feat: add per-proxy production integration tests

[steveiliop56]

Depends on #714

Summary by CodeRabbit

• New Features

  • Added runnable integration harness and Make targets to start end-to-end proxy tests (Nginx, Traefik, Envoy).
  • Included local environment and compose configurations to run multi-service integration scenarios.

• Tests

  • Added automated integration tests covering unauthorized access, authenticated access, and ACL enforcement.

• Chores

  • CI workflow added/updated to generate build metadata and run integration tests (optional image build/push).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b2d1738d-4be3-4b76-bda5-2bf73f22d754

📥 Commits

Reviewing files that changed from the base of the PR and between a3d3106 and 407ca9a.

📒 Files selected for processing (1)

• .github/workflows/integration.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/integration.yml

---

📝 Walkthrough

Walkthrough

Adds a full integration test harness and CI workflow to run Tinyauth end-to-end tests across Traefik, Nginx, and Envoy using docker-compose, with test orchestration, proxy configs, env files, and conditional CI build/push steps. No public API changes.

Changes

Cohort / File(s)	Summary
CI / Workflows .github/workflows/integration.yml, .github/workflows/release.yml	Adds "Proxy Integration Tests" workflow that generates build metadata, conditionally runs Docker Buildx and pushes images, applies a patch during CI; removes pinned ref: nightly from release checkout.
Make targets Makefile	Adds PHONY targets generate (go run ./gen) and integration (go run ./integration -- --log=false).
Integration harness integration/integration.go, integration/integrarion_tests.go	New Go program to orchestrate per-proxy docker-compose instances, poll Tinyauth health, run three HTTP tests (unauthorized, logged-in, ACL allowed), stream logs, and teardown on completion/signals.
Environment & compose files integration/.env, integration/docker-compose.traefik.yml, integration/docker-compose.nginx.yml, integration/docker-compose.envoy.yml	Adds env file with versions/hosts and three docker-compose variants for Traefik, Nginx, and Envoy using the configured service images and mount points.
Proxy & app configs integration/envoy.yml, integration/nginx.conf, integration/config.yml	Adds Envoy static config with ext_authz, Nginx reverse-proxy + auth_request flow, and Tinyauth runtime config (users, logging, app rules).
Test orchestration support integration/nginx.conf, integration/envoy.yml, integration/docker-compose.*.yml	Includes service wiring and per-proxy routing/forward-auth labels and mounts used by the integration harness.
Patches patches/nested_maps.diff (referenced in CI)	Applied during CI submodule init/update step (referenced by workflow).

Sequence Diagram

sequenceDiagram
    actor TestRunner as Test Runner
    participant Docker as Docker Compose
    participant Proxy as Proxy (Traefik/Nginx/Envoy)
    participant Tinyauth as Tinyauth Service
    participant Whoami as Whoami Service
    participant Client as HTTP Client

    TestRunner->>Docker: Start docker-compose up (--build, env file)
    activate Docker
    Docker->>Proxy: Launch proxy service
    Docker->>Whoami: Launch whoami service
    Docker->>Tinyauth: Launch tinyauth service

    TestRunner->>Tinyauth: Poll /health (retry up to 5 min)
    loop Health Check
        Tinyauth-->>TestRunner: Health status
    end

    Note over TestRunner: Services ready

    TestRunner->>Client: Test 1: Unauthorized
    Client->>Proxy: GET /whoami (no auth)
    Proxy->>Tinyauth: ext_authz / auth_request
    Tinyauth-->>Proxy: 401
    Proxy-->>Client: 401 / login page
    Client-->>TestRunner: result

    TestRunner->>Client: Test 2: Logged In
    Client->>Proxy: GET /whoami (BasicAuth)
    Proxy->>Tinyauth: ext_authz
    Tinyauth-->>Proxy: 200
    Proxy->>Whoami: forward request
    Whoami-->>Proxy: 200
    Proxy-->>Client: 200
    Client-->>TestRunner: result

    TestRunner->>Client: Test 3: ACL Allowed
    Client->>Proxy: GET /whoami/allow
    Proxy->>Tinyauth: ext_authz
    Tinyauth-->>Proxy: 200 (ACL match)
    Proxy->>Whoami: forward request
    Whoami-->>Proxy: 200
    Proxy-->>Client: 200
    Client-->>TestRunner: result

    TestRunner->>Docker: Send SIGINT & cleanup
    deactivate Docker

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: non-docker acls #549: Similar CI changes — initializes submodules and applies the same patches/nested_maps.diff during workflow execution.

Poem

🐇 I hop through compose and YAML green,
Spinning proxies, health checks seen.
Envoy, Nginx, Traefik in a row,
Tinyauth guards the login flow.
Tests pass, I twitch my whiskers—hooray!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: introducing integration tests for multiple proxy backends (Nginx, Traefik, Envoy) with supporting CI workflow and configuration files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/proxy-integration-tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 0% with 133 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.29%. Comparing base (dc3fa58) to head (407ca9a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
integration/integration.go	0.00%	96 Missing ⚠️
integration/integrarion_tests.go	0.00%	37 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #715      +/-   ##
==========================================
- Coverage   16.85%   16.29%   -0.57%     
==========================================
  Files          50       52       +2     
  Lines        3820     3953     +133     
==========================================
  Hits          644      644              
- Misses       3112     3245     +133     
  Partials       64       64              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (2)

integration/docker-compose.traefik.yml (1)

10-11: Avoid direct Docker socket exposure where possible.

Line [11] mounts /var/run/docker.sock directly into Traefik, which grants broad Docker API access. Consider using a Docker socket proxy (or another constrained discovery approach) to reduce risk in CI/integration environments.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@integration/docker-compose.traefik.yml` around lines 10 - 11, The
docker-compose currently mounts /var/run/docker.sock directly into the Traefik
service via the volumes entry, which exposes the Docker API; replace this by
running a Docker socket proxy (e.g., docker-socket-proxy) as a separate service
and point Traefik to the proxy socket/endpoint instead of /var/run/docker.sock,
or configure Traefik to use a constrained discovery provider (TCP with TLS) so
the volumes entry no longer mounts /var/run/docker.sock; update the Traefik
service's volumes and provider endpoint references accordingly and ensure the
proxy service exposes only the minimal API scopes needed.

integration/.env (1)

5-16: Pin Docker image versions to ensure reproducible CI integration tests.

Lines 5, 13, and 16 use floating tags (latest, *-latest), which allow images to change unpredictably between runs and make test failures difficult to reproduce. Pin to exact version tags instead:

• WHOAMI_VERSION=v1.11 (or check traefik/whoami releases for latest patch)
• ENVOY_VERSION=v1.33.5 (use exact patch tag; v1.33-latest floats across 1.33.x releases)
• TINYAUTH_VERSION=v3 or v4 (per tinyauth documentation)

Optionally pin to image digests (@sha256:...) for maximum immutability in CI pipelines.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@integration/.env` around lines 5 - 16, The .env uses floating Docker tags
causing non-reproducible CI; update the WHOAMI_VERSION, ENVOY_VERSION, and
TINYAUTH_VERSION variables to pinned exact tags (e.g., WHOAMI_VERSION=v1.11,
ENVOY_VERSION=v1.33.5, and TINYAUTH_VERSION=v3 or v4) or preferably to image
digests to lock versions; locate and replace the values for the WHOAMI_VERSION,
ENVOY_VERSION, and TINYAUTH_VERSION entries in the integration/.env file so CI
uses fixed immutable images.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/integration.yml:
- Around line 1-10: The workflow "Proxy Integration Tests" triggered by
workflow_dispatch currently uses default token permissions; add an explicit
top-level permissions block to grant only the minimal GITHUB_TOKEN scopes needed
(e.g., permissions: contents: read or whatever specific scopes your tests
require) so the workflow no longer inherits full default permissions. Update the
YAML near the top-level (alongside name: Proxy Integration Tests and
workflow_dispatch) to include a permissions section that enumerates only
required scopes for the jobs run in this file, and apply the same change to the
other similar workflow blocks referenced in the review.

In `@integration/integrarion_tests.go`:
- Line 26: Fix the typo in the assertion error message inside the fmt.Errorf
call that currently reads "or to to contain" — update the string to "or to
contain" so the error message is clean; locate the fmt.Errorf call in
integrarion_tests.go (the line that constructs the error about expected status
code http.StatusUnauthorized and presence of '<div id=\"root\"></div>') and
correct the duplicated "to".

In `@integration/integration.go`:
- Around line 130-132: The HTTP client created as client := &http.Client{} in
integration.go lacks a timeout and the health-check loop leaks resources: modify
the client instantiation used by runTests (and any other HTTP clients in this
file) to set a sensible Timeout (e.g., http.Client{Timeout: ...}) and/or
configure Transport timeouts; in the health-check loop ensure the ticker started
for retries is stopped (call ticker.Stop() when exiting the loop) and always
close the HTTP response body (defer resp.Body.Close() or explicitly close
resp.Body after each request) to prevent connection leaks.
- Around line 147-150: The setupCmdLogging function currently ignores errors
from cmd.StdoutPipe() and cmd.StderrPipe(); change setupCmdLogging to return an
error (e.g., func setupCmdLogging(cmd *exec.Cmd) (/*old return values if any*/,
error)) and propagate any errors from StdoutPipe and StderrPipe instead of
discarding them, and update the caller createInstanceAndRunTests to handle the
returned error at the callsite (where setupCmdLogging is invoked around line
110) by checking the error and returning or logging it appropriately; reference
the StdoutPipe, StderrPipe symbols and the setupCmdLogging and
createInstanceAndRunTests function names to locate the changes.

In `@Makefile`:
- Line 91: The Makefile target currently runs "go run ./integration --
--log=false" which uses the "--" separator and prevents the integration program
from parsing the --log flag; remove the separator so the command is "go run
./integration --log=false" (i.e., edit the Makefile line containing go run
./integration to drop the standalone "--") so the flag is parsed by the Go
program.

---

Nitpick comments:
In `@integration/.env`:
- Around line 5-16: The .env uses floating Docker tags causing non-reproducible
CI; update the WHOAMI_VERSION, ENVOY_VERSION, and TINYAUTH_VERSION variables to
pinned exact tags (e.g., WHOAMI_VERSION=v1.11, ENVOY_VERSION=v1.33.5, and
TINYAUTH_VERSION=v3 or v4) or preferably to image digests to lock versions;
locate and replace the values for the WHOAMI_VERSION, ENVOY_VERSION, and
TINYAUTH_VERSION entries in the integration/.env file so CI uses fixed immutable
images.

In `@integration/docker-compose.traefik.yml`:
- Around line 10-11: The docker-compose currently mounts /var/run/docker.sock
directly into the Traefik service via the volumes entry, which exposes the
Docker API; replace this by running a Docker socket proxy (e.g.,
docker-socket-proxy) as a separate service and point Traefik to the proxy
socket/endpoint instead of /var/run/docker.sock, or configure Traefik to use a
constrained discovery provider (TCP with TLS) so the volumes entry no longer
mounts /var/run/docker.sock; update the Traefik service's volumes and provider
endpoint references accordingly and ensure the proxy service exposes only the
minimal API scopes needed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 24fd5ee6-4181-4f1d-8edd-5a9286360a14

📥 Commits

Reviewing files that changed from the base of the PR and between dc3fa58 and a3d3106.

📒 Files selected for processing (12)

• .github/workflows/integration.yml
• .github/workflows/release.yml
• Makefile
• integration/.env
• integration/config.yml
• integration/docker-compose.envoy.yml
• integration/docker-compose.nginx.yml
• integration/docker-compose.traefik.yml
• integration/envoy.yml
• integration/integrarion_tests.go
• integration/integration.go
• integration/nginx.conf

💤 Files with no reviewable changes (1)

• .github/workflows/release.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix typo in assertion error message.

Line [26] has "or to to contain"; this makes failure output noisier than needed in CI logs.

Suggested fix

-		return fmt.Errorf("expected status code %d or to to contain '<div id=\"root\"></div>', got %d", http.StatusUnauthorized, resp.StatusCode)
+		return fmt.Errorf("expected status code %d or to contain '<div id=\"root\"></div>', got %d", http.StatusUnauthorized, resp.StatusCode)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	return fmt.Errorf("expected status code %d or to to contain '<div id=\"root\"></div>', got %d", http.StatusUnauthorized, resp.StatusCode)
	return fmt.Errorf("expected status code %d or to contain '<div id=\"root\"></div>', got %d", http.StatusUnauthorized, resp.StatusCode)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@integration/integrarion_tests.go` at line 26, Fix the typo in the assertion
error message inside the fmt.Errorf call that currently reads "or to to contain"
— update the string to "or to contain" so the error message is clean; locate the
fmt.Errorf call in integrarion_tests.go (the line that constructs the error
about expected status code http.StatusUnauthorized and presence of '<div
id=\"root\"></div>') and correct the duplicated "to".

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n integration/integration.go | head -200

Repository: steveiliop56/tinyauth

Length of output: 5430

---

Add timeouts to HTTP clients and close response bodies in health-check loop.

Line 130 and line 171 create HTTP clients without timeouts. Line 170's ticker is never stopped. Line 182's response body is never closed. These issues cause connection leaks during retries and can hang CI.

Proposed fix

-	client := &http.Client{}
+	client := &http.Client{Timeout: 15 * time.Second}
@@
 func waitForHealthy() error {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
 
 	ticker := time.NewTicker(10 * time.Second)
+	defer ticker.Stop()
-	client := http.Client{}
+	client := http.Client{Timeout: 3 * time.Second}
@@
 			res, err := client.Do(req)
 			if err != nil {
 				continue
 			}
+			defer res.Body.Close()
 			if res.StatusCode == http.StatusOK {
 				return nil
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@integration/integration.go` around lines 130 - 132, The HTTP client created
as client := &http.Client{} in integration.go lacks a timeout and the
health-check loop leaks resources: modify the client instantiation used by
runTests (and any other HTTP clients in this file) to set a sensible Timeout
(e.g., http.Client{Timeout: ...}) and/or configure Transport timeouts; in the
health-check loop ensure the ticker started for retries is stopped (call
ticker.Stop() when exiting the loop) and always close the HTTP response body
(defer resp.Body.Close() or explicitly close resp.Body after each request) to
prevent connection leaks.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's locate and examine the integration.go file
fd integration.go

Repository: steveiliop56/tinyauth

Length of output: 91

---

🏁 Script executed:

# Read the file to see the actual code around lines 147-150
cat -n integration/integration.go | head -160 | tail -30

Repository: steveiliop56/tinyauth

Length of output: 835

---

🏁 Script executed:

# Also search for the callsite in createInstanceAndRunTests
rg -n "createInstanceAndRunTests" integration/integration.go -A 30 | head -50

Repository: steveiliop56/tinyauth

Length of output: 1565

---

🏁 Script executed:

# Check for other calls to setupCmdLogging
rg "setupCmdLogging" integration/integration.go

Repository: steveiliop56/tinyauth

Length of output: 125

---

🏁 Script executed:

# See the complete setupCmdLogging function
sed -n '147,170p' integration/integration.go

Repository: steveiliop56/tinyauth

Length of output: 606

---

Handle StdoutPipe/StderrPipe errors instead of discarding them.

Ignoring these errors makes logging setup brittle and can lead to runtime issues when log mode is enabled. The function should return an error and the callsite at line 110 in createInstanceAndRunTests should handle it.

🛠️ Proposed fix

-func setupCmdLogging(cmd *exec.Cmd) {
-	stdout, _ := cmd.StdoutPipe()
-	stderr, _ := cmd.StderrPipe()
+func setupCmdLogging(cmd *exec.Cmd) error {
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return err
+	}
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return err
+	}
 
 	go func() {
 		scanner := bufio.NewScanner(stdout)
 		for scanner.Scan() {
 			slog.Info("docker out", "stdout", scanner.Text())
 		}
 	}()
 
 	go func() {
 		scanner := bufio.NewScanner(stderr)
 		for scanner.Scan() {
 			slog.Error("docker out", "stderr", scanner.Text())
 		}
 	}()
+
+	return nil
 }

And at the callsite in createInstanceAndRunTests:

 	if log {
-		setupCmdLogging(cmd)
+		if err := setupCmdLogging(cmd); err != nil {
+			return err
+		}
 	}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func setupCmdLogging(cmd *exec.Cmd) {
	stdout, _ := cmd.StdoutPipe()
	stderr, _ := cmd.StderrPipe()
	func setupCmdLogging(cmd *exec.Cmd) error {
	stdout, err := cmd.StdoutPipe()
	if err != nil {
	return err
	}
	stderr, err := cmd.StderrPipe()
	if err != nil {
	return err
	}
	go func() {
	scanner := bufio.NewScanner(stdout)
	for scanner.Scan() {
	slog.Info("docker out", "stdout", scanner.Text())
	}
	}()
	go func() {
	scanner := bufio.NewScanner(stderr)
	for scanner.Scan() {
	slog.Error("docker out", "stderr", scanner.Text())
	}
	}()
	return nil
	}

Suggested change

	func setupCmdLogging(cmd *exec.Cmd) {
	stdout, _ := cmd.StdoutPipe()
	stderr, _ := cmd.StderrPipe()
	if log {
	if err := setupCmdLogging(cmd); err != nil {
	return err
	}
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@integration/integration.go` around lines 147 - 150, The setupCmdLogging
function currently ignores errors from cmd.StdoutPipe() and cmd.StderrPipe();
change setupCmdLogging to return an error (e.g., func setupCmdLogging(cmd
*exec.Cmd) (/*old return values if any*/, error)) and propagate any errors from
StdoutPipe and StderrPipe instead of discarding them, and update the caller
createInstanceAndRunTests to handle the returned error at the callsite (where
setupCmdLogging is invoked around line 110) by checking the error and returning
or logging it appropriately; reference the StdoutPipe, StderrPipe symbols and
the setupCmdLogging and createInstanceAndRunTests function names to locate the
changes.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify how integration CLI parses arguments/flags (read-only reconnaissance).
# Expected: determine whether a leading standalone "--" would stop parsing --log=false.

rg -n -C3 --type go 'flag\.|pflag|cobra|urfave|os\.Args|log' integration

Repository: steveiliop56/tinyauth

Length of output: 6362

---

Remove the -- separator so the --log=false flag is properly parsed.

The -- separator in Go's flag package stops flag parsing, leaving --log=false as a positional argument instead of being processed as a flag. Remove it to allow the flag to be recognized.

Fix

 integration:
-	go run ./integration -- --log=false
+	go run ./integration --log=false

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	go run ./integration -- --log=false
	integration:
	go run ./integration --log=false

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Makefile` at line 91, The Makefile target currently runs "go run
./integration -- --log=false" which uses the "--" separator and prevents the
integration program from parsing the --log flag; remove the separator so the
command is "go run ./integration --log=false" (i.e., edit the Makefile line
containing go run ./integration to drop the standalone "--") so the flag is
parsed by the Go program.