Clone the repository to start developing:
git clone https://github.com/indigo-dc/flaat cd ./flaat
We need access token(s) to run tests. We use oidc-agent for handling access tokens. The test suite uses environment variables for configuration. You can configure the test suite using a dotenv file:
cp .env-template .env # use the template <editor> .env # set the correct values in the dotenv file
You should preferably configure two oidc agent accounts: One for an OIDC provider that issues JWTs and one that does not. The following file is the environment template. You will almost certainly need to change OIDC_AGENT_ACCOUNT and NON_JWT_OIDC_AGENT_ACCOUNT:
### JWT ACCESS TOKEN # the shortname depends on how you setup your oidc agent export OIDC_AGENT_ACCOUNT="egi" # the issuer of the oidc agent account export FLAAT_ISS="https://aai.egi.eu/oidc/" # These claims must point to two lists of at least two elements in the userinfo export FLAAT_CLAIM_ENTITLEMENT="eduperson_entitlement" export FLAAT_CLAIM_GROUP="eduperson_scoped_affiliation" # To test token introspection we need client id / secret export FLAAT_CLIENT_ID="oidc-agent" export FLAAT_CLIENT_SECRET="" # oidc agent needs no secret ### END JWT ACCESS TOKEN ### OPTIONAL NON-JWT ACCESS TOKEN export NON_JWT_OIDC_AGENT_ACCOUNT="google" export NON_JWT_FLAAT_ISS="https://accounts.google.com" ### END OPTIONAL NON-JWT ACCESS TOKEN ### OPTIONAL AUD ACCESS TOKEN; OP must support setting AT audience claim export AUD_OIDC_AGENT_ACCOUNT="wlcg" export AUD_FLAAT_ISS="https://wlcg.cloud.cnaf.infn.it/" ### END OPTIONAL AUD ACCESS TOKEN
We use tox to run the tests for supported python versions, lint the code using pylint and build this beautiful documentation:
tox # Do everything tox -e docs # Only build the docs tox -e pylint # Only lint the code tox -e py310 # Run a test for a specific python version
Override auth using environment variables¶
Be careful with these variables and never use them in production.
You may find setting the following environment variable useful:
- export DISABLE_AUTHORIZATION_AND_ASSUME_AUTHORIZED_USER=YES
Bypasses user authorization done by the decorators.
- export DISABLE_AUTHENTICATION_AND_ASSUME_AUTHENTICATED_USER=YES
Bypasses user authentication done by the decorators. This also bypasses the authorization.
Releasing to PyPI¶
To build a new version use:
git tag <new version> # Tag the release version git push # Push the tag make dist # build the release make upload # upload it to PyPI (needs a valid PyPI account configured in ~/.pypirc)
Read the Docs will automatically update the documentation for the git tag.