mirror of
https://github.com/SigNoz/signoz.git
synced 2026-07-02 12:50:37 +01:00
* chore(authz): delete the deprecated authz apis

* test(authz): rework role integration tests onto the new CRUD APIs

Migrate the role integration suite off the deprecated PATCH endpoints and onto the current declarative role CRUD APIs (Create/Get/List/Update/Delete with full transactionGroups).

- role/01_register.py: verify managed roles via GetRole's transactionGroups against a golden matrix in testdata/role/managed_role_grants.json (no more DB tuple assertions).
- role/02_crud.py (new): custom-role CRUD lifecycle, declarative update, validation (naming, invalid verb/type/kind/selector, duplicate, managed immutability, delete-with-assignee), and license gating.
- role/03_fga.py: resource FGA allow/deny via declarative grant sets.
- role/02_user.py: deleted; user role-membership is covered by the passwordauthn suite.
- serviceaccount/06_fga.py: migrated to declarative grant PUTs.
- fixtures/role.py: pure data helpers + find_role_id fixture; tests make their HTTP calls directly.

* test(authz): scope role/SA FGA tests to fine-grained selectors

- role FGA: grant read/update/delete on a specific role name (not "*") and assert allowed-on-granted vs forbidden-on-other; create is collection-scoped; list on "*" returns every role.
- serviceaccount FGA: grant on a specific SA id (with a second SA to prove cross-instance denial); dual attach/detach scoped to SA id + role name.
- add create_role fixture (alongside find_role_id) for happy-path role creation; validation/failure cases stay inline.
- underscore-prefix file-local constants in both FGA modules.

* test(authz): rename grants terminology to transactions in role tests