From ae1fd1f1eadcc0509ccfe67578bb4646ddbaa668 Mon Sep 17 00:00:00 2001
From: Dave Goddard
Date: Fri, 23 Sep 2016 09:16:00 -0400
Subject: [PATCH] Improve SecurityLinux smoke test

* Creates UAA details per run

Signed-off-by: Keaty Gross
---
 dockerfiles/cf-space-resource/out | 5 +--
 pipelines/integration.yml | 69 ++++++++++++++++++-------------
 scripts/delete-space.sh | 6 ---
 scripts/test-security.rb | 22 ++++++++++
 tasks/create-service.yml | 3 +-
 tasks/push-app.yml | 3 +-
 6 files changed, 65 insertions(+), 43 deletions(-)
 create mode 100755 scripts/test-security.rb

diff --git a/dockerfiles/cf-space-resource/out b/dockerfiles/cf-space-resource/out
index 6e29bf7..501b9da 100755
--- a/dockerfiles/cf-space-resource/out
+++ b/dockerfiles/cf-space-resource/out
@@ -13,10 +13,7 @@ ORGANIZATION=`jq -r '.source.organization' < $payload`
 cf login -a $TARGET -u $USERNAME -p $PASSWORD --skip-ssl-validation -o dev -s dev
-SPACE=$(pwgen -1)
+SPACE=$(pwgen -1 | awk '{print tolower($0)}')
 cf create-space ${SPACE} -o $ORGANIZATION
-DOMAIN=$(cf domains | grep shared | cut -d ' ' -f 1)
-cf create-domain $ORGANIZATION ${SPACE}.$DOMAIN
-
 echo "{\"version\": {\"ref\":\"$SPACE\"},\"metadata\":[]}" >&3
diff --git a/pipelines/integration.yml b/pipelines/integration.yml
index e497d93..0b6a3e3 100644
--- a/pipelines/integration.yml
+++ b/pipelines/integration.yml
@@ -10,7 +10,7 @@ resources:
 type: git
 source:
 uri: https://github.com/SteelToeOSS/steeltoe-ci.git
- branch: master
+ branch: dgodd
 - name: samples-rabbit
 type: git
 source:
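Review bot: `branch: dgodd` points the shared integration pipeline's steeltoe-ci git resource at a personal branch, which reads like a leftover from developing this patch rather than an intended change. With it in place the pipeline would fetch and run whatever that branch holds, including the new `scripts/test-security.rb`, instead of the reviewed `master`. Restore `branch: master` before this lands, or make the branch a pipeline parameter if running the pipeline from a fork is a real need.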
@@ -825,10 +825,38 @@ jobs:
 - put: cf-space
 resource: pcfdev-space
 - do:
+ - task: setup-uaa
+ config:
+ platform: linux
+ image_resource:
+ type: docker-image
+ source:
+ repository: ruby
+ inputs:
+ - name: cf-space
+ outputs:
+ - name: cf-app-login
+ run:
+ path: sh
+ args:
+ - -euxc
+ - |
+ curl -L 'https://cli.run.pivotal.io/stable?release=linux64-binary&source=github' | tar -zx -C /usr/local/bin/
+ gem install cf-uaac
+ ./cf-space/login
+ export SPACE=`cat cf-space/name`
+ uaac target uaa.pcfdev.shoetree.io --skip-ssl-validation
+ uaac token client get admin -s admin-client-secret
+ uaac contexts
+ uaac group add testgroup || true
+ uaac user add user${SPACE} --given_name Integration --family_name Test --emails test@testcloud.com --password Password1!
+ uaac member add testgroup user${SPACE}
+ uaac client add ${SPACE}TestApp --name ${SPACE}TestApp --scope cloud_controller.read,cloud_controller_service_permissions.read,openid,testgroup --authorized_grant_types authorization_code,refresh_token --authorities uaa.resource --redirect_uri http://single-signon-${SPACE}.pcfdev.shoetree.io/signin-cloudfoundry --autoapprove cloud_controller.read,cloud_controller_service_permissions.read,openid,testgroup --secret ${SPACE}TestApp
+ echo "{\"username\":\"user${SPACE}\",\"password\":\"Password1!\"}" > cf-app-login/login.json
 - task: create-service
 file: steeltoe-ci/tasks/create-service.yml
 params:
- CREATE_CUPS: 'myOAuthService -p {"client_id":"${SPACE}TestApp","client_secret":"myTestApp","uri":"uaa://login.pcfdev.shoetree.io"}'
+ CREATE_CUPS: 'myOAuthService -p {"client_id":"${SPACE}TestApp","client_secret":"${SPACE}TestApp","uri":"uaa://login.pcfdev.shoetree.io"}'
 - aggregate:
 - do:
 - task: publish-signon
@@ -845,7 +873,7 @@ jobs:
 input_mapping: {publish: publish_signon}
 params:
 STACK: cflinuxfs2
- APPNAME: singlesignon
+ APPNAME: single-signon
 - do:
 - task: publish-jwtauth
 file: steeltoe-ci/tasks/publish.yml
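Review bot: The setup-uaa script runs under `sh -euxc`, so the `-x` trace echoes every command — including `uaac token client get admin -s admin-client-secret` and the `--password Password1!` argument of `uaac user add` — into the build log, where the UAA admin secret and the test user's password become readable by anyone with log access. Those two values, plus a client secret that is just the client id (`--secret ${SPACE}TestApp`), are also hard-coded literals in the pipeline YAML rather than pipeline credentials. Consider sourcing the admin secret from a pipeline parameter (e.g. `UAA_ADMIN_SECRET` — placeholder name), generating the user password and client secret per run the way the space name already is, and replacing `-euxc` with `-euc` or wrapping the `uaac` calls in `set +x` / `set -x`. Note the `cf-app-login/login.json` output written on the last line is not listed as an input of the test-app task in the later hunk of this file, so it appears to be produced but never consumed.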
@@ -862,7 +890,8 @@ jobs:
 params:
 STACK: cflinuxfs2
 APPNAME: jwtauth
- - task: setup-uaa
+ - task: test-app
+ attempts: 5
 config:
 platform: linux
 image_resource:
@@ -870,35 +899,17 @@ jobs:
 source:
 repository: ruby
 inputs:
+ - name: steeltoe-ci
 - name: cf-space
- - name: cf-push
- outputs:
- - name: cf-app-login
 run:
 path: sh
 args:
 - -euxc
 - |
- curl -L 'https://cli.run.pivotal.io/stable?release=linux64-binary&source=github' | tar -zx -C /usr/local/bin/
- gem install cf-uaac
- ./cf-space/login
- export APP_URL=`cat cf-push/url`
 export SPACE=`cat cf-space/name`
- uaac target uaa.pcfdev.shoetree.io --skip-ssl-validation
- uaac token client get admin -s admin-client-secret
- uaac contexts
- uaac group add testgroup || true
- uaac user add user_${SPACE} --given_name Integration --family_name Test --emails test@testcloud.com --password Password1!
- uaac member add testgroup user_${SPACE}
- uaac client add ${SPACE}TestApp --name ${SPACE}TestApp --scope cloud_controller.read,cloud_controller_service_permissions.read,openid,testgroup --authorized_grant_types authorization_code,refresh_token --authorities uaa.resource --redirect_uri http://${APP_URL}/signin-cloudfoundry --autoapprove cloud_controller.read,cloud_controller_service_permissions.read,openid,testgroup --secret ${SPACE}TestApp
- echo "{\"username\":\"user_${SPACE}\",\"password\":\"Password1!\"}" > cf-app-login/login.json
- - task: test-app
- attempts: 5
- file: steeltoe-ci/tasks/test-app.yml
- params:
- PRECOND: ""
- URL_PATH: /Home/ConfigServer
- TEXT:

Property bar=spam
- # ensure:
- # task: delete-space
- # file: steeltoe-ci/tasks/delete-space.yml
+ gem install mechanize
+ ./steeltoe-ci/scripts/test-security.rb
+ ensure:
+ task: delete-space
+ file: steeltoe-ci/tasks/delete-space.yml
+ ### FIXME Also remove uaac client etc.... (from above)
diff --git a/scripts/delete-space.sh b/scripts/delete-space.sh
index 8e1bc7a..0621d43 100755
--- a/scripts/delete-space.sh
+++ b/scripts/delete-space.sh
@@ -9,9 +9,3 @@ cf services | sed '1,4d' | cut -d ' ' -f 1 | xargs -n1 cf purge-service-instance
 # Delete space
 export SPACE=`cat cf-space/name`
 cf delete-space -f $SPACE
-
-# Delete domain
-export DOMAIN=`cf domains | grep $SPACE | cut -d ' ' -f 1`
-if [-n $DOMAIN]; then
- cf delete-domain $DOMAIN -f
-fi
diff --git a/scripts/test-security.rb b/scripts/test-security.rb
new file mode 100755
index 0000000..95bf184
--- /dev/null
+++ b/scripts/test-security.rb
@@ -0,0 +1,22 @@
+#!/usr/bin/env ruby
+require 'rubygems'
+require 'mechanize'
+
+space = ENV['SPACE'] or raise 'Please specify space'
+agent = Mechanize.new
+agent.verify_mode = 0
+
+page = agent.get("http://single-signon-#{space}.pcfdev.shoetree.io/Home/InvokeJwtSample")
+page.body.match('401 (Not Authenticated)') or raise 'Should force Auth'
+page.click('Login In')
+page.form_with(action: '/login.do') do |f|
+ f.username = "user#{space}"
+ f.password = 'Password1!'
+end.submit
+page.body.match('Your About page') or raise 'Should now allow testgroup access'
+
+page.click('Contact')
+page.body.match('401 (Not Authenticated)') or raise 'Should not allow testgroup1 access'
+
+page.click('InvokeJwtSample')
+page.body.match('Some missing text - should fail') or raise 'Should allow jwt access'
diff --git a/tasks/create-service.yml b/tasks/create-service.yml
index 991c38e..6c03028 100644
--- a/tasks/create-service.yml
+++ b/tasks/create-service.yml
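Review bot: The new `ensure:` block only runs delete-space, so the UAA user, group membership and client that setup-uaa creates outlive every run with a secret equal to the client id, as the `### FIXME` line itself admits; since `ensure` takes a single step, it could become a `do:` with a second task that runs `uaac client delete ${SPACE}TestApp` and `uaac user delete user${SPACE}` after the space is gone. The test-app script also runs under `sh -euxc` and repeats an unpinned `gem install mechanize` on each of the `attempts: 5` retries; pinning the gem version (`gem install mechanize -v <VERSION>` — value to be chosen) would keep retries reproducible and avoid pulling a different release mid-pipeline. The `### FIXME` comment would be more useful if it named the exact objects to remove, e.g. `# FIXME: also delete the UAA user user${SPACE} and client ${SPACE}TestApp created by setup-uaa`.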
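Review bot: Every navigation result in test-security.rb is discarded — the value of `page.click('Login In')`, of the `.submit` on the login form and of the later `page.click` calls is never assigned back — so `page` keeps the first GET response and each later `page.body.match` inspects the original InvokeJwtSample body; none of the assertions after the first can observe the login, so the script cannot prove what its messages claim. `String#match` with a String argument also compiles it to a Regexp, so `'401 (Not Authenticated)'` becomes a capture group that never matches the literal parentheses in the page; `page.body.include?(...)` is the right check for literal text. The last expectation, `'Some missing text - should fail'`, is a deliberately failing placeholder and needs the real JWT sample output before the pipeline can rely on this script, and `agent.verify_mode = 0` disables certificate verification, which is presumably harmless here only because every URL is plain http. The rewrite below assigns each returned page and uses literal matching; the final assertion is left as is.
```ruby
page = agent.get("http://single-signon-#{space}.pcfdev.shoetree.io/Home/InvokeJwtSample")
page.body.include?('401 (Not Authenticated)') or raise 'Should force Auth'
page = page.link_with(text: 'Login In').click
page = page.form_with(action: '/login.do') do |f|
  f.username = "user#{space}"
  f.password = 'Password1!'
end.submit
page.body.include?('Your About page') or raise 'Should now allow testgroup access'

page = page.link_with(text: 'Contact').click
page.body.include?('401 (Not Authenticated)') or raise 'Should not allow testgroup1 access'

page = page.link_with(text: 'InvokeJwtSample').click
# … unchanged: final assertion, pending the real expected text …
```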
@@ -18,6 +18,5 @@ run:
 cf create-service $CREATE_SERVICE
 fi
 if [ ! -z "$CREATE_CUPS" ]; then
- export CREATE_CUPS=`echo $CREATE_CUPS | sed "s/\${SPACE}/$SPACE/"`
- cf cups $CREATE_CUPS
+ cf cups $(echo $CREATE_CUPS | sed "s/\${SPACE}/$SPACE/")
 fi
diff --git a/tasks/push-app.yml b/tasks/push-app.yml
index 5b54801..4a33c6e 100644
--- a/tasks/push-app.yml
+++ b/tasks/push-app.yml
@@ -17,6 +17,5 @@ run:
 ./cf-space/login
 export APPNAME=${APPNAME:-testapp}
 export SPACE=`cat cf-space/name`
- export DOMAIN=`cf domains | grep $SPACE | cut -d ' ' -f 1`
- cf push $APPNAME -s $STACK -f publish/manifest.yml -p publish -d $DOMAIN
+ cf push $APPNAME -s $STACK -f publish/manifest.yml -p publish --hostname $APPNAME-$SPACE
 cf app $APPNAME | grep '^urls: ' | cut -d ' ' -f 2 > cf-push/url
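Review bot: The `sed "s/\${SPACE}/$SPACE/"` on the new `cf cups` line has no `g` flag, so only the first `${SPACE}` in `$CREATE_CUPS` is substituted; the CREATE_CUPS value this patch sets in pipelines/integration.yml now contains two (`client_id` and `client_secret`), which leaves the literal text `${SPACE}TestApp` as the service's client secret and it will not match the secret given to `uaac client add`. Change it to `cf cups $(echo $CREATE_CUPS | sed "s/\${SPACE}/$SPACE/g")`. The unquoted `$(...)` also depends on word-splitting the JSON into separate `cf cups` arguments, which only works while the JSON contains no whitespace or glob characters; splitting the service name and the `-p` payload into two variables and quoting each would make that explicit.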