RSPEED-2429: Add health probe skip to RH Identity auth plugin

[major]

Description

RSPEED-2429: The RH Identity auth plugin was missing the skip_for_health_probes check that exists in the K8s auth plugin (LCORE-694). When skip_for_health_probes is enabled and the rh_identity auth module is active, health probe requests to /readiness and /liveness receive a 401 because they don't carry the x-rh-identity header.

This fix adds the same probe-skip logic to RHIdentityAuthDependency.__call__ so that requests to /readiness and /liveness bypass auth when skip_for_health_probes is configured.

Type of change

• Bug fix

Tools used to create PR

• Assisted-by: Claude (code review + implementation)
• Generated by: N/A

Related Tickets & Documents

• Related Issue RSPEED-2429
• Parent Epic RSPEED-2229

Summary by CodeRabbit

• New Features

  • Added configurable authentication bypass for health-check endpoints so readiness and liveness probes can optionally skip authentication, improving compatibility with monitoring and orchestration tools.

• Tests

  • Added comprehensive tests covering probe bypass enabled/disabled scenarios and ensuring non-probe paths still require authentication.

[coderabbitai]

Walkthrough

Adds an early-return health-probe bypass to RHIdentityAuthDependency: when the x-rh-identity header is absent and configuration.authentication_configuration.skip_for_health_probes is true, requests to /readiness or /liveness return NO_AUTH_TUPLE instead of performing normal authentication. Tests added to cover enabled/disabled and non-probe cases.

Changes

Cohort / File(s)	Summary
RH Identity Authentication src/authentication/rh_identity.py	Added health-probe skip branch: if header missing and path is /readiness or /liveness and skip_for_health_probes is enabled, return NO_AUTH_TUPLE early.
RH Identity Tests tests/unit/authentication/test_rh_identity.py	New tests (TestRHIdentityHealthProbeSkip) mocking configuration to verify bypass behavior when enabled, enforcement when disabled, and that non-probe paths still require authentication.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client
    participant Auth as RHIdentityAuthDependency
    participant Config as Configuration
    participant App as Application

    Client->>Auth: Request (no x-rh-identity header)
    Auth->>Config: read authentication_configuration.skip_for_health_probes
    alt path is /readiness or /liveness and skip enabled
        Auth-->>Client: return NO_AUTH_TUPLE (bypass)
        Client->>App: proceed with NO_AUTH_TUPLE
    else otherwise
        Auth->>Auth: attempt header extraction/decoding
        alt header absent or invalid
            Auth-->>Client: raise authentication error
        else valid header
            Auth-->>App: return user tuple
        end
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• LCORE-261: Add RH identity header auth #814: Modifies the same RHIdentity authentication code paths that this change extends.
• LCORE-694: auth skip for health probes #992: Implements similar health-probe auth-skip behavior (NO_AUTH_TUPLE) in the k8s authentication backend.

Suggested labels

ok-to-test

Suggested reviewers

• tisnik

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding health probe skip functionality to the RH Identity auth plugin, which matches the core objective of fixing 401 errors on health probe requests.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/unit/authentication/test_rh_identity.py (1)

360-370: ⚠️ Potential issue | 🟠 Major

This existing test will break due to the new configuration access path.

As noted in the source file review, the new health-probe skip logic accesses configuration.authentication_configuration before the 401 raise. This test doesn't mock configuration, so it will fail with a LogicError. If the source code is restructured per the suggestion, no change is needed here. Otherwise, add configuration mocking:

Alternative: mock configuration in this test

     `@pytest.mark.asyncio`
-    async def test_missing_header(self) -> None:
+    async def test_missing_header(self, mocker: MockerFixture) -> None:
         """Test authentication fails when header is missing."""
+        mock_config = mocker.MagicMock()
+        mock_config.authentication_configuration.skip_for_health_probes = False
+        mocker.patch("authentication.rh_identity.configuration", mock_config)
+
         auth_dep = RHIdentityAuthDependency()
         request = create_request_with_header(None)

🤖 Fix all issues with AI agents

In `@src/authentication/rh_identity.py`:
- Around line 216-223: Reorder the early-auth checks in the RH identity handler
so the request path is checked before accessing configuration: first test if
request.url.path is one of "/readiness" or "/liveness", then check
request.headers.get("x-rh-identity"), and only if header is missing consult
configuration.authentication_configuration.skip_for_health_probes to decide
returning NO_AUTH_TUPLE; also remove the duplicate
request.headers.get("x-rh-identity") call and keep the existing 401 raise
behavior (affecting the code around identity_header, NO_AUTH_TUPLE, and the
missing-header path used by test_missing_header).

🧹 Nitpick comments (1)

tests/unit/authentication/test_rh_identity.py (1)

477-484: Assert against the imported NO_AUTH_TUPLE constant instead of hardcoded values.

Lines 481–484 duplicate the contents of NO_AUTH_TUPLE. If that constant changes, these assertions will silently become stale. The file already imports from constants; consider importing NO_AUTH_TUPLE from authentication.interface and asserting directly:

Suggested change

+from authentication.interface import NO_AUTH_TUPLE
 ...
-        user_id, username, skip_userid_check, token = await auth_dep(request)
-
-        assert user_id == "00000000-0000-0000-0000-000"
-        assert username == "lightspeed-user"
-        assert skip_userid_check is True
-        assert token == ""
+        result = await auth_dep(request)
+        assert result == NO_AUTH_TUPLE

[tisnik]

LGTM