Updated readme + fixed test suite #3
Merged
39 commits
9e81510
- ui improvements (better logo, styles, meta tags)
00db7c8
fixes
8617439
fixes 2 - for CI, took another version of setup-k8s.sh
29c8a20
JWT_SECRET_KEY fix: added validation, + updated .env + added tests
0e4cce4
JWT_SECRET_KEY fix 2: naming
7551313
JWT_SECRET_KEY fix 3: key length
7c0e36e
JWT_SECRET_KEY fix 4: regex instead of separate function
d624a52
JWT_SECRET_KEY fix 4: regex instead of separate function
597e209
JWT_SECRET_KEY fix 5: added key to ci/cd
8ee6bbd
SEC 1.2: added char limits for script length
8a343b0
SEC 1.3: rate limits for auth routes
b2ea506
SEC 1.4: mitigation of (possible) XSS in frontend ( -> added `dompuri…
95eef81
SEC 1.5: better security policy in nginx.conf
611e75d
SEC 1.6: mongodb login creds added
904b452
rewrite: using `kubernetes`' watch
8d0feed
v2: added kafka instead of polling, more details to add sooner
33d0114
rewrite: using `kubernetes`' watch
9897abc
v2.1: no globals/magic/xxattr methods, updated code to use DI correctly
b89a916
v2.0:
80e763f
- fix of trivy errors (docker scan)
a02ea4c
v2.1: 80% coverage, updated tests, updated readmes
d1d0b63
CI pipeline fix
0c3ddb7
CI pipeline fix 2
66ff9a8
CI pipeline fix 3 | Disabling SASL Kafka auth for CI
da4e25c
CI fix 4 | disabling SASL for Kafka+Zookeeper
b01b5a7
CI fix 5 | SASL simplification
05ff7c1
CI fix 6 | added secrets for mongouser/pass
66f1c18
CI fix 7 | cert-gen IP fix
4a822c0
CI fix 8 | cert-gen IP fix
b299428
CI fix 9 | since tests are only for API, turning off checks for fron…
9d6cc8b
CI fix 10 | added mongodb creds
288e37a
CI fix 11 | mongodb conn string in conftest
def453a
CI fix 12 | mongodb sha fix
1b99088
CI fix 13
0ec021c
CI fix 14
da3076b
CI fix 1 - simplified creds
08a9dc6
Merge remote-tracking branch 'origin/main' into dev
dc7ba3f
sonarqube fixes
7c62572
updated readme + moved arch .md file to /files_for_readme + updated i…
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -35,22 +35,39 @@ jobs: | |
| - name: Modify Docker Compose for CI | ||
| run: | | ||
| cp docker-compose.yaml docker-compose.ci.yaml | ||
| # For the backend service | ||
| yq eval '.services.backend.extra_hosts += ["host.docker.internal:host-gateway"]' -i docker-compose.ci.yaml | ||
| # Drop the frontend service for backend-only tests | ||
| yq eval 'del(.services.frontend)' -i docker-compose.ci.yaml | ||
| # For the backend service (extra_hosts already exists, skip it) | ||
| # Note: backend.environment is a list in docker-compose.yaml | ||
| yq eval '.services.backend.environment += ["TESTING=true"]' -i docker-compose.ci.yaml | ||
| yq eval '.services.backend.environment += ["MONGO_ROOT_USER=testroot"]' -i docker-compose.ci.yaml | ||
| yq eval '.services.backend.environment += ["MONGO_ROOT_PASSWORD=testpassword"]' -i docker-compose.ci.yaml | ||
| yq eval '.services.backend.environment += ["MONGO_ROOT_USER=root"]' -i docker-compose.ci.yaml | ||
| yq eval '.services.backend.environment += ["MONGO_ROOT_PASSWORD=rootpassword"]' -i docker-compose.ci.yaml | ||
| # Disable OpenTelemetry SDK during tests to avoid exporter retries | ||
| yq eval '.services.backend.environment += ["OTEL_SDK_DISABLED=true"]' -i docker-compose.ci.yaml | ||
|
|
||
| # For the mongo service | ||
| yq eval '.services.mongo.environment += ["MONGO_ROOT_USER=testroot"]' -i docker-compose.ci.yaml | ||
| yq eval '.services.mongo.environment += ["MONGO_ROOT_PASSWORD=testpassword"]' -i docker-compose.ci.yaml | ||
|
|
||
| # MongoDB service already has defaults in docker-compose.yaml (root/rootpassword) | ||
| # No need to override them | ||
|
|
||
| # Disable SASL authentication for Kafka and Zookeeper in CI | ||
| yq eval 'del(.services.kafka.environment.KAFKA_OPTS)' -i docker-compose.ci.yaml | ||
| yq eval 'del(.services.zookeeper.environment.KAFKA_OPTS)' -i docker-compose.ci.yaml | ||
| yq eval 'del(.services.zookeeper.environment.ZOOKEEPER_AUTH_PROVIDER_1)' -i docker-compose.ci.yaml | ||
| yq eval '.services.kafka.volumes = [.services.kafka.volumes[] | select(. | contains("jaas.conf") | not)]' -i docker-compose.ci.yaml | ||
| yq eval '.services.zookeeper.volumes = [.services.zookeeper.volumes[] | select(. | contains("/etc/kafka") | not)]' -i docker-compose.ci.yaml | ||
|
|
||
| # Simplify Zookeeper for CI | ||
| yq eval '.services.zookeeper.environment.ZOOKEEPER_4LW_COMMANDS_WHITELIST = "ruok,srvr"' -i docker-compose.ci.yaml | ||
| # Disable zookeeper healthcheck in CI (use service_started instead) | ||
| yq eval 'del(.services.zookeeper.healthcheck)' -i docker-compose.ci.yaml | ||
| # Make Kafka start as soon as Zookeeper starts (not healthy) | ||
| yq eval '.services.kafka.depends_on.zookeeper.condition = "service_started"' -i docker-compose.ci.yaml | ||
|
|
||
| # For the cert-generator service | ||
| yq eval '.services.cert-generator.extra_hosts += ["host.docker.internal:host-gateway"]' -i docker-compose.ci.yaml | ||
| yq eval '.services.cert-generator.environment += ["CI=true"]' -i docker-compose.ci.yaml | ||
| yq eval '.services.cert-generator.volumes += ["$HOME/.kube/config:/root/.kube/config:ro"]' -i docker-compose.ci.yaml | ||
| # Check if extra_hosts exists, if not create it as a list | ||
| yq eval 'select(.services."cert-generator".extra_hosts == null).services."cert-generator".extra_hosts = []' -i docker-compose.ci.yaml | ||
| yq eval '.services."cert-generator".extra_hosts += ["host.docker.internal:host-gateway"]' -i docker-compose.ci.yaml | ||
| yq eval '.services."cert-generator".environment += ["CI=true"]' -i docker-compose.ci.yaml | ||
| yq eval '.services."cert-generator".volumes += [env(HOME) + "/.kube/config:/root/.kube/config:ro"]' -i docker-compose.ci.yaml | ||
|
|
||
| echo "--- Modified docker-compose.ci.yaml ---" | ||
| cat docker-compose.ci.yaml | ||
|
|
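Review bot: The backend environment lines write `MONGO_ROOT_PASSWORD=rootpassword` into docker-compose.ci.yaml as a literal, and the step ends with `cat docker-compose.ci.yaml`, so the credential is printed to the job log on every run. Read the value from the runner environment instead, the way the cert-generator volume line already uses `env(HOME)`, and drop or redact the `cat`. Separately, the block that deletes `KAFKA_OPTS`, `ZOOKEEPER_AUTH_PROVIDER_1` and the `jaas.conf` mount means CI never exercises the SASL configuration the base compose file carries; say so in the step comment or keep one job with SASL enabled so a broken JAAS config is caught before merge.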
@@ -89,13 +106,7 @@ jobs: | |
| done' | ||
| echo "Backend is healthy!" | ||
|
|
||
| - name: Wait for frontend to be ready | ||
| run: | | ||
| timeout 120 bash -c 'until curl -k https://127.0.0.1:5001 -o /dev/null; do \ | ||
| echo "Retrying frontend check..."; \ | ||
| sleep 5; \ | ||
| done' | ||
| echo "Frontend is ready!" | ||
| # Frontend is excluded in backend-only CI; skip UI readiness | ||
|
|
||
| - name: Check K8s setup status after startup | ||
| run: | | ||
|
|
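Review bot: Replacing the "Wait for frontend to be ready" step with a comment leaves this workflow with no check that the frontend image builds or serves at all, since the compose step also deletes `.services.frontend`. If backend-only is intended here, give the frontend its own job (even a build plus the same `curl` probe) so UI regressions are not merged unseen, and rename this job so its scope is clear from the checks list.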
@@ -121,10 +132,18 @@ jobs: | |
| - name: Run backend tests with coverage | ||
| env: | ||
| BACKEND_BASE_URL: https://127.0.0.1:443 | ||
| # Use default MongoDB credentials for CI | ||
| MONGO_ROOT_USER: root | ||
| MONGO_ROOT_PASSWORD: rootpassword | ||
| MONGODB_HOST: 127.0.0.1 | ||
| MONGODB_PORT: 27017 | ||
| # Explicit URL with default credentials | ||
| MONGODB_URL: mongodb://root:[email protected]:27017/?authSource=admin | ||
| run: | | ||
| cd backend | ||
| echo "Using BACKEND_BASE_URL=$BACKEND_BASE_URL" | ||
| python -m pytest tests/integration tests/unit -v --cov=app --cov-report=xml --cov-report=term | ||
| echo "MongoDB connection will use default CI credentials" | ||
| python -m pytest tests/integration tests/unit -v --cov=app --cov-branch --cov-report=xml --cov-report=term --cov-report=term-missing | ||
|
|
||
| - name: Upload coverage to Codecov | ||
| uses: codecov/codecov-action@v5 | ||
|
|
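Review bot: `MONGO_ROOT_PASSWORD: rootpassword` and the `MONGODB_URL` under "Explicit URL with default credentials" hard-code the database root login in the workflow file, duplicating the values the compose step sets, so the copies must be changed together and any secret scanner will flag them. Take the password from `${{ secrets.MONGO_ROOT_PASSWORD }}` and let the tests assemble the URL from `MONGODB_HOST`, `MONGODB_PORT` and the user and password variables rather than carrying a second copy. The tests also connect as the root user with `authSource=admin`; a dedicated test user scoped to the test database would narrow what a test bug can touch.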
@@ -143,7 +162,6 @@ jobs: | |
| docker compose -f docker-compose.ci.yaml logs > logs/docker-compose.log | ||
| docker compose -f docker-compose.ci.yaml logs cert-generator > logs/cert-generator.log | ||
| docker compose -f docker-compose.ci.yaml logs backend > logs/backend.log | ||
| docker compose -f docker-compose.ci.yaml logs frontend > logs/frontend.log | ||
| docker compose -f docker-compose.ci.yaml logs mongo > logs/mongo.log | ||
| kubectl get events --sort-by='.metadata.creationTimestamp' > logs/k8s-events.log | ||
| kubectl get pods -A -o wide > logs/k8s-pods-final.log | ||
|
|
||
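Review bot: Dropping `logs frontend` matches the removal of the frontend service, but the per-service logs still cover only cert-generator, backend and mongo. Kafka and Zookeeper are the services this workflow now reconfigures most heavily (SASL removed, healthcheck deleted, `service_started` ordering), so add `logs kafka` and `logs zookeeper` files; startup races there will otherwise have to be dug out of the combined docker-compose.log.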
💡 Verification agent
🧩 Analysis chain
Hardcoded DB credentials in CI env (secret leak risk).
`MONGO_ROOT_PASSWORD` and `MONGODB_URL` embed credentials in the repo, tripping secret scanners and exposing them in logs. Use GitHub Secrets.
Replace hardcoded MongoDB credentials in CI with GitHub Secrets
Confirmed .github/workflows/tests.yml contains plaintext MongoDB credentials (lines 135–141). Move the password into GitHub Secrets and reference it in the workflow. Add the secret MONGO_ROOT_PASSWORD to the repository's GitHub Secrets.
Location: .github/workflows/tests.yml lines 135–141