feat(jans-cedarling): Update Tests, Examples, and Benchmarks After Core Changes

[haileyesus2433]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #13441

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ed0bdcf3-7250-4422-991a-c4786a4d0e42

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch jans-cedarling-13441

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can use Trivy to scan for security misconfigurations and secrets in Infrastructure as Code files.

Add a .trivyignore file to your project to customize which findings Trivy reports.

[mo-auto]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[olehbozhok]

It would be great to have 2 files for profiling. For the unsigned, you already made. Can you make authorize_multi_issuer profiling?

[olehbozhok]

@coderabbitai can you verify if changes in jans-cedarling/flask-sidecar/main/base/cedarling/cedarling.py are valid?

[olehbozhok]

@SafinWasi, can you take a look and verify if changes in jans-cedarling/flask-sidecar/main/base/cedarling/cedarling.py are OK?

[olehbozhok]

You also need to remove outdated fields/entities in testing files (folder test_files). And remove unused files

[haileyesus2433]

You also need to remove outdated fields/entities in testing files (folder test_files). And remove unused files

oh ok i forgot about those thanks, its a huge refactor and need help in spotting things i missed thanks

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

Let me gather the file contents and diff to verify the changes.

---

🏁 Script executed:

#!/bin/bash
# Read the current content of cedarling.py
fd "cedarling.py" --full-path | grep "flask-sidecar" | head -5

cat jans-cedarling/flask-sidecar/main/base/cedarling/cedarling.py 2>/dev/null || echo "File not found at that path"

# Also look for the file in alternative paths
fd "cedarling.py" jans-cedarling/flask-sidecar/

Length of output: 8159

---

Now let me check the Python bindings .pyi files to verify these API calls.

---

🏁 Script executed:

#!/bin/bash
# List and read the .pyi stub files
fd "\.pyi$" jans-cedarling/bindings/cedarling_python/

echo "=== Reading all .pyi files ==="
fd "\.pyi$" jans-cedarling/bindings/cedarling_python/ --exec cat {} \;

echo "=== Check for AuthorizeMultiIssuerRequest ==="
rg -n "AuthorizeMultiIssuerRequest|authorize_multi_issuer|TokenInput|EntityData|AuthorizeResultResponse" jans-cedarling/bindings/cedarling_python/ -A2

echo "=== Check for get_logs_by_request_id_and_tag ==="
rg -n "get_logs_by_request_id|request_id|is_allowed|response\b" jans-cedarling/bindings/cedarling_python/ -A2

echo "=== Check diagnostics / decision ==="
rg -n "diagnostics|decision|reason|errors" jans-cedarling/bindings/cedarling_python/ -A2

Length of output: 123334

---

@olehbozhok: I've reviewed jans-cedarling/flask-sidecar/main/base/cedarling/cedarling.py against the Python binding .pyi stubs and Rust source. Here is my findings:

---

✅ API Usage — All Valid

Call in cedarling.py	Binding interface	Status
BootstrapConfig.from_env()	from_env(options: Dict | None = None)	✅
BootstrapConfig.load_from_json(str)	load_from_json(config_json: str)	✅
EntityData.from_dict({cedar_entity_mapping: {entity_type, id}, ...})	Documented dict structure	✅
TokenInput(mapping=..., payload=...)	__init__(mapping: str, payload: str)	✅
AuthorizeMultiIssuerRequest(tokens, action, resource, context)	__init__(tokens, action, resource, context=None)	✅
cedarling.authorize_multi_issuer(request) → MultiIssuerAuthorizeResult	Matches .pyi	✅
authorize_result.request_id()	MultiIssuerAuthorizeResult.request_id() -> str	✅
cedarling.get_logs_by_request_id_and_tag(request_id, tag)	Matches .pyi	✅
authorize_result.is_allowed()	MultiIssuerAuthorizeResult.is_allowed() -> bool	✅
authorize_result.response()	MultiIssuerAuthorizeResult.response() -> AuthorizeResultResponse	✅
resp.decision.value	Decision.value: str	✅
resp.diagnostics.reason / .errors	Diagnostics.reason: set[str], .errors: List[PolicyEvaluationError]	✅

---

⚠️ One Concern — Token Mapping Case Mismatch

In cedarling.py, the TokenInput mapping strings use lowercase 't':

TokenInput(mapping="Jans::Access_token", payload=access_token)
TokenInput(mapping="Jans::Id_token",     payload=id_token)
TokenInput(mapping="Jans::Userinfo_token", payload=userinfo_token)

But the binding tests (test_authorize_multi_issuer.py) and example.py consistently use uppercase 'T':

TokenInput(mapping="Jans::Access_Token", payload=ACCESS_TOKEN)
TokenInput(mapping="Jans::Id_Token",     payload=ID_TOKEN)
TokenInput(mapping="Jans::Userinfo_Token", payload=USERINFO_TOKEN)

Since mapping is an entity type name resolved against the Cedar schema, and Cedar is case-sensitive, using "Jans::Access_token" instead of "Jans::Access_Token" will cause a runtime entity resolution failure if the schema defines these types with uppercase 'T'. This should be confirmed against the actual Cedar schema being used by the sidecar.

---

🧠 Learnings used

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2026-03-04T18:43:54.762Z
Learning: Applies to jans-cedarling/bindings/cedarling_python/**/*.pyi : After making changes to `bindings/cedarling_python`, validate the `.pyi` files in `bindings/cedarling_python/cedarling_python` to ensure type hints match Rust interface changes

---

Learnt from: SafinWasi
Repo: JanssenProject/jans PR: 13463
File: jans-cedarling/flask-sidecar/README.md:21-22
Timestamp: 2026-03-12T06:56:13.094Z
Learning: In `jans-cedarling/flask-sidecar/README.md`, the cedarling Python binding wheel filename (e.g., `cedarling_python-0.0.0-cp311-cp311-manylinux_2_34_x86_64.whl`) is intentionally hardcoded because the sidecar is pinned to Python 3.11. The filename only changes if the Python version of the sidecar changes, so do not flag it as needing a glob or dynamic substitution note.

---

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2026-03-04T18:43:54.762Z
Learning: Applies to jans-cedarling/bindings/cedarling_python/**/*.py : Use `mypy` to validate type annotations in Python bindings: `mypy cedarling_python`

---

Learnt from: moabu
Repo: JanssenProject/jans PR: 13060
File: CHANGELOG.md:25-26
Timestamp: 2026-01-22T14:33:53.554Z
Learning: Repo: JanssenProject/jans — For Release Please-generated PRs (chore(main): release …), CHANGELOG.md is auto-generated; avoid suggesting manual edits (e.g., duplicate/formatting cleanups) and ignore minor nits in that file.

---

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2026-03-04T18:43:54.762Z
Learning: Applies to jans-cedarling/**/*.rs : Include both positive and negative test cases for all tests

---

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2026-03-04T18:43:54.762Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns). Focus on "why" not "what", include examples for complex functionality, and keep documentation concise.

[haileyesus2433]

You also need to remove outdated fields/entities in testing files (folder test_files). And remove unused files

resolved in f677cb5

[olehbozhok]

@haileyesus2433 I removed some outdated fields from the code and merged the last changes from main. Testing code still has some problems, pls analyze them and fix if needed.