Integration/system tests for DNS plugins

[bmw]

I think we should do more testing beyond our simple unit tests, however, I've been thinking a bit about what that'd look like. Here's a relevant conversation I had with @adferrand about the topic:

[2018-11-01 11:02:29] <bmw> adferrand[m]: One thing I've been thinking about lately is how to better test Certbot's DNS plugins.
[2018-11-01 11:02:49] <bmw> I was curious how your project and Lexicon handle this. Do you maintain accounts with all these different providers?
[2018-11-01 11:30:15] <adferrand[m]> In Lexicon, we use vcrpy. It works with cassettes, which are yaml files that describes a serie of http request and their response. First, a dns provider developer executes the tests against the real dns api, because at this time, the developer has a valid account on it.
[2018-11-01 11:30:46] <adferrand[m]> During this test, cassettes are recorded, and committed in the repo.
[2018-11-01 11:31:57] <adferrand[m]> In all subsequent tests execution, in particular CI, vcrpy will mock transparently any requests emitted by python (vcrpy supports the most used http libraries).
[2018-11-01 11:32:57] <adferrand[m]> If for a given test method, with its related cassette, the request corresponds to the recorded one, vcrpy will return the recorded response.
[2018-11-01 11:46:05] <bmw> Interesting.
[2018-11-01 11:46:28] <bmw> One thing we've struggled with is how to initially test these plugins as well as to regularly run tests to ensure they still work with the provider's current API.
[2018-11-01 11:47:31] <bmw> We were planning to set up accounts, but doing this for every plugin someone writes based on Lexicon isn't very sustainable.
[2018-11-01 12:53:34] <adferrand[m]> Indeed, you cannot. And if I construct a universal lexicon plug-in, it is dozens of accounts to maintain potentially. Here with Lexicon, it is possible.
[2018-11-01 12:55:04] <adferrand[m]> The only limitation, is if an actual API changes its specifications, because cassettes are not relevant anymore, and you do not know it until someone executes again a real request. But APIs of this kind
[2018-11-01 12:55:46] <adferrand[m]> are really stable. It should occurs only from time to time, I think it is doable to correct cassettes when needed.
[2018-11-01 13:08:50] <bmw> Sure.
[2018-11-01 13:09:42] <bmw> The only thing I don't like about it is it would likely be our users who run the real request and hit the bug when things change, but maybe that's not the end of the world.
[2018-11-01 13:34:40] <adferrand[m]> Yes indeed, I was already thinking about this to make something with it. 
[2018-11-01 13:35:42] <adferrand[m]> Because currently, in fact tests on dns plugind are mocking every actual call to lexicon, right?
[2018-11-01 13:36:51] <adferrand[m]> And there is already integrations tests in Lexicon that checks an acme challenge can be written in a txt record.
[2018-11-01 13:37:49] <adferrand[m]> So I thought this particular cassette could be reused during integrations tests on dns certbot plug-in that are based on lexicon.
[2018-11-01 13:38:43] <adferrand[m]> Txt deletion is not done on Lexicon, but this could stay a complete mock of Lexicon call, it is not critical.
[2018-11-01 13:39:14] <adferrand[m]> (I mean a test on txt deletion)
[2018-11-01 13:41:30] <adferrand[m]> And anyway, about your concerns on regressions that could be found only by users. It is already the case in fact, as everything is mocked, so you do not lose a lot in fact.
[2018-11-01 13:42:23] <adferrand[m]> At least with vcrpy, you will execute actual code of Lexicon providers code, and find regressions concerning the interface between Lexicon and Certbot.

[trinopoty]

What kind of tests do you have in mind? The provider APIs themselves almost never change in a breaking way. Even if a version of the API becomes deprecated, it's maintained for a long time to ensure existing software do not need to be modified straight away.
Also, every dns plugin goes through a level of manual testing to ensure full functionality.
Using vcrpy does not protect against a change in live API in most cases.

[adferrand]

In fact currently, lexicon-based dns plugins in certbot are running by mocking the entire lexicon client. So the tests would be unable to detect a breaking change in the interface between Lexicon and Certbot. Or a side effect that could not be catched in Lexicon CI, and occur only when Certbot is instrumenting Lexicon.

So the discussions we had were to move the mocking layer to the requests against the DNS API, like in Lexicon, in a way or another. My idea was to reuse existing cassettes and vcrpy that corresponds to actual requests when a certbot is generated using a dns challenge (typically writing TXT records with the acme hash).

So in fact, all of this is coherent with your remarks. The tests would be sensible only to breaking changes on the DNS API, and as you said, it is very unlikely that would happen.

[adferrand]

And for that matter in fact, certbot plug-ins instrumentale directly the provider classes, while Lexicon is not designed for this usage: providers should not be used directly, but through the Client that mitigates already a lot of side effects.

For instance, certbot makes a smart analysis of the domain provided, to extract all relevant parts and standardize to fqdn, while Lexicon client has already all of this.

So it would be a good first evolution, like calling the Lexicon client then mocking the provider through an smart mock that extends BaseProvider. Ultimately however, I think we should do what I described above.

[trinopoty]

If we're talking about lexicon, it's far easier to write a test for the Lexicon Certbot interface instead of possibly updating plugins. Said test would create a mock lexicon provider and run the tests in dns_test_common_lexicon.py to verify the interface.
If we're talking about dns plugins in general, it's possible to use vcrpy to make a recording and run that in CI but that has the problem of requiring to update the recordings if there's a breaking change in certbot for instance.

[bmw]

How to test our DNS plugins is the single greatest concern I have about them.

In an ideal world, what I'd personally want are end to end tests using Certbot against the live API of each DNS provider we support. This gives us the most confidence the plugins work because they are complete and unhampered tests that everything is working properly.

As of right now, this is still our plan for testing these plugins. While we don't (yet) have regularly running tests that each plugin is still working, we have taken the time and money to set up accounts for each DNS plugin when reviewing them. We're also continuing to maintain and pay for these accounts for many of our plugins with the plan to set up these regularly running tests.

I'm not sure this situation is sustainable though. We currently have 14 DNS plugins with PRs for 12 more. Does it really make sense for us to pay and maintain accounts for 26+ DNS providers? This is somewhat expensive and it's time consuming as there's legal review required of each new TOS we're agreeing to when we sign up for a new account.

Not only that, but as I explain in #6504, I was initially planning for us to happily take on new PRs based on Lexicon. As of writing this, Lexicon supports 47 providers. Perhaps that issue of which DNS plugins we take on is the problem instead of our testing, but I think something has to change.

We could consider not running end to end tests of each DNS plugin. This worries me because EFF/Certbot will be releasing and maintaining software with a major hole in its testing. Maybe this is a bad enough idea that we should end the conversation here and solve other problems with our DNS plugins, but if we were to consider this, what would this look like?

There are suggestions of things like cassettes and vcrpy above which are worth considering. My main concern there is what happens when a PR like #5350 comes around which changes our interaction with many DNS providers? Do we fire up accounts again and recapture a new interaction? I kind of feel like just keeping the account around is easier at that point.

At the end of the day though, if we don't have end to end tests of our DNS libraries, we are placing more of our trust (and reputation) in hoping that the library is well tested and maintained. This might be OK, but I think we'd want to limit the libraries we do this with to either large providers and/or a single library that we build a relationship with like Lexicon.

[zjs]

I agree with @bmw (#6504 (comment), #6178 (comment)) that this issue is the crux of designing a path forward for DNS plugins.

Because of the way Certbot is used (in production environments, running without user interaction, to replace certificates which expire on a relatively short timeline), I think it is important to be able to quickly and reliably identify problems in an automated way.

Given the small size of the Certbot development team, and potential need to coordinate with maintainers of dependencies to solve problems, waiting for users to notice and report an issues seems risky. Even if an issue affects a median-use DNS plugin, that's still potentially hundreds of users (#6504 (comment)).

I think real end-to-end testing of plugins is the best approach to testing. It is the best way to verify changes to code shared by multiple plugins and updates to dependencies, and perhaps the only way to detect breaking changes to DNS provider APIs.

I think real end-to-end testing of plugins becomes even more important if broad support for all Lexicon providers is added; having a user be the first to actually use a plugin "for real" seems undesirable.

[zjs]

I'd propose a multi-step approach to achieving this:

1. Develop end-to-end tests which can be manually executed to validate a plugin, based on the manual testing we've done historically. Going forward, these become a key component of the review process for new DNS plugins and changes which affect existing DNS plugins.
2. Automate execution of these tests for providers accounts are already available for.
3. Consider creative ways to get results for other providers. Some providers may have developer access programs to provide free access to projects integrating with their APIs. In other cases, people with accounts may be willing to "donate" a subdomain and credentials to manage records for that subdomain.
4. Review telemetry data periodically. Consider investing in accounts for higher-use providers where automated testing is not yet available.

[trinopoty]

A complete end-to-end test system has a few but major drawbacks.
First, it would require maintaining accounts with each provider which brings with it stuff like costs.
Also, has the potential to limit the tests that an independent contributor can run.
If you go with the option of maintaining an account on all the supported providers, you will need some way to keep the access keys secure. While keeping the encrypted keys in travis config is easy enough, this would mean that DNS plugin tests will fail on a developer's local system.
These are the only major drawbacks I can think of atm. I'm sure actually sitting over it will give us a few more to deal with.
Also, this option limits running tests in parallel (includes travis and the local systems of multiple developers).

[zjs]

Also, has the potential to limit the tests that an independent contributor can run.

We should be able to trigger tests based on a PR. While less convenient than being able to run tests from a developer's system, this may be a good complement to unit tests.

Also, this option limits running tests in parallel (includes travis and the local systems of multiple developers).

A unique subdomain could be used for each test run to isolate parallel runs from one another.