
Improve advanced configuration tests#14167

Merged
PasanT9 merged 1 commit into wso2:master from nimsara66:16032-master on Apr 22, 2026

Conversation

@nimsara66
Contributor

Description

${subject}

@coderabbitai
Contributor

coderabbitai Bot commented Apr 21, 2026

📝 Walkthrough

Summary

This pull request enhances the advanced configuration test suite by adding a new test case to validate proper error handling for invalid JWT authentication.

Changes

Added Test Method: testUpdateTenantConfigurationWithInvalidJWT()

  • Verifies that tenant configuration update requests with invalid JWT tokens are properly rejected
  • Constructs a custom ApiClient configured with an invalid JWT bearer token
  • Attempts to update tenant configuration and validates that the operation fails with HTTP 401 (Unauthorized) status
  • Includes assertions that confirm the expected error response

Added Helper Method: createInvalidJWT()

  • Private utility method that generates a JWT token with an invalid signature
  • Manually constructs JWT components (header, payload, signature) with Base64URL encoding
  • Includes standard JWT claims (subject, issuer, expiration, scope, audience) with an intentionally invalid signature
  • Used by the test method to generate tokens for validation testing

Impact

The addition improves test coverage by validating that the API properly enforces authentication requirements and rejects requests with malformed or invalid credentials. This contributes to the overall robustness of the integration test suite for tenant configuration management.

Walkthrough

A new test method testUpdateTenantConfigurationWithInvalidJWT() has been added to verify that tenant configuration update requests are rejected when using an invalid JWT token. The test constructs an invalid HS256 JWT, configures an API client with this token in the Authorization header, and attempts to update tenant configuration. The test expects the API to reject the request and return a 401 HTTP status code. A helper method createInvalidJWT() was also added to generate the invalid JWT for testing purposes.

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

  • Description check (⚠️ Warning): The description is empty or contains only a placeholder ('${subject}') and does not provide any meaningful information about the changeset. Resolution: Complete the description with details about what was added and why, such as the new JWT validation test and its purpose.
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
  • Title check (❓ Inconclusive): The title 'Improve advanced configuration tests' is vague and does not specifically convey what improvement was made; it lacks concrete details about the test changes. Resolution: Provide a more specific title that describes the actual change, such as 'Add invalid JWT validation test to tenant configuration updates'.
✅ Passed checks (2 passed)
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.


Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
all-in-one-apim/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/other/AdvancedConfigurationsTestCase.java (2)

114-150: Use the available nimbus-jose-jwt library instead of hand-rolling JWT creation.

The project already includes nimbus-jose-jwt in the test classpath. The current implementation manually constructs the header, payload, and signature using custom Base64URL encoding with character substitution, which is error-prone. Using the library would make the intent explicit and eliminate the custom encoding logic.

If a minimal change is preferred, use Base64.getUrlEncoder().withoutPadding() to replace the custom Base64URL lambda:

♻️ Minimal cleanup using JDK Base64 URL encoder
-    private String createInvalidJWT() {
-        // Base64URL encoding function (replaces + with -, / with _, removes padding)
-        java.util.function.Function<byte[], String> base64url = (byte[] input) -> {
-            String encoded = Base64.getEncoder().encodeToString(input);
-            encoded = encoded.replace("=", "");
-            encoded = encoded.replace("+", "-");
-            encoded = encoded.replace("/", "_");
-            return encoded;
-        };
+    private String createInvalidJWT() {
+        Base64.Encoder b64Url = Base64.getUrlEncoder().withoutPadding();
+        java.util.function.Function<byte[], String> base64url = b64Url::encodeToString;
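Review bot: once `b64Url` holds `Base64.getUrlEncoder().withoutPadding()`, the second `+` line's `java.util.function.Function<byte[], String> base64url = b64Url::encodeToString` is an indirection that adds nothing; either call `b64Url.encodeToString(...)` directly at the call sites, or keep the method reference but import `java.util.function.Function` instead of fully qualifying it. The hunk also stops at the encoder setup, so it does not show the remaining `signingInput`/`invalidSignature` lines that still use the old `base64url` name; those call sites should be included so the suggestion compiles as a unit.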
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@all-in-one-apim/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/other/AdvancedConfigurationsTestCase.java`
around lines 114 - 150, The createInvalidJWT method currently hand-rolls
Base64URL encoding via the local base64url lambda and manual replacements;
replace this with the nimbus-jose-jwt library to construct a JWT (or at minimum
use Base64.getUrlEncoder().withoutPadding() instead of the base64url function),
then produce a token with an invalid signature by building the header/payload
via the library (or encoding with the JDK URL encoder) and appending a bogus
signature; update references in createInvalidJWT (remove base64url,
signingInput, invalidSignature manual logic) to use the library's JWT/JOSE
builders so the token creation is correct and less error-prone.

145-149: Use a properly-formed HS256 signature to improve test robustness.

The signature is created as the Base64URL encoding of the ASCII string "invalid_signature" (17 bytes). HS256 signatures are always 32 bytes (HMAC-SHA256 output), making this structurally malformed rather than cryptographically invalid. Different versions or implementations may return 400 (Bad Request) for a malformed signature instead of 401 (Unauthorized), causing the assertion to fail.

The nimbus-jose-jwt library is already available in the project. Consider using it to produce a correctly-shaped signature with an arbitrary key, ensuring the token is well-formed but fails signature verification:

Example approach
// Use HMAC-SHA256 with a known but incorrect key
javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA256");
mac.init(new javax.crypto.spec.SecretKeySpec(
    "wrong-server-secret".getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
byte[] sig = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
return signingInput + "." + base64url.apply(sig);
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@all-in-one-apim/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/other/AdvancedConfigurationsTestCase.java`
around lines 145 - 149, The test currently appends a Base64URL of the ASCII
string "invalid_signature" to signingInput which produces a structurally
malformed signature; replace that with a properly-sized HS256 MAC so the JWT is
well-formed but fails verification: compute an HmacSHA256 over signingInput
using an arbitrary/wrong key (e.g., "wrong-server-secret") via javax.crypto.Mac,
take mac.doFinal(signingInput.getBytes(...)) and pass that byte[] into
base64url.apply(...) and return signingInput + "." + <that result>; update the
code around the identifiers signingInput and base64url so the signature is 32
bytes and validly encoded.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f0edc706-5329-4946-b71c-6181a67df845

📥 Commits

Reviewing files that changed from the base of the PR and between 86f5cae and c002884.

📒 Files selected for processing (1)
  • all-in-one-apim/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/am/integration/tests/other/AdvancedConfigurationsTestCase.java
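
The distinction the second nitpick draws, a 17-byte "signature" that is structurally malformed versus a 32-byte HMAC computed under the wrong key that is well-formed but fails verification, as an added Python example that is not code from the PR or the WSO2 project: it builds both token shapes and a small verifier that classifies them in the order a gateway must (parse and shape checks before the MAC comparison). The server key, the claim values and the `malformed` / `invalid_signature` / `ok` labels are constructed here for illustration.

```python
import base64
import hashlib
import hmac
import json

HS256_SIG_LEN = 32  # HMAC-SHA256 output is always 32 bytes

# Constructed sample values (not from the project): a server-side HMAC key and the
# claim set the PR's helper uses (subject, issuer, expiry, scope, audience).
SERVER_KEY = b"correct-server-secret"
CLAIMS = {"sub": "admin", "iss": "https://issuer.example", "exp": 4102444800,
          "scope": "apim:admin", "aud": "tenant-config-api"}

def b64url(data: bytes) -> str:
    """Base64URL without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_input(claims: dict) -> str:
    """header.payload: exactly the bytes an HS256 signature covers."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)

def hs256_jwt(claims: dict, key: bytes) -> str:
    """Well-formed HS256 token; under a wrong key it is invalid, not malformed."""
    si = signing_input(claims)
    return si + "." + b64url(hmac.new(key, si.encode("ascii"), hashlib.sha256).digest())

def malformed_jwt(claims: dict) -> str:
    """The PR's original shape: the 'signature' is a 17-byte ASCII string, encoded."""
    return signing_input(claims) + "." + b64url(b"invalid_signature")

def verify_hs256(token: str, server_key: bytes) -> str:
    """Classify as a verifier must: 'malformed' (a 400-style parse failure) is
    decided before 'invalid_signature' (a 401-style rejection); else 'ok'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        header = json.loads(b64url_decode(parts[0]))
        sig = b64url_decode(parts[2])
    except ValueError:  # bad Base64URL or bad JSON (binascii.Error is a ValueError)
        return "malformed"
    if header.get("alg") != "HS256" or len(sig) != HS256_SIG_LEN:
        return "malformed"
    expected = hmac.new(server_key, ".".join(parts[:2]).encode("ascii"), hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(sig, expected) else "invalid_signature"
```

A test that wants a 401 should feed the server `hs256_jwt(CLAIMS, b"wrong-server-secret")`, which reaches the MAC comparison; `malformed_jwt(CLAIMS)` is rejected earlier and a stricter parser may report it as a bad request instead.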

@PasanT9 PasanT9 merged commit fa5e940 into wso2:master Apr 22, 2026
13 of 14 checks passed