WIP UNTESTED: maybe fix posting waivers with Bodhi (release-engineeri…

…ng#219)

Signed-off-by: Adam Williamson <[email protected]>

Dockerfile

@@ -1,4 +1,4 @@
-FROM registry.fedoraproject.org/fedora:38 as builder
+FROM registry.fedoraproject.org/fedora:40 as builder
 
 # hadolint ignore=DL3033,DL4006,SC2039,SC3040
 RUN set -exo pipefail \
@@ -17,7 +17,7 @@ RUN set -exo pipefail \
     # install runtime dependencies
     && yum install -y \
         --installroot=/mnt/rootfs \
-        --releasever=38 \
+        --releasever=40 \
         --setopt install_weak_deps=false \
         --nodocs \
         --disablerepo=* \

tests/test_auth.py

@@ -25,7 +25,7 @@
 
 
 @pytest.fixture
-def oidc_token(app):
+def oidc_auth_profile(app):
     with app.test_request_context('/api/v1.0/waivers/new'):
         with mock.patch.dict(session, {'oidc_auth_profile': {
             'active': True,
@@ -36,6 +36,18 @@ def oidc_token(app):
             yield mocked['oidc_auth_profile']
 
 
+@pytest.fixture
+def oidc_token(app):
+    with app.test_request_context('/api/v1.0/waivers/new'):
+        with mock.patch.dict(session, {'oidc_auth_token': {
+            'active': True,
+            'username': 'testuser',
+            'preferred_username': 'testuser',
+            'scope': 'openid waiverdb_scope',
+        }, 'oidc_auth_profile': {}}) as mocked:
+            yield mocked['oidc_auth_token']
+
+
 @pytest.fixture
 def verify_authorization():
     with mock.patch("waiverdb.api_v1.verify_authorization") as mocked:
@@ -93,15 +105,19 @@ def test_get_user_no_auth_methods(self):
                 waiverdb.auth.get_user(request)
         assert "Authenticated user required. No methods specified." in str(excinfo.value)
 
-    def test_get_user_without_token(self, app):
+    def test_get_user_without_profile(self, app):
         with app.test_request_context('/api/v1.0/waivers/new'):
             with pytest.raises(Unauthorized) as excinfo:
                 waiverdb.auth.get_user(request)
         assert self.auth_missing_error in str(excinfo.value)
 
-    def test_get_user_good(self, oidc_token):
+    def test_get_user_good_profile(self, oidc_auth_profile):
+        user, header = waiverdb.auth.get_user(request)
+        assert user == oidc_auth_profile["preferred_username"]
+
+    def test_get_user_good_token(self, oidc_token):
         user, header = waiverdb.auth.get_user(request)
-        assert user == oidc_token["username"]
+        assert user == oidc_token["preferred_username"]
 
     # tests only redirect of deprecated resource
     # not working, causing an exception in flask_oidc library:

waiverdb/auth.py

@@ -60,13 +60,19 @@ def get_user(request: Request) -> tuple[str, dict[str, str]]:
 
 
 def get_oidc_userinfo(field: str) -> str:
-    fields = session.get("oidc_auth_profile", {})
-    if field not in fields:
-        current_app.logger.error(
-            "User info field %r is unavailable; available are: %s", field, fields.keys()
-        )
-        raise Unauthorized("Failed to retrieve username")
-    return fields[field]
+    pfields = session.get("oidc_auth_profile", {})
+    if field in pfields:
+        return pfields[field]
+    tfields = session.get("oidc_auth_token", {})
+    if field in tfields:
+        return tfields[field]
+    current_app.logger.error(
+        "User info field %r is unavailable; available are: %s (auth profile), %s (token)",
+        field,
+        pfields.keys(),
+        tfields.keys(),
+    )
+    raise Unauthorized("Failed to retrieve username")
 
 
 def get_user_by_method(request: Request, auth_method: str) -> tuple[str, dict[str, str]]: