Skip to content

feat(cli): Add E2E tests for namespaced policy.#3363

Merged
c-r33d merged 3 commits into
mainfrom
fix-e2e-tests
Apr 22, 2026
Merged

feat(cli): Add E2E tests for namespaced policy.#3363
c-r33d merged 3 commits into
mainfrom
fix-e2e-tests

Conversation

@c-r33d

@c-r33d c-r33d commented Apr 22, 2026

Copy link
Copy Markdown
Contributor

Proposed Changes

1.) Fix E2E tests to not rely on output anymore, but instead just take snapshots of the state of the policy objects in each namespace before and after commits. We validate that state just on the count, not the uniqueness of the objects within. Checking if an object has been created or already migrated is done within other checks.

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

Summary by CodeRabbit

  • Tests
    • Refactored end-to-end migration tests to verify live cluster state instead of relying on plan output files.
    • Added namespace-wide state helpers and label-based lookups to identify migrated objects.
    • Updated assertions to re-resolve targets from live objects, validate “already migrated” via live data, ensure zero namespace deltas on reruns, and remove creation of plan artifact outputs.

@c-r33d
c-r33d requested a review from a team as a code owner April 22, 2026 14:16
@coderabbitai

coderabbitai Bot commented Apr 22, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@c-r33d has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 5 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 50 minutes and 5 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a02997d1-7f51-4a13-9b93-6d35b8435a38

📥 Commits

Reviewing files that changed from the base of the PR and between 74a92a7 and a37f642.

📒 Files selected for processing (1)
  • otdfctl/e2e/migrate-namespaced-policy.bats
📝 Walkthrough

Walkthrough

Refactors the namespaced migration E2E test to stop relying on planner output files and instead verify migration results via live in-cluster queries; adds namespace state and label-based "migrated_from" lookup helpers, and updates assertions and test flow accordingly.

Changes

Cohort / File(s) Summary
Helpers & Lookup Changes
otdfctl/e2e/migrate-namespaced-policy.bats
Added namespace_state_json() and assert_namespace_state_delta() for namespace-wide counts; introduced label-based lookup helpers (*_json_by_migrated_from, *_id_by_migrated_from) for subject-mappings, SCS, registered-resources (and values), and obligation-triggers to identify migrated objects from live cluster state.
Assertions & Test Flow Updates
otdfctl/e2e/migrate-namespaced-policy.bats
Reworked assertion logic to use live otdfctl ... --json list/get results (derive created IDs, validate already-migrated by live object comparison, validate actions via live discovery); removed plan-output-driven assertions and MIGRATION_OUTPUT_DIR handling; dropped output-file arg from run_namespaced_policy_commit(); snapshot pre/post namespace state and assert zero deltas on reruns.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • alkalescent

Poem

🐰 I hopped through clusters, nose a-gleam,
Plan files gone — I chase the stream.
Labels point where new IDs hide,
Live queries guide my rabbit stride.
Tests now hop true, with joy and theme.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Title check ⚠️ Warning The title 'Add E2E tests for namespaced policy' partially relates to the changeset; however, the primary change involves refactoring existing E2E tests to use live cluster queries instead of plan artifacts, not adding new tests. Update the title to reflect the core change: 'refactor(cli): Refactor E2E tests to verify namespaced policy via live cluster state' or similar.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix-e2e-tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the end-to-end testing suite for namespaced policy migrations. By shifting from output-based assertions to state-based snapshots, the tests become more robust and less susceptible to minor formatting changes in the CLI output. The changes also include improved helper functions for verifying object states and delta calculations, ensuring better validation of migration outcomes and idempotency.

Highlights

  • E2E Test Refactoring: Updated end-to-end tests to verify policy object states using snapshots instead of relying on command output, improving test reliability and maintainability.
  • State Verification: Introduced new helper functions to capture and compare namespace states, allowing for precise delta assertions during policy migrations.
  • Test Cleanup: Removed temporary output file generation and cleanup logic, streamlining the test execution process.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.


The policy shifts to a new namespace, With snapshots we track every trace. No longer we parse the output so long, Now state-based checks keep the logic strong.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the migrate-namespaced-policy.bats end-to-end tests to verify migration outcomes by querying the live system state directly via otdfctl, removing the dependency on local JSON plan files. The changes include new helper functions for state delta assertions and resource lookups. Review feedback identifies syntax errors in jq sorting expressions, potential runtime failures when iterating over null fields, and suggests refactoring duplicated logic and sorting arrays to prevent flaky test results.

Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats Outdated
@c-r33d

c-r33d commented Apr 22, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Apr 22, 2026

Copy link
Copy Markdown
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 200.754421ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 102.829568ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 426.369029ms
Throughput 234.54 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.999277661s
Average Latency 447.974621ms
Throughput 111.11 requests/second

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@otdfctl/e2e/migrate-namespaced-policy.bats`:
- Around line 423-441: The helper pairs have inconsistent parameter orders:
subject_mapping_json_by_migrated_from(namespace_filter, source_mapping_id) but
subject_mapping_id_by_migrated_from(source_mapping_id, namespace_filter); change
the id-returning helpers (subject_mapping_id_by_migrated_from,
scs_id_by_migrated_from, registered_resource_id_by_migrated_from,
obligation_trigger_id_by_migrated_from, etc.) to accept (namespace_filter,
source_mapping_id) in the same order as their corresponding *_json_* helpers,
update their internal delegation calls to pass the args in that same order, and
update all call sites to use the unified (namespace_filter, source_mapping_id)
ordering (registered_resource_value_* already matches and needs no change).
- Around line 337-421: The tests silently pass because namespace_state_json and
assert_namespace_state_delta don't check command failures or enable pipefail, so
failed ./otdfctl calls produce empty strings that make jq/--argjson fail
silently; update namespace_state_json to enable set -o pipefail (or run each
./otdfctl call via the test harness run + assert_success) and validate each
parsed total is a non-negative integer (e.g., check the exit status and that
variables actions_total, subject_mappings_total, scs_total,
registered_resources_total, obligation_triggers_total are numeric) before
calling jq -cn; if any check fails, fail fast with an error so
assert_namespace_state_delta receives valid JSON (or bail out) instead of empty
strings.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3671b936-056d-496b-8fca-b2d71a0c1bc8

📥 Commits

Reviewing files that changed from the base of the PR and between f88cb94 and 582f64d.

📒 Files selected for processing (1)
  • otdfctl/e2e/migrate-namespaced-policy.bats

Comment thread otdfctl/e2e/migrate-namespaced-policy.bats
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 200.884277ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 105.900369ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 401.316831ms
Throughput 249.18 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 43.388307874s
Average Latency 431.867532ms
Throughput 115.24 requests/second

Base automatically changed from summary-output-preview to main April 22, 2026 15:29

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@otdfctl/e2e/migrate-namespaced-policy.bats`:
- Around line 337-378: The namespace_state_json function reads .pagination.total
into variables like actions_total, subject_mappings_total, scs_total,
registered_resources_total, and obligation_triggers_total but doesn't validate
they're numeric before passing to jq --argjson; add a validation step after each
extraction (for actions_total, subject_mappings_total, scs_total,
registered_resources_total, obligation_triggers_total) that checks the value
matches the regex ^[0-9]+$ and if not either set it to 0 or fail the test with a
clear message (e.g., "invalid total for <name>: <value>"), ensuring jq receives
a true JSON number and preventing silent empty JSON output from
namespace_state_json.
- Around line 535-541: The helper obligation_trigger_json_by_id has its
parameters flipped compared to the project's convention; change its signature to
accept (namespace_filter, trigger_id) and update its internals so the jq call
uses the second arg as the trigger ID (e.g., local namespace_filter="$1"; local
trigger_id="$2"), then find and update the three call sites that invoke
obligation_trigger_json_by_id to pass namespace_id first and trigger_id second
so the --namespace flag receives the namespace UUID rather than the trigger ID;
this aligns it with sibling helpers like subject_mapping_*, scs_*,
registered_resource_*, and obligation_trigger_*_by_migrated_from.
- Around line 535-541: The helper obligation_trigger_json_by_id currently calls
list --namespace and thus cannot see legacy triggers with NULL namespace_id;
change the tests to fetch source triggers by id without a namespace filter (use
the policy obligations triggers get --id <id> --json invocation) or add a new
helper (e.g., obligation_trigger_json_by_id_unfiltered) that lists/gets without
--namespace and use that helper in
assert_obligation_trigger_created_in_namespace and
assert_legacy_obligation_trigger_still_exists so comparisons use the real legacy
trigger payloads rather than an empty object.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d14e407a-dd18-4455-b3d7-6b2a543a0e74

📥 Commits

Reviewing files that changed from the base of the PR and between 582f64d and 74a92a7.

📒 Files selected for processing (1)
  • otdfctl/e2e/migrate-namespaced-policy.bats

Comment thread otdfctl/e2e/migrate-namespaced-policy.bats
Comment thread otdfctl/e2e/migrate-namespaced-policy.bats
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 180.045319ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 94.268565ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 425.019176ms
Throughput 235.28 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 45.966724766s
Average Latency 457.743824ms
Throughput 108.77 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

@c-r33d
c-r33d added this pull request to the merge queue Apr 22, 2026
Merged via the queue into main with commit e46f07d Apr 22, 2026
39 checks passed
@c-r33d
c-r33d deleted the fix-e2e-tests branch April 22, 2026 17:01
JBCongdon pushed a commit to JBCongdon/platform that referenced this pull request May 24, 2026
🤖 I have created a release *beep* *boop*
---


##
[0.31.0](opentdf/platform@otdfctl/v0.30.0...otdfctl/v0.31.0)
(2026-04-22)


### Features

* **cli:** Add e2e tests and fix bugs.
([opentdf#3353](opentdf#3353))
([213d843](opentdf@213d843))
* **cli:** Add E2E tests for namespaced policy.
([opentdf#3363](opentdf#3363))
([e46f07d](opentdf@e46f07d))
* **cli:** Interactive confirmation
([opentdf#3360](opentdf#3360))
([cd931d9](opentdf@cd931d9))
* **cli:** migrate otdfctl into platform monorepo
([opentdf#3205](opentdf#3205))
([5177bec](opentdf@5177bec))


### Bug Fixes

* **deps:** bump github.com/opentdf/platform/sdk from 0.15.0 to 0.16.0
in /otdfctl ([opentdf#3357](opentdf#3357))
([d829184](opentdf@d829184))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Co-authored-by: Krish Suchak <42231639+alkalescent@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants