pi3c/blog.pyaqa.ru
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test(api): add full API test suite with get_keycloak_client async fix

Browse Source 
Add 45 API tests covering all 12 post endpoints (CRUD, publish/unpublish) with RBAC policy coverage across guest, user, admin roles.

Fix get_keycloak_client() in deps.py to be async - Dishka's async container requires await on get(), without it a coroutine object was returned instead of the actual client.
This commit is contained in:
Сергей Ванюшкин
2026-05-10 14:08:23 +03:00
committed by Сергей Ванюшкин
parent 448da0396a
commit c9b380c601
7 changed files with 1216 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
tests/FEATURE_RBAC.md
View File

@@ -157,7 +157,7 @@ unit tests for the web layer.
| Role definitions | Unit | Enum values and permission mapping fully tested |
| Permission checks | Unit | `has_permission` and `get_effective_role` fully tested |
| Web-level enforcement | E2E | Visibility and ownership rules tested via browser |
| API-level enforcement | — | No API tests exist after refactor |
| API-level enforcement | API | All RBAC policies tested via API (TC-API-001 to TC-API-025) |
## Gaps (Not Yet Covered)
@@ -165,8 +165,18 @@ unit tests for the web layer.
- [x] TC-UNIT-114: Web deps — `can_edit_post` for owner vs non-owner
- [x] TC-UNIT-115: Web deps — `can_delete_post` for owner vs non-owner
- [x] TC-UNIT-116: Web deps — `can_see_draft` for each role combination
- [ ] TC-API-101: API POST create — unauthorized (no token)
- [ ] TC-API-102: API POST create — forbidden (guest token)
- [ ] TC-API-103: API GET unpublished post — forbidden (other user)
- [x] TC-API-101: API POST create — unauthorized (no token)
- [x] TC-API-102: API POST create — forbidden (guest token)
- [x] TC-API-103: API GET unpublished post — forbidden (other user)
- [x] TC-API-104: API list posts include_unpublished — user forbidden
- [x] TC-API-105: API list posts include_unpublished — guest forbidden
- [x] TC-API-106: API update other user's post — forbidden
- [x] TC-API-107: API delete other user's post — forbidden
- [x] TC-API-108: API publish other user's post — forbidden
- [x] TC-API-109: API unpublish other user's post — forbidden
- [x] TC-API-110: API admin can update any post (policy override)
- [x] TC-API-111: API admin can delete any post (policy override)
- [x] TC-API-112: API admin can publish any post (policy override)
- [x] TC-API-113: API admin can unpublish any post (policy override)
- [ ] TC-E2E-104: Admin can delete any post via web UI
- [ ] TC-E2E-105: User cannot delete other user's post via web UI