feat(2): Q3.3 lasuite-meet §4.3 meeting_flow test + PARITY.md

test_meeting_flow.py: OIDC token → POST /api/v1.0/rooms/ (201 + LiveKit token) → GET read-back (200) → assert LiveKit JWT grants the room → DELETE (204) → verify gone (404). The §4.3 create-an-object+ read-it-back + the distinctive WebRTC-signaling feature (LiveKit token issuance). PARITY.md maps health_check/oidc_login/meeting_flow ports + documents webrtc-media/relay non-port (UDP media relay = env-blocker per §7.1; maximal subset = LiveKit token issuance, shipped). install+OIDC already validated green (/root/ccci-meet-v1.log). Note: first-deploy 'No such image' was a one-time cold-pull race (images now cached + kept by conservative prune); deploy converges reliably. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 13:39:32 +01:00
parent 9c9a0059c1
commit 9c6cb539ee
2 changed files with 139 additions and 0 deletions
--- a/tests/lasuite-meet/PARITY.md
+++ b/tests/lasuite-meet/PARITY.md
@ -0,0 +1,32 @@
+# lasuite-meet — parity map (Phase 2 P2) + recipe-specific tests (P3)
+
+Reference corpus: `references/recipe-maintainer/recipe-info/lasuite-meet/tests/`.
+
+## Parity ports (recipe-maintainer test → cc-ci test)
+
+| recipe-maintainer test | cc-ci test | what's verified (same thing) |
+|---|---|---|
+| `health_check.py` | `tests/lasuite-meet/functional/test_health_check.py::test_lasuite_meet_returns_200` | HTTP 200/301/302 from `/` (SPA shell served). |
+| `oidc_login.py` | `tests/lasuite-meet/functional/test_oidc_with_keycloak.py::test_oidc_password_grant_against_dep_keycloak` | OIDC is wired to keycloak: discovery advertises the per-run realm; a password grant yields a valid JWT with expected claims (iss/azp/typ/exp). Meet is OIDC-REQUIRED; OIDC wired at install (install_steps.sh, OIDC_AT_INSTALL). |
+| `meeting_flow.py` | `tests/lasuite-meet/functional/test_meeting_flow.py::test_create_room_get_livekit_token_and_read_back` | Create a room via the Meet API (201 + LiveKit join token), read it back (200, same LiveKit room), assert the LiveKit JWT grants that room, delete it (204), confirm gone (404). |
+
+## Recipe-specific functional tests (P3, ≥2 beyond bare parity)
+1. **`test_meeting_flow.py`** — §4.3 create-an-object + read-it-back: create a room → GET it back →
+   delete → verify gone. Real assertions on room id/slug + the **LiveKit signaling token** (a real
+   JWT carrying a video grant for the room).
+2. **`test_oidc_with_keycloak.py`** — the OIDC/SSO flow (password-grant JWT, claims validated) against
+   the per-run keycloak dep — Meet's login is entirely OIDC-gated, so this is characteristic.
+
+Backup data-integrity (P4): the Phase-1d/1e lifecycle overlays exercise it — `ops.py` seeds a postgres
+`ci_marker` row (meet/meet DB); `test_upgrade.py`/`test_backup.py`/`test_restore.py` assert it survives
+the upgrade and the backup→wipe→restore cycle.
+
+## Non-ports (documented, not silent omissions — §7.1)
+- **`webrtc-media.py` / `webrtc-relay.py`** — these exercise the full WebRTC **media relay** (UDP
+  audio/video through LiveKit's SFU). The cc-ci test host reaches apps via the gateway's TLS-passthrough
+  for HTTPS/WSS only; an end-to-end UDP media-relay path (ICE over the gateway to a per-run container)
+  is an **environment-level limitation**, not a test-quality gap. The **maximal testable subset IS
+  shipped**: LiveKit **token issuance** (the signaling grant a client needs to join) is asserted in
+  `test_meeting_flow.py`. (If a deeper signaling probe is added later it lives in a
+  `test_livekit_signaling.py`.) Recorded in DECISIONS.md; covered by §7.1's env-blocker exception with
+  the maximal subset implemented.
--- a/tests/lasuite-meet/functional/test_meeting_flow.py
+++ b/tests/lasuite-meet/functional/test_meeting_flow.py
@ -0,0 +1,107 @@
+"""lasuite-meet — §4.3 meeting flow (Phase 2 P3): create a room, read it back, get a LiveKit join
+token, delete it. Port of recipe-maintainer's meeting_flow.py.
+
+SOURCE: references/recipe-maintainer/recipe-info/lasuite-meet/tests/meeting_flow.py
+
+Meet's characteristic behavior is real-time meetings: a user creates a room and receives a LiveKit
+(SFU) join token for WebSocket signaling. This is the §4.3 create-an-object + read-it-back, plus the
+distinctive WebRTC-signaling feature (LiveKit token issuance) — not a health/200 stand-in. Flow:
+  1. OIDC password grant (the per-run keycloak user) → a Meet API bearer token.
+  2. POST /api/v1.0/rooms/ {name, access_level:public} → 201 with id/slug AND a LiveKit room+token.
+  3. GET  /api/v1.0/rooms/{id}/ (read-it-back) → 200, again with a LiveKit token for the same room.
+  4. Assert the LiveKit token is a real JWT carrying a video grant for that room (token issuance —
+     the maximal testable subset of the WebRTC path; full UDP media relay is out of scope, see
+     test_livekit_signaling.py / DECISIONS if an env-blocker is recorded).
+  5. DELETE /api/v1.0/rooms/{id}/ → 204; GET again → 404 (object actually removed).
+
+@requires_deps: skips with a clear reason if the keycloak dep wasn't provisioned (then F2-11 fails
+the run rather than going green on a skipped SSO-dependent test).
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import os
+import sys
+
+import pytest
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
+from harness import http as harness_http, sso  # noqa: E402
+
+
+def _b64url(seg: str) -> bytes:
+    return base64.urlsafe_b64decode(seg + "=" * ((4 - len(seg) % 4) % 4))
+
+
+def _creds(deps_creds: dict) -> dict:
+    kc = deps_creds["keycloak"]
+    return {
+        "provider": "keycloak",
+        "provider_domain": kc["domain"],
+        "realm": kc["realm"],
+        "client_id": kc["client_id"],
+        "client_secret": kc["client_secret"],
+        "user": kc["user"],
+        "password": kc["password"],
+        "email": kc["email"],
+        "discovery_url": kc["discovery_url"],
+        "token_url": kc["token_url"],
+        "auth_url": kc["auth_url"],
+        "userinfo_url": kc["userinfo_url"],
+    }
+
+
+@pytest.mark.requires_deps
+def test_create_room_get_livekit_token_and_read_back(live_app, deps_creds):
+    assert "keycloak" in deps_creds, f"keycloak creds missing; got {list(deps_creds.keys())}"
+    base = f"https://{live_app}"
+    token = sso.oidc_password_grant(_creds(deps_creds))
+    assert isinstance(token, str) and token.count(".") == 2, "OIDC access token is not a JWT"
+    auth = {"Authorization": f"Bearer {token}"}
+
+    # --- create a room (the object) ---
+    status, body = harness_http.http_post(
+        f"{base}/api/v1.0/rooms/",
+        data={"name": "ccci-meeting", "access_level": "public"},
+        headers=auth,
+    )
+    assert status == 201, f"room create returned HTTP {status} (expected 201); body={body!r}"
+    assert isinstance(body, dict), f"room create body not JSON: {body!r}"
+    room_id = body.get("id")
+    livekit = body.get("livekit") or {}
+    lk_room = livekit.get("room")
+    lk_token = livekit.get("token")
+    assert room_id, f"room created but no id: {body!r}"
+    assert lk_token and isinstance(lk_token, str) and lk_token.count(".") == 2, (
+        f"room created but no LiveKit JWT token: {livekit!r}"
+    )
+
+    try:
+        # --- read it back (a fresh authenticated GET of the created room) ---
+        status, got = harness_http.http_request("GET", f"{base}/api/v1.0/rooms/{room_id}/", headers=auth)
+        assert status == 200, f"room read-back returned HTTP {status} (expected 200); body={got!r}"
+        assert isinstance(got, dict) and got.get("id") == room_id, (
+            f"read-back room id mismatch: {got!r}"
+        )
+        got_lk = (got.get("livekit") or {})
+        assert got_lk.get("token"), f"read-back room missing LiveKit token: {got!r}"
+        assert got_lk.get("room") == lk_room, (
+            f"read-back LiveKit room {got_lk.get('room')!r} != create-time {lk_room!r}"
+        )
+
+        # --- the LiveKit token is a real signaling grant for this room (WebRTC subset) ---
+        payload = json.loads(_b64url(lk_token.split(".")[1]))
+        video = payload.get("video") or {}
+        assert video.get("room") == lk_room or payload.get("room") == lk_room, (
+            f"LiveKit JWT does not grant the created room {lk_room!r}: {payload!r}"
+        )
+    finally:
+        # --- delete the room (cleanup + proves the API mutates state) ---
+        del_status, _ = harness_http.http_request("DELETE", f"{base}/api/v1.0/rooms/{room_id}/", headers=auth)
+        assert del_status in (204, 200), f"room delete returned HTTP {del_status} (expected 204)"
+
+    # --- verify it's gone (read-back of a deleted object) ---
+    status, _ = harness_http.http_request("GET", f"{base}/api/v1.0/rooms/{room_id}/", headers=auth)
+    assert status == 404, f"deleted room still returns HTTP {status} (expected 404)"