Add GitHub CI workflow for kerberos. Refs #17

- verifies curl, inside the test environment, supports kerberos - verifies web login with kerberos
kiwitcms · Mar 20, 2020 · 229cbc7 · 229cbc7
1 parent 0056800
commit 229cbc7
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 0 deletions.
diff --git a/.github/workflows/kerberos.yml b/.github/workflows/kerberos.yml
@@ -0,0 +1,53 @@
+name: kerberos
+
+# NOTE: Restricting branches prevents jobs from being doubled since
+# a push to a pull request triggers two events.
+on:
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - "*"
+
+jobs:
+  test:
+    name: tcms-api on Linux
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v2
+
+    - name: Verify curl with Kerberos
+      run: |
+        make verify-curl-with-kerberos
+        klist
+
+    - name: Build & start services
+      run: |
+        make build-services
+        make run-services
+
+    - name: Install & configure Kerberos client
+      run: |
+        KRB5_ADDR=`docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' krb5_kiwitcms_org`
+
+        sudo apt-get -y install krb5-user
+        sudo cp ./tests/krb5/krb5.conf /etc/
+        sudo sed -i "s/localhost\./$KRB5_ADDR/" /etc/krb5.conf
+
+        # this directory is missing and krb5.conf wants to include it
+        sudo mkdir /etc/krb5.conf.d/
+
+        WEB_ADDR=`docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' web_kiwitcms_org`
+        sudo sh -c "echo '$WEB_ADDR    web.kiwitcms.org' >> /etc/hosts"
+
+    - name: Obtain valid Kerberos ticket
+      run: |
+        echo changeme | kinit travis@KIWITCMS.ORG
+        klist
+
+    - name: Verify web login with Kerberos
+      run: |
+        make verify-web-login
+        klist
diff --git a/Makefile b/Makefile
@@ -30,3 +30,23 @@ run-services:
 	docker cp ./application.keytab web_kiwitcms_org:/Kiwi/application.keytab
 	rm ./application.keytab
 	docker exec -u 0 -i web_kiwitcms_org /bin/bash -c 'chown 1001:root /Kiwi/application.keytab'
+
+.PHONY: verify-curl-with-kerberos
+verify-curl-with-kerberos:
+	# make sure curl supports Negotiate authentication
+	curl -V | egrep -i "GSS-Negotiate|GSS-API|Kerberos
+
+.PHONY: verify-web-login
+verify-web-login: verify-curl-with-kerberos
+	# grab the page
+	curl -k -L -o /tmp/curl.log --negotiate -u: \
+	     -b /tmp/cookie.jar -c /tmp/cookie.jar \
+	    https://web.kiwitcms.org:8443/login/kerberos/
+
+	# verify user has been logged in
+	cat /tmp/curl.log | grep 'Kiwi TCMS - Dashboard'
+	cat /tmp/curl.log | grep 'Test executions'
+	cat /tmp/curl.log | grep 'Your Test plans'
+
+	# verify username is 'travis', e.g. taken from 'travis@KIWITCMS.ORG' principal
+	cat /tmp/curl.log | grep '<a href="/accounts/travis/profile/" target="_parent">My profile</a>'