feat(2): Q3.2 lasuite-drive SSO iteration — keycloak dep + OIDC test + MinIO storage round-trip

- recipe_meta: DEPS=[keycloak] enabled (base proven cold-green). - setup_custom_tests.sh: wire OIDC env (explicit keycloak realm endpoints) + insert oidc_rpcs secret at bumped version + clear FranceConnect eidas1 acr + in-place redeploy (adapted from the proven lasuite-docs hook). - functional/test_oidc_with_keycloak.py: SSO discovery + password grant + JWT claims vs dep keycloak realm 'lasuite-drive' (@requires_deps; F2-11 fails run on skip). - functional/test_minio_storage.py: §4.3 specific — drive-media-storage bucket present + real upload->list->download round-trip via mc inside the minio container. - PARITY.md: OIDC + MinIO rows landed; backup data-integrity (ci_marker) already real. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-28 22:28:35 +01:00
parent 5f1ce47593
commit 6557197858
5 changed files with 244 additions and 15 deletions
--- a/tests/lasuite-drive/functional/test_minio_storage.py
+++ b/tests/lasuite-drive/functional/test_minio_storage.py
@ -0,0 +1,61 @@
+"""lasuite-drive — Q3.2 recipe-specific functional test (plan §4.3: "upload a file to a workspace,
+list/download it; MinIO bucket present").
+
+Drive stores all uploaded documents in MinIO (S3) — the `minio` service, bucket `drive-media-storage`
+(created by the `minio-createbuckets` one-shot, versioning enabled). This exercises that storage
+backend end-to-end at the S3 layer: it (1) confirms the bucket exists, and (2) does a real
+upload → list → download round-trip and asserts the bytes survive.
+
+It runs `mc` (bundled in the minio/minio image) INSIDE the `minio` service container, authenticating
+with the in-container root creds (`/run/secrets/minio_{ru,rp}`) — the same path the recipe's own
+createbuckets job uses. No dep on keycloak, so it runs on the base deploy regardless of SSO state.
+
+NOT health-only: a drive whose object store is missing the bucket, or that can't persist/serve an
+object, fails here even though the SPA at `/` returns 200.
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+import uuid
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
+from harness import lifecycle  # noqa: E402
+
+BUCKET = "drive-media-storage"
+
+
+def _mc(domain: str, script: str) -> str:
+    """Run an `mc` shell script inside the minio container (root creds from /run/secrets)."""
+    prelude = (
+        'set -e; '
+        'U=$(cat /run/secrets/minio_ru); P=$(cat /run/secrets/minio_rp); '
+        'mc alias set ccci http://localhost:9000 "$U" "$P" >/dev/null 2>&1; '
+    )
+    return lifecycle.exec_in_app(domain, ["sh", "-c", prelude + script], service="minio")
+
+
+def test_minio_bucket_present_and_object_roundtrip(live_app):
+    domain = live_app  # per-run drive app domain
+
+    # 1) The drive media bucket exists (mc ls returns 0; set -e raises otherwise).
+    _mc(domain, f"mc ls ccci/{BUCKET} >/dev/null")
+
+    # 2) Real upload -> list -> download round-trip with a unique marker.
+    marker = f"ccci-drive-probe-{uuid.uuid4().hex}"
+    key = f"ccci-probe/{marker}.txt"
+    out = _mc(
+        domain,
+        # upload via stdin; list the object; read it back (tagged); then delete.
+        f'printf %s "{marker}" | mc pipe ccci/{BUCKET}/{key} >/dev/null 2>&1; '
+        f'mc ls ccci/{BUCKET}/{key}; '
+        f'echo "READBACK:$(mc cat ccci/{BUCKET}/{key})"; '
+        f'mc rm ccci/{BUCKET}/{key} >/dev/null 2>&1',
+    )
+
+    # The object was listed (its key appears) and its content round-tripped intact.
+    assert f"{marker}.txt" in out, f"uploaded object not listed in bucket: {out!r}"
+    assert f"READBACK:{marker}" in out, (
+        f"object content did not round-trip through MinIO; got: {out!r}"
+    )
--- a/tests/lasuite-drive/functional/test_oidc_with_keycloak.py
+++ b/tests/lasuite-drive/functional/test_oidc_with_keycloak.py
@ -0,0 +1,89 @@
+"""lasuite-drive — Q3.2 SSO-flow test (operator-2026-05-28 SSO-dep plan).
+
+Drive (La Suite Drive) is OIDC-required: login is gated by an external OpenID Connect provider.
+Mirrors the proven lasuite-docs SSO model:
+- The orchestrator deploys a per-run keycloak dep AFTER the generic tiers and provisions a fresh
+  realm/client/user via `harness.sso.setup_keycloak_realm`; `setup_custom_tests.sh` then wires the
+  OIDC env + client secret into the running drive app and redeploys. Creds land in `$CCCI_DEPS_FILE`
+  (read here via the `deps_creds` fixture).
+- This test consumes those creds and exercises the real OIDC flow against the dep keycloak: discovery
+  endpoint advertises the realm, and a password grant yields a valid JWT with the expected claims.
+- Marked `@pytest.mark.requires_deps` so if setup_custom_tests failed the test SKIPs with a clear
+  `deps-not-ready` reason — and (per F2-11) the orchestrator then fails the run rather than going
+  green on a skipped SSO test.
+
+SOURCE: adapted from tests/lasuite-docs/functional/test_oidc_with_keycloak.py (Q2.4 acceptance).
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import os
+import sys
+import time
+
+import pytest
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
+from harness import sso  # noqa: E402
+
+
+def _b64url_decode(seg: str) -> bytes:
+    pad = "=" * ((4 - len(seg) % 4) % 4)
+    return base64.urlsafe_b64decode(seg + pad)
+
+
+@pytest.mark.requires_deps
+def test_oidc_password_grant_against_dep_keycloak(live_app, deps_creds):
+    """The dep keycloak issues a JWT for the pre-provisioned test user via OIDC password grant."""
+    assert "keycloak" in deps_creds, (
+        f"keycloak creds not in deps_creds; got {list(deps_creds.keys())}. "
+        "setup_custom_tests should have populated this."
+    )
+    kc = deps_creds["keycloak"]
+
+    # Creds shape — orchestrator names the realm + client after the parent recipe.
+    assert kc["domain"]
+    assert kc["realm"] == "lasuite-drive"
+    assert kc["client_id"] == "lasuite-drive"
+    assert isinstance(kc["client_secret"], str) and len(kc["client_secret"]) >= 16
+    assert isinstance(kc["password"], str) and len(kc["password"]) >= 16
+
+    creds = {
+        "provider": "keycloak",
+        "provider_domain": kc["domain"],
+        "realm": kc["realm"],
+        "client_id": kc["client_id"],
+        "client_secret": kc["client_secret"],
+        "user": kc["user"],
+        "password": kc["password"],
+        "email": kc["email"],
+        "discovery_url": kc["discovery_url"],
+        "token_url": kc["token_url"],
+        "auth_url": kc["auth_url"],
+        "userinfo_url": kc["userinfo_url"],
+    }
+
+    # OIDC discovery endpoint advertises the realm
+    discovery = sso.assert_discovery_endpoint(creds)
+    expected_iss = f"https://{kc['domain']}/realms/{kc['realm']}"
+    assert discovery.get("issuer") == expected_iss
+    assert discovery.get("token_endpoint", "").startswith(expected_iss + "/")
+    assert discovery.get("authorization_endpoint", "").startswith(expected_iss + "/")
+
+    # Password grant → real JWT
+    token = sso.oidc_password_grant(creds)
+    assert isinstance(token, str) and token.count(".") == 2, (
+        f"access_token is not a JWT: {token!r}"
+    )
+    payload = json.loads(_b64url_decode(token.split(".")[1]))
+    assert payload.get("iss") == expected_iss, f"JWT iss={payload.get('iss')!r} != {expected_iss!r}"
+    assert payload.get("azp") == kc["client_id"], (
+        f"JWT azp={payload.get('azp')!r} != {kc['client_id']!r}"
+    )
+    assert payload.get("typ") == "Bearer", f"JWT typ={payload.get('typ')!r} != 'Bearer'"
+    exp = payload.get("exp")
+    assert isinstance(exp, int) and exp > time.time(), (
+        f"JWT exp={exp!r} not a future timestamp (now={time.time():.0f})"
+    )