Dynamically add space developer role for non-admin clients

When using the space per service instance strategy, currently the OAuth
client requires `cloud_controller.admin` privileges to deploy apps and
services to a new space. This commit adds support for dynamically granting
the space developer role to a client which has the org manager role but not
admin privileges.

Resolves #203

Requiring client credentials to run ATs

Author: royclarkson

spring-cloud-app-broker-acceptance-tests/README.adoc

@@ -16,14 +16,8 @@ The tests require the following properties to be set:
 * `spring.cloud.appbroker.acceptance-test.cloudfoundry.default-org` - The CF organization where the tests are going to run.
 * `spring.cloud.appbroker.acceptance-test.cloudfoundry.default-space` - The CF space where the tests are going to run.
 * `spring.cloud.appbroker.acceptance-test.cloudfoundry.skip-ssl-validation` - If SSL validation should be skipped.
-
-To authenticate to the target CF with a user account, set the following properties:
-
 * `spring.cloud.appbroker.acceptance-test.cloudfoundry.username` - The CF API username.
 * `spring.cloud.appbroker.acceptance-test.cloudfoundry.password` - The CF API password.
-
-To authenticate to the target CF with an OAuth2 client in UAA, set the following properties:
-
 * `spring.cloud.appbroker.acceptance-test.cloudfoundry.client-id` - The CF API OAuth2 client ID.
 * `spring.cloud.appbroker.acceptance-test.cloudfoundry.client-secret` - The CF API OAuth2 client secret.
 

spring-cloud-app-broker-acceptance-tests/src/test/java/org.springframework.cloud.appbroker.acceptance/CloudFoundryAcceptanceTest.java

@@ -36,7 +36,9 @@
 import com.jayway.jsonpath.spi.mapper.MappingProvider;
 import org.cloudfoundry.operations.applications.ApplicationEnvironments;
 import org.cloudfoundry.operations.applications.ApplicationSummary;
+import org.cloudfoundry.operations.organizations.OrganizationSummary;
 import org.cloudfoundry.operations.services.ServiceInstance;
+import org.cloudfoundry.operations.spaces.SpaceSummary;
 import org.cloudfoundry.uaa.clients.GetClientResponse;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -54,6 +56,12 @@
 import org.springframework.web.client.RestTemplate;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.cloud.appbroker.acceptance.fixtures.cf.CloudFoundryClientConfiguration.ACCEPTANCE_TEST_OAUTH_CLIENT_AUTHORITIES;
+import static org.springframework.cloud.appbroker.acceptance.fixtures.cf.CloudFoundryClientConfiguration.ACCEPTANCE_TEST_OAUTH_CLIENT_ID;
+import static org.springframework.cloud.appbroker.acceptance.fixtures.cf.CloudFoundryClientConfiguration.ACCEPTANCE_TEST_OAUTH_CLIENT_SECRET;
+import static org.springframework.cloud.appbroker.acceptance.fixtures.cf.CloudFoundryClientConfiguration.APP_BROKER_CLIENT_AUTHORITIES;
+import static org.springframework.cloud.appbroker.acceptance.fixtures.cf.CloudFoundryClientConfiguration.APP_BROKER_CLIENT_ID;
+import static org.springframework.cloud.appbroker.acceptance.fixtures.cf.CloudFoundryClientConfiguration.APP_BROKER_CLIENT_SECRET;
 
 @SpringBootTest(classes = {
 	CloudFoundryClientConfiguration.class,
@@ -114,24 +122,41 @@ public Set<Option> options() {
 
 	@AfterEach
 	void tearDown() {
-		blockingSubscribe(cleanup());
+		blockingSubscribe(cloudFoundryService.getOrCreateDefaultOrganization()
+			.map(OrganizationSummary::getId)
+			.flatMap(orgId -> cloudFoundryService.getOrCreateDefaultSpace()
+				.map(SpaceSummary::getId)
+				.flatMap(spaceId -> cleanup(orgId, spaceId))));
 	}
 
 	private Mono<Void> initializeBroker(String... appBrokerProperties) {
-		return cleanup()
-			.then(
-				cloudFoundryService
-					.getOrCreateDefaultOrganization()
-					.then(cloudFoundryService.getOrCreateDefaultSpace())
+		return cloudFoundryService
+			.getOrCreateDefaultOrganization()
+			.map(OrganizationSummary::getId)
+			.flatMap(orgId -> cloudFoundryService
+				.getOrCreateDefaultSpace()
+				.map(SpaceSummary::getId)
+				.flatMap(spaceId -> cleanup(orgId, spaceId)
+					.then(uaaService.createClient(
+						ACCEPTANCE_TEST_OAUTH_CLIENT_ID,
+						ACCEPTANCE_TEST_OAUTH_CLIENT_SECRET,
+						ACCEPTANCE_TEST_OAUTH_CLIENT_AUTHORITIES))
+					.then(uaaService.createClient(
+						APP_BROKER_CLIENT_ID,
+						APP_BROKER_CLIENT_SECRET,
+						APP_BROKER_CLIENT_AUTHORITIES))
+					.then(cloudFoundryService.associateAppBrokerClientWithOrgAndSpace(orgId, spaceId))
 					.then(cloudFoundryService.pushBrokerApp(TEST_BROKER_APP_NAME, getTestBrokerAppPath(), appBrokerProperties))
 					.then(cloudFoundryService.createServiceBroker(SERVICE_BROKER_NAME, TEST_BROKER_APP_NAME))
 					.then(cloudFoundryService.enableServiceBrokerAccess(APP_SERVICE_NAME))
-					.then(cloudFoundryService.enableServiceBrokerAccess(BACKING_SERVICE_NAME)));
+					.then(cloudFoundryService.enableServiceBrokerAccess(BACKING_SERVICE_NAME))));
 	}
 
-	private Mono<Void> cleanup() {
+	private Mono<Void> cleanup(String orgId, String spaceId) {
 		return cloudFoundryService.deleteServiceBroker(SERVICE_BROKER_NAME)
-			.then(cloudFoundryService.deleteApp(TEST_BROKER_APP_NAME));
+			.then(cloudFoundryService.deleteApp(TEST_BROKER_APP_NAME))
+			.then(cloudFoundryService.removeAppBrokerClientFromOrgAndSpace(orgId, spaceId))
+			.onErrorResume(e -> Mono.empty());
 	}
 
 	void createServiceInstance(String serviceInstanceName) {

spring-cloud-app-broker-acceptance-tests/src/test/java/org.springframework.cloud.appbroker.acceptance/fixtures/cf/CloudFoundryClientConfiguration.java

@@ -18,7 +18,6 @@
 
 import java.util.Optional;
 
-import org.cloudfoundry.UnknownCloudFoundryException;
 import org.cloudfoundry.client.CloudFoundryClient;
 import org.cloudfoundry.doppler.DopplerClient;
 import org.cloudfoundry.operations.CloudFoundryOperations;
@@ -32,31 +31,39 @@
 import org.cloudfoundry.reactor.tokenprovider.PasswordGrantTokenProvider;
 import org.cloudfoundry.reactor.uaa.ReactorUaaClient;
 import org.cloudfoundry.uaa.UaaClient;
-import org.cloudfoundry.uaa.UaaException;
-import org.cloudfoundry.uaa.clients.Clients;
-import org.cloudfoundry.uaa.clients.CreateClientRequest;
-import org.cloudfoundry.uaa.clients.DeleteClientRequest;
-import org.cloudfoundry.uaa.tokens.GrantType;
+
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import reactor.core.publisher.Mono;
 
 @Configuration
 @EnableConfigurationProperties(CloudFoundryProperties.class)
 public class CloudFoundryClientConfiguration {
 
-	static final String ACCEPTANCE_TEST_OAUTH_CLIENT_ID = "acceptance-test-client";
-	static final String ACCEPTANCE_TEST_OAUTH_CLIENT_SECRET = "acceptance-test-client-secret";
-	private static final String[] ACCEPTANCE_TEST_OAUTH_CLIENT_AUTHORITIES = {
-		"openid", "cloud_controller.admin", "cloud_controller.read", "cloud_controller.write",
-		"clients.read", "clients.write"
+	public static final String ACCEPTANCE_TEST_OAUTH_CLIENT_ID = "acceptance-test-client";
+	public static final String ACCEPTANCE_TEST_OAUTH_CLIENT_SECRET = "acceptance-test-client-secret";
+	public static final String[] ACCEPTANCE_TEST_OAUTH_CLIENT_AUTHORITIES = {
+		"openid",
+		"cloud_controller.admin",
+		"cloud_controller.read",
+		"cloud_controller.write",
+		"clients.read",
+		"clients.write"
+	};
+
+	public static final String APP_BROKER_CLIENT_ID = "app-broker-client";
+	public static final String APP_BROKER_CLIENT_SECRET = "app-broker-client-secret";
+	public static final String[] APP_BROKER_CLIENT_AUTHORITIES = {
+		"cloud_controller.read", "cloud_controller.write"
 	};
 
 	@Bean
-	CloudFoundryOperations cloudFoundryOperations(CloudFoundryProperties properties, CloudFoundryClient client,
-												  DopplerClient dopplerClient, UaaClient uaaClient) {
+	CloudFoundryOperations cloudFoundryOperations(CloudFoundryProperties properties,
+												  CloudFoundryClient client,
+												  DopplerClient dopplerClient,
+												  UaaClient uaaClient) {
 		return DefaultCloudFoundryOperations.builder()
 			.cloudFoundryClient(client)
 			.dopplerClient(dopplerClient)
@@ -67,7 +74,8 @@ CloudFoundryOperations cloudFoundryOperations(CloudFoundryProperties properties,
 	}
 
 	@Bean
-	CloudFoundryClient cloudFoundryClient(ConnectionContext connectionContext, TokenProvider tokenProvider) {
+	CloudFoundryClient cloudFoundryClient(ConnectionContext connectionContext,
+										  @Qualifier("userCredentials") TokenProvider tokenProvider) {
 		return ReactorCloudFoundryClient.builder()
 			.connectionContext(connectionContext)
 			.tokenProvider(tokenProvider)
@@ -85,24 +93,29 @@ ConnectionContext connectionContext(CloudFoundryProperties properties) {
 	}
 
 	@Bean
-	DopplerClient dopplerClient(ConnectionContext connectionContext, TokenProvider tokenProvider) {
+	DopplerClient dopplerClient(ConnectionContext connectionContext,
+								@Qualifier("userCredentials") TokenProvider tokenProvider) {
 		return ReactorDopplerClient.builder()
 			.connectionContext(connectionContext)
 			.tokenProvider(tokenProvider)
 			.build();
 	}
 
 	@Bean
-	UaaClient uaaClient(ConnectionContext connectionContext, TokenProvider tokenProvider) {
+	UaaClient uaaClient(ConnectionContext connectionContext,
+						@Qualifier("clientCredentials") TokenProvider tokenProvider) {
 		return ReactorUaaClient.builder()
 			.connectionContext(connectionContext)
 			.tokenProvider(tokenProvider)
 			.build();
 	}
 
 	@Bean
-	@ConditionalOnProperty({CloudFoundryProperties.PROPERTY_PREFIX + ".username",
-		CloudFoundryProperties.PROPERTY_PREFIX + ".password"})
+	@Qualifier("userCredentials")
+	@ConditionalOnProperty({
+		CloudFoundryProperties.PROPERTY_PREFIX + ".username",
+		CloudFoundryProperties.PROPERTY_PREFIX + ".password"
+	})
 	PasswordGrantTokenProvider passwordTokenProvider(CloudFoundryProperties properties) {
 		return PasswordGrantTokenProvider.builder()
 			.password(properties.getPassword())
@@ -111,42 +124,17 @@ PasswordGrantTokenProvider passwordTokenProvider(CloudFoundryProperties properti
 	}
 
 	@Bean
-	@ConditionalOnProperty({CloudFoundryProperties.PROPERTY_PREFIX + ".client-id",
-		CloudFoundryProperties.PROPERTY_PREFIX + ".client-secret"})
-	ClientCredentialsGrantTokenProvider clientTokenProvider(ConnectionContext connectionContext,
-															CloudFoundryProperties properties) {
-
-		Clients uaaClients = buildTempUaaClient(connectionContext, properties).clients();
-
-		uaaClients.delete(DeleteClientRequest.builder()
-			.clientId(ACCEPTANCE_TEST_OAUTH_CLIENT_ID)
-			.build())
-			.onErrorResume(UaaException.class, e -> Mono.empty())
-			.onErrorResume(UnknownCloudFoundryException.class, e -> Mono.empty())
-			.then(uaaClients.create(CreateClientRequest.builder()
-				.clientId(ACCEPTANCE_TEST_OAUTH_CLIENT_ID)
-				.clientSecret(ACCEPTANCE_TEST_OAUTH_CLIENT_SECRET)
-				.authorizedGrantType(GrantType.CLIENT_CREDENTIALS)
-				.authorities(ACCEPTANCE_TEST_OAUTH_CLIENT_AUTHORITIES)
-				.build()))
-			.block();
-
+	@Qualifier("clientCredentials")
+	@ConditionalOnProperty({
+		CloudFoundryProperties.PROPERTY_PREFIX + ".client-id",
+		CloudFoundryProperties.PROPERTY_PREFIX + ".client-secret"
+	})
+	ClientCredentialsGrantTokenProvider clientTokenProvider(CloudFoundryProperties properties) {
 		return ClientCredentialsGrantTokenProvider.builder()
-			.clientId(ACCEPTANCE_TEST_OAUTH_CLIENT_ID)
-			.clientSecret(ACCEPTANCE_TEST_OAUTH_CLIENT_SECRET)
+			.clientId(properties.getClientId())
+			.clientSecret(properties.getClientSecret())
 			.identityZoneSubdomain(properties.getIdentityZoneSubdomain())
 			.build();
 	}
 
-	private UaaClient buildTempUaaClient(ConnectionContext connectionContext, CloudFoundryProperties properties) {
-		return ReactorUaaClient.builder()
-			.connectionContext(connectionContext)
-			.tokenProvider(ClientCredentialsGrantTokenProvider.builder()
-				.clientId(properties.getClientId())
-				.clientSecret(properties.getClientSecret())
-				.identityZoneSubdomain(properties.getIdentityZoneSubdomain())
-				.build())
-			.build();
-	}
-
 }

spring-cloud-app-broker-acceptance-tests/src/test/java/org.springframework.cloud.appbroker.acceptance/fixtures/cf/CloudFoundryService.java

@@ -22,6 +22,16 @@
 import java.util.List;
 import java.util.Map;
 
+import org.cloudfoundry.client.CloudFoundryClient;
+import org.cloudfoundry.client.v2.organizations.AssociateOrganizationManagerRequest;
+import org.cloudfoundry.client.v2.organizations.AssociateOrganizationManagerResponse;
+import org.cloudfoundry.client.v2.organizations.AssociateOrganizationUserRequest;
+import org.cloudfoundry.client.v2.organizations.AssociateOrganizationUserResponse;
+import org.cloudfoundry.client.v2.organizations.RemoveOrganizationManagerRequest;
+import org.cloudfoundry.client.v2.organizations.RemoveOrganizationUserRequest;
+import org.cloudfoundry.client.v2.spaces.AssociateSpaceDeveloperRequest;
+import org.cloudfoundry.client.v2.spaces.AssociateSpaceDeveloperResponse;
+import org.cloudfoundry.client.v2.spaces.RemoveSpaceDeveloperRequest;
 import org.cloudfoundry.operations.CloudFoundryOperations;
 import org.cloudfoundry.operations.DefaultCloudFoundryOperations;
 import org.cloudfoundry.operations.applications.ApplicationDetail;
@@ -63,11 +73,16 @@ public class CloudFoundryService {
 
 	private static final String DEPLOYER_PROPERTY_PREFIX = "spring.cloud.appbroker.deployer.cloudfoundry.";
 
+	private final CloudFoundryClient cloudFoundryClient;
+
 	private final CloudFoundryOperations cloudFoundryOperations;
+
 	private final CloudFoundryProperties cloudFoundryProperties;
 
-	public CloudFoundryService(CloudFoundryOperations cloudFoundryOperations,
+	public CloudFoundryService(CloudFoundryClient cloudFoundryClient,
+							   CloudFoundryOperations cloudFoundryOperations,
 							   CloudFoundryProperties cloudFoundryProperties) {
+		this.cloudFoundryClient = cloudFoundryClient;
 		this.cloudFoundryOperations = cloudFoundryOperations;
 		this.cloudFoundryProperties = cloudFoundryProperties;
 	}
@@ -129,7 +144,7 @@ public Mono<Void> deleteApp(String appName) {
 				.deleteRoutes(true)
 				.build())
 			.doOnSuccess(item -> LOGGER.info("Deleted app " + appName))
-			.doOnError(error -> LOGGER.error("Error deleting app " + appName + ": " + error))
+			.doOnError(error -> LOGGER.warn("Error deleting app " + appName + ": " + error))
 			.onErrorResume(e -> Mono.empty());
 	}
 
@@ -139,7 +154,7 @@ public Mono<Void> deleteServiceBroker(String brokerName) {
 				.name(brokerName)
 				.build())
 			.doOnSuccess(item -> LOGGER.info("Deleted service broker " + brokerName))
-			.doOnError(error -> LOGGER.error("Error deleting service broker " + brokerName + ": " + error))
+			.doOnError(error -> LOGGER.warn("Error deleting service broker " + brokerName + ": " + error))
 			.onErrorResume(e -> Mono.empty());
 	}
 
@@ -152,7 +167,7 @@ public Mono<Void> deleteServiceInstance(String serviceInstanceName) {
 				.doOnSuccess(item -> LOGGER.info("Deleted service instance " + serviceInstanceName))
 				.doOnError(error -> LOGGER.error("Error deleting service instance " + serviceInstanceName + ": " + error))
 				.onErrorResume(e -> Mono.empty()))
-			.doOnError(error -> LOGGER.error("Error getting service instance " + serviceInstanceName + ": " + error))
+			.doOnError(error -> LOGGER.warn("Error getting service instance " + serviceInstanceName + ": " + error))
 			.onErrorResume(e -> Mono.empty());
 	}
 
@@ -303,6 +318,63 @@ private Mono<SpaceSummary> getDefaultSpace(Spaces spaceOperations) {
 			.next();
 	}
 
+	public Mono<Void> associateAppBrokerClientWithOrgAndSpace(String orgId, String spaceId) {
+		return Mono.justOrEmpty(CloudFoundryClientConfiguration.APP_BROKER_CLIENT_ID)
+			.flatMap(userId -> associateOrgUser(orgId, userId)
+				.then(associateOrgManager(orgId, userId))
+				.then(associateSpaceDeveloper(spaceId, userId)))
+			.then();
+	}
+
+	public Mono<Void> removeAppBrokerClientFromOrgAndSpace(String orgId, String spaceId) {
+		return Mono.justOrEmpty(CloudFoundryClientConfiguration.APP_BROKER_CLIENT_ID)
+			.flatMap(userId -> removeSpaceDeveloper(spaceId, userId)
+				.then(removeOrgManager(orgId, userId))
+				.then(removeOrgUser(orgId, userId)));
+	}
+
+	private Mono<AssociateOrganizationUserResponse> associateOrgUser(String orgId, String userId) {
+		return cloudFoundryClient.organizations().associateUser(AssociateOrganizationUserRequest.builder()
+			.organizationId(orgId)
+			.userId(userId)
+			.build());
+	}
+
+	private Mono<AssociateOrganizationManagerResponse> associateOrgManager(String orgId, String userId) {
+		return cloudFoundryClient.organizations().associateManager(AssociateOrganizationManagerRequest.builder()
+			.organizationId(orgId)
+			.managerId(userId)
+			.build());
+	}
+
+	private Mono<AssociateSpaceDeveloperResponse> associateSpaceDeveloper(String spaceId, String userId) {
+		return cloudFoundryClient.spaces().associateDeveloper(AssociateSpaceDeveloperRequest.builder()
+			.spaceId(spaceId)
+			.developerId(userId)
+			.build());
+	}
+
+	private Mono<Void> removeOrgUser(String orgId, String userId) {
+		return cloudFoundryClient.organizations().removeUser(RemoveOrganizationUserRequest.builder()
+			.organizationId(orgId)
+			.userId(userId)
+			.build());
+	}
+
+	private Mono<Void> removeOrgManager(String orgId, String userId) {
+		return cloudFoundryClient.organizations().removeManager(RemoveOrganizationManagerRequest.builder()
+			.organizationId(orgId)
+			.managerId(userId)
+			.build());
+	}
+
+	private Mono<Void> removeSpaceDeveloper(String spaceId, String userId) {
+		return cloudFoundryClient.spaces().removeDeveloper(RemoveSpaceDeveloperRequest.builder()
+			.spaceId(spaceId)
+			.developerId(userId)
+			.build());
+	}
+
 	private CloudFoundryOperations createOperationsForSpace(String space) {
 		final String defaultOrg = cloudFoundryProperties.getDefaultOrg();
 		return DefaultCloudFoundryOperations.builder()
@@ -325,19 +397,10 @@ private Map<String, String> appBrokerDeployerEnvironmentVariables() {
 		deployerVariables.put(DEPLOYER_PROPERTY_PREFIX + "skip-ssl-validation",
 			String.valueOf(cloudFoundryProperties.isSkipSslValidation()));
 		deployerVariables.put(DEPLOYER_PROPERTY_PREFIX + "properties.memory", "1024M");
-
-		if (cloudFoundryProperties.getUsername() == null || cloudFoundryProperties.getPassword() == null) {
-			deployerVariables.put(DEPLOYER_PROPERTY_PREFIX + "client-id",
-				CloudFoundryClientConfiguration.ACCEPTANCE_TEST_OAUTH_CLIENT_ID);
-			deployerVariables.put(DEPLOYER_PROPERTY_PREFIX + "client-secret",
-				CloudFoundryClientConfiguration.ACCEPTANCE_TEST_OAUTH_CLIENT_SECRET);
-		} else {
-			deployerVariables.put(DEPLOYER_PROPERTY_PREFIX + "username",
-				cloudFoundryProperties.getUsername());
-			deployerVariables.put(DEPLOYER_PROPERTY_PREFIX + "password",
-				cloudFoundryProperties.getPassword());
-		}
-
+		deployerVariables.put(DEPLOYER_PROPERTY_PREFIX + "client-id",
+			CloudFoundryClientConfiguration.APP_BROKER_CLIENT_ID);
+		deployerVariables.put(DEPLOYER_PROPERTY_PREFIX + "client-secret",
+			CloudFoundryClientConfiguration.APP_BROKER_CLIENT_SECRET);
 		return deployerVariables;
 	}