Update app-tests to use local Gitea server instead of Github (#808)

* Update app-tests to use local Gitea server instead of Github

- Added a minimal Gitea service to the Docker Compose configuration for local testing.
- Updated the `run.sh` script to initialize Gitea and create a test repository with policy files.
- Modified the README to reflect the new testing approach and prerequisites.
- Introduced new policy files and data structures for comprehensive end-to-end testing.
- Improved error handling and logging in the testing scripts for better troubleshooting.

* Rename test-docker job to e2e-tests in GitHub Actions workflow and simplify run script execution by removing unnecessary SSH key setup steps.

* Refactor GitHub Actions workflow to improve script execution format in app-tests job

* Revert

* Revert

---------

Co-authored-by: OPAL Test <[email protected]>

Author: danyi1212

.github/workflows/tests.yml

@@ -52,9 +52,10 @@ jobs:
       run: |
         pytest
 
-  test-docker:
+  e2e-tests:
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    name: E2E Tests
     steps:
       # BUILD PHASE
       - name: Checkout

app-tests/README.md

@@ -1,51 +1,62 @@
-# OPAL Application Tests
+# OPAL E2E Tests
 
-To fully test OPAL's core features as part of our CI flow,
-We're using a bash script and a docker-compose configuration that enables most of OPAL's important features.
+This directory contains end-to-end tests for OPAL using a local Gitea git server instead of relying on external services like GitHub.
 
-## How To Run Locally
+## Overview
 
-### Controlling the image tag
+The tests spin up a complete OPAL environment including:
+- A local Gitea git server to host the policy repository
+- Multiple OPAL server instances (2 replicas)
+- Multiple OPAL client instances (2 replicas)
+- A PostgreSQL database for broadcast communication
+- Policy files loaded from `opal-tests-policy-repo-main/`
 
-By default, tests would run with the `latest` image tag (for both server & client).
+## Prerequisites
 
-To configure another specific version:
+- Docker and Docker Compose
+- Bash shell
+- Basic Unix tools (curl, git, openssl, ssh-keygen)
 
-```bash
-export OPAL_IMAGE_TAG=0.7.1
-```
+## Running the Tests
 
-Or if you want to test locally built images
+Simply run:
 ```bash
-make docker-build-next
-export OPAL_IMAGE_TAG=next
+./run.sh
 ```
 
-### Using a policy repo
+The script will:
+1. Generate authentication keys and tokens
+2. Start a local Gitea server
+3. Create a test repository with initial policy files
+4. Start OPAL servers and clients
+5. Run various tests including:
+   - Policy updates via git push
+   - Data updates via API
+   - Statistics verification
+   - Broadcast channel disconnection handling
 
-To test opal's git tracking capabilities, `run.sh` uses a dedicated GitHub repo ([opal-tests-policy-repo](https://github.com/permitio/opal-tests-policy-repo)) in which it creates branches and pushes new commits.
+## Test Policy Files
 
-If you're not accessible to that repo (not in `Permit.io`), Please fork our public [opal-example-policy-repo](https://github.com/permitio/opal-example-policy-repo), and override the repo URL to be used:
-```bash
-export [email protected]:your-org/your-repo.git
-```
-
-As `run.sh` requires push permissions, and as `opal-server` itself might need to authenticate GitHub (if your repo is private). If your GitHub ssh private key is not stored at `~/.ssh/id_rsa`, provide it using:
-```bash
-# Use an absolute path
-export OPAL_POLICY_REPO_SSH_KEY_PATH=$(realpath ./your_github_ssh_private_key)
-```
+The test policies are stored in `opal-tests-policy-repo-main/` and include:
+- `rbac.rego` - Role-based access control policies
+- `utils.rego` - Utility functions
+- `policy.cedar` - Cedar policy examples
+- `data.json` - Initial data
+- `.manifest` - Repository manifest
 
+## Troubleshooting
 
-### Putting it all together
+If tests fail:
+1. Check Docker logs: `docker compose -f docker-compose-app-tests.yml logs`
+2. Ensure ports 3000, 7002-7003, 7766-7767, 8181-8182 are available
+3. Clean up and retry: `docker compose -f docker-compose-app-tests.yml down -v`
 
-```bash
-make docker-build-next # To locally build opal images
-export OPAL_IMAGE_TAG=next # Otherwise would default to "latest"
+The script automatically retries up to 5 times to handle transient failures.
 
-export [email protected]:your-org/your-repo.git # To use your own repo for testing (if you're not an Permit.io employee yet...)
-export OPAL_POLICY_REPO_SSH_KEY_PATH=$(realpath ./your_github_ssh_private_key) # If your GitHub ssh key isn't in "~.ssh/id_rsa"
+## Cleanup
 
-cd app-tests
-./run.sh
+The script automatically cleans up all resources on exit. Manual cleanup:
+```bash
+docker compose -f docker-compose-app-tests.yml down -v
+rm -rf opal-tests-policy-repo temp-repo gitea-data git-repos .env
 ```

app-tests/docker-compose-app-tests.yml

@@ -1,4 +1,46 @@
 services:
+  # Minimal Gitea for testing - no authentication, stateless
+  gitea:
+    image: gitea/gitea:latest-rootless
+    container_name: gitea
+    environment:
+      - GITEA__server__DOMAIN=localhost
+      - GITEA__server__HTTP_PORT=3000
+      - GITEA__server__ROOT_URL=http://localhost:3000/
+      - GITEA__server__OFFLINE_MODE=true
+      # Security settings - disable all authentication
+      - GITEA__security__INSTALL_LOCK=true
+      - GITEA__security__SECRET_KEY=not-so-secret
+      - GITEA__security__INTERNAL_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
+      # Service settings - allow anonymous access
+      - GITEA__service__DISABLE_REGISTRATION=true
+      - GITEA__service__REQUIRE_SIGNIN_VIEW=false
+      - GITEA__service__ENABLE_NOTIFY_MAIL=false
+      - GITEA__service__ENABLE_CAPTCHA=false
+      - GITEA__service__DEFAULT_ALLOW_CREATE_ORGANIZATION=true
+      - GITEA__service__DEFAULT_ENABLE_DEPENDENCIES=false
+      # Repository settings
+      - GITEA__repository__ENABLE_PUSH_CREATE_USER=true
+      - GITEA__repository__ENABLE_PUSH_CREATE_ORG=true
+      - GITEA__repository__DEFAULT_BRANCH=main
+      - GITEA__repository__DEFAULT_PRIVATE=false
+      # Disable features we don't need
+      - GITEA__webhook__ALLOWED_HOST_LIST=*
+      - GITEA__migrations__ALLOWED_DOMAINS=*
+      - GITEA__federation__ENABLED=false
+      - GITEA__packages__ENABLED=false
+      - GITEA__actions__ENABLED=false
+      # Allow anonymous git operations
+      - GITEA__repository__ENABLE_PUSH_CREATE_USER=true
+      - GITEA__repository__ENABLE_PUSH_CREATE_ORG=true
+      - GITEA__repository__FORCE_PRIVATE=false
+      - GITEA__server__ENABLE_GZIP=false
+    ports:
+      - "3000:3000"
+      - "2222:2222"
+    networks:
+      - default
+
   broadcast_channel:
     image: postgres:alpine
     environment:
@@ -15,9 +57,8 @@ services:
     environment:
       - OPAL_BROADCAST_URI=postgres://postgres:postgres@broadcast_channel:5432/postgres
       - UVICORN_NUM_WORKERS=4
-      - OPAL_POLICY_REPO_URL=${OPAL_POLICY_REPO_URL:[email protected]:permitio/opal-tests-policy-repo.git}
-      - OPAL_POLICY_REPO_MAIN_BRANCH=${POLICY_REPO_BRANCH}
-      - OPAL_POLICY_REPO_SSH_KEY=${OPAL_POLICY_REPO_SSH_KEY}
+      - OPAL_POLICY_REPO_URL=http://gitea:3000/gitea_admin/policy-repo.git
+      - OPAL_POLICY_REPO_MAIN_BRANCH=${POLICY_REPO_BRANCH:-main}
       - OPAL_DATA_CONFIG_SOURCES={"config":{"entries":[{"url":"http://opal_server:7002/policy-data","config":{"headers":{"Authorization":"Bearer ${OPAL_CLIENT_TOKEN}"}},"topics":["policy_data"],"dst_path":"/static"}]}}
       - OPAL_LOG_FORMAT_INCLUDE_PID=true
       - OPAL_POLICY_REPO_WEBHOOK_SECRET=xxxxx
@@ -33,6 +74,7 @@ services:
       - "7002-7003:7002"
     depends_on:
       - broadcast_channel
+      - gitea
 
   opal_client:
     image: permitio/opal-client:${OPAL_IMAGE_TAG:-latest}

app-tests/opal-tests-policy-repo-main/README.md

@@ -0,0 +1 @@
+# opal-tests-policy-repo

app-tests/opal-tests-policy-repo-main/data.json

@@ -0,0 +1,90 @@
+{
+  "users": {
+    "alice": {
+      "roles": ["admin"],
+      "location": {
+        "country": "US",
+        "ip": "8.8.8.8"
+      }
+    },
+    "bob": {
+      "roles": ["employee", "billing"],
+      "location": {
+        "country": "US",
+        "ip": "8.8.8.8"
+      }
+    },
+     "sunil": {
+      "roles": ["guest"],
+      "location": {
+        "country": "US",
+        "ip": "8.8.8.8"
+      }
+    },
+    "eve": {
+      "roles": ["customer"],
+      "location": {
+        "country": "US",
+        "ip": "8.8.8.8"
+      }
+    }
+  },
+  "role_permissions": {
+    "customer": [
+      {
+        "action": "read",
+        "type": "dog"
+      },
+      {
+        "action": "read",
+        "type": "cat"
+      },
+      {
+        "action": "adopt",
+        "type": "dog"
+      },
+      {
+        "action": "adopt",
+        "type": "cat"
+      }
+    ],
+    "employee": [
+      {
+        "action": "read",
+        "type": "dog"
+      },
+      {
+        "action": "read",
+        "type": "cat"
+      },
+      {
+        "action": "update",
+        "type": "dog"
+      },
+      {
+        "action": "update",
+        "type": "cat"
+      }
+    ],
+    "billing": [
+      {
+        "action": "read",
+        "type": "finance"
+      },
+      {
+        "action": "update",
+        "type": "finance"
+      }
+    ],
+    "guest": [
+     {
+       "action": "read",
+       "type": "cat"
+     },
+     {
+       "action": "read",
+       "type": "finance"
+     }
+    ]
+  }
+}

app-tests/opal-tests-policy-repo-main/policy.cedar

@@ -0,0 +1,9 @@
+permit(
+    principal in Role::"Editor",
+    action in [
+        Action::"document:read",
+        Action::"document:write",
+        Action::"document:delete"
+	],
+    resource in ResourceType::"document"
+);

app-tests/opal-tests-policy-repo-main/rbac.rego

@@ -0,0 +1,99 @@
+# Role-based Access Control (RBAC)
+# --------------------------------
+#
+# This example defines an RBAC model for a Pet Store API. The Pet Store API allows
+# users to look at pets, adopt them, update their stats, and so on. The policy
+# controls which users can perform actions on which resources. The policy implements
+# a classic Role-based Access Control model where users are assigned to roles and
+# roles are granted the ability to perform some action(s) on some type of resource.
+#
+# This example shows how to:
+#
+#	* Define an RBAC model in Rego that interprets role mappings represented in JSON.
+#	* Iterate/search across JSON data structures (e.g., role mappings)
+#
+# For more information see:
+#
+#	* Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/
+#	* Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration
+
+package app.rbac
+
+# import data.utils
+
+# By default, deny requests
+default allow = false
+
+# Allow admins to do anything
+allow {
+	user_is_admin
+}
+
+# Allow bob to do anything
+#allow {
+#	input.user == "bob"
+#}
+
+# you can ignore this rule, it's simply here to create a dependency
+# to another rego policy file, so we can demonstate how to work with
+# an explicit manifest file (force order of policy loading).
+#allow {
+#	input.matching_policy.grants
+#	input.roles
+#	utils.hasPermission(input.matching_policy.grants, input.roles)
+#}
+
+# Allow the action if the user is granted permission to perform the action.
+allow {
+	# Find permissions for the user.
+	some permission
+	user_is_granted[permission]
+
+	# Check if the permission permits the action.
+	input.action == permission.action
+	input.type == permission.type
+
+	# unless user location is outside US
+	country := data.users[input.user].location.country
+	country == "US"
+}
+
+# user_is_admin is true if...
+user_is_admin {
+	# for some `i`...
+	some i
+
+	# "admin" is the `i`-th element in the user->role mappings for the identified user.
+	data.users[input.user].roles[i] == "admin"
+}
+
+# user_is_viewer is true if...
+user_is_viewer {
+	# for some `i`...
+	some i
+
+	# "viewer" is the `i`-th element in the user->role mappings for the identified user.
+	data.users[input.user].roles[i] == "viewer"
+}
+
+# user_is_guest is true if...
+user_is_guest {
+	# for some `i`...
+	some i
+
+	# "guest" is the `i`-th element in the user->role mappings for the identified user.
+	data.users[input.user].roles[i] == "guest"
+}
+
+
+# user_is_granted is a set of permissions for the user identified in the request.
+# The `permission` will be contained if the set `user_is_granted` for every...
+user_is_granted[permission] {
+	some i, j
+
+	# `role` assigned an element of the user_roles for this user...
+	role := data.users[input.user].roles[i]
+
+	# `permission` assigned a single permission from the permissions list for 'role'...
+	permission := data.role_permissions[role][j]
+}

app-tests/opal-tests-policy-repo-main/utils.rego

@@ -0,0 +1,4 @@
+package utils
+hasPermission(grants, roles) {
+	grants[_] == roles[_]
+}