feat(2): Q3.3 lasuite-meet — install_steps (OIDC-at-install) + lifecycle overlays + health/OIDC parity tests
Mirrors lasuite-drive machinery (sibling La Suite recipe): install_steps.sh wires OIDC at install
(client_id from deps, scopes 'openid email'); ops.py + test_{install,upgrade,backup,restore}.py
lifecycle overlays (postgres meet/meet ci_marker data-integrity); functional/test_health_check.py
(parity) + test_oidc_with_keycloak.py (password-grant JWT vs dep keycloak, realm lasuite-meet-<6hex>).
§4.3 meeting_flow + webrtc specifics next (after install+OIDC validated). No setup_custom_tests.sh
(no post-deploy step — OIDC at install, no minio/collabora).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
26
tests/lasuite-meet/functional/test_health_check.py
Normal file
26
tests/lasuite-meet/functional/test_health_check.py
Normal file
@ -0,0 +1,26 @@
|
||||
"""lasuite-meet — parity port of recipe-maintainer's health_check.py (Phase 2 P2).
|
||||
|
||||
SOURCE: references/recipe-maintainer/recipe-info/lasuite-meet/tests/health_check.py
|
||||
|
||||
The original asserted HTTP 200 from `https://lasuite-meet.<DOMAIN_SUFFIX>`. The cc-ci port preserves
|
||||
the assertion shape — non-error HTTP from the served root — adapted to the ephemeral per-run domain
|
||||
via the `live_app` fixture. Runs in the custom tier against the shared post-install deployment."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import sys
|
||||
|
||||
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
|
||||
from harness import http as harness_http # noqa: E402
|
||||
|
||||
|
||||
def test_lasuite_meet_returns_200(live_app):
|
||||
"""Parity with recipe-info/lasuite-meet/tests/health_check.py: HTTP 200 from `/`."""
|
||||
url = f"https://{live_app}/"
|
||||
status, _ = harness_http.retry_http_get(
|
||||
url, expect_status=(200, 301, 302), max_wait=60, interval=3
|
||||
)
|
||||
assert status in (200, 301, 302), (
|
||||
f"lasuite-meet at {url} returned HTTP {status} (expected 200/301/302)"
|
||||
)
|
||||
92
tests/lasuite-meet/functional/test_oidc_with_keycloak.py
Normal file
92
tests/lasuite-meet/functional/test_oidc_with_keycloak.py
Normal file
@ -0,0 +1,92 @@
|
||||
"""lasuite-meet — Q3.3 SSO-flow test (operator-2026-05-28 SSO-dep plan).
|
||||
|
||||
Meet (La Suite Meet) is OIDC-required: login is gated by an external OpenID Connect provider.
|
||||
Mirrors the proven lasuite-docs SSO model:
|
||||
- The orchestrator deploys a per-run keycloak dep AFTER the generic tiers and provisions a fresh
|
||||
realm/client/user via `harness.sso.setup_keycloak_realm`; `setup_custom_tests.sh` then wires the
|
||||
OIDC env + client secret into the running drive app and redeploys. Creds land in `$CCCI_DEPS_FILE`
|
||||
(read here via the `deps_creds` fixture).
|
||||
- This test consumes those creds and exercises the real OIDC flow against the dep keycloak: discovery
|
||||
endpoint advertises the realm, and a password grant yields a valid JWT with the expected claims.
|
||||
- Marked `@pytest.mark.requires_deps` so if setup_custom_tests failed the test SKIPs with a clear
|
||||
`deps-not-ready` reason — and (per F2-11) the orchestrator then fails the run rather than going
|
||||
green on a skipped SSO test.
|
||||
|
||||
SOURCE: adapted from tests/lasuite-docs/functional/test_oidc_with_keycloak.py (Q2.4 acceptance).
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import base64
|
||||
import json
|
||||
import os
|
||||
import re
|
||||
import sys
|
||||
import time
|
||||
|
||||
import pytest
|
||||
|
||||
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
|
||||
from harness import sso # noqa: E402
|
||||
|
||||
|
||||
def _b64url_decode(seg: str) -> bytes:
|
||||
pad = "=" * ((4 - len(seg) % 4) % 4)
|
||||
return base64.urlsafe_b64decode(seg + pad)
|
||||
|
||||
|
||||
@pytest.mark.requires_deps
|
||||
def test_oidc_password_grant_against_dep_keycloak(live_app, deps_creds):
|
||||
"""The dep keycloak issues a JWT for the pre-provisioned test user via OIDC password grant."""
|
||||
assert "keycloak" in deps_creds, (
|
||||
f"keycloak creds not in deps_creds; got {list(deps_creds.keys())}. "
|
||||
"setup_custom_tests should have populated this."
|
||||
)
|
||||
kc = deps_creds["keycloak"]
|
||||
|
||||
# Creds shape. WC1: realm is per-run namespaced "<parent>-<6hex>"; client_id stays the parent.
|
||||
assert kc["domain"]
|
||||
assert re.fullmatch(r"lasuite-meet-[0-9a-f]{6}", kc["realm"]), (
|
||||
f"realm {kc['realm']!r} not the per-run namespaced form lasuite-meet-<6hex>"
|
||||
)
|
||||
assert kc["client_id"] == "lasuite-meet"
|
||||
assert isinstance(kc["client_secret"], str) and len(kc["client_secret"]) >= 16
|
||||
assert isinstance(kc["password"], str) and len(kc["password"]) >= 16
|
||||
|
||||
creds = {
|
||||
"provider": "keycloak",
|
||||
"provider_domain": kc["domain"],
|
||||
"realm": kc["realm"],
|
||||
"client_id": kc["client_id"],
|
||||
"client_secret": kc["client_secret"],
|
||||
"user": kc["user"],
|
||||
"password": kc["password"],
|
||||
"email": kc["email"],
|
||||
"discovery_url": kc["discovery_url"],
|
||||
"token_url": kc["token_url"],
|
||||
"auth_url": kc["auth_url"],
|
||||
"userinfo_url": kc["userinfo_url"],
|
||||
}
|
||||
|
||||
# OIDC discovery endpoint advertises the realm
|
||||
discovery = sso.assert_discovery_endpoint(creds)
|
||||
expected_iss = f"https://{kc['domain']}/realms/{kc['realm']}"
|
||||
assert discovery.get("issuer") == expected_iss
|
||||
assert discovery.get("token_endpoint", "").startswith(expected_iss + "/")
|
||||
assert discovery.get("authorization_endpoint", "").startswith(expected_iss + "/")
|
||||
|
||||
# Password grant → real JWT
|
||||
token = sso.oidc_password_grant(creds)
|
||||
assert isinstance(token, str) and token.count(".") == 2, (
|
||||
f"access_token is not a JWT: {token!r}"
|
||||
)
|
||||
payload = json.loads(_b64url_decode(token.split(".")[1]))
|
||||
assert payload.get("iss") == expected_iss, f"JWT iss={payload.get('iss')!r} != {expected_iss!r}"
|
||||
assert payload.get("azp") == kc["client_id"], (
|
||||
f"JWT azp={payload.get('azp')!r} != {kc['client_id']!r}"
|
||||
)
|
||||
assert payload.get("typ") == "Bearer", f"JWT typ={payload.get('typ')!r} != 'Bearer'"
|
||||
exp = payload.get("exp")
|
||||
assert isinstance(exp, int) and exp > time.time(), (
|
||||
f"JWT exp={exp!r} not a future timestamp (now={time.time():.0f})"
|
||||
)
|
||||
Reference in New Issue
Block a user