Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use OIDC auth for jenkins test user #6

Closed
soxofaan opened this issue Apr 12, 2023 · 3 comments
Closed

Use OIDC auth for jenkins test user #6

soxofaan opened this issue Apr 12, 2023 · 3 comments
Assignees
@soxofaan

Comments

@soxofaan
Copy link
Member

Current integration tests use basic auth.

We should switch to OIDC auth, which is good test use case for client credentials (aka service accounts) because of pure machine-to-machine communication: Open-EO/openeo-python-driver#168
@soxofaan soxofaan self-assigned this Apr 12, 2023
@soxofaan soxofaan changed the title Use OIDC auth for test user Use OIDC auth for jenkins test user Apr 12, 2023
soxofaan added a commit that referenced this issue Apr 12, 2023
@soxofaan
Issue #6 initial attempt to use client credentials auth from integrat…
b23e1d0 
…ion tests
soxofaan added a commit to Open-EO/openeo-python-driver that referenced this issue Apr 18, 2023
@soxofaan
Start with (file) config system for openeo_driver
d46daf6 
related to #168, Open-EO/openeo-geopyspark-integrationtests#6
@soxofaan soxofaan mentioned this issue Apr 19, 2023
Closed
soxofaan added a commit that referenced this issue Apr 24, 2023
@soxofaan
test_oidc_client_credentials: expect user mapping
b5c46d0 
refs: Open-EO/openeo-python-driver#168 #6
soxofaan added a commit that referenced this issue Apr 24, 2023
@soxofaan
Issue #6 also try to run batch job from client creds
f529b5a
soxofaan added a commit that referenced this issue Apr 27, 2023
@soxofaan
Issue #6: introduce fixtures for connection with client credentials auth
ffe1d7e
soxofaan added a commit that referenced this issue Apr 28, 2023
@soxofaan
Issue #6 disable getting vault token from env for now
d2ba511 
Jenkins run env apparently has some authenticated vault user already, preventing the desired `openeo` user to access `TAP/big_data_services/openeo/jenkins-service-account`
soxofaan added a commit that referenced this issue Apr 28, 2023
@soxofaan
Issue #6 disable client credential auth tests for now
ed34308
soxofaan added a commit that referenced this issue Apr 28, 2023
@soxofaan
Issue #6 another approach to introduce client credentials auth for je…
c683cba 
…nkins

Don't do Vault logic from test suite itself
handle this in Jenkinsfile (through vault support in jenkinslib)
and pass through with env vars
soxofaan added a commit that referenced this issue Apr 28, 2023
@soxofaan
Issue #6: add support for auth with OIDC refresh tokens + device code
167e37f 
for local development
soxofaan added a commit that referenced this issue Apr 28, 2023
@soxofaan
Issue #6 add a bit of documentation about new auth approach
df6da39
soxofaan added a commit that referenced this issue Apr 28, 2023
@soxofaan
fixup! Issue #6: add support for auth with OIDC refresh tokens + devi…
b6083d1 
…ce code
soxofaan added a commit that referenced this issue May 2, 2023
@soxofaan
Issue #6 dummy test to see logging of auth_connection2 fixture setup
93d49f1
soxofaan added a commit that referenced this issue May 2, 2023
@soxofaan
Revert "Issue #6 dummy test to see logging of auth_connection2 fixtur…
8c0ff47 
…e setup"

This reverts commit 93d49f1.
soxofaan added a commit that referenced this issue May 2, 2023
@soxofaan
fixup! Issue #6: add support for auth with OIDC refresh tokens + devi…
689abc4 
…ce code
soxofaan added a commit that referenced this issue May 2, 2023
@soxofaan
Issue #6 Let's see if OPENEO_JENKINS_SERVICE_ACCOUNT_ env vars are se…
2c41760 
…t now
soxofaan added a commit that referenced this issue May 3, 2023
@soxofaan
Issue #6: drop basic auth safeguard from auth_connection2
83491a9
soxofaan added a commit that referenced this issue May 3, 2023
@soxofaan
Issue #6 fully replace basic auth with OIDC auth
9512f5b
@soxofaan
Copy link
Member Author

soxofaan commented May 4, 2023

fully switched auth in integration tests to client credentials

@soxofaan soxofaan closed this as completed May 4, 2023
soxofaan added a commit that referenced this issue May 9, 2023
@soxofaan
Issue #6 fully replace basic auth with OIDC auth for real now
41f0d85
@soxofaan
Copy link
Member Author

openeo python client 0.18.0 now has client credentials support from con.authenticate_oidc, so better switch to that instead of custom implementation

@soxofaan soxofaan reopened this May 31, 2023
soxofaan added a commit that referenced this issue May 31, 2023
@soxofaan
auth_connection: just use authenticate_oidc with builtin client crede…
e3fd7e8 
…ntials support

(since openeo python client 0.18.0)

#6
@soxofaan
Copy link
Member Author

done

@soxofaan soxofaan mentioned this issue Jul 13, 2023
Closed
bossie pushed a commit that referenced this issue Mar 12, 2024
update test_auth_jenkins_oidc_client_credentials_me
ad4aeec 
def test_auth_jenkins_oidc_client_credentials_me(connection, auth_connection):
        """
        WIP for #6: OIDC Client Credentials auth for jenkins user
        """
        # TODO: skip this test automatically when not running in Jenkins context?
        me = connection.describe_account()
        _log.info(f"connection.describe_account -> {me=}")
>       assert me["user_id"] == "openeo-jenkins-service-account"
E       AssertionError: assert 1ff4f5cf-95c...-b5096d95006a == openeo-jenki...rvice-account
E
E         - openeo-jenkins-service-account
E         + 1ff4f5cf-95cc-4bbb-ad8f-b5096d95006a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@soxofaan soxofaan

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@soxofaan