chore: add unit tests for controller authz failures

[niazkhansap]

Summary by CodeRabbit

Release Notes

• Tests
  • Added authorization test suite with integration capabilities for verifying API access control across endpoints.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7a3f8909-62c1-4b9a-8255-ac11781a809e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This change adds authorization testing infrastructure consisting of two components. First, a new integration test in authz_test.go that starts a test database and API server, then validates that restricted endpoints deny access with 403 Forbidden responses for unauthorized roles. Second, a test utility layer in internal/testutils/authz.go provides the RunAuthzFailureTests function and supporting helpers that derive authorization restrictions from policy data, enumerate blocked roles for each endpoint, and execute per-role authorization failure subtests. Together, these additions establish a framework for verifying authorization policy enforcement across the API.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[niazkhansap]

@coderabbitai summary

[coderabbitai]

✅ Actions performed

Summary regeneration triggered.

[minh-nghia]

Seems to be overkill to me. Can we not use uuid.New().String() directly below?

[minh-nghia]

Should this not be in the testutils function? We can declare JSON strings in the test and let the utility do the json marshalling

[minh-nghia]

sv is created by startAPIServer so it's an instance of daemon.ServeMux which wraps http.ServeMux.
There is a function in http.ServeMux called Handler which should know how to do the pattern matching, we shouldn't have to do it again here

I would remove Pattern from the test fixtue and extend daemon.ServeMux with

func (m *ServeMux) Handler(r *http.Request) (http.Handler, string) {
	return m.httpServeMux.Handler(r)
}

and derive the pattern as

func RunAuthzFailureTests(
	t *testing.T,
	sv *daemon.ServeMux,
	tenant string,
	r repo.Repo,
	ctx context.Context,
	endpoints []AuthzTestEndpoint,
) {
	t.Helper()

	for _, ep := range endpoints {
		req := NewHTTPRequest(t, RequestOptions{ //nolint:contextcheck
			Method:   ep.Method,
			Endpoint: ep.Endpoint,
		})

		_, pattern := sv.Handler(req)
		pattern = strings.Replace(pattern, sv.BaseURL, "", 1) // strip /cmk/v1/{tenant}

[minh-nghia]

Np: Can be split to 2 steps for clarity

[jmpTeixeira02]

Use assertify to remain consistant

[jmpTeixeira02]

Why the cast?

[jmpTeixeira02]

This shouldn't be on testutils, these are the tests themselves

[petersbingham]

Would it be worth adding, for sanity, a single test for allowed role?

[petersbingham]

Maybe unauthz_test.go would be a better name?
If the case be leave a commit for the sanity test suggested in other comment to leave a code comment to indicate that positive authz is for sanity test.