WIP

.ci/container_setup.d/10-install-signing-service.sh

@@ -6,6 +6,10 @@ pulp --config "${PULP_CLI_CONFIG}" debug has-plugin --name "deb" && HAS_DEB=true
 pulp --config "${PULP_CLI_CONFIG}" debug has-plugin --name "ansible" && HAS_ANSIBLE=true || HAS_ANSIBLE=""
 if [ "$HAS_DEB" ] || [ "$HAS_ANSIBLE" ]
 then
+  if [ ! -f pytest_pulp_cli/GPG-PRIVATE-KEY-fixture-signing ]
+  then
+    curl -L https://github.com/pulp/pulp-fixtures/raw/master/common/GPG-PRIVATE-KEY-fixture-signing > pytest_pulp_cli/GPG-PRIVATE-KEY-fixture-signing
+  fi
   echo "Setup the signing services"
   if "${CONTAINER_RUNTIME}" exec "pulp-ephemeral" id pulp
   then
@@ -16,7 +20,7 @@ then
   "${CONTAINER_RUNTIME}" exec "pulp-ephemeral" mkdir -p /var/lib/pulp/scripts/
   # Setup key on the Pulp container
   echo "0C1A894EBB86AFAE218424CADDEF3019C2D4A8CF:6:" | "${CONTAINER_RUNTIME}" exec -i "pulp-ephemeral" su "${PULP_USER}" -c "gpg --import-ownertrust"
-  curl -L https://github.com/pulp/pulp-fixtures/raw/master/common/GPG-PRIVATE-KEY-fixture-signing | "${CONTAINER_RUNTIME}" exec -i "pulp-ephemeral" su "${PULP_USER}" -c "gpg --import"
+  "${CONTAINER_RUNTIME}" exec -i "pulp-ephemeral" su "${PULP_USER}" -c "gpg --import" < pytest_pulp_cli/GPG-PRIVATE-KEY-fixture-signing
   if [ "$HAS_DEB" ]
   then
     echo "Setup deb release signing service"

.ci/nginx.conf.j2

@@ -1,9 +1,6 @@
 # Copy from pulp-oci-images.
 # Ideally we can get it upstream again.
 #
-# TODO: Support IPv6.
-# TODO: Maybe serve multiple `location`s, not just one.
-
 # The "nginx" package on fedora creates this user and group.
 user nginx nginx;
 # Gunicorn docs suggest this value.
@@ -24,10 +21,12 @@ http {
     # to build optimal hash types.
     types_hash_max_size 4096;
 
+    {%- if https | default(false) %}
     map $ssl_client_s_dn $ssl_client_s_dn_cn {
         default "";
         ~CN=(?<CN>[^,]+) $CN;
     }
+    {%- endif %}
 
     upstream pulp-content {
          server 127.0.0.1:24816;
@@ -85,7 +84,9 @@ http {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header Host $http_host;
+            {%- if https | default(false) %}
             proxy_set_header Remoteuser $ssl_client_s_dn_cn;
+            {%- endif %}
             # we don't want nginx trying to do something clever with
             # redirects, we set the Host: header above already.
             proxy_redirect off;
@@ -136,6 +137,25 @@ http {
             try_files $uri $uri/ =404;
         }
         {%- endif %}
+        {% if https | default(false) -%}
+        location /oauth2token/ {
+            auth_basic "Tokens, Tokens, Tokens";
+            auth_basic_user_file /etc/pulp/certs/oauth2passwd;
+            if ($request_method !~ POST) {
+                # This still triggers earlier than the auth_basic in the outer block.
+                return 403;
+            }
+            try_files /dev/null @oauth2token;
+        }
+        # Nginx "return" kicks in before basic_auth, so we must use it in a separate block.
+        # https://stackoverflow.com/questions/67975464/why-doesnt-basic-auth-work-with-a-simple-nginx-return-statement
+        location @oauth2token {
+            default_type application/json;
+            charset utf-8;
+
+            return 200 '{"access_token": "DEADBEEF", "token_type": "bearer", "expires_in": 30}';
+        }
+        {%- endif %}
     }
     {%- if https | default(false) %}
     server {

.ci/run_container.sh

@@ -50,7 +50,8 @@ else
 fi;
 
 mkdir -p "${PULP_CLI_TEST_TMPDIR}/settings/certs"
-cp "${BASEPATH}/settings/settings.py" "${PULP_CLI_TEST_TMPDIR}/settings"
+cp "${BASEPATH}/settings/settings.py" "${PULP_CLI_TEST_TMPDIR}/settings/settings.py"
+echo "service_acct:$(openssl passwd secret)" > "${PULP_CLI_TEST_TMPDIR}/settings/certs/oauth2passwd"
 
 if [ -z "${PULP_HTTPS:+x}" ]
 then
@@ -65,19 +66,14 @@ else
   export PULP_CA_BUNDLE="${PULP_CLI_TEST_TMPDIR}/settings/certs/ca.pem"
   ln -fs server.pem "${PULP_CLI_TEST_TMPDIR}/settings/certs/pulp_webserver.crt"
   ln -fs server.key "${PULP_CLI_TEST_TMPDIR}/settings/certs/pulp_webserver.key"
-  {
-    echo "AUTHENTICATION_BACKENDS = '@merge django.contrib.auth.backends.RemoteUserBackend'"
-    echo "MIDDLEWARE  = '@merge django.contrib.auth.middleware.RemoteUserMiddleware'"
-    echo "REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = '@merge pulpcore.app.authentication.PulpRemoteUserAuthentication'"
-    echo "REMOTE_USER_ENVIRON_NAME = 'HTTP_REMOTEUSER'"
-  } >> "${PULP_CLI_TEST_TMPDIR}/settings/settings.py"
 fi
 export PULP_CONTENT_ORIGIN
 
 "${CONTAINER_RUNTIME}" \
   run ${RM:+--rm} \
   --env S6_KEEP_ENV=1 \
   ${PULP_HTTPS:+--env PULP_HTTPS} \
+  ${PULP_OAUTH2:+--env PULP_OAUTH2} \
   ${PULP_API_ROOT:+--env PULP_API_ROOT} \
   --env PULP_CONTENT_ORIGIN \
   --detach \

.ci/settings/settings.py

@@ -1,3 +1,58 @@
+import os
+
 ALLOWED_EXPORT_PATHS = ["/tmp"]
 ANALYTICS = False
 ALLOWED_CONTENT_CHECKSUMS = ["sha1", "sha256", "sha512"]
+
+if os.environ.get("PULP_HTTPS", "false").lower() == "true":
+    AUTHENTICATION_BACKENDS = "@merge django.contrib.auth.backends.RemoteUserBackend"
+    MIDDLEWARE = "@merge django.contrib.auth.middleware.RemoteUserMiddleware"
+    REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = (
+        "@merge pulpcore.app.authentication.PulpRemoteUserAuthentication"
+    )
+    REMOTE_USER_ENVIRON_NAME = "HTTP_REMOTEUSER"
+
+if os.environ.get("PULP_OAUTH2", "false").lower() == "true":
+    assert os.environ.get("PULP_HTTPS", "false").lower() == "true"
+
+    def PulpCliFakeOauth2Authentication(*args, **kwargs):
+        # We need to lazy load this.
+        # Otherwise views may be instanciated, before this configuration is merged.
+
+        from django.contrib.auth import authenticate
+        from drf_spectacular.extensions import OpenApiAuthenticationExtension
+        from rest_framework.authentication import BaseAuthentication
+
+        class _PulpCliFakeOauth2Authentication(BaseAuthentication):
+            def authenticate(self, request):
+                auth_header = request.META.get("HTTP_AUTHORIZATION")
+                if auth_header == "Bearer DEADBEEF":
+                    return authenticate(request, remote_user="admin"), None
+                else:
+                    return None
+
+            def authenticate_header(self, request):
+                return 'Bearer realm="Pulp"'
+
+        class PulpCliFakeOauth2AuthenticationScheme(OpenApiAuthenticationExtension):
+            target_class = _PulpCliFakeOauth2Authentication
+            name = "PulpCliFakeOauth2"
+
+            def get_security_definition(self, auto_schema):
+                return {
+                    "type": "oauth2",
+                    "flows": {
+                        "clientCredentials": {
+                            "tokenUrl": "https://localhost:8080/oauth2token/",
+                            "scopes": {"api.console": "grant_access_to_pulp"},
+                        },
+                    },
+                }
+
+        return _PulpCliFakeOauth2Authentication(*args, **kwargs)
+
+    PULP_CLI_FAKE_OAUTH2_AUTHENTICATION = PulpCliFakeOauth2Authentication
+
+    REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = (
+        "@merge pulpcore.app.settings.PULP_CLI_FAKE_OAUTH2_AUTHENTICATION"
+    )

.github/workflows/test.yml

@@ -19,12 +19,16 @@ jobs:
         include:
           - image_tag: "nightly"
             pulp_api_root: "/relocated/djnd/"
-            pulp_https: true
+            pulp_https: "true"
             python: "3.11"
           - image_tag: "latest"
             python: "3.11"
+          - image_tag: "3.61"
+            pulp_https: "true"
+            pulp_oauth2: "true"
+            python: "3.10"
           - image_tag: "3.49"
-            pulp_https: true
+            pulp_https: "true"
             python: "3.10"
           - image_tag: "3.39"
             python: "3.12"
@@ -70,6 +74,7 @@ jobs:
           FROM_TAG: "${{ matrix.from_tag }}"
           CONTAINER_FILE: "${{ matrix.container_file }}"
           PULP_HTTPS: "${{ matrix.pulp_https }}"
+          PULP_OAUTH2: "${{ matrix.pulp_oauth2 }}"
           PULP_API_ROOT: "${{ matrix.pulp_api_root }}"
         run: |
           .ci/run_container.sh make test

pytest_pulp_cli/__init__.py

@@ -98,22 +98,30 @@ def pulp_cli_settings() -> t.Dict[str, t.Dict[str, t.Any]]:
     pulp_cli_test_tmpdir = pathlib.Path(os.environ.get("PULP_CLI_TEST_TMPDIR", "."))
     with open(os.environ.get("PULP_CLI_CONFIG", "tests/cli.toml"), "rb") as fp:
         settings = {"cli": tomllib.load(fp)["cli"]}
-    if os.environ.get("PULP_HTTPS"):
+    if os.environ.get("PULP_HTTPS", "false").lower() == "true":
         settings["cli"]["base_url"] = settings["cli"]["base_url"].replace("http://", "https://")
-        client_cert_path = pulp_cli_test_tmpdir / "settings" / "certs" / "client.pem"
-        client_key_path = pulp_cli_test_tmpdir / "settings" / "certs" / "client.key"
-        if client_cert_path.exists():
+        if os.environ.get("PULP_OAUTH2", "false").lower() == "true":
             settings["cli"].pop("username", None)
             settings["cli"].pop("password", None)
-            settings["cli"]["cert"] = str(client_cert_path)
-            if client_key_path.exists():
-                settings["cli"]["key"] = str(client_key_path)
+            settings["cli"}["client_id"] = "service_acct"
+            settings["cli"}["client_secret"] = "secret"
+        else:
+            client_cert_path = pulp_cli_test_tmpdir / "settings" / "certs" / "client.pem"
+            client_key_path = pulp_cli_test_tmpdir / "settings" / "certs" / "client.key"
+            if client_cert_path.exists():
+                settings["cli"].pop("username", None)
+                settings["cli"].pop("password", None)
+                settings["cli"]["cert"] = str(client_cert_path)
+                if client_key_path.exists():
+                    settings["cli"]["key"] = str(client_key_path)
 
     if os.environ.get("PULP_API_ROOT"):
         settings["cli"]["api_root"] = os.environ["PULP_API_ROOT"]
 
     settings["cli-noauth"] = {
-        k: v for k, v in settings["cli"].items() if k not in {"username", "password", "cert", "key"}
+        k: v
+        for k, v in settings["cli"].items()
+        if k not in {"username", "password", "cert", "key", "client_id", "client_secret"}
     }
     return settings
 
@@ -125,7 +133,7 @@ def pulp_cli_settings_path(
     settings_path = tmp_path_factory.mktemp("config", numbered=False)
     (settings_path / "pulp").mkdir(parents=True)
     with open(settings_path / "pulp" / "cli.toml", "wb") as fp:
-        tomli_w.dump(pulp_cli_settings, fp)
+        omli_w.dump(pulp_cli_settings, fp)
     return settings_path