- Created a comprehensive runbook for emergency token rotation, detailing when to rotate, prerequisites, and step-by-step procedures.
- Included methods for generating secure tokens, updating configurations, and verifying new tokens.
- Added an automation script for token rotation to streamline the process.
- Implemented compliance checklist and troubleshooting sections for better guidance.

test: Implement E2E tests for emergency server and token functionality

- Added tests for the emergency server to ensure it operates independently of the main application.
- Verified that the emergency server can bypass security controls and reset security settings.
- Implemented tests for emergency token validation, rate limiting, and audit logging.
- Documented expected behaviors for emergency access and security enforcement.

refactor: Introduce security test fixtures for better test management

- Created a fixtures file to manage security-related test data and functions.
- Included helper functions for enabling/disabling security modules and testing emergency access.
- Improved test readability and maintainability by centralizing common logic.

test: Enhance emergency token tests for robustness and coverage

- Expanded tests to cover various scenarios including token validation, rate limiting, and idempotency.
- Ensured that emergency token functionality adheres to security best practices.
- Documented expected behaviors and outcomes for clarity in test results.
53 lines
2.3 KiB
YAML
```yaml
# Docker Compose for E2E Testing
#
# This configuration runs Charon with a fresh, isolated database specifically for
# Playwright E2E tests. Use this to ensure tests start with a clean state.
#
# Usage:
#   docker compose -f .docker/compose/docker-compose.e2e.yml up -d
#
# The setup API will be available since no users exist in the fresh database.
# The auth.setup.ts fixture will create a test admin user automatically.

services:
  charon-e2e:
    image: charon:local
    container_name: charon-e2e
    restart: "no"
    ports:
      - "8080:8080" # Management UI (Charon)
      - "2020:2020" # Emergency server (DO NOT expose publicly in production!)
    environment:
      - CHARON_ENV=e2e # Enable lenient rate limiting (50 attempts/min) for E2E tests
      - CHARON_DEBUG=0
      - TZ=UTC
      # Encryption key - MUST be provided via environment variable
      # Generate with: export CHARON_ENCRYPTION_KEY=$(openssl rand -base64 32)
      - CHARON_ENCRYPTION_KEY=${CHARON_ENCRYPTION_KEY:?CHARON_ENCRYPTION_KEY is required}
      # Emergency reset token - for break-glass recovery when locked out by ACL
      # Generate with: openssl rand -hex 32
      - CHARON_EMERGENCY_TOKEN=${CHARON_EMERGENCY_TOKEN:-test-emergency-token-for-e2e-32chars}
      # Emergency server (Tier 2 break glass) - separate port bypassing all security
      - CHARON_EMERGENCY_SERVER_ENABLED=true
      - CHARON_EMERGENCY_BIND=0.0.0.0:2020 # Bind to all interfaces in container (avoid Caddy's 2019)
      - CHARON_EMERGENCY_USERNAME=admin
      - CHARON_EMERGENCY_PASSWORD=${CHARON_EMERGENCY_PASSWORD:-changeme}
      - CHARON_HTTP_PORT=8080
      - CHARON_DB_PATH=/app/data/charon.db
      - CHARON_FRONTEND_DIR=/app/frontend/dist
      - CHARON_CADDY_ADMIN_API=http://localhost:2019
      - CHARON_CADDY_CONFIG_DIR=/app/data/caddy
      - CHARON_CADDY_BINARY=caddy
      - CHARON_ACME_STAGING=true
      # FEATURE_CERBERUS_ENABLED deprecated - Cerberus enabled by default
    tmpfs:
      # True tmpfs for E2E test data - fresh on every run, in-memory only
      # mode=1777 allows any user to write (container runs as non-root)
      - /app/data:size=100M,mode=1777
    healthcheck:
      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
      interval: 5s
      timeout: 5s
      retries: 10
      start_period: 10s
```
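The compose header tells the operator to generate the two secrets with `openssl rand` and then bring the stack up; the wrapper below turns that into a checked procedure, verifying that the encryption key decodes to 32 bytes, that the emergency token is 64 hex characters (the placeholder default is accepted only while `CHARON_ENV=e2e`), and then polling the same health endpoint the healthcheck uses. This is an added example, not part of the Charon project; the function names, the script name `preflight.sh` and the strictness rule for the token are assumptions, while the variable names and generation commands are taken from the compose comments.

```shell
#!/usr/bin/env sh
# Pre-flight wrapper for docker-compose.e2e.yml (added example, not project code).
# Assumed: function names and the "64 hex chars unless CHARON_ENV=e2e" rule.
COMPOSE_FILE=".docker/compose/docker-compose.e2e.yml"
E2E_DEFAULT_TOKEN="test-emergency-token-for-e2e-32chars"

# The key is documented as `openssl rand -base64 32`, so a valid value must
# decode to exactly 32 bytes. Returns 0 when valid, 1 otherwise.
check_encryption_key() {
  key="$1"
  [ -n "$key" ] || return 1
  n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" = "32" ]
}

# The token is documented as `openssl rand -hex 32`, i.e. 64 hex chars. The
# compose default placeholder is only accepted while CHARON_ENV=e2e.
check_emergency_token() {
  token="$1"; env="$2"
  if [ "$token" = "$E2E_DEFAULT_TOKEN" ]; then
    [ "$env" = "e2e" ] && return 0
    return 1
  fi
  printf '%s' "$token" | grep -Eq '^[0-9a-fA-F]{64}$'
}

# Poll the endpoint the compose healthcheck uses, with the same 10 x 5s budget.
wait_for_health() {
  url="${1:-http://localhost:8080/api/v1/health}"; tries="${2:-10}"
  while [ "$tries" -gt 0 ]; do
    curl -fsS "$url" >/dev/null 2>&1 && return 0
    tries=$((tries - 1)); sleep 5
  done
  return 1
}

main() {
  # Generate secrets only when the caller did not supply them.
  : "${CHARON_ENCRYPTION_KEY:=$(openssl rand -base64 32)}"
  : "${CHARON_EMERGENCY_TOKEN:=$(openssl rand -hex 32)}"
  export CHARON_ENCRYPTION_KEY CHARON_EMERGENCY_TOKEN
  check_encryption_key "$CHARON_ENCRYPTION_KEY" || { echo "invalid CHARON_ENCRYPTION_KEY" >&2; return 1; }
  check_emergency_token "$CHARON_EMERGENCY_TOKEN" "${CHARON_ENV:-e2e}" || { echo "invalid CHARON_EMERGENCY_TOKEN" >&2; return 1; }
  docker compose -f "$COMPOSE_FILE" up -d && wait_for_health
}

# Only run when executed as `sh preflight.sh`, not when sourced by a test.
case "${0##*/}" in preflight.sh) main "$@" ;; esac
```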