chore(xtest): audit logs assertions

[dmihalcik-virtru]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello @dmihalcik-virtru, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the xtest integration test suite by introducing a robust framework for KAS audit log collection and assertion. It also undertakes a major refactoring of the pytest fixture structure, moving towards a more modular and maintainable architecture. These changes aim to improve the test suite's ability to verify security-critical logging and streamline the local development and testing experience.

Highlights

• Audit Log Assertions: Introduced a new framework for collecting and asserting on KAS audit logs during test execution, including AuditLogCollector for background log capture and AuditLogAsserter for test-friendly validations.
• Pytest Fixture Modularization: Refactored conftest.py to modularize domain-specific fixtures into a new fixtures/ directory, improving test organization and maintainability.
• Dedicated otdfctl Wrapper: Extracted otdfctl command-line tool interactions into a new otdfctl.py module, centralizing CLI logic and removing it from abac.py.
• Enhanced Local Development Guide: Added a comprehensive LOCAL_DEVELOPMENT.md guide and a run-local.sh wrapper script to streamline running xtest locally with audit log collection and KAS instance management.
• Python Version Update: Updated the required Python version from 3.12 to 3.14 in xtest/README.md and requirements.txt.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/check.yml
  • .github/workflows/xtest.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive audit log assertion framework and performs a significant and beneficial refactoring of the pytest fixtures. The new framework for audit logs is robust, providing background collection, timestamp marking, and detailed assertion capabilities, which will be very valuable for testing. The refactoring of fixtures from a monolithic conftest.py into a structured fixtures package greatly improves modularity and maintainability. The addition of new documentation and helper scripts for local development is also a welcome improvement. I've identified a few minor issues, mainly related to documentation and a typo, which are detailed in the specific comments. Overall, this is an excellent pull request that significantly enhances the repository's testing infrastructure.

[gemini-code-assist]

The required Python version is listed as 3.14, which is not a released version and appears to be a typo. The latest stable version is 3.12. Please correct this to the intended version.

Suggested change

	- `python 3.14`
	- `python 3.12`

[gemini-code-assist]

The description for abac.py is now outdated due to the refactoring in this PR. The OpentdfCommandLineTool has been moved to its own file, otdfctl.py. I suggest updating this line to reflect that abac.py now only contains the Pydantic models. You should also add a new line for the otdfctl.py file.

Suggested change

	- `abac.py` - Attribute-based access control helpers, otdfctl wrapper
	- `abac.py` - Pydantic models for attribute-based access control (ABAC) policies

[gemini-code-assist]

The removal of the OpentdfCommandLineTool from this file and moving it to xtest/otdfctl.py is a great refactoring. It improves separation of concerns by leaving abac.py to define only the data models. However, this change makes the documentation in CLAUDE.md outdated. Please see my other comment on that file.

[gemini-code-assist]

Moving the fixtures into a dedicated fixtures package and loading them via pytest_plugins is an excellent refactoring. This greatly improves the organization and maintainability of the test suite's fixtures.

[gemini-code-assist]

There is a typo in the function name create_temp_namesapce. It should be create_temp_namespace. This typo is present in both the function definition and its call site within the temporary_namespace fixture.

Suggested change

	def create_temp_namesapce(otdfctl: OpentdfCommandLineTool):
	"""Create a temporary namespace with a random name."""
	random_ns = "".join(random.choices(string.ascii_lowercase, k=8)) + ".com"
	ns = otdfctl.namespace_create(random_ns)
	return ns
	@pytest.fixture(scope="module")
	def temporary_namespace(otdfctl: OpentdfCommandLineTool):
	"""Create a temporary namespace for test attributes."""
	try:
	return create_temp_namesapce(otdfctl)
	except AssertionError as e:
	pytest.skip(f"Failed to create temporary namespace: {e}")
	def create_temp_namespace(otdfctl: OpentdfCommandLineTool):
	"""Create a temporary namespace with a random name."""
	random_ns = "".join(random.choices(string.ascii_lowercase, k=8)) + ".com"
	ns = otdfctl.namespace_create(random_ns)
	return ns
	@pytest.fixture(scope="module")
	def temporary_namespace(otdfctl: OpentdfCommandLineTool):
	"""Create a temporary namespace for test attributes."""
	try:
	return create_temp_namespace(otdfctl)
	except AssertionError as e:
	pytest.skip(f"Failed to create temporary namespace: {e}")

[gemini-code-assist]

Making private_pem optional in kas_registry_import_key is a good improvement, making the function more flexible for cases where only a public key is being imported or is relevant.

[gemini-code-assist]

The addition of audit log checks within assert_decrypt_fails_with_patterns is a great enhancement. It strengthens the assertions by not only checking the client-side error output but also verifying that the expected events are logged on the server side.

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud