From 728c24ae0b1865b680485b5088e28936f47c5494 Mon Sep 17 00:00:00 2001 From: yndu13 Date: Mon, 8 Jul 2024 18:24:02 +0800 Subject: [PATCH] tests: add oidc integration test --- .github/workflows/testPython.yml | 21 ++++++++++++++++++--- tests/test_integration.py | 31 ++++++++++++++++++++++++------- 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/.github/workflows/testPython.yml b/.github/workflows/testPython.yml index 8c3c63d..b5a43b6 100644 --- a/.github/workflows/testPython.yml +++ b/.github/workflows/testPython.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ master ] +permissions: + id-token: write + jobs: build: runs-on: ubuntu-latest 
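Review bot: The new top-level `permissions:` block applies `id-token: write` to every job in the workflow, and because any scope left out of an explicit block is set to none, it also silently drops `contents: read`. Only the `build` job is visible here, so it would be tighter to declare this under `jobs.build` and list both scopes, e.g. `permissions: { contents: read, id-token: write }`. The workflow also triggers on `pull_request`, and runs from forks get neither a writable `id-token` scope nor repository secrets, so the OIDC steps added later in this file will presumably fail on fork PRs. A guard on those steps, or a comment stating that the test only runs for same-repository branches, would make that failure mode explicit.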
@@ -21,16 +24,28 @@ jobs: python-version: ${{ matrix.python-version }} - name: Install dependencies run: pip install alibabacloud-tea coverage pytest + - name: Setup OIDC + run: npm install @actions/core@1.6.0 @actions/http-client + - name: Get Id Token + uses: actions/github-script@v6 + id: idtoken + with: + script: | + const coreDemo = require('@actions/core'); + const idToken = await coreDemo.getIDToken('sts.aliyuncs.com'); + const fsx = require('fs/promises'); + await fsx.writeFile('/tmp/oidc_token', idToken); - name: Test with unittest run: | coverage run -m unittest discover env: SUB_ALIBABA_CLOUD_ACCESS_KEY: ${{ secrets.SUB_ALIBABA_CLOUD_ACCESS_KEY }} SUB_ALIBABA_CLOUD_SECRET_KEY: ${{ secrets.SUB_ALIBABA_CLOUD_SECRET_KEY }} - ALIBABA_CLOUD_ROLE_ARN: ${{ secrets.ALIBABA_CLOUD_ROLE_ARN }} + SUB_ALIBABA_CLOUD_ROLE_ARN: ${{ secrets.ALIBABA_CLOUD_ROLE_ARN }} + ALIBABA_CLOUD_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }} ALIBABA_CLOUD_ROLE_SESSION_NAME: ${{ secrets.ALIBABA_CLOUD_ROLE_SESSION_NAME }} - ALIBABA_CLOUD_OIDC_TOKEN_FILE: ${{ secrets.ALIBABA_CLOUD_OIDC_TOKEN_FILE }} - ALIBABA_CLOUD_OIDC_PROVIDER_ARN: ${{ secrets.ALIBABA_CLOUD_OIDC_PROVIDER_ARN }} + ALIBABA_CLOUD_OIDC_TOKEN_FILE: "/tmp/oidc_token" + ALIBABA_CLOUD_OIDC_PROVIDER_ARN: ${{ secrets.OIDC_PROVIDER_ARN }} - name: Upload Coverage Report uses: codecov/codecov-action@v4 with: diff --git a/tests/test_integration.py b/tests/test_integration.py index f20ec8e..a118a20 100644 --- a/tests/test_integration.py +++ b/tests/test_integration.py @@ -3,7 +3,6 @@ from alibabacloud_credentials import providers, models from alibabacloud_credentials.client import Client -from alibabacloud_credentials.exceptions import CredentialException from alibabacloud_credentials.utils import auth_util 
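Review bot: The `Get Id Token` step writes a live OIDC bearer token to the fixed path `/tmp/oidc_token` with default file permissions and never removes it. On a self-hosted or reused runner that leaves a token exchangeable for role credentials readable by other processes. Writing it under the runner's temp directory with owner-only mode would limit this: `await fsx.writeFile(process.env.RUNNER_TEMP + '/oidc_token', idToken, { mode: 0o600 });` with `ALIBABA_CLOUD_OIDC_TOKEN_FILE: ${{ runner.temp }}/oidc_token`. Separately, `Setup OIDC` installs `@actions/http-client` unpinned in a job that holds `id-token: write` and cloud secrets. `actions/github-script` already exposes a `core` object in the script context, so `core.getIDToken('sts.aliyuncs.com')` may remove the need for the `npm install` step entirely (worth confirming against the bundled `@actions/core` version).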
@@ -12,7 +11,7 @@ def test_RamRoleArn(self): access_key_id = os.environ.get('SUB_ALIBABA_CLOUD_ACCESS_KEY') access_key_secret = os.environ.get('SUB_ALIBABA_CLOUD_SECRET_KEY') role_session_name = os.environ.get('ALIBABA_CLOUD_ROLE_SESSION_NAME') - role_arn = os.environ.get('ALIBABA_CLOUD_ROLE_ARN') + role_arn = os.environ.get('SUB_ALIBABA_CLOUD_ROLE_ARN') conf = models.Config( access_key_id=access_key_id, @@ -30,8 +29,26 @@ def test_OIDCRoleArn(self): self.assertIsNotNone(auth_util.environment_role_session_name) self.assertIsNotNone(auth_util.environment_oidc_token_file) self.assertTrue(auth_util.enable_oidc_credential) - try: - default_client = Client() - default_client.get_access_key_id() - except CredentialException as e: - self.assertRegex(e.message, 'AuthenticationFail.NoPermission') + default_client = Client() + credential = default_client.get_credential() + self.assertIsNotNone(credential.access_key_id) + self.assertIsNotNone(credential.access_key_secret) + self.assertIsNotNone(credential.security_token) + + role_session_name = os.environ.get('ALIBABA_CLOUD_ROLE_SESSION_NAME') + oidc_role_arn = os.environ.get('ALIBABA_CLOUD_ROLE_ARN') + oidc_provider_arn = os.environ.get('ALIBABA_CLOUD_OIDC_PROVIDER_ARN') + oidc_token_file = os.environ.get('ALIBABA_CLOUD_OIDC_TOKEN_FILE') + config = models.Config( + role_session_name=role_session_name, + role_arn=oidc_role_arn, + oidc_provider_arn=oidc_provider_arn, + oidc_token_file_path=oidc_token_file, + type='oidc_role_arn', + ) + client = Client(config) + credential = client.get_credential() + self.assertIsNotNone(credential.access_key_id) + self.assertIsNotNone(credential.access_key_secret) + self.assertIsNotNone(credential.security_token) + self.assertEqual('oidc_role_arn', credential.type)
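Review bot: The first half of the new `test_OIDCRoleArn` body (the `Client()` default-chain block) only asserts that the three credential fields are non-None, so it would still pass if the default chain resolved some other provider than OIDC. Only the explicit-config half pins the provider, with `self.assertEqual('oidc_role_arn', credential.type)`. If the default chain reports the underlying provider type, the same assertion belongs after the first `get_credential()` call; otherwise a comment such as `# default chain: provider type not asserted, see explicit config below` would record the gap. The two blocks also repeat the same three `assertIsNotNone` lines, which a small helper like `self._assert_sts_credential(credential)` would remove. The method's `def` line and its first assertions lie outside this hunk.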