Add ad-user-info test suite that I apparently forgot to commit before

nightkr · nightkr · commit 63e223a7a242 · 2025-03-19T10:47:29.000+01:00
Disabled for now, since it still requires some manual setup, but at
least it's a starting point...
diff --git a/tests/templates/kuttl/ad-user-info/00-limit-range.yaml b/tests/templates/kuttl/ad-user-info/00-limit-range.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: limit-request-ratio
+spec:
+  limits:
+    - type: "Container"
+      maxLimitRequestRatio:
+        cpu: 5
+        memory: 1
diff --git a/tests/templates/kuttl/ad-user-info/00-patch-ns.yaml.j2 b/tests/templates/kuttl/ad-user-info/00-patch-ns.yaml.j2
@@ -0,0 +1,9 @@
+{% if test_scenario['values']['openshift'] == 'true' %}
+# see https://github.com/stackabletech/issues/issues/566
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: kubectl patch namespace $NAMESPACE -p '{"metadata":{"labels":{"pod-security.kubernetes.io/enforce":"privileged"}}}'
+    timeout: 120
+{% endif %}
diff --git a/tests/templates/kuttl/ad-user-info/01-assert.yaml.j2 b/tests/templates/kuttl/ad-user-info/01-assert.yaml.j2
@@ -0,0 +1,10 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+{% if lookup('env', 'VECTOR_AGGREGATOR') %}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vector-aggregator-discovery
+{% endif %}
diff --git a/tests/templates/kuttl/ad-user-info/01-install-vector-aggregator-discovery-configmap.yaml.j2 b/tests/templates/kuttl/ad-user-info/01-install-vector-aggregator-discovery-configmap.yaml.j2
@@ -0,0 +1,9 @@
+{% if lookup('env', 'VECTOR_AGGREGATOR') %}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vector-aggregator-discovery
+data:
+  ADDRESS: {{ lookup('env', 'VECTOR_AGGREGATOR') }}
+{% endif %}
diff --git a/tests/templates/kuttl/ad-user-info/10-assert.yaml b/tests/templates/kuttl/ad-user-info/10-assert.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: install-opa
+timeout: 300
+commands:
+  - script: kubectl -n $NAMESPACE wait --for=condition=available opaclusters.opa.stackable.tech/test-opa --timeout 301s
diff --git a/tests/templates/kuttl/ad-user-info/10-install-opa.yaml.j2 b/tests/templates/kuttl/ad-user-info/10-install-opa.yaml.j2
@@ -0,0 +1,69 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      kubectl apply -n $NAMESPACE -f - <<EOF
+      ---
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: test
+        labels:
+          opa.stackable.tech/bundle: "true"
+      data:
+        test.rego: |
+          package test
+
+          import data.stackable.opa.userinfo.v1 as userinfo
+
+          currentUserInfoByUsername := userinfo.userInfoByUsername(input.username)
+          currentUserInfoById := userinfo.userInfoById(input.id)
+      ---
+      apiVersion: opa.stackable.tech/v1alpha1
+      kind: OpaCluster
+      metadata:
+        name: test-opa
+      spec:
+        image:
+{% if test_scenario['values']['opa-latest'].find(",") > 0 %}
+          custom: "{{ test_scenario['values']['opa-latest'].split(',')[1] }}"
+          productVersion: "{{ test_scenario['values']['opa-latest'].split(',')[0] }}"
+{% else %}
+          productVersion: "{{ test_scenario['values']['opa-latest'] }}"
+{% endif %}
+          pullPolicy: IfNotPresent
+        clusterConfig:
+          userInfo:
+            backend:
+              experimentalActiveDirectory:
+                ldapServer: sble-addc.sble.test
+                baseDistinguishedName: DC=sble,DC=test
+                customAttributeMappings:
+                  country: c
+                kerberosSecretClassName: kerberos-ad
+                tls:
+                  verification:
+                    server:
+                      caCert:
+                        secretClass: tls-ad
+            cache: # optional, enabled by default
+              entryTimeToLive: 60s # optional, defaults to 60s
+{% if lookup('env', 'VECTOR_AGGREGATOR') %}
+          vectorAggregatorConfigMapName: vector-aggregator-discovery
+{% endif %}
+        servers:
+          config:
+            logging:
+              enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
+          podOverrides:
+            spec:
+              volumes:
+              - name: kerberos
+                ephemeral:
+                  volumeClaimTemplate:
+                    metadata:
+                      annotations:
+                        secrets.stackable.tech/scope: service=opa
+          roleGroups:
+            default: {}
diff --git a/tests/templates/kuttl/ad-user-info/20-assert.yaml b/tests/templates/kuttl/ad-user-info/20-assert.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-regorule
+timeout: 300
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: test-regorule
+status:
+  readyReplicas: 1
+  replicas: 1
diff --git a/tests/templates/kuttl/ad-user-info/20-install-test-regorule.yaml b/tests/templates/kuttl/ad-user-info/20-install-test-regorule.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: test-regorule
+  labels:
+    app: test-regorule
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test-regorule
+  template:
+    metadata:
+      labels:
+        app: test-regorule
+    spec:
+      containers:
+      - name: test-regorule
+        image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev
+        stdin: true
+        tty: true
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "512m"
+          limits:
+            memory: "128Mi"
+            cpu: "1"
diff --git a/tests/templates/kuttl/ad-user-info/30-assert.yaml b/tests/templates/kuttl/ad-user-info/30-assert.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-regorule
+commands:
+  - script: kubectl exec -n $NAMESPACE test-regorule-0 -- python /tmp/test-regorule.py -u 'http://test-opa-server-default:8081/v1/data/test'
diff --git a/tests/templates/kuttl/ad-user-info/30-prepare-test-regorule.yaml b/tests/templates/kuttl/ad-user-info/30-prepare-test-regorule.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: kubectl cp -n $NAMESPACE ./test-regorule.py test-regorule-0:/tmp
diff --git a/tests/templates/kuttl/ad-user-info/test-regorule.py b/tests/templates/kuttl/ad-user-info/test-regorule.py
@@ -0,0 +1,75 @@
+#!/usr/bin/env python
+import requests
+import argparse
+import json
+
+# todo: make the test more comprehensive to check customAttributes
+users_and_groups = {
+    "alice@sble.test": ["CN=Superset Admins,CN=Users,DC=sble,DC=test", "CN=Domain Users,CN=Users,DC=sble,DC=test", "CN=Users,CN=Builtin,DC=sble,DC=test"],
+    "bob@sble.test": ["CN=Domain Users,CN=Users,DC=sble,DC=test", "CN=Users,CN=Builtin,DC=sble,DC=test"],
+}
+
+
+def assertions(
+    username, response, opa_attribute, expected_groups, expected_attributes={}
+):
+    assert "result" in response
+    result = response["result"]
+    print(result)
+    assert opa_attribute in result, f"expected {opa_attribute} in {result}"
+
+    # repeated the right hand side for better output on error
+    assert "customAttributes" in result[opa_attribute]
+    assert "groups" in result[opa_attribute]
+    assert "id" in result[opa_attribute]
+    assert "username" in result[opa_attribute]
+
+    # todo: split out group assertions
+    print(f"Testing for {username} in groups {expected_groups}")
+    groups = sorted(result[opa_attribute]["groups"])
+    expected_groups = sorted(expected_groups)
+    assert groups == expected_groups, f"got {groups}, expected: {expected_groups}"
+
+    # todo: split out customAttribute assertions
+    print(f"Testing for {username} with customAttributes {expected_attributes}")
+    custom_attributes = result[opa_attribute]["customAttributes"]
+    assert (
+        custom_attributes == expected_attributes
+    ), f"got {custom_attributes}, expected: {expected_attributes}"
+
+
+if __name__ == "__main__":
+    all_args = argparse.ArgumentParser()
+    all_args.add_argument("-u", "--url", required=True, help="OPA service url")
+    args = vars(all_args.parse_args())
+    params = {"strict-builtin-errors": "true"}
+
+    def make_request(payload):
+        response = requests.post(args["url"], data=json.dumps(payload), params=params)
+        expected_status_code = 200
+        assert (
+            response.status_code == expected_status_code
+        ), f"got {response.status_code}, expected: {expected_status_code}"
+        return response.json()
+
+    for username, groups in users_and_groups.items():
+        try:
+            # todo: try this out locally until it works
+            # url = 'http://test-opa-svc:8081/v1/data'
+            payload = {"input": {"username": username}}
+            response = make_request(payload)
+            assertions(username, response, "currentUserInfoByUsername", groups, {})
+
+            # do the reverse lookup
+            user_id = response["result"]["currentUserInfoByUsername"]["id"]
+            payload = {"input": {"id": user_id}}
+            response = make_request(payload)
+            assertions(username, response, "currentUserInfoById", groups, {})
+        except Exception as e:
+            print(f"exception: {e}")
+            if response is not None:
+                print(f"request  body: {payload}")
+                print(f"response body: {response}")
+            raise e
+
+    print("Test successful!")
diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml
@@ -39,6 +39,12 @@ tests:
       - opa-latest
       - keycloak
       - openshift
+  # AD must be initialized (by running ad-init) first,
+  # and the correct users and groups must be set up (see test-regorule.py)
+  # name: ad-user-info
+  #   dimensions:
+  #     - opa-latest
+  #     - openshift
   - name: aas-user-info
     dimensions:
       - opa-latest
