Adjust cookiecutters

pulp · Oct 10, 2024 · 5e6c573 · 5e6c573
1 parent 0621810
commit 5e6c573
Showing 5 changed files with 87 additions and 11 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -67,7 +67,7 @@ jobs:
             pip install dist/pulp_cli-*.whl pulp-glue/dist/pulp_glue-*.whl -r test_requirements.txt -c lower_bounds_constraints.lock
           elif [ "${{matrix.upper_bounds}}" ]
           then
-            .ci/scripts/calc_constraints.py pyproject.toml --upper > upper_bounds_constraints.lock
+            .ci/scripts/calc_constraints.py pyproject.toml pulp-glue/pyproject.toml  --upper > upper_bounds_constraints.lock
             pip install dist/pulp_cli-*.whl pulp-glue/dist/pulp_glue-*.whl -r test_requirements.txt -c upper_bounds_constraints.lock
           else
             pip install dist/pulp_cli-*.whl pulp-glue/dist/pulp_glue-*.whl -r test_requirements.txt

diff --git a/cookiecutter/ci/{{ cookiecutter.__project_name }}/.ci/nginx.conf.j2 b/cookiecutter/ci/{{ cookiecutter.__project_name }}/.ci/nginx.conf.j2
@@ -1,9 +1,6 @@
 # Copy from pulp-oci-images.
 # Ideally we can get it upstream again.
 #
-# TODO: Support IPv6.
-# TODO: Maybe serve multiple `location`s, not just one.
-
 # The "nginx" package on fedora creates this user and group.
 user nginx nginx;
 # Gunicorn docs suggest this value.
@@ -24,10 +21,12 @@ http {
     # to build optimal hash types.
     types_hash_max_size 4096;
 
+    {%- if https | default(false) %}
     map $ssl_client_s_dn $ssl_client_s_dn_cn {
         default "";
         ~CN=(?<CN>[^,]+) $CN;
     }
+    {%- endif %}
 
     upstream pulp-content {
          server 127.0.0.1:24816;
@@ -85,7 +84,9 @@ http {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header Host $http_host;
+            {%- if https | default(false) %}
             proxy_set_header Remoteuser $ssl_client_s_dn_cn;
+            {%- endif %}
             # we don't want nginx trying to do something clever with
             # redirects, we set the Host: header above already.
             proxy_redirect off;
@@ -136,6 +137,25 @@ http {
             try_files $uri $uri/ =404;
         }
         {%- endif %}
+        {% if https | default(false) -%}
+        location /oauth2token/ {
+            auth_basic "Tokens, Tokens, Tokens";
+            auth_basic_user_file /etc/pulp/certs/oauth2passwd;
+            if ($request_method !~ POST) {
+                # This still triggers earlier than the auth_basic in the outer block.
+                return 403;
+            }
+            try_files /dev/null @oauth2token;
+        }
+        # Nginx "return" kicks in before basic_auth, so we must use it in a separate block.
+        # https://stackoverflow.com/questions/67975464/why-doesnt-basic-auth-work-with-a-simple-nginx-return-statement
+        location @oauth2token {
+            default_type application/json;
+            charset utf-8;
+
+            return 200 '{"access_token": "DEADBEEF", "token_type": "bearer", "expires_in": 30}';
+        }
+        {%- endif %}
     }
     {%- if https | default(false) %}
     server {

diff --git a/cookiecutter/ci/{{ cookiecutter.__project_name }}/.ci/run_container.sh b/cookiecutter/ci/{{ cookiecutter.__project_name }}/.ci/run_container.sh
@@ -50,7 +50,8 @@ else
 fi;
 
 mkdir -p "${PULP_CLI_TEST_TMPDIR}/settings/certs"
-cp "${BASEPATH}/settings/settings.py" "${PULP_CLI_TEST_TMPDIR}/settings"
+cp "${BASEPATH}/settings/settings.py" "${PULP_CLI_TEST_TMPDIR}/settings/settings.py"
+echo "service_acct:$(openssl passwd secret)" > "${PULP_CLI_TEST_TMPDIR}/settings/certs/oauth2passwd"
 
 if [ -z "${PULP_HTTPS:+x}" ]
 then
@@ -65,19 +66,14 @@ else
   export PULP_CA_BUNDLE="${PULP_CLI_TEST_TMPDIR}/settings/certs/ca.pem"
   ln -fs server.pem "${PULP_CLI_TEST_TMPDIR}/settings/certs/pulp_webserver.crt"
   ln -fs server.key "${PULP_CLI_TEST_TMPDIR}/settings/certs/pulp_webserver.key"
-  {
-    echo "AUTHENTICATION_BACKENDS = '@merge django.contrib.auth.backends.RemoteUserBackend'"
-    echo "MIDDLEWARE  = '@merge django.contrib.auth.middleware.RemoteUserMiddleware'"
-    echo "REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = '@merge pulpcore.app.authentication.PulpRemoteUserAuthentication'"
-    echo "REMOTE_USER_ENVIRON_NAME = 'HTTP_REMOTEUSER'"
-  } >> "${PULP_CLI_TEST_TMPDIR}/settings/settings.py"
 fi
 export PULP_CONTENT_ORIGIN
 
 "${CONTAINER_RUNTIME}" \
   run ${RM:+--rm} \
   --env S6_KEEP_ENV=1 \
   ${PULP_HTTPS:+--env PULP_HTTPS} \
+  ${PULP_OAUTH2:+--env PULP_OAUTH2} \
   ${PULP_API_ROOT:+--env PULP_API_ROOT} \
   --env PULP_CONTENT_ORIGIN \
   --detach \

diff --git a/cookiecutter/ci/{{ cookiecutter.__project_name }}/.ci/settings/settings.py b/cookiecutter/ci/{{ cookiecutter.__project_name }}/.ci/settings/settings.py
@@ -1,3 +1,58 @@
+import os
+
 ALLOWED_EXPORT_PATHS = ["/tmp"]
 ANALYTICS = False
 ALLOWED_CONTENT_CHECKSUMS = ["sha1", "sha256", "sha512"]
+
+if os.environ.get("PULP_HTTPS", "false").lower() == "true":
+    AUTHENTICATION_BACKENDS = "@merge django.contrib.auth.backends.RemoteUserBackend"
+    MIDDLEWARE = "@merge django.contrib.auth.middleware.RemoteUserMiddleware"
+    REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = (
+        "@merge pulpcore.app.authentication.PulpRemoteUserAuthentication"
+    )
+    REMOTE_USER_ENVIRON_NAME = "HTTP_REMOTEUSER"
+
+if os.environ.get("PULP_OAUTH2", "false").lower() == "true":
+    assert os.environ.get("PULP_HTTPS", "false").lower() == "true"
+
+    def PulpCliFakeOauth2Authentication(*args, **kwargs):
+        # We need to lazy load this.
+        # Otherwise views may be instanciated, before this configuration is merged.
+
+        from django.contrib.auth import authenticate
+        from drf_spectacular.extensions import OpenApiAuthenticationExtension
+        from rest_framework.authentication import BaseAuthentication
+
+        class _PulpCliFakeOauth2Authentication(BaseAuthentication):
+            def authenticate(self, request):
+                auth_header = request.META.get("HTTP_AUTHORIZATION")
+                if auth_header == "Bearer DEADBEEF":
+                    return authenticate(request, remote_user="admin"), None
+                else:
+                    return None
+
+            def authenticate_header(self, request):
+                return 'Bearer realm="Pulp"'
+
+        class PulpCliFakeOauth2AuthenticationScheme(OpenApiAuthenticationExtension):
+            target_class = _PulpCliFakeOauth2Authentication
+            name = "PulpCliFakeOauth2"
+
+            def get_security_definition(self, auto_schema):
+                return {
+                    "type": "oauth2",
+                    "flows": {
+                        "clientCredentials": {
+                            "tokenUrl": "https://localhost:8080/oauth2token/",
+                            "scopes": {"api.console": "grant_access_to_pulp"},
+                        },
+                    },
+                }
+
+        return _PulpCliFakeOauth2Authentication(*args, **kwargs)
+
+    PULP_CLI_FAKE_OAUTH2_AUTHENTICATION = PulpCliFakeOauth2Authentication
+
+    REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = (
+        "@merge pulpcore.app.settings.PULP_CLI_FAKE_OAUTH2_AUTHENTICATION"
+    )
diff --git a/cookiecutter/ci/{{ cookiecutter.__project_name }}/.github/workflows/test.yml b/cookiecutter/ci/{{ cookiecutter.__project_name }}/.github/workflows/test.yml
@@ -38,6 +38,10 @@ jobs:
           if [ "{{ "${{matrix.lower_bounds}}" }}" ]
           then
             pip install dist/pulp_cli{{ cookiecutter.__app_label_suffix | replace("-", "_") }}-*.whl {%- if cookiecutter.glue %} pulp-glue{{ cookiecutter.__app_label_suffix }}/dist/pulp_glue{{ cookiecutter.__app_label_suffix | replace("-", "_") }}-*.whl {%- endif %} -r test_requirements.txt -c lower_bounds_constraints.lock
+          elif [ "{{ "${{matrix.upper_bounds}}" }}" ]
+          then
+            .ci/scripts/calc_constraints.py pyproject.toml {%- if cookiecutter.glue %} pulp-glue{{ cookiecutter.__app_label_suffix }}/pyproject.toml {%- endif %}  --upper > upper_bounds_constraints.lock
+            pip install dist/pulp_cli{{ cookiecutter.__app_label_suffix | replace("-", "_") }}-*.whl {%- if cookiecutter.glue %} pulp-glue{{ cookiecutter.__app_label_suffix }}/dist/pulp_glue{{ cookiecutter.__app_label_suffix | replace("-", "_") }}-*.whl {%- endif %} -r test_requirements.txt -c upper_bounds_constraints.lock
           else
             pip install dist/pulp_cli{{ cookiecutter.__app_label_suffix | replace("-", "_") }}-*.whl {%- if cookiecutter.glue %} pulp-glue{{ cookiecutter.__app_label_suffix }}/dist/pulp_glue{{ cookiecutter.__app_label_suffix | replace("-", "_") }}-*.whl {%- endif %} -r test_requirements.txt
           fi
@@ -49,6 +53,7 @@ jobs:
           FROM_TAG: "${{ matrix.from_tag }}"
           CONTAINER_FILE: "${{ matrix.container_file }}"
           PULP_HTTPS: "${{ matrix.pulp_https }}"
+          PULP_OAUTH2: "${{ matrix.pulp_oauth2 }}"
           PULP_API_ROOT: "${{ matrix.pulp_api_root }}"
           {%- endraw %}
         run: |