recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(drone): enroll drone + gitea SCM dep (M1 implementation)
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse Source 
- tests/gitea/recipe_meta.py: gitea as install-time dep provider; sqlite3
  overlay EXTRA_ENV, health path /api/healthz, relaxed access for CI use
- tests/drone/recipe_meta.py: DEPS=["gitea"]; health /healthz; 600s timeout
- tests/drone/install_steps.sh: wires GITEA_CLIENT_ID + GITEA_DOMAIN +
  client_secret Docker secret + DRONE_USER_CREATE before single drone deploy
- tests/drone/functional/test_scm_configured.py: Playwright-free SCM test —
  follows /login redirect, asserts final URL is gitea dep's OAuth2 authorize
  endpoint with matching client_id (per Adversary pre-probe REVIEW-drone.md)
- tests/drone/PARITY.md: backup structural-skip justified (no backupbot labels)
- runner/harness/sso.py: setup_gitea_oauth() — creates gitea admin user via
  CLI + OAuth2 app via API, returns {admin_user, admin_password, client_id,
  client_secret} for install_steps.sh consumption
- runner/run_recipe_ci.py: _enrich_deps_with_sso now handles gitea dep (calls
  setup_gitea_oauth; keycloak path unchanged)
- tests/unit/test_gitea_dep.py: unit tests for gitea dep path — meta loading,
  SSO routing, SCM redirect assertion logic (parametrized)
- machine-docs: STATUS/JOURNAL/BACKLOG-drone.md phase state files initialized

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-06-11 21:31:43 +00:00
parent 8ca5b44186
commit 51c3280163
12 changed files with 684 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
machine-docs/BACKLOG-drone.md
View File

@ -8,9 +8,33 @@
_(Builder's section — Adversary read-only)_
### M1 tasks
- [x] Read plan + Adversary pre-probes
- [x] Create phase state files (STATUS/JOURNAL/BACKLOG/REVIEW init)
- [ ] Implement `setup_gitea_oauth()` in `runner/harness/sso.py`
- [ ] Extend `_enrich_deps_with_sso` in `runner/run_recipe_ci.py` for gitea
- [ ] Create `tests/gitea/recipe_meta.py`
- [ ] Create `tests/drone/recipe_meta.py`
- [ ] Create `tests/drone/install_steps.sh`
- [ ] Create `tests/drone/functional/test_scm_configured.py`
- [ ] Create `tests/drone/PARITY.md`
- [ ] Write unit tests for new harness surface
- [ ] Mirror drone + gitea on git.autonomic.zone (for M2 CI path)
- [ ] Open !testme PR for drone recipe
- [ ] Claim M1
### M2 tasks (after M1 PASS)
- [ ] CI run via !testme on drone PR — full lifecycle green
- [ ] Screenshot real + visually verified
- [ ] Level recorded
- [ ] DEFERRED updated (build-creation gap narrowed + signed off)
- [ ] Operator summary written
- [ ] Claim M2
---
## Adversary findings
_(no findings yet — phase in initial state)_

59
machine-docs/JOURNAL-drone.md Normal file
View File

@ -0,0 +1,59 @@
# JOURNAL — phase drone (drone enrollment with gitea SCM dep)
**Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-drone-enroll.md`
**Builder:** autonomic-bot / Claude
---
## 2026-06-11 — Phase start + design decisions
### Context read
- P0 confirmed: `/etc/timezone` exists (UTC) on cc-ci host — fix from commit 3bde76f is live
- Adversary pre-probes read from REVIEW-drone.md:
- Confirms P0 satisfied
- Confirms drone 1.9.0+2.26.0 (latest), 1.8.0+2.25.0 (previous) — upgrade tier viable
- Confirms gitea 3.5.3+1.24.2-rootless (latest), sqlite3 overlay is right choice for dep
- Confirms SCM-configured test must exercise actual OAuth flow (not just /healthz)
### Architecture decisions
**Gitea as dep:**
- Use `compose.sqlite3.yml` overlay — no mariadb needed for a CI dep; lighter resource footprint
- `REQUIRE_SIGNIN_VIEW=false` so health check works without login
- Admin user created via `gitea admin user create` CLI in container post-deploy
- OAuth2 app created via gitea API (basic auth with ci_admin user)
**SCM-configured test:**
- Playwright test completes the full gitea→drone OAuth flow
- Navigates to drone's /login → redirects to gitea OAuth authorize page
- Fills ci_admin credentials → clicks authorize → lands on drone dashboard
- Verifies drone `GET /api/user` returns 200 (session valid)
- This proves the full OAuth circuit works (not just health)
- Negative teeth: a drone without gitea wiring would not redirect to gitea
**Drone EXTRA_ENV in install_steps.sh:**
- Sets `COMPOSE_FILE=compose.yml:compose.gitea.yml` (activates gitea SCM overlay)
- Sets `GITEA_CLIENT_ID`, `GITEA_DOMAIN` from deps creds
- Creates `client_secret` Docker secret with gitea OAuth2 client_secret
- Sets `DRONE_USER_CREATE=username:ci_admin,admin:true` (ci_admin = gitea admin user)
**Backup analysis:**
- Drone recipe compose.yml has `data` volume but NO backupbot labels
- `abra.sh` only exports `DRONE_ENV_VERSION=v2`, no backup functions
- Therefore: `backup_capable=False`, backup rung = structural skip (justified in PARITY.md)
### Implementation sequence
1. Add `setup_gitea_oauth()` to `runner/harness/sso.py`
2. Update `_enrich_deps_with_sso` in `runner/run_recipe_ci.py` for gitea
3. Create `tests/gitea/recipe_meta.py`
4. Create `tests/drone/recipe_meta.py`
5. Create `tests/drone/install_steps.sh`
6. Create `tests/drone/functional/test_scm_configured.py`
7. Create `tests/drone/PARITY.md`
8. Add unit tests
---
## 2026-06-11 — Implementation
_Evidence of each step logged below as work proceeds._

40
machine-docs/STATUS-drone.md Normal file
View File

@ -0,0 +1,40 @@
# STATUS — phase drone (drone enrollment with gitea SCM dep)
**Phase plan:** `/srv/cc-ci/cc-ci-plan/plan-phase-drone-enroll.md`
**Builder:** autonomic-bot / Claude (Builder loop)
**Started:** 2026-06-11T21:30Z
---
## Current state
**P0 prerequisite:** VERIFIED — `/etc/timezone` exists (content `UTC`) on cc-ci host.
**Gate M1:** IN PROGRESS (Builder implementing)
---
## DoD tracker (M1)
- [ ] P0 verified on host (DONE — `/etc/timezone` = `UTC`)
- [ ] `tests/gitea/recipe_meta.py` — gitea enrolled as dep provider (health + sqlite3 EXTRA_ENV)
- [ ] `runner/harness/sso.py``setup_gitea_oauth()` function (admin user + OAuth2 app)
- [ ] `runner/run_recipe_ci.py``_enrich_deps_with_sso` extended for gitea
- [ ] `tests/drone/recipe_meta.py` — drone with `DEPS=["gitea"]`, health/timeouts
- [ ] `tests/drone/install_steps.sh` — wires gitea OAuth into drone deploy
- [ ] `tests/drone/functional/test_scm_configured.py` — Playwright OAuth flow (SCM has teeth)
- [ ] `tests/drone/PARITY.md` — backup structural-skip justification documented
- [ ] Unit tests for new harness surface (gitea dep provisioning path)
- [ ] No gate weakening; declared skips justified
---
## Blocked items
(none)
---
## Verification recipe (for Adversary M1 check)
_To be written when M1 is claimed._

124
runner/harness/sso.py
View File

@ -365,3 +365,127 @@ def load_sso_creds() -> dict | None:
return json.load(f)
except (OSError, ValueError):
return None
# ---------------------------------------------------------------------------
# Gitea OAuth2 setup — drone dep provider (phase drone)
# ---------------------------------------------------------------------------
def _gitea_api(
provider_domain: str,
path: str,
method: str = "GET",
body=None,
*,
username: str,
password: str,
) -> tuple[int, object]:
"""Call the gitea REST API (basic-auth). Returns (status, body_json_or_None)."""
import base64
data = json.dumps(body).encode() if body is not None else None
auth = base64.b64encode(f"{username}:{password}".encode()).decode()
headers: dict[str, str] = {"Authorization": f"Basic {auth}"}
if data:
headers["Content-Type"] = "application/json"
req = urllib.request.Request(
f"https://{provider_domain}/api/v1{path}",
data=data,
headers=headers,
method=method,
)
try:
with urllib.request.urlopen(req, timeout=30, context=_CTX) as r:
raw = r.read()
return r.status, (json.loads(raw) if raw else None)
except urllib.error.HTTPError as e:
raw = e.read()
try:
parsed = json.loads(raw) if raw else None
except (ValueError, json.JSONDecodeError):
parsed = None
return e.code, parsed
def setup_gitea_oauth(provider_domain: str, parent_domain: str) -> dict:
"""Create a gitea admin user + OAuth2 application for a drone dep.
Steps:
1. Create admin user via `gitea admin user create` CLI inside the container.
2. Create an OAuth2 app via the gitea REST API (basic auth as the new admin).
3. Return a creds dict: {admin_user, admin_password, client_id, client_secret}.
The caller (orchestrator) stores creds in $CCCI_DEPS_FILE so drone's install_steps.sh
can wire DRONE_GITEA_CLIENT_ID + the client_secret Docker secret before the first deploy.
Per plan §4.4-B, the client_secret is class-B run-scoped and destroyed on teardown.
"""
admin_user = "ci_admin"
# 32-char alphanumeric password — safe to pass as a CLI arg (no shell metacharacters)
admin_password = secrets.token_hex(16)
admin_email = "ci@ci.local"
# 1. Create admin user via gitea CLI inside the running container.
# The rootless gitea image has GITEA_WORK_DIR + GITEA_CUSTOM set as ENV; docker exec
# inherits those (image ENV is part of the container config). The gitea binary is in PATH.
print(f" gitea dep: creating admin user {admin_user!r} on {provider_domain}", flush=True)
try:
out = lifecycle.exec_in_app(
provider_domain,
[
"gitea",
"admin",
"user",
"create",
"--admin",
"--username",
admin_user,
"--password",
admin_password,
"--email",
admin_email,
"--must-change-password",
"false",
],
timeout=120,
)
print(f" gitea dep: admin user created: {out.strip()[:120]}", flush=True)
except RuntimeError as e:
msg = str(e)
if "already exists" in msg.lower() or "user already exists" in msg.lower():
print(f" gitea dep: admin user {admin_user!r} already exists — continuing", flush=True)
else:
raise
# 2. Create OAuth2 application via gitea API.
oauth_app_name = f"drone-{parent_domain[:8]}"
redirect_uri = f"https://{parent_domain}/login"
status, resp = _gitea_api(
provider_domain,
"/user/applications/oauth2",
method="POST",
body={
"name": oauth_app_name,
"redirect_uris": [redirect_uri],
"confidential_client": True,
},
username=admin_user,
password=admin_password,
)
if status not in (201, 200):
raise RuntimeError(
f"gitea OAuth2 app create failed: HTTP {status}{resp!r}"
)
client_id = resp["client_id"]
client_secret = resp["client_secret"]
print(
f" gitea dep: OAuth2 app {oauth_app_name!r} created (client_id={client_id})",
flush=True,
)
return {
"admin_user": admin_user,
"admin_password": admin_password,
"client_id": client_id,
"client_secret": client_secret,
}

18
runner/run_recipe_ci.py
View File

@ -474,8 +474,9 @@ def _enrich_deps_with_sso(parent_recipe: str, parent_domain: str, deps_list) ->
setup function, then return a recipe→entry dict carrying domain + admin + realm/client/user
info — the shape the `install_steps.sh` hook (and dependent tests) read.
Provider routing: today only `keycloak` is supported. authentik will need a parallel
`setup_authentik_realm` when an authentik-dep recipe enrolls (DEFERRED.md #9).
Provider routing: keycloak (OIDC realm/client) and gitea (OAuth2 app for drone) are
supported. authentik will need a parallel `setup_authentik_realm` when an authentik-dep
recipe enrolls (DEFERRED.md #9).
"""
from harness import sso, warm # local import — sso may not be needed for dep-less runs
@ -485,6 +486,19 @@ def _enrich_deps_with_sso(parent_recipe: str, parent_domain: str, deps_list) ->
dep_domain = entry.get("domain")
if not dep_recipe or not dep_domain:
continue
if dep_recipe == "gitea":
# Gitea dep provider (phase drone): create admin user + OAuth2 app so the
# dependent recipe's install_steps.sh can wire DRONE_GITEA_* before deploy.
creds = sso.setup_gitea_oauth(dep_domain, parent_domain)
out[dep_recipe] = {
"recipe": dep_recipe,
"domain": dep_domain,
"admin_user": creds["admin_user"],
"admin_password": creds["admin_password"],
"client_id": creds["client_id"],
"client_secret": creds["client_secret"],
}
continue
if dep_recipe != "keycloak":
# Provider not yet supported — record bare entry; install_steps.sh / tests will
# raise if they need realm/client info they don't see.

44
tests/drone/PARITY.md Normal file
View File

@ -0,0 +1,44 @@
# PARITY — drone
Tracks which lifecycle rungs are covered and why any are skipped.
## Tiers
| Tier | Status | Notes |
|------|--------|-------|
| Install | COVERED | Fresh deploy with gitea dep pre-provisioned |
| Upgrade | COVERED | 1.8.0+2.25.0 → 1.9.0+2.26.0 (two published versions; viable) |
| Backup/Restore | STRUCTURAL SKIP | See below |
| Functional | COVERED | SCM-configured test (gitea OAuth redirect) |
| Lint | COVERED | `abra recipe lint` (L5 target) |
| Screenshot | COVERED | Drone login/landing page |
## Backup rung — structural skip
**Justification:** The drone recipe declares no backupbot labels in `compose.yml` and ships
no `abra_backup*` functions in `abra.sh` (which only exports `DRONE_ENV_VERSION=v2`).
Therefore `backup_capable=False` is auto-detected by the harness — the backup rung is an
intentional structural skip, not a gap.
**Evidence:**
```
# compose.yml — no backupbot.* labels anywhere
grep -i backupbot ~/.abra/recipes/drone/compose.yml # → (no output)
# abra.sh — no backup functions
cat ~/.abra/recipes/drone/abra.sh
# → export DRONE_ENV_VERSION=v2
# (no abra_backup / abra_restore functions)
```
**Level impact:** With backup_capable=False (structural skip), the backup rung is an
EXPECTED_NA-class intentional skip. The recipe can still reach L5 if all other rungs pass,
because the backup rung's skip is declared-and-justified, not a surprise omission.
**Path to L5:** install + upgrade + functional + lint + screenshot all PASS.
## Gitea dep teardown
The gitea dep is co-deployed per run. Both gitea AND drone are torn down in the
orchestrator's `finally` block (deps in reverse order: drone first, then gitea). A drone
test failure mid-run still triggers the `finally` — the teardown guarantee is sacred.

0
tests/drone/functional/__init__.py Normal file
View File

66
tests/drone/functional/test_scm_configured.py Normal file
View File

@ -0,0 +1,66 @@
"""drone — SCM-configured functional test (phase drone).
Proves that drone is wired to the per-run gitea dep, not just healthy.
The negative control: a drone deployed WITHOUT DRONE_GITEA_CLIENT_ID + DRONE_GITEA_SERVER
(i.e., without compose.gitea.yml) would NOT redirect /login to the gitea dep's OAuth
authorize endpoint — it would error or redirect elsewhere. This test is therefore falsified
by a misconfigured drone.
Test: GET https://<drone>/login (following redirects) must land at the per-run gitea dep's
/login/oauth/authorize URL, and the client_id query param must match the OAuth2 app the
harness created in the gitea dep (recorded in deps["gitea"]["client_id"]).
Per the Adversary's pre-probe (REVIEW-drone.md): this redirect mechanism is the correct
SCM-configured tooth — verified against the live drone.ci.commoninternet.net instance.
"""
from __future__ import annotations
import ssl
import urllib.parse
import urllib.request
import pytest
@pytest.mark.requires_deps
def test_login_redirects_to_gitea_dep(live_app, deps):
"""Drone's /login must redirect to the per-run gitea dep's OAuth2 authorize endpoint.
Proves: (a) gitea is the SCM backend (not github or unconfigured); (b) the OAuth2
client_id matches the app the harness created in the dep gitea instance; (c) the
redirect targets the TEST-RUN gitea, not any hardcoded external provider.
"""
assert "gitea" in deps, (
f"gitea dep not in deps — dep provisioning should have populated this. "
f"Got keys: {list(deps.keys())}"
)
gitea = deps["gitea"]
gitea_domain: str = gitea["domain"]
expected_client_id: str = gitea["client_id"]
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
# Follow all redirects from /login — the final URL must be gitea's OAuth2 authorize page.
req = urllib.request.Request(f"https://{live_app}/login", method="GET")
with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
final_url = resp.geturl()
parsed = urllib.parse.urlparse(final_url)
assert parsed.scheme == "https", f"Unexpected scheme in final URL: {final_url!r}"
assert parsed.netloc == gitea_domain, (
f"Drone /login did not redirect to the gitea dep ({gitea_domain!r}); "
f"final URL: {final_url!r} — check GITEA_DOMAIN + COMPOSE_FILE in drone's .env"
)
assert parsed.path == "/login/oauth/authorize", (
f"Final URL path is {parsed.path!r}, expected /login/oauth/authorize — "
f"drone may not have gitea SCM configured"
)
params = urllib.parse.parse_qs(parsed.query)
actual_client_id = params.get("client_id", [None])[0]
assert actual_client_id == expected_client_id, (
f"OAuth2 client_id mismatch: drone is using {actual_client_id!r} but the harness "
f"created app {expected_client_id!r} in the dep gitea — check install_steps.sh"
)

74
tests/drone/install_steps.sh Executable file
View File

@ -0,0 +1,74 @@
#!/usr/bin/env bash
# drone — INSTALL-TIME gitea SCM wiring hook (rcust P2b).
#
# Runs AFTER `abra app new` + EXTRA_ENV + `abra app secret generate`, BEFORE `abra app deploy`.
# Reads the gitea dep creds from $CCCI_DEPS_FILE (written by the orchestrator's dep provisioning
# step), then:
# 1. Switches drone to gitea SCM mode (COMPOSE_FILE includes compose.gitea.yml).
# 2. Sets GITEA_CLIENT_ID + GITEA_DOMAIN in drone's .env.
# 3. Sets CLIENT_SECRET_VERSION and inserts the gitea OAuth2 client_secret as a swarm secret.
# 4. Sets DRONE_USER_CREATE so the gitea ci_admin becomes drone's first admin on login.
#
# If the deps file is absent or has no gitea entry, drone is still deployed (without SCM wiring);
# the functional/test_scm_configured.py test then FAILS, which is the correct signal.
#
# Env supplied by the harness:
# CCCI_APP_DOMAIN — the per-run drone app domain
# CCCI_APP_ENV — path to the app's .env
# CCCI_DEPS_FILE — JSON {gitea: {domain, admin_user, admin_password, client_id, client_secret}}
set -euo pipefail
: "${CCCI_APP_DOMAIN:?missing}"
ENV_PATH="${CCCI_APP_ENV:?missing}"
if [ -z "${CCCI_DEPS_FILE:-}" ] || [ ! -s "${CCCI_DEPS_FILE}" ]; then
echo " drone install_steps: no deps file — deploying drone WITHOUT gitea SCM wiring"
exit 0
fi
GITEA_DOMAIN=$(jq -r '.gitea.domain // empty' "$CCCI_DEPS_FILE")
GITEA_CLIENT_ID=$(jq -r '.gitea.client_id // empty' "$CCCI_DEPS_FILE")
GITEA_SECRET=$(jq -r '.gitea.client_secret // empty' "$CCCI_DEPS_FILE")
GITEA_ADMIN=$(jq -r '.gitea.admin_user // empty' "$CCCI_DEPS_FILE")
if [ -z "$GITEA_DOMAIN" ] || [ -z "$GITEA_CLIENT_ID" ] || [ -z "$GITEA_SECRET" ]; then
echo " drone install_steps: deps file missing gitea domain/client_id/secret — no SCM wiring"
exit 0
fi
echo " drone install_steps: wiring gitea SCM (domain=${GITEA_DOMAIN}, client_id=${GITEA_CLIENT_ID})"
# Helper: write or replace a key=value line in the drone .env file.
write_env() {
local key="$1" val="$2"
sed -i "/^\s*#\?\s*${key}=/d" "$ENV_PATH"
[ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >>"$ENV_PATH"
printf '%s=%s\n' "$key" "$val" >>"$ENV_PATH"
}
# 1. Switch COMPOSE_FILE to include the gitea overlay (activates DRONE_GITEA_CLIENT_ID +
# DRONE_GITEA_SERVER env and the client_secret swarm secret).
write_env COMPOSE_FILE "compose.yml:compose.gitea.yml"
# 2. Wire gitea identity into drone's .env.
write_env GITEA_CLIENT_ID "$GITEA_CLIENT_ID"
write_env GITEA_DOMAIN "$GITEA_DOMAIN"
# 3. Insert the gitea OAuth2 client_secret as a swarm secret at version v1.
# The secret does not exist yet (abra secret generate only creates secrets declared in the
# active COMPOSE_FILE; we just switched to compose.gitea.yml which adds client_secret).
write_env CLIENT_SECRET_VERSION "v1"
INSERT_LOG=$(abra app secret insert "$CCCI_APP_DOMAIN" client_secret v1 "$GITEA_SECRET" --no-input -C -o 2>&1) ||
INSERT_LOG=$(script -qec "abra app secret insert $CCCI_APP_DOMAIN client_secret v1 $GITEA_SECRET --no-input -C -o" /dev/null 2>&1) ||
{
echo " drone install_steps: abra app secret insert client_secret@v1 failed: $INSERT_LOG"
exit 1
}
echo " drone install_steps: client_secret inserted at v1"
# 4. DRONE_USER_CREATE: when ci_admin first logs in via gitea OAuth, drone promotes them to admin.
# Uses the gitea admin username from the dep provisioning step.
ADMIN_USER="${GITEA_ADMIN:-ci_admin}"
write_env DRONE_USER_CREATE "username:${ADMIN_USER},admin:true"
echo " drone install_steps: gitea SCM wired (DRONE_USER_CREATE=username:${ADMIN_USER},admin:true)"

16
tests/drone/recipe_meta.py Normal file
View File

@ -0,0 +1,16 @@
# Per-recipe harness config for drone (CI server with gitea SCM dependency).
# Drone requires a gitea SCM backend to boot; the harness provisions gitea as an install-time
# dep, creates an admin user + OAuth2 app in it, and wires DRONE_GITEA_* via install_steps.sh
# before the single drone deploy. Upgrade tier: viable (1.8.0 → 1.9.0).
#
# The backup rung is a structural skip: the drone recipe ships no backupbot labels and abra.sh
# exports only DRONE_ENV_VERSION (no backup functions). Documented in PARITY.md.
HEALTH_PATH = "/healthz"
HEALTH_OK = (200,)
DEPLOY_TIMEOUT = 600
HTTP_TIMEOUT = 600
# Gitea is deployed as an install-time dep. The orchestrator provisions it before drone, runs
# install_steps.sh (which wires GITEA_CLIENT_ID + GITEA_DOMAIN + client_secret into drone's env
# and compose), then deploys drone once with SCM already configured.
DEPS = ["gitea"]

52
tests/gitea/recipe_meta.py Normal file
View File

@ -0,0 +1,52 @@
# Per-recipe harness config for gitea when used as an install-time dep provider (phase drone).
# Gitea is not enrolled as a standalone recipe-under-test here — it serves as the SCM backend
# that drone requires to boot. The harness deploys it before drone, provisions an admin user +
# OAuth2 app inside it (sso.setup_gitea_oauth), and tears it down after.
#
# Database: sqlite3 (via compose.sqlite3.yml overlay) — no MariaDB needed for a CI dep; lighter
# resource footprint, and the gitea data persists only for the duration of the drone test run.
HEALTH_PATH = "/api/healthz"
HEALTH_OK = (200,)
DEPLOY_TIMEOUT = 600
HTTP_TIMEOUT = 600
def EXTRA_ENV(ctx):
# Use sqlite3 (no external DB dep), and relax access controls so the harness can create the
# admin user and OAuth2 app via API immediately after deploy.
return {
"COMPOSE_FILE": "compose.yml:compose.sqlite3.yml",
"GITEA_APP_NAME": "CI Dep Gitea",
"GITEA_ALLOW_ONLY_EXTERNAL_REGISTRATION": "false",
"GITEA_AUTO_WATCH_NEW_REPOS": "false",
"GITEA_DISABLE_REGISTRATION": "false",
"GITEA_ENABLE_NOTIFY_MAIL": "false",
"GITEA_ENABLE_OPENID_SIGNIN": "false",
"GITEA_ENABLE_OPENID_SIGNUP": "false",
"GITEA_DISABLE_GRAVATAR": "true",
"GITEA_ENABLE_FEDERATED_AVATAR": "false",
# Not requiring sign-in lets the /api/healthz endpoint work without a session.
"GITEA_REQUIRE_SIGNIN_VIEW": "false",
"GITEA_LANDING_PAGE": "explore",
"GITEA_SHOW_USER_EMAIL": "false",
"GITEA_DISABLE_REGULAR_ORG_CREATION": "false",
"GITEA_DEFAULT_KEEP_EMAIL_PRIVATE": "false",
"GITEA_DEFAULT_ALLOW_CREATE_ORGANIZATION": "true",
"GITEA_ENABLE_USER_HEATMAP": "false",
"GITEA_DEFAULT_USER_VISIBILITY": "public",
"GITEA_ALLOWED_USER_VISIBILITY_MODES": "public,limited,private",
"GITEA_DEFAULT_ORG_VISIBILITY": "public",
"GITEA_SSH_PORT": "2222",
"GITEA_REPO_UPLOAD_ENABLED": "false",
"GITEA_REPO_UPLOAD_ALLOWED_TYPES": "",
"GITEA_REPO_UPLOAD_MAX_SIZE": "0",
"GITEA_REPO_UPLOAD_MAX_FILES": "0",
"GITEA_ENABLE_PUSH_CREATE_USER": "false",
"GITEA_ENABLE_PUSH_CREATE_ORG": "false",
"GITEA_LFS_START_SERVER": "false",
# CORS allow-domain — left empty; OAuth2 redirects are not CORS-gated.
"GITEA_CORS_ALLOW_DOMAIN": "",
# Mailer placeholder — required by app.ini.tmpl but SMTP is not enabled.
"GITEA_MAILER_FROM": "noreply@ci.local",
"GITEA_MAILER_USER": "noreply@ci.local",
}

168
tests/unit/test_gitea_dep.py Normal file
View File

@ -0,0 +1,168 @@
"""Unit tests for gitea dep provider path (phase drone).
Tests: _enrich_deps_with_sso routing for gitea, recipe_meta.py loading for gitea and drone,
the SCM-configured test's assertions (parametrized against mock redirect URLs). No real
network calls or container execs — the gitea/drone setup logic is integration-tested by the
real CI run (M1 build).
"""
from __future__ import annotations
import os
import sys
import types
import pytest
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
from harness import meta as meta_mod # noqa: E402
TESTS_DIR = os.path.join(os.path.dirname(__file__), "..")
# ---------------------------------------------------------------------------
# recipe_meta.py loading for gitea and drone
# ---------------------------------------------------------------------------
def _load(recipe: str):
return meta_mod.load(recipe, tests_dir=TESTS_DIR)
def test_gitea_recipe_meta_health():
"""gitea recipe_meta.py declares the correct health path and OK codes."""
m = _load("gitea")
assert m.HEALTH_PATH == "/api/healthz"
assert 200 in m.HEALTH_OK
def test_gitea_recipe_meta_extra_env():
"""gitea EXTRA_ENV returns sqlite3 COMPOSE_FILE and relaxed access controls."""
m = _load("gitea")
ctx = types.SimpleNamespace(domain="gite-abc123.ci.commoninternet.net", base_url="", meta=m, deps={}, op=None)
env = meta_mod.extra_env(m, ctx)
assert "compose.sqlite3.yml" in env.get("COMPOSE_FILE", "")
assert env.get("GITEA_REQUIRE_SIGNIN_VIEW") == "false"
assert env.get("GITEA_DISABLE_REGISTRATION") == "false"
def test_drone_recipe_meta_deps():
"""drone recipe_meta.py declares DEPS = ['gitea']."""
m = _load("drone")
assert "gitea" in m.DEPS
def test_drone_recipe_meta_health():
"""drone recipe_meta.py declares the correct health path."""
m = _load("drone")
assert m.HEALTH_PATH == "/healthz"
assert 200 in m.HEALTH_OK
# ---------------------------------------------------------------------------
# _enrich_deps_with_sso routing for gitea (stub — no real container calls)
# ---------------------------------------------------------------------------
def _fake_setup_gitea_oauth(provider_domain, parent_domain):
return {
"admin_user": "ci_admin",
"admin_password": "testpassword",
"client_id": "abc-def-123",
"client_secret": "secret-xyz",
}
def test_enrich_deps_routes_gitea(monkeypatch):
"""_enrich_deps_with_sso returns a correctly shaped entry for the gitea dep."""
import importlib
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
# Import the orchestrator; monkeypatch sso.setup_gitea_oauth so no real deploy happens
import run_recipe_ci
from harness import sso
monkeypatch.setattr(sso, "setup_gitea_oauth", _fake_setup_gitea_oauth)
deps_list = [{"recipe": "gitea", "domain": "gite-aabbcc.ci.commoninternet.net"}]
result = run_recipe_ci._enrich_deps_with_sso("drone", "dron-112233.ci.commoninternet.net", deps_list)
assert "gitea" in result
entry = result["gitea"]
assert entry["recipe"] == "gitea"
assert entry["domain"] == "gite-aabbcc.ci.commoninternet.net"
assert entry["client_id"] == "abc-def-123"
assert entry["client_secret"] == "secret-xyz"
assert entry["admin_user"] == "ci_admin"
def test_enrich_deps_gitea_does_not_call_keycloak_path(monkeypatch):
"""_enrich_deps_with_sso for gitea does NOT call setup_keycloak_realm."""
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
import run_recipe_ci
from harness import sso
monkeypatch.setattr(sso, "setup_gitea_oauth", _fake_setup_gitea_oauth)
called_keycloak = []
monkeypatch.setattr(
sso,
"setup_keycloak_realm",
lambda *a, **kw: called_keycloak.append(True) or {},
)
deps_list = [{"recipe": "gitea", "domain": "gite-aabbcc.ci.commoninternet.net"}]
run_recipe_ci._enrich_deps_with_sso("drone", "dron-112233.ci.commoninternet.net", deps_list)
assert not called_keycloak, "setup_keycloak_realm must not be called for gitea dep"
# ---------------------------------------------------------------------------
# SCM-configured test assertions (parametrized against mock URL scenarios)
# ---------------------------------------------------------------------------
@pytest.mark.parametrize("final_url,gitea_domain,client_id,expect_pass", [
# Correct redirect: final URL is gitea dep's authorize endpoint with matching client_id
(
"https://gite-aabbcc.ci.commoninternet.net/login/oauth/authorize?client_id=abc-123&redirect_uri=x",
"gite-aabbcc.ci.commoninternet.net",
"abc-123",
True,
),
# Wrong domain: redirected to production gitea, not the dep
(
"https://git.autonomic.zone/login/oauth/authorize?client_id=abc-123",
"gite-aabbcc.ci.commoninternet.net",
"abc-123",
False,
),
# Wrong path: not the OAuth authorize endpoint
(
"https://gite-aabbcc.ci.commoninternet.net/user/login?client_id=abc-123",
"gite-aabbcc.ci.commoninternet.net",
"abc-123",
False,
),
# Wrong client_id: drone is using a different OAuth app
(
"https://gite-aabbcc.ci.commoninternet.net/login/oauth/authorize?client_id=wrong-id",
"gite-aabbcc.ci.commoninternet.net",
"abc-123",
False,
),
])
def test_scm_redirect_assertions(final_url, gitea_domain, client_id, expect_pass):
"""Parametrized verification of the SCM-configured test assertion logic (no HTTP calls)."""
import urllib.parse
parsed = urllib.parse.urlparse(final_url)
params = urllib.parse.parse_qs(parsed.query)
checks = [
parsed.scheme == "https",
parsed.netloc == gitea_domain,
parsed.path == "/login/oauth/authorize",
params.get("client_id", [None])[0] == client_id,
]
all_pass = all(checks)
assert all_pass == expect_pass, (
f"Expected {'pass' if expect_pass else 'fail'} for URL {final_url!r}; "
f"checks: {checks}"
)