test: setup conformance test suite #60
Conversation
raynerljm
changed the title
| ``` | ||
| to setup a Python virtual env | ||
| - Run `cat .env.example > .env` and repalce the `CONFORMANCE_TOKEN` with your [conformance testing permanent token](https://www.certification.openid.net/tokens.html) to setup your environment variables | ||
| - Run `pip install -r requirements.txt` to install the requirements |
There was a problem hiding this comment.
have we considered running these tests as part of our CI/CD pipeline? if we've decided against it, might be good to document why, probably in the PR description or in this README
There was a problem hiding this comment.
thanks for the comment - documented in the README here aebdb25
There was a problem hiding this comment.
overall, as I said before, tbh I'm still not convinced that the payoff-to-maintainability ratio is worth it for this, for a few reasons:
- the conformance tests are not doing anything special that we can't do ourselves in unit tests, e.g. testing for invalid sub, invalid signature. the fact that they are published by the OpenID Foundation does not make them magical.
- the conformance tests are opinionated (e.g. enforcing discovery, which is optional as per spec), and as a result we have to determine which tests are okay to fail based on the spec anyway. we might as well just write our own unit tests by referring to the spec itself.
- the conformance tests require a lot of code to maintain, including a whole full stack web app, test driver code and monkey-patching of our own SDK, as seen in this PR. if the tests break in a year's time, it will be hard for us to figure out what's wrong.
- the tests are extremely costly in terms of time, as they take 6.5 minutes to run. our CI currently takes 30-40 seconds.
will leave the final decision to jiehao!
| 1. In the `test/conformance/demo-rp` directory, run `npm run dev` | ||
| 1. In a new terminal in the `test/conformance/suite` directory | ||
| - If you have not activate your Python venv, run `source .venv/bin/activate` | ||
| - Run `python test.py` |
There was a problem hiding this comment.
I ran this and got the following:
Failed modules: 3 / 25
['oidcc-client-test-discovery-openid-config', 'oidcc-client-test-signing-key-rotation-just-before-signing', 'oidcc-client-test-signing-key-rotation']
is that expected?
There was a problem hiding this comment.
sorry that i wasn't terribly clear about the expected behaviour. in this change a1dab4f, I've added code-level comments to the modules.py file with the name, description, and expected behaviour (+ comments) for each test module
I've also commented out the test modules that are
- not supported by sgID (i.e. Webfinger, open id config from discovery, Aggregated/Distributed claims)
- not currently supported with the way the test suite is ran (i.e.
oidcc-client-test-signing-key-rotation)
I've updated the PR description with the above-mentioned limitations of the test suite
so right now all the tests should be passing
| } | ||
|
|
||
| // Request user info with access token | ||
| const { data } = await sgidClient.userinfo({ |
There was a problem hiding this comment.
does the decryption always fail because the test payload isn't encrypted? might be good to reflect that in a comment
There was a problem hiding this comment.
the OIDC server returns an empty object for the userinfo payload
as a result, the decryptPayload function will not be called during execution of the test suite.
here is a test that proves that it is not actually called
modified SDK code:
server logs:
thanks for the comment though! I'll make a note of this in the README + make a code level comment about this behaviour
There was a problem hiding this comment.
added the comments in the README and code level here aebdb25
additionally removed images from conformance testing demo app to remove bloat additionally fixed typos in the conformance testing README
i chose the Next.js app (more specifically the CSR one) as the demo RP for the following reasons
this is why the implementation of the demo RP is essentially just the Next.js CSR example app but with a modified to facilitate the discussion, do you have any suggestions for a demo RP that could potentially be easier to maintain? |
additionally add comments to README and `userinfo` endpoint about how the decryption of the payload will not be attempted
another couple of options (not mutually exclusive):
agree that NextJS does more stuff for you, but imo it'll be harder to maintain in future as NextJS and React keep upgrading. Express may upgrade too but if we just use it for a backend + static files, we'd have very little surface area which might be affected by breaking changes. |
Personally I think that it's worth it to maintain these conformance tests. The main reason for doing so is to offload the burden of maintaining the test cases to OpenID Foundation. Quick response to the points you've raised:
Also keen to hear your thoughts @raynerljm ! |
Additionally renamed `callback.ts` to `redirect.ts` to follow the Next.js CSR example. Also renamed `result` to `expected-result`. Updated README to explain how the test suite works
|
i was previously more on the fence on whether we should merge these tests as I wasn't sure whether it was wise to bog down the however, after refactoring the suite code into its own repository and leaving the monkey patch code in the relevant SDK, I believe its fine to continue with the merge + with the maintenance of the conformance suite. in the event that we do find that the cost is not worth the benefit, we can just stop using the suite and leave the repository alone instead of having to delete this portion in every single SDK. |
test/conformance/README.md
Outdated
| - Run `pip install -r requirements.txt` to install the requirements | ||
| - Run `cat .env.example > .env` and replace the `CONFORMANCE_TOKEN` with your [conformance testing permanent token](https://www.certification.openid.net/tokens.html) to setup your environment variables | ||
| 5. Additional notes | ||
| - Please ensure that the value of `test_plan_config.alias` in `test/conformance/suite/test.py` is the same as the last path parameter in `hostname` in `test/conformance/demo-rp/src/lib/sgidClient.ts` (e.g. `sgid-sdk-conformance-test`) |
There was a problem hiding this comment.
This refers to a file which no longer exists - test/conformance/suite/test.py
There was a problem hiding this comment.
thanks for the catch! 🎉 - updated in 71be529
Problem
As part of ensuring security and quality for sgID, we would like to ensure that our SDKs are conformant to the OIDC specifications. OIDC provides a conformance testing tool to check whether a relying party/server adheres to the standards laid out.
So far, we have been testing our TypeScript and Python SDK manually before releases as a sanity check (Tests are outlined and documented here. However, in an effort to improve efficiency and maintainability (especially if we decide to develop more SDKs), we would like automate these tests.
Related to #44
Solution
The
demo-rpdirectory contains the demo app that will be interacting with the conformance tests.examples/nextjs-csr.test/conformance/demo-rp/src/lib/sgidClient.ts).The
suitedirectory contains the scripts that interact with the conformance test server to start the test plan and test modules, and interact with the demo app through API calls.test.pyis the main test runner that defines the config of the conformance test plan and runs each test moduleconformance.py(modified based off this tutorial) is a wrapper over the API calls to the conformance test server and also includes the logic to interact with the locally hosted demo appmodules.pyspecifies the test modules (in theoidcc-client-test-plantest plan) to run and their expected final statuses and resultsLimitations of the test suite
oidcc-client-test-signing-key-rotation) require the authorization flow to be ran twice which is currently not supported with the way the test suite is built - Therefore the test modules are commented outScreenshots
Tests
You can run the conformance suite by following the instructions under
test/conformance/README.mdThe tests will be run manually when needed and will not be integrated into our CI/CD pipeline because of the following reasons (which are also outlined in the README)
New environment variables:
CONFORMANCE_TOKEN: permanent token from OpenID certification to interact with the conformance suite server