File: README_INTEGRATION.md

package info (click to toggle)
scitokens-cpp 1.3.0-2
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 1,172 kB
  • sloc: cpp: 11,717; ansic: 596; sh: 161; python: 132; makefile: 22
file content (137 lines) | stat: -rw-r--r-- 4,636 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
 
# Integration Tests

This directory contains integration tests for scitokens-cpp that use a full end-to-end testing environment.

## Overview

The integration test framework provides:

1. **TLS Infrastructure**: Automatic generation of CA certificates and server certificates for HTTPS testing
2. **Key Management**: EC key generation and JWKS creation for token signing
3. **Test Server**: Python-based HTTPS server hosting JWKS and supporting OIDC discovery
4. **CTest Fixtures**: Automated setup and teardown using CTest fixture framework

## Architecture

The integration tests use a CTest fixture pattern with three components:

### Setup (`integration-test-setup.sh`)

The setup script:
- Creates a temporary test run directory
- Generates TLS certificates (CA and server certificate)
- Generates EC P-256 signing keys
- Converts public key to JWKS format
- Starts a Python HTTPS server on a dynamic port (port 0)
- Writes environment configuration to `build/tests/integration/setup.sh`

The setup script writes the following information to `setup.sh`:
- `ISSUER_URL`: The HTTPS URL of the test issuer (e.g., `https://localhost:12345`)
- `SERVER_PID`: Process ID of the running server
- `CA_CERT`: Path to the CA certificate for TLS verification
- `SIGNING_KEY`: Path to the EC private key
- `SIGNING_PUB`: Path to the EC public key
- `JWKS_FILE`: Path to the JWKS file

### Test (`integration_test.cpp`)

The integration test program:
- Reads configuration from `build/tests/integration/setup.sh`
- Configures scitokens to trust the test CA certificate
- Creates and signs tokens using the test issuer
- Verifies tokens using JWKS discovery from the test server
- Tests the enforcer functionality with dynamically issued tokens

Three test cases are included:
1. **CreateAndSignToken**: Verifies basic token creation and signing
2. **VerifyTokenWithJWKSDiscovery**: Tests token verification using JWKS discovery from the HTTPS server
3. **EnforcerWithDynamicIssuer**: Tests the enforcer API with tokens from the dynamic test issuer

### Teardown (`integration-test-teardown.sh`)

The teardown script:
- Reads the server PID from `setup.sh`
- Gracefully stops the server (SIGTERM, then SIGKILL if needed)
- Cleans up the test environment

## Running the Tests

### Build with Integration Tests

```bash
mkdir build
cd build
cmake -DSCITOKENS_BUILD_UNITTESTS=ON ..
make
```

### Run Integration Tests Only

```bash
ctest -R integration --output-on-failure
```

### Run All Tests

```bash
ctest --output-on-failure
```

## Test Server

The Python test server (`jwks_server.py`) implements:

- **OIDC Discovery**: Serves `.well-known/openid-configuration`
- **JWKS Endpoint**: Serves the JWKS at `/oauth2/certs`
- **HTTPS Support**: Uses TLS with generated certificates
- **Dynamic Port Allocation**: Binds to port 0 for automatic port selection

The server is designed to be minimal and focused solely on the requirements for integration testing.

## Requirements

- Python 3.6+ (for the test server)
- OpenSSL command-line tools
- scitokens-generate-jwks (built from this repository)

## Troubleshooting

### Server fails to start

Check that Python 3 is available:
```bash
python3 --version
```

### Missing scitokens-generate-jwks

If the setup script fails because `scitokens-generate-jwks` is not found, rebuild the project:
```bash
make scitokens-generate-jwks
```

### TLS certificate errors

The test automatically generates self-signed certificates. The scitokens library is configured to trust the test CA certificate via the `tls.ca_file` configuration option.

### Server doesn't shut down cleanly

The teardown script will wait up to 10 seconds for graceful shutdown, then send SIGKILL. If tests are interrupted, you may need to manually kill the server process:
```bash
ps aux | grep jwks_server
kill <PID>
```

## Design Decisions

1. **Dynamic Port Allocation**: Using port 0 ensures tests can run in parallel and don't conflict with existing services.

2. **Self-Signed Certificates**: Generated on-the-fly to avoid committing secrets to the repository and to test the full TLS stack.

3. **HTTPS Required**: SciTokens requires HTTPS issuers, so we use HTTPS even for local testing.

4. **CTest Fixtures**: Using CTest's fixture framework ensures proper setup and teardown ordering, even when tests run in parallel.

5. **Detached Server Process**: The server runs detached from the shell to avoid blocking the setup script.

6. **Minimal Python Server**: Using Python's built-in `http.server` keeps dependencies minimal. JWKS generation is handled by the `scitokens-generate-jwks` tool built from this repository.