New test walks app.routes, classifies each APIRoute as admin/viewer/open by identity-matching require_admin / require_viewer closures inside the route's dependency tree, then asserts:

- admin routes return 403 to a viewer JWT
- viewer routes return neither 401 nor 403 to a viewer JWT

SSE routes skipped (separate scope under F6). Role hints deliberately NOT encoded in the OpenAPI spec — classification stays server-side so /openapi.json can't be used to enumerate admin routes.

Resolves THREAT_MODEL F2/I + F5/E; paired with the existing test_schemathesis.py::test_auth_enforcement (401-half coverage).
6.1 KiB