Merge pull request #4874 from Infisical/dynamic-import-nock

fangpenlin · web-flow · commit d272a5e0e513 · 2025-11-20T09:35:27.000-08:00
Move nock to dev deps and include the route only for dev/test builds
diff --git a/.gitignore b/.gitignore
@@ -74,3 +74,4 @@ cli/test/infisical-merge
 backend/bdd/.bdd-infisical-bootstrap-result.json
 
 /npm/bin
+__pycache__
diff --git a/backend/bdd/features/steps/pki_acme.py b/backend/bdd/features/steps/pki_acme.py
@@ -615,13 +615,14 @@ def step_impl(context: Context, var_path: str, jq_query: str, expected: str):
 
 @then('the value {var_path} with jq "{jq_query}" should match pattern {regex}')
 def step_impl(context: Context, var_path: str, jq_query: str, regex: str):
+    actual_regex = replace_vars(regex, context.vars)
     value, result = apply_value_with_jq(
         context=context,
         var_path=var_path,
         jq_query=jq_query,
     )
-    assert re.match(replace_vars(regex, context.vars), result), (
-        f"{json.dumps(value)!r} with jq {jq_query!r}, the result {json.dumps(result)!r} does not match {regex!r}"
+    assert re.match(actual_regex, result), (
+        f"{json.dumps(value)!r} with jq {jq_query!r}, the result {json.dumps(result)!r} does not match {actual_regex!r}"
     )
 
 
diff --git a/backend/bdd/features/steps/utils.py b/backend/bdd/features/steps/utils.py
@@ -15,6 +15,7 @@
 
 ACC_KEY_BITS = 2048
 ACC_KEY_PUBLIC_EXPONENT = 65537
+NOCK_API_PREFIX = "/api/__bdd_nock__"
 logger = logging.getLogger(__name__)
 faker = Faker()
 
@@ -265,7 +266,7 @@ def extension_to_dict(ext):
 def define_nock(context: Context, definitions: list[dict]):
     jwt_token = context.vars["AUTH_TOKEN"]
     response = context.http_client.post(
-        "/api/v1/bdd-nock/define",
+        f"{NOCK_API_PREFIX}/define",
         headers=dict(authorization="Bearer {}".format(jwt_token)),
         json=dict(definitions=definitions),
     )
@@ -275,7 +276,7 @@ def define_nock(context: Context, definitions: list[dict]):
 def restore_nock(context: Context):
     jwt_token = context.vars["AUTH_TOKEN"]
     response = context.http_client.post(
-        "/api/v1/bdd-nock/restore",
+        f"{NOCK_API_PREFIX}/restore",
         headers=dict(authorization="Bearer {}".format(jwt_token)),
         json=dict(),
     )
@@ -285,7 +286,7 @@ def restore_nock(context: Context):
 def clean_all_nock(context: Context):
     jwt_token = context.vars["AUTH_TOKEN"]
     response = context.http_client.post(
-        "/api/v1/bdd-nock/clean-all",
+        f"{NOCK_API_PREFIX}/clean-all",
         headers=dict(authorization="Bearer {}".format(jwt_token)),
         json=dict(),
     )
diff --git a/backend/nodemon.json b/backend/nodemon.json
@@ -1,6 +1,8 @@
 {
-  "watch": ["src"],
+  "watch": [
+    "src"
+  ],
   "ext": ".ts,.js",
   "ignore": [],
-  "exec": "tsx ./src/main.ts | pino-pretty --colorize --colorizeObjects --singleLine"
-}
+  "exec": "tsx --tsconfig=./tsconfig.dev.json --inspect=0.0.0.0:9229 ./src/main.ts | pino-pretty --colorize --colorizeObjects --singleLine"
+}
diff --git a/backend/package.json b/backend/package.json
@@ -32,7 +32,7 @@
     "binary:clean": "rm -rf ./dist && rm -rf ./binary",
     "binary:rename-imports": "ts-node ./scripts/rename-mjs.ts",
     "test": "echo \"Error: no test specified\" && exit 1",
-    "dev": "tsx watch --clear-screen=false ./src/main.ts  | pino-pretty --colorize --colorizeObjects --singleLine",
+    "dev": "tsx watch --clear-screen=false ./src/main.ts  --config tsconfig.dev.json | pino-pretty --colorize --colorizeObjects --singleLine",
     "dev:docker": "nodemon",
     "build": "tsup --sourcemap",
     "build:frontend": "npm run build --prefix ../frontend",
@@ -266,4 +266,4 @@
     "zod": "^3.22.4",
     "zod-to-json-schema": "^3.24.5"
   }
-}
+}
diff --git a/backend/src/lib/config/env.ts b/backend/src/lib/config/env.ts
@@ -400,7 +400,7 @@ const envSchema = z
     isAcmeDevelopmentMode: data.NODE_ENV === "development" && data.ACME_DEVELOPMENT_MODE,
     isProductionMode: data.NODE_ENV === "production" || IS_PACKAGED,
     isRedisSentinelMode: Boolean(data.REDIS_SENTINEL_HOSTS),
-    isBddNockApiEnabled: data.NODE_ENV === "development" && data.BDD_NOCK_API_ENABLED,
+    isBddNockApiEnabled: data.NODE_ENV !== "production" && data.BDD_NOCK_API_ENABLED,
     REDIS_SENTINEL_HOSTS: data.REDIS_SENTINEL_HOSTS?.trim()
       ?.split(",")
       .map((el) => {
diff --git a/backend/src/server/routes/bdd/bdd-nock-router.dev.ts b/backend/src/server/routes/bdd/bdd-nock-router.dev.ts
@@ -0,0 +1,104 @@
+import type { Definition } from "nock";
+import { z } from "zod";
+
+import { getConfig } from "@app/lib/config/env";
+import { ForbiddenRequestError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+// When running in production, we don't want to even import nock, because it's not needed and it increases memory usage a lots.
+// It once caused an outage in the production environment.
+// This is why we would rather to crash the app if it's not in development mode (in that case, Kubernetes should stop it from rolling out).
+if (process.env.NODE_ENV === "production") {
+  throw new Error("BDD Nock API can only be enabled in development or test mode");
+}
+
+export const registerBddNockRouter = async (server: FastifyZodProvider) => {
+  const appCfg = getConfig();
+  const importNock = async () => {
+    // eslint-disable-next-line import/no-extraneous-dependencies
+    const { default: nock } = await import("nock");
+    return nock;
+  };
+
+  const checkIfBddNockApiEnabled = () => {
+    // Note: Please note that this API is only available in development mode and only for BDD tests.
+    // This endpoint should NEVER BE ENABLED IN PRODUCTION!
+    if (appCfg.NODE_ENV === "production" || !appCfg.isBddNockApiEnabled) {
+      throw new ForbiddenRequestError({ message: "BDD Nock API is not enabled" });
+    }
+  };
+
+  server.route({
+    method: "POST",
+    url: "/define",
+    schema: {
+      body: z.object({ definitions: z.unknown().array() }),
+      response: {
+        200: z.object({ status: z.string() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      checkIfBddNockApiEnabled();
+      const { body } = req;
+      const { definitions } = body;
+      logger.info(definitions, "Defining nock");
+      const processedDefinitions = definitions.map((definition: unknown) => {
+        const { path, ...rest } = definition as Definition;
+        return {
+          ...rest,
+          path:
+            path !== undefined && typeof path === "string"
+              ? path
+              : new RegExp((path as unknown as { regex: string }).regex ?? "")
+        } as Definition;
+      });
+
+      const nock = await importNock();
+      nock.define(processedDefinitions);
+      // Ensure we are activating the nocks, because we could have called `nock.restore()` before this call.
+      if (!nock.isActive()) {
+        nock.activate();
+      }
+      return { status: "ok" };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/clean-all",
+    schema: {
+      response: {
+        200: z.object({ status: z.string() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async () => {
+      checkIfBddNockApiEnabled();
+      logger.info("Cleaning all nocks");
+      const nock = await importNock();
+      nock.cleanAll();
+      return { status: "ok" };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/restore",
+    schema: {
+      response: {
+        200: z.object({ status: z.string() })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async () => {
+      checkIfBddNockApiEnabled();
+      logger.info("Restore network requests from nock");
+      const nock = await importNock();
+      nock.restore();
+      return { status: "ok" };
+    }
+  });
+};
diff --git a/backend/src/server/routes/bdd/bdd-nock-router.ts b/backend/src/server/routes/bdd/bdd-nock-router.ts
@@ -0,0 +1,6 @@
+export const registerBddNockRouter = async () => {
+  // This route is only available in development or test mode.
+  // The actual implementation is in the dev.ts file and will be aliased to that file in development or test mode.
+  // And if somehow we try to enable it in production, we will throw an error.
+  throw new Error("BDD Nock should not be enabled in production");
+};
diff --git a/backend/src/server/routes/index.ts b/backend/src/server/routes/index.ts
@@ -1,3 +1,4 @@
+import { registerBddNockRouter } from "@bdd_routes/bdd-nock-router";
 import { CronJob } from "cron";
 import { Knex } from "knex";
 import { monitorEventLoopDelay } from "perf_hooks";
@@ -2698,6 +2699,12 @@ export const registerRoutes = async (
   await server.register(registerV3Routes, { prefix: "/api/v3" });
   await server.register(registerV4Routes, { prefix: "/api/v4" });
 
+  // Note: This is a special route for BDD tests. It's only available in development mode and only for BDD tests.
+  // This route should NEVER BE ENABLED IN PRODUCTION!
+  if (getConfig().isBddNockApiEnabled) {
+    await server.register(registerBddNockRouter, { prefix: "/api/__bdd_nock__" });
+  }
+
   server.addHook("onClose", async () => {
     cronJobs.forEach((job) => job.stop());
     await telemetryService.flushAll();
diff --git a/backend/src/server/routes/v1/bdd-nock-router.ts b/backend/src/server/routes/v1/bdd-nock-router.ts
diff --git a/backend/src/server/routes/v1/index.ts b/backend/src/server/routes/v1/index.ts
@@ -8,7 +8,6 @@ import { registerSecretSyncRouter, SECRET_SYNC_REGISTER_ROUTER_MAP } from "@app/
 
 import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
-// import { registerBddNockRouter } from "./bdd-nock-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerCaRouter } from "./certificate-authority-router";
 import { CERTIFICATE_AUTHORITY_REGISTER_ROUTER_MAP } from "./certificate-authority-routers";
@@ -238,10 +237,4 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
 
   await server.register(registerEventRouter, { prefix: "/events" });
   await server.register(registerUpgradePathRouter, { prefix: "/upgrade-path" });
-
-  // Note: This is a special route for BDD tests. It's only available in development mode and only for BDD tests.
-  // This route should NEVER BE ENABLED IN PRODUCTION!
-  // if (getConfig().isBddNockApiEnabled) {
-  //   await server.register(registerBddNockRouter, { prefix: "/bdd-nock" });
-  // }
 };
diff --git a/backend/src/services/certificate-profile/certificate-profile-service.test.ts b/backend/src/services/certificate-profile/certificate-profile-service.test.ts
@@ -428,7 +428,13 @@ describe("CertificateProfileService", () => {
         service.createProfile({
           ...mockActor,
           projectId: "project-123",
-          data: validProfileData
+          data: {
+            ...validProfileData,
+            enrollmentType: EnrollmentType.ACME,
+            acmeConfig: {},
+            apiConfig: undefined,
+            estConfig: undefined
+          }
         })
       ).rejects.toThrowError(
         new BadRequestError({
diff --git a/backend/tsconfig.dev.json b/backend/tsconfig.dev.json
@@ -0,0 +1,9 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "paths": {
+      "@app/*": ["./src/*"],
+      "@bdd_routes/bdd-nock-router": ["./src/server/routes/bdd/bdd-nock-router.dev.ts"]
+    }
+  }
+}
diff --git a/backend/tsconfig.json b/backend/tsconfig.json
@@ -24,7 +24,8 @@
     "skipLibCheck": true,
     "baseUrl": ".",
     "paths": {
-      "@app/*": ["./src/*"]
+      "@app/*": ["./src/*"],
+      "@bdd_routes/*": ["./src/server/routes/bdd/*"]
     },
     "jsx": "react-jsx"
   },
diff --git a/backend/tsup.config.js b/backend/tsup.config.js
diff --git a/backend/vitest.e2e.config.mts b/backend/vitest.e2e.config.mts
diff --git a/backend/vitest.unit.config.mts b/backend/vitest.unit.config.mts
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml

Original file line number	Diff line number	Diff line change
`@@ -74,3 +74,4 @@ cli/test/infisical-merge`
`74`	`74`	`backend/bdd/.bdd-infisical-bootstrap-result.json`
`75`	`75`
`76`	`76`	`/npm/bin`
	`77`	`+__pycache__`
Original file line number	Diff line number	Diff line change
`@@ -615,13 +615,14 @@ def step_impl(context: Context, var_path: str, jq_query: str, expected: str):`
`615`	`615`
`616`	`616`	`@then('the value {var_path} with jq "{jq_query}" should match pattern {regex}')`
`617`	`617`	`def step_impl(context: Context, var_path: str, jq_query: str, regex: str):`
	`618`	`+ actual_regex = replace_vars(regex, context.vars)`
`618`	`619`	`value, result = apply_value_with_jq(`
`619`	`620`	`context=context,`
`620`	`621`	`var_path=var_path,`
`621`	`622`	`jq_query=jq_query,`
`622`	`623`	`)`
`623`		`- assert re.match(replace_vars(regex, context.vars), result), (`
`624`		`- f"{json.dumps(value)!r} with jq {jq_query!r}, the result {json.dumps(result)!r} does not match {regex!r}"`
	`624`	`+ assert re.match(actual_regex, result), (`
	`625`	`+ f"{json.dumps(value)!r} with jq {jq_query!r}, the result {json.dumps(result)!r} does not match {actual_regex!r}"`
`625`	`626`	`)`
`626`	`627`
`627`	`628`