Merge pull request openshift#1515 from richm/user-creation-with-new-installer

openshift-merge-robot · web-flow · commit b97d6aa99265 · 2019-03-22T12:58:11.000-07:00
add back tests that require user creation
diff --git a/hack/testing/entrypoint.sh b/hack/testing/entrypoint.sh
@@ -75,10 +75,8 @@ if oc get clusterlogging example > /dev/null 2>&1 ; then
     # cannot mount file inside pod into another pod - rewrite to use a configmap or secret
     # test-viaq-data-model
     expected_failures=(
-        check-logs test-access-control test-kibana-dashboards test-multi-tenancy
         test-out_rawtcp test-remote-syslog test-zzz-duplicate-entries
         test-read-throttling test-viaq-data-model test-zzzz-bulk-rejection
-
     )
 else
     expected_failures=(
@@ -206,6 +204,8 @@ function cleanup() {
 }
 trap "cleanup" EXIT
 
+rm -f ${OS_O_A_L_DIR}/temp/htpw.file
+
 if [[ -z "${TEST_ONLY:-}" ]]; then
 	"${OS_O_A_L_DIR}/hack/testing/setup.sh"
 elif [[ -z "${KUBECONFIG:-}" ]]; then
diff --git a/hack/testing/util.sh b/hack/testing/util.sh
@@ -83,9 +83,120 @@ function get_es_cert_path() {
   echo ${OS_O_A_L_DIR}/temp/es_certs
 }
 
+function create_users() {
+    # args are username password true|false (isadmin)
+    local addeduser=""
+    local username=""
+    local pwd=""
+    local isadmin=""
+    local existingusers=""
+    for item in "$@" ; do
+        if [ -z "$username" ] ; then username="$item" ; continue ; fi
+        if [ -z "$pwd" ] ; then pwd="$item" ; continue ; fi
+        if [ -z "$isadmin" ] ; then isadmin="$item" ; fi
+        if oc get user $username > /dev/null 2>&1 ; then
+            existingusers="$existingusers $username"
+        else
+            echo create_users: new user $username
+            oc get users
+            if [ ! -d ${OS_O_A_L_DIR}/temp ] ; then
+                mkdir -p ${OS_O_A_L_DIR}/temp
+            fi
+            local htpwargs="-b"
+            if [ ! -f ${OS_O_A_L_DIR}/temp/htpw.file ] ; then
+                htpwargs="$htpwargs -c"
+            fi
+            htpasswd $htpwargs ${OS_O_A_L_DIR}/temp/htpw.file "$username" "$pwd"
+            addeduser=true
+        fi
+        username=""
+        pwd=""
+        isadmin=""
+    done
+    if [ "${addeduser:-false}" = true ] ; then
+        # set management state to managed for auth operator
+        local mgmtstate=$( oc get authentication.operator cluster -o jsonpath='{.spec.managementState}' )
+        if [ "$mgmtstate" != Managed ] ; then
+            oc patch authentication.operator cluster --type=merge -p "{\"spec\":{\"managementState\": \"Managed\"}}"
+        fi
+        # kick the console pods because they cache oauth metadata (temporary, should not be required)
+        oc delete pods -n openshift-console --all --force --grace-period=0
+
+        # kick the monitoring pods because they cache oauth metadata (temporary, should not be required)
+        oc delete pods -n openshift-monitoring --all --force --grace-period=0
+
+        # see if there is already an htpass-secret - if so, delete it and recreate it
+        if oc -n openshift-config get secret htpass-secret > /dev/null 2>&1 ; then
+            oc -n openshift-config delete secret htpass-secret
+            os::cmd::try_until_failure "oc -n openshift-config get secret htpass-secret > /dev/null 2>&1"
+        fi
+        oc -n openshift-config create secret generic htpass-secret --from-file=htpasswd=${OS_O_A_L_DIR}/temp/htpw.file
+        os::cmd::try_until_success "oc -n openshift-config get secret htpass-secret > /dev/null 2>&1"
+        # configure HTPasswd IDP if not already configured
+        if ! oc get oauth -o jsonpath='{.items[*].spec.identityProviders[*].type}' | grep -q -i '^htpasswd$' ; then
+            oc apply -f - <<EOF
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+  name: cluster
+spec:
+  identityProviders:
+  - name: htpassidp
+    challenge: true
+    login: true
+    mappingMethod: claim
+    type: HTPasswd
+    htpasswd:
+      fileData:
+        name: htpass-secret
+EOF
+        fi
+        # fix ca cert in kubeconfig - should not be necessary much longer
+        if [ ! -d ${OS_O_A_L_DIR}/temp ] ; then
+            mkdir -p ${OS_O_A_L_DIR}/temp
+        fi
+        if [ ! -f ${OS_O_A_L_DIR}/temp/tls.crt ] ; then
+            oc -n openshift-ingress-operator extract secret/router-ca --to=${OS_O_A_L_DIR}/temp --keys=tls.crt
+            oc config view --minify -o go-template='{{index .clusters 0 "cluster" "certificate-authority-data" }}' --raw=true | base64 -d > ${OS_O_A_L_DIR}/temp/current-ca.crt
+            cat ${OS_O_A_L_DIR}/temp/tls.crt >> ${OS_O_A_L_DIR}/temp/current-ca.crt
+            for cluster in $( oc config get-clusters | grep -v NAME ) ; do
+                oc config set-cluster "$cluster" --certificate-authority=${OS_O_A_L_DIR}/temp/current-ca.crt --embed-certs=true
+            done
+        fi
+        # iterate over the users again, doing the oc login to ensure they exist
+        while [ -n "${1:-}" ] ; do
+            username="$1" ; shift
+            pwd="$1" ; shift
+            isadmin="$1"; shift
+            local existinguser=""
+            local skip=""
+            if [ -n "$existingusers" ] ; then
+                for existinguser in $existingusers ; do
+                    if [ "$existinguser" = "$username" ] ; then
+                        skip=true
+                    fi
+                done
+            fi
+            if [ "${skip:-false}" = true ] ; then
+                continue
+            fi
+            # wait until oc login succeeds
+            os::cmd::try_until_success "oc login -u '$username' -p '$pwd'" $((3 * minute)) 3
+            oc login -u system:admin
+            if [ $isadmin = true ] ; then
+                echo adding cluster-admin role to user "$username"
+                oc adm policy add-cluster-role-to-user cluster-admin "$username"
+            else
+                echo user "$username" is not an admin user
+            fi
+        done
+    fi
+}
+
 # set the test_token, test_name, and test_ip for token auth
 function get_test_user_token() {
     local current_project; current_project="$( oc project -q )"
+    create_users ${1:-${LOG_ADMIN_USER:-admin}} ${2:-${LOG_ADMIN_PW:-admin}} ${3:-true}
     oc login --username=${1:-${LOG_ADMIN_USER:-admin}} --password=${2:-${LOG_ADMIN_PW:-admin}} > /dev/null
     test_token="$(oc whoami -t)"
     test_name="$(oc whoami)"
diff --git a/openshift/ci-operator/build-image/Dockerfile b/openshift/ci-operator/build-image/Dockerfile
@@ -3,4 +3,4 @@
 FROM openshift/origin-release:golang-1.10
 
 RUN yum -y install epel-release && \
-  yum -y install jq bc sudo
+  yum -y install jq bc sudo httpd-tools procps-ng
diff --git a/openshift/ci-operator/build-image/Dockerfile.full b/openshift/ci-operator/build-image/Dockerfile.full
@@ -6,7 +6,7 @@
 FROM openshift/origin-release:golang-1.10
 
 RUN yum -y install epel-release && \
-  yum -y install jq bc sudo
+  yum -y install jq bc sudo httpd-tools procps-ng coreutils
 
 RUN mkdir -p /go/src/github.com/openshift/origin-aggregated-logging/
 ADD Makefile /go/src/github.com/openshift/origin-aggregated-logging/
diff --git a/openshift/ci-operator/build-image/launch-e2e-test.sh b/openshift/ci-operator/build-image/launch-e2e-test.sh
@@ -16,6 +16,15 @@ fi
 if ! type -p sudo > /dev/null 2>&1 ; then
     pkgs="$pkgs sudo"
 fi
+if ! type -p htpasswd > /dev/null 2>&1 ; then
+    pkgs="$pkgs httpd-tools"
+fi
+if ! type -p watch > /dev/null 2>&1 ; then
+    pkgs="$pkgs procps-ng"
+fi
+if ! type -p base64 > /dev/null 2>&1 ; then
+    pkgs="$pkgs coreutils"
+fi
 if [ -n "$pkgs" ] ; then
     yum -y install $pkgs
 fi
diff --git a/test/access_control.sh b/test/access_control.sh
@@ -9,13 +9,17 @@ os::util::environment::use_sudo
 os::test::junit::declare_suite_start "test/access_control"
 
 LOGGING_NS=${LOGGING_NS:-openshift-logging}
+
 espod=$( get_es_pod es )
 esopspod=$( get_es_pod es-ops )
 esopspod=${esopspod:-$espod}
 es_svc=$( get_es_svc es )
 es_ops_svc=$( get_es_svc es-ops )
 es_ops_svc=${es_ops_svc:-$es_svc}
 
+# enable debug logging for searchguard and o-e-plugin
+#curl_es $es_svc /_cluster/settings -XPUT -d '{"transient":{"logger.com.floragunn.searchguard":"TRACE","logger.io.fabric8.elasticsearch":"TRACE"}}'
+
 delete_users=""
 REUSE=${REUSE:-false}
 
@@ -28,6 +32,11 @@ function cleanup() {
         done
     fi
     if [ -n "${espod:-}" ] ; then
+        oc exec -c elasticsearch $espod -- es_acl get --doc=roles > $ARTIFACT_DIR/roles
+        oc exec -c elasticsearch $espod -- es_acl get --doc=rolesmapping > $ARTIFACT_DIR/rolesmapping
+        oc exec -c elasticsearch $espod -- es_acl get --doc=actiongroups > $ARTIFACT_DIR/actiongroups
+        oc logs -c elasticsearch $espod > $ARTIFACT_DIR/es.log
+        oc exec -c elasticsearch $espod -- logs >> $ARTIFACT_DIR/es.log
         curl_es_pod $espod /project.access-control-* -XDELETE > /dev/null
     fi
     for proj in access-control-1 access-control-2 access-control-3 ; do
@@ -49,10 +58,9 @@ function create_user_and_assign_to_projects() {
         os::log::info Using existing user $user
     else
         os::log::info Creating user $user with password $pw
-        oc login --username=$user --password=$pw 2>&1 | artifact_out
+        create_users "$user" "$pw" false 2>&1 | artifact_out
         delete_users="$delete_users $user"
     fi
-    oc login --username=system:admin 2>&1 | artifact_out
     os::log::info Assigning user to projects "$@"
     while [ -n "${1:-}" ] ; do
         oc project $1 2>&1 | artifact_out
@@ -107,7 +115,7 @@ function test_user_has_proper_access() {
     if [ "$espod" = "$esopspod" ] ; then
         esopshost=$eshost
     fi
-    get_test_user_token $user $pw
+    get_test_user_token $user $pw false
     for proj in "$@" ; do
         if [ "$proj" = "--" ] ; then
             expected=0
@@ -136,12 +144,28 @@ function test_user_has_proper_access() {
             # make sure no access with incorrect auth
             # bogus token
             os::log::info Checking access providing bogus token
-            os::cmd::expect_success_and_text "curl_es_pod_with_token $espod '/project.$proj.*/_count' BOGUS -w '%{response_code}\n'" '401$'
-            os::cmd::expect_success_and_text "curl_es_from_kibana $kpod $eshost '/project.$proj.*/_count' BOGUS -w '%{response_code}\n'" '.*403$'
+            if ! os::cmd::expect_success_and_text "curl_es_pod_with_token $espod '/project.$proj.*/_count' BOGUS -w '%{response_code}\n'" '401$'; then
+                os::log::error invalid access from es with BOGUS token
+                curl_es_pod_with_token $espod "/project.$proj.*/_count" BOGUS -v || :
+                exit 1
+            fi
+            if ! os::cmd::expect_success_and_text "curl_es_from_kibana $kpod $eshost '/project.$proj.*/_count' BOGUS -w '%{response_code}\n'" '.*403$'; then
+                os::log::error invalid access from kibana with BOGUS token
+                curl_es_from_kibana $kpod $eshost "/project.$proj.*/_count" BOGUS -v || :
+                exit 1
+            fi
             # no token
             os::log::info Checking access providing no username or token
-            os::cmd::expect_success_and_text "curl_es_pod_with_token $espod '/project.$proj.*/_count' '' -w '%{response_code}\n'" '401$'
-            os::cmd::expect_success_and_text "curl_es_from_kibana $kpod $eshost '/project.$proj.*/_count' '' -w '%{response_code}\n' -o /dev/null" '403$'
+            if ! os::cmd::expect_success_and_text "curl_es_pod_with_token $espod '/project.$proj.*/_count' '' -w '%{response_code}\n'" '401$'; then
+                os::log::error invalid access from es with empty token
+                curl_es_pod_with_token $espod "/project.$proj.*/_count" "" -v || :
+                exit 1
+            fi
+            if ! os::cmd::expect_success_and_text "curl_es_from_kibana $kpod $eshost '/project.$proj.*/_count' '' -w '%{response_code}\n' -o /dev/null" '403$'; then
+                os::log::error invalid access from kibana with empty token
+                curl_es_from_kibana $kpod $eshost "/project.$proj.*/_count" "" -v || :
+                exit 1
+            fi
         fi
     done
 
@@ -186,21 +210,6 @@ done
 LOG_ADMIN_USER=${LOG_ADMIN_USER:-admin}
 LOG_ADMIN_PW=${LOG_ADMIN_PW:-admin}
 
-if oc get users "$LOG_ADMIN_USER" > /dev/null 2>&1 ; then
-    echo Using existing admin user $LOG_ADMIN_USER 2>&1 | artifact_out
-else
-    os::log::info Creating cluster-admin user $LOG_ADMIN_USER
-    current_project="$( oc project -q )"
-    oc login --username=$LOG_ADMIN_USER --password=$LOG_ADMIN_PW 2>&1 | artifact_out
-    oc login --username=system:admin 2>&1 | artifact_out
-    oc project $current_project 2>&1 | artifact_out
-fi
-oc adm policy add-cluster-role-to-user cluster-admin $LOG_ADMIN_USER 2>&1 | artifact_out
-os::log::info workaround access_control admin failures - sleep 60 seconds to allow system to process cluster role setting
-sleep 60
-oc policy can-i '*' '*' --user=$LOG_ADMIN_USER 2>&1 | artifact_out
-oc get users 2>&1 | artifact_out
-
 # if you ever want to run this test again on the same machine, you'll need to
 # use different usernames, otherwise you'll get this odd error:
 # # oc login --username=loguser --password=loguser
@@ -212,6 +221,13 @@ LOG_NORMAL_PW=${LOG_NORMAL_PW:-loguserac-$RANDOM}
 LOG_USER2=${LOG_USER2:-loguser2ac-$RANDOM}
 LOG_PW2=${LOG_PW2:-loguser2ac-$RANDOM}
 
+create_users $LOG_NORMAL_USER $LOG_NORMAL_PW false $LOG_USER2 $LOG_PW2 false $LOG_ADMIN_USER $LOG_ADMIN_PW true 2>&1 | artifact_out
+
+os::log::info workaround access_control admin failures - sleep 60 seconds to allow system to process cluster role setting
+sleep 60
+oc auth can-i '*' '*' --user=$LOG_ADMIN_USER 2>&1 | artifact_out
+oc get users 2>&1 | artifact_out
+
 create_user_and_assign_to_projects $LOG_NORMAL_USER $LOG_NORMAL_PW access-control-1 access-control-2
 create_user_and_assign_to_projects $LOG_USER2 $LOG_PW2 access-control-2 access-control-3
 
@@ -227,7 +243,7 @@ if [ ${LOGGING_NS} = "logging" ] ; then
 fi
 
 os::log::info now auth using admin + token
-get_test_user_token $LOG_ADMIN_USER $LOG_ADMIN_PW
+get_test_user_token $LOG_ADMIN_USER $LOG_ADMIN_PW true
 if [ ${LOGGING_NS} = "logging" ] && [ $espod != $esopspod] ; then
   nrecs=$( curl_es_pod_with_token $espod "/${logging_index}/_count" $test_token | get_count_from_json )
   os::cmd::expect_success "test $nrecs -gt 1"
diff --git a/test/cluster/functionality.sh b/test/cluster/functionality.sh
@@ -43,6 +43,7 @@ os::test::junit::declare_suite_start "test/cluster/functionality"
 # We need to use a name and token for logging checks later,
 # so we have to provision a user with a token for this.
 # TODO: Why is this necessary?
+create_users ${LOG_ADMIN_USER:-admin} ${LOG_ADMIN_PW:-admin} true
 os::cmd::expect_success "oc login --username=${LOG_ADMIN_USER:-admin} --password=${LOG_ADMIN_PW:-admin}"
 test_user="$( oc whoami )"
 test_token="$( oc whoami -t )"
@@ -118,7 +119,7 @@ for elasticsearch_pod in $( get_es_pod ${OAL_ELASTICSEARCH_COMPONENT} ); do
 		for kibana_pod in $( oc get pods --selector component="${OAL_KIBANA_COMPONENT}"  -o jsonpath='{ .items[*].metadata.name }' ); do
 			os::log::info "Checking for index ${index} with Kibana pod ${kibana_pod}..."
 			# As we're checking system log files, we need to use `sudo`
-			os::cmd::expect_success "sudo -E VERBOSE=true go run '${OS_O_A_L_DIR}/hack/testing/check-logs.go' '${kibana_pod}' '${elasticsearch_api}' '${index}' '${index_search_path}' '${query_size}' '${test_user}' '${test_token}' '${test_ip}'"
+			os::cmd::expect_success "sudo -E env PATH=$PATH VERBOSE=true go run '${OS_O_A_L_DIR}/hack/testing/check-logs.go' '${kibana_pod}' '${elasticsearch_api}' '${index}' '${index_search_path}' '${query_size}' '${test_user}' '${test_token}' '${test_ip}'"
 		done
 	done
 
diff --git a/test/kibana_dashboards.sh b/test/kibana_dashboards.sh
@@ -30,12 +30,8 @@ if oc get users "$LOG_ADMIN_USER" > /dev/null 2>&1 ; then
     os::log::debug Using existing user $LOG_ADMIN_USER
 else
     os::log::info Creating cluster-admin user $LOG_ADMIN_USER
-    current_project="$( oc project -q )"
-    os::log::debug "$( oc login --username=$LOG_ADMIN_USER --password=$LOG_ADMIN_PW )"
-    os::log::debug "$( oc login --username=system:admin )"
-    os::log::debug "$( oc project $current_project )"
+    create_users $LOG_ADMIN_USER $LOG_ADMIN_PW true 2>&1 | artifact_out
 fi
-os::log::debug "$( oc adm policy add-cluster-role-to-user cluster-admin $LOG_ADMIN_USER )"
 
 function cleanup() {
     set +e
@@ -53,7 +49,7 @@ done
 
 # use admin user created in logging framework
 # make sure admin kibana index exists - log in to ES as admin user
-get_test_user_token $LOG_ADMIN_USER $LOG_ADMIN_PW
+get_test_user_token $LOG_ADMIN_USER $LOG_ADMIN_PW true
 for pod in $espod $esopspod ; do
     curl_es_pod_with_token $pod "/" "$test_token" | curl_output
     # add the ui objects
diff --git a/test/multi_tenancy.sh b/test/multi_tenancy.sh
@@ -60,7 +60,7 @@ function create_user_and_assign_to_projects() {
         os::log::info Using existing user $user
     else
         os::log::info Creating user $user with password $pw
-        oc login --username=$user --password=$pw 2>&1 | artifact_out
+        create_users $user $pw false 2>&1 | artifact_out
         delete_users="$delete_users $user"
     fi
     os::log::debug "$( oc login --username=system:admin 2>&1 )"
@@ -90,7 +90,7 @@ function test_user_has_proper_access() {
     # rest - indices to which access should be granted
     for proj in "$@" ; do
         os::log::info See if user $user can read /project.$proj.*
-        get_test_user_token $user $pw
+        get_test_user_token $user $pw false
         nrecs=$( curl_es_pod_with_token $espod "/project.$proj.*/_count" $test_token | \
                      get_count_from_json )
         if ! os::cmd::expect_success "test $nrecs = 1" ; then
@@ -108,7 +108,7 @@ function test_user_has_proper_access() {
 
     # test user has access for msearch for multiple indices
     os::log::info See if user $user can _msearch "$indices"
-    get_test_user_token $user $pw
+    get_test_user_token $user $pw false
     nrecs=$( { echo '{"index":'"${indices}"'}'; echo '{"size":0,"query":{"match_all":{}}}'; } | \
                      curl_es_pod_with_token_and_input $espod "/_msearch" $test_token -XPOST --data-binary @- | \
                      get_count_from_json_from_search )
@@ -124,7 +124,7 @@ function test_user_has_proper_access() {
 
     # verify normal user has no access to default indices
     os::log::info See if user $user is denied /project.default.*
-    get_test_user_token $user $pw
+    get_test_user_token $user $pw false
     nrecs=$( curl_es_pod_with_token $espod "/project.default.*/_count" $test_token | \
                  get_count_from_json )
     if ! os::cmd::expect_success "test $nrecs = 0" ; then
@@ -135,7 +135,7 @@ function test_user_has_proper_access() {
 
     # verify normal user has no access to .operations
     os::log::info See if user $user is denied /.operations.*
-    get_test_user_token $user $pw
+    get_test_user_token $user $pw false
     nrecs=$( curl_es_pod_with_token $esopspod "/.operations.*/_count" $test_token | \
                  get_count_from_json )
     if ! os::cmd::expect_success "test $nrecs = 0" ; then
@@ -165,6 +165,7 @@ LOG_NORMAL_PW=${LOG_NORMAL_PW:-loguser1-$RANDOM}
 LOG_USER2=${LOG_USER2:-loguser2-$RANDOM}
 LOG_PW2=${LOG_PW2:-loguser2-$RANDOM}
 
+create_users $LOG_NORMAL_USER $LOG_NORMAL_PW false $LOG_USER2 $LOG_PW2 false 2>&1 | artifact_out
 create_user_and_assign_to_projects $LOG_NORMAL_USER $LOG_NORMAL_PW multi-tenancy-1 multi-tenancy-2
 create_user_and_assign_to_projects $LOG_USER2 $LOG_PW2 multi-tenancy-2 multi-tenancy-3
 
