This is the first incarnation of the WLCG JWT compliance testsuite. The objective is to have a Robot framework testsuite to check WLCG JWT profile support at services (starting with the data management services).
The WLCG storage area authorization at SEs tested by this testsuite should be configured as follows:
storage.* scopes in the token, e.g. a token with the storage.modify:/ issued by the WLCG token issuer will grant write access on the whole storage area.
/protected folder) is allowed to all members of the WLCG VO, i.e.:
/protected folder (and sub-folders) is granted to the following principals:
/wlcg/Role=test role
/wlcg/test group
Basic requirements for running the testsuite are:
wlcg and registered on the WLCG IAM instance (more details here);
/wlcg/test optional group in the WLCG IAM.
This is the recommended way of running the testsuite.
To set up an environment for running the testsuite in docker, run the following commands:
docker-compose up trust # and wait for fetch crl to be done
docker-compose up -d ts
You can now log into the testsuite container:
docker-compose exec ts bash
You will need to initialize oidc-agent inside the container.
$ eval $(oidc-agent --no-autoload)
$ oidc-add wlcg
You can then run the testsuite against one of the registered endpoints:
cd test-suite
./run-testsuite.sh se-cnaf-amnesiac-storm
Additional arguments to run-testsuite.sh are forwarded to robot, e.g.
./run-testsuite.sh se-cnaf-amnesiac-storm --test "Token with correct audience is accepted"
To add an endpoint, edit the ./test/variables.yaml file.
Find out all the things you need on your machine by looking at the docker image used to run the testsuite.
The test suite is run on GH actions:
Reports are stored here.
The test suite is also run on the CNAF software develop group Jenkins instance:
Reports can be accessed here.