feat: enable acceptance tests with OrgManager role#922
Open
bonzofenix wants to merge 52 commits intocf-clifrom
Open
feat: enable acceptance tests with OrgManager role#922bonzofenix wants to merge 52 commits intocf-clifrom
bonzofenix wants to merge 52 commits intocf-clifrom
Conversation
The tests were failing because newly created test spaces didn't have service visibility, even though service access was enabled at the org level. cf-test-helpers needs to explicitly enable service access for each new test space it creates. Changed SKIP_SERVICE_ACCESS_MANAGEMENT from true to false so that cf-test-helpers will run 'cf enable-service-access' for each test space, making the service visible to the OrgManager test user.
Change from 'cf enable-service-access <service> -o <org>' to 'cf enable-service-access <service>' to make the service visible globally across all orgs and spaces. This fixes the issue where new test spaces couldn't see the service even though it was enabled for the organization. Global visibility ensures all spaces (including newly created ones) can access the service broker without requiring OrgManager to run enable-service-access commands (which they don't have permission for).
Authenticate as the OrgManager user before trying to enable service access globally. This will fail if OrgManager doesn't have sufficient permissions, telling us whether this approach works in environments without admin access during test execution.
- Removed service access logic from setup-acceptance-user.sh - Created new enable-service-access.sh script - Added workflow step to enable service access AFTER broker registration This fixes the timing issue where we tried to enable service access before the service broker was registered. Now: 1. Setup user (create user, assign OrgManager role) 2. Deploy and register service broker 3. Enable service access as OrgManager user 4. Run tests
Moved gh pr checks permission to global settings. Co-Authored-By: Claude <noreply@anthropic.com>
Changed approach: - Script now runs as admin (not OrgManager) - Removed username/password parameters - Admin enables service access globally after registering broker - Tests run with OrgManager and SKIP_SERVICE_ACCESS_MANAGEMENT=true This follows the constraint: admin used only during setup/deployment, OrgManager used for test execution.
Set add_existing_user_to_existing_space=true to ensure cf-test-helpers assigns SpaceDeveloper role to the OrgManager user in newly created test spaces. OrgManagers can create spaces but don't automatically get space-level roles needed to push apps. Co-Authored-By: Claude <noreply@anthropic.com>
Merge setup scripts and simplify password handling: - Update setup-acceptance-user.sh to retrieve password from CredHub (not passed as parameter) - Add CREDHUB_TEST_USER_PASSWORD_PATH to vars.source.sh for consistent path reference - Remove setup-test-user-and-env.sh (functionality merged into setup-acceptance-user.sh) - Deploy job: Create user and store password in CredHub - Acceptance tests job: Retrieve password from CredHub and set environment variables This provides a clean separation: - User setup happens in deploy job with admin credentials - Test execution uses CredHub to retrieve password - No environment variable exports in setup script (done in test job) Co-Authored-By: Claude <noreply@anthropic.com>
bonzofenix
changed the title
Changes: - Add autoscaler_test_user_password to secrets template interpolated from CredHub - Read AUTOSCALER_TEST_PASSWORD using yq from secrets file instead of environment variable - Remove admin fallback - AUTOSCALER_TEST_USER must be explicitly set - Default EXISTING_USER to AUTOSCALER_TEST_USER - Default EXISTING_USER_PASSWORD to AUTOSCALER_TEST_PASSWORD This centralizes credential management in CredHub and removes hardcoded admin fallbacks. Co-Authored-By: Claude <noreply@anthropic.com>
The setup script was storing the password at autoscaler_test_password while the build script expected it at test_user_password, causing deployment failures during credhub interpolation. Co-Authored-By: Claude <noreply@anthropic.com>
bonzofenix
force-pushed
the
fixed-acceptance-test-org
branch
from
2dc3038 to
5b0f8e1
Compare
…e.sh The acceptance tests were failing because USE_EXISTING_ORGANIZATION was defaulting to false when building the extension file. This caused cf-test-helpers to attempt creating org quotas, which requires admin privileges that the OrgManager test user doesn't have. With this fix: - USE_EXISTING_ORGANIZATION defaults to true - EXISTING_ORGANIZATION defaults to AUTOSCALER_ORG - Tests will use the existing org's quota instead of creating new ones - OrgManager permissions are sufficient (only creates spaces, not quotas) Root cause: build-extension-file.sh runs during deploy step before the acceptance_tests job sets environment variables, so defaults matter. Co-Authored-By: Claude <noreply@anthropic.com>
The acceptance tests were failing with user creation permission errors because USE_EXISTING_USER was defaulting to false. This caused cf-test-helpers to attempt creating new users, which requires admin privileges that the OrgManager test user doesn't have. With this fix: - USE_EXISTING_USER defaults to true - Tests will reuse the existing acceptance-test-user - No user creation is attempted - OrgManager permissions are sufficient This is the second part of the OrgManager permissions fix. The first part fixed USE_EXISTING_ORGANIZATION to skip quota creation. Co-Authored-By: Claude <noreply@anthropic.com>
Contributor
Author
Added Password Grant Support for Scaling Engine and OperatorThis change enables the scaling engine and operator components to authenticate to Cloud Foundry using the acceptance test user credentials (username/password) instead of a UAA client. ChangesCF Client (
Deployment Configuration (
Tests (
Backward Compatibility
|
bonzofenix
force-pushed
the
fixed-acceptance-test-org
branch
from
cde38d3 to
eab0a1f
Compare
Integrates the go-cfclient refactoring with password grant support: - CF client now uses go-cfclient library wrapper - Added password grant support via config.UserPassword option - Removed old custom CF client implementation - Regenerated fakes for new interface signatures Co-Authored-By: Claude <noreply@anthropic.com>
- Add test for password grant with explicit client_id preservation - Add test for CFClientWrapper creation with password grant Co-Authored-By: Claude <noreply@anthropic.com>
…nager - Extract security group setup from mta-deploy.sh into separate scripts/set-security-group.sh with dedicated `make set-security-group` target - Remove metricsforwarder/Makefile (security group logic moved to new script) - Security group is now space-scoped instead of global - Rename cf_login to cf_admin_login to allow for future org manager login - Rename AUTOSCALER_TEST_USER to AUTOSCALER_ORG_MANAGER_USER - Rename AUTOSCALER_TEST_PASSWORD to AUTOSCALER_ORG_MANAGER_PASSWORD - Simplify setup-acceptance-user.sh to delete and recreate user for idempotency Co-Authored-By: Claude <noreply@anthropic.com>
Contributor
Author
Refactoring: Security Group Setup & User RenamingChanges in this commit:Security Group Extraction:
CF Login Refactoring:
User Variable Renaming:
Simplified User Setup:
|
…tion - Add cf_login function for org manager authentication (separate from cf_admin_login) - Setup org manager user with SpaceManager + SpaceDeveloper roles for MTA deployments - Register service broker as space-scoped (allows non-admin registration) - Rename setup-acceptance-user to setup-org-manager-user - Rename deploy-register-cf to register-broker - Rename cf-login target to cf-admin-login - Add deploying user message to mta-deploy.sh - Simplify scripts: remove unused code, fix indentation, remove unnecessary pushd/popd Co-Authored-By: Claude <noreply@anthropic.com>
Contributor
Author
Changes
Commit: 925c619 |
Enable password grant OAuth2 flow for log-cache access in the event generator. This allows authentication using org manager credentials instead of requiring a dedicated UAA client with client_credentials. - Add GrantType, Username, Password fields to UAACreds model - Add IsPasswordGrant() method to detect password grant configuration - Update fetcher factory to use WithOauth2HTTPUser() for password grants - Configure deployment scripts to use org manager credentials Co-Authored-By: Claude <noreply@anthropic.com>
Contributor
Author
Event Generator Password Grant SupportThis commit adds password grant authentication for the event generator's log-cache access. Changes
Why Password Grant?The event generator needs to access log-cache for metrics. Instead of requiring a dedicated UAA client with TestingAll password grant tests pass. The fetcher factory correctly configures the OAuth2 HTTP client with user credentials when |
The go-log-cache library's OAuth2 client sends credentials in the request body, but CF's "cf" UAA client requires Basic auth header. This custom CFOauth2HTTPClient: - Sends client_id:client_secret via Basic auth header - Uses password grant with username/password in form body - Handles 401 responses with automatic token refresh - Passes all acceptance tests Co-Authored-By: Claude <noreply@anthropic.com>
Add unit tests for the custom OAuth2 HTTP client that uses Basic auth for token requests (required by CF's "cf" UAA client). Tests cover: - Bearer token injection for authenticated requests - Token reuse across multiple requests - Token refresh on 401 Unauthorized responses - Thread-safe concurrent request handling - Basic auth header format for client credentials - Error handling for token endpoint failures - SSL validation configuration - Malformed token response handling These tests ensure the OAuth2 client properly authenticates with CloudFoundry's UAA and handles token lifecycle management correctly. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
The 60-second timeout was insufficient in CI environments, causing broker deletion to fail with "cannot remove brokers that have associated service instances" errors. Increasing to 180 seconds (36 polling attempts at 5s intervals) gives CF adequate time to complete asynchronous service instance deletions during cleanup. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
bonzofenix
force-pushed
the
fixed-acceptance-test-org
branch
from
f7b5040 to
4ad8b82
Compare
The workflow was calling cf_login which doesn't exist in scripts/common.sh. Changed to cf_org_manager_login which is the correct function name. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Changes
scripts/setup-acceptance-user.shto create test users with OrgManager role and store credentials in CredHubscripts/enable-service-access.shto enable service access as admin before tests run.github/workflows/acceptance_tests_reusable.yamlto setup test user and enable service access before deploymentskip_service_access_managementconfiguration option inacceptance/config/config.goto skip enable/disable operations during testsacceptance/*/suite_test.goto useCleanupInExistingOrgwhen using existing organizationacceptance/helpers/cleanup.goto properly clean up all test spaces in existing organization modeCLAUDE.mdfor CI/CD workflows, OrgManager permissions, and debuggingacceptance/README.mdwith guidance for running tests with existing organizations and OrgManager roleTesting
🤖 Generated with Claude Code