diff --git a/machine-docs/REVIEW-drone.md b/machine-docs/REVIEW-drone.md index b89a068..5c35536 100644 --- a/machine-docs/REVIEW-drone.md +++ b/machine-docs/REVIEW-drone.md 
@@ -67,17 +67,31 @@ when `DRONE_GITEA_CLIENT_ID` is set. So the install hook must: ### Pre-probe: SCM-configured test teeth The drone health endpoint `/healthz` returns `OK` regardless of SCM connectivity. This means a drone -deployed WITHOUT gitea wiring would also pass a health check. The "SCM-configured" test must therefore -use the Drone API to prove OAuth/gitea connectivity — specifically: -- `GET /api/user` with a drone user token (obtained via drone CLI `drone auth login` or by minting - a user token after gitea OAuth login completes in the browser) returns 200 with user info only if - drone's gitea OAuth is configured and working -- Alternatively, `GET /api/user` on an un-wired drone returns 401 — this is the negative control -- The test must exercise the actual gitea→drone OAuth flow, not just the health endpoint +deployed WITHOUT gitea wiring would also pass a health check. -**Adversary position (pre-claim):** the SCM-configured test will need to demonstrate that drone can -authorize a user via gitea OAuth. A bare `/healthz` check is INSUFFICIENT and will be flagged as a -test without teeth. +**Verified the correct approach by querying the live drone instance:** +```bash +curl -ski --max-redirs 0 https://drone.ci.commoninternet.net/login | grep location +# → location: https://git.autonomic.zone/login/oauth/authorize?client_id=ab4cdb9d-...&redirect_uri=... +``` + +`GET /login` (no-follow) → **303 redirect** to `/login/oauth/authorize?client_id=&...` + +**The correct "SCM-configured" test:** +1. `GET https:///login` with `allow_redirects=False` +2. Assert response is 302/303 +3. Assert `Location` header starts with `https:///login/oauth/authorize` +4. 
Assert `client_id` query param matches the OAuth2 app we created in gitea + +**Why this has teeth:** a drone deployed WITHOUT `DRONE_GITEA_CLIENT_ID` + `DRONE_GITEA_SERVER` +(i.e., just the base `compose.yml` without `compose.gitea.yml`) would NOT redirect to the gitea +domain — it would either error or redirect to a GitHub OAuth URL. The test is falsified by a +misconfigured drone. + +**Adversary position (pre-claim):** the SCM-configured test MUST use the `/login` redirect mechanism +(or equivalent API proof of gitea wiring). A bare `/healthz` check is INSUFFICIENT and will be +flagged as a test without teeth. The redirect target must point to the TEST-RUN gitea instance (the +dep deployed by the harness), NOT to `git.autonomic.zone` (that would prove nothing). ### Pre-probe: recipe mirrors
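Review bot: the rewritten "SCM-configured" test (steps 1-4 in this hunk) drops the negative control that the removed lines had (`GET /api/user` on an un-wired drone returns 401) and replaces it with an unverified claim: "would either error or redirect to a GitHub OAuth URL" is stated under "Why this has teeth", but the only live probe shown is the `curl -ski --max-redirs 0 .../login` against the wired instance, so the falsification path was never exercised. Either keep a negative-control step (run the same `GET /login` against a drone started from the base `compose.yml` without `compose.gitea.yml` and assert the `Location` does NOT start with the test gitea's `/login/oauth/authorize`) or record the observed un-wired behaviour instead of guessing it. Also note what the redirect does and does not prove: a correct `Location` only shows drone's `DRONE_GITEA_SERVER` and `DRONE_GITEA_CLIENT_ID` are set; it says nothing about whether gitea actually has an OAuth2 app with that `client_id` and the `redirect_uri=...` shown. A cheap step 5 would be to `GET` the `Location` URL itself with `allow_redirects=False` and assert gitea does not answer with an unknown-client error, plus assert the `redirect_uri` param points back at the drone under test. Finally, the placeholders in steps 1 and 3 have rendered empty (`https:///login`, `https:///login/oauth/authorize`, `client_id=&...`), presumably angle-bracket tokens eaten by markdown; write them as backticked `<drone-host>` / `<gitea-host>` / `<client_id>` so the spec is readable.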