test(BA-4985): add component tests for auth security management #9873

Merged. HyeockJinKim merged 8 commits into main from BA-4985, Mar 19, 2026

@jopemachine jopemachine commented Mar 11, 2026

Resolves #9843 (BA-4985)

Summary

Merge auth component tests into a single tests/component/auth/test_auth.py, covering verify-auth, role/scope control, authorize, full-name update, password management (including expiry), SSH keypair operations, signup, and cross-domain access enforcement.

Previously split across test_auth.py (basic) and test_auth_security.py (extended), now consolidated with duplicate tests removed and additional coverage added.

Target test file: tests/component/auth/test_auth.py

| Test Class | Count | Test Scenarios |
|---|---|---|
| TestVerifyAuth | 3 | Admin verify-auth with echo round-trip, regular user verify-auth with echo round-trip, domain-admin verify-auth |
| TestRoleAndScopeAccess | 5 | Superadmin gets superadmin role, regular user gets user role, domain-admin gets admin role, get role with valid group, get role with nonexistent group raises NotFoundError |
| TestAuthorize | 2 | Authorize returns keypair credentials (access_key, secret_key, role), authorize with wrong password raises AuthenticationError |
| TestUpdateFullName | 1 | Admin updates full name |
| TestPasswordChange | 5 | Self-initiated password change succeeds, wrong old password raises AuthenticationError, confirmation mismatch raises InvalidRequestError, login with new password after change, old password rejected after change |
| TestPasswordExpiry | 4 | Expired password login rejected (max_password_age=90d), no-auth renewal with expired password, no-auth rejected when max_password_age not configured, same-password renewal rejected |
| TestSSHKeypair | 7 | Initial empty state, generate keypair, get after generate matches, upload custom RSA keypair, upload overwrites existing, regenerate replaces previous, per-user keypair independence |
| TestSignup | 1 | Signup creates user with keypair (access_key/secret_key returned) |
| TestCrossDomainAccess | 3 | Superadmin authorizes cross-domain user, domain-admin role scoped to own domain, domain-admin cannot query other-domain group role |

Total: 31 tests

Key improvements over original PR

  • Merged test_auth.py and test_auth_security.py into a single file (eliminated duplicate tests)
  • Replaced pytest.raises(Exception) with specific exception types (NotFoundError)
  • Replaced manual try/finally config restoration with monkeypatch.setattr in TestPasswordExpiry
  • Extracted RSA keypair generation into rsa_keypair fixture
  • Consolidated all helper types at the top of the file for readability
  • Prefixed internal dataclasses with _ (e.g., _ExpiredPasswordUserData, _CrossDomainFixtureData)
  • Added detailed English docstrings to all test classes and methods

Test plan

  • pants lint passes
  • pants check passes
  • pants test passes

🤖 Generated with Claude Code
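
The TestPasswordExpiry scenarios and the switch from pytest.raises(Exception) to specific exception types, shown as an added example that is not code from this PR or from the project. AuthService, PasswordExpired, raised and expiry_scenarios are hypothetical names, and the exception type raised in each expiry case is an assumption, since the page does not state it.

```python
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace

class AuthenticationError(Exception): pass
class InvalidRequestError(Exception): pass
class PasswordExpired(AuthenticationError): pass  # hypothetical name

class AuthService:  # hypothetical toy; a real service compares password hashes
    def __init__(self, max_password_age):
        # max_password_age is a timedelta, or None when expiry is not configured
        self.max_password_age, self.users = max_password_age, {}

    def _check(self, name, password):
        user = self.users.get(name)
        if user is None or user.password != password:
            raise AuthenticationError("invalid credentials")
        return user

    def authorize(self, name, password, now):
        user = self._check(name, password)
        if self.max_password_age is not None and now - user.changed_at > self.max_password_age:
            raise PasswordExpired("password expired")

    def renew(self, name, current, new, now):
        if self.max_password_age is None:
            raise InvalidRequestError("password expiry is not configured")
        user = self._check(name, current)
        if new == current:
            raise InvalidRequestError("new password must differ from the current one")
        user.password, user.changed_at = new, now

def raised(fn, *args):
    """Name of the exception type fn(*args) raises, or None if it returns."""
    try:
        fn(*args)
    except Exception as exc:
        return type(exc).__name__

def expiry_scenarios():
    now = datetime(2026, 3, 19, tzinfo=timezone.utc)  # constructed clock
    on, off = AuthService(timedelta(days=90)), AuthService(None)
    for svc in (on, off):  # constructed user whose password is 91 days old
        svc.users["alice"] = SimpleNamespace(password="old-pw", changed_at=now - timedelta(days=91))
    return {
        "expired_login": raised(on.authorize, "alice", "old-pw", now),
        "same_password_renewal": raised(on.renew, "alice", "old-pw", "old-pw", now),
        "renewal_unconfigured": raised(off.renew, "alice", "old-pw", "new-pw", now),
        "renewal": raised(on.renew, "alice", "old-pw", "new-pw", now),
        "login_after_renewal": raised(on.authorize, "alice", "new-pw", now),
        "broken_call": raised(on.authorize, "alice"),  # bug in the test itself
    }
```

The broken_call entry comes back as TypeError: a check that accepts any Exception would count that as a rejected login, while a check for the specific type fails and exposes the broken test.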

@github-actions github-actions Bot added the size:XL 500~ LoC label Mar 11, 2026
@jopemachine jopemachine changed the title test: Add Auth security component tests (WIP) test(BA-4985): Add Auth security component tests (WIP) Mar 11, 2026
@jopemachine jopemachine added this to the 26.3 milestone Mar 11, 2026
@jopemachine jopemachine changed the title test(BA-4985): Add Auth security component tests (WIP) test(BA-4985): add component tests for auth security management Mar 11, 2026
jopemachine added a commit that referenced this pull request Mar 11, 2026
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jopemachine added a commit that referenced this pull request Mar 11, 2026
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jopemachine added a commit that referenced this pull request Mar 11, 2026
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jopemachine jopemachine modified the milestones: 26.3, 26.4 Mar 18, 2026
@jopemachine jopemachine requested a review from a team March 18, 2026 07:06
@jopemachine jopemachine marked this pull request as ready for review March 18, 2026 07:07
Copilot AI review requested due to automatic review settings March 18, 2026 07:07
Copilot AI left a comment

Pull request overview

This PR consolidates previously split auth component tests into a single tests/component/auth/test_auth.py, expanding coverage for auth verification, role/scope access control, password management (including expiry), SSH keypair operations, signup, and cross-domain access rules.

Changes:

  • Merged and reorganized auth component tests into one file with shared helper dataclasses/fixtures.
  • Added new fixtures to create expired-password users and a second (“cross”) domain for access-control scenarios.
  • Expanded test coverage across authorize, password-change/expiry flows, SSH keypair CRUD-like behavior, signup, and cross-domain restrictions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| tests/component/auth/test_auth.py | Consolidates and expands auth component tests; adds fixtures for expired-password and cross-domain scenarios. |
| changes/9873.test.md | Adds a changelog entry for the new/updated component tests. |

Comment thread tests/component/auth/test_auth.py
Comment thread tests/component/auth/test_auth.py Outdated
Comment thread tests/component/auth/test_auth.py Outdated
jopemachine and others added 2 commits March 18, 2026 17:03
Superadmins have global privileges that extend across domain boundaries,
so they should not be required to be a member of a group to query its role.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added the comp:manager Related to Manager component label Mar 18, 2026
Split the test into two: superadmin now succeeds (global access),
while regular user still gets NotFoundError for nonexistent groups.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@HyeockJinKim HyeockJinKim merged commit 4d074d0 into main Mar 19, 2026
30 checks passed
@HyeockJinKim HyeockJinKim deleted the BA-4985 branch March 19, 2026 01:49
Labels

comp:manager Related to Manager component size:XL 500~ LoC

Development

Successfully merging this pull request may close these issues.

Add component tests: Auth security management

3 participants