[authz] remove expectorate for authz coverage test (#9761)

smklein · david-crespo · web-flow · commit 363d7a74ad00 · 2026-02-01T01:16:53.000Z
Depends on #9760 Fixes #9748 --------- Co-authored-by: David Crespo <david.crespo@oxidecomputer.com>
diff --git a/nexus/tests/integration_tests/audit_log.rs b/nexus/tests/integration_tests/audit_log.rs
@@ -401,7 +401,6 @@ async fn test_audit_log_create_delete_ops(ctx: &ControlPlaneTestContext) {
 #[nexus_test]
 async fn test_audit_log_coverage(ctx: &ControlPlaneTestContext) {
     use super::endpoints::{AllowedMethod, VERIFY_ENDPOINTS};
-    use expectorate::assert_contents;
     use nexus_test_utils::http_testing::{AuthnMode, NexusRequest};
     use openapiv3::OpenAPI;
     use std::collections::BTreeMap;
@@ -564,16 +563,22 @@ async fn test_audit_log_coverage(ctx: &ControlPlaneTestContext) {
             "If the endpoint is read-only despite using POST (like the timeseries"
         );
         eprintln!(
-            "query endpoints), rerun the test with EXPECTORATE=overwrite to update"
+            "query endpoints), add it to uncovered-audit-log-endpoints.txt."
         );
-        eprintln!("the list of uncovered endpoints.");
         eprintln!(
             "======================================================================="
         );
         eprintln!();
     }
 
-    assert_contents(expected_path, &output);
+    // NOTE: We intentionally do NOT use expectorate's assert_contents here
+    // because we don't want EXPECTORATE=overwrite to allow people to
+    // accidentally add uncovered endpoints to the allowlist.
+    similar_asserts::assert_eq!(
+        expected,
+        output,
+        "left: uncovered-audit-log-endpoints.txt, right: actual"
+    );
 
     // Check for GET endpoints that unexpectedly have audit logging
     let mut get_output = String::from("GET endpoints with audit logging:\n");
@@ -610,16 +615,21 @@ async fn test_audit_log_coverage(ctx: &ControlPlaneTestContext) {
         eprintln!(
             "modify state. If this endpoint was intentionally audited (rare),"
         );
-        eprintln!(
-            "rerun the test with EXPECTORATE=overwrite to update the list."
-        );
+        eprintln!("add it to audited-get-endpoints.txt.");
         eprintln!(
             "======================================================================="
         );
         eprintln!();
     }
 
-    assert_contents(get_expected_path, &get_output);
+    // NOTE: We intentionally do NOT use expectorate's assert_contents here
+    // because we don't want EXPECTORATE=overwrite to allow people to
+    // accidentally add audited GET endpoints to the list.
+    similar_asserts::assert_eq!(
+        get_expected,
+        get_output,
+        "left: audited-get-endpoints.txt, right: actual"
+    );
 }
 
 fn verify_entry(
diff --git a/nexus/tests/integration_tests/unauthorized_coverage.rs b/nexus/tests/integration_tests/unauthorized_coverage.rs
@@ -126,25 +126,35 @@ fn test_unauthorized_coverage() {
         ));
     }
 
-    // If you're here because this assertion failed, check that if you've added
-    // any API operations to Nexus, you've also added a corresponding test in
-    // "unauthorized.rs" so that it will automatically be checked for its
-    // behavior for unauthenticated and unauthorized users.  DO NOT SKIP THIS.
-    // Even if you're just adding a stub, see [`Nexus::unimplemented_todo()`].
-    // If you _added_ a test that covered an endpoint from the allowlist --
-    // hooray!  Just delete the corresponding line from this file.  (Why is this
-    // not `expectorate::assert_contents`?  Because we only expect this file to
-    // ever shrink, which is easy enough to fix by hand, and we don't want to
-    // make it easy to accidentally add things to the allowlist.)
-    // let expected_uncovered_endpoints =
-    //     std::fs::read_to_string("tests/output/uncovered-authz-endpoints.txt")
-    //         .expect("failed to load file of allowed uncovered endpoints");
-
-    // TODO: Update this to remove overwrite capabilities
-    // See https://github.com/oxidecomputer/expectorate/pull/12
-    assert_contents(
-        "tests/output/uncovered-authz-endpoints.txt",
-        uncovered_endpoints.as_str(),
+    // If you're here because this assertion failed, you've added an API
+    // operation to Nexus without adding a corresponding test in
+    // "unauthorized.rs" to check its behavior for unauthenticated and
+    // unauthorized users. DO NOT SKIP THIS. Even if you're just adding a stub,
+    // see [`Nexus::unimplemented_todo()`].
+    //
+    // To fix this:
+    // 1. Add a VerifyEndpoint entry in endpoints.rs for your new endpoint
+    // 2. Run the test_unauthorized test to verify it works
+    //
+    // The allowed uncovered endpoints file should only ever SHRINK (when you
+    // add coverage for an endpoint). It should never grow. If you've added
+    // coverage for an endpoint, you can remove it from the allowlist file.
+    //
+    // NOTE: We intentionally do NOT use expectorate's assert_contents here
+    // because we don't want EXPECTORATE=overwrite to allow people to
+    // accidentally add uncovered endpoints to the allowlist.
+    let expected_uncovered_endpoints =
+        std::fs::read_to_string("tests/output/uncovered-authz-endpoints.txt")
+            .expect("failed to read uncovered-authz-endpoints.txt");
+    assert!(
+        uncovered_endpoints == expected_uncovered_endpoints,
+        "Uncovered endpoints list doesn't match expected.\n\n\
+         If you ADDED a new endpoint, add authz coverage in endpoints.rs.\n\n\
+         If you ADDED coverage for an existing endpoint, remove it from \
+         tests/output/uncovered-authz-endpoints.txt.\n\n\
+         Expected:\n{}\n\nActual:\n{}",
+        expected_uncovered_endpoints,
+        uncovered_endpoints
     );
 }
 
