Added JWT handling to a1pms
Fixed issue with mounting files to docker containers
Minor follow john for ics
Issue-ID: NONRTRIC-748
Signed-off-by: BjornMagnussonXA <bjorn.magnusson@est.tech>
Change-Id: I28ef9d1e0734c70c06f4e6980b11cde56f2db372
diff --git a/test/auto-test/FTC100.sh b/test/auto-test/FTC100.sh
index 55f7d82..dfcee33 100755
--- a/test/auto-test/FTC100.sh
+++ b/test/auto-test/FTC100.sh
@@ -20,11 +20,17 @@
TC_ONELINE_DESCR="Full a1pms API walkthrough using a1pms REST/DMAAP and with/without SDNC A1 Controller"
+USE_ISTIO=1
+
#App names to include in the test when running docker, space separated list
DOCKER_INCLUDED_IMAGES="CBS CONSUL CP CR MR A1PMS RICSIM SDNC NGW KUBEPROXY"
#App names to include in the test when running kubernetes, space separated list
-KUBE_INCLUDED_IMAGES="CP CR MR A1PMS RICSIM SDNC KUBEPROXY NGW"
+if [ $USE_ISTIO -eq 0 ]; then
+ KUBE_INCLUDED_IMAGES="CP CR MR A1PMS RICSIM SDNC KUBEPROXY NGW"
+else
+ KUBE_INCLUDED_IMAGES="CP CR MR A1PMS RICSIM SDNC KUBEPROXY NGW KEYCLOAK ISTIO AUTHSIDECAR"
+fi
#Prestarted app (not started by script) to include in the test when running kubernetes, space separated list
KUBE_PRESTARTED_IMAGES=""
@@ -46,11 +52,25 @@
generate_policy_uuid
-# Tested variants of REST/DMAAP/SDNC config
-TESTED_VARIANTS="REST DMAAP REST+SDNC DMAAP+SDNC"
+if [ $USE_ISTIO -eq 0 ]; then
+ # Tested variants of REST/DMAAP/SDNC config
+ TESTED_VARIANTS="REST DMAAP REST+SDNC DMAAP+SDNC"
-#Test a1pms and simulator protocol versions (others are http only)
-TESTED_PROTOCOLS="HTTP HTTPS"
+ #Test a1pms and simulator protocol versions (others are http only)
+ TESTED_PROTOCOLS="HTTP HTTPS"
+else
+ if [ $USE_ISTIO -eq 1 ]; then
+ echo -e $RED"#########################################"$ERED
+ echo -e $RED"# No test of https when running with istio"$ERED
+ echo -e $RED"# No test of SDNC when running with istio"$ERED
+ echo -e $RED"#########################################"$ERED
+ fi
+ # Tested variants of REST/DMAAP/SDNC config
+ TESTED_VARIANTS="REST DMAAP"
+
+ #Test a1pms and simulator protocol versions (others are http only)
+ TESTED_PROTOCOLS="HTTP"
+fi
for __httpx in $TESTED_PROTOCOLS ; do
for interface in $TESTED_VARIANTS ; do
@@ -64,8 +84,80 @@
# Clean container and start all needed containers #
clean_environment
+ if [ $RUNMODE != "KUBE" ]; then
+ USE_ISTIO=0
+ echo "ISTIO not supported by docker - setting USE-ISTIO=0"
+ fi
+
+ if [ $USE_ISTIO -eq 1 ]; then
+ echo -e $RED"#########################################"$ERED
+ echo -e $RED"# Work around istio jwks cache"$ERED
+ echo -e $RED"# Cycle istiod down and up to clear cache"$ERED
+ echo ""
+ __kube_scale deployment istiod istio-system 0
+ __kube_scale deployment istiod istio-system 1
+ echo -e $RED"# Cycle istiod done"
+ echo -e $RED"#########################################"$ERED
+
+ istio_enable_istio_namespace $KUBE_SIM_NAMESPACE
+ istio_enable_istio_namespace $KUBE_NONRTRIC_NAMESPACE
+ istio_enable_istio_namespace $KUBE_A1SIM_NAMESPACE
+ fi
+
+
start_kube_proxy
+ if [ $USE_ISTIO -eq 1 ]; then
+ start_keycloak
+
+ keycloak_api_obtain_admin_token
+
+ keycloak_api_create_realm nrtrealm true 60
+ keycloak_api_create_confidential_client nrtrealm a1pmsc
+ keycloak_api_generate_client_secret nrtrealm a1pmsc
+ keycloak_api_get_client_secret nrtrealm a1pmsc
+ keycloak_api_create_client_roles nrtrealm a1pmsc nrtrole
+ keycloak_api_map_client_roles nrtrealm a1pmsc nrtrole
+
+ keycloak_api_get_client_token nrtrealm a1pmsc
+
+ CLIENT_TOKEN=$(keycloak_api_read_client_token nrtrealm a1pmsc)
+ echo "CLIENT_TOKEN: "$CLIENT_TOKEN
+
+ A1PMS_SEC=$(keycloak_api_read_client_secret nrtrealm a1pmsc)
+ echo "A1PMS_SEC: "$A1PMS_SEC
+
+ # Protect ricsim-g3
+ istio_req_auth_by_jwks ricsim-g1 $KUBE_A1SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS"
+ istio_auth_policy_by_issuer ricsim-g1 $KUBE_A1SIM_NAMESPACE KUBEPROXY
+
+ istio_req_auth_by_jwksuri ricsim-g1 $KUBE_A1SIM_NAMESPACE nrtrealm
+ istio_auth_policy_by_realm ricsim-g1 $KUBE_A1SIM_NAMESPACE nrtrealm a1pmsc nrtrole
+
+ # Protect ricsim-g2
+ istio_req_auth_by_jwks ricsim-g2 $KUBE_A1SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS"
+ istio_auth_policy_by_issuer ricsim-g2 $KUBE_A1SIM_NAMESPACE KUBEPROXY
+
+ istio_req_auth_by_jwksuri ricsim-g2 $KUBE_A1SIM_NAMESPACE nrtrealm
+ istio_auth_policy_by_realm ricsim-g2 $KUBE_A1SIM_NAMESPACE nrtrealm a1pmsc nrtrole
+
+ # Protect ricsim-g3
+ istio_req_auth_by_jwks ricsim-g3 $KUBE_A1SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS"
+ istio_auth_policy_by_issuer ricsim-g3 $KUBE_A1SIM_NAMESPACE KUBEPROXY
+
+ istio_req_auth_by_jwksuri ricsim-g3 $KUBE_A1SIM_NAMESPACE nrtrealm
+ istio_auth_policy_by_realm ricsim-g3 $KUBE_A1SIM_NAMESPACE nrtrealm a1pmsc nrtrole
+
+ # Protect CR
+ istio_req_auth_by_jwks $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS"
+ istio_auth_policy_by_issuer $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY
+
+ istio_req_auth_by_jwksuri $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
+ istio_auth_policy_by_realm $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm a1pmsc nrtrole
+
+ a1pms_configure_sec nrtrealm a1pmsc $A1PMS_SEC
+ fi
+
if [ $__httpx == "HTTPS" ]; then
use_cr_https
use_a1pms_rest_https
@@ -585,18 +677,19 @@
else
mr_equal requests_submitted 0
fi
-
- if [[ $interface = *"SDNC"* ]]; then
- sim_contains_str ricsim_g1_1 remote_hosts $SDNC_APP_NAME
- sim_contains_str ricsim_g2_1 remote_hosts $SDNC_APP_NAME
- if [ "$A1PMS_VERSION" == "V2" ]; then
- sim_contains_str ricsim_g3_1 remote_hosts $SDNC_APP_NAME
- fi
- else
- sim_contains_str ricsim_g1_1 remote_hosts $A1PMS_APP_NAME
- sim_contains_str ricsim_g2_1 remote_hosts $A1PMS_APP_NAME
- if [ "$A1PMS_VERSION" == "V2" ]; then
- sim_contains_str ricsim_g3_1 remote_hosts $A1PMS_APP_NAME
+ if [ $USE_ISTIO -eq 0 ]; then
+ if [[ $interface = *"SDNC"* ]]; then
+ sim_contains_str ricsim_g1_1 remote_hosts $SDNC_APP_NAME
+ sim_contains_str ricsim_g2_1 remote_hosts $SDNC_APP_NAME
+ if [ "$A1PMS_VERSION" == "V2" ]; then
+ sim_contains_str ricsim_g3_1 remote_hosts $SDNC_APP_NAME
+ fi
+ else
+ sim_contains_str ricsim_g1_1 remote_hosts $A1PMS_APP_NAME
+ sim_contains_str ricsim_g2_1 remote_hosts $A1PMS_APP_NAME
+ if [ "$A1PMS_VERSION" == "V2" ]; then
+ sim_contains_str ricsim_g3_1 remote_hosts $A1PMS_APP_NAME
+ fi
fi
fi
diff --git a/test/auto-test/FTC1100.sh b/test/auto-test/FTC1100.sh
index 82bb8dd..b8c3045 100755
--- a/test/auto-test/FTC1100.sh
+++ b/test/auto-test/FTC1100.sh
@@ -68,6 +68,7 @@
__kube_scale deployment istiod istio-system 1
echo -e $RED"# Cycle istiod done"
echo -e $RED"#########################################"$ERED
+ echo ""
istio_enable_istio_namespace $KUBE_SIM_NAMESPACE
istio_enable_istio_namespace $KUBE_NONRTRIC_NAMESPACE
@@ -106,6 +107,8 @@
keycloak_api_create_confidential_client nrtrealm icsc
keycloak_api_generate_client_secret nrtrealm icsc
keycloak_api_get_client_secret nrtrealm icsc
+ keycloak_api_create_client_roles nrtrealm icsc nrtrole
+ keycloak_api_map_client_roles nrtrealm icsc nrtrole
keycloak_api_get_client_token nrtrealm icsc
@@ -119,13 +122,13 @@
istio_auth_policy_by_issuer $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY
istio_req_auth_by_jwksuri $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
- istio_auth_policy_by_realm $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
+ istio_auth_policy_by_realm $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm icsc nrtrole
istio_req_auth_by_jwks $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS"
istio_auth_policy_by_issuer $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY
istio_req_auth_by_jwksuri $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
- istio_auth_policy_by_realm $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
+ istio_auth_policy_by_realm $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm icsc nrtrole
ics_configure_sec nrtrealm icsc $ICS_SEC
@@ -153,6 +156,11 @@
start_cr 1
+if [ $USE_ISTIO -eq 1 ]; then
+ echo "Sleep 120 to let istio settle - enabling istio on workloads may cause initial dns disturbances - temporary unavailable dns names"
+ sleep 120
+fi
+
CB_JOB="$PROD_STUB_SERVICE_PATH$PROD_STUB_JOB_CALLBACK"
CB_SV="$PROD_STUB_SERVICE_PATH$PROD_STUB_SUPERVISION_CALLBACK"
#Targets for ei jobs
@@ -1446,7 +1454,7 @@
ics_api_edp_put_producer_2 201 prod-ia $CB_JOB/prod-ia $CB_SV/prod-ia type101
ics_api_edp_put_producer_2 200 prod-ia $CB_JOB/prod-ia $CB_SV/prod-ia type101
-if [[ "$ICS_FEATURE_LEVEL" == *"RESP_CODE_CHANGE_1" ]]; then
+if [[ "$ICS_FEATURE_LEVEL" == *"RESP_CODE_CHANGE_1"* ]]; then
ics_api_edp_delete_type_2 409 type101
else
ics_api_edp_delete_type_2 406 type101
@@ -1966,25 +1974,44 @@
cr_equal 0 received_callbacks 12
fi
### Test of pre and post validation
+if [[ "$ICS_FEATURE_LEVEL" != *"DEFAULT_TYPE_VALIDATION"* ]]; then
+ ics_api_idc_get_type_ids 200 type1 type2 type4 type6 type101 type102 type104 type106
+ ics_api_idc_put_job 404 job150 type150 $TARGET150 info-owner-1 $INFOSTATUS150 testdata/ics/job-template.json VALIDATE
+ ics_api_idc_put_job 201 job160 type160 $TARGET160 info-owner-1 $INFOSTATUS160 testdata/ics/job-template.json
-ics_api_idc_get_type_ids 200 type1 type2 type4 type6 type101 type102 type104 type106
-ics_api_idc_put_job 404 job150 type150 $TARGET150 info-owner-1 $INFOSTATUS150 testdata/ics/job-template.json VALIDATE
-ics_api_idc_put_job 201 job160 type160 $TARGET160 info-owner-1 $INFOSTATUS160 testdata/ics/job-template.json
-ics_api_idc_get_job_status2 404 job150
-ics_api_idc_get_job_status2 200 job160 DISABLED EMPTYPROD 60
+ ics_api_idc_get_job_status2 404 job150
+ ics_api_idc_get_job_status2 200 job160 DISABLED EMPTYPROD 60
-prodstub_arm_producer 200 prod-ig
-prodstub_arm_job_create 200 prod-ig job150
-prodstub_arm_job_create 200 prod-ig job160
+ prodstub_arm_producer 200 prod-ig
+ prodstub_arm_job_create 200 prod-ig job150
+ prodstub_arm_job_create 200 prod-ig job160
-ics_api_edp_put_producer_2 201 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig NOTYPE
-ics_api_edp_get_producer_status 200 prod-ig ENABLED 360
+ ics_api_edp_put_producer_2 201 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig NOTYPE
+ ics_api_edp_get_producer_status 200 prod-ig ENABLED 360
-ics_api_edp_get_producer_2 200 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig EMPTY
+ ics_api_edp_get_producer_2 200 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig EMPTY
-ics_api_idc_get_job_status2 404 job150
-ics_api_idc_get_job_status2 200 job160 DISABLED EMPTYPROD 60
+ ics_api_idc_get_job_status2 404 job150
+ ics_api_idc_get_job_status2 200 job160 DISABLED EMPTYPROD 60
+else
+ ics_api_idc_get_type_ids 200 type1 type2 type4 type6 type101 type102 type104 type106
+ ics_api_idc_put_job 404 job150 type150 $TARGET150 info-owner-1 $INFOSTATUS150 testdata/ics/job-template.json VALIDATE
+
+ ics_api_idc_get_job_status2 404 job150
+
+ prodstub_arm_producer 200 prod-ig
+ prodstub_arm_job_create 200 prod-ig job150
+ prodstub_arm_job_create 200 prod-ig job160
+
+ ics_api_edp_put_producer_2 201 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig NOTYPE
+ ics_api_edp_get_producer_status 200 prod-ig ENABLED 360
+
+ ics_api_edp_get_producer_2 200 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig EMPTY
+
+ ics_api_idc_get_job_status2 404 job150
+ #ics_api_idc_get_job_status2 200 job160 DISABLED EMPTYPROD 60
+fi
prodstub_arm_type 200 prod-ig type160
@@ -1998,12 +2025,14 @@
ics_api_idc_put_job 404 job150 type150 $TARGET150 info-owner-1 $INFOSTATUS150 testdata/ics/job-template.json VALIDATE
ics_api_idc_get_job_status2 404 job150
-ics_api_idc_get_job_status2 200 job160 ENABLED 1 prod-ig 60
+if [[ "$ICS_FEATURE_LEVEL" != *"DEFAULT_TYPE_VALIDATION"* ]]; then
+ ics_api_idc_get_job_status2 200 job160 ENABLED 1 prod-ig 60
-prodstub_check_jobdata_3 200 prod-ig job160 type160 $TARGET160 info-owner-1 testdata/ics/job-template.json
+ prodstub_check_jobdata_3 200 prod-ig job160 type160 $TARGET160 info-owner-1 testdata/ics/job-template.json
-prodstub_equal create/prod-ig/job160 1
-prodstub_equal delete/prod-ig/job160 0
+ prodstub_equal create/prod-ig/job160 1
+ prodstub_equal delete/prod-ig/job160 0
+fi
prodstub_arm_type 200 prod-ig type150
@@ -2023,6 +2052,10 @@
ics_api_edp_get_producer_2 200 prod-ig $CB_JOB/prod-ig $CB_SV/prod-ig type160 type150
+if [[ "$ICS_FEATURE_LEVEL" == *"DEFAULT_TYPE_VALIDATION"* ]]; then
+ ics_api_idc_put_job 201 job160 type160 $TARGET160 info-owner-1 $INFOSTATUS160 testdata/ics/job-template.json
+fi
+
ics_api_idc_get_job_status2 404 job150
ics_api_idc_get_job_status2 200 job160 ENABLED 1 prod-ig
@@ -2042,7 +2075,7 @@
if [[ "$ICS_FEATURE_LEVEL" == *"TYPE-SUBSCRIPTIONS"* ]]; then
- if [[ "$ICS_FEATURE_LEVEL" == *"RESP_CODE_CHANGE_1" ]]; then
+ if [[ "$ICS_FEATURE_LEVEL" == *"RESP_CODE_CHANGE_1"* ]]; then
ics_api_edp_delete_type_2 409 type104
else
ics_api_edp_delete_type_2 406 type104
diff --git a/test/auto-test/FTC1800.sh b/test/auto-test/FTC1800.sh
index 749ba82..6e1b764 100755
--- a/test/auto-test/FTC1800.sh
+++ b/test/auto-test/FTC1800.sh
@@ -359,7 +359,7 @@
if [[ "$ICS_FEATURE_LEVEL" == *"TYPE-SUBSCRIPTIONS"* ]]; then
- ics_equal json:/data-consumer/v1/info-type-subscription 2 200
+ ics_equal json:data-consumer/v1/info-type-subscription 2 200
ics_api_idc_get_subscription_ids 200 owner1 subscription-id-1
ics_api_idc_get_subscription_ids 200 owner2 subscription-id-2
@@ -382,7 +382,7 @@
if [[ "$ICS_FEATURE_LEVEL" == *"TYPE-SUBSCRIPTIONS"* ]]; then
- ics_equal json:/data-consumer/v1/info-type-subscription 2 200
+ ics_equal json:data-consumer/v1/info-type-subscription 2 200
ics_api_idc_get_subscription_ids 200 owner1 subscription-id-1
ics_api_idc_get_subscription_ids 200 owner2 subscription-id-2
diff --git a/test/common/a1pms_api_functions.sh b/test/common/a1pms_api_functions.sh
index f539717..8a903b8 100644
--- a/test/common/a1pms_api_functions.sh
+++ b/test/common/a1pms_api_functions.sh
@@ -89,6 +89,7 @@
# args: -
__A1PMS_initial_setup() {
use_a1pms_rest_http
+ export A1PMS_SIDECAR_JWT_FILE=""
}
# Set app short-name, app name and namespace for logging runtime statistics of kubernets pods or docker containers
@@ -306,6 +307,10 @@
# Create app
input_yaml=$SIM_GROUP"/"$A1PMS_COMPOSE_DIR"/"app.yaml
output_yaml=$PWD/tmp/a1pmsapp.yaml
+ if [ -z "$A1PMS_SIDECAR_JWT_FILE" ]; then
+ cat $input_yaml | sed '/#A1PMS_JWT_START/,/#A1PMS_JWT_STOP/d' > $PWD/tmp/a1pmsapp_tmp.yaml
+ input_yaml=$PWD/tmp/a1pmsapp_tmp.yaml
+ fi
__kube_create_instance app $A1PMS_APP_NAME $input_yaml $output_yaml
fi
@@ -346,6 +351,7 @@
fi
else
echo " No files in mounted dir or dir does not exists"
+ mkdir db
fi
cd $curdir
@@ -542,7 +548,7 @@
ric_id=${ric%.*.*} #extract pod id from full hosthame
ric_id=$(echo "$ric_id" | tr '-' '_')
else
- if [ $DOCKER_COMPOSE_VERION == "V1" ]; then
+ if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then
ric_id=$ric
else
ric_id=$(echo "$ric" | tr '-' '_') #ric id still needs underscore as it is different from the container name
@@ -2380,4 +2386,17 @@
__log_test_pass
return 0
+}
+
+# args: <realm> <client-name> <client-secret>
+a1pms_configure_sec() {
+ export A1PMS_CREDS_GRANT_TYPE="client_credentials"
+ export A1PMS_CREDS_CLIENT_SECRET=$3
+ export A1PMS_CREDS_CLIENT_ID=$2
+ export A1PMS_AUTH_SERVICE_URL=$KEYCLOAK_SERVICE_PATH$KEYCLOAK_TOKEN_URL_PREFIX/$1/protocol/openid-connect/token
+ export A1PMS_SIDECAR_MOUNT="/token-cache"
+ export A1PMS_SIDECAR_JWT_FILE=$A1PMS_SIDECAR_MOUNT"/jwt.txt"
+
+ export AUTHSIDECAR_APP_NAME
+ export AUTHSIDECAR_DISPLAY_NAME
}
\ No newline at end of file
diff --git a/test/common/cr_api_functions.sh b/test/common/cr_api_functions.sh
index e80ad16..a29d010 100644
--- a/test/common/cr_api_functions.sh
+++ b/test/common/cr_api_functions.sh
@@ -122,7 +122,7 @@
CR_INSTANCE_KUBE=$(($CR_INSTANCE-1))
echo -n " CR-$CR_INSTANCE_KUBE $CR_APP_NAME-$CR_INSTANCE_KUBE $KUBE_SIM_NAMESPACE "
else
- if [ $DOCKER_COMPOSE_VERION == "V1" ]; then
+ if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then
echo -n " CR_$CR_INSTANCE ${CR_APP_NAME}_cr_$CR_INSTANCE "
else
echo -n " CR_$CR_INSTANCE ${CR_APP_NAME}-cr-$CR_INSTANCE "
@@ -171,7 +171,7 @@
for ((CR_INSTANCE=0; CR_INSTANCE<$MAX_CR_APP_COUNT; CR_INSTANCE++ )); do
CR_DOCKER_INSTANCE=$(($CR_INSTANCE+1))
# CR_SERVICE_PATH is the base path to cr
- if [ $DOCKER_COMPOSE_VERION == "V1" ]; then
+ if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then
__CR_SERVICE_PATH=$1"://"$CR_APP_NAME"_cr_"${CR_DOCKER_INSTANCE}":"$2 # docker access, container->container and script->container via proxy
else
__CR_SERVICE_PATH=$1"://"$CR_APP_NAME"-cr-"${CR_DOCKER_INSTANCE}":"$2 # docker access, container->container and script->container via proxy
@@ -299,7 +299,7 @@
app_data=""
cntr=1
while [ $cntr -le $CR_APP_COUNT ]; do
- if [ $DOCKER_COMPOSE_VERION == "V1" ]; then
+ if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then
app=$CR_APP_NAME"_cr_"$cntr
else
app=$CR_APP_NAME"-cr-"$cntr
@@ -315,7 +315,7 @@
cntr=1 #Counter for docker instance, starts on 1
cntr2=0 #Couter for env var name, starts with 0 to be compablible with kube
while [ $cntr -le $CR_APP_COUNT ]; do
- if [ $DOCKER_COMPOSE_VERION == "V1" ]; then
+ if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then
app=$CR_APP_NAME"_cr_"$cntr
else
app=$CR_APP_NAME"-cr-"$cntr
diff --git a/test/common/ics_api_functions.sh b/test/common/ics_api_functions.sh
index 2152de9..0c067ca 100644
--- a/test/common/ics_api_functions.sh
+++ b/test/common/ics_api_functions.sh
@@ -326,6 +326,7 @@
fi
else
echo " No files in mounted dir or dir does not exists"
+ mkdir db
fi
cd $curdir
diff --git a/test/common/istio_api_functions.sh b/test/common/istio_api_functions.sh
index 2afc3f9..dbbc6a5 100644
--- a/test/common/istio_api_functions.sh
+++ b/test/common/istio_api_functions.sh
@@ -69,6 +69,11 @@
# This function is called for apps managed by the test script.
__ISTIO_kube_delete_all() {
__kube_delete_all_resources $KUBE_NONRTRIC_NAMESPACE autotest ISTIO
+ __kube_delete_all_resources $KUBE_A1SIM_NAMESPACE autotest ISTIO
+ __kube_delete_all_resources $KUBE_ONAP_NAMESPACE autotest ISTIO
+ __kube_delete_all_resources $KUBE_KEYCLOAK_NAMESPACE autotest ISTIO
+ __kube_delete_all_resources $KUBE_SDNC_NAMESPACE autotest ISTIO
+ __kube_delete_all_resources $KUBE_SIM_NAMESPACE autotest ISTIO
}
# Store docker logs
@@ -189,11 +194,11 @@
}
# Authorization policy - by realm
-# args: <app> <namespace> <realam>
+# args: <app> <namespace> <realam> [<client-id> <client-role>]
istio_auth_policy_by_realm() {
__log_conf_start $@
- if [ $# -ne 3 ]; then
- __print_err "<app> <namespace> <realam>" $@
+ if [ $# -ne 3 ] && [ $# -ne 5 ]; then
+ __print_err "<app> <namespace> <realam> [<client-id> <client-role>]" $@
return 1
fi
name="ap-realm-"$3"-"$1"-"$2
@@ -208,6 +213,17 @@
__log_conf_fail_general "Cannot substitute yaml: $inputfile"
return 1
fi
+ if [ $# -gt 3 ]; then
+ export ISTIO_TEMPLATE_REPLACE_AP_CLIENT=$4
+ export ISTIO_TEMPLATE_REPLACE_AP_ROLE=$5
+ inputfile=$SIM_GROUP/$ISTIO_COMPOSE_DIR/ap-role-snippet.yaml
+ envsubst < $inputfile >> $outputfile
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general "Cannot substitute yaml: $inputfile"
+ return 1
+ fi
+ fi
+
kubectl $KUBECONF apply -f $outputfile &> tmp/kubeerr
if [ $? -ne 0 ]; then
__log_conf_fail_general "Cannot apply yaml: $outputfile"
diff --git a/test/common/keycloak_api_functions.sh b/test/common/keycloak_api_functions.sh
index 828dcb3..7f49595 100644
--- a/test/common/keycloak_api_functions.sh
+++ b/test/common/keycloak_api_functions.sh
@@ -280,41 +280,6 @@
return 0
}
-# # Excute a curl cmd towards the keycloak and check the response code is 2XX.
-# # args: <command-file>
-# # resp: <returned-payload> if return code is 0 otherwise <error-info>
-# __execute_curl_to_keycloak2() {
-
-# # TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
-# # echo "(${BASH_LINENO[0]}) - ${TIMESTAMP}: ${FUNCNAME[0]}" $@ >> $HTTPLOG
-# proxyflag=""
-# if [ ! -z "$KUBE_PROXY_PATH" ]; then
-# if [ $KUBE_PROXY_HTTPX == "http" ]; then
-# proxyflag=" --proxy $KUBE_PROXY_PATH"
-# else
-# proxyflag=" --proxy-insecure --proxy $KUBE_PROXY_PATH"
-# fi
-# fi
-# __cmd="curl -skw %{http_code} $proxyflag "$(< $1)
-# echo " CMD: $__cmd" >> $HTTPLOG
-# res=$(curl -skw %{http_code} $proxyflag $(< $1))
-# echo " RESP: $res" >> $HTTPLOG
-# retcode=$?
-# if [ $retcode -ne 0 ]; then
-# __log_conf_fail_general " Fatal error when executing curl, response: "$retcode
-# echo "$res"
-# return 1
-# fi
-# status=${res:${#res}-3}
-# if [ $status -lt 200 ] && [ $status -gt 299 ]; then
-# __log_conf_fail_status_code "2XX" $status
-# echo "$res"
-# return 1
-# fi
-# echo ${res:0:${#res}-3}
-# return 0
-# }
-
# Excute a curl cmd towards the keycloak and check the response code is 2XX.
# args: <operation> <url> <token> <json>
# resp: <returned-payload> if return code is 0 otherwise <error-info>
@@ -464,11 +429,11 @@
TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
echo "(${BASH_LINENO[0]}) - ${TIMESTAMP}: ${FUNCNAME[0]}" $@ >> $HTTPLOG
- res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/clients$2/service-account-user" "$__KEYCLOAK_ADMIN_TOKEN")
+ res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/clients/$2/service-account-user" "$__KEYCLOAK_ADMIN_TOKEN")
if [ $? -ne 0 ]; then
return 1
fi
- echo $res | jq -r '.[0].id'
+ echo $res | jq -r '.id'
return 0
}
@@ -543,6 +508,75 @@
return 0
}
+# Get client role id
+# args: <realm-name> <service-account-name> <client-name> <role-name>
+__get_client_available_role_id() {
+ res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/users/$2/role-mappings/clients/$3/available" "$__KEYCLOAK_ADMIN_TOKEN")
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting availiable client role id, response: "$?
+ return 1
+ fi
+ __client_role_id=$(echo $res | jq -r '.[] | select(.name=="'$4'") | .id ')
+ echo $__client_role_id
+ return 0
+}
+
+# Map roles to a client
+# args: <realm-name> <client-name> <role>+
+keycloak_api_map_client_roles() {
+ __log_conf_start $@
+ __c_id=$(__keycloak_api_get_client_id $1 $2)
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting client id, response: "$?
+ return 1
+ fi
+ __sa_id=$(__keycloak_api_get_service_account_id $1 $__c_id)
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting service account id, response: "$?
+ return 1
+ fi
+ __realm=$1
+ shift; shift;
+ __json="["
+ __cntr=0
+ while [ $# -gt 0 ]; do
+ __client_role_id=$(__get_client_available_role_id $__realm $__sa_id $__c_id $1)
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting client role id, response: "$?
+ return 1
+ fi
+ __role='{"name":"'$1'","id":"'$__client_role_id'","composite": false,"clientRole": true}'
+ if [ $__cntr -gt 0 ]; then
+ __json=$__json","
+ fi
+ __json=$__json$__role
+ let __cntr=__cntr+1
+ shift
+ done
+ __json=$__json"]"
+
+ res=$(__execute_curl_to_keycloak2 POST "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$__realm/users/$__sa_id/role-mappings/clients/$__c_id" "$__KEYCLOAK_ADMIN_TOKEN" "$__json")
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when mapping client roles, response: "$?
+ return 1
+ fi
+
+
+
+
+ # while [ $# -gt 0 ]; do
+ # __json='{"name":"'$1'"}'
+ # res=$(__execute_curl_to_keycloak2 POST "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$__realm/clients/$__c_id/roles" "$__KEYCLOAK_ADMIN_TOKEN" "$__json")
+ # if [ $? -ne 0 ]; then
+ # __log_conf_fail_general " Fatal error when adding client role, response: "$?
+ # return 1
+ # fi
+ # shift
+ # done
+ __log_conf_ok
+ return 0
+}
+
# Get a client token
# args: <realm-name> <client-name>
keycloak_api_get_client_token() {
diff --git a/test/common/ricsim_api_functions.sh b/test/common/ricsim_api_functions.sh
index b8af532..d71d11a 100644
--- a/test/common/ricsim_api_functions.sh
+++ b/test/common/ricsim_api_functions.sh
@@ -103,7 +103,7 @@
echo -n " RICSIM_G2_$RICSIM_INSTANCE_KUBE ${RIC_SIM_PREFIX}-g2-$RICSIM_INSTANCE_KUBE $KUBE_A1SIM_NAMESPACE "
echo -n " RICSIM_G3_$RICSIM_INSTANCE_KUBE ${RIC_SIM_PREFIX}-g3-$RICSIM_INSTANCE_KUBE $KUBE_A1SIM_NAMESPACE "
else
- if [ $DOCKER_COMPOSE_VERION == "V1" ]; then
+ if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then
echo -n " RICSIM_G1_$RICSIM_INSTANCE ${RIC_SIM_PREFIX}_g1_$RICSIM_INSTANCE "
echo -n " RICSIM_G2_$RICSIM_INSTANCE ${RIC_SIM_PREFIX}_g2_$RICSIM_INSTANCE "
echo -n " RICSIM_G3_$RICSIM_INSTANCE ${RIC_SIM_PREFIX}_g3_$RICSIM_INSTANCE "
@@ -294,7 +294,7 @@
# <ricsim-prefix>-<service-name>-<index>
app_data=""
cntr=1
- if [ $DOCKER_COMPOSE_VERION == "V1" ]; then
+ if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then
app_name_prefix=$RIC_SIM_PREFIX"_"$RICSIM_COMPOSE_SERVICE_NAME"_"
else
app_name_prefix=$RIC_SIM_PREFIX"-"$RICSIM_COMPOSE_SERVICE_NAME"-"
@@ -309,7 +309,7 @@
cntr=1
while [ $cntr -le $2 ]; do
- if [ $DOCKER_COMPOSE_VERION == "V1" ]; then
+ if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then
app=$RIC_SIM_PREFIX"_"$RICSIM_COMPOSE_SERVICE_NAME"_"$cntr
else
app=$RIC_SIM_PREFIX"-"$RICSIM_COMPOSE_SERVICE_NAME"-"$cntr
@@ -347,7 +347,7 @@
fi
echo $RIC_SIM_HTTPX"://"$ricname.$ric_setname.$KUBE_A1SIM_NAMESPACE":"$RIC_SIM_PORT
else
- if [ $DOCKER_COMPOSE_VERION == "V1" ]; then
+ if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then
echo $RIC_SIM_HTTPX"://"$1":"$RIC_SIM_PORT
else
ricname=$(echo "$1" | tr '_' '-')
@@ -376,8 +376,14 @@
proxyflag=" --proxy-insecure --proxy $KUBE_PROXY_PATH"
fi
fi
- echo " CMD: $2 $proxyflag" >> $HTTPLOG
- res="$($2 $proxyflag)"
+ if [ -z "$KUBE_PROXY_CURL_JWT" ]; then
+ echo " CMD: $2 $proxyflag" >> $HTTPLOG
+ res="$($2 $proxyflag)"
+ else
+ echo " CMD: $2 $proxyflag -H Authorization: Bearer $KUBE_PROXY_CURL_JWT" >> $HTTPLOG
+ res=$($2 $proxyflag -H 'Authorization: Bearer '$KUBE_PROXY_CURL_JWT)
+ fi
+
echo " RESP: $res" >> $HTTPLOG
retcode=$?
if [ $retcode -ne 0 ]; then
diff --git a/test/common/test_env-oran-f-release.sh b/test/common/test_env-oran-f-release.sh
index 85f4764..da8a5db 100755
--- a/test/common/test_env-oran-f-release.sh
+++ b/test/common/test_env-oran-f-release.sh
@@ -298,7 +298,7 @@
ICS_CONFIG_MOUNT_PATH=/opt/app/information-coordinator-service/config # Internal container path for configuration
ICS_CONFIG_FILE=application.yaml # Config file name
ICS_VERSION="V1-2" # Version where the types are decoupled from the producer registration
-ICS_FEATURE_LEVEL="INFO-TYPES TYPE-SUBSCRIPTIONS INFO-TYPE-INFO RESP_CODE_CHANGE_1" # Space separated list of features
+ICS_FEATURE_LEVEL="INFO-TYPES TYPE-SUBSCRIPTIONS INFO-TYPE-INFO RESP_CODE_CHANGE_1 DEFAULT_TYPE_VALIDATION" # Space separated list of features
MR_DMAAP_APP_NAME="message-router" # Name for the Dmaap MR
MR_STUB_APP_NAME="mr-stub" # Name of the MR stub
diff --git a/test/common/testcase_common.sh b/test/common/testcase_common.sh
index 78f27fd..47d8ced 100755
--- a/test/common/testcase_common.sh
+++ b/test/common/testcase_common.sh
@@ -135,7 +135,7 @@
#Var to indicate docker-compose version, V1 or V2
#V1 names replicated containers <proj-name>_<service-name>_<index>
#V2 names replicated containers <proj-name>-<service-name>-<index>
-DOCKER_COMPOSE_VERION="V1"
+DOCKER_COMPOSE_VERSION="V1"
# Function to indent cmd output with one space
indent1() { sed 's/^/ /'; }
@@ -1120,7 +1120,7 @@
tmp=$(docker-compose version)
echo " docker-compose installed and using version $tmp"
if [[ "$tmp" == *'v2'* ]]; then
- DOCKER_COMPOSE_VERION="V2"
+ DOCKER_COMPOSE_VERSION="V2"
fi
fi
fi
@@ -2731,6 +2731,17 @@
fi
done
+ # Remove istio label on namespaces
+ test_env_namespaces=$(kubectl $KUBECONF get ns --no-headers -o custom-columns=":metadata.name" -l autotest=engine -l istio-injection=enabled) #Get list of ns created by the test env
+ if [ $? -ne 0 ]; then
+ echo " Cannot get list of namespaces...continues.."
+ else
+ for test_env_ns in $test_env_namespaces; do
+ echo " Removing istio label on ns: "$test_env_ns
+ __kube_label_non_ns_instance ns $test_env_ns "istio-injection-"
+ done
+ fi
+
echo ""
}
@@ -2853,7 +2864,7 @@
envsubst < $compose_file > "gen_"$compose_file
compose_file="gen_"$compose_file
- if [ $DOCKER_COMPOSE_VERION == "V1" ]; then
+ if [ $DOCKER_COMPOSE_VERSION == "V1" ]; then
docker_compose_cmd="docker-compose"
else
docker_compose_cmd="docker compose"
diff --git a/test/http-https-proxy/http_proxy.js b/test/http-https-proxy/http_proxy.js
index 0bab052..e90dfca 100644
--- a/test/http-https-proxy/http_proxy.js
+++ b/test/http-https-proxy/http_proxy.js
@@ -77,7 +77,7 @@
if (crproto != undefined) {
crurl=crproto+"://"+crhost+crurl
if (debug) {
- console.log(" Constructed ulr: "+crurl)
+ console.log(" Constructed url: "+crurl)
}
} else if (crurl.startsWith('/')) {
console.log("Catched bad url in http request: "+crurl)
diff --git a/test/simulator-group/a1pms/app.yaml b/test/simulator-group/a1pms/app.yaml
index b53f22a..11dad9b 100644
--- a/test/simulator-group/a1pms/app.yaml
+++ b/test/simulator-group/a1pms/app.yaml
@@ -36,6 +36,29 @@
name: a1pms-pv-data-name
- mountPath: $A1PMS_DATA_MOUNT_PATH
name: a1pms-data-name
+#A1PMS_JWT_START
+ - mountPath: $A1PMS_SIDECAR_MOUNT
+ name: token-cache-volume
+#A1PMS_JWT_STOP
+#A1PMS_JWT_START
+ - name: $AUTHSIDECAR_APP_NAME
+ image: $AUTHSIDECAR_IMAGE
+ imagePullPolicy: $KUBE_IMAGE_PULL_POLICY
+ env:
+ - name: CREDS_GRANT_TYPE
+ value: $A1PMS_CREDS_GRANT_TYPE
+ - name: CREDS_CLIENT_SECRET
+ value: $A1PMS_CREDS_CLIENT_SECRET
+ - name: CREDS_CLIENT_ID
+ value: $A1PMS_CREDS_CLIENT_ID
+ - name: OUTPUT_FILE
+ value: $A1PMS_SIDECAR_JWT_FILE
+ - name: AUTH_SERVICE_URL
+ value: $A1PMS_AUTH_SERVICE_URL
+ volumeMounts:
+ - mountPath: $A1PMS_SIDECAR_MOUNT
+ name: token-cache-volume
+#A1PMS_JWT_STOP
volumes:
- configMap:
defaultMode: 420
@@ -48,6 +71,10 @@
- persistentVolumeClaim:
claimName: $A1PMS_DATA_PVC_NAME
name: a1pms-pv-data-name
+#A1PMS_JWT_START
+ - name: token-cache-volume
+ emptyDir: {}
+#A1PMS_JWT_STOP
# Selector will be set when pod is started first time
nodeSelector:
diff --git a/test/simulator-group/a1pms/application.yaml b/test/simulator-group/a1pms/application.yaml
index b9286b6..a3530b7 100644
--- a/test/simulator-group/a1pms/application.yaml
+++ b/test/simulator-group/a1pms/application.yaml
@@ -69,3 +69,4 @@
http.proxy-host: $A1PMS_HTTP_PROXY_CONFIG_HOST_NAME
http.proxy-port: $A1PMS_HTTP_PROXY_CONFIG_PORT
http.proxy-type: HTTP
+ auth-token-file: $A1PMS_SIDECAR_JWT_FILE
\ No newline at end of file
diff --git a/test/simulator-group/a1pms/application2.yaml b/test/simulator-group/a1pms/application2.yaml
index 18a92e0..05ee278 100644
--- a/test/simulator-group/a1pms/application2.yaml
+++ b/test/simulator-group/a1pms/application2.yaml
@@ -69,3 +69,4 @@
http.proxy-host: $A1PMS_HTTP_PROXY_CONFIG_HOST_NAME
http.proxy-port: $A1PMS_HTTP_PROXY_CONFIG_PORT
http.proxy-type: HTTP
+ auth-token-file: $A1PMS_SIDECAR_JWT_FILE
\ No newline at end of file
diff --git a/test/simulator-group/a1pms/mnt/.gitignore b/test/simulator-group/a1pms/mnt/.gitignore
new file mode 100644
index 0000000..beb0d9b
--- /dev/null
+++ b/test/simulator-group/a1pms/mnt/.gitignore
@@ -0,0 +1,18 @@
+################################################################################
+# Copyright (c) 2021 Nordix Foundation. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+*
+!.gitignore
+!db
diff --git a/test/simulator-group/control_panel/mnt/.gitignore b/test/simulator-group/control_panel/mnt/.gitignore
index 72e8ffc..2aac55e 100644
--- a/test/simulator-group/control_panel/mnt/.gitignore
+++ b/test/simulator-group/control_panel/mnt/.gitignore
@@ -1 +1,17 @@
+################################################################################
+# Copyright (c) 2022 Nordix Foundation. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
*
+!.gitignore
diff --git a/test/simulator-group/ics/mnt/.gitignore b/test/simulator-group/ics/mnt/.gitignore
index b94353c..f27872e 100644
--- a/test/simulator-group/ics/mnt/.gitignore
+++ b/test/simulator-group/ics/mnt/.gitignore
@@ -1,5 +1,5 @@
################################################################################
-# Copyright (c) 2021 Nordix Foundation. #
+# Copyright (c) 2022 Nordix Foundation. #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); #
# you may not use this file except in compliance with the License. #
@@ -14,4 +14,5 @@
# limitations under the License. #
################################################################################
*
-!.gitignore
\ No newline at end of file
+!.gitignore
+!db
diff --git a/test/simulator-group/istio/ap-role-snippet.yaml b/test/simulator-group/istio/ap-role-snippet.yaml
new file mode 100644
index 0000000..0107a4f
--- /dev/null
+++ b/test/simulator-group/istio/ap-role-snippet.yaml
@@ -0,0 +1,3 @@
+ when:
+ - key: request.auth.claims[resource_access][${ISTIO_TEMPLATE_REPLACE_AP_CLIENT}][roles]
+ values: ["${ISTIO_TEMPLATE_REPLACE_AP_ROLE}"]
diff --git a/test/simulator-group/ngw/mnt/.gitignore b/test/simulator-group/ngw/mnt/.gitignore
index 72e8ffc..2aac55e 100644
--- a/test/simulator-group/ngw/mnt/.gitignore
+++ b/test/simulator-group/ngw/mnt/.gitignore
@@ -1 +1,17 @@
+################################################################################
+# Copyright (c) 2022 Nordix Foundation. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
*
+!.gitignore