This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
Related to T3079
Details
Details
- Reviewers
anlambert - Group Reviewers
Reviewers - Maniphest Tasks
- T3079: Boostrap swh-auth module for authentication
- Commits
- rDAUTH63b28edb1f40: Expose a pytest plugin for swh.auth.keycloak
Diff Detail
Diff Detail
- Repository
- rDAUTH Common authentication libraries
- Lint
Automatic diff as part of commit; lint not applicable. - Unit
Automatic diff as part of commit; unit tests not applicable.
Event Timeline
Comment Actions
Build is green
Patch application report for D5194 (id=18579)
Could not rebase; Attempt merge onto a750b58718...
Updating a750b58..9d8e662 Fast-forward MANIFEST.in | 1 + conftest.py | 6 + swh/auth/pytest_plugin.py | 160 ++++++++++++++++++++++++ swh/auth/sample_data.py | 144 +++++++++++++++++++++ swh/auth/tests/conftest.py | 39 ------ swh/auth/tests/sample_data.py | 284 ------------------------------------------ swh/auth/tests/test_auth.py | 86 +++++++------ 7 files changed, 353 insertions(+), 367 deletions(-) create mode 100644 conftest.py create mode 100644 swh/auth/pytest_plugin.py create mode 100644 swh/auth/sample_data.py delete mode 100644 swh/auth/tests/conftest.py delete mode 100644 swh/auth/tests/sample_data.py
Changes applied before test
commit 9d8e662302a24a754cbc180d38dfe622a1a42f8f
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date: Wed Mar 3 18:47:31 2021 +0100
Expose a pytest plugin for swh.auth
This will be required for module depending on it
commit 2d3a37d54c4eff3c1421f2e9b093cf1c6118cdb5
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date: Wed Mar 3 17:41:29 2021 +0100
auth: Rework tests logic and add coverage to decode_token endpoint
This reworks the tests logic as well to reuse the way web tests are written.
This is a first step to actually use the mock class defined here as fixture for future
modules which will depend on swh-auth (swh-web-client, swh-web and swh-deposit).
Related to T3079See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/5/ for more details.
Comment Actions
I think you should leave the sample_data module inside the tests folder, create a keycloak_mock.py module (also in tests) containing the Keycloak mocked class and simply declare the keycloak_mock fixture in the pytest_plugin file.
Comment Actions
I think you should leave the sample_data module inside the tests folder, create a keycloak_mock.py module (also in tests) containing the Keycloak mocked class and simply declare the keycloak_mock fixture in the pytest_plugin file.
makes more sense than the current proposed diff, thanks
Comment Actions
Rework according to review
This:
- makes the factory even more generic.
- instantiates the fixture we want depending on sample data (which is defined only in swh.auth.tests only)
Comment Actions
Build is green
Patch application report for D5194 (id=18584)
Rebasing onto d2f211feb9...
Current branch diff-target is up to date.
Changes applied before test
commit 16d3e0ae12117e5b4a1e02baedc6781c15b33c57
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date: Wed Mar 3 18:47:31 2021 +0100
Expose a pytest plugin for swh.auth.keycloak
This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
Related to T3079See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/8/ for more details.
| swh/auth/tests/sample_data.py | ||
|---|---|---|
| 142 | unused ^ so i dropped it. | |
| swh/auth/tests/test_keycloak.py | ||
| 30 | i could also define this in ./conftest.py ^ [1] While it's more readable that way, it's still one more jump to do when on actually want to check up those variables ¯\_(ツ)_/¯. | |
Comment Actions
Update docstring on attributes missing explanation.
Fix sphinx typo :py:data: for module attribute [1]
[1] https://www.sphinx-doc.org/en/master/usage/restructuredtext/domains.html#python-roles
Comment Actions
Build is green
Patch application report for D5194 (id=18585)
Rebasing onto d2f211feb9...
Current branch diff-target is up to date.
Changes applied before test
commit e07dab6095ff8c6473201c1994914e69e7af55a4
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date: Wed Mar 3 18:47:31 2021 +0100
Expose a pytest plugin for swh.auth.keycloak
This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
Related to T3079See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/9/ for more details.
Comment Actions
See inline comment.
| swh/auth/pytest_plugin.py | ||
|---|---|---|
| 46–48 | I am not a big fan to provide those data as parameter of the Keycloak mock as it will complicate the writing of tests in client modules. I think it will be simpler to override the JWT data that Keycloak returns directly in the decode_token method. For instance, you can override the client_id value in the adequate fields of the decoded token. Nevertheless we can keep those parameters for flexibility in tests implementation but at least they should have default values taken from the sample_data module. | |
| swh/auth/pytest_plugin.py | ||
|---|---|---|
| 46–48 |
not really if one defines the mock instance they wants once
erf, "a pas compris" ¯\_(ツ)_/¯ I did not get it (yet?)
where should be the sample-data defined then? | |
Comment Actions
Adapt according to review/discussion
Allow re-definition of oidc_profile, user_info, raw_realm_public_key but let there be a
default from sample data.
When needed, the mock can be adapted so the decode_token method does the right and
expected thing for the tester.
Comment Actions
Build is green
Patch application report for D5194 (id=18601)
Rebasing onto d2f211feb9...
Current branch diff-target is up to date.
Changes applied before test
commit bbd8b85e21ae94275ca678396ca31a4cbd098159
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date: Wed Mar 3 18:47:31 2021 +0100
Expose a pytest plugin for swh.auth.keycloak
This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
Related to T3079See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/10/ for more details.
Comment Actions
Build is green
Patch application report for D5194 (id=18602)
Rebasing onto d2f211feb9...
Current branch diff-target is up to date.
Changes applied before test
commit 13c984d7089c6300d89e16259097f72d5ea738d2
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date: Wed Mar 3 18:47:31 2021 +0100
Expose a pytest plugin for swh.auth.keycloak
This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
Related to T3079See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/11/ for more details.
Comment Actions
Just a couple of small changes to add and we should be good here.
| swh/auth/pytest_plugin.py | ||
|---|---|---|
| 27–35 | You should also add some setter methods for those values. In a same manner than with the set_auth_success one, client of the fixture | |
| 108 | the azp field must also be set to self.client_id | |
| swh/auth/tests/sample_data.py | ||
| 7–8 | I think you can safely change the value to "client-id". | |
| swh/auth/pytest_plugin.py | ||
|---|---|---|
| 27–35 | I initially agreed, although i was unsure at how many setters you proposed (all, only a subset?). Now, i'm wondering if it's not enough that callers can simply use: instance.user_groups = wanted_user_groups instance.user_permissions = ... That sounds pythonic enough ^, what do you think? | |
| 46–48 | agreed and adapted according to antoine's suggestion btw | |
| 108 | good catch | |
| swh/auth/tests/sample_data.py | ||
| 7–8 | I thought so but the decode-token part is complaining about invalid audience Most likely the: super().decode_token(token, options) call which ends up with: jose.exceptions.JWTClaimsError: Invalid audience | |
| swh/auth/tests/sample_data.py | ||
|---|---|---|
| 7–8 | data from decoded-token: claims = {'acr': '1', 'allowed-origins': ['*'], 'aud': ['swh-web', 'account'], 'auth_time': 1582723100, ...}, audience = 'client-id' | |
| swh/auth/tests/sample_data.py | ||
|---|---|---|
| 7–8 | patching it to bypass that step works. | |
Comment Actions
Adapt according to suggestions:
- generic client id (means we add to patch a bit further the decoding-token step)
- fix azp key entry
I did not modify the setters yet.
Comment Actions
Build is green
Patch application report for D5194 (id=18610)
Rebasing onto d2f211feb9...
Current branch diff-target is up to date.
Changes applied before test
commit 31a3a4fc9e25ee823aeb41bd76cdc4957d286ec3
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date: Wed Mar 3 18:47:31 2021 +0100
Expose a pytest plugin for swh.auth.keycloak
This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
Related to T3079See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/12/ for more details.
Comment Actions
A small little change and we are good.
| swh/auth/pytest_plugin.py | ||
|---|---|---|
| 27–35 | Fair enough, this is equivalent indeed. Using methods could have allowed to pass datetime objects for the expiration date but not a big deal. | |
| 99–100 | Use option["verify_aud"] = False instead | |
| swh/auth/tests/sample_data.py | ||
| 7–8 | I also think we can bypass the audience check as the expiration date one by setting the verify_aud option for the decode_token method to False | |
| swh/auth/pytest_plugin.py | ||
|---|---|---|
| 99–100 | \o/ | |
| swh/auth/pytest_plugin.py | ||
|---|---|---|
| 99–100 | also "d'oh", that's what just before my eyes for the expiration check... | |
Comment Actions
Adapt according to last and way better implementation suggestion about the check
audience step (thanks!)
Comment Actions
Build is green
Patch application report for D5194 (id=18611)
Rebasing onto d2f211feb9...
Current branch diff-target is up to date.
Changes applied before test
commit 63b28edb1f40ddcfe16859156ee5c61ad9bc834b
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date: Wed Mar 3 18:47:31 2021 +0100
Expose a pytest plugin for swh.auth.keycloak
This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
Related to T3079See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/13/ for more details.