LCORE-598: RBAC E2E tests

[radofuchs]

Description

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

• Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
• Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

• Related Issue LCORE-598: Add authorization e2e tests #636
• Closes LCORE-598: Add authorization e2e tests #636

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• Please provide detailed steps to perform tests related to this code change.
• How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

• New Features

  • Added role-based access control (RBAC) with configurable roles (Admin, User, Viewer, Query-only) and enforced authorization rules.
  • Added a mock JWKS authentication service for testing token-based flows.

• Tests

  • Added comprehensive end-to-end RBAC test suite validating authentication and role-specific authorization.
  • Added test utilities to generate and serve tokens and manage RBAC test setup/teardown.

• Chores

  • Updated container/networking and added persistent storage support for tests.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds RBAC end-to-end tests and supporting infra: a mock JWKS server (container, Dockerfile, server, token generator), RBAC configs for library/server modes, BDD feature/step files to fetch/use test tokens, docker-compose changes (service, network, volume), and test hooks to swap/restore RBAC configs.

Changes

Cohort / File(s)	Summary
Docker Compose / Volumes docker-compose.yaml, docker-compose-library.yaml	Add mock-jwks service (build context tests/e2e/mock_jwks_server, port 8000, healthcheck) and lightspeednet network; attach lightspeed-stack to network; add top-level volume llama-storage; adjust volume bind modes/paths.
RBAC Configurations tests/e2e/configuration/library-mode/lightspeed-stack-rbac.yaml, tests/e2e/configuration/server-mode/lightspeed-stack-rbac.yaml	New RBAC-enabled configurations: jwk-token/JWKS auth, jsonpath-based role extraction rules, and role→action authorization mappings.
E2E Features & Hooks tests/e2e/features/rbac.feature, tests/e2e/features/environment.py	New RBAC BDD scenarios (Admin, User, Viewer, Query-only, No-role) and environment hooks to swap/restore RBAC configs around RBAC-tagged features.
Step Definitions tests/e2e/features/steps/rbac.py	Add get_test_tokens() to fetch tokens from mock JWKS server and authenticate_as_role(context, role) step to set Authorization header from returned tokens.
Mock JWKS Server tests/e2e/mock_jwks_server/server.py, tests/e2e/mock_jwks_server/generate_tokens.py, tests/e2e/mock_jwks_server/Dockerfile	New lightweight HTTP server exposing /.well-known/jwks.json, /tokens, /health; token generation script producing RS256-signed test JWTs and JWKS; Dockerfile to run server.
Test Registry tests/e2e/test_list.txt	Add rbac.feature to E2E test list.

Sequence Diagram(s)

sequenceDiagram
    actor Test
    participant JWKS as Mock JWKS Server
    participant Stack as Lightspeed Stack
    participant DB as Storage/Config

    Test->>JWKS: GET /tokens
    JWKS-->>Test: {role: token, ...}
    Test->>Test: Set Authorization: Bearer <token>
    Test->>Stack: HTTP request (e.g., POST /query) with Authorization
    Stack->>Stack: Parse Authorization header
    Stack->>JWKS: GET /.well-known/jwks.json
    JWKS-->>Stack: JWKS {keys: [...]}
    Stack->>Stack: Verify signature, extract claims, resolve role
    Stack->>DB: Enforce authorization & process request
    DB-->>Stack: Result or error
    alt allowed
        Stack-->>Test: 200 OK (result)
    else denied
        Stack-->>Test: 403 Forbidden
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Add support for JWT Token authentication with JWK #243 — Adds a mock JWKS server and JWKS-backed RBAC test configs; directly complements token/JWKS handling.
• LCORE-488: Add E2E tests for query endpoint #616 — Adds auth-aware test steps and Authorization header handling used by these RBAC tests.
• LCORE-306: setup e2e test env #306 — Modifies Docker Compose test environment and networking similar to the new mock-jwks service/network additions.

Suggested labels

ok-to-test

Suggested reviewers

• tisnik
• umago

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	The PR adds RBAC-specific tests but the linked issue #636 explicitly requires JWK-based authorization tests with config file 'lightspeed-stack-auth-jwk.yaml', yet the PR introduces 'lightspeed-stack-rbac.yaml' instead, indicating scope deviation.	Verify whether the RBAC implementation supersedes or coexists with JWK-based testing; align implementation filenames and approach with #636 requirements or update the issue objectives.
Linked Issues check	❓ Inconclusive	The PR implements RBAC E2E tests but the linked issue #636 requests JWK-based authorization tests with different config file names and implementation approach, creating misalignment between objectives.	Clarify whether this PR fully addresses #636 or if it represents a different/evolved approach; verify all coding objectives from #636 are met or document deliberate deviations.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'LCORE-598: RBAC E2E tests' directly and concisely summarizes the main change—adding Role-Based Access Control end-to-end tests to the repository.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@docker-compose-library.yaml`:
- Around line 66-70: The healthcheck block currently uses curl (test key) which
isn't available in the python:3.12-slim image; update the healthcheck "test" to
invoke Python (python -c) and use the stdlib urllib.request.urlopen to GET
/health so the command succeeds on HTTP 200 and fails (non-zero exit) on errors,
replacing the curl-based invocation in the healthcheck test entry.

🧹 Nitpick comments (2)

tests/e2e/mock_jwks_server/generate_tokens.py (1)

14-20: default_backend() is deprecated in recent cryptography versions.

Since cryptography 3.x, default_backend() is no longer needed—the backend parameter can be omitted entirely. This is a minor issue for a one-time utility script.

🔧 Suggested simplification

-from cryptography.hazmat.backends import default_backend
 
 # Generate RSA key pair
 private_key = rsa.generate_private_key(
-    public_exponent=65537, key_size=2048, backend=default_backend()
+    public_exponent=65537, key_size=2048
 )

tests/e2e/features/steps/rbac.py (1)

12-33: Consider using logging instead of print for diagnostic output.

Per coding guidelines, modules should use logger = logging.getLogger(__name__) pattern. However, for BDD step definitions that run in behave's context, print statements are commonly used and captured by behave's output handling.