Skip to content

Fix flaky oidc tests #2000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jsdt merged 4 commits into from
Nov 20, 2024
Merged

Fix flaky oidc tests #2000

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
24c1e05
Wait for server to start responding and add logging in tests
jsdt Nov 18, 2024
ffb1c3e
fmt
jsdt Nov 18, 2024
e563431
Fix encoding of key params in tests
jsdt Nov 19, 2024
784aeac
Merge branch 'master' into jsdt/token-test-fix
jsdt Nov 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions crates/core/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,3 +128,4 @@ env_logger.workspace = true
pretty_assertions.workspace = true
jsonwebtoken.workspace = true
axum.workspace = true
reqwest.workspace = true
68 changes: 62 additions & 6 deletions crates/core/src/auth/token_validation.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,7 +261,14 @@ impl TokenValidator for OidcTokenValidator {
let raw_issuer = get_raw_issuer(token)?;
// TODO: Consider checking for trailing slashes or requiring a scheme.
let oidc_url = format!("{}/.well-known/openid-configuration", raw_issuer);
let keys = Jwks::from_oidc_url(oidc_url).await?;
log::debug!("Fetching key for issuer {}", raw_issuer.clone());
let key_or_error = Jwks::from_oidc_url(oidc_url).await;
// TODO: We should probably add debouncing to avoid spamming the logs.
// Alternatively we could add a backoff before retrying.
if let Err(e) = &key_or_error {
log::warn!("Error fetching public key for issuer {}: {:?}", raw_issuer, e);
}
let keys = key_or_error?;
let validator = JwksValidator {
issuer: raw_issuer,
keyset: keys,
Expand Down Expand Up @@ -317,6 +324,8 @@ impl TokenValidator for JwksValidator {

#[cfg(test)]
mod tests {
use std::time::Duration;

use crate::auth::identity::{IncomingClaims, SpacetimeIdentityClaims};
use crate::auth::token_validation::{
BasicTokenValidator, CachingOidcTokenValidator, FullTokenValidator, OidcTokenValidator, TokenSigner,
Expand Down Expand Up @@ -533,6 +542,29 @@ mod tests {
.unwrap();
});

// Wait for server to be ready
let client = reqwest::Client::new();
let health_check_url = format!("{}/ok", base_url);

let mut attempts = 0;
const MAX_ATTEMPTS: u32 = 10;
const DELAY_MS: u64 = 50;

while attempts < MAX_ATTEMPTS {
match client.get(&health_check_url).send().await {
Ok(response) if response.status().is_success() => break,
_ => {
log::debug!("Server not ready. Waiting...");
tokio::time::sleep(Duration::from_millis(DELAY_MS)).await;
attempts += 1;
}
}
}

if attempts == MAX_ATTEMPTS {
return Err(anyhow::anyhow!("Server failed to start after maximum attempts"));
}

Ok(OIDCServerHandle {
base_url,
shutdown_tx,
Expand Down Expand Up @@ -590,13 +622,19 @@ mod tests {

#[tokio::test]
async fn test_oidc_flow() -> anyhow::Result<()> {
run_oidc_test(OidcTokenValidator).await
for _ in 0..10 {
run_oidc_test(OidcTokenValidator).await?
}
Ok(())
}

#[tokio::test]
async fn test_caching_oidc_flow() -> anyhow::Result<()> {
let v = CachingOidcTokenValidator::get_default();
run_oidc_test(v).await
for _ in 0..10 {
let v = CachingOidcTokenValidator::get_default();
run_oidc_test(v).await?;
}
Ok(())
}

#[tokio::test]
Expand Down Expand Up @@ -639,8 +677,26 @@ mod tests {
let mut y = openssl::bn::BigNum::new()?;
eck.public_key().affine_coordinates(&group, &mut x, &mut y, &mut ctx)?;

let x_b64 = base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(x.to_vec());
let y_b64 = base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(y.to_vec());
let x_bytes = x.to_vec();
let y_bytes = y.to_vec();

let x_padded = if x_bytes.len() < 32 {
let mut padded = vec![0u8; 32];
padded[32 - x_bytes.len()..].copy_from_slice(&x_bytes);
padded
} else {
x_bytes
};

let y_padded = if y_bytes.len() < 32 {
let mut padded = vec![0u8; 32];
padded[32 - y_bytes.len()..].copy_from_slice(&y_bytes);
padded
} else {
y_bytes
};
let x_b64 = base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(x_padded);
let y_b64 = base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(y_padded);

let mut jwks = serde_json::json!(
{
Expand Down
Loading