recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5ccc0d1c34922eea7b3f96ea7130fb50f0c85b2b
cc-ci/tests/lasuite-docs/functional/test_auth_required.py
autonomic-bot 9a7772563a style: repo-wide lint pass — make the lint gate green again 
Push builds have been RED on the lint step since ~build 209 from accumulated
formatting drift. This is the mechanical cleanup: ruff format + ruff --fix
(UP038 isinstance unions, SIM105 contextlib.suppress, UP031 f-strings, SIM115
tempfile context manager), shfmt -i 2 -ci, nixpkgs-fmt/statix/deadnix (merged
attrsets, dropped unused lib args), yamllint, and shell quoting fixes in
tests/lasuite-docs/setup_custom_tests.sh. No behaviour changes intended;
lint: PASS, unit tests: 138 passed.
2026-06-09 21:56:15 +00:00

36 lines
1.8 KiB
Python
Raw Blame History

"""lasuite-docs — recipe-specific functional test (Phase 2 P3, ≥2 beyond parity).
The defining property of lasuite-docs as configured by the recipe is that its **backend API is
auth-protected** — OIDC tokens authorize access; anonymous requests are rejected. This test
proves the auth middleware is wired correctly: a sample backend endpoint (`/api/v1.0/users/me/`)
returns 401 Unauthorized without a token. Non-vacuous: a misconfigured backend serving anonymous
access would return 200; a broken auth middleware would return 500; a wrong route would return
404 — only a correctly-wired OIDC gate returns 401.
Distinct from the OIDC password-grant test against the keycloak dep (`test_oidc_with_keycloak`):
this proves **lasuite-docs's** own auth posture; that test proves the **SSO provider** can issue
tokens. Together they exercise both sides of the OIDC flow's plumbing.
Runs in the custom tier against the shared post-install deployment.
"""
from __future__ import annotations
import os
import sys
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
from harness import http as harness_http # noqa: E402
def test_users_me_requires_auth(live_app):
"""GET /api/v1.0/users/me/ without a Bearer token must return 401, not 200/404/500."""
url = f"https://{live_app}/api/v1.0/users/me/"
# Retry with broad acceptance: any 4xx (or specific 401) indicates the route exists + auth is
# required. Reject 200 (anonymous access) and 5xx (broken backend).
status, _ = harness_http.retry_http_get(url, expect_status=(401, 403), max_wait=60, interval=3)
assert status in (401, 403), (
f"GET {url} returned {status}, expected 401 (auth required). "
f"200 = anonymous access leaked; 404 = route missing; 5xx = backend broken."
)
Reference in New Issue View Git Blame Copy Permalink