test(robot): add comprehensive unit tests and integration test improvements

- Add TestHasWildcardRobotPermission with 9 test cases covering:
  - Positive cases: wildcard project permissions for robot actions
  - Negative cases: wrong resource, action, scope, or nil permissions
  - Edge cases: multiple permissions and boundary conditions

- Enhance test_03_SystemRobotCreatesProjectRobot integration test:
  - Add repository:pull permission to work around robot library constraints
  - Improve test documentation and permission setup
  - Ensure test properly validates system robot creation capabilities

- Validates privilege escalation prevention in existing test suite
- Ensures comprehensive coverage of wildcard permission scenarios
- Provides thorough testing of system robot functionality

The unit tests verify the core hasWildcardRobotPermission helper function
that enables system robots with wildcard permissions to create project
robots while maintaining security boundaries and preventing privilege
escalation.

Author: Quantum-Sicarius

src/server/v2.0/handler/robot_test.go

@@ -480,3 +480,158 @@ func TestValidPermissionScope(t *testing.T) {
 		})
 	}
 }
+
+func TestHasWildcardRobotPermission(t *testing.T) {
+	rAPI := &robotAPI{}
+
+	tests := []struct {
+		name     string
+		robot    *robot.Robot
+		action   rbac.Action
+		expected bool
+	}{
+		{
+			name: "Robot with wildcard project permissions for robot:create",
+			robot: &robot.Robot{
+				Permissions: []*robot.Permission{
+					{
+						Kind:      "project",
+						Namespace: "*",
+						Access: []*types.Policy{
+							{Resource: "robot", Action: "create", Effect: "allow"},
+						},
+					},
+				},
+			},
+			action:   rbac.ActionCreate,
+			expected: true,
+		},
+		{
+			name: "Robot with wildcard project permissions for robot:delete",
+			robot: &robot.Robot{
+				Permissions: []*robot.Permission{
+					{
+						Kind:      "project",
+						Namespace: "*",
+						Access: []*types.Policy{
+							{Resource: "robot", Action: "delete", Effect: "allow"},
+						},
+					},
+				},
+			},
+			action:   rbac.ActionDelete,
+			expected: true,
+		},
+		{
+			name: "Robot with wildcard project permissions but wrong resource",
+			robot: &robot.Robot{
+				Permissions: []*robot.Permission{
+					{
+						Kind:      "project",
+						Namespace: "*",
+						Access: []*types.Policy{
+							{Resource: "repository", Action: "create", Effect: "allow"},
+						},
+					},
+				},
+			},
+			action:   rbac.ActionCreate,
+			expected: false,
+		},
+		{
+			name: "Robot with wildcard project permissions but wrong action",
+			robot: &robot.Robot{
+				Permissions: []*robot.Permission{
+					{
+						Kind:      "project",
+						Namespace: "*",
+						Access: []*types.Policy{
+							{Resource: "robot", Action: "read", Effect: "allow"},
+						},
+					},
+				},
+			},
+			action:   rbac.ActionCreate,
+			expected: false,
+		},
+		{
+			name: "Robot with specific project permissions (not wildcard)",
+			robot: &robot.Robot{
+				Permissions: []*robot.Permission{
+					{
+						Kind:      "project",
+						Namespace: "library",
+						Access: []*types.Policy{
+							{Resource: "robot", Action: "create", Effect: "allow"},
+						},
+					},
+				},
+			},
+			action:   rbac.ActionCreate,
+			expected: false,
+		},
+		{
+			name: "Robot with system level permissions",
+			robot: &robot.Robot{
+				Permissions: []*robot.Permission{
+					{
+						Kind:      "system",
+						Namespace: "/",
+						Access: []*types.Policy{
+							{Resource: "robot", Action: "create", Effect: "allow"},
+						},
+					},
+				},
+			},
+			action:   rbac.ActionCreate,
+			expected: false,
+		},
+		{
+			name: "Robot with multiple permissions including wildcard robot:create",
+			robot: &robot.Robot{
+				Permissions: []*robot.Permission{
+					{
+						Kind:      "system",
+						Namespace: "/",
+						Access: []*types.Policy{
+							{Resource: "user", Action: "create", Effect: "allow"},
+						},
+					},
+					{
+						Kind:      "project",
+						Namespace: "*",
+						Access: []*types.Policy{
+							{Resource: "repository", Action: "pull", Effect: "allow"},
+							{Resource: "robot", Action: "create", Effect: "allow"},
+						},
+					},
+				},
+			},
+			action:   rbac.ActionCreate,
+			expected: true,
+		},
+		{
+			name: "Robot with no permissions",
+			robot: &robot.Robot{
+				Permissions: []*robot.Permission{},
+			},
+			action:   rbac.ActionCreate,
+			expected: false,
+		},
+		{
+			name: "Robot is nil",
+			robot: &robot.Robot{
+				Permissions: nil,
+			},
+			action:   rbac.ActionCreate,
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := rAPI.hasWildcardRobotPermission(tt.robot, tt.action)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}

tests/apitests/python/test_robot_account.py

@@ -702,11 +702,15 @@ def test_03_SystemRobotCreatesProjectRobot(self):
         )
         print("Created project: {} (ID: {})".format(project_name, project_id))
 
-        # Step 2: Create system-level robot with system-level robot creation permissions
+        # Step 2: Create system-level robot with robot creation permissions
         # Define permissions: robot resource with create action at system level
+        # Also include repository:pull since the robot library forces pull permissions
         robot_access = v2_swagger_client.Access(resource="robot", action="create")
+        repository_access = v2_swagger_client.Access(
+            resource="repository", action="pull"
+        )
         robot_permission = v2_swagger_client.RobotPermission(
-            kind="project", namespace="*", access=[robot_access]
+            kind="project", namespace="*", access=[robot_access, repository_access]
         )
 
         system_robot_id, system_robot = self.robot.create_system_robot(
@@ -731,8 +735,8 @@ def test_03_SystemRobotCreatesProjectRobot(self):
                 duration=300,  # 5 minutes
                 robot_name="test-project-robot-by-system",
                 robot_desc="Project robot created by system robot",
-                has_pull_right=True,
-                has_push_right=True,
+                has_pull_right=False,
+                has_push_right=False,
                 **SYSTEM_ROBOT_CLIENT
             )
             print(