Test with assume role with web identity for data accessor

Issue: ZENKO-4871
scality · Aug 28, 2024 · fe84799 · fe84799
1 parent 4c2ee0a
commit fe84799
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 6 deletions.
diff --git a/.github/scripts/end2end/configs/keycloak_config.json b/.github/scripts/end2end/configs/keycloak_config.json
@@ -2,6 +2,14 @@
   "realm" : "${OIDC_REALM}",
   "enabled" : true,
   "groups" : [
+    {
+      "name": "AccountTest::DataAccessor",
+      "path": "/AccountTest::DataAccessor",
+      "attributes": {},
+      "realmRoles": [],
+      "clientRoles": {},
+      "subGroups": []
+    },
     {
       "name": "AccountTest::DataConsumer",
       "path": "/AccountTest::DataConsumer",

diff --git a/.github/scripts/end2end/deploy-zenko.sh b/.github/scripts/end2end/deploy-zenko.sh
@@ -37,7 +37,8 @@ else
 fi
 
 # TODO: use kustomize
-export ZENKO_ANNOTATIONS="annotations:"
+export ZENKO_ANNOTATIONS="annotations:
+    vault.scality/data-accessor: 'true'"
 export ZENKO_MONGODB_ENDPOINT="data-db-mongodb-sharded.default.svc.cluster.local:27017"
 export ZENKO_MONGODB_CONFIG="writeConcern: 'majority'
     enableSharding: true"

diff --git a/.github/scripts/end2end/run-e2e-ctst.sh b/.github/scripts/end2end/run-e2e-ctst.sh
@@ -22,6 +22,7 @@ ADMIN_PRA_SECRET_ACCESS_KEY=$(kubectl get secret end2end-pra-management-vault-ad
 STORAGE_MANAGER_USER_NAME="ctst_storage_manager"
 STORAGE_ACCOUNT_OWNER_USER_NAME="ctst_storage_account_owner"
 DATA_CONSUMER_USER_NAME="ctst_data_consumer"
+DATA_ACCESSOR_USER_NAME="ctst_data_accessor"
 VAULT_AUTH_HOST="${ZENKO_NAME}-connector-vault-auth-api.default.svc.cluster.local"
 ZENKO_PORT="80"
 KEYCLOAK_TEST_PASSWORD=${OIDC_PASSWORD}
@@ -79,6 +80,7 @@ WORLD_PARAMETERS="$(jq -c <<EOF
   "StorageManagerUsername":"${STORAGE_MANAGER_USER_NAME}",
   "StorageAccountOwnerUsername":"${STORAGE_ACCOUNT_OWNER_USER_NAME}",
   "DataConsumerUsername":"${DATA_CONSUMER_USER_NAME}",
+  "DataAccessorUsername":"${DATA_ACCESSOR_USER_NAME}",
   "ServiceUsersCredentials":${SERVICE_USERS_CREDENTIALS},
   "InstanceID":"${INSTANCE_ID}",
   "KafkaCleanerInterval":"${KAFKA_CLEANER_INTERVAL}",
@@ -105,7 +107,7 @@ docker run \
     --rm \
     --network=host \
     "${E2E_IMAGE}" /bin/bash \
-    -c "SUBDOMAIN=${SUBDOMAIN} CONTROL_PLANE_INGRESS_ENDPOINT=${OIDC_ENDPOINT} ACCOUNT=${ZENKO_ACCOUNT_NAME} KEYCLOAK_REALM=${KEYCLOAK_TEST_REALM_NAME} STORAGE_MANAGER=${STORAGE_MANAGER_USER_NAME} STORAGE_ACCOUNT_OWNER=${STORAGE_ACCOUNT_OWNER_USER_NAME} DATA_CONSUMER=${DATA_CONSUMER_USER_NAME} /ctst/bin/seedKeycloak.sh"; [[ $? -eq 1 ]] && exit 1 || echo 'Keycloak Configured!'
+    -c "SUBDOMAIN=${SUBDOMAIN} CONTROL_PLANE_INGRESS_ENDPOINT=${OIDC_ENDPOINT} ACCOUNT=${ZENKO_ACCOUNT_NAME} KEYCLOAK_REALM=${KEYCLOAK_TEST_REALM_NAME} STORAGE_MANAGER=${STORAGE_MANAGER_USER_NAME} STORAGE_ACCOUNT_OWNER=${STORAGE_ACCOUNT_OWNER_USER_NAME} DATA_CONSUMER=${DATA_CONSUMER_USER_NAME} DATA_ACCESSOR=${DATA_ACCESSOR_USER_NAME} /ctst/bin/seedKeycloak.sh"; [[ $? -eq 1 ]] && exit 1 || echo 'Keycloak Configured!'
 
 # Grant access to Kube API (insecure, only for testing)
 kubectl create clusterrolebinding serviceaccounts-cluster-admin \

diff --git a/tests/ctst/features/pra.feature b/tests/ctst/features/pra.feature
@@ -22,6 +22,10 @@ Feature: PRA operations
 
     # Check that objects are transitioned in the DR site
     Given access keys for the replicated account
+
+    When the user tries to perform PutObject on "DR" site
+    Then it "should not" pass Vault authentication
+
     Then object "obj-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site
     And object "obj-2" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site
 
@@ -35,9 +39,6 @@ Feature: PRA operations
     Then object "obj-1" should "" be "restored" and have the storage class "e2e-cold" on "Primary" site
     And object "obj-1" should "" be "transitioned" and have the storage class "e2e-cold" on "DR" site
 
-    When the user tries to perform PutObject on "DR" site
-    Then it "should not" pass Vault authentication
-
     # Uninstall DR
     #When I uninstall DR
     #Then the DR custom resources should be deleted

diff --git a/tests/ctst/steps/pra.ts b/tests/ctst/steps/pra.ts
@@ -15,6 +15,7 @@ import {
 import { Constants, Identity, IdentityEnum, S3, SuperAdmin, Utils } from 'cli-testing';
 import { safeJsonParse } from 'common/utils';
 import assert from 'assert';
+import { EntityType } from 'world/Zenko';
 
 enum ZenkoDrSinkPhases {
     ZenkoDRSinkPhaseNew = 'New',
@@ -277,6 +278,10 @@ When('the user tries to perform PutObject on {string} site', async function (thi
         Identity.useIdentity(IdentityEnum.ACCOUNT, Zenko.sites['source'].accountName);
     }
     this.resetCommand();
+    this.addToSaved('accountName', Zenko.sites['source'].accountName);
+
+    await this.setupEntity(EntityType.DATA_ACCESSOR);
+
     const preName = this.getSaved<string>('accountName') ||
         this.parameters.AccountName || Constants.ACCOUNT_NAME;
 

diff --git a/tests/ctst/world/Zenko.ts b/tests/ctst/world/Zenko.ts
@@ -37,6 +37,7 @@ export enum EntityType {
     STORAGE_MANAGER = 'STORAGE_MANAGER',
     STORAGE_ACCOUNT_OWNER = 'STORAGE_ACCOUNT_OWNER',
     DATA_CONSUMER = 'DATA_CONSUMER',
+    DATA_ACCESSOR = 'DATA_ACCESSOR',
     ASSUME_ROLE_USER = 'ASSUME_ROLE_USER',
     ASSUME_ROLE_USER_CROSS_ACCOUNT = 'ASSUME_ROLE_USER_CROSS_ACCOUNT',
 }
@@ -66,6 +67,7 @@ export interface ZenkoWorldParameters extends ClientOptions {
     StorageManagerUsername: string;
     StorageAccountOwnerUsername: string;
     DataConsumerUsername: string;
+    DataAccessorUsername: string;
     ServiceUsersCredentials: string;
     KeycloakTestPassword: string;
     AzureAccountName: string;
@@ -221,7 +223,7 @@ export default class Zenko extends World<ZenkoWorldParameters> {
      * entity provided to let the test run the AWS CLI command using this particular
      * type of entity.
      * @param {ScenarioCallerType} entityType - type of entity, can be 'account', 'storage manager',
-     * 'storage account owner', 'data consumer' or 'iam user'
+     * 'storage account owner', 'data consumer', 'data accessor' or 'iam user'
      * @returns {undefined}
      */
     async setupEntity(entityType: string): Promise<void> {
@@ -246,6 +248,10 @@ export default class Zenko extends World<ZenkoWorldParameters> {
             await this.prepareARWWI(this.parameters.DataConsumerUsername || 'data_consumer',
                 'data-consumer-role', this.parameters.KeycloakTestPassword);
             break;
+        case EntityType.DATA_ACCESSOR:
+            await this.prepareARWWI(this.parameters.DataAccessorUsername || 'data_accessor',
+                'data-accessor-role', this.parameters.KeycloakTestPassword);
+            break;
         case EntityType.ASSUME_ROLE_USER:
             await this.prepareAssumeRole(false);
             break;