Commit 37bad18

lubomir and Agent authored
Add OIDC authentication to integration tests (#75)
* Add OIDC authentication to integration tests

  Deploys Dex (OIDC provider) and a Python/ldaptor in-memory LDAP server alongside CTS in the EaaS pipeline and exercises the full mod_auth_openidc → load_openidc_user → get_user_info → query_ldap_groups → has_role auth stack end-to-end.

  Pipeline changes (.tekton/integration-test-eaas.yaml):
  - New deploy-openldap task: in-memory LDAP server (ldaptor) serving the cts-builders posixGroup, runs without root on any UID
  - New deploy-dex task: Dex with TLS (self-signed CA), password connector, static OAuth2 client cts-integration
  - Updated deploy-cts: AUTH_BACKEND=oidc_or_kerberos, httpd.conf with AuthType oauth20 / OIDCOAuthVerifyJwksUri / OIDCCABundlePath for bearer token validation; SetEnv OIDC_CLAIM_scope scoped to Bearer requests only
  - Updated run-tests: passes AUTH_BACKEND=oidc_or_kerberos; installs requests; writes Dex CA to /tmp and sets REQUESTS_CA_BUNDLE

  Test changes (tests/test_integration_api.py):
  - AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer
  - _get_oidc_token(): obtains a real access token from Dex via ROPC grant
  - _make_ssl_context(): builds an SSLContext from REQUESTS_CA_BUNDLE for use with urllib.request.urlopen
  - write_http_client fixture: returns AuthHTTPClient under OIDC or plain HTTPClient in noauth mode; pre-existing workflow tests use it
  - Four new tests (all four explicitly skip when not _is_oidc_backend()):
    - test_auth_unauthenticated_write_returns_401
    - test_auth_builder_can_post_compose
    - test_auth_unauthorized_user_returns_403
    - test_auth_get_endpoints_accessible_without_token

  Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)

* Eliminate duplication in integration test http client

  The authenticated client only needs to add an extra header, no need to duplicate the whole method. A hook is added that allows subclasses to modify the request before it gets sent.

  Assisted-By: OpenCode (google-vertex-anthropic/claude-opus-4-6)

* Drop unused test skips

  Two integration tests are already skipped on non-OIDC run by the fixtures. There's no need to explicitly skip in the test itself too.

  The test for validating unauthenticated GET request drops the skip too. The behavior makes sense even in noauth mode, GET request should still succeed.

  The only test that really needs the explicit skip is the unauthenticated POST, which would otherwise fail in noauth mode (the request would be allowed).

  Assisted-By: OpenCode (google-vertex-anthropic/claude-opus-4-6)

---------

Co-authored-by: Agent <noreply@redhat.com>
1 parent 2d303e8 commit 37bad18

2 files changed

Lines changed: 657 additions & 34 deletions
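
The request hook and CA-bundle handling the commit message describes, as an added sketch that is not the repository's code. `HTTPClient`, `AuthHTTPClient` and `REQUESTS_CA_BUNDLE` are names from the message; the `prepare_request` hook name, `build_request`, `send`, `make_ssl_context` (without the underscore) and all sample values are assumptions.

```python
import os
import ssl
import urllib.request


def make_ssl_context():
    """Trust the test CA via REQUESTS_CA_BUNDLE; never disable verification."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ca_bundle = os.environ.get("REQUESTS_CA_BUNDLE")
    if ca_bundle:
        # Adds the self-signed CA to the trust store for this context only.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


class HTTPClient:
    """Plain client (hypothetical stand-in for the test suite's HTTPClient)."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")

    def prepare_request(self, request):
        """Hook (assumed name): subclasses adjust the request before sending."""
        return request

    def build_request(self, method, path, body=None):
        request = urllib.request.Request(
            self.base_url + path, data=body, method=method,
            headers={"Content-Type": "application/json"},
        )
        return self.prepare_request(request)

    def send(self, method, path, body=None):
        request = self.build_request(method, path, body)
        return urllib.request.urlopen(request, context=make_ssl_context())


class AuthHTTPClient(HTTPClient):
    """Adds the bearer token through the hook instead of duplicating send()."""

    def __init__(self, base_url, token):
        super().__init__(base_url)
        self._token = token

    def prepare_request(self, request):
        request.add_header("Authorization", "Bearer " + self._token)
        return request
```

Because the header is added in one overridable step, the unauthenticated and authenticated test paths share the same transport and TLS settings and differ only in the `Authorization` header.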
