
Commit 4ee03a6

Author: Agent (committed)
Add OIDC authentication to integration tests
Deploy Dex (OIDC provider) and a Python/ldaptor in-memory LDAP server alongside CTS in the EaaS pipeline, and exercise the full mod_auth_openidc → load_openidc_user → get_user_info → query_ldap_groups → has_role auth stack end-to-end.

LDAP server: use a Python/ldaptor in-memory server instead of osixia/openldap:1.5.0. The osixia image requires root and crashes immediately in OpenShift's restricted-v2 SCC (exit code 0, 'Killing all processes...'). ldaptor runs as an arbitrary UID on a non-privileged port (1389), so no SCC changes are needed. The server is seeded at startup with the cts-builders posixGroup (memberUid:builder) needed for LDAP group resolution.

Pipeline changes (.tekton/integration-test-eaas.yaml):
- New deploy-openldap task: deploys an in-memory LDAP server using ldaptor/Twisted via a ConfigMap-mounted Python script, running in the same appstudio-utils image used elsewhere in the pipeline. Listens on port 1389 (non-privileged).
- New deploy-dex task: generates a self-signed CA + server cert (SAN: DNS:dex), stores them in Secrets, and deploys Dex with HTTPS.
- Updated deploy-cts: depends on deploy-openldap and deploy-dex; sets AUTH_BACKEND=oidc_or_kerberos, AUTH_LDAP_SERVER pointing to ldap://openldap:1389, AUTH_OPENIDC_USERINFO_URI, ADMINS, and ALLOWED_BUILDERS. Installs the Dex CA into the system trust store. httpd.conf uses OIDCOAuthVerifyJwksUri (AuthType auth-openidc for Bearer requests), SetEnv OIDC_CLAIM_scope, and a RequireAny block that passes unauthenticated GETs while requiring valid-user for writes.
- Updated run-tests: installs requests alongside pytest, passes AUTH_BACKEND=oidc_or_kerberos and DEX_URL to pytest.

Test changes (tests/test_integration_api.py):
- AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer.
- _get_oidc_token(): obtains a real access token from Dex via ROPC grant.
- write_http_client fixture: uses AuthHTTPClient under OIDC, plain HTTPClient under noauth; updates existing workflow tests.
- Four new test functions covering: unauthenticated POST → 401, authenticated builder POST → 200, readonly user POST → 403, unauthenticated GET → 200.

Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)
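The authorization path the commit message describes (Bearer header → userinfo → LDAP group resolution → role check → RequireAny decision), as an added offline model that reproduces the four status codes the new tests expect. This is illustrative code written for this page, not CTS, mod_auth_openidc, ldaptor or Dex code. The token values, usernames, the cts-readers group, the meaning of ADMINS (usernames) and ALLOWED_BUILDERS (LDAP group names), and the Dex /token path are constructed assumptions; only the cts-builders posixGroup with memberUid builder comes from the commit message.

```python
"""Offline model of: Authorization: Bearer -> userinfo -> LDAP groups -> role
-> HTTP status. Added illustration, not CTS/mod_auth_openidc/Dex code."""
from __future__ import annotations

import re
from urllib.parse import urlencode

# Constructed stand-in for Dex's userinfo endpoint: opaque token -> claims.
USERINFO_BY_TOKEN = {
    "tok-builder": {"sub": "builder", "preferred_username": "builder"},
    "tok-readonly": {"sub": "readonly", "preferred_username": "readonly"},
}

# Constructed stand-in for the seeded in-memory LDAP tree, in LDIF form.
# cts-builders/memberUid builder is from the commit message; cts-readers is
# assumed so that a non-builder user still resolves to some group.
LDAP_SEED = """\
dn: cn=cts-builders,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: cts-builders
memberUid: builder

dn: cn=cts-readers,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: cts-readers
memberUid: readonly
memberUid: builder
"""

# Assumed semantics: ADMINS holds usernames, ALLOWED_BUILDERS holds LDAP
# group names whose members may perform writes.
ADMINS = {"admin"}
ALLOWED_BUILDERS = {"cts-builders"}

_BEARER_RE = re.compile(r"^Bearer\s+(\S+)$")


def parse_ldif_groups(ldif: str) -> dict[str, set[str]]:
    """Return {group cn: {memberUid, ...}} for every posixGroup entry."""
    groups: dict[str, set[str]] = {}
    for entry in ldif.strip().split("\n\n"):
        attrs: dict[str, list[str]] = {}
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        if "posixGroup" in attrs.get("objectClass", []):
            groups[attrs["cn"][0]] = set(attrs.get("memberUid", []))
    return groups


def query_ldap_groups(username: str, ldif: str = LDAP_SEED) -> set[str]:
    """Names of posixGroups whose memberUid list contains username."""
    return {cn for cn, members in parse_ldif_groups(ldif).items()
            if username in members}


def has_role(username: str, role: str, ldif: str = LDAP_SEED) -> bool:
    """Admins hold every role; 'builder' requires membership in an
    ALLOWED_BUILDERS group; every known user holds 'user'."""
    if username in ADMINS:
        return True
    if role == "builder":
        return bool(query_ldap_groups(username, ldif) & ALLOWED_BUILDERS)
    return role == "user"


def get_user_info(token: str) -> dict | None:
    """Userinfo lookup against the constructed token table."""
    return USERINFO_BY_TOKEN.get(token)


def load_openidc_user(headers: dict[str, str]) -> str | None:
    """Extract the Bearer token and resolve it to a username, or None."""
    m = _BEARER_RE.match(headers.get("Authorization", ""))
    if not m:
        return None
    info = get_user_info(m.group(1))
    return info["preferred_username"] if info else None


def handle_request(method: str, headers: dict[str, str]) -> int:
    """RequireAny-style decision: unauthenticated GET/HEAD passes; writes
    need a valid user (else 401) who holds the builder role (else 403)."""
    user = load_openidc_user(headers)
    if method.upper() in ("GET", "HEAD"):
        return 200
    if user is None:
        return 401
    if not has_role(user, "builder"):
        return 403
    return 200


def bearer_headers(token: str) -> dict[str, str]:
    """What an AuthHTTPClient-style wrapper injects on every request."""
    return {"Authorization": f"Bearer {token}"}


def ropc_token_request(dex_url: str, client_id: str, client_secret: str,
                       username: str, password: str) -> tuple[str, str]:
    """Build (URL, form body) for an OAuth2 password (ROPC) grant against
    Dex; the /token path is an assumption. Nothing is sent."""
    body = urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret, "username": username,
                      "password": password, "scope": "openid profile"})
    return f"{dex_url.rstrip('/')}/token", body


if __name__ == "__main__":
    for method, hdrs in [("POST", {}), ("POST", bearer_headers("tok-builder")),
                         ("POST", bearer_headers("tok-readonly")), ("GET", {})]:
        print(method, hdrs, "->", handle_request(method, hdrs))
```

The model deliberately keeps the read path open before any token is inspected, matching the RequireAny intent of the pipeline's httpd.conf; a real deployment that wants bad tokens rejected even on GET would need a different directive layout than the one modelled here.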
1 parent 6552ee2 commit 4ee03a6

2 files changed

Lines changed: 658 additions & 34 deletions

