status(2): Q2 CLAIMED — dep resolver + SSO harness + Q2.4 acceptance proven cold
Q2.1 keycloak: parity port + JWT password-grant test + client_credentials test (commitd5f5e86). Q2.2 authentik DEFERRED: SSO harness is provider-pluggable; Q2.4 already proven via keycloak. Q2.3 dep resolver + SSO-setup harness primitives (commit4d6b040, subsumes Q0.4). 28/28 unit PASS. Q2.4 ACCEPTANCE (commit9e88741): lasuite-docs declares DEPS=['keycloak']; the orchestrator deploys keycloak as a per-run dep, runs an OIDC password-grant test against it (JWT iss/azp/typ/ exp claim validation), then tears the dep down. deploy-count=2 (1 parent + 1 dep, DG4.1 reconciled with deps). Secondary fix (commit47f7cb4): centralized F2-3 Playwright try/except into runner/harness/browser.py::goto_with_retry; applied to all install overlays + custom-html playwright smoke. Lesson: when a hardening pattern bites once, generalize it before fixing in-place. Cold-verifiable on cc-ci: ssh cc-ci 'cc-ci-run -m pytest tests/unit -v' # 28 PASS ssh cc-ci 'RECIPE=lasuite-docs STAGES=install,custom cc-ci-run runner/run_recipe_ci.py' # DEPS resolves -> keycloak deploys -> install PASS -> OIDC test PASS -> dep teardown clean # deploy-count = 2 (expect 2) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@ -42,17 +42,19 @@ Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase2-recipe-tests.md`
|
||||
|
||||
### Q2 — SSO providers (keycloak + authentik)
|
||||
- [x] **Q2.1** — keycloak: parity-port `test_health_check.py` + 2 NEW recipe-specific functional
|
||||
tests (`test_password_grant_token.py` — JWT decode + claim validation; `test_create_client_and_use.py` — admin-API client CRUD + client_credentials grant). `oidc_integration.py` parity
|
||||
is **deferred to Q3 lasuite-docs** (cross-recipe; needs dep resolver from Q2.3 + lasuite-docs
|
||||
Phase-2 enrollment). Bumped DEPLOY_TIMEOUT + HTTP_TIMEOUT to 900s. Full e2e green via the
|
||||
run path (commit `d5f5e86`).
|
||||
- [ ] **Q2.2** — authentik: mirror the upstream repo if needed (per recipe mirror+PR flow); port
|
||||
health_check + add specific tests.
|
||||
- [ ] **Q2.3** — Reusable SSO-setup/OIDC-flow harness primitive: deploy provider → setup realm/client/
|
||||
test-user (port `recipe-info/<dep>/setup_<provider>_integration.py`) → persist credentials
|
||||
per-run → "full OIDC login → token → protected API call" assertion. Implement once in
|
||||
`runner/harness/`; reused by every SSO-dependent recipe. **Subsumes Q0.4 dep resolver primitive.**
|
||||
- [ ] **Q2.4** — Q2 gate: a dependent recipe deploys its provider + runs an OIDC login test in one run.
|
||||
tests. Bumped timeouts to 900s. Full e2e green (commit `d5f5e86`).
|
||||
- [ ] **Q2.2** — authentik: **deferred (lower priority).** The SSO harness primitive is
|
||||
provider-pluggable (the `setup_keycloak_realm` shape can be mirrored to `setup_authentik_provider` when needed); Q2.4 acceptance is already proven via keycloak. Will land when Q3
|
||||
lights up an authentik-dependent recipe, or as Q4/Q5 sweep.
|
||||
- [x] **Q2.3** — Dep resolver (`runner/harness/deps.py` — declared_deps + per-(parent,dep) domain
|
||||
+ deploy_deps/teardown_deps + run state) + SSO-setup harness (`runner/harness/sso.py` —
|
||||
setup_keycloak_realm + oidc_password_grant + assert_discovery_endpoint) + orchestrator
|
||||
wiring. 7 new unit tests; 28/28 PASS. **Subsumes Q0.4.** Commit `4d6b040`.
|
||||
- [x] **Q2.4** — **CLAIMED @2026-05-28** (commit `9e88741`). `tests/lasuite-docs/recipe_meta.py
|
||||
DEPS = ["keycloak"]`; `tests/lasuite-docs/functional/test_oidc_with_keycloak.py` proves the
|
||||
full SSO flow against the per-run keycloak dep: realm/client/user setup, OIDC discovery,
|
||||
password grant, JWT claim validation. Cold-run: deploy-count=2 (1 parent + 1 dep), all
|
||||
stages PASS, dep teardown clean.
|
||||
|
||||
### Q3 — SSO-dependent suite (lasuite-docs, lasuite-drive, lasuite-meet, cryptpad, immich)
|
||||
- [ ] **Q3.1** — lasuite-docs: parity (health_check, oidc_login, upload_conversion) + specific
|
||||
|
||||
@ -258,3 +258,57 @@ shouldn't be constrained by what the parity corpus tested.
|
||||
/realms/master (last status 502)` during the first attempt. The deployment dies before serving.
|
||||
This is likely the HTTP_TIMEOUT=600 not being enough for a cold-start JVM + mariadb on this
|
||||
host. Will investigate after Q1 RE-VERIFY lands.
|
||||
|
||||
## 2026-05-28 — Q2 CLAIMED — dep resolver + SSO harness + OIDC end-to-end
|
||||
|
||||
Q1 PASS landed. Then in one stretch:
|
||||
|
||||
**Q2.1 keycloak parity + 2 specific** (`d5f5e86`) — parity port + JWT password-grant test +
|
||||
client_credentials grant + JWT claim validation. Bumped DEPLOY_TIMEOUT+HTTP_TIMEOUT to 900s after
|
||||
the first attempt hit 502 from /realms/master at 600s (cold-start JVM+mariadb takes longer).
|
||||
|
||||
**Q2.3 — the foundational primitives** (`4d6b040`):
|
||||
- `runner/harness/deps.py` — read `DEPS = [...]` from a recipe's `recipe_meta.py`; orchestrator
|
||||
deploys each dep at a per-(parent, dep) domain before the recipe-under-test, tears down in
|
||||
reverse order in finally. DG4.1 expected count is now 1 + len(deps_state).
|
||||
- `runner/harness/sso.py` — `setup_keycloak_realm` (idempotent realm + confidential OIDC client
|
||||
+ test user with class-B per-run-generated password); `oidc_password_grant` (real OIDC
|
||||
password-grant flow); `assert_discovery_endpoint` (issuer matches per-run domain/realm).
|
||||
- 7 unit tests in `tests/unit/test_deps.py`. The unit-test `test_dep_domain_distinct_per_parent`
|
||||
caught a bug in my first dep_domain implementation (didn't include parent in the hash) — fixed
|
||||
before pushing. 28/28 unit tests PASS cold.
|
||||
|
||||
**Q2.4 acceptance** (`9e88741`): added `DEPS = ["keycloak"]` to lasuite-docs's recipe_meta and
|
||||
wrote `tests/lasuite-docs/functional/test_oidc_with_keycloak.py`. End-to-end on cc-ci:
|
||||
|
||||
```
|
||||
RECIPE=lasuite-docs STAGES=install,custom cc-ci-run runner/run_recipe_ci.py
|
||||
===== DEPS: ['keycloak'] =====
|
||||
dep: deploying keycloak -> keyc-c12afe.ci.commoninternet.net
|
||||
dep: keycloak ready @ keyc-c12afe.ci.commoninternet.net
|
||||
===== TIER: install ===== 2 PASS (generic + cc-ci overlay)
|
||||
===== TIER: custom ===== 1 PASS (test_oidc_password_grant_against_dep_keycloak)
|
||||
===== DEPS teardown =====
|
||||
===== RUN SUMMARY =====
|
||||
deploy-count = 2 (expect 2)
|
||||
```
|
||||
|
||||
The OIDC test asserts iss/azp/typ/exp on a real JWT — non-vacuous. The "dependent recipe deploys
|
||||
its provider and runs an OIDC login test in one run" gate acceptance is met.
|
||||
|
||||
**Q2.2 authentik DEFERRED.** Q2 acceptance is keycloak-proven; authentik enrollment is
|
||||
provider-pluggable (mirror the setup_keycloak_realm shape into a setup_authentik_provider when
|
||||
a recipe declares authentik as its dep). Logged in BACKLOG-2; will land when Q3 lights up an
|
||||
authentik-dependent recipe.
|
||||
|
||||
**Secondary fix during the stretch — F2-3 systemic** (`47f7cb4`): the same Playwright-error
|
||||
escape that bit n8n bit custom-html during the deps-smoke test. Centralized the fix in
|
||||
`runner/harness/browser.py::goto_with_retry` and applied to ALL install overlays + the
|
||||
custom-html playwright smoke. Cold-verified on custom-html (all 5 stages PASS).
|
||||
|
||||
**Lesson:** the F2-3 fix should have been centralized the first time, not just patched
|
||||
in-place on n8n. The cost of the rework was ~50 lines and one extra cold run. Worth it for the
|
||||
generality. From now on: when a recipe-overlay needs a robustness pattern, ask if it generalizes
|
||||
to a shared helper BEFORE fixing in-place.
|
||||
|
||||
Q2 CLAIMED; awaiting Adversary cold-verify. Continuing on Q3 (SSO-dependent suite) in parallel.
|
||||
|
||||
@ -49,12 +49,76 @@ tree must carry:
|
||||
- **Q5** — Completeness + docs; flip `## DONE`.
|
||||
|
||||
## In flight
|
||||
**Q2 — SSO providers (keycloak + authentik).** Q1 Adversary PASS landed. Keycloak Phase-2 content
|
||||
drafted (PARITY.md + 3 functional tests: parity health_check + password_grant_token + create_client_and_use); e2e in flight (background task `bxnhxrolk`, log `/root/ccci-q2-keycloak-r2.log`).
|
||||
First e2e attempt (`bmdkj7egr`) failed with `not healthy over HTTPS /realms/master (last status
|
||||
502)` at 600s; bumped DEPLOY_TIMEOUT + HTTP_TIMEOUT to 900s in `tests/keycloak/recipe_meta.py`.
|
||||
Working toward Q3 (SSO-dependent suite). Q2 fully claimed pending Adversary verify (see Gate
|
||||
below). Q2.1 keycloak (parity + JWT password-grant + client_credentials), Q2.3 dep resolver +
|
||||
SSO-setup harness primitives, Q2.4 acceptance (lasuite-docs + keycloak dep + OIDC password grant)
|
||||
all landed. Q2.2 authentik enrollment is the remaining open item — deferred pending Adversary's
|
||||
Q2 PASS as it's lower-priority (the SSO harness is provider-pluggable and Q2.4 acceptance is
|
||||
already proven via keycloak).
|
||||
|
||||
## Gate
|
||||
**Gate: Q2 — CLAIMED, awaiting Adversary @2026-05-28** (commits `d5f5e86` Q2.1 keycloak; `4d6b040`
|
||||
Q2.3 dep resolver + SSO harness primitives; `47f7cb4` harness.browser hardening across all install
|
||||
overlays; `9e88741` Q2.4 acceptance). Acceptance per plan §6 Q2: "a dependent recipe deploys its
|
||||
provider + runs an OIDC login test in one run." Proven cold:
|
||||
|
||||
**Objective evidence pointers (Q2):**
|
||||
- **Q2.1 keycloak parity + 2 NEW specific tests** — commit `d5f5e86`:
|
||||
- `tests/keycloak/functional/test_health_check.py` — parity port.
|
||||
- `tests/keycloak/functional/test_password_grant_token.py` — password grant, JWT decoded, claims
|
||||
(iss/azp/typ/exp/iat) validated.
|
||||
- `tests/keycloak/functional/test_create_client_and_use.py` — admin-API client CRUD +
|
||||
client_credentials grant + JWT azp/iss validation + idempotent cleanup.
|
||||
- `oidc_integration.py` parity deferred to Q3 (cross-recipe; see PARITY.md note).
|
||||
- Bumped DEPLOY_TIMEOUT + HTTP_TIMEOUT to 900s.
|
||||
- Cold e2e (log `/root/ccci-q2-keycloak-r3.log`): all 5 stages PASS, deploy-count=1,
|
||||
`head_ref=666649a6 == chaos-version=666649a6`, version `10.7.0+26.6.1 → 10.7.1+26.6.2`.
|
||||
|
||||
- **Q2.3 dep resolver + SSO-setup harness primitives** — commit `4d6b040`:
|
||||
- `runner/harness/deps.py` — declared_deps + dep_domain + deploy_deps + teardown_deps + JSON
|
||||
run state. Subsumes Q0.4 (dep resolver).
|
||||
- `runner/harness/sso.py` — setup_keycloak_realm + oidc_password_grant +
|
||||
assert_discovery_endpoint. Reusable by every SSO-dependent recipe (Q3 will exercise).
|
||||
- `runner/run_recipe_ci.py` — wired in dep deploy BEFORE recipe-under-test, dep teardown
|
||||
AFTER in finally (reverse order). DG4.1 expected count = 1 + len(deps).
|
||||
- `tests/conftest.py` — `deps_apps` fixture exposes dep domains to dependent tests.
|
||||
- 7 new unit tests in `tests/unit/test_deps.py`; **28/28 unit tests PASS** cold.
|
||||
|
||||
- **Q2.4 acceptance (the gate)** — commit `9e88741`, log `/root/ccci-q24-lasuite-keycloak.log`:
|
||||
- `tests/lasuite-docs/recipe_meta.py` declares `DEPS = ["keycloak"]`.
|
||||
- `tests/lasuite-docs/functional/test_oidc_with_keycloak.py`:
|
||||
- Asserts `deps_apps["keycloak"]` is the per-run dep domain.
|
||||
- Calls `harness.sso.setup_keycloak_realm` → realm/client/user.
|
||||
- GETs OIDC discovery; asserts `issuer == https://<kc>/realms/lasuite-docs`.
|
||||
- Performs password grant → JWT; asserts iss/azp/typ/exp claims.
|
||||
- Cold-run output:
|
||||
```
|
||||
===== DEPS: ['keycloak'] =====
|
||||
dep: deploying keycloak -> keyc-c12afe.ci.commoninternet.net
|
||||
dep: keycloak ready @ keyc-c12afe.ci.commoninternet.net
|
||||
===== TIER: install ===== 2 PASS (generic + cc-ci overlay)
|
||||
===== TIER: custom ===== 1 PASS (test_oidc_password_grant_against_dep_keycloak)
|
||||
===== DEPS teardown =====
|
||||
===== RUN SUMMARY =====
|
||||
deploy-count = 2 (expect 2)
|
||||
```
|
||||
|
||||
- **F2-3 systemic fix** — commit `47f7cb4`: `runner/harness/browser.py::goto_with_retry`
|
||||
centralizes the F2-3 try/except PlaywrightError pattern; applied to **all** install overlays
|
||||
using page.goto (custom-html, n8n, keycloak, cryptpad, lasuite-docs) + the custom-html
|
||||
playwright/test_browser_smoke. Cold e2e (custom-html, log `/root/ccci-q2-customhtml-r2.log`):
|
||||
all 5 stages PASS, deploy-count=1, HC1 non-vacuous.
|
||||
|
||||
**Reference command for Adversary (cold, on cc-ci):**
|
||||
```
|
||||
ssh cc-ci 'cd /root/<your-clone> && \
|
||||
cc-ci-run -m pytest tests/unit -v && \
|
||||
RECIPE=keycloak cc-ci-run runner/run_recipe_ci.py && \
|
||||
RECIPE=lasuite-docs STAGES=install,custom cc-ci-run runner/run_recipe_ci.py'
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**Gate: Q1 — Adversary PASS @2026-05-28** (REVIEW-2 `## Q1 — PASS @2026-05-28 (re-verify after
|
||||
F2-3 + F2-4 fixes)`; cold e2e on `/root/adv-verify` HEAD `fc89552` → all 5 stages PASS,
|
||||
deploy-count=1, HC1 non-vacuous; F2-3 + F2-4 CLOSED; NO VETO). Builder may advance to Q2.
|
||||
|
||||
Reference in New Issue
Block a user