|
| 1 | +#!/usr/bin/env bash |
| 2 | +# Integration test for docker-compose.yml (mcp-js + OPA) |
| 3 | +# |
| 4 | +# Asserts: |
| 5 | +# 1. JavaScript execution works |
| 6 | +# 2. fetch() to an allowed domain succeeds |
| 7 | +# 3. fetch() to a blocked domain is denied by OPA policy |
| 8 | +# 4. Heap snapshots are created and can be restored |
| 9 | +# |
| 10 | +# Usage: |
| 11 | +# ./tests/docker-compose-integration.sh |
| 12 | +# |
| 13 | +# Prerequisites: docker compose, curl, jq |
| 14 | + |
| 15 | +set -euo pipefail |
| 16 | + |
| 17 | +COMPOSE_FILE="docker-compose.yml" |
| 18 | +BASE_URL="http://localhost:3000" |
| 19 | +PASSED=0 |
| 20 | +FAILED=0 |
| 21 | + |
| 22 | +# ── Helpers ────────────────────────────────────────────────────────────────── |
| 23 | + |
| 24 | +cleanup() { |
| 25 | + echo "" |
| 26 | + echo "==> Tearing down containers..." |
| 27 | + docker compose -f "$COMPOSE_FILE" down -v --remove-orphans 2>/dev/null || true |
| 28 | +} |
| 29 | +trap cleanup EXIT |
| 30 | + |
| 31 | +fail() { |
| 32 | + echo " FAIL: $1" |
| 33 | + FAILED=$((FAILED + 1)) |
| 34 | +} |
| 35 | + |
| 36 | +pass() { |
| 37 | + echo " PASS: $1" |
| 38 | + PASSED=$((PASSED + 1)) |
| 39 | +} |
| 40 | + |
| 41 | +wait_for_ready() { |
| 42 | + local url="$1" |
| 43 | + local retries=30 |
| 44 | + local i=0 |
| 45 | + echo "==> Waiting for mcp-js to be ready..." |
| 46 | + while [ $i -lt $retries ]; do |
| 47 | + if curl -sf -o /dev/null -X POST "$url/api/exec" \ |
| 48 | + -H "Content-Type: application/json" \ |
| 49 | + -d '{"code":"1"}' 2>/dev/null; then |
| 50 | + echo " mcp-js is ready." |
| 51 | + return 0 |
| 52 | + fi |
| 53 | + sleep 2 |
| 54 | + i=$((i + 1)) |
| 55 | + done |
| 56 | + echo " ERROR: mcp-js did not become ready in time." |
| 57 | + echo "" |
| 58 | + echo "==> Container status:" |
| 59 | + docker compose -f "$COMPOSE_FILE" ps |
| 60 | + echo "" |
| 61 | + echo "==> mcp-js logs:" |
| 62 | + docker compose -f "$COMPOSE_FILE" logs mcp-js |
| 63 | + echo "" |
| 64 | + echo "==> opa logs:" |
| 65 | + docker compose -f "$COMPOSE_FILE" logs opa |
| 66 | + exit 1 |
| 67 | +} |
| 68 | + |
| 69 | +exec_js() { |
| 70 | + local payload="$1" |
| 71 | + curl -sf -X POST "$BASE_URL/api/exec" \ |
| 72 | + -H "Content-Type: application/json" \ |
| 73 | + -d "$payload" |
| 74 | +} |
| 75 | + |
| 76 | +# ── Start services ─────────────────────────────────────────────────────────── |
| 77 | + |
| 78 | +echo "==> Starting docker-compose services..." |
| 79 | +docker compose -f "$COMPOSE_FILE" up -d |
| 80 | + |
| 81 | +wait_for_ready "$BASE_URL" |
| 82 | + |
| 83 | +# ── Test 1: Basic JavaScript execution ─────────────────────────────────────── |
| 84 | + |
| 85 | +echo "" |
| 86 | +echo "==> Test 1: Basic JavaScript execution" |
| 87 | +RESULT=$(exec_js '{"code":"const x = 2 + 3; x;"}') |
| 88 | +OUTPUT=$(echo "$RESULT" | jq -r '.output') |
| 89 | +if [ "$OUTPUT" = "5" ]; then |
| 90 | + pass "JS execution returned 5" |
| 91 | +else |
| 92 | + fail "Expected output '5', got '$OUTPUT'" |
| 93 | +fi |
| 94 | + |
| 95 | +# ── Test 2: fetch() to allowed domain succeeds ────────────────────────────── |
| 96 | + |
| 97 | +echo "" |
| 98 | +echo "==> Test 2: fetch() to allowed domain (registry.npmjs.org)" |
| 99 | +RESULT=$(exec_js '{"code":"(async () => { const r = await fetch(\"https://registry.npmjs.org/\"); return r.ok; })()"}') |
| 100 | +OUTPUT=$(echo "$RESULT" | jq -r '.output') |
| 101 | +if [ "$OUTPUT" = "true" ]; then |
| 102 | + pass "fetch() to allowed domain returned ok=true" |
| 103 | +else |
| 104 | + fail "Expected output 'true', got '$OUTPUT' (full response: $RESULT)" |
| 105 | +fi |
| 106 | + |
| 107 | +# ── Test 3: fetch() to blocked domain is denied by OPA ────────────────────── |
| 108 | + |
| 109 | +echo "" |
| 110 | +echo "==> Test 3: fetch() to blocked domain (evil.example.com)" |
| 111 | +HTTP_CODE=$(curl -s -o /tmp/mcp-test-deny.json -w "%{http_code}" -X POST "$BASE_URL/api/exec" \ |
| 112 | + -H "Content-Type: application/json" \ |
| 113 | + -d '{"code":"(async () => { const r = await fetch(\"https://evil.example.com/\"); return r.ok; })()"}') |
| 114 | +BODY=$(cat /tmp/mcp-test-deny.json) |
| 115 | +if [ "$HTTP_CODE" = "500" ] && echo "$BODY" | grep -qi "denied\|policy"; then |
| 116 | + pass "fetch() to blocked domain was denied by policy (HTTP $HTTP_CODE)" |
| 117 | +else |
| 118 | + fail "Expected HTTP 500 with policy denial, got HTTP $HTTP_CODE: $BODY" |
| 119 | +fi |
| 120 | + |
| 121 | +# ── Test 4: Heap snapshot created and restorable ───────────────────────────── |
| 122 | + |
| 123 | +echo "" |
| 124 | +echo "==> Test 4: Heap snapshot persistence" |
| 125 | + |
| 126 | +# 4a: Execute code that sets state, capture the heap hash |
| 127 | +RESULT=$(exec_js '{"code":"var counter = 42;"}') |
| 128 | +HEAP=$(echo "$RESULT" | jq -r '.heap') |
| 129 | +if [ -z "$HEAP" ] || [ "$HEAP" = "null" ]; then |
| 130 | + fail "No heap hash returned from initial execution" |
| 131 | +else |
| 132 | + pass "Heap hash returned: ${HEAP:0:16}..." |
| 133 | + |
| 134 | + # 4b: Restore the heap and read the persisted state |
| 135 | + RESULT2=$(exec_js "{\"code\":\"counter;\",\"heap\":\"$HEAP\"}") |
| 136 | + OUTPUT2=$(echo "$RESULT2" | jq -r '.output') |
| 137 | + if [ "$OUTPUT2" = "42" ]; then |
| 138 | + pass "Heap restored successfully, counter = 42" |
| 139 | + else |
| 140 | + fail "Expected counter=42 after heap restore, got '$OUTPUT2'" |
| 141 | + fi |
| 142 | +fi |
| 143 | + |
| 144 | +# ── Summary ────────────────────────────────────────────────────────────────── |
| 145 | + |
| 146 | +echo "" |
| 147 | +echo "==============================" |
| 148 | +echo "Results: $PASSED passed, $FAILED failed" |
| 149 | +echo "==============================" |
| 150 | + |
| 151 | +if [ "$FAILED" -gt 0 ]; then |
| 152 | + exit 1 |
| 153 | +fi |
0 commit comments