feat(cfold): canonicalize custom test layout
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
87
tests/lasuite-docs/custom/test_oidc_with_keycloak.py
Normal file
87
tests/lasuite-docs/custom/test_oidc_with_keycloak.py
Normal file
@ -0,0 +1,87 @@
|
||||
"""lasuite-docs — Q2 SSO-flow acceptance test (operator-2026-05-28 SSO-dep plan).
|
||||
|
||||
Refactored to the refined SSO-dep model:
|
||||
- The orchestrator deploys a per-run keycloak dep AFTER generic tiers and provisions a fresh
|
||||
realm/client/user via `harness.sso.setup_keycloak_realm`. The creds are written to
|
||||
`$CCCI_DEPS_FILE` (read here via the `deps` fixture).
|
||||
- This test no longer calls `setup_keycloak_realm` itself — that's the orchestrator's job in
|
||||
the dep-provisioning step. We just consume the credentials and exercise the OIDC flow.
|
||||
- Marked `@pytest.mark.requires_deps` so if dep provisioning failed, this test SKIPs with a
|
||||
clear `deps-not-ready` reason rather than red-flagging a non-recipe failure.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import base64
|
||||
import json
|
||||
import os
|
||||
import re
|
||||
import sys
|
||||
import time
|
||||
|
||||
import pytest
|
||||
|
||||
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
|
||||
from harness import sso # noqa: E402
|
||||
|
||||
|
||||
def _b64url_decode(seg: str) -> bytes:
|
||||
pad = "=" * ((4 - len(seg) % 4) % 4)
|
||||
return base64.urlsafe_b64decode(seg + pad)
|
||||
|
||||
|
||||
@pytest.mark.requires_deps
|
||||
def test_oidc_password_grant_against_dep_keycloak(live_app, deps):
|
||||
"""The dep keycloak issues a JWT for the pre-provisioned test user via OIDC password grant."""
|
||||
assert "keycloak" in deps, (
|
||||
f"keycloak creds not in deps; got {list(deps.keys())}. "
|
||||
"dep provisioning should have populated this."
|
||||
)
|
||||
kc = deps["keycloak"]
|
||||
|
||||
# Sanity-check the creds shape — orchestrator-written
|
||||
assert kc["domain"]
|
||||
# WC1: realm is per-run namespaced "<parent>-<6hex>" so concurrent dependents never collide.
|
||||
assert re.fullmatch(
|
||||
r"lasuite-docs-[0-9a-f]{6}", kc["realm"]
|
||||
), f"realm {kc['realm']!r} not the per-run namespaced form lasuite-docs-<6hex>"
|
||||
assert kc["client_id"] == "lasuite-docs"
|
||||
assert isinstance(kc["client_secret"], str) and len(kc["client_secret"]) >= 16
|
||||
assert isinstance(kc["password"], str) and len(kc["password"]) >= 16
|
||||
|
||||
# Build a creds dict in the shape sso.* primitives expect
|
||||
creds = {
|
||||
"provider": "keycloak",
|
||||
"provider_domain": kc["domain"],
|
||||
"realm": kc["realm"],
|
||||
"client_id": kc["client_id"],
|
||||
"client_secret": kc["client_secret"],
|
||||
"user": kc["user"],
|
||||
"password": kc["password"],
|
||||
"email": kc["email"],
|
||||
"discovery_url": kc["discovery_url"],
|
||||
"token_url": kc["token_url"],
|
||||
"auth_url": kc["auth_url"],
|
||||
"userinfo_url": kc["userinfo_url"],
|
||||
}
|
||||
|
||||
# OIDC discovery endpoint advertises the realm
|
||||
discovery = sso.assert_discovery_endpoint(creds)
|
||||
expected_iss = f"https://{kc['domain']}/realms/{kc['realm']}"
|
||||
assert discovery.get("issuer") == expected_iss
|
||||
assert discovery.get("token_endpoint", "").startswith(expected_iss + "/")
|
||||
assert discovery.get("authorization_endpoint", "").startswith(expected_iss + "/")
|
||||
|
||||
# Password grant → real JWT
|
||||
token = sso.oidc_password_grant(creds)
|
||||
assert isinstance(token, str) and token.count(".") == 2, f"access_token is not a JWT: {token!r}"
|
||||
payload = json.loads(_b64url_decode(token.split(".")[1]))
|
||||
assert payload.get("iss") == expected_iss, f"JWT iss={payload.get('iss')!r} != {expected_iss!r}"
|
||||
assert (
|
||||
payload.get("azp") == kc["client_id"]
|
||||
), f"JWT azp={payload.get('azp')!r} != {kc['client_id']!r}"
|
||||
assert payload.get("typ") == "Bearer", f"JWT typ={payload.get('typ')!r} != 'Bearer'"
|
||||
exp = payload.get("exp")
|
||||
assert (
|
||||
isinstance(exp, int) and exp > time.time()
|
||||
), f"JWT exp={exp!r} not a future timestamp (now={time.time():.0f})"
|
||||
Reference in New Issue
Block a user