diff --git a/.gitignore b/.gitignore
index c94d426..8c8e78b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ node_modules/
 /playwright/.auth/
 .vscode
 .env
+*.keytab
diff --git a/docker/.dockerignore b/docker/.dockerignore
new file mode 100644
index 0000000..6b7dd3d
--- /dev/null
+++ b/docker/.dockerignore
@@ -0,0 +1,12 @@
+.gitignore
+*.md
+.git
+.vscode
+.github
+.husky
+test-results
+playwright-report
+user.json
+Dockerfile
+node_modules
+.env
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..ddde297
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,48 @@
+FROM registry.redhat.io/ubi9/ubi:9.5 as base
+
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
+ENV RH_CERT_URL="https://certs.corp.redhat.com"
+ENV KRB5CCNAME=/tmp/cache
+
+COPY docker/krb5.conf /etc/krb5.conf
+COPY docker/krb5.conf.d /etc/krb5.conf.d
+COPY docker/krb5.keytab /krb5/krb5.keytab
+COPY docker/install-certs.sh /install-certs.sh
+COPY docker/auth.sh /auth.sh
+
+RUN ./install-certs.sh $RH_CERT_URL \
+ && yum update -y \
+ && yum install -y wget git krb5-workstation \
+ # Playwright dependencies
+ libxcb libXdamage libXcursor libXext libXcomposite libXrandr \
+ libXi pango cairo cairo-gobject libXrender gtk3 atk gdk-pixbuf2 \
+ # NodeJS
+ && yum module install -y nodejs:20/common \
+ && yum clean all \
+ && npm install -g yarn \
+ && chmod 755 /krb5 \
+ && mkdir -p /var/lib/sss/pubconf/krb5.include.d \
+ && chmod 755 /etc/krb5.conf.d \
+ && chown -R 1001:0 /etc/krb5.conf.d \
+ && chown 1001:0 /etc/krb5.conf \
+ && chown -R 1001:0 /krb5
+
+FROM base as build
+
+WORKDIR /app
+ENV PLAYWRIGHT_BROWSERS_PATH=0
+
+COPY --chown=1001 package.json /app/package.json
+COPY --chown=1001 yarn.lock /app/yarn.lock
+COPY --chown=1001 playwright.config.ts /app/playwright.config.ts
+COPY --chown=1001 tsconfig.json /app/tsconfig.json
+
+RUN yarn install --frozen-lockfile \
+ && yarn playwright install chromium firefox
+
+COPY --chown=1001 . /app
+
+USER 1001
+
+CMD ["/bin/sh"]
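Review bot: `COPY docker/krb5.keytab /krb5/krb5.keytab` stores a long-lived Kerberos key in an image layer, and the later `chown -R 1001:0 /krb5` makes it readable by the runtime user, so anyone who can pull or export the image can authenticate as that principal. Because the build context is the repository root and `docker/.dockerignore` has no entry covering `docker/`, `COPY --chown=1001 . /app` appears to place a second copy under `/app/docker/`. Supply the keytab at run time instead: drop the COPY line and document `podman run -v ./docker/krb5.keytab:/krb5/krb5.keytab:ro ...` (or a podman secret) in the README, after which `*.keytab` can be added to `.dockerignore`. If an image containing the key has already been pushed to a registry, rotate the key.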
diff --git a/docker/README.md b/docker/README.md
new file mode 100644
index 0000000..ed7e2f3
--- /dev/null
+++ b/docker/README.md
@@ -0,0 +1,60 @@
+# OSIM UI + Kerberos Tests Container
+
+This is the container that is used to run the tests on the CI/CD pipeline. It is based on redhat's ubi9 image and has the necessary dependencies to run the tests.
+
+## Building the container
+Before building the container, you need to prepare some files.
+
+1. Create a `krb5.keytab` file in the `docker` directory. This file is used to authenticate with kerberos.
+```bash
+$ ktutil
+ktutil: addent -password -p -k 1 -e aes256-cts-hmac-sha1-96 -f
+ktutil: wkt krb5.keytab
+ktutil: quit
+```
+2. Create a `crypto-policies` file in the `krb5.conf.d` directory. You should have this file in `/etc/krb5.conf.d/` on your machine.
+
+3. Provide the correct realm configuration in a file inside the `krb5.conf.d` directory. You should have this file in `/etc/krb5.conf` on your machine.
+
+
+That should look like this:
+```
+|-- docker
+| |-- krb5.conf.d
+| | |-- crypto-policies
+| | |-- realm
+| |-- krb5.keytab
+|-- Dockerfile
+|-- # Other files
+```
+
+After preparing the files, you can build the container using the following command:
+
+> [!IMPORTANT]
+> Make sure to run the command from the root of the project.
+> (outside of the docker folder)
+
+```bash
+podman build -t osim-ui-tests -f docker/Dockerfile --ignorefile docker/.dockerignore .
+```
+
+## Running the container
+Make sure to provide the required [environment variables](/README.md#required-environment-variables) when running the container:
+
+```bash
+podman run --rm -it --env-file .env osim-ui-tests
+```
+
+## Running the tests
+
+You need to authenticate with kerberos before running the tests. You can do this by running the script **inside the container**:
+
+```bash
+sh /auth.sh
+```
+
+After authenticating, you can run the tests using the following command:
+
+```bash
+yarn test
+```
diff --git a/docker/auth.sh b/docker/auth.sh
new file mode 100755
index 0000000..b1ddf00
--- /dev/null
+++ b/docker/auth.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+principal="$( klist -kt /krb5/krb5.keytab | grep -Eo -m1 '\w+@[A-Z.]+' )"
+
+kinit -k -t /krb5/krb5.keytab $principal
+klist -c /tmp/cache
diff --git a/docker/install-certs.sh b/docker/install-certs.sh
new file mode 100755
index 0000000..5528c1d
--- /dev/null
+++ b/docker/install-certs.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [[ -z "${1}" ]]; then
+ echo -e "\e[1;33mWARNING: RH_CERT_URL environment variable not set, internal RH resources won't be accessible\e[0m"
+else
+ curl "${1}/certs/Current-IT-Root-CAs.pem" -o /etc/pki/ca-trust/source/anchors/Current-IT-Root-CAs.pem
+ mkdir -p /etc/ipa
+ curl "${1}/chains/ipa-ca-chain-2015.crt" -o /etc/ipa/ipa.crt
+ update-ca-trust
+fi
diff --git a/docker/krb5.conf b/docker/krb5.conf
new file mode 100644
index 0000000..0a89a28
--- /dev/null
+++ b/docker/krb5.conf
@@ -0,0 +1,31 @@
+# To opt out of the system crypto-policies configuration of krb5, remove the
+# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
+includedir /etc/krb5.conf.d/
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+ spake_preauth_groups = edwards25519
+ dns_canonicalize_hostname = fallback
+ qualify_shortname = ""
+# default_realm = EXAMPLE.COM
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+[realms]
+# EXAMPLE.COM = {
+# kdc = kerberos.example.com
+# admin_server = kerberos.example.com
+# }
+
+[domain_realm]
+# .example.com = EXAMPLE.COM
+# example.com = EXAMPLE.COM
diff --git a/docker/krb5.conf.d/.gitignore b/docker/krb5.conf.d/.gitignore
new file mode 100644
index 0000000..d6b7ef3
--- /dev/null
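Review bot: `kinit -k -t /krb5/krb5.keytab $principal` runs even when the `grep` extracts nothing, and `$principal` is unquoted. The pattern `\w+@[A-Z.]+` also truncates or misses any principal whose name contains `/` or `-`, or whose realm contains digits, so a wrong or empty value is a realistic case rather than a corner case. Fail early and quote the value: `[ -n "$principal" ] || { echo "no principal found in keytab" >&2; exit 1; }` followed by `kinit -k -t /krb5/krb5.keytab "$principal"`.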
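Review bot: Both `curl` calls in the `else` branch write directly into the system trust locations with no `-f` and no integrity check, and the script has no `set -e`, so a failed or altered download is not detected before `update-ca-trust` runs. Use `curl -fsSL` and verify each file against a pinned digest first, e.g. `echo "<EXPECTED_SHA256>  /etc/pki/ca-trust/source/anchors/Current-IT-Root-CAs.pem" | sha256sum -c -`, exiting non-zero on mismatch so the image build stops. The shebang is `#!/bin/sh` while `[[ ... ]]` and `echo -e` are bash features; `#!/bin/bash` states the real requirement.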
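Review bot: `default_ccache_name = KEYRING:persistent:%{uid}` has no effect in this image, because the Dockerfile added in this commit sets `KRB5CCNAME=/tmp/cache` and the environment variable takes precedence; the ticket cache is therefore a file at a fixed path under `/tmp`. Make the config agree with what actually happens, e.g. `default_ccache_name = FILE:/tmp/cache`, with a comment saying the keyring cache type is not relied on inside the container. `forwardable = true` also makes every ticket the test user obtains delegable; unless the tests need delegation, `forwardable = false` is the narrower default.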
+++ b/docker/krb5.conf.d/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore