From 765d218b6f025641ed81613ef0a3cf6f6cea5056 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Sat, 23 Jul 2022 22:13:41 +0200
Subject: [PATCH] test: extract common JTW code from the multi-tenancy.sh test

Move some code related to using JWT tokens from the `multi-tenancy.sh`
test case to `test/cases/api/common/common.sh`, `tools/provision.sh`
and `tools/run-mock-auth-servers.sh`. Move the composer and worker
configuration from the test to new testing configuration files.

The `tools/provision.sh` now accepts an optional argument specifying the
authentication method to use with the provisioned composer and workers.
Valid values are `tls` and `jwt`. If no argument is specified, the `tls`
option is used and the script defaults to its previous behavior.
---
 osbuild-composer.spec                        |  1 +
 test/cases/api/common/common.sh              | 25 ++++++
 test/cases/multi-tenancy.sh                  | 87 ++-----------------
 test/data/composer/osbuild-composer-jwt.toml | 17 ++++
 test/data/worker/osbuild-worker-jwt.toml     |  8 ++
 tools/provision.sh                           | 88 +++++++++++++++-----
 tools/run-mock-auth-servers.sh               | 39 +++++++++
 7 files changed, 164 insertions(+), 101 deletions(-)
 create mode 100644 test/data/composer/osbuild-composer-jwt.toml
 create mode 100644 test/data/worker/osbuild-worker-jwt.toml
 create mode 100644 tools/run-mock-auth-servers.sh

diff --git a/osbuild-composer.spec b/osbuild-composer.spec
index 4b018c938..7e32c4194 100644
--- a/osbuild-composer.spec
+++ b/osbuild-composer.spec
@@ -205,6 +205,7 @@ install -m 0755 -vp tools/libvirt_test.sh                          %{buildroot}%
 install -m 0755 -vp tools/s3_test.sh                               %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/generic_s3_test.sh                       %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/generic_s3_https_test.sh                 %{buildroot}%{_libexecdir}/osbuild-composer-test/
+install -m 0755 -vp tools/run-mock-auth-servers.sh                 %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/set-env-variables.sh                     %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/test-case-generators/generate-test-cases %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vd                                                %{buildroot}%{_libexecdir}/tests/osbuild-composer
diff --git a/test/cases/api/common/common.sh b/test/cases/api/common/common.sh
index 56fe11296..bd4e770e1 100644
--- a/test/cases/api/common/common.sh
+++ b/test/cases/api/common/common.sh
@@ -44,3 +44,28 @@ function _instanceCheck() {
     echo "Not RHEL OS. Skip subscription check."
   fi
 }
+
+# Fetch a JWT token
+function access_token {
+  # Refresh token represents the ORG ID
+  local refresh_token="$1"
+  curl --request POST \
+    --data "refresh_token=$refresh_token" \
+    --header "Content-Type: application/x-www-form-urlencoded" \
+    --silent \
+    --show-error \
+    --fail \
+    localhost:8081/token | jq -r .access_token
+}
+
+# Get the compose status using a JWT token
+function compose_status {
+  local compose="$1"
+  local refresh_token="$2"
+  curl \
+    --silent \
+    --show-error \
+    --fail \
+    --header "Authorization: Bearer $(access_token "$refresh_token")" \
+    "http://localhost:443/api/image-builder-composer/v2/composes/$compose"
+}
diff --git a/test/cases/multi-tenancy.sh b/test/cases/multi-tenancy.sh
index 54bc9bfef..949cd7e36 100755
--- a/test/cases/multi-tenancy.sh
+++ b/test/cases/multi-tenancy.sh
@@ -21,7 +21,10 @@ function greenprint {
 }
 
 # Provision the software under test.
-/usr/libexec/osbuild-composer-test/provision.sh
+/usr/libexec/osbuild-composer-test/provision.sh jwt
+
+# Source common functions
+source /usr/libexec/tests/osbuild-composer/api/common/common.sh
 
 greenprint "Registering clean ups"
 KILL_PIDS=()
@@ -39,6 +42,9 @@ function cleanup() {
   for P in "${KILL_PIDS[@]}"; do
       sudo pkill -P "$P"
   done
+
+  /usr/libexec/osbuild-composer-test/run-mock-auth-servers.sh stop
+
   set -eu
 }
 trap cleanup EXIT
@@ -61,59 +67,6 @@ sudo cp \
     "${OSBUILD_COMPOSER_TEST_DATA}"/kerberos/krb5-local.conf \
     /etc/krb5.conf.d/local
 
-greenprint "Configuring composer and worker"
-sudo tee "/etc/osbuild-composer/osbuild-composer.toml" >/dev/null <<EOF
-[koji]
-enable_tls = false
-enable_mtls = false
-enable_jwt = true
-jwt_keys_urls = ["https://localhost:8082/certs"]
-jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
-jwt_acl_file = ""
-jwt_tenant_provider_fields = ["rh-org-id"]
-[worker]
-enable_artifacts = false
-enable_tls = true
-enable_mtls = false
-enable_jwt = true
-jwt_keys_urls = ["https://localhost:8082/certs"]
-jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
-jwt_tenant_provider_fields = ["rh-org-id"]
-EOF
-
-# No compose will get this orgID
-sudo tee "/etc/osbuild-worker/token" >/dev/null <<EOF
-123456789
-EOF
-
-sudo tee "/etc/osbuild-worker/osbuild-worker.toml" >/dev/null <<EOF
-[authentication]
-oauth_url = "http://localhost:8081/token"
-client_id = "rhsm-api"
-offline_token = "/etc/osbuild-worker/token"
-
-[koji.localhost.kerberos]
-principal = "osbuild-krb@LOCAL"
-keytab = "/etc/osbuild-worker/client.keytab"
-
-[aws]
-bucket = "${AWS_BUCKET}"
-credentials = "/etc/osbuild-worker/aws-credentials.toml"
-EOF
-
-greenprint "Starting mock servers"
-# Spin up an https instance for the composer-api and worker-api; the auth handler needs to hit an ssl `/certs` endpoint
-sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8082 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem -cert /etc/osbuild-composer/composer-crt.pem -key /etc/osbuild-composer/composer-key.pem &
-KILL_PIDS+=("$!")
-# Spin up an http instance for the worker client to bypass the need to specify an extra CA
-sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8081 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem &
-KILL_PIDS+=("$!")
-
-greenprint "Restarting composer, stopping a local worker and starting a remote worker"
-sudo systemctl restart osbuild-composer
-sudo systemctl stop osbuild-worker@1
-sudo systemctl start osbuild-remote-worker@localhost:8700
-
 DISTRO=rhel-86
 
 function s3_request {
@@ -153,17 +106,6 @@ function koji_request {
 EOF
 }
 
-function access_token {
-  local refresh_token="$1"
-  curl --request POST \
-    --data "refresh_token=$refresh_token" \
-    --header "Content-Type: application/x-www-form-urlencoded" \
-    --silent \
-    --show-error \
-    --fail \
-    localhost:8081/token | jq -r .access_token
-}
-
 function send_compose {
   local request_file="$1"
   local refresh_token="$2"
@@ -178,22 +120,11 @@ function send_compose {
     http://localhost:443/api/image-builder-composer/v2/compose | jq -r '.id'
 }
 
-function compose_status {
-  local compose="$1"
-  local refresh_token="$2"
-  curl \
-    --silent \
-    --show-error \
-    --fail \
-    --header "Authorization: Bearer $(access_token "$refresh_token")" \
-    "http://localhost:443/api/image-builder-composer/v2/composes/$compose" | jq -r '.status'
-}
-
 function assert_status {
   local compose="$1"
   local refresh_token="$2"
   local status="$3"
-  [[ $(compose_status "$compose" "$refresh_token") == "$status" ]]
+  [[ $(compose_status "$compose" "$refresh_token" | jq -r '.status') == "$status" ]]
 }
 
 function wait_for_status {
@@ -203,7 +134,7 @@ function wait_for_status {
   while true
   do
     local current_status
-    current_status=$(compose_status "$compose" "$refresh_token")
+    current_status=$(compose_status "$compose" "$refresh_token" | jq -r '.status')
 
     case "$current_status" in
       "$desired_status")
diff --git a/test/data/composer/osbuild-composer-jwt.toml b/test/data/composer/osbuild-composer-jwt.toml
new file mode 100644
index 000000000..24b6364df
--- /dev/null
+++ b/test/data/composer/osbuild-composer-jwt.toml
@@ -0,0 +1,17 @@
+[koji]
+enable_tls = false
+enable_mtls = false
+enable_jwt = true
+jwt_keys_urls = ["https://localhost:8082/certs"]
+jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
+jwt_acl_file = ""
+jwt_tenant_provider_fields = ["rh-org-id"]
+
+[worker]
+enable_artifacts = false
+enable_tls = true
+enable_mtls = false
+enable_jwt = true
+jwt_keys_urls = ["https://localhost:8082/certs"]
+jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
+jwt_tenant_provider_fields = ["rh-org-id"]
diff --git a/test/data/worker/osbuild-worker-jwt.toml b/test/data/worker/osbuild-worker-jwt.toml
new file mode 100644
index 000000000..1aee20311
--- /dev/null
+++ b/test/data/worker/osbuild-worker-jwt.toml
@@ -0,0 +1,8 @@
+[authentication]
+oauth_url = "http://localhost:8081/token"
+client_id = "rhsm-api"
+offline_token = "/etc/osbuild-worker/token"
+
+[koji.localhost.kerberos]
+principal = "osbuild-krb@LOCAL"
+keytab = "/etc/osbuild-worker/client.keytab"
diff --git a/tools/provision.sh b/tools/provision.sh
index 04a05e9f7..f03773075 100755
--- a/tools/provision.sh
+++ b/tools/provision.sh
@@ -7,6 +7,12 @@ source /usr/libexec/osbuild-composer-test/set-env-variables.sh
 ARTIFACTS="${ARTIFACTS:=/tmp/artifacts}"
 mkdir -p "${ARTIFACTS}"
 
+# determine the authentication method used by composer
+AUTH_METHOD_TLS="tls"
+AUTH_METHOD_JWT="jwt"
+# default to TLS for now
+AUTH_METHOD="${1:-$AUTH_METHOD_TLS}"
+
 # koji and ansible are not in RHEL repositories. Depending on them in the spec
 # file breaks RHEL gating (see OSCI-1541). Therefore, we need to enable epel
 # and install koji and ansible here.
@@ -34,12 +40,38 @@ if [[ "$VERSION_ID" == "9.0" || "$VERSION_ID" == "9" ]]; then
 fi
 
 sudo mkdir -p /etc/osbuild-composer
-sudo cp -a /usr/share/tests/osbuild-composer/composer/osbuild-composer-tls.toml \
-    /etc/osbuild-composer/osbuild-composer.toml
-
 sudo mkdir -p /etc/osbuild-worker
-sudo cp -a /usr/share/tests/osbuild-composer/worker/osbuild-worker-tls.toml \
-    /etc/osbuild-worker/osbuild-worker.toml
+
+# Generate all X.509 certificates for the tests
+# The whole generation is done in a $CADIR to better represent how osbuild-ca
+# it.
+CERTDIR=/etc/osbuild-composer
+OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
+CADIR=/etc/osbuild-composer-test/ca
+
+scriptloc=$(dirname "$0")
+sudo "${scriptloc}/gen-certs.sh" "${OPENSSL_CONFIG}" "${CERTDIR}" "${CADIR}"
+sudo chown _osbuild-composer "${CERTDIR}"/composer-*.pem
+
+# Copy the appropriate configuration files
+if [[ "$AUTH_METHOD" == "$AUTH_METHOD_JWT" ]]; then
+    COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-jwt.toml"
+    WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-jwt.toml"
+
+    # Default orgID
+    sudo tee "/etc/osbuild-worker/token" >/dev/null <<EOF
+123456789
+EOF
+
+    /usr/libexec/osbuild-composer-test/run-mock-auth-servers.sh start
+
+elif [[ "$AUTH_METHOD" == "$AUTH_METHOD_TLS" ]]; then
+    COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-tls.toml"
+    WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-tls.toml"
+fi
+
+sudo cp -a "$COMPOSER_TEST_CONFIG" /etc/osbuild-composer/osbuild-composer.toml
+sudo cp -a "$WORKER_TEST_CONFIG" /etc/osbuild-worker/osbuild-worker.toml
 
 # if GCP credentials are defined in the ENV, add them to the worker's configuration
 GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_APPLICATION_CREDENTIALS:-}"
@@ -126,23 +158,33 @@ if [ -f "rhel-${VERSION_ID%.*}-beta.json" ]; then
     sudo cp rhel-"${VERSION_ID%.*}"-beta.json "$REPODIR/rhel-${VERSION_SUFFIX}-beta.json"
 fi
 
-# Generate all X.509 certificates for the tests
-# The whole generation is done in a $CADIR to better represent how osbuild-ca
-# it.
-CERTDIR=/etc/osbuild-composer
-OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
-CADIR=/etc/osbuild-composer-test/ca
+# start appropriate units
+case "${AUTH_METHOD}" in
+    "${AUTH_METHOD_JWT}")
+        # JWT is used only in the "Service" scenario. This means that:
+        # - only remote workers will be used (no local worker)
+        # - only Cloud API socket will be started (no Weldr API)
+        sudo systemctl stop 'osbuild*'
+        # make sure that the local worker is not running
+        sudo systemctl mask osbuild-worker@1.service
+        # enable remote worker API
+        sudo systemctl start osbuild-remote-worker.socket
+        # enable Cloud API
+        sudo systemctl start osbuild-composer-api.socket
+        # start a remote worker
+        sudo systemctl start osbuild-remote-worker@localhost:8700.service
+        ;;
 
-scriptloc=$(dirname "$0")
-sudo "${scriptloc}/gen-certs.sh" "${OPENSSL_CONFIG}" "${CERTDIR}" "${CADIR}"
-sudo chown _osbuild-composer "${CERTDIR}"/composer-*.pem
+    *)
+        # the default setup used previously for all tests
+        sudo systemctl start osbuild-remote-worker.socket
+        sudo systemctl start osbuild-composer.socket
+        sudo systemctl start osbuild-composer-api.socket
 
-sudo systemctl start osbuild-remote-worker.socket
-sudo systemctl start osbuild-composer.socket
-sudo systemctl start osbuild-composer-api.socket
-
-# The keys were regenerated but osbuild-composer might be already running.
-# Let's try to restart it. In ideal world, this shouldn't be needed as every
-# test case is supposed to run on a pristine machine. However, this is
-# currently not true on Schutzbot
-sudo systemctl try-restart osbuild-composer
+        # The keys were regenerated but osbuild-composer might be already running.
+        # Let's try to restart it. In ideal world, this shouldn't be needed as every
+        # test case is supposed to run on a pristine machine. However, this is
+        # currently not true on Schutzbot
+        sudo systemctl try-restart osbuild-composer
+        ;;
+esac
diff --git a/tools/run-mock-auth-servers.sh b/tools/run-mock-auth-servers.sh
new file mode 100644
index 000000000..fee2dafb0
--- /dev/null
+++ b/tools/run-mock-auth-servers.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+set -eu
+
+# Colorful output.
+function greenprint {
+    echo -e "\033[1;32m[$(date -Isecond)] ${1}\033[0m"
+}
+
+servers_start() {
+    greenprint "Starting mock JWT AUTH servers"
+    # Spin up an https instance for the composer-api and worker-api; the auth handler needs to hit an ssl `/certs` endpoint
+    sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8082 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem -cert /etc/osbuild-composer/composer-crt.pem -key /etc/osbuild-composer/composer-key.pem &
+    # Spin up an http instance for the worker client to bypass the need to specify an extra CA
+    sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8081 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem &
+}
+
+servers_stop() {
+    greenprint "Stopping mock JWT AUTH servers"
+    local KILL_PIDS=()
+    # shellcheck disable=SC2207
+    # The split is desired and should be simple enough for the shell to handle
+    KILL_PIDS=($(pgrep -f '^sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider'))
+    for PID in "${KILL_PIDS[@]}"; do
+        sudo pkill -P "$PID"
+    done
+}
+
+case "$1" in
+    "start")
+        servers_start
+        ;;
+    "stop")
+        servers_stop
+        ;;
+    *)
+        echo "Usage: $0 {start|stop}"
+        exit 1
+        ;;
+esac