Skip to content

HYPERFLEET-1303 - feat: add JWT authentication E2E test suite#147

Closed
kuudori wants to merge 1 commit into
mainfrom
feat/HYPERFLEET-1303-jwt-e2e-validation
Closed

HYPERFLEET-1303 - feat: add JWT authentication E2E test suite#147
kuudori wants to merge 1 commit into
mainfrom
feat/HYPERFLEET-1303-jwt-e2e-validation

Conversation

@kuudori

@kuudori kuudori commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

What

Add new e2e/auth/ test suite validating JWT authentication enforcement, multi-issuer identity, token renewal, and upgrade path configuration.

Why

HYPERFLEET-1303 requires E2E validation that JWT authentication is correctly enforced across the deployed HyperFleet system - covering unauthenticated rejection, invalid tokens, multi-issuer support, token renewal across reconciliation cycles, and upgrade path configuration.

Changes

New test files (e2e/auth/)

  • helpers.go - RequestEditorFn helpers (withoutAuth, withBearerToken) that override the client's default auth header, plus JWT crafting utilities for negative auth tests
  • jwt_enforcement.go - Tier0/Negative tests: unauthenticated GET/POST rejection (AUT-001), invalid signature (AUT-002), expired token, malformed token
  • multi_issuer.go - Tier0 tests: audit field population (created_by/updated_by/deleted_by), unconfigured issuer rejection, multi-SA acceptance, adapter identity verification
  • token_renewal.go - Tier1/Slow tests: Sentinel and Adapter continue operating across token refresh boundaries
  • upgrade_path.go - Tier0/Upgrade test: validates all 4 JWT upgrade config items (jwt.enabled, identity_claim, Sentinel auth, jwk_cert_ca_file) in a single flow

Supporting changes

  • pkg/helper/matchers.go - HaveRFC9457Error Gomega matcher for RFC 9457 Problem Details validation with exact media type checking via mime.ParseMediaType
  • pkg/helper/matchers_test.go - Unit tests for HaveRFC9457Error
  • pkg/labels/labels.go - Auth label for test filtering
  • e2e/e2e.go - Register auth suite via blank import
  • go.mod/go.sum - Add golang-jwt/jwt/v5 dependency

Acceptance Criteria

  • make check passes (vet, lint, unit tests)
  • Auth E2E tests pass against a JWT-enabled deployment

Add new e2e/auth/ test suite validating JWT authentication enforcement,
multi-issuer identity, token renewal, and upgrade path configuration.

New files:
- e2e/auth/helpers.go: RequestEditorFn helpers (withoutAuth, withBearerToken)
  and JWT crafting utilities for negative auth tests
- e2e/auth/jwt_enforcement.go: Tier0 tests for unauthenticated, invalid
  signature, expired, and malformed token rejection
- e2e/auth/multi_issuer.go: Tier0 tests for audit field population,
  unconfigured issuer rejection, multi-SA acceptance, adapter identity
- e2e/auth/token_renewal.go: Tier1 tests for Sentinel and Adapter token
  refresh across reconciliation cycles
- e2e/auth/upgrade_path.go: Tier0 test validating all 4 JWT upgrade config
  items in a single end-to-end flow

Supporting changes:
- pkg/helper/matchers.go: HaveRFC9457Error matcher for RFC 9457 Problem
  Details validation with mime.ParseMediaType content-type checking
- pkg/helper/matchers_test.go: unit tests for HaveRFC9457Error
- pkg/labels/labels.go: Auth label for test filtering
- e2e/e2e.go: register auth suite via blank import
- go.mod/go.sum: add golang-jwt/jwt/v5 dependency
@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tirthct for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (2)
  • do-not-merge/work-in-progress
  • do-not-merge/hold

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1d321bbb-16bf-44ca-8446-28b0b8f8adb9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/HYPERFLEET-1303-jwt-e2e-validation
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch feat/HYPERFLEET-1303-jwt-e2e-validation

Comment @coderabbitai help to get the list of available commands.

@kuudori kuudori closed this Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant