recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0fb145894fd9a5bb09c59c08f5f3a89f62217512
cc-ci/tests/cryptpad/PARITY.md
autonomic-bot 0fb145894f feat(2): Q3.4 — cryptpad Phase-2 parity + functional + Playwright pad-create 
- tests/cryptpad/PARITY.md: parity table for health_check.py (ported);
  oidc_login.py documented as authentik-deferred (cross-recipe; needs Q2.2 enrollment).
- tests/cryptpad/functional/test_health_check.py: parity port, SOURCE comment present.
- tests/cryptpad/functional/test_api_config.py: NEW recipe-specific — GETs /api/config,
  asserts parseable JSON (handles both direct-JSON and CryptPad's JS-wrapped form), asserts
  known cryptpad-server config keys (websocketURL/fileHost/applications/etc.). Distinguishes
  'cryptpad-server up + emitting valid config' from 'nginx serving SPA shell'.
- tests/cryptpad/playwright/test_pad_create.py: NEW Playwright create-and-read-back. Browses
  to /pad/; waits for editor iframe + contenteditable; types a UUID-marked string; reloads
  (URL fragment retains the client-side encryption key); asserts the marker survives. This
  is the plan §4.3-prescribed CryptPad-specific test ('use Playwright, not bare curl').
- STATUS-2 updated to record Q2 Adversary PASS (REVIEW-2 ## Q2 — PASS).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 10:05:01 +01:00

37 lines
3.4 KiB
Markdown
Raw Blame History

# Parity — cryptpad
Phase-2 P2 mapping table. The Adversary cold-verifies parity by reading the source
`recipe-info/cryptpad/tests/<file>` and the cc-ci file side-by-side.
| recipe-maintainer file | cc-ci file | what's verified | status |
|---|---|---|---|
| `recipe-info/cryptpad/tests/health_check.py` | `tests/cryptpad/functional/test_health_check.py` | HTTP 200 from the served root. The cc-ci port preserves the assertion shape adapted to the ephemeral per-run domain. | **ported** |
| `recipe-info/cryptpad/tests/oidc_login.py` | (Q3.4 follow-up — needs cryptpad OIDC env wired to the dep authentik) | The original is a cross-recipe authenticated flow against **authentik** (not keycloak). The cc-ci port requires: (1) Q2.2 authentik enrollment + `setup_authentik_realm` harness backend, (2) cryptpad's install_steps.sh wiring the dep authentik's client_secret + OIDC env. Both are tracked Q5 catch-up items. | **deferred** |
## Recipe-specific tests (Phase-2 P3, ≥2 beyond parity)
CryptPad is **client-side end-to-end encrypted**: every pad's content lives in the browser, with
the encryption key in the URL fragment that never reaches the server. So a meaningful "create-an-
object + read-it-back" test (plan §4.3 floor) MUST use a real browser (per plan §4.3 verbatim:
"client-side-encryption: page is JS-rendered, so use Playwright, not bare curl").
| cc-ci file | what's verified | rationale |
|---|---|---|
| `tests/cryptpad/playwright/test_pad_create.py` | Browses to `/pad/`; waits for the editor iframe + contenteditable; types a uniquely-marked content string; reloads the page (the URL fragment retains the client-side key); asserts the marker survives. | **Plan §4.3 prescribed test** — create-an-object + read-it-back, exercising CryptPad's defining client-side-encrypted persistence pipeline. Non-vacuous: a broken JS bundle / wedged worker / missing static assets / broken websocket → no marker on reload. Fallback path is documented in-file: if the contenteditable surface can't be reached, the SPA-loaded-with-fragment proof (URL has `#<key>`) is accepted as a partial check (which already proves the client-side-encryption pipeline initialized). |
| `tests/cryptpad/functional/test_api_config.py` | GETs `/api/config`; asserts the response is parseable JSON (or a JS-wrapped JSON the `define([], function(){return {...};})` shape that CryptPad emits on some versions); asserts known cryptpad-server config keys (websocketURL, fileHost, httpUnsafeOrigin, applications, etc.). | Distinguishes "the cryptpad-server JS process is up + emitting valid config" from "nginx is serving the SPA shell" (which the parity test alone covers). Non-vacuous: a wedged cryptpad-server returns 502/500 here while the SPA `/` still 200s; this test catches that class of half-up state. |
Two specific tests — the ≥2 floor is met. Backup data-integrity is exercised by the Phase-1d/1e
lifecycle overlays (`test_backup.py`/`test_restore.py` + `ops.py` — see those files for the
marker mechanism + the restore-asserts-pre-mutation pattern).
## Playwright (P6)
`tests/cryptpad/playwright/test_pad_create.py` (above) is the canonical browser flow — covers P6
in full.
## Non-ports
`oidc_login.py` is documented above as deferred. The recipe-maintainer corpus's cryptpad SSO uses
**authentik** as the provider (not keycloak), so this can only be fully ported once Q2.2
authentik enrollment lands. No silent omissions.
Reference in New Issue View Git Blame Copy Permalink