Commit 84d022b
Add OIDC authentication to integration tests
Deploys Dex (OIDC provider) and a Python/ldaptor in-memory LDAP server
alongside CTS in the EaaS pipeline and exercises the full
mod_auth_openidc → load_openidc_user → get_user_info → query_ldap_groups
→ has_role auth stack end-to-end.
Pipeline changes (.tekton/integration-test-eaas.yaml):
- New deploy-openldap task: in-memory LDAP server (ldaptor) serving the
cts-builders posixGroup, runs without root on any UID
- New deploy-dex task: Dex with TLS (self-signed CA), password connector,
static OAuth2 client cts-integration
- Updated deploy-cts: AUTH_BACKEND=oidc_or_kerberos, httpd.conf with
AuthType oauth20 / OIDCOAuthVerifyJwksUri / OIDCCABundlePath for bearer
token validation; SetEnv OIDC_CLAIM_scope scoped to Bearer requests only
- Updated run-tests: passes AUTH_BACKEND=oidc_or_kerberos; installs
requests; writes Dex CA to /tmp and sets REQUESTS_CA_BUNDLE
Test changes (tests/test_integration_api.py):
- AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer
- _get_oidc_token(): obtains a real access token from Dex via ROPC grant
- _make_ssl_context(): builds an SSLContext from REQUESTS_CA_BUNDLE for
use with urllib.request.urlopen
- write_http_client fixture: returns AuthHTTPClient under OIDC or plain
HTTPClient in noauth mode; pre-existing workflow tests use it
- Four new tests (all four explicitly skip when not _is_oidc_backend()):
  - test_auth_unauthenticated_write_returns_401
  - test_auth_builder_can_post_compose
  - test_auth_unauthorized_user_returns_403
  - test_auth_get_endpoints_accessible_without_token
Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)

1 parent: 7c45869
2 files changed
Lines changed: 686 additions & 34 deletions
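The authorization chain the commit message names (mod_auth_openidc → load_openidc_user → get_user_info → query_ldap_groups → has_role), written out as an added illustration for this page rather than CTS's own code. It reduces the chain to pure functions that run offline: the request environment stands in for what mod_auth_openidc exports after verifying a bearer token, a dict stands in for the ldaptor directory that serves the cts-builders posixGroup, and `authorize()` returns the status each of the four new tests expects (401 with no token, 200 for a builder, 403 for a verified user outside the group, 200 for GET without a token). The claim names, the directory contents, the `cts-readers` group, the role mapping and all function signatures are assumptions.

```python
"""Added example (not CTS code): the OIDC-or-Kerberos write authorization
decision, mod_auth_openidc -> load_openidc_user -> get_user_info ->
query_ldap_groups -> has_role, as offline pure functions."""
from dataclasses import dataclass, field

# mod_auth_openidc exports verified token claims into the request
# environment as OIDC_CLAIM_<name> (its default OIDCClaimPrefix).
CLAIM_PREFIX = "OIDC_CLAIM_"


@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)


# Constructed stand-in for the in-memory ldaptor directory the pipeline
# deploys: posixGroup cn -> memberUid values.  Group membership and the
# second group are assumptions made for this example.
DIRECTORY = {
    "cts-builders": {"alice"},
    "cts-readers": {"alice", "bob"},
}

# Constructed role mapping: which LDAP group grants which CTS role.
ROLE_GROUPS = {"builder": "cts-builders"}


def load_openidc_user(environ):
    """Username of the verified bearer token, or None.

    With AuthType oauth20 mod_auth_openidc sets REMOTE_USER from the claim
    named by OIDCOAuthRemoteUserClaim and exports the remaining claims as
    OIDC_CLAIM_<name>; a request without a valid token has neither."""
    return (environ.get("REMOTE_USER")
            or environ.get(CLAIM_PREFIX + "preferred_username")
            or None)


def query_ldap_groups(directory, username):
    """Groups whose memberUid lists the user (set, possibly empty)."""
    return {cn for cn, members in directory.items() if username in members}


def get_user_info(environ, directory):
    """Resolve the authenticated user and its LDAP groups, or None."""
    username = load_openidc_user(environ)
    if username is None:
        return None
    return User(username, query_ldap_groups(directory, username))


def has_role(user, role):
    group = ROLE_GROUPS.get(role)
    return group is not None and group in user.groups


def authorize(method, environ, directory=DIRECTORY, write_role="builder"):
    """HTTP status an endpoint should answer with: reads are open, writes
    need a verified identity (else 401) holding the builder role (else 403)."""
    if method in ("GET", "HEAD"):
        return 200
    user = get_user_info(environ, directory)
    if user is None:
        return 401          # no valid bearer token at all
    if not has_role(user, write_role):
        return 403          # authenticated, but not in cts-builders
    return 200
```

The 401/403 split is the property worth keeping in the real backend: a missing or unverifiable token and a verified user outside the group are different failures, and the two tests in the commit check them separately.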
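The client side of the flow the test changes describe (a real access token from Dex via the ROPC grant, an SSLContext built from REQUESTS_CA_BUNDLE for urllib, and an HTTPClient subclass that injects Authorization: Bearer), as an added example written for this page and not the commit's tests/test_integration_api.py. Token request assembly and response parsing are kept as separate functions so they can be exercised without a running Dex. The token URL, the client secret, the user credentials and the API path are assumptions; the client id `cts-integration` is the one the commit registers with Dex.

```python
"""Added example, not the commit's test code: ROPC token fetch from Dex,
TLS trust from REQUESTS_CA_BUNDLE, and Bearer injection for urllib."""
import json
import os
import ssl
import urllib.parse
import urllib.request


def make_ssl_context(ca_bundle=None):
    """SSLContext trusting the Dex CA written to REQUESTS_CA_BUNDLE.

    urllib does not read REQUESTS_CA_BUNDLE (only requests does), so the
    bundle is loaded explicitly; hostname and chain verification stay on."""
    cafile = ca_bundle or os.environ.get("REQUESTS_CA_BUNDLE")
    return ssl.create_default_context(cafile=cafile)


def build_token_request(token_url, client_id, client_secret, username, password,
                        scope="openid profile email groups"):
    """POST to Dex's token endpoint with grant_type=password (ROPC).

    Dex accepts the client credentials either as HTTP Basic auth or, as
    here, as client_id/client_secret form fields."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": scope,
    }
    return urllib.request.Request(
        token_url,
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw):
    """Extract access_token, rejecting OAuth error bodies and non-Bearer tokens."""
    payload = json.loads(raw)
    if "error" in payload:
        raise RuntimeError(f"token request failed: {payload['error']}: "
                           f"{payload.get('error_description', '')}")
    if payload.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {payload.get('token_type')!r}")
    return payload["access_token"]


def get_oidc_token(token_url, client_id, client_secret, username, password, ctx=None):
    """Network call: exchange user credentials for an access token at Dex."""
    req = build_token_request(token_url, client_id, client_secret, username, password)
    with urllib.request.urlopen(req, context=ctx or make_ssl_context()) as resp:
        return parse_token_response(resp.read())


class HTTPClient:
    """Plain client used in noauth mode: sends no Authorization header."""

    def __init__(self, base_url, ctx=None):
        self.base_url = base_url
        self.ctx = ctx  # built lazily so offline use never touches TLS

    def build_request(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(urllib.parse.urljoin(self.base_url, path),
                                     data=data, method=method)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        return req

    def request(self, method, path, body=None):
        ctx = self.ctx or make_ssl_context()
        with urllib.request.urlopen(self.build_request(method, path, body),
                                    context=ctx) as resp:
            return resp.status, resp.read()


class AuthHTTPClient(HTTPClient):
    """HTTPClient subclass that injects Authorization: Bearer on every request."""

    def __init__(self, base_url, token, ctx=None):
        super().__init__(base_url, ctx)
        self.token = token

    def build_request(self, method, path, body=None):
        req = super().build_request(method, path, body)
        req.add_header("Authorization", f"Bearer {self.token}")
        return req
```

A fixture like the commit's `write_http_client` would return `AuthHTTPClient(base_url, get_oidc_token(...))` when the backend is OIDC and `HTTPClient(base_url)` in noauth mode; because `get_oidc_token` goes through the same SSLContext as the API calls, a wrong or missing CA bundle fails at the token step rather than silently disabling verification.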