Add OIDC user to the functional test

[npalaska]

PBENCH-1070

To facilitate the removal of the dependency on the internal user API and internal users table we need to update the functional tests to not use the internal APIs.

Functional tests should move to using OIDC tokens by making a Admin REST API request to the OIDC server (Keycloak) directly as the server won't be providing those capabilities on its endpoints.

This PR is currently rebased on top of PR #3114

[npalaska]

Note:

1. These changes introduce the OIDC admin functionality for the client to use where the user directly communicates with the OIDC server and gets the token and the Dashboard is not involved in this handshake.
2. These changes are only related to functional tests and do not update the unit tests to use the OIDC-compliant tokens and users. With PR Further cleanup for the auth module #3114 we segregated the operational Pbench-server where we can either deploy the server with OpenID or the with an internal tokens table. In this effort, we have reverted unit tests to use the internal tokens, I'll fix this in another PR that handles only unit tests changes.

[portante]

We have the Connection class in the lib/pbench/server/auth/__init__.py module which we should probably re-use.

[webbnh]

I'm going to defer reviewing this code until this change is made.

[portante]

We should not re-add the same code that is already in the Connection class.

[portante]

Where is this audience coming from?

[npalaska]

Oops, I forgot to add a comment here.
Basically, if a user logs in with a username and password directly with a Keycloak rest API using private client then the aud claim included in the token is account
for example this request:

requests.post(
        "<token_endpoint>",
        headers=<{headers}>,
        data={"client_id": "pbench-server-client", "client_secret": <secret>,
              "scope": "profile email", "grant_type": "password", "username": user, "password": "123"},
        verify=False
    )

will generate a token that has a payload like following:

{'exp': 1675890382, 
'iat': 1675890082,
'jti': 'a8dc9cca-d734-4758-ab1d-be6510fe85b2', 
'iss': 'http://localhost:8090/realms/pbench-server', 
'aud': 'account', 
'sub': '9202c4a9-5901-46dc-9b8e-2643a5f4372e', 
'typ': 'Bearer', 
'azp': 'pbench-server-client', 
'session_state': '5730b4b1-bdb3-438c-a308-d3c1f8108fd8', ....}

And right now our functional test user is logging in using the Keycloak Rest API, so I had to include this claim to get the functional tests to pass.

[npalaska]

This one should be fixed now. I have added a client scope in the Keycloak configuration that will add the Pbench openid client (pbench-dashboard) in the aud claim by default. So the functional test user tokens should be able to get validated now.

[npalaska]

@portante can we resolve this comment?

[portante]

We don't require comments to be resolved before merging. Forgive me, but I have not had the time to review the changes in detail.

[npalaska]

In that case, can you consider removing your objection to this PR, its blocking the merge.

[dbutenhof]

I don't think I got finished; but I just realized I left comments so I might as well publish them before today ends.

[webbnh]

Based on the dependencies of this PR, should it be moved to draft mode?

[webbnh]

I'm going to defer reviewing this code until this change is made.

[npalaska]

Converted this to the draft mode again, I need to work on the new users table that we talked about in the design sync meeting.

[portante]

Converted this to the draft mode again, I need to work on the new users table that we talked about in the design sync meeting.

Please don't create a new users table. We already have one.

[npalaska]

Converted this to the draft mode again, I need to work on the new users table that we talked about in the design sync meeting.

Please don't create a new users table. We already have one.

Well, we can't use the current users table, it has user credentials information in it. So we have to drop it entirely and create a have a new one without all the user login stuff.

[dbutenhof]

Converted this to the draft mode again, I need to work on the new users table that we talked about in the design sync meeting.

Please don't create a new users table. We already have one.

Well, we can't use the current users table, it has user credentials information in it. So we have to drop it entirely and create a have a new one without all the user login stuff.

That's a semantic distinction I wouldn't worry about. You probably want to drop most of the existing columns. We only need a uuid = Column(String, unique=True) and a username = Column(String)... The new "API key" (similarly reworked/simplified AuthToken table will want a foreign key link, so probably also the same old id = Column(Integer, primary_key=True, autoincrement=True). We might want to capture Pbench-specific "profile" stuff here, and one way would be a simple profile = Column(JSON) where we can store anything we want.

[portante]

Can you rebase this on the openid-connect branch?

[npalaska]

I changed the base but I'll rebase it on the openid-connect in some time.

[webbnh]

Now that you've added support for the json parameter, you should revert the changes to add the str type to the data parameter (I'm hoping there's no reason why you cannot do that...). And, there are a bunch of nits which you should fix. And, I've got some suggestions, questions, and the odd request.

[webbnh]

Looks great, Nikhil.

Just a couple of tiny nits if you are so inclined.

[webbnh]

Ship it!

No longer participating in the review cycle for this PR.