Add Redis Storage Integration Tests with Testcontainers

[tgrunnagle]

Depends on #3639
Closes #3629

Summary

Adds comprehensive integration tests for the Redis Sentinel storage backend using testcontainers-go. These tests validate the RedisStorage implementation against a real Redis Sentinel cluster (1 primary + 2 replicas + 3 sentinels), covering behavior that cannot be verified with the miniredis mock used in unit tests—including Sentinel failover, ACL authentication, real TTL expiration, and concurrent access under actual network conditions.

Changes Made

Integration Test Suite (pkg/authserver/storage/redis_integration_test.go)

• Added testcontainers-based Redis Sentinel cluster setup (1 primary, 2 replicas, 3 sentinels) with Docker network isolation
• Configured ACL user authentication (~thv:* key pattern restriction) on all Redis nodes
• Implemented custom Dialer address translation to work around Docker-internal IPs being unreachable from macOS hosts
• Used TestMain for shared cluster lifecycle with graceful skip when Docker is unavailable

Storage Interface Coverage

• Full CRUD tests for all Storage interface methods: clients, authorization codes, access tokens, refresh tokens, PKCE, upstream tokens, pending authorizations, users, and provider identities
• Token rotation and revocation tests (including grace period revocation)
• Session round-trip test verifying JWT claims survive serialization through real Redis
• Cascade deletion test (deleting a user removes associated identities and upstream tokens)

Sentinel-Specific Tests

• Sentinel connection verification (write/read through Sentinel-routed connection)
• Failover test: writes data, waits for replication (WAIT 1 5000), triggers failover, verifies data survives and new writes succeed on the promoted primary

ACL Authentication Tests

• Valid credentials succeed for thv:* key operations
• Invalid username and invalid password are rejected
• Key pattern restriction enforced (writes to non-thv:* keys are denied)

TTL and Expiration Tests

• Access tokens expire via real Redis TTL (not cleanup goroutine)
• JTI entries expire and become valid again after TTL
• Redis TTL values match session expiration times

Concurrent Access Tests

• 50 concurrent writes to different keys with verification
• Mixed concurrent reads and writes
• Concurrent client registration and lookup

Edge Cases

• Unicode characters in user IDs and provider subjects (CJK, accented, emoji)

Implementation Details

• Tests use //go:build integration tag, excluded from task test by default
• Each subtest gets an isolated key prefix via DeriveKeyPrefix("inttest", sanitizedTestName) to prevent cross-test interference
• All subtests run in parallel via the withIntegrationStorage helper
• The failover test is intentionally non-parallel since it modifies cluster topology

Testing

• 18 test functions covering all Storage interface methods plus Sentinel, ACL, TTL, concurrency, and Unicode edge cases
• Run with: go test -tags integration -v -timeout 5m ./pkg/authserver/storage/
• Tests skip gracefully when Docker is unavailable
• testcontainers-go dependency added to go.mod

Large PR Justification

• Adds integration test suite for a single interface

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.83%. Comparing base (c8f2254) to head (c3ca707).
⚠️ Report is 16 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3785      +/-   ##
==========================================
+ Coverage   66.78%   66.83%   +0.05%     
==========================================
  Files         437      438       +1     
  Lines       43002    43321     +319     
==========================================
+ Hits        28718    28954     +236     
- Misses      12078    12123      +45     
- Partials     2206     2244      +38     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

[jhrozek]

I think it's fine merging the test as-is but it wasn't clear to me how the tests are ran..