
Add OIDC authentication to integration tests#75

Merged
guillermodotn merged 3 commits into main from overseer/71 on Jul 1, 2026

Conversation


@lubomir lubomir commented Jun 3, 2026

Contributor

🤖 This was posted automatically by an AI agent.

Add OIDC authentication to integration tests

Deploys Dex (OIDC provider) and an in-memory LDAP server (ldaptor) alongside CTS
in the EaaS pipeline and exercises the full mod_auth_openidc → load_openidc_user →
get_user_info → query_ldap_groups → has_role auth stack end-to-end.

Pipeline changes (.tekton/integration-test-eaas.yaml)

  • New deploy-openldap task (runs in parallel with deploy-dex after
    provision-environment): creates a ConfigMap with an in-memory LDAP server
    script (using ldaptor/Twisted) defining two users (builder / readonly) and
    two groups (cts-builders / readonly-users), then deploys the server on port
    1389.
  • New deploy-dex task (parallel with deploy-openldap): generates a
    self-signed CA and TLS certificate for Dex, creates a ConfigMap with a Dex
    config using the password connector and a static OAuth2 client
    (cts-integration), then deploys Dex on port 5556.
  • Updated deploy-cts: runAfter now includes deploy-openldap and
    deploy-dex. The cts-config ConfigMap sets AUTH_BACKEND=oidc_or_kerberos,
    AUTH_OPENIDC_USERINFO_URI, AUTH_LDAP_SERVER (pointing to openldap:1389),
    AUTH_LDAP_GROUPS, ADMINS, and ALLOWED_BUILDERS. The httpd.conf gains
    mod_auth_openidc directives (OIDCProviderMetadataURL,
    OIDCOAuthVerifyJwksUri, OIDCClientID/Secret, OIDCRemoteUserClaim,
    OIDCCABundlePath) and a <RequireAny> block that allows unauthenticated
    GET requests while requiring a valid Bearer token for writes.
  • Updated run-tests: installs requests alongside pytest, retrieves the
    Dex CA certificate, and passes AUTH_BACKEND=oidc_or_kerberos and
    DEX_URL=https://dex:5556 to the test runner so the auth tests are not skipped.

Test changes (tests/test_integration_api.py)

  • AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer
    on every request.
  • _get_oidc_token(): obtains a real access token from Dex via the ROPC grant;
    used by auth_http_client_builder and auth_http_client_readonly fixtures.
  • write_http_client fixture: returns an AuthHTTPClient (as builder) when
    OIDC is active, or a plain HTTPClient in noauth mode. Existing workflow tests
    that perform writes are updated to use this fixture.
  • Four new test functions (skipped when AUTH_BACKEND is not openidc or
    oidc_or_kerberos):
    • test_auth_unauthenticated_write_returns_401 – bare POST → 401
    • test_auth_builder_can_post_compose – builder Bearer token → 200
    • test_auth_unauthorized_user_returns_403 – readonly Bearer token → 403
    • test_auth_get_endpoints_accessible_without_token – unauthenticated GET → 200

All pre-existing tests continue to pass unchanged under AUTH_BACKEND=noauth.
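The client side of the flow the test changes describe, as an added example that is not the project's own code: an HTTPClient with a pre-send hook, an AuthHTTPClient that only adds the Bearer header, and a token fetch via the ROPC grant, run offline against a constructed stub standing in for Dex and CTS. The stub (stub_backend), its token values, the `send` method name and the `opener` injection point are assumptions of this example, not names from the PR.

```python
import io
import json
from urllib import error, parse, request, response

class HTTPClient:
    def __init__(self, base_url, opener=request.urlopen):
        self.base_url = base_url.rstrip("/")
        self._open = opener  # injectable so the same flow runs offline against stub_backend below
    def prepare_request(self, req):
        return req  # hook: subclasses modify the request before it is sent
    def send(self, method, path, body=None):
        req = self.prepare_request(request.Request(self.base_url + path, data=body, method=method))
        try:
            with self._open(req) as resp:
                return resp.status
        except error.HTTPError as err:  # urlopen raises on 4xx/5xx; report the status instead
            return err.code

class AuthHTTPClient(HTTPClient):
    def __init__(self, base_url, token, **kw):
        super().__init__(base_url, **kw)
        self.token = token
    def prepare_request(self, req):
        req.add_header("Authorization", f"Bearer {self.token}")
        return req

def get_oidc_token(token_url, client_id, client_secret, username, password, opener=request.urlopen):
    # Resource Owner Password Credentials grant (RFC 6749 section 4.3): form-encoded POST to the token endpoint.
    form = parse.urlencode({"grant_type": "password", "client_id": client_id, "client_secret": client_secret,
                            "username": username, "password": password, "scope": "openid"}).encode()
    with opener(request.Request(token_url, data=form, method="POST")) as resp:
        return json.load(resp)["access_token"]

def _reply(req, status, body=b""):  # behaves like urlopen: a response object on success, HTTPError on 4xx
    if status >= 400:
        raise error.HTTPError(req.full_url, status, "", {}, io.BytesIO(body))
    return response.addinfourl(io.BytesIO(body), {}, req.full_url, status)

def stub_backend(req):
    # Constructed stand-in for Dex (/token) and CTS with the PR's policy: open GET, Bearer required for writes,
    # builder only. The two users are the ones the pipeline defines; the token strings are made up here.
    tokens = {"builder": "tok-builder", "readonly": "tok-readonly"}
    if parse.urlsplit(req.full_url).path == "/token":
        form = parse.parse_qs(req.data.decode())
        token = tokens.get(form.get("username", [""])[0]) if form.get("grant_type") == ["password"] else None
        return _reply(req, 200, json.dumps({"access_token": token}).encode()) if token else _reply(req, 400)
    if req.get_method() == "GET":
        return _reply(req, 200, b"[]")
    scheme, _, token = (req.get_header("Authorization") or "").partition(" ")
    # no token at all -> 401 (unauthenticated); readonly user's token -> 403 (authenticated, not a builder)
    return _reply(req, 401 if scheme != "Bearer" else 200 if token == tokens["builder"] else 403, b"{}")
```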

@lubomir lubomir force-pushed the overseer/71 branch 11 times, most recently from dcf859a to 55b79f8 on June 4, 2026 10:21
@lubomir lubomir added the on-hold label Jun 4, 2026
@lubomir lubomir removed the on-hold label Jun 4, 2026
@lubomir lubomir force-pushed the overseer/71 branch 10 times, most recently from c59b61b to 0ab890a on June 5, 2026 11:04
@lubomir lubomir added the on-hold label Jun 5, 2026
@lubomir lubomir removed the on-hold label Jun 5, 2026
@lubomir lubomir force-pushed the overseer/71 branch 2 times, most recently from c4d005d to 9c35910 on June 5, 2026 12:12
Deploys Dex (OIDC provider) and a Python/ldaptor in-memory LDAP server
alongside CTS in the EaaS pipeline and exercises the full
mod_auth_openidc → load_openidc_user → get_user_info → query_ldap_groups
→ has_role auth stack end-to-end.

Pipeline changes (.tekton/integration-test-eaas.yaml):
- New deploy-openldap task: in-memory LDAP server (ldaptor) serving the
  cts-builders posixGroup, runs without root on any UID
- New deploy-dex task: Dex with TLS (self-signed CA), password connector,
  static OAuth2 client cts-integration
- Updated deploy-cts: AUTH_BACKEND=oidc_or_kerberos, httpd.conf with
  AuthType oauth20 / OIDCOAuthVerifyJwksUri / OIDCCABundlePath for bearer
  token validation; SetEnv OIDC_CLAIM_scope scoped to Bearer requests only
- Updated run-tests: passes AUTH_BACKEND=oidc_or_kerberos; installs
  requests; writes Dex CA to /tmp and sets REQUESTS_CA_BUNDLE

Test changes (tests/test_integration_api.py):
- AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer
- _get_oidc_token(): obtains a real access token from Dex via ROPC grant
- _make_ssl_context(): builds an SSLContext from REQUESTS_CA_BUNDLE for
  use with urllib.request.urlopen
- write_http_client fixture: returns AuthHTTPClient under OIDC or plain
  HTTPClient in noauth mode; pre-existing workflow tests use it
- Four new tests (all four explicitly skip when not _is_oidc_backend()):
  - test_auth_unauthenticated_write_returns_401
  - test_auth_builder_can_post_compose
  - test_auth_unauthorized_user_returns_403
  - test_auth_get_endpoints_accessible_without_token

Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)
Comment thread tests/test_integration_api.py Outdated
export HOME=/tmp
echo "Installing ldaptor and twisted..."
python3 -m ensurepip
python3 -m pip install --target /tmp/ldap-deps --quiet ldaptor twisted

Contributor


I guess this is temporary, but these dependencies would be better pre-baked into a container image.

Contributor


That said, I do not know if it is worth it for just those two dependencies.

Contributor Author


This is a good point. The LDAP setup could likely be moved to an image. In fact, the initial attempts were trying to use existing images, but neither really worked in this setup. The image for this setup would not be complicated, but there would be additional overhead about where and how to build it.

For the record, the tried images were:

  • glauth - the blocker was that it doesn't support anonymous binds, so all CTS queries were denied
  • osixia/openldap - doesn't work under OCP restricted-v2 SCC since the image can not run under random UID

Contributor Author


I think this could be left as a separate cleanup to not blow this PR up even more.

@guillermodotn guillermodotn Jul 1, 2026

Contributor


Regarding how to build them, I suggest using the Containerfile in this repo, along with a PaC Konflux definition to push it to Quay.

lubomir added 2 commits July 1, 2026 09:19
The authenticated client only needs to add an extra header, no need to
duplicate the whole method. A hook is added that allows subclasses to
modify the request before it gets sent.

Assisted-By: OpenCode (google-vertex-anthropic/claude-opus-4-6)
Two integration tests are already skipped on non-OIDC runs by the
fixtures. There's no need to explicitly skip in the test itself too.

The test for validating unauthenticated GET requests drops the skip too.
The behavior makes sense even in noauth mode: GET requests should still
succeed.

The only test that really needs the explicit skip is the unauthenticated
POST, which would otherwise fail in noauth mode (the request would be
allowed).

Assisted-By: OpenCode (google-vertex-anthropic/claude-opus-4-6)
@guillermodotn guillermodotn merged commit 37bad18 into main Jul 1, 2026
5 checks passed
3 participants