Merge pull request #106 from shift7-ch/94-hybrid-integrationtests

Hybrid integrationtests aka AWS.

Author: chenkins

.github/workflows/build.yml

@@ -15,6 +15,8 @@ jobs:
       matrix:
         os: [ ubuntu-latest ]
     steps:
+      - name: Docker network prune
+        run: docker network prune --force
       - uses: actions/checkout@v4
       - name: Set up JDK 21
         uses: actions/setup-java@v4

hub/src/main/java/cloud/katta/protocols/hub/serializer/StorageProfileDtoWrapperDeserializer.java

@@ -6,6 +6,8 @@
 
 import ch.cyberduck.core.serializer.Deserializer;
 
+import cloud.katta.client.model.Protocol;
+
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -46,7 +48,7 @@ public <L> List<L> listForKey(final String key) {
                     properties.add(String.format("3.storage.class.options=%s", dto.getStorageClass().name()));
                     properties.add(String.format("3.storage.class=%s", dto.getStorageClass().name()));
                 }
-                if(dto.getStsEndpoint() != null) {
+                if(dto.getProtocol() == Protocol.S3_STS) {
                     properties.add(String.format("%s=%s", S3AssumeRoleProtocol.OAUTH_TOKENEXCHANGE, true));
                     properties.add(String.format("%s=%s", S3AssumeRoleProtocol.S3_ASSUMEROLE_ROLEARN, dto.getStsRoleArn()));
                     if(dto.getStsRoleArn2() != null) {

hub/src/main/java/cloud/katta/protocols/s3/S3AssumeRoleSession.java

@@ -9,6 +9,8 @@
 import ch.cyberduck.core.OAuthTokens;
 import ch.cyberduck.core.aws.CustomClientConfiguration;
 import ch.cyberduck.core.exception.LoginCanceledException;
+import ch.cyberduck.core.http.CustomServiceUnavailableRetryStrategy;
+import ch.cyberduck.core.http.ExecutionCountServiceUnavailableRetryStrategy;
 import ch.cyberduck.core.oauth.OAuth2AuthorizationService;
 import ch.cyberduck.core.oauth.OAuth2RequestInterceptor;
 import ch.cyberduck.core.preferences.HostPreferences;
@@ -92,7 +94,9 @@ protected String getWebIdentityToken(final OAuthTokens oauth) {
             }
             log.debug("Register interceptor {}", sts);
             configuration.addInterceptorLast(sts);
-            configuration.setServiceUnavailableRetryStrategy(new S3AuthenticationResponseInterceptor(this, sts));
+            final S3AuthenticationResponseInterceptor interceptor = new S3AuthenticationResponseInterceptor(this, sts);
+            configuration.setServiceUnavailableRetryStrategy(new CustomServiceUnavailableRetryStrategy(host,
+                    new ExecutionCountServiceUnavailableRetryStrategy(interceptor)));
             return sts;
         }
         return super.configureCredentialsStrategy(proxy, configuration, prompt);

hub/src/main/java/cloud/katta/protocols/s3/STSChainedAssumeRoleRequestInterceptor.java

@@ -56,11 +56,6 @@ public TemporaryAccessTokens authorize(final OAuthTokens oauth) throws Backgroun
         return this.authorize(oauth, super.authorize(oauth));
     }
 
-    @Override
-    public TemporaryAccessTokens refresh(final OAuthTokens oauth) throws BackgroundException {
-        return this.authorize(oauth, super.refresh(oauth));
-    }
-
     /**
      * Assume role with previously obtained temporary access token
      *

hub/src/main/java/cloud/katta/workflows/CreateVaultService.java

@@ -37,6 +37,7 @@
 import cloud.katta.client.api.UsersResourceApi;
 import cloud.katta.client.api.VaultResourceApi;
 import cloud.katta.client.model.CreateS3STSBucketDto;
+import cloud.katta.client.model.Protocol;
 import cloud.katta.client.model.UserDto;
 import cloud.katta.client.model.VaultDto;
 import cloud.katta.crypto.UserKeys;
@@ -94,7 +95,7 @@ public void createVault(final UserKeys userKeys, final StorageProfileDtoWrapper
             final UvfMetadataPayload metadataPayload = UvfMetadataPayload.create()
                     .withStorage(new VaultMetadataJWEBackendDto()
                             .provider(storageProfileWrapper.getId().toString())
-                            .defaultPath(storageProfileWrapper.getStsEndpoint() != null ? storageProfileWrapper.getBucketPrefix() + vaultModel.vaultId() : vaultModel.bucketName())
+                            .defaultPath(storageProfileWrapper.getProtocol() == Protocol.S3_STS ? storageProfileWrapper.getBucketPrefix() + vaultModel.vaultId() : vaultModel.bucketName())
                             .nickname(vaultModel.vaultName())
                             .username(vaultModel.accessKeyId())
                             .password(vaultModel.secretKey()))
@@ -131,7 +132,7 @@ public void createVault(final UserKeys userKeys, final StorageProfileDtoWrapper
             final OAuthTokens tokens = keychain.findOAuthTokens(hubSession.getHost());
             final Host bookmark = new VaultServiceImpl(vaultResource, storageProfileResource).getStorageBackend(ProtocolFactory.get(),
                     configResource.apiConfigGet(), vaultDto.getId(), metadataPayload.storage(), tokens);
-            if(storageProfileWrapper.getStsEndpoint() == null) {
+            if(storageProfileWrapper.getProtocol() == Protocol.S3) {
                 // permanent: template upload into existing bucket from client (not backend)
                 templateUploadService.uploadTemplate(bookmark, metadataPayload, storageDto, hashedRootDirId);
             }
@@ -143,6 +144,7 @@ public void createVault(final UserKeys userKeys, final StorageProfileDtoWrapper
                         vaultDto.getId().toString(),
                         storageProfileWrapper.getStsEndpoint(),
                         String.format("%s%s", storageProfileWrapper.getBucketPrefix(), vaultDto.getId()),
+                        vaultModel.region(),
                         storageProfileWrapper.getBucketAcceleration()
                 );
                 log.debug("Create STS bucket {} for vault {}", storageDto, vaultDto);
@@ -191,12 +193,12 @@ void uploadTemplate(final Host bookmark, final UvfMetadataPayload metadataPayloa
     static class STSInlinePolicyService {
         static STSInlinePolicyService disabled = new STSInlinePolicyService() {
             @Override
-            TemporaryAccessTokens getSTSTokensFromAccessTokenWithCreateBucketInlinePolicy(final String token, final String roleArn, final String roleSessionName, final String stsEndpoint, final String bucketName, final Boolean bucketAcceleration) {
+            TemporaryAccessTokens getSTSTokensFromAccessTokenWithCreateBucketInlinePolicy(final String token, final String roleArn, final String roleSessionName, final String stsEndpoint, final String bucketName, final String region, final Boolean bucketAcceleration) {
                 return new TemporaryAccessTokens(null);
             }
         };
 
-        TemporaryAccessTokens getSTSTokensFromAccessTokenWithCreateBucketInlinePolicy(final String token, final String roleArn, final String roleSessionName, final String stsEndpoint, final String bucketName, final Boolean bucketAcceleration) throws IOException {
+        TemporaryAccessTokens getSTSTokensFromAccessTokenWithCreateBucketInlinePolicy(final String token, final String roleArn, final String roleSessionName, final String stsEndpoint, final String bucketName, final String region, final Boolean bucketAcceleration) throws IOException {
             log.debug("Get STS tokens from {} to pass to backend {} with role {} and session name {}", token, stsEndpoint, roleArn, roleSessionName);
 
             final AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest();
@@ -214,9 +216,13 @@ TemporaryAccessTokens getSTSTokensFromAccessTokenWithCreateBucketInlinePolicy(fi
 
             AWSSecurityTokenServiceClientBuilder serviceBuild = AWSSecurityTokenServiceClientBuilder
                     .standard();
+            // Exactly only one of Region or EndpointConfiguration may be set.
             if(stsEndpoint != null) {
                 serviceBuild.withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(stsEndpoint, null));
             }
+            else {
+                serviceBuild.withRegion(region);
+            }
             final AWSSecurityTokenService service = serviceBuild
                     .withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()))
                     .build();

hub/src/main/java/cloud/katta/workflows/VaultServiceImpl.java

@@ -94,7 +94,7 @@ public Host getStorageBackend(final ProtocolFactory protocols, final ConfigDto c
             switch(storageProfile.getProtocol()) {
                 case S3:
                 case S3_STS:
-                    final Profile profile = new Profile(protocols.forType(Protocol.Type.s3), new StorageProfileDtoWrapperDeserializer(
+                    final Profile profile = new Profile(protocols.forType(protocols.find(ProtocolFactory.BUNDLED_PROFILE_PREDICATE), Protocol.Type.s3), new StorageProfileDtoWrapperDeserializer(
                             new HubConfigDtoDeserializer(configDto), storageProfile));
                     log.debug("Register storage profile {}", profile);
                     protocols.register(profile);
@@ -106,6 +106,10 @@ public Host getStorageBackend(final ProtocolFactory protocols, final ConfigDto c
         final String provider = vaultMetadata.getProvider();
         log.debug("Lookup provider {} from vault metadata", provider);
         final Protocol protocol = protocols.forName(provider);
+        if((protocol.getOAuthTokenUrl() != null) && (!protocol.getOAuthTokenUrl().equals(configDto.getKeycloakTokenEndpoint()))) {
+            // this may happen if the storage profile ID is deployed to two different hubs
+            throw new AccessException(String.format("Expected keycloak endpoint %s, found %s.", configDto.getKeycloakTokenEndpoint(), protocol.getOAuthTokenUrl()));
+        }
         final Host bookmark = new Host(protocol);
         log.debug("Configure bookmark for vault {}", vaultMetadata);
         bookmark.setNickname(vaultMetadata.getNickname());

hub/src/test/java/cloud/katta/client/model/ObjectMapperTest.java

@@ -26,9 +26,9 @@ public void testAWSStatic() throws IOException {
 
         final StorageProfileS3Dto awsStaticProfile = mapper.readValue(this.getClass().getResourceAsStream("/setup/aws_static/aws_static_profile.json"), StorageProfileS3Dto.class);
         assertEquals(Protocol.S3, awsStaticProfile.getProtocol());
-        assertNull(awsStaticProfile.getScheme());
+        assertEquals("https", awsStaticProfile.getScheme());
         assertNull(awsStaticProfile.getHostname());
-        assertNull(awsStaticProfile.getPort());
+        assertEquals(443, awsStaticProfile.getPort());
         // default STANDARD from backend
         assertEquals(S3STORAGECLASSES.STANDARD, awsStaticProfile.getStorageClass());
         assertFalse(awsStaticProfile.getArchived());
@@ -42,14 +42,14 @@ public void testAWSSTS() throws IOException {
 
 
         final StorageProfileS3STSDto awsSTSProfile = mapper.readValue(this.getClass().getResourceAsStream("/setup/aws_sts/aws_sts_profile.json"), StorageProfileS3STSDto.class);
-        assertEquals("cipherduck", awsSTSProfile.getBucketPrefix());
+        assertEquals("katta", awsSTSProfile.getBucketPrefix());
         assertEquals("eu-west-1", awsSTSProfile.getRegion());
         assertEquals(Arrays.asList("eu-west-1", "eu-west-2", "eu-west-3"), awsSTSProfile.getRegions());
         assertFalse(awsSTSProfile.getWithPathStyleAccessEnabled());
-        assertEquals("arn:aws:iam::930717317329:role/cipherduck-createbucket", awsSTSProfile.getStsRoleArnHub());
-        assertEquals("arn:aws:iam::930717317329:role/cipherduck-createbucket", awsSTSProfile.getStsRoleArnClient());
-        assertEquals("arn:aws:iam::930717317329:role/cipherduck_chain_01", awsSTSProfile.getStsRoleArn());
-        assertEquals("arn:aws:iam::930717317329:role/cipherduck_chain_02", awsSTSProfile.getStsRoleArn2());
+        assertEquals("arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket", awsSTSProfile.getStsRoleArnHub());
+        assertEquals("arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket", awsSTSProfile.getStsRoleArnClient());
+        assertEquals("arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-sts-chain-01", awsSTSProfile.getStsRoleArn());
+        assertEquals("arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-sts-chain-02", awsSTSProfile.getStsRoleArn2());
         assertEquals(Protocol.S3_STS, awsSTSProfile.getProtocol());
         assertNull(awsSTSProfile.getScheme());
         assertNull(awsSTSProfile.getHostname());
@@ -80,7 +80,7 @@ public void testMinioSTS() throws IOException {
         final ObjectMapper mapper = new ObjectMapper();
         mapper.registerModule(new JsonNullableModule());
         final StorageProfileS3STSDto minioSTSProfile = mapper.readValue(this.getClass().getResourceAsStream("/setup/minio_sts/minio_sts_profile.json"), StorageProfileS3STSDto.class);
-        assertEquals("cipherduck", minioSTSProfile.getBucketPrefix());
+        assertEquals("katta", minioSTSProfile.getBucketPrefix());
         assertEquals("eu-central-1", minioSTSProfile.getRegion());
         assertEquals(Arrays.asList("eu-west-1", "eu-west-2", "eu-west-3", "eu-north-1", "eu-south-1", "eu-south-2", "eu-central-1", "eu-central-2"), minioSTSProfile.getRegions());
         assertTrue(minioSTSProfile.getWithPathStyleAccessEnabled());

hub/src/test/java/cloud/katta/core/AbstractHubSynchronizeTest.java

@@ -4,15 +4,7 @@
 
 package cloud.katta.core;
 
-import ch.cyberduck.core.AlphanumericRandomStringService;
-import ch.cyberduck.core.AttributedList;
-import ch.cyberduck.core.DisabledConnectionCallback;
-import ch.cyberduck.core.DisabledListProgressListener;
-import ch.cyberduck.core.ListService;
-import ch.cyberduck.core.OAuthTokens;
-import ch.cyberduck.core.Path;
-import ch.cyberduck.core.Session;
-import ch.cyberduck.core.SimplePathPredicate;
+import ch.cyberduck.core.*;
 import ch.cyberduck.core.exception.AccessDeniedException;
 import ch.cyberduck.core.exception.BackgroundException;
 import ch.cyberduck.core.exception.NotfoundException;
@@ -27,11 +19,12 @@
 import ch.cyberduck.core.features.Vault;
 import ch.cyberduck.core.features.Write;
 import ch.cyberduck.core.io.StatusOutputStream;
+import ch.cyberduck.core.proxy.DisabledProxyFinder;
+import ch.cyberduck.core.s3.S3Session;
 import ch.cyberduck.core.transfer.Transfer;
 import ch.cyberduck.core.transfer.TransferItem;
 import ch.cyberduck.core.transfer.TransferStatus;
-
-import cloud.katta.client.api.UsersResourceApi;
+import ch.cyberduck.core.worker.DeleteWorker;
 
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.RandomUtils;
@@ -53,16 +46,23 @@
 import java.util.EnumSet;
 import java.util.List;
 import java.util.UUID;
+import java.util.stream.Collectors;
 
 import cloud.katta.client.ApiClient;
 import cloud.katta.client.ApiException;
+import cloud.katta.client.api.ConfigResourceApi;
 import cloud.katta.client.api.StorageProfileResourceApi;
+import cloud.katta.client.api.UsersResourceApi;
+import cloud.katta.client.api.VaultResourceApi;
+import cloud.katta.client.model.ConfigDto;
+import cloud.katta.client.model.Protocol;
 import cloud.katta.client.model.S3SERVERSIDEENCRYPTION;
 import cloud.katta.client.model.S3STORAGECLASSES;
 import cloud.katta.client.model.StorageProfileDto;
 import cloud.katta.client.model.StorageProfileS3Dto;
 import cloud.katta.client.model.StorageProfileS3STSDto;
 import cloud.katta.crypto.UserKeys;
+import cloud.katta.crypto.uvf.VaultMetadataJWEBackendDto;
 import cloud.katta.model.StorageProfileDtoWrapper;
 import cloud.katta.protocols.hub.HubSession;
 import cloud.katta.protocols.hub.HubVaultRegistry;
@@ -72,6 +72,7 @@
 import cloud.katta.workflows.CreateVaultService;
 import cloud.katta.workflows.DeviceKeysServiceImpl;
 import cloud.katta.workflows.UserKeysServiceImpl;
+import cloud.katta.workflows.VaultServiceImpl;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.databind.ObjectMapper;
 
@@ -228,6 +229,30 @@ public void test03AddVault(final HubTestConfig config) throws Exception {
             log.info("Creating vault in {}", hubSession);
             final UUID vaultId = UUID.randomUUID();
 
+
+            if(storageProfileWrapper.getProtocol() == Protocol.S3) {
+                // empty bucket
+                final HostPasswordStore keychain = PasswordStoreFactory.get();
+
+                final OAuthTokens tokens = keychain.findOAuthTokens(hubSession.getHost());
+                final Host bookmark = new VaultServiceImpl(new VaultResourceApi(hubSession.getClient()), new StorageProfileResourceApi(hubSession.getClient()))
+                        .getStorageBackend(
+                                ProtocolFactory.get(),
+                                new ConfigResourceApi(hubSession.getClient()).apiConfigGet(), vaultId, new VaultMetadataJWEBackendDto()
+                                        .provider(storageProfileWrapper.getId().toString())
+                                        .defaultPath(config.vault.bucketName)
+                                        .nickname(config.vault.bucketName)
+                                        .username(config.vault.username)
+                                        .password(config.vault.password), tokens);
+                final S3Session session = new S3Session(bookmark);
+                session.open(new DisabledProxyFinder(), new DisabledHostKeyCallback(), new DisabledLoginCallback(), new DisabledCancelCallback());
+                session.login(new DisabledLoginCallback(), new DisabledCancelCallback());
+                new DeleteWorker(new DisabledLoginCallback(),
+                        session.getFeature(ListService.class).list(new Path("/" + config.vault.bucketName, EnumSet.of(AbstractPath.Type.directory)), new DisabledListProgressListener()).toStream().filter(f -> session.getFeature(Delete.class).isSupported(f)).collect(Collectors.toList()),
+                        new DisabledListProgressListener()).run(session);
+                session.close();
+            }
+
             final UserKeys userKeys = new UserKeysServiceImpl(hubSession).getUserKeys(hubSession.getHost(), hubSession.getMe(),
                     new DeviceKeysServiceImpl().getDeviceKeys(hubSession.getHost()));
             new CreateVaultService(hubSession).createVault(userKeys, storageProfileWrapper, new CreateVaultService.CreateVaultModel(
@@ -237,7 +262,7 @@ public void test03AddVault(final HubTestConfig config) throws Exception {
             final AttributedList<Path> vaults = hubSession.getFeature(ListService.class).list(Home.ROOT, new DisabledListProgressListener());
             assertFalse(vaults.isEmpty());
 
-            final Path bucket = new Path(storageProfileWrapper.getStsEndpoint() != null ? storageProfileWrapper.getBucketPrefix() + vaultId : config.vault.bucketName,
+            final Path bucket = new Path(storageProfileWrapper.getProtocol() == Protocol.S3_STS ? storageProfileWrapper.getBucketPrefix() + vaultId : config.vault.bucketName,
                     EnumSet.of(Path.Type.volume, Path.Type.directory));
             final HubVaultRegistry vaultRegistry = hubSession.getRegistry();
             {
@@ -326,9 +351,11 @@ public void test04SetupCode(final HubTestConfig config) throws Exception {
         assertEquals(StringUtils.EMPTY, hubSession.getHost().getCredentials().getPassword());
         final ListService feature = hubSession.getFeature(ListService.class);
         final AttributedList<Path> vaults = feature.list(Home.ROOT, new DisabledListProgressListener());
-        assertEquals(2, vaults.size());
+        final ConfigDto configDto = new ConfigResourceApi(hubSession.getClient()).apiConfigGet();
+        final int expectedNumberOfVaults = configDto.getKeycloakTokenEndpoint().contains("localhost") ? 2 : 4;
+        assertEquals(expectedNumberOfVaults, vaults.size());
         assertEquals(vaults, feature.list(Home.ROOT, new DisabledListProgressListener()));
-        for(Path vault : vaults) {
+        for(final Path vault : vaults) {
             assertTrue(hubSession.getFeature(Find.class).find(vault));
         }
         new UsersResourceApi(hubSession.getClient()).apiUsersMeGet(true);