Test hub.loadRoles access with scoped api token

jupyterhub · Sep 30, 2021 · 3ff3f7a · 3ff3f7a
1 parent 9d481b9
commit 3ff3f7a
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 10 deletions.
diff --git a/dev-config-local-chart-extra-config.yaml b/dev-config-local-chart-extra-config.yaml
@@ -11,13 +11,11 @@
 hub:
   # FIXME: move loadRoles to dev-config.yaml after 2.0.0 is released.
   loadRoles:
-    test-role-1:
-      description: Access to users' information and group membership
-      scopes: [users, groups]
-      users: [cyclops, gandalf]
-      services: [test]
-      groups: []
-    test-role-2-explicit-name:
+    test-scoped-access:
+      description: Used to JupyterHub 2.0.0+ RBAC scoped access, currently to the /hub/api/info endpoint via read:hub.
+      scopes: [read:hub]
+      services: [test-with-scoped-access]
+    test-role-with-explicit-name:
       name: test-role-2
       description: Access to users' information and group membership
       scopes: [users, groups]

diff --git a/dev-config.yaml b/dev-config.yaml
@@ -41,6 +41,8 @@ hub:
     test:
       admin: true
       apiToken: give-pytest-control
+    test-with-scoped-access:
+      apiToken: give-pytest-scoped-control
     test-hub-existing-secret:
       apiToken: dddd4444
     test-explicit-name:

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -28,16 +28,31 @@ def pytest_configure(config):
 
 
 @pytest.fixture(scope="module")
-def request_data():
+def admin_api_token():
     base_dir = os.path.dirname(os.path.dirname(__file__))
     with open(os.path.join(base_dir, "dev-config.yaml")) as f:
         y = yaml.safe_load(f)
     token = y["hub"]["services"]["test"]["apiToken"]
+    return token
+
+
+@pytest.fixture(scope="module")
+def scoped_api_token():
+    """This token is granted a limited scope"""
+    base_dir = os.path.dirname(os.path.dirname(__file__))
+    with open(os.path.join(base_dir, "dev-config.yaml")) as f:
+        y = yaml.safe_load(f)
+    token = y["hub"]["services"]["test-with-scoped-access"]["apiToken"]
+    return token
+
+
+@pytest.fixture(scope="module")
+def request_data(admin_api_token):
     hub_url = os.environ.get("HUB_URL", "https://local.jovyan.org:30443")
     return {
-        "token": token,
+        "token": admin_api_token,
         "hub_url": f'{hub_url.rstrip("/")}/hub/api',
-        "headers": {"Authorization": f"token {token}"},
+        "headers": {"Authorization": f"token {admin_api_token}"},
         "test_timeout": 60,
         "request_timeout": 25,
     }

diff --git a/tests/test_hub.py b/tests/test_hub.py
@@ -53,6 +53,22 @@ def test_api_info(api_request):
     assert result["spawner"]["class"] == "kubespawner.spawner.KubeSpawner"
 
 
+def test_api_info_with_scoped_token(api_request, scoped_api_token):
+    """
+    Test access to the hub api's /info endpoint with an hub api token defined
+    via hub.services and that is granted the permissions of a role via
+    hub.loadRoles chart configuration.
+
+    A typical jupyterhub logging response to this test:
+
+        [I 2019-09-25 12:03:12.086 JupyterHub log:174] 200 GET /hub/api/info (test@127.0.0.1) 10.21ms
+    """
+
+    print("asking for the hub information using a dedicated token with read:hub scope")
+    r = api_request.get("/info", headers={"Authorization": f"token {scoped_api_token}"})
+    assert r.status_code == 200
+
+
 def test_api_create_and_get_user(api_request, jupyter_user):
     """
     Tests the hub api's /users/:user endpoint, both POST and GET.