"""lasuite-docs — Q2 SSO-flow acceptance test (operator-2026-05-28 SSO-dep plan). Refactored to the refined SSO-dep model: - The orchestrator deploys a per-run keycloak dep AFTER generic tiers and provisions a fresh realm/client/user via `harness.sso.setup_keycloak_realm`. The creds are written to `$CCCI_DEPS_FILE` (read here via the `deps_creds` fixture). - This test no longer calls `setup_keycloak_realm` itself — that's the orchestrator's job in the setup_custom_tests step. We just consume the credentials and exercise the OIDC flow. - Marked `@pytest.mark.requires_deps` so if setup_custom_tests failed, this test SKIPs with a clear `deps-not-ready` reason rather than red-flagging a non-recipe failure. """ from __future__ import annotations import base64 import json import os import re import sys import time import pytest sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner")) from harness import sso # noqa: E402 def _b64url_decode(seg: str) -> bytes: pad = "=" * ((4 - len(seg) % 4) % 4) return base64.urlsafe_b64decode(seg + pad) @pytest.mark.requires_deps def test_oidc_password_grant_against_dep_keycloak(live_app, deps_creds): """The dep keycloak issues a JWT for the pre-provisioned test user via OIDC password grant.""" assert "keycloak" in deps_creds, ( f"keycloak creds not in deps_creds; got {list(deps_creds.keys())}. " "setup_custom_tests should have populated this." ) kc = deps_creds["keycloak"] # Sanity-check the creds shape — orchestrator-written assert kc["domain"] # WC1: realm is per-run namespaced "-<6hex>" so concurrent dependents never collide. assert re.fullmatch(r"lasuite-docs-[0-9a-f]{6}", kc["realm"]), ( f"realm {kc['realm']!r} not the per-run namespaced form lasuite-docs-<6hex>" ) assert kc["client_id"] == "lasuite-docs" assert isinstance(kc["client_secret"], str) and len(kc["client_secret"]) >= 16 assert isinstance(kc["password"], str) and len(kc["password"]) >= 16 # Build a creds dict in the shape sso.* primitives expect creds = { "provider": "keycloak", "provider_domain": kc["domain"], "realm": kc["realm"], "client_id": kc["client_id"], "client_secret": kc["client_secret"], "user": kc["user"], "password": kc["password"], "email": kc["email"], "discovery_url": kc["discovery_url"], "token_url": kc["token_url"], "auth_url": kc["auth_url"], "userinfo_url": kc["userinfo_url"], } # OIDC discovery endpoint advertises the realm discovery = sso.assert_discovery_endpoint(creds) expected_iss = f"https://{kc['domain']}/realms/{kc['realm']}" assert discovery.get("issuer") == expected_iss assert discovery.get("token_endpoint", "").startswith(expected_iss + "/") assert discovery.get("authorization_endpoint", "").startswith(expected_iss + "/") # Password grant → real JWT token = sso.oidc_password_grant(creds) assert isinstance(token, str) and token.count(".") == 2, ( f"access_token is not a JWT: {token!r}" ) payload = json.loads(_b64url_decode(token.split(".")[1])) assert payload.get("iss") == expected_iss, f"JWT iss={payload.get('iss')!r} != {expected_iss!r}" assert payload.get("azp") == kc["client_id"], ( f"JWT azp={payload.get('azp')!r} != {kc['client_id']!r}" ) assert payload.get("typ") == "Bearer", f"JWT typ={payload.get('typ')!r} != 'Bearer'" exp = payload.get("exp") assert isinstance(exp, int) and exp > time.time(), ( f"JWT exp={exp!r} not a future timestamp (now={time.time():.0f})" )