This commit introduces OpenID Connect (OIDC) authentication
support to the DCManager API, allowing requests to be authenticated
using either Keystone tokens or OIDC tokens.
Behavior overview:
- The REST API will authenticate using Keystone when the
`X-Auth-Token` header is provided (existing behavior).
- When the `OIDC-Token` header is provided, OIDC authentication
is performed instead.
- If both tokens are present, default to Keystone authentication.
For OIDC authentication:
- The REST API retrieves OIDC IDP configuration parameters from
`system service-parameters` under `kube-apiserver`:
- `oidc-issuer-url`
- `oidc-client-id`
- `oidc-username-claim`
- `oidc-groups-claim`
- If OIDC parameters are not configured, authentication fails
with an unauthenticated response.
- If configured, the REST API validates the OIDC token with the
IDP issuer and extracts claims.
- OIDC arguments and claims are cached.
- External users and groups are mapped to internal
Project+Role tuples based on StarlingX rolebindings.
Test Plan:
PASS: Authenticate REST API requests with Keystone (`X-Auth-Token`).
PASS: Authenticate REST API requests with OIDC (`OIDC-Token`).
PASS: Verify Keystone is used when both tokens are present.
PASS: Verify unauthenticated response when OIDC parameters are
missing.
PASS: Validate token claims and role mappings are applied correctly.
PASS: Confirm cached tokens continue to authorize during temporary
IDP connectivity loss.
PASS: Force OIDC token validation to return claims as None and verify
the API returns a NotAuthorized exception.
Depends-On: https://review.opendev.org/c/starlingx/integ/+/970455
Story: 2011646
Task: 53594
Change-Id: I830084fcad9b6413477e703514325030c7dc58a2
Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
[tox]
|
|
envlist = py39,pep8,pylint,black
|
|
minversion = 4.4.0
|
|
skipsdist = True
|
|
|
|
# move tox work directory out of the source tree
|
|
toxworkdir = /tmp/{env:USER}_dctox
|
|
|
|
[dc]
|
|
stx_config_dir = ../../config
|
|
stx_fault_dir = ../../fault
|
|
|
|
cgtsclient_src_dir = {[dc]stx_config_dir}/sysinv/cgts-client/cgts-client
|
|
fmclient_src_dir = {[dc]stx_fault_dir}/python-fmclient/fmclient
|
|
fm_api_src_dir = {[dc]stx_fault_dir}/fm-api/source
|
|
nfv_client_src_dir = ../../nfv/nfv/nfv-client
|
|
tsconfig_src_dir = {[dc]stx_config_dir}/tsconfig/tsconfig
|
|
software_src_dir = ../../update/software
|
|
sysinv_src_dir = {[dc]stx_config_dir}/sysinv/sysinv/sysinv
|
|
platform_util_src_dir = ../../utilities/utilities/platform-util/platform-util
|
|
|
|
[testenv]
|
|
basepython = python3.9
|
|
sitepackages = False
|
|
setenv =
|
|
VIRTUAL_ENV={envdir}
|
|
OS_STDOUT_CAPTURE=1
|
|
OS_STDERR_CAPTURE=1
|
|
OS_TEST_TIMEOUT=60
|
|
CURRENT_CFG_FILE={toxinidir}/.current.cfg
|
|
SINGLE_REPO=True
|
|
OSLO_LOCK_PATH={toxinidir}
|
|
deps =
|
|
-c{env:UPPER_CONSTRAINTS_FILE:https://opendev.org/starlingx/root/raw/branch/master/build-tools/requirements/debian/upper-constraints.txt}
|
|
-r{toxinidir}/requirements.txt
|
|
-r{toxinidir}/test-requirements.txt
|
|
-e{[dc]cgtsclient_src_dir}
|
|
-e{[dc]fmclient_src_dir}
|
|
-e{[dc]fm_api_src_dir}
|
|
-e{[dc]nfv_client_src_dir}
|
|
-e{[dc]tsconfig_src_dir}
|
|
-e{[dc]software_src_dir}
|
|
-e{[dc]platform_util_src_dir}
|
|
allowlist_externals =
|
|
rm
|
|
find
|
|
|
|
[testenv:py39]
|
|
commands =
|
|
find {toxinidir} -not -path '{toxinidir}/.tox/*' -name '*.py[c|o]' -delete
|
|
python setup.py testr --slowest --testr-args='{posargs}'
|
|
|
|
[testenv:pep8]
|
|
commands = flake8
|
|
|
|
[testenv:cover]
|
|
commands =
|
|
coverage erase
|
|
rm -Rf cover
|
|
rm -f coverage.xml
|
|
find {toxinidir} -not -path '{toxinidir}/.tox/*' -name '*.py[c|o]' -delete
|
|
python setup.py testr --coverage --testr-args='{posargs}'
|
|
coverage html -d cover
|
|
coverage xml --rcfile=.coveragerc_xml
|
|
coverage report
|
|
|
|
[testenv:debug]
|
|
commands = oslo_debug_helper {posargs}
|
|
|
|
[flake8]
|
|
show-source = True
|
|
max-line-length = 88
|
|
# Suppressed flake8 codes
|
|
# E203 whitespace before ':'; conflict with Black
|
|
# E731 do not assign a lambda expression, use a def
|
|
# H216 The unittest.mock module should be used rather than the third party mock package unless actually needed.
|
|
# H301 one import per line; conflict with Black
|
|
# W503 line break before binary operator; conflict with Black
|
|
# W504 line break after binary operator
|
|
# W605 invalid escape sequence
|
|
ignore = E203,E731,H216,H301,W503,W504,W605
|
|
builtins = _
|
|
|
|
[testenv:genconfig]
|
|
commands =
|
|
oslo-config-generator --config-file=tools/config-generator.conf
|
|
|
|
[hacking]
|
|
import_exceptions = dcmanager.common.i18n,dcorch.common.i18n
|
|
|
|
[testenv:pylint]
|
|
setenv =
|
|
{[testenv]setenv}
|
|
PYTHONPATH = {toxinidir}
|
|
commands =
|
|
pylint {posargs} dccommon dcdbsync dcmanager dcorch dcagent dccertmon --rcfile=./.pylintrc
|
|
|
|
[testenv:black]
|
|
# This environment checks and displays the recommended changes by Black for formatting
|
|
# Python files.
|
|
# To apply the format in a specific file, use the following command: black <file_path>
|
|
deps =
|
|
black>=23.11.0 # MIT
|
|
commands =
|
|
black --check --diff .
|
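Review bot: `toxworkdir = /tmp/{env:USER}_dctox` under `[tox]` puts the tox work directory at a predictable path in the shared, world-writable /tmp, so on a multi-user build host that directory can already exist (or be a symlink) under another local account before tox creates it, and tox would then install its virtualenvs and the `-e` editable checkouts from `[testenv] deps` into it. This rendering does not show which lines the commit changed, so that setting may be pre-existing rather than new here. A narrower alternative is `toxworkdir = {env:TMPDIR:/tmp}/{env:USER}_dctox`, which honours a per-user TMPDIR when one is set, or simply keeping the default in-tree `.tox` directory. Either way the comment above the key should state why the out-of-tree location is needed, since "move tox work directory out of the source tree" only restates the effect.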