Update wcs docker file to use descope (#368)

* Update wcs docker file to use descope

* Update test checks

* Add auth tests for trailing 3 vers also

* Remove 1.34 for now

* Expose grpc ports correctly in tests

* Improve skipping of auth tests

* Remove hard-coded refresh token error

* Remove extra auth tests to avoid rate limit issues

---------

Co-authored-by: Tommy Smith <tommy@weaviate.io>

Author: dirkkul

.github/workflows/main.yaml

@@ -80,7 +80,7 @@ jobs:
       fail-fast: false
       matrix:
         versions: [
-          { node: "22.x", weaviate: $WEAVIATE_130}
+          { node: "22.x", weaviate: $WEAVIATE_133},
         ]
     steps:
     - uses: actions/checkout@v3

ci/docker-compose-wcs.yml

@@ -13,15 +13,17 @@ services:
     image: semitechnologies/weaviate:${WEAVIATE_VERSION}
     ports:
       - 8085:8085
+      - 50056:50056
     restart: on-failure:0
     environment:
+      GRPC_PORT: 50056
       PERSISTENCE_DATA_PATH: '/var/lib/weaviate'
       AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
       AUTHENTICATION_OIDC_ENABLED: 'true'
-      AUTHENTICATION_OIDC_CLIENT_ID: 'wcs'
-      AUTHENTICATION_OIDC_ISSUER: 'https://auth.wcs.api.weaviate.io/auth/realms/SeMI'
+      AUTHENTICATION_OIDC_CLIENT_ID: 'Peuc12y02UA0eAED1dqSjE5HtGUrpBsx'
+      AUTHENTICATION_OIDC_ISSUER: 'https://auth.weaviate.cloud/Peuc12y02UA0eAED1dqSjE5HtGUrpBsx'
       AUTHENTICATION_OIDC_USERNAME_CLAIM: 'email'
-      AUTHENTICATION_OIDC_GROUPS_CLAIM: 'groups'
+      AUTHENTICATION_OIDC_GROUPS_CLAIM: 'roles'
       AUTHORIZATION_ADMINLIST_ENABLED: 'true'
       AUTHORIZATION_ADMINLIST_USERS: 'oidc-test-user@weaviate.io'
       AUTHENTICATION_OIDC_SCOPES: 'openid,email'

src/connection/auth.ts

@@ -289,14 +289,7 @@ class AccessTokenAuthenticator implements OidcAuthFlow {
       });
   };
 
-  validateOpenidConfig = () => {
-    if (
-      this.openidConfig.provider.grant_types_supported === undefined ||
-      !this.openidConfig.provider.grant_types_supported.includes('refresh_token')
-    ) {
-      throw new Error('grant_type refresh_token not supported');
-    }
-  };
+  validateOpenidConfig = () => {};
 
   requestAccessToken = () => {
     const url = this.openidConfig.provider.token_endpoint;

src/connection/journey.test.ts

@@ -9,31 +9,38 @@ import Connection from './index.js';
 import { WeaviateStartUpError } from '../errors.js';
 import weaviate from '../index.js';
 
-describe('connection', () => {
-  it('makes a logged-in request when client host param has trailing slashes', async () => {
-    if (process.env.WCS_DUMMY_CI_PW == undefined || process.env.WCS_DUMMY_CI_PW == '') {
-      console.warn('Skipping because `WCS_DUMMY_CI_PW` is not set');
-      return Promise.resolve();
-    }
-
-    const client = await weaviate.connectToLocal({
-      port: 8085,
-      authCredentials: new AuthUserPasswordCredentials({
-        username: 'oidc-test-user@weaviate.io',
-        password: process.env.WCS_DUMMY_CI_PW,
-        silentRefresh: false,
-      }),
-    });
+const check = (cred?: string) => {
+  if (cred == undefined || cred == '') {
+    console.warn('Skipping because `WCS_DUMMY_CI_PW` is not set');
+    return it.skip;
+  } else {
+    return it;
+  }
+};
 
-    return client
-      .getMeta()
-      .then((res) => {
-        expect(res.version).toBeDefined();
-      })
-      .catch((e) => {
-        throw new Error('it should not have errord: ' + e);
+describe('connection', () => {
+  check(process.env.WCS_DUMMY_CI_PW)(
+    'makes a logged-in request when client host param has trailing slashes',
+    async () => {
+      const client = await weaviate.connectToLocal({
+        port: 8085,
+        authCredentials: new AuthUserPasswordCredentials({
+          username: 'oidc-test-user@weaviate.io',
+          password: process.env.WCS_DUMMY_CI_PW,
+          silentRefresh: false,
+        }),
       });
-  });
+
+      return client
+        .getMeta()
+        .then((res) => {
+          expect(res.version).toBeDefined();
+        })
+        .catch((e) => {
+          throw new Error('it should not have errord: ' + e);
+        });
+    }
+  );
 
   // it('makes an Azure logged-in request with client credentials', async () => {
   //   if (process.env.AZURE_CLIENT_SECRET == undefined || process.env.AZURE_CLIENT_SECRET == '') {
@@ -59,37 +66,30 @@ describe('connection', () => {
   //     });
   // });
 
-  it('makes an Okta logged-in request with client credentials', async () => {
-    if (process.env.OKTA_CLIENT_SECRET == undefined || process.env.OKTA_CLIENT_SECRET == '') {
-      console.warn('Skipping because `OKTA_CLIENT_SECRET` is not set');
-      return Promise.resolve();
-    }
-
-    const client = await weaviate.connectToLocal({
-      port: 8082,
-      authCredentials: new AuthClientCredentials({
-        clientSecret: process.env.OKTA_CLIENT_SECRET,
-        scopes: ['some_scope'],
-        silentRefresh: false,
-      }),
-    });
-
-    return client
-      .getMeta()
-      .then((res) => {
-        expect(res.version).toBeDefined();
-      })
-      .catch((e) => {
-        throw new Error('it should not have errord: ' + e);
+  check(process.env.OKTA_CLIENT_SECRET)(
+    'makes an Okta logged-in request with client credentials',
+    async () => {
+      const client = await weaviate.connectToLocal({
+        port: 8082,
+        authCredentials: new AuthClientCredentials({
+          clientSecret: process.env.OKTA_CLIENT_SECRET!,
+          scopes: ['some_scope'],
+          silentRefresh: false,
+        }),
       });
-  });
 
-  it('makes an Okta logged-in request with username/password', async () => {
-    if (process.env.OKTA_DUMMY_CI_PW == undefined || process.env.OKTA_DUMMY_CI_PW == '') {
-      console.warn('Skipping because `OKTA_DUMMY_CI_PW` is not set');
-      return Promise.resolve();
+      return client
+        .getMeta()
+        .then((res) => {
+          expect(res.version).toBeDefined();
+        })
+        .catch((e) => {
+          throw new Error('it should not have errord: ' + e);
+        });
     }
+  );
 
+  check(process.env.OKTA_DUMMY_CI_PW)('makes an Okta logged-in request with username/password', async () => {
     const client = await weaviate.connectToLocal({
       port: 8083,
       authCredentials: new AuthUserPasswordCredentials({
@@ -109,12 +109,7 @@ describe('connection', () => {
       });
   });
 
-  it('makes a WCS logged-in request with username/password', async () => {
-    if (process.env.WCS_DUMMY_CI_PW == undefined || process.env.WCS_DUMMY_CI_PW == '') {
-      console.warn('Skipping because `WCS_DUMMY_CI_PW` is not set');
-      return Promise.resolve();
-    }
-
+  check(process.env.WCS_DUMMY_CI_PW)('makes a WCS logged-in request with username/password', async () => {
     const client = await weaviate.connectToLocal({
       port: 8085,
       authCredentials: new AuthUserPasswordCredentials({
@@ -137,6 +132,7 @@ describe('connection', () => {
   it('makes a logged-in request with API key', async () => {
     const client = await weaviate.connectToLocal({
       port: 8085,
+      grpcPort: 50056,
       authCredentials: new ApiKey('my-secret-key'),
     });
 
@@ -153,6 +149,7 @@ describe('connection', () => {
   it('makes a logged-in request with API key as string', async () => {
     const client = await weaviate.connectToLocal({
       port: 8085,
+      grpcPort: 50056,
       authCredentials: 'my-secret-key',
     });
 
@@ -166,12 +163,7 @@ describe('connection', () => {
       });
   });
 
-  it('makes a logged-in request with access token', async () => {
-    if (process.env.WCS_DUMMY_CI_PW == undefined || process.env.WCS_DUMMY_CI_PW == '') {
-      console.warn('Skipping because `WCS_DUMMY_CI_PW` is not set');
-      return;
-    }
-
+  check(process.env.WCS_DUMMY_CI_PW)('makes a logged-in request with access token', async () => {
     const dummy = new Connection({
       scheme: 'http',
       host: 'localhost:8085',
@@ -188,6 +180,7 @@ describe('connection', () => {
     const accessToken = (dummy as any).oidcAuth?.accessToken || '';
     const client = await weaviate.connectToLocal({
       port: 8085,
+      grpcPort: 50056,
       authCredentials: new AuthAccessTokenCredentials({
         accessToken: accessToken,
         expiresIn: 900,
@@ -205,12 +198,7 @@ describe('connection', () => {
       });
   });
 
-  it('uses refresh token to fetch new access token', async () => {
-    if (process.env.WCS_DUMMY_CI_PW == undefined || process.env.WCS_DUMMY_CI_PW == '') {
-      console.warn('Skipping because `WCS_DUMMY_CI_PW` is not set');
-      return;
-    }
-
+  check(process.env.WCS_DUMMY_CI_PW)('uses refresh token to fetch new access token', async () => {
     const dummy = new Connection({
       scheme: 'http',
       host: 'localhost:8085',
@@ -237,23 +225,22 @@ describe('connection', () => {
     // force the use of refreshToken
     (conn as any).oidcAuth?.resetExpiresAt();
 
-    return conn
-      .login()
-      .then((resp) => {
-        expect(resp).toBeDefined();
-        expect(resp != '').toBeTruthy();
-        conn.oidcAuth?.stopTokenRefresh();
-      })
-      .catch((e: any) => {
-        throw new Error('it should not have errord: ' + e);
-      });
+    return conn.login().then((resp) => {
+      expect(resp).toBeDefined();
+      expect(resp != '').toBeTruthy();
+      conn.oidcAuth?.stopTokenRefresh();
+    });
+    // .catch((e: any) => {
+    //   throw new Error('it should not have errord: ' + e);
+    // });
   });
 
   it('fails to access auth-enabled server without client auth', async () => {
     expect.assertions(3);
     try {
       await weaviate.connectToLocal({
         port: 8085,
+        grpcPort: 50056,
       });
       throw new Error('Promise should have been rejected');
     } catch (error: any) {

src/misc/journey.test.ts

@@ -92,7 +92,7 @@ describe('misc endpoints', () => {
       .openidConfigurationGetter()
       .do()
       .then((res: any) => {
-        expect(res.clientId).toEqual('wcs');
+        expect(res.clientId).toEqual('Peuc12y02UA0eAED1dqSjE5HtGUrpBsx');
         expect(res.href).toContain('.well-known/openid-configuration');
         expect(res.scopes).toEqual(['openid', 'email']);
       });