Add oauth to tests

.ci/cico_updates_openshift.sh

@@ -15,17 +15,26 @@ set -x
 
 export OPERATOR_REPO=$(dirname $(dirname $(readlink -f "$0")));
 source "${OPERATOR_REPO}"/.github/bin/common.sh
+source "${OPERATOR_REPO}"/.github/bin/oauth-provision.sh
 
 #Stop execution on any error
 trap "catchFinish" EXIT SIGINT
 
+overrideDefaults() {
+  export OAUTH="true"
+}
+
 runTests() {
   "${OPERATOR_REPO}"/olm/testUpdate.sh "openshift" "stable" ${NAMESPACE}
   waitEclipseCheDeployed ${LAST_PACKAGE_VERSION}
+  oauthProvisioned
+  provisionPostgres
   startNewWorkspace
   waitWorkspaceStart
 }
 
 init
+overrideDefaults
+provisionOpenshiftUsers
 initStableTemplates "openshift" "stable"
 runTests

.ci/oci-nightly-olm.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright (c) 2012-2020 Red Hat, Inc.
+# Copyright (c) 2012-2021 Red Hat, Inc.
 # This program and the accompanying materials are made
 # available under the terms of the Eclipse Public License 2.0
 # which is available at https://www.eclipse.org/legal/epl-2.0/
@@ -22,24 +22,29 @@ set -u
 
 export OPERATOR_REPO=$(dirname $(dirname $(readlink -f "$0")));
 source "${OPERATOR_REPO}"/.github/bin/common.sh
+source "${OPERATOR_REPO}"/.github/bin/oauth-provision.sh
 
 #Stop execution on any error
 trap "catchFinish" EXIT SIGINT
 
 overrideDefaults() {
   # CI_CHE_OPERATOR_IMAGE it is che operator image builded in openshift CI job workflow. More info about how works image dependencies in ci:https://github.com/openshift/ci-tools/blob/master/TEMPLATES.md#parameters-available-to-templates
   export OPERATOR_IMAGE=${CI_CHE_OPERATOR_IMAGE:-"quay.io/eclipse/che-operator:nightly"}
+  export OAUTH="true"
 }
 
 runTests() {
     # Deploy Eclipse Che applying CR
     applyOlmCR
     waitEclipseCheDeployed "nightly"
+    oauthProvisioned
+    provisionPostgres
     startNewWorkspace
     waitWorkspaceStart
 }
 
 init
+provisionOpenshiftUsers
 overrideDefaults
 patchEclipseCheOperatorSubscription
 printOlmCheObjects

.ci/oci-single-host.sh

@@ -22,6 +22,7 @@ set -u
 
 export OPERATOR_REPO=$(dirname $(dirname $(readlink -f "$0")));
 source "${OPERATOR_REPO}"/.github/bin/common.sh
+source "${OPERATOR_REPO}"/.github/bin/oauth-provision.sh
 
 #Stop execution on any error
 trap "catchFinish" EXIT SIGINT
@@ -30,18 +31,22 @@ overrideDefaults() {
   # CI_CHE_OPERATOR_IMAGE it is che operator image builded in openshift CI job workflow. More info about how works image dependencies in ci:https://github.com/openshift/ci-tools/blob/master/TEMPLATES.md#parameters-available-to-templates
   export OPERATOR_IMAGE=${CI_CHE_OPERATOR_IMAGE:-"quay.io/eclipse/che-operator:nightly"}
   export CHE_EXPOSURE_STRATEGY="single-host"
+  export OAUTH="true"
 }
 
 runTests() {
     # Deploy Eclipse Che applying CR
     applyOlmCR
     waitEclipseCheDeployed "nightly"
+    oauthProvisioned
+    provisionPostgres
     startNewWorkspace
     waitWorkspaceStart
 }
 
 init
 overrideDefaults
+provisionOpenshiftUsers
 patchEclipseCheOperatorSubscription
 printOlmCheObjects
 runTests

.github/bin/common.sh

@@ -1,14 +1,12 @@
-#!/usr/bin/env bash
+#!/bin/bash
 #
-# Copyright (c) 2020 Red Hat, Inc.
+# Copyright (c) 2012-2021 Red Hat, Inc.
 # This program and the accompanying materials are made
 # available under the terms of the Eclipse Public License 2.0
 # which is available at https://www.eclipse.org/legal/epl-2.0/
 #
 # SPDX-License-Identifier: EPL-2.0
 #
-# Contributors:
-#   Red Hat, Inc. - initial API and implementation
 
 set -e
 set -x
@@ -309,3 +307,20 @@ applyOlmCR() {
   echo -e "$CR"
   echo "$CR" | oc apply -n "${NAMESPACE}" -f -
 }
+
+# Create admin user inside of openshift cluster and login
+function provisionOpenshiftUsers() {
+  oc create secret generic htpass-secret --from-file=htpasswd="${OPERATOR_REPO}"/.github/bin/resources/users.htpasswd -n openshift-config            
+  oc apply -f "${OPERATOR_REPO}"/.github/bin/resources/htpasswdProvider.yaml
+  oc adm policy add-cluster-role-to-user cluster-admin user
+
+  echo -e "[INFO] Waiting for htpasswd auth to be working up to 5 minutes"
+  CURRENT_TIME=$(date +%s)
+  ENDTIME=$(($CURRENT_TIME + 300))
+  while [ $(date +%s) -lt $ENDTIME ]; do
+      if oc login -u user -p user --insecure-skip-tls-verify=false; then
+          break
+      fi
+      sleep 10
+  done
+}

.github/bin/oauth-provision.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+#
+# Copyright (c) 2012-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+# exit immediately when a command fails
+set -e
+# only exit with zero if all commands of the pipeline exit successfully
+set -o pipefail
+# error on unset variables
+set -u
+
+export CHE_EXPOSURE_STRATEGY="single-host"
+
+# Link ocp account with Keycloak IDP
+function oauthProvisioned() {
+  OCP_USER_UID=$(oc get user user -o=jsonpath='{.metadata.uid}')
+
+  IDP_USER="admin"
+  IDP_PASSWORD=$(oc get secret che-identity-secret -n eclipse-che -o=jsonpath='{.data.password}' | base64 --decode)
+
+  if [[ "${CHE_EXPOSURE_STRATEGY}" == "single-host" ]]; then
+    IDP_HOST="https://"$(oc get route che -n eclipse-che -o=jsonpath='{.spec.host}')
+  fi
+
+  if [[ "${CHE_EXPOSURE_STRATEGY}" == "multi-host" ]]; then
+    IDP_HOST="https://"$(oc get route keycloak -n eclipse-che -o=jsonpath='{.spec.host}')
+  fi
+
+  OAUTH_CLIENT_NAME=$(oc get checluster eclipse-che -n eclipse-che -o=jsonpath='{.spec.auth.oAuthClientName}')
+
+  TOKEN_RESULT=$(curl -k --location --request POST ''$IDP_HOST'/auth/realms/master/protocol/openid-connect/token' \
+  --header 'Content-Type: application/x-www-form-urlencoded' \
+  --data-urlencode 'username=admin' \
+  --data-urlencode 'password='$IDP_PASSWORD'' \
+  --data-urlencode 'grant_type=password' \
+  --data-urlencode 'client_id=admin-cli' | jq -r .access_token)
+
+  echo -e "[INFO] Token: $TOKEN_RESULT"
+
+  USER_ID=$(curl --location -k --request GET ''$IDP_HOST'/auth/admin/realms/che/users' \
+  --header 'Authorization: Bearer '$TOKEN_RESULT'' | jq -r '.[] | select(.username == "admin").id' )
+
+  echo -e "[INFO] user id: $USER_ID"
+
+  curl --location -k --request POST ''$IDP_HOST'/auth/admin/realms/che/users/'$USER_ID'/federated-identity/openshift-v4' \
+  --header 'Authorization: Bearer '$TOKEN_RESULT'' \
+  --header 'Content-Type: application/json' \
+  --data '{
+      "identityProvider": "openshift-v4",
+      "userId": "'$OCP_USER_UID'",
+      "userName": "admin"
+  }'
+
+OAUTHCLIENTAuthorization=$(
+    oc create -f - -o jsonpath='{.metadata.name}' <<EOF
+apiVersion: oauth.openshift.io/v1
+kind: OAuthClientAuthorization
+metadata:
+  generateName: $IDP_USER:$OAUTH_CLIENT_NAME
+  namespace: eclipse-che
+clientName: $OAUTH_CLIENT_NAME
+userName: $IDP_USER
+userUID: $OCP_USER_UID
+scopes:
+  - 'user:full'
+EOF
+)
+
+  echo -e "Created authorization client: $OAUTHCLIENTAuthorization"
+}
+
+# Insert in Keycloak Database openshift token after linking ocp user with IDP user
+function provisionPostgres() {
+  cat << 'EOF' > path.sql
+UPDATE federated_identity SET token ='{"access_token":"INSERT_TOKEN_HERE","expires_in":86400,"scope":"user:full","token_type":"Bearer"}'
+WHERE federated_username = 'admin'
+EOF
+
+  TOKEN=$(oc whoami -t)
+  sed -i "s|INSERT_TOKEN_HERE|$TOKEN|g" path.sql
+
+  POSTGRES_POD=$(oc get pods -o json -n eclipse-che | jq -r '.items[] | select(.metadata.name | test("postgres-")).metadata.name')
+
+  oc cp path.sql "${POSTGRES_POD}":/tmp/ -n eclipse-che
+  oc exec -it "${POSTGRES_POD}" -n eclipse-che  -- bash -c "psql -U postgres -d keycloak -d keycloak -f /tmp/path.sql"
+
+  rm path.sql
+}

.github/bin/resources/htpasswdProvider.yaml

@@ -0,0 +1,12 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+  name: cluster
+spec:
+  identityProviders:
+  - name: htpasswd
+    mappingMethod: claim 
+    type: HTPasswd
+    htpasswd:
+      fileData:
+        name: htpass-secret

.github/bin/resources/users.htpasswd

@@ -0,0 +1 @@
+user:{SHA}Et6pb+wgWTVmq3VpLJlJWWgzrck=