indigo-dc / flaat

FLAsk with Access Tokens - FLAAT
MIT License

Flask tests fail with different oidc-account in .env #72

Closed dianagudu closed 2 years ago

dianagudu commented 2 years ago

My example .env file:

### JWT ACCESS TOKEN
# the shortname depends on how you set up your oidc agent
export OIDC_AGENT_ACCOUNT="helmholtz"

# the issuer of the oidc agent account
export FLAAT_ISS="https://login.helmholtz.de/oauth2"

# These claims must point to two lists of at least two elements in the userinfo
export FLAAT_CLAIM_ENTITLEMENT="eduperson_entitlement"
export FLAAT_CLAIM_GROUP="eduperson_scoped_affiliation"

# To test token introspection we need client id / secret
#export FLAAT_CLIENT_ID="oidc-agent"
#export FLAAT_CLIENT_SECRET="" # oidc agent needs no secret
### END JWT ACCESS TOKEN

### OPTIONAL NON-JWT ACCESS TOKEN
export NON_JWT_OIDC_AGENT_ACCOUNT="google"
export NON_JWT_FLAAT_ISS="https://accounts.google.com"
### END OPTIONAL NON-JWT ACCESS TOKEN

### OPTIONAL AUD ACCESS TOKEN; OP must support setting AT audience claim
export AUD_OIDC_AGENT_ACCOUNT="wlcg"
export AUD_FLAAT_ISS="https://wlcg.cloud.cnaf.infn.it/"
### END OPTIONAL AUD ACCESS TOKEN

The following tests fail:

========================================================= short test summary info ==========================================================
FAILED flaat/flask/flask_test.py::test_authorized[ProductionConfig-ValidToken-/authorized_claim] - assert 401 == 200
FAILED flaat/flask/flask_test.py::test_authorized[ProductionConfig-ValidToken-/authorized_vo] - assert 401 == 200
FAILED flaat/flask/flask_test.py::test_authorized[ProductionConfig-ValidToken-/authorized_level] - assert 401 == 200
FAILED flaat/flask/flask_test.py::test_authorized[ProductionConfig-ValidToken-/authenticated] - assert 401 == 200
FAILED flaat/flask/flask_test.py::test_authorized[ProductionConfig-ValidToken-/authenticated_callback] - assert 401 == 200
FAILED flaat/flask/flask_test.py::test_authorized[ProductionConfig-ValidToken-/info] - assert 401 == 200
================================================= 6 failed, 89 passed, 1 skipped in 23.57s =================================================

Example output from one of the failed tests:

______________________________________ test_authorized[ProductionConfig-ValidToken-/authorized_claim] ______________________________________

client = <FlaskClient <Flask 'examples.example_flask'>>
test_authorized_path_headers = ('/authorized_claim', {'Authorization': 'Bearer eyJ0eXAiOiJhdCtqd3QiL...'})

>   ???

<makefun-gen-12>:2: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
.tox/py39/lib/python3.9/site-packages/pytest_cases/fixture_parametrize_plus.py:1072: in wrapped_test_func
    return test_func(*args, **kwargs)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

client = <FlaskClient <Flask 'examples.example_flask'>>, path = '/authorized_claim'
headers = {'Authorization': 'Bearer eyJ0eXAiOiJhdCtqd3QiL...'}

    @parametrize_with_cases("path, headers", cases=cases.Authorized)
    def test_authorized(client, path, headers):
        response = client.get(path, headers=headers)
>       assert response.status_code == 200
E       assert 401 == 200
E        +  where 401 = <WrapperTestResponse streamed [401 UNAUTHORIZED]>.status_code

flaat/flask/flask_test.py:8: AssertionError
------------------------------------------------------------ Captured log call -------------------------------------------------------------
DEBUG    flaat:__init__.py:440 Mapping exception: User identity could not be determined

I suspect it has something to do with these lines: https://github.com/indigo-dc/flaat/blob/7fe6f3654ec1f39f9a61df83645db5672bb3ad73/flaat/flask/conftest.py#L21-L22

The TRUSTED_OP_LIST of the app contains the EGI OP (from ProductionConfig) instead of the one from the .env file.

@BorjaEst

BorjaEst commented 2 years ago

@dianagudu, indeed the code you pointed to is an indicator but not the root. I am testing the example, and the example uses in-module-config as described at: https://flask.palletsprojects.com/en/2.1.x/config/

However, it conflicts with the .env setup for the example_tests.

What we could do is have the tests load test_env as configuration instead of the example configuration. I am preparing a patch.

BorjaEst commented 2 years ago

https://github.com/indigo-dc/flaat/pull/73
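A diagnostic for the mismatch discussed in this thread, added here as an example (not code from flaat or from either commenter): it reads the `iss` claim of a JWT access token without verifying it and checks it against a trusted-OP list, which separates "wrong list loaded" from "bad token" when a valid token gets a 401. The sample token, the placeholder OP URL and the function names are constructed for illustration, and the trailing-slash normalization is this example's own choice.

```python
import base64
import json


def unverified_issuer(bearer_token: str) -> str:
    """Return the `iss` claim WITHOUT verifying the signature (diagnostics only)."""
    parts = bearer_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (opaque access token?)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # covers binascii, JSON and UTF-8 decode errors
        raise ValueError("JWT payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict) or not isinstance(claims.get("iss"), str):
        raise ValueError("JWT payload has no string `iss` claim")
    return claims["iss"]


def issuer_is_trusted(issuer: str, trusted_op_list: list) -> bool:
    """Exact issuer comparison, ignoring only a trailing slash (example's choice)."""
    norm = issuer.rstrip("/")
    return any(norm == op.rstrip("/") for op in trusted_op_list)


def _b64(obj: dict) -> str:
    # base64url without padding, as used for JWT segments
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample token with a dummy signature; issuer is FLAAT_ISS from the .env above.
SAMPLE_TOKEN = ".".join([
    _b64({"typ": "at+jwt", "alg": "RS256"}),
    _b64({"iss": "https://login.helmholtz.de/oauth2", "sub": "constructed-user"}),
    "c2ln",
])

# Placeholder for the list the app under test actually loaded (hypothetical URL).
APP_TRUSTED_OP_LIST = ["https://op.example.org/oidc/"]
# The list the test environment intended, derived from FLAAT_ISS in the .env.
ENV_TRUSTED_OP_LIST = ["https://login.helmholtz.de/oauth2"]

if __name__ == "__main__":
    iss = unverified_issuer(SAMPLE_TOKEN)
    print("token issuer:", iss)
    print("trusted by app config:", issuer_is_trusted(iss, APP_TRUSTED_OP_LIST))
    print("trusted by .env config:", issuer_is_trusted(iss, ENV_TRUSTED_OP_LIST))
```

The decoded issuer is only a debugging aid; the service must still validate the token against the OP before trusting any claim.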