[:scenario]} (baseline)", else: opts[:scenario] + + memory_section = format_memory_section(summary, direct?) + + IO.puts(""" + + \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 + Channel Load Test Results + \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 + Scenario: #{scenario_label} + Concurrency: #{opts[:concurrency]} VUs + Duration: #{summary.duration_s}s + Command: #{command} + \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 + Requests: #{summary.total_requests} + Throughput: #{summary.rps} req/s + Errors: #{summary.error_count} (#{summary.error_rate}%) + #{format_status_codes(summary.status_codes)}\ + #{format_error_reasons(summary.error_reasons)}\ + \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 + Latency: + p50: #{format_us(summary.p50)} + p95: #{format_us(summary.p95)} + p99: #{format_us(summary.p99)} + min: #{format_us(summary.min)} + max: #{format_us(summary.max)} + \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 + #{memory_section}\ + \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 + """) + end + + @doc """ + Print telemetry timing breakdown from the remote collector. + Shows server-side timing for the channel proxy pipeline. + """ + def print_telemetry(nil), do: :ok + + def print_telemetry(telemetry) when map_size(telemetry) == 0 do + IO.puts(""" + Channel Proxy Timing (server-side): + No telemetry data collected + """) + end + + def print_telemetry(telemetry) do + # Display order: total request, then sub-spans + rows = [ + {:request, "Total request", Map.get(telemetry, :request)}, + {:fetch_channel, " DB lookup", Map.get(telemetry, :fetch_channel)}, + {:upstream, " Upstream proxy", Map.get(telemetry, :upstream)} + ] + + lines = + rows + |> Enum.filter(fn {_key, _label, stats} -> stats != nil end) + |> Enum.map(fn {_key, label, stats} -> + " #{String.pad_trailing(label, 18)} " <> + "p50=#{format_us(stats.p50)}, " <> + "p95=#{format_us(stats.p95)}, " <> + "p99=#{format_us(stats.p99)}, " <> + "n=#{stats.count}" + end) + |> Enum.join("\n") + + IO.puts(""" + \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 + Channel Proxy Timing (server-side): + #{lines} + """) + end + + # -- Saturation output -- + + def print_saturation(results, opts, command \\ nil) do + header = """ + + \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 + Saturation Test Results + \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 + Max VUs: #{opts[:concurrency]} + Per-step: #{opts[:duration]}s + Steps: #{length(results)} + Command: #{command} + \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 + """ + + table_header = + " #{pad_r("VUs", 6)} #{pad_r("RPS", 9)} #{pad_r("Reqs", 8)} " <> + "#{pad_r("Errors", 8)} #{pad_r("p50", 10)} #{pad_r("p95", 10)} #{pad_r("p99", 10)}" + + separator = + " #{String.duplicate("\u2500", 5)} " <> + "#{String.duplicate("\u2500", 8)} " <> + "#{String.duplicate("\u2500", 7)} " <> + "#{String.duplicate("\u2500", 7)} " <> + "#{String.duplicate("\u2500", 9)} " <> + "#{String.duplicate("\u2500", 9)} " <> + "#{String.duplicate("\u2500", 9)}" + + rows = + results + |> Enum.map(fn %{concurrency: c, summary: s} -> + " #{pad_r(to_string(c), 6)} " <> + "#{pad_r(to_string(s.rps), 9)} " <> + "#{pad_r(to_string(s.total_requests), 8)} " <> + "#{pad_r(to_string(s.error_count), 8)} " <> + "#{pad_r(format_us(s.p50), 10)} " <> + "#{pad_r(format_us(s.p95), 10)} " <> + "#{pad_r(format_us(s.p99), 10)}" + end) + |> Enum.join("\n") + + footer = + "\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550" + + IO.puts(header) + IO.puts(table_header) + IO.puts(separator) + IO.puts(rows) + IO.puts(" #{footer}") + + # Print server-side telemetry table if any step has it + if Enum.any?(results, fn %{telemetry: t} -> t != nil and map_size(t) > 0 end) do + print_saturation_telemetry(results) + end + end + + defp print_saturation_telemetry(results) do + IO.puts(""" + + \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 + Server-side Timing (per step): + """) + + for %{concurrency: c, telemetry: t} <- results, t != nil, map_size(t) > 0 do + request = Map.get(t, :request) + db = Map.get(t, :fetch_channel) + upstream = Map.get(t, :upstream) + + parts = + [ + if(request, + do: "req p50=#{format_us(request.p50)}/p95=#{format_us(request.p95)}" + ), + if(db, do: "db p50=#{format_us(db.p50)}"), + if(upstream, do: "up p50=#{format_us(upstream.p50)}") + ] + |> Enum.reject(&is_nil/1) + |> Enum.join(", ") + + IO.puts(" #{pad_r("#{c} VUs:", 10)} #{parts}") + end + end + + def write_saturation_csv(results, opts) do + case opts[:csv] do + nil -> + :ok + + path -> + IO.write("Writing saturation CSV to #{path}... ") + + header = + "step,concurrency,duration_s,requests,rps,errors,error_rate," <> + "p50_us,p95_us,p99_us,min_us,max_us,memory_end_bytes," <> + "server_request_p50_us,server_request_p95_us," <> + "server_db_p50_us,server_upstream_p50_us\n" + + rows = + results + |> Enum.with_index(1) + |> Enum.map(fn {%{concurrency: c, summary: s, telemetry: t}, step} -> + tel_request = if t, do: Map.get(t, :request) + tel_db = if t, do: Map.get(t, :fetch_channel) + tel_upstream = if t, do: Map.get(t, :upstream) + + [ + step, + c, + s.duration_s, + s.total_requests, + s.rps, + s.error_count, + s.error_rate, + s.p50, + s.p95, + s.p99, + s.min, + s.max, + s.memory_end || "", + if(tel_request, do: tel_request.p50, else: ""), + if(tel_request, do: tel_request.p95, else: ""), + if(tel_db, do: tel_db.p50, else: ""), + if(tel_upstream, do: tel_upstream.p50, else: "") + ] + |> Enum.join(",") + end) + |> Enum.join("\n") + + content = + if File.exists?(path) do + rows <> "\n" + else + header <> rows <> "\n" + end + + mode = if File.exists?(path), do: [:append], else: [:write] + File.write!(path, content, mode) + IO.puts("ok") + end + end + + def write_saturation_charts(csv_path) do + basename = Path.rootname(csv_path) + script_path = basename <> ".gnuplot" + throughput_png = basename <> "_throughput.png" + latency_png = basename <> "_latency.png" + + # Build latency plot with gnuplot line continuations. + # Can't use \\ at end-of-line in heredocs (Elixir treats \ as continuation), + # so we concatenate the pieces explicitly. + latency_plot = + "plot '#{csv_path}' every ::1 using 2:($8/1000) with linespoints pt 7 lw 2 title 'p50', \\\n" <> + " '' every ::1 using 2:($9/1000) with linespoints pt 5 lw 2 title 'p95', \\\n" <> + " '' every ::1 using 2:($10/1000) with linespoints pt 9 lw 2 title 'p99'\n" + + script = + """ + set datafile separator ',' + set terminal pngcairo size 1024,600 enhanced font 'sans,11' + set grid + set xlabel 'Concurrency (VUs)' + + # Chart 1: Throughput + set output '#{throughput_png}' + set title 'Saturation: Throughput vs Concurrency' + set ylabel 'Throughput (req/s)' + plot '#{csv_path}' every ::1 using 2:5 with linespoints pt 7 ps 1.2 lw 2 title 'RPS' + + # Chart 2: Latency + set output '#{latency_png}' + set title 'Saturation: Latency vs Concurrency' + set ylabel 'Latency (ms)' + set key top left + """ <> latency_plot + + File.write!(script_path, script) + + run_gnuplot(script_path, [throughput_png, latency_png]) + end + + def write_standard_charts(timeseries, opts) do + prefix = + if opts[:output_prefix] do + opts[:output_prefix] + else + Path.rootname(opts[:csv]) + end + + script_path = prefix <> "_latency.gnuplot" + latency_png = prefix <> "_latency.png" + + # columns: t p50_ms p95_ms p99_ms rps + data_lines = + timeseries + |> Enum.map(fn %{t: t, p50: p50, p95: p95, p99: p99, count: count} -> + p50_ms = Float.round(p50 / 1_000, 2) + p95_ms = Float.round(p95 / 1_000, 2) + p99_ms = Float.round(p99 / 1_000, 2) + "#{t} #{p50_ms} #{p95_ms} #{p99_ms} #{count}" + end) + |> Enum.join("\n") + + title = + "#{opts[:scenario]}: Throughput & Latency (#{opts[:concurrency]} VUs)" + + # Build plot command with gnuplot line continuations. + # Can't use \\ at end-of-line in heredocs (Elixir treats \ as continuation), + # so we concatenate explicitly. + # RPS as filled area on y2 (background), latency lines on y1 (foreground). + plot_cmd = + "plot $DATA using 1:5 axes x1y2 with filledcurves x1 fs transparent solid 0.15 lc rgb '#999999' title 'RPS', \\\n" <> + " '' using 1:2 axes x1y1 with linespoints pt 7 lw 2 title 'p50', \\\n" <> + " '' using 1:3 axes x1y1 with linespoints pt 5 lw 2 title 'p95', \\\n" <> + " '' using 1:4 axes x1y1 with linespoints pt 9 lw 2 title 'p99'\n" + + script = + """ + $DATA << EOD + #{data_lines} + EOD + + set terminal pngcairo size 1024,600 enhanced font 'sans,11' + set output '#{latency_png}' + set title '#{title}' + set xlabel 'Time (s)' + set ylabel 'Latency (ms)' + set y2label 'Throughput (req/s)' + set y2tics + set ytics nomirror + set grid + set key top left + """ <> plot_cmd + + File.write!(script_path, script) + + run_gnuplot(script_path, [latency_png]) + end + + def generate_output_prefix(opts) do + timestamp = Calendar.strftime(DateTime.utc_now(), "%Y%m%d_%H%M%S") + "/tmp/loadtest_#{opts[:scenario]}_#{timestamp}" + end + + defp run_gnuplot(script_path, png_paths) do + case System.cmd("gnuplot", [script_path], stderr_to_stdout: true) do + {_, 0} -> + [first | rest] = png_paths + IO.puts("Charts: #{first}") + Enum.each(rest, fn path -> IO.puts(" #{path}") end) + + {output, _} -> + IO.puts("gnuplot script: #{script_path}") + IO.puts(" Run manually: gnuplot #{script_path}") + + if output =~ "not found" or output =~ "No such file" do + IO.puts(" Install: pacman -S gnuplot (or apt install gnuplot)") + end + end + rescue + ErlangError -> + IO.puts("gnuplot script: #{script_path}") + + IO.puts( + " gnuplot not found — install: pacman -S gnuplot (or apt install gnuplot)" + ) + end + + # -- Standard CSV -- + + def write_csv(summary, opts) do + case opts[:csv] do + nil -> + :ok + + path -> + IO.write("Writing CSV to #{path}... ") + + header = + "scenario,concurrency,duration_s,total_requests,rps," <> + "error_count,error_rate,p50_us,p95_us,p99_us,min_us,max_us," <> + "memory_start_bytes,memory_end_bytes,memory_max_bytes,memory_delta_bytes\n" + + row = + [ + opts[:scenario], + opts[:concurrency], + summary.duration_s, + summary.total_requests, + summary.rps, + summary.error_count, + summary.error_rate, + summary.p50, + summary.p95, + summary.p99, + summary.min, + summary.max, + summary.memory_start || "", + summary.memory_end || "", + summary.memory_max || "", + summary.memory_delta || "" + ] + |> Enum.join(",") + + content = + if File.exists?(path) do + # Append without header if file exists + row <> "\n" + else + header <> row <> "\n" + end + + mode = if File.exists?(path), do: [:append], else: [:write] + File.write!(path, content, mode) + IO.puts("ok") + end + end + + # -- Formatting helpers -- + + defp format_memory_section(_summary, true = _direct?) do + " Memory: n/a (direct sink baseline)" + end + + defp format_memory_section(summary, _direct?) do + """ + Memory (Lightning BEAM): + start: #{format_bytes(summary.memory_start)} + end: #{format_bytes(summary.memory_end)} + max: #{format_bytes(summary.memory_max)} + delta: #{format_bytes_delta(summary.memory_delta)}\ + """ + end + + defp format_us(0), do: "n/a" + + defp format_us(us) when us < 1_000, + do: "#{us}us" + + defp format_us(us) when us < 1_000_000, + do: "#{Float.round(us / 1_000, 1)}ms" + + defp format_us(us), + do: "#{Float.round(us / 1_000_000, 2)}s" + + defp format_bytes(nil), do: "n/a" + + defp format_bytes(bytes) when bytes < 1_024, + do: "#{bytes} B" + + defp format_bytes(bytes) when bytes < 1_048_576, + do: "#{Float.round(bytes / 1_024, 1)} KB" + + defp format_bytes(bytes), + do: "#{Float.round(bytes / 1_048_576, 1)} MB" + + defp format_bytes_delta(nil), do: "n/a" + defp format_bytes_delta(0), do: "0 B" + + defp format_bytes_delta(bytes) when bytes > 0, + do: "+#{format_bytes(bytes)}" + + defp format_bytes_delta(bytes), + do: "-#{format_bytes(abs(bytes))}" + + defp format_status_codes(codes) when map_size(codes) == 0, do: "" + + defp format_status_codes(codes) do + lines = + codes + |> Enum.sort_by(fn {code, _} -> code end) + |> Enum.map(fn {code, count} -> " #{code}: #{count}" end) + |> Enum.join("\n") + + " Status codes:\n#{lines}\n" + end + + defp format_error_reasons(reasons) when map_size(reasons) == 0, do: "" + + defp format_error_reasons(reasons) do + lines = + reasons + |> Enum.sort_by(fn {_, count} -> -count end) + |> Enum.take(5) + |> Enum.map(fn {reason, count} -> " #{reason}: #{count}" end) + |> Enum.join("\n") + + " Top errors:\n#{lines}\n" + end + + defp pad_r(str, width), do: String.pad_trailing(str, width) +end diff --git a/benchmarking/channels/lib/load_test/runner.exs b/benchmarking/channels/lib/load_test/runner.exs new file mode 100644 index 00000000000..2328761514c --- /dev/null +++ b/benchmarking/channels/lib/load_test/runner.exs @@ -0,0 +1,301 @@ +# benchmarking/channels/lib/load_test/runner.exs +# +# Executes test scenarios: steady-state, ramp-up, and direct sink. + +defmodule LoadTest.Runner do + @moduledoc false + + @methods [:get, :post, :put, :patch, :delete] + + def run(scenario, channel_url, opts) do + duration_ms = opts[:duration] * 1_000 + node = String.to_atom(opts[:node]) + + # Saturation manages its own memory sampling and returns per-step results + if scenario == "saturation" do + run_saturation(channel_url, opts) + else + # Start memory sampler in background + memory_task = + Task.async(fn -> sample_memory_loop(node, duration_ms) end) + + case scenario do + "ramp_up" -> run_ramp_up(channel_url, opts, duration_ms) + _ -> run_steady(scenario, channel_url, opts, duration_ms) + end + + Task.await(memory_task, :infinity) + end + end + + def run_direct(scenario, channel_url, opts) do + duration_ms = opts[:duration] * 1_000 + # No memory sampling — there is no Lightning BEAM to sample + run_steady(scenario, channel_url, opts, duration_ms) + end + + # -- Steady-state scenarios (constant concurrency) -- + + defp run_steady(scenario, channel_url, opts, duration_ms) do + concurrency = opts[:concurrency] + payload = generate_payload(opts[:payload_size]) + + work_stream(duration_ms) + |> Task.async_stream( + fn _tick -> + execute_request(scenario, channel_url, payload, opts) + end, + max_concurrency: concurrency, + timeout: 60_000 + ) + |> Stream.each(fn + {:ok, {latency_us, status}} -> + LoadTest.Metrics.record_request(latency_us, status) + + {:exit, reason} -> + LoadTest.Metrics.record_error(reason) + end) + |> Stream.run() + end + + # -- Ramp-up scenario (increasing concurrency) -- + + defp run_ramp_up(channel_url, opts, duration_ms) do + max_concurrency = opts[:concurrency] + payload = generate_payload(opts[:payload_size]) + + # Divide duration into 10 steps, each at increasing concurrency + steps = 10 + step_duration_ms = div(duration_ms, steps) + + for step <- 1..steps do + concurrency = max(1, div(max_concurrency * step, steps)) + + IO.puts( + " [ramp] Step #{step}/#{steps}: #{concurrency} VUs for #{div(step_duration_ms, 1000)}s" + ) + + work_stream(step_duration_ms) + |> Task.async_stream( + fn _tick -> + execute_request("happy_path", channel_url, payload, opts) + end, + max_concurrency: concurrency, + timeout: 60_000 + ) + |> Stream.each(fn + {:ok, {latency_us, status}} -> + LoadTest.Metrics.record_request(latency_us, status) + + {:exit, reason} -> + LoadTest.Metrics.record_error(reason) + end) + |> Stream.run() + end + end + + # -- Saturation scenario (increasing concurrency with per-step metrics) -- + + @saturation_levels [1, 2, 5, 10, 20, 50, 100, 200, 500, 1000] + + defp run_saturation(channel_url, opts) do + max_concurrency = opts[:concurrency] + duration_ms = opts[:duration] * 1_000 + payload = generate_payload(opts[:payload_size]) + node = String.to_atom(opts[:node]) + + # Build step sequence: standard levels up to max, always include max + steps = + @saturation_levels + |> Enum.filter(&(&1 <= max_concurrency)) + |> then(fn levels -> + if max_concurrency in levels, + do: levels, + else: levels ++ [max_concurrency] + end) + + IO.puts(" Steps: #{inspect(steps)}\n") + + # Start memory sampler for the full duration (all steps) + total_duration_ms = duration_ms * length(steps) + + memory_task = + Task.async(fn -> sample_memory_loop(node, total_duration_ms) end) + + results = + steps + |> Enum.with_index(1) + |> Enum.map(fn {concurrency, step_num} -> + # Reset metrics for this step + LoadTest.Metrics.reset() + LoadTest.Setup.reset_telemetry_collector(node) + + IO.write( + " [saturation] Step #{step_num}/#{length(steps)}: " <> + "#{concurrency} VUs for #{opts[:duration]}s... " + ) + + # Run the work loop at this concurrency level + work_stream(duration_ms) + |> Task.async_stream( + fn _tick -> + execute_request("happy_path", channel_url, payload, opts) + end, + max_concurrency: concurrency, + timeout: 60_000 + ) + |> Stream.each(fn + {:ok, {latency_us, status}} -> + LoadTest.Metrics.record_request(latency_us, status) + + {:exit, reason} -> + LoadTest.Metrics.record_error(reason) + end) + |> Stream.run() + + # Capture step results + summary = LoadTest.Metrics.summary() + telemetry = LoadTest.Setup.get_telemetry_summary(node) + + IO.puts( + "#{summary.rps} rps, p50=#{format_us_inline(summary.p50)}, " <> + "#{summary.error_count} errors" + ) + + %{concurrency: concurrency, summary: summary, telemetry: telemetry} + end) + + Task.await(memory_task, :infinity) + results + end + + defp format_us_inline(0), do: "n/a" + defp format_us_inline(us) when us < 1_000, do: "#{us}us" + + defp format_us_inline(us) when us < 1_000_000, + do: "#{Float.round(us / 1_000, 1)}ms" + + defp format_us_inline(us), do: "#{Float.round(us / 1_000_000, 2)}s" + + # -- Work stream generator -- + + defp work_stream(duration_ms) do + deadline = System.monotonic_time(:millisecond) + duration_ms + + Stream.repeatedly(fn -> :go end) + |> Stream.take_while(fn _ -> + System.monotonic_time(:millisecond) < deadline + end) + end + + # -- Request execution -- + + defp execute_request(scenario, channel_url, payload, _opts) do + method = pick_method(scenario) + start = System.monotonic_time(:microsecond) + + case do_http_request(method, channel_url, payload) do + {:ok, status} -> + latency_us = System.monotonic_time(:microsecond) - start + {latency_us, status} + + {:error, reason} -> + LoadTest.Metrics.record_error(reason) + # Return a synthetic latency so the caller does not crash + latency_us = System.monotonic_time(:microsecond) - start + {latency_us, :error} + end + end + + defp pick_method("happy_path"), do: :post + defp pick_method("ramp_up"), do: :post + defp pick_method("saturation"), do: :post + defp pick_method("large_payload"), do: :post + defp pick_method("large_response"), do: :get + defp pick_method("slow_sink"), do: :post + defp pick_method("direct_sink"), do: :post + + defp pick_method("mixed_methods") do + Enum.random(@methods) + end + + defp do_http_request(method, url, payload) do + body = if method in [:post, :put, :patch], do: payload, else: nil + headers = [{"content-type", "application/json"}] + + request = Finch.build(method, url, headers, body) + + case Finch.request(request, LoadTest.Finch, receive_timeout: 30_000) do + {:ok, %Finch.Response{status: status}} -> {:ok, status} + {:error, reason} -> {:error, reason} + end + end + + # -- Payload generation -- + + defp generate_payload(size) do + base = + Jason.encode!(%{ + timestamp: DateTime.to_iso8601(DateTime.utc_now()), + source: "load_test" + }) + + base_size = byte_size(base) + + cond do + base_size >= size -> + binary_part(base, 0, size) + + true -> + # Pad with a "data" field to reach the target size + # Account for the JSON wrapper: {"timestamp":"...","source":"...","data":"PADDING"} + # We need to rebuild with the padding included + padding_needed = size - base_size - 11 + + padding = + if padding_needed > 0, + do: String.duplicate("x", padding_needed), + else: "" + + result = + Jason.encode!(%{ + timestamp: DateTime.to_iso8601(DateTime.utc_now()), + source: "load_test", + data: padding + }) + + # Trim to exact size if JSON overhead caused overshoot + if byte_size(result) > size do + binary_part(result, 0, size) + else + result + end + end + end + + # -- Memory sampling -- + + defp sample_memory_loop(node, duration_ms) do + deadline = System.monotonic_time(:millisecond) + duration_ms + + Stream.repeatedly(fn -> + Process.sleep(1_000) + :sample + end) + |> Stream.take_while(fn _ -> + System.monotonic_time(:millisecond) < deadline + end) + |> Enum.each(fn _ -> + case :rpc.call(node, :erlang, :memory, [:total]) do + {:badrpc, _reason} -> :ok + bytes when is_integer(bytes) -> LoadTest.Metrics.record_memory(bytes) + end + end) + + # Final sample + case :rpc.call(node, :erlang, :memory, [:total]) do + {:badrpc, _} -> :ok + bytes when is_integer(bytes) -> LoadTest.Metrics.record_memory(bytes) + end + end +end diff --git a/benchmarking/channels/lib/load_test/setup.exs b/benchmarking/channels/lib/load_test/setup.exs new file mode 100644 index 00000000000..4ca0fe7969a --- /dev/null +++ b/benchmarking/channels/lib/load_test/setup.exs @@ -0,0 +1,290 @@ +# benchmarking/channels/lib/load_test/setup.exs +# +# Connect to Lightning BEAM, find/create channel, and manage telemetry +# collector deployment on the remote node. + +defmodule LoadTest.Setup do + @moduledoc false + + @telemetry_events [ + [:lightning, :channel_proxy, :request], + [:lightning, :channel_proxy, :fetch_channel], + [:lightning, :channel_proxy, :upstream] + ] + + # -- Connection & channel setup -- + + def connect!(opts) do + node = String.to_atom(opts[:node]) + + if opts[:cookie] do + Node.set_cookie(String.to_atom(opts[:cookie])) + end + + IO.write("Connecting to #{node}... ") + + case Node.connect(node) do + true -> + IO.puts("ok") + node + + false -> + IO.puts(:stderr, "\nerror: Could not connect to #{node}") + + IO.puts(:stderr, """ + + Make sure: + 1. Lightning is running as a named node (e.g. --sname lightning) + 2. The cookie matches (e.g. --cookie SECRET) + 3. Both nodes are on the same network/machine + """) + + System.halt(1) + + :ignored -> + IO.puts( + :stderr, + "\nerror: Node.connect returned :ignored. Is this node alive?" + ) + + System.halt(1) + end + end + + def ensure_channel!(node, opts) do + channel_name = opts[:channel] + sink_url = opts[:sink] + + IO.write("Looking up channel '#{channel_name}'... ") + + case rpc!(node, Lightning.Repo, :get_by, [ + Lightning.Channels.Channel, + [name: channel_name] + ]) do + nil -> + IO.puts("not found, creating") + project = ensure_project!(node) + create_channel!(node, channel_name, sink_url, project.id) + + %{enabled: false} = channel -> + IO.puts("found (disabled), enabling") + enable_channel!(node, channel) + + channel -> + IO.puts("found (id: #{short_id(channel.id)})") + channel + end + end + + def preflight_sink!(opts) do + sink_url = opts[:sink] + IO.write("Checking mock sink at #{sink_url}... ") + + request = Finch.build(:get, sink_url) + + case Finch.request(request, LoadTest.Finch, receive_timeout: 5_000) do + {:ok, %Finch.Response{status: status}} when status < 500 -> + IO.puts("ok (status #{status})") + + {:ok, %Finch.Response{status: status}} -> + IO.puts(:stderr, "\nwarning: Mock sink returned #{status}") + + {:error, reason} -> + IO.puts(:stderr, "\nerror: Could not reach mock sink at #{sink_url}") + IO.puts(:stderr, " Reason: #{inspect(reason)}") + + IO.puts(:stderr, """ + + Start the mock sink first: + elixir benchmarking/channels/mock_sink.exs + """) + + System.halt(1) + end + end + + # -- Telemetry collector deployment -- + + @doc """ + Deploy the Bench.TelemetryCollector onto the remote Lightning node. + Reads the collector source, evals it on the remote node, and starts it. + """ + def deploy_telemetry_collector!(node) do + IO.write("Deploying telemetry collector... ") + + # __ENV__.file is .../lib/load_test/setup.exs — go up 2 to .../lib/ + lib_dir = Path.dirname(Path.dirname(__ENV__.file)) + source = File.read!(Path.join(lib_dir, "telemetry_collector.exs")) + + case :rpc.call(node, Code, :eval_string, [source]) do + {:badrpc, reason} -> + IO.puts(:stderr, "\nwarning: Failed to deploy telemetry collector") + IO.puts(:stderr, " Reason: #{inspect(reason)}") + :error + + _ -> + case :rpc.call(node, Bench.TelemetryCollector, :start, [ + @telemetry_events + ]) do + {:ok, _pid} -> + IO.puts("ok") + :ok + + {:badrpc, reason} -> + IO.puts(:stderr, "\nwarning: Failed to start telemetry collector") + IO.puts(:stderr, " Reason: #{inspect(reason)}") + :error + end + end + end + + @doc """ + Fetch the telemetry summary from the remote node. + Returns a map of event_key => stats, or nil on failure. + """ + def get_telemetry_summary(node) do + case :rpc.call(node, Bench.TelemetryCollector, :summary, []) do + {:badrpc, _reason} -> nil + summary when is_map(summary) -> summary + end + end + + @doc """ + Reset the telemetry collector on the remote node (between saturation steps). + """ + def reset_telemetry_collector(node) do + case :rpc.call(node, Bench.TelemetryCollector, :reset, []) do + {:badrpc, _} -> :error + :ok -> :ok + end + end + + @doc """ + Stop and clean up the telemetry collector on the remote node. + """ + def teardown_telemetry_collector!(node) do + IO.write("Tearing down telemetry collector... ") + + case :rpc.call(node, Bench.TelemetryCollector, :stop, []) do + {:badrpc, _} -> IO.puts("skipped (not running)") + _ -> IO.puts("ok") + end + end + + # -- Private helpers -- + + defp ensure_project!(node) do + case rpc!(node, Lightning.Repo, :get_by, [ + Lightning.Projects.Project, + [name: "load-test"] + ]) do + nil -> + IO.write(" Creating 'load-test' project... ") + user = ensure_user!(node) + + case rpc!(node, Lightning.Projects, :create_project, [ + %{ + name: "load-test", + project_users: [%{user_id: user.id, role: :owner}] + }, + false + ]) do + {:ok, project} -> + IO.puts("ok (id: #{short_id(project.id)})") + project + + {:error, changeset} -> + IO.puts(:stderr, "\nerror: Failed to create project") + IO.puts(:stderr, " #{inspect(changeset.errors)}") + System.halt(1) + end + + project -> + IO.puts( + " Using existing 'load-test' project (id: #{short_id(project.id)})" + ) + + project + end + end + + defp ensure_user!(node) do + email = "load-test@openfn.org" + + case rpc!(node, Lightning.Repo, :get_by, [ + Lightning.Accounts.User, + [email: email] + ]) do + nil -> + IO.write(" Creating load-test user... ") + + {:ok, user} = + rpc!(node, Lightning.Accounts, :register_user, [ + %{ + first_name: "Load", + last_name: "Test", + email: email, + password: "load-test-password-12345" + } + ]) + + IO.puts("ok") + user + + user -> + user + end + end + + defp create_channel!(node, name, sink_url, project_id) do + IO.write(" Creating channel '#{name}'... ") + + case rpc!(node, Lightning.Channels, :create_channel, [ + %{name: name, sink_url: sink_url, project_id: project_id} + ]) do + {:ok, channel} -> + IO.puts("ok (id: #{short_id(channel.id)})") + channel + + {:error, changeset} -> + IO.puts(:stderr, "\nerror: Failed to create channel") + IO.puts(:stderr, " #{inspect(changeset.errors)}") + System.halt(1) + end + end + + defp enable_channel!(node, channel) do + case rpc!(node, Lightning.Channels, :update_channel, [ + channel, + %{enabled: true} + ]) do + {:ok, channel} -> + IO.puts(" Enabled channel (id: #{short_id(channel.id)})") + channel + + {:error, changeset} -> + IO.puts(:stderr, "\nerror: Failed to enable channel") + IO.puts(:stderr, " #{inspect(changeset.errors)}") + System.halt(1) + end + end + + defp rpc!(node, mod, fun, args) do + case :rpc.call(node, mod, fun, args) do + {:badrpc, reason} -> + IO.puts( + :stderr, + "\nerror: RPC call failed: #{mod}.#{fun}/#{length(args)}" + ) + + IO.puts(:stderr, " Reason: #{inspect(reason)}") + System.halt(1) + + result -> + result + end + end + + defp short_id(id) when is_binary(id), do: String.slice(id, 0, 8) <> "..." + defp short_id(id), do: inspect(id) +end diff --git a/benchmarking/channels/lib/telemetry_collector.exs b/benchmarking/channels/lib/telemetry_collector.exs new file mode 100644 index 00000000000..eb9e9fdfbd3 --- /dev/null +++ b/benchmarking/channels/lib/telemetry_collector.exs @@ -0,0 +1,162 @@ +# benchmarking/channels/lib/telemetry_collector.exs +# +# A lightweight telemetry collector designed to be deployed onto a remote +# Lightning BEAM node via :rpc.call(node, Code, :eval_string, [source]). +# +# Uses ETS with :public access and write_concurrency so telemetry handlers +# (running in connection processes) can write directly without going through +# the GenServer. The GenServer owns the table lifetime and handles cleanup. +# +# Usage (from load test): +# source = File.read!("lib/telemetry_collector.exs") +# :rpc.call(node, Code, :eval_string, [source]) +# :rpc.call(node, Bench.TelemetryCollector, :start, [events]) +# ...run test... +# :rpc.call(node, Bench.TelemetryCollector, :summary, []) +# :rpc.call(node, Bench.TelemetryCollector, :stop, []) + +defmodule Bench.TelemetryCollector do + use GenServer + + @table :bench_telemetry + @handler_id "bench_telemetry_collector" + + # -- Public API -- + + @doc """ + Start the collector and attach to the :stop events for the given event + prefixes. Idempotent — if already running, resets and re-attaches. + """ + def start(events) do + case GenServer.start(__MODULE__, events, name: __MODULE__) do + {:ok, pid} -> + {:ok, pid} + + {:error, {:already_started, pid}} -> + reset() + {:ok, pid} + end + end + + @doc """ + Stop the collector, detach handlers, and delete the ETS table. + """ + def stop do + GenServer.stop(__MODULE__, :normal) + catch + :exit, _ -> :ok + end + + @doc """ + Clear all collected data (between scenarios). + """ + def reset do + if :ets.info(@table) != :undefined do + :ets.delete_all_objects(@table) + end + + :ok + end + + @doc """ + Aggregate collected data into a summary map. Each event gets: + count, min, max, mean, p50, p95, p99 (all in microseconds). + """ + def summary do + if :ets.info(@table) == :undefined do + %{} + else + @table + |> :ets.tab2list() + |> Enum.group_by(&elem(&1, 0), &elem(&1, 1)) + |> Enum.into(%{}, fn {event_key, durations} -> + sorted = Enum.sort(durations) + count = length(sorted) + + stats = %{ + count: count, + min: List.first(sorted, 0), + max: List.last(sorted, 0), + mean: + if(count > 0, + do: Float.round(Enum.sum(sorted) / count, 1), + else: 0.0 + ), + p50: percentile(sorted, 50), + p95: percentile(sorted, 95), + p99: percentile(sorted, 99) + } + + {event_key, stats} + end) + end + end + + # -- GenServer callbacks -- + + @impl true + def init(events) do + # Create ETS table: :duplicate_bag allows multiple entries per key + # (including identical {key, value} pairs — :bag would deduplicate those), + # :public lets handler processes write directly, + # write_concurrency optimizes for concurrent inserts. + table = + :ets.new(@table, [ + :duplicate_bag, + :named_table, + :public, + write_concurrency: true + ]) + + # Attach to :stop events for each prefix + stop_events = Enum.map(events, &(&1 ++ [:stop])) + + :telemetry.attach_many( + @handler_id, + stop_events, + &__MODULE__.handle_event/4, + nil + ) + + {:ok, %{table: table}} + end + + @impl true + def terminate(_reason, _state) do + :telemetry.detach(@handler_id) + + if :ets.info(@table) != :undefined do + :ets.delete(@table) + end + + :ok + catch + _, _ -> :ok + end + + # -- Telemetry handler (runs in the calling process, not GenServer) -- + + def handle_event(event, %{duration: duration}, _metadata, _config) do + # event is e.g. [:lightning, :channel_proxy, :request, :stop] + # Convert to a key like :request, :fetch_channel, :upstream + event_key = event |> Enum.at(-2) + + # duration is in native units, convert to microseconds + duration_us = System.convert_time_unit(duration, :native, :microsecond) + + if :ets.info(@table) != :undefined do + :ets.insert(@table, {event_key, duration_us}) + end + end + + def handle_event(_event, _measurements, _metadata, _config), do: :ok + + # -- Private helpers -- + + defp percentile([], _p), do: 0 + + defp percentile(sorted, p) do + k = max(round(length(sorted) * p / 100) - 1, 0) + Enum.at(sorted, k, 0) + end +end diff --git a/benchmarking/channels/load_test.exs b/benchmarking/channels/load_test.exs new file mode 100644 index 00000000000..2e6e0506d18 --- /dev/null +++ b/benchmarking/channels/load_test.exs @@ -0,0 +1,22 @@ +# benchmarking/channels/load_test.exs +# +# Entry point for the channel proxy load test. Installs dependencies, +# loads all modules in dependency order, and runs the test. +# +# Usage: +# elixir --sname loadtest --cookie SECRET \ +# benchmarking/channels/load_test.exs [options] +# +# Run with --help for full usage information. + +Mix.install([:finch, :jason]) + +base = Path.dirname(__ENV__.file) + +for file <- ~w(config metrics setup runner report main) do + Code.require_file("lib/load_test/#{file}.exs", base) +end + +Code.require_file("lib/telemetry_collector.exs", base) + +LoadTest.main(System.argv()) diff --git a/benchmarking/channels/mock_sink.exs b/benchmarking/channels/mock_sink.exs new file mode 100644 index 00000000000..30012cfa09e --- /dev/null +++ b/benchmarking/channels/mock_sink.exs @@ -0,0 +1,344 @@ +# benchmarking/channels/mock_sink.exs +# +# A standalone HTTP sink server for testing the channel proxy. +# Accepts all requests on any path and responds according to the +# configured mode. Useful for integration tests, load tests, and +# manual exploration of the proxy pipeline. +# +# Usage: +# elixir benchmarking/channels/mock_sink.exs [options] +# +# Examples: +# elixir benchmarking/channels/mock_sink.exs +# elixir benchmarking/channels/mock_sink.exs --port 9000 --status 201 +# elixir benchmarking/channels/mock_sink.exs --mode auth +# elixir benchmarking/channels/mock_sink.exs --mode mixed + +Mix.install([:bandit, :plug, :jason]) + +defmodule MockSink.Config do + @moduledoc """ + Parses CLI arguments into a configuration map and prints help text. + """ + + @defaults %{ + port: 4001, + mode: "fixed", + status: 200, + body_size: 256 + } + + @help """ + Usage: elixir benchmarking/channels/mock_sink.exs [options] + + A configurable HTTP sink server for testing the channel proxy. + + Options: + --port PORT Listen port (default: 4001) + --mode MODE Response mode (default: fixed) + Modes: fixed, timeout, auth, mixed + --status CODE Response status code for fixed mode (default: 200) + --body-size BYTES Response body size in bytes (default: 256) + --help Show this help + + Query parameters (per-request overrides): + ?response_size=N Override --body-size for this request (bytes) + ?delay=N Add a response delay for this request (ms) + ?status=N Override --status for this request (100-599) + + Modes: + fixed Returns --status with --body-size body. + timeout Accepts the connection but never responds. + auth Checks Authorization header. 401 if missing, 403 if invalid, + 200 if valid. Expected: "Bearer test-api-key". + mixed 80% fast 200, 10% slow 200 (2s delay), 10% 503. + """ + + def parse(args) do + case parse_args(args, @defaults) do + :help -> + IO.puts(@help) + System.halt(0) + + {:error, message} -> + IO.puts(:stderr, "error: #{message}\n") + IO.puts(:stderr, @help) + System.halt(1) + + config -> + validate!(config) + end + end + + defp parse_args([], acc), do: acc + + defp parse_args(["--help" | _rest], _acc), do: :help + + defp parse_args(["--port", value | rest], acc) do + case Integer.parse(value) do + {port, ""} when port > 0 -> parse_args(rest, %{acc | port: port}) + _ -> {:error, "invalid port: #{value}"} + end + end + + defp parse_args(["--mode", value | rest], acc) do + if value in ~w(fixed timeout auth mixed) do + parse_args(rest, %{acc | mode: value}) + else + {:error, "unknown mode: #{value}. Expected: fixed, timeout, auth, mixed"} + end + end + + defp parse_args(["--status", value | rest], acc) do + case Integer.parse(value) do + {code, ""} when code >= 100 and code < 600 -> + parse_args(rest, %{acc | status: code}) + + _ -> + {:error, "invalid status code: #{value}"} + end + end + + defp parse_args(["--body-size", value | rest], acc) do + case Integer.parse(value) do + {bytes, ""} when bytes >= 0 -> parse_args(rest, %{acc | body_size: bytes}) + _ -> {:error, "invalid body-size: #{value}"} + end + end + + defp parse_args([unknown | _rest], _acc) do + {:error, "unknown option: #{unknown}"} + end + + defp validate!(config) when is_map(config), do: config +end + +defmodule MockSink.Logger do + @moduledoc """ + Simple request logging to stdout. + """ + + def log_request(method, path, status, elapsed_ms) do + timestamp = Calendar.strftime(DateTime.utc_now(), "%Y-%m-%d %H:%M:%S.%f") + + IO.puts( + "[#{timestamp}] #{String.upcase(method)} #{path} -> #{status} (#{elapsed_ms}ms)" + ) + end +end + +defmodule MockSink.Body do + @moduledoc """ + Generates response bodies of the configured size. + Small payloads (<= 1024 bytes) get a JSON envelope; larger ones are + padded with a repeated character to hit the exact byte count. + """ + + def generate(body_size) when body_size <= 1024 do + json = + Jason.encode!(%{ + ok: true, + server: "mock_sink", + timestamp: DateTime.to_iso8601(DateTime.utc_now()), + padding: String.duplicate("x", max(body_size - 80, 0)) + }) + + # Trim or pad to reach the target size exactly. + byte_size = byte_size(json) + + cond do + byte_size == body_size -> json + byte_size > body_size -> binary_part(json, 0, body_size) + true -> json <> String.duplicate(" ", body_size - byte_size) + end + end + + def generate(body_size) do + String.duplicate("x", body_size) + end +end + +defmodule MockSink.Router do + @moduledoc """ + Plug router that handles all incoming requests according to the + configured mode. Config is injected via `conn.private[:mock_config]`. + """ + + use Plug.Router + + plug :put_config + plug :match + + plug Plug.Parsers, + parsers: [:urlencoded, :json], + json_decoder: Jason, + pass: ["*/*"] + + plug :dispatch + + # ------------------------------------------------------------------ + # Plug: inject config into conn.private so downstream handlers can + # read it without global state. + # ------------------------------------------------------------------ + def put_config(conn, _opts) do + Plug.Conn.put_private(conn, :mock_config, conn.assigns[:mock_config]) + end + + @impl Plug.Router + def init(config) do + config + end + + @impl Plug.Router + def call(conn, config) do + conn + |> Plug.Conn.assign(:mock_config, config) + |> super(config) + end + + # ------------------------------------------------------------------ + # Catch-all route + # ------------------------------------------------------------------ + match _ do + config = conn.private[:mock_config] + config = apply_query_overrides(conn, config) + start = System.monotonic_time(:millisecond) + + {status, body, content_type} = handle_mode(conn, config) + + elapsed = System.monotonic_time(:millisecond) - start + + MockSink.Logger.log_request( + conn.method, + conn.request_path, + status, + elapsed + ) + + conn + |> Plug.Conn.put_resp_content_type(content_type) + |> Plug.Conn.send_resp(status, body) + end + + # ------------------------------------------------------------------ + # Query param overrides + # ------------------------------------------------------------------ + defp apply_query_overrides(conn, config) do + conn = Plug.Conn.fetch_query_params(conn) + + config + |> override_param(conn, "response_size", :body_size) + |> override_param(conn, "delay", :delay) + |> override_param(conn, "status", :status) + end + + defp override_param(config, conn, param, key) do + case conn.query_params[param] do + nil -> + config + + value -> + case Integer.parse(value) do + {n, ""} when n >= 0 -> Map.put(config, key, n) + _ -> config + end + end + end + + # ------------------------------------------------------------------ + # Mode handlers + # ------------------------------------------------------------------ + defp handle_mode(_conn, %{mode: "fixed"} = config) do + delay = Map.get(config, :delay, 0) + if delay > 0, do: Process.sleep(delay) + body = MockSink.Body.generate(config.body_size) + {config.status, body, content_type(config.body_size)} + end + + defp handle_mode(_conn, %{mode: "timeout"}) do + # Accept the connection but never respond. + # The client will eventually time out. + Process.sleep(:infinity) + # Unreachable, but keeps the typespec happy. + {200, "", "text/plain"} + end + + defp handle_mode(conn, %{mode: "auth"} = config) do + case Plug.Conn.get_req_header(conn, "authorization") do + [] -> + body = Jason.encode!(%{error: "missing authorization header"}) + {401, body, "application/json"} + + ["Bearer test-api-key"] -> + body = MockSink.Body.generate(config.body_size) + {200, body, content_type(config.body_size)} + + [_invalid] -> + body = Jason.encode!(%{error: "invalid credentials"}) + {403, body, "application/json"} + + _ -> + body = Jason.encode!(%{error: "invalid authorization header"}) + {400, body, "application/json"} + end + end + + defp handle_mode(_conn, %{mode: "mixed"} = config) do + roll = :rand.uniform() + + cond do + # 10% — 503 Service Unavailable + roll > 0.9 -> + body = Jason.encode!(%{error: "service unavailable"}) + {503, body, "application/json"} + + # 10% — slow 200 (2 second delay) + roll > 0.8 -> + Process.sleep(2000) + body = MockSink.Body.generate(config.body_size) + {200, body, content_type(config.body_size)} + + # 80% — fast 200 + true -> + body = MockSink.Body.generate(config.body_size) + {200, body, content_type(config.body_size)} + end + end + + defp content_type(body_size) when body_size <= 1024, do: "application/json" + defp content_type(_body_size), do: "application/octet-stream" +end + +defmodule MockSink do + @moduledoc """ + Entry point. Parses CLI args, prints a banner, and starts Bandit. + """ + + def main(args) do + config = MockSink.Config.parse(args) + + IO.puts(""" + + =================================================== + MockSink starting on port #{config.port} + Mode: #{config.mode} + Status: #{config.status} + Body size: #{config.body_size} bytes + =================================================== + """) + + {:ok, _} = + Bandit.start_link( + plug: {MockSink.Router, config}, + port: config.port, + thousand_island_options: [ + num_acceptors: 10 + ] + ) + + # Block the script forever so the server stays up. + Process.sleep(:infinity) + end +end + +MockSink.main(System.argv()) diff --git a/benchmarking/channels/results/.gitignore b/benchmarking/channels/results/.gitignore new file mode 100644 index 00000000000..d6b7ef32c84 --- /dev/null +++ b/benchmarking/channels/results/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore diff --git a/benchmarking/channels/run_all.sh b/benchmarking/channels/run_all.sh new file mode 100755 index 00000000000..bc2bf0ac833 --- /dev/null +++ b/benchmarking/channels/run_all.sh @@ -0,0 +1,177 @@ +#!/usr/bin/env bash +# benchmarking/channels/run_all.sh +# +# Runs all channel proxy load test scenarios in sequence, logging output +# to a timestamped file. Assumes Lightning and mock sink are already running. +# Bails on first failure. +# +# Usage: +# benchmarking/channels/run_all.sh [options] +# +# Options: +# --sname NAME Erlang short name (default: lt) +# --cookie COOKIE Erlang cookie (default: bench) +# --duration SECS Per-scenario duration (default: 30) +# --concurrency N Virtual users (default: 20) +# +# Environment: +# RESULTS_DIR Output directory (default: /tmp/channel-bench-results) +# +# Examples: +# benchmarking/channels/run_all.sh +# benchmarking/channels/run_all.sh --duration 60 --concurrency 50 +# benchmarking/channels/run_all.sh --sname mynode --cookie mysecret + +set -euo pipefail + +# ── Defaults ────────────────────────────────────────────────────── +SNAME="lt" +COOKIE="bench" +DURATION=30 +CONCURRENCY=20 + +# ── Parse args ──────────────────────────────────────────────────── +while [[ $# -gt 0 ]]; do + case "$1" in + --sname) SNAME="$2"; shift 2 ;; + --cookie) COOKIE="$2"; shift 2 ;; + --duration) DURATION="$2"; shift 2 ;; + --concurrency) CONCURRENCY="$2"; shift 2 ;; + --help|-h) + sed -n '2,/^$/s/^# \?//p' "$0" + exit 0 + ;; + *) + echo "error: unknown option: $1" >&2 + echo "Run with --help for usage." >&2 + exit 1 + ;; + esac +done + +# ── Log setup ───────────────────────────────────────────────────── +RESULTS_DIR="${RESULTS_DIR:-/tmp/channel-bench-results}" +mkdir -p "$RESULTS_DIR" + +TIMESTAMP="$(date +%Y.%m.%d-%H.%M)" +LOG="$RESULTS_DIR/$TIMESTAMP.log" +CSV="$RESULTS_DIR/$TIMESTAMP.csv" + +# ── Preflight checks ───────────────────────────────────────────── +echo "=== Channel Proxy Load Test Suite ===" +echo "" +echo " sname: $SNAME" +echo " cookie: $COOKIE" +echo " duration: ${DURATION}s per scenario" +echo " concurrency: $CONCURRENCY VUs" +echo " log: $LOG" +echo " csv: $CSV" +echo "" + +echo -n "Checking mock sink at http://localhost:4001... " +if curl -sf http://localhost:4001/ > /dev/null 2>&1; then + echo "ok" +else + echo "FAILED" + echo "error: Mock sink is not reachable at http://localhost:4001" >&2 + echo "Start it first: elixir benchmarking/channels/mock_sink.exs" >&2 + exit 1 +fi + +echo -n "Checking Lightning at http://localhost:4000... " +if curl -sf http://localhost:4000/ > /dev/null 2>&1; then + echo "ok" +else + echo "FAILED" + echo "error: Lightning is not reachable at http://localhost:4000" >&2 + echo "Start it first: iex --sname lightning --cookie $COOKIE -S mix phx.server" >&2 + exit 1 +fi + +echo "" + +# ── Scenario runner ─────────────────────────────────────────────── +SCRIPT="benchmarking/channels/load_test.exs" +PASS=0 +FAIL=0 + +run_scenario() { + local name="$1" + shift + local extra_flags=("$@") + + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" | tee -a "$LOG" + echo " Scenario: $name" | tee -a "$LOG" + echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" | tee -a "$LOG" + + local cmd=( + elixir --sname "${SNAME}-${name}" --cookie "$COOKIE" + "$SCRIPT" + --scenario "$name" + --concurrency "$CONCURRENCY" + --duration "$DURATION" + --csv "$CSV" + "${extra_flags[@]}" + ) + + echo " ${cmd[*]}" | tee -a "$LOG" + echo "" | tee -a "$LOG" + + if "${cmd[@]}" 2>&1 | tee -a "$LOG"; then + PASS=$((PASS + 1)) + echo "" | tee -a "$LOG" + else + FAIL=$((FAIL + 1)) + echo "" | tee -a "$LOG" + echo "FATAL: scenario '$name' failed (exit $?). Stopping." | tee -a "$LOG" + echo "" + echo "Results so far: $PASS passed, $FAIL failed" + echo "Log: $LOG" + echo "CSV: $CSV" + exit 1 + fi +} + +# ── Run scenarios ───────────────────────────────────────────────── + +# 1. Baseline — hit mock sink directly (no Lightning, no --sname) +echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" | tee -a "$LOG" +echo " Scenario: direct_sink" | tee -a "$LOG" +echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" | tee -a "$LOG" + +DIRECT_CMD=( + elixir "$SCRIPT" + --scenario direct_sink + --concurrency "$CONCURRENCY" + --duration "$DURATION" + --csv "$CSV" +) +echo " ${DIRECT_CMD[*]}" | tee -a "$LOG" +echo "" | tee -a "$LOG" + +if "${DIRECT_CMD[@]}" 2>&1 | tee -a "$LOG"; then + PASS=$((PASS + 1)) + echo "" | tee -a "$LOG" +else + FAIL=$((FAIL + 1)) + echo "" | tee -a "$LOG" + echo "FATAL: scenario 'direct_sink' failed. Stopping." | tee -a "$LOG" + echo "Log: $LOG" + exit 1 +fi + +# 2-7. Scenarios that go through Lightning +run_scenario happy_path +run_scenario ramp_up +run_scenario large_payload --payload-size 1048576 +run_scenario large_response --response-size 1048576 +run_scenario mixed_methods +run_scenario slow_sink --delay 2000 + +# ── Summary ─────────────────────────────────────────────────────── +echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" | tee -a "$LOG" +echo " All scenarios complete: $PASS passed, $FAIL failed" | tee -a "$LOG" +echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" | tee -a "$LOG" +echo "" +echo "Log: $LOG" +echo "CSV: $CSV" diff --git a/config/config.exs b/config/config.exs index bf2a1de80c3..21adce41c40 100644 --- a/config/config.exs +++ b/config/config.exs @@ -179,6 +179,8 @@ config :lightning, LightningWeb, allow_credential_transfer: false config :tesla, adapter: {Tesla.Adapter.Finch, name: Lightning.Finch} +config :weir, finch_name: Lightning.Finch + config :lightning, :is_resettable_demo, false config :lightning, :default_retention_period, nil config :lightning, :claim_work_mem, nil diff --git a/lib/lightning/application.ex b/lib/lightning/application.ex index b8eb925ab1b..2ab64a218a0 100644 --- a/lib/lightning/application.ex +++ b/lib/lightning/application.ex @@ -28,6 +28,17 @@ defmodule Lightning.Application do }) end + # :logger.add_handler(:file_log, :logger_std_h, %{ + # level: :warning, + # config: %{ + # file: ~c"log/lightning.log", + # max_no_bytes: 10_000_000, + # max_no_files: 5, + # compress_on_rotate: true + # }, + # formatter: Logger.Formatter.new() + # }) + adaptor_registry_childspec = {Lightning.AdaptorRegistry, Application.get_env(:lightning, Lightning.AdaptorRegistry, [])} diff --git a/lib/lightning/channels.ex b/lib/lightning/channels.ex new file mode 100644 index 00000000000..4b3cb4d1812 --- /dev/null +++ b/lib/lightning/channels.ex @@ -0,0 +1,325 @@ +defmodule Lightning.Channels do + @moduledoc """ + Context for managing Channels — HTTP proxy configurations that forward + requests from a source to a sink. + """ + + import Ecto.Query + + alias Ecto.Multi + alias Lightning.Accounts.User + alias Lightning.Channels.Audit + alias Lightning.Channels.Channel + alias Lightning.Channels.ChannelAuthMethod + alias Lightning.Channels.ChannelRequest + alias Lightning.Channels.ChannelSnapshot + alias Lightning.Repo + + @doc """ + Returns all channels for a project, ordered by name. + """ + def list_channels_for_project(project_id) do + from(c in Channel, + where: c.project_id == ^project_id, + order_by: [asc: :name] + ) + |> Repo.all() + end + + @doc """ + Returns channels for a project with aggregate stats from channel_requests. + + Each entry is a map with keys: + - all Channel fields (via struct) + - `:request_count` — total number of requests + - `:last_activity` — datetime of most recent request, or nil + """ + def list_channels_for_project_with_stats(project_id) do + from(c in Channel, + where: c.project_id == ^project_id, + left_join: cr in ChannelRequest, + on: cr.channel_id == c.id, + group_by: c.id, + order_by: [asc: c.name], + select: %{ + channel: c, + request_count: count(cr.id), + last_activity: max(cr.started_at) + } + ) + |> Repo.all() + end + + @doc """ + Returns aggregate stats for all channels in a project. + + Returns a map with: + - `:total_channels` — number of channels in the project + - `:total_requests` — total channel requests across all channels + + Uses a single query with a LEFT JOIN so both counts are fetched in one + database round-trip. + """ + def get_channel_stats_for_project(project_id) do + from(c in Channel, + where: c.project_id == ^project_id, + left_join: cr in ChannelRequest, + on: cr.channel_id == c.id, + select: %{ + total_channels: count(c.id, :distinct), + total_requests: count(cr.id) + } + ) + |> Repo.one() + end + + @doc """ + Gets a single channel by ID. Returns nil if not found. + """ + def get_channel(id) do + Repo.get(Channel, id) + end + + @doc """ + Gets a channel by ID with all auth methods preloaded. + + Preloads source auth methods (with webhook_auth_method) and sink auth + methods (with project_credential → credential). Returns nil if not found. + + Used by ChannelProxyPlug for source authentication and sink credential resolution. + """ + def get_channel_with_auth(id) do + from(c in Channel, + where: c.id == ^id, + left_join: src in assoc(c, :source_auth_methods), + left_join: wam in assoc(src, :webhook_auth_method), + left_join: snk in assoc(c, :sink_auth_methods), + left_join: pc in assoc(snk, :project_credential), + left_join: cred in assoc(pc, :credential), + preload: [ + source_auth_methods: {src, webhook_auth_method: wam}, + sink_auth_methods: {snk, project_credential: {pc, credential: cred}} + ] + ) + |> Repo.one() + end + + @doc """ + Gets a single channel. Raises if not found. + """ + def get_channel!(id, opts \\ []) do + preloads = Keyword.get(opts, :include, []) + Repo.get!(Channel, id) |> Repo.preload(preloads) + end + + @doc """ + Gets a channel by ID scoped to a project. Returns `nil` if the channel + does not exist or belongs to a different project. + """ + def get_channel_for_project(project_id, channel_id) do + Repo.get_by(Channel, id: channel_id, project_id: project_id) + end + + @doc """ + Creates a channel. + """ + @spec create_channel(map(), actor: User.t()) :: + {:ok, Channel.t()} | {:error, Ecto.Changeset.t()} + def create_channel(attrs, actor: %User{} = actor) do + changeset = Channel.changeset(%Channel{}, attrs) + + Multi.new() + |> Multi.insert(:channel, changeset) + |> Multi.insert(:audit, fn %{channel: channel} -> + Audit.event("created", channel.id, actor, changeset) + end) + |> maybe_audit_auth_method_changes(changeset, actor) + |> Repo.transaction() + |> case do + {:ok, %{channel: channel}} -> {:ok, channel} + {:error, :channel, changeset, _} -> {:error, changeset} + end + end + + @doc """ + Updates a channel's config fields, bumping lock_version. + """ + @spec update_channel(Channel.t(), map(), actor: User.t()) :: + {:ok, Channel.t()} | {:error, Ecto.Changeset.t()} + def update_channel(%Channel{} = channel, attrs, actor: %User{} = actor) do + changeset = Channel.changeset(channel, attrs) + + Multi.new() + |> Multi.update(:channel, changeset, stale_error_field: :lock_version) + |> Multi.insert(:audit, fn %{channel: updated} -> + Audit.event("updated", updated.id, actor, changeset) + end) + |> maybe_audit_auth_method_changes(changeset, actor) + |> Repo.transaction() + |> case do + {:ok, %{channel: channel}} -> {:ok, channel} + {:error, :channel, changeset, _} -> {:error, changeset} + end + end + + @doc """ + Deletes a channel. + + Returns `{:error, changeset}` if the channel has snapshots + (due to `:restrict` FK on `channel_snapshots`). + """ + @spec delete_channel(Channel.t(), actor: User.t()) :: + {:ok, Channel.t()} | {:error, Ecto.Changeset.t()} + def delete_channel(%Channel{} = channel, actor: %User{} = actor) do + changeset = + channel + |> Ecto.Changeset.change() + |> Ecto.Changeset.foreign_key_constraint(:channel_snapshots, + name: "channel_snapshots_channel_id_fkey", + message: "has history that must be retained" + ) + + Multi.new() + |> Multi.insert(:audit, Audit.event("deleted", channel.id, actor, %{})) + |> Multi.delete(:channel, changeset) + |> Repo.transaction() + |> case do + {:ok, %{channel: channel}} -> {:ok, channel} + {:error, :channel, changeset, _} -> {:error, changeset} + end + end + + # Emits one "auth_method_added" or "auth_method_removed" audit step per + # association change. No-op when the changeset has no auth method changes + # (e.g. the toggle handler, which passes no "channel_auth_methods" key). + defp maybe_audit_auth_method_changes(multi, changeset, actor) do + auth_changes = + Ecto.Changeset.get_change(changeset, :channel_auth_methods, []) + + inserted = Enum.filter(auth_changes, &(&1.action == :insert)) + deleted = Enum.filter(auth_changes, &(&1.action == :delete)) + + multi + |> add_auth_method_added_audits(inserted, actor) + |> add_auth_method_removed_audits(deleted, actor) + end + + defp add_auth_method_added_audits(multi, inserted, actor) do + inserted + |> Enum.with_index() + |> Enum.reduce(multi, fn {cs, idx}, acc -> + role = Ecto.Changeset.get_field(cs, :role) + fields = auth_method_fields_for(cs, role) + + Multi.insert( + acc, + :"audit_auth_method_added_#{idx}", + fn %{channel: channel} -> + Audit.event("auth_method_added", channel.id, actor, %{ + before: nil, + after: fields + }) + end + ) + end) + end + + defp add_auth_method_removed_audits(multi, deleted, actor) do + deleted + |> Enum.with_index() + |> Enum.reduce(multi, fn {cs, idx}, acc -> + role = cs.data.role + fields = auth_method_fields_for(cs, role) + + Multi.insert( + acc, + :"audit_auth_method_removed_#{idx}", + fn %{channel: channel} -> + Audit.event("auth_method_removed", channel.id, actor, %{ + before: fields, + after: nil + }) + end + ) + end) + end + + defp auth_method_fields_for(cs, :source) do + %{ + role: "source", + webhook_auth_method_id: + Ecto.Changeset.get_field(cs, :webhook_auth_method_id) + } + end + + defp auth_method_fields_for(cs, :sink) do + %{ + role: "sink", + project_credential_id: Ecto.Changeset.get_field(cs, :project_credential_id) + } + end + + @doc """ + Returns all ChannelAuthMethod records for a channel, preloading + their associated webhook_auth_method and project_credential (with credential). + """ + def list_channel_auth_methods(%Channel{} = channel) do + from(cam in ChannelAuthMethod, + where: cam.channel_id == ^channel.id, + preload: [:webhook_auth_method, project_credential: :credential] + ) + |> Repo.all() + end + + @doc """ + Get or create a snapshot for the channel's current lock_version. + + Returns an existing snapshot if one matches, or creates a minimal one from + the current channel config. Handles concurrent creation race via + ON CONFLICT DO NOTHING + re-fetch. + + Full snapshot lifecycle management is in #4406. + """ + def get_or_create_current_snapshot(%Channel{} = channel) do + case Repo.get_by(ChannelSnapshot, + channel_id: channel.id, + lock_version: channel.lock_version + ) do + %ChannelSnapshot{} = snapshot -> + {:ok, snapshot} + + nil -> + attrs = %{ + channel_id: channel.id, + lock_version: channel.lock_version, + name: channel.name, + sink_url: channel.sink_url, + enabled: channel.enabled + } + + %ChannelSnapshot{} + |> ChannelSnapshot.changeset(attrs) + |> Repo.insert( + on_conflict: :nothing, + conflict_target: [:channel_id, :lock_version] + ) + |> case do + {:ok, %ChannelSnapshot{id: nil}} -> + # ON CONFLICT DO NOTHING returns struct with nil id; re-fetch + snapshot = + Repo.get_by!(ChannelSnapshot, + channel_id: channel.id, + lock_version: channel.lock_version + ) + + {:ok, snapshot} + + {:ok, snapshot} -> + {:ok, snapshot} + + {:error, changeset} -> + {:error, changeset} + end + end + end +end diff --git a/lib/lightning/channels/audit.ex b/lib/lightning/channels/audit.ex new file mode 100644 index 00000000000..187463ea865 --- /dev/null +++ b/lib/lightning/channels/audit.ex @@ -0,0 +1,15 @@ +defmodule Lightning.Channels.Audit do + @moduledoc """ + Audit trail for channel CRUD operations. + """ + use Lightning.Auditing.Audit, + repo: Lightning.Repo, + item: "channel", + events: [ + "created", + "updated", + "deleted", + "auth_method_added", + "auth_method_removed" + ] +end diff --git a/lib/lightning/channels/channel.ex b/lib/lightning/channels/channel.ex new file mode 100644 index 00000000000..8ae47340eeb --- /dev/null +++ b/lib/lightning/channels/channel.ex @@ -0,0 +1,62 @@ +defmodule Lightning.Channels.Channel do + @moduledoc """ + Schema for a Channel — an HTTP proxy configuration that forwards + requests from a source endpoint to a sink URL. + """ + use Lightning.Schema + + alias Lightning.Projects.Project + alias Lightning.Validators + + @type t :: %__MODULE__{ + id: Ecto.UUID.t(), + project_id: Ecto.UUID.t(), + name: String.t(), + sink_url: String.t(), + enabled: boolean(), + lock_version: integer(), + inserted_at: DateTime.t(), + updated_at: DateTime.t() + } + + schema "channels" do + field :name, :string + field :sink_url, :string + field :enabled, :boolean, default: true + field :lock_version, :integer, default: 0 + + belongs_to :project, Project + + has_many :channel_auth_methods, Lightning.Channels.ChannelAuthMethod + + has_many :source_auth_methods, Lightning.Channels.ChannelAuthMethod, + where: [role: :source] + + has_many :sink_auth_methods, Lightning.Channels.ChannelAuthMethod, + where: [role: :sink] + + has_many :channel_snapshots, Lightning.Channels.ChannelSnapshot + has_many :channel_requests, Lightning.Channels.ChannelRequest + + timestamps() + end + + def changeset(channel, attrs) do + channel + |> cast(attrs, [ + :name, + :sink_url, + :project_id, + :enabled + ]) + |> validate_required([:name, :sink_url, :project_id]) + |> Validators.validate_url(:sink_url) + |> assoc_constraint(:project) + |> unique_constraint([:project_id, :name], + error_key: :name, + message: "A channel with this name already exists in this project" + ) + |> optimistic_lock(:lock_version) + |> cast_assoc(:channel_auth_methods) + end +end diff --git a/lib/lightning/channels/channel_auth_method.ex b/lib/lightning/channels/channel_auth_method.ex new file mode 100644 index 00000000000..649805ecae9 --- /dev/null +++ b/lib/lightning/channels/channel_auth_method.ex @@ -0,0 +1,93 @@ +defmodule Lightning.Channels.ChannelAuthMethod do + @moduledoc """ + Join table connecting channels to auth method implementations. + + Each record has a `role` (:source or :sink) and points to exactly one + of `webhook_auth_method` (for source/inbound auth) or + `project_credential` (for sink/outbound auth). + """ + use Lightning.Schema + + alias Lightning.Channels.Channel + alias Lightning.Projects.ProjectCredential + alias Lightning.Validators + alias Lightning.Workflows.WebhookAuthMethod + + @roles [:source, :sink] + + schema "channel_auth_methods" do + field :role, Ecto.Enum, values: @roles + field :delete, :boolean, virtual: true + + belongs_to :channel, Channel + belongs_to :webhook_auth_method, WebhookAuthMethod + belongs_to :project_credential, ProjectCredential + + timestamps() + end + + def changeset(struct, attrs) do + struct + |> cast(attrs, [ + :role, + :webhook_auth_method_id, + :project_credential_id, + :delete + ]) + |> validate_required([:role]) + |> Validators.validate_exclusive( + [:webhook_auth_method_id, :project_credential_id], + "webhook_auth_method_id and project_credential_id are mutually exclusive" + ) + |> Validators.validate_one_required( + [:webhook_auth_method_id, :project_credential_id], + "must reference either a webhook auth method or a project credential" + ) + |> validate_role_target_consistency() + |> assoc_constraint(:channel) + |> foreign_key_constraint(:webhook_auth_method_id) + |> foreign_key_constraint(:project_credential_id) + |> unique_constraint(:webhook_auth_method_id, + name: :channel_auth_methods_wam_unique + ) + |> unique_constraint(:project_credential_id, + name: :channel_auth_methods_pc_unique + ) + |> then(fn changeset -> + if get_change(changeset, :delete) do + %{changeset | action: :delete} + else + changeset + end + end) + end + + defp validate_role_target_consistency(changeset) do + case get_field(changeset, :role) do + :source -> + if get_field(changeset, :project_credential_id) do + add_error( + changeset, + :project_credential_id, + "source auth must use a webhook auth method, not a project credential" + ) + else + changeset + end + + :sink -> + if get_field(changeset, :webhook_auth_method_id) do + add_error( + changeset, + :webhook_auth_method_id, + "sink auth must use a project credential, not a webhook auth method" + ) + else + changeset + end + + _ -> + changeset + end + end +end diff --git a/lib/lightning/channels/channel_event.ex b/lib/lightning/channels/channel_event.ex new file mode 100644 index 00000000000..8944b3d200b --- /dev/null +++ b/lib/lightning/channels/channel_event.ex @@ -0,0 +1,74 @@ +defmodule Lightning.Channels.ChannelEvent do + @moduledoc """ + Schema for a ChannelEvent — a detailed log entry recording HTTP + request/response data for a channel request. + """ + use Lightning.Schema + + alias Lightning.Channels.ChannelRequest + + @type t :: %__MODULE__{ + id: Ecto.UUID.t(), + channel_request_id: Ecto.UUID.t(), + type: :source_received | :sink_request | :sink_response | :error, + request_method: String.t() | nil, + request_path: String.t() | nil, + request_headers: String.t() | nil, + request_body_preview: String.t() | nil, + request_body_hash: String.t() | nil, + response_status: integer() | nil, + response_headers: String.t() | nil, + response_body_preview: String.t() | nil, + response_body_hash: String.t() | nil, + latency_ms: integer() | nil, + ttfb_ms: integer() | nil, + error_message: String.t() | nil, + inserted_at: DateTime.t() + } + + schema "channel_events" do + field :type, Ecto.Enum, + values: [:source_received, :sink_request, :sink_response, :error] + + field :request_method, :string + field :request_path, :string + field :request_headers, :string + field :request_body_preview, :string + field :request_body_hash, :string + + field :response_status, :integer + field :response_headers, :string + field :response_body_preview, :string + field :response_body_hash, :string + + field :latency_ms, :integer + field :ttfb_ms, :integer + field :error_message, :string + + belongs_to :channel_request, ChannelRequest + + timestamps(updated_at: false) + end + + def changeset(event, attrs) do + event + |> cast(attrs, [ + :channel_request_id, + :type, + :request_method, + :request_path, + :request_headers, + :request_body_preview, + :request_body_hash, + :response_status, + :response_headers, + :response_body_preview, + :response_body_hash, + :latency_ms, + :ttfb_ms, + :error_message + ]) + |> validate_required([:channel_request_id, :type]) + |> assoc_constraint(:channel_request) + end +end diff --git a/lib/lightning/channels/channel_request.ex b/lib/lightning/channels/channel_request.ex new file mode 100644 index 00000000000..97cf9989715 --- /dev/null +++ b/lib/lightning/channels/channel_request.ex @@ -0,0 +1,61 @@ +defmodule Lightning.Channels.ChannelRequest do + @moduledoc """ + Schema for a ChannelRequest — tracks the lifecycle of a single proxied + HTTP request through a channel. + """ + use Lightning.Schema + + alias Lightning.Channels.Channel + alias Lightning.Channels.ChannelEvent + alias Lightning.Channels.ChannelSnapshot + + @type t :: %__MODULE__{ + id: Ecto.UUID.t(), + channel_id: Ecto.UUID.t(), + channel_snapshot_id: Ecto.UUID.t(), + request_id: String.t(), + client_identity: String.t() | nil, + state: :pending | :success | :failed | :timeout | :error, + started_at: DateTime.t(), + completed_at: DateTime.t() | nil + } + + schema "channel_requests" do + field :request_id, :string + field :client_identity, :string + + field :state, Ecto.Enum, + values: [:pending, :success, :failed, :timeout, :error] + + field :started_at, :utc_datetime_usec + field :completed_at, :utc_datetime_usec + + belongs_to :channel, Channel + belongs_to :channel_snapshot, ChannelSnapshot + + has_many :channel_events, ChannelEvent + end + + def changeset(request, attrs) do + request + |> cast(attrs, [ + :channel_id, + :channel_snapshot_id, + :request_id, + :client_identity, + :state, + :started_at, + :completed_at + ]) + |> validate_required([ + :channel_id, + :channel_snapshot_id, + :request_id, + :state, + :started_at + ]) + |> assoc_constraint(:channel) + |> assoc_constraint(:channel_snapshot) + |> unique_constraint(:request_id) + end +end diff --git a/lib/lightning/channels/channel_snapshot.ex b/lib/lightning/channels/channel_snapshot.ex new file mode 100644 index 00000000000..a0604a1d787 --- /dev/null +++ b/lib/lightning/channels/channel_snapshot.ex @@ -0,0 +1,52 @@ +defmodule Lightning.Channels.ChannelSnapshot do + @moduledoc """ + Schema for a ChannelSnapshot — an immutable point-in-time copy of a + channel's configuration, created when a request is proxied. + """ + use Lightning.Schema + + alias Lightning.Channels.Channel + + @type t :: %__MODULE__{ + id: Ecto.UUID.t(), + channel_id: Ecto.UUID.t(), + lock_version: integer(), + name: String.t(), + sink_url: String.t(), + enabled: boolean(), + inserted_at: DateTime.t() + } + + schema "channel_snapshots" do + field :lock_version, :integer + field :name, :string + field :sink_url, :string + field :enabled, :boolean + + belongs_to :channel, Channel + + has_many :channel_requests, Lightning.Channels.ChannelRequest + + timestamps(updated_at: false) + end + + def changeset(snapshot, attrs) do + snapshot + |> cast(attrs, [ + :channel_id, + :lock_version, + :name, + :sink_url, + :enabled + ]) + |> validate_required([ + :channel_id, + :lock_version, + :name, + :sink_url, + :enabled + ]) + |> assoc_constraint(:channel) + |> unique_constraint([:channel_id, :lock_version]) + end +end diff --git a/lib/lightning/channels/handler.ex b/lib/lightning/channels/handler.ex new file mode 100644 index 00000000000..8dfe9e64f11 --- /dev/null +++ b/lib/lightning/channels/handler.ex @@ -0,0 +1,198 @@ +defmodule Lightning.Channels.Handler do + @moduledoc """ + Weir handler that persists every proxied Channel request. + + ## Lifecycle + + Weir invokes three callbacks during the proxy lifecycle: + + 1. `handle_request_started` — creates a `ChannelRequest` record + synchronously. If the insert fails, the request is rejected with 503. + + 2. `handle_response_started` — captures TTFB and response headers into + handler state. **May not be called** — see below. + + 3. `handle_response_finished` — creates a `ChannelEvent` and updates + the `ChannelRequest` state. + + ## Skipped `handle_response_started` + + `handle_response_started` fires when the first response bytes arrive from + the upstream (TTFB). If the upstream never sends a response, the callback + is skipped entirely and `handle_response_finished` receives handler state + from `handle_request_started` only — without `ttfb_us`, `response_status`, + or `response_headers`. + + This happens when: + + - DNS resolution fails (`:nxdomain`) + - The upstream refuses the connection (`:econnrefused`) + - The host or network is unreachable (`:ehostunreach`, `:enetunreach`) + - The connection times out before any response (`:connect_timeout`) + - The response times out before headers arrive (`:timeout`) + - TLS handshake fails + + All fields derived from `handle_response_started` are accessed via + `Map.get/2` with `nil` fallbacks, so this is safe. The `classify_error/1` + function translates known Weir error shapes into stable string identifiers + for persistence. + """ + + use Weir.Handler + + alias Lightning.Channels.ChannelEvent + alias Lightning.Channels.ChannelRequest + alias Lightning.Repo + + require Logger + + @redacted_headers ~w(authorization x-api-key) + + @known_transport_errors ~w( + nxdomain econnrefused ehostunreach enetunreach + closed econnreset econnaborted epipe + )a + + @impl true + def handle_request_started(metadata, state) do + attrs = %{ + channel_id: state.channel.id, + channel_snapshot_id: state.snapshot.id, + request_id: state.request_id, + client_identity: state.client_identity, + state: :pending, + started_at: state.started_at + } + + case %ChannelRequest{} |> ChannelRequest.changeset(attrs) |> Repo.insert() do + {:ok, channel_request} -> + {:ok, + Map.merge(state, %{ + channel_request: channel_request, + request_headers: redact_headers(metadata.headers), + request_method: metadata.method + })} + + {:error, _changeset} -> + Logger.warning("Failed to create ChannelRequest for #{state.request_id}") + + {:reject, 503, "Service Unavailable", state} + end + end + + @impl true + def handle_response_started(metadata, state) do + {:ok, + Map.merge(state, %{ + ttfb_us: metadata.time_to_first_byte_us, + response_status: metadata.status, + response_headers: redact_headers(metadata.headers) + })} + end + + @impl true + def handle_response_finished(result, state) do + persist_completion(result, state) + {:ok, state} + end + + defp persist_completion(result, state) do + request_state = derive_request_state(result) + event_type = derive_event_type(result) + + event_attrs = %{ + channel_request_id: state.channel_request.id, + type: event_type, + request_method: state.request_method, + request_path: state.request_path, + request_headers: encode_headers(state.request_headers), + request_body_preview: get_in(result, [:request_observation, :preview]), + request_body_hash: get_in(result, [:request_observation, :hash]), + response_status: result.status, + response_headers: encode_headers(Map.get(state, :response_headers)), + response_body_preview: get_in(result, [:response_observation, :preview]), + response_body_hash: get_in(result, [:response_observation, :hash]), + latency_ms: div(result.duration_us, 1000), + ttfb_ms: state |> Map.get(:ttfb_us) |> maybe_div(1000), + error_message: if(result.error, do: classify_error(result.error)) + } + + request_update = %{ + state: request_state, + completed_at: DateTime.utc_now() + } + + with {:ok, _event} <- + %ChannelEvent{} + |> ChannelEvent.changeset(event_attrs) + |> Repo.insert(), + {:ok, _request} <- + state.channel_request + |> ChannelRequest.changeset(request_update) + |> Repo.update() do + :ok + else + {:error, changeset} -> + Logger.warning( + "Failed to persist channel observation for request " <> + "#{state.channel_request.request_id}: #{inspect(changeset.errors)}" + ) + + state.channel_request + |> ChannelRequest.changeset(%{ + state: :error, + completed_at: DateTime.utc_now() + }) + |> Repo.update() + end + end + + defp derive_request_state(result) do + cond do + match?({:timeout, _}, result.error) -> :timeout + result.error != nil -> :error + result.status in 200..299 -> :success + result.status in 400..599 -> :failed + true -> :error + end + end + + defp derive_event_type(result) do + if result.error != nil, do: :error, else: :sink_response + end + + defp redact_headers(headers) when is_list(headers) do + Enum.map(headers, fn {key, value} -> + if String.downcase(key) in @redacted_headers do + {key, "[REDACTED]"} + else + {key, value} + end + end) + end + + defp redact_headers(nil), do: nil + + defp encode_headers(nil), do: nil + + # Encodes as array-of-pairs rather than a map because HTTP allows + # duplicate header keys (e.g. multiple Set-Cookie headers). + defp encode_headers(headers) do + headers + |> Enum.map(fn {k, v} -> [k, v] end) + |> Jason.encode!() + end + + defp classify_error({:timeout, :connect_timeout}), do: "connect_timeout" + defp classify_error({:timeout, :timeout}), do: "response_timeout" + defp classify_error({:timeout, {:closed, :timeout}}), do: "timeout" + + defp classify_error(%{reason: reason}) + when reason in @known_transport_errors, + do: Atom.to_string(reason) + + defp classify_error(error), do: inspect(error) + + defp maybe_div(nil, _), do: nil + defp maybe_div(us, divisor), do: div(us, divisor) +end diff --git a/lib/lightning/channels/sink_auth.ex b/lib/lightning/channels/sink_auth.ex new file mode 100644 index 00000000000..4435dc8b676 --- /dev/null +++ b/lib/lightning/channels/sink_auth.ex @@ -0,0 +1,74 @@ +defmodule Lightning.Channels.SinkAuth do + @moduledoc """ + Maps a credential's schema type and body to an outbound HTTP Authorization header. + + ## Supported Schemas + + - `"http"` — Bearer token (`access_token`) or Basic auth (`username`+`password`) + - `"dhis2"` — DHIS2 ApiToken (`pat`) or Basic auth (`username`+`password`) + - `"oauth"` — Bearer token (`access_token`, with auto-refresh via `resolve_credential_body`) + + Schemas not in this list are rejected at config time. If an unsupported schema + somehow reaches runtime, `build_auth_header/2` returns an error. + """ + + @supported_schemas ~w(http dhis2 oauth) + + @doc """ + Returns the list of credential schema types that can be used for sink auth. + Used for config-time validation. + """ + @spec supported_schemas() :: [String.t()] + def supported_schemas, do: @supported_schemas + + @doc """ + Given a credential schema name and decrypted body map, returns the + Authorization header value to set on the outbound request. + + Returns: + - `{:ok, header_value}` — e.g., `"Bearer tok123"` or `"Basic dTpw"` + - `{:error, :no_auth_fields}` — credential body missing required auth fields + - `{:error, {:unsupported_schema, schema}}` — schema not in supported list + """ + @spec build_auth_header(String.t(), map()) :: + {:ok, String.t()} + | {:error, :no_auth_fields | {:unsupported_schema, String.t()}} + def build_auth_header("http", body) do + cond do + token = body["access_token"] -> + {:ok, "Bearer #{token}"} + + body["username"] && body["password"] -> + {:ok, + "Basic #{Base.encode64("#{body["username"]}:#{body["password"]}")}"} + + true -> + {:error, :no_auth_fields} + end + end + + def build_auth_header("dhis2", body) do + cond do + token = body["pat"] -> + {:ok, "ApiToken #{token}"} + + body["username"] && body["password"] -> + {:ok, + "Basic #{Base.encode64("#{body["username"]}:#{body["password"]}")}"} + + true -> + {:error, :no_auth_fields} + end + end + + def build_auth_header("oauth", body) do + case body["access_token"] do + nil -> {:error, :no_auth_fields} + token -> {:ok, "Bearer #{token}"} + end + end + + def build_auth_header(schema, _body) do + {:error, {:unsupported_schema, schema}} + end +end diff --git a/lib/lightning/config/bootstrap.ex b/lib/lightning/config/bootstrap.ex index 11df8cadbee..6d822a81775 100644 --- a/lib/lightning/config/bootstrap.ex +++ b/lib/lightning/config/bootstrap.ex @@ -53,6 +53,29 @@ defmodule Lightning.Config.Bootstrap do if config_env() == :dev do enabled = env!("LIVE_DEBUGGER", &Utils.ensure_boolean/1, true) config :live_debugger, :disabled?, not enabled + + live_debugger_ip = + env!( + "LIVE_DEBUGGER_IP", + fn address -> + address + |> String.split(".") + |> Enum.map(&String.to_integer/1) + |> List.to_tuple() + end, + nil + ) + + if live_debugger_ip do + config :live_debugger, :ip, live_debugger_ip + end + + live_debugger_external_url = + env!("LIVE_DEBUGGER_EXTERNAL_URL", :string, nil) + + if live_debugger_external_url do + config :live_debugger, :external_url, live_debugger_external_url + end end # Load storage and webhook retry config early so endpoint can respect it. diff --git a/lib/lightning/policies/project_users.ex b/lib/lightning/policies/project_users.ex index 507cc201203..647092700db 100644 --- a/lib/lightning/policies/project_users.ex +++ b/lib/lightning/policies/project_users.ex @@ -28,6 +28,9 @@ defmodule Lightning.Policies.ProjectUsers do | :initiate_github_sync | :create_collection | :publish_template + | :create_channel + | :delete_channel + | :update_channel @doc """ authorize/3 takes an action, a user, and a project. It checks the user's role @@ -110,7 +113,10 @@ defmodule Lightning.Policies.ProjectUsers do :delete_workflow, :run_workflow, :create_project_credential, - :initiate_github_sync + :initiate_github_sync, + :create_channel, + :delete_channel, + :update_channel ] def authorize( diff --git a/lib/lightning/projects/project.ex b/lib/lightning/projects/project.ex index 8691a120f5b..5f1b0e1364d 100644 --- a/lib/lightning/projects/project.ex +++ b/lib/lightning/projects/project.ex @@ -50,6 +50,7 @@ defmodule Lightning.Projects.Project do has_many :credentials, through: [:project_credentials, :credential] has_many :collections, Lightning.Collections.Collection + has_many :channels, Lightning.Channels.Channel timestamps() end diff --git a/lib/lightning/setup_utils.ex b/lib/lightning/setup_utils.ex index 86d57d498a8..dea4ba789a2 100644 --- a/lib/lightning/setup_utils.ex +++ b/lib/lightning/setup_utils.ex @@ -813,6 +813,9 @@ defmodule Lightning.SetupUtils do Lightning.Projects.File, Lightning.Projects.ProjectOauthClient, Lightning.Credentials.OauthClient, + Lightning.Channels.ChannelRequest, + Lightning.Channels.ChannelSnapshot, + Lightning.Channels.Channel, Lightning.Projects.Project, Lightning.Collaboration.DocumentState ]) diff --git a/lib/lightning_web/auth.ex b/lib/lightning_web/auth.ex new file mode 100644 index 00000000000..b55e7822e3b --- /dev/null +++ b/lib/lightning_web/auth.ex @@ -0,0 +1,75 @@ +defmodule LightningWeb.Auth do + @moduledoc """ + Shared HTTP request authentication functions. + + Validates inbound requests against `WebhookAuthMethod` records using + API key (`x-api-key` header) or Basic Auth (`authorization` header). + Used by both `WebhookAuth` plug (triggers) and `ChannelProxyPlug` + (channels). + + All comparisons use `Plug.Crypto.secure_compare/2` to prevent + timing attacks. + """ + import Plug.Conn, only: [get_req_header: 2] + + alias Lightning.Workflows.WebhookAuthMethod + + @doc """ + Returns true if the request's `x-api-key` header matches any + `:api`-type auth method in the list. + """ + def valid_key?(conn, methods) do + Enum.any?(methods, &key_matches?(conn, &1)) + end + + @doc """ + Returns true if the request's Basic Auth credentials match any + `:basic`-type auth method in the list. + """ + def valid_user?(conn, methods) do + Enum.any?(methods, &user_matches?(conn, &1)) + end + + @doc """ + Returns true if the request contains an `x-api-key` or + `authorization` header (regardless of whether the value is correct). + """ + def has_credentials?(conn) do + get_req_header(conn, "x-api-key") != [] or + get_req_header(conn, "authorization") != [] + end + + defp key_matches?( + conn, + %WebhookAuthMethod{auth_type: :api, api_key: key} + ) do + get_req_header(conn, "x-api-key") + |> Enum.any?(fn header_value -> + Plug.Crypto.secure_compare(header_value, key) + end) + end + + defp key_matches?(_, _), do: false + + defp user_matches?(conn, %WebhookAuthMethod{ + auth_type: :basic, + username: expected_user, + password: expected_pass + }) do + get_req_header(conn, "authorization") + |> Enum.find_value(false, fn auth -> + with [scheme, b64] <- String.split(auth, " ", parts: 2), + true <- String.downcase(scheme) == "basic", + {:ok, decoded} <- Base.decode64(b64), + [user, pass] <- String.split(decoded, ":", parts: 2), + true <- Plug.Crypto.secure_compare(user, expected_user), + true <- Plug.Crypto.secure_compare(pass, expected_pass) do + true + else + _ -> false + end + end) + end + + defp user_matches?(_, _), do: false +end diff --git a/lib/lightning_web/endpoint.ex b/lib/lightning_web/endpoint.ex index 40add7babd5..c08f1af12c9 100644 --- a/lib/lightning_web/endpoint.ex +++ b/lib/lightning_web/endpoint.ex @@ -68,6 +68,9 @@ defmodule LightningWeb.Endpoint do plug Plug.RequestId + # Channel proxy — must be before Plug.Parsers to preserve raw body + plug LightningWeb.ChannelProxyPlug + plug Plugs.PromexWrapper @pre_parsers_plugs Application.compile_env( diff --git a/lib/lightning_web/live/channel_live/form_component.ex b/lib/lightning_web/live/channel_live/form_component.ex new file mode 100644 index 00000000000..1639bb3d636 --- /dev/null +++ b/lib/lightning_web/live/channel_live/form_component.ex @@ -0,0 +1,276 @@ +defmodule LightningWeb.ChannelLive.FormComponent do + @moduledoc false + use LightningWeb, :live_component + + alias Lightning.Channels + alias Lightning.Channels.Channel + alias Lightning.Projects + alias Lightning.WebhookAuthMethods + + @impl true + def update( + %{channel: channel, project: project, on_close: _} = assigns, + socket + ) do + changeset = Channel.changeset(channel, %{}) + + wams = WebhookAuthMethods.list_for_project(project) + pcs = Projects.list_project_credentials(project) + + current_source_ids = + channel.channel_auth_methods + |> Enum.filter(&(&1.role == :source)) + |> Enum.map(& &1.webhook_auth_method_id) + + current_sink_ids = + channel.channel_auth_methods + |> Enum.filter(&(&1.role == :sink)) + |> Enum.map(& &1.project_credential_id) + + source_selections = + Map.new(wams, fn wam -> {wam.id, wam.id in current_source_ids} end) + + sink_selections = + Map.new(pcs, fn pc -> {pc.id, pc.id in current_sink_ids} end) + + {:ok, + socket + |> assign(assigns) + |> assign( + changeset: changeset, + webhook_auth_methods: wams, + project_credentials: pcs, + source_selections: source_selections, + sink_selections: sink_selections + )} + end + + @impl true + def handle_event("validate", %{"channel" => params}, socket) do + changeset = + socket.assigns.channel + |> Channel.changeset(params) + |> Map.put(:action, :validate) + + source_selections = + merge_selections( + socket.assigns.source_selections, + Map.get(params, "source_auth_methods", %{}) + ) + + sink_selections = + merge_selections( + socket.assigns.sink_selections, + Map.get(params, "sink_auth_methods", %{}) + ) + + {:noreply, + assign(socket, + changeset: changeset, + source_selections: source_selections, + sink_selections: sink_selections + )} + end + + def handle_event("save", %{"channel" => params}, socket) do + save_channel(socket, socket.assigns.action, params) + end + + @impl true + def render(assigns) do + assigns = + assign_new(assigns, :title, fn -> + case assigns.action do + :new -> "New Channel" + :edit -> "Edit Channel" + end + end) + + ~H""" +
+ <.modal show id={"#{@id}-modal"} width="w-full max-w-lg" on_close={@on_close}> + <:title> +
+ {@title} + +
+ + + <.form + :let={f} + for={to_form(@changeset)} + id={"channel-form-#{if @action == :edit, do: @channel.id, else: "new"}"} + phx-target={@myself} + phx-change="validate" + phx-submit="save" + > +
+ <.input field={f[:name]} label="Name" type="text" phx-debounce="300" /> + + <.input + field={f[:sink_url]} + label="Sink URL" + type="text" + phx-debounce="300" + /> + + <.input field={f[:enabled]} label="Enabled" type="toggle" /> + +
+
+

+ Source Authentication Methods +

+ <.link + navigate={~p"/projects/#{@project}/settings#webhook_security"} + class="text-xs link" + > + Create a new one in project settings. + +
+
+ <.input + :for={wam <- @webhook_auth_methods} + id={"source_auth_#{wam.id}"} + name={"#{f.name}[source_auth_methods][#{wam.id}]"} + type="checkbox" + value={Map.get(@source_selections, wam.id, false)} + label={wam.name} + /> +
+
+ +
+
+

+ Sink Credentials +

+ <.link + navigate={~p"/projects/#{@project}/settings#credentials"} + class="text-xs link" + > + Create a new one in project settings. + +
+
+ <.input + :for={pc <- @project_credentials} + id={"sink_auth_#{pc.id}"} + name={"#{f.name}[sink_auth_methods][#{pc.id}]"} + type="checkbox" + value={Map.get(@sink_selections, pc.id, false)} + label={pc.credential.name} + /> +
+
+
+ + <.modal_footer> + <.button type="submit" theme="primary" phx-target={@myself}> + Save + + <.button theme="secondary" type="button" phx-click={@on_close}> + Cancel + + + + +
+ """ + end + + defp save_channel(socket, :new, params) do + params = + Map.merge(params, %{ + "project_id" => socket.assigns.project.id, + "channel_auth_methods" => build_auth_method_params(params, []) + }) + + case Channels.create_channel(params, actor: socket.assigns.current_user) do + {:ok, _channel} -> + {:noreply, + socket + |> put_flash(:info, "Channel created successfully.") + |> push_patch(to: ~p"/projects/#{socket.assigns.project}/channels")} + + {:error, changeset} -> + {:noreply, assign(socket, changeset: changeset)} + end + end + + defp save_channel(socket, :edit, params) do + params = + Map.put( + params, + "channel_auth_methods", + build_auth_method_params( + params, + socket.assigns.channel.channel_auth_methods + ) + ) + + case Channels.update_channel( + socket.assigns.channel, + params, + actor: socket.assigns.current_user + ) do + {:ok, _channel} -> + {:noreply, + socket + |> put_flash(:info, "Channel updated successfully.") + |> push_patch(to: ~p"/projects/#{socket.assigns.project}/channels")} + + {:error, changeset} -> + {:noreply, assign(socket, changeset: changeset)} + end + end + + defp merge_selections(current, submitted) do + Map.new(current, fn {k, _v} -> + {k, Map.get(submitted, k, "false") == "true"} + end) + end + + defp build_auth_method_params(params, current_auth_methods) do + build_auth_method_list(params, :source, current_auth_methods) ++ + build_auth_method_list(params, :sink, current_auth_methods) + end + + defp build_auth_method_list(params, role, current_auth_methods) do + id_field = auth_method_id_field(role) + + params + |> Map.get(auth_method_param_key(role), %{}) + |> Enum.reduce([], fn {k, v}, acc -> + existing_record = + Enum.find(current_auth_methods, &(Map.get(&1, id_field) == k)) + + case {existing_record, v} do + {%{}, "true"} -> [%{id: existing_record.id} | acc] + {nil, "true"} -> [%{id_field => k, role: to_string(role)} | acc] + {%{}, _} -> [%{id: existing_record.id, delete: true} | acc] + {nil, _} -> acc + end + end) + end + + defp auth_method_id_field(:source), do: :webhook_auth_method_id + defp auth_method_id_field(:sink), do: :project_credential_id + + defp auth_method_param_key(:source), do: "source_auth_methods" + defp auth_method_param_key(:sink), do: "sink_auth_methods" +end diff --git a/lib/lightning_web/live/channel_live/index.ex b/lib/lightning_web/live/channel_live/index.ex new file mode 100644 index 00000000000..91f759417b7 --- /dev/null +++ b/lib/lightning_web/live/channel_live/index.ex @@ -0,0 +1,363 @@ +defmodule LightningWeb.ChannelLive.Index do + @moduledoc false + use LightningWeb, :live_view + + alias Lightning.Channels + alias Lightning.Policies.Permissions + alias Lightning.Policies.ProjectUsers + alias LightningWeb.ChannelLive.FormComponent + alias LightningWeb.Components.Common + + on_mount {LightningWeb.Hooks, :project_scope} + on_mount {LightningWeb.Hooks, :check_limits} + + @impl true + def render(assigns) do + ~H""" + + <:banner> + + + <:header> + + <:breadcrumbs> + + + + <:label>{@page_title} + + + + + + + <.channel_metrics channel_stats={@channel_stats} /> +
+
+

+ Channels + ({length(@channels)}) +

+ <.link + :if={@can_create_channel} + patch={~p"/projects/#{@project}/channels/new"} + > + <.button id="new-channel-button" theme="primary"> + New Channel + + + <.button + :if={!@can_create_channel} + id="new-channel-button" + theme="primary" + disabled + tooltip="You are not authorized to perform this action." + > + New Channel + +
+ <.channels_table + id="channels-table" + channels={@channels} + can_edit_channel={@can_edit_channel} + can_delete_channel={@can_delete_channel} + project={@project} + /> +
+ + + <.live_component + :if={@live_action in [:new, :edit]} + module={FormComponent} + id={ + (@selected_channel && @selected_channel.id && + "edit-channel-#{@selected_channel.id}") || :new + } + action={@live_action} + channel={@selected_channel} + project={@project} + current_user={@current_user} + on_close={JS.patch(~p"/projects/#{@project}/channels")} + /> + """ + end + + @impl true + def mount(_params, _session, socket) do + %{current_user: current_user, project: project} = socket.assigns + + can_create_channel = + ProjectUsers + |> Permissions.can?(:create_channel, current_user, project) + + can_edit_channel = + ProjectUsers + |> Permissions.can?(:update_channel, current_user, project) + + can_delete_channel = + ProjectUsers + |> Permissions.can?(:delete_channel, current_user, project) + + {:ok, + socket + |> assign( + active_menu_item: :channels, + can_create_channel: can_create_channel, + can_edit_channel: can_edit_channel, + can_delete_channel: can_delete_channel, + channels: [], + channel_stats: %{total_channels: 0, total_requests: 0} + )} + end + + @impl true + def handle_params(params, _url, socket) do + {:noreply, apply_action(socket, socket.assigns.live_action, params)} + end + + defp apply_action(socket, :index, _params) do + project_id = socket.assigns.project.id + + socket + |> assign( + page_title: "Channels", + channels: Channels.list_channels_for_project_with_stats(project_id), + channel_stats: Channels.get_channel_stats_for_project(project_id), + selected_channel: nil + ) + end + + defp apply_action(socket, :new, _params) do + if socket.assigns.can_create_channel do + socket + |> assign( + page_title: "New Channel", + selected_channel: %Lightning.Channels.Channel{channel_auth_methods: []} + ) + else + socket + |> put_flash(:error, "You are not authorized to create channels.") + |> push_navigate(to: ~p"/projects/#{socket.assigns.project.id}/channels") + end + end + + defp apply_action(socket, :edit, %{"id" => id}) do + if socket.assigns.can_edit_channel do + channel = Channels.get_channel!(id, include: [:channel_auth_methods]) + + socket + |> assign( + page_title: "Edit Channel", + selected_channel: channel + ) + else + socket + |> put_flash(:error, "You are not authorized to edit channels.") + |> push_navigate(to: ~p"/projects/#{socket.assigns.project.id}/channels") + end + end + + @impl true + def handle_event( + "toggle_channel_state", + %{"channel_state" => enabled?, "value_key" => channel_id}, + socket + ) do + with :ok <- check_can_edit_channel(socket), + {:ok, channel} <- fetch_project_channel(socket, channel_id) do + case Channels.update_channel(channel, %{enabled: enabled?}, + actor: socket.assigns.current_user + ) do + {:ok, _channel} -> + socket + |> put_flash(:info, "Channel updated") + |> push_patch(to: ~p"/projects/#{socket.assigns.project.id}/channels") + |> noreply() + + {:error, _changeset} -> + socket + |> put_flash(:error, "Failed to update channel. Please try again.") + |> noreply() + end + end + end + + @impl true + def handle_event("delete_channel", %{"id" => id}, socket) do + with :ok <- check_can_delete_channel(socket), + {:ok, channel} <- fetch_project_channel(socket, id) do + case Channels.delete_channel(channel, actor: socket.assigns.current_user) do + {:ok, _} -> + socket + |> put_flash(:info, "Channel deleted.") + |> push_patch(to: ~p"/projects/#{socket.assigns.project.id}/channels") + |> noreply() + + {:error, changeset} -> + message = + if Keyword.has_key?(changeset.errors, :channel_snapshots), + do: + "Cannot delete \"#{channel.name}\" — it has request history that must be retained.", + else: "Failed to delete channel. Please try again." + + socket |> put_flash(:error, message) |> noreply() + end + end + end + + defp check_can_edit_channel(socket) do + if socket.assigns.can_edit_channel do + :ok + else + socket + |> put_flash(:error, "You are not authorized to perform this action.") + |> noreply() + end + end + + defp check_can_delete_channel(socket) do + if socket.assigns.can_delete_channel do + :ok + else + socket + |> put_flash(:error, "You are not authorized to perform this action.") + |> noreply() + end + end + + defp fetch_project_channel(socket, channel_id) do + case Channels.get_channel_for_project(socket.assigns.project.id, channel_id) do + %{} = channel -> {:ok, channel} + nil -> socket |> put_flash(:error, "Channel not found.") |> noreply() + end + end + + # --- Private components --- + + attr :channel_stats, :map, required: true + + defp channel_metrics(assigns) do + ~H""" +
+
+

Total Channels

+
+ {@channel_stats.total_channels} +
+
+
+

Total Requests

+
+ {@channel_stats.total_requests} +
+
+
+ """ + end + + attr :id, :string, required: true + attr :channels, :list, required: true + attr :project, :map, required: true + attr :can_edit_channel, :boolean, default: false + attr :can_delete_channel, :boolean, default: false + + defp channels_table(%{channels: []} = assigns) do + ~H""" +
+

No channels found.

+
+ """ + end + + defp channels_table(assigns) do + ~H""" + <.table id={@id}> + <:header> + <.tr> + <.th>Name + <.th>Sink URL + <.th>Requests + <.th>Last Activity + <.th>Enabled + <.th>Actions + + + <:body> + <%= for %{channel: channel, request_count: count, last_activity: last_at} <- + @channels do %> + <.tr id={"channel-#{channel.id}"}> + <.td class="wrap-break-word max-w-[15rem]"> + + {channel.name} + + + <.td class="wrap-break-word max-w-[20rem] text-sm text-gray-600 font-mono"> + {channel.sink_url} + + <.td class="text-gray-700"> + {count} + + <.td class="text-gray-500 text-sm"> + <%= if last_at do %> + + <% else %> + Never + <% end %> + + <.td> + <%= if @can_edit_channel do %> + <.input + id={channel.id} + type="toggle" + name="channel_state" + value={channel.enabled} + tooltip={unless channel.enabled, do: "#{channel.name} (disabled)"} + on_click="toggle_channel_state" + value_key={channel.id} + /> + <% else %> + + {if channel.enabled, do: "Enabled", else: "Disabled"} + + <% end %> + + <.td class="text-right"> +
+ <.link + :if={@can_edit_channel} + patch={~p"/projects/#{@project}/channels/#{channel.id}/edit"} + > + <.button theme="secondary" size="sm">Edit + + <.button + :if={@can_delete_channel} + theme="danger" + size="sm" + phx-click="delete_channel" + phx-value-id={channel.id} + data-confirm={"Delete \"#{channel.name}\"? This cannot be undone."} + > + Delete + +
+ + + <% end %> + + + """ + end +end diff --git a/lib/lightning_web/live/components/icon.ex b/lib/lightning_web/live/components/icon.ex index 5b5add09130..272fa321869 100644 --- a/lib/lightning_web/live/components/icon.ex +++ b/lib/lightning_web/live/components/icon.ex @@ -37,6 +37,8 @@ defmodule LightningWeb.Components.Icon do def sandboxes(assigns), do: Heroicons.beaker(assigns) + def channels(assigns), do: Heroicons.arrows_right_left(assigns) + def branches(assigns) do ~H""" <%= if Lightning.Accounts.experimental_features_enabled?(@current_user) do %> + <.menu_item + to={~p"/projects/#{@project_id}/channels"} + active={@active_menu_item == :channels} + > + + Channels + + <.menu_item to={~p"/projects/#{@project_id}/sandboxes"} active={@active_menu_item == :sandboxes} diff --git a/lib/lightning_web/plugs/channel_proxy_plug.ex b/lib/lightning_web/plugs/channel_proxy_plug.ex new file mode 100644 index 00000000000..a1a5141a844 --- /dev/null +++ b/lib/lightning_web/plugs/channel_proxy_plug.ex @@ -0,0 +1,289 @@ +defmodule LightningWeb.ChannelProxyPlug do + @moduledoc false + @behaviour Plug + + import Plug.Conn + import Phoenix.Controller, only: [json: 2] + + alias Lightning.Channels + alias Lightning.Channels.ChannelEvent + alias Lightning.Channels.ChannelRequest + alias Lightning.Repo + alias LightningWeb.Auth + + require Logger + + @impl true + def init(opts), do: opts + + @impl true + def call(%Plug.Conn{path_info: ["channels", channel_id | rest]} = conn, _opts) do + metadata = %{channel_id: channel_id} + + :telemetry.span( + [:lightning, :channel_proxy, :request], + metadata, + fn -> + result = do_proxy(conn, channel_id, rest) + {result, metadata} + end + ) + end + + def call(conn, _opts), do: conn + + defp do_proxy(conn, channel_id, rest) do + with {:ok, channel} <- fetch_channel_with_telemetry(channel_id), + :ok <- authenticate_source(conn, channel) do + proxy_with_auth(conn, channel, rest) + else + :not_found -> error_response(conn, :not_found, "Not Found") + :unauthorized -> error_response(conn, :unauthorized, "Unauthorized") + end + end + + defp proxy_with_auth(conn, channel, rest) do + with {:ok, auth_header} <- resolve_sink_auth(channel), + {:ok, snapshot} <- Channels.get_or_create_current_snapshot(channel) do + forward_path = build_forward_path(rest) + + conn + |> proxy_upstream(channel, snapshot, forward_path, auth_header) + |> halt() + else + {:credential_error, reason} -> + handle_credential_error(conn, channel, reason) + + {:error, _} -> + error_response(conn, :internal_server_error, "Internal Server Error") + end + end + + defp authenticate_source(conn, channel) do + methods = + channel.source_auth_methods + |> Enum.map(& &1.webhook_auth_method) + |> Enum.reject(&is_nil/1) + + case methods do + [] -> :ok + _ -> check_source_auth(conn, methods) + end + end + + defp check_source_auth(conn, auth_methods) do + cond do + Auth.valid_key?(conn, auth_methods) or + Auth.valid_user?(conn, auth_methods) -> + :ok + + Auth.has_credentials?(conn) -> + :not_found + + true -> + :unauthorized + end + end + + defp fetch_channel_with_telemetry(channel_id) do + metadata = %{channel_id: channel_id} + + :telemetry.span( + [:lightning, :channel_proxy, :fetch_channel], + metadata, + fn -> + result = fetch_channel(channel_id) + {result, metadata} + end + ) + end + + defp proxy_upstream(conn, channel, snapshot, forward_path, auth_header) do + request_id = + conn + |> Plug.Conn.get_resp_header("x-request-id") + |> List.first() + + outbound_headers = build_outbound_headers(conn, auth_header) + + handler_state = %{ + channel: channel, + snapshot: snapshot, + request_id: request_id, + started_at: DateTime.utc_now(), + request_path: forward_path, + client_identity: get_client_identity(conn) + } + + metadata = %{ + channel_id: channel.id, + sink_url: channel.sink_url, + path: forward_path + } + + :telemetry.span( + [:lightning, :channel_proxy, :upstream], + metadata, + fn -> + result = + Weir.proxy(conn, + upstream: channel.sink_url, + path: forward_path, + headers: outbound_headers, + handler: {Lightning.Channels.Handler, handler_state} + ) + + {result, metadata} + end + ) + end + + defp fetch_channel(id) do + with {:ok, uuid} <- Ecto.UUID.cast(id), + %Channels.Channel{enabled: true} = channel <- + Channels.get_channel_with_auth(uuid) do + {:ok, channel} + else + _ -> :not_found + end + end + + defp build_forward_path([]), do: "/" + defp build_forward_path(segments), do: "/" <> Enum.join(segments, "/") + + defp get_client_identity(conn) do + case get_req_header(conn, "x-forwarded-for") do + [xff | _] -> xff |> String.split(",") |> List.first() |> String.trim() + [] -> conn.remote_ip |> :inet.ntoa() |> to_string() + end + end + + defp build_proxy_headers(conn) do + original_host = get_req_header(conn, "host") |> List.first("") + remote_ip = conn.remote_ip |> :inet.ntoa() |> to_string() + + existing_xff = get_req_header(conn, "x-forwarded-for") |> List.first() + + xff_value = + if existing_xff, do: "#{existing_xff}, #{remote_ip}", else: remote_ip + + [ + {"x-forwarded-for", xff_value}, + {"x-forwarded-host", original_host}, + {"x-forwarded-proto", to_string(conn.scheme)} + ] + end + + defp build_outbound_headers(conn, auth_header) do + proxy_headers = build_proxy_headers(conn) + + conn.req_headers + |> Kernel.++(proxy_headers) + |> maybe_set_auth(auth_header) + end + + defp maybe_set_auth(headers, nil), do: headers + + defp maybe_set_auth(headers, value) do + headers + |> Enum.reject(fn {k, _} -> String.downcase(k) == "authorization" end) + |> Kernel.++([{"authorization", value}]) + end + + defp resolve_sink_auth(channel) do + case channel.sink_auth_methods do + [] -> + {:ok, nil} + + [%{project_credential: %{credential: credential}}] -> + with {:ok, body} <- + Lightning.Credentials.resolve_credential_body( + credential, + "main" + ), + {:ok, header} <- + Channels.SinkAuth.build_auth_header(credential.schema, body) do + {:ok, header} + else + {:error, reason} -> {:credential_error, reason} + end + end + end + + defp handle_credential_error(conn, channel, reason) do + error_message = classify_credential_error(reason) + + case Channels.get_or_create_current_snapshot(channel) do + {:ok, snapshot} -> + record_credential_error(conn, channel, snapshot, error_message) + + {:error, _} -> + Logger.error( + "Failed to create snapshot for credential error on channel #{channel.id}" + ) + + error_response(conn, :bad_gateway, "Bad Gateway") + end + end + + defp record_credential_error(conn, channel, snapshot, error_message) do + now = DateTime.utc_now() + + request_id = + conn + |> Plug.Conn.get_resp_header("x-request-id") + |> List.first() + + with {:ok, channel_request} <- + %ChannelRequest{} + |> ChannelRequest.changeset(%{ + channel_id: channel.id, + channel_snapshot_id: snapshot.id, + request_id: request_id, + client_identity: get_client_identity(conn), + state: :error, + started_at: now, + completed_at: now + }) + |> Repo.insert(), + {:ok, _event} <- + %ChannelEvent{} + |> ChannelEvent.changeset(%{ + channel_request_id: channel_request.id, + type: :error, + request_method: conn.method, + request_path: conn.request_path, + error_message: error_message + }) + |> Repo.insert() do + :ok + else + {:error, changeset} -> + Logger.warning( + "Failed to record credential error for channel #{channel.id}: " <> + "#{inspect(changeset.errors)}" + ) + end + + error_response(conn, :bad_gateway, "Bad Gateway") + end + + defp error_response(conn, status, message) do + conn |> put_status(status) |> json(%{"error" => message}) |> halt() + end + + defp classify_credential_error(:environment_not_found), + do: "credential_environment_not_found" + + defp classify_credential_error(:no_auth_fields), + do: "credential_missing_auth_fields" + + defp classify_credential_error({:unsupported_schema, schema}), + do: "unsupported_credential_schema:#{schema}" + + defp classify_credential_error(:temporary_failure), + do: "oauth_refresh_failed" + + defp classify_credential_error(:reauthorization_required), + do: "oauth_reauthorization_required" +end diff --git a/lib/lightning_web/plugs/webhook_auth.ex b/lib/lightning_web/plugs/webhook_auth.ex index cad97d23985..5c5e521fcde 100644 --- a/lib/lightning_web/plugs/webhook_auth.ex +++ b/lib/lightning_web/plugs/webhook_auth.ex @@ -7,7 +7,7 @@ defmodule LightningWeb.Plugs.WebhookAuth do alias Lightning.Retry alias Lightning.Workflows - alias Lightning.Workflows.WebhookAuthMethod + alias LightningWeb.Auth require Logger @@ -92,10 +92,11 @@ defmodule LightningWeb.Plugs.WebhookAuth do defp check_auth(conn, auth_methods, trigger) do cond do - valid_key?(conn, auth_methods) or valid_user?(conn, auth_methods) -> + Auth.valid_key?(conn, auth_methods) or + Auth.valid_user?(conn, auth_methods) -> successful_response(conn, trigger) - authenticated_request(conn) -> + Auth.has_credentials?(conn) -> not_found_response(conn) true -> @@ -103,11 +104,6 @@ defmodule LightningWeb.Plugs.WebhookAuth do end end - defp authenticated_request(conn) do - conn |> get_req_header("x-api-key") != [] or - conn |> get_req_header("authorization") != [] - end - defp unauthorized_response(conn) do conn |> put_status(:unauthorized) @@ -121,46 +117,4 @@ defmodule LightningWeb.Plugs.WebhookAuth do |> json(%{"error" => "Webhook not found"}) |> halt() end - - defp valid_key?(conn, methods) do - Enum.any?(methods, &key_matches?(conn, &1)) - end - - defp key_matches?( - conn, - %WebhookAuthMethod{auth_type: :api, api_key: key} - ) do - get_req_header(conn, "x-api-key") - |> Enum.any?(fn header_value -> - Plug.Crypto.secure_compare(header_value, key) - end) - end - - defp key_matches?(_, _), do: false - - defp valid_user?(conn, methods) do - Enum.any?(methods, &user_matches?(conn, &1)) - end - - defp user_matches?(conn, %WebhookAuthMethod{ - auth_type: :basic, - username: expected_user, - password: expected_pass - }) do - get_req_header(conn, "authorization") - |> Enum.find_value(false, fn auth -> - with [scheme, b64] <- String.split(auth, " ", parts: 2), - true <- String.downcase(scheme) == "basic", - {:ok, decoded} <- Base.decode64(b64), - [user, pass] <- String.split(decoded, ":", parts: 2), - true <- Plug.Crypto.secure_compare(user, expected_user), - true <- Plug.Crypto.secure_compare(pass, expected_pass) do - true - else - _ -> false - end - end) - end - - defp user_matches?(_, _), do: false end diff --git a/lib/lightning_web/router.ex b/lib/lightning_web/router.ex index 1b3ac330598..8088d652d0c 100644 --- a/lib/lightning_web/router.ex +++ b/lib/lightning_web/router.ex @@ -244,6 +244,10 @@ defmodule LightningWeb.Router do live "/w/:id/legacy", WorkflowLive.Edit, :edit live "/w/:id", WorkflowLive.Collaborate, :edit + live "/channels", ChannelLive.Index, :index + live "/channels/new", ChannelLive.Index, :new + live "/channels/:id/edit", ChannelLive.Index, :edit + live "/sandboxes", SandboxLive.Index, :index live "/sandboxes/new", SandboxLive.Index, :new live "/sandboxes/:id/edit", SandboxLive.Index, :edit diff --git a/mix.exs b/mix.exs index 1dff9478c1c..01177f11163 100644 --- a/mix.exs +++ b/mix.exs @@ -152,11 +152,20 @@ defmodule Lightning.MixProject do {:eventually, "~> 1.1", only: [:test]}, {:benchee, "~> 1.5.0", only: :dev}, {:statistics, "~> 0.6", only: :dev}, + weir_dep(), {:y_ex, "~> 0.8.0"}, {:chameleon, "~> 2.5"} ] end + defp weir_dep do + if path = System.get_env("WEIR_PATH") do + {:weir, path: path} + else + {:weir, github: "OpenFn/weir"} + end + end + # Aliases are shortcuts or tasks specific to the current project. # For example, to install project dependencies and perform other setup tasks, run: # diff --git a/mix.lock b/mix.lock index 1ff96a874b5..86f8d95ef52 100644 --- a/mix.lock +++ b/mix.lock @@ -153,6 +153,7 @@ "unsafe": {:hex, :unsafe, "1.0.2", "23c6be12f6c1605364801f4b47007c0c159497d0446ad378b5cf05f1855c0581", [:mix], [], "hexpm", "b485231683c3ab01a9cd44cb4a79f152c6f3bb87358439c6f68791b85c2df675"}, "websock": {:hex, :websock, "0.5.3", "2f69a6ebe810328555b6fe5c831a851f485e303a7c8ce6c5f675abeb20ebdadc", [:mix], [], "hexpm", "6105453d7fac22c712ad66fab1d45abdf049868f253cf719b625151460b8b453"}, "websock_adapter": {:hex, :websock_adapter, "0.5.9", "43dc3ba6d89ef5dec5b1d0a39698436a1e856d000d84bf31a3149862b01a287f", [:mix], [{:bandit, ">= 0.6.0", [hex: :bandit, repo: "hexpm", optional: true]}, {:plug, "~> 1.14", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 2.6", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:websock, "~> 0.5", [hex: :websock, repo: "hexpm", optional: false]}], "hexpm", "5534d5c9adad3c18a0f58a9371220d75a803bf0b9a3d87e6fe072faaeed76a08"}, + "weir": {:git, "https://github.com/OpenFn/weir.git", "41e20bfd70845f29b15fed52f441de4719b48b27", []}, "y_ex": {:hex, :y_ex, "0.8.0", "e1591d97a487a15fe93eb29b88685d0ccb6f76403cdd2b8c60e9cebb9a2d204e", [:mix], [{:rustler, ">= 0.0.0", [hex: :rustler, repo: "hexpm", optional: true]}, {:rustler_precompiled, ">= 0.6.0", [hex: :rustler_precompiled, repo: "hexpm", optional: false]}], "hexpm", "d2ce875481c28896d5d9037d8cb5d859ddbcfb047dcfebdcd0d33c6ebfd3d506"}, "yex": {:hex, :yex, "0.0.1", "99ad1448ac9f7482b40fea8fc5ba23c92933a435b96935b079854e362e8b2353", [:mix], [{:rustler, "~> 0.32.1", [hex: :rustler, repo: "hexpm", optional: false]}], "hexpm", "8304c754ea0856f88f5f1f089191641393fae2791780a8b8865f7b4f9c6069b6"}, } diff --git a/priv/repo/migrations/20260210120112_create_channels_tables.exs b/priv/repo/migrations/20260210120112_create_channels_tables.exs new file mode 100644 index 00000000000..1bc548504ed --- /dev/null +++ b/priv/repo/migrations/20260210120112_create_channels_tables.exs @@ -0,0 +1,158 @@ +defmodule Lightning.Repo.Migrations.CreateChannelsTables do + use Ecto.Migration + + def change do + # --- channels --- + create table(:channels, primary_key: false) do + add :id, :binary_id, primary_key: true + + add :project_id, + references(:projects, type: :binary_id, on_delete: :delete_all), + null: false + + add :name, :string, null: false + add :sink_url, :string, null: false + + add :sink_project_credential_id, + references(:project_credentials, + type: :binary_id, + on_delete: :nilify_all + ) + + add :enabled, :boolean, null: false, default: true + add :lock_version, :integer, null: false, default: 0 + + timestamps() + end + + create index(:channels, [:project_id]) + create index(:channels, [:sink_project_credential_id]) + create unique_index(:channels, [:project_id, :name]) + + # --- channel_auth_methods --- + create table(:channel_auth_methods, primary_key: false) do + add :id, :binary_id, primary_key: true + + add :channel_id, + references(:channels, type: :binary_id, on_delete: :delete_all), + null: false + + add :role, :string, null: false + + add :webhook_auth_method_id, + references(:webhook_auth_methods, + type: :binary_id, + on_delete: :delete_all + ) + + add :project_credential_id, + references(:project_credentials, + type: :binary_id, + on_delete: :delete_all + ) + + timestamps() + end + + create index(:channel_auth_methods, [:channel_id]) + create index(:channel_auth_methods, [:webhook_auth_method_id]) + create index(:channel_auth_methods, [:project_credential_id]) + + create unique_index( + :channel_auth_methods, + [:channel_id, :role, :webhook_auth_method_id], + where: "webhook_auth_method_id IS NOT NULL", + name: :channel_auth_methods_wam_unique + ) + + create unique_index( + :channel_auth_methods, + [:channel_id, :role, :project_credential_id], + where: "project_credential_id IS NOT NULL", + name: :channel_auth_methods_pc_unique + ) + + # --- channel_snapshots --- + create table(:channel_snapshots, primary_key: false) do + add :id, :binary_id, primary_key: true + + add :channel_id, + references(:channels, type: :binary_id, on_delete: :restrict), + null: false + + add :lock_version, :integer, null: false + add :name, :string, null: false + add :sink_url, :string, null: false + add :sink_project_credential_id, :binary_id + add :sink_credential_name, :string + add :enabled, :boolean, null: false + + add :inserted_at, :utc_datetime_usec, null: false + end + + create unique_index(:channel_snapshots, [:channel_id, :lock_version]) + create index(:channel_snapshots, [:channel_id]) + + # --- channel_requests --- + create table(:channel_requests, primary_key: false) do + add :id, :binary_id, primary_key: true + + add :channel_id, + references(:channels, type: :binary_id, on_delete: :delete_all), + null: false + + add :channel_snapshot_id, + references(:channel_snapshots, + type: :binary_id, + on_delete: :restrict + ), + null: false + + add :request_id, :string, null: false + add :client_identity, :string + add :state, :string, null: false, default: "pending" + add :started_at, :utc_datetime_usec, null: false + add :completed_at, :utc_datetime_usec + end + + create index(:channel_requests, [:channel_id]) + create index(:channel_requests, [:channel_id, :started_at]) + create index(:channel_requests, [:channel_snapshot_id]) + create index(:channel_requests, [:state]) + create unique_index(:channel_requests, [:request_id]) + + # --- channel_events --- + create table(:channel_events, primary_key: false) do + add :id, :binary_id, primary_key: true + + add :channel_request_id, + references(:channel_requests, + type: :binary_id, + on_delete: :delete_all + ), + null: false + + add :type, :string, null: false + + add :request_method, :string + add :request_path, :string + add :request_headers, :text + add :request_body_preview, :text + add :request_body_hash, :string, size: 64 + + add :response_status, :smallint + add :response_headers, :text + add :response_body_preview, :text + add :response_body_hash, :string, size: 64 + + add :latency_ms, :integer + add :ttfb_ms, :integer + add :error_message, :text + + add :inserted_at, :utc_datetime_usec, null: false + end + + create index(:channel_events, [:channel_request_id]) + create index(:channel_events, [:type]) + end +end diff --git a/priv/repo/migrations/20260219121000_remove_sink_credential_direct_fk.exs b/priv/repo/migrations/20260219121000_remove_sink_credential_direct_fk.exs new file mode 100644 index 00000000000..5bd117296e3 --- /dev/null +++ b/priv/repo/migrations/20260219121000_remove_sink_credential_direct_fk.exs @@ -0,0 +1,14 @@ +defmodule Lightning.Repo.Migrations.RemoveSinkCredentialDirectFk do + use Ecto.Migration + + def change do + alter table(:channels) do + remove :sink_project_credential_id, references(:project_credentials) + end + + alter table(:channel_snapshots) do + remove :sink_project_credential_id, :binary_id + remove :sink_credential_name, :string + end + end +end diff --git a/test/lightning/channels/channel_auth_method_test.exs b/test/lightning/channels/channel_auth_method_test.exs new file mode 100644 index 00000000000..48039787f0e --- /dev/null +++ b/test/lightning/channels/channel_auth_method_test.exs @@ -0,0 +1,133 @@ +defmodule Lightning.Channels.ChannelAuthMethodTest do + use Lightning.DataCase, async: true + + alias Lightning.Channels.ChannelAuthMethod + + import Lightning.Factories + + describe "changeset/2" do + test "valid source auth method with webhook_auth_method" do + channel = insert(:channel) + wam = insert(:webhook_auth_method, project: channel.project) + + changeset = + ChannelAuthMethod.changeset(%ChannelAuthMethod{}, %{ + role: :source, + channel_id: channel.id, + webhook_auth_method_id: wam.id + }) + + assert changeset.valid? + end + + test "valid sink auth method with project_credential" do + channel = insert(:channel) + project_credential = insert(:project_credential, project: channel.project) + + changeset = + ChannelAuthMethod.changeset(%ChannelAuthMethod{}, %{ + role: :sink, + channel_id: channel.id, + project_credential_id: project_credential.id + }) + + assert changeset.valid? + end + + test "rejects both FKs set (exclusive)" do + channel = insert(:channel) + wam = insert(:webhook_auth_method, project: channel.project) + project_credential = insert(:project_credential, project: channel.project) + + changeset = + ChannelAuthMethod.changeset(%ChannelAuthMethod{}, %{ + role: :source, + channel_id: channel.id, + webhook_auth_method_id: wam.id, + project_credential_id: project_credential.id + }) + + refute changeset.valid? + + assert %{webhook_auth_method_id: [msg]} = errors_on(changeset) + assert msg =~ "mutually exclusive" + end + + test "rejects neither FK set (one_required)" do + channel = insert(:channel) + + changeset = + ChannelAuthMethod.changeset(%ChannelAuthMethod{}, %{ + role: :source, + channel_id: channel.id + }) + + refute changeset.valid? + + assert %{webhook_auth_method_id: [msg]} = errors_on(changeset) + assert msg =~ "must reference either" + end + + test "rejects source role with project_credential_id" do + channel = insert(:channel) + project_credential = insert(:project_credential, project: channel.project) + + changeset = + ChannelAuthMethod.changeset(%ChannelAuthMethod{}, %{ + role: :source, + channel_id: channel.id, + project_credential_id: project_credential.id + }) + + refute changeset.valid? + + assert %{project_credential_id: [msg]} = errors_on(changeset) + assert msg =~ "source auth must use a webhook auth method" + end + + test "rejects sink role with webhook_auth_method_id" do + channel = insert(:channel) + wam = insert(:webhook_auth_method, project: channel.project) + + changeset = + ChannelAuthMethod.changeset(%ChannelAuthMethod{}, %{ + role: :sink, + channel_id: channel.id, + webhook_auth_method_id: wam.id + }) + + refute changeset.valid? + + assert %{webhook_auth_method_id: [msg]} = errors_on(changeset) + assert msg =~ "sink auth must use a project credential" + end + + test "requires role" do + changeset = ChannelAuthMethod.changeset(%ChannelAuthMethod{}, %{}) + + refute changeset.valid? + assert %{role: _} = errors_on(changeset) + end + + test "unique constraint on channel + role + webhook_auth_method_id" do + channel = insert(:channel) + wam = insert(:webhook_auth_method, project: channel.project) + + insert(:channel_auth_method, + channel: channel, + role: :source, + webhook_auth_method: wam + ) + + assert {:error, changeset} = + %ChannelAuthMethod{channel_id: channel.id} + |> ChannelAuthMethod.changeset(%{ + role: :source, + webhook_auth_method_id: wam.id + }) + |> Lightning.Repo.insert() + + assert %{webhook_auth_method_id: _} = errors_on(changeset) + end + end +end diff --git a/test/lightning/channels/handler_test.exs b/test/lightning/channels/handler_test.exs new file mode 100644 index 00000000000..433e6e83e41 --- /dev/null +++ b/test/lightning/channels/handler_test.exs @@ -0,0 +1,234 @@ +defmodule Lightning.Channels.HandlerTest do + use Lightning.DataCase, async: true + + alias Lightning.Channels.Handler + alias Lightning.Channels.{ChannelRequest, ChannelEvent} + + import Lightning.Factories + + setup do + channel = insert(:channel) + + snapshot = + insert(:channel_snapshot, + channel: channel, + lock_version: channel.lock_version + ) + + initial_state = %{ + channel: channel, + snapshot: snapshot, + request_id: Ecto.UUID.generate(), + started_at: DateTime.utc_now(), + request_path: "/test/path", + client_identity: "127.0.0.1" + } + + %{channel: channel, snapshot: snapshot, state: initial_state} + end + + describe "handle_request_started/2" do + test "creates a ChannelRequest in pending state", %{state: state} do + metadata = request_metadata() + + assert {:ok, new_state} = Handler.handle_request_started(metadata, state) + + assert %ChannelRequest{} = new_state.channel_request + assert new_state.channel_request.state == :pending + assert new_state.channel_request.request_id == state.request_id + assert new_state.channel_request.channel_id == state.channel.id + assert new_state.channel_request.channel_snapshot_id == state.snapshot.id + assert new_state.channel_request.client_identity == "127.0.0.1" + + # Persisted in DB + assert Repo.get!(ChannelRequest, new_state.channel_request.id) + end + + test "rejects with 503 on DB failure", %{state: state} do + bad_state = %{state | channel: %{state.channel | id: Ecto.UUID.generate()}} + metadata = request_metadata() + + assert {:reject, 503, "Service Unavailable", ^bad_state} = + Handler.handle_request_started(metadata, bad_state) + end + + test "redacts sensitive headers in state", %{state: state} do + metadata = + request_metadata( + headers: [ + {"authorization", "Bearer secret-token"}, + {"x-api-key", "my-api-key"}, + {"content-type", "application/json"} + ] + ) + + assert {:ok, new_state} = Handler.handle_request_started(metadata, state) + + assert [ + {"authorization", "[REDACTED]"}, + {"x-api-key", "[REDACTED]"}, + {"content-type", "application/json"} + ] = new_state.request_headers + end + + test "stores request method in state", %{state: state} do + metadata = request_metadata(method: "POST") + + assert {:ok, new_state} = Handler.handle_request_started(metadata, state) + assert new_state.request_method == "POST" + end + end + + describe "handle_response_started/2" do + test "captures TTFB and response headers", %{state: state} do + metadata = %{ + status: 200, + headers: [ + {"content-type", "application/json"}, + {"authorization", "Bearer upstream-token"} + ], + content_type: "application/json", + time_to_first_byte_us: 15_000 + } + + assert {:ok, new_state} = + Handler.handle_response_started(metadata, state) + + assert new_state.ttfb_us == 15_000 + assert new_state.response_status == 200 + + assert [ + {"content-type", "application/json"}, + {"authorization", "[REDACTED]"} + ] = new_state.response_headers + end + end + + describe "handle_response_finished/2" do + setup %{state: state} do + # Create a ChannelRequest first, since handle_response_finished needs it + metadata = request_metadata() + {:ok, state} = Handler.handle_request_started(metadata, state) + + # Add response_started state + state = + Map.merge(state, %{ + ttfb_us: 10_000, + response_status: 200, + response_headers: [{"content-type", "text/plain"}] + }) + + %{state: state} + end + + test "creates ChannelEvent with correct fields", %{state: state} do + result = finished_result(status: 200, duration_us: 50_000) + + assert {:ok, _state} = Handler.handle_response_finished(result, state) + + event = Repo.one!(ChannelEvent) + assert event.channel_request_id == state.channel_request.id + assert event.type == :sink_response + assert event.request_method == state.request_method + assert event.request_path == "/test/path" + assert event.response_status == 200 + assert event.latency_ms == 50 + assert event.ttfb_ms == 10 + assert event.error_message == nil + end + + test "updates ChannelRequest state to success for 2xx", %{state: state} do + result = finished_result(status: 200) + Handler.handle_response_finished(result, state) + + request = Repo.get!(ChannelRequest, state.channel_request.id) + assert request.state == :success + assert request.completed_at != nil + end + + test "updates ChannelRequest state to failed for 4xx", %{state: state} do + state = %{state | response_status: 404} + result = finished_result(status: 404) + Handler.handle_response_finished(result, state) + + request = Repo.get!(ChannelRequest, state.channel_request.id) + assert request.state == :failed + end + + test "updates ChannelRequest state to timeout on timeout error", %{ + state: state + } do + result = finished_result(status: nil, error: {:timeout, :recv_response}) + Handler.handle_response_finished(result, state) + + request = Repo.get!(ChannelRequest, state.channel_request.id) + assert request.state == :timeout + end + + test "updates ChannelRequest state to error on other errors", %{ + state: state + } do + result = + finished_result( + status: nil, + error: %Mint.TransportError{reason: :econnrefused} + ) + + Handler.handle_response_finished(result, state) + + request = Repo.get!(ChannelRequest, state.channel_request.id) + assert request.state == :error + end + + test "creates error event type when error present", %{state: state} do + result = finished_result(status: nil, error: :some_error) + Handler.handle_response_finished(result, state) + + event = Repo.one!(ChannelEvent) + assert event.type == :error + assert event.error_message != nil + end + end + + # Helpers + + defp request_metadata(overrides \\ []) do + %{ + upstream_url: + Keyword.get(overrides, :upstream_url, "http://localhost:4999"), + method: Keyword.get(overrides, :method, "GET"), + headers: + Keyword.get(overrides, :headers, [ + {"content-type", "application/json"}, + {"host", "localhost"} + ]), + content_type: Keyword.get(overrides, :content_type, "application/json"), + started_at: + Keyword.get(overrides, :started_at, System.monotonic_time(:microsecond)) + } + end + + defp finished_result(overrides) do + observation = %{ + hash: "abc123", + size: 100, + body: nil, + preview: "test body", + duration_us: 1000, + time_to_first_byte_us: 500 + } + + %{ + request_observation: + Keyword.get(overrides, :request_observation, observation), + response_observation: + Keyword.get(overrides, :response_observation, observation), + error: Keyword.get(overrides, :error, nil), + upstream_url: + Keyword.get(overrides, :upstream_url, "http://localhost:4999"), + method: Keyword.get(overrides, :method, "GET"), + status: Keyword.get(overrides, :status, 200), + duration_us: Keyword.get(overrides, :duration_us, 10_000) + } + end +end diff --git a/test/lightning/channels/sink_auth_test.exs b/test/lightning/channels/sink_auth_test.exs new file mode 100644 index 00000000000..b1c21b86ad8 --- /dev/null +++ b/test/lightning/channels/sink_auth_test.exs @@ -0,0 +1,115 @@ +defmodule Lightning.Channels.SinkAuthTest do + use ExUnit.Case, async: true + + alias Lightning.Channels.SinkAuth + + describe "supported_schemas/0" do + test "returns expected schemas" do + assert SinkAuth.supported_schemas() == ["http", "dhis2", "oauth"] + end + end + + describe "build_auth_header/2 with http schema" do + test "Bearer token from access_token" do + assert {:ok, "Bearer tok-123"} = + SinkAuth.build_auth_header("http", %{"access_token" => "tok-123"}) + end + + test "Basic auth from username and password" do + expected = "Basic #{Base.encode64("user:pass")}" + + assert {:ok, ^expected} = + SinkAuth.build_auth_header("http", %{ + "username" => "user", + "password" => "pass" + }) + end + + test "access_token takes priority over username/password" do + assert {:ok, "Bearer tok-priority"} = + SinkAuth.build_auth_header("http", %{ + "access_token" => "tok-priority", + "username" => "user", + "password" => "pass" + }) + end + + test "error when no auth fields present" do + assert {:error, :no_auth_fields} = + SinkAuth.build_auth_header("http", %{ + "baseUrl" => "https://example.com" + }) + end + + test "error when body is empty" do + assert {:error, :no_auth_fields} = + SinkAuth.build_auth_header("http", %{}) + end + end + + describe "build_auth_header/2 with dhis2 schema" do + test "ApiToken from pat" do + assert {:ok, "ApiToken d2pat_abc"} = + SinkAuth.build_auth_header("dhis2", %{"pat" => "d2pat_abc"}) + end + + test "Basic auth from username and password" do + expected = "Basic #{Base.encode64("admin:secret")}" + + assert {:ok, ^expected} = + SinkAuth.build_auth_header("dhis2", %{ + "username" => "admin", + "password" => "secret" + }) + end + + test "pat takes priority over username/password" do + assert {:ok, "ApiToken my-pat"} = + SinkAuth.build_auth_header("dhis2", %{ + "pat" => "my-pat", + "username" => "admin", + "password" => "secret" + }) + end + + test "error when no auth fields present" do + assert {:error, :no_auth_fields} = + SinkAuth.build_auth_header("dhis2", %{ + "hostUrl" => "https://play.dhis2.org" + }) + end + end + + describe "build_auth_header/2 with oauth schema" do + test "Bearer token from access_token" do + assert {:ok, "Bearer oauth-tok"} = + SinkAuth.build_auth_header("oauth", %{ + "access_token" => "oauth-tok" + }) + end + + test "error when no access_token" do + assert {:error, :no_auth_fields} = + SinkAuth.build_auth_header("oauth", %{ + "refresh_token" => "refresh-only" + }) + end + + test "error when body is empty" do + assert {:error, :no_auth_fields} = + SinkAuth.build_auth_header("oauth", %{}) + end + end + + describe "build_auth_header/2 with unsupported schemas" do + test "raw schema returns unsupported error" do + assert {:error, {:unsupported_schema, "raw"}} = + SinkAuth.build_auth_header("raw", %{"key" => "val"}) + end + + test "postgresql schema returns unsupported error" do + assert {:error, {:unsupported_schema, "postgresql"}} = + SinkAuth.build_auth_header("postgresql", %{"host" => "localhost"}) + end + end +end diff --git a/test/lightning/channels_test.exs b/test/lightning/channels_test.exs new file mode 100644 index 00000000000..9a28187ceb9 --- /dev/null +++ b/test/lightning/channels_test.exs @@ -0,0 +1,792 @@ +defmodule Lightning.ChannelsTest do + use Lightning.DataCase, async: true + + import Ecto.Query + + alias Lightning.Auditing.Audit + alias Lightning.Channels + alias Lightning.Channels.Channel + alias Lightning.Channels.ChannelAuthMethod + alias Lightning.Channels.ChannelRequest + alias Lightning.Channels.ChannelSnapshot + + describe "list_channels_for_project/1" do + test "returns channels for a project ordered by name" do + project = insert(:project) + insert(:channel, project: project, name: "bravo") + insert(:channel, project: project, name: "alpha") + insert(:channel, project: build(:project), name: "other") + + channels = Channels.list_channels_for_project(project.id) + + assert length(channels) == 2 + assert [%Channel{name: "alpha"}, %Channel{name: "bravo"}] = channels + end + + test "returns empty list when project has no channels" do + project = insert(:project) + assert Channels.list_channels_for_project(project.id) == [] + end + end + + describe "list_channels_for_project_with_stats/1" do + test "returns empty list for project with no channels" do + project = insert(:project) + + assert Channels.list_channels_for_project_with_stats(project.id) == [] + end + + test "returns correct request_count and last_activity for a channel with requests" do + project = insert(:project) + channel = insert(:channel, project: project) + {:ok, snapshot} = Channels.get_or_create_current_snapshot(channel) + + t1 = ~U[2025-01-01 10:00:00.000000Z] + t2 = ~U[2025-01-02 12:00:00.000000Z] + + Lightning.Repo.insert!(%ChannelRequest{ + channel_id: channel.id, + channel_snapshot_id: snapshot.id, + request_id: "req-stats-1", + state: :success, + started_at: t1 + }) + + Lightning.Repo.insert!(%ChannelRequest{ + channel_id: channel.id, + channel_snapshot_id: snapshot.id, + request_id: "req-stats-2", + state: :success, + started_at: t2 + }) + + results = Channels.list_channels_for_project_with_stats(project.id) + + assert [ + %{ + channel: %Channel{id: channel_id}, + request_count: 2, + last_activity: ^t2 + } + ] = results + + assert channel_id == channel.id + end + + test "last_activity is nil when no requests exist" do + project = insert(:project) + insert(:channel, project: project) + + [result] = Channels.list_channels_for_project_with_stats(project.id) + + assert %{request_count: 0, last_activity: nil} = result + end + + test "returns multiple channels ordered by name with independent stats" do + project = insert(:project) + channel_b = insert(:channel, project: project, name: "bravo") + channel_a = insert(:channel, project: project, name: "alpha") + + {:ok, snapshot_b} = Channels.get_or_create_current_snapshot(channel_b) + + Lightning.Repo.insert!(%ChannelRequest{ + channel_id: channel_b.id, + channel_snapshot_id: snapshot_b.id, + request_id: "req-stats-3", + state: :success, + started_at: ~U[2025-06-01 00:00:00.000000Z] + }) + + results = Channels.list_channels_for_project_with_stats(project.id) + + assert [ + %{channel: %Channel{name: "alpha"}, request_count: 0}, + %{channel: %Channel{name: "bravo"}, request_count: 1} + ] = results + + assert Enum.find(results, &(&1.channel.id == channel_a.id)).last_activity == + nil + end + + test "excludes channels from other projects" do + project = insert(:project) + other_project = insert(:project) + insert(:channel, project: project, name: "mine") + insert(:channel, project: other_project, name: "theirs") + + results = Channels.list_channels_for_project_with_stats(project.id) + + assert length(results) == 1 + assert hd(results).channel.name == "mine" + end + end + + describe "get_channel!/1" do + test "returns the channel" do + channel = insert(:channel) + assert Channels.get_channel!(channel.id).id == channel.id + end + + test "raises on not found" do + assert_raise Ecto.NoResultsError, fn -> + Channels.get_channel!(Ecto.UUID.generate()) + end + end + end + + describe "create_channel/2" do + setup do + %{user: insert(:user)} + end + + test "emits 'auth_method_added' for each auth method on create", %{ + user: user + } do + project = insert(:project) + wam = insert(:webhook_auth_method, project: project) + + attrs = %{ + name: "my channel", + sink_url: "https://example.com", + project_id: project.id, + channel_auth_methods: [ + %{webhook_auth_method_id: wam.id, role: :source} + ] + } + + {:ok, channel} = Channels.create_channel(attrs, actor: user) + + events = + Repo.all( + from a in Audit, + where: a.item_id == ^channel.id and a.item_type == "channel" + ) + + added = Enum.filter(events, &(&1.event == "auth_method_added")) + + assert length(added) == 1 + + assert hd(added).changes.after == %{ + "role" => "source", + "webhook_auth_method_id" => wam.id + } + end + + test "does not emit auth method audit events when created with no auth methods", + %{user: user} do + project = insert(:project) + + attrs = %{ + name: "bare", + sink_url: "https://example.com", + project_id: project.id + } + + {:ok, channel} = Channels.create_channel(attrs, actor: user) + + events = + Repo.all( + from a in Audit, + where: a.item_id == ^channel.id and a.item_type == "channel" + ) + + refute Enum.any?( + events, + &(&1.event in ["auth_method_added", "auth_method_removed"]) + ) + end + + test "creates a channel with valid attrs and records audit event", %{ + user: user + } do + project = insert(:project) + + assert {:ok, %Channel{} = channel} = + Channels.create_channel( + %{ + name: "my-channel", + sink_url: "https://example.com/sink", + project_id: project.id + }, + actor: user + ) + + assert %{ + name: "my-channel", + enabled: true, + lock_version: 1 + } = channel + + assert [audit] = + Repo.all( + from a in Audit, + where: a.item_id == ^channel.id and a.item_type == "channel" + ) + + assert %{event: "created", actor_id: actor_id} = audit + assert actor_id == user.id + end + + test "returns error on missing required fields", %{user: user} do + assert {:error, changeset} = + Channels.create_channel(%{}, actor: user) + + assert %{name: _, sink_url: _, project_id: _} = errors_on(changeset) + end + + test "returns error for non-URL sink_url", %{user: user} do + project = insert(:project) + + assert {:error, changeset} = + Channels.create_channel( + %{ + name: "bad-sink", + sink_url: "not a url", + project_id: project.id + }, + actor: user + ) + + assert %{sink_url: ["must be a valid URL"]} = errors_on(changeset) + end + + test "returns error for non-http scheme sink_url", %{user: user} do + project = insert(:project) + + assert {:error, changeset} = + Channels.create_channel( + %{ + name: "ftp-sink", + sink_url: "ftp://example.com", + project_id: project.id + }, + actor: user + ) + + assert %{sink_url: ["must be either a http or https URL"]} = + errors_on(changeset) + end + + test "accepts valid http and https sink_urls", %{user: user} do + project = insert(:project) + + assert {:ok, _} = + Channels.create_channel( + %{ + name: "http-sink", + sink_url: "http://example.com/path", + project_id: project.id + }, + actor: user + ) + + assert {:ok, _} = + Channels.create_channel( + %{ + name: "https-sink", + sink_url: "https://example.com/path", + project_id: project.id + }, + actor: user + ) + end + + test "returns error on duplicate name within project", %{user: user} do + channel = insert(:channel) + + assert {:error, changeset} = + Channels.create_channel( + %{ + name: channel.name, + sink_url: "https://example.com/other", + project_id: channel.project_id + }, + actor: user + ) + + assert %{project_id: _} = errors_on(changeset) + end + end + + describe "update_channel/3" do + setup do + %{user: insert(:user)} + end + + test "emits 'auth_method_added' for each added source auth method", %{ + user: user + } do + project = insert(:project) + wam = insert(:webhook_auth_method, project: project) + + channel = + insert(:channel, project: project) + |> Repo.preload(:channel_auth_methods) + + params = %{ + "channel_auth_methods" => [ + %{"webhook_auth_method_id" => wam.id, "role" => "source"} + ] + } + + {:ok, _} = Channels.update_channel(channel, params, actor: user) + + events = + Repo.all( + from a in Audit, + where: a.item_id == ^channel.id and a.item_type == "channel" + ) + + added = Enum.filter(events, &(&1.event == "auth_method_added")) + + assert length(added) == 1 + + assert %{ + changes: %{ + after: %{"role" => "source", "webhook_auth_method_id" => wam_id}, + before: nil + } + } = hd(added) + + assert wam_id == wam.id + end + + test "emits 'auth_method_added' for each added sink auth method", %{ + user: user + } do + project = insert(:project) + pc = insert(:project_credential, project: project) + + channel = + insert(:channel, project: project) + |> Repo.preload(:channel_auth_methods) + + params = %{ + "channel_auth_methods" => [ + %{"project_credential_id" => pc.id, "role" => "sink"} + ] + } + + {:ok, _} = Channels.update_channel(channel, params, actor: user) + + events = + Repo.all( + from a in Audit, + where: a.item_id == ^channel.id and a.item_type == "channel" + ) + + added = Enum.filter(events, &(&1.event == "auth_method_added")) + + assert length(added) == 1 + + assert %{ + changes: %{ + after: %{"role" => "sink", "project_credential_id" => pc_id}, + before: nil + } + } = hd(added) + + assert pc_id == pc.id + end + + test "emits 'auth_method_removed' for each removed source auth method", %{ + user: user + } do + project = insert(:project) + wam = insert(:webhook_auth_method, project: project) + channel = insert(:channel, project: project) + + cam = + insert(:channel_auth_method, + channel: channel, + webhook_auth_method: wam, + role: :source + ) + + channel = Repo.preload(channel, :channel_auth_methods) + + params = %{ + "channel_auth_methods" => [ + %{"id" => cam.id, "delete" => "true"} + ] + } + + {:ok, _} = Channels.update_channel(channel, params, actor: user) + + events = + Repo.all( + from a in Audit, + where: a.item_id == ^channel.id and a.item_type == "channel" + ) + + removed = Enum.filter(events, &(&1.event == "auth_method_removed")) + + assert length(removed) == 1 + + assert %{ + changes: %{ + before: %{ + "role" => "source", + "webhook_auth_method_id" => wam_id + }, + after: nil + } + } = hd(removed) + + assert wam_id == wam.id + end + + test "emits 'auth_method_removed' for each removed sink auth method", %{ + user: user + } do + project = insert(:project) + pc = insert(:project_credential, project: project) + channel = insert(:channel, project: project) + + cam = + insert(:channel_auth_method, + channel: channel, + webhook_auth_method: nil, + project_credential: pc, + role: :sink + ) + + channel = Repo.preload(channel, :channel_auth_methods) + + params = %{ + "channel_auth_methods" => [ + %{"id" => cam.id, "delete" => "true"} + ] + } + + {:ok, _} = Channels.update_channel(channel, params, actor: user) + + events = + Repo.all( + from a in Audit, + where: a.item_id == ^channel.id and a.item_type == "channel" + ) + + removed = Enum.filter(events, &(&1.event == "auth_method_removed")) + + assert length(removed) == 1 + + assert %{ + changes: %{ + before: %{"role" => "sink", "project_credential_id" => pc_id}, + after: nil + } + } = hd(removed) + + assert pc_id == pc.id + end + + test "does not emit auth method audit events when no auth methods change", %{ + user: user + } do + project = insert(:project) + channel = insert(:channel, project: project) + + {:ok, _} = + Channels.update_channel(channel, %{name: "new name"}, actor: user) + + events = + Repo.all( + from a in Audit, + where: a.item_id == ^channel.id and a.item_type == "channel" + ) + + refute Enum.any?( + events, + &(&1.event in ["auth_method_added", "auth_method_removed"]) + ) + end + + test "updates config fields, bumps lock_version, and records audit event", + %{user: user} do + channel = insert(:channel) + + assert {:ok, updated} = + Channels.update_channel(channel, %{name: "new-name"}, actor: user) + + assert %{name: "new-name", lock_version: lock_version} = updated + assert lock_version == channel.lock_version + 1 + + assert [audit] = + Repo.all( + from a in Audit, + where: + a.item_id == ^channel.id and a.item_type == "channel" and + a.event == "updated" + ) + + assert audit.actor_id == user.id + end + + test "returns stale error on lock_version conflict", %{user: user} do + channel = insert(:channel) + + # Simulate concurrent update by updating lock_version in DB + {1, _} = + Lightning.Repo.update_all( + from(c in Channel, where: c.id == ^channel.id), + set: [lock_version: channel.lock_version + 1] + ) + + assert {:error, changeset} = + Channels.update_channel(channel, %{name: "stale-update"}, + actor: user + ) + + assert changeset.errors[:lock_version] + end + end + + describe "delete_channel/2" do + setup do + %{user: insert(:user)} + end + + test "deletes a channel with no snapshots and records audit event", %{ + user: user + } do + channel = insert(:channel) + channel_id = channel.id + + assert {:ok, %Channel{}} = Channels.delete_channel(channel, actor: user) + + assert_raise Ecto.NoResultsError, fn -> + Channels.get_channel!(channel_id) + end + + assert [audit] = + Repo.all( + from a in Audit, + where: + a.item_id == ^channel_id and a.item_type == "channel" and + a.event == "deleted" + ) + + assert audit.actor_id == user.id + end + + test "returns error when channel has snapshots", %{user: user} do + channel = insert(:channel) + insert(:channel_snapshot, channel: channel) + + assert {:error, changeset} = Channels.delete_channel(channel, actor: user) + assert %{channel_snapshots: _} = errors_on(changeset) + end + end + + describe "get_channel_with_auth/1" do + test "returns channel with preloaded source auth methods" do + project = insert(:project) + + channel = + insert(:channel, + project: project, + channel_auth_methods: [ + build(:channel_auth_method, + role: :source, + webhook_auth_method: + build(:webhook_auth_method, + project: project, + auth_type: :api, + api_key: "test-key" + ) + ) + ] + ) + + result = Channels.get_channel_with_auth(channel.id) + + assert result.id == channel.id + assert length(result.source_auth_methods) == 1 + + [cam] = result.source_auth_methods + assert cam.role == :source + assert cam.webhook_auth_method.auth_type == :api + assert cam.webhook_auth_method.api_key == "test-key" + end + + test "returns channel with empty source_auth_methods when none configured" do + channel = insert(:channel) + + result = Channels.get_channel_with_auth(channel.id) + + assert result.id == channel.id + assert result.source_auth_methods == [] + end + + test "returns nil for non-existent channel" do + assert Channels.get_channel_with_auth(Ecto.UUID.generate()) == nil + end + end + + describe "list_channel_auth_methods/1" do + test "returns empty list for a channel with no auth methods" do + channel = insert(:channel) + assert Channels.list_channel_auth_methods(channel) == [] + end + + test "returns preloaded source and sink records for a channel with both" do + project = insert(:project) + wam = insert(:webhook_auth_method, project: project) + pc = insert(:project_credential, project: project) + + channel = + insert(:channel, + project: project, + channel_auth_methods: [ + build(:channel_auth_method, + role: :source, + webhook_auth_method: wam + ), + build(:channel_auth_method, + role: :sink, + webhook_auth_method: nil, + project_credential: pc + ) + ] + ) + + cams = Channels.list_channel_auth_methods(channel) + + assert length(cams) == 2 + + source = Enum.find(cams, &(&1.role == :source)) + sink = Enum.find(cams, &(&1.role == :sink)) + + assert %ChannelAuthMethod{ + role: :source, + webhook_auth_method_id: wam_id, + webhook_auth_method: %{id: preloaded_wam_id} + } = source + + assert wam_id == wam.id + assert preloaded_wam_id == wam.id + + assert %ChannelAuthMethod{ + role: :sink, + project_credential_id: pc_id, + project_credential: %{id: preloaded_pc_id} + } = sink + + assert pc_id == pc.id + assert preloaded_pc_id == pc.id + end + end + + describe "get_channel_stats_for_project/1" do + test "returns zeros for a project with no channels" do + project = insert(:project) + + assert %{total_channels: 0, total_requests: 0} = + Channels.get_channel_stats_for_project(project.id) + end + + test "counts channels correctly" do + project = insert(:project) + insert(:channel, project: project) + insert(:channel, project: project) + + assert %{total_channels: 2} = + Channels.get_channel_stats_for_project(project.id) + end + + test "sums requests across all channels" do + project = insert(:project) + channel1 = insert(:channel, project: project) + channel2 = insert(:channel, project: project) + {:ok, snapshot1} = Channels.get_or_create_current_snapshot(channel1) + {:ok, snapshot2} = Channels.get_or_create_current_snapshot(channel2) + + Lightning.Repo.insert!(%ChannelRequest{ + channel_id: channel1.id, + channel_snapshot_id: snapshot1.id, + request_id: "stats-r1", + state: :success, + started_at: DateTime.utc_now() + }) + + Lightning.Repo.insert!(%ChannelRequest{ + channel_id: channel1.id, + channel_snapshot_id: snapshot1.id, + request_id: "stats-r2", + state: :success, + started_at: DateTime.utc_now() + }) + + Lightning.Repo.insert!(%ChannelRequest{ + channel_id: channel2.id, + channel_snapshot_id: snapshot2.id, + request_id: "stats-r3", + state: :success, + started_at: DateTime.utc_now() + }) + + assert %{total_requests: 3} = + Channels.get_channel_stats_for_project(project.id) + end + + test "does not count requests from other projects" do + project = insert(:project) + other_channel = insert(:channel) + {:ok, snapshot} = Channels.get_or_create_current_snapshot(other_channel) + + Lightning.Repo.insert!(%ChannelRequest{ + channel_id: other_channel.id, + channel_snapshot_id: snapshot.id, + request_id: "stats-other-r1", + state: :success, + started_at: DateTime.utc_now() + }) + + assert %{total_requests: 0} = + Channels.get_channel_stats_for_project(project.id) + end + end + + describe "get_or_create_current_snapshot/1" do + setup do + %{user: insert(:user)} + end + + test "creates snapshot on first call" do + channel = insert(:channel) + + assert {:ok, %ChannelSnapshot{} = snapshot} = + Channels.get_or_create_current_snapshot(channel) + + assert snapshot.channel_id == channel.id + assert snapshot.lock_version == channel.lock_version + assert snapshot.name == channel.name + assert snapshot.sink_url == channel.sink_url + assert snapshot.enabled == channel.enabled + end + + test "returns existing snapshot on same lock_version" do + channel = insert(:channel) + + {:ok, snapshot1} = Channels.get_or_create_current_snapshot(channel) + {:ok, snapshot2} = Channels.get_or_create_current_snapshot(channel) + + assert snapshot1.id == snapshot2.id + end + + test "creates new snapshot on different lock_version", %{user: user} do + channel = insert(:channel) + {:ok, snapshot1} = Channels.get_or_create_current_snapshot(channel) + + {:ok, updated} = + Channels.update_channel(channel, %{name: "updated-name"}, actor: user) + + {:ok, snapshot2} = Channels.get_or_create_current_snapshot(updated) + + assert snapshot1.id != snapshot2.id + assert snapshot2.lock_version == updated.lock_version + assert snapshot2.name == "updated-name" + end + end +end diff --git a/test/lightning/config/bootstrap_test.exs b/test/lightning/config/bootstrap_test.exs index aef252cbdb4..ec4ca192cf6 100644 --- a/test/lightning/config/bootstrap_test.exs +++ b/test/lightning/config/bootstrap_test.exs @@ -747,6 +747,50 @@ defmodule Lightning.Config.BootstrapTest do end end + describe "live debugger (dev)" do + test "does not set :ip or :external_url by default" do + Dotenvy.source([%{}]) + Bootstrap.configure() + + assert get_env(:live_debugger, :ip) == nil + assert get_env(:live_debugger, :external_url) == nil + end + + test "LIVE_DEBUGGER_IP is parsed into a tuple" do + Dotenvy.source([%{"LIVE_DEBUGGER_IP" => "0.0.0.0"}]) + Bootstrap.configure() + + assert get_env(:live_debugger, :ip) == {0, 0, 0, 0} + end + + test "LIVE_DEBUGGER_EXTERNAL_URL is stored as a string" do + Dotenvy.source([ + %{"LIVE_DEBUGGER_EXTERNAL_URL" => "http://dev-elixir.local:4007"} + ]) + + Bootstrap.configure() + + assert get_env(:live_debugger, :external_url) == + "http://dev-elixir.local:4007" + end + + test "both env vars can be set together" do + Dotenvy.source([ + %{ + "LIVE_DEBUGGER_IP" => "0.0.0.0", + "LIVE_DEBUGGER_EXTERNAL_URL" => "http://dev-elixir.local:4007" + } + ]) + + Bootstrap.configure() + + assert get_env(:live_debugger, :ip) == {0, 0, 0, 0} + + assert get_env(:live_debugger, :external_url) == + "http://dev-elixir.local:4007" + end + end + # Helpers to read the in-process config that Config writes defp get_env(app) do Process.get(@config_key) diff --git a/test/lightning_web/auth_test.exs b/test/lightning_web/auth_test.exs new file mode 100644 index 00000000000..4b24df1d873 --- /dev/null +++ b/test/lightning_web/auth_test.exs @@ -0,0 +1,134 @@ +defmodule LightningWeb.AuthTest do + use ExUnit.Case, async: true + + alias LightningWeb.Auth + alias Lightning.Workflows.WebhookAuthMethod + + import Plug.Test, only: [conn: 2] + + defp api_method(key) do + %WebhookAuthMethod{auth_type: :api, api_key: key} + end + + defp basic_method(username, password) do + %WebhookAuthMethod{auth_type: :basic, username: username, password: password} + end + + defp with_header(conn, key, value) do + Plug.Conn.put_req_header(conn, key, value) + end + + describe "valid_key?/2" do + test "returns true for correct API key" do + conn = conn(:get, "/") |> with_header("x-api-key", "my-secret") + + assert Auth.valid_key?(conn, [api_method("my-secret")]) + end + + test "returns false for wrong API key" do + conn = conn(:get, "/") |> with_header("x-api-key", "wrong") + + refute Auth.valid_key?(conn, [api_method("my-secret")]) + end + + test "returns false when no x-api-key header" do + conn = conn(:get, "/") + + refute Auth.valid_key?(conn, [api_method("my-secret")]) + end + + test "ignores non-api auth methods" do + conn = conn(:get, "/") |> with_header("x-api-key", "anything") + + refute Auth.valid_key?(conn, [basic_method("user", "pass")]) + end + + test "matches any of multiple API key methods" do + conn = conn(:get, "/") |> with_header("x-api-key", "key-2") + + assert Auth.valid_key?(conn, [ + api_method("key-1"), + api_method("key-2") + ]) + end + end + + describe "valid_user?/2" do + test "returns true for correct Basic Auth credentials" do + encoded = Base.encode64("admin:secret123") + conn = conn(:get, "/") |> with_header("authorization", "Basic #{encoded}") + + assert Auth.valid_user?(conn, [basic_method("admin", "secret123")]) + end + + test "returns false for wrong credentials" do + encoded = Base.encode64("admin:wrong") + conn = conn(:get, "/") |> with_header("authorization", "Basic #{encoded}") + + refute Auth.valid_user?(conn, [basic_method("admin", "secret123")]) + end + + test "returns false for wrong username" do + encoded = Base.encode64("notadmin:secret123") + conn = conn(:get, "/") |> with_header("authorization", "Basic #{encoded}") + + refute Auth.valid_user?(conn, [basic_method("admin", "secret123")]) + end + + test "returns false when no authorization header" do + conn = conn(:get, "/") + + refute Auth.valid_user?(conn, [basic_method("admin", "pass")]) + end + + test "returns false for malformed Authorization header" do + conn = + conn(:get, "/") |> with_header("authorization", "Basic !!!notbase64") + + refute Auth.valid_user?(conn, [basic_method("admin", "pass")]) + end + + test "returns false for non-Basic scheme" do + conn = conn(:get, "/") |> with_header("authorization", "Bearer token123") + + refute Auth.valid_user?(conn, [basic_method("admin", "pass")]) + end + + test "ignores non-basic auth methods" do + encoded = Base.encode64("admin:pass") + conn = conn(:get, "/") |> with_header("authorization", "Basic #{encoded}") + + refute Auth.valid_user?(conn, [api_method("some-key")]) + end + + test "matches any of multiple basic methods" do + encoded = Base.encode64("user2:pass2") + conn = conn(:get, "/") |> with_header("authorization", "Basic #{encoded}") + + assert Auth.valid_user?(conn, [ + basic_method("user1", "pass1"), + basic_method("user2", "pass2") + ]) + end + end + + describe "has_credentials?/1" do + test "detects x-api-key header" do + conn = conn(:get, "/") |> with_header("x-api-key", "anything") + + assert Auth.has_credentials?(conn) + end + + test "detects authorization header" do + conn = conn(:get, "/") |> with_header("authorization", "Basic abc") + + assert Auth.has_credentials?(conn) + end + + test "returns false when no auth headers present" do + conn = conn(:get, "/") + + refute Auth.has_credentials?(conn) + end + end +end diff --git a/test/lightning_web/live/channel_live/index_test.exs b/test/lightning_web/live/channel_live/index_test.exs new file mode 100644 index 00000000000..4fb3f4de351 --- /dev/null +++ b/test/lightning_web/live/channel_live/index_test.exs @@ -0,0 +1,603 @@ +defmodule LightningWeb.ChannelLive.IndexTest do + use LightningWeb.ConnCase, async: true + + import Ecto.Query + import Phoenix.LiveViewTest + import Lightning.Factories + + alias Lightning.Auditing.Audit + alias Lightning.Channels + alias Lightning.Channels.ChannelRequest + alias Lightning.Repo + + setup :register_and_log_in_user + setup :create_project_for_current_user + + describe "access control" do + test "redirects unauthenticated users to login", %{project: project} do + conn = Phoenix.ConnTest.build_conn() + + assert {:error, {:redirect, %{to: "/users/log_in"}}} = + live(conn, ~p"/projects/#{project.id}/channels") + end + + test "renders the channels index for a project member", %{ + conn: conn, + project: project + } do + insert(:channel, project: project, name: "my-channel") + + {:ok, _view, html} = + live(conn, ~p"/projects/#{project.id}/channels") + + assert html =~ "Channels" + assert html =~ "my-channel" + end + + @tag role: :viewer + test "New Channel button is disabled for viewer role", %{ + conn: conn, + project: project + } do + {:ok, view, _html} = live(conn, ~p"/projects/#{project.id}/channels") + + assert has_element?(view, "#new-channel-button:disabled") + end + + @tag role: :editor + test "New Channel button is enabled for editor role", %{ + conn: conn, + project: project + } do + {:ok, view, _html} = live(conn, ~p"/projects/#{project.id}/channels") + + refute has_element?(view, "#new-channel-button:disabled") + assert has_element?(view, "#new-channel-button") + end + end + + describe "channel metrics" do + test "shows Total Channels and Total Requests stat cards", %{ + conn: conn, + project: project + } do + {:ok, _view, html} = live(conn, ~p"/projects/#{project.id}/channels") + + assert html =~ "Total Channels" + assert html =~ "Total Requests" + end + end + + describe "channel list rendering" do + test "shows empty state when project has no channels", %{ + conn: conn, + project: project + } do + {:ok, _view, html} = live(conn, ~p"/projects/#{project.id}/channels") + + assert html =~ "No channels found." + end + + test "shows channel columns with zero requests and Never for last activity", + %{ + conn: conn, + project: project + } do + channel = + insert(:channel, + project: project, + name: "test-channel", + sink_url: "https://sink.example.com/data" + ) + + {:ok, view, _html} = live(conn, ~p"/projects/#{project.id}/channels") + + assert has_element?(view, "tr#channel-#{channel.id}") + + html = render(view) + + assert html =~ "test-channel" + assert html =~ "https://sink.example.com/data" + assert html =~ "Never" + end + + test "shows request count and last activity when requests exist", %{ + conn: conn, + project: project + } do + channel = insert(:channel, project: project, name: "active-channel") + {:ok, snapshot} = Channels.get_or_create_current_snapshot(channel) + t1 = ~U[2025-03-01 10:00:00.000000Z] + t2 = ~U[2025-03-05 14:30:00.000000Z] + + Repo.insert!(%ChannelRequest{ + channel_id: channel.id, + channel_snapshot_id: snapshot.id, + request_id: "req-lv-1", + state: :success, + started_at: t1 + }) + + Repo.insert!(%ChannelRequest{ + channel_id: channel.id, + channel_snapshot_id: snapshot.id, + request_id: "req-lv-2", + state: :success, + started_at: t2 + }) + + {:ok, view, _html} = live(conn, ~p"/projects/#{project.id}/channels") + + html = render(view) + + assert html =~ "active-channel" + assert html =~ "2" + refute html =~ "Never" + end + + test "does not show channels from other projects", %{ + conn: conn, + project: project + } do + insert(:channel, project: project, name: "mine") + other_project = insert(:project) + insert(:channel, project: other_project, name: "theirs") + + {:ok, _view, html} = live(conn, ~p"/projects/#{project.id}/channels") + + assert html =~ "mine" + refute html =~ "theirs" + end + end + + describe "toggle channel enabled state" do + @tag role: :editor + test "toggling a channel updates it, shows flash, and records audit event", + %{ + conn: conn, + project: project, + user: user + } do + channel = + insert(:channel, project: project, name: "toggle-me", enabled: true) + + {:ok, view, _html} = live(conn, ~p"/projects/#{project.id}/channels") + + assert has_element?(view, "tr#channel-#{channel.id}") + + html = + view + |> element("#toggle-control-#{channel.id}") + |> render_click() + + assert html =~ "Channel updated" + + updated = Channels.get_channel!(channel.id) + assert updated.enabled == false + + assert [audit] = + Repo.all( + from a in Audit, + where: + a.item_id == ^channel.id and a.item_type == "channel" and + a.event == "updated" + ) + + assert audit.actor_id == user.id + end + + @tag role: :editor + test "can re-enable a disabled channel", %{ + conn: conn, + project: project + } do + channel = + insert(:channel, project: project, name: "disabled-one", enabled: false) + + {:ok, view, _html} = live(conn, ~p"/projects/#{project.id}/channels") + + view + |> element("#toggle-control-#{channel.id}") + |> render_click() + + assert Channels.get_channel!(channel.id).enabled == true + end + end + + describe "new channel form" do + @tag role: :editor + test "navigating to /channels/new shows the form modal", %{ + conn: conn, + project: project + } do + {:ok, view, html} = + live(conn, ~p"/projects/#{project.id}/channels/new") + + assert html =~ "New Channel" + assert has_element?(view, "#new-modal") + end + + @tag role: :editor + test "submitting valid params creates channel and shows success flash", %{ + conn: conn, + project: project + } do + {:ok, view, _html} = + live(conn, ~p"/projects/#{project.id}/channels/new") + + form_id = "channel-form-new" + + view + |> form("##{form_id}", + channel: %{ + name: "new-channel", + sink_url: "https://example.com/sink" + } + ) + |> render_submit() + + assert_patch(view, ~p"/projects/#{project.id}/channels") + + html = render(view) + assert html =~ "Channel created successfully" + assert html =~ "new-channel" + + assert Channels.list_channels_for_project(project.id) + |> Enum.any?(&(&1.name == "new-channel")) + end + + @tag role: :editor + test "submitting with a source auth method saves the association", %{ + conn: conn, + project: project + } do + wam = insert(:webhook_auth_method, project: project) + + {:ok, view, _html} = + live(conn, ~p"/projects/#{project.id}/channels/new") + + view + |> form("#channel-form-new", + channel: %{ + name: "channel-with-auth", + sink_url: "https://example.com/sink", + source_auth_methods: %{wam.id => "true"} + } + ) + |> render_submit() + + assert_patch(view, ~p"/projects/#{project.id}/channels") + + channel = + Channels.list_channels_for_project(project.id) + |> Enum.find(&(&1.name == "channel-with-auth")) + + assert channel + + assert [cam] = Channels.list_channel_auth_methods(channel) + assert cam.role == :source + assert cam.webhook_auth_method_id == wam.id + end + + @tag role: :editor + test "submitting with missing name shows inline validation error", %{ + conn: conn, + project: project + } do + {:ok, view, _html} = + live(conn, ~p"/projects/#{project.id}/channels/new") + + form_id = "channel-form-new" + + html = + view + |> form("##{form_id}", channel: %{name: "", sink_url: ""}) + |> render_submit() + + assert html =~ "can't be blank" + end + + @tag role: :editor + test "submitting with a duplicate name shows inline validation error", %{ + conn: conn, + project: project + } do + channel = + insert(:channel, + project: project, + name: "existing", + sink_url: "https://old.example.com" + ) + + {:ok, view, _html} = + live(conn, ~p"/projects/#{project.id}/channels/new") + + form_id = "channel-form-new" + + html = + view + |> form("##{form_id}", + channel: %{name: channel.name, sink_url: "https://example.com"} + ) + |> render_submit() + + assert html =~ "A channel with this name already exists in this project" + end + + @tag role: :viewer + test "viewer is redirected when accessing /channels/new", %{ + conn: conn, + project: project + } do + assert {:error, {:live_redirect, %{to: redirect_to}}} = + live(conn, ~p"/projects/#{project.id}/channels/new") + + assert redirect_to == ~p"/projects/#{project.id}/channels" + end + end + + describe "edit channel form" do + @tag role: :editor + test "/channels/:id/edit mounts form pre-populated with channel values", %{ + conn: conn, + project: project + } do + channel = + insert(:channel, + project: project, + name: "edit-me", + sink_url: "https://old.example.com" + ) + + {:ok, view, _html} = + live(conn, ~p"/projects/#{project.id}/channels/#{channel.id}/edit") + + html = render(view) + assert html =~ "Edit Channel" + assert html =~ "edit-me" + assert html =~ "https://old.example.com" + end + + @tag role: :editor + test "saving valid changes updates the channel and shows success flash", %{ + conn: conn, + project: project + } do + channel = + insert(:channel, + project: project, + name: "old-name", + sink_url: "https://old.example.com" + ) + + {:ok, view, _html} = + live(conn, ~p"/projects/#{project.id}/channels/#{channel.id}/edit") + + form_id = "channel-form-#{channel.id}" + + view + |> form("##{form_id}", + channel: %{name: "updated-name", sink_url: "https://new.example.com"} + ) + |> render_submit() + + assert_patch(view, ~p"/projects/#{project.id}/channels") + + html = render(view) + assert html =~ "Channel updated successfully" + assert html =~ "updated-name" + + updated = Channels.get_channel!(channel.id) + assert updated.name == "updated-name" + end + + @tag role: :editor + test "shows settings links even when auth methods and credentials exist", + %{conn: conn, project: project, user: user} do + wam = insert(:webhook_auth_method, project: project) + credential = insert(:credential, project: project, user: user) + _pc = insert(:project_credential, project: project, credential: credential) + channel = insert(:channel, project: project) + + {:ok, _view, html} = + live(conn, ~p"/projects/#{project.id}/channels/#{channel.id}/edit") + + # Checkboxes for existing items are rendered + assert html =~ wam.name + assert html =~ credential.name + # Settings links are still present alongside the checkboxes + assert html =~ "/settings#webhook_security" + assert html =~ "/settings#credentials" + end + end + + describe "edit channel with existing auth methods" do + @tag role: :editor + test "pre-selects existing source and sink auth methods", %{ + conn: conn, + project: project, + user: user + } do + wam = insert(:webhook_auth_method, project: project) + credential = insert(:credential, project: project, user: user) + pc = insert(:project_credential, project: project, credential: credential) + + channel = insert(:channel, project: project) + + insert(:channel_auth_method, + channel: channel, + role: :source, + webhook_auth_method: wam + ) + + insert(:channel_auth_method, + channel: channel, + role: :sink, + webhook_auth_method: nil, + project_credential: pc + ) + + {:ok, view, _html} = + live(conn, ~p"/projects/#{project.id}/channels/#{channel.id}/edit") + + assert has_element?(view, "label", wam.name) + assert has_element?(view, "label", credential.name) + assert has_element?(view, "#source_auth_#{wam.id}[value='true']") + assert has_element?(view, "#sink_auth_#{pc.id}[value='true']") + end + + @tag role: :editor + test "saving can remove, keep, and add auth methods in a single save", %{ + conn: conn, + project: project, + user: user + } do + wam1 = insert(:webhook_auth_method, project: project) + wam2 = insert(:webhook_auth_method, project: project) + credential = insert(:credential, project: project, user: user) + pc = insert(:project_credential, project: project, credential: credential) + + channel = insert(:channel, project: project) + + insert(:channel_auth_method, + channel: channel, + role: :source, + webhook_auth_method: wam1 + ) + + insert(:channel_auth_method, + channel: channel, + role: :sink, + webhook_auth_method: nil, + project_credential: pc + ) + + {:ok, view, _html} = + live(conn, ~p"/projects/#{project.id}/channels/#{channel.id}/edit") + + # Remove wam1, keep pc (sink), add wam2 as a new source + view + |> form("#channel-form-#{channel.id}", + channel: %{ + name: channel.name, + source_auth_methods: %{wam1.id => "false", wam2.id => "true"}, + sink_auth_methods: %{pc.id => "true"} + } + ) + |> render_change() + + view + |> form("#channel-form-#{channel.id}") + |> render_submit() + + updated = + Channels.get_channel!(channel.id, include: [:channel_auth_methods]) + + source_cams = + Enum.filter(updated.channel_auth_methods, &(&1.role == :source)) + + sink_cams = Enum.filter(updated.channel_auth_methods, &(&1.role == :sink)) + + assert length(source_cams) == 1 + assert hd(source_cams).webhook_auth_method_id == wam2.id + + assert length(sink_cams) == 1 + assert hd(sink_cams).project_credential_id == pc.id + end + end + + describe "delete channel" do + @tag role: :editor + test "delete button uses data-confirm attribute (not phx-confirm)", %{ + conn: conn, + project: project + } do + _channel = insert(:channel, project: project, name: "confirm-me") + + {:ok, view, _html} = live(conn, ~p"/projects/#{project.id}/channels") + + assert has_element?( + view, + "[phx-click='delete_channel'][data-confirm]" + ) + + refute has_element?( + view, + "[phx-click='delete_channel'][phx-confirm]" + ) + end + + @tag role: :viewer + test "Edit and Delete buttons are absent for viewer role", %{ + conn: conn, + project: project + } do + channel = insert(:channel, project: project, name: "viewer-channel") + + {:ok, view, _html} = live(conn, ~p"/projects/#{project.id}/channels") + + refute has_element?( + view, + "[phx-click='delete_channel'][phx-value-id='#{channel.id}']" + ) + + refute has_element?( + view, + "a[patch$='/channels/#{channel.id}/edit']" + ) + end + + @tag role: :editor + test "deleting a channel removes it and shows success flash", %{ + conn: conn, + project: project + } do + channel = + insert(:channel, project: project, name: "delete-me") + + {:ok, view, _html} = live(conn, ~p"/projects/#{project.id}/channels") + + assert has_element?(view, "tr#channel-#{channel.id}") + + view + |> element("[phx-click='delete_channel'][phx-value-id='#{channel.id}']") + |> render_click() + + assert_patch(view, ~p"/projects/#{project.id}/channels") + + html = render(view) + assert html =~ "Channel deleted." + refute html =~ "delete-me" + + assert_raise Ecto.NoResultsError, fn -> + Channels.get_channel!(channel.id) + end + end + + @tag role: :editor + test "successful delete records audit event with actor", %{ + conn: conn, + project: project, + user: user + } do + channel = insert(:channel, project: project, name: "audit-delete") + channel_id = channel.id + + {:ok, view, _html} = live(conn, ~p"/projects/#{project.id}/channels") + + view + |> element("[phx-click='delete_channel'][phx-value-id='#{channel.id}']") + |> render_click() + + assert [audit] = + Repo.all( + from a in Audit, + where: + a.item_id == ^channel_id and a.item_type == "channel" and + a.event == "deleted" + ) + + assert audit.actor_id == user.id + end + end +end diff --git a/test/lightning_web/plugs/channel_proxy_plug_test.exs b/test/lightning_web/plugs/channel_proxy_plug_test.exs new file mode 100644 index 00000000000..dd7b84169ea --- /dev/null +++ b/test/lightning_web/plugs/channel_proxy_plug_test.exs @@ -0,0 +1,890 @@ +defmodule LightningWeb.ChannelProxyPlugTest do + use LightningWeb.ConnCase, async: true + + alias Lightning.Channels.{ChannelRequest, ChannelEvent} + + import Ecto.Query + import Lightning.Factories + import Plug.Test, only: [conn: 2, conn: 3] + + setup do + bypass = Bypass.open() + project = insert(:project) + + channel = + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: true + ) + + disabled_channel = + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: false + ) + + {:ok, bypass: bypass, channel: channel, disabled_channel: disabled_channel} + end + + describe "proxying requests" do + test "GET proxied to sink with correct path", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + Bypass.expect_once(bypass, "GET", "/test", fn conn -> + Plug.Conn.send_resp(conn, 200, "ok from sink") + end) + + resp = get(conn, "/channels/#{channel.id}/test") + + assert resp.status == 200 + assert resp.resp_body == "ok from sink" + end + + test "POST with body arrives at sink unchanged", %{ + bypass: bypass, + channel: channel + } do + body = Jason.encode!(%{"hello" => "world"}) + + Bypass.expect_once(bypass, "POST", "/api/data", fn conn -> + {:ok, received, conn} = Plug.Conn.read_body(conn) + assert received == body + Plug.Conn.send_resp(conn, 201, "created") + end) + + resp = + conn(:post, "/channels/#{channel.id}/api/data", body) + |> put_req_header("content-type", "application/json") + |> put_req_header("content-length", "#{byte_size(body)}") + |> send_to_endpoint() + + assert resp.status == 201 + assert resp.resp_body == "created" + end + + test "PUT method forwarded", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + Bypass.expect_once(bypass, "PUT", "/resource", fn conn -> + Plug.Conn.send_resp(conn, 200, "updated") + end) + + resp = + conn + |> put_req_header("content-type", "application/json") + |> put("/channels/#{channel.id}/resource", "{}") + + assert resp.status == 200 + end + + test "PATCH method forwarded", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + Bypass.expect_once(bypass, "PATCH", "/resource", fn conn -> + Plug.Conn.send_resp(conn, 200, "patched") + end) + + resp = + conn + |> put_req_header("content-type", "application/json") + |> patch("/channels/#{channel.id}/resource", "{}") + + assert resp.status == 200 + end + + test "DELETE method forwarded", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + Bypass.expect_once(bypass, "DELETE", "/resource", fn conn -> + Plug.Conn.send_resp(conn, 204, "") + end) + + resp = delete(conn, "/channels/#{channel.id}/resource") + + assert resp.status == 204 + end + + test "query parameters preserved", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + Bypass.expect_once(bypass, "GET", "/search", fn conn -> + assert conn.query_string == "q=foo&page=2" + Plug.Conn.send_resp(conn, 200, "results") + end) + + resp = get(conn, "/channels/#{channel.id}/search?q=foo&page=2") + + assert resp.status == 200 + end + + test "nested path forwarded correctly", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + Bypass.expect_once(bypass, "GET", "/nested/path/here", fn conn -> + Plug.Conn.send_resp(conn, 200, "deep") + end) + + resp = get(conn, "/channels/#{channel.id}/nested/path/here") + + assert resp.status == 200 + end + + test "path traversal in channel_id position fails UUID validation", %{ + conn: conn + } do + # A path like /channels/../../secret would have ".." as channel_id, + # which fails Ecto.UUID.cast and returns 404. + resp = get(conn, "/channels/../../secret") + + assert resp.status == 404 + end + + test "path traversal segments in subpath are forwarded as-is", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + # In production, HTTP clients (browsers) normalize "../" segments + # before sending the request, so they never reach the server. + # If they do arrive (e.g. from a programmatic client), they are + # forwarded to the upstream as-is — the upstream is responsible + # for its own path handling. + Bypass.expect_once(bypass, "GET", "/foo/../safe", fn conn -> + Plug.Conn.send_resp(conn, 200, "ok") + end) + + resp = get(conn, "/channels/#{channel.id}/foo/../safe") + + assert resp.status == 200 + end + + test "root path (no trailing path) proxies to /", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + Bypass.expect_once(bypass, "GET", "/", fn conn -> + Plug.Conn.send_resp(conn, 200, "root") + end) + + resp = get(conn, "/channels/#{channel.id}") + + assert resp.status == 200 + assert resp.resp_body == "root" + end + + test "proxy headers forwarded to sink", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + Bypass.expect_once(bypass, "GET", "/test", fn conn -> + xff = Plug.Conn.get_req_header(conn, "x-forwarded-for") + xfh = Plug.Conn.get_req_header(conn, "x-forwarded-host") + xfp = Plug.Conn.get_req_header(conn, "x-forwarded-proto") + + assert xff != [] + assert xfh != [] + assert xfp != [] + + Plug.Conn.send_resp(conn, 200, "ok") + end) + + resp = get(conn, "/channels/#{channel.id}/test") + + assert resp.status == 200 + end + + test "response headers from sink forwarded to client", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + Bypass.expect_once(bypass, "GET", "/test", fn conn -> + conn + |> Plug.Conn.put_resp_header("x-custom-header", "custom-value") + |> Plug.Conn.send_resp(200, "ok") + end) + + resp = get(conn, "/channels/#{channel.id}/test") + + assert resp.status == 200 + + assert Plug.Conn.get_resp_header(resp, "x-custom-header") == [ + "custom-value" + ] + end + end + + describe "error cases" do + test "disabled channel returns 404", %{ + conn: conn, + disabled_channel: disabled_channel + } do + resp = get(conn, "/channels/#{disabled_channel.id}/test") + + assert resp.status == 404 + assert %{"error" => "Not Found"} = json_response(resp, 404) + end + + test "non-existent channel returns 404", %{conn: conn} do + resp = get(conn, "/channels/#{Ecto.UUID.generate()}/test") + + assert %{"error" => "Not Found"} = json_response(resp, 404) + end + + test "invalid UUID returns 404", %{conn: conn} do + resp = get(conn, "/channels/not-a-uuid/test") + + assert %{"error" => "Not Found"} = json_response(resp, 404) + end + + test "sink timeout returns 502", %{ + conn: conn, + channel: channel + } do + # Channel's sink_url points to a port with nothing running + port = Enum.random(59_000..59_999) + + channel + |> Ecto.Changeset.change(sink_url: "http://localhost:#{port}") + |> Lightning.Repo.update!() + + resp = get(conn, "/channels/#{channel.id}/test") + + assert resp.status in [502, 504] + end + end + + describe "handler persistence" do + test "creates ChannelRequest and ChannelEvent on successful proxy", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + Bypass.expect_once(bypass, "GET", "/persisted", fn conn -> + Plug.Conn.send_resp(conn, 200, "persisted response") + end) + + resp = get(conn, "/channels/#{channel.id}/persisted") + assert resp.status == 200 + + request = + Lightning.Repo.one!( + from(r in ChannelRequest, where: r.channel_id == ^channel.id) + ) + + assert request.state == :success + assert request.completed_at != nil + + event = + Lightning.Repo.one!( + from(e in ChannelEvent, where: e.channel_request_id == ^request.id) + ) + + assert event.type == :sink_response + assert event.response_status == 200 + assert event.latency_ms != nil + assert event.request_method == "GET" + assert event.request_path == "/persisted" + end + + test "creates error-state request on connection failure", %{ + conn: conn, + channel: channel + } do + port = Enum.random(59_000..59_999) + + channel + |> Ecto.Changeset.change(sink_url: "http://localhost:#{port}") + |> Lightning.Repo.update!() + + resp = get(conn, "/channels/#{channel.id}/fail") + assert resp.status in [502, 504] + + request = + Lightning.Repo.one!( + from(r in ChannelRequest, where: r.channel_id == ^channel.id) + ) + + assert request.state in [:error, :timeout] + assert request.completed_at != nil + end + end + + describe "source authentication" do + test "no auth methods configured — request passes through", %{ + conn: conn, + bypass: bypass, + channel: channel + } do + # Channel has no channel_auth_methods, so it's publicly accessible + Bypass.expect_once(bypass, "GET", "/open", fn conn -> + Plug.Conn.send_resp(conn, 200, "public") + end) + + resp = get(conn, "/channels/#{channel.id}/open") + + assert resp.status == 200 + assert resp.resp_body == "public" + end + + test "API key auth — correct key allows request", %{ + bypass: bypass + } do + project = insert(:project) + + channel = + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: true, + channel_auth_methods: [ + build(:channel_auth_method, + role: :source, + webhook_auth_method: + build(:webhook_auth_method, + project: project, + auth_type: :api, + api_key: "valid-api-key" + ) + ) + ] + ) + + Bypass.expect_once(bypass, "GET", "/protected", fn conn -> + Plug.Conn.send_resp(conn, 200, "authenticated") + end) + + resp = + conn(:get, "/channels/#{channel.id}/protected") + |> put_req_header("x-api-key", "valid-api-key") + |> send_to_endpoint() + + assert resp.status == 200 + assert resp.resp_body == "authenticated" + end + + test "API key auth — wrong key returns 404", %{bypass: bypass} do + project = insert(:project) + + channel = + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: true, + channel_auth_methods: [ + build(:channel_auth_method, + role: :source, + webhook_auth_method: + build(:webhook_auth_method, + project: project, + auth_type: :api, + api_key: "correct-key" + ) + ) + ] + ) + + resp = + conn(:get, "/channels/#{channel.id}/protected") + |> put_req_header("x-api-key", "wrong-key") + |> send_to_endpoint() + + assert resp.status == 404 + assert %{"error" => "Not Found"} = json_response(resp, 404) + end + + test "API key auth — no key sent returns 401", %{bypass: bypass} do + project = insert(:project) + + channel = + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: true, + channel_auth_methods: [ + build(:channel_auth_method, + role: :source, + webhook_auth_method: + build(:webhook_auth_method, + project: project, + auth_type: :api, + api_key: "some-key" + ) + ) + ] + ) + + resp = + conn(:get, "/channels/#{channel.id}/protected") + |> send_to_endpoint() + + assert resp.status == 401 + assert %{"error" => "Unauthorized"} = json_response(resp, 401) + end + + test "Basic auth — correct credentials allows request", %{bypass: bypass} do + project = insert(:project) + + channel = + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: true, + channel_auth_methods: [ + build(:channel_auth_method, + role: :source, + webhook_auth_method: + build(:webhook_auth_method, + project: project, + auth_type: :basic, + username: "admin", + password: "secret" + ) + ) + ] + ) + + Bypass.expect_once(bypass, "GET", "/basic", fn conn -> + Plug.Conn.send_resp(conn, 200, "basic-ok") + end) + + encoded = Base.encode64("admin:secret") + + resp = + conn(:get, "/channels/#{channel.id}/basic") + |> put_req_header("authorization", "Basic #{encoded}") + |> send_to_endpoint() + + assert resp.status == 200 + assert resp.resp_body == "basic-ok" + end + + test "Basic auth — wrong credentials returns 404", %{bypass: bypass} do + project = insert(:project) + + channel = + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: true, + channel_auth_methods: [ + build(:channel_auth_method, + role: :source, + webhook_auth_method: + build(:webhook_auth_method, + project: project, + auth_type: :basic, + username: "admin", + password: "secret" + ) + ) + ] + ) + + encoded = Base.encode64("admin:wrong") + + resp = + conn(:get, "/channels/#{channel.id}/basic") + |> put_req_header("authorization", "Basic #{encoded}") + |> send_to_endpoint() + + assert resp.status == 404 + assert %{"error" => "Not Found"} = json_response(resp, 404) + end + + test "Basic auth — no auth header returns 401", %{bypass: bypass} do + project = insert(:project) + + channel = + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: true, + channel_auth_methods: [ + build(:channel_auth_method, + role: :source, + webhook_auth_method: + build(:webhook_auth_method, + project: project, + auth_type: :basic, + username: "admin", + password: "secret" + ) + ) + ] + ) + + resp = + conn(:get, "/channels/#{channel.id}/basic") + |> send_to_endpoint() + + assert resp.status == 401 + assert %{"error" => "Unauthorized"} = json_response(resp, 401) + end + + test "multiple auth methods — either matches allows request", %{ + bypass: bypass + } do + project = insert(:project) + + channel = + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: true, + channel_auth_methods: [ + build(:channel_auth_method, + role: :source, + webhook_auth_method: + build(:webhook_auth_method, + project: project, + auth_type: :api, + api_key: "key-one" + ) + ), + build(:channel_auth_method, + role: :source, + webhook_auth_method: + build(:webhook_auth_method, + project: project, + auth_type: :api, + api_key: "key-two" + ) + ) + ] + ) + + Bypass.expect_once(bypass, "GET", "/multi", fn conn -> + Plug.Conn.send_resp(conn, 200, "multi-ok") + end) + + # Use the second key — should still match + resp = + conn(:get, "/channels/#{channel.id}/multi") + |> put_req_header("x-api-key", "key-two") + |> send_to_endpoint() + + assert resp.status == 200 + assert resp.resp_body == "multi-ok" + end + + test "mixed types (API + Basic) — API key matches allows request", %{ + bypass: bypass + } do + project = insert(:project) + + channel = + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: true, + channel_auth_methods: [ + build(:channel_auth_method, + role: :source, + webhook_auth_method: + build(:webhook_auth_method, + project: project, + auth_type: :api, + api_key: "mixed-key" + ) + ), + build(:channel_auth_method, + role: :source, + webhook_auth_method: + build(:webhook_auth_method, + project: project, + auth_type: :basic, + username: "user", + password: "pass" + ) + ) + ] + ) + + Bypass.expect_once(bypass, "GET", "/mixed", fn conn -> + Plug.Conn.send_resp(conn, 200, "mixed-ok") + end) + + resp = + conn(:get, "/channels/#{channel.id}/mixed") + |> put_req_header("x-api-key", "mixed-key") + |> send_to_endpoint() + + assert resp.status == 200 + assert resp.resp_body == "mixed-ok" + end + end + + describe "sink authentication" do + defp create_sink_auth_channel(bypass, schema, body) do + project = insert(:project) + user = insert(:user) + + credential = + insert(:credential, schema: schema, name: "sink-cred", user: user) + |> with_body(%{body: body}) + + project_credential = + insert(:project_credential, + project: project, + credential: credential + ) + + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: true, + channel_auth_methods: [ + build(:channel_auth_method, + role: :sink, + webhook_auth_method: nil, + project_credential: project_credential + ) + ] + ) + end + + test "Bearer token sent to upstream when channel has http credential with access_token", + %{bypass: bypass} do + channel = + create_sink_auth_channel(bypass, "http", %{ + "access_token" => "tok-123" + }) + + Bypass.expect_once(bypass, "GET", "/test", fn conn -> + auth = Plug.Conn.get_req_header(conn, "authorization") + assert auth == ["Bearer tok-123"] + Plug.Conn.send_resp(conn, 200, "ok") + end) + + resp = + conn(:get, "/channels/#{channel.id}/test") + |> send_to_endpoint() + + assert resp.status == 200 + end + + test "Basic auth sent when channel has http credential with username/password", + %{bypass: bypass} do + channel = + create_sink_auth_channel(bypass, "http", %{ + "username" => "u", + "password" => "p" + }) + + expected = "Basic #{Base.encode64("u:p")}" + + Bypass.expect_once(bypass, "GET", "/test", fn conn -> + auth = Plug.Conn.get_req_header(conn, "authorization") + assert auth == [expected] + Plug.Conn.send_resp(conn, 200, "ok") + end) + + resp = + conn(:get, "/channels/#{channel.id}/test") + |> send_to_endpoint() + + assert resp.status == 200 + end + + test "ApiToken sent when channel has dhis2 credential with pat", + %{bypass: bypass} do + channel = + create_sink_auth_channel(bypass, "dhis2", %{ + "pat" => "d2pat_abc" + }) + + Bypass.expect_once(bypass, "GET", "/test", fn conn -> + auth = Plug.Conn.get_req_header(conn, "authorization") + assert auth == ["ApiToken d2pat_abc"] + Plug.Conn.send_resp(conn, 200, "ok") + end) + + resp = + conn(:get, "/channels/#{channel.id}/test") + |> send_to_endpoint() + + assert resp.status == 200 + end + + test "no authorization header when channel has no sink auth methods", + %{bypass: bypass, channel: channel} do + Bypass.expect_once(bypass, "GET", "/test", fn conn -> + auth = Plug.Conn.get_req_header(conn, "authorization") + assert auth == [] + Plug.Conn.send_resp(conn, 200, "ok") + end) + + resp = + conn(:get, "/channels/#{channel.id}/test") + |> send_to_endpoint() + + assert resp.status == 200 + end + + test "authorization header redacted in persisted ChannelEvent", + %{bypass: bypass} do + channel = + create_sink_auth_channel(bypass, "http", %{ + "access_token" => "secret-token" + }) + + Bypass.expect_once(bypass, "GET", "/redact-test", fn conn -> + Plug.Conn.send_resp(conn, 200, "ok") + end) + + resp = + conn(:get, "/channels/#{channel.id}/redact-test") + |> send_to_endpoint() + + assert resp.status == 200 + + event = + Lightning.Repo.one!( + from(e in ChannelEvent, + join: r in ChannelRequest, + on: r.id == e.channel_request_id, + where: r.channel_id == ^channel.id + ) + ) + + # The handler redacts authorization headers before persisting + headers = Jason.decode!(event.request_headers) + + auth_header = + Enum.find(headers, fn [k, _v] -> k == "authorization" end) + + assert auth_header == ["authorization", "[REDACTED]"] + end + + test "credential environment_not_found returns 502 with observable error", + %{bypass: bypass} do + # Create a credential with NO credential_body for "main" environment + project = insert(:project) + user = insert(:user) + + credential = + insert(:credential, schema: "http", name: "no-body", user: user) + + # Don't call with_body — no CredentialBody exists + + project_credential = + insert(:project_credential, + project: project, + credential: credential + ) + + channel = + insert(:channel, + project: project, + sink_url: "http://localhost:#{bypass.port}", + enabled: true, + channel_auth_methods: [ + build(:channel_auth_method, + role: :sink, + webhook_auth_method: nil, + project_credential: project_credential + ) + ] + ) + + resp = + conn(:get, "/channels/#{channel.id}/test") + |> send_to_endpoint() + + assert resp.status == 502 + assert %{"error" => "Bad Gateway"} = json_response(resp, 502) + + request = + Lightning.Repo.one!( + from(r in ChannelRequest, where: r.channel_id == ^channel.id) + ) + + assert request.state == :error + + event = + Lightning.Repo.one!( + from(e in ChannelEvent, where: e.channel_request_id == ^request.id) + ) + + assert event.error_message == "credential_environment_not_found" + end + + test "credential with missing auth fields returns 502 with observable error", + %{bypass: bypass} do + channel = + create_sink_auth_channel(bypass, "http", %{ + "baseUrl" => "https://example.com" + }) + + resp = + conn(:get, "/channels/#{channel.id}/test") + |> send_to_endpoint() + + assert resp.status == 502 + assert %{"error" => "Bad Gateway"} = json_response(resp, 502) + + request = + Lightning.Repo.one!( + from(r in ChannelRequest, where: r.channel_id == ^channel.id) + ) + + assert request.state == :error + + event = + Lightning.Repo.one!( + from(e in ChannelEvent, where: e.channel_request_id == ^request.id) + ) + + assert event.error_message == "credential_missing_auth_fields" + end + + test "proxy headers (x-forwarded-*) still forwarded alongside auth header", + %{bypass: bypass} do + channel = + create_sink_auth_channel(bypass, "http", %{ + "access_token" => "tok-with-proxy" + }) + + Bypass.expect_once(bypass, "GET", "/test", fn conn -> + auth = Plug.Conn.get_req_header(conn, "authorization") + xff = Plug.Conn.get_req_header(conn, "x-forwarded-for") + xfh = Plug.Conn.get_req_header(conn, "x-forwarded-host") + xfp = Plug.Conn.get_req_header(conn, "x-forwarded-proto") + + assert auth == ["Bearer tok-with-proxy"] + assert xff != [] + assert xfh != [] + assert xfp != [] + + Plug.Conn.send_resp(conn, 200, "ok") + end) + + resp = + conn(:get, "/channels/#{channel.id}/test") + |> send_to_endpoint() + + assert resp.status == 200 + end + end + + defp send_to_endpoint(conn) do + LightningWeb.Endpoint.call(conn, LightningWeb.Endpoint.init([])) + end +end diff --git a/test/support/factories.ex b/test/support/factories.ex index ba81fe5cdc2..7790d4f976c 100644 --- a/test/support/factories.ex +++ b/test/support/factories.ex @@ -858,4 +858,43 @@ defmodule Lightning.Factories do def sandbox_for(parent, attrs \\ %{}) do build(:project, Map.merge(%{parent: parent}, attrs)) end + + def channel_factory do + %Lightning.Channels.Channel{ + project: build(:project), + name: sequence(:channel_name, &"channel-#{&1}"), + sink_url: sequence(:channel_sink_url, &"https://example.com/sink/#{&1}"), + enabled: true + } + end + + def channel_auth_method_factory do + %Lightning.Channels.ChannelAuthMethod{ + role: :source, + webhook_auth_method: build(:webhook_auth_method) + } + end + + def channel_snapshot_factory do + %Lightning.Channels.ChannelSnapshot{ + lock_version: 1, + name: sequence(:channel_snapshot_name, &"channel-#{&1}"), + sink_url: "https://example.com/sink", + enabled: true + } + end + + def channel_request_factory do + %Lightning.Channels.ChannelRequest{ + request_id: sequence(:channel_request_id, &"req-#{&1}"), + state: :pending, + started_at: DateTime.utc_now() + } + end + + def channel_event_factory do + %Lightning.Channels.ChannelEvent{ + type: :source_received + } + end end