Issue #112 move auth_entitlement_check config to AggregatorBackendConfig

auth_entitlement_check is currently unused, so no migration path necessary

CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 
 The format is roughly based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [0.18.3]
+
+- Move `auth_entitlement_check` config to `AggregatorBackendConfig`  ([#112](https://github.com/Open-EO/openeo-aggregator/issues/112))
+
 ## [0.18.2]
 
 - Add support for standard `OpenEoBackendConfig.oidc_providers` and deprecate `AggregatorConfig.configured_oidc_providers` ([#112](https://github.com/Open-EO/openeo-aggregator/issues/112))

src/openeo_aggregator/about.py

@@ -2,7 +2,7 @@
 import sys
 from typing import Optional
 
-__version__ = "0.18.2a1"
+__version__ = "0.18.3a1"
 
 
 def log_version_info(logger: Optional[logging.Logger] = None):

src/openeo_aggregator/backend.py

@@ -1319,7 +1319,7 @@ def __init__(self, backends: MultiBackendConnection, config: AggregatorConfig):
         self._configured_oidc_providers: List[OidcProvider] = (
             get_backend_config().oidc_providers or config.configured_oidc_providers
         )
-        self._auth_entitlement_check: Union[bool, dict] = config.auth_entitlement_check
+        self._auth_entitlement_check: Union[bool, dict] = get_backend_config().auth_entitlement_check
 
         self._memoizer: Memoizer = memoizer_from_config(config=config, namespace="general")
         self._backends.on_connections_change.add(self._memoizer.invalidate)

src/openeo_aggregator/config.py

@@ -47,8 +47,6 @@ class AggregatorConfig(dict):
     # TODO #112 `configured_oidc_providers` is deprecated, use `OpenEoBackendConfig.oidc_providers` instead
     configured_oidc_providers: List[OidcProvider] = dict_item(default=[])
 
-    auth_entitlement_check: Union[bool, dict] = dict_item(default=False)
-
     partitioned_job_tracking = dict_item(default=None)
     zookeeper_prefix = dict_item(default="/openeo-aggregator/")
     kazoo_client_factory = dict_item(default=None)
@@ -138,6 +136,7 @@ class AggregatorBackendConfig(OpenEoBackendConfig):
 
     streaming_chunk_size: int = STREAM_CHUNK_SIZE_DEFAULT
 
+    auth_entitlement_check: Union[bool, dict] = False
 
 # Internal singleton
 _config_getter = ConfigGetter(expected_class=AggregatorBackendConfig)

tests/conftest.py

@@ -14,7 +14,11 @@
     MultiBackendConnection,
 )
 from openeo_aggregator.config import AggregatorConfig
-from openeo_aggregator.testing import DummyKazooClient, MetadataBuilder
+from openeo_aggregator.testing import (
+    DummyKazooClient,
+    MetadataBuilder,
+    config_overrides,
+)
 
 pytest_plugins = "pytester"
 
@@ -121,8 +125,6 @@ def base_config(
     # conf.flask_error_handling = False  # Temporary disable flask error handlers to simplify debugging (better stack traces).
 
     conf.configured_oidc_providers = configured_oidc_providers
-    # Disable OIDC/EGI entitlement check by default.
-    conf.auth_entitlement_check = False
 
     conf.memoizer = memoizer_config
     conf.connections_cache_ttl = connections_cache_ttl
@@ -202,8 +204,10 @@ def api100(flask_app: flask.Flask) -> ApiTester:
 
 @pytest.fixture
 def api100_with_entitlement_check(config: AggregatorConfig) -> ApiTester:
-    config.auth_entitlement_check = {"oidc_issuer_whitelist": {"https://egi.test", "https://egi.test/oidc"}}
-    return get_api100(get_flask_app(config))
+    with config_overrides(
+        auth_entitlement_check={"oidc_issuer_whitelist": {"https://egi.test", "https://egi.test/oidc"}}
+    ):
+        yield get_api100(get_flask_app(config))
 
 
 def assert_dict_subset(d1: dict, d2: dict):

tests/test_views.py

@@ -490,15 +490,6 @@ def test_oidc_enrolled(self, api100_with_entitlement_check, requests_mock, edupe
         assert data["roles"] == expected_roles
         assert "default_plan" not in data
 
-    @pytest.fixture
-    def override_oidc_providers(self, oidc_issuer: str):
-        with config_overrides(
-            oidc_providers=[
-                OidcProvider(id="egi", issuer=oidc_issuer, title="EGI"),
-            ]
-        ):
-            yield
-
     @pytest.mark.parametrize(
         ["whitelist", "oidc_issuer", "success"],
         [
@@ -512,18 +503,8 @@ def override_oidc_providers(self, oidc_issuer: str):
         ],
     )
     def test_issuer_url_normalization(
-        self,
-        config,
-        requests_mock,
-        backend1,
-        backend2,
-        whitelist,
-        override_oidc_providers,
-        oidc_issuer,
-        success,
-        caplog,
+        self, config, requests_mock, backend1, backend2, whitelist, oidc_issuer, success, caplog
     ):
-        config.auth_entitlement_check = {"oidc_issuer_whitelist": whitelist}
 
         requests_mock.get(
             backend1 + "/credentials/oidc", json={"providers": [{"id": "egi", "issuer": oidc_issuer, "title": "EGI"}]}
@@ -540,7 +521,12 @@ def test_issuer_url_normalization(
                 "urn:mace:egi.eu:group:vo.openeo.cloud:role=early_adopter#aai.egi.eu",
             ])
         )
-        api100 = get_api100(get_flask_app(config))
+        with config_overrides(
+            oidc_providers=[OidcProvider(id="egi", issuer=oidc_issuer, title="EGI")],
+            auth_entitlement_check={"oidc_issuer_whitelist": whitelist},
+        ):
+            api100 = get_api100(get_flask_app(config))
+
         api100.set_auth_bearer_token(token="oidc/egi/funiculifunicula")
 
         if success: