test: extract common JTW code from the multi-tenancy.sh test

Move some code related to using JWT tokens from the `multi-tenancy.sh` test case to `test/cases/api/common/common.sh`, `tools/provision.sh` and `tools/run-mock-auth-servers.sh`. Move the composer and worker configuration from the test to new testing configuration files. The `tools/provision.sh` now accepts an optional argument specifying the authentication method to use with the provisioned composer and workers. Valid values are `tls` and `jwt`. If no argument is specified, the `tls` option is used and the script defaults to its previous behavior.
2022-07-23 22:13:41 +02:00 · 2022-07-23 22:13:41 +02:00 · 765d218b6f
commit 765d218b6f
parent faf911cd21
7 changed files with 164 additions and 101 deletions
--- a/osbuild-composer.spec
+++ b/osbuild-composer.spec
@ -205,6 +205,7 @@ install -m 0755 -vp tools/libvirt_test.sh                          %{buildroot}%
 install -m 0755 -vp tools/s3_test.sh                               %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/generic_s3_test.sh                       %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/generic_s3_https_test.sh                 %{buildroot}%{_libexecdir}/osbuild-composer-test/
+install -m 0755 -vp tools/run-mock-auth-servers.sh                 %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/set-env-variables.sh                     %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vp tools/test-case-generators/generate-test-cases %{buildroot}%{_libexecdir}/osbuild-composer-test/
 install -m 0755 -vd                                                %{buildroot}%{_libexecdir}/tests/osbuild-composer
--- a/test/cases/api/common/common.sh
+++ b/test/cases/api/common/common.sh
@ -44,3 +44,28 @@ function _instanceCheck() {
    echo "Not RHEL OS. Skip subscription check."
  fi
 }
+
+# Fetch a JWT token
+function access_token {
+  # Refresh token represents the ORG ID
+  local refresh_token="$1"
+  curl --request POST \
+    --data "refresh_token=$refresh_token" \
+    --header "Content-Type: application/x-www-form-urlencoded" \
+    --silent \
+    --show-error \
+    --fail \
+    localhost:8081/token | jq -r .access_token
+}
+
+# Get the compose status using a JWT token
+function compose_status {
+  local compose="$1"
+  local refresh_token="$2"
+  curl \
+    --silent \
+    --show-error \
+    --fail \
+    --header "Authorization: Bearer $(access_token "$refresh_token")" \
+    "http://localhost:443/api/image-builder-composer/v2/composes/$compose"
+}
--- a/test/cases/multi-tenancy.sh
+++ b/test/cases/multi-tenancy.sh
@ -21,7 +21,10 @@ function greenprint {
 }

 # Provision the software under test.
-/usr/libexec/osbuild-composer-test/provision.sh
+/usr/libexec/osbuild-composer-test/provision.sh jwt
+
+# Source common functions
+source /usr/libexec/tests/osbuild-composer/api/common/common.sh

 greenprint "Registering clean ups"
 KILL_PIDS=()
@ -39,6 +42,9 @@ function cleanup() {
  for P in "${KILL_PIDS[@]}"; do
      sudo pkill -P "$P"
  done
+
+  /usr/libexec/osbuild-composer-test/run-mock-auth-servers.sh stop
+
  set -eu
 }
 trap cleanup EXIT
@ -61,59 +67,6 @@ sudo cp \
    "${OSBUILD_COMPOSER_TEST_DATA}"/kerberos/krb5-local.conf \
    /etc/krb5.conf.d/local

-greenprint "Configuring composer and worker"
-sudo tee "/etc/osbuild-composer/osbuild-composer.toml" >/dev/null <<EOF
-[koji]
-enable_tls = false
-enable_mtls = false
-enable_jwt = true
-jwt_keys_urls = ["https://localhost:8082/certs"]
-jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
-jwt_acl_file = ""
-jwt_tenant_provider_fields = ["rh-org-id"]
-[worker]
-enable_artifacts = false
-enable_tls = true
-enable_mtls = false
-enable_jwt = true
-jwt_keys_urls = ["https://localhost:8082/certs"]
-jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
-jwt_tenant_provider_fields = ["rh-org-id"]
-EOF
-
-# No compose will get this orgID
-sudo tee "/etc/osbuild-worker/token" >/dev/null <<EOF
-123456789
-EOF
-
-sudo tee "/etc/osbuild-worker/osbuild-worker.toml" >/dev/null <<EOF
-[authentication]
-oauth_url = "http://localhost:8081/token"
-client_id = "rhsm-api"
-offline_token = "/etc/osbuild-worker/token"
-
-[koji.localhost.kerberos]
-principal = "osbuild-krb@LOCAL"
-keytab = "/etc/osbuild-worker/client.keytab"
-
-[aws]
-bucket = "${AWS_BUCKET}"
-credentials = "/etc/osbuild-worker/aws-credentials.toml"
-EOF
-
-greenprint "Starting mock servers"
-# Spin up an https instance for the composer-api and worker-api; the auth handler needs to hit an ssl `/certs` endpoint
-sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8082 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem -cert /etc/osbuild-composer/composer-crt.pem -key /etc/osbuild-composer/composer-key.pem &
-KILL_PIDS+=("$!")
-# Spin up an http instance for the worker client to bypass the need to specify an extra CA
-sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8081 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem &
-KILL_PIDS+=("$!")
-
-greenprint "Restarting composer, stopping a local worker and starting a remote worker"
-sudo systemctl restart osbuild-composer
-sudo systemctl stop osbuild-worker@1
-sudo systemctl start osbuild-remote-worker@localhost:8700
-
 DISTRO=rhel-86

 function s3_request {
@ -153,17 +106,6 @@ function koji_request {
 EOF
 }

-function access_token {
-  local refresh_token="$1"
-  curl --request POST \
-    --data "refresh_token=$refresh_token" \
-    --header "Content-Type: application/x-www-form-urlencoded" \
-    --silent \
-    --show-error \
-    --fail \
-    localhost:8081/token | jq -r .access_token
-}
-
 function send_compose {
  local request_file="$1"
  local refresh_token="$2"
@ -178,22 +120,11 @@ function send_compose {
    http://localhost:443/api/image-builder-composer/v2/compose | jq -r '.id'
 }

-function compose_status {
-  local compose="$1"
-  local refresh_token="$2"
-  curl \
-    --silent \
-    --show-error \
-    --fail \
-    --header "Authorization: Bearer $(access_token "$refresh_token")" \
-    "http://localhost:443/api/image-builder-composer/v2/composes/$compose" | jq -r '.status'
-}
-
 function assert_status {
  local compose="$1"
  local refresh_token="$2"
  local status="$3"
-  [[ $(compose_status "$compose" "$refresh_token") == "$status" ]]
+  [[ $(compose_status "$compose" "$refresh_token" | jq -r '.status') == "$status" ]]
 }

 function wait_for_status {
@ -203,7 +134,7 @@ function wait_for_status {
  while true
  do
    local current_status
-    current_status=$(compose_status "$compose" "$refresh_token")
+    current_status=$(compose_status "$compose" "$refresh_token" | jq -r '.status')

    case "$current_status" in
      "$desired_status")
--- a/test/data/composer/osbuild-composer-jwt.toml
+++ b/test/data/composer/osbuild-composer-jwt.toml
@ -0,0 +1,17 @@
+[koji]
+enable_tls = false
+enable_mtls = false
+enable_jwt = true
+jwt_keys_urls = ["https://localhost:8082/certs"]
+jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
+jwt_acl_file = ""
+jwt_tenant_provider_fields = ["rh-org-id"]
+
+[worker]
+enable_artifacts = false
+enable_tls = true
+enable_mtls = false
+enable_jwt = true
+jwt_keys_urls = ["https://localhost:8082/certs"]
+jwt_ca_file = "/etc/osbuild-composer/ca-crt.pem"
+jwt_tenant_provider_fields = ["rh-org-id"]
--- a/test/data/worker/osbuild-worker-jwt.toml
+++ b/test/data/worker/osbuild-worker-jwt.toml
@ -0,0 +1,8 @@
+[authentication]
+oauth_url = "http://localhost:8081/token"
+client_id = "rhsm-api"
+offline_token = "/etc/osbuild-worker/token"
+
+[koji.localhost.kerberos]
+principal = "osbuild-krb@LOCAL"
+keytab = "/etc/osbuild-worker/client.keytab"
--- a/tools/provision.sh
+++ b/tools/provision.sh
@ -7,6 +7,12 @@ source /usr/libexec/osbuild-composer-test/set-env-variables.sh
 ARTIFACTS="${ARTIFACTS:=/tmp/artifacts}"
 mkdir -p "${ARTIFACTS}"

+# determine the authentication method used by composer
+AUTH_METHOD_TLS="tls"
+AUTH_METHOD_JWT="jwt"
+# default to TLS for now
+AUTH_METHOD="${1:-$AUTH_METHOD_TLS}"
+
 # koji and ansible are not in RHEL repositories. Depending on them in the spec
 # file breaks RHEL gating (see OSCI-1541). Therefore, we need to enable epel
 # and install koji and ansible here.
@ -34,12 +40,38 @@ if [[ "$VERSION_ID" == "9.0" || "$VERSION_ID" == "9" ]]; then
 fi

 sudo mkdir -p /etc/osbuild-composer
-sudo cp -a /usr/share/tests/osbuild-composer/composer/osbuild-composer-tls.toml \
-    /etc/osbuild-composer/osbuild-composer.toml
-
 sudo mkdir -p /etc/osbuild-worker
-sudo cp -a /usr/share/tests/osbuild-composer/worker/osbuild-worker-tls.toml \
-    /etc/osbuild-worker/osbuild-worker.toml
+
+# Generate all X.509 certificates for the tests
+# The whole generation is done in a $CADIR to better represent how osbuild-ca
+# it.
+CERTDIR=/etc/osbuild-composer
+OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
+CADIR=/etc/osbuild-composer-test/ca
+
+scriptloc=$(dirname "$0")
+sudo "${scriptloc}/gen-certs.sh" "${OPENSSL_CONFIG}" "${CERTDIR}" "${CADIR}"
+sudo chown _osbuild-composer "${CERTDIR}"/composer-*.pem
+
+# Copy the appropriate configuration files
+if [[ "$AUTH_METHOD" == "$AUTH_METHOD_JWT" ]]; then
+    COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-jwt.toml"
+    WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-jwt.toml"
+
+    # Default orgID
+    sudo tee "/etc/osbuild-worker/token" >/dev/null <<EOF
+123456789
+EOF
+
+    /usr/libexec/osbuild-composer-test/run-mock-auth-servers.sh start
+
+elif [[ "$AUTH_METHOD" == "$AUTH_METHOD_TLS" ]]; then
+    COMPOSER_TEST_CONFIG="/usr/share/tests/osbuild-composer/composer/osbuild-composer-tls.toml"
+    WORKER_TEST_CONFIG="/usr/share/tests/osbuild-composer/worker/osbuild-worker-tls.toml"
+fi
+
+sudo cp -a "$COMPOSER_TEST_CONFIG" /etc/osbuild-composer/osbuild-composer.toml
+sudo cp -a "$WORKER_TEST_CONFIG" /etc/osbuild-worker/osbuild-worker.toml

 # if GCP credentials are defined in the ENV, add them to the worker's configuration
 GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_APPLICATION_CREDENTIALS:-}"
@ -126,17 +158,25 @@ if [ -f "rhel-${VERSION_ID%.*}-beta.json" ]; then
    sudo cp rhel-"${VERSION_ID%.*}"-beta.json "$REPODIR/rhel-${VERSION_SUFFIX}-beta.json"
 fi

-# Generate all X.509 certificates for the tests
-# The whole generation is done in a $CADIR to better represent how osbuild-ca
-# it.
-CERTDIR=/etc/osbuild-composer
-OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
-CADIR=/etc/osbuild-composer-test/ca
-
-scriptloc=$(dirname "$0")
-sudo "${scriptloc}/gen-certs.sh" "${OPENSSL_CONFIG}" "${CERTDIR}" "${CADIR}"
-sudo chown _osbuild-composer "${CERTDIR}"/composer-*.pem
+# start appropriate units
+case "${AUTH_METHOD}" in
+    "${AUTH_METHOD_JWT}")
+        # JWT is used only in the "Service" scenario. This means that:
+        # - only remote workers will be used (no local worker)
+        # - only Cloud API socket will be started (no Weldr API)
+        sudo systemctl stop 'osbuild*'
+        # make sure that the local worker is not running
+        sudo systemctl mask osbuild-worker@1.service
+        # enable remote worker API
+        sudo systemctl start osbuild-remote-worker.socket
+        # enable Cloud API
+        sudo systemctl start osbuild-composer-api.socket
+        # start a remote worker
+        sudo systemctl start osbuild-remote-worker@localhost:8700.service
+        ;;

+    *)
+        # the default setup used previously for all tests
        sudo systemctl start osbuild-remote-worker.socket
        sudo systemctl start osbuild-composer.socket
        sudo systemctl start osbuild-composer-api.socket
@ -146,3 +186,5 @@ sudo systemctl start osbuild-composer-api.socket
        # test case is supposed to run on a pristine machine. However, this is
        # currently not true on Schutzbot
        sudo systemctl try-restart osbuild-composer
+        ;;
+esac
--- a/tools/run-mock-auth-servers.sh
+++ b/tools/run-mock-auth-servers.sh
@ -0,0 +1,39 @@
+#!/bin/bash
+set -eu
+
+# Colorful output.
+function greenprint {
+    echo -e "\033[1;32m[$(date -Isecond)] ${1}\033[0m"
+}
+
+servers_start() {
+    greenprint "Starting mock JWT AUTH servers"
+    # Spin up an https instance for the composer-api and worker-api; the auth handler needs to hit an ssl `/certs` endpoint
+    sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8082 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem -cert /etc/osbuild-composer/composer-crt.pem -key /etc/osbuild-composer/composer-key.pem &
+    # Spin up an http instance for the worker client to bypass the need to specify an extra CA
+    sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider -a localhost:8081 -rsaPubPem /etc/osbuild-composer/client-crt.pem -rsaPem /etc/osbuild-composer/client-key.pem &
+}
+
+servers_stop() {
+    greenprint "Stopping mock JWT AUTH servers"
+    local KILL_PIDS=()
+    # shellcheck disable=SC2207
+    # The split is desired and should be simple enough for the shell to handle
+    KILL_PIDS=($(pgrep -f '^sudo /usr/libexec/osbuild-composer-test/osbuild-mock-openid-provider'))
+    for PID in "${KILL_PIDS[@]}"; do
+        sudo pkill -P "$PID"
+    done
+}
+
+case "$1" in
+    "start")
+        servers_start
+        ;;
+    "stop")
+        servers_stop
+        ;;
+    *)
+        echo "Usage: $0 {start|stop}"
+        exit 1
+        ;;
+esac