akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
f2afe73a4636ea35d0004e920600d77137e00f12
Charon/docs/reports/e2e_triage_report.md
GitHub Actions 0da6f7620c fix: restore PATCH endpoints used by E2E + emergency-token fallback 
register PATCH /api/v1/settings and PATCH /api/v1/security/acl (E2E expectations)
add emergency-token-aware shortcut handlers (validate X-Emergency-Token → set admin context → invoke handler)
preserve existing POST handlers and backward compatibility
rebuild & redeploy E2E image, verified backend build success
Why: unblocked failing Playwright E2E tests that returned 404s and were blocking the hotfix release
2026-01-27 22:43:33 +00:00

448 lines
18 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# E2E Test Triage Report
**Generated:** 2026-01-27
**Test Suite:** Playwright E2E (Chromium)
**Command:** `npx playwright test --project=chromium`
---
## Executive Summary
### Test Results Overview
| Metric | Count | Percentage |
|--------|-------|------------|
| **Total Tests** | 159 | 100% |
| **Passed** | 116 | 73% |
| **Failed** | 21 | 13% |
| **Skipped** | 22 | 14% |
### Critical Findings
🔴 **BLOCKING ISSUE IDENTIFIED**: Security teardown failure causing cascading test failures due to missing or invalid `CHARON_EMERGENCY_TOKEN` in `.env` file.
**Impact Severity:** HIGH - Blocks 20 out of 21 test failures
**Environment:** All security enforcement tests
**Root Cause:** Configuration issue - emergency token not properly set
---
## Failure Categories
### 🔴 Category 1: Test Infrastructure - Security Teardown (CRITICAL)
**Impact:** PRIMARY ROOT CAUSE - Cascades to all other failures
**Severity:** BLOCKING
**Affected Tests:** 1 core + 20 cascading failures
#### Primary Failure
**Test:** `[security-teardown] tests/security-teardown.setup.ts:20:1 disable-all-security-modules`
**File:** [tests/security-teardown.setup.ts](../tests/security-teardown.setup.ts#L20)
**Duration:** 1.1s
**Error Message:**
```
TypeError: Cannot read properties of undefined (reading 'join')
at file:///projects/Charon/tests/security-teardown.setup.ts:85:60
```
**Root Cause Analysis:**
- The security teardown script attempts to disable all security modules before tests begin
- When API calls fail with 403 (ACL blocking), it tries to use the emergency reset endpoint
- The emergency reset fails because `CHARON_EMERGENCY_TOKEN` is not properly configured in `.env`
- This leaves ACL and other security modules enabled, blocking all subsequent API calls
**Impact:**
- All security enforcement tests receive 403 "Blocked by access control list" errors
- Tests cannot enable/disable security modules for testing
- Tests cannot retrieve security status
- Entire security test suite becomes non-functional
**Immediate Observations:**
- Console output shows: `Fix: ensure CHARON_EMERGENCY_TOKEN is set in .env file`
- The teardown script has error handling but fails on the emergency reset fallback
- Line 85 in security-teardown.setup.ts attempts to join an undefined errors array
**Fix Required:**
1. ✅ Ensure `CHARON_EMERGENCY_TOKEN` is set in `.env` file with valid 64-character token
2. ✅ Fix error handling in security-teardown.setup.ts line 85 to handle undefined errors array
3. ✅ Add validation to ensure emergency token is loaded before tests begin
---
### 🟡 Category 2: Backend Issues - ACL Blocking (CASCADING)
**Impact:** SECONDARY - Caused by Category 1 failure
**Severity:** HIGH (but not root cause)
**Affected Tests:** 20 tests across multiple suites
#### Failed Tests List
All failures follow the same pattern: API calls blocked by ACL that should have been disabled in teardown.
##### ACL Enforcement Tests (5 failures)
1. **should verify ACL is enabled**
File: [tests/security-enforcement/acl-enforcement.spec.ts](../tests/security-enforcement/acl-enforcement.spec.ts#L81)
Error: `Failed to get security status: 403 {"error":"Blocked by access control list"}`
2. **should return security status with ACL mode**
File: [tests/security-enforcement/acl-enforcement.spec.ts](../tests/security-enforcement/acl-enforcement.spec.ts#L87)
Error: `expect(response.ok()).toBe(true)` - Received: false (403 response)
3. **should list access lists when ACL enabled**
File: [tests/security-enforcement/acl-enforcement.spec.ts](../tests/security-enforcement/acl-enforcement.spec.ts#L97)
Error: `expect(response.ok()).toBe(true)` - Received: false (403 response)
4. **should test IP against access list**
File: [tests/security-enforcement/acl-enforcement.spec.ts](../tests/security-enforcement/acl-enforcement.spec.ts#L105)
Error: `expect(listResponse.ok()).toBe(true)` - Received: false (403 response)
##### Combined Enforcement Tests (5 failures)
5. **should enable all security modules simultaneously**
File: [tests/security-enforcement/combined-enforcement.spec.ts](../tests/security-enforcement/combined-enforcement.spec.ts#L66)
Error: `Failed to set cerberus to true: 403 {"error":"Blocked by access control list"}`
6. **should log security events to audit log**
File: [tests/security-enforcement/combined-enforcement.spec.ts](../tests/security-enforcement/combined-enforcement.spec.ts#L121)
Error: `Failed to set cerberus to true: 403 {"error":"Blocked by access control list"}`
7. **should handle rapid module toggle without race conditions**
File: [tests/security-enforcement/combined-enforcement.spec.ts](../tests/security-enforcement/combined-enforcement.spec.ts#L144)
Error: `Failed to set cerberus to true: 403 {"error":"Blocked by access control list"}`
8. **should persist settings across API calls**
File: [tests/security-enforcement/combined-enforcement.spec.ts](../tests/security-enforcement/combined-enforcement.spec.ts#L172)
Error: `Failed to set cerberus to true: 403 {"error":"Blocked by access control list"}`
9. **should enforce correct priority when multiple modules enabled**
File: [tests/security-enforcement/combined-enforcement.spec.ts](../tests/security-enforcement/combined-enforcement.spec.ts#L197)
Error: `Failed to set cerberus to true: 403 {"error":"Blocked by access control list"}`
##### CrowdSec Enforcement Tests (3 failures)
10. **should verify CrowdSec is enabled**
File: [tests/security-enforcement/crowdsec-enforcement.spec.ts](../tests/security-enforcement/crowdsec-enforcement.spec.ts#L77)
Error: `Failed to get security status: 403 {"error":"Blocked by access control list"}`
11. **should list CrowdSec decisions**
File: [tests/security-enforcement/crowdsec-enforcement.spec.ts](../tests/security-enforcement/crowdsec-enforcement.spec.ts#L83)
Error: `expect([500, 502, 503]).toContain(response.status())` - Received: 403 (expected 500/502/503)
Note: Different error pattern - test expects CrowdSec LAPI unavailable, gets ACL block instead
12. **should return CrowdSec status with mode and API URL**
File: [tests/security-enforcement/crowdsec-enforcement.spec.ts](../tests/security-enforcement/crowdsec-enforcement.spec.ts#L102)
Error: `expect(response.ok()).toBe(true)` - Received: false (403 response)
##### Rate Limit Enforcement Tests (3 failures)
13. **should verify rate limiting is enabled**
File: [tests/security-enforcement/rate-limit-enforcement.spec.ts](../tests/security-enforcement/rate-limit-enforcement.spec.ts#L80)
Error: `Failed to get security status: 403 {"error":"Blocked by access control list"}`
14. **should return rate limit presets**
File: [tests/security-enforcement/rate-limit-enforcement.spec.ts](../tests/security-enforcement/rate-limit-enforcement.spec.ts#L86)
Error: `expect(response.ok()).toBe(true)` - Received: false (403 response)
15. **should document threshold behavior when rate exceeded**
File: [tests/security-enforcement/rate-limit-enforcement.spec.ts](../tests/security-enforcement/rate-limit-enforcement.spec.ts#L103)
Error: `Failed to get security status: 403 {"error":"Blocked by access control list"}`
##### WAF Enforcement Tests (4 failures)
16. **should verify WAF is enabled**
File: [tests/security-enforcement/waf-enforcement.spec.ts](../tests/security-enforcement/waf-enforcement.spec.ts#L81)
Error: `Failed to get security status: 403 {"error":"Blocked by access control list"}`
17. **should return WAF configuration from security status**
File: [tests/security-enforcement/waf-enforcement.spec.ts](../tests/security-enforcement/waf-enforcement.spec.ts#L87)
Error: `expect(response.ok()).toBe(true)` - Received: false (403 response)
18. **should detect SQL injection patterns in request validation**
File: [tests/security-enforcement/waf-enforcement.spec.ts](../tests/security-enforcement/waf-enforcement.spec.ts#L97)
Error: `Failed to get security status: 403 {"error":"Blocked by access control list"}`
19. **should document XSS blocking behavior**
File: [tests/security-enforcement/waf-enforcement.spec.ts](../tests/security-enforcement/waf-enforcement.spec.ts#L119)
Error: `Failed to get security status: 403 {"error":"Blocked by access control list"}`
#### Common Error Pattern
**Location:** [tests/utils/security-helpers.ts](../tests/utils/security-helpers.ts#L97)
```typescript
// Function: getSecurityStatus()
if (!response.ok()) {
throw new Error(
`Failed to get security status: ${response.status()} ${await response.text()}`
);
}
```
All 20 cascading failures originate from ACL blocking legitimate test API calls because security teardown failed to disable ACL.
---
### 🟡 Category 3: Test Implementation Issue (STANDALONE)
**Impact:** Single test failure - not related to teardown
**Severity:** MEDIUM
**Affected Tests:** 1
#### Test Details
**Test:** `Emergency Token Break Glass Protocol Test 1: Emergency token bypasses ACL`
**File:** [tests/security-enforcement/emergency-token.spec.ts](../tests/security-enforcement/emergency-token.spec.ts#L16)
**Duration:** 55ms
**Error Message:**
```
Failed to create access list: {"error":"Blocked by access control list"}
```
**Location:** [tests/utils/TestDataManager.ts](../tests/utils/TestDataManager.ts#L267)
**Root Cause:**
- Test attempts to create an access list to set up test data
- ACL is blocking the setup call (this is actually the expected security behavior)
- Test design issue: attempts to use regular API to set up ACL test conditions while ACL is enabled
**Fix Required:**
- Test should use emergency token endpoint for setup when testing emergency bypass functionality
- Alternative: Test should run in environment where ACL is initially disabled
- This is a test design issue, not an application bug
**Severity Justification:**
- This is the ONLY test that fails due to its own logic issue
- All other emergency token tests (Tests 2-8) pass successfully
- Tests 2-8 properly validate emergency token behavior without creating new test data
---
## Passing Tests Analysis
### ✅ Successful Test Categories
**Emergency Security Features:** 7/8 tests passed (87.5%)
- Emergency security reset protocol working correctly
- Emergency token validation working correctly
- Audit logging for emergency events working correctly
- IP restrictions documented and testable
- Token length validation documented
- Token stripping for security working correctly
- Idempotency of reset operations verified
**Security Headers:** 4/4 tests passed (100%)
- X-Content-Type-Options header enforcement working
- X-Frame-Options header enforcement working
- HSTS behavior properly documented
- CSP configuration properly documented
**Other Test Suites:** 105 additional tests passed in other areas
---
## Investigation Priority
### 🔴 HIGH Priority (Must Fix Immediately)
1. **Security Teardown Configuration**
- **Action:** Add/verify `CHARON_EMERGENCY_TOKEN` in `.env` file
- **Validation:** Token must be 64 characters minimum
- **Test:** Run `npx playwright test tests/security-teardown.setup.ts` to verify
- **Blocking:** Prevents all security enforcement tests from running
2. **Security Teardown Error Handling**
- **Action:** Fix error array handling at line 85 in security-teardown.setup.ts
- **Issue:** `TypeError: Cannot read properties of undefined (reading 'join')`
- **Fix:** Initialize errors array or add null check before join operation
- **Test:** Intentionally trigger teardown failure to verify error message displays correctly
### 🟡 MEDIUM Priority (Fix Soon)
3. **Emergency Token Test Design**
- **Action:** Refactor Test 1 in emergency-token.spec.ts to use emergency endpoint for setup
- **Issue:** Test tries to create test data while ACL is blocking (chicken-and-egg problem)
- **Fix:** Use emergency token to bypass ACL for test setup, or disable ACL in beforeAll
- **Validation:** Test should pass after security teardown is fixed AND test is refactored
4. **CrowdSec Test Error Expectation**
- **Action:** Update crowdsec-enforcement.spec.ts line 98 to handle 403 as valid response
- **Issue:** Test expects [500, 502, 503] but can receive 403 if ACL is still enabled
- **Fix:** Add 403 to acceptable error codes or ensure ACL is disabled before test runs
- **Note:** This may be a secondary symptom of teardown failure
### 🟢 LOW Priority (Nice to Have)
5. **Test Execution Time Optimization**
- Total execution time: 3.9 minutes
- Consider parallelization or selective test execution strategies
6. **Console Warning/Error Cleanup**
- Multiple "Failed to capture original security state" warnings during test setup
- These are expected during teardown but could be suppressed for cleaner output
---
## Security & Data Integrity Concerns
### 🔒 Security Observations
**POSITIVE FINDINGS:**
1. **ACL Protection Working as Designed**
- All 20 cascading failures are due to ACL correctly blocking API calls
- This proves the security mechanism is functioning properly in production mode
- Tests fail because they can't disable security, not because security is broken
2. **Emergency Token Protocol Validated**
- 7 out of 8 emergency token tests pass
- Emergency reset functionality works correctly
- Audit logging captures emergency events
- Token validation and minimum length enforcement working
3. **Security Headers Properly Enforced**
- All 4 security header tests pass
- X-Content-Type-Options, X-Frame-Options working
- HSTS and CSP behavior properly implemented
**CONCERNS:**
1. **Emergency Token Configuration**
- 🔴 **CRITICAL**: Emergency token not configured in test environment
- This prevents "break-glass" emergency access when needed
- Must be addressed before production deployment
- Recommendation: Add CI/CD check to verify emergency token is set
2. **Error Message Exposure**
- Error responses include `{"error":"Blocked by access control list"}`
- This is acceptable for authenticated admin API
- Verify this error message is not exposed to unauthenticated users
3. **Test Environment Security**
- Security modules should be disabled in test environment by default
- Current setup has ACL enabled from start, requiring emergency override
- Recommendation: Add test-specific environment configuration
**NO DATA INTEGRITY CONCERNS IDENTIFIED:**
- All failures are authentication/authorization related
- No test failures indicate data corruption or loss
- No test failures indicate race conditions in data access
- Emergency reset is properly idempotent (Test 8 validates this)
---
## Recommended Next Steps
### Immediate Actions (Today)
1.**Configure Emergency Token**
```bash
# Generate a secure 64-character token
openssl rand -hex 32 > /tmp/emergency_token.txt
# Add to .env file
echo "CHARON_EMERGENCY_TOKEN=$(cat /tmp/emergency_token.txt)" >> .env
# Verify token is set
grep CHARON_EMERGENCY_TOKEN .env
```
2. ✅ **Fix Error Handling in Teardown**
```bash
# Edit tests/security-teardown.setup.ts
# Line 85: Add null check before join
# From: errors.join('\n ')
# To: (errors || ['Unknown error']).join('\n ')
```
3. ✅ **Verify Fix**
```bash
# Run security teardown test
npx playwright test tests/security-teardown.setup.ts
# If successful, run full security suite
npx playwright test tests/security-enforcement/
```
### Short Term (This Week)
4. ✅ **Refactor Emergency Token Test 1**
- Update test to use emergency endpoint for setup
- Add documentation explaining why emergency endpoint is used for setup
- Validate test passes after refactor
5. ✅ **Update CrowdSec Test Expectations**
- Review error code expectations in crowdsec-enforcement.spec.ts
- Ensure test handles both "CrowdSec unavailable" and "ACL blocking" scenarios
- Add documentation explaining acceptable error codes
6. ✅ **CI/CD Integration Check**
- Verify emergency token is set in CI/CD environment variables
- Add pre-test validation step to check required environment variables
- Fail fast with clear error if emergency token is missing
### Long Term (Next Sprint)
7. **Test Environment Configuration**
- Create test-specific security configuration
- Default to security disabled in test environment
- Add flag to run tests with security enabled for integration testing
8. **Test Suite Organization**
- Split security tests into "security disabled" and "security enabled" groups
- Run setup/teardown only for security-enabled group
- Improve test isolation and reduce interdependencies
9. **Monitoring & Alerting**
- Add test result metrics to CI/CD dashboard
- Alert on security test failures
- Track test execution time trends
---
## Test Output Artifacts
### Available for Review
- **Full Playwright Report:** `http://localhost:9323` (when serving)
- **Test Results Directory:** `test-results/`
- **Screenshots:** Check `test-results/` for failure screenshots
- **Traces:** Check `test-results/traces/` for detailed execution traces
- **Console Logs:** Full output captured in this triage report
### Recommended Analysis Tools
```bash
# View HTML report
npx playwright show-report
# View specific test trace
npx playwright show-trace test-results/.../trace.zip
# Re-run failed tests only
npx playwright test --last-failed --project=chromium
# Run tests with debug
npx playwright test --debug tests/security-teardown.setup.ts
```
---
## Conclusion
**Root Cause:** Missing or invalid `CHARON_EMERGENCY_TOKEN` configuration causes security teardown failure, leading to cascading ACL blocking errors across 20 tests.
**Resolution Path:**
1. Configure emergency token (5 minutes)
2. Fix error handling (5 minutes)
3. Verify fixes (10 minutes)
4. Address medium-priority test design issues (30-60 minutes)
**Expected Outcome:** After fixes, expect 20/21 failures to resolve, bringing test success rate from 73% to 99% (157/159 passed).
**Timeline:** All HIGH priority fixes can be completed in under 30 minutes. MEDIUM priority fixes within 1-2 hours.
---
**Report Generated:** 2026-01-27
**Report Author:** QA Security Testing Agent
**Next Review:** After fixes are applied and tests re-run
Reference in New Issue View Git Blame Copy Permalink