test(e2e): add rh-identity authentication test scenarios

major · major · commit a2c726432fc1 · 2026-01-22T16:47:57.000-06:00
Add comprehensive e2e test scenarios covering all validation paths in
the rh-identity authentication module:

- Missing x-rh-identity header (401)
- Invalid base64 encoding (400)
- Invalid JSON content (400)
- Missing/null identity field (400)
- Missing identity type field (400)
- Unsupported identity type (400)
- User identity: missing user field (400)
- User identity: missing user_id (400)
- User identity: missing username (400)
- System identity: missing system field (400)
- System identity: missing cn (400)
- System identity: missing account_number (400)
- Missing required entitlements (403)
- Empty entitlements (403)
- Entitlement with is_entitled=false (403)
- Valid User identity with entitlements (200)
- Valid System identity with entitlements (200)

Signed-off-by: Major Hayden &lt;major@redhat.com&gt;
diff --git a/tests/e2e/features/authorized_rh_identity.feature b/tests/e2e/features/authorized_rh_identity.feature
@@ -0,0 +1,293 @@
+@RHIdentity
+Feature: Authorized endpoint API tests for the rh-identity authentication module
+
+  Background:
+    Given The service is started locally
+      And REST API service prefix is /v1
+
+  Scenario: Request fails when x-rh-identity header is missing
+    Given The system is in default state
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 401
+      And The body of the response is the following
+          """
+            {"detail": "Missing x-rh-identity header"}
+          """
+
+  Scenario: Request fails when x-rh-identity header has invalid base64
+    Given The system is in default state
+      And I set the x-rh-identity header to raw value "not-valid-base64!!!"
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Invalid base64 encoding"
+
+  Scenario: Request fails when x-rh-identity header has invalid JSON
+    Given The system is in default state
+      And I set the x-rh-identity header with base64 encoded value "{not valid json"
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Invalid JSON"
+
+  Scenario: Request fails when identity field is missing
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {"entitlements": {"rhel": {"is_entitled": true}}}
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'identity' field"
+
+  Scenario: Request fails when identity field is null
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {"identity": null, "entitlements": {"rhel": {"is_entitled": true}}}
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'identity' field"
+
+  Scenario: Request fails when identity type field is missing
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {"identity": {"org_id": "321"}, "entitlements": {"rhel": {"is_entitled": true}}}
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing identity 'type' field"
+
+  Scenario: Request fails with unsupported identity type
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {"identity": {"type": "Unknown", "org_id": "123"}}
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Unsupported identity type"
+
+  Scenario: Request succeeds with valid User identity and required entitlements
+    Given The system is in default state
+      And I set the x-rh-identity header with valid User identity
+          | field        | value               |
+          | user_id      | test-user-123       |
+          | username     | testuser@redhat.com |
+          | org_id       | 321                 |
+          | entitlements | rhel                |
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 200
+
+  Scenario: Request succeeds with valid System identity and required entitlements
+    Given The system is in default state
+      And I set the x-rh-identity header with valid System identity
+          | field          | value                                |
+          | cn             | c87dcb4c-8af1-40dd-878e-60c744edddd0 |
+          | account_number | 456                                  |
+          | org_id         | 654                                  |
+          | entitlements   | rhel                                 |
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 200
+
+  Scenario: Request fails when required entitlement is missing
+    Given The system is in default state
+      And I set the x-rh-identity header with valid User identity
+          | field        | value               |
+          | user_id      | test-user-123       |
+          | username     | testuser@redhat.com |
+          | org_id       | 321                 |
+          | entitlements | ansible             |
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 403
+      And The body of the response contains "Missing required entitlement"
+
+  Scenario: Request fails when user has no entitlements
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "User",
+          "org_id": "321",
+          "user": {"user_id": "test-user-123", "username": "testuser@redhat.com"}
+        },
+        "entitlements": {}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 403
+      And The body of the response contains "Missing required entitlement"
+
+  Scenario: Request fails when entitlement exists but is_entitled is false
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "User",
+          "org_id": "321",
+          "user": {"user_id": "test-user-123", "username": "testuser@redhat.com"}
+        },
+        "entitlements": {"rhel": {"is_entitled": false, "is_trial": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 403
+      And The body of the response contains "Missing required entitlement"
+
+  Scenario: Request fails when User identity is missing user field
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "User",
+          "org_id": "321"
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'user' field for User type"
+
+  Scenario: Request fails when User identity is missing user_id
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "User",
+          "org_id": "321",
+          "user": {"username": "testuser@redhat.com"}
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'user_id' in user data"
+
+  Scenario: Request fails when User identity is missing username
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "User",
+          "org_id": "321",
+          "user": {"user_id": "test-user-123"}
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'username' in user data"
+
+  Scenario: Request fails when System identity is missing system field
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "System",
+          "account_number": "456",
+          "org_id": "654"
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'system' field for System type"
+
+  Scenario: Request fails when System identity is missing cn
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "System",
+          "account_number": "456",
+          "org_id": "654",
+          "system": {}
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'cn' in system data"
+
+  Scenario: Request fails when System identity is missing account_number
+    Given The system is in default state
+      And I set the x-rh-identity header with JSON
+      """
+      {
+        "identity": {
+          "type": "System",
+          "org_id": "654",
+          "system": {"cn": "c87dcb4c-8af1-40dd-878e-60c744edddd0"}
+        },
+        "entitlements": {"rhel": {"is_entitled": true}}
+      }
+      """
+     When I access endpoint "authorized" using HTTP POST method
+     """
+     {"placeholder":"abc"}
+     """
+     Then The status code of the response is 400
+      And The body of the response contains "Missing 'account_number' for System type"
diff --git a/tests/e2e/test_list.txt b/tests/e2e/test_list.txt
@@ -2,6 +2,7 @@ features/faiss.feature
 features/smoketests.feature
 features/authorized_noop.feature
 features/authorized_noop_token.feature
+features/authorized_rh_identity.feature
 features/rbac.feature
 features/conversations.feature
 features/conversation_cache_v2.feature
