github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 21:17:58 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
bb121c3b76f1e1c066e377108952dfffd830c078
zot/test/blackbox/openid_claim_mapping.bats
T
Ramkumar Chinchani 64829f9502 feat: allow claim mapping for user name with oidc (#3540) 
* feat: allow claim mapping for user name with oidc

* feat: bats test for claim mapping

* test: fix dex config in openid mapping test

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* test: add panva idp

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* fix: address copilot comments

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
Co-authored-by: Sky Moore <i@msky.me>
2025-11-20 08:54:56 -08:00

400 lines
12 KiB
Bash
Executable File
Raw Blame History

# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
# Makefile target installs & checks all necessary tooling
# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
load helpers_zot
load helpers_wait
load ../port_helper
function verify_prerequisites {
if [ ! $(command -v curl) ]; then
echo "you need to install curl as a prerequisite to running the tests" >&3
return 1
fi
if [ ! $(command -v jq) ]; then
echo "you need to install jq as a prerequisite to running the tests" >&3
return 1
fi
if [ ! $(command -v docker) ]; then
echo "you need to install docker as a prerequisite to running the tests" >&3
return 1
fi
return 0
}
IDP_PID=""
function setup_file() {
# Verify prerequisites are available
if ! $(verify_prerequisites); then
exit 1
fi
# Pre-allocate all ports we'll need
idp_port=$(get_free_port_for_service "idp")
echo ${idp_port} > ${BATS_FILE_TMPDIR}/idp.port
# Setup oidc provider
npm link oidc-provider express
node ${ROOT_DIR}/test/scripts/panva-idp.js ${idp_port} > ${BATS_FILE_TMPDIR}/idp.log 2>&1 &
IDP_PID=$!
# Wait for oidc provider to be ready
echo "Waiting for idp to be ready on port ${idp_port}..." >&3
local idp_url=http://127.0.0.1:${idp_port}/.well-known/openid-configuration
local max_attempts=60
local attempt=0
while [ $attempt -lt $max_attempts ]; do
if curl -f -s -o /dev/null ${idp_url} 2>&1; then
echo "oidc idp is ready!" >&3
break
fi
attempt=$((attempt + 1))
sleep 2
done
if [ $attempt -eq $max_attempts ]; then
echo "idp failed to start within timeout" >&3
return 1
fi
}
function teardown_file() {
zot_stop_all
kill ${IDP_PID} 2>/dev/null || true
if [ -f "${BATS_FILE_TMPDIR}/idp.log" ]; then
echo "--- IDP LOG ---"
cat ${BATS_FILE_TMPDIR}/idp.log
echo "--- END IDP LOG ---"
fi
}
function teardown() {
# conditionally printing on failure is possible from teardown but not from teardown_file
if [ -f "${BATS_FILE_TMPDIR}/zot-preferred-username.log" ]; then
cat ${BATS_FILE_TMPDIR}/zot-preferred-username.log
fi
if [ -f "${BATS_FILE_TMPDIR}/zot-email.log" ]; then
cat ${BATS_FILE_TMPDIR}/zot-email.log
fi
if [ -f "${BATS_FILE_TMPDIR}/zot-sub.log" ]; then
cat ${BATS_FILE_TMPDIR}/zot-sub.log
fi
if [ -f "${BATS_FILE_TMPDIR}/zot-default.log" ]; then
cat ${BATS_FILE_TMPDIR}/zot-default.log
fi
if [ -f "${BATS_FILE_TMPDIR}/idp.log" ]; then
echo "--- IDP LOG (teardown) ---"
cat ${BATS_FILE_TMPDIR}/idp.log
echo "--- END IDP LOG ---"
fi
}
function idp_session() {
local zot_port=${1}
local idp_port=$(cat ${BATS_FILE_TMPDIR}/idp.port)
# With the auto-login enabled IDP, we just need to hit the login endpoint and follow redirects.
# We use a cookie jar to handle the session cookies during the redirects.
curl -v -L -c ${BATS_FILE_TMPDIR}/cookies "http://127.0.0.1:${zot_port}/zot/auth/login?provider=oidc"
}
@test "test OIDC claim mapping with preferred_username" {
local zot_root_dir=${BATS_FILE_TMPDIR}/zot-preferred-username
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config_preferred_username.json
local zot_credentials_file=${BATS_FILE_TMPDIR}/zot_credentials_preferred_username.json
local idp_port=$(cat ${BATS_FILE_TMPDIR}/idp.port)
zot_port=$(get_free_port_for_service "zot_preferred_username")
mkdir -p ${zot_root_dir}
cat > ${zot_credentials_file}<<EOF
{
"clientid": "zot-client",
"clientsecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
}
EOF
cat > ${zot_config_file}<<EOF
{
"distSpecVersion": "1.1.1",
"storage": {
"rootDirectory": "${zot_root_dir}",
"dedupe": true
},
"http": {
"address": "127.0.0.1",
"port": "${zot_port}",
"realm": "zot",
"auth": {
"openid": {
"providers": {
"oidc": {
"name": "panva",
"issuer": "http://127.0.0.1:${idp_port}/",
"credentialsFile": "${zot_credentials_file}",
"scopes": ["openid", "profile", "email", "groups"],
"claimMapping": {
"username": "preferred_username"
}
}
}
},
"failDelay": 5
},
"accessControl": {
"repositories": {
"**": {
"policies": [
{
"users": ["alice"],
"actions": ["read", "create", "update", "delete"]
}
],
"defaultPolicy": ["read"]
}
}
}
},
"log": {
"level": "debug",
"output": "${BATS_FILE_TMPDIR}/zot-preferred-username.log"
}
}
EOF
zot_serve ${ZOT_PATH} ${zot_config_file}
wait_zot_reachable ${zot_port}
run idp_session ${zot_port}
[ "$status" -eq 0 ]
echo "$output"
# Verify that the log contains the preferred_username claim being used
log_output ${BATS_FILE_TMPDIR}/zot-preferred-username.log | jq 'contains("extracted username from configured claim")' | grep true
! log_output ${BATS_FILE_TMPDIR}/zot-preferred-username.log | grep -q "using email as username (fallback)"
}
@test "test OIDC claim mapping with email" {
local zot_root_dir=${BATS_FILE_TMPDIR}/zot-email
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config_email.json
local zot_credentials_file=${BATS_FILE_TMPDIR}/zot_credentials_email.json
local idp_port=$(cat ${BATS_FILE_TMPDIR}/idp.port)
zot_port=$(get_free_port_for_service "zot_email")
mkdir -p ${zot_root_dir}
cat > ${zot_credentials_file}<<EOF
{
"clientid": "zot-client",
"clientsecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
}
EOF
cat > ${zot_config_file}<<EOF
{
"distSpecVersion": "1.1.1",
"storage": {
"rootDirectory": "${zot_root_dir}",
"dedupe": true
},
"http": {
"address": "127.0.0.1",
"port": "${zot_port}",
"realm": "zot",
"auth": {
"openid": {
"providers": {
"oidc": {
"name": "panva",
"issuer": "http://127.0.0.1:${idp_port}/",
"credentialsFile": "${zot_credentials_file}",
"scopes": ["openid", "profile", "email", "groups"],
"claimMapping": {
"username": "email"
}
}
}
},
"failDelay": 5
},
"accessControl": {
"repositories": {
"**": {
"policies": [
{
"users": ["alice@example.com"],
"actions": ["read", "create", "update", "delete"]
}
],
"defaultPolicy": ["read"]
}
}
}
},
"log": {
"level": "debug",
"output": "${BATS_FILE_TMPDIR}/zot-email.log"
}
}
EOF
zot_serve ${ZOT_PATH} ${zot_config_file}
wait_zot_reachable ${zot_port}
run idp_session ${zot_port}
[ "$status" -eq 0 ]
echo "$output"
# Verify that the log contains email claim being used
grep -q "extracted username from configured claim" ${BATS_FILE_TMPDIR}/zot-email.log
! grep -q "using email as username (fallback)" ${BATS_FILE_TMPDIR}/zot-email.log
}
@test "test OIDC claim mapping with sub" {
local zot_root_dir=${BATS_FILE_TMPDIR}/zot-sub
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config_sub.json
local zot_credentials_file=${BATS_FILE_TMPDIR}/zot_credentials_sub.json
local idp_port=$(cat ${BATS_FILE_TMPDIR}/idp.port)
zot_port=$(get_free_port_for_service "zot_sub")
mkdir -p ${zot_root_dir}
cat > ${zot_credentials_file}<<EOF
{
"clientid": "zot-client",
"clientsecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
}
EOF
cat > ${zot_config_file}<<EOF
{
"distSpecVersion": "1.1.1",
"storage": {
"rootDirectory": "${zot_root_dir}",
"dedupe": true
},
"http": {
"address": "127.0.0.1",
"port": "${zot_port}",
"realm": "zot",
"auth": {
"openid": {
"providers": {
"oidc": {
"name": "panva",
"issuer": "http://127.0.0.1:${idp_port}/",
"credentialsFile": "${zot_credentials_file}",
"scopes": ["openid", "profile", "email", "groups"],
"claimMapping": {
"username": "sub"
}
}
}
},
"failDelay": 5
},
"accessControl": {
"repositories": {
"**": {
"defaultPolicy": ["read"]
}
}
}
},
"log": {
"level": "debug",
"output": "${BATS_FILE_TMPDIR}/zot-sub.log"
}
}
EOF
zot_serve ${ZOT_PATH} ${zot_config_file}
wait_zot_reachable ${zot_port}
run idp_session ${zot_port}
[ "$status" -eq 0 ]
echo "$output"
# Verify that the log contains sub claim being used
log_output ${BATS_FILE_TMPDIR}/zot-sub.log | jq 'contains("extracted username from configured claim")' | grep true
! log_output ${BATS_FILE_TMPDIR}/zot-sub.log | grep -q "using email as username (fallback)"
}
@test "test OIDC with no claim mapping (default to email)" {
local zot_root_dir=${BATS_FILE_TMPDIR}/zot-default
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config_default.json
ZOT_LOG_FILE=${BATS_FILE_TMPDIR}/zot-default.log
local zot_credentials_file=${BATS_FILE_TMPDIR}/zot_credentials_default.json
local idp_port=$(cat ${BATS_FILE_TMPDIR}/idp.port)
zot_port=$(get_free_port_for_service "zot_default")
mkdir -p ${zot_root_dir}
cat > ${zot_credentials_file}<<EOF
{
"clientid": "zot-client",
"clientsecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
}
EOF
# Note: No claimMapping section - should default to email
cat > ${zot_config_file}<<EOF
{
"distSpecVersion": "1.1.1",
"storage": {
"rootDirectory": "${zot_root_dir}",
"dedupe": true
},
"http": {
"address": "127.0.0.1",
"port": "${zot_port}",
"realm": "zot",
"auth": {
"openid": {
"providers": {
"oidc": {
"name": "panva",
"issuer": "http://127.0.0.1:${idp_port}/",
"credentialsFile": "${zot_credentials_file}",
"scopes": ["openid", "profile", "email", "groups"]
}
}
},
"failDelay": 5
},
"accessControl": {
"repositories": {
"**": {
"policies": [
{
"users": ["alice@example.com"],
"actions": ["read", "create", "update", "delete"]
}
],
"defaultPolicy": ["read"]
}
}
}
},
"log": {
"level": "debug",
"output": "${ZOT_LOG_FILE}"
}
}
EOF
zot_serve ${ZOT_PATH} ${zot_config_file}
wait_zot_reachable ${zot_port}
run idp_session ${zot_port}
[ "$status" -eq 0 ]
echo "$output"
# Verify that the log contains email claim being used (default behavior)
log_output ${ZOT_LOG_FILE} | jq 'contains("using email as username (fallback)")' | grep true
}
Reference in New Issue View Git Blame Copy Permalink