From 78ef92a8a5ff2989a3a1c02f165b93a842f44aa4 Mon Sep 17 00:00:00 2001
From: Tore Martin Hagen
Date: Thu, 25 Jun 2026 07:27:42 +0200
Subject: [PATCH 1/4] Added creation of test users which was previously included in the image
---
 bin/reset-or-start-server.sh | 2 +-
 .../create_standalone_test_users.py | 46 +++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100755 server-scripts/create_standalone_test_users.py
diff --git a/bin/reset-or-start-server.sh b/bin/reset-or-start-server.sh
index efbf34a4e..7509fe63b 100755
--- a/bin/reset-or-start-server.sh
+++ b/bin/reset-or-start-server.sh
@@ -46,5 +46,5 @@ else
 fi
 echo creating test users on server ...
-docker exec $container_name /demo/create_standalone_test_users.py
+docker exec $container_name /app/test/create_standalone_test_users.py
 check_success
diff --git a/server-scripts/create_standalone_test_users.py b/server-scripts/create_standalone_test_users.py
new file mode 100755
index 000000000..ab107d432
--- /dev/null
+++ b/server-scripts/create_standalone_test_users.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+
+# Creates the standalone test users used by the Kosli CLI integration tests.
+#
+# This script is owned by the CLI repo (the test users are CLI test data). It is
+# mounted into the server container at /app/test via docker-compose and executed
+# there, so it relies on the server's `lib` and `model` packages being importable
+# via PYTHONPATH=/app/src.
+
+import hashlib
+
+from lib import Sku
+from model import Organizations, Users
+
+# key == person-id, value == api-key
+CLI_TEST_USERS = {
+ "docs-cmd-test-user": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6ImNkNzg4OTg5In0.e8i_lA_QrEhFncb05Xw6E_tkCHU9QfcY4OLTVUCHffY",
+ "acme-org": "v3OWZiYWu9G2IMQStYg9BcPQUQ88lJNNnTJTNq8jfvmkR1C5wVpHSs7F00JcB5i6OGeUzrKt3CwRq7ndcN4TTfMeo8ASVJ5NdHpZT7DkfRfiFvm8s7GbsIHh2PtiQJYs2UoN13T8DblV5C4oKb6-yWH73h67OhotPlKfVKazR-c",
+ "iu-org": "qM9u2_grv6pJLbACwsMMMT5LIQy82tQj2k1zjZnlXti1smnFaGwCKW4jzk0La7ae9RrSYvEwCXSsXknD6YZqd-onLaaIUUKtEn6-B6yh53vWIe9EC5u85FCbKZjFbaicp_d0Me0Zcqq_KcCgrAZRX9xggl_pBb2oaCsNdllqNjk",
+ "system-tests-user": "95-IeGBfyKdTteLdKidiAnXk6uMmV6jTkGM9v3DEtrQ",
+}
+
+
+def create_standalone_test_users(test_users):
+ users = Users()
+ orgs = Organizations()
+
+ for user_name, api_key in test_users.items():
+ uid = hashlib.sha256(user_name.encode("utf-8")).hexdigest()[0:24]
+ login_data = {
+ "userId": uid,
+ "name": user_name,
+ "email": "default@example.com",
+ "picture": "",
+ }
+ users.create("descope", login_data)
+ user = users.find_by_auth_user_id(login_data["userId"])
+ user.completed_signup = True
+ user.add_api_key(api_key, user, 0, "")
+ user.auth_token = "213c18081df7f738ec479107b86f97ec678b1d54"
+
+ orgs.create_shared(f"{user_name}-shared", sku=Sku().existing_orgs, owner=user)
+
+
+if __name__ == "__main__":
+ create_standalone_test_users(CLI_TEST_USERS)
From 88b711faee8600ba1c41e10c17598a8d9cadf174 Mon Sep 17 00:00:00 2001
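Review bot: Nothing in `server-scripts/create_standalone_test_users.py` checks that it is running against the disposable integration-test server before it writes the four API keys from `CLI_TEST_USERS` and the fixed `auth_token`, all of which are committed in this repository. If the script were ever mounted into a container backed by a shared or persistent database, it would create accounts that anyone who can read the repo can authenticate as. A guard in the `__main__` block would make that mistake fail loudly, for example `if os.environ.get("SEED_TEST_USERS") != "1": sys.exit("refusing to seed test users")`, where `SEED_TEST_USERS` is a placeholder name for a variable set only by the test docker-compose file (plus `import os` and `import sys`). The loop also gives every user the same `auth_token`; if the server looks sessions up by token the four users may not be distinguishable, so deriving it per user the way `uid` is derived is worth considering.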
From: Tore Martin Hagen
Date: Thu, 25 Jun 2026 07:34:25 +0200
Subject: [PATCH 2/4] Do not pull down remote server image if running from local image
---
 bin/reset-or-start-server.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/bin/reset-or-start-server.sh b/bin/reset-or-start-server.sh
index 7509fe63b..f51678915 100755
--- a/bin/reset-or-start-server.sh
+++ b/bin/reset-or-start-server.sh
@@ -24,10 +24,16 @@ check_success()
 restart_server() {
 echo restarting server ...
- ./bin/docker_login_aws.sh staging
+ # Only remote (digest-pinned) images need an AWS login and pull. The local-image
+ # flow uses the plain "merkely" tag, which is built locally — skip both.
+ if [[ "$KOSLI_SERVER_IMAGE" == *"@sha256:"* ]]; then
+ ./bin/docker_login_aws.sh staging
+ docker pull "${KOSLI_SERVER_IMAGE}" || true
+ else
+ echo "local image — skipping AWS login and pull"
+ fi
 docker compose down || true
 echo -e "\033[38;5;208musing server image\033[0m ${KOSLI_SERVER_IMAGE}"
- docker pull ${KOSLI_SERVER_IMAGE} || true
 docker compose up -d
 ./mongo/ip_wait.sh localhost:9010/minio/health/live
 ./mongo/ip_wait.sh localhost:8001/ready
From d62b5e96483e0c7fa05e8d1489ab9624ffaf77fb Mon Sep 17 00:00:00 2001
From: Tore Martin Hagen
Date: Thu, 25 Jun 2026 07:46:07 +0200
Subject: [PATCH 3/4] Update after comment from reviewer
---
 server-scripts/create_standalone_test_users.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server-scripts/create_standalone_test_users.py b/server-scripts/create_standalone_test_users.py
index ab107d432..3f9fd45bc 100755
--- a/server-scripts/create_standalone_test_users.py
+++ b/server-scripts/create_standalone_test_users.py
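Review bot: In `restart_server()` (bin/reset-or-start-server.sh) the new `else` branch treats every value that does not contain `@sha256:` as a local image, which includes an empty or unset `KOSLI_SERVER_IMAGE` and a registry image referenced by tag. In those cases the AWS login and pull are skipped and `docker compose up -d` will either fail later or start whatever copy is already cached, so the tests can run against a stale server without any warning. Failing early on the empty case is a one-line change at the top of the function, `: "${KOSLI_SERVER_IMAGE:?KOSLI_SERVER_IMAGE must be set}"`, and the local branch could match the expected local tag explicitly instead of being the fallback. The `docker pull ... || true` kept in the digest branch still hides a failed pull; the function continues past the end of this hunk, so whether a later step catches that is not visible here.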
@@ -36,7 +36,8 @@ def create_standalone_test_users(test_users):
 users.create("descope", login_data)
 user = users.find_by_auth_user_id(login_data["userId"])
 user.completed_signup = True
- user.add_api_key(api_key, user, 0, "")
+ user.add_api_key(api_key=api_key, setting_user=user, expires_at=0, description="")
+ # fixed auth_token so tests have a stable session token to authenticate with
 user.auth_token = "213c18081df7f738ec479107b86f97ec678b1d54"
 orgs.create_shared(f"{user_name}-shared", sku=Sku().existing_orgs, owner=user)
From 5831a8bbf7b2f8565697f1169e32a8cfec286ea2 Mon Sep 17 00:00:00 2001
From: Tore Martin Hagen
Date: Thu, 25 Jun 2026 07:51:40 +0200
Subject: [PATCH 4/4] ci: exclude test-user fixture from Snyk Code scan
The hardcoded auth_token is fake test data used to seed the local integration-test server, not a real credential.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .snyk | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.snyk b/.snyk
index 212a26fe5..b7931a355 100644
--- a/.snyk
+++ b/.snyk
@@ -17,3 +17,7 @@ exclude:
 # (a graphql `Login` field) as a hardcoded credential. It is a public
 # identifier in test data, not a secret. See kosli-dev/server#5479.
 - internal/github/build_pr_evidence_test.go
+ # False positive: Snyk Code flags the hardcoded test session token (auth_token)
+ # in this test-user fixture as a secret. It is fake test data, not a real
+ # credential, and is used only to seed the local integration-test server.
+ - server-scripts/create_standalone_test_users.py
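Review bot: The keyword form of `add_api_key` in `create_standalone_test_users()` now shows `expires_at=0` and `description=""`, but neither value is explained, and an empty description leaves these well-known keys indistinguishable from ordinary ones in the server's data. A label such as `description="cli-integration-test fixture"` would make a seeded key easy to spot and revoke if it ever turned up outside the test database. A short comment on the expiry would also help, for instance `# expires_at=0: presumably "never expires" — confirm against the server model`. The enclosing loop starts above this hunk.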
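Review bot: Excluding the whole path in `.snyk` means any later finding in `server-scripts/create_standalone_test_users.py`, including a real credential pasted in by mistake, would go unreported by Snyk Code. The added comment also justifies only `auth_token`, while the file holds four API keys in `CLI_TEST_USERS` as well, one of them JWT-shaped, so the rationale should state that those are fixture values too. If a per-finding ignore is available in your Snyk setup it would be a narrower choice than a path exclusion. Otherwise extend the first comment line to something like `# False positive: Snyk Code flags the hardcoded test session token (auth_token) and API keys (CLI_TEST_USERS)` and keep the file limited to fixture data.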