AP-638: Implements e2e tests using Playwright

[danschmidt5189]

Implements end-to-end browser-based testing using Playwright w/Chromium. The initial tests cover the OIDC login flow, ensuring that:

1. Anonymous users are forced to login.
2. Admin/Basic users can view the homepage after logging in, but unauthz'd users are forbidden.
3. Only Admin users can view an admin page (/security/users).

Playwright runs in a new playwright service in the Compose File, executed over-the-wire by pytest running from AirFlow. This introduces some complications around reconciling AirFlow/Keycloak URLs when accessing as a developer (on localhost) vs. as Playwright in the stack. See Slack for a rundown on the approaches I considered. I ultimately settled on extending the Playwright image to include socat, and using that for forward localhost:8080 -> airflow and localhost:8180 -> keycloak within the playwright service.

[Copilot]

Pull request overview

Adds a Playwright-based end-to-end (E2E) auth test suite for the Airflow UI (via Keycloak OIDC), plus Docker/CI wiring to run the browser remotely in a sidecar container.

Changes:

• Introduce test/e2e/ Playwright tests + helpers for the Airflow→Keycloak login flow.
• Add a Playwright sidecar service (Dockerfile + entrypoint) and enable it under a Compose test profile.
• Update pytest configuration/dependencies and CI to start the stack with the test profile and retain Playwright artifacts on failures.

Reviewed changes

Copilot reviewed 9 out of 11 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
test/e2e/test_auth.py	New E2E tests asserting login is required and role-based access to homepage/admin pages.
test/e2e/helpers.py	Helper to drive the Airflow→Keycloak OIDC login flow in Playwright.
test/e2e/conftest.py	Pytest fixtures to connect to a remote Playwright server and set base_url.
test/e2e/__init__.py	Package marker for the E2E tests.
requirements.txt	Adds Playwright + pytest-playwright dependency pins/hashes.
pyproject.toml	Adds pytest-playwright to test extras; configures pytest Playwright artifact options and marker.
playwright/entrypoint.sh	Starts TCP forwarders (socat) for localhost port parity inside the sidecar container.
playwright/Dockerfile	Builds the Playwright sidecar image (extends MS Playwright image + installs socat).
example.env	Documents E2E env vars for running tests via the Playwright sidecar.
docker-compose.yml	Adds a playwright service under the test profile to run the remote Playwright server.
.github/workflows/build.yml	Starts Compose with --profile test ... --wait so the sidecar is available in CI.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

page.wait_for_url(lambda url: not KEYCLOAK_AUTH_URL_RE.search(url)) can return as soon as navigation leaves /protocol/openid-connect/auth, even if the browser is still on a different Keycloak URL (e.g., login-actions endpoints), which can make the helper return before the post-login redirect back to Airflow completes. Consider waiting until the URL is no longer on the Keycloak base host/port (or matches the Airflow base URL), and/or broadening the Keycloak regex to cover all realm paths so the wait cannot finish while still in Keycloak.

[Copilot]

In the denied case, this test only asserts that the admin users table header is not visible. That can pass for many unintended outcomes (redirect to an error page, a blank page, a 500, etc.). To make the authorization check meaningful and reduce false positives/flakiness, assert the expected denied behavior as well (e.g., URL is the login chooser, or an explicit 403/"Forbidden" marker is shown).

[Copilot]

The Playwright service hard-codes playwright@1.58.0 in the npx command, duplicating the version already pinned via ARG PLAYWRIGHT_VERSION in playwright/Dockerfile. This can drift and also tends to force an npx download on container start. Prefer invoking the Playwright CLI already present in the base image (e.g., playwright run-server ...) and/or eliminate the duplicated version so a single source of truth controls the server/client protocol version.

Suggested change

	command: ["npx", "-y", "playwright@1.58.0", "run-server", "--port", "3000", "--host", "0.0.0.0", "--path", "/ws"]
	command: ["playwright", "run-server", "--port", "3000", "--host", "0.0.0.0", "--path", "/ws"]

[danschmidt5189]

Playwright is pretty lightweight, so I'm not sure we need to gate this behind a profile.

[awilfox]

Some discussion items, but overall a good direction.

[awilfox]

I'm in agreement with Copilot and feel like this is an excellent use of KEYCLOAK_BASE_URL.

Suggested change

	page.wait_for_url(lambda url: not KEYCLOAK_AUTH_URL_RE.search(url))
	page.wait_for_url(lambda url: not url.startswith(KEYCLOAK_BASE_URL))

[awilfox]

Missing module docstring.

[awilfox]

I feel like it would be good to have a decorator for admin and user. Perhaps public too, though that shouldn't be generally useful.

This way, tests could have @as_admin or @as_user later on. Otherwise, there will be a lot of code duplication, and hardcoding the test credentials which we may not want to do.

[awilfox]

Agree with Copilot, this should be explicitly testing for a 403, not just the lack of presence of a table.

[danschmidt5189]

Unfortunately AirFlow makes this much, much harder than it needs to be. A public user is actually redirected to the login page; a regular non-admin user gets an HTTP 200 with a page that says "404"… I'll see what I can do to clean it up but so long as we're actually browsing like a human user the assertion will be messy.

[danschmidt5189]

@jason-raitz @awilfox Re-requesting review after the following major changes:

1. I reverted from table-based access tests (parametrized) to simple tests per user. The table-based tests are seriously complicated by the interaction between the user's status (admin, regular, public) and how AirFlow renders the "auth error" (it doesn't—you get 200, 404, or 3xx depending on the situation). I think it's easier to read this way and it's certainly easier to write.
2. Merged helpers into conftest.py. There wasn't really a good reason to separate them IMO.
3. Added helpers for matching AirFlow and KeyCloak URLs.
4. Removed the --profile=test flag from playwright. As I mentioned in a comment it idles ~200MB and peaks ~500MB when running tests. This simplifies startup (you don't have to remember to allow it, which bit me a few times).

[Copilot]

Pull request overview

Copilot reviewed 7 out of 9 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

#PYTEST_KEYCLOAK_BASE_URL is missing the trailing = (unlike the other commented env vars). As-is, it can’t be uncommented/edited consistently and may confuse copy/paste into a real .env.

Suggested change

	#PYTEST_KEYCLOAK_BASE_URL
	#PYTEST_KEYCLOAK_BASE_URL=

[Copilot]

login is imported from .conftest but never used in this test module. This will trip unused-import checks (e.g., pylint) and adds noise; remove the unused import or use it directly in a test.

Suggested change

	from .conftest import airflow_login_url, airflow_url, login
	from .conftest import airflow_login_url, airflow_url

[awilfox]

Style issues, but structurally sound.

[awilfox]

Suggested change

	"""Walk a fresh page through the Airflow -> Keycloak OIDC login flow.
	"""Walk a fresh instance through the Airflow -> Keycloak OIDC login flow.

?

Suggested change

	"""Walk a fresh page through the Airflow -> Keycloak OIDC login flow.
	"""Walk a fresh browser through the Airflow -> Keycloak OIDC login flow.

?

"page" doesn't seem right here.

[danschmidt5189]

In Playwright terms it's a Page, meaning a fresh tab in a per-test isolated browser. That last part is not obvious (I originally thought pages shared a Browser context); see https://playwright.dev/python/docs/browser-contexts.

[awilfox]

I was thinking of a decorator when I made that example name. With the literate RSpec-like expect, something like public_browser makes more sense to me.

Suggested change

	def test_public_user_cannot_view_homepage(as_public_user) -> None:
	def test_public_user_cannot_view_homepage(public_browser) -> None:

[danschmidt5189]

I considered this, but Browser has a specific meaning and this is really a Page object. Agree that "as_{user}" doesn't feel perfect, but it does encapsulate the credentials used which is my only real goal for now.

I'm accustomed to using fixtures to inject behavior into pytests — what did you have in mind with a raw decorator?

[anarchivist]

rw+c; mine are minor, @awilfox's probably merit more discussion.