akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity
Files
e8ca351a626e4b2f3ccdb7537962ba7bf08a1126
Charon/docs/reports/qa_crowdsec_startup_test_failure.md
GitHub Actions f936c93896 fix: add missing field handlers in proxy host Update endpoint 
Add handlers for enable_standard_headers, forward_auth_enabled, and waf_disabled fields
in the proxy host Update function. These fields were defined in the model but were not
being processed during updates, causing:

- 500 errors when saving proxy host configurations
- Auth pass-through failures for apps like Seerr/Overseerr due to missing X-Forwarded-* headers

Changes:
- backend: Add field handlers for 3 missing fields in proxy_host_handler.go
- backend: Add 5 comprehensive unit tests for field handling
- frontend: Update TypeScript ProxyHost interface with missing fields
- docs: Document fixes in CHANGELOG.md

Tests: All 1147 tests pass (backend 85.6%, frontend 87.7% coverage)
Security: No vulnerabilities (Trivy + govulncheck clean)

Fixes #16 (auth pass-through)
Fixes #17 (500 error on save)
2025-12-20 01:55:52 +00:00

3.1 KiB
Raw Blame History

QA Report: CrowdSec Startup Integration Test Failure

Date: December 15, 2025 Agent: QA_Security Status: TEST FAILURE - ROOT CAUSE IDENTIFIED Severity: Medium (Test configuration issue, not a product defect)

Executive Summary

The CrowdSec startup integration test (scripts/crowdsec_startup_test.sh) is failing by design, not due to a bug. The test expects CrowdSec LAPI to be available on port 8085, but CrowdSec is intentionally not auto-started in the current architecture. The system uses GUI-controlled lifecycle management instead of environment variable-based auto-start.

Test Failure:

✗ FAIL: LAPI health check failed (port 8085 not responding)

Root Cause: The test script sets CERBERUS_SECURITY_CROWDSEC_MODE=local, expecting CrowdSec to auto-start during container initialization. However, this behavior was intentionally removed in favor of GUI toggle control.

Root Cause Analysis

1. Architecture Change: Environment Variables → GUI Control

File: docker-entrypoint.sh

# CrowdSec Lifecycle Management:
# CrowdSec configuration is initialized above (symlinks, directories, hub updates)
# However, the CrowdSec agent is NOT auto-started in the entrypoint.
# Instead, CrowdSec lifecycle is managed by the backend handlers via GUI controls.

Design Decision:

  • Configuration is initialized during startup
  • Process is NOT started until GUI toggle is used
  • 🎯 Rationale: Consistent UX with other security features

2. Environment Variable Mismatch

Test uses: CERBERUS_SECURITY_CROWDSEC_MODE Entrypoint checks: SECURITY_CROWDSEC_MODE

Impact: Hub items not installed during test initialization.

3. Reconciliation Function Does Not Auto-Start for Fresh Containers

For a fresh container (empty database):

  • No SecurityConfig record exists
  • No Settings record exists
  • 🎯 Result: Reconciliation creates default config with CrowdSecMode = "disabled"

Summary of Actionable Remediation Steps

Immediate (Fix Test Failure)

Priority: P0 (Blocks CI/CD)

  1. Update Test Environment Variable (scripts/crowdsec_startup_test.sh:124)

    # Change from:
-e CERBERUS_SECURITY_CROWDSEC_MODE=local \
# To:
-e SECURITY_CROWDSEC_MODE=local \

  2. Add Database Seeding to Test (after container start, before checks)

    # Pre-seed database to trigger reconciliation
docker exec ${CONTAINER_NAME} sqlite3 /app/data/charon.db \
    "INSERT INTO settings (key, value, category, type) VALUES ('security.crowdsec.enabled', 'true', 'security', 'bool');"

# Restart container to trigger reconciliation
docker restart ${CONTAINER_NAME}
sleep 30  # Wait for CrowdSec to start via reconciliation

  3. Fix Bash Integer Comparisons (lines 152, 221, 247)

    FATAL_ERROR_COUNT=${FATAL_ERROR_COUNT:-0}
if [ "$FATAL_ERROR_COUNT" -ge 1 ] 2>/dev/null; then

Report Prepared By: QA_Security Agent Date: December 15, 2025

Reference in New Issue View Git Blame Copy Permalink