LCORE-598: RBAC E2E tests

[radofuchs]

Description

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

• Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
• Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

• Related Issue LCORE-598: Add authorization e2e tests #636
• Closes LCORE-598: Add authorization e2e tests #636

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• Please provide detailed steps to perform tests related to this code change.
• How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

• New Features

  • Added role-based access control (Admin, User, Viewer, Query-only) with token-based authentication via a mock JWKS service.

• Tests

  • Added comprehensive end-to-end RBAC test suite, test token/server utilities, and setup/teardown support for RBAC scenarios.
  • Marked several flaky scenarios to be skipped by default.

• Chores

  • Updated container/network configuration and added a persistent test storage volume.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds RBAC end-to-end tests and supporting infra: a mock JWKS server (container, Dockerfile, server, token generator), RBAC configs for library/server modes, BDD feature/step files that fetch/use test tokens, docker-compose changes (service/network/volume), and test hooks to swap/restore RBAC configs.

Changes

Cohort / File(s)	Summary
Docker Compose / Volumes docker-compose.yaml, docker-compose-library.yaml	Add mock-jwks service (build context tests/e2e/mock_jwks_server, port 8000, healthcheck), add lightspeednet network, attach lightspeed-stack to the network, and declare new volume llama-storage; adjust volume bind paths/modes.
RBAC Configurations tests/e2e/configuration/library-mode/lightspeed-stack-rbac.yaml, tests/e2e/configuration/server-mode/lightspeed-stack-rbac.yaml	New RBAC-enabled configs: JWK-based auth (jwks/jwk-token), jsonpath role extraction rules, and role→action authorization mappings.
E2E Features & Hooks tests/e2e/features/rbac.feature, tests/e2e/features/environment.py	Add RBAC BDD scenarios and environment hooks to swap/restore RBAC configs around RBAC-tagged features (backup, replace config, restart container, restore).
Step Definitions tests/e2e/features/steps/rbac.py	Add get_test_tokens() to fetch tokens from mock JWKS server and authenticate_as_role(context, role) to set Authorization header for chosen role.
Mock JWKS Server tests/e2e/mock_jwks_server/*	Add server.py serving /.well-known/jwks.json, /tokens, /health; generate_tokens.py to produce JWKS and RS256 test JWTs; and Dockerfile to run the server.
Test Registry & Minor Test Skips tests/e2e/test_list.txt, tests/e2e/features/*.feature	Add rbac.feature to test list; add @skip annotations/comments to select existing scenarios.

Sequence Diagram(s)

sequenceDiagram
    actor Test
    participant JWKS as "Mock JWKS Server"
    participant Stack as "Lightspeed Stack"
    participant DB as "Storage/Config"

    Test->>JWKS: GET /tokens
    JWKS-->>Test: {role: token, ...}
    Test->>Test: Set Authorization: Bearer <token>
    Test->>Stack: HTTP request (e.g., POST /query) with Authorization
    Stack->>JWKS: GET /.well-known/jwks.json
    JWKS-->>Stack: JWKS {keys: [...]}
    Stack->>Stack: Verify signature, extract claims, resolve role
    Stack->>DB: Enforce authorization & process request
    DB-->>Stack: Result or error
    alt allowed
        Stack-->>Test: 200 OK (result)
    else denied
        Stack-->>Test: 403 Forbidden
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• LCORE-1016: add files required for library mode tests run #864 — Overlaps e2e environment/config changes and touches features/environment.py.
• LCORE-758: add additional e2e test for streaming query endpoint and enable color output #745 — Adds/adjusts auth handling in tests; related to Authorization header and JWKS usage.
• LCORE-492: E2E tests for feedback endpoint #613 — Modifies e2e config-switching and test utilities used for auth-aware tests.

Suggested labels

ok-to-test

Suggested reviewers

• tisnik
• asimurka

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR implements comprehensive RBAC E2E testing infrastructure including mock JWKS server, configuration files, test features, and step definitions, but some linked issue requirements are not addressed.	Address missing requirements: update .gitignore for backup/JWK files, update testing documentation with e2e instructions, add support for CONTAINER_CMD environment variable, and ensure all configuration files match issue specifications.
Out of Scope Changes check	⚠️ Warning	The PR includes out-of-scope changes: skipping scenarios in info.feature, query.feature, and streaming_query.feature that are unrelated to the core RBAC E2E testing objectives.	Remove the @skip annotations and related comments from info.feature, query.feature, and streaming_query.feature as they are not part of the RBAC E2E testing implementation requirements.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'LCORE-598: RBAC E2E tests' clearly summarizes the main change: adding Role-Based Access Control end-to-end tests, which aligns with the primary objective in the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@docker-compose-library.yaml`:
- Around line 66-70: The healthcheck block currently uses curl (test key) which
isn't available in the python:3.12-slim image; update the healthcheck "test" to
invoke Python (python -c) and use the stdlib urllib.request.urlopen to GET
/health so the command succeeds on HTTP 200 and fails (non-zero exit) on errors,
replacing the curl-based invocation in the healthcheck test entry.

🧹 Nitpick comments (2)

tests/e2e/mock_jwks_server/generate_tokens.py (1)

14-20: default_backend() is deprecated in recent cryptography versions.

Since cryptography 3.x, default_backend() is no longer needed—the backend parameter can be omitted entirely. This is a minor issue for a one-time utility script.

🔧 Suggested simplification

-from cryptography.hazmat.backends import default_backend
 
 # Generate RSA key pair
 private_key = rsa.generate_private_key(
-    public_exponent=65537, key_size=2048, backend=default_backend()
+    public_exponent=65537, key_size=2048
 )

tests/e2e/features/steps/rbac.py (1)

12-33: Consider using logging instead of print for diagnostic output.

Per coding guidelines, modules should use logger = logging.getLogger(__name__) pattern. However, for BDD step definitions that run in behave's context, print statements are commonly used and captured by behave's output handling.