Commit 37bad18
Add OIDC authentication to integration tests (#75)
* Add OIDC authentication to integration tests
Deploys Dex (OIDC provider) and a Python/ldaptor in-memory LDAP server
alongside CTS in the EaaS pipeline and exercises the full
mod_auth_openidc → load_openidc_user → get_user_info → query_ldap_groups
→ has_role auth stack end-to-end.
Pipeline changes (.tekton/integration-test-eaas.yaml):
- New deploy-openldap task: in-memory LDAP server (ldaptor) serving the
cts-builders posixGroup, runs without root on any UID
- New deploy-dex task: Dex with TLS (self-signed CA), password connector,
static OAuth2 client cts-integration
- Updated deploy-cts: AUTH_BACKEND=oidc_or_kerberos, httpd.conf with
AuthType oauth20 / OIDCOAuthVerifyJwksUri / OIDCCABundlePath for bearer
token validation; SetEnv OIDC_CLAIM_scope scoped to Bearer requests only
- Updated run-tests: passes AUTH_BACKEND=oidc_or_kerberos; installs
requests; writes Dex CA to /tmp and sets REQUESTS_CA_BUNDLE
Test changes (tests/test_integration_api.py):
- AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer
- _get_oidc_token(): obtains a real access token from Dex via ROPC grant
- _make_ssl_context(): builds an SSLContext from REQUESTS_CA_BUNDLE for
use with urllib.request.urlopen
- write_http_client fixture: returns AuthHTTPClient under OIDC or plain
HTTPClient in noauth mode; pre-existing workflow tests use it
- Four new tests (all four explicitly skip when not _is_oidc_backend()):
  - test_auth_unauthenticated_write_returns_401
  - test_auth_builder_can_post_compose
  - test_auth_unauthorized_user_returns_403
  - test_auth_get_endpoints_accessible_without_token
Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)
* Eliminate duplication in integration test http client
The authenticated client only needs to add an extra header, no need to
duplicate the whole method. A hook is added that allows subclasses to
modify the request before it gets sent.
Assisted-By: OpenCode (google-vertex-anthropic/claude-opus-4-6)
* Drop unused test skips
Two integration tests are already skipped on non-OIDC runs by the
fixtures. There's no need to explicitly skip in the test itself too.
The test for validating unauthenticated GET requests drops the skip too.
The behavior makes sense even in noauth mode; GET requests should still
succeed.
The only test that really needs the explicit skip is the unauthenticated
POST, which would otherwise fail in noauth mode (the request would be
allowed).
Assisted-By: OpenCode (google-vertex-anthropic/claude-opus-4-6)
---------
Co-authored-by: Agent <noreply@redhat.com>
1 parent 2d303e8 commit 37bad18
2 files changed
Lines changed: 657 additions & 34 deletions
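The client-side pieces the commit message describes (CA-pinned SSL context, ROPC token request, and a request hook that lets the authenticated client add only the Bearer header), as an added sketch that is not the project's code. Function and class names follow the commit message with leading underscores dropped; the `_prepare_request` hook name, `build_request`, `build_ropc_request`, the constructor signatures, the `openid` scope and sending the client credentials in the form body are assumptions.

```python
import os
import ssl
import urllib.parse
import urllib.request


def make_ssl_context():
    # Assumed behaviour: trust the CA file named by REQUESTS_CA_BUNDLE, or the
    # system store when unset. CERT_REQUIRED and hostname checks stay enabled.
    return ssl.create_default_context(cafile=os.environ.get("REQUESTS_CA_BUNDLE"))


def build_ropc_request(token_url, client_id, client_secret, username, password):
    # RFC 6749 section 4.3 password grant: the client handles the user's
    # password directly, so keep this to throwaway test accounts.
    form = {"grant_type": "password", "username": username, "password": password,
            "client_id": client_id, "client_secret": client_secret, "scope": "openid"}
    return urllib.request.Request(
        token_url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


class HTTPClient:
    def __init__(self, base_url, context=None):
        self.base_url = base_url.rstrip("/")
        self.context = context

    def _prepare_request(self, req):
        # Hypothetical hook name: subclasses adjust the request before sending.
        return req

    def build_request(self, method, path, body=None):
        req = urllib.request.Request(self.base_url + path, data=body, method=method)
        return self._prepare_request(req)

    def send(self, method, path, body=None):
        req = self.build_request(method, path, body)
        return urllib.request.urlopen(req, context=self.context)


class AuthHTTPClient(HTTPClient):
    def __init__(self, base_url, token, context=None):
        super().__init__(base_url, context)
        self._token = token

    def _prepare_request(self, req):
        # The only difference from the plain client is this one header.
        req.add_header("Authorization", f"Bearer {self._token}")
        return req
```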