test(e2e): add comprehensive e2e tests for rh-identity authentication

tests/e2e/configuration/library-mode/lightspeed-stack-auth-rh-identity.yaml

@@ -0,0 +1,24 @@
+name: Lightspeed Core Service (LCS) - RH Identity Auth
+service:
+  host: 0.0.0.0
+  port: 8080
+  auth_enabled: true
+  workers: 1
+  color_log: true
+  access_log: true
+llama_stack:
+  use_as_library_client: true
+  library_client_config_path: run.yaml
+user_data_collection:
+  feedback_enabled: true
+  feedback_storage: "/tmp/data/feedback"
+  transcripts_enabled: true
+  transcripts_storage: "/tmp/data/transcripts"
+conversation_cache:
+  type: "sqlite"
+  sqlite:
+    db_path: "/tmp/data/conversation-cache.db"
+authentication:
+  module: "rh-identity"
+  rh_identity_config:
+    required_entitlements: ["rhel"]

tests/e2e/configuration/server-mode/lightspeed-stack-auth-rh-identity.yaml

@@ -0,0 +1,25 @@
+name: Lightspeed Core Service (LCS) - RH Identity Auth
+service:
+  host: 0.0.0.0
+  port: 8080
+  auth_enabled: true
+  workers: 1
+  color_log: true
+  access_log: true
+llama_stack:
+  use_as_library_client: false
+  url: http://llama-stack:8321
+  api_key: xyzzy
+user_data_collection:
+  feedback_enabled: true
+  feedback_storage: "/tmp/data/feedback"
+  transcripts_enabled: true
+  transcripts_storage: "/tmp/data/transcripts"
+conversation_cache:
+  type: "sqlite"
+  sqlite:
+    db_path: "/tmp/data/conversation-cache.db"
+authentication:
+  module: "rh-identity"
+  rh_identity_config:
+    required_entitlements: ["rhel"]

tests/e2e/features/authorized_rh_identity.feature

@@ -0,0 +1,293 @@
+@RHIdentity
+Feature: Authorized endpoint API tests for the rh-identity authentication module
+
+  Background:
+    Given The service is started locally
+      And REST API service prefix is /v1
+
+  Scenario: Request fails when x-rh-identity header is missing
+    Given The system is in default state
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 401
+      And The body of the response is the following
+          """
+            {"detail": "Missing x-rh-identity header"}
+          """
+
+  Scenario: Request fails when x-rh-identity header has invalid base64
+    Given The system is in default state
+      And I set the x-rh-identity header to raw value "not-valid-base64!!!"
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains Invalid base64 encoding
+
+  Scenario: Request fails when x-rh-identity header has invalid JSON
+    Given The system is in default state
+      And I set the x-rh-identity header with base64 encoded value "{not valid json"
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains Invalid JSON
+
+  Scenario: Request fails when identity field is missing
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {"entitlements": {"rhel": {"is_entitled": true}}}
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'identity' field"
+
+  Scenario: Request fails when identity field is null
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {"identity": null, "entitlements": {"rhel": {"is_entitled": true}}}
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'identity' field"
+
+  Scenario: Request fails when identity type field is missing
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {"identity": {"org_id": "321"}, "entitlements": {"rhel": {"is_entitled": true}}}
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing identity 'type' field"
+
+  Scenario: Request fails with unsupported identity type
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {"identity": {"type": "Unknown", "org_id": "123"}}
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains Unsupported identity type
+
+  Scenario: Request succeeds with valid User identity and required entitlements
+    Given The system is in default state
+      And I set the x-rh-identity header with valid User identity
+          | field        | value               |
+          | user_id      | test-user-123       |
+          | username     | testuser@redhat.com |
+          | org_id       | 321                 |
+          | entitlements | rhel                |
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 200
+
+  Scenario: Request succeeds with valid System identity and required entitlements
+    Given The system is in default state
+      And I set the x-rh-identity header with valid System identity
+          | field          | value                                |
+          | cn             | c87dcb4c-8af1-40dd-878e-60c744edddd0 |
+          | account_number | 456                                  |
+          | org_id         | 654                                  |
+          | entitlements   | rhel                                 |
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 200
+
+  Scenario: Request fails when required entitlement is missing
+    Given The system is in default state
+      And I set the x-rh-identity header with valid User identity
+          | field        | value               |
+          | user_id      | test-user-123       |
+          | username     | testuser@redhat.com |
+          | org_id       | 321                 |
+          | entitlements | ansible             |
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 403
+      And The body of the response contains Missing required entitlement
+
+  Scenario: Request fails when user has no entitlements
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "User",
+          "org_id": "321",
+          "user": {"user_id": "test-user-123", "username": "testuser@redhat.com"}
+        },
+        "entitlements": {}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 403
+      And The body of the response contains Missing required entitlement
+
+  Scenario: Request fails when entitlement exists but is_entitled is false
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "User",
+          "org_id": "321",
+          "user": {"user_id": "test-user-123", "username": "testuser@redhat.com"}
+        },
+        "entitlements": {"rhel": {"is_entitled": false, "is_trial": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 403
+      And The body of the response contains Missing required entitlement
+
+  Scenario: Request fails when User identity is missing user field
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "User",
+          "org_id": "321"
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'user' field for User type"
+
+  Scenario: Request fails when User identity is missing user_id
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "User",
+          "org_id": "321",
+          "user": {"username": "testuser@redhat.com"}
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'user_id' in user data"
+
+  Scenario: Request fails when User identity is missing username
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "User",
+          "org_id": "321",
+          "user": {"user_id": "test-user-123"}
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'username' in user data"
+
+  Scenario: Request fails when System identity is missing system field
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "System",
+          "account_number": "456",
+          "org_id": "654"
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'system' field for System type"
+
+  Scenario: Request fails when System identity is missing cn
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "System",
+          "account_number": "456",
+          "org_id": "654",
+          "system": {}
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'cn' in system data"
+
+  Scenario: Request fails when System identity is missing account_number
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "System",
+          "org_id": "654",
+          "system": {"cn": "c87dcb4c-8af1-40dd-878e-60c744edddd0"}
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'account_number' for System type"

tests/e2e/features/environment.py

@@ -251,6 +251,15 @@ def before_feature(context: Context, feature: Feature) -> None:
         switch_config(context.feature_config)
         restart_container("lightspeed-stack")
 
+    if "RHIdentity" in feature.tags:
+        mode_dir = "library-mode" if context.is_library_mode else "server-mode"
+        context.feature_config = (
+            f"tests/e2e/configuration/{mode_dir}/lightspeed-stack-auth-rh-identity.yaml"
+        )
+        context.default_config_backup = create_config_backup("lightspeed-stack.yaml")
+        switch_config(context.feature_config)
+        restart_container("lightspeed-stack")
+
     if "Feedback" in feature.tags:
         context.hostname = os.getenv("E2E_LSC_HOSTNAME", "localhost")
         context.port = os.getenv("E2E_LSC_PORT", "8080")
@@ -273,6 +282,11 @@ def after_feature(context: Context, feature: Feature) -> None:
         restart_container("lightspeed-stack")
         remove_config_backup(context.default_config_backup)
 
+    if "RHIdentity" in feature.tags:
+        switch_config(context.default_config_backup)
+        restart_container("lightspeed-stack")
+        remove_config_backup(context.default_config_backup)
+
     if "Feedback" in feature.tags:
         for conversation_id in context.feedback_conversations:
             url = f"http://{context.hostname}:{context.port}/v1/conversations/{conversation_id}"