Page MenuHomeSoftware Heritage

Expose a pytest plugin for swh.auth.keycloak
ClosedPublic

Authored by ardumont on Mar 3 2021, 6:50 PM.

Details

Summary

This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)

Related to T3079

Diff Detail

Event Timeline

Build is green

Patch application report for D5194 (id=18579)

Could not rebase; Attempt merge onto a750b58718...

Updating a750b58..9d8e662
Fast-forward
 MANIFEST.in                   |   1 +
 conftest.py                   |   6 +
 swh/auth/pytest_plugin.py     | 160 ++++++++++++++++++++++++
 swh/auth/sample_data.py       | 144 +++++++++++++++++++++
 swh/auth/tests/conftest.py    |  39 ------
 swh/auth/tests/sample_data.py | 284 ------------------------------------------
 swh/auth/tests/test_auth.py   |  86 +++++++------
 7 files changed, 353 insertions(+), 367 deletions(-)
 create mode 100644 conftest.py
 create mode 100644 swh/auth/pytest_plugin.py
 create mode 100644 swh/auth/sample_data.py
 delete mode 100644 swh/auth/tests/conftest.py
 delete mode 100644 swh/auth/tests/sample_data.py
Changes applied before test
commit 9d8e662302a24a754cbc180d38dfe622a1a42f8f
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date:   Wed Mar 3 18:47:31 2021 +0100

    Expose a pytest plugin for swh.auth
    
    This will be required for module depending on it

commit 2d3a37d54c4eff3c1421f2e9b093cf1c6118cdb5
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date:   Wed Mar 3 17:41:29 2021 +0100

    auth: Rework tests logic and add coverage to decode_token endpoint
    
    This reworks the tests logic as well to reuse the way web tests are written.
    
    This is a first step to actually use the mock class defined here as fixture for future
    modules which will depend on swh-auth (swh-web-client, swh-web and swh-deposit).
    
    Related to T3079

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/5/ for more details.

I think you should leave the sample_data module inside the tests folder, create a keycloak_mock.py module (also in tests) containing the Keycloak mocked class and simply declare the keycloak_mock fixture in the pytest_plugin file.

I think you should leave the sample_data module inside the tests folder, create a keycloak_mock.py module (also in tests) containing the Keycloak mocked class and simply declare the keycloak_mock fixture in the pytest_plugin file.

makes more sense than the current proposed diff, thanks

I think you should leave the sample_data module inside the tests folder, create a keycloak_mock.py module (also in tests) containing the Keycloak mocked class and simply declare the keycloak_mock fixture in the pytest_plugin file.

makes more sense than the current proposed diff, thanks

mmm, except we have some hard-coded sample like USER_INFO, OIDC_PROFILE, ...

Rework according to review

This:

  • makes the factory even more generic.
  • instantiates the fixture we want depending on sample data (which is defined only in swh.auth.tests only)

Build is green

Patch application report for D5194 (id=18584)

Rebasing onto d2f211feb9...

Current branch diff-target is up to date.
Changes applied before test
commit 16d3e0ae12117e5b4a1e02baedc6781c15b33c57
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date:   Wed Mar 3 18:47:31 2021 +0100

    Expose a pytest plugin for swh.auth.keycloak
    
    This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
    
    Related to T3079

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/8/ for more details.

swh/auth/tests/sample_data.py
142

unused ^ so i dropped it.

swh/auth/tests/test_keycloak.py
31

i could also define this in ./conftest.py ^
But i thought to leave it here so it avoids one more indirection (sample_data got split up already [1])

[1] While it's more readable that way, it's still one more jump to do when on actually want to check up those variables ¯\_(ツ)_/¯.

ardumont retitled this revision from Expose a pytest plugin for swh.auth to Expose a pytest plugin for swh.auth.keycloak.Mar 4 2021, 10:25 AM
ardumont edited the summary of this revision. (Show Details)
ardumont edited the summary of this revision. (Show Details)

Update docstring on attributes missing explanation.

Fix sphinx typo :py:data: for module attribute [1]

[1] https://www.sphinx-doc.org/en/master/usage/restructuredtext/domains.html#python-roles

Build is green

Patch application report for D5194 (id=18585)

Rebasing onto d2f211feb9...

Current branch diff-target is up to date.
Changes applied before test
commit e07dab6095ff8c6473201c1994914e69e7af55a4
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date:   Wed Mar 3 18:47:31 2021 +0100

    Expose a pytest plugin for swh.auth.keycloak
    
    This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
    
    Related to T3079

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/9/ for more details.

See inline comment.

swh/auth/pytest_plugin.py
41–43

I am not a big fan to provide those data as parameter of the Keycloak mock as it will complicate the writing of tests in client modules.

I think it will be simpler to override the JWT data that Keycloak returns directly in the decode_token method. For instance, you can override the client_id value in the adequate fields of the decoded token.

Nevertheless we can keep those parameters for flexibility in tests implementation but at least they should have default values taken from the sample_data module.

This revision now requires changes to proceed.Mar 4 2021, 12:23 PM
swh/auth/pytest_plugin.py
41–43

I am not a big fan to provide those data as parameter of the Keycloak mock as it will complicate the writing of tests in client modules.

not really if one defines the mock instance they wants once
and use that all around in their tests?

I think it will be simpler to override the JWT data that Keycloak returns directly in the decode_token method. For instance, you can override the client_id value in the adequate fields of the decoded token.

erf, "a pas compris" ¯\_(ツ)_/¯

I did not get it (yet?)

Nevertheless we can keep those parameters for flexibility in tests implementation but at least they should have default values taken from the sample_data module

where should be the sample-data defined then?
(It's currently in test to not expose it in the main swh.auth tree)

Adapt according to review/discussion

Allow re-definition of oidc_profile, user_info, raw_realm_public_key but let there be a
default from sample data.

When needed, the mock can be adapted so the decode_token method does the right and
expected thing for the tester.

Build is green

Patch application report for D5194 (id=18601)

Rebasing onto d2f211feb9...

Current branch diff-target is up to date.
Changes applied before test
commit bbd8b85e21ae94275ca678396ca31a4cbd098159
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date:   Wed Mar 3 18:47:31 2021 +0100

    Expose a pytest plugin for swh.auth.keycloak
    
    This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
    
    Related to T3079

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/10/ for more details.

Add missing type on user groups and permissions

Build is green

Patch application report for D5194 (id=18602)

Rebasing onto d2f211feb9...

Current branch diff-target is up to date.
Changes applied before test
commit 13c984d7089c6300d89e16259097f72d5ea738d2
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date:   Wed Mar 3 18:47:31 2021 +0100

    Expose a pytest plugin for swh.auth.keycloak
    
    This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
    
    Related to T3079

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/11/ for more details.

Just a couple of small changes to add and we should be good here.

swh/auth/pytest_plugin.py
22–29

You should also add some setter methods for those values.

In a same manner than with the set_auth_success one, client of the fixture
will simply call these methods at the beginning of their test to override
groups, permissions or token expiration date..

101

the azp field must also be set to self.client_id

swh/auth/tests/sample_data.py
8

I think you can safely change the value to "client-id".

This revision now requires changes to proceed.Mar 4 2021, 3:44 PM
ardumont added inline comments.
swh/auth/pytest_plugin.py
22–29

I initially agreed, although i was unsure at how many setters you proposed (all, only a subset?).

Now, i'm wondering if it's not enough that callers can simply use:

instance.user_groups = wanted_user_groups
instance.user_permissions = ...

That sounds pythonic enough ^, what do you think?

41–43

agreed and adapted according to antoine's suggestion btw

101

good catch

swh/auth/tests/sample_data.py
8

I thought so but the decode-token part is complaining about invalid audience

Most likely the:

super().decode_token(token, options)

call which ends up with:

jose.exceptions.JWTClaimsError: Invalid audience
swh/auth/tests/sample_data.py
8

data from decoded-token:

claims = {'acr': '1', 'allowed-origins': ['*'], 'aud': ['swh-web', 'account'], 'auth_time': 1582723100, ...}, audience = 'client-id'
swh/auth/tests/sample_data.py
8

patching it to bypass that step works.

Adapt according to suggestions:

  • generic client id (means we add to patch a bit further the decoding-token step)
  • fix azp key entry

I did not modify the setters yet.

Build is green

Patch application report for D5194 (id=18610)

Rebasing onto d2f211feb9...

Current branch diff-target is up to date.
Changes applied before test
commit 31a3a4fc9e25ee823aeb41bd76cdc4957d286ec3
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date:   Wed Mar 3 18:47:31 2021 +0100

    Expose a pytest plugin for swh.auth.keycloak
    
    This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
    
    Related to T3079

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/12/ for more details.

A small little change and we are good.

swh/auth/pytest_plugin.py
22–29

Fair enough, this is equivalent indeed. Using methods could have allowed to pass datetime objects for the expiration date but not a big deal.

92–93

Use option["verify_aud"] = False instead

swh/auth/tests/sample_data.py
8

I also think we can bypass the audience check as the expiration date one by setting the verify_aud option for the decode_token method to False

This revision now requires changes to proceed.Mar 4 2021, 5:26 PM
swh/auth/pytest_plugin.py
92–93

\o/
way better, thanks.

swh/auth/pytest_plugin.py
92–93

also "d'oh", that's what just before my eyes for the expiration check...

Adapt according to last and way better implementation suggestion about the check
audience step (thanks!)

Build is green

Patch application report for D5194 (id=18611)

Rebasing onto d2f211feb9...

Current branch diff-target is up to date.
Changes applied before test
commit 63b28edb1f40ddcfe16859156ee5c61ad9bc834b
Author: Antoine R. Dumont (@ardumont) <antoine.romain.dumont@gmail.com>
Date:   Wed Mar 3 18:47:31 2021 +0100

    Expose a pytest plugin for swh.auth.keycloak
    
    This will be required for modules depending on it (swh.web, swh.web.client, swh.deposit)
    
    Related to T3079

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/13/ for more details.

This revision is now accepted and ready to land.Mar 4 2021, 5:38 PM