Skip to content

Commit ca477c4

Browse files
committed
chore: Enhance documentation for E2E testing:
- Added clarity and structure to README files, including recent updates and getting started sections. - Improved manual verification documentation for CrowdSec authentication, emphasizing expected outputs and success criteria. - Updated debugging guide with detailed output examples and automatic trace capture information. - Refined best practices for E2E tests, focusing on efficient polling, locator strategies, and state management. - Documented triage report for DNS Provider feature tests, highlighting issues fixed and test results before and after improvements. - Revised E2E test writing guide to include when to use specific helper functions and patterns for better test reliability. - Enhanced troubleshooting documentation with clear resolutions for common issues, including timeout and token configuration problems. - Updated tests README to provide quick links and best practices for writing robust tests.
1 parent 7d986f2 commit ca477c4

52 files changed

Lines changed: 983 additions & 198 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

ARCHITECTURE.md

Lines changed: 73 additions & 0 deletions
Large diffs are not rendered by default.

CHANGELOG.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -30,16 +30,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
3030
- See [Notification Guide](docs/features/notifications.md) for setup instructions
3131

3232
### CI/CD
33+
3334
- **Supply Chain**: Optimized verification workflow to prevent redundant builds
3435
- Change: Removed direct Push/PR triggers; now waits for 'Docker Build' via `workflow_run`
3536

3637
### Security
38+
3739
- **Supply Chain**: Enhanced PR verification workflow stability and accuracy
3840
- **Vulnerability Reporting**: Eliminated false negatives ("0 vulnerabilities") by enforcing strict failure conditions
3941
- **Tooling**: Switched to manual Grype installation ensuring usage of latest stable binary
4042
- **Observability**: Improved debugging visibility for vulnerability scans and SARIF generation
4143

4244
### Performance
45+
4346
- **E2E Tests**: Reduced feature flag API calls by 90% through conditional polling optimization (Phase 2)
4447
- Conditional skip: Exits immediately if flags already in expected state (~50% of cases)
4548
- Request coalescing: Shares in-flight API requests between parallel test workers
@@ -51,6 +54,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
5154
- Prevents timeout errors in Firefox/WebKit caused by strict label matching
5255

5356
### Fixed
57+
5458
- **TCP Monitor Creation**: Fixed misleading form UX that caused silent HTTP 500 errors when creating TCP monitors
5559
- Corrected URL placeholder to show `host:port` format instead of the incorrect `tcp://host:port` prefix
5660
- Added dynamic per-type placeholder and helper text (HTTP monitors show a full URL example; TCP monitors show `host:port`)
@@ -72,6 +76,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7276
- **Test Performance**: Reduced system settings test execution time by 31% (from 23 minutes to 16 minutes)
7377

7478
### Changed
79+
7580
- **Testing Infrastructure**: Enhanced E2E test helpers with better synchronization and error handling
7681
- **CI**: Optimized E2E workflow shards [Reduced from 4 to 3]
7782

CONTRIBUTING.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -45,8 +45,6 @@ brew install lefthook
4545
go install github.com/evilmartians/lefthook@latest
4646
```
4747

48-
49-
5048
```bash
5149
# Option 1: Homebrew (macOS/Linux)
5250
brew install golangci-lint
@@ -84,17 +82,20 @@ For local development, install go 1.26.0+ from [go.dev/dl](https://go.dev/dl/).
8482
When the project's Go version is updated (usually by Renovate):
8583

8684
1. **Pull the latest changes**
85+
8786
```bash
8887
git pull
8988
```
9089

9190
2. **Update your local Go installation**
91+
9292
```bash
9393
# Run the Go update skill (downloads and installs the new version)
9494
.github/skills/scripts/skill-runner.sh utility-update-go-version
9595
```
9696

9797
3. **Rebuild your development tools**
98+
9899
```bash
99100
# This fixes lefthook hook errors and IDE issues
100101
./scripts/rebuild-go-tools.sh

README.md

Lines changed: 15 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -94,6 +94,7 @@ services:
9494
retries: 3
9595
start_period: 40s
9696
```
97+
9798
> **Docker Socket Access:** Charon runs as a non-root user. If you mount the Docker socket for container discovery, the container needs permission to read it. Find your socket's group ID and add it to the compose file:
9899
>
99100
> ```bash
@@ -107,26 +108,34 @@ services:
107108
> - "998"
108109
> ```
109110

110-
### 2️⃣ Generate encryption key:
111+
### 2️⃣ Generate encryption key
112+
111113
```bash
112114
openssl rand -base64 32
113115
```
114-
### 3️⃣ Start Charon:
116+
117+
### 3️⃣ Start Charon
118+
115119
```bash
116120
docker-compose up -d
117121
```
118-
### 4️⃣ Access the dashboard:
122+
123+
### 4️⃣ Access the dashboard
124+
119125
Open your browser and navigate to `http://localhost:8080` to access the dashboard and create your admin account.
126+
120127
```code
121128
http://localhost:8080
122129
```
123-
### Getting Started:
124-
Full setup instructions and documentation are available at [https://wikid82.github.io/Charon/docs/getting-started.html](https://wikid82.github.io/Charon/docs/getting-started.html).
125130

131+
### Getting Started
132+
133+
Full setup instructions and documentation are available at [https://wikid82.github.io/Charon/docs/getting-started.html](https://wikid82.github.io/Charon/docs/getting-started.html).
126134

127135
--- ## ✨ Top 10 Features
128136

129137
### 🎯 **Point & Click Management**
138+
130139
No config files. No terminal commands. Just click, type your domain name, and you're live. If you can use a website, you can run Charon.
131140

132141
### 🔐 **Automatic HTTPS Certificates**
@@ -160,6 +169,7 @@ See exactly what's happening with live request logs, uptime monitoring, and inst
160169
### 📥 **Migration Made Easy**
161170

162171
Already invested in another reverse proxy? Bring your work with you by importing your existing configurations with one click:
172+
163173
- **Caddyfile** — Migrate from other Caddy setups
164174
- **Nginx** — Import from Nginx based configurations (Coming Soon)
165175
- **Traefik** - Import from Traefik based configurations (Coming Soon)

SECURITY.md

Lines changed: 20 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -41,16 +41,19 @@ container image. The binaries were compiled against Go 1.25.6, which contains th
4141
Charon's own application code, compiled with Go 1.26.1, is unaffected.
4242

4343
**Who**
44+
4445
- Discovered by: Automated scan (Grype)
4546
- Reported: 2026-03-20
4647
- Affects: CrowdSec Agent component within the container; not directly exposed through Charon's
4748
primary application interface
4849

4950
**Where**
51+
5052
- Component: CrowdSec Agent (bundled `cscli` and `crowdsec` binaries)
5153
- Versions affected: Charon container images with CrowdSec binaries compiled against Go < 1.25.7
5254

5355
**When**
56+
5457
- Discovered: 2026-03-20
5558
- Disclosed (if public): Not yet publicly disclosed
5659
- Target fix: When `golang:1.26.2-alpine` is published on Docker Hub
@@ -82,16 +85,19 @@ configuration includes the `DEFAULT` keyword, potentially allowing downgrade to
8285
suites. Affects Alpine 3.23.3 packages `libcrypto3` and `libssl3` at version 3.5.5-r0.
8386

8487
**Who**
88+
8589
- Discovered by: Automated scan (Grype)
8690
- Reported: 2026-03-20
8791
- Affects: Container runtime environment; Caddy reverse proxy TLS negotiation could be affected
8892
if default key group configuration is used
8993

9094
**Where**
95+
9196
- Component: Alpine 3.23.3 base image (`libcrypto3` 3.5.5-r0, `libssl3` 3.5.5-r0)
9297
- Versions affected: Alpine 3.23.3 prior to a patched `openssl` APK release
9398

9499
**When**
100+
95101
- Discovered: 2026-03-20
96102
- Disclosed (if public): 2026-03-13 (OpenSSL advisory)
97103
- Target fix: When Alpine Security publishes a patched `openssl` APK
@@ -103,7 +109,7 @@ does not use the `DEFAULT` keyword, which limits practical exploitability. The p
103109
present in the base image regardless of Caddy's configuration.
104110

105111
**Planned Remediation**
106-
Monitor https://security.alpinelinux.org/vuln/CVE-2026-2673 for a patched Alpine APK. Once
112+
Monitor <https://security.alpinelinux.org/vuln/CVE-2026-2673> for a patched Alpine APK. Once
107113
available, update the pinned `ALPINE_IMAGE` digest in the Dockerfile, or add an explicit
108114
`RUN apk upgrade --no-cache libcrypto3 libssl3` to the runtime stage.
109115

@@ -126,16 +132,19 @@ tracked separately above). All issues resolve when CrowdSec is rebuilt against G
126132
Charon's own application code is unaffected.
127133

128134
**Who**
135+
129136
- Discovered by: Automated scan (Trivy, Grype)
130137
- Reported: 2025-12-01 (original cluster); expanded 2026-03-20
131138
- Affects: CrowdSec Agent component within the container; not directly exposed through Charon's
132139
primary application interface
133140

134141
**Where**
142+
135143
- Component: CrowdSec Agent (bundled `cscli` and `crowdsec` binaries)
136144
- Versions affected: All Charon versions shipping CrowdSec binaries compiled against Go < 1.26.2
137145

138146
**When**
147+
139148
- Discovered: 2025-12-01
140149
- Disclosed (if public): Not yet publicly disclosed
141150
- Target fix: When `golang:1.26.2-alpine` is published on Docker Hub
@@ -168,16 +177,19 @@ loop with no termination condition when given a specially crafted input, causing
168177
(CWE-1284).
169178

170179
**Who**
180+
171181
- Discovered by: 7aSecurity audit (commissioned by OSTIF)
172182
- Reported: 2026-02-17
173183
- Affects: Any component in the container that calls `crc32_combine`-family functions with
174184
attacker-controlled input; not directly exposed through Charon's application interface
175185

176186
**Where**
187+
177188
- Component: Alpine 3.23.3 base image (`zlib` package, version 1.3.1-r2)
178189
- Versions affected: zlib < 1.3.2; all current Charon images using Alpine 3.23.3
179190

180191
**When**
192+
181193
- Discovered: 2026-02-17 (NVD published 2026-02-17)
182194
- Disclosed (if public): 2026-02-17
183195
- Target fix: When Alpine 3.23 publishes a patched `zlib` APK (requires zlib 1.3.2)
@@ -188,7 +200,7 @@ to the `crc32_combine`-family functions. This code path is not invoked by Charon
188200
or backend API. The vulnerability is non-blocking under the project's CI severity policy.
189201

190202
**Planned Remediation**
191-
Monitor https://security.alpinelinux.org/vuln/CVE-2026-27171 for a patched Alpine APK. Once
203+
Monitor <https://security.alpinelinux.org/vuln/CVE-2026-27171> for a patched Alpine APK. Once
192204
available, update the pinned `ALPINE_IMAGE` digest in the Dockerfile, or add an explicit
193205
`RUN apk upgrade --no-cache zlib` to the runtime stage. Remove the `.trivyignore` entry at
194206
that time.
@@ -211,14 +223,17 @@ Seven HIGH-severity CVEs in Debian Trixie base image system libraries (`glibc`,
211223
available from the Debian Security Team.
212224

213225
**Who**
226+
214227
- Discovered by: Automated scan (Trivy)
215228
- Reported: 2026-02-04
216229

217230
**Where**
231+
218232
- Component: Debian Trixie base image (`libc6`, `libc-bin`, `libtasn1-6`, `libtiff`)
219233
- Versions affected: Charon container images built on Debian Trixie base (prior to Alpine migration)
220234

221235
**When**
236+
222237
- Discovered: 2026-02-04
223238
- Patched: 2026-03-20
224239
- Time to patch: 44 days
@@ -256,14 +271,17 @@ by CrowdSec for expression evaluation. Malicious regular expressions in CrowdSec
256271
parsers could cause CPU exhaustion and service degradation through exponential backtracking.
257272

258273
**Who**
274+
259275
- Discovered by: Automated scan (Trivy)
260276
- Reported: 2026-01-11
261277

262278
**Where**
279+
263280
- Component: CrowdSec (via `expr-lang/expr` dependency)
264281
- Versions affected: CrowdSec versions using `expr-lang/expr` < v1.17.7
265282

266283
**When**
284+
267285
- Discovered: 2026-01-11
268286
- Patched: 2026-01-11
269287
- Time to patch: 0 days

VERSION.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,8 +24,10 @@ Example: `0.1.0-alpha`, `1.0.0-beta.1`, `2.0.0-rc.2`
2424
1. **Create and push a release tag**:
2525

2626
```bash
27+
2728
git tag -a v1.0.0 -m "Release v1.0.0"
2829
git push origin v1.0.0
30+
2931
```
3032

3133
2. **GitHub Actions automatically**:
@@ -51,10 +53,12 @@ Use it only when you need local/version-file parity checks:
5153
echo "1.0.0" > .version
5254
```
5355

54-
2. **Validate `.version` matches the latest tag**:
56+
1. **Validate `.version` matches the latest tag**:
5557

5658
```bash
59+
5760
bash scripts/check-version-match-tag.sh
61+
5862
```
5963

6064
### Deterministic Rollout Verification Gates (Mandatory)

docs/SECURITY_PRACTICES.md

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -53,6 +53,7 @@ logger.Infof("API Key: %s", apiKey)
5353
```
5454

5555
Charon's masking rules:
56+
5657
- Empty: `[empty]`
5758
- Short (< 16 chars): `[REDACTED]`
5859
- Normal (≥ 16 chars): `abcd...xyz9` (first 4 + last 4)
@@ -68,6 +69,7 @@ if !validateAPIKeyFormat(apiKey) {
6869
```
6970

7071
Requirements:
72+
7173
- Length: 16-128 characters
7274
- Charset: Alphanumeric + underscore + hyphen
7375
- No spaces or special characters
@@ -99,6 +101,7 @@ Rotate secrets regularly:
99101
### What to Log
100102

101103
**Safe to log**:
104+
102105
- Timestamps
103106
- User IDs (not usernames if PII)
104107
- IP addresses (consider GDPR implications)
@@ -108,6 +111,7 @@ Rotate secrets regularly:
108111
- Performance metrics
109112

110113
**Never log**:
114+
111115
- Passwords or password hashes
112116
- API keys or tokens (use masking)
113117
- Session IDs (full values)
@@ -139,6 +143,7 @@ logger.Infof("Login attempt: username=%s password=%s", username, password)
139143
### Log Aggregation
140144

141145
If using external log services (CloudWatch, Splunk, Datadog):
146+
142147
- Ensure logs are encrypted in transit (TLS)
143148
- Ensure logs are encrypted at rest
144149
- Redact sensitive data before shipping
@@ -333,6 +338,7 @@ limiter := rate.NewLimiter(rate.Every(36*time.Second), 100)
333338
```
334339

335340
**Critical endpoints** (require stricter limits):
341+
336342
- Login: 5 attempts per 15 minutes
337343
- Password reset: 3 attempts per hour
338344
- API key generation: 5 per day
@@ -369,13 +375,15 @@ return c.JSON(401, gin.H{"error": "invalid API key: abc123"})
369375
**Applicable if**: Processing data of EU residents
370376

371377
**Requirements**:
378+
372379
1. **Data minimization**: Collect only necessary data
373380
2. **Purpose limitation**: Use data only for stated purposes
374381
3. **Storage limitation**: Delete data when no longer needed
375382
4. **Security**: Implement appropriate technical measures (encryption, masking)
376383
5. **Breach notification**: Report breaches within 72 hours
377384

378385
**Implementation**:
386+
379387
- ✅ Charon masks API keys in logs (prevents exposure of personal data)
380388
- ✅ Secure file permissions (0600) protect sensitive data
381389
- ✅ Log retention policies prevent indefinite storage
@@ -390,12 +398,14 @@ return c.JSON(401, gin.H{"error": "invalid API key: abc123"})
390398
**Applicable if**: Processing, storing, or transmitting credit card data
391399

392400
**Requirements**:
401+
393402
1. **Requirement 3.4**: Render PAN unreadable (encryption, masking)
394403
2. **Requirement 8.2**: Strong authentication
395404
3. **Requirement 10.2**: Audit trails
396405
4. **Requirement 10.7**: Retain audit logs for 1 year
397406

398407
**Implementation**:
408+
399409
- ✅ Charon uses masking for sensitive credentials (same principle for PAN)
400410
- ✅ Secure file permissions align with access control requirements
401411
- ⚠️ Charon doesn't handle payment cards directly (delegated to payment processors)
@@ -409,12 +419,14 @@ return c.JSON(401, gin.H{"error": "invalid API key: abc123"})
409419
**Applicable if**: SaaS providers, cloud services
410420

411421
**Trust Service Criteria**:
422+
412423
1. **CC6.1**: Logical access controls (authentication, authorization)
413424
2. **CC6.6**: Encryption of data in transit
414425
3. **CC6.7**: Encryption of data at rest
415426
4. **CC7.2**: Monitoring and detection (logging, alerting)
416427

417428
**Implementation**:
429+
418430
- ✅ API key validation ensures strong credentials (CC6.1)
419431
- ✅ File permissions (0600) protect data at rest (CC6.7)
420432
- ✅ Masked logging enables monitoring without exposing secrets (CC7.2)
@@ -429,12 +441,14 @@ return c.JSON(401, gin.H{"error": "invalid API key: abc123"})
429441
**Applicable to**: Any organization implementing ISMS
430442

431443
**Key Controls**:
444+
432445
1. **A.9.4.3**: Password management systems
433446
2. **A.10.1.1**: Cryptographic controls
434447
3. **A.12.4.1**: Event logging
435448
4. **A.18.1.5**: Protection of personal data
436449

437450
**Implementation**:
451+
438452
- ✅ API key format validation (minimum 16 chars, charset restrictions)
439453
- ✅ Key rotation procedures documented
440454
- ✅ Secure storage with file permissions (0600)
@@ -491,6 +505,7 @@ grep -i "api[_-]key\|token\|password" playwright-report/index.html
491505
**Recommended schedule**: Annual or after major releases
492506

493507
**Focus areas**:
508+
494509
1. Authentication bypass
495510
2. Authorization vulnerabilities
496511
3. SQL injection

0 commit comments

Comments
 (0)