-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add tests for user with Drogon-affiliate access (#322)
- Loading branch information
Showing
3 changed files
with
374 additions
and
12 deletions.
There are no files selected for viewing
51 changes: 51 additions & 0 deletions
51
.github/workflows/run_tests_access_drogon_affiliate_login.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| name: Test access DROGON-AFFILIATE login | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: [main] | ||
| schedule: | ||
| - cron: "59 4 * * *" | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| build_pywheels: | ||
| name: PY ${{ matrix.python-version }} on ${{ matrix.os }} | ||
| runs-on: ${{ matrix.os }} | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.11"] | ||
| os: [ubuntu-latest] | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Azure Login | ||
| uses: Azure/login@v2 | ||
| with: | ||
| client-id: a93bdf61-02ec-4e2d-8d8b-ca00673d11f3 | ||
| tenant-id: 3aa4a235-b6e2-48d5-9195-7fcf05b459b0 | ||
| allow-no-subscriptions: true | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
|
|
||
| - name: Install fmu-sumo | ||
| run: > | ||
| python -m pip install --upgrade pip && | ||
| python -m pip install .[test] | ||
| - name: Run tests | ||
| shell: bash | ||
| run: | | ||
| az --version | ||
| az account list | ||
| pip list | grep -i sumo | ||
| access_token=$(az account get-access-token --scope api://88d2b022-3539-4dda-9e66-853801334a86/.default --query accessToken --output tsv) | ||
| export ACCESS_TOKEN=$access_token | ||
| pytest -s --timeout=300 tests/test_access/tst_access_drogon_affiliate_login.py | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,20 +1,24 @@ | ||
| # Testing access to SUMO: read, write, manage, no access | ||
| # Testing access to SUMO: read, write, manage, no access, affiliate | ||
|
|
||
| Tests in this folder shall be run inside Github Actions as specific | ||
| users with specific access. Each test file is tailored for a specific | ||
| user with either no-access, DROGON-READ, DROGON-WRITE or DROGON-MANAGE. | ||
| user with either no-access, DROGON-READ, DROGON-WRITE, DROGON-MANAGE | ||
| or DROGON-AFFILIATE. | ||
| Since you as a developer have different accesses, many tests will fail | ||
| if you run them as yourself. | ||
|
|
||
| There are pytest skip decorators to avoid running these tests | ||
| outside Github Actions. | ||
| In addition, the file names use the non-standard 'tst' over 'test' to avoid being picked | ||
| up by a call to pytest. | ||
| In addition, the file names use the non-standard 'tst' over 'test' to | ||
| avoid being picked up by a call to pytest. | ||
|
|
||
| Print statements are used to ensure the Github Actions run prints | ||
| information that can be used for debugging. | ||
|
|
||
| Using allow-no-subscriptions flag to avoid having to give the App Registrations access to some resource inside the subscription itself. Example: | ||
| Using allow-no-subscriptions flag to avoid having to give the | ||
| App Registrations access to some resource inside the subscription itself. | ||
| Example: | ||
|
|
||
| ``` | ||
| - name: Azure Login | ||
| uses: Azure/login@v2 | ||
|
|
@@ -24,28 +28,75 @@ Using allow-no-subscriptions flag to avoid having to give the App Registrations | |
| allow-no-subscriptions: true | ||
| ``` | ||
|
|
||
| If you want to run the tests on your laptop, using bash: | ||
| ## Run tests on your local laptop with your own identity | ||
|
|
||
| If you want to run the tests on your laptop as yourself, using bash: | ||
|
|
||
| ``` | ||
| export GITHUB_ACTIONS="true" | ||
| ``` | ||
|
|
||
| Note that since you have different access, most tests should fail | ||
|
|
||
| ## Run tests on your local laptop as one of the App Registrations | ||
|
|
||
| To run these tests on your developer laptop _as the different | ||
| App Registrations_, using bash and az cli: | ||
|
|
||
| * Create a secret for the relevant App Registration inside Azure portal, | ||
| copy the secret. | ||
| * Login as the App Registration: | ||
|
|
||
| ``` | ||
| az login --service-principal -t <Tenant-ID> -u <Client-ID> -p <Client-secret> --allow-no-subscriptions | ||
| ``` | ||
|
|
||
| * Get a token and set it in the environment where sumo-wrapper-python will pick it up: | ||
|
|
||
| In theory you could run locally as the App Registration / Service Principal but I | ||
| do not think the sumo-wrapper-python makes it possible: | ||
| ``` | ||
| az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant> --allow-no-subscriptions | ||
| export ACCESS_TOKEN=$(az account get-access-token --scope api://88d2b022-3539-4dda-9e66-853801334a86/.default --query accessToken --output tsv) | ||
| ``` | ||
|
|
||
| * Set the env-var to mimick Github Actions: | ||
| ``` | ||
| export GITHUB_ACTIONS=true | ||
| ``` | ||
|
|
||
| * Run the tests; preferably start with running userpermissions or similar to verify that you have the | ||
| access you expect: | ||
| ``` | ||
| pytest -s tests/test_access/tst_access_drogon_affiliate_login.py::test_get_userpermissions | ||
| ``` | ||
|
|
||
| It is good practice to delete the secret from the App Registration when you are finished. | ||
|
|
||
| Note that the ACCESS_TOKEN can be used to login to the Swagger page (Bearer) too. | ||
|
|
||
|
|
||
| Relevant App Registrations: | ||
|
|
||
| * sumo-test-runner-no-access No access | ||
| * sumo-test-runner-drogon-read DROGON-READ | ||
| * sumo-test-runner-drogon-write DROGON-WRITE | ||
| * sumo-test-runner-drogon-manage DROGON-MANAGE | ||
| * sumo-test-runner-drogon-affiliate DROGON-AFFILIATE | ||
|
|
||
| (Note that the sumo-test-runner-drogon-affiliate app-reg is added as member | ||
| to Entra ID Group named 'Sumo admin' which have the DROGON-AFFILIATE role) | ||
|
|
||
| The Azure Entra ID 'App Registrations' blade named 'API permissions' is where the access is | ||
| given. | ||
| The Azure Entra ID 'App Registrations' blade named 'API permissions' is | ||
| where the access is given. Remember that the access must be granted/consented | ||
| for Equinor by a mail to [email protected]: | ||
| "Please grant admin consent for Azure Entra ID App Registration sumo-test-runner-drogon-affiliate | ||
| to the sumo-core-dev drogon-affiliate role" | ||
| as explained [here](https://docs.omnia.equinor.com/governance/iam/App-Admin-Consent/) | ||
|
|
||
| ## Test access using shared-key | ||
|
|
||
| Shared key authentication is also tested. The shared keys are manually created with the /admin/make-shared-access-key, then manually put into Github Actions Secrets. Note that these secrets must be replaced when they expire after a year. | ||
| Shared key authentication is also tested. | ||
| The shared keys are manually created with the /admin/make-shared-access-key, | ||
| then manually put into Github Actions Secrets. | ||
| Note that these secrets must be replaced when they expire after a year. | ||
|
|
||
| It is not possible to run a 'no-access' test with shared key. | ||
|
|
||
|
|
||
Oops, something went wrong.