Commit 4ee03a6
Agent
Add OIDC authentication to integration tests

Deploy Dex (OIDC provider) and a Python/ldaptor in-memory LDAP server
alongside CTS in the EaaS pipeline, and exercise the full
mod_auth_openidc → load_openidc_user → get_user_info → query_ldap_groups
→ has_role auth stack end-to-end.

LDAP server: use a Python/ldaptor in-memory server instead of
osixia/openldap:1.5.0. The osixia image requires root and crashes
immediately in OpenShift's restricted-v2 SCC (exit code 0,
'Killing all processes...'). ldaptor runs as an arbitrary UID on a
non-privileged port (1389), so no SCC changes are needed. The server
is seeded at startup with the cts-builders posixGroup (memberUid:builder)
needed for LDAP group resolution.

Pipeline changes (.tekton/integration-test-eaas.yaml):
- New deploy-openldap task: deploys an in-memory LDAP server using
  ldaptor/Twisted via a ConfigMap-mounted Python script, running in
  the same appstudio-utils image used elsewhere in the pipeline.
  Listens on port 1389 (non-privileged).
- New deploy-dex task: generates a self-signed CA + server cert
  (SAN: DNS:dex), stores them in Secrets, and deploys Dex with HTTPS.
- Updated deploy-cts: depends on deploy-openldap and deploy-dex;
  sets AUTH_BACKEND=oidc_or_kerberos, AUTH_LDAP_SERVER pointing to
  ldap://openldap:1389, AUTH_OPENIDC_USERINFO_URI, ADMINS, and
  ALLOWED_BUILDERS. Installs the Dex CA into the system trust store.
  httpd.conf uses OIDCOAuthVerifyJwksUri (AuthType auth-openidc for
  Bearer requests), SetEnv OIDC_CLAIM_scope, and a RequireAny block
  that passes unauthenticated GETs while requiring valid-user for writes.
- Updated run-tests: installs requests alongside pytest, passes
  AUTH_BACKEND=oidc_or_kerberos and DEX_URL to pytest.

Test changes (tests/test_integration_api.py):
- AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer.
- _get_oidc_token(): obtains a real access token from Dex via ROPC grant.
- write_http_client fixture: uses AuthHTTPClient under OIDC, plain
  HTTPClient under noauth; updates existing workflow tests.
- Four new test functions covering: unauthenticated POST → 401,
  authenticated builder POST → 200, readonly user POST → 403,
  unauthenticated GET → 200.

Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)

1 parent 6552ee2, commit 4ee03a6
2 files changed
Lines changed: 658 additions & 34 deletions
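The commit message describes an httpd.conf that verifies Dex bearer tokens with mod_auth_openidc and uses a RequireAny block to let unauthenticated GETs through while requiring a valid user for writes. The fragment below is an added illustration of that pattern, not the project's httpd.conf from this commit. The Dex hostname and port, the JWKS path (Dex publishes its keys under the issuer URL at /keys), the CA bundle path, the protected location and the choice of which claim becomes REMOTE_USER are all assumptions; the project's own values are not visible on this page.

```apache
# Added example of mod_auth_openidc in OAuth 2.0 resource-server mode:
# incoming "Authorization: Bearer <jwt>" tokens are validated offline
# against the issuer's JWKS. Every URL and path here is assumed.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Required by the module even when only the OAuth bearer path is used.
OIDCCryptoPassphrase "change-me-to-a-random-secret"

# Public keys used to check the token signature (assumed Dex issuer URL).
OIDCOAuthVerifyJwksUri https://dex:5556/keys

# Trust the self-signed Dex CA explicitly instead of relying on the
# system trust store (assumed path; the commit installs the CA system-wide).
OIDCOAuthSSLValidateServer On
OIDCCABundlePath /etc/pki/tls/certs/dex-ca.pem

# Only accept the token from the Authorization header, never from a
# query parameter, so tokens do not end up in access logs or referers.
OIDCOAuthAcceptTokenAs header

# Claim that becomes REMOTE_USER for the application (assumption: the
# application maps this value to an LDAP memberUid for group lookup).
OIDCOAuthRemoteUserClaim preferred_username

<Location /api>
    AuthType auth-openidc
    <RequireAny>
        # Read-only methods pass without any token. Anything not listed
        # here (POST, PUT, PATCH, DELETE, ...) falls through to the next
        # Require and must present a valid bearer token.
        Require method GET HEAD OPTIONS
        Require valid-user
    </RequireAny>
</Location>
```

Two checks worth making against a deployment like this: send a POST without a token and confirm the response is 401 rather than 403 (a 403 means the RequireAny matched no provider and authentication was never attempted), and send a token signed by a key that is not in the JWKS document and confirm it is rejected, since signature verification is the only thing standing between an arbitrary self-minted JWT and REMOTE_USER. HEAD and OPTIONS are listed here as read-only methods; the commit message mentions only GET, so drop them if the application treats those methods differently.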