test: add comprehensive RBAC regression test suite (373 tests)#2912
Merged
crivetimihai merged 4 commits into main (Feb 13, 2026)
Conversation
test: add comprehensive RBAC regression test suite (373 tests)

Closes #2387

Add systematic RBAC test coverage across 7 new test files:
- Permission matrix: 235 parametrized tests for all 5 roles × permissions
- Token scoping: 20 tests for normalize_token_teams() truth table
- Admin bypass: 11 tests for allow_admin_bypass=True/False enforcement
- Fail-closed: 10 tests for error/expired/deactivated role denial
- Cross-team isolation: 18 tests including #2900 personal team regression
- Endpoint coverage: 69 tests verifying decorator usage across all routers
- Management endpoints: 10 HTTP-level integration tests for RBAC admin

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

test: add Playwright E2E tests for RBAC on tools, resources, prompts, and teams

Extends test_rbac_permissions.py with 15 new E2E tests covering:
- Tool CRUD: developer create (team + all-teams view), viewer denied
- Resource CRUD: developer create, viewer denied
- Prompt CRUD: developer create, viewer denied
- Team management: viewer denied manage members, team_admin granted
- REST API: developer/viewer create tool/resource/prompt via API

Closes #2387

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: resolve Playwright RBAC test failures for prompts, teams, and API

- Prompt form: skip template fill (textarea has default content)
- Team management: test POST add-member (viewer denied) + verify team_admin passes RBAC (ownership check is business logic, not RBAC)
- REST API viewer deny: assert not in (200, 201) since FastAPI may return 422 (schema validation) before RBAC check runs

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

fix: use Apache-2.0 license identifier consistently across all test files

Replace SPDX-License-Identifier: MIT with Apache-2.0 to match the rest of the project.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
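The fail-closed and admin-bypass behaviour the commits above describe, as an added illustration that is not code from mcp-context-forge: a minimal permission check that denies on a role-lookup error and on expired or deactivated assignments, honours an allow_admin_bypass toggle, and enumerates a role × permission matrix the way a parametrized suite would assert over it. The role names, permission strings, RoleAssignment and check_permission are assumptions, not the project's API.

```python
# Added illustration, not code from mcp-context-forge: a fail-closed RBAC check
# with an allow_admin_bypass toggle, and the role x permission matrix that a
# parametrized regression suite would assert over. All names are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import product

NOW = datetime(2026, 2, 13, tzinfo=timezone.utc)  # fixed clock for deterministic checks

# Hypothetical grants; any (role, permission) pair not listed here is denied.
ROLE_PERMISSIONS = {
    "viewer": {"tools.read", "resources.read", "prompts.read"},
    "developer": {"tools.read", "tools.create", "resources.read", "resources.create",
                  "prompts.read", "prompts.create"},
    "team_admin": {"tools.read", "tools.create", "resources.read", "resources.create",
                   "prompts.read", "prompts.create", "teams.manage_members"},
    "admin": set(),  # no grants of its own; relies on the bypass flag
}
ALL_PERMISSIONS = sorted(set().union(*ROLE_PERMISSIONS.values()))

@dataclass
class RoleAssignment:
    role: str
    is_active: bool = True
    expires_at: "datetime | None" = None

def check_permission(is_admin, permission, load_roles, allow_admin_bypass=True, now=NOW):
    """Grant only when a live, unexpired assignment explicitly lists the permission.
    A failed role lookup, an expired or a deactivated assignment never grants (fail closed)."""
    if is_admin and allow_admin_bypass:
        return True
    try:
        assignments = load_roles()  # e.g. a DB query; may raise
    except Exception:
        return False  # lookup error: deny rather than guess
    for a in assignments:
        if not a.is_active or (a.expires_at is not None and a.expires_at <= now):
            continue  # deactivated or expired assignment contributes nothing
        if permission in ROLE_PERMISSIONS.get(a.role, set()):
            return True
    return False

def permission_matrix(allow_admin_bypass=True):
    """(role, permission) -> decision for every role x permission pair."""
    return {
        (role, perm): check_permission(role == "admin", perm, lambda r=role: [RoleAssignment(r)],
                                       allow_admin_bypass=allow_admin_bypass)
        for role, perm in product(ROLE_PERMISSIONS, ALL_PERMISSIONS)
    }
```

A parametrized test would iterate permission_matrix() and compare each decision against an expected table, so that any accidental grant (or a denial that should have been a grant) fails one named case rather than a blob.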
suciu-daniel pushed a commit that referenced this pull request on Feb 16, 2026 (the squashed commit carrying the four commit messages above).
vishu-bh pushed a commit that referenced this pull request on Feb 18, 2026 (the same squashed commit message, with an additional Signed-off-by: Vishu Bhatnagar <vishu.bhatnagar@ibm.com>).
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request on Feb 24, 2026 (the same squashed commit message, with the issue references written as IBM#2387 and IBM#2900).
Summary
New Test Files
- test_rbac_permission_matrix.py
- test_rbac_endpoint_coverage.py
- test_token_scoping.py: normalize_token_teams() truth table
- test_rbac_cross_team_isolation.py
- test_rbac_admin_bypass.py: allow_admin_bypass=True/False behavior
- test_rbac_fail_closed.py
- test_rbac_management_endpoints.py

Test plan
Closes #2387