Don’t reduce dispatcher testing to an afterthought

Transcript

1. EUROPE'S LEADING AEM DEVELOPER CONFERENCE 25th – 27th SEPTEMBER 2023

   Don’t reduce dispatcher testing to an afterthought Jakub Wądołowski, diva-e (@jwadolowski)

2. Is dispatcher testing worth it? ▪ “Dispatcher is a one-off

   setup” ▪ “It doesn’t do much” ▪ “An over-engineering?” https://flic.kr/p/anyLkn

3. Project recap ▪ e-commerce platform ▪ AEMaaCS as a headless

   content API (JSON) ▪ Stateless API ▪ 100% cacheable ▪ Numerous HTTP clients https://flic.kr/p/djkkPw
4. None
5. None

6. What could possibly go wrong? ▪ Request/response modifications ▪ Caching

   (dispatcher/CDN) ▪ Cache bypassing ▪ Request filtering / security ▪ Error handling ▪ … https://flic.kr/p/jdZ178

7. The right tool for the job ▪ Simple ▪ Fast

   (AEM mocks) ▪ Easy to maintain & extend ▪ CI/CD friendly https://flic.kr/p/9Z1Q9Q
8. None

9. The tools ▪ Hurl ▪ command-line HTTP client ▪ HTTP

   test tool ▪ Rust + libcurl ▪ Dispatcher ▪ official SDK Docker image ▪ mitmproxy ▪ powerful man-in-the-middle proxy (Python) https://flic.kr/p/jPY82T

10. Basic HTTP flow ▪ 1st request expectations ▪ 200 OK

    ▪ valid JSON ▪ cached by dispatcher ▪ 2nd request expectations ▪ conditional GET (304 Not Modified) ▪ empty body ▪ served from cache (no AEM request) https://flic.kr/p/9v71eS
11. None
12. None
13. None
14. None
15. None
16. None
17. None
18. None
19. None
20. None
21. None
22. None
23. None
24. None

25. Hurl reporting ▪ Verbose flag(s) ▪ JUnit ▪ HTML https://flic.kr/p/dgge8U

26. None

27. What about compression? https://flic.kr/p/E3DufC

28. None
29. None
30. None
31. None
32. None

33. Broken conditional GETs ▪ GET response ▪ Read response body

    ▪ Calculate ETag (mod_core; “FileETag Digest”) ▪ Compress (mod_deflate; “-gzip” suffix in ETag) ▪ Conditional GET request ▪ Read request ▪ Compare If-None-Match and ETag (mod_core) ▪ “abcde-gzip” != “abcde” https://flic.kr/p/8rihKK
34. None

35. Cache hit or miss? https://flic.kr/p/FEzhCB

36. Let dispatcher talk! https://flic.kr/p/2jyA3fL

37. None
38. None
39. None

40. ETag - the hard way https://flic.kr/p/F3JzM

41. None
42. None
43. None
44. None
45. None
46. None
47. None
48. None
49. None

50. What went wrong? ▪ No browser cache - no problem

    ▪ CDN supports multiple variations per URL ▪ Browser stores only one variation ▪ Not all headers are mandatory in 304 response ▪ ETag’s fault again? https://flic.kr/p/6VBNjW

51. ETag rules ▪ ETag and Vary must come hand in

    hand ▪ Response body checksum is not enough ▪ Cover all variations ▪ CORS headers ▪ Encoding ▪ Language ▪ … https://flic.kr/p/qwVMGS
52. None
53. None
54. None
55. None

56. AEMaaCS domains & layers ▪ Domain landscape ▪ adobeaemcloud.com (CDN)

    ▪ custom ones (CDN) ▪ adobeaemcloud.net (k8s ingress) ▪ localhost (k8s pod) ▪ and a few more :) ▪ Layers: CDN / k8s ingress / Dispatcher / AEM https://flic.kr/p/bNVzTz

57. Dispatcher cache poisoning ▪ Absolute URLs in response body ▪

    External domain sources ▪ Host header ▪ OSGi config (CM variable) ▪ API crawling functional test https://flic.kr/p/kDBhHa
58. None
59. None
60. None
61. None
62. None
63. None

64. Cache poisoning learnings ▪ Functional tests must bypass dispatcher cache

    ▪ Normalise Host header https://flic.kr/p/6kH5V8

65. Links ▪ https://hurl.dev/ ▪ https://mitmproxy.org/ https://flic.kr/p/83eFJY

66. Thank you!