interuss
diff --git a/‎monitoring/prober/infrastructure.py
Lines changed: 1 addition & 1 deletion b/‎monitoring/prober/infrastructure.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎monitoring/uss_qualifier/scenarios/astm/utm/dss/authentication/authentication_validation.md
Lines changed: 132 additions & 0 deletions b/‎monitoring/uss_qualifier/scenarios/astm/utm/dss/authentication/authentication_validation.md
Lines changed: 132 additions & 0 deletions
diff --git a/‎monitoring/uss_qualifier/scenarios/astm/utm/dss/authentication/authentication_validation.py
Lines changed: 63 additions & 1 deletion b/‎monitoring/uss_qualifier/scenarios/astm/utm/dss/authentication/authentication_validation.py
Lines changed: 63 additions & 1 deletion
@@ -100,7 +100,7 @@ def wrapper_default_scope(*args, **kwargs):
 resource_type_code_descriptions: Dict[ResourceType, str] = {}
 
 
-# Next code: 381
+# Next code: 382
 def register_resource_type(code: int, description: str) -> ResourceType:
     """Register that the specified code refers to the described resource.
 
 
@@ -173,6 +173,138 @@ it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../require
 If the DSS does not allow searching for subscriptions when valid credentials are presented,
 it is in violation of **[astm.f3548.v21.DSS0005,5](../../../../../requirements/astm/f3548/v21.md)**.
 
+### Operational intents endpoints authentication test step
+
+#### 🛑 Unauthorized requests return the proper error message body check
+
+If the DSS under test does not return a proper error message body when an unauthorized request is received,
+it fails to properly implement the OpenAPI specification that is part of **[astm.f3548.v21.DSS0005,1](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Create operational intent reference with missing credentials check
+
+If the DSS under test allows the creation of an operational intent without any credentials being presented,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Create operational intent reference with invalid credentials check
+
+If the DSS under test allows the creation of an operational intent with credentials that are well-formed but invalid,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Create operational intent reference with missing scope check
+
+If the DSS under test allows the creation of an operational intent with valid credentials but a missing scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Create operational intent reference with incorrect scope check
+
+If the DSS under test allows the creation of an operational intent with valid credentials but an incorrect scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Create operational intent reference with valid credentials check
+
+If the DSS does not allow the creation of an operational intent when valid credentials are presented,
+it is in violation of **[astm.f3548.v21.DSS0005,1](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Get operational intent reference with missing credentials check
+
+If the DSS under test allows the fetching of an operational intent without any credentials being presented,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Get operational intent reference with invalid credentials check
+
+If the DSS under test allows the fetching of an operational intent with credentials that are well-formed but invalid,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Get operational intent reference with missing scope check
+
+If the DSS under test allows the fetching of an operational intent with valid credentials but a missing scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Get operational intent reference with incorrect scope check
+
+If the DSS under test allows the fetching of an operational intent with valid credentials but an incorrect scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Get operational intent reference with valid credentials check
+
+If the DSS does not allow fetching an operational intent when valid credentials are presented,
+it is in violation of **[astm.f3548.v21.DSS0005,1](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Mutate operational intent reference with missing credentials check
+
+If the DSS under test allows the mutation of an operational intent without any credentials being presented,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Mutate operational intent reference with invalid credentials check
+
+If the DSS under test allows the mutation of an operational intent with credentials that are well-formed but invalid,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Mutate operational intent reference with missing scope check
+
+If the DSS under test allows the mutation of an operational intent with valid credentials but a missing scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Mutate operational intent reference with incorrect scope check
+
+If the DSS under test allows the mutation of an operational intent with valid credentials but an incorrect scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Mutate operational intent reference with valid credentials check
+
+If the DSS does not allow the mutation of an operational intent when valid credentials are presented,
+it is in violation of **[astm.f3548.v21.DSS0005,1](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Delete operational intent reference with missing credentials check
+
+If the DSS under test allows the deletion of an operational intent without any credentials being presented,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Delete operational intent reference with invalid credentials check
+
+If the DSS under test allows the deletion of an operational intent with credentials that are well-formed but invalid,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Delete operational intent reference with missing scope check
+
+If the DSS under test allows the deletion of an operational intent with valid credentials but a missing scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Delete operational intent reference with incorrect scope check
+
+If the DSS under test allows the deletion of an operational intent with valid credentials but an incorrect scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Delete operational intent reference with valid credentials check
+
+If the DSS does not allow the deletion of an operational intent when valid credentials are presented,
+it is in violation of **[astm.f3548.v21.DSS0005,1](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Search operational intent references with missing credentials check
+
+If the DSS under test allows searching for operational intents without any credentials being presented,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Search operational intent references with invalid credentials check
+
+If the DSS under test allows searching for operational intents with credentials that are well-formed but invalid,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Search operational intent references with missing scope check
+
+If the DSS under test allows searching for operational intents with valid credentials but a missing scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Search operational intent references with incorrect scope check
+
+If the DSS under test allows searching for operational intents with valid credentials but an incorrect scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Search operational intent references with valid credentials check
+
+If the DSS does not allow searching for operational intents when valid credentials are presented,
+it is in violation of **[astm.f3548.v21.DSS0005,1](../../../../../requirements/astm/f3548/v21.md)**.
+
 ## [Cleanup](../clean_workspace.md)
 
 The cleanup phase of this test scenario removes the subscription with the known test ID if it has not been removed before.
@@ -6,6 +6,7 @@
 )
 
 from monitoring.monitorlib.auth import InvalidTokenSignatureAuth
+from monitoring.monitorlib.fetch import QueryError
 from monitoring.monitorlib.geotemporal import Volume4D
 from monitoring.monitorlib.infrastructure import UTMClientSession
 from monitoring.prober.infrastructure import register_resource_type
@@ -18,6 +19,9 @@
 from monitoring.uss_qualifier.scenarios.astm.utm.dss.authentication.generic import (
     GenericAuthValidator,
 )
+from monitoring.uss_qualifier.scenarios.astm.utm.dss.authentication.oir_api_validator import (
+    OperationalIntentRefAuthValidator,
+)
 from monitoring.uss_qualifier.scenarios.astm.utm.dss.authentication.sub_api_validator import (
     SubscriptionAuthValidator,
 )
@@ -37,7 +41,7 @@ class AuthenticationValidation(TestScenario):
     """
 
     SUB_TYPE = register_resource_type(
-        380, "Subscription, Operational Entity Id, Constraint"
+        381, "Subscription, Operational Entity Id, Constraint"
     )
 
     # Reuse the same ID for every type of entity.
@@ -132,6 +136,19 @@ def __init__(
             test_missing_scope=self._test_missing_scope,
         )
 
+        self._oir_validator = OperationalIntentRefAuthValidator(
+            scenario=self,
+            generic_validator=generic_validator,
+            dss=self._dss,
+            test_id=self._test_id,
+            planning_area=self._planning_area,
+            planning_area_volume4d=self._planning_area_volume4d,
+            no_auth_session=self._no_auth_session,
+            invalid_token_session=self._invalid_token_session,
+            test_wrong_scope=self._wrong_scope,
+            test_missing_scope=self._test_missing_scope,
+        )
+
     def run(self, context: ExecutionContext):
         self.begin_test_scenario(context)
         self._setup_case()
@@ -152,8 +169,15 @@ def run(self, context: ExecutionContext):
 
         self.begin_test_step("Subscription endpoints authentication")
         self._sub_validator.verify_sub_endpoints_authentication()
+
         self.end_test_step()
 
+        self.begin_test_step("Operational intents endpoints authentication")
+        self._oir_validator.verify_oir_endpoints_authentication()
+        self.end_test_step()
+
+        # TODO consider adding test cases for:
+        #  - valid credentials without the required scopes
         self.end_test_case()
         self.end_test_scenario()
 
@@ -173,6 +197,44 @@ def _ensure_clean_workspace_step(self):
         self.end_test_step()
 
     def _ensure_test_entities_dont_exist(self):
+
+        # Drop OIR's first: subscriptions may be tied to them and can't be deleted
+        # as long as they exist
+        # TODO cleanly move this into the test fragments once most of the open PRs are merged
+        with self.check(
+            "Operational intent references can be queried by ID", self._pid
+        ) as check:
+            try:
+                oir, q = self._dss.get_op_intent_reference(self._test_id)
+                self.record_query(q)
+            except QueryError as qe:
+                self.record_queries(qe.queries)
+                if qe.queries[0].response.status_code == 404:
+                    return  # All is good
+                else:
+                    query = qe.queries[0]
+                    check.record_failed(
+                        summary=f"Could not query OIR {self._test_id}",
+                        details=f"When attempting to query OIR {self._test_id} from the DSS, received {query.response.status_code}: {qe.msg}",
+                        query_timestamps=[query.request.timestamp],
+                    )
+
+        with self.check(
+            "Operational intent references can be deleted by their owner", self._pid
+        ):
+            try:
+                oir, subs, q = self._dss.delete_op_intent(oir.id, oir.ovn)
+                self.record_query(q)
+            except QueryError as qe:
+                self.record_queries(qe.queries)
+                query = qe.queries[0]
+                check.record_failed(
+                    summary=f"Could not remove op intent reference {self._test_id}",
+                    details=f"When attempting to remove op intent reference {self._test_id} from the DSS, received {query.status_code}: {qe.msg}",
+                    query_timestamps=[query.request.timestamp],
+                )
+                self._dss.delete_op_intent(oir.id, oir.ovn)
+
         test_step_fragments.cleanup_sub(self, self._dss, self._test_id)
 
     def _ensure_no_active_subs_exist(self):