test: close auth-route regression gaps for previously-open routes (PER-15250)#326
Conversation
…R-15250) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
🔍 Vulnerabilities of
|
| digest | sha256:6693b9350bc254ad30c807a55658cf2a1b6fa3467a560c370e8510c24cc4934d |
| vulnerabilities | |
| platform | linux/amd64 |
| size | 225 MB |
| packages | 264 |
📦 Base Image python:3.10-alpine3.22
| also known as |
|
| digest | sha256:c8f94b3bb77e6ea9015ccd091b7f8aec1b1fcbca95159675235d9a93788797cd |
| vulnerabilities |
Description
Description
Description
Description
Description
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description
Description
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description
Description
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description
|
There was a problem hiding this comment.
Pull request overview
Adds missing integration-test coverage for previously open/auth-regressed routes in the Horizon PDP test suite, completing PER-15250 without changing production code.
Changes:
- Strengthens OPAL trigger-route “valid token” tests to assert real
200 {"status":"ok"}responses by boundary-mocking OPAL updaters, instead of only asserting “not 401”. - Adds parameterized malformed-
Authorizationheader coverage to ensure gated routes return401(and never500), including legacy update aliases and all protected enforcer endpoints. - Tightens legacy-route missing-header assertions from a transitional
(401|422)allowance to strict401+ expected detail message.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| horizon/tests/test_opal_trigger_auth.py | Replaces the “!= 401” valid-token assertion with deterministic 200 tests by AsyncMock’ing OPAL updater calls. |
| horizon/tests/test_legacy_update_routes.py | Tightens missing-header checks to 401 and adds malformed-header param tests ensuring updater methods are not awaited. |
| horizon/tests/test_enforcer_api.py | Adds malformed-header param test across all protected enforcer endpoints to pin 401 behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…eviously-open-routes-missing-bad
Closes PER-15250.
What & why
PER-15250 asked for integration tests covering the routes that were gated by the auth-hardening work (PER-15244/15245/15246). Those PRs (#317/#320/#321) shipped most of the requested coverage alongside the fixes; this PR closes the two remaining gaps and tightens now-obsolete assertions. No production code changes — tests only.
Changes
1. Trigger routes now assert a real
200, not just!= 401(test_opal_trigger_auth.py)The valid-token test previously only asserted the request wasn't blocked. Replaced it with two tests that boundary-mock the real (unstarted) updater instances on
_sidecar._opaland assert an actual200 {"status": "ok"}with the correct awaited kwargs (force_full_update=True/data_fetch_reason="request from sdk"). Docstring updated to match.2. Malformed-
Authorization-header coverage on every gated route (test_legacy_update_routes.py,test_enforcer_api.py)Parametrized
["garbage", "Bearer", "Bearer ", "Bearer a b c"]→ 401, never 500 for the legacy aliases (asserting the updater is never awaited) and across all 9PROTECTED_ENFORCER_ENDPOINTS(covers/kong,/allowed, etc.). Pins the header-safe handling from PER-15245.3. Tightened obsolete dual-regime assertions (
test_legacy_update_routes.py)assert status in (401, 422)→== 401(+ detail) now thatenforce_pdp_tokendefaults its credentials param; removed the stale merge-order comments.Issue-case → test map
test_trigger_route_without_token_is_401,test_trigger_route_with_wrong_token_is_401test_{policy,data}_updater_trigger_route_with_valid_token_returns_200test_update_policy*(missing-token check tightened here)/kong401 (integration off & on), 200 w/ token+OPA, 503 orderingtest_kong_endpoint_*,test_enforcer_endpoint_{missing,invalid}_token_returns_401[/kong]/healthstays publictest_health_endpoint_is_public,test_health_is_public/allowedspot-checktest_enforce_endpoint[/allowed]test_*_malformed_header_is_401_not_500(three files)test_route_auth_audit.py(pre-existing)Deliberate deviation from the issue text
The issue (written before its blockers merged) specified a new file
test_unauthenticated_routes_regression.py. Those blockers created purpose-built test files that already carry the exact fixtures these cases need, so the new cases are appended next to the routes they gate rather than duplicating a fourthMockPermitPDPscaffold. The issue'senforce_pdp_tokensplit(" ")→ValueErrorpremise and itsmock_opafixture reference are also stale (superseded byHTTPBearer(auto_error=False)and theaioresponsespattern).Verification
python -m pytest horizon/tests/ -q→ 162 passed, 0 failedruff format --checkandruff check→ clean🤖 Generated with Claude Code