From b9d2fa8277b8442d930a8bbceee4ee9c5df4c5bb Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Sun, 4 Jan 2026 03:01:56 -0300
Subject: [PATCH] test(portal): improve e2e auth errors

---
 scripts/tests/test_portal_onboarding_flow.py  | 33 ++++++++++++-------
 .../portal-onboarding-e2e-test-job.yaml       |  2 +-
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/scripts/tests/test_portal_onboarding_flow.py b/scripts/tests/test_portal_onboarding_flow.py
index 504cfd1..2b5ff68 100644
--- a/scripts/tests/test_portal_onboarding_flow.py
+++ b/scripts/tests/test_portal_onboarding_flow.py
@@ -100,7 +100,7 @@ def _keycloak_client_token(keycloak_base: str, realm: str, client_id: str, clien
     )
     token = payload.get("access_token")
     if not isinstance(token, str) or not token:
-        raise SystemExit("keycloak admin token response missing access_token")
+        raise SystemExit("keycloak token response missing access_token")
     return token
 
 
@@ -254,7 +254,10 @@ def main() -> int:
     imap_keycloak_username = os.environ.get("E2E_IMAP_KEYCLOAK_USERNAME", "robotuser").strip()
     imap_wait_sec = int(os.environ.get("E2E_IMAP_WAIT_SECONDS", "90"))
 
-    token = _keycloak_client_token(keycloak_base, realm, kc_admin_client_id, kc_admin_client_secret)
+    try:
+        token = _keycloak_client_token(keycloak_base, realm, kc_admin_client_id, kc_admin_client_secret)
+    except SystemExit as exc:
+        raise SystemExit(f"failed to fetch keycloak token for admin client {kc_admin_client_id!r}: {exc}")
     mailbox_user = _keycloak_find_user(keycloak_base, realm, token, imap_keycloak_username)
     if not mailbox_user:
         raise SystemExit(f"unable to locate Keycloak mailbox user {imap_keycloak_username!r}")
@@ -316,16 +319,22 @@ def main() -> int:
     if not isinstance(portal_admin_user_id, str) or not portal_admin_user_id:
         raise SystemExit("portal admin user missing id")
 
-    e2e_subject_token = _keycloak_client_token(keycloak_base, realm, portal_e2e_client_id, portal_e2e_client_secret)
-    portal_bearer = _keycloak_token_exchange(
-        keycloak_base=keycloak_base,
-        realm=realm,
-        client_id=portal_e2e_client_id,
-        client_secret=portal_e2e_client_secret,
-        subject_token=e2e_subject_token,
-        requested_subject=portal_admin_user_id,
-        audience=portal_target_client_id,
-    )
+    try:
+        e2e_subject_token = _keycloak_client_token(keycloak_base, realm, portal_e2e_client_id, portal_e2e_client_secret)
+    except SystemExit as exc:
+        raise SystemExit(f"failed to fetch keycloak token for E2E client {portal_e2e_client_id!r}: {exc}")
+    try:
+        portal_bearer = _keycloak_token_exchange(
+            keycloak_base=keycloak_base,
+            realm=realm,
+            client_id=portal_e2e_client_id,
+            client_secret=portal_e2e_client_secret,
+            subject_token=e2e_subject_token,
+            requested_subject=portal_admin_user_id,
+            audience=portal_target_client_id,
+        )
+    except SystemExit as exc:
+        raise SystemExit(f"failed to exchange token for portal approval as {portal_admin_username!r}: {exc}")
 
     approve_url = f"{portal_base}/api/admin/access/requests/{urllib.parse.quote(username, safe='')}/approve"
     approve_resp = _request_json("POST", approve_url, portal_bearer, payload=None, timeout_s=60)
diff --git a/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml b/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml
index 568457d..6b9eb7d 100644
--- a/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml
+++ b/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: portal-onboarding-e2e-test-9
+  name: portal-onboarding-e2e-test-10
   namespace: bstein-dev-home
 spec:
   backoffLimit: 0