akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

chore: bump CrowdSec from 1.7.4 to 1.7.5

Browse Source 
Upgrade CrowdSec to maintenance release v1.7.5 with:

PAPI allowlist check before adding decisions
CAPI token reuse improvements
LAPI-only container hub preparation fix
~25 internal refactoring changes
12 dependency updates
Verification completed:

E2E tests: 674/746 passed
Backend coverage: 85.3%
Frontend coverage: 85.04%
Security scans: No new vulnerabilities
CodeQL: Clean (Go + JavaScript)
This commit is contained in:
GitHub Actions
2026-01-22 16:39:50 +00:00
parent 6593aca0ed
commit b60e0be5fb
8 changed files with 2728 additions and 2036 deletions
Download Patch File Download Diff File Expand all files Collapse all files

770
docs/plans/current_spec.md
View File

@@ -1,414 +1,518 @@
# Phase 2: TestDataManager Authentication Fix Implementation Plan
# CrowdSec 1.7.5 Upgrade Verification Plan
**Goal**: Fix TestDataManager to use authenticated API context, enabling 8 skipped tests in user management.
**Target**: Enable all user management E2E tests that are currently skipped due to TestDataManager using unauthenticated API calls.
**Estimated Effort**: 2-3 hours
**Document Type**: Verification Plan
**Version**: 1.7.4 → 1.7.5
**Created**: 2026-01-22
**Status**: Ready for Implementation
---
## Executive Summary
The `testData` fixture in Playwright tests creates a `TestDataManager` instance using an **unauthenticated API context**. This causes all API calls made by `TestDataManager` (like `createUser()`, `deleteUser()`) to fail with "Admin access required" errors. This plan details how to fix the fixture to use authenticated API requests by leveraging the stored authentication state from `playwright/.auth/user.json`.
This document outlines the verification plan for upgrading CrowdSec from version 1.7.4 to 1.7.5 in the Charon project. Based on analysis of the CrowdSec 1.7.5 release notes and the current integration implementation, this upgrade appears to be a **low-risk maintenance release** focused on internal refactoring, improved error handling, and dependency updates.
---
## Table of Contents
## 1. CrowdSec 1.7.5 Release Analysis
1. [Root Cause Analysis](#1-root-cause-analysis)
2. [Proposed Solution](#2-proposed-solution)
3. [Implementation Details](#3-implementation-details)
4. [Tests to Re-Enable](#4-tests-to-re-enable)
5. [Verification Steps](#5-verification-steps)
6. [Dependencies & Prerequisites](#6-dependencies--prerequisites)
7. [Risks & Mitigations](#7-risks--mitigations)
8. [Implementation Checklist](#8-implementation-checklist)
### 1.1 Key Changes Summary
| Category | Count | Risk Level |
|----------|-------|------------|
| Internal Refactoring | ~25 | Low |
| Bug Fixes | 8 | Low |
| Dependency Updates | ~12 | Low |
| New Features | 2 | Low |
### 1.2 Notable Changes Relevant to Charon Integration
#### New Features/Improvements
1. **`ParseKVLax` for Flexible Key-Value Parsing** ([#4007](https://github.com/crowdsecurity/crowdsec/pull/4007))
- Adds more flexible parsing capabilities
- Impact: None - internal parser enhancement
2. **AppSec Transaction ID Header Support** ([#4124](https://github.com/crowdsecurity/crowdsec/pull/4124))
- Enables request tracing via transaction ID header
- Impact: Optional feature, no required changes
3. **Docker Datasource Schema** ([#4206](https://github.com/crowdsecurity/crowdsec/pull/4206))
- Improved Docker acquisition configuration
- Impact: May benefit container monitoring setups
#### Bug Fixes
1. **PAPI Allowlist Check** ([#4196](https://github.com/crowdsecurity/crowdsec/pull/4196))
- Checks if decision is allowlisted before adding
- Impact: Improved decision handling
2. **CAPI Token Reuse** ([#4201](https://github.com/crowdsecurity/crowdsec/pull/4201))
- Always reuses stored token for CAPI
- Impact: Better authentication stability
3. **LAPI-Only Container Hub Fix** ([#4169](https://github.com/crowdsecurity/crowdsec/pull/4169))
- Don't prepare hub in LAPI-only containers
- Impact: Better for containerized deployments
#### Internal Changes (No External Impact)
- Removed `github.com/pkg/errors` dependency - uses `fmt.Errorf` instead
- Replaced syscall with unix/windows packages
- Various linting improvements (golangci-lint 2.8)
- Refactored acquisition and leakybucket packages
- Removed global variables in favor of dependency injection
- Build improvements for Docker (larger runners)
- Updated expr to 1.17.7 (already patched in Charon Dockerfile)
- Updated modernc.org/sqlite
### 1.3 Breaking Changes Assessment
**No Breaking Changes Identified**
The 1.7.5 release contains no API-breaking changes. All modifications are:
- Internal refactoring
- Bug fixes
- Dependency updates
- CI/CD improvements
---
## Supervisor Review: APPROVED ✅
## 2. Current Charon CrowdSec Integration Analysis
**Reviewed by**: Supervisor Agent (Senior Advisor)
**Date**: 2026-01-22
**Verdict**: Plan is ready for implementation
### 2.1 Integration Points
### Review Summary
| Component | Location | Description |
|-----------|----------|-------------|
| **Core Package** | [backend/internal/crowdsec/](backend/internal/crowdsec/) | CrowdSec integration library |
| **API Handler** | [backend/internal/api/handlers/crowdsec_handler.go](backend/internal/api/handlers/crowdsec_handler.go) | REST API endpoints |
| **Startup Service** | [backend/internal/services/crowdsec_startup.go](backend/internal/services/) | Initialization logic |
| **Dockerfile** | [Dockerfile](../../Dockerfile) (lines 199-290) | Source build configuration |
| Criterion | Status | Notes |
|-----------|--------|-------|
| Completeness | ✅ Pass | All changes documented |
| Technical Accuracy | ✅ Pass | Correct Playwright pattern |
| Risk Assessment | ✅ Pass | Adequate with fallbacks |
| Dependencies | ✅ Pass | All verified |
| Verification | ✅ Pass | Comprehensive |
| Edge Cases | 🔸 Minor | Added defensive file existence check |
### 2.2 Key Files in crowdsec Package
### Incorporated Recommendations
| File | Purpose | Functions to Verify |
|------|---------|---------------------|
| `registration.go` | Bouncer registration, LAPI health | `EnsureBouncerRegistered`, `CheckLAPIHealth`, `GetLAPIVersion` |
| `hub_sync.go` | Hub index fetching, preset pull/apply | `FetchIndex`, `Pull`, `Apply`, `extractTarGz` |
| `hub_cache.go` | Preset caching with TTL | `Store`, `Load`, `Evict` |
| `console_enroll.go` | Console enrollment | `Enroll`, `Status`, `checkLAPIAvailable` |
| `presets.go` | Curated preset definitions | `ListCuratedPresets`, `FindPreset` |
1. **Defensive `existsSync()` check**: Added to implementation to verify storage state file exists before use
2. **Import verification**: Clarified import strategy for `playwrightRequest`
3. **Dependent fixture verification**: Added to checklist to verify `adminUser`/`regularUser`/`guestUser` fixtures
### 2.3 Handler Functions (crowdsec_handler.go)
| Handler | Line | API Endpoint |
|---------|------|--------------|
| `Start` | 188 | POST /api/crowdsec/start |
| `Stop` | 290 | POST /api/crowdsec/stop |
| `Status` | 317 | GET /api/crowdsec/status |
| `ImportConfig` | 346 | POST /api/crowdsec/import |
| `ExportConfig` | 417 | GET /api/crowdsec/export |
| `ListFiles` | 486 | GET /api/crowdsec/files |
| `ReadFile` | 513 | GET /api/crowdsec/files/:path |
| `WriteFile` | 540 | PUT /api/crowdsec/files/:path |
| `ListPresets` | 580 | GET /api/crowdsec/presets |
| `PullPreset` | 662 | POST /api/crowdsec/presets/:slug/pull |
| `ApplyPreset` | 748 | POST /api/crowdsec/presets/:slug/apply |
| `ConsoleEnroll` | 876 | POST /api/crowdsec/console/enroll |
| `ConsoleStatus` | 932 | GET /api/crowdsec/console/status |
| `DeleteConsoleEnrollment` | 954 | DELETE /api/crowdsec/console/enrollment |
| `GetCachedPreset` | 975 | GET /api/crowdsec/presets/:slug |
| `GetLAPIDecisions` | 1077 | GET /api/crowdsec/lapi/decisions |
| `CheckLAPIHealth` | 1231 | GET /api/crowdsec/lapi/health |
### 2.4 Docker Configuration
**Dockerfile CrowdSec Section** (lines 199-290):
- Current version: `CROWDSEC_VERSION=1.7.4`
- Build method: Source compilation with Go 1.25.6
- Dependency patches applied:
- `github.com/expr-lang/expr@v1.17.7`
- `golang.org/x/crypto@v0.46.0`
- Fix for expr-lang v1.17.7 compatibility (sed replacement)
**Docker Compose Files**:
- `.docker/compose/docker-compose.yml` - Production config with crowdsec_data volume
- `.docker/compose/docker-compose.local.yml` - Local development
- `.docker/compose/docker-compose.playwright.yml` - E2E testing (crowdsec disabled)
---
## 1. Root Cause Analysis
## 3. Verification Checklist
### Current Problem
### 3.1 Pre-Upgrade Verification
The `testData` fixture in `auth-fixtures.ts` creates a `TestDataManager` instance using the Playwright `request` fixture:
- [ ] **Backup current state**
- Export current CrowdSec configuration
- Document current bouncer registrations
- Note current LAPI version from `/api/crowdsec/lapi/health`
```typescript
// tests/fixtures/auth-fixtures.ts (lines 69-75)
testData: async ({ request }, use, testInfo) => {
const manager = new TestDataManager(request, testInfo.title);
await use(manager);
await manager.cleanup();
},
- [ ] **Review dependency patches**
- Verify if `expr-lang@v1.17.7` patch is still needed (1.7.5 updates to 1.17.7)
- Check if `golang.org/x/crypto@v0.46.0` is still required
### 3.2 Dockerfile Update Checklist
- [ ] Update `CROWDSEC_VERSION=1.7.5` on line 213
- [ ] Update `CROWDSEC_VERSION=1.7.5` on line 267 (fallback stage)
- [ ] Verify expr-lang patch compatibility (line 228-235)
- [ ] Test multi-arch build (amd64, arm64)
### 3.3 Build Verification
```bash
# Build CrowdSec builder stage
docker build --target crowdsec-builder -t charon-crowdsec-test:1.7.5 .
# Verify binaries
docker run --rm charon-crowdsec-test:1.7.5 /crowdsec-out/cscli version
docker run --rm charon-crowdsec-test:1.7.5 /crowdsec-out/crowdsec -version
# Full image build
docker build -t charon:1.7.5-test .
```
The issue: **Playwright's `request` fixture creates an unauthenticated API context**. It does NOT use the `storageState` from `playwright.config.js` that the browser context uses.
### 3.4 Unit Test Verification
When `TestDataManager.createUser()` is called:
1. It posts to `/api/v1/users` using the unauthenticated `request` context
2. The backend requires admin authentication for user creation
3. The request fails with 401/403 "Admin access required"
Run all CrowdSec-related tests:
### Evidence
```bash
# Core package tests
cd backend && go test -v -race ./internal/crowdsec/...
From [user-management.spec.ts](../../tests/settings/user-management.spec.ts#L535-L538):
```typescript
// SKIP: testData.createUser() uses unauthenticated API calls
// The TestDataManager's request context doesn't inherit auth from the browser session
// This causes user creation and cleanup to fail with "Admin access required"
// TODO: Fix by making TestDataManager use authenticated API requests
# Handler tests
go test -v -race ./internal/api/handlers/... -run "Crowdsec"
# Startup tests
go test -v -race ./internal/services/... -run "Crowdsec"
```
**Test Files to Execute**:
| Test File | Purpose |
|-----------|---------|
| `hub_sync_test.go` | Hub fetching and preset application |
| `hub_cache_test.go` | Cache TTL and eviction |
| `registration_test.go` | Bouncer registration |
| `console_enroll_test.go` | Console enrollment |
| `presets_test.go` | Curated preset definitions |
| `crowdsec_handler_test.go` | Handler integration |
| `crowdsec_lapi_test.go` | LAPI communication |
| `crowdsec_decisions_test.go` | Decision handling |
| `crowdsec_startup_test.go` | Service startup |
### 3.5 Integration Test Verification
```bash
# Run integration tests
cd backend && go test -v -tags=integration ./integration/... -run "Crowdsec"
# Run via task
make integration-crowdsec
```
### 3.6 E2E Test Verification
**Test Files**:
| Test File | Status | Purpose |
|-----------|--------|---------||
| `tests/security/crowdsec-config.spec.ts` | Active | CrowdSec configuration UI tests |
| `tests/security/crowdsec-decisions.spec.ts` | Skipped | LAPI decisions tests (requires running CrowdSec) |
> **Note**: `crowdsec-decisions.spec.ts` is currently skipped as it requires a running CrowdSec instance with LAPI enabled. These tests run in CI with full infrastructure.
```bash
# Run Playwright E2E tests (via skill runner - recommended)
.github/skills/scripts/skill-runner.sh test-e2e-playwright
# Or run specific test files
npx playwright test --project=chromium tests/security/crowdsec-config.spec.ts
```
### 3.7 Functional Verification Matrix
| Feature | Test Method | Expected Outcome |
|---------|-------------|------------------|
| **LAPI Health** | GET `/api/crowdsec/lapi/health` | Returns version "1.7.5" |
| **Start/Stop** | POST `/api/crowdsec/start`, `/stop` | Process starts/stops cleanly |
| **Status Check** | GET `/api/crowdsec/status` | Returns running state and PID |
| **Hub Index Fetch** | GET `/api/crowdsec/presets` | Returns preset list |
| **Preset Pull** | POST `/api/crowdsec/presets/base-http-scenarios/pull` | Downloads and caches preset |
| **Preset Apply** | POST `/api/crowdsec/presets/base-http-scenarios/apply` | Applies preset configuration |
| **Console Enroll** | POST `/api/crowdsec/console/enroll` | Sends enrollment request |
| **LAPI Decisions** | GET `/api/crowdsec/lapi/decisions` | Returns decision list |
| **Bouncer Registration** | Automatic on start | API key retrieved/generated |
### 3.8 Dependency Patch Verification
CrowdSec 1.7.5 includes `expr-lang/expr@v1.17.7` natively. Test whether the Dockerfile patch can be removed.
**Verification Steps**:
1. [ ] **Test WITHOUT expr-lang patch**:
```bash
# Temporarily comment out expr-lang patch in Dockerfile (lines 225-229)
# Build and run tests
docker build --target crowdsec-builder -t charon-crowdsec-no-patch:test .
docker run --rm charon-crowdsec-no-patch:test /crowdsec-out/cscli version
```
2. [ ] **If build succeeds without patch**:
- Remove `go get github.com/expr-lang/expr@v1.17.7` line
- Remove the `sed` fix for `program.Source().String()` if not needed
- Keep `golang.org/x/crypto@v0.46.0` patch for security
3. [ ] **If build fails without patch**:
- Retain the patch with updated comment noting it's still required
- Document the specific error for future reference
4. [ ] **Validation**:
- Run full test suite after patch removal
- Verify no regression in CrowdSec functionality
---
## 4. Test Scenarios
### 4.1 Upgrade Smoke Test
```
WHEN the Docker image is built with CROWDSEC_VERSION=1.7.5
THEN the cscli version command reports v1.7.5
AND the crowdsec binary starts successfully
AND the LAPI health endpoint responds
```
### 4.2 Hub Sync Compatibility
```
WHEN hub index is fetched after upgrade
THEN the index format is parsed correctly
AND preset pull operations complete successfully
AND preset apply operations complete without errors
```
### 4.3 Console Enrollment Stability
```
WHEN console enrollment is attempted after upgrade
THEN LAPI availability check succeeds
AND CAPI registration works if needed
AND enrollment request is sent successfully
```
### 4.4 Decision API Compatibility
```
WHEN LAPI decisions are queried after upgrade
THEN the response format is unchanged
AND decisions are correctly parsed
AND filtering by scope/type works
```
### 4.5 Bouncer Registration
```
WHEN a new bouncer is registered after upgrade
THEN cscli bouncers add command succeeds
AND the bouncer appears in cscli bouncers list
AND the API key is correctly returned
```
---
## 2. Proposed Solution
## 5. Rollback Plan
### Approach: Create Authenticated APIRequestContext from Storage State
### 5.1 Quick Rollback
Modify the `testData` fixture to create an authenticated `APIRequestContext` using the stored authentication state from `playwright/.auth/user.json`.
If issues are encountered after upgrade:
### Key Changes
1. **Revert Dockerfile**:
```bash
git checkout HEAD~1 -- Dockerfile
```
| File | Change Type | Description |
|------|-------------|-------------|
| [tests/fixtures/auth-fixtures.ts](../../tests/fixtures/auth-fixtures.ts) | Modify | Update `testData` fixture to use authenticated API context |
| [tests/auth.setup.ts](../../tests/auth.setup.ts) | Reference only | Storage state path already exported |
2. **Rebuild with previous version**:
```bash
docker build --build-arg CROWDSEC_VERSION=1.7.4 -t charon:rollback .
```
3. **Redeploy**:
```bash
docker-compose -f .docker/compose/docker-compose.yml down
docker-compose -f .docker/compose/docker-compose.yml up -d
```
### 5.2 Data Preservation
The `crowdsec_data` volume contains:
- Configuration files
- Acquired scenarios and parsers
- Decision database
- Bouncer registrations
This volume persists across container recreations, ensuring data is preserved during rollback.
---
## 3. Implementation Details
## 6. Files Requiring Updates
### 3.1 File: `tests/fixtures/auth-fixtures.ts`
### 6.1 Must Update
#### Current Implementation (Lines 69-75)
| File | Line(s) | Change |
|------|---------|--------|
| `Dockerfile` | 213 | `CROWDSEC_VERSION=1.7.4` → `1.7.5` |
| `Dockerfile` | 267 | `CROWDSEC_VERSION=1.7.4` → `1.7.5` |
```typescript
/**
* TestDataManager fixture with automatic cleanup
* Creates a unique namespace per test and cleans up all resources after
*/
testData: async ({ request }, use, testInfo) => {
const manager = new TestDataManager(request, testInfo.title);
await use(manager);
await manager.cleanup();
},
### 6.2 May Require Review
| File | Reason |
|------|--------|
| `Dockerfile` (lines 228-235) | Verify expr-lang patch still needed |
| `docs/plans/crowdsec_source_build.md` | Update version reference |
| `docs/implementation/QUICK_FIX_SUPPLY_CHAIN.md` | Update version reference |
### 6.3 No Changes Required (Verified Compatible)
| File | Reason |
|------|--------|
| `backend/internal/crowdsec/*.go` | No API changes in 1.7.5 |
| `backend/internal/api/handlers/crowdsec_handler.go` | No API changes |
| `.docker/compose/*.yml` | Volume/env unchanged |
---
## 7. Dependency Analysis
### 7.1 Current Dockerfile Patches
```dockerfile
# Dockerfile lines 225-229
RUN go get github.com/expr-lang/expr@v1.17.7 && \
go get golang.org/x/crypto@v0.46.0 && \
go mod tidy
```
#### Proposed Implementation
**1.7.5 Status**:
- CrowdSec 1.7.5 already includes `expr@v1.17.7` ([#4150](https://github.com/crowdsecurity/crowdsec/pull/4150))
- The `expr-lang` patch **may be removable** - verify during testing
- The `golang.org/x/crypto` patch should remain for security
```typescript
// Import playwrightRequest directly from @playwright/test (not from coverage wrapper)
// @bgotink/playwright-coverage doesn't re-export request.newContext()
import { request as playwrightRequest } from '@playwright/test';
import { existsSync } from 'fs';
import { STORAGE_STATE } from '../auth.setup';
### 7.2 Compatibility Fix
// ... existing code ...
/**
* TestDataManager fixture with automatic cleanup
*
* FIXED: Now creates an authenticated API context using stored auth state.
* This ensures API calls (like createUser, deleteUser) inherit the admin
* session established by auth.setup.ts.
*
* Previous Issue: The base `request` fixture was unauthenticated, causing
* "Admin access required" errors on protected endpoints.
*/
testData: async ({ baseURL }, use, testInfo) => {
// Defensive check: Verify auth state file exists (created by auth.setup.ts)
if (!existsSync(STORAGE_STATE)) {
throw new Error(
`Auth state file not found at ${STORAGE_STATE}. ` +
'Ensure auth.setup has run first. Check that dependencies: ["setup"] is configured.'
);
}
// Create an authenticated API request context using stored auth state
// This inherits the admin session from auth.setup.ts
const authenticatedContext = await playwrightRequest.newContext({
baseURL,
storageState: STORAGE_STATE,
extraHTTPHeaders: {
Accept: 'application/json',
'Content-Type': 'application/json',
},
});
const manager = new TestDataManager(authenticatedContext, testInfo.title);
try {
await use(manager);
} finally {
// Ensure cleanup runs even if test fails
await manager.cleanup();
// Dispose the API context to release resources
await authenticatedContext.dispose();
}
},
```dockerfile
# Dockerfile lines 232-235
RUN sed -i 's/string(program\.Source())/program.Source().String()/g' pkg/exprhelpers/debugger.go
```
### 3.2 Full Updated Import Section
Add these imports at the top of `auth-fixtures.ts`:
```typescript
import { test as base, expect } from '@bgotink/playwright-coverage';
import { request as playwrightRequest } from '@playwright/test';
import { existsSync } from 'fs';
import { TestDataManager } from '../utils/TestDataManager';
import { STORAGE_STATE } from '../auth.setup';
```
**Note**: `playwrightRequest` is imported from `@playwright/test` directly because `@bgotink/playwright-coverage` does not re-export the `request` module needed for `request.newContext()`.
### 3.3 Verify STORAGE_STATE Export in auth.setup.ts
The current `auth.setup.ts` already exports `STORAGE_STATE`:
```typescript
// tests/auth.setup.ts (lines 20-22)
const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename);
export const STORAGE_STATE = join(__dirname, '../playwright/.auth/user.json');
```
**No changes needed to this file.**
**Verification Needed**: Check if this fix is still required in 1.7.5
---
## 4. Tests to Re-Enable
## 8. Implementation Steps
After implementing this fix, the following 8 tests in [tests/settings/user-management.spec.ts](../../tests/settings/user-management.spec.ts) should be re-enabled by removing `test.skip()`:
### Phase 1: Preparation
| # | Test Name | File:Line | Current Skip Reason |
|---|-----------|-----------|---------------------|
| 1 | should open permissions modal | [user-management.spec.ts:496](../../tests/settings/user-management.spec.ts#L496) | Permissions button + testData auth |
| 2 | should update permission mode | [user-management.spec.ts:534](../../tests/settings/user-management.spec.ts#L534) | `testData.createUser()` uses unauthenticated API calls |
| 3 | should add permitted hosts | [user-management.spec.ts:609](../../tests/settings/user-management.spec.ts#L609) | Depends on settings button + testData auth |
| 4 | should remove permitted hosts | [user-management.spec.ts:665](../../tests/settings/user-management.spec.ts#L665) | Same as above |
| 5 | should save permission changes | [user-management.spec.ts:722](../../tests/settings/user-management.spec.ts#L722) | Same as above |
| 6 | should enable/disable user | [user-management.spec.ts:773](../../tests/settings/user-management.spec.ts#L773) | TestDataManager auth + test data pollution |
| 7 | should delete user with confirmation | [user-management.spec.ts:839](../../tests/settings/user-management.spec.ts#L839) | Delete button + testData auth |
| 8 | should change user role | [user-management.spec.ts:899](../../tests/settings/user-management.spec.ts#L899) | Role badge selector + testData auth |
1. [ ] Create feature branch: `feature/crowdsec-1.7.5-upgrade`
2. [ ] Run current test suite to establish baseline
3. [ ] Document current LAPI version and status
### Note on Mixed Skip Reasons
### Phase 2: Update
Some tests have **dual skip reasons** (e.g., "UI not implemented" + "testData auth issue"). After the auth fix, these tests should be evaluated:
4. [ ] Update Dockerfile with version 1.7.5
5. [ ] Test build locally (amd64)
6. [ ] Test build for arm64 (if available)
7. [ ] Verify binaries report correct version
- **If UI is now implemented**: Remove skip entirely
- **If UI is still missing**: Keep skip with updated reason (remove auth-related reason)
### Phase 3: Verification
8. [ ] Run E2E tests first: `.github/skills/scripts/skill-runner.sh test-e2e-playwright`
9. [ ] Run integration tests: `make integration-crowdsec`
10. [ ] Run unit tests: `make test-backend`
11. [ ] Run coverage verification: `make test-backend-coverage`
12. [ ] Manual API verification using functional matrix
### Phase 4: Documentation
12. [ ] Update version references in documentation
13. [ ] Update CHANGELOG.md
14. [ ] Create PR with test results
### Phase 5: Deployment
15. [ ] Merge to main
16. [ ] Monitor CI/CD pipeline
17. [ ] Verify production deployment
18. [ ] Monitor logs for any CrowdSec errors
---
## 5. Verification Steps
## 9. Acceptance Criteria
### 5.1 Pre-Implementation Verification
The upgrade is considered successful when:
1. **Confirm auth state file exists**:
```bash
ls -la playwright/.auth/user.json
```
2. **Verify auth.setup.ts runs before tests**:
```bash
npx playwright test --project=setup --reporter=list
```
### 5.2 Implementation Verification
1. **Run a single testData-dependent test**:
```bash
npx playwright test tests/settings/user-management.spec.ts \
--grep "should update permission mode" \
--project=chromium \
--reporter=list
```
2. **Verify API calls are authenticated** by adding debug logging:
```typescript
// Temporary debug in TestDataManager.createUser()
console.log('Creating user with context:', await this.request.storageState());
```
3. **Run all user-management tests**:
```bash
npx playwright test tests/settings/user-management.spec.ts \
--project=chromium \
--reporter=list
```
### 5.3 Post-Implementation Verification
1. **Verify skip count reduction**:
```bash
grep -c "test.skip" tests/settings/user-management.spec.ts
# Before: ~22 skips
# After: ~14 skips (8 removed for auth fix)
```
2. **Run full E2E suite to check for regressions**:
```bash
npx playwright test --project=chromium
```
3. **Verify cleanup works** (no orphaned test users):
- Check users list in UI after running tests
- All `test-*` prefixed users should be cleaned up
- [ ] All unit tests pass
- [ ] All integration tests pass
- [ ] All E2E tests pass
- [ ] LAPI reports version 1.7.5
- [ ] Start/Stop operations work correctly
- [ ] Hub preset operations complete successfully
- [ ] Console enrollment works (if applicable)
- [ ] No new errors in application logs
- [ ] Docker image builds successfully for amd64 and arm64
- [ ] Coverage report generated
- [ ] Coverage threshold ≥85% maintained
- [ ] Patch coverage 100% for Dockerfile modifications
- [ ] No new CodeQL alerts introduced
---
## 6. Dependencies & Prerequisites
### Dependencies
| Dependency | Status | Notes |
|------------|--------|-------|
| `auth.setup.ts` runs first | ✅ Configured | Via `dependencies: ['setup']` in playwright.config.js |
| `STORAGE_STATE` exported | ✅ Already exported | From auth.setup.ts |
| Storage state file created | ✅ Auto-created | By auth.setup.ts on first run |
### Prerequisites
1. **E2E environment running**: Docker containers must be up
2. **Auth setup successful**: `playwright/.auth/user.json` must exist and be valid
3. **Admin user exists**: The setup user must have admin role
---
## 7. Risks & Mitigations
## 10. Risk Assessment
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| Storage state file missing/stale | Low | Test failures | Defensive `existsSync()` check added; re-run setup if needed |
| Auth cookie expired mid-test | Low | API 401 errors | Tests are short; setup runs before each run |
| Circular dependency with auth fixtures | Low | Import errors | testData only imports STORAGE_STATE, not auth fixtures |
| Context disposal race condition | Low | Resource leak | Use try/finally pattern (already in proposal) |
| Parallel test isolation | Medium | Test pollution | All tests share admin session; document that `testData` is not parallelism-safe if multiple workers create conflicting resources |
| Build failure | Low | Medium | Fallback stage in Dockerfile |
| API incompatibility | Very Low | High | Comprehensive test coverage |
| Performance regression | Low | Medium | Monitor via observability |
| expr-lang patch conflict | Low | Low | Test without patch first |
| Skipped E2E tests miss regression | Medium | Medium | Integration tests cover LAPI; CI runs full suite |
### Fallback Plan
**Overall Risk Level**: **LOW**
If the storage state approach doesn't work, alternative options:
1. **API Token Approach**: Generate a long-lived API token during setup, pass to TestDataManager
2. **Direct Login in Fixture**: Have testData fixture call login API directly before each test
3. **Shared Admin Session**: Use a dedicated admin user just for TestDataManager operations
The 1.7.5 release is a maintenance update with no breaking changes. The comprehensive test coverage in Charon provides high confidence in upgrade success.
---
## 8. Implementation Checklist
## Appendix A: Quick Reference Commands
### Core Implementation
- [ ] Update `tests/fixtures/auth-fixtures.ts` with authenticated context
- [ ] Add `existsSync` defensive check for storage state file
- [ ] Import `playwrightRequest` from `@playwright/test` (not coverage wrapper)
- [ ] Verify `STORAGE_STATE` import works
### Verification (Supervisor Recommendations)
- [ ] Run single test to verify fix
- [ ] Verify `adminUser`/`regularUser`/`guestUser` dependent fixtures still work
- [ ] Confirm API requests include authentication cookies
### Test Re-enablement
- [ ] Remove `test.skip()` from 8 identified tests
- [ ] Update skip comments in tests that remain skipped (remove auth-related reasons)
### Regression & Documentation
- [ ] Run full user-management test suite
- [ ] Verify no regressions in other test files
- [ ] Update `docs/plans/skipped-tests-remediation.md` with Phase 2 completion status
- [ ] Document any remaining issues
---
## 9. Phase 2 Completion Status
### Implementation Completed ✅
| Item | Status | Notes |
|------|--------|-------|
| Update `auth-fixtures.ts` | ✅ Complete | Authenticated context implemented |
| Add `existsSync` check | ✅ Complete | Defensive file check added |
| Import verification | ✅ Complete | `playwrightRequest` from `@playwright/test` |
| Test re-enablement | 🔸 Partial | 2 tests re-enabled then re-skipped (see blocker) |
### Blocker Discovered: Cookie Domain Mismatch
**Root Cause**: Environment configuration inconsistency prevents authenticated context from working:
1. `playwright.config.js` defaults `baseURL` to `http://localhost:8080`
2. Auth setup creates session cookies for `localhost` domain
3. Tests run against Tailscale IP `http://100.98.12.109:8080`
4. **Cookies aren't sent cross-domain** → API calls remain unauthenticated
**Evidence**:
- Tests pass when run against `localhost:8080`
- Tests fail when run against Tailscale IP due to missing auth cookies
**Fix Required** (separate task):
```bash
# Option 1: Set environment variable consistently
export PLAYWRIGHT_BASE_URL="http://localhost:8080"
# Build and test
make docker-build
make test-backend
make test-crowdsec
# Option 2: Update global-setup.ts default to match playwright.config.js
# tests/global-setup.ts line 8:
-const baseUrl = process.env.PLAYWRIGHT_BASE_URL || 'http://100.98.12.109:8080';
+const baseUrl = process.env.PLAYWRIGHT_BASE_URL || 'http://localhost:8080';
# Run specific test files
cd backend && go test -v ./internal/crowdsec/... -run TestHub
cd backend && go test -v ./internal/crowdsec/... -run TestConsole
cd backend && go test -v ./internal/crowdsec/... -run TestRegistration
# Integration tests
.github/skills/scripts/skill-runner.sh integration-crowdsec
# E2E tests
npx playwright test --project=chromium
# Check CrowdSec version in container
docker exec charon cscli version
docker exec charon curl -s http://127.0.0.1:8085/health
# LAPI health check
curl http://localhost:8080/api/crowdsec/lapi/health
```
### Tests Re-Skipped with Updated Comments
The 2 tests were re-skipped with environment documentation:
- `tests/settings/user-management.spec.ts` - "should update permission mode"
- `tests/settings/user-management.spec.ts` - "should enable/disable user"
---
## 10. Future Improvements
## Appendix B: Related Documentation
After Phase 2 completion, consider:
1. **Environment configuration fix**: Align `global-setup.ts` and `playwright.config.js` default URLs to prevent cookie domain mismatch.
2. **Per-test authentication contexts**: Currently all tests share the same admin session. For true isolation, each test could create its own authenticated context.
3. **Role-based TestDataManager**: Allow TestDataManager to operate as different roles (admin, user, guest) to test permission boundaries.
4. **Parallel-safe user creation**: The current fix uses a single shared auth session. For highly parallel execution, consider per-worker authentication.
---
## Change Log
| Date | Author | Change |
|------|--------|--------|
| 2026-01-22 | Planning Agent | Initial Phase 2 implementation plan |
| 2026-01-22 | Supervisor Agent | Approved with recommendations: defensive checks, import verification, fixture testing |
| 2026-01-22 | Frontend_Dev | Implemented authenticated context in auth-fixtures.ts |
| 2026-01-22 | QA_Security | Discovered cookie domain mismatch blocker |
| 2026-01-22 | Management | Re-skipped tests, documented blocker for future resolution |
- [CrowdSec 1.7.5 Release Notes](https://github.com/crowdsecurity/crowdsec/releases/tag/v1.7.5)
- [CrowdSec Source Build Plan](crowdsec_source_build.md)
- [Supply Chain Remediation](../implementation/SUPPLY_CHAIN_REMEDIATION_PLAN.md)
- [Charon Security Documentation](../../SECURITY.md)