test(e2e): add comprehensive e2e tests for rh-identity authentication

[major]

Description

Add comprehensive end-to-end tests for the rh-identity authentication module. These tests cover critical validation paths in src/authentication/rh_identity.py, ensuring proper error handling for malformed headers, missing fields, and entitlement validation.

Test Scenarios (9 total)

Header-level validation:

• Missing x-rh-identity header (401)

Identity structure validation:

• Missing identity field (400)

User identity validation:

• Missing user_id (400)
• Missing username (400)

System identity validation:

• Missing cn (400)

Entitlement validation:

• Missing required entitlement (403)
• Entitlement with is_entitled=false (403)

Success cases:

• Valid User identity with required entitlements (200) - validates response body
• Valid System identity with required entitlements (200) - validates response body

Type of change

• End to end tests improvement

Tools used to create PR

• Assisted-by: Claude (Anthropic)
• Generated by: N/A

Related Tickets & Documents

• Related Issue # N/A
• Closes # N/A

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

1. Run the e2e tests with rh-identity feature:

   uv run behave tests/e2e/features/authorized_rh_identity.feature

2. Or run all e2e tests:

   uv run make test-e2e

3. All 9 scenarios should pass, validating each error path and success case in the rh-identity authentication module.

Summary by CodeRabbit

• Tests
  • Added comprehensive end-to-end coverage for RH Identity authentication: header formats, identity field validation, entitlement checks, and positive/negative flows; new feature included in test run.
  • Added helpers to construct and base64-encode RH Identity headers for varied test cases.
• Chores
  • Added mode-specific test configurations and test-harness setup/teardown to enable RH Identity scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds end-to-end RH Identity auth support: two mode-specific Lightspeed config files, a Gherkin feature exercising x-rh-identity scenarios, environment hooks to swap configs and restart the service during RHIdentity-tagged tests, and step helpers to construct/encode x-rh-identity headers for tests.

Changes

Cohort / File(s)	Summary
Configuration Files tests/e2e/configuration/library-mode/lightspeed-stack-auth-rh-identity.yaml, tests/e2e/configuration/server-mode/lightspeed-stack-auth-rh-identity.yaml	New LCS YAML configs enabling RH Identity auth: server settings, logging, worker counts, library vs server modes, user-data collection paths, SQLite conversation cache, and required entitlements.
Feature Test Definition tests/e2e/features/authorized_rh_identity.feature	New Gherkin feature covering missing/invalid/malformed x-rh-identity headers, User/System identity success cases, entitlement checks, and field validation errors.
Test Environment Setup tests/e2e/features/environment.py	Adds RHIdentity feature-tag hooks that backup current config, apply mode-specific RH Identity config, restart lightspeed-stack, and restore config after the feature.
Test Step Implementations tests/e2e/features/steps/auth.py	Adds _encode_rh_identity helper and steps to set/remove x-rh-identity headers in raw/base64/JSON/User/System forms; adds Authorization header removal helper and minor doc/log refinement.
Test Registry tests/e2e/test_list.txt	Registers the new feature file in the E2E test list.

Sequence Diagram(s)

(omitted — changes are test/config additions and do not introduce a new multi-component runtime control flow requiring visualization)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Possibly related PRs

• LCORE-261: Add RH identity header auth #814 — Adds RH Identity authentication implementation that these tests exercise.
• LCORE-598: RBAC E2E tests #1017 — Modifies test environment hooks and config switching similar to the environment.py changes.
• LCORE-166: add e2e tests for the endpoints #425 — Updates E2E auth step handlers and authorized-endpoint tests overlapping steps/auth.py.

Suggested labels

ok-to-test

Suggested reviewers

• tisnik

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'test(e2e): add comprehensive e2e tests for rh-identity authentication' clearly and specifically summarizes the main change—adding end-to-end tests for RH Identity authentication.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@tests/e2e/features/authorized_rh_identity.feature`:
- Around line 1-163: Add two E2E scenarios to the existing
authorized_rh_identity.feature to cover invalid base64 and invalid JSON
handling: one scenario using the step set_rh_identity_header_raw() to set a
non-base64 string in x-rh-identity and another using
set_rh_identity_header_base64_raw() to set a base64 string that decodes to
invalid JSON; both should POST to the "authorized" endpoint and assert a 400
status code and that the response body contains the appropriate error message
(e.g., "Invalid base64 in x-rh-identity header" for the raw case and "Invalid
JSON in x-rh-identity header" for the decoded JSON case) so the BDD feature
matches the unit-tested behavior.

In `@tests/e2e/features/steps/auth.py`:
- Around line 132-138: The entitlements parsing currently adds an empty-string
key when the entitlements cell is blank; update the code that builds
entitlements (the loop over fields["entitlements"].split(",") which trims into
ent) to skip any ent that is empty after strip (e.g., continue if not ent), so
only non-empty entitlement names are added to the entitlements dict (apply the
same guard to the other identical block that populates entitlements).

[major]

@radofuchs I think this matches what we met about earlier. :)

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/e2e/features/steps/auth.py (1)

25-35: Avoid logging full Authorization header values.

Line 35 prints the entire header; this can leak secrets in CI logs. Prefer redaction.

🔒 Proposed redaction

-    print(f"🔑 Set Authorization header to: {header_value}")
+    token_type = header_value.split(" ", 1)[0] if header_value else "<empty>"
+    print(f"🔑 Set Authorization header to: {token_type} <redacted>")

♻️ Duplicate comments (1)

tests/e2e/features/authorized_rh_identity.feature (1)

1-163: Add invalid base64/JSON scenarios for x-rh-identity.

The feature still lacks explicit cases for malformed base64 and invalid JSON payloads.

[radofuchs]

LGTM