From 7e546ec9e3f859351223cc7f97302b62c0340507 Mon Sep 17 00:00:00 2001 From: defiQUG Date: Sat, 28 Mar 2026 17:29:50 -0700 Subject: [PATCH] feat(e2e): add SSO, docs.d-bis, blockscout.defi-oracle to routing verifier - DOMAIN_TYPES_ALL: keycloak/admin/portal/dash, docs.d-bis.org, blockscout.defi-oracle.io (web) - E2E_OPTIONAL_WHEN_FAIL: same set for soft failures off-LAN - Optional Blockscout /api/v2/stats for blockscout.defi-oracle.io - print-gitea-actions-urls.sh: browser URLs (Actions API not relied on) - E2E_ENDPOINTS_LIST + FQDN inventory alignment updated Made-with: Cursor --- docs/04-configuration/E2E_ENDPOINTS_LIST.md | 17 ++++++++++++++++- .../04-configuration/FQDN_EXPECTED_CONTENT.md | 2 +- scripts/verify/print-gitea-actions-urls.sh | 16 ++++++++++++++++ scripts/verify/verify-end-to-end-routing.sh | 19 ++++++++++++++----- 4 files changed, 47 insertions(+), 7 deletions(-) create mode 100755 scripts/verify/print-gitea-actions-urls.sh diff --git a/docs/04-configuration/E2E_ENDPOINTS_LIST.md b/docs/04-configuration/E2E_ENDPOINTS_LIST.md index 06deff8..e48f82f 100644 --- a/docs/04-configuration/E2E_ENDPOINTS_LIST.md +++ b/docs/04-configuration/E2E_ENDPOINTS_LIST.md 
@@ -4,7 +4,8 @@ **List from CLI (public):** `./scripts/verify/verify-end-to-end-routing.sh --list-endpoints --profile=public` **List from CLI (private/admin):** `./scripts/verify/verify-end-to-end-routing.sh --list-endpoints --profile=private` **Run E2E (public profile recommended):** `./scripts/verify/verify-end-to-end-routing.sh --profile=public` (from LAN with DNS or use `E2E_USE_SYSTEM_RESOLVER=1` and `/etc/hosts` per [E2E_DNS_FROM_LAN_RUNBOOK.md](E2E_DNS_FROM_LAN_RUNBOOK.md)). -**Run E2E (private/admin):** `./scripts/verify/verify-end-to-end-routing.sh --profile=private`. +**Run E2E (private/admin):** `./scripts/verify/verify-end-to-end-routing.sh --profile=private`. +**Gitea Actions (umbrella / cc-*):** no stable unauthenticated REST for all Gitea versions — print UI URLs with `./scripts/verify/print-gitea-actions-urls.sh` and confirm jobs in the browser after push. **What each hostname should present (operator narrative):** [FQDN_EXPECTED_CONTENT.md](FQDN_EXPECTED_CONTENT.md). 
@@ -38,6 +39,12 @@ | the-order.sankofa.nexus | web | https://the-order.sankofa.nexus | OSJ management portal (secure auth); app **the_order** at `~/projects/the_order`. NPM upstream default: **order-haproxy** VMID **10210** `http://192.168.11.39:80` → portal **192.168.11.51:3000** (`provision-order-haproxy-10210.sh`). Override with `THE_ORDER_UPSTREAM_*` for direct portal if 10210 is down. | | www.the-order.sankofa.nexus | web | https://www.the-order.sankofa.nexus | **301** to `https://the-order.sankofa.nexus` (canonical apex; NPM `advanced_config`). | | studio.sankofa.nexus | web | https://studio.sankofa.nexus | Sankofa Studio (FusionAI Creator) at VMID 7805. | +| keycloak.sankofa.nexus | web | https://keycloak.sankofa.nexus | Keycloak IdP (VMID 7802); client SSO for admin/portal. | +| admin.sankofa.nexus | web | https://admin.sankofa.nexus | Client SSO: access administration (hostname intent; NPM upstream TBD). | +| portal.sankofa.nexus | web | https://portal.sankofa.nexus | Client SSO: portal / marketplace (typical upstream VMID 7801). | +| dash.sankofa.nexus | web | https://dash.sankofa.nexus | Operator systems dashboard (IP allowlist + MFA intent; upstream TBD). | +| docs.d-bis.org | web | https://docs.d-bis.org | Docs on explorer nginx where configured. | +| blockscout.defi-oracle.io | web | https://blockscout.defi-oracle.io | Generic Blockscout hostname (often VMID 5000); not canonical Chain 138 **explorer.d-bis.org**. | | cacti-alltra.d-bis.org | web | https://cacti-alltra.d-bis.org | Cacti monitoring UI for Alltra. | | cacti-hybx.d-bis.org | web | https://cacti-hybx.d-bis.org | Cacti monitoring UI for HYBX. | | mifos.d-bis.org | web | https://mifos.d-bis.org | Mifos X / Fineract banking and microfinance platform (VMID 5800). | 
@@ -85,6 +92,12 @@ | the-order.sankofa.nexus | https://the-order.sankofa.nexus | | www.the-order.sankofa.nexus | https://www.the-order.sankofa.nexus | | studio.sankofa.nexus | https://studio.sankofa.nexus | +| keycloak.sankofa.nexus | https://keycloak.sankofa.nexus | +| admin.sankofa.nexus | https://admin.sankofa.nexus | +| portal.sankofa.nexus | https://portal.sankofa.nexus | +| dash.sankofa.nexus | https://dash.sankofa.nexus | +| docs.d-bis.org | https://docs.d-bis.org | +| blockscout.defi-oracle.io | https://blockscout.defi-oracle.io | | cacti-alltra.d-bis.org | https://cacti-alltra.d-bis.org | | cacti-hybx.d-bis.org | https://cacti-hybx.d-bis.org | | mifos.d-bis.org | https://mifos.d-bis.org | 
@@ -169,6 +182,8 @@ When running from outside LAN or when backends are down, the following endpoints | studio.sankofa.nexus | Historically 404 when the proxy misses `/studio/` or backend `192.168.11.72:8000`; verifier checks `/studio/`. Passed on 2026-03-26 after the NPMplus host update | | phoenix.sankofa.nexus, www.phoenix.sankofa.nexus | (Resolved in verifier) Phoenix API (7800) is API-first; `verify-end-to-end-routing.sh` checks `https://…/health` (200), not `/`. A separate **marketing** site on the apex hostname (if desired) needs another upstream or app routes—NPM still points `phoenix.sankofa.nexus` at the Fastify API today. | | the-order.sankofa.nexus | 502 if **10210** HAProxy or backend portal is down. NPM defaults upstream to **192.168.11.39:80** (order-haproxy). Fallback: `THE_ORDER_UPSTREAM_IP` / `THE_ORDER_UPSTREAM_PORT` = portal **192.168.11.51:3000** | +| keycloak.sankofa.nexus, admin.sankofa.nexus, portal.sankofa.nexus, dash.sankofa.nexus | DNS/SSL/HTTPS **warn** or **skip** when NPM or backends are unwired; listed in `E2E_OPTIONAL_WHEN_FAIL` so the public profile still exits **0**. | +| docs.d-bis.org, blockscout.defi-oracle.io | Same optional-when-fail behavior; **blockscout.defi-oracle.io** also runs optional `/api/v2/stats` like **explorer.d-bis.org**. | **Verifier behavior (2026-03):** `openssl s_client` is wrapped with `timeout` (`E2E_OPENSSL_TIMEOUT` default 15s, `E2E_OPENSSL_X509_TIMEOUT` default 5s) so `--profile=private` / `--profile=all` cannot hang. **`--profile=all`** merges private and public `E2E_OPTIONAL_WHEN_FAIL` lists for temporary regressions. Install **`wscat`** (`npm install -g wscat`) for full WSS JSON-RPC checks; the script uses `wscat -n` to match `curl -k`, and now treats a clean `wscat` exit as a successful full WebSocket check even when the tool prints no JSON output. diff --git a/docs/04-configuration/FQDN_EXPECTED_CONTENT.md b/docs/04-configuration/FQDN_EXPECTED_CONTENT.md index aaa8585..ce82f9c 100644 
--- a/docs/04-configuration/FQDN_EXPECTED_CONTENT.md +++ b/docs/04-configuration/FQDN_EXPECTED_CONTENT.md @@ -126,4 +126,4 @@ --- -**Inventory alignment:** Public hostnames above follow `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` plus `keycloak.sankofa.nexus`, `docs.d-bis.org`, `blockscout.defi-oracle.io`, and xom-dev hosts. **`portal.sankofa.nexus`** is expected to terminate on **VMID 7801** when NPM is configured (see **Deployment Status** in [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md)). **`admin.sankofa.nexus`** and **`dash.sankofa.nexus`** remain **hostname intent** until pinned in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md) and NPM. **`blockscout.defi-oracle.io`** aligns with **VMID 5000** in routing summaries (parallel Blockscout-class UI, not **`explorer.d-bis.org`** product branding). Extend `verify-end-to-end-routing.sh` when new proxy rows are production-required. +**Inventory alignment:** `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` includes **`keycloak.sankofa.nexus`**, **`admin.sankofa.nexus`**, **`portal.sankofa.nexus`**, **`dash.sankofa.nexus`**, **`docs.d-bis.org`**, and **`blockscout.defi-oracle.io`** (see [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md); `--list-endpoints --profile=public`). They are in **`E2E_OPTIONAL_WHEN_FAIL`** so unwired NPM or off-LAN runs still exit **0**. **`portal.sankofa.nexus`** is expected on **VMID 7801** when NPM is configured ( **Deployment Status** in [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md)). **`admin.sankofa.nexus`** and **`dash.sankofa.nexus`** remain **hostname intent** until pinned in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). **`blockscout.defi-oracle.io`** aligns with **VMID 5000** in routing summaries (not **`explorer.d-bis.org`** branding). **xom-dev** hostnames are not in the E2E list yet—add when NPM routes are stable. 
diff --git a/scripts/verify/print-gitea-actions-urls.sh b/scripts/verify/print-gitea-actions-urls.sh new file mode 100755 index 0000000..0315b1d --- /dev/null +++ b/scripts/verify/print-gitea-actions-urls.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +# Print Gitea Actions UI URLs (no token). Use after pushing complete-credential / cc-* repos. +# Gitea REST "actions runs" APIs vary by version; the web UI is the reliable check. +set -euo pipefail +GITEA_URL="${GITEA_URL:-https://gitea.d-bis.org}" +ORG="${GITEA_ORG:-DBIS}" +REPOS=( + complete-credential + cc-shared-authz + cc-audit-ledger + cc-eidas-connector +) +echo "Open in browser (Actions tab):" +for r in "${REPOS[@]}"; do + echo " ${GITEA_URL}/${ORG}/${r}/actions" +done diff --git a/scripts/verify/verify-end-to-end-routing.sh b/scripts/verify/verify-end-to-end-routing.sh index d526165..10cabb1 100755 --- a/scripts/verify/verify-end-to-end-routing.sh +++ b/scripts/verify/verify-end-to-end-routing.sh @@ -83,6 +83,14 @@ declare -A DOMAIN_TYPES_ALL=( ["the-order.sankofa.nexus"]="web" # OSJ portal (secure auth); app: ~/projects/the_order ["www.the-order.sankofa.nexus"]="web" # 301 → https://the-order.sankofa.nexus ["studio.sankofa.nexus"]="web" + # Client SSO / IdP / operator dash (FQDN_EXPECTED_CONTENT + EXPECTED_WEB_CONTENT Deployment Status) + ["keycloak.sankofa.nexus"]="web" + ["admin.sankofa.nexus"]="web" + ["portal.sankofa.nexus"]="web" + ["dash.sankofa.nexus"]="web" + # d-bis.org docs on explorer nginx where configured; generic Blockscout hostname (VMID 5000 when proxied) + ["docs.d-bis.org"]="web" + ["blockscout.defi-oracle.io"]="web" ["rpc.public-0138.defi-oracle.io"]="rpc-http" ["rpc.defi-oracle.io"]="rpc-http" ["wss.defi-oracle.io"]="rpc-ws" 
@@ -166,7 +174,7 @@ else fi # Domains that are optional when any test fails (off-LAN, 502, unreachable); fail → skip so run passes. -_PUB_OPTIONAL_WHEN_FAIL="dapp.d-bis.org mifos.d-bis.org explorer.d-bis.org dbis-admin.d-bis.org dbis-api.d-bis.org dbis-api-2.d-bis.org secure.d-bis.org sankofa.nexus www.sankofa.nexus phoenix.sankofa.nexus www.phoenix.sankofa.nexus the-order.sankofa.nexus www.the-order.sankofa.nexus studio.sankofa.nexus mim4u.org www.mim4u.org secure.mim4u.org training.mim4u.org rpc-http-pub.d-bis.org rpc.d-bis.org rpc2.d-bis.org rpc.public-0138.defi-oracle.io rpc.defi-oracle.io ws.rpc.d-bis.org ws.rpc2.d-bis.org" +_PUB_OPTIONAL_WHEN_FAIL="dapp.d-bis.org mifos.d-bis.org explorer.d-bis.org dbis-admin.d-bis.org dbis-api.d-bis.org dbis-api-2.d-bis.org secure.d-bis.org sankofa.nexus www.sankofa.nexus phoenix.sankofa.nexus www.phoenix.sankofa.nexus the-order.sankofa.nexus www.the-order.sankofa.nexus studio.sankofa.nexus keycloak.sankofa.nexus admin.sankofa.nexus portal.sankofa.nexus dash.sankofa.nexus docs.d-bis.org blockscout.defi-oracle.io mim4u.org www.mim4u.org secure.mim4u.org training.mim4u.org rpc-http-pub.d-bis.org rpc.d-bis.org rpc2.d-bis.org rpc.public-0138.defi-oracle.io rpc.defi-oracle.io ws.rpc.d-bis.org ws.rpc2.d-bis.org" _PRIV_OPTIONAL_WHEN_FAIL="rpc-http-prv.d-bis.org rpc-ws-prv.d-bis.org rpc-fireblocks.d-bis.org ws.rpc-fireblocks.d-bis.org" if [[ -z "${E2E_OPTIONAL_WHEN_FAIL:-}" ]]; then if [[ "$PROFILE" == "private" ]]; then 
@@ -410,15 +418,16 @@ test_domain() { result=$(echo "$result" | jq --arg time "$time_total" '.tests.https = {"status": "fail", "response_time_seconds": ($time | tonumber)}') fi # Optional: Blockscout API check for explorer.d-bis.org (does not affect E2E pass/fail) - if [ "$domain" = "explorer.d-bis.org" ] && [ "${SKIP_BLOCKSCOUT_API:-0}" != "1" ]; then + if { [ "$domain" = "explorer.d-bis.org" ] || [ "$domain" = "blockscout.defi-oracle.io" ]; } && [ "${SKIP_BLOCKSCOUT_API:-0}" != "1" ]; then log_info "Test 3b: Blockscout API (optional)" - api_body_file="$OUTPUT_DIR/explorer_d-bis_org_blockscout_api.txt" + api_safe="${domain//./_}" + api_body_file="$OUTPUT_DIR/${api_safe}_blockscout_api.txt" api_code=$(curl -s -o "$api_body_file" -w "%{http_code}" -k --connect-timeout 10 "https://$domain/api/v2/stats" 2>/dev/null || echo "000") if [ "$api_code" = "200" ] && [ -s "$api_body_file" ] && (grep -qE '"total_blocks"|"total_transactions"' "$api_body_file" 2>/dev/null); then - log_success "Blockscout API: /api/v2/stats returned 200 with stats" + log_success "Blockscout API: $domain /api/v2/stats returned 200 with stats" result=$(echo "$result" | jq '.tests.blockscout_api = {"status": "pass", "http_code": 200}') else - log_warn "Blockscout API: HTTP $api_code or invalid response (optional; run from LAN if backend unreachable)" + log_warn "Blockscout API: $domain HTTP $api_code or invalid response (optional; run from LAN if backend unreachable)" result=$(echo "$result" | jq --arg code "$api_code" '.tests.blockscout_api = {"status": "skip", "http_code": $code}') fi fi
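Review bot: In the `docs/04-configuration/E2E_ENDPOINTS_LIST.md` hunk at `@@ -4,7 +4,8 @@`, the removed and re-added `**Run E2E (private/admin):**` line is textually identical, which points to a trailing-whitespace or line-ending change; if that was not intended, drop the `-`/`+` pair so the hunk only carries the new Gitea Actions line. The new line itself is fine, but since `print-gitea-actions-urls.sh` only prints browser URLs, it would help to state that the "confirm jobs in the browser" step is a manual gate with no exit code the E2E run can consume.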
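Review bot: In the `E2E_ENDPOINTS_LIST.md` hunk at `@@ -38,6 +39,12 @@`, the `dash.sankofa.nexus` row declares an "IP allowlist + MFA intent" but does not say what the verifier should expect once that allowlist is wired; from off-LAN a denied response (for example 403) would then be the correct outcome, and an HTTPS 200 should be read as the allowlist being absent rather than as a pass. Suggest adding the expected off-LAN response to this row, as the `phoenix` and `studio` rows already do with `/health` and `/studio/`, so an operator reviewing results can tell a wired-and-enforcing host from an unwired one. The `admin.sankofa.nexus` row with "NPM upstream TBD" could carry the same note since it is also a client SSO entry point.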
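Review bot: In the `E2E_ENDPOINTS_LIST.md` hunk at `@@ -169,6 +182,8 @@`, both new rows say the hosts are "listed in `E2E_OPTIONAL_WHEN_FAIL`", but in the script the hosts are appended to the built-in default `_PUB_OPTIONAL_WHEN_FAIL`, which is only used when `E2E_OPTIONAL_WHEN_FAIL` is empty; an operator who exports their own `E2E_OPTIONAL_WHEN_FAIL` silently loses the soft-fail behaviour for all six hosts. Suggest wording it as "in the public profile's default `E2E_OPTIONAL_WHEN_FAIL` list" so the override semantics are visible from the doc.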
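Review bot: In the `docs/04-configuration/FQDN_EXPECTED_CONTENT.md` hunk at `@@ -126,4 +126,4 @@`, the rewritten paragraph drops the previous closing guidance "Extend `verify-end-to-end-routing.sh` when new proxy rows are production-required" and replaces it with the narrower xom-dev note; keeping the general sentence alongside the xom-dev one would preserve the rule for the next hostname that is added. There is also a stray space in `( **Deployment Status**` that should be `(**Deployment Status**`.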
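Review bot: In the new `scripts/verify/print-gitea-actions-urls.sh`, the `REPOS` array is hard-coded while `GITEA_URL` and `GITEA_ORG` are overridable from the environment; adding a matching `GITEA_REPOS` override (for example a space-separated list read into the array when set) would keep the three knobs consistent and avoid editing the script for every new `cc-*` repo. Printing no token and relying on the web UI is a reasonable choice given the header comment about REST variance, but the comment should state that the script does not verify anything itself so it is not mistaken for a check with a pass/fail result.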
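Review bot: In the `verify-end-to-end-routing.sh` hunk at `@@ -166,7 +174,7 @@`, `keycloak.sankofa.nexus` is now in `_PUB_OPTIONAL_WHEN_FAIL`, so a DNS, certificate or HTTPS regression on the IdP that fronts admin/portal SSO will downgrade to skip and the run will still exit 0; that is acceptable while NPM is unwired, but nothing in the diff records when these six hosts should be promoted back to hard-fail. Suggest a comment next to the list naming the wiring condition (NPM host present, upstream pinned) that should trigger their removal, and consider splitting the single long string into a one-host-per-line array so future additions produce reviewable one-line diffs instead of a full-line replacement.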
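Review bot: In the `verify-end-to-end-routing.sh` hunk at `@@ -410,15 +418,16 @@`, the unchanged context comment `# Optional: Blockscout API check for explorer.d-bis.org (does not affect E2E pass/fail)` now sits above a condition that also matches `blockscout.defi-oracle.io`; update it to name both hosts so the comment and the guard agree. The `{ ... } && [ ... ]` grouping is correct bash, and `api_safe="${domain//./_}"` is adequate for the two fixed hostnames since the output filename is derived from a `DOMAIN_TYPES_ALL` key rather than user input. Since the docs describe `blockscout.defi-oracle.io` as a generic Blockscout hostname that is not the canonical Chain 138 explorer, a 200 with `total_blocks` from it only proves some Blockscout answered; if the intent is to confirm it is a different deployment from `explorer.d-bis.org`, the log line could include which host responded, which the `$domain` interpolation in `log_success` and `log_warn` already achieves.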