Development
Repository
Clone the repository to start developing:
git clone https://github.com/indigo-dc/flaat
cd ./flaat
Testing
We need access token(s) to run tests. We use oidc-agent for handling access tokens. The test suite uses environment variables for configuration. You can configure the test suite using a dotenv file:
cp .env-template .env # use the template
<editor> .env # set the correct values in the dotenv file
You should preferably configure two oidc-agent accounts: one for an OIDC provider that issues JWTs and one for a provider that does not. The following file is the environment template. You will almost certainly need to change OIDC_AGENT_ACCOUNT and NON_JWT_OIDC_AGENT_ACCOUNT:
### JWT ACCESS TOKEN
# the shortname depends on how you set up your oidc agent
export OIDC_AGENT_ACCOUNT="egi"
# the issuer of the oidc agent account
export FLAAT_ISS="https://aai.egi.eu/oidc/"
# These claims must point to two lists of at least two elements in the userinfo
export FLAAT_CLAIM_ENTITLEMENT="eduperson_entitlement"
export FLAAT_CLAIM_GROUP="eduperson_scoped_affiliation"
# To test token introspection we need client id / secret
export FLAAT_CLIENT_ID="oidc-agent"
export FLAAT_CLIENT_SECRET="" # oidc agent needs no secret
### END JWT ACCESS TOKEN
### OPTIONAL NON-JWT ACCESS TOKEN
export NON_JWT_OIDC_AGENT_ACCOUNT="google"
export NON_JWT_FLAAT_ISS="https://accounts.google.com"
### END OPTIONAL NON-JWT ACCESS TOKEN
### OPTIONAL AUD ACCESS TOKEN; OP must support setting AT audience claim
export AUD_OIDC_AGENT_ACCOUNT="wlcg"
export AUD_FLAAT_ISS="https://wlcg.cloud.cnaf.infn.it/"
### END OPTIONAL AUD ACCESS TOKEN
Tox
We use tox to run the tests for supported Python versions, lint the code using pylint and build this beautiful documentation:
tox # Do everything
tox -e docs # Only build the docs
tox -e pylint # Only lint the code
tox -e py310 # Run a test for a specific python version
Code conventions
We use pyright for static type checking. Code is formatted using black.
Override auth using environment variables
Important
Be careful with these variables and never use them in production.
You may find setting the following environment variables useful:
- export DISABLE_AUTHORIZATION_AND_ASSUME_AUTHORIZED_USER=YES
Bypasses user authorization done by the decorators.
- export DISABLE_AUTHENTICATION_AND_ASSUME_AUTHENTICATED_USER=YES
Bypasses user authentication done by the decorators. This also bypasses the authorization.
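A pre-deployment guard for the two override variables above, as an added example that is not part of flaat: it parses a dotenv file in the `export NAME=value` style used on this page and fails closed if either variable is set. The function names and the rule that any non-empty value counts as "set" are assumptions of this example.

```python
import re

# Variable names from the page; both switch off checks done by flaat's decorators.
BYPASS_VARS = {
    "DISABLE_AUTHENTICATION_AND_ASSUME_AUTHENTICATED_USER": "authn and authz bypassed",
    "DISABLE_AUTHORIZATION_AND_ASSUME_AUTHORIZED_USER": "authz bypassed",
}

# Matches dotenv lines such as: export NAME="value" # comment
_LINE = re.compile(
    r"""^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"""
    r"""(?:"([^"]*)"|'([^']*)'|([^\s#]*))"""
)

# Constructed sample input, modelled on the .env template shown on this page.
SAMPLE_DOTENV = """\
export OIDC_AGENT_ACCOUNT="egi"
export FLAAT_CLIENT_SECRET="" # oidc agent needs no secret
# export DISABLE_AUTHENTICATION_AND_ASSUME_AUTHENTICATED_USER=YES
export DISABLE_AUTHORIZATION_AND_ASSUME_AUTHORIZED_USER=YES
"""

def parse_dotenv(text):
    """Return {name: value} for the assignments in dotenv-style text."""
    values = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:  # blank lines and commented-out lines do not match
            name, dq, sq, bare = match.groups()
            values[name] = dq if dq is not None else sq if sq is not None else bare
    return values

def find_bypasses(*sources):
    """List (name, effect) for each bypass variable with a non-empty value."""
    # Assumption of this example: any non-empty value counts, not only "YES".
    found = []
    for source in sources:
        for name, effect in BYPASS_VARS.items():
            if source.get(name, "").strip() and (name, effect) not in found:
                found.append((name, effect))
    return found

def assert_no_bypass(*sources):
    """Raise RuntimeError (fail closed) if any source enables an auth override."""
    found = find_bypasses(*sources)
    if found:
        raise RuntimeError("auth override set: " + ", ".join(n for n, _ in found))
```

Each source is a mapping, so a deployment check can pass both `os.environ` and the parsed dotenv file to `assert_no_bypass` before the service starts.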
Releasing to PyPI
To build a new version use:
git tag <new version> # Tag the release version
git push origin <new version> # Push the tag (a plain git push does not push tags)
make dist # build the release
make upload # upload it to PyPI (needs a valid PyPI account configured in ~/.pypirc)
Read the Docs will automatically update the documentation for the git tag.