Skip to content

Update README and template #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: devel
Choose a base branch
from
+144 −223
Open

Update README and template #57

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
106971d
Update README and template
SergioLangaritaBenitez Oct 22, 2025
c28f023
rename files
SergioLangaritaBenitez Oct 22, 2025
4ebbb16
AAI_VO to AAI_GROUP
SergioLangaritaBenitez Oct 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 23 additions & 13 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,27 +26,37 @@ You can install it by following the [documentation](https://docs.oscar.grycap.ne

### 🧑‍💻 Setting Up the Configuration File

The test suite uses environment variables to store sensitive information such as endpoints and credentials.
The test suite uses environment variables to store sensitive information such as endpoints and credentials. I'd recommend that you have two environment files. The first includes the cluster information, and the second contains the authentication process credentials. This way, you can switch between authentication processes such as EGI-CheckIn or Keycloak. Also, you can create one environment file that contains all the information.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you recommend two environment files, include templates for the two files (now we have a single .env-template.yaml file). Include the attributes in each file with sample fake values. Also, include an example on how to specify the two files to the robot command.


Create a `.env.yaml` file according to the template shown in `env-template.yaml`

The following information is required:

The following information is required about the cluster information:
- `OSCAR_ENDPOINT`: The endpoint of the OSCAR cluster (e.g. https://mycluster.oscar.grycap.net)
- `OSCAR_METRICS`: The endpoint of the OSCAR metrics.
- `OSCAR_DASHBOARD`: The endpoint of the OSCAR UI (dashboard).
- `BASIC_USER:`: Base64-encoded information of the authentication for the 'oscar' user (echo -n "oscar:password" | base64)
- `EGI_AAI_URL`: The base URL of the EGI AAI (Authentication and Authorisation Infrastructure) server.
- For the production server, use `https://aai.egi.eu`.
- For the demo server, use `https://aai-demo.egi.eu`.
- `REFRESH_TOKEN`: The OIDC token used to automate the execution of the test suite. In order to get a Refresh Token, head to the [Check-in Token Portal](https://aai.egi.eu/token/) or [Demo Check-in Token Portal](https://aai-demo.egi.eu/token/), click **Authorise** and then **Create Refresh Token** button to generate a new token.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the description it looks like refresh tokens can only be used with EGI Check-In. These should be possible to use also from Keycloak.

- `EGI_VO`: The virtual organization used to test the OSCAR cluster.
- `FIRST_USER`: User ID
- `FIRST_USER_ID`: Get the first 10 characters of FIRST_USER (e.g. FIRST_USER: 1234567890987654321 -> FIRST_USER_ID: 1234567890)
- `REFRESH_TOKEN_SECOND_USER`: The OIDC token of the second user used to automate the execution
- `SECOND_USER`: User ID of the second user
- `SECOND_USER_ID`: Get the first 10 characters of SECOND_USER

The next parameters are required to configure the authentication process:
- `AUTHENTICATION_PROCESS`: This parameter selects the authentication process between EGI `resources/token-egi.resource` and Keycloak `resources/token-keycloak.resource`. **ALWAYS REQUIRED**.
- `AAI_URL`: The URL token of the AAI (Authentication and Authorisation Infrastructure) server. **ALWAYS REQUIRED**.
- For the EGI production server, use `https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token`.
- For the EGI demo server, use `https://aai-demo.egi.eu/auth/realms/egi/protocol/openid-connect/token`.
- `AAI_GROUP`: The virtual organization used to test the OSCAR cluster. **ALWAYS REQUIRED**.
- `CLIENT_ID`: Client ID of Keycloak. Only needed in Keycloak.
- `SCOPE`: Scope of Keycloak. Only needed in Keycloak.
- `FIRST_USER`: User ID. **ALWAYS REQUIRED**.
- `REFRESH_TOKEN`: The OIDC token used to automate the execution of the test suite. In order to get a Refresh Token, head to the [Check-in Token Portal](https://aai.egi.eu/token/) or [Demo Check-in Token Portal](https://aai-demo.egi.eu/token/), click **Authorise** and then **Create Refresh Token** button to generate a new token. Only used in EGI.
- `KEYCLOAK_USERNAME` and `KEYCLOAK_PASSWORD`: The user/password Keycloak authentication. Only used in Keycloak.

In case you are testing isolation or visibility, you have to add a second user:
- `SECOND_USER`: User ID of the second user. **ALWAYS REQUIRED**.
- `REFRESH_TOKEN_SECOND_USER`: The OIDC token of the second user used to automate the execution.
- `KEYCLOAK_USERNAME_AUX` and `KEYCLOAK_PASSWORD_AUX`: The user/password of a second user in Keycloak.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You used "SECOND_USER" before, and here you are using "AUX" to refer to the second user. I suggest that the second user is referred to as "OTHER_USER" and maintain just "USER" for the first user.


In case you are testing the mount feat using an external OSCAR cluster add,:
- `OSCAR_EXTERNAL`: Endpoint of an external OSCAR cluster.
- `MINIO_EXTERNAL`: MinIO endpoint of external OSCAR cluster.
- `MINIO_SECRET_KEY`: Secret Key of `FIRST_USER` used the `MINIO_EXTERNAL`.


### 🧪 Running Tests
Expand Down
2 changes: 1 addition & 1 deletion resources/files.resource
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ Library yaml

*** Variables ***
${OSCAR_ENDPOINT} ${OSCAR_ENDPOINT}
${VO} ${AAI_VO}
${VO} ${AAI_GROUP}
${DATA_DIR} ${EXECDIR}/data
${INVOKE_FILE_NAME} 00-cowsay-invoke-body.json
${INVOKE_FILE} ${DATA_DIR}/${INVOKE_FILE_NAME}
Expand Down
78 changes: 78 additions & 0 deletions resources/token-egi.resource
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
*** Settings ***
Documentation Shared keywords and variables for handling OIDC authentication

Library Collections
Library DateTime
Library Process
Library RequestsLibrary
Library JSONLibrary


*** Variables ***
${REFRESH_TOKEN} ${REFRESH_TOKEN}
${TOKEN_URL} ${AAI_URL}
${CLIENT_ID} token-portal
${SCOPE} openid%20email%20profile%20voperson_id%20eduperson_entitlement


*** Keywords ***
Check Valid OIDC Token
[Documentation] Get the access token
[Tags] create delete
${token}= Get Access Token
Check JWT Expiration ${token}

Get Access Token
[Documentation] Retrieve OIDC token using a refresh token
${result}= Run Process curl -s -X POST '${TOKEN_URL}' -d
... 'grant_type\=refresh_token&refresh_token\=${REFRESH_TOKEN}&client_id\=${CLIENT_ID}&scope\=${SCOPE}'
... shell=True stdout=True stderr=True
${json_output}= Convert String To Json ${result.stdout}
${access_token}= Get Value From Json ${json_output} $.access_token
VAR ${access_token}= ${access_token}[0]
Log Access Token: ${access_token}
VAR &{HEADERS}= Authorization=Bearer ${access_token} Content-Type=text/json Accept=application/json
... scope=SUITE
VAR &{HEADERS_OSCAR}= Authorization=Basic ${BASIC_USER} Content-Type=text/json Accept=application/json
... scope=SUITE
RETURN ${access_token}

Decode JWT Token
[Documentation] Decode a JWT token and returns its payload
[Arguments] ${token}
${decoded}= Evaluate
... jwt.decode('${token}', options={"verify_signature": False}, algorithms=["HS256", "RS256"])
RETURN ${decoded}

Check JWT Expiration
[Documentation] Check if the given JWT token is expired
[Arguments] ${token}
${decoded_token}= Decode JWT Token ${token}
Log ${decoded_token}
${expiry_time}= Get From Dictionary ${decoded_token} exp
Log Token Expiration Time: ${expiry_time}
${current_time}= Get Current Date result_format=epoch
Log Current Time: ${current_time}
Should Be True ${expiry_time} > ${current_time} Token is expired


Checks Valids OIDC Token
[Documentation] Get the access token
${result}= Run Process curl -s -X POST '${TOKEN_URL}' -d
... 'grant_type\=refresh_token&refresh_token\=${REFRESH_TOKEN}&client_id\=${CLIENT_ID}&scope\=${SCOPE}'
... shell=True stdout=True stderr=True
${json_output}= Convert String To Json ${result.stdout}
${token}= Get Value From Json ${json_output} $.access_token
VAR ${token}= ${token}[0]
Check JWT Expiration ${token}
VAR &{HEADERS}= Authorization=Bearer ${token} Content-Type=text/json Accept=application/json
... scope=SUITE
${result}= Run Process curl -s -X POST '${TOKEN_URL}' -d
... 'grant_type\=refresh_token&refresh_token\=${REFRESH_TOKEN_SECOND_USER}&client_id\=${CLIENT_ID}&scope\=${SCOPE}'
... shell=True stdout=True stderr=True
${json_output}= Convert String To Json ${result.stdout}
${token2}= Get Value From Json ${json_output} $.access_token
VAR ${token2}= ${token2}[0]
Check JWT Expiration ${token2}
VAR &{HEADERS2}= Authorization=Bearer ${token2} Content-Type=text/json Accept=application/json
... scope=SUITE
195 changes: 0 additions & 195 deletions tests/oscar_mount_external.robot
View file
Open in desktop

This file was deleted.

Loading