This issue introduces a Bash-based end-to-end regression test harness that exercises the system using real API calls and Git operations.
The test path validates the full stack:
git client => Caddy reverse proxy => forward_auth => GitAuthController => authorization service => database => Sztabina Git service

The script executes two complementary test suites.
Suite A — Pull Request lifecycle regression
Validates that PR creation and merge workflows continue to work correctly after the authorization changes.
Coverage
Project types:
- LOCAL (Sztabina-hosted repositories)
- EXTERNAL repositories
Merge strategies:
- merge commit
- fast-forward
- squash
- rebase
For LOCAL repositories the script:
- clones the repository via Git
- creates a feature branch
- pushes a commit
- registers the branch in Sztab
- creates a pull request
- auto-approves the PR
- merges using each strategy
For EXTERNAL repositories the script:
- discovers existing branches
- creates and merges PRs without pushing new commits
This ensures that the PR pipeline works for both internal and external repository types.
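As an added example (not the harness from the issue), this is the check a practitioner would put after the merge step of the LOCAL flow: snapshot the base and feature tips, let the merge happen, fetch, and verify that the base branch history has the shape the chosen strategy must produce. The branch names (`main`, `feature`), the `simulate_server_merge` stand-in for the Sztab merge API, the throwaway bare repository standing in for the Sztabina-hosted one, and the assumption that a server-side rebase rewrites commits (fresh committer stamp, as GitHub does) are mine, not the page's.

```bash
#!/usr/bin/env bash
# Added example, not the harness from the issue. After the PR merge API has
# run, fetch the base branch and verify that its history has the shape the
# requested strategy must produce. Assumptions: base branch main, PR branch
# feature, and a server-side rebase rewrites commits (fresh committer stamp).

export GIT_AUTHOR_NAME=e2e GIT_AUTHOR_EMAIL=e2e@example.invalid
export GIT_COMMITTER_NAME=e2e GIT_COMMITTER_EMAIL=e2e@example.invalid

# Print the parents of <commit> in <repo>, space-separated (empty for a root commit).
parents_of() {
  local line
  line=$(git -C "$1" rev-list --parents -n1 "$2")
  case "$line" in *' '*) printf '%s\n' "${line#* }" ;; *) printf '\n' ;; esac
}

# has_parent <parent-list> <sha>: is <sha> one of the listed parents?
has_parent() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

# verify_merge_result <repo> <strategy> <base_before> <feature_tip> <base_after>
# Returns 0 when the commits between <base_before> and <base_after> match
# <strategy>, 1 otherwise. Push at least two feature commits: with a single
# commit a squash and a rebase leave identical shapes and cannot be told apart.
verify_merge_result() {
  local repo=$1 strategy=$2 before=$3 feat=$4 after=$5 fc new merges parents
  fc=$(git -C "$repo" rev-list --count "$before..$feat")       # commits the PR carried
  new=$(git -C "$repo" rev-list --count "$before..$after")     # commits the merge added
  merges=$(git -C "$repo" rev-list --merges --count "$before..$after")
  parents=$(parents_of "$repo" "$after")
  case "$strategy" in
    merge)         # one merge commit joining the old base tip and the feature tip
      [ "$new" -eq $((fc + 1)) ] && [ "$merges" -eq 1 ] &&
        has_parent "$parents" "$before" && has_parent "$parents" "$feat" ;;
    fast-forward)  # base now points at the pushed feature tip itself
      [ "$after" = "$feat" ] ;;
    squash)        # exactly one new non-merge commit sitting on the old base tip
      [ "$new" -eq 1 ] && [ "$merges" -eq 0 ] && [ "$parents" = "$before" ] && [ "$after" != "$feat" ] ;;
    rebase)        # same commit count, linear, rewritten (so not the pushed tip)
      [ "$new" -eq "$fc" ] && [ "$merges" -eq 0 ] && [ "$after" != "$feat" ] ;;
    *) echo "unknown strategy: $strategy" >&2; return 1 ;;
  esac
}

# check_strategy <repo> <strategy> <merge_fn>: snapshot origin/main and
# origin/feature, let <merge_fn> perform the merge (in the real harness: the
# Sztab merge API call), fetch, and verify what the server actually produced.
check_strategy() {
  local repo=$1 strategy=$2 merge_fn=$3 before feat after
  before=$(git -C "$repo" rev-parse refs/remotes/origin/main)
  feat=$(git -C "$repo" rev-parse refs/remotes/origin/feature)
  "$merge_fn" "$repo" "$strategy" || return 1
  git -C "$repo" fetch -q origin
  after=$(git -C "$repo" rev-parse refs/remotes/origin/main)
  verify_merge_result "$repo" "$strategy" "$before" "$feat" "$after"
}

# Constructed fixture: a throwaway bare origin (stand-in for the Sztabina-hosted
# repository), cloned, with main and a two-commit feature branch pushed. Prints the clone path.
make_fixture() {
  local root origin clone
  root=$(mktemp -d); origin=$root/origin.git; clone=$root/clone
  {
    git init -q --bare "$origin"
    git clone -q "$origin" "$clone" 2>/dev/null
    git -C "$clone" symbolic-ref HEAD refs/heads/main
    echo base >"$clone/README"; git -C "$clone" add README; git -C "$clone" commit -q -m initial
    git -C "$clone" push -q origin main
    git -C "$clone" checkout -q -b feature
    echo one >"$clone/a"; git -C "$clone" add a; git -C "$clone" commit -q -m 'feat: a'
    echo two >"$clone/b"; git -C "$clone" add b; git -C "$clone" commit -q -m 'feat: b'
    git -C "$clone" push -q origin feature
    git -C "$clone" checkout -q main
  } >/dev/null
  printf '%s\n' "$clone"
}

# Local stand-in for the server-side merge so the checks can be exercised offline.
# A real server rebase gets a fresh committer date; force one here so the SHAs differ.
simulate_server_merge() {
  local repo=$1
  git -C "$repo" checkout -q main
  case "$2" in
    merge)        git -C "$repo" merge -q --no-ff -m 'Merge PR' feature ;;
    fast-forward) git -C "$repo" merge -q --ff-only feature ;;
    squash)       git -C "$repo" merge -q --squash feature >/dev/null && git -C "$repo" commit -q -m 'Squash PR' ;;
    rebase)       GIT_COMMITTER_DATE='1893456000 +0000' git -C "$repo" rebase -q -f main feature &&
                  git -C "$repo" checkout -q main && git -C "$repo" merge -q --ff-only feature ;;
    *) return 1 ;;
  esac || return 1
  git -C "$repo" push -q origin main
}

# Stand-alone run: every strategy against a fresh fixture.
for s in merge fast-forward squash rebase; do
  r=$(make_fixture)
  if check_strategy "$r" "$s" simulate_server_merge; then echo "ok   $s"; else echo "FAIL $s"; fi
  rm -rf "$(dirname "$r")"
done
```

In the real run `simulate_server_merge` is replaced by the function that calls the Sztab merge API; `check_strategy` then reads the result back from `origin/main` after a fetch, so it verifies what the server wrote rather than what the client asked for. The two-commit feature branch is deliberate: with one commit, a squash and a rebase both yield a single new non-merge commit on the old base tip and the check could not distinguish them.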
Suite B — Authorization regression
Validates Git access control across the full authorization matrix.
Git access is tested by hitting the actual Git endpoint through Caddy:
/git/{project}.git/info/refs?service=git-upload-pack

This ensures that authorization is validated through the real request path instead of bypassing the reverse proxy.
Tested dimensions
User types:
- anonymous
- internal authenticated user
- external user
Project visibility:
- PRIVATE
- INTERNAL
- PUBLIC
Token scope:
- global PAT
- project-scoped PAT
Expected access model
| Scenario | Expected |
|---|---|
| Anonymous => PRIVATE | 401 |
| Anonymous => INTERNAL | 401 |
| Anonymous => PUBLIC | 200 |
| Internal user (global PAT) => any project | 200 |
| Internal user (scoped PAT) => own project | 200 |
| Internal user (scoped PAT) => other project | 403 |
| External user => PRIVATE | 403 |
| External user => INTERNAL | 403 |
| External user => PUBLIC | 200 |

This suite verifies that the GitHub-style authorization rules are correctly enforced.
Additional capabilities
The regression harness also includes:
- automatic environment setup checks (curl, git, jq)
- session-cookie authentication
- automatic project cleanup
- optional external user tests
- direct Git command integration
- database cleanup fallback for failed test runs
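An added example serving both the Suite B matrix and the environment setup check listed above; it is not the harness from the issue. The expected access model is encoded as data and compared, case by case, with the status that the real `/git/{project}.git/info/refs?service=git-upload-pack` endpoint returns through Caddy. `BASE_URL`, the project and credential environment variable names, and sending the PAT as the Basic-auth password are my assumptions; the page does not say how Sztab accepts PATs.

```bash
#!/usr/bin/env bash
# Added example, not the harness from the issue. The expected access model is
# data; every probe hits the real info/refs endpoint through Caddy; any
# deviation fails the run. Assumptions not on the page: BASE_URL is the Caddy
# listener, PATs are sent as the Basic-auth password, and the project and
# credential variables named in run_matrix exist in the environment.

: "${BASE_URL:=https://sztab.example.invalid}"   # assumed Caddy front door

# Environment setup check: the harness needs curl, git and jq on PATH.
require_tools() {
  local t
  for t in curl git jq; do
    command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
  done
}

# expected_status <user> <visibility> <scope> <own-project>
#   user: anonymous|internal|external   visibility: PRIVATE|INTERNAL|PUBLIC
#   scope: global|scoped (internal PAT), pat (external), none (anonymous)
#   own-project: yes|no (was the scoped PAT issued for this project?)
expected_status() {
  case "$1:$2:$3:$4" in
    anonymous:PUBLIC:*:*)  echo 200 ;;
    anonymous:*:*:*)       echo 401 ;;   # challenge, so the git client prompts for credentials
    internal:*:global:*)   echo 200 ;;
    internal:*:scoped:yes) echo 200 ;;
    internal:*:scoped:no)  echo 403 ;;
    external:PUBLIC:*:*)   echo 200 ;;
    external:*:*:*)        echo 403 ;;
    *) echo "unknown scenario: $1 $2 $3 $4" >&2; return 1 ;;
  esac
}

# http_status <project> <login> <secret>: status of the upload-pack advertisement
# fetched through the proxy. Empty <login> means anonymous. curl prints 000 when it
# cannot connect, which then surfaces as a mismatch instead of a silent skip.
http_status() {
  local url="$BASE_URL/git/$1.git/info/refs?service=git-upload-pack"
  if [ -n "$2" ]; then
    curl -sS --max-time 15 -o /dev/null -w '%{http_code}' -u "$2:$3" "$url"   # assumed PAT transport
  else
    curl -sS --max-time 15 -o /dev/null -w '%{http_code}' "$url"
  fi
}

# check_case <user> <visibility> <scope> <own-project> <project> <login> <secret>
# Returns 0 when the observed status equals the one the access model predicts.
check_case() {
  local want got
  want=$(expected_status "$1" "$2" "$3" "$4") || return 1
  got=$(http_status "$5" "$6" "$7" || true)
  if [ "$got" = "$want" ]; then
    printf 'PASS %-9s -> %-8s (%s) %s\n' "$1" "$2" "$3" "$got"
  else
    printf 'FAIL %-9s -> %-8s (%s) want %s got %s\n' "$1" "$2" "$3" "$want" "$got" >&2
    return 1
  fi
}

# run_matrix: user x visibility x scope. Reads (assumed names) PRIVATE_PROJECT,
# INTERNAL_PROJECT, PUBLIC_PROJECT, INTERNAL_USER, INTERNAL_GLOBAL_PAT,
# INTERNAL_SCOPED_PAT (issued for PRIVATE_PROJECT), EXTERNAL_USER, EXTERNAL_PAT.
run_matrix() {
  local rc=0 vis proj
  for vis in PRIVATE INTERNAL PUBLIC; do
    eval "proj=\${${vis}_PROJECT:-}"
    [ -n "$proj" ] || { echo "${vis}_PROJECT is not set" >&2; return 1; }
    check_case anonymous "$vis" none   no "$proj" "" ""                                   || rc=1
    check_case internal  "$vis" global no "$proj" "$INTERNAL_USER" "$INTERNAL_GLOBAL_PAT" || rc=1
    check_case external  "$vis" pat    no "$proj" "$EXTERNAL_USER" "$EXTERNAL_PAT"        || rc=1
  done
  # A project-scoped PAT opens its own project only; any other project must be 403.
  check_case internal PRIVATE  scoped yes "$PRIVATE_PROJECT"  "$INTERNAL_USER" "$INTERNAL_SCOPED_PAT" || rc=1
  check_case internal INTERNAL scoped no  "$INTERNAL_PROJECT" "$INTERNAL_USER" "$INTERNAL_SCOPED_PAT" || rc=1
  return "$rc"
}

# Only probe a live stack when asked (SZTAB_E2E=1); sourcing the file for its functions is side-effect free.
if [ "${SZTAB_E2E:-0}" = 1 ]; then
  require_tools && run_matrix
fi
```

Two details matter for a regression harness of this kind. The probe never talks to the Git service directly: `BASE_URL` is the Caddy listener, so a passing case proves that `forward_auth`, GitAuthController and the authorization service agreed, not just that the backend would have allowed it. And the anonymous cases expect 401 rather than 403 on non-public projects; a 403 there would break credential prompting in the git client, so the distinction is part of the contract, not noise.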
-
Time Log
| Activity | Time |
|---|---|
| Design regression test strategy and test matrix | 1h |
| Implement Bash test harness structure and utilities | 45m |
| Implement PR lifecycle tests for LOCAL repositories | 1h30m |
| Implement EXTERNAL repository PR tests | 30m |
| Implement Git access authorization tests via Caddy | 45m |
| Implement PAT scope validation and user-type scenarios | 1h |
| Debugging and cleanup handling | 1h |

Total: ~5 hours
| Field | Value |
|---|---|
| Type | Task |
| Priority | Major |
| Assignee | |
| Version | 1.10.0 |
| Sprints | n/a |
| Customer | n/a |
Description
The introduction of GitHub-style authorization significantly increased the behavioral surface area of Sztab. Authorization decisions now depend on several interacting dimensions:
- project visibility (PRIVATE, INTERNAL, PUBLIC)
- project type (LOCAL/EXTERNAL)
- the forward_auth gateway
Manual verification of all combinations is no longer scalable or reliable.
These authorization changes introduced a multi-dimensional access model that is difficult to test manually.
Without automated regression coverage:
We need an automated regression test mechanism that provides a repeatable, system-level validation tool for the new authorization architecture.