Examine entitlements in CI

b-long · b-long · commit 0514bf6f9cb6 · 2025-08-10T19:30:29.000-04:00
diff --git a/.github/check_entitlements.sh b/.github/check_entitlements.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+
+# Derive additional environment variables
+TOKEN_URL="${OIDC_OP_TOKEN_ENDPOINT}"
+OTDF_HOST_AND_PORT="${OPENTDF_PLATFORM_HOST}"
+OTDF_CLIENT="${OPENTDF_CLIENT_ID}"
+OTDF_CLIENT_SECRET="${OPENTDF_CLIENT_SECRET}"
+
+# Enable debug mode
+DEBUG=1
+
+echo "🔧 Environment Configuration:"
+echo "   TOKEN_URL: ${TOKEN_URL}"
+echo "   OTDF_HOST_AND_PORT: ${OTDF_HOST_AND_PORT}"
+echo "   OTDF_CLIENT: ${OTDF_CLIENT}"
+echo "   OTDF_CLIENT_SECRET: ${OTDF_CLIENT_SECRET}"
+echo ""
+
+get_token() {
+    curl -k --location "$TOKEN_URL" \
+    --header "X-VirtruPubKey;" \
+    --header "Content-Type: application/x-www-form-urlencoded" \
+    --data-urlencode "grant_type=client_credentials" \
+    --data-urlencode "client_id=$OTDF_CLIENT" \
+    --data-urlencode "client_secret=$OTDF_CLIENT_SECRET"
+}
+
+echo "🔐 Getting access token..."
+BEARER=$( get_token | jq -r '.access_token' )
+[[ "${DEBUG:-}" == "1" ]] && echo "Got Access Token: ${BEARER}"
+echo ""
+
+# Array of usernames to check
+USERNAMES=("opentdf" "sample-user" "sample-user-1" "cli-client" "opentdf-sdk")
+
+for USERNAME in "${USERNAMES[@]}"; do
+    echo "👤 Fetching entitlements for username: ${USERNAME}"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+    grpcurl -insecure \
+      -H "authorization: Bearer $BEARER" \
+      -d "{
+      \"entities\": [
+        {
+          \"userName\": \"$USERNAME\"
+        }
+      ]
+    }" \
+      "$OTDF_HOST_AND_PORT" \
+      authorization.AuthorizationService/GetEntitlements
+
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "✅ Entitlements retrieval complete for ${USERNAME}!"
+    echo ""
+done
+
+echo "🎉 All entitlement checks completed!"
diff --git a/.github/workflows/platform-integration-test-new.yaml b/.github/workflows/platform-integration-test-new.yaml
@@ -125,7 +125,7 @@ jobs:
 
       - name: Run all tests, minus integration tests
         env:
-          OPENTDF_CLIENT_ID: "opentdf-sdk"
+          OPENTDF_CLIENT_ID: "opentdf"
           OPENTDF_CLIENT_SECRET: "secret"
           OPENTDF_HOSTNAME: "localhost:8080"
           OIDC_TOKEN_ENDPOINT: "http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token"
@@ -141,7 +141,7 @@ jobs:
 
       - name: Run integration tests
         env:
-          OPENTDF_CLIENT_ID: "opentdf-sdk"
+          OPENTDF_CLIENT_ID: "opentdf"
           OPENTDF_CLIENT_SECRET: "secret"
           OPENTDF_PLATFORM_HOST: "localhost:8080"
           OPENTDF_PLATFORM_URL: "http://localhost:8080"
@@ -151,6 +151,9 @@ jobs:
           TEST_OPENTDF_ATTRIBUTE_1: "https://example.com/attr/attr1/value/value1"
           TEST_OPENTDF_ATTRIBUTE_2: "https://example.com/attr/attr1/value/value2"
         run: |
+          # Run check_entitlements.sh
+          ./.github/check_entitlements.sh
+
           uv sync
           # Skip the tests marked "integration"
           uv run pytest -m "integration" --tb=short -vv tests
