Add OIDC authentication to integration tests#75

Open: lubomir wants to merge 1 commit into main from overseer/71

Conversation

lubomir (Contributor) commented Jun 3, 2026

🤖 This was posted automatically by an AI agent.

Add OIDC authentication to integration tests

Deploys Dex (OIDC provider) and an in-memory LDAP server (ldaptor) alongside CTS
in the EaaS pipeline and exercises the full mod_auth_openidc → load_openidc_user →
get_user_info → query_ldap_groups → has_role auth stack end-to-end.

Pipeline changes (.tekton/integration-test-eaas.yaml)

  • New deploy-openldap task (runs in parallel with deploy-dex after
    provision-environment): creates a ConfigMap with an in-memory LDAP server
    script (using ldaptor/Twisted) defining two users (builder / readonly) and
    two groups (cts-builders / readonly-users), then deploys the server on port
    1389.
  • New deploy-dex task (parallel with deploy-openldap): generates a
    self-signed CA and TLS certificate for Dex, creates a ConfigMap with a Dex
    config using the password connector and a static OAuth2 client
    (cts-integration), then deploys Dex on port 5556.
  • Updated deploy-cts: runAfter now includes deploy-openldap and
    deploy-dex. The cts-config ConfigMap sets AUTH_BACKEND=oidc_or_kerberos,
    AUTH_OPENIDC_USERINFO_URI, AUTH_LDAP_SERVER (pointing to openldap:1389),
    AUTH_LDAP_GROUPS, ADMINS, and ALLOWED_BUILDERS. The httpd.conf gains
    mod_auth_openidc directives (OIDCProviderMetadataURL,
    OIDCOAuthVerifyJwksUri, OIDCClientID/Secret, OIDCRemoteUserClaim,
    OIDCCABundlePath) and a <RequireAny> block that allows unauthenticated
    GET requests while requiring a valid Bearer token for writes.
  • Updated run-tests: installs requests alongside pytest, retrieves the
    Dex CA certificate, and passes AUTH_BACKEND=oidc_or_kerberos and
    DEX_URL=https://dex:5556 to the test runner so the auth tests are not skipped.

Test changes (tests/test_integration_api.py)

  • AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer
    on every request.
  • _get_oidc_token(): obtains a real access token from Dex via the ROPC grant;
    used by auth_http_client_builder and auth_http_client_readonly fixtures.
  • write_http_client fixture: returns an AuthHTTPClient (as builder) when
    OIDC is active, or a plain HTTPClient in noauth mode. Existing workflow tests
    that perform writes are updated to use this fixture.
  • Four new test functions (skipped when AUTH_BACKEND is not openidc or
    oidc_or_kerberos):
    • test_auth_unauthenticated_write_returns_401 – bare POST → 401
    • test_auth_builder_can_post_compose – builder Bearer token → 200
    • test_auth_unauthorized_user_returns_403 – readonly Bearer token → 403
    • test_auth_get_endpoints_accessible_without_token – unauthenticated GET → 200

All pre-existing tests continue to pass unchanged under AUTH_BACKEND=noauth.
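The token fetch and Bearer injection described in the test changes, written out as an added example (not the PR's own code): it assumes Dex's standard `/token` endpoint, the `cts-integration` client named above, and placeholder values for the client secret and user credentials.

```python
import json
import os
import ssl
import urllib.request
from base64 import b64encode
from urllib.parse import urlencode

# Assumed values: DEX_URL and the cts-integration client come from the PR text,
# the secret is a placeholder to be supplied by the pipeline.
DEX_URL = os.environ.get("DEX_URL", "https://dex:5556")
CLIENT_ID = "cts-integration"
CLIENT_SECRET = os.environ.get("DEX_CLIENT_SECRET", "placeholder-secret")


def make_ssl_context(ca_bundle=None):
    """Trust the Dex CA from REQUESTS_CA_BUNDLE (or an explicit path) instead of
    disabling certificate verification for the self-signed deployment."""
    ca_bundle = ca_bundle or os.environ.get("REQUESTS_CA_BUNDLE")
    return ssl.create_default_context(cafile=ca_bundle)


def build_ropc_token_request(username, password, dex_url=DEX_URL,
                             client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Resource Owner Password Credentials grant: form body plus HTTP Basic
    client authentication, POSTed to Dex's /token endpoint."""
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": "openid profile email groups",
    }).encode()
    basic = b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"{dex_url}/token", data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def get_oidc_token(username, password, opener=urllib.request.urlopen, **kw):
    """Return the access_token Dex issues; `opener` is injectable so the call
    can be exercised without a live Dex."""
    req = build_ropc_token_request(username, password, **kw)
    with opener(req, context=make_ssl_context()) as resp:
        return json.load(resp)["access_token"]


class AuthHTTPClient:
    """Stand-in for the PR's HTTPClient subclass: every request it builds
    carries Authorization: Bearer <token>, so writes pass mod_auth_openidc."""
    def __init__(self, base_url, token):
        self.base_url, self.token = base_url, token

    def request(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self.token}"}
        if body is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(body).encode()
        return urllib.request.Request(f"{self.base_url}{path}", data=body,
                                      method=method, headers=headers)
```

A fixture would call get_oidc_token once per user (builder, readonly) and hand the token to AuthHTTPClient; a token for a user outside cts-builders is still accepted by mod_auth_openidc but should be refused by has_role with 403, which is what the third new test checks.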

lubomir force-pushed the overseer/71 branch 11 times, most recently from dcf859a to 55b79f8 on June 4, 2026 10:21
lubomir added the on-hold label Jun 4, 2026
lubomir removed the on-hold label Jun 4, 2026
lubomir force-pushed the overseer/71 branch 10 times, most recently from c59b61b to 0ab890a on June 5, 2026 11:04
lubomir added the on-hold label Jun 5, 2026
lubomir removed the on-hold label Jun 5, 2026
lubomir force-pushed the overseer/71 branch 2 times, most recently from c4d005d to 9c35910 on June 5, 2026 12:12
codecov-commenter commented Jun 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.69%. Comparing base (7c45869) to head (84d022b).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main      #75      +/-   ##
==========================================
+ Coverage   81.95%   83.69%   +1.74%     
==========================================
  Files          13       13              
  Lines        1302     1325      +23     
==========================================
+ Hits         1067     1109      +42     
+ Misses        235      216      -19     
Flag: unit-tests
Coverage Δ: 83.69% <ø> (+1.74%) ⬆️


Deploys Dex (OIDC provider) and a Python/ldaptor in-memory LDAP server
alongside CTS in the EaaS pipeline and exercises the full
mod_auth_openidc → load_openidc_user → get_user_info → query_ldap_groups
→ has_role auth stack end-to-end.

Pipeline changes (.tekton/integration-test-eaas.yaml):
- New deploy-openldap task: in-memory LDAP server (ldaptor) serving the
  cts-builders posixGroup, runs without root on any UID
- New deploy-dex task: Dex with TLS (self-signed CA), password connector,
  static OAuth2 client cts-integration
- Updated deploy-cts: AUTH_BACKEND=oidc_or_kerberos, httpd.conf with
  AuthType oauth20 / OIDCOAuthVerifyJwksUri / OIDCCABundlePath for bearer
  token validation; SetEnv OIDC_CLAIM_scope scoped to Bearer requests only
- Updated run-tests: passes AUTH_BACKEND=oidc_or_kerberos; installs
  requests; writes Dex CA to /tmp and sets REQUESTS_CA_BUNDLE

Test changes (tests/test_integration_api.py):
- AuthHTTPClient: HTTPClient subclass that injects Authorization: Bearer
- _get_oidc_token(): obtains a real access token from Dex via ROPC grant
- _make_ssl_context(): builds an SSLContext from REQUESTS_CA_BUNDLE for
  use with urllib.request.urlopen
- write_http_client fixture: returns AuthHTTPClient under OIDC or plain
  HTTPClient in noauth mode; pre-existing workflow tests use it
- Four new tests (all four explicitly skip when not _is_oidc_backend()):
  - test_auth_unauthenticated_write_returns_401
  - test_auth_builder_can_post_compose
  - test_auth_unauthorized_user_returns_403
  - test_auth_get_endpoints_accessible_without_token

Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)