akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
1b1b3a70b103e8fdf06b2b06cf66f0427abd0d6a
Charon/.docker/compose/docker-compose.playwright.yml
GitHub Actions 892b89fc9d feat: break-glass security reset 
Implement dual-registry container publishing to both GHCR and Docker Hub
for maximum distribution reach. Add emergency security reset endpoint
("break-glass" mechanism) to recover from ACL lockout situations.

Key changes:

Docker Hub + GHCR dual publishing with Cosign signing and SBOM
Emergency reset endpoint POST /api/v1/emergency/security-reset
Token-based authentication bypasses Cerberus middleware
Rate limited (5/hour) with audit logging
30 new security enforcement E2E tests covering ACL, WAF, CrowdSec,
Rate Limiting, Security Headers, and Combined scenarios
Fixed container startup permission issue (tmpfs directory ownership)
Playwright config updated with testIgnore for browser projects
Security: Token via CHARON_EMERGENCY_TOKEN env var (32+ chars recommended)
Tests: 689 passed, 86% backend coverage, 85% frontend coverage
2026-01-25 20:14:06 +00:00

140 lines
5.1 KiB
YAML
Raw Blame History

# Playwright E2E Test Environment
# ================================
# This configuration is specifically designed for Playwright E2E testing,
# both for local development and CI/CD pipelines.
#
# Usage:
# # Start basic E2E environment
# docker compose -f .docker/compose/docker-compose.playwright.yml up -d
#
# # Start with security testing services (CrowdSec)
# docker compose -f .docker/compose/docker-compose.playwright.yml --profile security-tests up -d
#
# # Start with notification testing services (MailHog)
# docker compose -f .docker/compose/docker-compose.playwright.yml --profile notification-tests up -d
#
# # Start with all optional services
# docker compose -f .docker/compose/docker-compose.playwright.yml --profile security-tests --profile notification-tests up -d
#
# The setup API will be available since no users exist in the fresh database.
# The auth.setup.ts fixture will create a test admin user automatically.
services:
# =============================================================================
# Charon Application - Core E2E Testing Service
# =============================================================================
charon-app:
build:
context: ../..
dockerfile: Dockerfile
container_name: charon-playwright
restart: "no"
ports:
- "8080:8080" # Management UI (Charon)
environment:
# Core configuration
- CHARON_ENV=test
- CHARON_DEBUG=0
- TZ=UTC
# E2E testing encryption key - 32 bytes base64 encoded (not for production!)
# Encryption key - MUST be provided via environment variable
# Generate with: export CHARON_ENCRYPTION_KEY=$(openssl rand -base64 32)
- CHARON_ENCRYPTION_KEY=${CHARON_ENCRYPTION_KEY:?CHARON_ENCRYPTION_KEY is required}
# Emergency reset token - for break-glass recovery when locked out by ACL
# Generate with: openssl rand -hex 32
- CHARON_EMERGENCY_TOKEN=${CHARON_EMERGENCY_TOKEN:-test-emergency-token-for-e2e-32chars}
# Server settings
- CHARON_HTTP_PORT=8080
- CHARON_DB_PATH=/app/data/charon.db
- CHARON_FRONTEND_DIR=/app/frontend/dist
# Caddy settings
- CHARON_CADDY_ADMIN_API=http://localhost:2019
- CHARON_CADDY_CONFIG_DIR=/app/data/caddy
- CHARON_CADDY_BINARY=caddy
# ACME settings (staging for E2E tests)
- CHARON_ACME_STAGING=true
# Security features - disabled by default for faster tests
# Enable via profile: --profile security-tests
# FEATURE_CERBERUS_ENABLED deprecated - Cerberus enabled by default
- CHARON_SECURITY_CROWDSEC_MODE=disabled
# SMTP for notification tests (connects to MailHog when profile enabled)
- CHARON_SMTP_HOST=mailhog
- CHARON_SMTP_PORT=1025
- CHARON_SMTP_AUTH=false
volumes:
# Named volume for test data persistence during test runs
- playwright_data:/app/data
- playwright_caddy_data:/data
- playwright_caddy_config:/config
healthcheck:
test: ["CMD", "curl", "-sf", "http://localhost:8080/api/v1/health"]
interval: 5s
timeout: 3s
retries: 12
start_period: 10s
networks:
- playwright-network
# =============================================================================
# CrowdSec - Security Testing Service (Optional Profile)
# =============================================================================
crowdsec:
image: crowdsecurity/crowdsec:latest
container_name: charon-playwright-crowdsec
profiles:
- security-tests
restart: "no"
environment:
- COLLECTIONS=crowdsecurity/nginx crowdsecurity/http-cve
- BOUNCER_KEY_charon=test-bouncer-key-for-e2e
# Disable online features for isolated testing
- DISABLE_ONLINE_API=true
volumes:
- playwright_crowdsec_data:/var/lib/crowdsec/data
- playwright_crowdsec_config:/etc/crowdsec
healthcheck:
test: ["CMD", "cscli", "version"]
interval: 10s
timeout: 5s
retries: 5
start_period: 30s
networks:
- playwright-network
# =============================================================================
# MailHog - Email Testing Service (Optional Profile)
# =============================================================================
mailhog:
image: mailhog/mailhog:latest
container_name: charon-playwright-mailhog
profiles:
- notification-tests
restart: "no"
ports:
- "1025:1025" # SMTP server
- "8025:8025" # Web UI for viewing emails
networks:
- playwright-network
# =============================================================================
# Named Volumes
# =============================================================================
volumes:
playwright_data:
driver: local
playwright_caddy_data:
driver: local
playwright_caddy_config:
driver: local
playwright_crowdsec_data:
driver: local
playwright_crowdsec_config:
driver: local
# =============================================================================
# Networks
# =============================================================================
networks:
playwright-network:
driver: bridge
Reference in New Issue View Git Blame Copy Permalink