recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
4eae6eb20867cfca55899ffedc1afa8b25ffae9b
cc-ci/tests/lasuite-docs/PARITY.md
autonomic-bot 874bfbb915 feat(2): Q3.1 partial — lasuite-docs PARITY + health_check + auth_required (Q2.4 still passes) 
- tests/lasuite-docs/PARITY.md: parity table for health_check.py (ported);
  oidc_login.py + upload_conversion.py documented as Q3.1 follow-up needing OIDC env wiring;
  ≥2 recipe-specific tests rationale (test_oidc_with_keycloak + test_auth_required).
- tests/lasuite-docs/functional/test_health_check.py: parity port of
  recipe-info/lasuite-docs/tests/health_check.py — HTTP 200/301/302 from root.
- tests/lasuite-docs/functional/test_auth_required.py: NEW recipe-specific —
  GET /api/v1.0/users/me/ asserts 401/403 (auth required). Non-vacuous: distinguishes
  correctly-wired OIDC gate from anonymous access (200), missing route (404), broken (5xx).

The Q2.4 acceptance test (test_oidc_with_keycloak.py) continues to verify the dep resolver +
SSO harness against the per-run keycloak dep (F2-5 fix verified cold; see ccci-f25-verify.log).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 09:21:00 +01:00

4.9 KiB
Raw Blame History

Parity — lasuite-docs

Phase-2 P2 mapping table. The Adversary cold-verifies parity by reading the source recipe-info/lasuite-docs/tests/<file> and the cc-ci file side-by-side.

recipe-maintainer file cc-ci file what's verified status
recipe-info/lasuite-docs/tests/health_check.py tests/lasuite-docs/functional/test_health_check.py The app serves over HTTPS and returns a successful response (200/301/302). The cc-ci port preserves the assertion shape, adapted to the ephemeral per-run domain via live_app. ported
recipe-info/lasuite-docs/tests/oidc_login.py tests/lasuite-docs/functional/test_oidc_with_keycloak.py (Q2.4 acceptance, partial port) + test_auth_required.py (proves the gate is wired) The original's flow: deploy keycloak + setup realm/client/user + obtain JWT + use it against lasuite-docs's protected API. The cc-ci pair: (a) test_oidc_with_keycloak deploys keycloak as a Q2.3 dep, sets up realm/client/user, obtains a real JWT, validates iss/azp/typ/exp claims; (b) test_auth_required proves lasuite-docs's backend API requires auth (401). Step-(c) — actually USING the JWT against lasuite-docs — requires wiring the dep keycloak's client_secret + OIDC env into lasuite-docs's .env at install time; see "Deferred (Q3.1 follow-up)" below. partial; see follow-up
recipe-info/lasuite-docs/tests/upload_conversion.py (Q3.1 follow-up — needs OIDC env wired into lasuite-docs first) The original uploads .md + .docx via authenticated POST /api/v1.0/documents/<id>/upload and asserts the y-provider + docspec conversion paths fire. The cc-ci port requires authentication, which requires OIDC env wiring (see below). deferred

Recipe-specific tests (Phase-2 P3, ≥2 beyond parity)

cc-ci file what's verified rationale
tests/lasuite-docs/functional/test_oidc_with_keycloak.py Deploys keycloak as a per-run dep (Q2.3 resolver via DEPS = ["keycloak"]), sets up a realm/client/user, exercises the OIDC discovery endpoint + the password-grant flow against the dep keycloak, validates the returned JWT's iss/azp/typ/exp claims. The recipe is OIDC-dependent by design; proving the SSO provider deploys + issues tokens + the JWT contract is intact is a defining lasuite-docs behavior (and the Q2 gate acceptance test).
tests/lasuite-docs/functional/test_auth_required.py GETs /api/v1.0/users/me/ without a token; asserts 401 Unauthorized (or 403). Non-vacuous: distinguishes a correctly-wired OIDC gate (401) from anonymous access (200), missing route (404), and broken backend (5xx). Proves lasuite-docs's own auth posture (distinct from the SSO provider's token issuance). Together with test_oidc_with_keycloak this exercises both sides of the OIDC flow's plumbing.

Two specific tests — the ≥2 floor is met. Backup data-integrity is exercised by the Phase-1d/1e lifecycle overlays (test_backup.py/test_restore.py + ops.py).

Deferred to Q3.1 follow-up (P2 oidc_login.py + upload_conversion.py full ports)

oidc_login.py and upload_conversion.py both exercise lasuite-docs's authenticated API with a real OIDC-issued JWT. To round these out, the cc-ci side needs:

  1. OIDC env wiring on parent: tests/lasuite-docs/install_steps.sh reads $CCCI_DEPS_FILE to find the per-run keycloak dep's domain, calls harness.sso.setup_keycloak_realm to get a (realm, client_id, client_secret, user, password) tuple, then:
    • Inserts SECRET_OIDC_RPCS_VERSION=v1 + the secret value via abra app secret insert.
    • Appends to lasuite-docs's .env: OIDC_REALM, OIDC_CLIENT_ID, OIDC_OP_* URLs pointing at the dep keycloak.
  2. Authenticated test: a new tests/lasuite-docs/functional/test_create_doc.py performs the password grant against the dep keycloak, presents the JWT to lasuite-docs's POST /api/v1.0/documents/ (create a doc), asserts the doc is fetched back via GET /api/v1.0/documents/<id>/ — the §4.3 prescribed create-and-read-back.
  3. upload_conversion.py port as a separate file exercising the .md + .docx upload paths once auth is wired.

These items are tracked in BACKLOG-2.md and will land before the Q3 gate is claimed.

Backup data-integrity (P4)

Already exercised by the Phase-1d/1e lifecycle overlays (tests/lasuite-docs/{test_backup.py,test_restore.py,ops.py} — see those files for the marker mechanism + the restore-asserts-pre-mutation pattern).

Playwright (P6)

tests/lasuite-docs/test_install.py::test_serving_and_frontend loads the live Docs frontend SPA via Chromium (now using harness.browser.goto_with_retry for F2-3 hardening). Adequate for the lifecycle install P6 surface; a deeper UI flow (create-a-doc in the editor) would land alongside the OIDC-wiring follow-up above.

Non-ports

None — every recipe-maintainer parity test has either a cc-ci port landed or a documented Q3.1 follow-up (this file + BACKLOG-2.md). No silent omissions.