Skip to content

Add authorization-failure tests for validate_milestone verifier vs non-verifier #228

Description

@1nonlypiece

📌 Description

validate_milestone requires verifier.require_auth() when a verifier is set,
and creator.require_auth() when it is None. The current suite relies heavily
on env.mock_all_auths(), which masks the negative case: that a non-verifier
(and, in the None case, a non-creator) is actually rejected.

Goal: add tests using real (non-mocked) auth that prove only the designated
party can validate, for both the Some(verifier) and None configurations.

🎯 Requirements and Context

  • Must be deterministic and isolated.
  • Use scoped auth (e.g. mock_auths / per-address auth) instead of
    mock_all_auths() so unauthorized calls genuinely fail.
  • Cover: Some(verifier) validated by a stranger (reject); None validated by a
    non-creator (reject); the corresponding authorized calls (succeed).
  • Assert the rejected calls do not mutate milestone_validated.

🛠️ Suggested Execution

1. Fork the repo and create a branch

git checkout -b feature/validate-auth-negative-tests

2. Implement changes

  • Tests: add tests/validate_auth.rs exercising scoped auth for the four cases.
  • Assert state is unchanged after each rejection via get_vault_state.
  • Docs: update TEST_VERIFIER_SAME_AS_CREATOR.md and TESTING_GUIDE.md to note
    the negative auth coverage.

3. Test and commit

  • Run cargo test and regenerate coverage.
  • Cover edge cases: verifier == creator (still only that party), stranger auth,
    validation after deadline still gated by MilestoneExpired.

Example commit message

test: negative authorization coverage for validate_milestone

✅ Guidelines

  • Minimum 95% test coverage on validate_milestone auth branches.
  • Clear documentation of the negative cases.
  • All tests deterministic and passing.
  • Timeframe: 96 hours.

🏷️ Labels

type-testing · area-contracts · type-security · MAYBE REWARDED ·
GRANTFOX OSS · OFFICIAL CAMPAIGN

💬 Community & Support

  • Join the Disciplr contributor Discord to coordinate, ask questions, and get
    unblocked fast: https://discord.gg/xvNAvMJf
  • Please introduce yourself before you start so we can avoid duplicate work,
    pair you with a reviewer, and merge your PR quickly.

Metadata

Metadata

Assignees

No one assigned

    Labels

    GRANTFOX OSSGrantFox open-source campaignMAYBE REWARDEDEligible for GrantFox rewardOFFICIAL CAMPAIGNOfficial GrantFox campaign issuearea-contractsSmart contract (Soroban/Rust) worktype-securitySecurity review / hardeningtype-testingTests and test coverage

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions