Fix RBAC pyright type errors and add unit tests#553
Open
swinney wants to merge 1 commit into
Open
Conversation
Fix 3 pre-existing pyright type errors in the RBAC subsystem: - registry.py: `visited: Set[str] = None` → `Optional[Set[str]]` - jwt_parser.py: `original_roles: List[str] = None` → `Optional[List[str]]` - decorators.py: 8 call sites passing `request.endpoint` (Optional[str]) to `log_permission_check(endpoint: str)` — use fallback `or '<unknown>'` Add 46 unit tests across 5 new test files covering: - RBACRegistry: permission resolution, inheritance, wildcards, config validation (circular/empty/undefined), filter_valid_roles, properties - Permissions: has_permission, is_admin, is_expert with explicit roles - Audit: log_authentication_event, log_permission_check, log_role_assignment levels and structured output - JWT Parser: extract_roles_from_token (resource_access, fallback, edge cases), get_user_roles with default fallback - Decorators: require_permission, require_any_permission, check_sso_required via Flask test client Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
swinney
pushed a commit
to fasrc/archi
that referenced
this pull request
Apr 14, 2026
Fix 3 pre-existing pyright type errors and add 46 unit tests for the RBAC subsystem. See archi-physics#552, archi-physics#553. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses pre-existing Pyright typing issues in the RBAC subsystem and adds a focused unit test suite for RBAC behavior (registry, permissions utilities, JWT role extraction, decorators, and audit logging).
Changes:
- Fix Pyright type errors by making
visited/original_rolesparameters properlyOptional[...]and by providing a non-Nonefallback forrequest.endpointin audit logging call sites. - Add 5 new unit test modules (46 tests) covering RBAC permission resolution, config validation, role extraction/fallback, decorator behavior via Flask test client, and audit log formatting/levels.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| src/utils/rbac/registry.py | Fixes a typing issue by making visited optional in _resolve_permissions. |
| src/utils/rbac/jwt_parser.py | Fixes a typing issue by making original_roles optional in assign_default_role. |
| src/utils/rbac/decorators.py | Ensures endpoint passed to audit logger is always a str via request.endpoint or '<unknown>'. |
| tests/unit/test_rbac_registry.py | Adds unit tests for RBACRegistry permission resolution, validation, filtering, and properties. |
| tests/unit/test_rbac_permissions.py | Adds unit tests for permission utility functions with patched registry access. |
| tests/unit/test_rbac_jwt_parser.py | Adds unit tests for role extraction from token shapes and default-role fallback behavior. |
| tests/unit/test_rbac_decorators.py | Adds Flask-based tests for RBAC decorators (401/403/200 behavior). |
| tests/unit/test_rbac_audit.py | Adds tests validating audit logging level usage and message/JSON structure. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #552
registry.py,jwt_parser.py, anddecorators.pysrc/utils/rbac/andtests/unit/test_rbac_*— no functional behavior changesChanges
Type Fixes (3 files, 10 line changes)
registry.py:148_resolve_permissionsSet[str] = None→Optional[Set[str]] = Nonejwt_parser.py:158assign_default_roleList[str] = None→Optional[List[str]] = Nonedecorators.pyrequest.endpoint→request.endpoint or '<unknown>'New Tests (5 files, 655 lines, 46 tests)
test_rbac_registry.pytest_rbac_permissions.pyhas_permission,is_admin,is_expertwith explicit rolestest_rbac_audit.pytest_rbac_jwt_parser.pyextract_roles_from_token(4 scenarios),get_user_rolesdefault fallbacktest_rbac_decorators.pyrequire_permission,require_any_permission,check_sso_requiredvia Flask test clientTest plan
pyrightreports 0 errors on all 3 modified source filespytest tests/unit/test_rbac_*.py)🤖 Generated with Claude Code