author | Matthieu Huin <mhuin@redhat.com> | 2020-01-13 18:46:35 +0100 |
committer | Matthieu Huin <mhuin@redhat.com> | 2020-03-27 16:47:21 +0000 |
commit | b001fa8fa3cdcced6d1568ec107c2fb50ba8b6b6 (patch) | |
tree | 0d7ab512955a262cd69d20e408ded2bf58a2b185 /tests | |
parent | b9f885e2a7e3fd4c44c53d22815d270ebeb41431 (diff) | |
OIDCAuthenticator: add capabilities, scope option
The OIDC Authenticator can be configured to specify scope(s).
By default, use scopes "openid profile", the smallest subset of scopes
supported by all OpenID Connect Identity Providers.
Add a basic capability register for the web service. This is simply
meant to expose configuration details that can be public, so that
other services (namely zuul web-app) can access them through the REST
API.
Fix capability 'job_history' by setting it to True if a SQL driver is
active.
Change-Id: I6ec0338cc0f7c0756c0cb26d6e5b3732c3ca655c
Diffstat (limited to 'tests')
-rw-r--r-- | tests/base.py | 2 | ||||
-rw-r--r-- | tests/fixtures/zuul-admin-web-oidc.conf | 45 | ||||
-rw-r--r-- | tests/unit/test_web.py | 86 |
3 files changed, 105 insertions, 28 deletions
diff --git a/tests/base.py b/tests/base.py
index aa43ab2e7..2412ceef9 100644
--- a/tests/base.py
+++ b/tests/base.py
@@ -3179,7 +3179,7 @@ class ZuulWebFixture(fixtures.Fixture):
 self.authenticators = zuul.lib.auth.AuthenticatorRegistry()
 self.authenticators.configure(config)
 if info is None:
- self.info = zuul.model.WebInfo()
+ self.info = zuul.model.WebInfo.fromConfig(config)
 else:
 self.info = info
 self.zk_hosts = zk_hosts
diff --git a/tests/fixtures/zuul-admin-web-oidc.conf b/tests/fixtures/zuul-admin-web-oidc.conf
new file mode 100644
index 000000000..33e5136b5
--- /dev/null
+++ b/tests/fixtures/zuul-admin-web-oidc.conf
@@ -0,0 +1,45 @@
+[gearman]
+server=127.0.0.1
+
+[scheduler]
+tenant_config=main.yaml
+relative_priority=true
+
+[merger]
+git_dir=/tmp/zuul-test/merger-git
+git_user_email=zuul@example.com
+git_user_name=zuul
+
+[executor]
+git_dir=/tmp/zuul-test/executor-git
+
+[connection gerrit]
+driver=gerrit
+server=review.example.com
+user=jenkins
+sshkey=fake_id_rsa_path
+
+[web]
+static_cache_expiry=1200
+
+[auth zuul_operator]
+driver=HS256
+allow_authz_override=true
+realm=zuul.example.com
+client_id=zuul.example.com
+issuer_id=zuul_operator
+secret=NoDanaOnlyZuul
+
+[auth myOIDC1]
+driver=OpenIDConnect
+realm=myOIDC1
+default=true
+client_id=zuul
+issuer_id=http://oidc1
+
+[auth myOIDC2]
+driver=OpenIDConnect
+realm=myOIDC2
+client_id=zuul
+issuer_id=http://oidc2
+scope=openid profile email special-scope
diff --git a/tests/unit/test_web.py b/tests/unit/test_web.py
index 200a50e39..c0695fa7b 100644
--- a/tests/unit/test_web.py
+++ b/tests/unit/test_web.py
@@ -969,7 +969,9 @@ class TestWebSecrets(BaseTestWeb):
 self.assertEqual([secret], run[0]['secrets'])
 
 
-class TestInfo(BaseTestWeb):
+class TestInfo(ZuulDBTestCase, BaseTestWeb):
+
+ config_file = 'zuul-sql-driver.conf'
 
 def setUp(self):
 super(TestInfo, self).setUp()
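Review bot: The new fixture's `[auth zuul_operator]` section carries a shared HS256 `secret` together with `allow_authz_override=true`, and the two OpenIDConnect realms use plain `http://` values for `issuer_id`, yet nothing in the file marks these as test-only placeholders. Since this change also starts publishing realm configuration through `api/info`, a one-line header comment would keep the fixture from being mistaken for a deployable template, e.g. `# Test fixture: throw-away HS256 secret and non-resolving http:// issuers; not for deployment.` (configparser-style `#` comments should be accepted, assuming the standard parser is in use). The realm values here match what tests/unit/test_web.py asserts, so the comment is the only thing missing.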
@@ -979,40 +981,70 @@ class TestInfo(BaseTestWeb):
 statsd_config = self.config_ini_data.get('statsd', {})
 self.stats_prefix = statsd_config.get('prefix')
 
+ def _expected_info(self):
+ return {
+ "info": {
+ "capabilities": {
+ "job_history": True,
+ "auth": {
+ "realms": {},
+ "default_realm": None
+ }
+ },
+ "stats": {
+ "url": self.stats_url,
+ "prefix": self.stats_prefix,
+ "type": "graphite",
+ },
+ "websocket_url": self.websocket_url,
+ }
+ }
+
 def test_info(self):
 info = self.get_url("api/info").json()
 self.assertEqual(
- info, {
- "info": {
- "capabilities": {
- "job_history": False
- },
- "stats": {
- "url": self.stats_url,
- "prefix": self.stats_prefix,
- "type": "graphite",
- },
- "websocket_url": self.websocket_url,
- }
- })
+ info, self._expected_info())
 
 def test_tenant_info(self):
 info = self.get_url("api/tenant/tenant-one/info").json()
+ expected_info = self._expected_info()
+ expected_info['info']['tenant'] = 'tenant-one'
 self.assertEqual(
- info, {
- "info": {
- "tenant": "tenant-one",
- "capabilities": {
- "job_history": False
- },
- "stats": {
- "url": self.stats_url,
- "prefix": self.stats_prefix,
- "type": "graphite",
- },
- "websocket_url": self.websocket_url,
+ info, expected_info)
+
+
+class TestWebCapabilitiesInfo(TestInfo):
+
+ config_file = 'zuul-admin-web-oidc.conf'
+
+ def _expected_info(self):
+ info = super(TestWebCapabilitiesInfo, self)._expected_info()
+ info['info']['capabilities']['auth'] = {
+ 'realms': {
+ 'myOIDC1': {
+ 'authority': 'http://oidc1',
+ 'client_id': 'zuul',
+ 'type': 'JWT',
+ 'scope': 'openid profile',
+ 'driver': 'OpenIDConnect',
+ },
+ 'myOIDC2': {
+ 'authority': 'http://oidc2',
+ 'client_id': 'zuul',
+ 'type': 'JWT',
+ 'scope': 'openid profile email special-scope',
+ 'driver': 'OpenIDConnect',
+ },
+ 'zuul.example.com': {
+ 'authority': 'zuul_operator',
+ 'client_id': 'zuul.example.com',
+ 'type': 'JWT',
+ 'driver': 'HS256',
 }
- })
+ },
+ 'default_realm': 'myOIDC1'
+ }
+ return info
 
 
 class TestTenantInfoConfigBroken(BaseTestWeb):
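Review bot: The `zuul.example.com` entry in `TestWebCapabilitiesInfo._expected_info` is the only thing keeping the fixture's HS256 `secret` (and `allow_authz_override`) out of the public `api/info` payload, and it does so implicitly through whole-dict equality in the inherited `test_info`/`test_tenant_info`. If a later change extends the realm entries and refreshes the expected dict from a live response, a leaked `secret` would be pinned as expected output instead of being caught. A dedicated test that walks every realm in the response and asserts the sensitive keys are absent states the intent directly, and keeps working even if the whole-dict comparison is loosened. The tail of `TestInfo.setUp` opens this hunk; its start is outside it.
```python
class TestWebCapabilitiesInfo(TestInfo):
    # … unchanged: config_file, _expected_info …

    def test_no_secrets_in_capabilities(self):
        # api/info is unauthenticated; the fixture's HS256 realm holds a
        # shared secret that must never be part of the published realm data.
        info = self.get_url("api/info").json()
        realms = info['info']['capabilities']['auth']['realms']
        for realm in realms.values():
            self.assertNotIn('secret', realm)
            self.assertNotIn('allow_authz_override', realm)
```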