Switch testing over to oci-env (#1773)

* add make targets for running tests with oci-env
* add make targets for running gh action integration tests
* enable testing for LDAP and Keycloak
* switch gh actions pipeline over to use oci-env

Issue: AAH-2393

---------

Co-authored-by: Christian <[email protected]>

.github/workflows/ci_oci-env-integration.yml

@@ -0,0 +1,60 @@
+---
+name: OCI Env Integration
+on: 
+  pull_request:
+    branches:
+      - '**'
+    paths-ignore:
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - 'CHANGES/**'
+  push:
+    branches:
+      - '**'
+  workflow_dispatch:
+
+jobs:
+  integration:
+    strategy:
+      fail-fast: false
+      matrix:
+        env:
+          - TEST_PROFILE: ldap
+          - TEST_PROFILE: keycloak
+          - TEST_PROFILE: standalone
+          - TEST_PROFILE: rbac
+          - TEST_PROFILE: certified-sync
+          - TEST_PROFILE: insights
+          - TEST_PROFILE: iqe_rbac
+          - TEST_PROFILE: x_repo_search
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-python@v2
+        with:
+          python-version: "3.10"
+
+      # Note: COMPOSE_INTERACTIVE_NO_CLI=1 is required for oci-env to work correctly when there's no interactive terminal
+      - name: Set environment variables
+        run: |
+          echo "OCI_ENV_PATH=${HOME}/work/galaxy_ng/oci_env" >> $GITHUB_ENV
+          echo "COMPOSE_INTERACTIVE_NO_CLI=1" >> $GITHUB_ENV
+
+      - name: Update apt
+        run: sudo apt -y update
+
+      - name: Install LDAP requirements
+        run: sudo apt-get install -y libsasl2-dev python3 libldap2-dev libssl-dev build-essential
+
+      - name: Install docker-compose
+        run: pip3 install --upgrade docker-compose
+
+      - name: setup oci-env
+        run: |
+          git clone https://github.com/pulp/oci_env.git $OCI_ENV_PATH
+          pip install -e $OCI_ENV_PATH/client/
+          mkdir $OCI_ENV_PATH/db_backup/
+
+      - name: run integration tests
+        run: make gh-action/${{ matrix.env.TEST_PROFILE }}

CHANGES/2393.misc

@@ -0,0 +1 @@
+Refactor integration tests to use oci-env.

Dockerfile.sync_tests_stage

@@ -20,4 +20,4 @@ ENV SYNC_TESTS_STAGE=true \
     HUB_USE_MOVE_ENDPOINT=true \
     HUB_API_ROOT="https://console.stage.redhat.com/api/automation-hub/" \
     HUB_AUTH_URL="https://sso.stage.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token/"
-CMD ["pytest", "--log-cli-level=DEBUG", "-m", "sync", "--junitxml=galaxy_ng-results.xml", "-v", "galaxy_ng/tests/integration"]
+CMD ["pytest", "--log-cli-level=DEBUG", "-m", "sync", "--junitxml=galaxy_ng-results.xml", "-v", "galaxy_ng/tests/integration/api/test_sync_stage.py"]

Makefile

@@ -5,6 +5,9 @@ RUNNING = $(shell docker ps -q -f name=api)
 # if running is empty, then DJ_MANAGER = manage, else DJ_MANAGER = django-admin
 DJ_MANAGER = $(shell if [ "$(RUNNING)" = "" ]; then echo manage; else echo django-admin; fi)
 
+# set the OCI_ENV_PATH to be ../oci_env/ if this isn't set in the user's environment
+export OCI_ENV_PATH = $(shell if [ -n "$$OCI_ENV_PATH" ]; then echo "$$OCI_ENV_PATH"; else echo ${PWD}/../oci_env/; fi)
+
 define exec_or_run
 	# Tries to run on existing container if it exists, otherwise starts a new one.
 	@echo $(1)$(2)$(3)$(4)$(5)$(6)
@@ -103,6 +106,42 @@ docker/test/integration/container:      ## Run integration tests.
 	docker build . -f dev/standalone/integration-test-dockerfile -t galaxy-integration-runner
 	docker run -it --rm --add-host=localhost:host-gateway galaxy-integration-runner $(FLAGS)
 
+.PHONY: oci-env/integration
+oci-env/integration:
+	oci-env exec bash /src/galaxy_ng/profiles/base/run_integration.sh $(FLAGS)
+
+.PHONY: gh-action/ldap
+gh-action/ldap:
+	python3 dev/oci_env_integration/actions/ldap.py
+
+.PHONY: gh-action/x_repo_search
+gh-action/x_repo_search:
+	python3 dev/oci_env_integration/actions/x_repo_search.py
+
+.PHONY: gh-action/iqe_rbac
+gh-action/iqe_rbac:
+	python3 dev/oci_env_integration/actions/iqe_rbac.py
+
+.PHONY: gh-action/keycloak
+gh-action/keycloak:
+	python3 dev/oci_env_integration/actions/keycloak.py
+
+.PHONY: gh-action/rbac
+gh-action/rbac:
+	python3 dev/oci_env_integration/actions/rbac.py
+
+.PHONY: gh-action/insights
+gh-action/insights:
+	python3 dev/oci_env_integration/actions/insights.py
+
+.PHONY: gh-action/standalone
+gh-action/standalone:
+	python3 dev/oci_env_integration/actions/standalone.py
+
+.PHONY: gh-action/certified-sync
+gh-action/certified-sync:
+	python3 dev/oci_env_integration/actions/certified-sync.py
+
 .PHONY: docker/loaddata
 docker/loaddata:  ## Load initial data from python script
 	$(call exec_or_run, api, "/bin/bash", "-c", "/entrypoint.sh manage shell < app/dev/common/setup_test_data.py")

dev/common/setup_test_data.py

@@ -1,120 +1,78 @@
 from django.contrib.contenttypes.models import ContentType
 from pulpcore.plugin.models.role import GroupRole, Role
-from pulpcore.plugin.util import assign_role
 from pulp_ansible.app.models import CollectionRemote
 from rest_framework.authtoken.models import Token
 
 from galaxy_ng.app.models import Namespace
 from galaxy_ng.app.models.auth import Group, User
 
+from galaxy_ng.tests.integration.constants import CREDENTIALS, PROFILES
+
+
 """
 Setup test data used in integration tests.
 """
 
-print("Add a group that has namespace permissions")
-test_group, _ = Group.objects.get_or_create(name="ns_group_for_tests")
-
-print("Ensure partner-engineers group created and has roles assigned")
-PE_GROUP_NAME = "system:partner-engineers"
-pe_group, _ = Group.objects.get_or_create(name=PE_GROUP_NAME)
-pe_roles = [
-    "galaxy.group_admin",
-    "galaxy.user_admin",
-    "galaxy.collection_admin",
-]
-roles_in_group = [group_role.role.name for group_role in pe_group.object_roles.all()]
-for role in pe_roles:
-    if role not in roles_in_group:
-        assign_role(rolename=role, entity=pe_group)
-
-print("Add a group that has registry and registry remote roles assigned")
-ee_group, _ = Group.objects.get_or_create(name="ee_group_for_tests")
-ee_role = 'galaxy.execution_environment_admin'
-roles_in_ee_group = [group_role.role.name for group_role in ee_group.object_roles.all()]
-if ee_role not in roles_in_ee_group:
-    assign_role(rolename=ee_role, entity=ee_group)
-
-print("Get or create test users to match keycloak passwords")
-
-# in ephemeral keycloak this user is part of customer account: 6089723
-basic_user, _ = User.objects.get_or_create(username="iqe_normal_user")
-basic_user.set_password("redhat")
-basic_user.groups.add(test_group)
-basic_user.save()
-
-# in ephemeral keycloak this user is part of customer account: 6089719
-partner_engineer, _ = User.objects.get_or_create(username="jdoe")
-partner_engineer.set_password("redhat")
-partner_engineer.groups.add(test_group)
-partner_engineer.groups.add(pe_group)
-partner_engineer.save()
-
-# in ephemeral keycloak this user is part of customer account: 6089720
-org_admin, _ = User.objects.get_or_create(username="org-admin")
-org_admin.set_password("redhat")
-org_admin.groups.add(test_group)
-org_admin.save()
-
-# in ephemeral keycloak this user is part of customer account: 6089726
-admin, _ = User.objects.get_or_create(username="notifications_admin")
-admin.set_password("redhat")
-admin.is_superuser = True
-admin.is_staff = True
-admin.save()
-
-# in ephemeral keycloak this user is part of customer account: 6089726
-iqe_admin, _ = User.objects.get_or_create(username="iqe_admin")
-iqe_admin.set_password("redhat")
-iqe_admin.is_superuser = True
-iqe_admin.is_staff = True
-iqe_admin.save()
-
-# Note: this user is not a part of ephemeral keycloak users
-ee_admin, _ = User.objects.get_or_create(username="ee_admin")
-ee_admin.set_password("redhat")
-ee_admin.groups.add(ee_group)
-ee_admin.save()
-
-# Note: User not used for integration tests, not part of ephemeral keycloak users
-legacy_admin, _ = User.objects.get_or_create(username="admin")
-legacy_admin.set_password("admin")
-legacy_admin.email = "[email protected]"
-legacy_admin.is_superuser = True
-legacy_admin.is_staff = True
-legacy_admin.save()
-
-
-print("Get or create tokens for test users")
-Token.objects.get_or_create(user=basic_user, key="abcdefghijklmnopqrstuvwxyz1234567891")
-Token.objects.get_or_create(user=partner_engineer, key="abcdefghijklmnopqrstuvwxyz1234567892")
-Token.objects.get_or_create(user=org_admin, key="abcdefghijklmnopqrstuvwxyz1234567893")
-Token.objects.get_or_create(user=admin, key="abcdefghijklmnopqrstuvwxyz1234567894")
-Token.objects.get_or_create(user=ee_admin, key="abcdefghijklmnopqrstuvwxyz1234567895")
-
-
-print("Get or create namespaces + add object permissions to group")
-for nsname in ["autohubtest2", "autohubtest3"]:
+TEST_NAMESPACES = {}
+
+print("Create test namespaces")
+for nsname in ["autohubtest2", "autohubtest3", "signing"]:
     ns, _ = Namespace.objects.get_or_create(name=nsname)
-    # connect group to role for this namespace object
-    GroupRole.objects.get_or_create(
-        role=Role.objects.get(name="galaxy.collection_namespace_owner"),
-        group=test_group,
-        content_type=ContentType.objects.get(model="namespace"),
-        object_id=ns.id,
-    )
-
-print("Create a signing namespace and roles")
-signing_ns, _ = Namespace.objects.get_or_create(name="signing")
-# connect group to role for this namespace object
-GroupRole.objects.get_or_create(
-    role=Role.objects.get(name="galaxy.collection_namespace_owner"),
-    group=pe_group,
-    content_type=ContentType.objects.get(model="namespace"),
-    object_id=signing_ns.id,
-)
-
-print("Add a group that exists in the testing LDAP container")
-ldap_group, _ = Group.objects.get_or_create(name="admin_staff")
+    TEST_NAMESPACES[nsname] = ns
+
+
+def _init_group(credentials, profile):
+    if g := credentials.get("group"):
+        group, _ = Group.objects.get_or_create(name=g)
+
+        # add namespace ownership to the group
+        if namespaces := profile.get("namespaces"):
+            for ns in namespaces:
+                ns = TEST_NAMESPACES[ns]
+
+                # assign_role creates duplicate entries, so we'll use this directly.
+                GroupRole.objects.get_or_create(
+                    role=Role.objects.get(name="galaxy.collection_namespace_owner"),
+                    group=group,
+                    content_type=ContentType.objects.get(model="namespace"),
+                    object_id=ns.id,
+                )
+
+        if roles := profile.get("roles"):
+            for role in roles:
+                GroupRole.objects.get_or_create(
+                    role=Role.objects.get(name=role),
+                    group=group,
+                )
+
+        return group
+
+
+def _init_token(user, credentials):
+    if token := credentials.get("token"):
+        Token.objects.get_or_create(user=user, key=token)
+
+
+for profile_name in PROFILES:
+    profile = PROFILES[profile_name]
+    if ldap_user := profile["username"].get("ldap"):
+        print(f"Initializing ldap user for test profile: {profile_name}")
+        credentials = CREDENTIALS[ldap_user]
+        _init_group(credentials, profile)
+
+    if galaxy_user := profile["username"].get("galaxy"):
+        print(f"Initializing galaxy user for test profile: {profile_name}")
+        u, _ = User.objects.get_or_create(username=galaxy_user)
+        credentials = CREDENTIALS[galaxy_user]
+
+        u.set_password(credentials["password"])
+        u.is_superuser = profile.get("is_superuser", False)
+
+        if group := _init_group(credentials, profile):
+            u.groups.add(group)
+        u.save()
+
+        _init_token(u, credentials)
 
 
 print("CollectionRemote community url points to beta-galaxy.ansible.com")

dev/ephemeral/run_tests.sh

@@ -12,7 +12,7 @@ ${VENV_PATH}/bin/pip install -r integration_requirements.txt
 
 echo "Running pytest ..."
 ${VENV_PATH}/bin/pytest \
-    --capture=no -m "cloud_only or (not standalone_only and not community_only and not sync and not rm_sync and not x_repo_search and not rbac_repos)" \
+    --capture=no -m "deployment_cloud or all" \
     -v \
     galaxy_ng/tests/integration $@
 RC=$?