Commit a25eee8
Agent
Add OIDC authentication to integration tests
Deploys Dex (OIDC provider) and a Python/ldaptor in-memory LDAP server
alongside CTS in the EaaS pipeline and exercises the full
mod_auth_openidc → load_openidc_user → get_user_info → query_ldap_groups
→ has_role auth stack end-to-end.
Pipeline changes (.tekton/integration-test-eaas.yaml):
- deploy-openldap task: runs a lightweight in-memory LDAP server using
Python/ldaptor, serving the cts-builders posixGroup with anonymous-read
access. Sets HOME=/tmp before ensurepip so pip can install to /tmp without
hitting the /tekton permission denied error under restricted-v2 SCC.
- deploy-dex task: generates a self-signed CA and server certificate, stores
them in Kubernetes Secrets, and deploys Dex v2.41.1 over HTTPS.
- deploy-cts task: configures CTS with AUTH_BACKEND=oidc_or_kerberos,
uses OIDCOAuthVerifyJwksUri for JWT-local bearer token validation, and
adds a conditional AuthType block so bearer requests use auth-openidc while
browser flows use openid-connect. SetEnv OIDC_CLAIM_scope guarantees the
scope variable is always present.
- run-tests task: installs the Dex CA cert, passes AUTH_BACKEND=oidc_or_kerberos
and DEX_URL to pytest.
Test changes (tests/test_integration_api.py):
- AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer.
- _get_oidc_token(): obtains a real access token from Dex via ROPC grant.
- write_http_client fixture: returns AuthHTTPClient in OIDC mode or a plain
HTTPClient in noauth mode, used by workflow tests.
- Four new auth tests: unauthenticated POST → 401, builder POST → 200,
readonly POST → 403, unauthenticated GET → 200.
Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)

1 parent 6552ee2 commit a25eee8
2 files changed
Lines changed: 661 additions & 34 deletions
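As an added example (not code from this commit or from CTS), the test-side flow described above in Python: build the ROPC request to Dex's token endpoint, validate the token response, and inject the resulting Bearer header the way an AuthHTTPClient-style wrapper would. The Dex URL, CA bundle path, client id/secret and user names are assumed placeholders.

```python
"""Obtain a Dex access token via the ROPC (password) grant and use it as a
Bearer token, mirroring the integration-test flow. Placeholders only."""
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample values; the real pipeline supplies DEX_URL and the CA path.
DEX_URL = "https://dex.example.test:5556/dex"
CA_BUNDLE = "/tmp/dex-ca.crt"


def ropc_token_request(dex_url, client_id, client_secret, username, password,
                       scope="openid profile email groups"):
    """Build the token-endpoint request: client credentials travel in HTTP
    Basic auth, the user's credentials in the form body (grant_type=password)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    }).encode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return f"{dex_url.rstrip('/')}/token", headers, body


def parse_token_response(raw):
    """Extract the access token; fail loudly on an error response or a
    non-bearer token type so a bad grant cannot silently yield no auth."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token request failed: {data['error']}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type in token response")
    return data["access_token"]


def get_oidc_token(dex_url, client_id, client_secret, username, password, ca_bundle):
    """Perform the grant over TLS, trusting only the pipeline's Dex CA."""
    url, headers, body = ropc_token_request(dex_url, client_id, client_secret, username, password)
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_token_response(resp.read())


def bearer_headers(token, extra=None):
    """Headers an AuthHTTPClient-style wrapper adds to every request."""
    headers = dict(extra or {})
    headers["Authorization"] = f"Bearer {token}"
    return headers
```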