Skip to content

Commit

Permalink
Test hub.loadRoles access with scoped api token
Browse files Browse the repository at this point in the history
  • Loading branch information
consideRatio committed Sep 30, 2021
1 parent 9d481b9 commit 571ec8d
Show file tree
Hide file tree
Showing 4 changed files with 41 additions and 10 deletions.
12 changes: 5 additions & 7 deletions dev-config-local-chart-extra-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,11 @@
hub:
# FIXME: move loadRoles to dev-config.yaml after 2.0.0 is released.
loadRoles:
test-role-1:
description: Access to users' information and group membership
scopes: [users, groups]
users: [cyclops, gandalf]
services: [test]
groups: []
test-role-2-explicit-name:
test-scoped-access:
description: Used to JupyterHub 2.0.0+ RBAC scoped access, currently to the /hub/api/info endpoint via read:hub.
scopes: [read:hub]
services: [test-with-scoped-access]
test-role-with-explicit-name:
name: test-role-2
description: Access to users' information and group membership
scopes: [users, groups]
Expand Down
2 changes: 2 additions & 0 deletions dev-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ hub:
test:
admin: true
apiToken: give-pytest-control
test-with-scoped-access:
apiToken: give-pytest-scoped-control
test-hub-existing-secret:
apiToken: dddd4444
test-explicit-name:
Expand Down
21 changes: 18 additions & 3 deletions tests/conftest.py
Original file line number Diff line number Diff line change
Expand Up @@ -28,16 +28,31 @@ def pytest_configure(config):


@pytest.fixture(scope="module")
def request_data():
def admin_api_token():
base_dir = os.path.dirname(os.path.dirname(__file__))
with open(os.path.join(base_dir, "dev-config.yaml")) as f:
y = yaml.safe_load(f)
token = y["hub"]["services"]["test"]["apiToken"]
return token


@pytest.fixture(scope="module")
def scoped_api_token():
"""This token is granted a limited scope"""
base_dir = os.path.dirname(os.path.dirname(__file__))
with open(os.path.join(base_dir, "dev-config.yaml")) as f:
y = yaml.safe_load(f)
token = y["hub"]["services"]["test-with-scoped-access"]["apiToken"]
return token


@pytest.fixture(scope="module")
def request_data(admin_api_token):
hub_url = os.environ.get("HUB_URL", "https://local.jovyan.org:30443")
return {
"token": token,
"token": admin_api_token,
"hub_url": f'{hub_url.rstrip("/")}/hub/api',
"headers": {"Authorization": f"token {token}"},
"headers": {"Authorization": f"token {admin_api_token}"},
"test_timeout": 60,
"request_timeout": 25,
}
Expand Down
16 changes: 16 additions & 0 deletions tests/test_hub.py
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,22 @@ def test_api_info(api_request):
assert result["spawner"]["class"] == "kubespawner.spawner.KubeSpawner"


def test_api_info_with_scoped_token(api_request, scoped_api_token):
"""
Test access to the hub api's /info endpoint with an hub api token defined
via hub.services and that is granted the permissions of a role via
hub.loadRoles chart configuration.
A typical jupyterhub logging response to this test:
[I 2019-09-25 12:03:12.086 JupyterHub log:174] 200 GET /hub/api/info (test@127.0.0.1) 10.21ms
"""

print("asking for the hub information using a dedicated token with read:hub scope")
r = api_request.get("/info", {"Authorization": f"token {scoped_api_token}"})
assert r.status_code == 200


def test_api_create_and_get_user(api_request, jupyter_user):
"""
Tests the hub api's /users/:user endpoint, both POST and GET.
Expand Down

0 comments on commit 571ec8d

Please sign in to comment.