Allow larger logs from acceptance tests and implement experimental OIDC refresh

Author: nfx

acceptance/ecosystem/report.go

@@ -29,11 +29,16 @@ func (tr TestResult) Failed() bool {
 	return !tr.Pass && !tr.Skip
 }
 
-func (tr TestResult) Summary() string {
+func (tr TestResult) Summary(cap int) string {
+	out, padding := tr.Output, 512
+	diff := len(out) + padding - cap
+	if diff > 0 {
+		out = fmt.Sprintf("... (skipped %d bytes)\n%s", diff, out[diff:])
+	}
 	res := []string{}
 	res = append(res, "<details>")
 	res = append(res, fmt.Sprintf("<summary>%s</summary>", tr))
-	res = append(res, fmt.Sprintf("\n```\n%s\n```\n", tr.Output))
+	res = append(res, fmt.Sprintf("\n```\n%s\n```\n", out))
 	res = append(res, "</details>")
 	return strings.Join(res, "\n")
 }
@@ -148,13 +153,24 @@ func (r TestReport) String() string {
 	return fmt.Sprintf("%s %s", emoji, strings.Join(parts, ", "))
 }
 
+const CommentMaxSize = 65536
+
 func (r TestReport) StepSummary() string {
-	res := []string{r.String()}
+	res, failures, maybeOutput, padding := []string{r.String()}, []TestResult{}, 0, 1024
 	for _, v := range r {
 		if !v.Failed() {
 			continue
 		}
-		res = append(res, v.Summary())
+		failures = append(failures, v)
+		maybeOutput += len(v.Summary(CommentMaxSize))
+	}
+	summaryCap := CommentMaxSize - len(strings.Join(res, "\n")) - padding
+	if maybeOutput > (CommentMaxSize - padding) {
+		// if the output is too large, truncate the summaries up to a fraction of the total size
+		summaryCap /= len(failures)
+	}
+	for _, v := range failures {
+		res = append(res, v.Summary(summaryCap))
 	}
 	if r.Flaky() {
 		res = append(res, "\nFlaky tests:\n")

acceptance/main.go

@@ -148,7 +148,7 @@ func (a *acceptance) notifyIfNeeded(ctx context.Context, alert *notify.Notificat
 				}
 				err := a.CreateOrCommentOnIssue(ctx, github.NewIssue{
 					Title:  fmt.Sprintf("Test failure: `%s`", v.Name),
-					Body:   v.Summary(),
+					Body:   v.Summary(ecosystem.CommentMaxSize),
 					Labels: []string{"bug"},
 				})
 				if err != nil {

acceptance/shim.js

@@ -1,4 +1,4 @@
-const version = 'v0.2.2';
+const version = 'v0.3.0';
 const action = 'acceptance';
 
 const { createWriteStream, chmodSync } = require('fs');

acceptance/testenv/githubOidc.go

@@ -23,27 +23,38 @@ func NewWithGitHubOIDC(a *githubactions.Action, vaultURI string) *vaultEnv {
 	}
 }
 
-type ghOidcCreds struct {
-	a *githubactions.Action
+type ghOidcProxy struct {
+	ctx      context.Context
+	a        *githubactions.Action
+	resource string
 }
 
-func (c *ghOidcCreds) oidcTokenSource(ctx context.Context, resource string) (oauth2.TokenSource, error) {
-	// TODO: at the moment, ID token expires in 1 hour, so we need to rewrite the logic to refresh it
-	clientAssertion, err := c.a.GetIDToken(ctx, "api://AzureADTokenExchange")
+func (c *ghOidcProxy) Token() (*oauth2.Token, error) {
+	clientAssertion, err := c.a.GetIDToken(c.ctx, "api://AzureADTokenExchange")
 	if err != nil {
 		return nil, fmt.Errorf("id token: %w", err)
 	}
 	clientID := c.a.Getenv("ARM_CLIENT_ID")
 	tenantID := c.a.Getenv("ARM_TENANT_ID")
-	return (&clientcredentials.Config{
+	creds := (&clientcredentials.Config{
 		ClientID: clientID,
 		TokenURL: fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/token", tenantID),
 		EndpointParams: url.Values{
 			"client_assertion_type": []string{"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
 			"client_assertion":      []string{clientAssertion},
-			"resource":              []string{resource},
+			"resource":              []string{c.resource},
 		},
-	}).TokenSource(ctx), nil
+	}).TokenSource(c.ctx)
+	refresher := oauth2.ReuseTokenSource(nil, creds)
+	return refresher.Token()
+}
+
+type ghOidcCreds struct {
+	a *githubactions.Action
+}
+
+func (c *ghOidcCreds) oidcTokenSource(ctx context.Context, resource string) (oauth2.TokenSource, error) {
+	return &ghOidcProxy{ctx: ctx, a: c.a, resource: resource}, nil
 }
 
 func (c *ghOidcCreds) Name() string {

acceptance/testenv/loaded.go

@@ -2,6 +2,7 @@ package testenv
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -150,15 +151,47 @@ func (l *loadedEnv) metadataServer(seed *config.Config) *httptest.Server {
 				Message:   "Wrong Authorization header",
 			})
 		}
+		// try parse expiry date from JWT token
+		exp, err := l.parseExpiryDate(ctx, accessToken)
+		if err != nil {
+			logger.Errorf(ctx, "parse expiry date: %s", err)
+			exp = time.Now().Add(2 * time.Minute).Unix()
+		}
 		l.replyJson(ctx, w, 200, msiToken{
 			TokenType:   tokenType,
 			AccessToken: accessToken,
-			// TODO: get the real expiry of the token (if we can)
-			ExpiresOn: json.Number(fmt.Sprint(time.Now().Add(2 * time.Minute).Unix())),
+			ExpiresOn:   json.Number(fmt.Sprint(exp)),
 		})
 	}))
 }
 
+func (l *loadedEnv) parseExpiryDate(ctx context.Context, tokenString string) (int64, error) {
+	parts := strings.Split(tokenString, ".")
+	if len(parts) != 3 {
+		return 0, fmt.Errorf("invalid token format")
+	}
+	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return 0, fmt.Errorf("payload: %v", err)
+	}
+	var claims map[string]interface{}
+	err = json.Unmarshal(payload, &claims)
+	if err != nil {
+		return 0, fmt.Errorf("json: %v", err)
+	}
+	exp, ok := claims["exp"].(float64)
+	if ok {
+		logger.Debugf(ctx, "exp is float64: %d", exp)
+		return int64(exp), nil
+	}
+	expInt, ok := claims["exp"].(int64)
+	if ok {
+		logger.Debugf(ctx, "exp is int64: %d", expInt)
+		return expInt, nil
+	}
+	return 0, fmt.Errorf("not found")
+}
+
 func (l *loadedEnv) replyJson(ctx context.Context, w http.ResponseWriter, status int, body any) {
 	msg := "<token response>"
 	apiErrBody, ok := body.(apierr.APIErrorBody)