diff --git a/.ci/cico_updates_openshift.sh b/.ci/cico_updates_openshift.sh index 208f4e6bfe..47137d20ce 100755 --- a/.ci/cico_updates_openshift.sh +++ b/.ci/cico_updates_openshift.sh @@ -15,6 +15,7 @@ set -x export OPERATOR_REPO=$(dirname $(dirname $(readlink -f "$0"))); source "${OPERATOR_REPO}"/.github/bin/common.sh +source "${OPERATOR_REPO}"/.github/bin/oauth-provision.sh #Stop execution on any error trap "catchFinish" EXIT SIGINT @@ -22,10 +23,12 @@ trap "catchFinish" EXIT SIGINT runTests() { "${OPERATOR_REPO}"/olm/testUpdate.sh "openshift" "stable" ${NAMESPACE} waitEclipseCheDeployed ${LAST_PACKAGE_VERSION} + provisionOAuth startNewWorkspace waitWorkspaceStart } init +provisionOpenShiftOAuthUser initStableTemplates "openshift" "stable" runTests diff --git a/.ci/oci-nightly-olm.sh b/.ci/oci-nightly-olm.sh index 6c2b6e7d0b..e1a7e0c9d1 100755 --- a/.ci/oci-nightly-olm.sh +++ b/.ci/oci-nightly-olm.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright (c) 2012-2020 Red Hat, Inc. +# Copyright (c) 2012-2021 Red Hat, Inc. # This program and the accompanying materials are made # available under the terms of the Eclipse Public License 2.0 # which is available at https://www.eclipse.org/legal/epl-2.0/ @@ -22,6 +22,7 @@ set -u export OPERATOR_REPO=$(dirname $(dirname $(readlink -f "$0"))); source "${OPERATOR_REPO}"/.github/bin/common.sh +source "${OPERATOR_REPO}"/.github/bin/oauth-provision.sh #Stop execution on any error trap "catchFinish" EXIT SIGINT @@ -35,12 +36,14 @@ runTests() { # Deploy Eclipse Che applying CR applyOlmCR waitEclipseCheDeployed "nightly" + provisionOAuth startNewWorkspace waitWorkspaceStart } init overrideDefaults +provisionOpenShiftOAuthUser patchEclipseCheOperatorSubscription printOlmCheObjects runTests diff --git a/.ci/oci-single-host.sh b/.ci/oci-single-host.sh index ac5fa51c97..b32a27ccab 100755 --- a/.ci/oci-single-host.sh +++ b/.ci/oci-single-host.sh 
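Review bot: `provisionOAuth` is called inside runTests right after `waitEclipseCheDeployed ${LAST_PACKAGE_VERSION}`, but testUpdate.sh is invoked with `${NAMESPACE}` while provisionOAuth (in the new oauth-provision.sh) queries `-n eclipse-che` throughout; if NAMESPACE is ever anything else the OAuth linking fails after the update test itself has already passed. Either pass the namespace through or document the assumption at the call site: `provisionOAuth  # assumes NAMESPACE == eclipse-che (hard-coded in oauth-provision.sh)`. The same pair of calls is added to oci-nightly-olm.sh further along this line and to oci-single-host.sh on the next, so the note applies there too. Note also that sourcing oauth-provision.sh imports its top-level `set -e`, `set -o pipefail` and `set -u` into the calling script, which matters for cico_updates_openshift.sh where only `set -x` is visible in the hunk context.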
@@ -22,6 +22,7 @@ set -u export OPERATOR_REPO=$(dirname $(dirname $(readlink -f "$0"))); source "${OPERATOR_REPO}"/.github/bin/common.sh +source "${OPERATOR_REPO}"/.github/bin/oauth-provision.sh #Stop execution on any error trap "catchFinish" EXIT SIGINT @@ -36,12 +37,14 @@ runTests() { # Deploy Eclipse Che applying CR applyOlmCR waitEclipseCheDeployed "nightly" + provisionOAuth startNewWorkspace waitWorkspaceStart } init overrideDefaults +provisionOpenShiftOAuthUser patchEclipseCheOperatorSubscription printOlmCheObjects runTests diff --git a/.github/bin/common.sh b/.github/bin/common.sh index 5acf33812b..05faddff90 100755 --- a/.github/bin/common.sh +++ b/.github/bin/common.sh @@ -1,14 +1,12 @@ -#!/usr/bin/env bash +#!/bin/bash # -# Copyright (c) 2020 Red Hat, Inc. +# Copyright (c) 2012-2021 Red Hat, Inc. # This program and the accompanying materials are made # available under the terms of the Eclipse Public License 2.0 # which is available at https://www.eclipse.org/legal/epl-2.0/ # # SPDX-License-Identifier: EPL-2.0 # -# Contributors: -# Red Hat, Inc. - initial API and implementation set -e set -x @@ -35,7 +33,7 @@ init() { export OPERATOR_IMAGE="quay.io/eclipse/che-operator:test" export DEFAULT_DEVFILE="https://raw.githubusercontent.com/eclipse/che-devfile-registry/master/devfiles/quarkus/devfile.yaml" export CHE_EXPOSURE_STRATEGY="multi-host" - export OAUTH="false" + export OAUTH="true" export XDG_DATA_HOME=/tmp/xdg_data export XDG_CACHE_HOME=/tmp/xdg_cache 
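Review bot: Flipping the default to `export OAUTH="true"` in init() changes every script that sources common.sh, not only the three updated in this commit; any consumer that calls init but not the new provisionOpenShiftOAuthUser/provisionOAuth pair would now deploy with OpenShift OAuth enabled and no cluster user provisioned. A comment on the line would make the coupling explicit: `export OAUTH="true"  # requires provisionOpenShiftOAuthUser + provisionOAuth (oauth-provision.sh) in the calling script`. Whether such consumers exist is not visible in this diff. init() begins and ends outside the hunk.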
@@ -309,3 +307,20 @@ applyOlmCR() { echo -e "$CR" echo "$CR" | oc apply -n "${NAMESPACE}" -f - } + +# Create admin user inside of openshift cluster and login +function provisionOpenShiftOAuthUser() { + oc create secret generic htpass-secret --from-file=htpasswd="${OPERATOR_REPO}"/.github/bin/resources/users.htpasswd -n openshift-config + oc apply -f "${OPERATOR_REPO}"/.github/bin/resources/htpasswdProvider.yaml + oc adm policy add-cluster-role-to-user cluster-admin user + + echo -e "[INFO] Waiting for htpasswd auth to be working up to 5 minutes" + CURRENT_TIME=$(date +%s) + ENDTIME=$(($CURRENT_TIME + 300)) + while [ $(date +%s) -lt $ENDTIME ]; do + if oc login -u user -p user --insecure-skip-tls-verify=false; then + break + fi + sleep 10 + done +} diff --git a/.github/bin/oauth-provision.sh b/.github/bin/oauth-provision.sh new file mode 100644 index 0000000000..f72276a9f6 --- /dev/null +++ b/.github/bin/oauth-provision.sh 
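Review bot: The wait loop at the end of provisionOpenShiftOAuthUser never fails: if `oc login -u user -p user` has not succeeded within the 5-minute window the loop simply exits and the script carries on as whatever identity was logged in before, so later steps (and provisionOAuth's `oc get user user`) fail far from the cause. Add a check after the loop, e.g. `[[ "$(oc whoami)" == "user" ]] || { echo "[ERROR] htpasswd login did not become available within 5 minutes" >&2; exit 1; }`. `oc create secret generic htpass-secret` also aborts under `set -e` when the function is rerun against the same cluster, so consider `oc create ... --dry-run=client -o yaml | oc apply -f -` if reruns are expected. `oc adm policy add-cluster-role-to-user cluster-admin user` binds cluster-admin to an account whose password is committed in users.htpasswd; a header comment stating the intended scope would help, e.g. `# CI only: grants cluster-admin to the fixed htpasswd user; never run against a shared cluster`.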
@@ -0,0 +1,97 @@ +#!/bin/bash +# +# Copyright (c) 2012-2021 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# + +# exit immediately when a command fails +set -e +# only exit with zero if all commands of the pipeline exit successfully +set -o pipefail +# error on unset variables +set -u + +# Link ocp account with Keycloak IDP +function provisionOAuth() { + OCP_USER_UID=$(oc get user user -o=jsonpath='{.metadata.uid}') + + IDP_USERNAME="admin" + CHE_USERNAME="admin" + # Get Eclipse Che IDP secrets and decode to use to connect to IDP + IDP_PASSWORD=$(oc get secret che-identity-secret -n eclipse-che -o=jsonpath='{.data.password}' | base64 --decode) + + # Get Auth Route + if [[ "${CHE_EXPOSURE_STRATEGY}" == "single-host" ]]; then + IDP_HOST="https://"$(oc get route che -n eclipse-che -o=jsonpath='{.spec.host}') + fi + + if [[ "${CHE_EXPOSURE_STRATEGY}" == "multi-host" ]]; then + IDP_HOST="https://"$(oc get route keycloak -n eclipse-che -o=jsonpath='{.spec.host}') + fi + + # Get the oauth client from Eclipse Che Custom Resource + OAUTH_CLIENT_NAME=$(oc get checluster eclipse-che -n eclipse-che -o=jsonpath='{.spec.auth.oAuthClientName}') + + # Obtain from Keycloak the token to make api request authentication + IDP_TOKEN=$(curl -k --location --request POST ''$IDP_HOST'/auth/realms/master/protocol/openid-connect/token' \ + --header 'Content-Type: application/x-www-form-urlencoded' \ + --data-urlencode 'username='$IDP_USERNAME'' \ + --data-urlencode 'password='$IDP_PASSWORD'' \ + --data-urlencode 'grant_type=password' \ + --data-urlencode 'client_id=admin-cli' | jq -r .access_token) + + echo -e "[INFO] IDP Token: $IDP_TOKEN" + + # Get admin user id from IDP + CHE_USER_ID=$(curl --location -k --request GET ''$IDP_HOST'/auth/admin/realms/che/users' \ + --header 'Authorization: Bearer 
'$IDP_TOKEN'' | jq -r '.[] | select(.username == "'$CHE_USERNAME'").id' ) + + echo -e "[INFO] Eclipse CHE user ID: $CHE_USER_ID" + + # Request to link Openshift user with Identity Provider user. In this case we are linked an existed user in IDP + curl --location -k --request POST ''$IDP_HOST'/auth/admin/realms/che/users/'$CHE_USER_ID'/federated-identity/openshift-v4' \ + --header 'Authorization: Bearer '$IDP_TOKEN'' \ + --header 'Content-Type: application/json' \ + --data '{ + "identityProvider": "openshift-v4", + "userId": "'$OCP_USER_UID'", + "userName": "'$CHE_USERNAME'" + }' + +# Create OAuthClientAuthorization object for Eclipse Che in Cluster. +OAUTHCLIENTAuthorization=$( + oc create -f - -o jsonpath='{.metadata.name}' < path.sql +UPDATE federated_identity SET token ='{"access_token":"INSERT_TOKEN_HERE","expires_in":86400,"scope":"user:full","token_type":"Bearer"}' +WHERE federated_username = 'INSERT_CHE_USER_HERE' +EOF + + TOKEN=$(oc whoami -t) + sed -i "s|INSERT_TOKEN_HERE|$TOKEN|g" path.sql + sed -i "s|INSERT_CHE_USER_HERE|$CHE_USERNAME|g" path.sql + + # Insert sql script inside of postgres and execute it. + POSTGRES_POD=$(oc get pods -o json -n eclipse-che | jq -r '.items[] | select(.metadata.name | test("postgres-")).metadata.name') + oc cp path.sql "${POSTGRES_POD}":/tmp/ -n eclipse-che + oc exec -it "${POSTGRES_POD}" -n eclipse-che -- bash -c "psql -U postgres -d keycloak -d keycloak -f /tmp/path.sql" + + rm path.sql +} diff --git a/.github/bin/resources/htpasswdProvider.yaml b/.github/bin/resources/htpasswdProvider.yaml new file mode 100644 index 0000000000..6818e49b5b --- /dev/null +++ b/.github/bin/resources/htpasswdProvider.yaml @@ -0,0 +1,12 @@ +apiVersion: config.openshift.io/v1 +kind: OAuth +metadata: + name: cluster +spec: + identityProviders: + - name: htpasswd + mappingMethod: claim + type: HTPasswd + htpasswd: + fileData: + name: htpass-secret 
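Review bot: `echo -e "[INFO] IDP Token: $IDP_TOKEN"` writes a Keycloak master-realm admin bearer token into the CI log, and because the scripts that source this file run with `set -x`, the decoded `IDP_PASSWORD` assignment is traced into the same log; drop the echo (or print only that a token was obtained) and wrap the secret-handling lines in `set +x` / `set -x`. All Keycloak calls use `curl -k`, so the admin credentials and token travel over an unverified TLS connection even though `oc login` in common.sh explicitly keeps verification on; if the CI router certificate is self-signed, `--cacert` is the better fix. The SQL written to `path.sql` embeds the `oc whoami -t` session token in a predictable file in the working directory and is only removed on the success path — under `set -e` any earlier failure leaves it behind — so use `mktemp` with a cleanup trap, and prefer `jq --arg` over splicing `$CHE_USERNAME` into the filter. `psql -U postgres -d keycloak -d keycloak` repeats the `-d` flag. The heredoc that builds the file appears garbled in this rendering, so its quoting could not be checked.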
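Review bot: This manifest targets the cluster-singleton `OAuth/cluster` object, and the `oc apply` in provisionOpenShiftOAuthUser will, as far as I can tell (config.openshift.io resources are CRDs and so are patched by JSON merge), replace the whole `spec.identityProviders` list, removing any identity provider already configured on the target cluster. A header comment would make that explicit: `# CI only: replaces spec.identityProviders on OAuth/cluster with a single htpasswd IdP`.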
diff --git a/.github/bin/resources/users.htpasswd b/.github/bin/resources/users.htpasswd new file mode 100644 index 0000000000..ebec0fc0da --- /dev/null +++ b/.github/bin/resources/users.htpasswd @@ -0,0 +1 @@ +user:{SHA}Et6pb+wgWTVmq3VpLJlJWWgzrck=
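Review bot: The committed entry uses the legacy unsalted `{SHA}` htpasswd format, and the password it encodes has to match the `oc login -u user -p user` call in common.sh, where the same account is then granted cluster-admin. Since this is a fixed test credential the hash format adds little secrecy either way, but OpenShift's htpasswd provider accepts bcrypt, so regenerating the line with `htpasswd -B` removes the legacy format at no cost. The CI-only scope of this credential is best documented next to the code that applies it, since this file format has no room for a comment.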