akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

fix(integration): migrate wget-style curl syntax for Debian compatibility

Browse Source 
After migrating base image from Alpine to Debian Trixie (PR #550),
integration test scripts were using wget-style options with curl
that don't work correctly on Debian.

Changed curl -q -O- (wget syntax) to curl -sf (proper curl):

waf_integration.sh
cerberus_integration.sh
rate_limit_integration.sh
crowdsec_startup_test.sh
install-go-1.25.5.sh
Also added future phase to plan for Playwright security test helpers
to prevent ACL deadlock issues during E2E testing.

Refs: #550
This commit is contained in:
GitHub Actions
2026-01-25 09:17:50 +00:00
parent aa74d37a3a
commit a41cfaae10
12 changed files with 866 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

157
docs/reports/qa_report_waf_integration_fix_2026-01-25.md Normal file
View File

@@ -0,0 +1,157 @@
# QA Report: WAF Integration Fix
**Date**: 2026-01-25
**Branch**: feature/beta-release (merged from development)
**Context**: Fixed integration scripts using wget-style curl syntax
---
## Definition of Done Audit Summary
| Check | Status | Details |
|-------|--------|---------|
| Playwright E2E Tests | ❌ **FAILED** | 230/707 tests failed - ACL blocking test user creation |
| Backend Coverage | ✅ **PASS** | 86.5% (minimum: 85%) |
| Frontend Coverage | ⚠️ **1 FAILURE** | 1499/1500 passed, 1 failed test |
| TypeScript Type Check | ✅ **PASS** | No errors |
| Pre-commit Hooks | ✅ **PASS** | All hooks passed |
| Trivy Security Scan | ⚠️ **WARNING** | 2 HIGH (OS-level, no fix available) |
| Grype Security Scan | ✅ **PASS** | No fixable HIGH/CRITICAL issues |
---
## Detailed Results
### 1. Playwright E2E Tests ❌ FAILED
**Result**: 230 tests failed, 472 passed, 39 skipped
**Root Cause**: All failures show identical error:
```
Error: Failed to create user: {"error":"Blocked by access control list"}
```
**Analysis**: The WAF/ACL configuration is blocking the test fixture's ability to create test users via the API. This is a configuration issue in the Docker container's Cerberus security layer, not a code defect.
**Affected Test Suites**:
- `tests/security/` - Security dashboard, WAF config, rate limiting
- `tests/settings/` - Account settings, user management, notifications, SMTP
- `tests/tasks/` - Backups, imports, logs viewing
**Remediation Required**:
1. Review Cerberus ACL whitelist configuration for test environment
2. Ensure test API endpoints or test user IPs are whitelisted
3. Check if `DISABLE_ACL_FOR_TESTS` environment variable is needed
---
### 2. Backend Coverage ✅ PASS
**Result**: 86.5% statement coverage
- Minimum required: 85%
- All test suites passed
- No test failures
---
### 3. Frontend Coverage ⚠️ 1 FAILURE
**Result**: 1499 passed, 1 failed, 2 skipped
**Failed Test**:
```
FAIL src/components/__tests__/SecurityNotificationSettingsModal.test.tsx
> loads and displays existing settings
AssertionError: expected false to be true
- enableSwitch.checked expected to be true
```
**Analysis**: This appears to be a timing/async issue in the test where the modal's settings aren't loaded before the assertion runs. This is a **test flakiness issue**, not a production bug.
**Remediation**: Add `waitFor` or increase timeout for settings load in the test.
---
### 4. TypeScript Type Check ✅ PASS
**Result**: `tsc --noEmit` completed with zero errors
---
### 5. Pre-commit Hooks ✅ PASS
All hooks passed:
- fix end of files
- trim trailing whitespace
- check yaml
- check for added large files
- dockerfile validation
- Go Vet
- golangci-lint
- .version tag match
- LFS checks
- CodeQL DB artifact prevention
- Frontend TypeScript Check
- Frontend Lint
---
### 6. Security Scans
#### Trivy ⚠️ WARNING
**Findings**: 2 HIGH, 0 CRITICAL
| Library | CVE | Severity | Status | Notes |
|---------|-----|----------|--------|-------|
| libc-bin | CVE-2026-0861 | HIGH | affected | glibc heap corruption - no fix available |
| libc6 | CVE-2026-0861 | HIGH | affected | Same as above |
**Assessment**: These are base OS (Debian 13.3) vulnerabilities in glibc with no upstream fix available. The application code (Go binaries, Caddy, CrowdSec) has **zero vulnerabilities**.
#### Grype ✅ PASS
**Result**: No fixable vulnerabilities found
---
## Issues Blocking Merge
### Critical (Must Fix Before Merge)
1. **Playwright E2E Test ACL Blocking**
- **Issue**: Cerberus ACL blocks test user creation
- **Impact**: 230 E2E tests cannot run
- **Owner**: DevOps/Security configuration
- **Fix**: Whitelist test API or add test environment bypass
### Minor (Can Be Fixed Post-Merge)
2. **Flaky Frontend Test**
- **Issue**: `SecurityNotificationSettingsModal` test timing issue
- **Impact**: 1 test failure
- **Owner**: Frontend team
- **Fix**: Add proper async waiting in test
---
## Recommendations
1. **Immediate**: Investigate and fix the ACL configuration blocking E2E tests
2. **Before Merge**: Re-run full E2E suite after ACL fix
3. **Post-Merge**: Fix the flaky frontend test
4. **Ongoing**: Monitor CVE-2026-0861 for upstream glibc fix
---
## Sign-off
- [ ] ACL blocking issue resolved
- [ ] E2E tests passing (aim: >95%)
- [ ] Frontend flaky test fixed or documented
- [ ] Security scan reviewed and accepted
**Auditor**: GitHub Copilot (Claude Opus 4.5)
**Audit Date**: 2026-01-25