
Commit dd05ec1

committed
Introduce topology rbac e2e tests
Signed-off-by: Dominika Zemanovicova <[email protected]>
1 parent 52dc9f2 commit dd05ec1


13 files changed

+327
-117
lines changed

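--- a/.ibm/pipelines/env_variables.sh
+++ b/.ibm/pipelines/env_variables.sh
@@ -53,6 +53,10 @@ QE_USER3_ID=$(cat /tmp/secrets/QE_USER3_ID)
 QE_USER3_PASS=$(cat /tmp/secrets/QE_USER3_PASS)
 QE_USER4_ID=$(cat /tmp/secrets/QE_USER4_ID)
 QE_USER4_PASS=$(cat /tmp/secrets/QE_USER4_PASS)
+QE_USER5_ID=$(cat /tmp/secrets/QE_USER5_ID)
+QE_USER5_PASS=$(cat /tmp/secrets/QE_USER5_PASS)
+QE_USER6_ID=$(cat /tmp/secrets/QE_USER6_ID)
+QE_USER6_PASS=$(cat /tmp/secrets/QE_USER6_PASS)
 
 K8S_CLUSTER_TOKEN_TEMPORARY=$(cat /tmp/secrets/K8S_CLUSTER_TOKEN_TEMPORARY)
 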

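--- a/.ibm/pipelines/resources/config_map/app-config-rhdh-rbac.yaml
+++ b/.ibm/pipelines/resources/config_map/app-config-rhdh-rbac.yaml
@@ -129,6 +129,7 @@ permission:
 - catalog
 - permission
 - scaffolder
+- kubernetes
 admin:
 users:
 - name: user:default/rhdh-qe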

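--- a/.ibm/pipelines/resources/config_map/rbac-policy.csv
+++ b/.ibm/pipelines/resources/config_map/rbac-policy.csv
@@ -10,6 +10,8 @@ p, role:xyz/team_a, catalog.location.read, read, allow
 
 g, user:default/rhdh-qe, role:default/qe_rbac_admin
 p, role:default/qe_rbac_admin, kubernetes.proxy, use, allow
+p, role:default/qe_rbac_admin, kubernetes.resources.read, read, allow
+p, role:default/qe_rbac_admin, kubernetes.clusters.read, read, allow
 p, role:default/qe_rbac_admin, catalog.entity.create, create, allow
 p, role:default/qe_rbac_admin, catalog.location.create, create, allow
 p, role:default/qe_rbac_admin, catalog.location.read, read, allow
@@ -20,4 +22,12 @@ p, role:default/bulk_import, catalog.entity.create, create, allow
 g, user:default/rhdh-qe-2, role:default/bulk_import
 
 g, group:default/rhdh-qe-parent-team, role:default/transitive-owner
-g, group:default/rhdh-qe-child-team, role:default/transitive-owner
+g, group:default/rhdh-qe-child-team, role:default/transitive-owner
+
+g, user:default/rhdh-qe-5, role:default/kubernetes_reader
+p, role:default/kubernetes_reader, kubernetes.resources.read, read, allow
+p, role:default/kubernetes_reader, kubernetes.clusters.read, read, allow
+
+g, user:default/rhdh-qe-5, role:default/catalog_reader
+g, user:default/rhdh-qe-6, role:default/catalog_reader
+p, role:default/catalog_reader, catalog.entity.read, read, allow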

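--- a/.ibm/pipelines/value_files/values_showcase-rbac.yaml
+++ b/.ibm/pipelines/value_files/values_showcase-rbac.yaml
@@ -42,6 +42,8 @@ global:
 disabled: false
 - package: ./dynamic-plugins/dist/backstage-community-plugin-tekton
 disabled: false
+- package: ./dynamic-plugins/dist/backstage-community-plugin-topology
+disabled: false
 - package: ./dynamic-plugins/dist/backstage-plugin-kubernetes
 disabled: false
 - package: ./dynamic-plugins/dist/backstage-plugin-kubernetes-backend-dynamic
@@ -52,8 +54,9 @@ global:
 - clusters:
 - authProvider: serviceAccount
 name: 'my-cluster'
-serviceAccountToken: ${K8S_SERVICE_ACCOUNT_TOKEN}
+serviceAccountToken: ${K8S_CLUSTER_TOKEN_ENCODED}
 url: ${K8S_CLUSTER_API_SERVER_URL}
+skipTLSVerify: true
 type: config
 customResources:
 # Add for tekton
@@ -70,10 +73,6 @@ global:
 - apiVersion: 'v1'
 group: 'route.openshift.io'
 plural: 'routes'
-# Add to view topology code decorators
-- group: 'org.eclipse.che'
-apiVersion: 'v2'
-plural: 'checlusters'
 serviceLocatorMethod:
 type: multiTenant
 # Enable OCM plugins.
@@ -194,6 +193,8 @@ upstream:
 # disable telemetry in CI
 - name: SEGMENT_TEST_MODE
 value: 'true'
+- name: NODE_TLS_REJECT_UNAUTHORIZED
+value: '0'
 extraVolumeMounts:
 # The initContainer below will install dynamic plugins in this volume mount.
 - name: dynamic-plugins-root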
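Review bot: `NODE_TLS_REJECT_UNAUTHORIZED` set to `'0'` in the last hunk turns off certificate verification for every outbound HTTPS call the backend process makes, not only the calls to `my-cluster`, and the cluster entry in the second hunk already sets `skipTLSVerify: true`. If the test cluster presents a self-signed certificate, it would be narrower to trust that CA, for example `caData: ${K8S_CLUSTER_CA_DATA_PLACEHOLDER}` on the cluster entry or `NODE_EXTRA_CA_CERTS` for the process, and to drop the global switch. If it has to stay, a comment such as `# CI only: test cluster uses a self-signed cert; do not copy into non-test values` next to both settings would keep them from being reused elsewhere. It is also worth confirming that `serviceAccountToken` accepts the value held in `K8S_CLUSTER_TOKEN_ENCODED` as-is; the name suggests an encoded form, but how it is produced is not visible here.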

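--- a/e2e-tests/playwright.config.ts
+++ b/e2e-tests/playwright.config.ts
@@ -55,7 +55,7 @@ export default defineConfig({
 name: "showcase",
 testIgnore: [
 "**/playwright/e2e/plugins/rbac/**/*.spec.ts",
-"**/playwright/e2e/plugins/analytics/analytics-disabled-rbac.spec.ts",
+"**/playwright/e2e/plugins/**/*-rbac.spec.ts",
 "**/playwright/e2e/verify-tls-config-with-external-postgres-db.spec.ts",
 "**/playwright/e2e/authProviders/**/*.spec.ts",
 "**/playwright/e2e/plugins/bulk-import.spec.ts",
@@ -68,7 +68,7 @@ export default defineConfig({
 name: "showcase-rbac",
 testMatch: [
 "**/playwright/e2e/plugins/rbac/**/*.spec.ts",
-"**/playwright/e2e/plugins/analytics/analytics-disabled-rbac.spec.ts",
+"**/playwright/e2e/plugins/**/*-rbac.spec.ts",
 "**/playwright/e2e/verify-tls-config-with-external-postgres-db.spec.ts",
 "**/playwright/e2e/plugins/bulk-import.spec.ts",
 ],
@@ -100,7 +100,7 @@ export default defineConfig({
 testIgnore: [
 "**/playwright/e2e/smoke-test.spec.ts",
 "**/playwright/e2e/plugins/rbac/**/*.spec.ts",
-"**/playwright/e2e/plugins/analytics/analytics-disabled-rbac.spec.ts",
+"**/playwright/e2e/plugins/**/*-rbac.spec.ts",
 "**/playwright/e2e/verify-tls-config-with-external-postgres-db.spec.ts",
 "**/playwright/e2e/authProviders/**/*.spec.ts",
 "**/playwright/e2e/plugins/bulk-import.spec.ts",
@@ -118,15 +118,15 @@ export default defineConfig({
 dependencies: ["smoke-test"],
 testMatch: [
 "**/playwright/e2e/plugins/rbac/**/*.spec.ts",
-"**/playwright/e2e/plugins/analytics/analytics-disabled-rbac.spec.ts",
+"**/playwright/e2e/plugins/**/*-rbac.spec.ts",
 "**/playwright/e2e/plugins/bulk-import.spec.ts",
 ],
 },
 {
 name: "showcase-operator",
 testIgnore: [
 "**/playwright/e2e/plugins/rbac/**/*.spec.ts",
-"**/playwright/e2e/plugins/analytics/analytics-disabled-rbac.spec.ts",
+"**/playwright/e2e/plugins/**/*-rbac.spec.ts",
 "**/playwright/e2e/verify-tls-config-with-external-postgres-db.spec.ts",
 "**/playwright/e2e/authProviders/**/*.spec.ts",
 "**/playwright/e2e/plugins/bulk-import.spec.ts",
@@ -142,7 +142,7 @@ export default defineConfig({
 name: "showcase-operator-rbac",
 testMatch: [
 "**/playwright/e2e/plugins/rbac/**/*.spec.ts",
-"**/playwright/e2e/plugins/analytics/analytics-disabled-rbac.spec.ts",
+"**/playwright/e2e/plugins/**/*-rbac.spec.ts",
 "**/playwright/e2e/plugins/bulk-import.spec.ts",
 ],
 },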
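Review bot: The glob `**/playwright/e2e/plugins/**/*-rbac.spec.ts` is now written six times across the `testIgnore` and `testMatch` lists, and which project a spec runs in depends on a file-name suffix that nothing in the config explains. A single constant near the top of the file, e.g. `const RBAC_PLUGIN_SPECS = "**/playwright/e2e/plugins/**/*-rbac.spec.ts";`, with the comment `// Specs that need the RBAC deployment must end in -rbac.spec.ts; every other project ignores them.`, would keep the lists from drifting apart. A spec that needs RBAC but is named differently would run in the non-RBAC projects without any warning, so the convention is worth stating where it is enforced. The `defineConfig` call starts and ends outside these hunks.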

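--- a/e2e-tests/playwright/data/rbac-constants.ts
+++ b/e2e-tests/playwright/data/rbac-constants.ts
@@ -30,6 +30,14 @@ export class RbacConstants {
 ],
 name: "role:default/transitive-owner",
 },
+{
+memberReferences: ["user:default/rhdh-qe-5"],
+name: "role:default/kubernetes_reader",
+},
+{
+memberReferences: ["user:default/rhdh-qe-5", "user:default/rhdh-qe-6"],
+name: "role:default/catalog_reader",
+},
 ];
 }
 
@@ -107,6 +115,18 @@ export class RbacConstants {
 policy: "use",
 effect: "allow",
 },
+{
+entityReference: "role:default/qe_rbac_admin",
+permission: "kubernetes.resources.read",
+policy: "read",
+effect: "allow",
+},
+{
+entityReference: "role:default/qe_rbac_admin",
+permission: "kubernetes.clusters.read",
+policy: "read",
+effect: "allow",
+},
 {
 entityReference: "role:default/qe_rbac_admin",
 permission: "catalog.entity.create",
@@ -143,6 +163,24 @@ export class RbacConstants {
 policy: "create",
 effect: "allow",
 },
+{
+entityReference: "role:default/kubernetes_reader",
+permission: "kubernetes.resources.read",
+policy: "read",
+effect: "allow",
+},
+{
+entityReference: "role:default/kubernetes_reader",
+permission: "kubernetes.clusters.read",
+policy: "read",
+effect: "allow",
+},
+{
+entityReference: "role:default/catalog_reader",
+permission: "catalog.entity.read",
+policy: "read",
+effect: "allow",
+},
 ];
 }
 }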
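Review bot: The role and policy entries added in all three hunks restate by hand what this commit adds to `.ibm/pipelines/resources/config_map/rbac-policy.csv`, and nothing in the file says so. A later edit to one side will only surface as a failing comparison wherever these constants are checked, which is not visible in this commit. A comment above the new entries would help, e.g. `// Keep in sync with .ibm/pipelines/resources/config_map/rbac-policy.csv (kubernetes_reader, catalog_reader).` It would also be worth noting there that `user:default/rhdh-qe-6` is deliberately left without any kubernetes permission, if that is the denied case the topology test relies on. The enclosing `RbacConstants` methods start outside the hunks.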

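--- a/e2e-tests/playwright/e2e/plugins/rbac/rbac.spec.ts
+++ b/e2e-tests/playwright/e2e/plugins/rbac/rbac.spec.ts
@@ -8,13 +8,13 @@ import {
 } from "../../../support/pageObjects/page-obj";
 import { Common, setupBrowser } from "../../../utils/common";
 import { UIhelper } from "../../../utils/ui-helper";
-import fs from "fs/promises";
 import { RbacPo } from "../../../support/pageObjects/rbac-po";
 import { RhdhAuthApiHack } from "../../../support/api/rhdh-auth-api-hack";
 import RhdhRbacApi from "../../../support/api/rbac-api";
 import { RbacConstants } from "../../../data/rbac-constants";
 import { Policy } from "../../../support/api/rbac-api-structures";
 import { CatalogImport } from "../../../support/pages/catalog-import";
+import { downloadAndReadFile } from "../../../utils/helper";
 
 /*
 Note that:
@@ -226,7 +226,10 @@ test.describe.serial("Test RBAC", () => {
 
 test("Should download the user list", async ({ page }) => {
 await page.locator('a:has-text("Download User List")').click();
-const fileContent = await downloadAndReadFile(page);
+const fileContent = await downloadAndReadFile(
+page,
+'a:has-text("Download User List")',
+);
 const lines = fileContent.trim().split("\n");
 
 const header = "userEntityRef,displayName,email,lastAuthTime";
@@ -243,25 +246,6 @@ test.describe.serial("Test RBAC", () => {
 }
 });
 
-async function downloadAndReadFile(
-page: Page,
-): Promise<string | undefined> {
-const [download] = await Promise.all([
-page.waitForEvent("download"),
-page.locator('a:has-text("Download User List")').click(),
-]);
-
-const filePath = await download.path();
-
-if (filePath) {
-const fileContent = await fs.readFile(filePath, "utf-8");
-return fileContent;
-} else {
-console.error("Download failed or path is not available");
-return undefined;
-}
-}
-
 test("View details of a role", async ({ page }) => {
 const uiHelper = new UIhelper(page);
 await uiHelper.clickLink("role:default/rbac_admin");
@@ -293,7 +277,6 @@ test.describe.serial("Test RBAC", () => {
 test("Create and edit a role from the roles list page", async ({
 page,
 }) => {
-const rolesHelper = new Roles(page);
 const uiHelper = new UIhelper(page);
 
 await uiHelper.clickButton("Create");
@@ -325,11 +308,12 @@ test.describe.serial("Test RBAC", () => {
 
 const rbacPo = new RbacPo(page);
 const testUser = "Jonathon Page";
-await rbacPo.createRole("test-role", [
-RbacPo.rbacTestUsers.guest,
-RbacPo.rbacTestUsers.tara,
-RbacPo.rbacTestUsers.backstage,
-]);
+await rbacPo.createRole(
+"test-role",
+[RbacPo.rbacTestUsers.guest, RbacPo.rbacTestUsers.tara],
+[RbacPo.rbacTestUsers.backstage],
+[{ permission: "catalog.entity.delete" }],
+);
 await page.click(
 ROLES_PAGE_COMPONENTS.editRole("role:default/test-role"),
 );
@@ -361,20 +345,20 @@ test.describe.serial("Test RBAC", () => {
 await usersAndGroupsLocator.waitFor();
 await expect(usersAndGroupsLocator).toBeVisible();
 
-await rolesHelper.deleteRole("role:default/test-role");
+await rbacPo.deleteRole("role:default/test-role");
 });
 
 test("Edit users and groups and update policies of a role from the overview page", async ({
 page,
 }) => {
-const rolesHelper = new Roles(page);
 const uiHelper = new UIhelper(page);
 const rbacPo = new RbacPo(page);
-await rbacPo.createRole("test-role1", [
-RbacPo.rbacTestUsers.guest,
-RbacPo.rbacTestUsers.tara,
-RbacPo.rbacTestUsers.backstage,
-]);
+await rbacPo.createRole(
+"test-role1",
+[RbacPo.rbacTestUsers.guest, RbacPo.rbacTestUsers.tara],
+[RbacPo.rbacTestUsers.backstage],
+[{ permission: "catalog.entity.delete" }],
+);
 
 await uiHelper.searchInputAriaLabel("test-role1");
 
@@ -423,17 +407,18 @@ test.describe.serial("Test RBAC", () => {
 );
 await uiHelper.verifyHeading("Permission Policies (2)");
 
-await rolesHelper.deleteRole("role:default/test-role1");
+await rbacPo.deleteRole("role:default/test-role1");
 });
 
 test("Create a role with a permission policy per resource type and verify that the only authorized users can access specific resources.", async ({
 page,
 }) => {
-const rolesHelper = new Roles(page);
 const uiHelper = new UIhelper(page);
-await new RbacPo(page).createRole(
+const rbacPo = new RbacPo(page);
+await rbacPo.createConditionalRole(
 "test-role1",
-["Guest User", "rhdh-qe", "Backstage"],
+["Guest User", "rhdh-qe"],
+["Backstage"],
 "anyOf",
 );
 
@@ -444,7 +429,7 @@ test.describe.serial("Test RBAC", () => {
 .locator(SEARCH_OBJECTS_COMPONENTS.ariaLabelSearch)
 .fill("test-role1");
 await uiHelper.verifyHeading("All roles (1)");
-await rolesHelper.deleteRole("role:default/test-role1");
+await rbacPo.deleteRole("role:default/test-role1");
 });
 });
 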
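Review bot: In the "Should download the user list" test the link is still clicked on the unchanged line before the call, and the same selector is then passed to `downloadAndReadFile`; if the shared helper clicks the locator itself, as the removed local helper did inside `Promise.all`, the link is clicked twice and the first download is never awaited. The helper in `utils/helper` is not visible here, so this needs checking; if it does click, remove `await page.locator('a:has-text("Download User List")').click();` from the test. The removed helper was typed `Promise<string | undefined>` and `fileContent.trim()` runs without a check, so `expect(fileContent).toBeDefined();` before it would give a clearer failure if the shared helper keeps that return type. With `new Roles(page)` and the local helper gone, the `Roles` and `Page` imports, which sit outside the hunks, may now be unused.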
