From db19e1073bb0944f2e68791b664301a1b459e68f Mon Sep 17 00:00:00 2001
From: Erik Sundell <erik@sundellopensource.se>
Date: Sat, 16 May 2020 12:29:37 +0200
Subject: [PATCH] netpol: add dedicated test of DNS functionality

---
 images/singleuser-sample/Dockerfile |  2 ++
 tests/test_spawn.py                 | 22 ++++++++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/images/singleuser-sample/Dockerfile b/images/singleuser-sample/Dockerfile
index 6e3aa6071e..29bcee28a6 100644
--- a/images/singleuser-sample/Dockerfile
+++ b/images/singleuser-sample/Dockerfile
@@ -14,7 +14,9 @@ ARG JUPYTERHUB_VERSION=1.1.*
 # NOTE: git is already available in the jupyter/minimal-notebook image.
 USER root
 RUN apt-get update && apt-get install --yes --no-install-recommends \
+    dnsutils \
     git \
+    iputils-ping \
  && rm -rf /var/lib/apt/lists/*
 USER $NB_USER
 
diff --git a/tests/test_spawn.py b/tests/test_spawn.py
index 1ad2ee5a23..f276931f9c 100644
--- a/tests/test_spawn.py
+++ b/tests/test_spawn.py
@@ -162,6 +162,24 @@ def test_singleuser_netpol(api_request, jupyter_user, request_data):
         print(server_model)
         pod_name = server_model["state"]["pod_name"]
 
+        c = subprocess.run([
+            "kubectl", "exec", pod_name,
+            "--namespace", os.environ["Z2JH_KUBE_NAMESPACE"],
+            "--context", os.environ["Z2JH_KUBE_CONTEXT"],
+            "--",
+            "nslookup", "hub",
+        ])
+        assert c.returncode == 0, "DNS issue: failed to resolve 'hub' from a singleuser-server"
+
+        c = subprocess.run([
+            "kubectl", "exec", pod_name,
+            "--namespace", os.environ["Z2JH_KUBE_NAMESPACE"],
+            "--context", os.environ["Z2JH_KUBE_CONTEXT"],
+            "--",
+            "nslookup", "jupyter.org",
+        ])
+        assert c.returncode == 0, "DNS issue: failed to resolve 'jupyter.org' from a singleuser-server"
+
         # Must match CIDR in singleuser.networkPolicy.egress.
         allowed_url = "http://jupyter.org"
         blocked_url = "http://mybinder.org"
@@ -173,14 +191,14 @@ def test_singleuser_netpol(api_request, jupyter_user, request_data):
             "--",
             "wget", "--quiet", "--tries=1", "--timeout=3", allowed_url,
         ])
-        assert c.returncode == 0, "Unable to get allowed domain (or failed to resolve the domain name)"
+        assert c.returncode == 0, "Unable to get allowed domain"
 
         c = subprocess.run([
             "kubectl", "exec", pod_name,
             "--namespace", os.environ["Z2JH_KUBE_NAMESPACE"],
             "--context", os.environ["Z2JH_KUBE_CONTEXT"],
             "--",
-            "wget", "--quiet", "--tries=1", "--timeout=3", blocked_url,
+            "wget", "--quiet", "--server-response", "-O-", "--tries=1", "--timeout=3", blocked_url,
         ])
         assert c.returncode > 0, "Blocked domain was allowed"