
Commit a25eee8

Author: Agent
Add OIDC authentication to integration tests
Deploys Dex (OIDC provider) and a Python/ldaptor in-memory LDAP server alongside CTS in the EaaS pipeline and exercises the full mod_auth_openidc → load_openidc_user → get_user_info → query_ldap_groups → has_role auth stack end-to-end.

Pipeline changes (.tekton/integration-test-eaas.yaml):

- deploy-openldap task: runs a lightweight in-memory LDAP server using Python/ldaptor, serving the cts-builders posixGroup with anonymous-read access. Sets HOME=/tmp before ensurepip so pip can install to /tmp without hitting the /tekton permission-denied error under the restricted-v2 SCC.
- deploy-dex task: generates a self-signed CA and server certificate, stores them in Kubernetes Secrets, and deploys Dex v2.41.1 over HTTPS.
- deploy-cts task: configures CTS with AUTH_BACKEND=oidc_or_kerberos, uses OIDCOAuthVerifyJwksUri for JWT-local bearer token validation, and adds a conditional AuthType block so bearer requests use auth-openidc while browser flows use openid-connect. SetEnv OIDC_CLAIM_scope guarantees the scope variable is always present.
- run-tests task: installs the Dex CA cert, passes AUTH_BACKEND=oidc_or_kerberos and DEX_URL to pytest.

Test changes (tests/test_integration_api.py):

- AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer.
- _get_oidc_token(): obtains a real access token from Dex via ROPC grant.
- write_http_client fixture: returns AuthHTTPClient in OIDC mode or a plain HTTPClient in noauth mode, used by workflow tests.
- Four new auth tests: unauthenticated POST → 401, builder POST → 200, readonly POST → 403, unauthenticated GET → 200.

Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)
1 parent 6552ee2 commit a25eee8

2 files changed

Lines changed: 661 additions & 34 deletions
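The commit message describes the client side of the test setup (an ROPC token fetch from Dex, a client that injects a Bearer header) and the four-case authorization matrix the new tests assert. The block below is an added example of that pattern, not code from the commit or from the CTS project: it builds the password-grant request, extracts the bearer token, wraps requests with the Authorization header, and runs the matrix against a constructed offline stand-in for Dex and CTS. DEX_URL, CLIENT_ID, CLIENT_SECRET, CTS_URL, the user names and the fake transport are all assumptions made here so the code runs without a network; in the real stack the token is RS256-signed by Dex and verified by mod_auth_openidc via OIDCOAuthVerifyJwksUri, and group membership comes from LDAP, not from a token claim.

```python
# Added example (not the project's code): ROPC token fetch, Bearer injection,
# and the auth matrix from the commit message, run against a constructed fake.
import base64
import json
import urllib.parse
from typing import Callable, Dict, Optional, Tuple

Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]

# Assumed values: the pipeline passes DEX_URL; the client id/secret are invented here.
DEX_URL = "https://dex.example.test:5556"
TOKEN_ENDPOINT = DEX_URL + "/token"
CLIENT_ID = "cts-tests"
CLIENT_SECRET = "not-a-real-secret"
CTS_URL = "https://cts.example.test/api/1/builds"  # assumed write endpoint


def build_ropc_request(username: str, password: str,
                       scope: str = "openid profile email groups") -> Tuple[Dict[str, str], bytes]:
    """Headers and form body for an OAuth2 password grant (RFC 6749 s4.3):
    the client authenticates with HTTP Basic, the user's credentials go in the body."""
    body = urllib.parse.urlencode({"grant_type": "password", "username": username,
                                   "password": password, "scope": scope}).encode()
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {"Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded"}, body


def get_oidc_token(transport: Transport, username: str, password: str) -> str:
    """Exchange user credentials for an access token; refuse anything but a bearer token."""
    headers, body = build_ropc_request(username, password)
    status, payload = transport("POST", TOKEN_ENDPOINT, headers, body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {payload[:200]!r}")
    data = json.loads(payload)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise RuntimeError("token endpoint did not return a bearer access token")
    return data["access_token"]


def decode_jwt_claims(token: str) -> Dict:
    """Decode the JWT payload WITHOUT verifying the signature. Acceptable for client-side
    test assertions only; the server must verify against the JWKS, never trust this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


class AuthHTTPClient:
    """Sends every request with Authorization: Bearer <token>."""
    def __init__(self, transport: Transport, token: str) -> None:
        self._transport, self._token = transport, token

    def request(self, method: str, url: str, headers: Optional[Dict[str, str]] = None,
                body: bytes = b"") -> Tuple[int, bytes]:
        merged = dict(headers or {})
        merged["Authorization"] = "Bearer " + self._token
        return self._transport(method, url, merged, body)


# ---- constructed offline stand-ins for Dex and CTS (not the real services) ----
_USERS = {"builder": ("builder-pw", ["cts-builders"]), "reader": ("reader-pw", [])}


def _b64url(obj: Dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def _fake_jwt(sub: str, groups) -> str:
    # Placeholder signature: a real Dex token is RS256-signed and checked via JWKS.
    return ".".join([_b64url({"alg": "RS256", "kid": "test"}),
                     _b64url({"iss": DEX_URL, "sub": sub, "groups": groups}),
                     "placeholder-signature"])


def fake_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Just enough of Dex's token endpoint and CTS's role check to run the matrix."""
    if url == TOKEN_ENDPOINT:
        expected = "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        if headers.get("Authorization") != expected:
            return 401, b'{"error":"invalid_client"}'
        form = urllib.parse.parse_qs(body.decode())
        user, pw = form.get("username", [""])[0], form.get("password", [""])[0]
        if form.get("grant_type") != ["password"] or _USERS.get(user, (None,))[0] != pw:
            return 400, b'{"error":"invalid_grant"}'
        tok = _fake_jwt(user, _USERS[user][1])
        return 200, json.dumps({"access_token": tok, "token_type": "bearer"}).encode()
    if url == CTS_URL:
        if method == "GET":
            return 200, b"[]"  # reads stay anonymous
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, b""  # unauthenticated write
        groups = decode_jwt_claims(auth[7:]).get("groups", [])  # real CTS asks LDAP instead
        return (200, b"{}") if "cts-builders" in groups else (403, b"")
    return 404, b""


def run_auth_matrix(transport: Transport = fake_transport) -> Dict[str, int]:
    """The four cases from the commit message, as status codes keyed by case name."""
    builder = AuthHTTPClient(transport, get_oidc_token(transport, "builder", "builder-pw"))
    reader = AuthHTTPClient(transport, get_oidc_token(transport, "reader", "reader-pw"))
    return {"unauth_post": transport("POST", CTS_URL, {}, b"{}")[0],
            "builder_post": builder.request("POST", CTS_URL, body=b"{}")[0],
            "readonly_post": reader.request("POST", CTS_URL, body=b"{}")[0],
            "unauth_get": transport("GET", CTS_URL, {}, b"")[0]}
```

Swapping fake_transport for a real HTTPS transport (one that trusts the Dex CA installed by the run-tests task) turns run_auth_matrix into the same four checks the commit adds; decode_jwt_claims is deliberately unverified and belongs only on the test side, since the server's acceptance of the token rests on the JWKS check, not on the client's reading of it.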


0 commit comments
