feat(2): Q2.4 acceptance — lasuite-docs + keycloak dep + OIDC password grant (cold green)
- tests/lasuite-docs/recipe_meta.py: DEPS = ['keycloak'] declares the SSO provider dep.
Orchestrator deploys a per-run keycloak BEFORE lasuite-docs (Q2.3 dep resolver) and tears it
down AFTER in finally.
- tests/lasuite-docs/functional/test_oidc_with_keycloak.py: Q2 gate acceptance test.
- Asserts deps_apps['keycloak'] is the per-run dep domain.
- Calls harness.sso.setup_keycloak_realm to create realm/client/test-user idempotently.
- GET /.well-known/openid-configuration; asserts issuer = https://<kc>/realms/lasuite-docs.
- harness.sso.oidc_password_grant: password-grant flow; asserts the JWT iss/azp/typ/exp.
- Non-vacuous: each step uses real per-run-generated creds (class-B per §4.4-B), would fail
on broken admin API / token endpoint / wrong claims.
Cold-verifiable on cc-ci (log /root/ccci-q24-lasuite-keycloak.log):
RECIPE=lasuite-docs STAGES=install,custom cc-ci-run runner/run_recipe_ci.py
===== DEPS: ['keycloak'] =====
dep: deploying keycloak -> keyc-c12afe.ci.commoninternet.net
dep: keycloak ready @ keyc-c12afe.ci.commoninternet.net
===== TIER: install ===== 2 PASS (generic + cc-ci overlay)
===== TIER: custom ===== 1 PASS (test_oidc_password_grant_against_dep_keycloak)
===== DEPS teardown =====
===== RUN SUMMARY =====
deploy-count = 2 (expect 2) # 1 parent + 1 dep
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@ -8,6 +8,12 @@ HEALTH_OK = (200, 301, 302)
|
||||
DEPLOY_TIMEOUT = 900
|
||||
HTTP_TIMEOUT = 600
|
||||
|
||||
# Phase 2 Q2.3 deps: lasuite-docs's recipe-maintainer corpus declares `requires = ["keycloak"]`.
|
||||
# Declaring it here makes the orchestrator deploy a per-run keycloak BEFORE lasuite-docs so the
|
||||
# OIDC-flow functional test (`functional/test_oidc_with_keycloak.py`) can run against a real
|
||||
# provider in the same run. The dep is undeployed AFTER the parent in the orchestrator's `finally`.
|
||||
DEPS = ["keycloak"]
|
||||
|
||||
|
||||
def EXTRA_ENV(domain):
|
||||
# abra's internal per-deploy convergence timeout (the recipe's TIMEOUT env, default 300s) is too
|
||||
|
||||
Reference in New Issue
Block a user