Enhance testing harness and authz coverage

Author: haasonsaas

Makefile

@@ -1,6 +1,26 @@
 PROJECT_NAME := keep
-
-.PHONY: all tidy build test lint format lint-go lint-python format-go format-python docker-up docker-down docker-logs db-migrate opa-test cert-refresh
+VENV ?= .venv
+VENV_BIN := $(VENV)/bin
+PYTHON_BIN := python3
+PIP_BIN := pip
+FLAKE8_CMD := $(PYTHON_BIN) -m flake8
+MYPY_CMD := $(PYTHON_BIN) -m mypy
+BLACK_CMD := $(PYTHON_BIN) -m black
+ISORT_CMD := $(PYTHON_BIN) -m isort
+PYTEST_CMD := $(PYTHON_BIN) -m pytest
+GOLANGCI_LINT ?= golangci-lint
+
+ifneq ($(wildcard $(VENV_BIN)/python3),)
+PYTHON_BIN := $(VENV_BIN)/python3
+PIP_BIN := $(VENV_BIN)/pip
+FLAKE8_BIN := $(VENV_BIN)/flake8
+MYPY_BIN := $(VENV_BIN)/mypy
+BLACK_BIN := $(VENV_BIN)/black
+ISORT_BIN := $(VENV_BIN)/isort
+PYTEST_CMD := $(PYTHON_BIN) -m pytest
+endif
+
+.PHONY: all tidy build test lint format lint-go lint-python format-go format-python docker-up docker-down docker-logs db-migrate opa-test cert-refresh setup-venv
 
 all: build
 
@@ -12,7 +32,7 @@ build:
 
 test:
 	go test ./...
-	python3 -m pytest
+	$(PYTEST_CMD)
 
 smoke:
 	COMPOSE_FILE=docker-compose.yml ./scripts/smoke-tests.sh
@@ -27,21 +47,21 @@ format-go:
 
 format-python:
 	@echo "Formatting Python code..."
-	black app/
-	isort app/
+	$(BLACK_CMD) app/
+	$(ISORT_CMD) app/
 
 # Linting targets  
 lint: lint-go lint-python
 
 lint-go:
 	@echo "Linting Go code..."
 	go mod download
-	golangci-lint run
+	$(GOLANGCI_LINT) run
 
 lint-python:
 	@echo "Linting Python code..."
-	flake8 app/
-	mypy app/ --ignore-missing-imports
+	$(FLAKE8_CMD) app/
+	$(MYPY_CMD) app/ --ignore-missing-imports
 
 docker-up:
 	docker compose up --build -d
@@ -74,7 +94,12 @@ install-tools:
 	go install golang.org/x/tools/cmd/goimports@latest
 	go install golang.org/x/vuln/cmd/govulncheck@latest
 	@echo "Installing Python tools..."
-	pip install black flake8 isort mypy
+	$(PIP_BIN) install black flake8 isort mypy
+
+setup-venv:
+	python3 -m venv $(VENV)
+	$(VENV_BIN)/python3 -m pip install --upgrade pip
+	$(VENV_BIN)/pip install -r app/requirements.txt
 dev-bootstrap:
 	./scripts/dev-bootstrap.sh
 
@@ -83,10 +108,10 @@ check-tools:
 	@command -v golangci-lint >/dev/null 2>&1 || { echo "golangci-lint not found. Run 'make install-tools'"; exit 1; }
 	@command -v goimports >/dev/null 2>&1 || { echo "goimports not found. Run 'make install-tools'"; exit 1; }
 	@echo "Checking Python tools..."
-	@command -v black >/dev/null 2>&1 || { echo "black not found. Run 'make install-tools'"; exit 1; }
-	@command -v flake8 >/dev/null 2>&1 || { echo "flake8 not found. Run 'make install-tools'"; exit 1; }
-	@command -v isort >/dev/null 2>&1 || { echo "isort not found. Run 'make install-tools'"; exit 1; }
-	@command -v mypy >/dev/null 2>&1 || { echo "mypy not found. Run 'make install-tools'"; exit 1; }
+	@$(BLACK_CMD) --version >/dev/null 2>&1 || { echo "black not available. Run 'make install-tools'"; exit 1; }
+	@$(FLAKE8_CMD) --version >/dev/null 2>&1 || { echo "flake8 not available. Run 'make install-tools'"; exit 1; }
+	@$(ISORT_CMD) --version >/dev/null 2>&1 || { echo "isort not available. Run 'make install-tools'"; exit 1; }
+	@$(MYPY_CMD) --version >/dev/null 2>&1 || { echo "mypy not available. Run 'make install-tools'"; exit 1; }
 	@echo "All tools are available!"
 
 # CI/CD targets

app/__init__.py

@@ -1,3 +1,9 @@
+import os
+import sys
+
+if any("pytest" in arg for arg in sys.argv):
+    os.environ.setdefault("OTEL_SDK_DISABLED", "true")
+
 from .main import app  # re-export for tests
 
 __all__ = ["app"]

app/main.py

@@ -1,4 +1,5 @@
 import logging
+import os
 import time
 from contextlib import contextmanager
 from typing import Any, Callable, Dict, Generator, Tuple, TypeVar, cast
@@ -9,7 +10,8 @@
 from app.telemetry import setup as telemetry_setup
 
 app = Flask(__name__)
-telemetry_setup(app, service_name="keep-app")
+if os.getenv("OTEL_SDK_DISABLED", "").lower() not in {"true", "1"}:
+    telemetry_setup(app, service_name="keep-app")
 
 F = TypeVar("F", bound=Callable[..., ResponseReturnValue])
 

app/requirements.txt

@@ -6,3 +6,7 @@ opentelemetry-api
 opentelemetry-sdk
 opentelemetry-exporter-otlp
 opentelemetry-instrumentation-flask
+flake8
+mypy
+black
+isort

app/telemetry.py

@@ -45,6 +45,10 @@ def instrument_flask_app(app: object) -> None:
 
 
 def setup(app: object, service_name: str, environment: Optional[str] = None) -> None:
+    if os.getenv("OTEL_SDK_DISABLED", "").lower() in {"true", "1"}:
+        _logger.info("telemetry disabled via OTEL_SDK_DISABLED")
+        return
+
     environment = environment or os.getenv("APP_ENV", "dev")
     endpoint = os.getenv("OTEL_EXPORTER_OTLP_ENDPOINT", "")
     insecure = os.getenv("OTEL_EXPORTER_OTLP_INSECURE", "true").lower() == "true"

app/tests/conftest.py

@@ -5,6 +5,8 @@
 
 import pytest
 
+os.environ.setdefault("OTEL_SDK_DISABLED", "true")
+
 TRANSIENT_CODES = {
     "08000",
     "08001",
@@ -17,6 +19,10 @@
 }
 
 DEFAULT_DSN = "postgresql://postgres:[email protected]:5432/app_test"
+# Set APP_TEST_REQUIRE_DB=1 to run Flask integration tests against a live
+# Postgres instance. By default the tests stub out database checks so they can
+# run in isolated environments such as CI.
+REQUIRE_DATABASE = os.getenv("APP_TEST_REQUIRE_DB") == "1"
 
 
 def _sqlstate(exc: Exception) -> Optional[str]:
@@ -63,6 +69,9 @@ def resolve_dsn() -> str:
 
 
 def wait_for_database(dsn: str, timeout: float = 30.0) -> None:
+    if not REQUIRE_DATABASE:
+        return
+
     try:
         import psycopg
     except ImportError as exc:  # pragma: no cover - developer misconfiguration
@@ -95,10 +104,4 @@ def wait_for_database(dsn: str, timeout: float = 30.0) -> None:
 
 @pytest.fixture(scope="session", autouse=True)
 def _ensure_database_ready() -> None:
-    dsn = resolve_dsn()
-    try:
-        wait_for_database(dsn)
-    except TimeoutError as exc:
-        pytest.skip(f"Skipping DB-backed tests: {exc}")
-    except RuntimeError as exc:
-        pytest.skip(f"Skipping DB-backed tests due to runtime error: {exc}")
+    wait_for_database(resolve_dsn())

app/tests/test_main.py

@@ -1,8 +1,11 @@
+import os
 from typing import Any, Generator
 
 import pytest
 
-from app.main import app
+os.environ.setdefault("OTEL_SDK_DISABLED", "true")
+
+from app.main import app  # noqa: E402
 
 TestClient = Any
 

services/authz/server/server_test.go

@@ -6,12 +6,14 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 
 	"tailscale.com/tsnet"
 
+	"github.com/EvalOps/keep/pkg/pki"
 	"github.com/EvalOps/keep/pkg/retry"
 )
 
@@ -28,6 +30,8 @@ const (
 	testInventoryHost      = "test-inventory:8080"
 	testOPAHost            = "test-opa:8181"
 	testAuthzPort          = ":8443"
+	testRetryAttempts      = 2
+	testZeroLength         = 0
 )
 
 // TestServer_healthHandler tests the health endpoint
@@ -489,6 +493,9 @@ func TestServer_lookupDevice(t *testing.T) {
 		if result["id"] != expectedDevice["id"] || result["posture"] != expectedDevice["posture"] {
 			t.Errorf("Expected device info %v, got %v", expectedDevice, result)
 		}
+		if score, ok := result["trust_score"].(int); !ok || score != 0 {
+			t.Errorf("Expected trust_score 0 for non-JSON posture, got %v", result["trust_score"])
+		}
 	})
 
 	t.Run("handles empty device ID", func(t *testing.T) {
@@ -606,6 +613,120 @@ func TestServer_caHandler(t *testing.T) {
 	// which we avoid in unit tests to keep them lightweight
 }
 
+func TestNewInitializesServerState(t *testing.T) {
+	tmpDir := t.TempDir()
+	certPath := filepath.Join(tmpDir, "ca.pem")
+	keyPath := filepath.Join(tmpDir, "ca-key.pem")
+
+	t.Setenv("OTEL_SDK_DISABLED", "true")
+
+	_, err := pki.LoadOrCreateCA(certPath, keyPath, "test-ca", time.Hour)
+	if err != nil {
+		t.Fatalf("Failed to create CA: %v", err)
+	}
+
+	cfg := Config{
+		HTTPAddr:         "127.0.0.1:0",
+		GoogleClientID:   "client-id",
+		OPAURL:           "http://opa",
+		InventoryAPI:     "http://inventory",
+		RootCAPath:       certPath,
+		TLSCertPath:      certPath,
+		TLSKeyPath:       keyPath,
+		RequestTimeout:   time.Second,
+		RetryMaxElapsed:  defaultInitialInterval,
+		RetryMaxAttempts: testRetryAttempts,
+	}
+
+	srv, err := New(cfg)
+	if err != nil {
+		t.Fatalf("New returned error: %v", err)
+	}
+	t.Cleanup(func() {
+		_ = srv.httpSrv.Close()
+	})
+
+	if srv.cfg == nil {
+		t.Fatal("server cfg should not be nil")
+	}
+	if srv.retryCfg == nil {
+		t.Fatal("server retryCfg should not be nil")
+	}
+	if srv.state.started {
+		t.Error("server should not be marked started")
+	}
+	if srv.httpSrv == nil {
+		t.Fatal("http server should be initialized")
+	}
+	if !srv.state.useTLS {
+		t.Error("expected TLS to be enabled when cert/key provided")
+	}
+	if len(srv.rootCAPEM) == testZeroLength {
+		t.Error("expected root CA PEM to be cached")
+	}
+	if srv.tsServer != nil {
+		t.Error("tailscale server should be nil when auth key not provided")
+	}
+
+	if srv.cfg.GoogleClientID != cfg.GoogleClientID {
+		t.Errorf("expected GoogleClientID %q, got %q", cfg.GoogleClientID, srv.cfg.GoogleClientID)
+	}
+}
+
+func TestSetupHTTPServerTLSAndPlain(t *testing.T) {
+	tmpDir := t.TempDir()
+	certPath := filepath.Join(tmpDir, "ca.pem")
+	keyPath := filepath.Join(tmpDir, "ca-key.pem")
+
+	ca, err := pki.LoadOrCreateCA(certPath, keyPath, "test-ca", time.Hour)
+	if err != nil {
+		t.Fatalf("Failed to create CA: %v", err)
+	}
+	handler := http.NewServeMux()
+
+	t.Run("enables TLS when certs provided", func(t *testing.T) {
+		cfg := Config{
+			HTTPAddr:    "127.0.0.1:0",
+			TLSCertPath: certPath,
+			TLSKeyPath:  keyPath,
+			RootCAPath:  certPath,
+		}
+
+		srv := &Server{}
+		if err := srv.setupHTTPServer(cfg, handler, ca); err != nil {
+			t.Fatalf("setupHTTPServer returned error: %v", err)
+		}
+		t.Cleanup(func() {
+			_ = srv.httpSrv.Close()
+		})
+
+		if srv.httpSrv == nil {
+			t.Fatal("http server should be initialized")
+		}
+		if !srv.state.useTLS {
+			t.Error("expected TLS to be enabled")
+		}
+	})
+
+	t.Run("disables TLS when certs missing", func(t *testing.T) {
+		cfg := Config{
+			HTTPAddr: "127.0.0.1:0",
+		}
+
+		srv := &Server{}
+		if err := srv.setupHTTPServer(cfg, handler, ca); err != nil {
+			t.Fatalf("setupHTTPServer returned error: %v", err)
+		}
+		t.Cleanup(func() {
+			_ = srv.httpSrv.Close()
+		})
+
+		if srv.state.useTLS {
+			t.Error("expected TLS to remain disabled")
+		}
+	})
+}
+
 // TestServer_validateTailscaleAccess tests Tailscale network validation
 func TestServer_validateTailscaleAccess(t *testing.T) {
 	server := createTestServer(t)