Commit 312f3bb
Agent
Add OIDC authentication to integration tests

Deploys Dex (OIDC provider) and an in-memory ldaptor LDAP server alongside
CTS in the EaaS pipeline and exercises the full mod_auth_openidc ->
load_openidc_user -> get_user_info -> query_ldap_groups -> has_role auth
stack end-to-end.

Pipeline changes (.tekton/integration-test-eaas.yaml):
- New deploy-openldap task: deploys a Python/ldaptor in-memory LDAP server
  that runs as an arbitrary UID (no root / SCC changes required) on port 1389.
  Uses python3 -m ensurepip before pip to handle images that ship without pip.
  Serves cn=cts-builders posixGroup with memberUid=builder for query_ldap_groups.
- New deploy-dex task: generates a self-signed CA + server cert (SAN: DNS:dex),
  stores them in dex-tls / dex-ca Secrets, and deploys Dex over HTTPS on 5556.
- Updated deploy-cts: waits for both auxiliary services; sets
  AUTH_BACKEND=oidc_or_kerberos, AUTH_OPENIDC_USERINFO_URI,
  AUTH_LDAP_SERVER/GROUPS, ADMINS, ALLOWED_BUILDERS. httpd.conf uses
  OIDCOAuthVerifyJwksUri https://dex:5556/keys with AuthType split
  (<If Bearer / <Else>) and OIDCOAuthUnAuthAction pass so unauthenticated
  GETs reach the app while unauthenticated POSTs return 401.
  SetEnv OIDC_CLAIM_scope "openid" provides the scope fallback Dex omits from
  JWT payloads. CTS init container and main container install the Dex CA into
  the system trust store.
- Updated run-tests: installs the Dex CA, installs pytest + requests, passes
  AUTH_BACKEND=oidc_or_kerberos and DEX_URL=https://dex:5556 to pytest.

Test changes (tests/test_integration_api.py):
- AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer on
  every request.
- _get_oidc_token(): obtains an access token from Dex via ROPC grant.
- write_http_client fixture: returns AuthHTTPClient under oidc_or_kerberos,
  plain HTTPClient in noauth mode; used by pre-existing workflow tests.
- Four new auth-specific tests (skipped when AUTH_BACKEND is noauth/unset):
  unauthenticated write -> 401, authorised write -> 2xx, unauthorised write
  -> 403, unauthenticated GET -> 2xx.

Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)

1 parent 6552ee2 commit 312f3bb
2 files changed
Lines changed: 659 additions & 34 deletions
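
The four auth outcomes listed in the commit message, as an added example that is not code from this commit or from the CTS project: a local stub server enforces the described policy and a bearer-injecting client subclass exercises it. `StubCTS`, `TOKENS`, the `tok-*` values, the `/w` and `/r` paths and `run_matrix` are hypothetical; `HTTPClient` and `AuthHTTPClient` reuse names from the message but are reimplemented here on the standard library, with opaque constructed tokens standing in for Dex-issued JWTs.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-ins: opaque tokens mapped to users, and a builder allow-list.
TOKENS = {"tok-builder": "builder", "tok-guest": "guest"}
ALLOWED_BUILDERS = {"builder"}

class StubCTS(BaseHTTPRequestHandler):
    """Stub enforcing the policy the commit message describes; not the real CTS."""
    def _reply(self, code):
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_GET(self):
        self._reply(200)  # unauthenticated reads reach the app
    def do_POST(self):
        auth = self.headers.get("Authorization", "")
        user = TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
        # 401: missing or unknown token; 403: authenticated but not an allowed builder
        self._reply(401 if user is None else 201 if user in ALLOWED_BUILDERS else 403)

class HTTPClient:
    def __init__(self, addr):
        self.addr = addr
    def headers(self):
        return {}
    def request(self, method, path):
        conn = http.client.HTTPConnection(*self.addr, timeout=5)
        conn.request(method, path, headers=self.headers())
        status = conn.getresponse().status
        conn.close()
        return status

class AuthHTTPClient(HTTPClient):  # injects Authorization: Bearer on every request
    def __init__(self, addr, token):
        super().__init__(addr)
        self.token = token
    def headers(self):
        return {"Authorization": "Bearer " + self.token}

def run_matrix():
    """Return status codes for: unauth write, authorised write, unauthorised write, unauth GET."""
    with HTTPServer(("127.0.0.1", 0), StubCTS) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        addr = server.server_address
        anon, ok, bad = HTTPClient(addr), AuthHTTPClient(addr, "tok-builder"), AuthHTTPClient(addr, "tok-guest")
        codes = [anon.request("POST", "/w"), ok.request("POST", "/w"), bad.request("POST", "/w"), anon.request("GET", "/r")]
        server.shutdown()
        return codes
```

Keeping the 401 and 403 cases as separate assertions catches a proxy or app change that collapses "no credentials" and "valid credentials, missing role" into one response.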