Skip to content

feat(cli): Namespaced migration tests.#3324

Merged
c-r33d merged 8 commits into
DSPX-2655-migrate-otdfctlfrom
e2e-migration-tests
Apr 21, 2026
Merged

feat(cli): Namespaced migration tests.#3324
c-r33d merged 8 commits into
DSPX-2655-migrate-otdfctlfrom
e2e-migration-tests

Conversation

@c-r33d

@c-r33d c-r33d commented Apr 20, 2026

Copy link
Copy Markdown
Contributor

Proposed Changes

1.) Add E2E tests for migrating namespaced policy.
2.) Breakup namespaced policy migration tests from original suite invocation, due to parallelization complications and migration logic.
3.) Add the ability to choose whether or not the startup action should provision fixtures or not. Default to true, but require false for otdfctl tests.

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

Summary by CodeRabbit

  • Tests

    • Added comprehensive test suite for namespaced policy migration covering actions, subject-condition-sets, and subject-mappings with idempotency validation.
    • Improved test execution workflow with staged test execution and aggregated result reporting.
  • Chores

    • Updated test fixture provisioning to be configurable via workflow input.
    • Enhanced ignore patterns for credential files.

@c-r33d
c-r33d requested a review from a team as a code owner April 20, 2026 15:08
@coderabbitai

coderabbitai Bot commented Apr 20, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 412a2c97-ef87-47d8-a2cd-796ae52393e5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR enhances test infrastructure by introducing conditional policy fixture provisioning and splitting test execution into tagged phases. A comprehensive new BATS test suite validates namespaced policy migration across three scopes. Changes also update git ignores and workflow configurations.

Changes

Cohort / File(s) Summary
Workflow Configuration
.github/workflows/checks.yaml, test/start-up-with-containers/action.yaml
Added provision-policy-fixtures input (default "true") to control fixture provisioning behavior. Workflow step now conditionally executes fixture provisioning based on input value.
Gitignore Updates
.gitignore
Added pattern otdfctl/**/creds.json to additionally ignore credentials files nested within otdfctl directories.
E2E Test Infrastructure
otdfctl/e2e/action.yaml
Split BATS test execution into two phases: first runs tests tagged namespaced_policy_migration, second runs remaining tests with !namespaced_policy_migration filter, supporting both parallel and sequential execution modes. Results aggregated into single TAP output file.
Namespaced Policy Migration Test Suite
otdfctl/e2e/migrate-namespaced-policy.bats
New comprehensive BATS test suite (895 lines) validating migrate namespaced-policy behavior across three scopes (actions, subject-condition-sets, subject-mappings). Includes setup/teardown fixtures, helper functions for plan execution/parsing, and idempotency verification.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Poem

🐰 A migration tale, so carefully told,
With fixtures and tags, a sight to behold,
Two phases of testing, splitting with care,
Namespaced policies dance through the air,
Conditional fixtures and creds tucked away,
The tests are prepared for a glorious day!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat(cli): Namespaced migration tests.' directly and clearly summarizes the main change—adding E2E tests for namespaced policy migration, which is the primary focus of the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch e2e-migration-tests

Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces end-to-end testing for the namespaced policy migration process. To ensure test reliability, the CI pipeline has been modified to execute these migration tests separately from the main parallel test suite, preventing potential conflicts with unnamespaced policy fixtures.

Highlights

  • New E2E Test Suite: Added a new BATS test file to verify the migration of namespaced policies.
  • CI Pipeline Update: Updated the CI test execution logic to run the new migration tests in isolation before the parallel test suite to prevent fixture pollution.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.


Tests run in a line, so clean and so bright, Migration of policies, done in the light. No parallel chaos to cloud up the view, A robust new suite, for the work that we do.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new end-to-end test suite for namespaced-policy migration and updates the CI workflow to execute these tests in isolation. The isolation prevents conflicts between the migration planner's global object discovery and other parallel tests. The review feedback highlights several opportunities to improve the robustness of the shell scripts and BATS tests, including enabling pipefail in CI, avoiding word-splitting issues in command wrappers, ensuring proper error handling for CLI calls within tests, and using more secure methods for temporary directory creation.

Comment thread otdfctl/e2e/action.yaml
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 201.308284ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.98479ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 393.46171ms
Throughput 254.15 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 41.057623441s
Average Latency 409.059589ms
Throughput 121.78 requests/second

@c-r33d
c-r33d requested review from a team as code owners April 20, 2026 15:46
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 206.09363ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 99.853506ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 397.226078ms
Throughput 251.75 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 41.893108095s
Average Latency 416.924303ms
Throughput 119.35 requests/second

@alkalescent
alkalescent force-pushed the DSPX-2655-migrate-otdfctl branch from 73dba6c to 6475ea0 Compare April 20, 2026 17:47
@alkalescent
alkalescent requested a review from a team as a code owner April 20, 2026 17:47
@c-r33d
c-r33d force-pushed the e2e-migration-tests branch from 3e7b640 to 2cbaa72 Compare April 20, 2026 18:37
@c-r33d
c-r33d force-pushed the e2e-migration-tests branch from 2cbaa72 to 33fcda0 Compare April 20, 2026 18:42
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 157.790788ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 85.76541ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 418.202691ms
Throughput 239.12 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 45.171123892s
Average Latency 449.69535ms
Throughput 110.69 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 207.699861ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 103.974015ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 413.670075ms
Throughput 241.74 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 42.923120733s
Average Latency 427.368099ms
Throughput 116.49 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 186.415901ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 105.526318ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 412.635722ms
Throughput 242.34 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 43.106314104s
Average Latency 429.1441ms
Throughput 115.99 requests/second

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 202.247634ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 96.852013ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 408.281338ms
Throughput 244.93 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 42.845993363s
Average Latency 427.190207ms
Throughput 116.70 requests/second

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 200.750991ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 104.642138ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 421.836399ms
Throughput 237.06 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.260502951s
Average Latency 441.158302ms
Throughput 112.97 requests/second

@c-r33d

c-r33d commented Apr 20, 2026

Copy link
Copy Markdown
Contributor Author

@gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new end-to-end test suite for namespaced-policy migration and updates the CI configuration to run these tests in isolation. Key changes include updates to .gitignore, a new BATS test file with extensive helper functions, and a toggle for provisioning policy fixtures in the test platform. Feedback focuses on improving the robustness of the CI script to ensure all tests run even if the migration suite fails, and refining the BATS test helpers by removing unnecessary sh -c wrappers and utilizing BATS's run mechanism for better error reporting during CLI calls.

Comment thread otdfctl/e2e/action.yaml
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats
@c-r33d

c-r33d commented Apr 20, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Apr 20, 2026

Copy link
Copy Markdown
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@otdfctl/e2e/action.yaml`:
- Around line 50-63: The namespaced_policy_migration pipeline must not
short-circuit the rest of the job under pipefail; wrap the migration pipeline so
its exit code is captured without propagating (e.g. temporarily disable pipefail
or use PIPESTATUS), run the remainder of the suite regardless, capture its exit
code too, and then fail the step if either phase failed. Concretely: around the
migration command "bats --tap e2e --filter-tags namespaced_policy_migration |
tee e2e/bats-results.tap" temporarily disable pipefail (or run then read
PIPESTATUS[0]) into a variable like migration_exit, run the remaining commands
("bats --tap e2e --filter-tags '!namespaced_policy_migration' ... | tee -a
e2e/bats-results.tap") capturing remainder_exit, then at the end check "if [
$migration_exit -ne 0 ] || [ $remainder_exit -ne 0 ]; then exit 1; fi" so both
phases always execute but the step still fails if either failed.

In `@otdfctl/e2e/migrate-namespaced-policy.bats`:
- Around line 718-720: Replace the ephemeral inline note ("! We should change
this to RR and Obligation Trigger...") with a trackable TODO referencing a
ticket/issue ID and, if not already created, open a follow-up issue describing
the intended switch from three subject mappings to Registered Resources +
Obligation Triggers for the actions-scope test fixtures; update the comment to
TODO(<ticket-number>): describe the change briefly and link the issue so
reviewers can find and close it later, and leave the existing
create_legacy_subject_mapping calls (create_legacy_subject_mapping) unchanged
until the follow-up is implemented.
- Around line 627-628: The extraction using jq -r '.id' into NS_A_ID combined
with assert_not_equal "$NS_A_ID" "" can silently accept the literal string
"null"; update every ID-extraction site (e.g., where NS_A_ID is set) to fail
fast by using jq in "error-on-missing" mode or a small helper (suggested name:
jq_required) that returns non-zero when the field is missing or equals "null",
and then assert the returned value; alternatively, add an explicit
assert_not_equal "$NS_A_ID" "null" check alongside the empty-string check so any
missing JSON field causes the test to fail immediately.
- Around line 667-685: The teardown function silently swallows errors for
deletions (subject-mappings, scs, actions) via "|| true", which can hide
transient failures and leave FK-linked resources undeleted; update teardown to
capture each delete command's stdout/stderr and exit code (for the commands
invoked with ./otdfctl using TRACKED_SUBJECT_MAPPING_IDS, TRACKED_SCS_IDS,
TRACKED_ACTION_IDS), and if a delete returns non-zero, emit a clear error/log
message including the resource id, the command output, and the exit code so
failures are visible (do not just ignore them), optionally retry transient
errors a few times before giving up.
- Around line 16-30: The helpers run_otdfctl_migrate, run_otdfctl_action,
run_otdfctl_sm and run_otdfctl_scs currently embed "$*" into a double-quoted sh
-c string which forces re-splitting and breaks args with spaces; update each
helper to invoke the command with an argv-safe form (e.g. avoid embedding
expanded args into a single sh -c string and instead pass arguments through
position parameters or use "$@" directly so quoting is preserved) so that
./otdfctl receives the original arguments intact (refer to the functions
run_otdfctl_migrate, run_otdfctl_action, run_otdfctl_sm, run_otdfctl_scs and
replace the sh -c "$... $*" pattern with a form that forwards $HOST,
$WITH_CREDS, the subcommand (migrate|policy actions|policy
subject-mappings|policy scs) and "$@" without re-splitting).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fb408110-f33e-485e-84e4-01aba706164a

📥 Commits

Reviewing files that changed from the base of the PR and between 6475ea0 and 47e5a03.

📒 Files selected for processing (5)
  • .github/workflows/checks.yaml
  • .gitignore
  • otdfctl/e2e/action.yaml
  • otdfctl/e2e/migrate-namespaced-policy.bats
  • test/start-up-with-containers/action.yaml

Comment thread otdfctl/e2e/action.yaml
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 202.660137ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.743467ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 417.665597ms
Throughput 239.43 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 43.723076767s
Average Latency 435.752858ms
Throughput 114.36 requests/second

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 203.254463ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 99.67385ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 413.048404ms
Throughput 242.10 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 43.581049553s
Average Latency 434.088065ms
Throughput 114.73 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

@c-r33d
c-r33d merged commit 5a5778e into DSPX-2655-migrate-otdfctl Apr 21, 2026
34 of 35 checks passed
@c-r33d
c-r33d deleted the e2e-migration-tests branch April 21, 2026 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants