run_tests: add some functional tests

Validate the ACL of the different accounts after the deployment.

Change-Id: Iabad68ee5009e4bbed2bb37709d2e455628c6ffa

mock-certs.sh

@@ -21,21 +21,20 @@ if [ ! -e /etc/pki/ca-trust/source/anchors/mocked.pem ]; then
     update-ca-trust extract
 fi
 
+rm -rf /etc/letsencrypt/live
 for domain in ${domains}; do
     mkdir -p /etc/letsencrypt/live/${domain}
-    if [ ! -e /etc/letsencrypt/live/${domain}/${domain}-privkey.pem ]; then
-        ./cfssl gencert \
-                -ca /etc/pki/ca-trust/source/anchors/mocked.pem \
-                -ca-key /etc/pki/ca-trust/source/anchors/mocked-key.pem \
-                -hostname=${domain} ca-config.json| ./cfssljson -bare /etc/letsencrypt/live/${domain}/cert
-        cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/chain.pem
-        cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/fullchain.pem
-        cp /etc/letsencrypt/live/${domain}/cert-key.pem /etc/letsencrypt/live/${domain}/privkey.pem
-        cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-cert.pem
-        cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-chain.pem
-        cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-fullchain.pem
-        cp /etc/letsencrypt/live/${domain}/cert-key.pem /etc/letsencrypt/live/${domain}/${domain}-privkey.pem
-        openssl verify /etc/letsencrypt/live/${domain}/chain.pem
-    fi
+    ./cfssl gencert \
+            -ca /etc/pki/ca-trust/source/anchors/mocked.pem \
+            -ca-key /etc/pki/ca-trust/source/anchors/mocked-key.pem \
+            -hostname=${domain} ca-config.json| ./cfssljson -bare /etc/letsencrypt/live/${domain}/cert
+    cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/chain.pem
+    cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/fullchain.pem
+    cp /etc/letsencrypt/live/${domain}/cert-key.pem /etc/letsencrypt/live/${domain}/privkey.pem
+    cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-cert.pem
+    cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-chain.pem
+    cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-fullchain.pem
+    cp /etc/letsencrypt/live/${domain}/cert-key.pem /etc/letsencrypt/live/${domain}/${domain}-privkey.pem
+    openssl verify /etc/letsencrypt/live/${domain}/chain.pem
     find /etc/letsencrypt/live/${domain} -type f -exec chmod 644 {} \;
 done

run_tests.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-set -e
+set -eu
 
 export RDO_GITHUB_CLIENT_ID=oauth_client_id
 export RDO_GITHUB_CLIENT_SECRET=oauth_client_secret
@@ -10,6 +10,57 @@ function cleanup() {
     rm -rf openshift-ansible
 }
 
+function get_user_token() {
+    local user=$1
+
+    secret_name=$(oc describe sa ${user}|awk '/Tokens:/ {print $2}')
+    secret_value=$(oc describe secret ${secret_name}|awk '/token:/ {print $2}')
+
+    echo ${secret_value}
+}
+
+function teardown() {
+    sudo docker tag docker.io/fedora trunk.registry.rdoproject.org/master/fedora
+    sudo docker tag docker.io/fedora registry.distributed-ci.io/rhosp12/fedora
+    sudo docker logout trunk.registry.rdoproject.org
+    sudo docker logout registry.distributed-ci.io
+}
+
+function ok() {
+    local command=$1
+
+    set +e
+    echo "-> Should succeed: ... ${command}"
+    sudo $command
+    ret=$?
+
+    if [ $ret -eq 0 ]; then
+        echo "  -> OK"
+    else
+        echo "  -> KO"
+        exit 1
+    fi
+    set -e
+}
+
+function ko() {
+    local command=$1
+
+    set +e
+    echo "-> Should fail: ... ${command}"
+    sudo $command
+    ret=$?
+
+    if [ $ret -eq 0 ]; then
+        echo "  -> OK"
+        exit 1
+    else
+        echo "  -> KO"
+    fi
+    set -e
+}
+
+
 # Generate the local SSL certificates
 sudo ./mock-certs.sh
 
@@ -47,3 +98,44 @@ sudo oc get svc
 sudo oc get projects
 sudo oc policy who-can resource cluster-admin
 sudo oc get serviceaccounts --all-namespaces=true
+
+sudo docker pull fedora
+teardown
+echo "Try to push an image in master without being auth"
+ko "docker push trunk.registry.rdoproject.org/master/fedora"
+
+teardown
+echo "Try to push an image in master with the proper auth"
+ok "docker login -u tripleo.service -p $(get_user_token tripleo.service) trunk.registry.rdoproject.org"
+ok "docker push trunk.registry.rdoproject.org/master/fedora"
+
+teardown
+echo "Try to pull the freshly uploaded image"
+ok "docker rmi trunk.registry.rdoproject.org/master/fedora"
+ok "docker pull trunk.registry.rdoproject.org/master/fedora"
+
+teardown
+echo "Try to push to OSP/DCI without being auth"
+ko "docker push registry.distributed-ci.io/rhosp12/fedora"
+
+teardown
+echo "Try to push from OSP/DCI with the read-only account"
+ok "docker login -u dci-registry-user-osp12.service -p $(get_user_token dci-registry-user-osp12.service) registry.distributed-ci.io"
+ko "docker push registry.distributed-ci.io/rhosp12/fedora"
+
+teardown
+echo "Try to push to OSP/DCI with the proper auth"
+ok "docker login -u dci-registry-admin.service -p $(get_user_token dci-registry-admin.service) registry.distributed-ci.io"
+ok "docker push registry.distributed-ci.io/rhosp12/fedora"
+
+teardown
+echo "Try to pull from OSP/DCI with the read-only account"
+ok "docker rmi registry.distributed-ci.io/rhosp12/fedora"
+ok "docker login -u dci-registry-user-osp12.service -p $(get_user_token dci-registry-user-osp12.service) registry.distributed-ci.io"
+ok "docker pull registry.distributed-ci.io/rhosp12/fedora"
+
+teardown
+echo "Try to pull from OSP/DCI without being auth"
+ko "docker pull registry.distributed-ci.io/rhosp12/fedora"
+
+echo "\o/ LOOKS GREAT!!! \o/"