9.6 KiB

Raw Blame History

k6 API tests

完整的 Gateway API smoke + journey 測試套件。所有對外端點都至少在 smoke/ 或 journeys/ 裡有一發（含登入 MFA、忘記/改密碼、註冊 resume）。

TL;DR

make k6-up           # docker：mongo + redis + mailhog + postgres + zitadel
make k6-wait         # 等 ZITADEL ready + 把 PAT 寫到 env file
make k6-gateway &    # 起 gateway（背景；吃 etc/gateway.k6.yaml）
make k6-seed-admin   # （rbac journey 才需要）seed tenant_admin user
make k6-all          # 跑 smoke + journey
make k6-down         # 清掉

單跑一個檔（記得先載入環境變數）：

source deploy/zitadel/machinekey/k6.env
k6 run test/k6/smoke/health.js
k6 run test/k6/journeys/email_register_full.js

環境變數

變數	預設	說明
`BASE_URL`	`http://localhost:8888`	Gateway base URL
`MAILHOG_URL`	`http://localhost:8025`	MailHog HTTP API（撈 email OTP）
`REDIS_ADDR`	`localhost:6379`	Redis 位址（撈 SMS OTP）
`TENANT_SLUG`	`k6-tenant`	register payload tenant
`INVITE_CODE`	`K6INVITE`	tenant 開啟 invite 時用
`ADMIN_EMAIL` / `ADMIN_PASSWORD`	—	rbac journey seeded admin
`OTP_POLL_INTERVAL_MS`	`300`	OTP poll 頻率
`OTP_POLL_TIMEOUT_MS`	`5000`	OTP poll 超時
`RESEND_COOLDOWN_SECONDS`	`60`	與 `gateway.k6.yaml` OTP 重送冷卻一致（cooldown smoke 會 sleep）

目錄結構

test/k6/
├── README.md
├── lib/                          # 共用 helper
│   ├── config.js                 # 環境變數 + unique() + SUCCESS_CODE
│   ├── http.js                   # get/post/...、checkEnvelope、withBearer
│   ├── otp.js                    # fetchEmailOTP (MailHog) / fetchSMSOTP (Redis)
│   ├── totp.js                   # HMAC-SHA1 TOTP（P4）
│   ├── auth.js                   # register / confirm / login / MFA / password helper
│   ├── member.js                 # TOTP enroll / change password helper
│   └── seed.js                   # tenant + invite + admin role bootstrap（P5）
├── smoke/                        # 每個端點至少一發
│   ├── health.js                 # GET /api/v1/health
│   ├── auth_public.js            # register / login / refresh / social-start (+negative)
│   ├── auth_register_resume.js   # register/resume（happy + 404/409/429/400）
│   ├── auth_password.js          # password/forgot + reset（happy + 各種 negative）
│   ├── auth_login_mfa.js         # login/mfa（MFA 前置 + negative）
│   ├── auth_bearer.js            # logout
│   ├── member.js                 # me / patch / verify / TOTP / change-password negative
│   ├── permission_read.js        # catalog / me
│   └── permission_admin.js       # roles CRUD / role-permissions / user-roles / mappings / policy reload
└── journeys/                     # 完整流程
    ├── email_register_full.js    # register → confirm OTP(MailHog) → me → patch → logout
    ├── register_resume_full.js   # register → resume → confirm → me
    ├── password_forgot_reset_full.js # forgot → reset → login（新密碼）
    ├── login_mfa_full.js         # enroll TOTP → login MFA → me
    ├── change_password_full.js   # change password → login（新密碼）
    ├── login_refresh.js          # login → refresh → me → logout
    ├── email_verify.js           # register → confirm → email verify start → confirm
    ├── phone_verify.js           # register → confirm → phone verify (Redis OTP)
    ├── totp_full.js              # enroll → confirm → verify → backup-codes → disable
    ├── rbac_admin.js             # role CRUD → assign → policy reload → me/permissions
    └── token_exchange.js         # ZITADEL id_token → CloudEP JWT

OTP 怎麼撈

Email → make k6-up 含 MailHog（:1025 SMTP / :8025 HTTP API）。Gateway 把 OTP 寄到 MailHog；k6 透過 /api/v2/search?kind=to&query=<email> 撈到信件，從 body 抓 6 位數。
SMS → mock provider 把 body 寫到 dev:notification:last:sms:<phone>（見 mock_sender.go WithMockRedis），k6 用 k6/experimental/redis 直接讀。

兩者都有 OTP_POLL_TIMEOUT_MS（預設 5 秒）保護，超時直接 fail。

覆蓋率（39 endpoints）

模組	端點	覆蓋
Normal	`GET /api/v1/health`	smoke/health
Auth 公開	`POST /register`	journeys/email_register_full + smoke/auth_public
Auth 公開	`POST /register/confirm`	journeys/email_register_full
Auth 公開	`POST /register/resend`	smoke/auth_public
Auth 公開	`POST /register/resume`	smoke/auth_register_resume + journeys/register_resume_full
Auth 公開	`POST /password/forgot`	smoke/auth_password + journeys/password_forgot_reset_full
Auth 公開	`POST /password/reset`	smoke/auth_password + journeys/password_forgot_reset_full
Auth 公開	`POST /login/mfa`	smoke/auth_login_mfa + journeys/login_mfa_full
Auth 公開	`POST /register/social/start`	smoke/auth_public (happy)
Auth 公開	`GET /register/social/callback`	smoke/auth_public (negative — TODO happy)
Auth 公開	`POST /login`	journeys/login_refresh + smoke/auth_public (negative)
Auth 公開	`POST /token/refresh`	journeys/login_refresh + smoke/auth_public (negative)
Auth 公開	`POST /token/exchange`	journeys/token_exchange (negative — TODO happy)
Auth 公開	`POST /login/social/start`	smoke/auth_public (happy)
Auth 公開	`GET /login/social/callback`	smoke/auth_public (negative — TODO happy)
Auth Bearer	`POST /logout`	smoke/auth_bearer + journeys/email_register_full
Member	`GET /me`	smoke/member + all journeys
Member	`PATCH /me`	smoke/member + journeys/email_register_full
Member	`POST /me/verifications/email/start`	smoke/member + journeys/email_verify
Member	`POST /me/verifications/email/confirm`	smoke/member (negative) + journeys/email_verify (happy)
Member	`POST /me/verifications/phone/start`	smoke/member + journeys/phone_verify
Member	`POST /me/verifications/phone/confirm`	smoke/member (negative) + journeys/phone_verify (happy)
Member	`GET /me/totp`	smoke/member + journeys/totp_full
Member	`POST /me/totp/enroll-start`	smoke/member + journeys/totp_full
Member	`POST /me/totp/enroll-confirm`	smoke/member (negative) + journeys/totp_full (happy)
Member	`POST /me/totp/verify`	smoke/member (negative) + journeys/totp_full (happy)
Member	`POST /me/totp/backup-codes`	smoke/member (negative) + journeys/totp_full (happy)
Member	`DELETE /me/totp`	smoke/member + journeys/totp_full
Member	`POST /me/password`	smoke/member (negative) + journeys/change_password_full
Perm 讀	`GET /permissions/catalog`	smoke/permission_read + journeys/rbac_admin
Perm 讀	`GET /permissions/me`	smoke/permission_read + journeys/rbac_admin
Perm 管理	`GET /roles`	smoke/permission_admin + journeys/rbac_admin
Perm 管理	`POST /roles`	smoke/permission_admin + journeys/rbac_admin
Perm 管理	`PATCH /roles/:id`	smoke/permission_admin + journeys/rbac_admin
Perm 管理	`DELETE /roles/:id`	smoke/permission_admin + journeys/rbac_admin
Perm 管理	`GET /roles/:id/permissions`	smoke/permission_admin + journeys/rbac_admin
Perm 管理	`PUT /roles/:id/permissions`	smoke/permission_admin + journeys/rbac_admin
Perm 管理	`GET /users/:uid/roles`	smoke/permission_admin + journeys/rbac_admin
Perm 管理	`POST /users/:uid/roles`	smoke/permission_admin + journeys/rbac_admin
Perm 管理	`DELETE /users/:uid/roles/:role_id`	smoke/permission_admin + journeys/rbac_admin
Perm 管理	`GET /role-mappings`	smoke/permission_admin
Perm 管理	`PUT /role-mappings`	smoke/permission_admin
Perm 管理	`DELETE /role-mappings`	smoke/permission_admin
Perm 管理	`POST /policy/reload`	smoke/permission_admin + journeys/rbac_admin

RBAC 系列（需 admin seed）

journeys/rbac_admin.js 需要 ADMIN_EMAIL / ADMIN_PASSWORD 環境變數。make k6-seed-admin 會跑 cmd/k6-seed-admin：

用 API 註冊一個固定的 k6-admin@k6.local
從 MailHog 撈 OTP 完成 confirm
寫入 permission catalog + 預設 system roles（透過 internal/model/permission/seed）
指派 tenant_admin 給該 UID
把 ADMIN_EMAIL / ADMIN_PASSWORD / ADMIN_UID 寫到 k6.env

k6-seed-admin 是冪等的，重跑沒事。

沒跑 seed 時，rbac_admin.js 會印 skip notice 並 exit 0（admin endpoint 的路由存在性已由 smoke/permission_admin.js 涵蓋）。

已知無法純 k6 跑的

GET /api/v1/auth/register/social/callback 與 GET /api/v1/auth/login/social/callback happy path 需要 Google OAuth UI 跳轉，純 k6 無法走完。Smoke 只覆蓋 negative（無效 state → 400）。
POST /api/v1/auth/token/exchange happy path 需要一個來自 ZITADEL 的有效 id_token；目前 make k6-up 的 ZITADEL bootstrap 只建 service account PAT，沒有開 OIDC client password grant，因此 happy 路徑 TODO，smoke 只跑 negative。要開：在 deploy/zitadel/steps.yaml 加 Application + password grant，再用 /oauth/v2/token 拿 id_token。

不要 commit 的東西

deploy/zitadel/machinekey/zitadel-admin-sa.token / .json 已在 .gitignore。
etc/gateway.k6.yaml 內的 secret 都是固定 dev 值，本機 / CI 可用，勿上 prod。

9.6 KiB Raw Blame History Unescape Escape