Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default user positive and negative test for deploying #4221

Merged
merged 3 commits into from
Feb 4, 2022
Merged

Default user positive and negative test for deploying #4221

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d30244c
Fix bearer token login on E2E tests (#2898)
Feb 2, 2022
2e8a049
Added positive and negative permissions tests for regular user (#4081)
Feb 2, 2022
b16c146
Re-add rolebinding for kubeapps-user in its namespace (#4081)
Feb 3, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions .circleci/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -314,7 +314,6 @@ install_cluster: &install_cluster
sleep 5 &&
kubectl --context kind-kubeapps-ci --kubeconfig ${HOME}/.kube/kind-config-kubeapps-ci wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s &&

kubectl --context kind-kubeapps-ci --kubeconfig ${HOME}/.kube/kind-config-kubeapps-ci delete rolebinding kubeapps-user -n kubeapps-user-namespace &&
kubectl --context kind-kubeapps-ci --kubeconfig ${HOME}/.kube/kind-config-kubeapps-ci create rolebinding kubeapps-view-secret-oidc --role view-secrets --user oidc:kubeapps-user@example.com &&
kubectl --context kind-kubeapps-ci --kubeconfig ${HOME}/.kube/kind-config-kubeapps-ci create clusterrolebinding kubeapps-view-oidc --clusterrole=view --user oidc:kubeapps-user@example.com &&
echo "Cluster created"
Expand All @@ -327,7 +326,6 @@ install_cluster: &install_cluster
sleep 5 &&
kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=120s &&

kubectl --context kind-kubeapps-ci --kubeconfig ${HOME}/.kube/kind-config-kubeapps-ci delete rolebinding kubeapps-user -n kubeapps-user-namespace &&
kubectl --context kind-kubeapps-ci --kubeconfig ${HOME}/.kube/kind-config-kubeapps-ci create rolebinding kubeapps-view-secret-oidc --role view-secrets --user oidc:kubeapps-user@example.com &&
kubectl --context kind-kubeapps-ci --kubeconfig ${HOME}/.kube/kind-config-kubeapps-ci create clusterrolebinding kubeapps-view-oidc --clusterrole=view --user oidc:kubeapps-user@example.com &&
echo "Cluster created"
Expand Down
104 changes: 73 additions & 31 deletions integration/tests/main/01-missing-permissions.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,35 +5,77 @@ const { test, expect } = require("@playwright/test");
const { KubeappsLogin } = require("../utils/kubeapps-login");
const utils = require("../utils/util-functions");

test("Regular user fails to deploy an application due to missing permissions", async ({ page }) => {
test.setTimeout(60000);

// Log in
const k = new KubeappsLogin(page);
await k.doLogin("kubeapps-user@example.com", "password", process.env.VIEW_TOKEN);

// Select package to deploy
await page.click('a.nav-link:has-text("Catalog")');
await page.click('a .card-title:has-text("apache")');
await page.click('cds-button:has-text("Deploy") >> nth=0');

// Deploy package
const releaseNameLocator = page.locator("#releaseName");
await releaseNameLocator.waitFor();
await expect(releaseNameLocator).toHaveText("");
await releaseNameLocator.type(utils.getRandomName("test-01-release"));
await page.locator('cds-button:has-text("Deploy")').click();

const errorLocator = page.locator(".alert-items .alert-text");
await expect(errorLocator).toHaveCount(1);
await page.waitForTimeout(5000);

// For some reason, UI is showing different error messages randomly
// Custom assertion logic
const errorMsg = await errorLocator.textContent();
console.log(`Error message on UI = "${errorMsg}"`);

await page.waitForFunction(msg => {
return msg.indexOf("secrets is forbidden") > -1 || msg.indexOf("unable to read secret") > -1;
}, errorMsg);
test.describe("Limited user simple deployments", () => {
test("Regular user fails to deploy package due to missing permissions", async ({ page }) => {
test.setTimeout(60000);

// Log in
const k = new KubeappsLogin(page);
await k.doLogin("kubeapps-user@example.com", "password", process.env.VIEW_TOKEN);

// Select package to deploy
await page.click('a.nav-link:has-text("Catalog")');
await page.click('a .card-title:has-text("apache")');
await page.click('cds-button:has-text("Deploy") >> nth=0');

// Deploy package
const releaseNameLocator = page.locator("#releaseName");
await releaseNameLocator.waitFor();
await expect(releaseNameLocator).toHaveText("");
await releaseNameLocator.type(utils.getRandomName("test-01-release"));
await page.locator('cds-button:has-text("Deploy")').click();

const errorLocator = page.locator(".alert-items .alert-text");
await expect(errorLocator).toHaveCount(1);
await page.waitForTimeout(5000);

// For some reason, UI is showing different error messages randomly
// Custom assertion logic
const errorMsg = await errorLocator.textContent();
console.log(`Error message on UI = "${errorMsg}"`);

await page.waitForFunction(msg => {
return msg.indexOf("secrets is forbidden") > -1 || msg.indexOf("unable to read secret") > -1;
}, errorMsg);
});

test("Regular user fails to deploy package in its own namespace from repos with secret", async ({
page,
}) => {
// Explanation: User has permissions to deploy in its namespace, but can't actually deploy
// if the package is from a repo that has a secret to which the user doesn't have access

test.setTimeout(60000);

// Log in
const k = new KubeappsLogin(page);
await k.doLogin("kubeapps-user@example.com", "password", process.env.VIEW_TOKEN);

// Change to user's namespace using UI
await page.click(".kubeapps-dropdown .kubeapps-nav-link");
await page.selectOption('select[name="namespaces"]', "kubeapps-user-namespace");
await page.click('cds-button:has-text("Change Context")');

// Select package to deploy
await page.click('a.nav-link:has-text("Catalog")');
await page.click('a .card-title:has-text("apache")');
await page.click('cds-button:has-text("Deploy") >> nth=0');

// Deploy package
const releaseNameLocator = page.locator("#releaseName");
await releaseNameLocator.waitFor();
await expect(releaseNameLocator).toHaveText("");
await releaseNameLocator.type(utils.getRandomName("test-01-release"));
await page.locator('cds-button:has-text("Deploy")').click();

const errorLocator = page.locator(".alert-items .alert-text");
await expect(errorLocator).toHaveCount(1);
await page.waitForTimeout(5000);

// For some reason, UI is showing different error messages randomly
// Custom assertion logic
const errorMsg = await errorLocator.textContent();
console.log(`Error message on UI = "${errorMsg}"`);
await expect(errorLocator).toContainText("unable to read secret");
});
});
81 changes: 81 additions & 0 deletions integration/tests/main/09-user-positive-installation.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
// Copyright 2022 the Kubeapps contributors.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW, I wasn't thinking that we needed a new test for this, but rather just updating the existing default deployment test to use the kubeapps-user... we know if it passes with that that it will have no issues to pass with a higher-privileged account. Adding redundant tests will just lengthen the test run, won't it? Or is there a reason you think we should test both with the kubeapps-user as well as with kubeapps-operator?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the new 09 test, repository is created by admin user and consumed by another user with less privileges. I don't think we are covering that in other tests? I mean, in 03 test, admin does everything (add repo, deploy, etc.) and in test 04 admin deploys to default namespace using an initial repo from Kubeapps installation.
I think each test covers a slightly different scenario, it's a bit of the "how far do we want to get with e2e tests?" question I would say.
However, happy to remove any test if you think that is not needed!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK - I hadn't realised it was adding a repo. I'm OK with having a separate test, but it's not clear to me why we'd add a repo as part of this test (given we already have a repo with charts we can use for this test, and have other tests that add repositories). Also, I'm not sure about adding a non-bitnami repo so that our CI is now dependent on the prometheus community helm charts?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@absoludity Update: removing the rolebinding deletion from .circleci/config.yml works as expected.

Great, though it might be worth checking with @antgamdia - looks like he added the deletion. I can only guess that the intent was to use the default namespace for the kubeapps user and so extra RBAC for other namespaces was removed, at the time.

Copy link
Contributor

@antgamdia antgamdia Feb 4, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's right, though I can't 100% remember, the idea was just using the default namespace (perhaps because of the problems you mentioned about the test selecting the wrong context?), so I just deleted this extra RBAC (which was granting edit ClusterRole in the kubeapps-user-namespace namespace

@antgamdia Do you know if putting back the kubeapps-user role binding for the view user could bring any issues?
Tests are passing successfully.

@castelblanque Now the tests are handling better how to switch contexts, +1 to remove any deletion that might veil any errors on the current rbac dev file we're using.

// SPDX-License-Identifier: Apache-2.0

const { test, expect } = require("@playwright/test");
const { KubeappsLogin } = require("../utils/kubeapps-login");
const utils = require("../utils/util-functions");

test.describe("Limited user simple deployments", () => {
test("Regular user can deploy and delete packages in its own namespace from global repo without secrets", async ({
page,
}) => {
test.setTimeout(120000);

// Log in as admin to create a repo without password
const k = new KubeappsLogin(page);
await k.doLogin("kubeapps-operator@example.com", "password", process.env.ADMIN_TOKEN);

// Change namespace using UI
await page.click(".kubeapps-dropdown .kubeapps-nav-link");
await page.selectOption('select[name="namespaces"]', "kubeapps");
await page.click('cds-button:has-text("Change Context")');

// Go to repos page
await page.click(".dropdown.kubeapps-menu button.kubeapps-nav-link");
await page.click('a.dropdown-menu-link:has-text("App Repositories")');
await page.waitForTimeout(3000);

// Add new repo
const repoName = utils.getRandomName("repo-test-09");
console.log(`Creating repository "${repoName}"`);
await page.click('cds-button:has-text("Add App Repository")');
await page.type("input#kubeapps-repo-name", repoName);
await page.type(
"input#kubeapps-repo-url",
"https://prometheus-community.github.io/helm-charts",
);
await page.click('cds-button:has-text("Install Repo")');
await page.waitForLoadState("networkidle");

// Log out admin and log in regular user
await k.doLogout();
await k.doLogin("kubeapps-user@example.com", "password", process.env.VIEW_TOKEN);

// Switch to user's namespace using UI
await page.click(".kubeapps-dropdown .kubeapps-nav-link");
await page.selectOption('select[name="namespaces"]', "kubeapps-user-namespace");
await page.click('cds-button:has-text("Change Context")');

// Select package to deploy
await page.click('a.nav-link:has-text("Catalog")');
await page.locator("input#search").type("alertmanager");
await page.waitForTimeout(3000);
await page.click('a:has-text("alertmanager")');
await page.click('cds-button:has-text("Deploy") >> nth=0');

// Deploy package
const releaseNameLocator = page.locator("#releaseName");
await releaseNameLocator.waitFor();
await expect(releaseNameLocator).toHaveText("");
const releaseName = utils.getRandomName("test-09-release");
console.log(`Creating release "${releaseName}"`);
await releaseNameLocator.type(releaseName);
await page.locator('cds-button:has-text("Deploy")').click();

// Check that package is deployed
await page.waitForSelector("css=.application-status-pie-chart-number >> text=1");
await page.waitForSelector("css=.application-status-pie-chart-title >> text=Ready");

// Delete deployment
await page.locator('cds-button:has-text("Delete")').click();
await page.locator('cds-modal-actions button:has-text("Delete")').click();
await page.waitForTimeout(10000);

// Search for package deployed
await page.click('a.nav-link:has-text("Applications")');
await page.locator("input#search").type("alertmanager");
await page.waitForTimeout(3000);
const packageLocator = page.locator('a:has-text("alertmanager")');
await expect(packageLocator).toHaveCount(0);
});
});
16 changes: 13 additions & 3 deletions integration/tests/utils/kubeapps-login.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,14 @@ exports.KubeappsLogin = class KubeappsLogin {
constructor(page) {
this.page = page;
this.oidc = process.env.USE_MULTICLUSTER_OIDC_ENV === "true";
this.token = "";
}

isOidc = () => this.oidc;

setToken(token) {
if ((token.match(/Bearer/g)).length > 1) {
let bearerMatch = token.match(/Bearer/g);
if (bearerMatch && bearerMatch.length > 1) {
token = token.split(",")[0];
}
this.token = token.trim().startsWith("Bearer") ? token.trim().substring(7) : token;
Expand All @@ -36,6 +38,14 @@ exports.KubeappsLogin = class KubeappsLogin {
console.log("Logged into Kubeapps!");
}

async doLogout() {
console.log("Logging out of Kubeapps");
await this.page.click(".dropdown.kubeapps-menu .kubeapps-nav-link");
await this.page.click('cds-button:has-text("Log out")');
await this.page.waitForLoadState("networkidle");
console.log("Logged out of Kubeapps");
}

async doOidcLogin(username, pwd) {
console.log(`Logging in Kubeapps via OIDC in host: ${utils.getUrl("/")}`);

Expand Down Expand Up @@ -71,8 +81,8 @@ exports.KubeappsLogin = class KubeappsLogin {
await this.page.goto(utils.getUrl("/"));
await this.page.waitForLoadState("networkidle");

const formLocator = page.locator("form");
await formLocator.type("input[name=token]", token);
const inputLocator = this.page.locator("form input[name=token]");
await inputLocator.type(token);
await this.page.click("#login-submit-button");

await this.page.waitForLoadState("networkidle");
Expand Down