From bd05274fa1ef386d8a684a9e00e4ce75331965f5 Mon Sep 17 00:00:00 2001
From: Dirk Kulawiak
Date: Thu, 27 Nov 2025 07:04:24 +0100
Subject: [PATCH 1/8] Update wcs docker file to use descope
---
 ci/docker-compose-wcs.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ci/docker-compose-wcs.yml b/ci/docker-compose-wcs.yml
index f0e6ba74..7eb3b72a 100644
--- a/ci/docker-compose-wcs.yml
+++ b/ci/docker-compose-wcs.yml
@@ -18,10 +18,10 @@ services:
 PERSISTENCE_DATA_PATH: '/var/lib/weaviate'
 AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
 AUTHENTICATION_OIDC_ENABLED: 'true'
- AUTHENTICATION_OIDC_CLIENT_ID: 'wcs'
- AUTHENTICATION_OIDC_ISSUER: 'https://auth.wcs.api.weaviate.io/auth/realms/SeMI'
+ AUTHENTICATION_OIDC_CLIENT_ID: 'Peuc12y02UA0eAED1dqSjE5HtGUrpBsx'
+ AUTHENTICATION_OIDC_ISSUER: 'https://auth.weaviate.cloud/Peuc12y02UA0eAED1dqSjE5HtGUrpBsx'
 AUTHENTICATION_OIDC_USERNAME_CLAIM: 'email'
- AUTHENTICATION_OIDC_GROUPS_CLAIM: 'groups'
+ AUTHENTICATION_OIDC_GROUPS_CLAIM: 'roles'
 AUTHORIZATION_ADMINLIST_ENABLED: 'true'
 AUTHORIZATION_ADMINLIST_USERS: 'oidc-test-user@weaviate.io'
 AUTHENTICATION_OIDC_SCOPES: 'openid,email'
From 78b02990762d7e8af0780d7d25c7b87342997731 Mon Sep 17 00:00:00 2001
From: Dirk Kulawiak
Date: Thu, 27 Nov 2025 07:10:27 +0100
Subject: [PATCH 2/8] Update test checks
---
 src/misc/journey.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/misc/journey.test.ts b/src/misc/journey.test.ts
index 4959f639..57e0bc3d 100644
--- a/src/misc/journey.test.ts
+++ b/src/misc/journey.test.ts
@@ -92,7 +92,7 @@ describe('misc endpoints', () => {
 .openidConfigurationGetter()
 .do()
 .then((res: any) => {
- expect(res.clientId).toEqual('wcs');
+ expect(res.clientId).toEqual('Peuc12y02UA0eAED1dqSjE5HtGUrpBsx');
 expect(res.href).toContain('.well-known/openid-configuration');
 expect(res.scopes).toEqual(['openid', 'email']);
 });
From 6c3232340f55dd9d3db6c84153a9da8166096338 Mon Sep 17 00:00:00 2001
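Review bot: The string `Peuc12y02UA0eAED1dqSjE5HtGUrpBsx` is introduced as both the client ID and the issuer path with no comment saying what it is, and it is repeated in the `src/misc/journey.test.ts` assertion of the next patch. Going by the commit subject it appears to be the Descope project identifier; an OIDC client ID is a public value rather than a credential, so committing it is fine, but an unexplained high-entropy token in a CI file tends to be reported as a leaked secret. I would add `# Descope project ID: public OIDC client identifier, not a secret` above `AUTHENTICATION_OIDC_CLIENT_ID`. The `services:` block starts and ends outside the hunk.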
From: Tommy Smith
Date: Fri, 28 Nov 2025 09:38:47 +0000
Subject: [PATCH 3/8] Add auth tests for trailing 3 vers also
---
 .github/workflows/main.yaml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 3979846e..e733b013 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -14,6 +14,7 @@ env:
 WEAVIATE_131: 1.31.16
 WEAVIATE_132: 1.32.10
 WEAVIATE_133: 1.33.0
+ WEAVIATE_134: 1.34.0
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -47,9 +48,10 @@ jobs:
 { node: "22.x", weaviate: $WEAVIATE_130},
 { node: "22.x", weaviate: $WEAVIATE_131},
 { node: "22.x", weaviate: $WEAVIATE_132},
- { node: "18.x", weaviate: $WEAVIATE_133},
- { node: "20.x", weaviate: $WEAVIATE_133},
 { node: "22.x", weaviate: $WEAVIATE_133},
+ { node: "18.x", weaviate: $WEAVIATE_134},
+ { node: "20.x", weaviate: $WEAVIATE_134},
+ { node: "22.x", weaviate: $WEAVIATE_134},
 ]
 steps:
 - uses: actions/checkout@v3
@@ -80,7 +82,10 @@ jobs:
 fail-fast: false
 matrix:
 versions: [
- { node: "22.x", weaviate: $WEAVIATE_130}
+ { node: "22.x", weaviate: $WEAVIATE_131},
+ { node: "22.x", weaviate: $WEAVIATE_132},
+ { node: "22.x", weaviate: $WEAVIATE_133},
+ { node: "22.x", weaviate: $WEAVIATE_134},
 ]
 steps:
 - uses: actions/checkout@v3
From 76446625869569081618b06e538caf1cf3d99f95 Mon Sep 17 00:00:00 2001
From: Tommy Smith
Date: Fri, 28 Nov 2025 09:47:13 +0000
Subject: [PATCH 4/8] Remove 1.34 for now
---
 .github/workflows/main.yaml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index e733b013..d8419ac0 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -14,7 +14,6 @@ env:
 WEAVIATE_131: 1.31.16
 WEAVIATE_132: 1.32.10
 WEAVIATE_133: 1.33.0
- WEAVIATE_134: 1.34.0
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -48,10 +47,9 @@ jobs:
 { node: "22.x", weaviate: $WEAVIATE_130},
 { node: "22.x", weaviate: $WEAVIATE_131},
 { node: "22.x", weaviate: $WEAVIATE_132},
+ { node: "18.x", weaviate: $WEAVIATE_133},
+ { node: "20.x", weaviate: $WEAVIATE_133},
 { node: "22.x", weaviate: $WEAVIATE_133},
- { node: "18.x", weaviate: $WEAVIATE_134},
- { node: "20.x", weaviate: $WEAVIATE_134},
- { node: "22.x", weaviate: $WEAVIATE_134},
 ]
 steps:
 - uses: actions/checkout@v3
@@ -85,7 +83,6 @@ jobs:
 { node: "22.x", weaviate: $WEAVIATE_131},
 { node: "22.x", weaviate: $WEAVIATE_132},
 { node: "22.x", weaviate: $WEAVIATE_133},
- { node: "22.x", weaviate: $WEAVIATE_134},
 ]
 steps:
 - uses: actions/checkout@v3
From 31f8dadcdffade8a8fa323ed8bb3c3f5ef3769e7 Mon Sep 17 00:00:00 2001
From: Tommy Smith
Date: Fri, 28 Nov 2025 10:11:19 +0000
Subject: [PATCH 5/8] Expose grpc ports correctly in tests
---
 ci/docker-compose-wcs.yml | 2 ++
 src/connection/journey.test.ts | 4 ++++
 2 files changed, 6 insertions(+)
diff --git a/ci/docker-compose-wcs.yml b/ci/docker-compose-wcs.yml
index 7eb3b72a..0dd55c94 100644
--- a/ci/docker-compose-wcs.yml
+++ b/ci/docker-compose-wcs.yml
@@ -13,8 +13,10 @@ services:
 image: semitechnologies/weaviate:${WEAVIATE_VERSION}
 ports:
 - 8085:8085
+ - 50056:50056
 restart: on-failure:0
 environment:
+ GRPC_PORT: 50056
 PERSISTENCE_DATA_PATH: '/var/lib/weaviate'
 AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
 AUTHENTICATION_OIDC_ENABLED: 'true'
diff --git a/src/connection/journey.test.ts b/src/connection/journey.test.ts
index fbf8ea1d..0c9355bb 100644
--- a/src/connection/journey.test.ts
+++ b/src/connection/journey.test.ts
@@ -137,6 +137,7 @@ describe('connection', () => {
 it('makes a logged-in request with API key', async () => {
 const client = await weaviate.connectToLocal({
 port: 8085,
+ grpcPort: 50056,
 authCredentials: new ApiKey('my-secret-key'),
 });
@@ -153,6 +154,7 @@ describe('connection', () => {
 it('makes a logged-in request with API key as string', async () => {
 const client = await weaviate.connectToLocal({
 port: 8085,
+ grpcPort: 50056,
 authCredentials: 'my-secret-key',
 });
@@ -188,6 +190,7 @@ describe('connection', () => {
 const accessToken = (dummy as any).oidcAuth?.accessToken || '';
 const client = await weaviate.connectToLocal({
 port: 8085,
+ grpcPort: 50056,
 authCredentials: new AuthAccessTokenCredentials({
 accessToken: accessToken,
 expiresIn: 900,
@@ -254,6 +257,7 @@ describe('connection', () => {
 try {
 await weaviate.connectToLocal({
 port: 8085,
+ grpcPort: 50056,
 });
 throw new Error('Promise should have been rejected');
 } catch (error: any) {
From 96d3bb80d25e4910c4a4294521f7af26cc55f8f1 Mon Sep 17 00:00:00 2001
From: Tommy Smith
Date: Fri, 28 Nov 2025 10:27:42 +0000
Subject: [PATCH 6/8] Improve skipping of auth tests
---
 src/connection/journey.test.ts | 139 +++++++++++++++------------------
 1 file changed, 61 insertions(+), 78 deletions(-)
diff --git a/src/connection/journey.test.ts b/src/connection/journey.test.ts
index 0c9355bb..82faf438 100644
--- a/src/connection/journey.test.ts
+++ b/src/connection/journey.test.ts
@@ -9,31 +9,38 @@ import Connection from './index.js'; import { WeaviateStartUpError } from '../errors.js'; import weaviate from '../index.js'; -describe('connection', () => { - it('makes a logged-in request when client host param has trailing slashes', async () => { - if (process.env.WCS_DUMMY_CI_PW == undefined || process.env.WCS_DUMMY_CI_PW == '') { - console.warn('Skipping because `WCS_DUMMY_CI_PW` is not set'); - return Promise.resolve(); - } - - const client = await weaviate.connectToLocal({ - port: 8085, - authCredentials: new AuthUserPasswordCredentials({ - username: 'oidc-test-user@weaviate.io', - password: process.env.WCS_DUMMY_CI_PW, - silentRefresh: false, - }), - }); +const check = (cred?: string) => { + if (cred == undefined || cred == '') { + console.warn('Skipping because `WCS_DUMMY_CI_PW` is not set'); + return it.skip; + } else { + return it; + } +}; - return client - .getMeta() - .then((res) => { - expect(res.version).toBeDefined(); - }) - .catch((e) => { - throw new Error('it should not have errord: ' + e); +describe('connection', () => { + check(process.env.WCS_DUMMY_CI_PW)( + 'makes a logged-in request when client host param has trailing slashes', + async () => { + const client = await weaviate.connectToLocal({ + port: 8085, + authCredentials: new AuthUserPasswordCredentials({ + username: 'oidc-test-user@weaviate.io', + password: process.env.WCS_DUMMY_CI_PW, + silentRefresh: false, + }), }); - }); + + return client + .getMeta() + .then((res) => { + expect(res.version).toBeDefined(); + }) + .catch((e) => { + throw new Error('it should not have errord: ' + e); + }); + } + ); // it('makes an Azure logged-in request with client credentials', async () => { // if (process.env.AZURE_CLIENT_SECRET == undefined || process.env.AZURE_CLIENT_SECRET == '') { 
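Review bot: The skip warning inside `check` always names `WCS_DUMMY_CI_PW`, but the later hunks of this patch also call the helper with `process.env.OKTA_CLIENT_SECRET` and `process.env.OKTA_DUMMY_CI_PW`, so a skipped Okta test reports the wrong missing variable. These are the only tests that exercise the OIDC login flows, so the CI log should say exactly which secret was absent when they do not run. Passing the variable name and reading the value inside the helper keeps the message accurate; the call sites then pass a string instead of the value. The `describe('connection', ...)` block continues outside this hunk.

```typescript
const check = (envVar: string) => {
  const cred = process.env[envVar];
  if (cred == undefined || cred == '') {
    console.warn(`Skipping because \`${envVar}\` is not set`);
    return it.skip;
  }
  return it;
};

// … unchanged: describe block; call sites become check('WCS_DUMMY_CI_PW')(…),
//   check('OKTA_CLIENT_SECRET')(…) and check('OKTA_DUMMY_CI_PW')(…) …
```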
@@ -59,37 +66,30 @@ describe('connection', () => { // }); // }); - it('makes an Okta logged-in request with client credentials', async () => { - if (process.env.OKTA_CLIENT_SECRET == undefined || process.env.OKTA_CLIENT_SECRET == '') { - console.warn('Skipping because `OKTA_CLIENT_SECRET` is not set'); - return Promise.resolve(); - } - - const client = await weaviate.connectToLocal({ - port: 8082, - authCredentials: new AuthClientCredentials({ - clientSecret: process.env.OKTA_CLIENT_SECRET, - scopes: ['some_scope'], - silentRefresh: false, - }), - }); - - return client - .getMeta() - .then((res) => { - expect(res.version).toBeDefined(); - }) - .catch((e) => { - throw new Error('it should not have errord: ' + e); + check(process.env.OKTA_CLIENT_SECRET)( + 'makes an Okta logged-in request with client credentials', + async () => { + const client = await weaviate.connectToLocal({ + port: 8082, + authCredentials: new AuthClientCredentials({ + clientSecret: process.env.OKTA_CLIENT_SECRET!, + scopes: ['some_scope'], + silentRefresh: false, + }), }); - }); - it('makes an Okta logged-in request with username/password', async () => { - if (process.env.OKTA_DUMMY_CI_PW == undefined || process.env.OKTA_DUMMY_CI_PW == '') { - console.warn('Skipping because `OKTA_DUMMY_CI_PW` is not set'); - return Promise.resolve(); + return client + .getMeta() + .then((res) => { + expect(res.version).toBeDefined(); + }) + .catch((e) => { + throw new Error('it should not have errord: ' + e); + }); } + ); + check(process.env.OKTA_DUMMY_CI_PW)('makes an Okta logged-in request with username/password', async () => { const client = await weaviate.connectToLocal({ port: 8083, authCredentials: new AuthUserPasswordCredentials({ 
@@ -109,12 +109,7 @@ describe('connection', () => { }); }); - it('makes a WCS logged-in request with username/password', async () => { - if (process.env.WCS_DUMMY_CI_PW == undefined || process.env.WCS_DUMMY_CI_PW == '') { - console.warn('Skipping because `WCS_DUMMY_CI_PW` is not set'); - return Promise.resolve(); - } - + check(process.env.WCS_DUMMY_CI_PW)('makes a WCS logged-in request with username/password', async () => { const client = await weaviate.connectToLocal({ port: 8085, authCredentials: new AuthUserPasswordCredentials({ @@ -168,12 +163,7 @@ describe('connection', () => { }); }); - it('makes a logged-in request with access token', async () => { - if (process.env.WCS_DUMMY_CI_PW == undefined || process.env.WCS_DUMMY_CI_PW == '') { - console.warn('Skipping because `WCS_DUMMY_CI_PW` is not set'); - return; - } - + check(process.env.WCS_DUMMY_CI_PW)('makes a logged-in request with access token', async () => { const dummy = new Connection({ scheme: 'http', host: 'localhost:8085', @@ -208,12 +198,7 @@ describe('connection', () => { }); }); - it('uses refresh token to fetch new access token', async () => { - if (process.env.WCS_DUMMY_CI_PW == undefined || process.env.WCS_DUMMY_CI_PW == '') { - console.warn('Skipping because `WCS_DUMMY_CI_PW` is not set'); - return; - } - + check(process.env.WCS_DUMMY_CI_PW)('uses refresh token to fetch new access token', async () => { const dummy = new Connection({ scheme: 'http', host: 'localhost:8085', 
@@ -240,16 +225,14 @@ describe('connection', () => { // force the use of refreshToken (conn as any).oidcAuth?.resetExpiresAt(); - return conn - .login() - .then((resp) => { - expect(resp).toBeDefined(); - expect(resp != '').toBeTruthy(); - conn.oidcAuth?.stopTokenRefresh(); - }) - .catch((e: any) => { - throw new Error('it should not have errord: ' + e); - }); + return conn.login().then((resp) => { + expect(resp).toBeDefined(); + expect(resp != '').toBeTruthy(); + conn.oidcAuth?.stopTokenRefresh(); + }); + // .catch((e: any) => { + // throw new Error('it should not have errord: ' + e); + // }); }); it('fails to access auth-enabled server without client auth', async () => { From 4269aa0c72d5473922b344c80cb7a06a490ac27b Mon Sep 17 00:00:00 2001 From: Tommy Smith Date: Fri, 28 Nov 2025 10:29:19 +0000 Subject: [PATCH 7/8] Remove hard-coded refresh token error --- src/connection/auth.ts | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/src/connection/auth.ts b/src/connection/auth.ts index bd137c4c..ec18aed4 100644 --- a/src/connection/auth.ts +++ b/src/connection/auth.ts @@ -289,14 +289,7 @@ class AccessTokenAuthenticator implements OidcAuthFlow { }); }; - validateOpenidConfig = () => { - if ( - this.openidConfig.provider.grant_types_supported === undefined || - !this.openidConfig.provider.grant_types_supported.includes('refresh_token') - ) { - throw new Error('grant_type refresh_token not supported'); - } - }; + validateOpenidConfig = () => {}; requestAccessToken = () => { const url = this.openidConfig.provider.token_endpoint; From 4e360a132742f9c91e22a32fad698edd37ff6958 Mon Sep 17 00:00:00 2001 From: Tommy Smith Date: Fri, 28 Nov 2025 10:38:41 +0000 Subject: [PATCH 8/8] Remove extra auth tests to avoid rate limit issues --- .github/workflows/main.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index d8419ac0..2ac2d4aa 100644 --- a/.github/workflows/main.yaml 
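Review bot: The old `.catch` handler is left behind as three commented-out lines after `conn.login().then(...)`. The rejection now reaches the test runner unchanged, which keeps the original error and stack, so the dead block adds nothing and can be deleted rather than commented out. The test body starts outside this hunk.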
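Review bot: `validateOpenidConfig = () => {};` leaves an empty method with no explanation, so a reader cannot tell whether the `refresh_token` check was dropped deliberately or stubbed out. `grant_types_supported` is optional in OIDC discovery metadata, which is presumably why the hard failure was wrong for the new provider; say so in a comment such as `// No-op on purpose: grant_types_supported is optional in discovery metadata, so its absence does not mean refresh tokens are unsupported`. With the up-front check gone, a provider that truly cannot refresh is only detected when the token request fails, so it is worth confirming that path reports a clear error; `requestAccessToken` continues outside the hunk and I cannot see how it handles a rejected grant.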
+++ b/.github/workflows/main.yaml
@@ -80,8 +80,6 @@ jobs:
 fail-fast: false
 matrix:
 versions: [
- { node: "22.x", weaviate: $WEAVIATE_131},
- { node: "22.x", weaviate: $WEAVIATE_132},
 { node: "22.x", weaviate: $WEAVIATE_133},
 ]
 steps: