From 1280dbb517665b8729f350f0ca16443cb3fc18ff Mon Sep 17 00:00:00 2001
From: Ryc O'Chet
Date: Sun, 12 Apr 2026 21:42:43 +0100
Subject: [PATCH] Initial thoughts
---
e2e/README.md | 28 +++++++++++++++++++++
e2e/compose.base.yaml | 10 ++++++++
e2e/compose.traefik.yaml | 44 +++++++++++++++++++++++++++++++++
e2e/compose.yaml | 53 ++++++++++++++++++++++++++++++++++++++++
e2e/test.sh | 2 ++
5 files changed, 137 insertions(+)
create mode 100644 e2e/README.md
create mode 100644 e2e/compose.base.yaml
create mode 100644 e2e/compose.traefik.yaml
create mode 100644 e2e/compose.yaml
create mode 100644 e2e/test.sh
diff --git a/e2e/README.md b/e2e/README.md
new file mode 100644
index 0000000..33f7121
--- /dev/null
+++ b/e2e/README.md
@@ -0,0 +1,28 @@
+# E2E Framework
+
+[Project link](https://github.com/orgs/tinyauthapp/projects/1/views/1)
+
+This is designed as an E2E framework to be able to test for changes in common proxy and application apps that tinyauth users are likely to use.
+
+This is **not** designed to test functionality, it is a [Canary](https://en.wikipedia.org/wiki/Sentinel_species#Canaries). All functionailty testing is already done by Unit tests within the standard tinyauth PR / release workflows.
+
+## Design
+
+Primary testing is via Docker, although a minimal Kubernetes stack is also planned.
+
+Initially this is being created to test the proxy connection, and ability to login.
+
+Testing of endpoints and providers will be done via `traefik`.
+
+It requires at least two endpoints, one will be `whoami` as an easy "is this working", but it also later requires an OIDC test (TBD), and a nested HTTP Auth (TBD).
+
+It should test against all "known" Oauth providers (ie, the ones that are specifically mentioned in the documentation, including community supplied if possible).
+
+> [!NOTE]
+> This requires having both Google and Github logins for the built-in providers, so security for those on a public E2E setup must be taken into account.
+
+## Running
+
+Run the <./test.sh> script, this handles everything for all tests.
+
+TODO: Implement options to limit testing to specific proxies and auth services.
diff --git a/e2e/compose.base.yaml b/e2e/compose.base.yaml
new file mode 100644
index 0000000..2935eca
--- /dev/null
+++ b/e2e/compose.base.yaml
@@ -0,0 +1,10 @@
+# This contains base apps without any proxy information
+
+services:
+ tinyauth:
+ image: ${TINYAUTH_IMAGE:-ghcr.io/steveiliop56/tinyauth}:${TINYAUTH_IMAGE_TAG:-v5}
+ environment:
+ TINYAUTH_ANALYTICS_ENABLED: "false"
+ TINYAUTH_APPURL: "https://tinyauth.${DOMAIN:-local}"
+ volumes:
+ - "./config:/data"
diff --git a/e2e/compose.traefik.yaml b/e2e/compose.traefik.yaml
new file mode 100644
index 0000000..bba27ee
--- /dev/null
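Review bot: The `./config:/data` volume in `e2e/compose.base.yaml` is the same host directory that `e2e/compose.traefik.yaml` mounts writable at `/etc/traefik`, so tinyauth's data and Traefik's configuration share one tree and each container can read or overwrite the other's files. Separate sub-directories would keep them apart, for example `- "./config/tinyauth:/data"` here and `- "./config/traefik:/etc/traefik:ro"` on the proxy, assuming Traefik does not need to write there. The two paths only coincide if both files are loaded from `e2e/`, which the patch layout suggests.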
+++ b/e2e/compose.traefik.yaml
@@ -0,0 +1,44 @@
+# This contains Traefik proxy versions
+# All apps must be prefixed by `traefik-`
+
+services:
+ traefik:
+ container_name: traefik
+ image: ${TRAEFIK_IMAGE:-traefik}:${TRAEFIK_IMAGE_TAG:-v3}
+ networks:
+ - e2e
+ environment:
+ TZ: "${TZ:-Europe/London}"
+ PUID: "${PUID:-1000}"
+ PGID: "${PGID:-1000}"
+ UMASK: "000"
+ command:
+ - "--entryPoints.web.address=:80"
+ - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
+ - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+ - "--entryPoints.websecure.address=:443"
+ - "--providers.docker=true"
+ - "--providers.docker.endpoint=/var/run/docker.sock"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ - "./.ssl/key.pem:/run/secrets/key.pem:ro"
+ - "./.ssl/cert.pem:/run/secrets/cert.pem:ro"
+ - "./config:/etc/traefik"
+
+ traefik-tinyauth:
+ container_name: traefik-tinyauth
+ extends:
+ file: ../compose.base.yaml
+ service: tinyauth
+ networks:
+ e2e-external:
+ e2e:
+ aliases:
+ - "traefik-tinyauth.$DOMAIN"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.tinyauth.rule=Host(`tinyauth.$DOMAIN`)"
+ - "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
+ - "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
+ - "traefik.http.middlewares.tinyauth.forwardauth.authResponseHeaders=X-Forwarded-User"
+ - "traefik.http.middlewares.tinyauth.forwardauth.maxResponseBodySize=32768"
diff --git a/e2e/compose.yaml b/e2e/compose.yaml
new file mode 100644
index 0000000..a10eff4
--- /dev/null
+++ b/e2e/compose.yaml
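Review bot: The `traefik` service is given the host Docker socket, and the `:ro` flag on `/var/run/docker.sock:/var/run/docker.sock:ro` only protects the socket file, not the API behind it, so the container can still make any request the daemon accepts. Because the README anticipates a public E2E setup holding Google and GitHub credentials, I would put a filtering socket proxy between Traefik and the daemon and add `- "--providers.docker.exposedByDefault=false"`, so that only containers labelled `traefik.enable=true` are routed. Separately, `file: ../compose.base.yaml` appears to resolve above `e2e/`, while the commit creates `e2e/compose.base.yaml`; `file: ./compose.base.yaml` looks intended, and the same path is used in `e2e/compose.yaml`. The forwardauth address uses the host name `tinyauth`, but the service and container are named `traefik-tinyauth`, so that name probably does not resolve on the `e2e` network.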
@@ -0,0 +1,53 @@
+name: tinyauth-e2e
+
+services:
+ traefik-tinyauth:
+ container_name: traefik-tinyauth
+ extends:
+ file: ../compose.base.yaml
+ service: tinyauth
+ networks:
+ e2e-external:
+ e2e:
+ aliases:
+ - "traefik-tinyauth.$DOMAIN"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.tinyauth.rule=Host(`tinyauth.$DOMAIN`)"
+ - "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
+ - "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
+ - "traefik.http.middlewares.tinyauth.forwardauth.authResponseHeaders=X-Forwarded-User"
+ - "traefik.http.middlewares.tinyauth.forwardauth.maxResponseBodySize=32768"
+
+ traefik-tinyauth-google:
+ container_name: traefik-tinyauth-google
+ secrets:
+ - google_client_secret
+ environment:
+ TINYAUTH_OAUTH_PROVIDERS_GOOGLE_CLIENTID: "$GOOGLE_CLIENT_ID"
+ TINYAUTH_OAUTH_PROVIDERS_GOOGLE_CLIENTSECRETFILE: "/run/secrets/google_client_secret"
+ TINYAUTH_OAUTH_WHITELIST: "${WHITELIST:?Set the WHITELIST to your google email address!}"
+
+ whoami:
+ image: traefik/whoami:latest
+ networks:
+ e2e:
+ aliases:
+ - "whoami.$DOMAIN"
+ labels:
+ traefik.enable: true
+ traefik.http.routers.whoami.rule: Host(`whoami.$DOMAIN`)
+ traefik.http.routers.whoami.middlewares: tinyauth
+
+networks:
+ e2e-external:
+ name: "e2e-external"
+ driver: bridge
+ enable_ipv4: true
+ enable_ipv6: true
+ e2e:
+ name: "e2e"
+ driver: bridge
+ internal: true
+ enable_ipv4: true
+ enable_ipv6: false
diff --git a/e2e/test.sh b/e2e/test.sh
new file mode 100644
index 0000000..f682536
--- /dev/null
+++ b/e2e/test.sh
@@ -0,0 +1,2 @@
+#! /bin/bash
+
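Review bot: In `e2e/compose.yaml`, `traefik-tinyauth-google` declares neither `image` nor `extends`, and the `google_client_secret` it lists under `secrets:` has no matching top-level `secrets:` entry in this file, so Compose will most likely reject the project before anything starts. I would extend the base `tinyauth` service the way `traefik-tinyauth` does, attach it to the networks it needs, and declare the secret from a file that is kept out of version control. `GOOGLE_CLIENT_ID` could take the same `${VAR:?message}` guard as `WHITELIST`, so that an unset client ID is caught at start-up. The bare `$DOMAIN` in the aliases and `Host()` rules expands to an empty string when unset, whereas `compose.base.yaml` falls back to `local`.

```yaml
  traefik-tinyauth-google:
    container_name: traefik-tinyauth-google
    extends:
      file: ./compose.base.yaml
      service: tinyauth
    networks:
      e2e-external:
      e2e:
    # … unchanged: secrets, environment …

# … unchanged: whoami service, top-level networks …

secrets:
  google_client_secret:
    # placeholder path; keep this file out of the repository
    file: ./PATH/TO/google_client_secret
```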