Skip to content

Add unit and integration tests for Cedar group-based authorization#4964

Merged
rdimitrov merged 1 commit intomainfrom
authz-group-tests-6a
Apr 21, 2026
Merged

Add unit and integration tests for Cedar group-based authorization#4964
rdimitrov merged 1 commit intomainfrom
authz-group-tests-6a

Conversation

@jhrozek
Copy link
Copy Markdown
Contributor

@jhrozek jhrozek commented Apr 21, 2026

Summary

The Cedar authorizer gained dual-claim extraction, dot-notation traversal, and entity merge fixes in #4911, #4901, and #4847, but test coverage for group-based authorization paths was thin — only indirect exercise through higher-level flows. This adds direct unit tests for the helper functions and integration tests that verify the full middleware pipeline with group-based Cedar policies shaped like real IDP tokens.

  • Unit tests for extractGroups covering dual-claim merge, dot-notation nested claims, single-value-to-slice coercion, deduplication, and nil-safety
  • Unit tests for resolveNestedClaim including ambiguous key resolution (literal match wins over traversal)
  • Integration tests for group-based list filtering through the middleware stack with IDP-shaped claim variants (Entra dual-claim, Okta URI-claim, Keycloak nested realm_access.roles)
  • Integration tests for group-based allow/deny on non-list operations (call_tool, get_prompt, read_resource)
  • Integration test for transitive entity hierarchy (THVGroup → THVRole from entities_json)

Type of change

  • New feature

Test plan

  • Unit tests (task test)
  • Linting (task lint-fix)

Does this introduce a user-facing change?

No

Generated with Claude Code

@jhrozek @claude
Add unit and integration tests for Cedar group-based authorization
4846828 
The dual-claim extraction, dot-notation traversal, and merge-order fix
from 88937fce lacked direct unit tests for helper functions and had no
integration tests exercising group-based Cedar policies through the
middleware stack. This closes both gaps.

Tier 1 — unit tests for parseCedarEntityID, sanitizeURIForCedar,
extractClientIDFromClaims, preprocessClaims, preprocessArguments,
mergeContexts, and IsAuthorized entity merge priority. Adds edge cases
to existing TestResolveNestedClaim (ambiguity) and
TestAuthorizeWithJWTClaims_DualClaim (same claim, missing JWT key,
non-array graceful handling, both dot-notation).

Tier 2 — integration tests for group-based list filtering (Entra dual,
Entra groups, Okta URI, Keycloak nested, prompts, resources), non-list
operations (tool call, prompt get, resource read), transitive
THVGroup→THVRole hierarchy through middleware, and upstream provider
group extraction.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions Bot added the size/XL Extra large PR: 1000+ lines changed label Apr 21, 2026
github-actions[bot]
github-actions Bot previously requested changes Apr 21, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

This review will be automatically dismissed once you add the justification section.

@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 21, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.50%. Comparing base (ccf439d) to head (4846828).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #4964   +/-   ##
=======================================
  Coverage   69.49%   69.50%           
=======================================
  Files         551      551           
  Lines       55817    55817           
=======================================
+ Hits        38790    38793    +3     
+ Misses      14037    14033    -4     
- Partials     2990     2991    +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@rdimitrov rdimitrov merged commit cb37b8b into main Apr 21, 2026
41 checks passed
@rdimitrov rdimitrov deleted the authz-group-tests-6a branch April 21, 2026 10:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rdimitrov rdimitrov rdimitrov approved these changes

@github-actions github-actions[bot] github-actions[bot] left review comments

@JAORMX JAORMX Awaiting requested review from JAORMX JAORMX is a code owner

@ChrisJBurns ChrisJBurns Awaiting requested review from ChrisJBurns ChrisJBurns is a code owner

@yrobla yrobla Awaiting requested review from yrobla yrobla is a code owner

Assignees

No one assigned

Labels

size/XL Extra large PR: 1000+ lines changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jhrozek @rdimitrov