test: enforce strict replay sandboxing in e2e fixtures (#79)

Co-authored-by: JY Tan <jy8230@gmail.com>

Author: sohankshirsagar

.github/workflows/e2e.yml

@@ -108,6 +108,39 @@ jobs:
           chmod +x ./drift/instrumentation/${{ matrix.library }}/e2e-tests/run.sh
           cd ./drift/instrumentation/${{ matrix.library }}/e2e-tests && ./run.sh 8000
 
+      - name: Print replay logs for ${{ matrix.library }}
+        if: always()
+        run: |
+          log_dir=./drift/instrumentation/${{ matrix.library }}/e2e-tests/.tusk/logs
+          if ! sudo test -d "$log_dir"; then
+            echo "No replay log directory found"
+            exit 0
+          fi
+
+          sudo chmod -R a+rX "$log_dir" || true
+          sudo chown -R "$(id -u):$(id -g)" "$log_dir" || true
+
+          shopt -s nullglob
+          logs=("$log_dir"/*)
+          if [ ${#logs[@]} -eq 0 ]; then
+            echo "No replay logs found"
+            exit 0
+          fi
+
+          for f in "${logs[@]}"; do
+            echo "=== $f ==="
+            cat "$f"
+          done
+
+      - name: Upload replay logs for ${{ matrix.library }}
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: e2e-${{ matrix.library }}-replay-logs
+          path: ./drift/instrumentation/${{ matrix.library }}/e2e-tests/.tusk/logs
+          if-no-files-found: ignore
+          include-hidden-files: true
+
       - name: Cleanup Docker resources
         if: always()
         run: |
@@ -186,6 +219,39 @@ jobs:
           chmod +x ./drift/stack-tests/${{ matrix.test }}/run.sh
           cd ./drift/stack-tests/${{ matrix.test }} && ./run.sh 8000
 
+      - name: Print replay logs for ${{ matrix.test }}
+        if: always()
+        run: |
+          log_dir=./drift/stack-tests/${{ matrix.test }}/.tusk/logs
+          if ! sudo test -d "$log_dir"; then
+            echo "No replay log directory found"
+            exit 0
+          fi
+
+          sudo chmod -R a+rX "$log_dir" || true
+          sudo chown -R "$(id -u):$(id -g)" "$log_dir" || true
+
+          shopt -s nullglob
+          logs=("$log_dir"/*)
+          if [ ${#logs[@]} -eq 0 ]; then
+            echo "No replay logs found"
+            exit 0
+          fi
+
+          for f in "${logs[@]}"; do
+            echo "=== $f ==="
+            cat "$f"
+          done
+
+      - name: Upload replay logs for ${{ matrix.test }}
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: stack-${{ matrix.test }}-replay-logs
+          path: ./drift/stack-tests/${{ matrix.test }}/.tusk/logs
+          if-no-files-found: ignore
+          include-hidden-files: true
+
       - name: Cleanup Docker resources
         if: always()
         run: |
@@ -257,6 +323,39 @@ jobs:
           chmod +x ./drift/instrumentation/requests/e2e-tests/run.sh
           cd ./drift/instrumentation/requests/e2e-tests && ./run.sh 8000
 
+      - name: Print replay logs for requests smoke test
+        if: always()
+        run: |
+          log_dir=./drift/instrumentation/requests/e2e-tests/.tusk/logs
+          if ! sudo test -d "$log_dir"; then
+            echo "No replay log directory found"
+            exit 0
+          fi
+
+          sudo chmod -R a+rX "$log_dir" || true
+          sudo chown -R "$(id -u):$(id -g)" "$log_dir" || true
+
+          shopt -s nullglob
+          logs=("$log_dir"/*)
+          if [ ${#logs[@]} -eq 0 ]; then
+            echo "No replay logs found"
+            exit 0
+          fi
+
+          for f in "${logs[@]}"; do
+            echo "=== $f ==="
+            cat "$f"
+          done
+
+      - name: Upload replay logs for requests smoke test
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: requests-smoke-replay-logs
+          path: ./drift/instrumentation/requests/e2e-tests/.tusk/logs
+          if-no-files-found: ignore
+          include-hidden-files: true
+
       - name: Cleanup Docker resources
         if: always()
         run: |

drift/instrumentation/aiohttp/e2e-tests/.tusk/config.yaml

@@ -25,4 +25,6 @@ recording:
 
 replay:
   enable_telemetry: false
+  sandbox:
+    mode: strict
 

drift/instrumentation/aiohttp/e2e-tests/docker-compose.yml

@@ -14,6 +14,11 @@ services:
       dockerfile: drift/instrumentation/aiohttp/e2e-tests/Dockerfile
       args:
         - TUSK_CLI_VERSION=${TUSK_CLI_VERSION:-latest}
+    cap_add:
+      - SYS_ADMIN
+    security_opt:
+      - seccomp=unconfined
+      - apparmor=unconfined
     environment:
       - PORT=8000
       - TUSK_ANALYTICS_DISABLED=1

drift/instrumentation/django/e2e-tests/.tusk/config.yaml

@@ -25,3 +25,5 @@ recording:
 
 replay:
   enable_telemetry: false
+  sandbox:
+    mode: strict

drift/instrumentation/django/e2e-tests/docker-compose.yml

@@ -14,6 +14,11 @@ services:
       dockerfile: drift/instrumentation/django/e2e-tests/Dockerfile
       args:
         - TUSK_CLI_VERSION=${TUSK_CLI_VERSION:-latest}
+    cap_add:
+      - SYS_ADMIN
+    security_opt:
+      - seccomp=unconfined
+      - apparmor=unconfined
     environment:
       - PORT=8000
       - TUSK_ANALYTICS_DISABLED=1

drift/instrumentation/e2e_common/Dockerfile.base

@@ -3,7 +3,7 @@
 # This base image contains:
 # - Python 3.9 (minimum supported version)
 # - Tusk CLI (for running replay tests)
-# - System utilities (curl, postgresql-client)
+# - System utilities (curl, postgresql-client, socat, bubblewrap)
 #
 # Build this image before running e2e tests:
 #   docker build -t python-e2e-base:latest -f drift/instrumentation/e2e-common/Dockerfile.base .
@@ -12,38 +12,40 @@ FROM python:3.9-slim
 
 # Install system dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    curl \
-    postgresql-client \
-    && rm -rf /var/lib/apt/lists/*
+  curl \
+  postgresql-client \
+  socat \
+  bubblewrap \
+  && rm -rf /var/lib/apt/lists/*
 
 # Install Tusk CLI
 # The CLI is downloaded from GitHub releases (tar.gz archives)
 ARG TUSK_CLI_VERSION=latest
 RUN set -ex && \
-    if [ "$TUSK_CLI_VERSION" = "latest" ]; then \
-      # Get the latest version tag
-      VERSION=$(curl -s https://api.github.com/repos/Use-Tusk/tusk-drift-cli/releases/latest | grep '"tag_name"' | cut -d '"' -f 4); \
-    else \
-      VERSION="${TUSK_CLI_VERSION}"; \
-    fi && \
-    # Remove 'v' prefix if present for the filename
-    VERSION_NUM=$(echo "$VERSION" | sed 's/^v//') && \
-    # Detect architecture (x86_64 or arm64)
-    ARCH=$(uname -m) && \
-    case "$ARCH" in \
-      x86_64) ARCH_NAME="x86_64" ;; \
-      aarch64|arm64) ARCH_NAME="arm64" ;; \
-      *) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
-    esac && \
-    # Construct download URL (archives are named like tusk-drift-cli_0.1.35_Linux_x86_64.tar.gz)
-    DOWNLOAD_URL="https://github.com/Use-Tusk/tusk-drift-cli/releases/download/${VERSION}/tusk-drift-cli_${VERSION_NUM}_Linux_${ARCH_NAME}.tar.gz" && \
-    echo "Downloading Tusk CLI from: $DOWNLOAD_URL" && \
-    curl -fsSL "$DOWNLOAD_URL" -o /tmp/tusk.tar.gz && \
-    tar -xzf /tmp/tusk.tar.gz -C /tmp && \
-    mv /tmp/tusk /usr/local/bin/tusk && \
-    chmod +x /usr/local/bin/tusk && \
-    rm -rf /tmp/tusk.tar.gz /tmp/LICENSE /tmp/README.md && \
-    tusk --version
+  if [ "$TUSK_CLI_VERSION" = "latest" ]; then \
+  # Get the latest version tag
+  VERSION=$(curl -s https://api.github.com/repos/Use-Tusk/tusk-drift-cli/releases/latest | grep '"tag_name"' | cut -d '"' -f 4); \
+  else \
+  VERSION="${TUSK_CLI_VERSION}"; \
+  fi && \
+  # Remove 'v' prefix if present for the filename
+  VERSION_NUM=$(echo "$VERSION" | sed 's/^v//') && \
+  # Detect architecture (x86_64 or arm64)
+  ARCH=$(uname -m) && \
+  case "$ARCH" in \
+  x86_64) ARCH_NAME="x86_64" ;; \
+  aarch64|arm64) ARCH_NAME="arm64" ;; \
+  *) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
+  esac && \
+  # Construct download URL (archives are named like tusk-drift-cli_0.1.35_Linux_x86_64.tar.gz)
+  DOWNLOAD_URL="https://github.com/Use-Tusk/tusk-drift-cli/releases/download/${VERSION}/tusk-drift-cli_${VERSION_NUM}_Linux_${ARCH_NAME}.tar.gz" && \
+  echo "Downloading Tusk CLI from: $DOWNLOAD_URL" && \
+  curl -fsSL "$DOWNLOAD_URL" -o /tmp/tusk.tar.gz && \
+  tar -xzf /tmp/tusk.tar.gz -C /tmp && \
+  mv /tmp/tusk /usr/local/bin/tusk && \
+  chmod +x /usr/local/bin/tusk && \
+  rm -rf /tmp/tusk.tar.gz /tmp/LICENSE /tmp/README.md && \
+  tusk --version
 
 # Upgrade pip
 RUN pip install --upgrade pip

drift/instrumentation/fastapi/e2e-tests/.tusk/config.yaml

@@ -25,4 +25,6 @@ recording:
 
 replay:
   enable_telemetry: false
+  sandbox:
+    mode: strict
 

drift/instrumentation/fastapi/e2e-tests/docker-compose.yml

@@ -14,6 +14,11 @@ services:
       dockerfile: drift/instrumentation/fastapi/e2e-tests/Dockerfile
       args:
         - TUSK_CLI_VERSION=${TUSK_CLI_VERSION:-latest}
+    cap_add:
+      - SYS_ADMIN
+    security_opt:
+      - seccomp=unconfined
+      - apparmor=unconfined
     environment:
       - PORT=8000
       - TUSK_ANALYTICS_DISABLED=1

drift/instrumentation/fastapi/e2e-tests/requirements.txt

@@ -2,5 +2,6 @@
 fastapi>=0.115.0
 uvicorn>=0.30.0
 requests>=2.32.5
-httpx>=0.27.0
+# Strict replay sandbox routes outbound HTTP through a SOCKS proxy.
+httpx[socks]>=0.27.0
 

drift/instrumentation/flask/e2e-tests/.tusk/config.yaml

@@ -25,4 +25,6 @@ recording:
 
 replay:
   enable_telemetry: false
+  sandbox:
+    mode: strict