Merge pull request #826 from tisnik/lcore-1027-unit-tests-for-rh-identity

tisnik · web-flow · commit a8bc9a1cdb04 · 2025-11-23T11:41:49.000+01:00
LCORE-1027: Unit tests for RH identity authentication plugin
diff --git a/tests/unit/models/config/test_authentication_configuration.py b/tests/unit/models/config/test_authentication_configuration.py
@@ -10,6 +10,7 @@
     AuthenticationConfiguration,
     Configuration,
     JwkConfiguration,
+    RHIdentityConfiguration,
     LlamaStackConfiguration,
     ServiceConfiguration,
     UserDataCollection,
@@ -19,6 +20,7 @@
     AUTH_MOD_NOOP,
     AUTH_MOD_K8S,
     AUTH_MOD_JWK_TOKEN,
+    AUTH_MOD_RH_IDENTITY,
 )
 
 
@@ -36,6 +38,7 @@ def test_authentication_configuration() -> None:
     assert auth_config.skip_tls_verification is False
     assert auth_config.k8s_ca_cert_path is None
     assert auth_config.k8s_cluster_api is None
+    assert auth_config.rh_identity_config is None
 
     # try to retrieve JWK configuration
     with pytest.raises(
@@ -45,6 +48,92 @@ def test_authentication_configuration() -> None:
         _ = auth_config.jwk_configuration
 
 
+def test_authentication_configuration_rh_identity() -> None:
+    """Test the AuthenticationConfiguration with RH identity token."""
+
+    auth_config = AuthenticationConfiguration(
+        module=AUTH_MOD_RH_IDENTITY,
+        skip_tls_verification=False,
+        k8s_ca_cert_path=None,
+        k8s_cluster_api=None,
+        rh_identity_config=RHIdentityConfiguration(required_entitlements=[]),
+    )
+    assert auth_config is not None
+    assert auth_config.module == AUTH_MOD_RH_IDENTITY
+    assert auth_config.skip_tls_verification is False
+    assert auth_config.k8s_ca_cert_path is None
+    assert auth_config.k8s_cluster_api is None
+    assert auth_config.rh_identity_config is not None
+
+
+def test_authentication_configuration_rh_identity_default_value() -> None:
+    """Test the AuthenticationConfiguration with RH identity token."""
+
+    auth_config = AuthenticationConfiguration(
+        module=AUTH_MOD_RH_IDENTITY,
+        skip_tls_verification=False,
+        k8s_ca_cert_path=None,
+        k8s_cluster_api=None,
+        rh_identity_config=RHIdentityConfiguration(),
+    )
+    assert auth_config is not None
+    assert auth_config.module == AUTH_MOD_RH_IDENTITY
+    assert auth_config.skip_tls_verification is False
+    assert auth_config.k8s_ca_cert_path is None
+    assert auth_config.k8s_cluster_api is None
+    assert auth_config.rh_identity_config is not None
+
+
+def test_authentication_configuration_rh_identity_one_entitlement() -> None:
+    """Test the AuthenticationConfiguration with RH identity token."""
+
+    auth_config = AuthenticationConfiguration(
+        module=AUTH_MOD_RH_IDENTITY,
+        skip_tls_verification=False,
+        k8s_ca_cert_path=None,
+        k8s_cluster_api=None,
+        rh_identity_config=RHIdentityConfiguration(required_entitlements=["foo"]),
+    )
+    assert auth_config is not None
+    assert auth_config.module == AUTH_MOD_RH_IDENTITY
+    assert auth_config.skip_tls_verification is False
+    assert auth_config.k8s_ca_cert_path is None
+    assert auth_config.k8s_cluster_api is None
+    assert auth_config.rh_identity_config is not None
+
+
+def test_authentication_configuration_rh_identity_more_entitlements() -> None:
+    """Test the AuthenticationConfiguration with RH identity token."""
+
+    auth_config = AuthenticationConfiguration(
+        module=AUTH_MOD_RH_IDENTITY,
+        skip_tls_verification=False,
+        k8s_ca_cert_path=None,
+        k8s_cluster_api=None,
+        rh_identity_config=RHIdentityConfiguration(
+            required_entitlements=["foo", "bar", "baz"]
+        ),
+    )
+    assert auth_config is not None
+    assert auth_config.module == AUTH_MOD_RH_IDENTITY
+    assert auth_config.skip_tls_verification is False
+    assert auth_config.k8s_ca_cert_path is None
+    assert auth_config.k8s_cluster_api is None
+    assert auth_config.rh_identity_config is not None
+
+
+def test_authentication_configuration_rh_identity_but_insufficient_config() -> None:
+    """Test the AuthenticationConfiguration with RH identity token."""
+
+    with pytest.raises(ValidationError, match="RH"):
+        AuthenticationConfiguration(
+            module=AUTH_MOD_RH_IDENTITY,
+            skip_tls_verification=False,
+            k8s_ca_cert_path=None,
+            k8s_cluster_api=None,
+        )
+
+
 def test_authentication_configuration_jwk_token() -> None:
     """Test the AuthenticationConfiguration with JWK token."""
 
@@ -140,7 +229,7 @@ def test_authentication_configuration_module_unsupported() -> None:
         )
 
 
-def test_authentication_configuration_in_config() -> None:
+def test_authentication_configuration_in_config_noop() -> None:
     """Test the authentication configuration in main config."""
     # pylint: disable=no-member
     cfg = Configuration(
@@ -161,7 +250,11 @@ def test_authentication_configuration_in_config() -> None:
     assert cfg.authentication.k8s_ca_cert_path is None
     assert cfg.authentication.k8s_cluster_api is None
 
-    cfg2 = Configuration(
+
+def test_authentication_configuration_in_config_k8s() -> None:
+    """Test the authentication configuration in main config."""
+    # pylint: disable=no-member
+    cfg = Configuration(
         name="test_name",
         service=ServiceConfiguration(),
         llama_stack=LlamaStackConfiguration(
@@ -179,10 +272,66 @@ def test_authentication_configuration_in_config() -> None:
             k8s_cluster_api=None,
         ),
     )
-    assert cfg2.authentication is not None
-    assert cfg2.authentication.module == AUTH_MOD_K8S
-    assert cfg2.authentication.skip_tls_verification is True
-    assert cfg2.authentication.k8s_ca_cert_path == Path(
-        "tests/configuration/server.crt"
+    assert cfg.authentication is not None
+    assert cfg.authentication.module == AUTH_MOD_K8S
+    assert cfg.authentication.skip_tls_verification is True
+    assert cfg.authentication.k8s_ca_cert_path == Path("tests/configuration/server.crt")
+    assert cfg.authentication.k8s_cluster_api is None
+
+
+def test_authentication_configuration_in_config_rh_identity() -> None:
+    """Test the authentication configuration in main config."""
+    # pylint: disable=no-member
+    cfg = Configuration(
+        name="test_name",
+        service=ServiceConfiguration(),
+        llama_stack=LlamaStackConfiguration(
+            use_as_library_client=True,
+            library_client_config_path="tests/configuration/run.yaml",
+        ),
+        user_data_collection=UserDataCollection(
+            feedback_enabled=False, feedback_storage=None
+        ),
+        mcp_servers=[],
+        authentication=AuthenticationConfiguration(
+            module=AUTH_MOD_RH_IDENTITY,
+            skip_tls_verification=True,
+            k8s_ca_cert_path="tests/configuration/server.crt",
+            k8s_cluster_api=None,
+            rh_identity_config=RHIdentityConfiguration(required_entitlements=[]),
+        ),
+    )
+    assert cfg.authentication is not None
+    assert cfg.authentication.module == AUTH_MOD_RH_IDENTITY
+    assert cfg.authentication.skip_tls_verification is True
+    assert cfg.authentication.k8s_ca_cert_path == Path("tests/configuration/server.crt")
+    assert cfg.authentication.k8s_cluster_api is None
+
+
+def test_authentication_configuration_in_config_jwktoken() -> None:
+    """Test the authentication configuration in main config."""
+    # pylint: disable=no-member
+    cfg = Configuration(
+        name="test_name",
+        service=ServiceConfiguration(),
+        llama_stack=LlamaStackConfiguration(
+            use_as_library_client=True,
+            library_client_config_path="tests/configuration/run.yaml",
+        ),
+        user_data_collection=UserDataCollection(
+            feedback_enabled=False, feedback_storage=None
+        ),
+        mcp_servers=[],
+        authentication=AuthenticationConfiguration(
+            module=AUTH_MOD_JWK_TOKEN,
+            skip_tls_verification=True,
+            k8s_ca_cert_path="tests/configuration/server.crt",
+            k8s_cluster_api=None,
+            jwk_config=JwkConfiguration(url="http://foo.bar.baz"),
+        ),
     )
-    assert cfg2.authentication.k8s_cluster_api is None
+    assert cfg.authentication is not None
+    assert cfg.authentication.module == AUTH_MOD_JWK_TOKEN
+    assert cfg.authentication.skip_tls_verification is True
+    assert cfg.authentication.k8s_ca_cert_path == Path("tests/configuration/server.crt")
+    assert cfg.authentication.k8s_cluster_api is None
