
test(auth): add Dex-backed OIDC authorizer integration test #388

Merged
aparajon merged 2 commits into main from aparajon/auth-dex-e2e
Jun 17, 2026

Conversation

@aparajon

Collaborator

Why this matters — Auth is a tier-0 safety gate. The unit tests verify the tier policy against an in-process JWKS stub, but nothing yet proves SchemaBot interoperates with a real OIDC provider's discovery, key set, and token shape.

What it does — Adds an integration test that stands up a real Dex container, mints a genuine signed, groups-bearing token via the auth-code flow, and asserts the read/write tier policy end-to-end:

| Case | Read (GET /api/status) | Write (POST /api/apply) |
|---|---|---|
| token in admin group | 200 | 200 |
| valid token, not admin | 200 | 403 |
| no token | 401 | |
| garbage token | 401 | |

How it moves toward the northstar — Locks in OIDC provider compatibility before the CLI Bearer/login work builds on it, so a provider-shape regression fails CI instead of surfacing in production.

Mechanics worth noting for review:

  • Dex's static-password connector emits no groups claim, so the test uses the mockCallback connector (a fixed identity in group authors) driven through the auth-code flow to get a token that actually carries groups.
  • The OIDC issuer URL is baked into Dex's config and must match what clients discover, so the test reserves a free host port and pins Dex's published port to it.
  • //go:build integration; runs under make test-integration.

🤖 Generated with Claude Code

Exercises the OIDC authorizer end-to-end against a real Dex container: Dex
issues a real signed, groups-bearing token (via the mockCallback connector and
the auth-code flow, since static passwords carry no groups), and the test
asserts the tier policy holds — read open to any valid token, write gated on an
admin group (403 otherwise), and missing/garbage tokens rejected (401). Pins
Dex to a reserved host port so the issuer URL is known before startup (it must
match what clients discover). Complements the unit tests by proving real OIDC
discovery, JWKS, and claim-shape compatibility.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
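The tier policy the PR description tabulates (read open to any valid token, write gated on an admin group, missing or garbage tokens rejected), reduced to the in-process check the unit tests exercise. This is an added example, not the PR's test or SchemaBot's authorizer: it assumes a single EdDSA signing key handed straight to the verifier (Dex signs RS256 and publishes its key through JWKS; discovery and key fetching are not shown), assumes iss, aud and exp are validated elsewhere, and takes the `/api/status` and `/api/apply` routes and the `admin` group from the table above. The `sign` helper is a constructed stand-in for the token Dex would mint.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// claims is the subset of the ID token the tier policy reads.
type claims struct {
	Groups []string `json:"groups"`
}

// verifier checks a JWT against one public key handed in directly. Assumptions: a
// single EdDSA key (Dex signs RS256 and publishes the key via JWKS; fetching it is
// not shown) and that iss, aud and exp are validated elsewhere.
type verifier struct{ pub ed25519.PublicKey }

func (v verifier) verify(tok string) (*claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := base64.RawURLEncoding.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("bad header") // also rejects alg=none and alg confusion
	}
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	if err != nil || !ed25519.Verify(v.pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var c claims
	if body, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("bad payload")
	}
	return &c, nil
}

// sign mints a token shaped like the provider's: a constructed stand-in for Dex.
func sign(priv ed25519.PrivateKey, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signing := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	return signing + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(signing)))
}

// tierMiddleware: any valid token may read (GET); a write (any other method) also needs adminGroup.
func tierMiddleware(v verifier, adminGroup string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := v.verify(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "))
		if err != nil {
			http.Error(w, "missing or invalid token", http.StatusUnauthorized)
			return
		}
		allowed := r.Method == http.MethodGet
		for _, g := range c.Groups {
			allowed = allowed || g == adminGroup
		}
		if !allowed {
			http.Error(w, "write tier requires group "+adminGroup, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// RunMatrix replays the PR's four cases and returns {read status, write status} per case.
func RunMatrix() (map[string][2]int, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	h := tierMiddleware(verifier{pub}, "admin", http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	status := func(method, path, tok string) int {
		req := httptest.NewRequest(method, path, nil)
		if tok != "" {
			req.Header.Set("Authorization", "Bearer "+tok)
		}
		rr := httptest.NewRecorder()
		h.ServeHTTP(rr, req)
		return rr.Code
	}
	cases := map[string]string{
		"admin":     sign(priv, claims{Groups: []string{"admin"}}),
		"non-admin": sign(priv, claims{Groups: []string{"authors"}}),
		"no token":  "",
		"garbage":   "not.a.jwt",
	}
	out := make(map[string][2]int)
	for name, tok := range cases {
		out[name] = [2]int{status(http.MethodGet, "/api/status", tok), status(http.MethodPost, "/api/apply", tok)}
	}
	return out, nil
}
```

The `alg` check in `verify` is the one step a policy test cannot skip: a verifier that accepts whatever algorithm the header names will happily treat an unsigned or re-signed token as valid, and the 403 row in the table then proves nothing. The Dex-backed test in this PR adds what this block deliberately leaves out, namely that the key actually comes from the provider's discovery and JWKS endpoints and that the groups claim has the shape the middleware expects.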
Copilot AI review requested due to automatic review settings June 16, 2026 22:34

Copilot AI left a comment


Pull request overview

Adds an integration-level, real-OIDC-provider test to validate SchemaBot’s OIDC authorizer interoperability (discovery + JWKS + signed token + groups claim) using a Dex container, ensuring the read/write tier policy holds end-to-end under make test-integration.

Changes:

  • Added //go:build integration Dex-backed end-to-end authorizer test covering valid admin token, valid non-admin token, missing token, and garbage token cases.
  • Updated go.mod to make the Docker client dependency direct (needed by the new integration test’s container HostConfig modifier).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

| File | Description |
|---|---|
| pkg/auth/dex_integration_test.go | New integration test that spins up Dex via testcontainers, mints a token via auth-code flow, and asserts OIDC tier enforcement through the middleware. |
| go.mod | Promotes github.com/docker/docker to a direct dependency for the new test's Docker HostConfig types. |

- bound every HTTP call with an explicit client timeout so a hung Dex or
  network fails fast instead of blocking until the test timeout
- reuse the configured client for the token exchange instead of the default
- retry Dex startup with a freshly reserved port to absorb the inherent
  reserve-then-bind TOCTOU race
- terminate the container with a fresh context in cleanup (t.Context() is
  already cancelled by then)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
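The reserve-then-bind race and the cleanup-context point from this commit message, as an added example that is not the PR's code and uses only the standard library. `ReserveFreePort` and `StartWithRetry` are this example's names for the mechanism described above; `RacyBinder` is a constructed stand-in for the Dex container (testcontainers is not involved) whose first bind deliberately loses the race, and `Teardown` shows the fresh-context cleanup the commit message describes.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"time"
)

// ReserveFreePort asks the kernel for an unused loopback port and releases it at
// once. Nothing stops another process from binding it between this Close and the
// real bind (the reserve-then-bind TOCTOU race), so callers must be able to retry.
func ReserveFreePort() (int, error) {
	l, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	port := l.Addr().(*net.TCPAddr).Port
	return port, l.Close()
}

// StartWithRetry reserves a port, hands it to start (which must bind it), and on a
// bind failure retries with a newly reserved port, up to attempts times. Choosing
// the port before start runs is what lets a URL that has to be baked into the
// service's config (the OIDC issuer) be known in advance.
func StartWithRetry(ctx context.Context, attempts int, start func(ctx context.Context, port int) error) (int, error) {
	var last error
	for i := 0; i < attempts; i++ {
		port, err := ReserveFreePort()
		if err != nil {
			return 0, err
		}
		if last = start(ctx, port); last == nil {
			return port, nil
		}
	}
	return 0, fmt.Errorf("start failed after %d attempts: %w", attempts, last)
}

// RacyBinder is a constructed stand-in for the container. On its first attempt a
// "neighbour" grabs the reserved port before it binds, so that attempt fails the
// way a lost race does; later attempts bind normally.
type RacyBinder struct {
	Attempts  int
	listeners []net.Listener
}

func (b *RacyBinder) Start(_ context.Context, port int) error {
	b.Attempts++
	addr := fmt.Sprintf("127.0.0.1:%d", port)
	if b.Attempts == 1 {
		neighbour, err := net.Listen("tcp", addr)
		if err != nil {
			return err
		}
		b.listeners = append(b.listeners, neighbour)
	}
	l, err := net.Listen("tcp", addr) // attempt 1: address already in use
	if err != nil {
		return err
	}
	b.listeners = append(b.listeners, l)
	return nil
}

// Stop releases every socket, honouring ctx the way a container Terminate(ctx)
// would: an already-cancelled context tears nothing down.
func (b *RacyBinder) Stop(ctx context.Context) error {
	if err := ctx.Err(); err != nil {
		return err
	}
	for _, l := range b.listeners {
		l.Close()
	}
	b.listeners = nil
	return nil
}

// Teardown is what a t.Cleanup would call. By then t.Context() is already
// cancelled, so cleanup builds a fresh context with its own deadline instead.
func Teardown(b *RacyBinder) error {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	return b.Stop(ctx)
}
```

`StartWithRetry` reserves a new port on every attempt rather than re-trying the old one: the port that lost the race is now held by whoever won it, and the issuer URL has to be rebuilt from the new number before the next start. `Stop` refusing a cancelled context is the failure the commit message is guarding against; with the test's own context the container would be leaked silently.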
@aparajon force-pushed the aparajon/auth-dex-e2e branch from 1caa1b9 to d164cf9 on June 17, 2026 01:24
@aparajon marked this pull request as ready for review June 17, 2026 02:43
@aparajon requested review from Kiran01bm and morgo as code owners June 17, 2026 02:43
@aparajon merged commit cfeae88 into main Jun 17, 2026
29 checks passed
@aparajon deleted the aparajon/auth-dex-e2e branch June 17, 2026 13:48

3 participants