Development

Repository

Clone the repository to start developing:

git clone https://github.com/indigo-dc/flaat
cd ./flaat

Testing

We need access token(s) to run tests. We use oidc-agent for handling access tokens. The test suite uses environment variables for configuration. You can configure the test suite using a dotenv file:

cp .env-template .env   # use the template
<editor> .env           # set the correct values in the dotenv file

You should preferably configure two oidc-agent accounts: one for an OIDC provider that issues JWTs and one for a provider that does not. The following file is the environment template. You will almost certainly need to change OIDC_AGENT_ACCOUNT and NON_JWT_OIDC_AGENT_ACCOUNT:

### JWT ACCESS TOKEN
# the shortname depends on how you set up your oidc agent
export OIDC_AGENT_ACCOUNT="egi"

# the issuer of the oidc agent account
export FLAAT_ISS="https://aai.egi.eu/oidc/"

# These claims must point to two lists of at least two elements in the userinfo
export FLAAT_CLAIM_ENTITLEMENT="eduperson_entitlement"
export FLAAT_CLAIM_GROUP="eduperson_scoped_affiliation"

# To test token introspection we need client id / secret
export FLAAT_CLIENT_ID="oidc-agent"
export FLAAT_CLIENT_SECRET="" # oidc agent needs no secret
### END JWT ACCESS TOKEN

### OPTIONAL NON-JWT ACCESS TOKEN
export NON_JWT_OIDC_AGENT_ACCOUNT="google"
export NON_JWT_FLAAT_ISS="https://accounts.google.com"
### END OPTIONAL NON-JWT ACCESS TOKEN


### OPTIONAL AUD ACCESS TOKEN; OP must support setting AT audience claim
export AUD_OIDC_AGENT_ACCOUNT="wlcg"
export AUD_FLAAT_ISS="https://wlcg.cloud.cnaf.infn.it/"
### END OPTIONAL AUD ACCESS TOKEN

Tox

We use tox to run the tests for supported Python versions, lint the code using pylint and build this beautiful documentation:

tox              # Do everything
tox -e docs      # Only build the docs
tox -e pylint    # Only lint the code
tox -e py310     # Run a test for a specific Python version

Code conventions

We use pyright for static type checking. Code is formatted using black.

Override auth using environment variables

Important

Be careful with these variables and never use them in production.

You may find setting the following environment variables useful:

  • export DISABLE_AUTHORIZATION_AND_ASSUME_AUTHORIZED_USER=YES

    Bypasses user authorization done by the decorators.

  • export DISABLE_AUTHENTICATION_AND_ASSUME_AUTHENTICATED_USER=YES

    Bypasses user authentication done by the decorators. This also bypasses the authorization.
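
A guard for the two override variables listed above, written as an added example that is not part of flaat: it flags them in the process environment at start-up and in dotenv text during CI. The function names and the sample dotenv content are constructed for illustration, and treating any non-empty value as enabled is a conservative assumption (this page documents only YES).

```python
import os
import re

# Names as documented above. Assumption of this example: any non-empty
# value counts as "enabled", although the page only documents YES.
AUTH_OVERRIDE_VARS = (
    "DISABLE_AUTHORIZATION_AND_ASSUME_AUTHORIZED_USER",
    "DISABLE_AUTHENTICATION_AND_ASSUME_AUTHENTICATED_USER",
)

# Matches `export NAME=value` or `NAME=value` lines in a dotenv file.
_ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def overrides_in_environ(environ):
    """Return the override variables that are set to a non-empty value."""
    return [name for name in AUTH_OVERRIDE_VARS if environ.get(name, "").strip()]


def overrides_in_dotenv(text):
    """Return (line_number, name) for override assignments in dotenv text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = _ASSIGNMENT.match(line)  # commented-out lines never match
        if match and match.group(1) in AUTH_OVERRIDE_VARS:
            # Drop a trailing comment and surrounding quotes before testing.
            value = match.group(2).split("#", 1)[0].strip().strip("\"'")
            if value:
                hits.append((lineno, match.group(1)))
    return hits


def refuse_to_start_with_overrides(environ=None):
    """Call at production start-up; raises if an override variable is set."""
    found = overrides_in_environ(os.environ if environ is None else environ)
    if found:
        raise RuntimeError("auth override variables set: " + ", ".join(found))


# Constructed sample dotenv content for illustration.
SAMPLE_DOTENV = """\
export FLAAT_ISS="https://aai.egi.eu/oidc/"
# export DISABLE_AUTHENTICATION_AND_ASSUME_AUTHENTICATED_USER=YES
export DISABLE_AUTHORIZATION_AND_ASSUME_AUTHORIZED_USER=YES
"""

if __name__ == "__main__":
    for lineno, name in overrides_in_dotenv(SAMPLE_DOTENV):
        print(f"line {lineno}: {name} must not be deployed")
```
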

Releasing to PyPI

To build a new version use:

git tag <new version>           # Tag the release version
git push origin <new version>   # Push the tag

make dist               # build the release
make upload             # upload it to PyPI (needs a valid PyPI account configured in ~/.pypirc)

Read the Docs will automatically update the documentation for the git tag.