particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

test: extract common JTW code from the multi-tenancy.sh test

Browse source 
Move some code related to using JWT tokens from the `multi-tenancy.sh`
test case to `test/cases/api/common/common.sh`, `tools/provision.sh`
and `tools/run-mock-auth-servers.sh`. Move the composer and worker
configuration from the test to new testing configuration files.

The `tools/provision.sh` now accepts an optional argument specifying the
authentication method to use with the provisioned composer and workers.
Valid values are `tls` and `jwt`. If no argument is specified, the `tls`
option is used and the script defaults to its previous behavior.
This commit is contained in:
Tomas Hozza 2022-07-23 22:13:41 +02:00 committed by Ondřej Budai
parent faf911cd21
commit 765d218b6f
7 changed files with 164 additions and 101 deletions
Download patch file Download diff file Expand all files Collapse all files

1
osbuild-composer.spec
View file

@ -205,6 +205,7 @@ install -m 0755 -vp tools/libvirt_test.sh %{buildroot}%
install -m 0755 -vp tools/s3_test.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/s3_test.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/generic_s3_test.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/generic_s3_test.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/generic_s3_https_test.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/generic_s3_https_test.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/run-mock-auth-servers.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/set-env-variables.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/set-env-variables.sh %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vp tools/test-case-generators/generate-test-cases %{buildroot}%{_libexecdir}/osbuild-composer-test/ install -m 0755 -vp tools/test-case-generators/generate-test-cases %{buildroot}%{_libexecdir}/osbuild-composer-test/
install -m 0755 -vd %{buildroot}%{_libexecdir}/tests/osbuild-composer install -m 0755 -vd %{buildroot}%{_libexecdir}/tests/osbuild-composer

25
test/cases/api/common/common.sh
View file

@ -44,3 +44,28 @@ function _instanceCheck() {
echo "Not RHEL OS. Skip subscription check." echo "Not RHEL OS. Skip subscription check."
fi fi
} }
# Fetch a JWT token
function access_token {
# Refresh token represents the ORG ID
local refresh_token="$1"
curl --request POST \
--data "refresh_token=$refresh_token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--silent \
--show-error \
--fail \
localhost:8081/token | jq -r .access_token
}
# Get the compose status using a JWT token
function compose_status {
local compose="$1"
local refresh_token="$2"
curl \
--silent \
--show-error \
--fail \
--header "Authorization: Bearer $(access_token "$refresh_token")" \
"http://localhost:443/api/image-builder-composer/v2/composes/$compose"
}

87
test/cases/multi-tenancy.sh
View file

@ -21,7 +21,10 @@ function greenprint {
} }
# Provision the software under test. # Provision the software under test.
/usr/libexec/osbuild-composer-test/provision.sh /usr/libexec/osbuild-composer-test/provision.sh jwt
# Source common functions
source /usr/libexec/tests/osbuild-composer/api/common/common.sh
greenprint "Registering clean ups" greenprint "Registering clean ups"
KILL_PIDS=() KILL_PIDS=()
@ -39,6 +42,9 @@ function cleanup() {
for P in "${KILL_PIDS[@]}"; do for P in "${KILL_PIDS[@]}"; do
sudo pkill -P "$P" sudo pkill -P "$P"
done done
/usr/libexec/osbuild-composer-test/run-mock-auth-servers.sh stop
set -eu set -eu
} }
trap cleanup EXIT trap cleanup EXIT
@ -61,59 +67,6 @@ sudo cp \
"${OSBUILD_COMPOSER_TEST_DATA}"/kerberos/krb5-local.conf \ "${OSBUILD_COMPOSER_TEST_DATA}"/kerberos/krb5-local.conf \
/etc/krb5.conf.d/local /etc/krb5.conf.d/local
greenprint "Configuring composer and worker"
sudo tee "/etc/osbuild-composer/osbuild-composer.toml" >/dev/null <<EOF
[koji]
enable_tls = false
enable_mtls = false
enable_jwt = true
jwt_keys_urls = ["https://localhost:8082/certs"]
jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
jwt_acl_file = ""
jwt_tenant_provider_fields = ["rh-org-id"]
[worker]
enable_artifacts = false
enable_tls = true
enable_mtls = false
enable_jwt = true
jwt_keys_urls = ["https://localhost:8082/certs"]
jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
jwt_tenant_provider_fields = ["rh-org-id"]
EOF
# No compose will get this orgID
sudo tee "/etc/osbuild-worker/token" >/dev/null <<EOF
123456789
EOF
sudo tee "/etc/osbuild-worker/osbuild-worker.toml" >/dev/null <<EOF
[authentication]
oauth_url = "http://localhost:8081/token"
client_id = "rhsm-api"
offline_token = "/etc/osbuild-worker/token"
[koji.localhost.kerberos]
principal = "osbuild-krb@LOCAL"
keytab = "/etc/osbuild-worker/client.keytab"
[aws]
bucket = "${AWS_BUCKET}"
credentials = "/etc/osbuild-worker/aws-credentials.toml"
EOF
greenprint "Starting mock servers"
# Spin up an https instance for the composer-api and worker-api; the auth handler needs to hit an ssl `/certs` endpoint
sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8082 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem -cert /etc/osbuild-composer/composer-crt.pem -key /etc/osbuild-composer/composer-key.pem &
KILL_PIDS+=("$!")
# Spin up an http instance for the worker client to bypass the need to specify an extra CA
sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8081 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem &
KILL_PIDS+=("$!")
greenprint "Restarting composer, stopping a local worker and starting a remote worker"
sudo systemctl restart osbuild-composer
sudo systemctl stop osbuild-worker@1
sudo systemctl start osbuild-remote-worker@localhost:8700
DISTRO=rhel-86 DISTRO=rhel-86
function s3_request { function s3_request {
@ -153,17 +106,6 @@ function koji_request {
EOF EOF
} }
function access_token {
local refresh_token="$1"
curl --request POST \
--data "refresh_token=$refresh_token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--silent \
--show-error \
--fail \
localhost:8081/token | jq -r .access_token
}
function send_compose { function send_compose {
local request_file="$1" local request_file="$1"
local refresh_token="$2" local refresh_token="$2"
@ -178,22 +120,11 @@ function send_compose {
http://localhost:443/api/image-builder-composer/v2/compose | jq -r '.id' http://localhost:443/api/image-builder-composer/v2/compose | jq -r '.id'
} }
function compose_status {
local compose="$1"
local refresh_token="$2"
curl \
--silent \
--show-error \
--fail \
--header "Authorization: Bearer $(access_token "$refresh_token")" \
"http://localhost:443/api/image-builder-composer/v2/composes/$compose" | jq -r '.status'
}
function assert_status { function assert_status {
local compose="$1" local compose="$1"
local refresh_token="$2" local refresh_token="$2"
local status="$3" local status="$3"
[[ $(compose_status "$compose" "$refresh_token") == "$status" ]] [[ $(compose_status "$compose" "$refresh_token" | jq -r '.status') == "$status" ]]
} }
function wait_for_status { function wait_for_status {
@ -203,7 +134,7 @@ function wait_for_status {
while true while true
do do
local current_status local current_status
current_status=$(compose_status "$compose" "$refresh_token") current_status=$(compose_status "$compose" "$refresh_token" | jq -r '.status')
case "$current_status" in case "$current_status" in
"$desired_status") "$desired_status")

17
test/data/composer/osbuild-composer-jwt.toml Normal file
View file

@ -0,0 +1,17 @@
[koji]
enable_tls = false
enable_mtls = false
enable_jwt = true
jwt_keys_urls = ["https://localhost:8082/certs"]
jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
jwt_acl_file = ""
jwt_tenant_provider_fields = ["rh-org-id"]
[worker]
enable_artifacts = false
enable_tls = true
enable_mtls = false
enable_jwt = true
jwt_keys_urls = ["https://localhost:8082/certs"]
jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
jwt_tenant_provider_fields = ["rh-org-id"]

8
test/data/worker/osbuild-worker-jwt.toml Normal file
View file

@ -0,0 +1,8 @@
[authentication]
oauth_url = "http://localhost:8081/token"
client_id = "rhsm-api"
offline_token = "/etc/osbuild-worker/token"
[koji.localhost.kerberos]
principal = "osbuild-krb@LOCAL"
keytab = "/etc/osbuild-worker/client.keytab"

72
tools/provision.sh
View file

@ -7,6 +7,12 @@ source /usr/libexec/osbuild-composer-test/set-env-variables.sh
ARTIFACTS="${ARTIFACTS:=/tmp/artifacts}" ARTIFACTS="${ARTIFACTS:=/tmp/artifacts}"
mkdir -p "${ARTIFACTS}" mkdir -p "${ARTIFACTS}"
# determine the authentication method used by composer
AUTH_METHOD_TLS="tls"
AUTH_METHOD_JWT="jwt"
# default to TLS for now
AUTH_METHOD="${1:-$AUTH_METHOD_TLS}"
# koji and ansible are not in RHEL repositories. Depending on them in the spec # koji and ansible are not in RHEL repositories. Depending on them in the spec
# file breaks RHEL gating (see OSCI-1541). Therefore, we need to enable epel # file breaks RHEL gating (see OSCI-1541). Therefore, we need to enable epel
# and install koji and ansible here. # and install koji and ansible here.
@ -34,12 +40,38 @@ if [[ "$VERSION_ID" == "9.0" || "$VERSION_ID" == "9" ]]; then
fi fi
sudo mkdir -p /etc/osbuild-composer sudo mkdir -p /etc/osbuild-composer
sudo cp -a /usr/share/tests/osbuild-composer/composer/osbuild-composer-tls.toml \
/etc/osbuild-composer/osbuild-composer.toml
sudo mkdir -p /etc/osbuild-worker sudo mkdir -p /etc/osbuild-worker
sudo cp -a /usr/share/tests/osbuild-composer/worker/osbuild-worker-tls.toml \
/etc/osbuild-worker/osbuild-worker.toml # Generate all X.509 certificates for the tests
# The whole generation is done in a $CADIR to better represent how osbuild-ca
# it.
CERTDIR=/etc/osbuild-composer
OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
CADIR=/etc/osbuild-composer-test/ca
scriptloc=$(dirname "$0")
sudo "${scriptloc}/gen-certs.sh" "${OPENSSL_CONFIG}" "${CERTDIR}" "${CADIR}"
sudo chown _osbuild-composer "${CERTDIR}"/composer-*.pem
# Copy the appropriate configuration files
if [[ "$AUTH_METHOD" == "$AUTH_METHOD_JWT" ]]; then
COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-jwt.toml"
WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-jwt.toml"
# Default orgID
sudo tee "/etc/osbuild-worker/token" >/dev/null <<EOF
123456789
EOF
/usr/libexec/osbuild-composer-test/run-mock-auth-servers.sh start
elif [[ "$AUTH_METHOD" == "$AUTH_METHOD_TLS" ]]; then
COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-tls.toml"
WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-tls.toml"
fi
sudo cp -a "$COMPOSER_TEST_CONFIG" /etc/osbuild-composer/osbuild-composer.toml
sudo cp -a "$WORKER_TEST_CONFIG" /etc/osbuild-worker/osbuild-worker.toml
# if GCP credentials are defined in the ENV, add them to the worker's configuration # if GCP credentials are defined in the ENV, add them to the worker's configuration
GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_APPLICATION_CREDENTIALS:-}" GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_APPLICATION_CREDENTIALS:-}"
@ -126,17 +158,25 @@ if [ -f "rhel-${VERSION_ID%.*}-beta.json" ]; then
sudo cp rhel-"${VERSION_ID%.*}"-beta.json "$REPODIR/rhel-${VERSION_SUFFIX}-beta.json" sudo cp rhel-"${VERSION_ID%.*}"-beta.json "$REPODIR/rhel-${VERSION_SUFFIX}-beta.json"
fi fi
# Generate all X.509 certificates for the tests # start appropriate units
# The whole generation is done in a $CADIR to better represent how osbuild-ca case "${AUTH_METHOD}" in
# it. "${AUTH_METHOD_JWT}")
CERTDIR=/etc/osbuild-composer # JWT is used only in the "Service" scenario. This means that:
OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf # - only remote workers will be used (no local worker)
CADIR=/etc/osbuild-composer-test/ca # - only Cloud API socket will be started (no Weldr API)
sudo systemctl stop 'osbuild*'
scriptloc=$(dirname "$0") # make sure that the local worker is not running
sudo "${scriptloc}/gen-certs.sh" "${OPENSSL_CONFIG}" "${CERTDIR}" "${CADIR}" sudo systemctl mask osbuild-worker@1.service
sudo chown _osbuild-composer "${CERTDIR}"/composer-*.pem # enable remote worker API
sudo systemctl start osbuild-remote-worker.socket
# enable Cloud API
sudo systemctl start osbuild-composer-api.socket
# start a remote worker
sudo systemctl start osbuild-remote-worker@localhost:8700.service
;;
*)
# the default setup used previously for all tests
sudo systemctl start osbuild-remote-worker.socket sudo systemctl start osbuild-remote-worker.socket
sudo systemctl start osbuild-composer.socket sudo systemctl start osbuild-composer.socket
sudo systemctl start osbuild-composer-api.socket sudo systemctl start osbuild-composer-api.socket
@ -146,3 +186,5 @@ sudo systemctl start osbuild-composer-api.socket
# test case is supposed to run on a pristine machine. However, this is # test case is supposed to run on a pristine machine. However, this is
# currently not true on Schutzbot # currently not true on Schutzbot
sudo systemctl try-restart osbuild-composer sudo systemctl try-restart osbuild-composer
;;
esac

39
tools/run-mock-auth-servers.sh Normal file
View file

@ -0,0 +1,39 @@
#!/bin/bash
set -eu
# Colorful output.
function greenprint {
echo -e "\033[1;32m[$(date -Isecond)] ${1}\033[0m"
}
servers_start() {
greenprint "Starting mock JWT AUTH servers"
# Spin up an https instance for the composer-api and worker-api; the auth handler needs to hit an ssl `/certs` endpoint
sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8082 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem -cert /etc/osbuild-composer/composer-crt.pem -key /etc/osbuild-composer/composer-key.pem &
# Spin up an http instance for the worker client to bypass the need to specify an extra CA
sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8081 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem &
}
servers_stop() {
greenprint "Stopping mock JWT AUTH servers"
local KILL_PIDS=()
# shellcheck disable=SC2207
# The split is desired and should be simple enough for the shell to handle
KILL_PIDS=($(pgrep -f '^sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider'))
for PID in "${KILL_PIDS[@]}"; do
sudo pkill -P "$PID"
done
}
case "$1" in
"start")
servers_start
;;
"stop")
servers_stop
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
;;
esac