Skip to content

test(auth): add integration tests for group-based role binding enforcement#468

Merged
ironcommit merged 1 commit into
mainfrom
auth-tests-5/rsadler
Jun 25, 2026
Merged

test(auth): add integration tests for group-based role binding enforcement#468
ironcommit merged 1 commit into
mainfrom
auth-tests-5/rsadler

Conversation

@ironcommit

@ironcommit ironcommit commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Add two integration tests verifying that JWT bearer token group claims are correctly evaluated against group-based role bindings in the embedded policy engine:

  • A token carrying the bound group claim gains access (Viewer can read, cannot write)
  • A token whose groups do not include the bound group is denied access

Also updates the test_client fixture to configure AuthConfig with allow_unsigned_jwt and embedded PDP so the tests run without a real identity provider.

Summary by CodeRabbit

  • Tests
    • Added coverage for group-based workspace access using bearer tokens.
    • Verified that users with the correct group claim can read a workspace, while write access remains blocked.
    • Added a denial case to confirm access is rejected when the required group claim is missing.

…ement

Add two integration tests verifying that JWT bearer token group claims
are correctly evaluated against group-based role bindings in the embedded
policy engine:

* A token carrying the bound group claim gains access (Viewer can read,
  cannot write)
* A token whose groups do not include the bound group is denied access

Also updates the test_client fixture to configure AuthConfig with
allow_unsigned_jwt and embedded PDP so the tests run without a real
identity provider.

Signed-off-by: Ryan S <267728323+ironcommit@users.noreply.github.com>
@ironcommit
ironcommit requested a review from maxdubrinsky June 25, 2026 18:30
@ironcommit
ironcommit requested review from a team as code owners June 25, 2026 18:30
@github-actions github-actions Bot added the test conventional-commit type label Jun 25, 2026
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Adds integration coverage for role-binding propagation with bearer-token groups claims. The test client now uses unsigned JWTs and a faster polling interval. New tests verify matching group claims allow workspace reads but not updates, and non-matching claims are denied.

Changes

Group claim propagation

Layer / File(s) Summary
Test client setup
services/core/auth/tests/integration/test_role_binding_propagation.py
Imports unsigned JWT generation and AuthConfig, then overrides the test client auth/PDP configuration with unsigned JWTs enabled and a shorter propagation poll interval.
Group claim access checks
services/core/auth/tests/integration/test_role_binding_propagation.py
Adds one integration test for matching groups claims that permits GET and rejects PUT, and another that rejects GET when the claim does not match the role binding.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title accurately summarizes the main change: new auth integration tests for group-based role binding enforcement.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch auth-tests-5/rsadler

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
services/core/auth/tests/integration/test_role_binding_propagation.py (1)

107-148: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Denial test can pass for the wrong reason.

The token carries other_group, which is never bound. A 403 therefore proves nothing about group-claim matching—it also passes if the role binding never propagated at all. Add a positive control: assert the bound group would grant access (e.g., a second token with bound_group gets 200), then assert the non-matching token gets 403.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@services/core/auth/tests/integration/test_role_binding_propagation.py` around
lines 107 - 148, The denial test in
test_group_role_binding_denies_workspace_access_when_group_missing can succeed
for the wrong reason because it only checks that a token with other_group gets
403. Add a positive control in the same test by creating a second bearer token
that includes bound_group and assert it can read the workspace successfully
before checking that the non-matching token is denied. Use the existing helpers
generate_unsigned_jwt, WORKSPACES_PATH, IAM_ROLE_BINDINGS_PATH, and the
workspace access GET to verify both the expected allow and deny paths.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@services/core/auth/tests/integration/test_role_binding_propagation.py`:
- Around line 107-148: The denial test in
test_group_role_binding_denies_workspace_access_when_group_missing can succeed
for the wrong reason because it only checks that a token with other_group gets
403. Add a positive control in the same test by creating a second bearer token
that includes bound_group and assert it can read the workspace successfully
before checking that the non-matching token is denied. Use the existing helpers
generate_unsigned_jwt, WORKSPACES_PATH, IAM_ROLE_BINDINGS_PATH, and the
workspace access GET to verify both the expected allow and deny paths.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 034974db-eeed-4cfe-b198-243f09cc0552

📥 Commits

Reviewing files that changed from the base of the PR and between e5608bf and c4780d6.

📒 Files selected for processing (1)
  • services/core/auth/tests/integration/test_role_binding_propagation.py

@github-actions

Copy link
Copy Markdown
Contributor
Suite Lines Covered Line Rate Branch Rate
Unit Tests 20911/27483 76.1% 61.2%
Integration Tests 12180/26252 46.4% 19.8%

@ironcommit ironcommit changed the title test(auth): add integration tests for group-based role binding enforc… test(auth): add integration tests for group-based role binding enforcement Jun 25, 2026
@ironcommit
ironcommit enabled auto-merge June 25, 2026 19:18
@ironcommit
ironcommit requested a review from mckornfield June 25, 2026 19:18
@ironcommit
ironcommit added this pull request to the merge queue Jun 25, 2026
Merged via the queue into main with commit f823935 Jun 25, 2026
57 checks passed
@ironcommit
ironcommit deleted the auth-tests-5/rsadler branch June 25, 2026 20:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

test conventional-commit type

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants