From 2b3342a6a3ba21939ed3ae6d24af6fdd2f18d14b Mon Sep 17 00:00:00 2001
From: Simon Holesch
Date: Sat, 10 Aug 2024 13:00:44 +0200
Subject: [PATCH] Add GiHub OIDC test

---
 .github/workflows/on-push.yml | 4 ++++
 github-actions-test/export-description.toml | 5 +++++
 github-actions-test/hub.toml | 12 ++++++++++++
 github-actions-test/run.sh | 21 +++++++++++++++++++++
 github-actions-test/test.toml | 3 +++
 not_my_board/_hub.py | 1 -
 6 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 github-actions-test/export-description.toml
 create mode 100644 github-actions-test/hub.toml
 create mode 100755 github-actions-test/run.sh
 create mode 100644 github-actions-test/test.toml

diff --git a/.github/workflows/on-push.yml b/.github/workflows/on-push.yml
index 646a7d2..1fb6184 100644
--- a/.github/workflows/on-push.yml
+++ b/.github/workflows/on-push.yml
@@ -37,6 +37,8 @@ jobs:
 run: git ls-files -z | xargs -0 -- codespell
 test:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 strategy:
 matrix:
 python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
@@ -57,6 +59,8 @@ jobs:
 tinyproxy \
 ;
 pip install .[test]
+ - name: Run GitHub OIDC test
+ run: ./github-actions-test/run.sh
 - name: Allow kvm usage
 run: |
 sudo chmod o+rw /dev/kvm || :
diff --git a/github-actions-test/export-description.toml b/github-actions-test/export-description.toml
new file mode 100644
index 0000000..6cef39b
--- /dev/null
+++ b/github-actions-test/export-description.toml
@@ -0,0 +1,5 @@
+port = 2192
+
+[[parts]]
+compatible = [ "test" ]
+tcp.test = { host = "127.0.0.1", port = 1234 }
diff --git a/github-actions-test/hub.toml b/github-actions-test/hub.toml
new file mode 100644
index 0000000..af4d7a0
--- /dev/null
+++ b/github-actions-test/hub.toml
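Review bot: Declaring `permissions:` on the `test` job with only `id-token: write` resets every other scope of the job's GITHUB_TOKEN to none, so any earlier step in this job that relies on the default token (a checkout of a private repository, for instance) loses `contents: read`; the job's other steps are outside the hunk, so whether one of them needs it cannot be confirmed from the diff. Adding `contents: read` next to `id-token: write` keeps the grant explicit and still minimal. A short comment such as `# minimal grant: OIDC token for github-actions-test/run.sh` would record why the block exists.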
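Review bot: The new `Run GitHub OIDC test` step runs unconditionally on every matrix entry, but the hub configuration added in this commit only grants a role to tokens whose claims name one repository and one actor, so a push to a fork will fail this job, and each of the five Python jobs pays the script's twelve-minute wait. Guarding the step with `if: github.repository == 'holesch/not-my-board'` and running it in a single matrix entry (or its own job) limits both effects. The step also depends on the `id-token: write` grant from the first hunk; a one-line comment naming that dependency would help the next reader.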
@@ -0,0 +1,12 @@
+log_level = "debug"
+
+[auth]
+issuer = "http://localhost:8080/realms/master"
+client_id = "not-my-board"
+
+[[auth.permissions]]
+claims.actor_id = "8659229" # holesch
+claims.repository = "holesch/not-my-board"
+claims.workflow = "on-push"
+claims.iss = "https://token.actions.githubusercontent.com"
+roles = ["importer"]
diff --git a/github-actions-test/run.sh b/github-actions-test/run.sh
new file mode 100755
index 0000000..01ef58e
--- /dev/null
+++ b/github-actions-test/run.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+PS4=">>> "
+set -x
+
+script_dir="${0%/*}"
+
+NOT_MY_BOARD_HUB_CONFIG="$script_dir/hub.toml" not-my-board hub &
+hub_pid="$!"
+sleep 1
+
+not-my-board export http://localhost:2092 "$script_dir/export-description.toml" &
+
+sudo `which not-my-board` agent --token-cmd "curl -sH 'Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN' '$ACTIONS_ID_TOKEN_REQUEST_URL&audience=not-my-board' | jq -r '.value'" http://localhost:2092 &
+sleep 1
+
+sudo `which not-my-board` attach "$script_dir/test.toml"
+sleep 1
+sudo `which not-my-board` status
+sleep 720
+
+kill "$hub_pid"
diff --git a/github-actions-test/test.toml b/github-actions-test/test.toml
new file mode 100644
index 0000000..de13580
--- /dev/null
+++ b/github-actions-test/test.toml
@@ -0,0 +1,3 @@
+[parts.test]
+compatible = [ "test" ]
+tcp.test = { local_port = 1236 }
diff --git a/not_my_board/_hub.py b/not_my_board/_hub.py
index 670b7a6..213fb87 100644
--- a/not_my_board/_hub.py
+++ b/not_my_board/_hub.py
@@ -221,7 +221,6 @@ async def _connection_context(self, channel):
 if isinstance(result, Exception):
 logger.warning("Error while deregistering agent: %s", result)
 
- @require_role("exporter")
 async def register_place(self, export_desc):
 id_ = connection_id_var.get()
 client_ip = client_ip_var.get()
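Review bot: `[auth] issuer` names a local Keycloak realm over plain http while the only permission rule requires `claims.iss = "https://token.actions.githubusercontent.com"`; if the hub discovers the signing keys from `issuer`, a GitHub-issued token cannot validate in CI where nothing listens on localhost:8080, and if it instead trusts whatever `iss` the token carries, this rule is doing the issuer pinning that `issuer` was meant to do — which of the two applies is not visible in this commit. A comment stating what `issuer` is used for, or pointing it at the GitHub issuer for this test, would remove the ambiguity. The rule pins repository, actor and workflow but not the ref, so a push to any branch by the pinned actor obtains `importer`; if `claims.*` keys are matched generically, adding `claims.ref` for the intended branch narrows the grant.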
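Review bot: With `set -x` on, the agent line is traced with `--token-cmd` fully expanded, so the value of `$ACTIONS_ID_TOKEN_REQUEST_TOKEN` is written to the job log (unless the runner masks it) and sits in the process list for the agent's lifetime; that token is what authorises minting further OIDC tokens for the rest of the job. Passing the command single-quoted so the variables are expanded when the agent runs it, and forwarding them through sudo, keeps the value out of the trace: `sudo --preserve-env=ACTIONS_ID_TOKEN_REQUEST_TOKEN,ACTIONS_ID_TOKEN_REQUEST_URL "$(command -v not-my-board)" agent --token-cmd 'curl -sH "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=not-my-board" | jq -r .value' http://localhost:2092 &` — this assumes the agent runs `--token-cmd` through a shell, which the diff does not show. `sleep 720` ends the script with nothing checked afterwards; if the wait is meant to outlast the token's lifetime so the agent must re-run the token command, a comment saying so plus a final `status` call after the wait would turn that into an assertion. Only the hub is killed at the end; the export and agent background jobs are left running.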
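Review bot: Dropping `@require_role("exporter")` removes the only authorization check on `register_place`, so after this commit any client that reaches the hub can register a place, in production as well as in this test, and nothing else in the diff replaces the check. If the goal is to let the test's unauthenticated `export` succeed, keeping the decorator and granting the test identity the role in hub.toml (`roles = ["importer", "exporter"]`, with the export also supplying a token) avoids weakening the hub. If opening registration is deliberate, it belongs in its own commit with a comment on `register_place` stating that it is intentionally unauthenticated. The body of `register_place` continues past the hunk.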