akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
87590ac4e89498a2d9f1b848f1e2d4004b609042
Charon/docs/plans/archive/e2e-test-triage-quick-start.md
GitHub Actions 27c252600a chore: git cache cleanup
2026-03-04 18:34:49 +00:00

8.2 KiB
Raw Blame History

E2E Test Triage - Quick Start Guide

Status: ROOT CAUSE IDENTIFIED

Date: February 3, 2026 Test Suite: Cross-browser Playwright (Chromium, Firefox, WebKit) Total Tests: 2,737

Critical Finding

Design Intent (CONFIRMED)

Cerberus should be ENABLED during E2E tests to test the break glass feature:

  • Cerberus framework stays ON throughout test suite
  • All Cerberus tests run first (toggles, navigation, etc.)
  • Break glass test runs LAST to validate emergency override

Problem

13 E2E tests are conditionally skipping at runtime because:

  • Toggle buttons are disabled when Cerberus framework is off
  • Emergency security reset is disabling Cerberus itself (bug)
  • Tests check toggle.isDisabled() and skip when true

Root Cause

The /emergency/security-reset endpoint (used in tests/global-setup.ts) is incorrectly disabling:

  • security.acl.enabled = false ← CORRECT (module disabled)
  • security.waf.enabled = false ← CORRECT (module disabled)
  • security.rate_limit.enabled = false ← CORRECT (module disabled)
  • security.crowdsec.enabled = false ← CORRECT (module disabled)
  • feature.cerberus.enabled = false ← BUG (framework should stay enabled)

Expected Behavior (CONFIRMED)

For E2E tests, Cerberus should be:

  • Framework Enabled: feature.cerberus.enabled = true (allows testing)
  • Modules Disabled: Individual security modules off for clean state
  • Test Order: All Cerberus tests → Break glass test (LAST)

Affected Tests (13 Total)

Category 1: Security Dashboard - Toggle Actions (5 tests)

  • Test 77: Toggle ACL enabled/disabled
  • Test 78: Toggle WAF enabled/disabled
  • Test 79: Toggle Rate Limiting enabled/disabled
  • Test 80/214: Persist toggle state after page reload

Category 2: Security Dashboard - Navigation (4 tests)

  • Test 81/250: Navigate to CrowdSec config
  • Test 83/309: Navigate to WAF config
  • Test 84/335: Navigate to Rate Limiting config

Category 3: Rate Limiting Config (1 test)

  • Test 57/70: Toggle rate limiting on/off

Category 4: CrowdSec Decisions (13 tests - SKIP OK)

  • Tests 42-53: Explicitly skipped with test.describe.skip()
  • No action needed - these require CrowdSec running (integration tests)

Immediate Action Plan

Step 1: Verify Current State CONFIRMED

Design Intent: Cerberus should be enabled for break glass testing Test Flow: Global setup → All Cerberus tests → Break glass test (LAST) Problem: Emergency reset incorrectly disables Cerberus framework

Run diagnostic script:

./scripts/diagnose-test-env.sh

Expected output shows:

  • ✓ Container running
  • ✗ Cerberus state unknown (no settings endpoint on emergency server)

Step 2: Check Cerberus State via Main API

# Requires authentication - use your test user credentials
curl -H "Authorization: Bearer <token>" http://localhost:8080/api/v1/security/config | jq '.cerberus // .feature.cerberus'

Step 3: Review Emergency Handler Code (INVESTIGATE)

File: backend/internal/api/handlers/emergency_handler.go

Find the SecurityReset function and check what it's disabling:

grep -A 20 "func.*SecurityReset" backend/internal/api/handlers/emergency_handler.go

Step 4: Fix Emergency Reset Bug

Goal: Keep Cerberus enabled while disabling security modules

Option A: Backend Fix (Recommended) Modify emergency_handler.go SecurityReset to:

  • REMOVE: feature.cerberus.enabled = false (this is the bug)
  • KEEP: Disable individual security modules
  • KEEP: security.{acl,waf,rate_limit,crowdsec}.enabled = false

Expected behavior:

  • Framework stays enabled for testing
  • Modules disabled for clean slate
  • Break glass test can run last to validate emergency override

Option B: Frontend State Reset (Workaround) Add post-reset call in tests/global-setup.ts:

// After emergency reset, re-enable Cerberus framework
// (Workaround for backend bug where reset disables Cerberus)
const enableResponse = await requestContext.patch('/api/v1/settings', {
  data: { 'feature.cerberus.enabled': true }
});

Step 5: Validate Fix

# Rebuild E2E environment
.github/skills/scripts/skill-runner.sh docker-rebuild-e2e

# Run affected tests
npm run test:e2e -- tests/security/security-dashboard.spec.ts --project=chromium

# Verify toggles are enabled (not disabled)
# Tests should now executed, not skip

Files to Review/Modify

Backend

  • backend/internal/api/handlers/emergency_handler.go - SecurityReset function
  • backend/internal/services/settings_service.go - Settings update logic

Tests

  • tests/global-setup.ts - Emergency reset call
  • tests/security/security-dashboard.spec.ts - Toggle tests
  • tests/security/rate-limiting.spec.ts - Toggle test

Documentation

  • docs/plans/e2e-test-triage-plan.md - Full triage plan (COMPLETE)
  • scripts/diagnose-test-env.sh - Diagnostic script (CREATED)
  • Update after fix is implemented

Success Criteria

Before Fix

Running 2737 tests using 2 workers
  ✓  pass  - Tests that run successfully
  -  skip  - Tests that conditionally skip (13 affected)

After Fix

Running 2737 tests using 2 workers
  ✓  pass  - All 13 previously-skipped tests now execute
  -  skip  - Only explicitly skipped tests (test.describe.skip)

Validation Checklist

  • Emergency reset keeps Cerberus enabled
  • Emergency reset disables all security modules
  • Toggle buttons are enabled (not disabled)
  • Configure buttons are enabled (not disabled)
  • Tests execute instead of skip
  • Tests pass (or have actionable failures)
  • CI/CD pipeline updated if needed

Next Steps

  1. Investigate Backend (30 min)

    • Read emergency_handler.go SecurityReset implementation
    • Determine what settings are being modified
    • Document current behavior

  2. Design Fix (30 min)

    • Choose Option A (backend) or Option B (frontend)
    • Create implementation plan
    • Review with team if needed

  3. Implement Fix (1-2 hours)

    • Make code changes
    • Add comments explaining the behavior
    • Test locally

  4. Validate (30 min)

    • Run full E2E test suite
    • Check that skip count decreases
    • Verify tests pass

  5. Document (15 min)

    • Update triage plan with resolution
    • Add decision record
    • Update any affected documentation

Risk Assessment

Low Risk Fix (Recommended)

  • Modify emergency reset to keep Cerberus enabled
  • Only affects test environment behavior
  • No production impact
  • Easy to rollback

Rollback Plan

git checkout HEAD^ -- backend/internal/api/handlers/emergency_handler.go
git checkout HEAD^ -- tests/global-setup.ts
.github/skills/scripts/skill-runner.sh docker-rebuild-e2e

Questions for Investigation

  1. Why does emergency reset disable Cerberus? ANSWERED

    • CONFIRMED BUG: This is incorrect behavior
    • Design Intent: Cerberus should stay enabled for break glass testing
    • Fix Required: Remove line that disables feature.cerberus.enabled

  2. What should the test environment look like? ANSWERED

    • Cerberus Framework: ENABLED (feature.cerberus.enabled = true)
    • Security Modules: DISABLED (clean slate for testing)
    • Test Order: All Cerberus tests → Break glass test (LAST)

  3. Are there other tests affected?

    • Run full suite after fix
    • Check for cascading test failures
    • Validate assumptions

Resources

Contact

For questions or clarification, see:

  • Triage Plan: Full analysis and categorization
  • Testing protocols: E2E test execution guidelines
  • Architecture docs: Cerberus security framework

Status: Ready for implementation - Root cause identified

Reference in New Issue View Git Blame Copy Permalink