recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
fca4866ea15cb2cdd58cb54bff89b8e51a46d7db
cc-ci/tests/lasuite-docs/functional/test_auth_required.py
autonomic-bot 874bfbb915 feat(2): Q3.1 partial — lasuite-docs PARITY + health_check + auth_required (Q2.4 still passes) 
- tests/lasuite-docs/PARITY.md: parity table for health_check.py (ported);
  oidc_login.py + upload_conversion.py documented as Q3.1 follow-up needing OIDC env wiring;
  ≥2 recipe-specific tests rationale (test_oidc_with_keycloak + test_auth_required).
- tests/lasuite-docs/functional/test_health_check.py: parity port of
  recipe-info/lasuite-docs/tests/health_check.py — HTTP 200/301/302 from root.
- tests/lasuite-docs/functional/test_auth_required.py: NEW recipe-specific —
  GET /api/v1.0/users/me/ asserts 401/403 (auth required). Non-vacuous: distinguishes
  correctly-wired OIDC gate from anonymous access (200), missing route (404), broken (5xx).

The Q2.4 acceptance test (test_oidc_with_keycloak.py) continues to verify the dep resolver +
SSO harness against the per-run keycloak dep (F2-5 fix verified cold; see ccci-f25-verify.log).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 09:21:00 +01:00

38 lines
1.8 KiB
Python
Raw Blame History

"""lasuite-docs — recipe-specific functional test (Phase 2 P3, ≥2 beyond parity).
The defining property of lasuite-docs as configured by the recipe is that its **backend API is
auth-protected** — OIDC tokens authorize access; anonymous requests are rejected. This test
proves the auth middleware is wired correctly: a sample backend endpoint (`/api/v1.0/users/me/`)
returns 401 Unauthorized without a token. Non-vacuous: a misconfigured backend serving anonymous
access would return 200; a broken auth middleware would return 500; a wrong route would return
404 — only a correctly-wired OIDC gate returns 401.
Distinct from the OIDC password-grant test against the keycloak dep (`test_oidc_with_keycloak`):
this proves **lasuite-docs's** own auth posture; that test proves the **SSO provider** can issue
tokens. Together they exercise both sides of the OIDC flow's plumbing.
Runs in the custom tier against the shared post-install deployment.
"""
from __future__ import annotations
import os
import sys
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
from harness import http as harness_http # noqa: E402
def test_users_me_requires_auth(live_app):
"""GET /api/v1.0/users/me/ without a Bearer token must return 401, not 200/404/500."""
url = f"https://{live_app}/api/v1.0/users/me/"
# Retry with broad acceptance: any 4xx (or specific 401) indicates the route exists + auth is
# required. Reject 200 (anonymous access) and 5xx (broken backend).
status, _ = harness_http.retry_http_get(
url, expect_status=(401, 403), max_wait=60, interval=3
)
assert status in (401, 403), (
f"GET {url} returned {status}, expected 401 (auth required). "
f"200 = anonymous access leaked; 404 = route missing; 5xx = backend broken."
)
Reference in New Issue View Git Blame Copy Permalink