- Robot working locally.

Author: general-kroll-4-life

cicd/requirements.txt

@@ -2,4 +2,5 @@ psycopg2-binary>=2.9.9
 psycopg[binary]>=3.1.16
 PyYaml>=6.0.1
 robotframework>=6.1.1
-sqlalchemy==1.4.44
+sqlalchemy==1.4.44
+Flask==3.0.3

go.mod

@@ -21,7 +21,7 @@ require (
 	github.com/spf13/cobra v1.4.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.10.1
-	github.com/stackql/any-sdk v0.0.3-beta20
+	github.com/stackql/any-sdk v0.0.3-beta21
 	github.com/stackql/go-suffix-map v0.0.1-alpha01
 	github.com/stackql/psql-wire v0.1.1-alpha07
 	github.com/stackql/stackql-parser v0.0.14-alpha04

go.sum

@@ -471,8 +471,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.10.1 h1:nuJZuYpG7gTj/XqiUwg8bA0cp1+M2mC3J4g5luUYBKk=
 github.com/spf13/viper v1.10.1/go.mod h1:IGlFPqhNAPKRxohIzWpI5QEy4kuI7tcl5WvR+8qy1rU=
-github.com/stackql/any-sdk v0.0.3-beta20 h1:7zHdJp0gM9G8vr5IDN/e8H74gqWI2MkWXGrfkQp6irA=
-github.com/stackql/any-sdk v0.0.3-beta20/go.mod h1:CIMFo3fC2ScpqzkzeCkzUQQuzYA1VuqpG0p1EZXN+wY=
+github.com/stackql/any-sdk v0.0.3-beta21 h1:1x76S9scXukHKcBUmzSVYpwWG8TnZXMhlgU0HHcTO2g=
+github.com/stackql/any-sdk v0.0.3-beta21/go.mod h1:CIMFo3fC2ScpqzkzeCkzUQQuzYA1VuqpG0p1EZXN+wY=
 github.com/stackql/go-suffix-map v0.0.1-alpha01 h1:TDUDS8bySu41Oo9p0eniUeCm43mnRM6zFEd6j6VUaz8=
 github.com/stackql/go-suffix-map v0.0.1-alpha01/go.mod h1:QAi+SKukOyf4dBtWy8UMy+hsXXV+yyEE4vmBkji2V7g=
 github.com/stackql/psql-wire v0.1.1-alpha07 h1:LQWVUlx4Bougk6dztDNG5tmXxpIVeeTSsInTj801xCs=

test/assets/credentials/dummy/google/docker-functional-test-dummy-sa-key.json

@@ -6,7 +6,7 @@
   "client_email": "[email protected]",
   "client_id": "11",
   "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://host.docker.internal:1080/token",
+  "token_uri": "http://host.docker.internal:2091/google/simple/token",
   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
   "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/silly-sa%40silly-project-01.iam.gserviceaccount.com"
 }

test/assets/credentials/dummy/google/functional-test-dummy-sa-key.json

@@ -6,7 +6,7 @@
   "client_email": "[email protected]",
   "client_id": "11",
   "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://localhost:1080/token",
+  "token_uri": "http://localhost:2091/google/simple/token",
   "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
   "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/silly-sa%40silly-project-01.iam.gserviceaccount.com"
 }

test/python/flask/oauth2/token_srv.py

@@ -0,0 +1,82 @@
+from flask import Flask, request
+
+import json
+
+import base64
+
+import logging
+
+from typing import List
+
+
+"""
+- Google stuff based upon [the service account key flow doco](https://developers.google.com/identity/protocols/oauth2/service-account#httprest_1).
+
+Example invocation:
+
+```bash
+flask --app=test/python/flask/oaut/token_srv run --port=8070
+```
+
+
+Then, in some other shell:
+
+```bash
+
+curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhIjogImIifQ==.eyJzdWIiOiAianMifQ==.ZXlKaElqb2dJbUlpZlE9PS5leUp6ZFdJaU9pQWlhbk1pZlE9PQ==' http://127.0.0.1:8070/google/simple/token
+```
+"""
+
+app = Flask(__name__)
+
+app.logger.setLevel(logging.INFO)
+
+class GoogleServiceAccountJWT(object):
+
+    def __init__(self, encoded_jwt: str) -> None:
+        self._encoded_jwt = encoded_jwt
+        split_jwt = encoded_jwt.split('.')
+        if len(split_jwt) != 3:
+            raise ValueError(f'invalid JWT; length {len(split_jwt)} != 3')
+        self._jwt_header: dict = json.loads(base64.urlsafe_b64decode(self._pad(split_jwt[0])).decode('utf-8'))
+        self._jwt_claims: dict = json.loads(base64.urlsafe_b64decode(self._pad(split_jwt[1])).decode('utf-8'))
+        self._jwt_signature: bytes = base64.urlsafe_b64decode(self._pad(split_jwt[2]))
+    
+    def _pad(self, s: str) -> str:
+        return s + '=' * (4 - len(s) % 4)
+
+    def generate_google_response_dict(self, default_scopes: List[str]=["https://www.googleapis.com/auth/cloud-platform"]) -> dict:
+        return {
+            "access_token": "1/8xbJqaOZXSUZbHLl5EOtu1pxz3fmmetKx9W8CV4t79M",
+            "scope": ' '.join(default_scopes),
+            "token_type": "Bearer",
+            "expires_in": 3600
+        }
+
+_SIMPLE_RESPONSE = {
+            "access_token": "1/8xbJqaOZXSUZbHLl5EOtu1pxz3fmmetKx9W8CV4t79M",
+            "scope": 'my-scope',
+            "token_type": "Bearer",
+            "expires_in": 3600
+        }
+
+@app.route("/")
+def hello_world():
+    return "<p>Hello, World!</p>"
+
+@app.route("/google/simple/token", methods=['POST'])
+def google_simple_token():
+    request_data = request.form
+    proffrered_jwt = request_data['assertion']
+    app.logger.info(f'proffered_jwt: {proffrered_jwt}')
+    google_jwt: GoogleServiceAccountJWT = GoogleServiceAccountJWT(proffrered_jwt)
+    return json.dumps(google_jwt.generate_google_response_dict(), sort_keys=True)
+
+@app.route("/contrived/simple/error/token", methods=['POST'])
+def google_simple_error_token():
+    return json.dumps({"msg": "auth failed"}, sort_keys=True), 401
+
+@app.route("/contrived/simple/token", methods=['POST'])
+def contrived_simple_token():
+    request_data = request.form
+    return json.dumps(_SIMPLE_RESPONSE, sort_keys=True)

test/python/oauth2_token.py

@@ -0,0 +1,50 @@
+import base64, json
+
+import argparse
+
+
+def create_token(header: dict, claims: dict) -> str:
+    """
+    Create a token from the claims.
+    """
+    header_b64 = base64.urlsafe_b64encode(json.dumps(header, sort_keys=True).encode('utf-8')).decode('utf-8')
+    claims_b64 = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode('utf-8')).decode('utf-8')
+    signature = f'{header_b64}.{claims_b64}'
+
+    return f'{header_b64}.{claims_b64}.{base64.urlsafe_b64encode(signature.encode("utf-8")).decode("utf-8")}'
+
+
+def parse_args() -> argparse.Namespace:
+    """
+    Parse the arguments.
+    """
+    parser = argparse.ArgumentParser(description='Create a token.')
+    parser.add_argument('--create-token', help='Opt-in create token', action=argparse.BooleanOptionalAction)
+    parser.add_argument('--header', type=str, help='The header.')
+    parser.add_argument('--claims', type=str, help='The claims.')
+    return parser.parse_args()
+
+
+def generate_token(ns: argparse.Namespace) -> str:
+    """
+    Create a token.
+    """
+    header = json.loads(ns.header)
+    claims = json.loads(ns.claims)
+    return create_token(header, claims)
+
+
+def main() -> None:
+    """
+    Main entry point.
+    """
+    args = parse_args()
+    if args.create_token:
+        print(generate_token(args))
+        return
+    exit(1)
+
+
+if __name__ == '__main__':
+    main()
+

test/robot/functional/stackql.resource

@@ -16,6 +16,7 @@ Library           OperatingSystem
 Library           String
 Library           ${LOCAL_LIB_HOME}/StackQLInterfaces.py    ${EXECUTION_PLATFORM}    ${SQL_BACKEND}    ${CONCURRENCY_LIMIT}
 Library           ${LOCAL_LIB_HOME}/CloudIntegration.py
+Library           ${LOCAL_LIB_HOME}/web_service_keywords.py
 
 *** Keywords ***
 Start Mock Server
@@ -42,6 +43,7 @@ Start All Mock Servers
     Start Mock Server    ${JSON_INIT_FILE_PATH_SUMOLOGIC}    ${MOCKSERVER_JAR}    ${MOCKSERVER_PORT_SUMOLOGIC}
     Start Mock Server    ${JSON_INIT_FILE_PATH_DIGITALOCEAN}    ${MOCKSERVER_JAR}    ${MOCKSERVER_PORT_DIGITALOCEAN}
     Start Mock Server    ${JSON_INIT_FILE_PATH_STACKQL_AUTH_TESTING}    ${MOCKSERVER_JAR}    ${MOCKSERVER_PORT_STACKQL_AUTH_TESTING}
+    Create OAuth2 Client Credentials Web Service    ${MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN}
 
 
 Prepare StackQL Environment

test/robot/lib/stackql_context.py

@@ -562,6 +562,8 @@ def get_registry_cfg(url :str, local_root :str, nop_verify :bool) -> dict:
 JSON_INIT_FILE_PATH_DIGITALOCEAN = os.path.join(REPOSITORY_ROOT, 'test', 'mockserver', 'expectations', 'static-digitalocean-expectations.json')
 MOCKSERVER_PORT_DIGITALOCEAN = 1097
 
+MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN = 2091
+
 JSON_INIT_FILE_PATH_REGISTRY = os.path.join(REPOSITORY_ROOT, 'test', 'mockserver', 'expectations', 'static-registry-expectations.json')
 
 PG_SRV_PORT_MTLS = 5476
@@ -892,6 +894,7 @@ def get_variables(execution_env :str, sql_backend_str :str, use_stackql_preinsta
     'MOCKSERVER_PORT_GOOGLE':                         MOCKSERVER_PORT_GOOGLE,
     'MOCKSERVER_PORT_GOOGLEADMIN':                    MOCKSERVER_PORT_GOOGLEADMIN,
     'MOCKSERVER_PORT_STACKQL_AUTH_TESTING':           MOCKSERVER_PORT_STACKQL_AUTH_TESTING,
+    'MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN': MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN,
     'MOCKSERVER_PORT_K8S':                            MOCKSERVER_PORT_K8S,
     'MOCKSERVER_PORT_OKTA':                           MOCKSERVER_PORT_OKTA,
     'MOCKSERVER_PORT_REGISTRY':                       MOCKSERVER_PORT_REGISTRY,

test/robot/lib/web_service_keywords.py

@@ -0,0 +1,105 @@
+from robot.api.deco import library, keyword
+
+from robot.libraries.Process import Process
+
+import json
+
+from requests import get, post, Response
+
+import os
+
+from typing import Union, Tuple, List
+
+@library
+class web_service_keywords(Process):
+
+    _DEFAULT_SQLITE_DB_PATH: str = os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "..", "tmp", "robot_cli_affirmation_store.db"))
+
+    def _get_dsn(self) -> str:
+        return self._DEFAULT_SQLITE_DB_PATH
+    
+    def __init__(self):
+        self._affirmation_store_web_service = None
+        self._web_server_app: str = 'test/python/flask/oauth2/token_srv'
+        super().__init__()
+
+    @keyword
+    def create_oauth2_client_credentials_web_service(
+        self,
+        port: int
+    ) -> None:
+        """
+        Sign the input.
+        """
+        return self.start_process(
+            'flask',
+            f'--app={self._web_server_app}',
+            'run',
+            f'--port={port}',
+            stdout=os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'log', f'token-client-credentials-{port}-stdout.txt')),
+            stderr=os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'log', f'token-client-credentials-{port}-stderr.txt'))
+        )
+    
+    @keyword
+    def send_get_request(
+        self,
+        address: str
+    ) -> Response:
+        """
+        Send a simple get request.
+        """
+        return get(address)
+    
+    @keyword
+    def send_json_post_request(
+        self,
+        address: str,
+        input: dict
+    ) -> Response:
+        """
+        Send a canonical json post request.
+        """
+        return post(address, json=input)
+    
+    @keyword
+    def send_to_affirmation_store(
+        self,
+        frame_key_val: str,
+        json_input: Union[str, dict],
+        affirmation_store_url: str = 'http://127.0.0.1:5848',
+        path_prefix: str = '/data/',
+        frame_key: str = '_frame_hash'
+    ) -> Response:
+        """
+        Send a canonical json post request.
+        """
+        if isinstance(json_input, str):
+            input = json.loads(json_input)
+        return post(f'{affirmation_store_url}{path_prefix}{frame_key_val}', json=input)
+    
+    @keyword
+    def extract_frame_key(
+        self,
+        json_input: Union[str, dict],
+        frame_key: str = '_frame_hash'
+    ) -> Response:
+        """
+        Extract frame hash key.
+        """
+        if isinstance(json_input, str):
+            json_input = json.loads(json_input)
+        frame_key_val = json_input.get(frame_key)
+        return frame_key_val
+    
+    @keyword
+    def retrieve_from_affirmation_store(
+        self,
+        frame_key_val: str,
+        affirmation_store_url: str = 'http://127.0.0.1:5848',
+        path_prefix: str = '/data/',
+        frame_key: str = '_frame_hash'
+    ) -> Response:
+        """
+        Retrieve from affirmation store.
+        """
+        return get(f'{affirmation_store_url}{path_prefix}{frame_key_val}')