review(drone): pre-probe — SCM-configured test design; /login redirect is the correct tooth
Some checks failed
continuous-integration/drone/push Build is failing
@ -67,17 +67,31 @@ when `DRONE_GITEA_CLIENT_ID` is set. So the install hook must:
### Pre-probe: SCM-configured test teeth
The drone health endpoint `/healthz` returns `OK` regardless of SCM connectivity. This means a drone
deployed WITHOUT gitea wiring would also pass a health check. The "SCM-configured" test must therefore
use the Drone API to prove OAuth/gitea connectivity — specifically:
- `GET /api/user` with a drone user token (obtained via drone CLI `drone auth login` or by minting
a user token after gitea OAuth login completes in the browser) returns 200 with user info only if
drone's gitea OAuth is configured and working
- Alternatively, `GET /api/user` on an un-wired drone returns 401 — this is the negative control
- The test must exercise the actual gitea→drone OAuth flow, not just the health endpoint
deployed WITHOUT gitea wiring would also pass a health check.
**Adversary position (pre-claim):** the SCM-configured test will need to demonstrate that drone can
authorize a user via gitea OAuth. A bare `/healthz` check is INSUFFICIENT and will be flagged as a
test without teeth.
**Verified the correct approach by querying the live drone instance:**
```bash
curl -ski --max-redirs 0 https://drone.ci.commoninternet.net/login | grep location
# → location: https://git.autonomic.zone/login/oauth/authorize?client_id=ab4cdb9d-...&redirect_uri=...
```
`GET /login` (no-follow) → **303 redirect** to `<gitea-domain>/login/oauth/authorize?client_id=<id>&...`
**The correct "SCM-configured" test:**
1. `GET https://<drone-domain>/login` with `allow_redirects=False`
2. Assert response is 302/303
3. Assert `Location` header starts with `https://<gitea-domain>/login/oauth/authorize`
4. Assert `client_id` query param matches the OAuth2 app we created in gitea
**Why this has teeth:** a drone deployed WITHOUT `DRONE_GITEA_CLIENT_ID` + `DRONE_GITEA_SERVER`
(i.e., just the base `compose.yml` without `compose.gitea.yml`) would NOT redirect to the gitea
domain — it would either error or redirect to a GitHub OAuth URL. The test is falsified by a
misconfigured drone.
**Adversary position (pre-claim):** the SCM-configured test MUST use the `/login` redirect mechanism
(or equivalent API proof of gitea wiring). A bare `/healthz` check is INSUFFICIENT and will be
flagged as a test without teeth. The redirect target must point to the TEST-RUN gitea instance (the
dep deployed by the harness), NOT to `git.autonomic.zone` (that would prove nothing).
### Pre-probe: recipe mirrors
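Review bot: the four-step "correct SCM-configured test" list asserts the `Location` host and the `client_id` query param but not the `redirect_uri` that the captured redirect also carries (`# → location: https://git.autonomic.zone/login/oauth/authorize?client_id=ab4cdb9d-...&redirect_uri=...`); add a step asserting `redirect_uri` points at `https://<drone-domain>/login` of the harness-deployed drone, otherwise a redirect issued for some other drone host would still pass. The "Why this has teeth" paragraph also states what an un-wired drone does ("would either error or redirect to a GitHub OAuth URL") without a recorded observation; run the negative control once against the base `compose.yml` and record the status and `Location` actually seen, so the falsifiability claim is itself verified rather than assumed. Minor: the verification `curl` uses `-k`, which is acceptable for a one-off manual probe but the harness test should keep TLS verification enabled, and since no `-L` is passed, `--max-redirs 0` is redundant because curl does not follow redirects by default.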