Update tests to work with the mock AAI

neicnordic · Feb 6, 2025 · d96099a · d96099a
1 parent e6c96dd
commit d96099a
Show file tree

Hide file tree

Showing 9 changed files with 67 additions and 87 deletions.
diff --git a/.github/integration/scripts/make_sda_credentials.sh b/.github/integration/scripts/make_sda_credentials.sh
@@ -29,19 +29,58 @@ done
 mkdir -p /shared/keys/pub
 if [ ! -f "/shared/keys/jwt.key" ]; then
     echo "creating jwt key"
-    openssl ecparam -genkey -name prime256v1 -noout -out /shared/keys/jwt.key
-    openssl ec -in /shared/keys/jwt.key -outform PEM -pubout >/shared/keys/pub/jwt.pub
+    cat << 'EOF' > /shared/keys/jwt.key
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhuZjxPmOGUIW1
+LhxzKfxkN+1aTbvI5w+AptqT33X+bWuzfjvhEodiNz0bBfQgJJpQ3TZ8J1IZpM2F
+Tnzox+FGxKPe5T9Mgngzd4N6eByWVPXoNMk7IdmBXMdPZBFSyjMW4ba1MELCpiKV
+05de4J5opRDwmHmyMqYJxBk78e3iiYYixVk+j1Ku+yFl4d2R29y2+O9PlZegJloe
+8FGnKIGZApS/8t9iyCkXg8WbjSPzgYCTQKxn/E4lcGdTrAt/McKrWmAuppcr+rpP
++BInm3l5Zu/QiRSZcMb5O460ojP9eKnaUlDpGZv9CY5j4x4lq8vjU2kK77YXBO8I
+2oxse5a5AgMBAAECggEABbwSX6anHqVzECxQurhJWj51gELTT4JXSXxztygJNmKP
+RushGFHBMMSYf9RB5IMpjH5iQPs6wb4HHqjk0YEqfwLF6wbF+eqipSQXKghdKZCV
+AsY8io0MmpXB1omDSygp7h3j52yHdayE2muav+VTAPOYn5QwG0/gGgVqYrR9x7CM
+iTuyOIuGNO4Wlly4/5RhLtSo0pal9AgBvX4crtVEwN8tPgqPVo9w71bSROt9EVNI
+3cZiFFrrapYiifckIGiPGQYQUd5ej9Mq/77Fa0fv0pk0ONQV8HwstQ5HY2WwJWsn
+mccF9plVTzem7N/vo+T+hFRPUO9TZUao91mMV8iV5QKBgQD1nZbQW3NHdol0fXA8
+nw5JRkTLZx1zcZ5l36WVPkwCjJOyXQ2vWHm4lz7F81Rr8dQnMKLWMDKjrBT9Dbfs
+xYK2bYxENS1W/n+0jOIaX/792DY9tfX7vvHU9yGSdoJE5os6DGCHYInOD0xnRmnl
+3vS7gKv8miDwDzFsbjtDg6WfSwKBgQDrRLkmmfZCMcmLA02YSrErAlUseuyad7lY
+HEJApXKfn262iHELlQa2zOBZpJGXIcHsNf1XGpMeU5pH+ILKE4Y5qbclq+AzFCcZ
+nBFUfDeawmWdV5FJqNDd1L8Mb8aE+6q0Y5rNb3RL7A2ypH2ZeYKSGpHz3C7Rn5KW
+voWAXRWriwKBgQCH4bxK3x0ivxiCgtcyIojDzwVGRnDLqmMIVzeDHqjsjBs2BTcJ
+9/e3QK1w1BKzeWF2oPilaJrLY+tkqE9FxWtwQ6DjJ0xDIZ9DIuH/13X5t8EiWOWS
+devSdzpyje+58JW78pcArk7u2hXZ2OHDU5qvlRsRL6/jP3SHWWCeFFnviwKBgGov
+M02r0YygwfEfBYeFtp7Nx7lypZU2Eg4levWIdsp6f9KclEEA+u3IXD25XAiVMNw2
+pegJU3stioWPMSCZXUxrQAEdqOwE3XzehqfWBJaxxIEWQ7m2Gsb0PWIUlMnyeGJA
+Tl8IPboCiVAmk5WQVREyMsuYhf0Qg23MAZ8k5CHvAoGBAJm55NQZVKAEDGd4a21q
+TDcRddtPwwL2oP3qa0gbGk4YFRUCrX99hIejOTvQW1xf6vGxTd7E1QizvFse4yRz
+ZRKyXIc7DCcdzOnpMrSd1+aXwZtRHLSw0EDS6PWeJZdjJYHxl2YpAmMdURdcGTrH
+b6b/6vhU90+xL14CX7Awofp/
+-----END PRIVATE KEY-----
+EOF
+    cat << 'EOF' > /shared/keys/pub/jwt.pub
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4bmY8T5jhlCFtS4ccyn8
+ZDftWk27yOcPgKbak991/m1rs3474RKHYjc9GwX0ICSaUN02fCdSGaTNhU586Mfh
+RsSj3uU/TIJ4M3eDengcllT16DTJOyHZgVzHT2QRUsozFuG2tTBCwqYildOXXuCe
+aKUQ8Jh5sjKmCcQZO/Ht4omGIsVZPo9SrvshZeHdkdvctvjvT5WXoCZaHvBRpyiB
+mQKUv/LfYsgpF4PFm40j84GAk0CsZ/xOJXBnU6wLfzHCq1pgLqaXK/q6T/gSJ5t5
+eWbv0IkUmXDG+TuOtKIz/Xip2lJQ6Rmb/QmOY+MeJavL41NpCu+2FwTvCNqMbHuW
+uQIDAQAB
+-----END PUBLIC KEY-----
+EOF
     chmod 644 /shared/keys/pub/jwt.pub /shared/keys/jwt.key
 fi
 
 echo "creating token"
-token="$(python /scripts/sign_jwt.py)"
+python /scripts/sign_jwt.py [email protected]  > "/shared/token"
 
 cat >/shared/s3cfg <<EOD
 [default]
-access_key=test_dummy.org
-secret_key=test_dummy.org
-access_token=$token
+access_key=test@dummy.org
+secret_key=test@dummy.org
+access_token="$(python /scripts/sign_jwt.py [email protected])"
 check_ssl_certificate = False
 check_ssl_hostname = False
 encoding = UTF-8

diff --git a/.github/integration/scripts/sign_jwt.py b/.github/integration/scripts/sign_jwt.py
@@ -1,26 +1,27 @@
 from datetime import date, timedelta
 from joserfc import jwt
-from joserfc.jwk import ECKey
+from joserfc.jwk import RSAKey
 from pathlib import Path
+import sys
 
 p = Path('/shared/keys/jwt.key')
 raw = p.read_text()
-key = ECKey.import_key(raw)
+key = RSAKey.import_key(raw)
 iat = date.today() - timedelta(days=1)
 exp = date.today() + timedelta(days=1)
 
 header = {
-    'alg': 'ES256',
-    'kid': key.thumbprint(),
+    'alg': 'RS256',
+    'kid': 'rsa1',
     'typ': 'JWT'
 }
 
 payload = {
     'aud': 'XC56EL11xx',
     'exp': exp.strftime('%s'),
     'iat': iat.strftime('%s'),
-    'iss': 'http://oidc',
-    'sub': '[email protected]'
+    'iss': 'http://localhost',
+    'sub': sys.argv[1]
 }
 
 token = jwt.encode(header, payload, key)

diff --git a/.github/integration/sda-s3-integration.yml b/.github/integration/sda-s3-integration.yml
@@ -90,7 +90,7 @@ services:
         condition: service_completed_successfully
       minio:
         condition: service_healthy
-      oidc:
+      mock-aai:
         condition: service_healthy
       postgres:
         condition: service_healthy
@@ -211,39 +211,6 @@ services:
       - ./sda/config.yaml:/config.yaml
       - shared:/shared
 
-  oidc:
-    container_name: oidc
-    command:
-      - /bin/sh
-      - -c
-      - |
-        pip install --upgrade pip
-        pip install aiohttp Authlib joserfc requests
-        python -u /oidc.py
-    depends_on:
-      credentials:
-        condition: service_completed_successfully
-    extra_hosts:
-      - "localhost:host-gateway"
-    healthcheck:
-      test:
-        [
-          "CMD",
-          "python3",
-          "-c",
-          'import requests; print(requests.get(url = "http://localhost:8080/jwk").text)',
-        ]
-      interval: 10s
-      timeout: 2s
-      retries: 6
-    image: python:3.11-slim
-    ports:
-      - "8080:8080"
-    restart: always
-    volumes:
-      - ./sda/oidc.py:/oidc.py
-      - shared:/shared
-
   api:
     command: [sda-api]
     container_name: api
@@ -252,7 +219,7 @@ services:
         condition: service_completed_successfully
       postgres:
         condition: service_healthy
-      oidc:
+      mock-aai:
         condition: service_healthy
       rabbitmq:
         condition: service_healthy
@@ -348,6 +315,7 @@ services:
     volumes:
       - ./sda/config.yaml:/config.yaml
       - shared:/shared
+
   mock-aai:
     container_name: ls-aai-mock
     depends_on:
@@ -357,6 +325,12 @@ services:
       - DOCKERHOST=localhost
     extra_hosts:
       - "localhost:host-gateway"
+    healthcheck:
+      test:
+        [ "CMD", "/bin/true" ]
+      interval: 10s
+      timeout: 2s
+      retries: 6
     image: registry.gitlab.ics.muni.cz:443/perun/deployment/proxyidp/proxyidp-public-docker-images/ls_aai_mock:2.5.2-broker2.1.10-tomcat9.0-jdk11
     ports:
       - "8800:8080"

diff --git a/.github/integration/sda/config.yaml b/.github/integration/sda/config.yaml
@@ -23,7 +23,7 @@ auth:
   jwt:
     issuer: "https://auth:8888"
     privateKey: /shared/keys/jwt.key
-    signatureAlg: ES256
+    signatureAlg: RS256
     tokenTTL: 168
   publicFile: "/shared/c4gh.pub.pem"
   resignJwt:

diff --git a/.github/integration/sda/rbac.json b/.github/integration/sda/rbac.json
@@ -62,7 +62,7 @@
           "rolebinding": "submission"
        },
        {
-          "role": "[email protected]",
+          "role": "[email protected]",
           "rolebinding": "admin"
        }
     ]

diff --git a/.github/integration/tests/sda/10_upload_test.sh b/.github/integration/tests/sda/10_upload_test.sh
@@ -61,38 +61,4 @@ if [ "$num_log_rows" -ne 12 ]; then
     exit 1
 fi
 
-## test with token from OIDC service
-echo "testing with OIDC token"
-newToken=$(curl http://oidc:8080/tokens | jq '.[0]')
-cp s3cfg oidc_s3cfg
-sed -i "s/access_token=.*/access_token=$newToken/" oidc_s3cfg
-
-s3cmd -c oidc_s3cfg put NA12878.bam.c4gh s3://requester_demo.org/data/file1.c4gh
-
-## verify that messages exists in MQ
-echo "waiting for upload to complete"
-RETRY_TIMES=0
-until [ "$(curl -s -k -u guest:guest $URI/api/queues/sda/inbox | jq -r '."messages_ready"')" -eq 7 ]; do
-    echo "waiting for upload to complete"
-    RETRY_TIMES=$((RETRY_TIMES + 1))
-    if [ "$RETRY_TIMES" -eq 30 ]; then
-        echo "::error::Time out while waiting for upload to complete"
-        exit 1
-    fi
-    sleep 2
-done
-
-num_rows=$(psql -U postgres -h postgres -d sda -At -c "SELECT COUNT(*) from sda.files;")
-if [ "$num_rows" -ne 6 ]; then
-    echo "database queries for register_files failed, expected 6 got $num_rows"
-    exit 1
-fi
-
-num_log_rows=$(psql -U postgres -h postgres -d sda -At -c "SELECT COUNT(*) from sda.file_event_log;")
-if [ "$num_log_rows" -ne 14 ]; then
-    echo "database queries for file_event_logs failed, expected 14 got $num_log_rows"
-    exit 1
-fi
-
-
 echo "files uploaded successfully"
diff --git a/.github/integration/tests/sda/11_api_test.sh b/.github/integration/tests/sda/11_api_test.sh
@@ -2,8 +2,8 @@
 set -e
 
 # Test the API files endpoint
-token="$(curl -s http://oidc:8080/tokens | jq -r '.[0]')"
-response="$(curl -s -k -L "http://api:8080/files" -H "Authorization: Bearer $token" | jq -r 'sort_by(.inboxPath)|.[-1].fileStatus')"
+token="$(cat /shared/token)"
+response="$(curl -s -k -L "http://api:8080/users/[email protected]/files" -H "Authorization: Bearer $token" | jq -r 'sort_by(.inboxPath)|.[-1].fileStatus')"
 if [ "$response" != "uploaded" ]; then
 	echo "API returned incorrect value, expected ready got: $response"
 	exit 1

diff --git a/.github/integration/tests/sda/40_mapper_test.sh b/.github/integration/tests/sda/40_mapper_test.sh
@@ -199,7 +199,7 @@ done
 
 
 ## Use API to list the datasets
-token="$(curl http://oidc:8080/tokens | jq -r '.[0]')"
+token="$(cat /shared/token)"
 resp="$(curl -s -k -L -H "Authorization: Bearer $token" -X GET "http://api:8080/datasets/list" | jq '. | length')"
 if [ "$resp" -ne 2 ]; then
 	echo "Error when listing key hash, expected 2 entries got: $resp"

diff --git a/.github/integration/tests/sda/60_api_admin_test.sh b/.github/integration/tests/sda/60_api_admin_test.sh
@@ -2,7 +2,7 @@
 set -e
 cd shared || true
 
-token="$(curl http://oidc:8080/tokens | jq -r '.[0]')"
+token="$(cat /shared/token)"
 # Upload a file and make sure it's listed
 result="$(curl -sk -L "http://api:8080/users/[email protected]/files" -H "Authorization: Bearer $token" | jq '. | length')"
 if [ "$result" -ne 2 ]; then