From 6ce318243a91b5427672578cb10da5f0e7a5b9a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gon=C3=A9ri=20Le=20Bouder?= Date: Fri, 15 Dec 2017 12:50:39 -0500 Subject: [PATCH] run_tests: add some functional tests Validate the ACL of the different accounts after the deployment. Change-Id: Iabad68ee5009e4bbed2bb37709d2e455628c6ffa --- mock-certs.sh | 27 +++++++-------- run_tests.sh | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 106 insertions(+), 15 deletions(-) diff --git a/mock-certs.sh b/mock-certs.sh index 1070cae..a261ad6 100755 --- a/mock-certs.sh +++ b/mock-certs.sh @@ -21,21 +21,20 @@ if [ ! -e /etc/pki/ca-trust/source/anchors/mocked.pem ]; then update-ca-trust extract fi +rm -rf /etc/letsencrypt/live for domain in ${domains}; do mkdir -p /etc/letsencrypt/live/${domain} - if [ ! -e /etc/letsencrypt/live/${domain}/${domain}-privkey.pem ]; then - ./cfssl gencert \ - -ca /etc/pki/ca-trust/source/anchors/mocked.pem \ - -ca-key /etc/pki/ca-trust/source/anchors/mocked-key.pem \ - -hostname=${domain} ca-config.json| ./cfssljson -bare /etc/letsencrypt/live/${domain}/cert - cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/chain.pem - cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/fullchain.pem - cp /etc/letsencrypt/live/${domain}/cert-key.pem /etc/letsencrypt/live/${domain}/privkey.pem - cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-cert.pem - cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-chain.pem - cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-fullchain.pem - cp /etc/letsencrypt/live/${domain}/cert-key.pem /etc/letsencrypt/live/${domain}/${domain}-privkey.pem - openssl verify /etc/letsencrypt/live/${domain}/chain.pem - fi + ./cfssl gencert \ + -ca /etc/pki/ca-trust/source/anchors/mocked.pem \ + -ca-key /etc/pki/ca-trust/source/anchors/mocked-key.pem \ + -hostname=${domain} ca-config.json| ./cfssljson -bare /etc/letsencrypt/live/${domain}/cert + cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/chain.pem + cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/fullchain.pem + cp /etc/letsencrypt/live/${domain}/cert-key.pem /etc/letsencrypt/live/${domain}/privkey.pem + cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-cert.pem + cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-chain.pem + cp /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/${domain}-fullchain.pem + cp /etc/letsencrypt/live/${domain}/cert-key.pem /etc/letsencrypt/live/${domain}/${domain}-privkey.pem + openssl verify /etc/letsencrypt/live/${domain}/chain.pem find /etc/letsencrypt/live/${domain} -type f -exec chmod 644 {} \; done diff --git a/run_tests.sh b/run_tests.sh index bdc0160..5d92121 100755 --- a/run_tests.sh +++ b/run_tests.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -e +set -eu export RDO_GITHUB_CLIENT_ID=oauth_client_id export RDO_GITHUB_CLIENT_SECRET=oauth_client_secret @@ -10,6 +10,57 @@ function cleanup() { rm -rf openshift-ansible } +function get_user_token() { + local user=$1 + + secret_name=$(oc describe sa ${user}|awk '/Tokens:/ {print $2}') + secret_value=$(oc describe secret ${secret_name}|awk '/token:/ {print $2}') + + echo ${secret_value} +} + +function teardown() { + sudo docker tag docker.io/fedora trunk.registry.rdoproject.org/master/fedora + sudo docker tag docker.io/fedora registry.distributed-ci.io/rhosp12/fedora + sudo docker logout trunk.registry.rdoproject.org + sudo docker logout registry.distributed-ci.io +} + +function ok() { + local command=$1 + + set +e + echo "-> Should succeed: ... ${command}" + sudo $command + ret=$? + + if [ $ret -eq 0 ]; then + echo " -> OK" + else + echo " -> KO" + exit 1 + fi + set -e +} + +function ko() { + local command=$1 + + set +e + echo "-> Should fail: ... ${command}" + sudo $command + ret=$? + + if [ $ret -eq 0 ]; then + echo " -> OK" + exit 1 + else + echo " -> KO" + fi + set -e +} + + # Generate the local SSL certificates sudo ./mock-certs.sh @@ -47,3 +98,44 @@ sudo oc get svc sudo oc get projects sudo oc policy who-can resource cluster-admin sudo oc get serviceaccounts --all-namespaces=true + +sudo docker pull fedora +teardown +echo "Try to push an image in master without being auth" +ko "docker push trunk.registry.rdoproject.org/master/fedora" + +teardown +echo "Try to push an image in master with the proper auth" +ok "docker login -u tripleo.service -p $(get_user_token tripleo.service) trunk.registry.rdoproject.org" +ok "docker push trunk.registry.rdoproject.org/master/fedora" + +teardown +echo "Try to pull the freshly uploaded image" +ok "docker rmi trunk.registry.rdoproject.org/master/fedora" +ok "docker pull trunk.registry.rdoproject.org/master/fedora" + +teardown +echo "Try to push to OSP/DCI without being auth" +ko "docker push registry.distributed-ci.io/rhosp12/fedora" + +teardown +echo "Try to push from OSP/DCI with the read-only account" +ok "docker login -u dci-registry-user-osp12.service -p $(get_user_token dci-registry-user-osp12.service) registry.distributed-ci.io" +ko "docker push registry.distributed-ci.io/rhosp12/fedora" + +teardown +echo "Try to push to OSP/DCI with the proper auth" +ok "docker login -u dci-registry-admin.service -p $(get_user_token dci-registry-admin.service) registry.distributed-ci.io" +ok "docker push registry.distributed-ci.io/rhosp12/fedora" + +teardown +echo "Try to pull from OSP/DCI with the read-only account" +ok "docker rmi registry.distributed-ci.io/rhosp12/fedora" +ok "docker login -u dci-registry-user-osp12.service -p $(get_user_token dci-registry-user-osp12.service) registry.distributed-ci.io" +ok "docker pull registry.distributed-ci.io/rhosp12/fedora" + +teardown +echo "Try to pull from OSP/DCI without being auth" +ko "docker pull registry.distributed-ci.io/rhosp12/fedora" + +echo "\o/ LOOKS GREAT!!! \o/"