
Auth-server tests are broken AND excluded from CI — repair test infrastructure, then re-enable in CI #129

@dfcoffin


Summary

The openespi-authserver module's tests are (1) substantially broken and (2) not executed by CI at all. The combination means the module has had zero automated test signal — broken tests that never run give false confidence and let regressions through (e.g. all of the defects fixed in #125 / #128 reached main despite "passing" CI).

Discovered while doing the stock-repository swap (#127) during Phase 2.0 bring-up (#122).

Evidence: CI does not run authserver tests

.github/workflows/ci.yml:

- name: Build all modules
  run: mvn clean install -DskipTests          # compiles authserver, runs NO tests

- name: Run tests - openespi-common
  run: mvn test -pl openespi-common -am
- name: Run tests - openespi-datacustodian
  run: mvn test -pl openespi-datacustodian -am

# - name: Run tests - openespi-authserver       # <-- COMMENTED OUT
#   run: mvn test -pl openespi-authserver -am
#     SPRING_PROFILES_ACTIVE: test

- name: Run tests - openespi-thirdparty
  run: mvn test -pl openespi-thirdparty -am

- name: Run integration tests with TestContainers
  run: mvn verify -Pintegration-tests -pl openespi-common,openespi-datacustodian,openespi-thirdparty   # authserver omitted

SonarCloud step likewise runs -pl openespi-common,openespi-datacustodian,openespi-thirdparty -am — authserver omitted.

Net effect: mvn clean install -DskipTests compiles authserver (so compile breakage is caught), but no authserver unit or integration test ever executes in CI.

Evidence: the tests are broken as written

Running mvn test -pl openespi-authserver locally:

AuthorizationServerConfigTest — ~21 of the module's 25 errors/failures

Unit tests that mock(HttpSecurity.class) and call the filter-chain @Bean methods directly (e.g. config.authorizationServerSecurityFilterChain(httpSecurity)). Driving http.build() against a mocked HttpSecurity is a category error — the real builder does extensive internal wiring and NPEs against a mock. These tests assert framework behavior ("Spring builds a chain / a bean exists"), not application logic. Most have nothing to do with any recent change; they error on JWK, settings, bean-creation, and filter-chain construction alike.

OAuthAdminControllerTest — 4 security tests fail

shouldDenyUnauthenticatedAccessToAdminEndpoints, shouldDenyUserRoleAccessToAdminEndpoints, shouldDenyCustomerRoleAccessToAdminEndpoints, shouldDenyAccessToTokensWithUserRole. They use MockMvcBuilders.standaloneSetup(controller), which deliberately omits the Spring Security filter chain, so @PreAuthorize is never enforced. Asserting 401/403 under standaloneSetup is impossible by construction — they expect 401/403 but get 200/404.

Proper fix

1. Repair AuthorizationServerConfigTest

  • Delete the mock-HttpSecurity filter-chain tests — they test the framework, not our code.
  • Replace with a thin @SpringBootTest (or sliced) context-load assertion that the application context starts and the expected beans/endpoints exist. The end-to-end behaviour (token mint + introspection) is better covered by an integration test (below).

2. Repair OAuthAdminControllerTest security tests

  • Convert standaloneSetup() to a real MockMvc via @WebMvcTest(OAuthAdminController.class) + spring-security-test's SecurityMockMvcConfigurers.springSecurity(), importing the real security configuration, so @PreAuthorize is genuinely exercised. Then 401/403 assertions become meaningful.

3. Add an end-to-end integration test (TestContainers) covering token mint + introspection, so the real filter chain, JWK and repository wiring are exercised together rather than mocked.

4. Re-enable authserver in CI — ONLY AFTER 1–3 are green

  • Uncomment the Run tests - openespi-authserver step in .github/workflows/ci.yml.
  • Add openespi-authserver to the -Pintegration-tests -pl list and the SonarCloud -pl list.
  • Order matters: do not re-enable CI before the tests are repaired, or the pipeline goes red immediately.
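The standaloneSetup problem from the evidence section and the step-2 repair, as an added example (not the project's own code): OAuthAdminControllerTest rebuilt on webAppContextSetup + springSecurity() so the real filter chain sits in front of the controller and the four 401/403 assertions become reachable. Names marked hypothetical (SecurityConfig, OAuthAdminService, the /admin/clients and /admin/tokens paths) are assumptions to be replaced with the module's real ones.

```java
// Added example, not the project's code: OAuthAdminControllerTest rebuilt so that the
// real Spring Security filter chain runs in front of the controller. Under
// standaloneSetup(controller) no filter runs, so @PreAuthorize can never produce
// 401/403; under webAppContextSetup(...).apply(springSecurity()) it can.
//
// Hypothetical names, adjust to the module: SecurityConfig (the class holding the
// admin SecurityFilterChain and @EnableMethodSecurity), OAuthAdminService (the
// controller's collaborator), and the /admin/clients and /admin/tokens paths.
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@WebMvcTest(OAuthAdminController.class)
@Import(SecurityConfig.class)              // hypothetical: the real admin security config
class OAuthAdminControllerTest {

    @Autowired
    private WebApplicationContext context;

    @MockBean
    private OAuthAdminService adminService; // hypothetical collaborator, kept out of the slice

    private MockMvc mockMvc;

    @BeforeEach
    void setUp() {
        // BROKEN (what the module has today): no security filters at all, so every
        // request reaches the controller and 401/403 are unreachable by construction.
        //   mockMvc = MockMvcBuilders.standaloneSetup(controller).build();
        //
        // FIXED: the context's full filter chain, including authorization rules and
        // method security (@PreAuthorize), is applied to every request.
        mockMvc = MockMvcBuilders.webAppContextSetup(context)
                .apply(springSecurity())
                .build();
    }

    @Test
    void shouldDenyUnauthenticatedAccessToAdminEndpoints() throws Exception {
        // 401 assumes the admin chain uses a bearer/HTTP-basic style entry point;
        // a form-login entry point would redirect (302) instead.
        mockMvc.perform(get("/admin/clients"))
                .andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser(roles = "USER")           // authority ROLE_USER
    void shouldDenyUserRoleAccessToAdminEndpoints() throws Exception {
        mockMvc.perform(get("/admin/clients"))
                .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "CUSTOMER")       // authority ROLE_CUSTOMER
    void shouldDenyCustomerRoleAccessToAdminEndpoints() throws Exception {
        mockMvc.perform(get("/admin/clients"))
                .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "USER")
    void shouldDenyAccessToTokensWithUserRole() throws Exception {
        mockMvc.perform(get("/admin/tokens"))
                .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void shouldAllowAdminRole() throws Exception {
        // Positive control: proves the chain enforces roles rather than rejecting everything.
        mockMvc.perform(get("/admin/clients"))
                .andExpect(status().isOk());
    }
}
```

Two caveats when applying this to the real module. The imported configuration must carry @EnableMethodSecurity, or @PreAuthorize is still silently ignored even with the filter chain in place. And if the authserver's security configuration class also declares the authorization-server filter chain (JWK source, RegisteredClientRepository, settings), the @WebMvcTest slice will fail to start because those beans are outside the slice; either import only the admin chain or fall back to @SpringBootTest + @AutoConfigureMockMvc, which applies springSecurity() automatically when spring-security-test is on the classpath.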

Acceptance criteria

  • AuthorizationServerConfigTest mock-HttpSecurity tests removed/replaced; class is green
  • OAuthAdminControllerTest security tests run under real Spring Security and pass (401/403 enforced)
  • New TestContainers integration test covers token mint + introspection end-to-end
  • mvn test -pl openespi-authserver is green locally
  • .github/workflows/ci.yml runs authserver unit + integration tests; authserver added to Sonar
  • CI is green with authserver tests enabled
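The TestContainers integration test called for in step 3 and the acceptance criteria, as an added example (not the project's own code): boot the authserver on a random port against a containerised database, mint a token with the client_credentials grant, and confirm the introspection endpoint reports it active. Assumptions, all hypothetical and to be adjusted: MySQL as the backing store, and the test profile seeding a client "test-client" / "test-secret" allowed the client_credentials grant with client_secret_basic authentication. The /oauth2/token and /oauth2/introspect paths are Spring Authorization Server's defaults.

```java
// Added example, not the project's code: end-to-end token mint + introspection
// against the running authserver, backed by a TestContainers database.
// Hypothetical assumptions (adjust): MySQL is the backing store; the "test" profile
// seeds a registered client test-client / test-secret that may use the
// client_credentials grant and authenticates with client_secret_basic.
import static org.assertj.core.api.Assertions.assertThat;

import java.util.Map;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.boot.testcontainers.service.connection.ServiceConnection;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.testcontainers.containers.MySQLContainer;
import org.testcontainers.junit.jupiter.Container;
import org.testcontainers.junit.jupiter.Testcontainers;

@SuppressWarnings({"rawtypes", "unchecked"})
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
@ActiveProfiles("test")
@Testcontainers
class TokenMintAndIntrospectIT {

    // @ServiceConnection wires spring.datasource.* to the container automatically.
    @Container
    @ServiceConnection
    static MySQLContainer<?> db = new MySQLContainer<>("mysql:8.0"); // assumed store

    @Autowired
    private TestRestTemplate rest;

    @Test
    void mintedTokenIntrospectsAsActive() {
        String token = mint("test-secret");
        Map<String, Object> claims = introspect(token);
        assertThat(claims.get("active")).isEqualTo(true);
        assertThat(claims.get("client_id")).isEqualTo("test-client");
    }

    @Test
    void unknownTokenIntrospectsAsInactive() {
        // RFC 7662: an unknown token is a 200 with {"active": false}, not an error.
        Map<String, Object> claims = introspect("not-a-token-this-server-issued");
        assertThat(claims.get("active")).isEqualTo(false);
    }

    @Test
    void wrongClientSecretCannotMint() {
        ResponseEntity<Map> resp = post("/oauth2/token", form("grant_type", "client_credentials"), "wrong");
        assertThat(resp.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
    }

    // --- helpers --------------------------------------------------------------

    private String mint(String secret) {
        ResponseEntity<Map> resp = post("/oauth2/token", form("grant_type", "client_credentials"), secret);
        assertThat(resp.getStatusCode()).isEqualTo(HttpStatus.OK);
        assertThat(resp.getBody().get("token_type")).isEqualTo("Bearer");
        return (String) resp.getBody().get("access_token");
    }

    private Map<String, Object> introspect(String token) {
        // The introspecting party authenticates as a client too (same seeded client here).
        ResponseEntity<Map> resp = post("/oauth2/introspect", form("token", token), "test-secret");
        assertThat(resp.getStatusCode()).isEqualTo(HttpStatus.OK);
        return resp.getBody();
    }

    private ResponseEntity<Map> post(String path, MultiValueMap<String, String> body, String secret) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        return rest.withBasicAuth("test-client", secret)
                   .postForEntity(path, new HttpEntity<>(body, headers), Map.class);
    }

    private static MultiValueMap<String, String> form(String key, String value) {
        MultiValueMap<String, String> f = new LinkedMultiValueMap<>();
        f.add(key, value);
        return f;
    }
}
```

The *IT suffix matches failsafe's default include pattern, so the class runs under mvn verify -Pintegration-tests once openespi-authserver is added to that -pl list (assuming the profile binds failsafe the way it does for the other modules). The wrong-secret case is worth keeping: it is the one check here that exercises client authentication on the token endpoint, which the repository swap in #127 sits directly underneath.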

Labels

blocking (Blocks other work or CI), bug (Something isn't working), infrastructure (CI, build, deployment, or developer tooling)