test(BA-4897): add unit service + component tests for PermissionController and Domain#9697
test(BA-4897): add unit service + component tests for PermissionController and Domain#9697HyeockJinKim merged 7 commits intomainfrom
Conversation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds automated test coverage for RBAC/Domain service layers and RBAC REST API behavior to support BA-4897.
Changes:
- Introduces unit tests for
PermissionControllerServicemethods using a mocked repository layer. - Introduces unit tests for
DomainServicemethods (including input validation and error propagation). - Adds a component-level RBAC role lifecycle test suite covering create/assign/revoke/delete/purge flows plus pagination/filtering checks.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/unit/manager/services/permission_controller/test_permission_controller_service.py | New unit tests for PermissionControllerService (mocked repository interactions and action results). |
| tests/unit/manager/services/domain/test_domain_service.py | New unit tests for DomainService, including domain name validation and repository delegation. |
| tests/unit/manager/services/domain/init.py | Adds package marker for the new domain service unit test package. |
| tests/unit/manager/services/domain/BUILD | Adds Pants target to run the new domain service unit tests. |
| tests/component/rbac/test_rbac_role_lifecycle.py | Adds component tests validating end-to-end RBAC role lifecycle and search/pagination behaviors via SDK v2. |
| changes/9697.test.md | Adds changelog entry documenting the new tests. |
| DEVIATION.md | Documents deviations/alternatives from the original BA-4897 testing plan. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| async def test_revoke_nonexistent_assignment_raises_error( | ||
| self, | ||
| admin_registry: BackendAIClientRegistry, | ||
| role_factory: RoleFactory, | ||
| ) -> None: | ||
| created = await role_factory() | ||
| with pytest.raises(Exception): | ||
| await admin_registry.rbac.revoke_role( | ||
| RevokeRoleRequest( | ||
| user_id=uuid.uuid4(), | ||
| role_id=created.role.id, | ||
| ) | ||
| ) | ||
|
|
There was a problem hiding this comment.
pytest.raises(Exception) is too broad here and can hide unexpected failures. The RBAC client maps HTTP 400 to ai.backend.client.v2.exceptions.InvalidRequestError, so this test should assert that specific exception (or another concrete expected exception type).
DEVIATION.md
Outdated
| | Item | Type | Reason / Alternative | | ||
| |------|------|----------------------| | ||
| | CheckPermissionAction component test | Alternative applied | `check_permission` is not exposed via REST API or client SDK v2. Lifecycle test verifies assignment/revocation via `search_assigned_users` instead. | | ||
| | Scope chain (GLOBAL/DOMAIN/USER inheritance through AUTO edges) | Not implemented | Scope chain inheritance is internal service/repository behavior not testable at the HTTP API layer. Scope type discovery is tested instead. | | ||
| | Domain + permission integration (cascade behavior) | Alternative applied | Permission CRUD APIs (create_permission, update_role_permissions) are not exposed via REST API. Domain creation requires separate route registration not available in RBAC conftest. Role lifecycle with soft-delete exclusion from search is tested as alternative. | |
There was a problem hiding this comment.
The markdown table rows start with ||, which creates an empty leading column and renders oddly. Use a standard markdown table format (| Item | Type | Reason / Alternative | and | --- | --- | --- |) for consistent rendering.
| assert result.data.created_at is not None | ||
| assert result.data.updated_at is not None | ||
| assert result.data.created_at <= now or result.data.created_at >= now | ||
|
|
There was a problem hiding this comment.
The assertion created_at <= now or created_at >= now is tautologically true and does not validate anything. Replace it with a meaningful check (e.g., assert the timestamp is timezone-aware, within a reasonable delta of now, or that created_at == updated_at when created).
| @@ -0,0 +1,1042 @@ | |||
| """ | |||
| Unit tests for PermissionControllerService. | |||
| Tests all 21 service methods using mocked repository layer. | |||
There was a problem hiding this comment.
This module docstring claims it "Tests all 21 service methods", but this file does not include coverage for get_scope_types and search_scopes (those appear to be in a different test module). Please reword the docstring to avoid stating full coverage in this file, or add the missing tests here and remove the separate module.
| Tests all 21 service methods using mocked repository layer. | |
| Covers service methods using a mocked repository layer. |
…tions) Add comprehensive unit tests for all 21 PermissionControllerService methods covering role CRUD, assignment/revocation, permission management, search operations, entity types, and element associations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Full lifecycle: create -> assign -> verify -> revoke -> verify -> delete - Create -> update -> purge lifecycle with verification - Soft-deleted roles excluded from search - Assignment audit trail (granted_at tracking) - Multiple roles assigned independently to same user - Scope and entity type discovery tests - Search pagination and status filtering - Error handling (nonexistent role, nonexistent assignment) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Soft delete sets role status to DELETED but search_roles doesn't auto-exclude deleted roles. Updated test to use statuses=[ACTIVE] filter and verify DELETED status appears with correct filter. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… var-annotated Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Test plan
pants test tests/unit/manager/services/permission_controller::pants test tests/unit/manager/services/domain::pants test tests/component/rbac::Resolves BA-4897