test(e2e): add comprehensive e2e tests for rh-identity authentication #1045
Walkthrough
Adds end-to-end RH Identity auth support: two mode-specific Lightspeed config files, a Gherkin feature exercising
Changes
Sequence Diagram(s)
(omitted — changes are test/config additions and do not introduce a new multi-component runtime control flow requiring visualization)
Estimated code review effort
🎯 3 (Moderate) | ⏱️ ~30 minutes
Possibly related PRs
Suggested labels
Suggested reviewers
🚥 Pre-merge checks: ✅ Passed checks (3 passed)
Add configuration files for e2e testing with rh-identity authentication module enabled for both server-mode and library-mode deployments. Both configs require the 'rhel' entitlement for validation testing.
Signed-off-by: Major Hayden <major@redhat.com>
686d53b to 266e6d4
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In `@tests/e2e/features/authorized_rh_identity.feature`:
- Around line 1-163: Add two E2E scenarios to the existing
authorized_rh_identity.feature to cover invalid base64 and invalid JSON
handling: one scenario using the step set_rh_identity_header_raw() to set a
non-base64 string in x-rh-identity and another using
set_rh_identity_header_base64_raw() to set a base64 string that decodes to
invalid JSON; both should POST to the "authorized" endpoint and assert a 400
status code and that the response body contains the appropriate error message
(e.g., "Invalid base64 in x-rh-identity header" for the raw case and "Invalid
JSON in x-rh-identity header" for the decoded JSON case) so the BDD feature
matches the unit-tested behavior.
In `@tests/e2e/features/steps/auth.py`:
- Around line 132-138: The entitlements parsing currently adds an empty-string
key when the entitlements cell is blank; update the code that builds
entitlements (the loop over fields["entitlements"].split(",") which trims into
ent) to skip any ent that is empty after strip (e.g., continue if not ent), so
only non-empty entitlement names are added to the entitlements dict (apply the
same guard to the other identical block that populates entitlements).
266e6d4 to 32aed2f
Add step definitions to set x-rh-identity headers in various formats:
- Raw string values (for invalid base64 testing)
- Base64-encoded raw strings (for invalid JSON testing)
- Base64-encoded JSON objects
- Valid User identity with configurable fields
- Valid System identity with configurable fields
Includes helper function to encode identity data to base64.
Signed-off-by: Major Hayden <major@redhat.com>

Register @RHIdentity tag in before_feature and after_feature hooks to switch configuration to rh-identity auth mode during feature execution and restore the original configuration afterwards.
Signed-off-by: Major Hayden <major@redhat.com>
@radofuchs I think this matches what we met about earlier. :)
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
tests/e2e/features/steps/auth.py (1)
25-35: Avoid logging full Authorization header values.
Line 35 prints the entire header; this can leak secrets in CI logs. Prefer redaction.
🔒 Proposed redaction
- print(f"🔑 Set Authorization header to: {header_value}") + token_type = header_value.split(" ", 1)[0] if header_value else "<empty>" + print(f"🔑 Set Authorization header to: {token_type} <redacted>")
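Review bot: In the added `token_type = header_value.split(" ", 1)[0] if header_value else "<empty>"` line, a header value that contains no space (a bare token with no scheme prefix) makes `split(" ", 1)[0]` return the whole value, so the full secret is still printed. Print the first element only when the split yields two parts, and print `<redacted>` alone otherwise.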
♻️ Duplicate comments (1)
tests/e2e/features/authorized_rh_identity.feature (1)
1-163: Add invalid base64/JSON scenarios for x-rh-identity.
The feature still lacks explicit cases for malformed base64 and invalid JSON payloads.
32aed2f to 8ca8553
Add comprehensive e2e test scenarios covering all validation paths in the rh-identity authentication module:
- Missing x-rh-identity header (401)
- Invalid base64 encoding (400)
- Invalid JSON content (400)
- Missing/null identity field (400)
- Missing identity type field (400)
- Unsupported identity type (400)
- User identity: missing user field (400)
- User identity: missing user_id (400)
- User identity: missing username (400)
- System identity: missing system field (400)
- System identity: missing cn (400)
- System identity: missing account_number (400)
- Missing required entitlements (403)
- Empty entitlements (403)
- Entitlement with is_entitled=false (403)
- Valid User identity with entitlements (200)
- Valid System identity with entitlements (200)
Signed-off-by: Major Hayden <major@redhat.com>
Description
Add comprehensive end-to-end tests for the `rh-identity` authentication module. These tests cover critical validation paths in `src/authentication/rh_identity.py`, ensuring proper error handling for malformed headers, missing fields, and entitlement validation.
Test Scenarios (9 total)
Header-level validation:
Identity structure validation:
User identity validation:
System identity validation:
Entitlement validation:
Success cases:
Type of change
Tools used to create PR
Related Tickets & Documents
Checklist before requesting a review
Testing
Run the e2e tests with rh-identity feature:
Or run all e2e tests:
All 9 scenarios should pass, validating each error path and success case in the rh-identity authentication module.
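
The validation order that the commit message lists (401 for a missing header, 400 for malformed content, 403 for entitlement failures) can be read as one function. This is an added example, not the project's `rh_identity.py`: `AuthError`, the function names, the error wording other than the two messages quoted in the review, and the placement of `entitlements` (top level) and `account_number` (on `identity`) are assumptions.

```python
# Added example; not the project's implementation.
import base64
import json

class AuthError(Exception):
    """Hypothetical error type carrying the HTTP status to return."""
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status, self.detail = status, detail

def encode_identity(doc):
    """Test-side helper: JSON-serialize, then base64-encode, the header body."""
    return base64.b64encode(json.dumps(doc).encode()).decode()

def _need(obj, key, where):
    # Absent, null and empty values are all rejected with 400.
    if not isinstance(obj, dict) or not obj.get(key):
        raise AuthError(400, f"Missing '{key}' in {where}")  # wording assumed
    return obj[key]

def validate_rh_identity(headers, required=("rhel",)):
    raw = headers.get("x-rh-identity")
    if raw is None:
        raise AuthError(401, "Missing x-rh-identity header")  # wording assumed
    try:
        decoded = base64.b64decode(raw, validate=True)  # strict alphabet check
    except ValueError:  # binascii.Error is a ValueError subclass
        raise AuthError(400, "Invalid base64 in x-rh-identity header")
    try:
        doc = json.loads(decoded)
    except ValueError:  # covers JSONDecodeError and bad UTF-8
        raise AuthError(400, "Invalid JSON in x-rh-identity header")
    identity = _need(doc, "identity", "header")
    kind = _need(identity, "type", "identity")
    if kind == "User":
        user = _need(identity, "user", "identity")
        principal = (_need(user, "user_id", "user"), _need(user, "username", "user"))
    elif kind == "System":
        system = _need(identity, "system", "identity")
        # Assumption: account_number sits on the identity object itself.
        principal = (_need(system, "cn", "system"), _need(identity, "account_number", "identity"))
    else:
        raise AuthError(400, f"Unsupported identity type: {kind}")
    ents = doc.get("entitlements")  # assumption: top-level, keyed by name
    for name in required:
        ent = ents.get(name) if isinstance(ents, dict) else None
        if not (isinstance(ent, dict) and ent.get("is_entitled") is True):
            raise AuthError(403, f"Missing required entitlement: {name}")
    return principal
```

Structure checks run before the entitlement check, so a header that is both malformed and unentitled is reported as 400 rather than 403.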