potiuk commented on PR #67628:
URL: https://github.com/apache/airflow/pull/67628#issuecomment-4627518418

Done — replaced the per-endpoint test with the structural dual you
described. `test_routes_with_task_instance_id_param_enforce_ti_self` now
asserts every operation exposing a `{task_instance_id}` path param requires the
`ti:self` scope (or is on an explicit, currently-empty
`TI_ID_ROUTES_WITHOUT_TI_SELF` allowlist), and dropped
`test_mismatched_subject_is_rejected`.

One implementation note: I couldn't do it by walking `app.routes` like the
existing forward test — the execution API assembles routes per version, so in
the test harness static route introspection only surfaces a single top-level
route. So it checks the served OpenAPI spec (`security` per operation) across
every version in the bundle instead. Verified it's non-vacuous (12 such paths)
and that it actually catches the gap: reverting the `ti:self` dependency makes
it fail, listing `GET /task-reschedules/{task_instance_id}/start_date` across
all versions.

Side note from that: the existing
`test_ti_self_routes_have_task_instance_id_param` (forward direction) appears
to be effectively vacuous for the same route-introspection reason — happy to
convert it to the OpenAPI approach in a follow-up if you agree.
---
Drafted-by: Claude Code (Opus 4.8); reviewed by @potiuk before posting
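
The structural check described in the comment above, sketched as an added example (not code from the PR or from Airflow): it walks a bundle of OpenAPI specs and flags every operation with a `{task_instance_id}` path parameter whose `security` does not demand `ti:self` in each alternative. The version labels, the `JWT` scheme name, the `/run` path and the scope being listed as a plain scope string under `security` are assumptions; the sample specs are constructed.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
PARAM = "{task_instance_id}"
REQUIRED_SCOPE = "ti:self"


def enforces_scope(security, scope=REQUIRED_SCOPE):
    """True only if every alternative in an OpenAPI `security` list demands `scope`.

    The list is an OR of requirement objects, so a single alternative without
    the scope (or an empty `{}`, i.e. anonymous access) bypasses the check.
    """
    if not security:
        return False
    return all(any(scope in scopes for scopes in req.values()) for req in security)


def audit(specs, allowlist=frozenset()):
    """Return (checked, violations) for a {version: openapi_dict} bundle.

    `allowlist` holds (METHOD, path) pairs that are deliberately exempt.
    """
    checked, violations = 0, []
    for version, spec in specs.items():
        default = spec.get("security")  # document-level fallback
        for path, item in spec.get("paths", {}).items():
            if PARAM not in path:
                continue
            for method, op in item.items():
                if method not in HTTP_METHODS:  # skip "parameters", "summary", ...
                    continue
                checked += 1
                key = (method.upper(), path)
                if key not in allowlist and not enforces_scope(op.get("security", default)):
                    violations.append((version, *key))
    return checked, violations


# Constructed two-version bundle: v1 has lost the scope on one route.
SAMPLE = {
    "v1": {"paths": {
        "/task-instances/{task_instance_id}/run": {"patch": {"security": [{"JWT": ["ti:self"]}]}},
        "/task-reschedules/{task_instance_id}/start_date": {"get": {"security": [{"JWT": []}]}},
        "/health": {"get": {}}}},
    "v2": {"paths": {
        "/task-reschedules/{task_instance_id}/start_date": {"get": {"security": [{"JWT": ["ti:self"]}]}}}},
}

if __name__ == "__main__":
    checked, violations = audit(SAMPLE)
    assert checked > 0, "vacuous: no operation exposes the path parameter"
    print(checked, violations)
```

Asserting `checked > 0` is what keeps a test like this from passing vacuously when route discovery returns nothing.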