test: add automated Pale Moon tests (#903)

* test: start work on Pale Moon tests

Signed-off-by: Xe Iaso <me@xeiaso.net>

* test(palemoon): rewrite to use ci-images

Signed-off-by: Xe Iaso <me@xeiaso.net>

* ci: enable palemoon tests

Signed-off-by: Xe Iaso <me@xeiaso.net>

* test(palemoon): add some variables

Signed-off-by: Xe Iaso <me@xeiaso.net>

* fix: disable tmate

Signed-off-by: Xe Iaso <me@xeiaso.net>

* test(palemoon): disable i386 for now

Signed-off-by: Xe Iaso <me@xeiaso.net>

* chore: spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
This commit is contained in:
Xe Iaso 2025-07-25 11:42:08 -04:00 committed by GitHub
parent 0ef3461816
commit bf42014ac3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
18 changed files with 646 additions and 9 deletions

5
test/palemoon/README.md Normal file
View file

@ -0,0 +1,5 @@
# Pale Moon CI tests
Pale Moon has exposed [some pretty bad bugs](https://anubis.techaro.lol/blog/release/v1.21.1#fix-event-loop-thrashing-when-solving-a-proof-of-work-challenge) in Anubis. As such, we're running Pale Moon against Anubis in CI to ensure that it keeps working.
This test is a fork of [dtinth/xtigervnc-docker](https://github.com/dtinth/xtigervnc-docker) but focused on Pale Moon.

View file

@ -0,0 +1,50 @@
services:
display:
image: ghcr.io/techarohq/ci-images/xserver:latest
pull_policy: always
ports:
- 5900:5900
anubis:
image: ko.local/anubis
environment:
BIND: ":3000"
TARGET: http://$TARGET
POLICY_FNAME: /cfg/anubis.yaml
SLOG_LEVEL: DEBUG
volumes:
- ../anubis:/cfg
depends_on:
- relayd
relayd:
image: ghcr.io/xe/x/relayd
environment:
BIND: :443
CERT_DIR: /techaro/pki
CERT_FNAME: cert.pem
KEY_FNAME: key.pem
PROXY_TO: http://anubis:3000
volumes:
- ../../pki/relayd:/techaro/pki:ro
# novnc:
# image: geek1011/easy-novnc
# command: -a :5800 -h display --no-url-password
# ports:
# - 5800:5800
palemoon:
platform: linux/amd64
init: true
image: ghcr.io/techarohq/ci-images/palemoon:latest
command: sleep inf
environment:
DISPLAY: display:0
volumes:
- ../../pki:/usr/local/share/ca-certificates/minica:ro
- ../scripts:/hack/scripts:ro
depends_on:
- anubis
- relayd
- display

30
test/palemoon/amd64/test.sh Executable file
View file

@ -0,0 +1,30 @@
#!/usr/bin/env bash
export VERSION=$GITHUB_COMMIT-test
export KO_DOCKER_REPO=ko.local
function capture_vnc_snapshots() {
sudo apt-get update && sudo apt-get install -y gvncviewer
mkdir -p ./var
while true; do
timestamp=$(date +"%Y%m%d%H%M%S")
gvnccapture localhost:0 ./var/snapshot_$timestamp.png 2>/dev/null
sleep 1
done
}
source ../../lib/lib.sh
if [ "$GITHUB_ACTIONS" = "true" ]; then
capture_vnc_snapshots &
fi
set -euo pipefail
build_anubis_ko
mint_cert relayd
go run ../../cmd/cipra/ --compose-name $(basename $(pwd))
docker compose down -t 1 || :
docker compose rm -f || :

2
test/palemoon/amd64/var/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
*
!.gitignore

View file

@ -0,0 +1,12 @@
bots:
- name: palemoon
user_agent_regex: PaleMoon
action: CHALLENGE
challenge:
difficulty: 2
report_as: 2
algorithm: fast
status_codes:
CHALLENGE: 401
DENY: 403

View file

@ -0,0 +1,44 @@
services:
display:
image: ghcr.io/techarohq/ci-images/xserver:latest
pull_policy: always
ports:
- 5900:5900
anubis:
image: ko.local/anubis
environment:
BIND: ":3000"
TARGET: http://$TARGET
POLICY_FNAME: /cfg/anubis.yaml
SLOG_LEVEL: DEBUG
volumes:
- ../anubis:/cfg
relayd:
image: ghcr.io/xe/x/relayd
environment:
BIND: :443
CERT_DIR: /techaro/pki
CERT_FNAME: cert.pem
KEY_FNAME: key.pem
PROXY_TO: http://anubis:3000
volumes:
- ../../pki/relayd:/techaro/pki:ro
# novnc:
# image: geek1011/easy-novnc
# command: -a :5800 -h display --no-url-password
# ports:
# - 5800:5800
palemoon:
platform: linux/386
init: true
image: ghcr.io/techarohq/ci-images/palemoon:latest
command: sleep inf
environment:
DISPLAY: display:0
volumes:
- ../../pki:/usr/local/share/ca-certificates/minica:ro
- ../scripts:/hack/scripts:ro

30
test/palemoon/i386/test.sh Executable file
View file

@ -0,0 +1,30 @@
#!/usr/bin/env bash
export VERSION=$GITHUB_COMMIT-test
export KO_DOCKER_REPO=ko.local
function capture_vnc_snapshots() {
sudo apt-get update && sudo apt-get install -y gvncviewer
mkdir -p ./var
while true; do
timestamp=$(date +"%Y%m%d%H%M%S")
gvnccapture localhost:0 ./var/snapshot_$timestamp.png 2>/dev/null
sleep 1
done
}
source ../../lib/lib.sh
if [ "$GITHUB_ACTIONS" = "true" ]; then
capture_vnc_snapshots &
fi
set -euo pipefail
build_anubis_ko
mint_cert relayd
go run ../../cmd/cipra/ --compose-name $(basename $(pwd))
docker compose down -t 1 || :
docker compose rm -f || :

2
test/palemoon/i386/var/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
*
!.gitignore

View file

@ -0,0 +1,103 @@
#!/usr/bin/env bash
set -euo pipefail
CERT_PATH="/usr/local/share/ca-certificates/minica/minica.pem"
CERT_NAME="minica"
TRUST_FLAGS="C,,"
FIREFOX_DIR="$HOME/.mozilla/firefox"
PALEMOON_DIR="$HOME/.moonchild productions/pale moon"
echo "🔄 Updating system CA certificates..."
update-ca-certificates
# 🌀 Trigger Pale Moon to create its profile if needed
if command -v palemoon &>/dev/null; then
echo "🚀 Launching Pale Moon to initialize profile..."
palemoon &>/dev/null &
PALEMOON_PID=$!
# Wait up to 20 seconds for prefs.js to be created
for i in {1..20}; do
set +e
PROFILE_DIR=$(grep Path ~/.moonchild\ productions/pale\ moon/profiles.ini | cut -d= -f2)
PREFS_FILE="$HOME/.moonchild productions/pale moon/$PROFILE_DIR/prefs.js"
if [[ -f "$PREFS_FILE" ]]; then
set -e
echo "✅ prefs.js found at: $PREFS_FILE"
break
fi
sleep 5
done
kill $PALEMOON_PID 2>/dev/null || true
wait $PALEMOON_PID 2>/dev/null || true
if [[ ! -f "$PREFS_FILE" ]]; then
echo "❌ prefs.js not found. Pale Moon did not fully initialize."
exit 1
fi
else
echo "⚠️ Pale Moon is not installed or not in PATH. Skipping profile bootstrap."
fi
echo 'user_pref("security.cert_pinning.enforcement_level", 0);' >>"$PREFS_FILE"
echo "✅ TLS cert validation disabled in Pale Moon profile: $PROFILE_DIR"
# 🔧 Ensure certutil is installed
if ! command -v certutil &>/dev/null; then
if [ -f /etc/debian_version ]; then
echo "🔧 'certutil' not found. Installing via apt..."
apt-get update
apt-get install -y libnss3-tools
else
echo "❌ 'certutil' not found and install is only supported on Debian-based systems."
exit 1
fi
fi
import_cert_to_profiles() {
local base_dir="$1"
local browser_name="$2"
local profile_glob="$3"
if [ ! -d "$base_dir" ]; then
echo "⚠️ $browser_name profile directory not found: $base_dir"
return
fi
echo "📌 Searching for $browser_name profiles in: $base_dir"
local found=0
for profile in "$base_dir"/$profile_glob; do
if [ ! -d "$profile" ]; then
continue
fi
found=1
local db_path="sql:$profile"
echo "🔍 Processing $browser_name profile: $profile"
if certutil -L -d "$db_path" | grep -q "^$CERT_NAME"; then
echo " ✅ Certificate '$CERT_NAME' already exists in profile."
continue
fi
certutil -A -n "$CERT_NAME" -t "$TRUST_FLAGS" -i "$CERT_PATH" -d "$db_path"
echo " Added certificate '$CERT_NAME' to $browser_name profile."
done
if [ "$found" -eq 0 ]; then
echo "⚠️ No $browser_name profiles found in: $base_dir"
fi
}
import_cert_to_profiles "$FIREFOX_DIR" "Firefox" "*.default*"
import_cert_to_profiles "$PALEMOON_DIR" "Pale Moon" "*.*"
echo "✅ Done. Firefox and Pale Moon profiles updated with '$CERT_NAME' certificate."