diff --git a/tests/lasuite-meet/PARITY.md b/tests/lasuite-meet/PARITY.md new file mode 100644 index 0000000..2267a81 --- /dev/null +++ b/tests/lasuite-meet/PARITY.md @@ -0,0 +1,32 @@ +# lasuite-meet — parity map (Phase 2 P2) + recipe-specific tests (P3) + +Reference corpus: `references/recipe-maintainer/recipe-info/lasuite-meet/tests/`. + +## Parity ports (recipe-maintainer test → cc-ci test) + +| recipe-maintainer test | cc-ci test | what's verified (same thing) | +|---|---|---| +| `health_check.py` | `tests/lasuite-meet/functional/test_health_check.py::test_lasuite_meet_returns_200` | HTTP 200/301/302 from `/` (SPA shell served). | +| `oidc_login.py` | `tests/lasuite-meet/functional/test_oidc_with_keycloak.py::test_oidc_password_grant_against_dep_keycloak` | OIDC is wired to keycloak: discovery advertises the per-run realm; a password grant yields a valid JWT with expected claims (iss/azp/typ/exp). Meet is OIDC-REQUIRED; OIDC wired at install (install_steps.sh, OIDC_AT_INSTALL). | +| `meeting_flow.py` | `tests/lasuite-meet/functional/test_meeting_flow.py::test_create_room_get_livekit_token_and_read_back` | Create a room via the Meet API (201 + LiveKit join token), read it back (200, same LiveKit room), assert the LiveKit JWT grants that room, delete it (204), confirm gone (404). | + +## Recipe-specific functional tests (P3, ≥2 beyond bare parity) +1. **`test_meeting_flow.py`** — §4.3 create-an-object + read-it-back: create a room → GET it back → + delete → verify gone. Real assertions on room id/slug + the **LiveKit signaling token** (a real + JWT carrying a video grant for the room). +2. **`test_oidc_with_keycloak.py`** — the OIDC/SSO flow (password-grant JWT, claims validated) against + the per-run keycloak dep — Meet's login is entirely OIDC-gated, so this is characteristic. + +Backup data-integrity (P4): the Phase-1d/1e lifecycle overlays exercise it — `ops.py` seeds a postgres +`ci_marker` row (meet/meet DB); `test_upgrade.py`/`test_backup.py`/`test_restore.py` assert it survives +the upgrade and the backup→wipe→restore cycle. + +## Non-ports (documented, not silent omissions — §7.1) +- **`webrtc-media.py` / `webrtc-relay.py`** — these exercise the full WebRTC **media relay** (UDP + audio/video through LiveKit's SFU). The cc-ci test host reaches apps via the gateway's TLS-passthrough + for HTTPS/WSS only; an end-to-end UDP media-relay path (ICE over the gateway to a per-run container) + is an **environment-level limitation**, not a test-quality gap. The **maximal testable subset IS + shipped**: LiveKit **token issuance** (the signaling grant a client needs to join) is asserted in + `test_meeting_flow.py`. (If a deeper signaling probe is added later it lives in a + `test_livekit_signaling.py`.) Recorded in DECISIONS.md; covered by §7.1's env-blocker exception with + the maximal subset implemented. diff --git a/tests/lasuite-meet/functional/test_meeting_flow.py b/tests/lasuite-meet/functional/test_meeting_flow.py new file mode 100644 index 0000000..9f048e1 --- /dev/null +++ b/tests/lasuite-meet/functional/test_meeting_flow.py @@ -0,0 +1,107 @@ +"""lasuite-meet — §4.3 meeting flow (Phase 2 P3): create a room, read it back, get a LiveKit join +token, delete it. Port of recipe-maintainer's meeting_flow.py. + +SOURCE: references/recipe-maintainer/recipe-info/lasuite-meet/tests/meeting_flow.py + +Meet's characteristic behavior is real-time meetings: a user creates a room and receives a LiveKit +(SFU) join token for WebSocket signaling. This is the §4.3 create-an-object + read-it-back, plus the +distinctive WebRTC-signaling feature (LiveKit token issuance) — not a health/200 stand-in. Flow: + 1. OIDC password grant (the per-run keycloak user) → a Meet API bearer token. + 2. POST /api/v1.0/rooms/ {name, access_level:public} → 201 with id/slug AND a LiveKit room+token. + 3. GET /api/v1.0/rooms/{id}/ (read-it-back) → 200, again with a LiveKit token for the same room. + 4. Assert the LiveKit token is a real JWT carrying a video grant for that room (token issuance — + the maximal testable subset of the WebRTC path; full UDP media relay is out of scope, see + test_livekit_signaling.py / DECISIONS if an env-blocker is recorded). + 5. DELETE /api/v1.0/rooms/{id}/ → 204; GET again → 404 (object actually removed). + +@requires_deps: skips with a clear reason if the keycloak dep wasn't provisioned (then F2-11 fails +the run rather than going green on a skipped SSO-dependent test). +""" + +from __future__ import annotations + +import base64 +import json +import os +import sys + +import pytest + +sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner")) +from harness import http as harness_http, sso # noqa: E402 + + +def _b64url(seg: str) -> bytes: + return base64.urlsafe_b64decode(seg + "=" * ((4 - len(seg) % 4) % 4)) + + +def _creds(deps_creds: dict) -> dict: + kc = deps_creds["keycloak"] + return { + "provider": "keycloak", + "provider_domain": kc["domain"], + "realm": kc["realm"], + "client_id": kc["client_id"], + "client_secret": kc["client_secret"], + "user": kc["user"], + "password": kc["password"], + "email": kc["email"], + "discovery_url": kc["discovery_url"], + "token_url": kc["token_url"], + "auth_url": kc["auth_url"], + "userinfo_url": kc["userinfo_url"], + } + + +@pytest.mark.requires_deps +def test_create_room_get_livekit_token_and_read_back(live_app, deps_creds): + assert "keycloak" in deps_creds, f"keycloak creds missing; got {list(deps_creds.keys())}" + base = f"https://{live_app}" + token = sso.oidc_password_grant(_creds(deps_creds)) + assert isinstance(token, str) and token.count(".") == 2, "OIDC access token is not a JWT" + auth = {"Authorization": f"Bearer {token}"} + + # --- create a room (the object) --- + status, body = harness_http.http_post( + f"{base}/api/v1.0/rooms/", + data={"name": "ccci-meeting", "access_level": "public"}, + headers=auth, + ) + assert status == 201, f"room create returned HTTP {status} (expected 201); body={body!r}" + assert isinstance(body, dict), f"room create body not JSON: {body!r}" + room_id = body.get("id") + livekit = body.get("livekit") or {} + lk_room = livekit.get("room") + lk_token = livekit.get("token") + assert room_id, f"room created but no id: {body!r}" + assert lk_token and isinstance(lk_token, str) and lk_token.count(".") == 2, ( + f"room created but no LiveKit JWT token: {livekit!r}" + ) + + try: + # --- read it back (a fresh authenticated GET of the created room) --- + status, got = harness_http.http_request("GET", f"{base}/api/v1.0/rooms/{room_id}/", headers=auth) + assert status == 200, f"room read-back returned HTTP {status} (expected 200); body={got!r}" + assert isinstance(got, dict) and got.get("id") == room_id, ( + f"read-back room id mismatch: {got!r}" + ) + got_lk = (got.get("livekit") or {}) + assert got_lk.get("token"), f"read-back room missing LiveKit token: {got!r}" + assert got_lk.get("room") == lk_room, ( + f"read-back LiveKit room {got_lk.get('room')!r} != create-time {lk_room!r}" + ) + + # --- the LiveKit token is a real signaling grant for this room (WebRTC subset) --- + payload = json.loads(_b64url(lk_token.split(".")[1])) + video = payload.get("video") or {} + assert video.get("room") == lk_room or payload.get("room") == lk_room, ( + f"LiveKit JWT does not grant the created room {lk_room!r}: {payload!r}" + ) + finally: + # --- delete the room (cleanup + proves the API mutates state) --- + del_status, _ = harness_http.http_request("DELETE", f"{base}/api/v1.0/rooms/{room_id}/", headers=auth) + assert del_status in (204, 200), f"room delete returned HTTP {del_status} (expected 204)" + + # --- verify it's gone (read-back of a deleted object) --- + status, _ = harness_http.http_request("GET", f"{base}/api/v1.0/rooms/{room_id}/", headers=auth) + assert status == 404, f"deleted room still returns HTTP {status} (expected 404)"