Skip to content

Test: Add missing coverage for DatabaseManager, API routes, Sentinel ingest and RAG pipeline#174

Open
emon22-ts wants to merge 3 commits into
openshield-org:devfrom
emon22-ts:feat/test-coverage
Open

Test: Add missing coverage for DatabaseManager, API routes, Sentinel ingest and RAG pipeline#174
emon22-ts wants to merge 3 commits into
openshield-org:devfrom
emon22-ts:feat/test-coverage

Conversation

@emon22-ts

@emon22-ts emon22-ts commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

What does this PR do?

Closes the four test coverage gaps identified in the audit by adding unit tests for DatabaseManager, five API route files, Sentinel HMAC signing and field mappings, and the RAG pipeline.

Type of change

  • New scan rule
  • Remediation playbook
  • Bug fix
  • Dashboard/front-end work
  • API endpoint
  • Documentation
  • Compliance mapping
  • CI and Testing

Coverage gaps addressed

  • CI-001 — DatabaseManager: tests for init, DSN handling, Finding dataclass, SEVERITY_WEIGHTS and score calculation logic
  • CI-002 — API routes: tests for score, compliance, drift, resources and prioritization endpoints covering 200, 400 and 500 responses
  • CI-003 — Sentinel ingest: tests for HMAC-SHA256 signature correctness, all severity field mappings, missing field defaults and send() retry behaviour
  • CI-004 — RAG pipeline: tests for loader.py document loading, chunker.py splitting and overlap, and retriever.py error handling

Files added

  • tests/test_database_manager.py — 16 tests
  • tests/test_api_routes.py — 17 tests
  • tests/test_sentinel_ingest.py — 13 tests
  • tests/test_rag_pipeline.py — 18 tests

Testing

  • 72 tests passing locally
  • No hardcoded credentials or secrets
  • All tests run without a live database or Azure credentials

Related issue

Closes #174

@Vishnu2707

Copy link
Copy Markdown
Member

@parthrohit22 , @ritiksah141 - assigning the review to u both, seems like you are the code owners and do know the codebase well and what value add this brings in, please do touch base with this.

@Vishnu2707

Copy link
Copy Markdown
Member

Container scan - Broken CI, the push for the fix has been done to dev which triggers in the next commit, hence go ahead without minding that CI response.

@ritiksah141 ritiksah141 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I pulled the branch and reviewed it against the current architecture and latest dev. All 72 added tests pass, ruff passes, and the branch has no merge conflicts. The earlier Trivy failure is not part of this review, as requested in the PR discussion.

I found three coverage gaps that should be corrected before approval:

  1. The score tests reproduce arithmetic locally instead of executing DatabaseManager.get_score(), so regressions in production SQL aggregation and floor handling would not be detected.
  2. The Sentinel retry tests only assert the final False result and do not prove that three attempts occurred.
  3. The RAG chunking tests pass a chunk_overlap value but never verify overlap behavior.

Please also update the PR description because Closes #174 refers to this pull request itself rather than a related issue.

class TestScoreCalculation:
"""Tests for score calculation logic."""

def test_score_starts_at_100(self):

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These tests recreate the scoring arithmetic inside the test instead of calling DatabaseManager.get_score(). A regression in the query aggregation or the production floor logic would still pass. Please mock the connection rows and assert results returned by db.get_score(). Also add coverage for at least one persistence method or narrow the stated CRUD scope, since _make_db is currently unused.

with patch("requests.post", return_value=mock_response):
with patch("time.sleep"):
result = ingest.send([ingest.normalise(RAW_FINDING, "scan-001")])
assert result is False

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This only verifies the final False result. It would still pass if send() stopped retrying after one request. Keep the requests.post mock and assert call_count == 3. The exception path should make the same assertion so the claimed retry behavior is protected.

long_content = "word " * 300
docs = [self._make_doc(long_content)]
chunks = chunk_documents(docs, chunk_size=100, chunk_overlap=10)
assert len(chunks) > 1

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR says chunk overlap is covered, but this assertion only proves that a long document creates multiple chunks. Please assert that adjacent chunk contents contain the requested overlap, or adjust the stated coverage scope.

@m-khan-97 m-khan-97 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Went through this against the actual source for the three areas Ritik flagged, since I wanted to confirm they're real before piling on rather than just trusting the summary. All three check out:

  1. Score tests never call the real code path. TestScoreCalculation in test_database_manager.py reproduces the arithmetic inline (score -= SEVERITY_WEIGHTS["HIGH"]) instead of calling DatabaseManager.get_score(). A bug in the actual SQL aggregation/floor logic would sail through untouched.
  2. Sentinel retry tests don't verify retry count. I checked sentinel/ingest.py:64send() genuinely does for attempt in range(1, 4) (3 attempts). But test_send_returns_false_after_retries and test_send_retries_on_exception only assert the final False, never mock_post.call_count == 3. Change that loop to range(1, 2) and both tests would still pass.
  3. Chunk overlap is asserted by count, not content. Confirmed in ai/chunker.py:51chunk_overlap directly controls start = split_pos - chunk_overlap for the next chunk. None of the chunker tests check that consecutive chunks actually share the expected overlapping text; they only check chunk count and chunk_index presence.

Agreeing with Ritik's request for changes on this basis — the coverage numbers are real (72 tests, all passing), but for the specific claims this PR makes (CI-001 through CI-004 "closed"), these three gaps mean the corresponding regressions could land undetected. Worth fixing before merge rather than as a fast-follow, since the whole point of this PR is closing coverage gaps precisely so regressions get caught.

One separate housekeeping item, also from Ritik's review and still true: the PR description says "Closes #174" but #174 is this PR's own tracking issue for the coverage gaps — please point it at the actual issue number if there is one, or drop the auto-close keyword if #174 is just this PR.

Nice test for the HMAC signature itself, by the way — test_build_signature_uses_hmac_sha256 independently recomputes the expected signature and compares against the real function's output rather than mocking it away. That's the right pattern; would be good to see the retry-count and chunk-overlap tests follow the same approach.

@Vishnu2707

Copy link
Copy Markdown
Member

@emon22-ts , there are quite some changes to be done, please do touch base with this PR.

@parthrohit22 parthrohit22 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reviewed PR #174 against its four changed test files, the existing review threads, and the underlying testing requirements in issue #153.

I agree with @ritiksah141’s three unresolved findings, which @m-khan-97 also independently confirmed:

  1. The score tests reproduce the arithmetic instead of calling DatabaseManager.get_score().
  2. The Sentinel tests assert only the final False result and do not prove that all three retry attempts occur.
  3. The chunker tests verify the number of chunks but not the configured overlap between adjacent chunks.

I will not repeat those inline comments. I found two additional coverage gaps:

  • Issue #153 explicitly identifies ai/embed.py as part of the untested RAG pipeline, but this PR does not test build_vectorstore() or the vector-store creation path.
  • The drift, resources, and prioritization success tests use empty database results and assert only 200/JSON. Their main comparison, aggregation, ranking, and response-mapping behavior is therefore not exercised.

The DatabaseManager concern is particularly important: this PR’s current head contains a duplicated GROUP BY severity inside get_score(), while all the new tests still pass because none execute the real method. This defect is inherited from the older base rather than introduced by this PR, and updating the branch from current dev should incorporate its correction. A real get_score() test should nevertheless be added to prevent recurrence.

The HMAC-SHA256 test is well designed and independently verifies the production function. Most CI checks are green, and I am not attributing the acknowledged Trivy failure to this PR.

Before approval, please:

  • Address the three existing unresolved review threads.
  • Add non-empty success-path tests for drift, resources, and prioritization.
  • Add mocked coverage for ai/embed.py.
  • Update the branch from dev and rerun CI.
  • Correct the related issue reference: Closes #174 currently refers to this pull request itself; the matching OpenShield testing issue is #153.
  • Correct the per-file test counts to 20 DatabaseManager, 20 API route, 13 Sentinel, and 19 RAG tests, which total the stated 72.

Requesting changes until the claimed coverage gaps and the underlying acceptance criteria are fully addressed.

@TFT444 TFT444 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@emon22-ts fix the following changes. they asking for

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants