From cd93844db2fd8a9901fbf4df3b597b138af6e042 Mon Sep 17 00:00:00 2001 From: BjornMagnussonXA Date: Wed, 11 May 2022 10:01:24 +0200 Subject: [PATCH] Added JWT handling to a1pms Fixed issue with mounting files to docker containers Minor follow john for ics Issue-ID: NONRTRIC-748 Signed-off-by: BjornMagnussonXA Change-Id: I28ef9d1e0734c70c06f4e6980b11cde56f2db372 --- test/auto-test/FTC100.sh | 129 +++++++++++++++++++--- test/auto-test/FTC1100.sh | 75 +++++++++---- test/auto-test/FTC1800.sh | 4 +- test/common/a1pms_api_functions.sh | 21 +++- test/common/cr_api_functions.sh | 8 +- test/common/ics_api_functions.sh | 1 + test/common/istio_api_functions.sh | 22 +++- test/common/keycloak_api_functions.sh | 108 +++++++++++------- test/common/ricsim_api_functions.sh | 18 ++- test/common/test_env-oran-f-release.sh | 2 +- test/common/testcase_common.sh | 17 ++- test/http-https-proxy/http_proxy.js | 2 +- test/simulator-group/a1pms/app.yaml | 27 +++++ test/simulator-group/a1pms/application.yaml | 1 + test/simulator-group/a1pms/application2.yaml | 1 + test/simulator-group/a1pms/mnt/.gitignore | 18 +++ test/simulator-group/control_panel/mnt/.gitignore | 16 +++ test/simulator-group/ics/mnt/.gitignore | 5 +- test/simulator-group/istio/ap-role-snippet.yaml | 3 + test/simulator-group/ngw/mnt/.gitignore | 16 +++ 20 files changed, 395 insertions(+), 99 deletions(-) create mode 100644 test/simulator-group/a1pms/mnt/.gitignore create mode 100644 test/simulator-group/istio/ap-role-snippet.yaml diff --git a/test/auto-test/FTC100.sh b/test/auto-test/FTC100.sh index 55f7d824..dfcee332 100755 --- a/test/auto-test/FTC100.sh +++ b/test/auto-test/FTC100.sh 
@@ -20,11 +20,17 @@ TC_ONELINE_DESCR="Full a1pms API walkthrough using a1pms REST/DMAAP and with/without SDNC A1 Controller" +USE_ISTIO=1 + #App names to include in the test when running docker, space separated list DOCKER_INCLUDED_IMAGES="CBS CONSUL CP CR MR A1PMS RICSIM SDNC NGW KUBEPROXY" #App names to include in the test when running kubernetes, space separated list -KUBE_INCLUDED_IMAGES="CP CR MR A1PMS RICSIM SDNC KUBEPROXY NGW" +if [ $USE_ISTIO -eq 0 ]; then + KUBE_INCLUDED_IMAGES="CP CR MR A1PMS RICSIM SDNC KUBEPROXY NGW" +else + KUBE_INCLUDED_IMAGES="CP CR MR A1PMS RICSIM SDNC KUBEPROXY NGW KEYCLOAK ISTIO AUTHSIDECAR" +fi #Prestarted app (not started by script) to include in the test when running kubernetes, space separated list KUBE_PRESTARTED_IMAGES="" @@ -46,11 +52,25 @@ setup_testenvironment generate_policy_uuid -# Tested variants of REST/DMAAP/SDNC config -TESTED_VARIANTS="REST DMAAP REST+SDNC DMAAP+SDNC" - -#Test a1pms and simulator protocol versions (others are http only) -TESTED_PROTOCOLS="HTTP HTTPS" +if [ $USE_ISTIO -eq 0 ]; then + # Tested variants of REST/DMAAP/SDNC config + TESTED_VARIANTS="REST DMAAP REST+SDNC DMAAP+SDNC" + + #Test a1pms and simulator protocol versions (others are http only) + TESTED_PROTOCOLS="HTTP HTTPS" +else + if [ $USE_ISTIO -eq 1 ]; then + echo -e $RED"#########################################"$ERED + echo -e $RED"# No test of https when running with istio"$ERED + echo -e $RED"# No test of SDNC when running with istio"$ERED + echo -e $RED"#########################################"$ERED + fi + # Tested variants of REST/DMAAP/SDNC config + TESTED_VARIANTS="REST DMAAP" + + #Test a1pms and simulator protocol versions (others are http only) + TESTED_PROTOCOLS="HTTP" +fi for __httpx in $TESTED_PROTOCOLS ; do for interface in $TESTED_VARIANTS ; do 
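Review bot: With `USE_ISTIO=1` hard-coded at the top of the file, the new else branch that sets `TESTED_VARIANTS="REST DMAAP"` and `TESTED_PROTOCOLS="HTTP"` becomes the default, so a plain run of FTC100 no longer exercises HTTPS or the SDNC path at all. Consider taking the switch from the environment, e.g. `USE_ISTIO=${USE_ISTIO:-0}`, so the TLS and SDNC variants stay in the default matrix and the istio run is an explicit opt-in. The inner `if [ $USE_ISTIO -eq 1 ]` only guards the banner and is reached only when the value is not 0, so it is redundant unless values other than 0/1 are expected; the unquoted `$USE_ISTIO` inside `[ ... -eq ... ]` also errors on an empty value, which `[[ "$USE_ISTIO" -eq 0 ]]` avoids.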
@@ -64,8 +84,80 @@ for __httpx in $TESTED_PROTOCOLS ; do # Clean container and start all needed containers # clean_environment + if [ $RUNMODE != "KUBE" ]; then + USE_ISTIO=0 + echo "ISTIO not supported by docker - setting USE-ISTIO=0" + fi + + if [ $USE_ISTIO -eq 1 ]; then + echo -e $RED"#########################################"$ERED + echo -e $RED"# Work around istio jwks cache"$ERED + echo -e $RED"# Cycle istiod down and up to clear cache"$ERED + echo "" + __kube_scale deployment istiod istio-system 0 + __kube_scale deployment istiod istio-system 1 + echo -e $RED"# Cycle istiod done" + echo -e $RED"#########################################"$ERED + + istio_enable_istio_namespace $KUBE_SIM_NAMESPACE + istio_enable_istio_namespace $KUBE_NONRTRIC_NAMESPACE + istio_enable_istio_namespace $KUBE_A1SIM_NAMESPACE + fi + + start_kube_proxy + if [ $USE_ISTIO -eq 1 ]; then + start_keycloak + + keycloak_api_obtain_admin_token + + keycloak_api_create_realm nrtrealm true 60 + keycloak_api_create_confidential_client nrtrealm a1pmsc + keycloak_api_generate_client_secret nrtrealm a1pmsc + keycloak_api_get_client_secret nrtrealm a1pmsc + keycloak_api_create_client_roles nrtrealm a1pmsc nrtrole + keycloak_api_map_client_roles nrtrealm a1pmsc nrtrole + + keycloak_api_get_client_token nrtrealm a1pmsc + + CLIENT_TOKEN=$(keycloak_api_read_client_token nrtrealm a1pmsc) + echo "CLIENT_TOKEN: "$CLIENT_TOKEN + + A1PMS_SEC=$(keycloak_api_read_client_secret nrtrealm a1pmsc) + echo "A1PMS_SEC: "$A1PMS_SEC + + # Protect ricsim-g3 + istio_req_auth_by_jwks ricsim-g1 $KUBE_A1SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS" + istio_auth_policy_by_issuer ricsim-g1 $KUBE_A1SIM_NAMESPACE KUBEPROXY + + istio_req_auth_by_jwksuri ricsim-g1 $KUBE_A1SIM_NAMESPACE nrtrealm + istio_auth_policy_by_realm ricsim-g1 $KUBE_A1SIM_NAMESPACE nrtrealm a1pmsc nrtrole + + # Protect ricsim-g2 + istio_req_auth_by_jwks ricsim-g2 $KUBE_A1SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS" + 
istio_auth_policy_by_issuer ricsim-g2 $KUBE_A1SIM_NAMESPACE KUBEPROXY + + istio_req_auth_by_jwksuri ricsim-g2 $KUBE_A1SIM_NAMESPACE nrtrealm + istio_auth_policy_by_realm ricsim-g2 $KUBE_A1SIM_NAMESPACE nrtrealm a1pmsc nrtrole + + # Protect ricsim-g3 + istio_req_auth_by_jwks ricsim-g3 $KUBE_A1SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS" + istio_auth_policy_by_issuer ricsim-g3 $KUBE_A1SIM_NAMESPACE KUBEPROXY + + istio_req_auth_by_jwksuri ricsim-g3 $KUBE_A1SIM_NAMESPACE nrtrealm + istio_auth_policy_by_realm ricsim-g3 $KUBE_A1SIM_NAMESPACE nrtrealm a1pmsc nrtrole + + # Protect CR + istio_req_auth_by_jwks $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS" + istio_auth_policy_by_issuer $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY + + istio_req_auth_by_jwksuri $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm + istio_auth_policy_by_realm $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm a1pmsc nrtrole + + a1pms_configure_sec nrtrealm a1pmsc $A1PMS_SEC + fi + if [ $__httpx == "HTTPS" ]; then use_cr_https use_a1pms_rest_https 
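Review bot: The istio branch prints the Keycloak client token and client secret to stdout with `echo "CLIENT_TOKEN: "$CLIENT_TOKEN` and `echo "A1PMS_SEC: "$A1PMS_SEC`, so both credentials end up in the console log and in any CI artifact that captures it; drop the echoes or print only a length or a short fingerprint. The `USE_ISTIO=0` override for non-KUBE runs happens here inside the loop, after `TESTED_VARIANTS`/`TESTED_PROTOCOLS` were already chosen at the top of the file, so a docker run still loses the HTTPS and SDNC variants even though istio is disabled; the RUNMODE check belongs before the variant selection. The comment `# Protect ricsim-g3` above the first block should read `# Protect ricsim-g1`. The enclosing `for interface` loop starts outside the hunk.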
@@ -585,18 +677,19 @@ for __httpx in $TESTED_PROTOCOLS ; do else mr_equal requests_submitted 0 fi - - if [[ $interface = *"SDNC"* ]]; then - sim_contains_str ricsim_g1_1 remote_hosts $SDNC_APP_NAME - sim_contains_str ricsim_g2_1 remote_hosts $SDNC_APP_NAME - if [ "$A1PMS_VERSION" == "V2" ]; then - sim_contains_str ricsim_g3_1 remote_hosts $SDNC_APP_NAME - fi - else - sim_contains_str ricsim_g1_1 remote_hosts $A1PMS_APP_NAME - sim_contains_str ricsim_g2_1 remote_hosts $A1PMS_APP_NAME - if [ "$A1PMS_VERSION" == "V2" ]; then - sim_contains_str ricsim_g3_1 remote_hosts $A1PMS_APP_NAME + if [ $USE_ISTIO -eq 0 ]; then + if [[ $interface = *"SDNC"* ]]; then + sim_contains_str ricsim_g1_1 remote_hosts $SDNC_APP_NAME + sim_contains_str ricsim_g2_1 remote_hosts $SDNC_APP_NAME + if [ "$A1PMS_VERSION" == "V2" ]; then + sim_contains_str ricsim_g3_1 remote_hosts $SDNC_APP_NAME + fi + else + sim_contains_str ricsim_g1_1 remote_hosts $A1PMS_APP_NAME + sim_contains_str ricsim_g2_1 remote_hosts $A1PMS_APP_NAME + if [ "$A1PMS_VERSION" == "V2" ]; then + sim_contains_str ricsim_g3_1 remote_hosts $A1PMS_APP_NAME + fi fi fi diff --git a/test/auto-test/FTC1100.sh b/test/auto-test/FTC1100.sh index 82bb8dd3..b8c30451 100755 --- a/test/auto-test/FTC1100.sh +++ b/test/auto-test/FTC1100.sh @@ -68,6 +68,7 @@ if [ $USE_ISTIO -eq 1 ]; then __kube_scale deployment istiod istio-system 1 echo -e $RED"# Cycle istiod done" echo -e $RED"#########################################"$ERED + echo "" istio_enable_istio_namespace $KUBE_SIM_NAMESPACE istio_enable_istio_namespace $KUBE_NONRTRIC_NAMESPACE @@ -106,6 +107,8 @@ if [ $USE_ISTIO -eq 1 ]; then keycloak_api_create_confidential_client nrtrealm icsc keycloak_api_generate_client_secret nrtrealm icsc keycloak_api_get_client_secret nrtrealm icsc + keycloak_api_create_client_roles nrtrealm icsc nrtrole + keycloak_api_map_client_roles nrtrealm icsc nrtrole keycloak_api_get_client_token nrtrealm icsc 
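Review bot: The wrapped `sim_contains_str ... remote_hosts ...` checks are now skipped entirely when `USE_ISTIO` is 1, but nothing in the hunk says why, so the next reader cannot tell a deliberate omission from a forgotten one. Add a comment above the new `if [ $USE_ISTIO -eq 0 ]; then`, e.g. `# remote_hosts not verified with istio: the simulator presumably sees the sidecar proxy as peer rather than a1pms/sdnc - confirm`. If the expected peer under istio is known, a positive assertion for that case would keep the check from disappearing silently. The enclosing interface loop starts outside the hunk.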
@@ -119,13 +122,13 @@ if [ $USE_ISTIO -eq 1 ]; then istio_auth_policy_by_issuer $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY istio_req_auth_by_jwksuri $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm - istio_auth_policy_by_realm $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm + istio_auth_policy_by_realm $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm icsc nrtrole istio_req_auth_by_jwks $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS" istio_auth_policy_by_issuer $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY istio_req_auth_by_jwksuri $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm - istio_auth_policy_by_realm $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm + istio_auth_policy_by_realm $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm icsc nrtrole ics_configure_sec nrtrealm icsc $ICS_SEC @@ -153,6 +156,11 @@ fi start_cr 1 +if [ $USE_ISTIO -eq 1 ]; then + echo "Sleep 120 to let istio settle - enabling istio on workloads may cause initial dns disturbances - temporary unavailable dns names" + sleep 120 +fi + CB_JOB="$PROD_STUB_SERVICE_PATH$PROD_STUB_JOB_CALLBACK" CB_SV="$PROD_STUB_SERVICE_PATH$PROD_STUB_SUPERVISION_CALLBACK" #Targets for ei jobs @@ -1446,7 +1454,7 @@ ics_api_edp_get_type_2 200 type101 testdata/ics/info-type-1.json ics_api_edp_put_producer_2 201 prod-ia $CB_JOB/prod-ia $CB_SV/prod-ia type101 ics_api_edp_put_producer_2 200 prod-ia $CB_JOB/prod-ia $CB_SV/prod-ia type101 -if [[ "$ICS_FEATURE_LEVEL" == *"RESP_CODE_CHANGE_1" ]]; then +if [[ "$ICS_FEATURE_LEVEL" == *"RESP_CODE_CHANGE_1"* ]]; then ics_api_edp_delete_type_2 409 type101 else ics_api_edp_delete_type_2 406 type101 
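Review bot: The fixed `sleep 120` added after `start_cr 1` waits two minutes on every istio run whether or not DNS has settled, and if the disturbance lasts longer the following calls still fail. A bounded poll that retries the first service call (or a lookup of the names used next) until it succeeds, with an overall timeout, is faster in the common case and more robust. If the sleep is kept, the message already states the reason; consider also making the duration a named variable so it can be tuned per environment.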
@@ -1966,25 +1974,44 @@ else cr_equal 0 received_callbacks 12 fi ### Test of pre and post validation +if [[ "$ICS_FEATURE_LEVEL" != *"DEFAULT_TYPE_VALIDATION"* ]]; then + ics_api_idc_get_type_ids 200 type1 type2 type4 type6 type101 type102 type104 type106 + ics_api_idc_put_job 404 job150 type150 $TARGET150 info-owner-1 $INFOSTATUS150 testdata/ics/job-template.json VALIDATE + ics_api_idc_put_job 201 job160 type160 $TARGET160 info-owner-1 $INFOSTATUS160 testdata/ics/job-template.json -ics_api_idc_get_type_ids 200 type1 type2 type4 type6 type101 type102 type104 type106 -ics_api_idc_put_job 404 job150 type150 $TARGET150 info-owner-1 $INFOSTATUS150 testdata/ics/job-template.json VALIDATE -ics_api_idc_put_job 201 job160 type160 $TARGET160 info-owner-1 $INFOSTATUS160 testdata/ics/job-template.json -ics_api_idc_get_job_status2 404 job150 -ics_api_idc_get_job_status2 200 job160 DISABLED EMPTYPROD 60 + ics_api_idc_get_job_status2 404 job150 + ics_api_idc_get_job_status2 200 job160 DISABLED EMPTYPROD 60 -prodstub_arm_producer 200 prod-ig -prodstub_arm_job_create 200 prod-ig job150 -prodstub_arm_job_create 200 prod-ig job160 + prodstub_arm_producer 200 prod-ig + prodstub_arm_job_create 200 prod-ig job150 + prodstub_arm_job_create 200 prod-ig job160 -ics_api_edp_put_producer_2 201 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig NOTYPE -ics_api_edp_get_producer_status 200 prod-ig ENABLED 360 + ics_api_edp_put_producer_2 201 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig NOTYPE + ics_api_edp_get_producer_status 200 prod-ig ENABLED 360 -ics_api_edp_get_producer_2 200 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig EMPTY + ics_api_edp_get_producer_2 200 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig EMPTY -ics_api_idc_get_job_status2 404 job150 -ics_api_idc_get_job_status2 200 job160 DISABLED EMPTYPROD 60 + ics_api_idc_get_job_status2 404 job150 + ics_api_idc_get_job_status2 200 job160 DISABLED EMPTYPROD 60 +else + ics_api_idc_get_type_ids 200 type1 type2 type4 type6 type101 type102 type104 type106 + 
ics_api_idc_put_job 404 job150 type150 $TARGET150 info-owner-1 $INFOSTATUS150 testdata/ics/job-template.json VALIDATE + + ics_api_idc_get_job_status2 404 job150 + + prodstub_arm_producer 200 prod-ig + prodstub_arm_job_create 200 prod-ig job150 + prodstub_arm_job_create 200 prod-ig job160 + + ics_api_edp_put_producer_2 201 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig NOTYPE + ics_api_edp_get_producer_status 200 prod-ig ENABLED 360 + + ics_api_edp_get_producer_2 200 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig EMPTY + + ics_api_idc_get_job_status2 404 job150 + #ics_api_idc_get_job_status2 200 job160 DISABLED EMPTYPROD 60 +fi prodstub_arm_type 200 prod-ig type160 @@ -1998,12 +2025,14 @@ ics_api_edp_get_producer_2 200 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig type160 ics_api_idc_put_job 404 job150 type150 $TARGET150 info-owner-1 $INFOSTATUS150 testdata/ics/job-template.json VALIDATE ics_api_idc_get_job_status2 404 job150 -ics_api_idc_get_job_status2 200 job160 ENABLED 1 prod-ig 60 +if [[ "$ICS_FEATURE_LEVEL" != *"DEFAULT_TYPE_VALIDATION"* ]]; then + ics_api_idc_get_job_status2 200 job160 ENABLED 1 prod-ig 60 -prodstub_check_jobdata_3 200 prod-ig job160 type160 $TARGET160 info-owner-1 testdata/ics/job-template.json + prodstub_check_jobdata_3 200 prod-ig job160 type160 $TARGET160 info-owner-1 testdata/ics/job-template.json -prodstub_equal create/prod-ig/job160 1 -prodstub_equal delete/prod-ig/job160 0 + prodstub_equal create/prod-ig/job160 1 + prodstub_equal delete/prod-ig/job160 0 +fi prodstub_arm_type 200 prod-ig type150 @@ -2023,6 +2052,10 @@ ics_api_edp_get_producer_status 200 prod-ig ENABLED 360 ics_api_edp_get_producer_2 200 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig type160 type150 +if [[ "$ICS_FEATURE_LEVEL" == *"DEFAULT_TYPE_VALIDATION"* ]]; then + ics_api_idc_put_job 201 job160 type160 $TARGET160 info-owner-1 $INFOSTATUS160 testdata/ics/job-template.json +fi + ics_api_idc_get_job_status2 404 job150 ics_api_idc_get_job_status2 200 job160 ENABLED 1 prod-ig 
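Review bot: The new else branch for `DEFAULT_TYPE_VALIDATION` repeats the whole pre/post-validation sequence; the only differences are the `ics_api_idc_put_job 201 job160 ...` call and the two `ics_api_idc_get_job_status2 200 job160 ...` checks, one of which survives as the commented-out line `#ics_api_idc_get_job_status2 200 job160 DISABLED EMPTYPROD 60`. Keep the shared calls (`ics_api_idc_get_type_ids`, the `prodstub_arm_*` calls, `ics_api_edp_put_producer_2`, `ics_api_edp_get_producer_status`, `ics_api_edp_get_producer_2`) unconditional and wrap only the job160-specific lines in the feature check, as the later hunk at line 1998 already does. Either delete the commented-out check or replace it with a one-line comment stating why that status check does not apply under default type validation.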
@@ -2042,7 +2075,7 @@ fi if [[ "$ICS_FEATURE_LEVEL" == *"TYPE-SUBSCRIPTIONS"* ]]; then - if [[ "$ICS_FEATURE_LEVEL" == *"RESP_CODE_CHANGE_1" ]]; then + if [[ "$ICS_FEATURE_LEVEL" == *"RESP_CODE_CHANGE_1"* ]]; then ics_api_edp_delete_type_2 409 type104 else ics_api_edp_delete_type_2 406 type104 diff --git a/test/auto-test/FTC1800.sh b/test/auto-test/FTC1800.sh index 749ba826..6e1b764b 100755 --- a/test/auto-test/FTC1800.sh +++ b/test/auto-test/FTC1800.sh @@ -359,7 +359,7 @@ fi if [[ "$ICS_FEATURE_LEVEL" == *"TYPE-SUBSCRIPTIONS"* ]]; then - ics_equal json:/data-consumer/v1/info-type-subscription 2 200 + ics_equal json:data-consumer/v1/info-type-subscription 2 200 ics_api_idc_get_subscription_ids 200 owner1 subscription-id-1 ics_api_idc_get_subscription_ids 200 owner2 subscription-id-2 @@ -382,7 +382,7 @@ set_ics_trace if [[ "$ICS_FEATURE_LEVEL" == *"TYPE-SUBSCRIPTIONS"* ]]; then - ics_equal json:/data-consumer/v1/info-type-subscription 2 200 + ics_equal json:data-consumer/v1/info-type-subscription 2 200 ics_api_idc_get_subscription_ids 200 owner1 subscription-id-1 ics_api_idc_get_subscription_ids 200 owner2 subscription-id-2 diff --git a/test/common/a1pms_api_functions.sh b/test/common/a1pms_api_functions.sh index f5397171..8a903b8f 100644 --- a/test/common/a1pms_api_functions.sh +++ b/test/common/a1pms_api_functions.sh @@ -89,6 +89,7 @@ __A1PMS_store_docker_logs() { # args: - __A1PMS_initial_setup() { use_a1pms_rest_http + export A1PMS_SIDECAR_JWT_FILE="" } # Set app short-name, app name and namespace for logging runtime statistics of kubernets pods or docker containers @@ -306,6 +307,10 @@ start_a1pms() { # Create app input_yaml=$SIM_GROUP"/"$A1PMS_COMPOSE_DIR"/"app.yaml output_yaml=$PWD/tmp/a1pmsapp.yaml + if [ -z "$A1PMS_SIDECAR_JWT_FILE" ]; then + cat $input_yaml | sed '/#A1PMS_JWT_START/,/#A1PMS_JWT_STOP/d' > $PWD/tmp/a1pmsapp_tmp.yaml + input_yaml=$PWD/tmp/a1pmsapp_tmp.yaml + fi __kube_create_instance app $A1PMS_APP_NAME $input_yaml $output_yaml fi 
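Review bot: In `start_a1pms` the new `cat $input_yaml | sed '/#A1PMS_JWT_START/,/#A1PMS_JWT_STOP/d' > $PWD/tmp/a1pmsapp_tmp.yaml` pipes through a needless `cat` and ignores sed's exit status, so a missing or unreadable template silently yields an empty manifest that is then handed to `__kube_create_instance`. Write it as `sed '/#A1PMS_JWT_START/,/#A1PMS_JWT_STOP/d' "$input_yaml" > "$PWD/tmp/a1pmsapp_tmp.yaml"` and fail the function when it returns non-zero, in the same way the surrounding code reports errors. The `__A1PMS_initial_setup` hunk above relies on `A1PMS_SIDECAR_JWT_FILE` being exported empty so this `-z` test selects the no-sidecar path; a comment next to the export saying so would tie the two together. start_a1pms starts and ends outside the hunk.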
@@ -346,6 +351,7 @@ start_a1pms() { fi else echo " No files in mounted dir or dir does not exists" + mkdir db fi cd $curdir @@ -542,7 +548,7 @@ prepare_consul_config() { ric_id=${ric%.*.*} #extract pod id from full hosthame ric_id=$(echo "$ric_id" | tr '-' '_') else - if [ $DOCKER_COMPOSE_VERION == "V1" ]; then + if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then ric_id=$ric else ric_id=$(echo "$ric" | tr '-' '_') #ric id still needs underscore as it is different from the container name @@ -2380,4 +2386,17 @@ a1pms_kube_pvc_reset() { __log_test_pass return 0 +} + +# args: +a1pms_configure_sec() { + export A1PMS_CREDS_GRANT_TYPE="client_credentials" + export A1PMS_CREDS_CLIENT_SECRET=$3 + export A1PMS_CREDS_CLIENT_ID=$2 + export A1PMS_AUTH_SERVICE_URL=$KEYCLOAK_SERVICE_PATH$KEYCLOAK_TOKEN_URL_PREFIX/$1/protocol/openid-connect/token + export A1PMS_SIDECAR_MOUNT="/token-cache" + export A1PMS_SIDECAR_JWT_FILE=$A1PMS_SIDECAR_MOUNT"/jwt.txt" + + export AUTHSIDECAR_APP_NAME + export AUTHSIDECAR_DISPLAY_NAME } \ No newline at end of file diff --git a/test/common/cr_api_functions.sh b/test/common/cr_api_functions.sh index e80ad16b..a29d010f 100644 --- a/test/common/cr_api_functions.sh +++ b/test/common/cr_api_functions.sh @@ -122,7 +122,7 @@ __CR_statisics_setup() { CR_INSTANCE_KUBE=$(($CR_INSTANCE-1)) echo -n " CR-$CR_INSTANCE_KUBE $CR_APP_NAME-$CR_INSTANCE_KUBE $KUBE_SIM_NAMESPACE " else - if [ $DOCKER_COMPOSE_VERION == "V1" ]; then + if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then echo -n " CR_$CR_INSTANCE ${CR_APP_NAME}_cr_$CR_INSTANCE " else echo -n " CR_$CR_INSTANCE ${CR_APP_NAME}-cr-$CR_INSTANCE " 
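Review bot: `mkdir db` in the "No files in mounted dir" branch of `start_a1pms` has no `-p` and no status check, so an already existing `db` directory or a permission problem prints an error and the function carries on; the identical line is added to `start_ics` in ics_api_functions.sh further down. Use `mkdir -p db` and handle a failure the way the surrounding function reports errors. The directory is created relative to the current working directory, which a `cd` outside the hunk appears to have changed (the `cd $curdir` that follows restores it); a comment naming the intended location would make the effect of the `!db` entries added to the mnt/.gitignore files clear. The enclosing function starts outside the hunk.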
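Review bot: `a1pms_configure_sec` exports the client secret as `A1PMS_CREDS_CLIENT_SECRET`, which is inherited by every process the test shell spawns and, through `envsubst` on app.yaml, lands in clear text in the rendered manifest under tmp/ and in the pod spec. If the sidecar can read the secret from a file or a Kubernetes Secret, prefer that path; otherwise at least avoid echoing the value anywhere and make sure tmp/ is not collected as a CI artifact. The `# args:` header should name the three positional parameters, e.g. `# args: <realm> <client-id> <client-secret>`, unless the angle-bracket text was only stripped by this rendering.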
@@ -171,7 +171,7 @@ __cr_set_protocoll() { for ((CR_INSTANCE=0; CR_INSTANCE<$MAX_CR_APP_COUNT; CR_INSTANCE++ )); do CR_DOCKER_INSTANCE=$(($CR_INSTANCE+1)) # CR_SERVICE_PATH is the base path to cr - if [ $DOCKER_COMPOSE_VERION == "V1" ]; then + if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then __CR_SERVICE_PATH=$1"://"$CR_APP_NAME"_cr_"${CR_DOCKER_INSTANCE}":"$2 # docker access, container->container and script->container via proxy else __CR_SERVICE_PATH=$1"://"$CR_APP_NAME"-cr-"${CR_DOCKER_INSTANCE}":"$2 # docker access, container->container and script->container via proxy @@ -299,7 +299,7 @@ start_cr() { app_data="" cntr=1 while [ $cntr -le $CR_APP_COUNT ]; do - if [ $DOCKER_COMPOSE_VERION == "V1" ]; then + if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then app=$CR_APP_NAME"_cr_"$cntr else app=$CR_APP_NAME"-cr-"$cntr @@ -315,7 +315,7 @@ start_cr() { cntr=1 #Counter for docker instance, starts on 1 cntr2=0 #Couter for env var name, starts with 0 to be compablible with kube while [ $cntr -le $CR_APP_COUNT ]; do - if [ $DOCKER_COMPOSE_VERION == "V1" ]; then + if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then app=$CR_APP_NAME"_cr_"$cntr else app=$CR_APP_NAME"-cr-"$cntr diff --git a/test/common/ics_api_functions.sh b/test/common/ics_api_functions.sh index 2152de9e..0c067ca3 100644 --- a/test/common/ics_api_functions.sh +++ b/test/common/ics_api_functions.sh @@ -326,6 +326,7 @@ start_ics() { fi else echo " No files in mounted dir or dir does not exists" + mkdir db fi cd $curdir diff --git a/test/common/istio_api_functions.sh b/test/common/istio_api_functions.sh index 2afc3f9c..dbbc6a50 100644 --- a/test/common/istio_api_functions.sh +++ b/test/common/istio_api_functions.sh 
@@ -69,6 +69,11 @@ __ISTIO_kube_scale_zero_and_wait() { # This function is called for apps managed by the test script. __ISTIO_kube_delete_all() { __kube_delete_all_resources $KUBE_NONRTRIC_NAMESPACE autotest ISTIO + __kube_delete_all_resources $KUBE_A1SIM_NAMESPACE autotest ISTIO + __kube_delete_all_resources $KUBE_ONAP_NAMESPACE autotest ISTIO + __kube_delete_all_resources $KUBE_KEYCLOAK_NAMESPACE autotest ISTIO + __kube_delete_all_resources $KUBE_SDNC_NAMESPACE autotest ISTIO + __kube_delete_all_resources $KUBE_SIM_NAMESPACE autotest ISTIO } # Store docker logs @@ -189,11 +194,11 @@ istio_req_auth_by_jwks() { } # Authorization policy - by realm -# args: +# args: [ ] istio_auth_policy_by_realm() { __log_conf_start $@ - if [ $# -ne 3 ]; then - __print_err " " $@ + if [ $# -ne 3 ] && [ $# -ne 5 ]; then + __print_err " [ ]" $@ return 1 fi name="ap-realm-"$3"-"$1"-"$2 @@ -208,6 +213,17 @@ istio_auth_policy_by_realm() { __log_conf_fail_general "Cannot substitute yaml: $inputfile" return 1 fi + if [ $# -gt 3 ]; then + export ISTIO_TEMPLATE_REPLACE_AP_CLIENT=$4 + export ISTIO_TEMPLATE_REPLACE_AP_ROLE=$5 + inputfile=$SIM_GROUP/$ISTIO_COMPOSE_DIR/ap-role-snippet.yaml + envsubst < $inputfile >> $outputfile + if [ $? -ne 0 ]; then + __log_conf_fail_general "Cannot substitute yaml: $inputfile" + return 1 + fi + fi + kubectl $KUBECONF apply -f $outputfile &> tmp/kubeerr if [ $? -ne 0 ]; then __log_conf_fail_general "Cannot apply yaml: $outputfile" diff --git a/test/common/keycloak_api_functions.sh b/test/common/keycloak_api_functions.sh index 828dcb39..7f49595b 100644 --- a/test/common/keycloak_api_functions.sh +++ b/test/common/keycloak_api_functions.sh 
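Review bot: In `istio_auth_policy_by_realm` the optional `$4`/`$5` are exported as `ISTIO_TEMPLATE_REPLACE_AP_CLIENT`/`ISTIO_TEMPLATE_REPLACE_AP_ROLE` and substituted by `envsubst` straight into the `request.auth.claims[resource_access][...][roles]` key of ap-role-snippet.yaml (the new file at the end of this patch) without any validation, so a client or role name containing `]`, quotes or whitespace yields a different policy than intended instead of an error. Add a shape check before the export, e.g. `[[ "$4" =~ ^[A-Za-z0-9._-]+$ && "$5" =~ ^[A-Za-z0-9._-]+$ ]] || { __print_err "client and role must be plain identifiers" $@; return 1; }`. The two exported variables also stay set for later `envsubst` calls in the same shell; unset them once the snippet has been appended. The header comment should state that with only three arguments the policy accepts any token issued by the realm, if that is what the base template produces.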
@@ -280,41 +280,6 @@ __execute_curl_to_keycloak() { return 0 } -# # Excute a curl cmd towards the keycloak and check the response code is 2XX. -# # args: -# # resp: if return code is 0 otherwise -# __execute_curl_to_keycloak2() { - -# # TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S") -# # echo "(${BASH_LINENO[0]}) - ${TIMESTAMP}: ${FUNCNAME[0]}" $@ >> $HTTPLOG -# proxyflag="" -# if [ ! -z "$KUBE_PROXY_PATH" ]; then -# if [ $KUBE_PROXY_HTTPX == "http" ]; then -# proxyflag=" --proxy $KUBE_PROXY_PATH" -# else -# proxyflag=" --proxy-insecure --proxy $KUBE_PROXY_PATH" -# fi -# fi -# __cmd="curl -skw %{http_code} $proxyflag "$(< $1) -# echo " CMD: $__cmd" >> $HTTPLOG -# res=$(curl -skw %{http_code} $proxyflag $(< $1)) -# echo " RESP: $res" >> $HTTPLOG -# retcode=$? -# if [ $retcode -ne 0 ]; then -# __log_conf_fail_general " Fatal error when executing curl, response: "$retcode -# echo "$res" -# return 1 -# fi -# status=${res:${#res}-3} -# if [ $status -lt 200 ] && [ $status -gt 299 ]; then -# __log_conf_fail_status_code "2XX" $status -# echo "$res" -# return 1 -# fi -# echo ${res:0:${#res}-3} -# return 0 -# } - # Excute a curl cmd towards the keycloak and check the response code is 2XX. # args: # resp: if return code is 0 otherwise @@ -464,11 +429,11 @@ __keycloak_api_get_service_account_id() { TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S") echo "(${BASH_LINENO[0]}) - ${TIMESTAMP}: ${FUNCNAME[0]}" $@ >> $HTTPLOG - res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/clients$2/service-account-user" "$__KEYCLOAK_ADMIN_TOKEN") + res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/clients/$2/service-account-user" "$__KEYCLOAK_ADMIN_TOKEN") if [ $? -ne 0 ]; then return 1 fi - echo $res | jq -r '.[0].id' + echo $res | jq -r '.id' return 0 } 
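Review bot: In `__keycloak_api_get_service_account_id` the corrected `echo $res | jq -r '.id'` still prints the literal `null` and returns 0 when the response has no `id`, so a wrong client id propagates as the string `null` into the role-mapping URLs the caller builds. Capture and check the value: `sa_id=$(printf '%s' "$res" | jq -r '.id')`, `[ -n "$sa_id" ] && [ "$sa_id" != "null" ] || return 1`, `echo "$sa_id"`. Quoting `$res` also keeps the JSON from being word-split and glob-expanded by the unquoted `echo`. The function's opening lines are outside the hunk.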
@@ -543,6 +508,75 @@ keycloak_api_create_client_roles() { return 0 } +# Get client role id +# args: +__get_client_available_role_id() { + res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/users/$2/role-mappings/clients/$3/available" "$__KEYCLOAK_ADMIN_TOKEN") + if [ $? -ne 0 ]; then + __log_conf_fail_general " Fatal error when getting availiable client role id, response: "$? + return 1 + fi + __client_role_id=$(echo $res | jq -r '.[] | select(.name=="'$4'") | .id ') + echo $__client_role_id + return 0 +} + +# Map roles to a client +# args: + +keycloak_api_map_client_roles() { + __log_conf_start $@ + __c_id=$(__keycloak_api_get_client_id $1 $2) + if [ $? -ne 0 ]; then + __log_conf_fail_general " Fatal error when getting client id, response: "$? + return 1 + fi + __sa_id=$(__keycloak_api_get_service_account_id $1 $__c_id) + if [ $? -ne 0 ]; then + __log_conf_fail_general " Fatal error when getting service account id, response: "$? + return 1 + fi + __realm=$1 + shift; shift; + __json="[" + __cntr=0 + while [ $# -gt 0 ]; do + __client_role_id=$(__get_client_available_role_id $__realm $__sa_id $__c_id $1) + if [ $? -ne 0 ]; then + __log_conf_fail_general " Fatal error when getting client role id, response: "$? + return 1 + fi + __role='{"name":"'$1'","id":"'$__client_role_id'","composite": false,"clientRole": true}' + if [ $__cntr -gt 0 ]; then + __json=$__json"," + fi + __json=$__json$__role + let __cntr=__cntr+1 + shift + done + __json=$__json"]" + + res=$(__execute_curl_to_keycloak2 POST "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$__realm/users/$__sa_id/role-mappings/clients/$__c_id" "$__KEYCLOAK_ADMIN_TOKEN" "$__json") + if [ $? -ne 0 ]; then + __log_conf_fail_general " Fatal error when mapping client roles, response: "$? 
+ return 1 + fi + + + + + # while [ $# -gt 0 ]; do + # __json='{"name":"'$1'"}' + # res=$(__execute_curl_to_keycloak2 POST "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$__realm/clients/$__c_id/roles" "$__KEYCLOAK_ADMIN_TOKEN" "$__json") + # if [ $? -ne 0 ]; then + # __log_conf_fail_general " Fatal error when adding client role, response: "$? + # return 1 + # fi + # shift + # done + __log_conf_ok + return 0 +} + # Get a client token # args: keycloak_api_get_client_token() { diff --git a/test/common/ricsim_api_functions.sh b/test/common/ricsim_api_functions.sh index b8af5323..d71d11a7 100644 --- a/test/common/ricsim_api_functions.sh +++ b/test/common/ricsim_api_functions.sh @@ -103,7 +103,7 @@ __RICSIM_statisics_setup() { echo -n " RICSIM_G2_$RICSIM_INSTANCE_KUBE ${RIC_SIM_PREFIX}-g2-$RICSIM_INSTANCE_KUBE $KUBE_A1SIM_NAMESPACE " echo -n " RICSIM_G3_$RICSIM_INSTANCE_KUBE ${RIC_SIM_PREFIX}-g3-$RICSIM_INSTANCE_KUBE $KUBE_A1SIM_NAMESPACE " else - if [ $DOCKER_COMPOSE_VERION == "V1" ]; then + if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then echo -n " RICSIM_G1_$RICSIM_INSTANCE ${RIC_SIM_PREFIX}_g1_$RICSIM_INSTANCE " echo -n " RICSIM_G2_$RICSIM_INSTANCE ${RIC_SIM_PREFIX}_g2_$RICSIM_INSTANCE " echo -n " RICSIM_G3_$RICSIM_INSTANCE ${RIC_SIM_PREFIX}_g3_$RICSIM_INSTANCE " @@ -294,7 +294,7 @@ start_ric_simulators() { # -- app_data="" cntr=1 - if [ $DOCKER_COMPOSE_VERION == "V1" ]; then + if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then app_name_prefix=$RIC_SIM_PREFIX"_"$RICSIM_COMPOSE_SERVICE_NAME"_" else app_name_prefix=$RIC_SIM_PREFIX"-"$RICSIM_COMPOSE_SERVICE_NAME"-" @@ -309,7 +309,7 @@ start_ric_simulators() { cntr=1 while [ $cntr -le $2 ]; do - if [ $DOCKER_COMPOSE_VERION == "V1" ]; then + if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then app=$RIC_SIM_PREFIX"_"$RICSIM_COMPOSE_SERVICE_NAME"_"$cntr else app=$RIC_SIM_PREFIX"-"$RICSIM_COMPOSE_SERVICE_NAME"-"$cntr 
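Review bot: In the new `__get_client_available_role_id` and `keycloak_api_map_client_roles`, every `__log_conf_fail_general " ... response: "$?` inside an `if [ $? -ne 0 ]` block reports the status of the `[` test (always 0), not of the failed call; save the status into a variable right after the call. The jq filter `select(.name=="'$4'")` splices the role name into the program text, and when no role matches `__client_role_id` is empty yet the helper returns 0, so the POST body is sent with `"id":""`; pass the name with `--arg` and fail on an empty or `null` id. Use `__cntr=$((__cntr+1))` instead of `let`, and delete the commented-out role-creation loop left at the end of `keycloak_api_map_client_roles`. The rewritten helper below shows the pattern; the same status capture applies to the three checks in `keycloak_api_map_client_roles`.
```shell
__get_client_available_role_id() {
  res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/users/$2/role-mappings/clients/$3/available" "$__KEYCLOAK_ADMIN_TOKEN")
  rc=$?
  if [ $rc -ne 0 ]; then
    __log_conf_fail_general " Fatal error when getting available client role id, response: "$rc
    return 1
  fi
  # role name is passed as a jq variable, not spliced into the filter text
  __client_role_id=$(printf '%s' "$res" | jq -r --arg name "$4" '.[] | select(.name==$name) | .id')
  if [ -z "$__client_role_id" ] || [ "$__client_role_id" = "null" ]; then
    __log_conf_fail_general " Client role not found among available roles: "$4
    return 1
  fi
  echo "$__client_role_id"
  return 0
}
```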
@@ -347,7 +347,7 @@ __find_sim_host() { fi echo $RIC_SIM_HTTPX"://"$ricname.$ric_setname.$KUBE_A1SIM_NAMESPACE":"$RIC_SIM_PORT else - if [ $DOCKER_COMPOSE_VERION == "V1" ]; then + if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then echo $RIC_SIM_HTTPX"://"$1":"$RIC_SIM_PORT else ricname=$(echo "$1" | tr '_' '-') @@ -376,8 +376,14 @@ __execute_curl_to_sim() { proxyflag=" --proxy-insecure --proxy $KUBE_PROXY_PATH" fi fi - echo " CMD: $2 $proxyflag" >> $HTTPLOG - res="$($2 $proxyflag)" + if [ -z "$KUBE_PROXY_CURL_JWT" ]; then + echo " CMD: $2 $proxyflag" >> $HTTPLOG + res="$($2 $proxyflag)" + else + echo " CMD: $2 $proxyflag -H Authorization: Bearer $KUBE_PROXY_CURL_JWT" >> $HTTPLOG + res=$($2 $proxyflag -H 'Authorization: Bearer '$KUBE_PROXY_CURL_JWT) + fi + echo " RESP: $res" >> $HTTPLOG retcode=$? if [ $retcode -ne 0 ]; then diff --git a/test/common/test_env-oran-f-release.sh b/test/common/test_env-oran-f-release.sh index 85f4764d..da8a5db0 100755 --- a/test/common/test_env-oran-f-release.sh +++ b/test/common/test_env-oran-f-release.sh @@ -298,7 +298,7 @@ ICS_COMPOSE_DIR="ics" # Dir in simulator_grou ICS_CONFIG_MOUNT_PATH=/opt/app/information-coordinator-service/config # Internal container path for configuration ICS_CONFIG_FILE=application.yaml # Config file name ICS_VERSION="V1-2" # Version where the types are decoupled from the producer registration -ICS_FEATURE_LEVEL="INFO-TYPES TYPE-SUBSCRIPTIONS INFO-TYPE-INFO RESP_CODE_CHANGE_1" # Space separated list of features +ICS_FEATURE_LEVEL="INFO-TYPES TYPE-SUBSCRIPTIONS INFO-TYPE-INFO RESP_CODE_CHANGE_1 DEFAULT_TYPE_VALIDATION" # Space separated list of features MR_DMAAP_APP_NAME="message-router" # Name for the Dmaap MR MR_STUB_APP_NAME="mr-stub" # Name of the MR stub diff --git a/test/common/testcase_common.sh b/test/common/testcase_common.sh index 78f27fd2..47d8ced5 100755 --- a/test/common/testcase_common.sh +++ b/test/common/testcase_common.sh 
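Review bot: The new `echo " RESP: $res" >> $HTTPLOG` in `__execute_curl_to_sim` sits between the `res=$(...)` assignment and `retcode=$?`, so `retcode` now holds the status of the echo and a failed curl is never detected by the check that follows. Capture the status immediately after each `res=` line and drop the `retcode=$?` that follows the RESP echo. The CMD log line also writes the full bearer token `$KUBE_PROXY_CURL_JWT` into the HTTP log; log a redacted marker instead, and quote the header as `-H "Authorization: Bearer $KUBE_PROXY_CURL_JWT"` so a token with unexpected characters is not word-split. The function's start and the remaining error handling are outside the hunk.
```shell
  if [ -z "$KUBE_PROXY_CURL_JWT" ]; then
    echo " CMD: $2 $proxyflag" >> $HTTPLOG
    res="$($2 $proxyflag)"
    retcode=$?
  else
    # token value deliberately not written to the log
    echo " CMD: $2 $proxyflag -H Authorization: Bearer <redacted>" >> $HTTPLOG
    res=$($2 $proxyflag -H "Authorization: Bearer $KUBE_PROXY_CURL_JWT")
    retcode=$?
  fi
  echo " RESP: $res" >> $HTTPLOG
  # … unchanged: retcode check and response handling (the old retcode=$? after this echo is removed) …
```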
@@ -135,7 +135,7 @@ IMAGE_CATEGORY="DEV" #Var to indicate docker-compose version, V1 or V2 #V1 names replicated containers __ #V2 names replicated containers -- -DOCKER_COMPOSE_VERION="V1" +DOCKER_COMPOSE_VERSION="V1" # Function to indent cmd output with one space indent1() { sed 's/^/ /'; } @@ -1120,7 +1120,7 @@ if [ $RUNMODE == "DOCKER" ]; then tmp=$(docker-compose version) echo " docker-compose installed and using version $tmp" if [[ "$tmp" == *'v2'* ]]; then - DOCKER_COMPOSE_VERION="V2" + DOCKER_COMPOSE_VERSION="V2" fi fi fi @@ -2731,6 +2731,17 @@ __clean_kube() { fi done + # Remove istio label on namespaces + test_env_namespaces=$(kubectl $KUBECONF get ns --no-headers -o custom-columns=":metadata.name" -l autotest=engine -l istio-injection=enabled) #Get list of ns created by the test env + if [ $? -ne 0 ]; then + echo " Cannot get list of namespaces...continues.." + else + for test_env_ns in $test_env_namespaces; do + echo " Removing istio label on ns: "$test_env_ns + __kube_label_non_ns_instance ns $test_env_ns "istio-injection-" + done + fi + echo "" } @@ -2853,7 +2864,7 @@ __start_container() { envsubst < $compose_file > "gen_"$compose_file compose_file="gen_"$compose_file - if [ $DOCKER_COMPOSE_VERION == "V1" ]; then + if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then docker_compose_cmd="docker-compose" else docker_compose_cmd="docker compose" diff --git a/test/http-https-proxy/http_proxy.js b/test/http-https-proxy/http_proxy.js index 0bab0523..e90dfcad 100644 --- a/test/http-https-proxy/http_proxy.js +++ b/test/http-https-proxy/http_proxy.js @@ -77,7 +77,7 @@ function httpclientrequest(clientrequest, clientresponse) { if (crproto != undefined) { crurl=crproto+"://"+crhost+crurl if (debug) { - console.log(" Constructed ulr: "+crurl) + console.log(" Constructed url: "+crurl) } } else if (crurl.startsWith('/')) { console.log("Catched bad url in http request: "+crurl) 
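Review bot: In the `__clean_kube` hunk the namespace list is fetched with two separate selector flags, `-l autotest=engine -l istio-injection=enabled`; as far as I know kubectl's `-l` is a single string option, so the last one wins and the query then matches every istio-labelled namespace, not only those owned by the test environment, and the loop strips `istio-injection` from namespaces the script never created. Combine the selectors into one flag: `-l autotest=engine,istio-injection=enabled`. Quoting `"$test_env_ns"` in the `__kube_label_non_ns_instance` call and the echo is cheap and consistent with a defensive cleanup path. The function starts outside the hunk.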
diff --git a/test/simulator-group/a1pms/app.yaml b/test/simulator-group/a1pms/app.yaml index b53f22ad..11dad9bd 100644 --- a/test/simulator-group/a1pms/app.yaml +++ b/test/simulator-group/a1pms/app.yaml @@ -36,6 +36,29 @@ spec: name: a1pms-pv-data-name - mountPath: $A1PMS_DATA_MOUNT_PATH name: a1pms-data-name +#A1PMS_JWT_START + - mountPath: $A1PMS_SIDECAR_MOUNT + name: token-cache-volume +#A1PMS_JWT_STOP +#A1PMS_JWT_START + - name: $AUTHSIDECAR_APP_NAME + image: $AUTHSIDECAR_IMAGE + imagePullPolicy: $KUBE_IMAGE_PULL_POLICY + env: + - name: CREDS_GRANT_TYPE + value: $A1PMS_CREDS_GRANT_TYPE + - name: CREDS_CLIENT_SECRET + value: $A1PMS_CREDS_CLIENT_SECRET + - name: CREDS_CLIENT_ID + value: $A1PMS_CREDS_CLIENT_ID + - name: OUTPUT_FILE + value: $A1PMS_SIDECAR_JWT_FILE + - name: AUTH_SERVICE_URL + value: $A1PMS_AUTH_SERVICE_URL + volumeMounts: + - mountPath: $A1PMS_SIDECAR_MOUNT + name: token-cache-volume +#A1PMS_JWT_STOP volumes: - configMap: defaultMode: 420 @@ -48,6 +71,10 @@ spec: - persistentVolumeClaim: claimName: $A1PMS_DATA_PVC_NAME name: a1pms-pv-data-name +#A1PMS_JWT_START + - name: token-cache-volume + emptyDir: {} +#A1PMS_JWT_STOP # Selector will be set when pod is started first time nodeSelector: diff --git a/test/simulator-group/a1pms/application.yaml b/test/simulator-group/a1pms/application.yaml index b9286b6f..a3530b79 100644 --- a/test/simulator-group/a1pms/application.yaml +++ b/test/simulator-group/a1pms/application.yaml @@ -69,3 +69,4 @@ app: http.proxy-host: $A1PMS_HTTP_PROXY_CONFIG_HOST_NAME http.proxy-port: $A1PMS_HTTP_PROXY_CONFIG_PORT http.proxy-type: HTTP + auth-token-file: $A1PMS_SIDECAR_JWT_FILE \ No newline at end of file diff --git a/test/simulator-group/a1pms/application2.yaml b/test/simulator-group/a1pms/application2.yaml index 18a92e0e..05ee2785 100644 --- a/test/simulator-group/a1pms/application2.yaml +++ b/test/simulator-group/a1pms/application2.yaml 
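Review bot: The sidecar container receives the Keycloak client secret as a plain `value: $A1PMS_CREDS_CLIENT_SECRET` env entry, so the secret is readable in the rendered manifest that `start_a1pms` writes under tmp/, in `kubectl get pod -o yaml`, and in the pod's environment. Prefer a Kubernetes Secret referenced through `valueFrom.secretKeyRef` so the value never appears in template output. The shared `token-cache-volume` is `emptyDir: {}`, which places the cached JWT on node disk; `emptyDir: {medium: Memory}` keeps it in memory only and is a one-line change. The `#A1PMS_JWT_START`/`#A1PMS_JWT_STOP` markers drive the `sed` deletion in start_a1pms; a short comment in app.yaml saying so would help the next editor keep them paired.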
@@ -69,3 +69,4 @@ app: http.proxy-host: $A1PMS_HTTP_PROXY_CONFIG_HOST_NAME http.proxy-port: $A1PMS_HTTP_PROXY_CONFIG_PORT http.proxy-type: HTTP + auth-token-file: $A1PMS_SIDECAR_JWT_FILE \ No newline at end of file diff --git a/test/simulator-group/a1pms/mnt/.gitignore b/test/simulator-group/a1pms/mnt/.gitignore new file mode 100644 index 00000000..beb0d9bf --- /dev/null +++ b/test/simulator-group/a1pms/mnt/.gitignore @@ -0,0 +1,18 @@ +################################################################################ +# Copyright (c) 2021 Nordix Foundation. # +# # +# Licensed under the Apache License, Version 2.0 (the "License"); # +# you may not use this file except in compliance with the License. # +# You may obtain a copy of the License at # +# # +# http://www.apache.org/licenses/LICENSE-2.0 # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# See the License for the specific language governing permissions and # +# limitations under the License. # +################################################################################ +* +!.gitignore +!db diff --git a/test/simulator-group/control_panel/mnt/.gitignore b/test/simulator-group/control_panel/mnt/.gitignore index 72e8ffc0..2aac55e8 100644 --- a/test/simulator-group/control_panel/mnt/.gitignore +++ b/test/simulator-group/control_panel/mnt/.gitignore 
@@ -1 +1,17 @@ +################################################################################ +# Copyright (c) 2022 Nordix Foundation. # +# # +# Licensed under the Apache License, Version 2.0 (the "License"); # +# you may not use this file except in compliance with the License. # +# You may obtain a copy of the License at # +# # +# http://www.apache.org/licenses/LICENSE-2.0 # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# See the License for the specific language governing permissions and # +# limitations under the License. # +################################################################################ * +!.gitignore diff --git a/test/simulator-group/ics/mnt/.gitignore b/test/simulator-group/ics/mnt/.gitignore index b94353c3..f27872eb 100644 --- a/test/simulator-group/ics/mnt/.gitignore +++ b/test/simulator-group/ics/mnt/.gitignore @@ -1,5 +1,5 @@ ################################################################################ -# Copyright (c) 2021 Nordix Foundation. # +# Copyright (c) 2022 Nordix Foundation. # # # # Licensed under the Apache License, Version 2.0 (the "License"); # # you may not use this file except in compliance with the License. # @@ -14,4 +14,5 @@ # limitations under the License. # ################################################################################ * -!.gitignore \ No newline at end of file +!.gitignore +!db diff --git a/test/simulator-group/istio/ap-role-snippet.yaml b/test/simulator-group/istio/ap-role-snippet.yaml new file mode 100644 index 00000000..0107a4f6 --- /dev/null +++ b/test/simulator-group/istio/ap-role-snippet.yaml @@ -0,0 +1,3 @@ + when: + - key: request.auth.claims[resource_access][${ISTIO_TEMPLATE_REPLACE_AP_CLIENT}][roles] + values: ["${ISTIO_TEMPLATE_REPLACE_AP_ROLE}"] 
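Review bot: The new istio/ap-role-snippet.yaml is a bare `when` fragment with no header comment explaining what it is spliced into or who substitutes `ISTIO_TEMPLATE_REPLACE_AP_CLIENT` and `ISTIO_TEMPLATE_REPLACE_AP_ROLE`, which matters because a `when` clause only narrows a rule and its effect depends entirely on the `action` of the enclosing AuthorizationPolicy, which is outside this diff. A reader of the file alone cannot tell whether matching the role allows or denies. Suggested header: `# Condition fragment inserted into an Istio AuthorizationPolicy rule by the test scripts: matches requests whose JWT carries the given role under resource_access.<client>.roles. The ISTIO_TEMPLATE_REPLACE_* placeholders are substituted before the policy is applied.` The two placeholder values are presumably substituted by the istio helper functions; confirm and name the function in the comment.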
diff --git a/test/simulator-group/ngw/mnt/.gitignore b/test/simulator-group/ngw/mnt/.gitignore
index 72e8ffc0..2aac55e8 100644
--- a/test/simulator-group/ngw/mnt/.gitignore
+++ b/test/simulator-group/ngw/mnt/.gitignore
@@ -1 +1,17 @@
+################################################################################
+# Copyright (c) 2022 Nordix Foundation. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
 *
+!.gitignore
-- 
2.16.6