Merge pull request #4845 from linuxfoundation/unicron-v3-apis-test-coverage-dev

Try to fix broken V3 token handling

Author: lukaszgryglicki

cla-backend-go/serverless.yml

@@ -223,6 +223,9 @@ provider:
     AUTH0_DOMAIN: ${file(./env.json):auth0-domain, ssm:/cla-auth0-domain-${opt:stage}}
     AUTH0_CLIENT_ID: ${file(./env.json):auth0-clientId, ssm:/cla-auth0-clientId-${opt:stage}}
     AUTH0_USERNAME_CLAIM: ${file(./env.json):auth0-username-claim, ssm:/cla-auth0-username-claim-${opt:stage}}
+    AUTH0_USERNAME_CLAIM_CLI: ${file(./env.json):auth0-username-cli-claim, ssm:/cla-auth0-username-claim-cli-${opt:stage}}
+    AUTH0_EMAIL_CLAIM_CLI: ${file(./env.json):auth0-email-cli-claim, ssm:/cla-auth0-email-claim-cli-${opt:stage}}
+    AUTH0_NAME_CLAIM_CLI: ${file(./env.json):auth0-name-cli-claim, ssm:/cla-auth0-name-claim-cli-${opt:stage}}
     AUTH0_ALGORITHM: ${file(./env.json):auth0-algorithm, ssm:/cla-auth0-algorithm-${opt:stage}}
     SF_INSTANCE_URL: ${file(./env.json):sf-instance-url, ssm:/cla-sf-instance-url-${opt:stage}}
     SF_CLIENT_ID: ${file(./env.json):sf-client-id, ssm:/cla-sf-consumer-key-${opt:stage}}

cla-backend/serverless.yml

@@ -312,6 +312,9 @@ provider:
     AUTH0_DOMAIN: ${file(./env.json):auth0-domain, ssm:/cla-auth0-domain-${sls:stage}}
     AUTH0_CLIENT_ID: ${file(./env.json):auth0-clientId, ssm:/cla-auth0-clientId-${sls:stage}}
     AUTH0_USERNAME_CLAIM: ${file(./env.json):auth0-username-claim, ssm:/cla-auth0-username-claim-${sls:stage}}
+    AUTH0_USERNAME_CLAIM_CLI: ${file(./env.json):auth0-username-cli-claim, ssm:/cla-auth0-username-claim-cli-${sls:stage}}
+    AUTH0_EMAIL_CLAIM_CLI: ${file(./env.json):auth0-email-cli-claim, ssm:/cla-auth0-email-claim-cli-${sls:stage}}
+    AUTH0_NAME_CLAIM_CLI: ${file(./env.json):auth0-name-cli-claim, ssm:/cla-auth0-name-claim-cli-${sls:stage}}
     AUTH0_ALGORITHM: ${file(./env.json):auth0-algorithm, ssm:/cla-auth0-algorithm-${sls:stage}}
     SF_INSTANCE_URL: ${file(./env.json):sf-instance-url, ssm:/cla-sf-instance-url-${sls:stage}}
     SF_CLIENT_ID: ${file(./env.json):sf-client-id, ssm:/cla-sf-consumer-key-${sls:stage}}

tests/functional/cypress/support/commands.js

@@ -204,6 +204,35 @@ export function shortenMiddle(str) {
   return `${first}...${last}`;
 }
 
+export function getTokenForV3() {
+  // V3 APIs require a token with specific claims: http://lfx.dev/claims/username and http://lfx.dev/claims/email
+  // The token generation is the same as V4, but V3 expects the AUTH0_USERNAME_CLAIM to be set to "http://lfx.dev/claims/username"
+  cy.task('log', '--> getting token by request for V3');
+  return cy
+    .request({
+      method: 'POST',
+      url: Cypress.env('AUTH0_TOKEN_API'),
+      headers: {
+        'content-type': 'application/json',
+      },
+      body: {
+        grant_type: 'http://auth0.com/oauth/grant-type/password-realm',
+        realm: 'Username-Password-Authentication',
+        username: Cypress.env('AUTH0_USER_NAME'),
+        password: Cypress.env('AUTH0_PASSWORD'),
+        client_id: Cypress.env('AUTH0_CLIENT_ID'),
+        audience: 'https://api-gw.dev.platform.linuxfoundation.org/',
+        scope: 'access:api openid profile email',
+      },
+    })
+    .then((response) => {
+      expect(response.status).to.eq(200);
+      const token = response.body.access_token;
+      cy.task('log', `--> got token ${shortenMiddle(token)} from request for V3`);
+      return token;
+    });
+}
+
 export function getAPIBaseURL(version) {
   const local = Cypress.env('LOCAL');
   switch (version) {
@@ -212,6 +241,12 @@ export function getAPIBaseURL(version) {
         return 'http://localhost:5001/v4/';
       }
       return `${Cypress.env('APP_URL')}cla-service/v4/`;
+    case 'v3':
+      if (local) {
+        return 'http://localhost:5001/v3/';
+      }
+      // V3 is deployed on the legacy API endpoint, not the new cla-service endpoint
+      return 'https://api.lfcla.dev.platform.linuxfoundation.org/v3/';
     default:
       cy.task('log', `--> unknown API version ${version}`);
   }
@@ -230,6 +265,26 @@ export function getXACLHeader() {
   return {};
 }
 
+export function getXACLHeaders() {
+  // V3 APIs (which are actually V1 internally) use the same authentication as V4
+  // They need both X-ACL headers and bearer tokens
+  const xacl = Cypress.env('XACL');
+  if (xacl) {
+    return {
+      'X-ACL': xacl,
+      'X-USERNAME': 'lgryglicki',
+      'X-EMAIL': '[email protected]',
+    };
+  }
+  return {};
+}
+
+export function getOAuth2Headers() {
+  // V3 APIs (which are actually V1 internally) use the same authentication as V4
+  // They need both X-ACL headers and bearer tokens - just alias to getXACLHeaders
+  return getXACLHeaders();
+}
+
 let bearerToken = '';
 export function getTokenKey() {
   const envToken = Cypress.env('TOKEN');

utils/get_dev_claims.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+aws --profile lfproduct-dev --region us-east-1 ssm get-parameter --name "/cla-auth0-username-claim-dev" --query "Parameter.Value" --output text
+aws --profile lfproduct-dev --region us-east-1 ssm get-parameter --name "/cla-auth0-username-claim-cli-dev" --query "Parameter.Value" --output text
+aws --profile lfproduct-dev --region us-east-1 ssm get-parameter --name "/cla-auth0-email-claim-cli-dev" --query "Parameter.Value" --output text
+aws --profile lfproduct-dev --region us-east-1 ssm get-parameter --name "/cla-auth0-name-claim-cli-dev" --query "Parameter.Value" --output text

utils/get_prod_claims.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+aws --profile lfproduct-prod --region us-east-1 ssm get-parameter --name "/cla-auth0-username-claim-prod" --query "Parameter.Value" --output text
+aws --profile lfproduct-prod --region us-east-1 ssm get-parameter --name "/cla-auth0-username-claim-cli-prod" --query "Parameter.Value" --output text
+aws --profile lfproduct-prod --region us-east-1 ssm get-parameter --name "/cla-auth0-email-claim-cli-prod" --query "Parameter.Value" --output text
+aws --profile lfproduct-prod --region us-east-1 ssm get-parameter --name "/cla-auth0-name-claim-cli-prod" --query "Parameter.Value" --output text

utils/restore_dev_claims.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# This is needed for V3 CLA Auth0 setup
+aws --profile lfproduct-dev --region us-east-1 ssm put-parameter --name "/cla-auth0-username-claim-dev" --value "https://sso.linuxfoundation.org/claims/username" --type "String" --overwrite
+aws --profile lfproduct-dev --region us-east-1 ssm delete-parameter --name "/cla-auth0-username-claim-cli-dev"
+aws --profile lfproduct-dev --region us-east-1 ssm delete-parameter --name "/cla-auth0-email-claim-cli-dev"
+aws --profile lfproduct-dev --region us-east-1 ssm delete-parameter --name "/cla-auth0-name-claim-cli-dev"
+./utils/get_dev_claims.sh

utils/set_dev_claims.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# This is needed for V3 CLA Auth0 setup
+aws --profile lfproduct-dev --region us-east-1 ssm put-parameter --name "/cla-auth0-username-claim-cli-dev" --value "http://lfx.dev/claims/username" --type "String" --overwrite
+aws --profile lfproduct-dev --region us-east-1 ssm put-parameter --name "/cla-auth0-email-claim-cli-dev" --value "http://lfx.dev/claims/email" --type "String" --overwrite
+aws --profile lfproduct-dev --region us-east-1 ssm put-parameter --name "/cla-auth0-name-claim-cli-dev" --value "http://lfx.dev/claims/username" --type "String" --overwrite
+./utils/get_dev_claims.sh