authorMatthieu Huin <mhuin@redhat.com>2020-01-13 18:46:35 +0100
committerMatthieu Huin <mhuin@redhat.com>2020-03-27 16:47:21 +0000
commitb001fa8fa3cdcced6d1568ec107c2fb50ba8b6b6 (patch)
tree0d7ab512955a262cd69d20e408ded2bf58a2b185 /tests
parentb9f885e2a7e3fd4c44c53d22815d270ebeb41431 (diff)
downloadzuul-b001fa8fa3cdcced6d1568ec107c2fb50ba8b6b6.tar.gz
OIDCAuthenticator: add capabilities, scope option
The OIDC Authenticator can be configured to specify scope(s). By default, use scopes "openid profile", the smallest subset of scopes supported by all OpenID Connect Identity Providers. Add a basic capability register for the web service. This is simply meant to expose configuration details that can be public, so that other services (namely zuul web-app) can access them through the REST API. Fix capability 'job_history' by setting it to True if a SQL driver is active. Change-Id: I6ec0338cc0f7c0756c0cb26d6e5b3732c3ca655c
Diffstat (limited to 'tests')
-rw-r--r--tests/base.py2
-rw-r--r--tests/fixtures/zuul-admin-web-oidc.conf45
-rw-r--r--tests/unit/test_web.py86
3 files changed, 105 insertions, 28 deletions
diff --git a/tests/base.py b/tests/base.py
index aa43ab2e7..2412ceef9 100644
--- a/tests/base.py
+++ b/tests/base.py
@@ -3179,7 +3179,7 @@ class ZuulWebFixture(fixtures.Fixture):
self.authenticators = zuul.lib.auth.AuthenticatorRegistry()
self.authenticators.configure(config)
if info is None:
- self.info = zuul.model.WebInfo()
+ self.info = zuul.model.WebInfo.fromConfig(config)
else:
self.info = info
self.zk_hosts = zk_hosts
diff --git a/tests/fixtures/zuul-admin-web-oidc.conf b/tests/fixtures/zuul-admin-web-oidc.conf
new file mode 100644
index 000000000..33e5136b5
--- /dev/null
+++ b/tests/fixtures/zuul-admin-web-oidc.conf
@@ -0,0 +1,45 @@
+[gearman]
+server=127.0.0.1
+
+[scheduler]
+tenant_config=main.yaml
+relative_priority=true
+
+[merger]
+git_dir=/tmp/zuul-test/merger-git
+git_user_email=zuul@example.com
+git_user_name=zuul
+
+[executor]
+git_dir=/tmp/zuul-test/executor-git
+
+[connection gerrit]
+driver=gerrit
+server=review.example.com
+user=jenkins
+sshkey=fake_id_rsa_path
+
+[web]
+static_cache_expiry=1200
+
+[auth zuul_operator]
+driver=HS256
+allow_authz_override=true
+realm=zuul.example.com
+client_id=zuul.example.com
+issuer_id=zuul_operator
+secret=NoDanaOnlyZuul
+
+[auth myOIDC1]
+driver=OpenIDConnect
+realm=myOIDC1
+default=true
+client_id=zuul
+issuer_id=http://oidc1
+
+[auth myOIDC2]
+driver=OpenIDConnect
+realm=myOIDC2
+client_id=zuul
+issuer_id=http://oidc2
+scope=openid profile email special-scope
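Review bot: Nothing in this new fixture marks its values as test-only, and several would be unsafe if copied into a real deployment: `secret=NoDanaOnlyZuul` is a fixed HS256 signing secret, `allow_authz_override=true` is set on that same authenticator, and both OIDC `issuer_id` values are plain `http://` URLs. A header comment would help, for example `# Test fixture only: the fixed secret and http:// issuers are placeholders, not deployment guidance.` A second comment could state that `[auth myOIDC1]` omits `scope` on purpose, so the default (`openid profile` per the commit message) is exercised, while `[auth myOIDC2]` sets it explicitly.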
diff --git a/tests/unit/test_web.py b/tests/unit/test_web.py
index 200a50e39..c0695fa7b 100644
--- a/tests/unit/test_web.py
+++ b/tests/unit/test_web.py
@@ -969,7 +969,9 @@ class TestWebSecrets(BaseTestWeb):
self.assertEqual([secret], run[0]['secrets'])
-class TestInfo(BaseTestWeb):
+class TestInfo(ZuulDBTestCase, BaseTestWeb):
+
+ config_file = 'zuul-sql-driver.conf'
def setUp(self):
super(TestInfo, self).setUp()
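Review bot: With `TestInfo` switched to `config_file = 'zuul-sql-driver.conf'`, both info tests now expect `"job_history": True`, and no test visible in this diff still pins the `False` case for a setup without SQL reporting. `TestWebCapabilitiesInfo`, added further down, overrides `config_file` with `zuul-admin-web-oidc.conf`, whose only connection in this commit is `driver=gerrit`, yet it inherits `True` through `super()._expected_info()`. Presumably the capability follows something other than a configured SQL connection in that fixture; that should be confirmed and recorded in a comment, or the subclass should override the expected value. The class body continues outside this hunk.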
@@ -979,40 +981,70 @@ class TestInfo(BaseTestWeb):
statsd_config = self.config_ini_data.get('statsd', {})
self.stats_prefix = statsd_config.get('prefix')
+ def _expected_info(self):
+ return {
+ "info": {
+ "capabilities": {
+ "job_history": True,
+ "auth": {
+ "realms": {},
+ "default_realm": None
+ }
+ },
+ "stats": {
+ "url": self.stats_url,
+ "prefix": self.stats_prefix,
+ "type": "graphite",
+ },
+ "websocket_url": self.websocket_url,
+ }
+ }
+
def test_info(self):
info = self.get_url("api/info").json()
self.assertEqual(
- info, {
- "info": {
- "capabilities": {
- "job_history": False
- },
- "stats": {
- "url": self.stats_url,
- "prefix": self.stats_prefix,
- "type": "graphite",
- },
- "websocket_url": self.websocket_url,
- }
- })
+ info, self._expected_info())
def test_tenant_info(self):
info = self.get_url("api/tenant/tenant-one/info").json()
+ expected_info = self._expected_info()
+ expected_info['info']['tenant'] = 'tenant-one'
self.assertEqual(
- info, {
- "info": {
- "tenant": "tenant-one",
- "capabilities": {
- "job_history": False
- },
- "stats": {
- "url": self.stats_url,
- "prefix": self.stats_prefix,
- "type": "graphite",
- },
- "websocket_url": self.websocket_url,
+ info, expected_info)
+
+
+class TestWebCapabilitiesInfo(TestInfo):
+
+ config_file = 'zuul-admin-web-oidc.conf'
+
+ def _expected_info(self):
+ info = super(TestWebCapabilitiesInfo, self)._expected_info()
+ info['info']['capabilities']['auth'] = {
+ 'realms': {
+ 'myOIDC1': {
+ 'authority': 'http://oidc1',
+ 'client_id': 'zuul',
+ 'type': 'JWT',
+ 'scope': 'openid profile',
+ 'driver': 'OpenIDConnect',
+ },
+ 'myOIDC2': {
+ 'authority': 'http://oidc2',
+ 'client_id': 'zuul',
+ 'type': 'JWT',
+ 'scope': 'openid profile email special-scope',
+ 'driver': 'OpenIDConnect',
+ },
+ 'zuul.example.com': {
+ 'authority': 'zuul_operator',
+ 'client_id': 'zuul.example.com',
+ 'type': 'JWT',
+ 'driver': 'HS256',
}
- })
+ },
+ 'default_realm': 'myOIDC1'
+ }
+ return info
class TestTenantInfoConfigBroken(BaseTestWeb):
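Review bot: The `'zuul.example.com'` entry in `TestWebCapabilitiesInfo._expected_info` is the only guard here against the fixture's HS256 `secret` or `allow_authz_override` appearing in `api/info`, and it works only implicitly through exact dict equality. The commit message describes this register as configuration that can be public, so the intent deserves a comment such as `# HS256 realm: secret and allow_authz_override must never be exposed here`. An explicit check would be stronger, e.g. `self.assertNotIn('secret', realm)` for each `realm` in `info['info']['capabilities']['auth']['realms'].values()`. That keeps the guarantee if the comparison is later relaxed to a subset match.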