# Authentik Test Plan

Target: `https://authentik.`

## Services

| Service | Image | Purpose |
|---------|-------|---------|
| app | `ghcr.io/goauthentik/server` | Web server (port 9000) |
| worker | `ghcr.io/goauthentik/server` | Background worker |
| db | `postgres:15` | PostgreSQL database |

## Test Setup

Before running all tests, the following must be in place:

### 1. Deploy authentik

```bash
abra app deploy authentik. --chaos --force --no-input
```

### 2. Deploy the ld2 instance (test dependency)

The OIDC integration test uses a second La Suite Docs instance (`ld2`) as the relying party. This is separate from the primary `lasuite-docs` instance (which uses Keycloak for SSO).

If `ld2` does not exist yet, create it:

```bash
abra app new lasuite-docs --server --domain ld2. --no-input
abra app secret generate ld2. --all -m --no-input
abra app deploy ld2. --chaos --force --no-input
```

If it already exists, just deploy:

```bash
abra app deploy ld2. --chaos --force --no-input
```

### 3. Run the Authentik-Docs integration setup

```bash
python3 recipe-info/authentik/setup_docs_integration.py
```

This configures authentik as the OIDC provider for ld2:

1. Creates an OAuth2 provider (`lasuite-docs`) via the authentik REST API
2. Creates an Application linked to the provider
3. Creates a test user (`testuser` / `testpass123`) with an APP_PASSWORD token
4. Inserts the OIDC client secret into the ld2 Docs app via `abra app secret insert`
5. Updates the ld2 env file with authentik OIDC endpoints
6. Writes credentials to `authentik-test-credentials..toml`

### 4. Redeploy ld2 with OIDC config

```bash
abra app deploy ld2. --chaos --force --no-input
```

## Automated Tests

- `tests/health_check.py` — HTTP 200 check on the main URL
- `tests/oidc_integration.py` — Full OIDC flow: obtains a token from authentik for a test user, then authenticates against the ld2 La Suite Docs API

### Credentials

| Key | Description |
|-----|-------------|
| `ak_token` | Authentik admin bootstrap token |
| `ak_client_id` / `ak_client_secret` | OIDC client ID and secret |
| `ak_test_user` / `ak_test_pass` | Test user credentials (password for browser login) |
| `ak_test_app_password` | APP_PASSWORD token for password grant (authentik requires this instead of regular passwords) |
| `ak_test_email` | Test user email |

Stored in `authentik-test-credentials..toml`.

## Manual Verification

1. Open `https://authentik.` in a browser — should show the authentik login page
2. Log in with admin credentials: `akadmin` / ``
3. Navigate to Admin Interface — should load the admin dashboard
4. Check System → System Tasks — background worker should be processing tasks
5. Navigate to Applications → Providers — verify `lasuite-docs` OAuth2 provider exists
6. Navigate to Applications → Applications — verify `lasuite-docs` application exists
7. Open `https://ld2.` — click Login and verify the OIDC redirect to authentik works
8. Log in as `testuser` / `testpass123` — should redirect back to Docs as the authenticated user
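
The token exchange that `tests/oidc_integration.py` is described as performing, sketched as an added example (this is not the project's test code). The function names, the scope string, the inclusion of the client secret in the form and the sample values are assumptions; the relying-party API URL is left as a parameter because the page does not name it.

```python
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/application/o/token/"  # authentik's OAuth2 token endpoint
# Constructed sample values, keyed like the credentials table above.
SAMPLE_CREDS = {"ak_client_id": "constructed-client-id", "ak_client_secret": "constructed-secret",
                "ak_test_user": "testuser", "ak_test_app_password": "constructed-app-password"}


def build_token_request(base_url, creds, scope="openid email profile"):
    """Build the password-grant request from the test credentials; nothing is sent."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send credentials to a non-HTTPS URL")
    form = {
        "grant_type": "password",
        "client_id": creds["ak_client_id"],
        "client_secret": creds["ak_client_secret"],  # assumption: sent with the grant
        "username": creds["ak_test_user"],
        # The APP_PASSWORD token goes here, not the browser login password.
        "password": creds["ak_test_app_password"],
        "scope": scope,
    }
    # urllib sends form data as application/x-www-form-urlencoded by default.
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH,
        data=urllib.parse.urlencode(form).encode(), method="POST")


def extract_access_token(body):
    """Validate a token response body and return the bearer token."""
    doc = json.loads(body)
    if "error" in doc:
        raise RuntimeError(f"token endpoint refused: {doc['error']}")
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise RuntimeError("response carries no bearer access token")
    return doc["access_token"]


def bearer_request(api_url, token):
    """Build the authenticated call to the relying party's API."""
    return urllib.request.Request(api_url, headers={"Authorization": f"Bearer {token}"})


def run(base_url, api_url, creds):
    """Live flow: token from authentik, then one authenticated call; returns the HTTP status."""
    with urllib.request.urlopen(build_token_request(base_url, creds), timeout=10) as r:
        token = extract_access_token(r.read())
    with urllib.request.urlopen(bearer_request(api_url, token), timeout=10) as r:
        return r.status
```

Only `run` touches the network; the other functions can be exercised offline against the sample values.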