Add GiHub OIDC test

holesch · Aug 10, 2024 · 2b3342a · 2b3342a
1 parent 888c06e
commit 2b3342a
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 1 deletion.
diff --git a/.github/workflows/on-push.yml b/.github/workflows/on-push.yml
@@ -37,6 +37,8 @@ jobs:
       run: git ls-files -z | xargs -0 -- codespell
   test:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     strategy:
       matrix:
         python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
@@ -57,6 +59,8 @@ jobs:
           tinyproxy \
           ;
         pip install .[test]
+    - name: Run GitHub OIDC test
+      run: ./github-actions-test/run.sh
     - name: Allow kvm usage
       run: |
         sudo chmod o+rw /dev/kvm || :

diff --git a/github-actions-test/export-description.toml b/github-actions-test/export-description.toml
@@ -0,0 +1,5 @@
+port = 2192
+
+[[parts]]
+compatible = [ "test" ]
+tcp.test = { host = "127.0.0.1", port = 1234 }
diff --git a/github-actions-test/hub.toml b/github-actions-test/hub.toml
@@ -0,0 +1,12 @@
+log_level = "debug"
+
+[auth]
+issuer = "http://localhost:8080/realms/master"
+client_id = "not-my-board"
+
+[[auth.permissions]]
+claims.actor_id = "8659229"  # holesch
+claims.repository = "holesch/not-my-board"
+claims.workflow = "on-push"
+claims.iss = "https://token.actions.githubusercontent.com"
+roles = ["importer"]
diff --git a/github-actions-test/run.sh b/github-actions-test/run.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+PS4=">>> "
+set -x
+
+script_dir="${0%/*}"
+
+NOT_MY_BOARD_HUB_CONFIG="$script_dir/hub.toml" not-my-board hub &
+hub_pid="$!"
+sleep 1
+
+not-my-board export http://localhost:2092 "$script_dir/export-description.toml" &
+
+sudo `which not-my-board` agent --token-cmd "curl -sH 'Authorization: bearer  $ACTIONS_ID_TOKEN_REQUEST_TOKEN' '$ACTIONS_ID_TOKEN_REQUEST_URL&audience=not-my-board' | jq -r '.value'" http://localhost:2092 &
+sleep 1
+
+sudo `which not-my-board` attach "$script_dir/test.toml"
+sleep 1
+sudo `which not-my-board` status
+sleep 720
+
+kill "$hub_pid"
diff --git a/github-actions-test/test.toml b/github-actions-test/test.toml
@@ -0,0 +1,3 @@
+[parts.test]
+compatible = [ "test" ]
+tcp.test = { local_port = 1236 }
diff --git a/not_my_board/_hub.py b/not_my_board/_hub.py
@@ -221,7 +221,6 @@ async def _connection_context(self, channel):
                 if isinstance(result, Exception):
                     logger.warning("Error while deregistering agent: %s", result)
 
-    @require_role("exporter")
     async def register_place(self, export_desc):
         id_ = connection_id_var.get()
         client_ip = client_ip_var.get()