Sanitized single-commit public mirror of recipe-maintainer. - Removed test-ssh/.testenv (live creds); added test-ssh/.testenv.example placeholders. - Removed plans/ and planned-updates/ (deployment-planning docs) so no client/ deployment domains appear in the public repo. - All other secret stores were already gitignored. - docs.coopcloud.tech retained as a submodule (public upstream).
101 lines
4.4 KiB
Markdown
# La Suite Drive Tests

## Requires

- keycloak

## Target

- **URL:** https://lasuite-drive.<DOMAIN_SUFFIX>
- **Keycloak:** https://keycloak.<DOMAIN_SUFFIX> (realm: `lasuite-drive`)

## Prerequisites

Keycloak (`keycloak.<DOMAIN_SUFFIX>`) must be deployed before testing lasuite-drive. The OIDC login test and any manual authentication testing depend on it. If Keycloak is not running, deploy it first with `/recipe-deploy keycloak`.

## Automated Checks

Run the scripts in `tests/` to perform automated testing:

- `tests/health_check.py` — Confirms the instance is reachable and returns HTTP 200.
- `tests/wopi_configured.py` — Verifies WOPI discovery endpoints are reachable:
  1. Checks Collabora discovery endpoint returns valid WOPI XML
  2. Checks OnlyOffice discovery endpoint returns valid WOPI XML

- `tests/wopi_on_startup.py` — Confirms WOPI configuration runs automatically on celery worker startup:
  1. Checks celery worker container logs for the entrypoint WOPI trigger message
  2. Verifies the trigger completed without errors

- `tests/celery_beat_wopi.py` — Verifies Celery Beat WOPI scheduling:
  1. Confirms the `celery-beat` service is running
  2. Confirms the old `scheduler` service is removed
  3. Waits up to 90s for the WOPI configuration task to fire and checks logs via SSH

  **Thorough mode only.** This test sleeps ~15-90 seconds waiting for the Celery Beat scheduler to fire. Skip in quick mode. Requires the test instance to have `WOPI_CONFIGURATION_CRONTAB_MINUTE=*` and `WOPI_CONFIGURATION_CRONTAB_HOUR=*` set so the task fires every minute.

- `tests/oidc_login.py` — Tests the full OIDC authentication flow end-to-end:
  1. Verifies Drive's `/api/v1.0/authenticate/` redirects to Keycloak
  2. Obtains an access token from Keycloak via direct access grant (password flow)
  3. Calls Drive's `/api/v1.0/users/me/` with the token and verifies the correct user is returned

This test reads credentials from `keycloak-test-credentials.<DOMAIN_SUFFIX>.toml`.
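
The "valid WOPI XML" check in `tests/wopi_configured.py` can be made concrete as follows. This is an added example, not the repository's test code; the sample document, the host `collabora.example.test` and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of a WOPI discovery document (not captured from a real instance).
SAMPLE_DISCOVERY = """<wopi-discovery>
  <net-zone name="external-https">
    <app name="writer">
      <action ext="odt" name="edit" urlsrc="https://collabora.example.test/browser/abc/cool.html?"/>
      <action ext="docx" name="edit" urlsrc="https://collabora.example.test/browser/abc/cool.html?"/>
    </app>
    <app name="calc">
      <action ext="ods" name="edit" urlsrc="http://collabora.example.test/browser/abc/cool.html?"/>
    </app>
  </net-zone>
</wopi-discovery>"""


def check_wopi_discovery(xml_text, expected_host):
    """Return (actions, problems): an ext -> urlsrc map plus a list of findings."""
    # Discovery XML never needs a DTD; refuse one instead of letting the parser expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return {}, ["document declares a DOCTYPE or ENTITY"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {}, [f"not well-formed XML: {exc}"]
    if root.tag != "wopi-discovery":
        return {}, [f"unexpected root element <{root.tag}>"]
    actions, problems = {}, []
    for action in root.iter("action"):
        ext, urlsrc = action.get("ext"), action.get("urlsrc", "")
        if not ext:
            continue
        url = urlsplit(urlsrc)
        # The browser is sent to urlsrc together with a WOPI access token,
        # so a plaintext or unexpected editor URL is a finding, not a pass.
        if url.scheme != "https":
            problems.append(f"{ext}: urlsrc is not https")
        if url.hostname != expected_host:
            problems.append(f"{ext}: urlsrc host {url.hostname!r} != {expected_host!r}")
        actions[ext] = urlsrc
    if not actions:
        problems.append("no <action> elements with an ext attribute")
    return actions, problems
```
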

## Keycloak OIDC Integration

La Suite Drive **requires** an OIDC provider. The test instance uses Keycloak at `keycloak.<DOMAIN_SUFFIX>`.

### Setup

Run `setup_keycloak_integration.py` to configure everything automatically. The script:

1. Creates a `lasuite-drive` realm in Keycloak
2. Creates a `drive` OIDC client (confidential, standard flow + direct access grants)
3. Creates a test user (`testuser` / `testpass123`)
4. Inserts the OIDC client secret into the Drive app via `abra app secret insert`
5. Updates the Drive env file with `OIDC_REALM`, `AUTH_DOMAIN`, `OIDC_RP_CLIENT_ID`
6. Writes all credentials to `keycloak-test-credentials.<DOMAIN_SUFFIX>.toml`

After running the setup script, redeploy Drive:

```
abra app deploy lasuite-drive.<DOMAIN_SUFFIX> --chaos --force --no-input
```

The script is idempotent — it skips resources that already exist and resets the test user password.

### Credentials

All Keycloak credentials are stored in `keycloak-test-credentials.<DOMAIN_SUFFIX>.toml` (sourceable):

| Variable | Description |
|----------|-------------|
| `KC_ADMIN_USER` / `KC_ADMIN_PASS` | Keycloak admin (master realm) |
| `KC_REALM` | Keycloak realm name (`lasuite-drive`) |
| `KC_CLIENT_ID` / `KC_CLIENT_SECRET` | OIDC client ID and secret |
| `KC_TEST_USER` / `KC_TEST_PASS` | Test user credentials |
| `KC_TEST_EMAIL` | Test user email |

### Key Endpoints

| Endpoint | Purpose |
|----------|---------|
| `https://lasuite-drive.<DOMAIN_SUFFIX>/api/v1.0/authenticate/` | Initiates OIDC login (302 redirect to Keycloak) |
| `https://lasuite-drive.<DOMAIN_SUFFIX>/api/v1.0/callback/` | OIDC callback (Keycloak redirects here after login) |
| `https://keycloak.<DOMAIN_SUFFIX>/realms/lasuite-drive/protocol/openid-connect/token` | Keycloak token endpoint |
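
A stricter form of step 1 of `tests/oidc_login.py`, checking where the 302 from `/api/v1.0/authenticate/` points and what it carries. This is an added example, not the repository's test code. Assumptions: `example.test` stands in for `<DOMAIN_SUFFIX>`, the authorization path mirrors the token endpoint path in the table above, and the function name and sample URL are constructed.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed values: example.test stands in for <DOMAIN_SUFFIX>.
DRIVE = "https://lasuite-drive.example.test"
KEYCLOAK_HOST = "keycloak.example.test"
REALM, CLIENT_ID = "lasuite-drive", "drive"

# Constructed Location header of a well-formed authorization redirect.
GOOD_LOCATION = f"https://{KEYCLOAK_HOST}/realms/{REALM}/protocol/openid-connect/auth?" + urlencode({
    "response_type": "code", "client_id": CLIENT_ID, "scope": "openid email",
    "redirect_uri": f"{DRIVE}/api/v1.0/callback/",
    "state": "constructed-state", "nonce": "constructed-nonce"})


def check_authorize_redirect(status, location):
    """Validate the response of GET /api/v1.0/authenticate/; return a list of problems."""
    problems = []
    if status != 302:
        problems.append(f"expected 302, got {status}")
    url = urlsplit(location or "")
    query = parse_qs(url.query)

    def one(name):
        values = query.get(name, [])
        return values[0] if len(values) == 1 else None  # duplicated parameters are rejected

    if url.scheme != "https" or url.hostname != KEYCLOAK_HOST:
        problems.append("redirect does not target the Keycloak host over https")
    # Assumed authorization path, mirroring the token endpoint path listed above.
    if url.path != f"/realms/{REALM}/protocol/openid-connect/auth":
        problems.append(f"unexpected authorization path {url.path!r}")
    if one("client_id") != CLIENT_ID:
        problems.append("client_id is not the Drive client")
    if one("response_type") != "code":
        problems.append("response_type is not 'code' (standard flow)")
    if one("redirect_uri") != f"{DRIVE}/api/v1.0/callback/":
        problems.append("redirect_uri is not Drive's callback endpoint")
    if "openid" not in (one("scope") or "").split():
        problems.append("scope does not include 'openid'")
    if not one("state"):
        problems.append("state parameter missing (callback is not bound to this login attempt)")
    return problems
```
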

## Post-Deploy Steps

After deploying Drive for the first time, run:

1. **Migrations:** `script -qefc 'abra app cmd lasuite-drive.<DOMAIN_SUFFIX> backend migrate --no-input' /dev/null`
2. **Minio buckets:** `abra app restart lasuite-drive.<DOMAIN_SUFFIX> minio-createbuckets --no-input` (will appear to hang — this is expected)
3. **Keycloak integration:** `python3 setup_keycloak_integration.py` then redeploy

## Manual Verification

1. Open https://lasuite-drive.<DOMAIN_SUFFIX> in a browser.
2. Confirm the La Suite Drive landing page loads without errors.
3. Click "Login" and verify the OIDC redirect to Keycloak works.
4. Log in with test credentials (`testuser` / `testpass123`).
5. After logging in, verify you can create and open a document.