Update IOP tests to support multi RHEL versions

[ColeHiggins2]

SAT-44051

Update IOP tests to support RHEL 8 9 and 10.

Added in Vulnerability packages for RHEL 8 and 9.

Updated tests.

Summary by Sourcery

Generalize RH Cloud IoP vulnerability and recommendations tests to support multiple RHEL major versions instead of only RHEL 10.

New Features:

• Introduce per-RHEL-version vulnerability metadata to drive IoP vulnerability scenarios across RHEL 8, 9, and 10.

Enhancements:

• Update test fixtures and flows to derive vulnerable packages, CVEs, errata, and OS filters dynamically from the host's RHEL version.
• Expand content sync setup to enable and sync BaseOS/AppStream repositories for all supported RHEL versions.
• Relax RHEL version matching on IoP UI and CLI tests to cover all supported versions except RHEL 7 and adjust Satellite/Insights deployment modes accordingly.
• Adjust CLI IoP installation tests to run against an older (N-2) RHEL version baseline.

[sourcery-ai]

Reviewer's Guide

Generalize IoP and vulnerability UI/CLI tests to support RHEL 8, 9, and 10 by parameterizing vulnerable package data, loosening RHEL version markers, and updating content sync and remediation logic to be version-aware.

Sequence diagram for version-aware IoP vulnerability CLI test

sequenceDiagram
    participant TestRunner
    participant IopCliTest
    participant Constants as RobotteloConstants
    participant RhelHost
    participant InsightsService

    TestRunner->>IopCliTest: run_test(rhel_version)
    IopCliTest->>Constants: get VULNERABLE_PACKAGES[rhel_version]
    Constants-->>IopCliTest: rpm, cves, erratum

    IopCliTest->>RhelHost: ensure_content_synced(rhel_version)
    RhelHost-->>IopCliTest: content_available

    IopCliTest->>RhelHost: install_vulnerable_rpm(rpm)
    RhelHost-->>IopCliTest: installation_status

    IopCliTest->>InsightsService: upload_insights_archive(rhel_version)
    InsightsService-->>IopCliTest: analysis_result(cves_detected)

    IopCliTest->>IopCliTest: assert cves_detected contains cves

    IopCliTest->>InsightsService: trigger_remediation(rhel_version)
    InsightsService-->>RhelHost: apply_playbook
    RhelHost-->>InsightsService: remediation_status

    InsightsService-->>IopCliTest: remediation_complete
    IopCliTest->>RhelHost: verify_package_state(rpm)
    RhelHost-->>IopCliTest: package_state

    IopCliTest->>TestRunner: report_result

Loading

File-Level Changes

Change	Details	Files
Make vulnerable host fixture and vulnerability tests version-aware using a shared per-RHEL vulnerable package definition.	Introduce VULNERABLE_PACKAGES mapping in constants to hold rpm, CVE list, and erratum per RHEL major version Update vulnerable_rhel_host fixture to derive rpm and CVEs from VULNERABLE_PACKAGES based on client.os_version.major and assert configuration presence Refactor tests to derive primary CVE, CVE lists, and errata search strings from VULNERABLE_PACKAGES instead of RHEL10-specific constants Adjust test docstrings and expectations to describe generic vulnerable packages and per-version OS filters	robottelo/constants/__init__.py tests/foreman/ui/test_rhcloud_insights_vulnerability.py
Expand content setup and RHEL-version filters so IoP tests run on RHEL 8, 9, and 10 while excluding RHEL 7.	Update setup_content_for_iop to iterate over RHEL 8, 9, and 10 BaseOS/AppStream repo definitions dynamically instead of hardcoding RHEL 10 repos Change pytest rhel_ver_match markers in UI IoP and vulnerability tests from RHEL-10-only or excluding 7 and 8 to a regex that only excludes RHEL 7 Switch certain IoP UI tests to use module_target_sat_insights=True to run against the appropriate Satellite with insights enabled	tests/foreman/ui/test_rhcloud_insights_vulnerability.py tests/foreman/ui/test_rhcloud_iop.py
Align CLI IoP tests to run on older RHEL baselines (N-2) instead of the latest (N-0).	Update rhel_ver_match markers in CLI IoP tests from 'N-0' to 'N-2' to target the desired RHEL version offset	tests/foreman/cli/test_rhcloud_iop.py

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• Accessing constants.VULNERABLE_PACKAGES[rhel_ver] assumes os_version.major is an int; if it is a string (e.g. '8'/'9'), this will raise a KeyError, so consider normalizing the type (e.g. int(os_version.major)) or using consistent string keys in the mapping.
• For RHEL 8 and 9 in VULNERABLE_PACKAGES, erratum is set to an empty string but later used in the apply_erratas search expression, which will generate an invalid/empty search like errata_id == ; it would be safer to either provide real errata IDs or guard the remediation step when no erratum is defined.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Accessing `constants.VULNERABLE_PACKAGES[rhel_ver]` assumes `os_version.major` is an int; if it is a string (e.g. `'8'`/`'9'`), this will raise a `KeyError`, so consider normalizing the type (e.g. `int(os_version.major)`) or using consistent string keys in the mapping.
- For RHEL 8 and 9 in `VULNERABLE_PACKAGES`, `erratum` is set to an empty string but later used in the `apply_erratas` search expression, which will generate an invalid/empty search like `errata_id == `; it would be safer to either provide real errata IDs or guard the remediation step when no erratum is defined.

## Individual Comments

### Comment 1
<location path="tests/foreman/ui/test_rhcloud_insights_vulnerability.py" line_range="256" />
<code_context>

-        # Use the first 2 CVEs from the mariadb package for deterministic bulk edit testing
-        cve_ids = constants.RHEL10_VULNERABLE_MARIADB_CVES[:2]
+        cve_ids = vuln_data['cves'][:2]

         # Bulk edit business risk
</code_context>
<issue_to_address>
**suggestion (testing):** Bulk-edit test may only exercise a single CVE on RHEL versions with fewer CVEs

On RHEL 10, `vuln_data['cves'][:2]` correctly yields two CVEs, but on RHEL 8/9 the list currently has only one element, so this behaves like a single-CVE edit despite the test docstring describing a multi-CVE bulk edit.

To keep the test semantics accurate and ensure we truly exercise bulk behavior on all supported RHEL versions, please either (1) ensure `VULNERABLE_PACKAGES` for RHEL 8/9 includes at least two CVEs, (2) skip/xfail when fewer than two CVEs are available, or (3) parametrize so that bulk assertions only run when `len(cves) >= 2`. Otherwise, the test may overstate our coverage of bulk operations on RHEL 8/9.

Suggested implementation:

```python
    vuln_data = constants.VULNERABLE_PACKAGES[rhel_ver]

    # Ensure we actually exercise bulk behavior; skip when fewer than two CVEs are available
    cves = vuln_data['cves']
    if len(cves) < 2:
        pytest.skip("Bulk edit requires at least two CVEs in VULNERABLE_PACKAGES for this RHEL version")

    with satellite.ui_session() as session:
        session.organization.select(org_name=rhcloud_manifest_org.name)

        cve_ids = cves[:2]

        # Bulk edit business risk

```

This change assumes `pytest` is already imported in `tests/foreman/ui/test_rhcloud_insights_vulnerability.py`.  
If it is not, add `import pytest` near the top of the file alongside the other imports.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (testing): Bulk-edit test may only exercise a single CVE on RHEL versions with fewer CVEs

On RHEL 10, vuln_data['cves'][:2] correctly yields two CVEs, but on RHEL 8/9 the list currently has only one element, so this behaves like a single-CVE edit despite the test docstring describing a multi-CVE bulk edit.

To keep the test semantics accurate and ensure we truly exercise bulk behavior on all supported RHEL versions, please either (1) ensure VULNERABLE_PACKAGES for RHEL 8/9 includes at least two CVEs, (2) skip/xfail when fewer than two CVEs are available, or (3) parametrize so that bulk assertions only run when len(cves) >= 2. Otherwise, the test may overstate our coverage of bulk operations on RHEL 8/9.

Suggested implementation:

    vuln_data = constants.VULNERABLE_PACKAGES[rhel_ver]

    # Ensure we actually exercise bulk behavior; skip when fewer than two CVEs are available
    cves = vuln_data['cves']
    if len(cves) < 2:
        pytest.skip("Bulk edit requires at least two CVEs in VULNERABLE_PACKAGES for this RHEL version")

    with satellite.ui_session() as session:
        session.organization.select(org_name=rhcloud_manifest_org.name)

        cve_ids = cves[:2]

        # Bulk edit business risk

This change assumes pytest is already imported in tests/foreman/ui/test_rhcloud_insights_vulnerability.py.
If it is not, add import pytest near the top of the file alongside the other imports.

[ColeHiggins2]

trigger: test-robottelo
pytest: tests/foreman/ui/test_rhcloud_insights_vulnerability.py

[Satellite-QE]

PRT Result

Build Number: 15302
Build Status: UNSTABLE
PRT Comment: pytest tests/foreman/ui/test_rhcloud_insights_vulnerability.py --external-logging
Test Result : ================= 33 warnings, 38 errors in 3628.73s (1:00:28) =================

[LadislavVasina1]

Changes looks valid to me, I just don't understand why it failing in PRT

[ColeHiggins2]

trigger: test-robottelo
pytest: tests/foreman/ui/test_rhcloud_insights_vulnerability.py

[Satellite-QE]

PRT Result

Build Number: 15358
Build Status: UNSTABLE
PRT Comment: pytest tests/foreman/ui/test_rhcloud_insights_vulnerability.py --external-logging
Test Result : ================= 37 warnings, 38 errors in 3556.94s (0:59:16) =================

[ColeHiggins2]

trigger: test-robottelo
pytest: tests/foreman/ui/test_rhcloud_insights_vulnerability.py

[Satellite-QE]

PRT Result

Build Number: 15388
Build Status: UNSTABLE
PRT Comment: pytest tests/foreman/ui/test_rhcloud_insights_vulnerability.py --external-logging
Test Result : =========== 4 failed, 35 passed, 676 warnings in 32285.42s (8:58:05) ===========

[ColeHiggins2]

trigger: test-robottelo
pytest: tests/foreman/ui/test_rhcloud_insights_vulnerability.py

[nofaralfasi]

This test is in the IoP suite and the docstring says “Set up Satellite with iop enabled,” but [True] here selects hosted Insights behavior from the fixture.
Was this intentional? If this test is meant to validate IoP flow, this should be [False]. Otherwise the test name/docstring should be updated to reflect hosted coverage.

[ColeHiggins2]

trigger: test-robottelo
pytest: tests/foreman/ui/test_rhcloud_insights_vulnerability.py

[Satellite-QE]

PRT Result

Build Number: 15623
Build Status: UNSTABLE
PRT Comment: pytest tests/foreman/ui/test_rhcloud_insights_vulnerability.py --external-logging
Test Result : ========== 12 failed, 27 passed, 702 warnings in 36975.60s (10:16:15) ==========

[ColeHiggins2]

trigger: test-robottelo
pytest: tests/foreman/ui/test_rhcloud_insights_vulnerability.py

[ColeHiggins2]

trigger: test-robottelo
pytest: tests/foreman/ui/test_rhcloud_insights_vulnerability.py

[ColeHiggins2]

trigger: test-robottelo
pytest: tests/foreman/ui/test_rhcloud_insights_vulnerability.py

[Satellite-QE]

PRT Result

Build Number: 15646
Build Status: UNSTABLE
PRT Comment: pytest tests/foreman/ui/test_rhcloud_insights_vulnerability.py --external-logging
Test Result : ========== 12 failed, 27 passed, 667 warnings in 41389.38s (11:29:49) ==========