recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3568754e64f099d7087f1923ffe080dc9cf4ac32
cc-ci/tests/lasuite-docs/PARITY.md
autonomic-bot 44e02425ab
Some checks failed
continuous-integration/drone/push Build is failing
Details
feat(cfold): canonicalize custom test layout
2026-06-12 16:08:18 +00:00

4.9 KiB
Raw Blame History

Parity — lasuite-docs

Phase-2 P2 mapping table. The Adversary cold-verifies parity by reading the source recipe-info/lasuite-docs/tests/<file> and the cc-ci file side-by-side.

recipe-maintainer file cc-ci file what's verified status
recipe-info/lasuite-docs/tests/health_check.py tests/lasuite-docs/custom/test_health_check.py The app serves over HTTPS and returns a successful response (200/301/302). The cc-ci port preserves the assertion shape, adapted to the ephemeral per-run domain via live_app. ported
recipe-info/lasuite-docs/tests/oidc_login.py tests/lasuite-docs/custom/test_oidc_with_keycloak.py (Q2.4 acceptance, partial port) + test_auth_required.py (proves the gate is wired) The original's flow: deploy keycloak + setup realm/client/user + obtain JWT + use it against lasuite-docs's protected API. The cc-ci pair: (a) test_oidc_with_keycloak deploys keycloak as a Q2.3 dep, sets up realm/client/user, obtains a real JWT, validates iss/azp/typ/exp claims; (b) test_auth_required proves lasuite-docs's backend API requires auth (401). Step-(c) — actually USING the JWT against lasuite-docs — requires wiring the dep keycloak's client_secret + OIDC env into lasuite-docs's .env at install time; see "Deferred (Q3.1 follow-up)" below. partial; see follow-up
recipe-info/lasuite-docs/tests/upload_conversion.py (Q3.1 follow-up — needs OIDC env wired into lasuite-docs first) The original uploads .md + .docx via authenticated POST /api/v1.0/documents/<id>/upload and asserts the y-provider + docspec conversion paths fire. The cc-ci port requires authentication, which requires OIDC env wiring (see below). deferred

Recipe-specific tests (Phase-2 P3, ≥2 beyond parity)

cc-ci file what's verified rationale
tests/lasuite-docs/custom/test_oidc_with_keycloak.py Deploys keycloak as a per-run dep (Q2.3 resolver via DEPS = ["keycloak"]), sets up a realm/client/user, exercises the OIDC discovery endpoint + the password-grant flow against the dep keycloak, validates the returned JWT's iss/azp/typ/exp claims. The recipe is OIDC-dependent by design; proving the SSO provider deploys + issues tokens + the JWT contract is intact is a defining lasuite-docs behavior (and the Q2 gate acceptance test).
tests/lasuite-docs/custom/test_auth_required.py GETs /api/v1.0/users/me/ without a token; asserts 401 Unauthorized (or 403). Non-vacuous: distinguishes a correctly-wired OIDC gate (401) from anonymous access (200), missing route (404), and broken backend (5xx). Proves lasuite-docs's own auth posture (distinct from the SSO provider's token issuance). Together with test_oidc_with_keycloak this exercises both sides of the OIDC flow's plumbing.

Two specific tests — the ≥2 floor is met. Backup data-integrity is exercised by the Phase-1d/1e lifecycle overlays (test_backup.py/test_restore.py + ops.py).

Deferred to Q3.1 follow-up (P2 oidc_login.py + upload_conversion.py full ports)

oidc_login.py and upload_conversion.py both exercise lasuite-docs's authenticated API with a real OIDC-issued JWT. To round these out, the cc-ci side needs:

  1. OIDC env wiring on parent: tests/lasuite-docs/install_steps.sh reads $CCCI_DEPS_FILE to find the per-run keycloak dep's domain, calls harness.sso.setup_keycloak_realm to get a (realm, client_id, client_secret, user, password) tuple, then:
    • Inserts SECRET_OIDC_RPCS_VERSION=v1 + the secret value via abra app secret insert.
    • Appends to lasuite-docs's .env: OIDC_REALM, OIDC_CLIENT_ID, OIDC_OP_* URLs pointing at the dep keycloak.
  2. Authenticated test: a new tests/lasuite-docs/custom/test_create_doc.py performs the password grant against the dep keycloak, presents the JWT to lasuite-docs's POST /api/v1.0/documents/ (create a doc), asserts the doc is fetched back via GET /api/v1.0/documents/<id>/ — the §4.3 prescribed create-and-read-back.
  3. upload_conversion.py port as a separate file exercising the .md + .docx upload paths once auth is wired.

These items are tracked in BACKLOG-2.md and will land before the Q3 gate is claimed.

Backup data-integrity (P4)

Already exercised by the Phase-1d/1e lifecycle overlays (tests/lasuite-docs/{test_backup.py,test_restore.py,ops.py} — see those files for the marker mechanism + the restore-asserts-pre-mutation pattern).

Playwright (P6)

tests/lasuite-docs/test_install.py::test_serving_and_frontend loads the live Docs frontend SPA via Chromium (now using harness.browser.goto_with_retry for F2-3 hardening). Adequate for the lifecycle install P6 surface; a deeper UI flow (create-a-doc in the editor) would land alongside the OIDC-wiring follow-up above.

Non-ports

None — every recipe-maintainer parity test has either a cc-ci port landed or a documented Q3.1 follow-up (this file + BACKLOG-2.md). No silent omissions.