Commit 312f3bb

Author: Agent
Add OIDC authentication to integration tests
Deploys Dex (OIDC provider) and an in-memory ldaptor LDAP server alongside CTS in the EaaS pipeline and exercises the full mod_auth_openidc -> load_openidc_user -> get_user_info -> query_ldap_groups -> has_role auth stack end-to-end.

Pipeline changes (.tekton/integration-test-eaas.yaml):
- New deploy-openldap task: deploys a Python/ldaptor in-memory LDAP server that runs as an arbitrary UID (no root / SCC changes required) on port 1389. Uses python3 -m ensurepip before pip to handle images that ship without pip. Serves cn=cts-builders posixGroup with memberUid=builder for query_ldap_groups.
- New deploy-dex task: generates a self-signed CA + server cert (SAN: DNS:dex), stores them in dex-tls / dex-ca Secrets, and deploys Dex over HTTPS on 5556.
- Updated deploy-cts: waits for both auxiliary services; sets AUTH_BACKEND=oidc_or_kerberos, AUTH_OPENIDC_USERINFO_URI, AUTH_LDAP_SERVER/GROUPS, ADMINS, ALLOWED_BUILDERS. httpd.conf uses OIDCOAuthVerifyJwksUri https://dex:5556/keys with AuthType split (<If Bearer / <Else>) and OIDCOAuthUnAuthAction pass so unauthenticated GETs reach the app while unauthenticated POSTs return 401. SetEnv OIDC_CLAIM_scope "openid" provides the scope fallback Dex omits from JWT payloads. CTS init container and main container install the Dex CA into the system trust store.
- Updated run-tests: installs the Dex CA, installs pytest + requests, passes AUTH_BACKEND=oidc_or_kerberos and DEX_URL=https://dex:5556 to pytest.

Test changes (tests/test_integration_api.py):
- AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer on every request.
- _get_oidc_token(): obtains an access token from Dex via ROPC grant.
- write_http_client fixture: returns AuthHTTPClient under oidc_or_kerberos, plain HTTPClient in noauth mode; used by pre-existing workflow tests.
- Four new auth-specific tests (skipped when AUTH_BACKEND is noauth/unset): unauthenticated write -> 401, authorised write -> 2xx, unauthorised write -> 403, unauthenticated GET -> 2xx.

Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)
1 parent 6552ee2 commit 312f3bb

2 files changed

Lines changed: 659 additions & 34 deletions
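The four status checks listed in the commit message can be reproduced offline with the sketch below, which is an added example and not code from this commit. It assumes a constructed loopback stub over plain HTTP in place of Dex and CTS; `Stub`, `send`, `run_demo`, the `/api` path, the `guest` user and the `constructed-*` values are hypothetical, and `get_oidc_token` only mirrors the name of the commit's helper.

```python
import json, threading, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never proxy loopback

class Stub(BaseHTTPRequestHandler):  # constructed stand-in: token endpoint + protected app
    def reply(self, code, body=None):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(json.dumps(body or {}).encode())
    def do_GET(self):
        self.reply(200)  # reads stay open to unauthenticated callers
    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        auth = self.headers.get("Authorization", "")
        if self.path == "/token":  # ROPC grant: credentials go straight to the token endpoint
            ok = form.get("grant_type") == ["password"] and form.get("password") == ["constructed-pw"]
            body = {"access_token": "tok-" + form.get("username", ["?"])[0]} if ok else {"error": "invalid_grant"}
            self.reply(200 if ok else 400, body)
        elif not auth.startswith("Bearer "):
            self.reply(401)  # write without credentials
        else:  # authenticated; only the constructed "builder" identity holds the role
            self.reply(200 if auth == "Bearer tok-builder" else 403)
    log_message = lambda self, *args: None  # keep the stub quiet

def send(url, method, token=None, form=None):
    data = urllib.parse.urlencode(form or {}).encode() if method == "POST" else None
    headers = {"Authorization": "Bearer " + token} if token else {}  # bearer injection
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with OPENER.open(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 4xx is a result here, not a failure
        return err.code, json.load(err)

def get_oidc_token(base, username, password):
    form = {"grant_type": "password", "scope": "openid", "client_id": "constructed-client",
            "username": username, "password": password}
    return send(base + "/token", "POST", form=form)[1]["access_token"]

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        builder, guest = (get_oidc_token(base, u, "constructed-pw") for u in ("builder", "guest"))
        cases = {"unauthenticated write": ("POST", None), "authorised write": ("POST", builder),
                 "unauthorised write": ("POST", guest), "unauthenticated GET": ("GET", None)}
        return {name: send(base + "/api", m, tok)[0] for name, (m, tok) in cases.items()}
    finally:
        server.shutdown()
```

Calling `run_demo()` returns the status code observed for each of the four cases, which keeps the 401 (no credentials) and 403 (valid token, missing role) outcomes distinct.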
