Skip to content

test: add missing regression coverage for data-mask and saml-auth#13684

Open
shreemaan-abhishek wants to merge 1 commit into
apache:masterfrom
shreemaan-abhishek:test/parity-test-backports
Open

test: add missing regression coverage for data-mask and saml-auth#13684
shreemaan-abhishek wants to merge 1 commit into
apache:masterfrom
shreemaan-abhishek:test/parity-test-backports

Conversation

@shreemaan-abhishek

Copy link
Copy Markdown
Contributor

Description

Adds regression tests for two behaviors that APISIX already implements but that no test exercises. Both are pure test additions; no plugin or schema code changes.

data-mask - apisix/plugins/data-mask.lua handles two edge cases that are currently untested:

  • a query parameter repeated multiple times arrives as a table, and the regex action is applied per entry (data-mask.lua:124-137);
  • a JSON field whose value is not a string is skipped with a warning rather than crashing the regex action (data-mask.lua:190-199).

This adds four blocks covering both paths (multi-value masking, and regex-skipped-without-crash). The existing access-log tests move from TEST 15/16 to TEST 19/20; they are unchanged otherwise.

saml-auth - auth_protocol_binding_method = "HTTP-POST" is currently only reached by schema-validation tests (t/plugin/saml-auth.t TEST 4 and TEST 7). The integration tests all run the default HTTP-Redirect binding, so the POST binding has no end-to-end coverage.

This adds t/plugin/saml-auth-post.t with six blocks: login and logout, single logout across two service providers, a wrong login_callback_uri, and a failed login. It reuses the existing t/lib/keycloak_saml.lua helper (no changes needed - it already implements the HTTP-POST branch) and the apisix_keycloak_saml service that ci/pod/docker-compose.plugin.yml and ci/init-plugin-test-service.sh already start and configure.

Which issue(s) this PR fixes

Not tied to a GitHub issue. Both gaps were found while comparing test coverage between APISIX and a downstream fork; the code being tested is upstream's and is already correct.

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change - not applicable, no user-facing behavior changes
  • I have verified that this change is backward compatible

Verification

prove -I. t/plugin/data-mask.t - the four new blocks (TEST 15-18) pass, and the renumbered access-log blocks are unchanged.

t/plugin/saml-auth-post.t is an integration test and runs against the apisix_keycloak_saml service configured by ci/kcadm_configure_saml.sh; it relies on 127.0.0.2 resolving to loopback, as several existing plugin tests already do.

Both cases are already-supported behavior that no test exercised.

data-mask: the plugin handles multi-value query parameters (a table-valued
arg, apisix/plugins/data-mask.lua:124-137) and skips the regex action for a
non-string JSON field instead of crashing (:190-199). Neither path had a
test. Adds four blocks covering both, renumbering the existing access-log
tests to TEST 19/20.

saml-auth: the HTTP-POST binding was only covered by schema validation; the
end-to-end login, single-logout, wrong-callback and login-failure flows ran
only against the default HTTP-Redirect binding. Adds saml-auth-post.t, which
uses the existing t/lib/keycloak_saml.lua helper and the apisix_keycloak_saml
CI service.
@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:L This PR changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants