Disable token authentication for the S3 runner

This change might help us identify errors in scenarios where the
token authentication is disabled (e.g., Katello installations).

closes #1607

.github/workflows/scripts/install.sh

@@ -95,7 +95,7 @@ if [ "$TEST" = "s3" ]; then
   sed -i -e '$a s3_test: true\
 minio_access_key: "'$MINIO_ACCESS_KEY'"\
 minio_secret_key: "'$MINIO_SECRET_KEY'"\
-pulp_scenario_settings: {"flatpak_index": false}\
+pulp_scenario_settings: {"flatpak_index": false, "token_auth_disabled": true}\
 pulp_scenario_env: {}\
 ' vars/main.yaml
   export PULP_API_ROOT="/rerouted/djnd/"

CHANGES/1607.misc

@@ -0,0 +1 @@
+Disabled token authentication for the S3 test runner.

pulp_container/app/settings.py

@@ -3,6 +3,7 @@
     "reusable_conditions": ["pulp_container.app.global_access_conditions"],
 }
 
+TOKEN_AUTH_DISABLED = False
 FLATPAK_INDEX = False
 
 # The number of allowed threads to sign manifests in parallel

pulp_container/tests/functional/api/test_push_content.py

@@ -5,6 +5,8 @@
 import requests
 import unittest
 
+from django.conf import settings
+
 from subprocess import CalledProcessError
 from urllib.parse import urlparse, urljoin
 
@@ -71,7 +73,6 @@ def test_push_without_login(
 def test_push_with_dist_perms(
     add_to_cleanup,
     gen_user,
-    anonymous_user,
     registry_client,
     local_registry,
     container_push_repository_api,
@@ -83,6 +84,9 @@ def test_push_with_dist_perms(
 
     It also checks read abilities for users with different set of permissions.
     """
+    if settings.TOKEN_AUTH_DISABLED:
+        pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
     user_creator = gen_user(model_roles=["container.containernamespace_creator"])
     user_dist_collaborator = gen_user()
     user_dist_consumer = gen_user()
@@ -164,12 +168,12 @@ def test_push_with_no_perms(
     gen_user,
     registry_client,
     local_registry,
+    container_distribution_api,
     container_namespace_api,
 ):
     """
     Test that user with no permissions can't perform push.
     """
-    user_creator = gen_user(model_roles=["container.containernamespace_creator"])
     user_helpless = gen_user()
     repo_name = "unsuccessful/perms"
     local_url = f"{repo_name}:2.0"
@@ -178,16 +182,35 @@ def test_push_with_no_perms(
     with user_helpless, pytest.raises(CalledProcessError):
         local_registry.tag_and_push(image_path, local_url)
 
-    # test a user can still pull
-    with user_creator:
+    # test if the helpless user can still pull
+    if settings.TOKEN_AUTH_DISABLED:
+        # push by using the admin user
         local_registry.tag_and_push(image_path, local_url)
         namespace = container_namespace_api.list(name="unsuccessful").results[0]
         add_to_cleanup(container_namespace_api, namespace.pulp_href)
 
-    with user_helpless:
-        with pytest.raises(CalledProcessError):
+        with user_helpless:
+            with pytest.raises(CalledProcessError):
+                local_registry.tag_and_push(image_path, local_url)
+            local_registry.pull(local_url)
+
+        # flagging the repository as "private" does not have an effect on pulling
+        distribution = container_distribution_api.list(name=repo_name).results[0]
+        container_distribution_api.partial_update(distribution.pulp_href, {"private": True})
+        with user_helpless:
+            local_registry.pull(local_url)
+    else:
+        # push by using the creator user
+        user_creator = gen_user(model_roles=["container.containernamespace_creator"])
+        with user_creator:
             local_registry.tag_and_push(image_path, local_url)
-        local_registry.pull(local_url)
+            namespace = container_namespace_api.list(name="unsuccessful").results[0]
+            add_to_cleanup(container_namespace_api, namespace.pulp_href)
+
+        with user_helpless:
+            with pytest.raises(CalledProcessError):
+                local_registry.tag_and_push(image_path, local_url)
+            local_registry.pull(local_url)
 
 
 def test_push_to_existing_namespace(
@@ -206,6 +229,9 @@ def test_push_to_existing_namespace(
     Container distribution perms should be enough to push to the existing
     distribution.
     """
+    if settings.TOKEN_AUTH_DISABLED:
+        pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
     user_creator = gen_user(model_roles=["container.containernamespace_creator"])
     user_dist_collaborator = gen_user()
     user_namespace_collaborator = gen_user()
@@ -273,6 +299,9 @@ def test_push_private_repository(
     Test that the same user can pull, but another cannot.
     Test that the other user can pull after marking it non-private.
     """
+    if settings.TOKEN_AUTH_DISABLED:
+        pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
     user_creator = gen_user(model_roles=["container.containernamespace_creator"])
     user_dist_consumer = gen_user()
     user_helpless = gen_user()
@@ -326,6 +355,9 @@ def test_push_matching_username(
     """
     Test that you can push to a nonexisting namespace that matches your username.
     """
+    if settings.TOKEN_AUTH_DISABLED:
+        pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
     user_helpless = gen_user()
     namespace_name = user_helpless.username
     repo_name = f"{namespace_name}/matching"

pulp_container/tests/functional/api/test_rbac_push_repositories.py

@@ -2,6 +2,8 @@
 
 import pytest
 
+from django.conf import settings
+
 from pulp_smash import utils
 from pulp_smash.pulp3.bindings import monitor_task
 
@@ -19,6 +21,8 @@ def test_rbac_push_repository(
     container_push_repository_api,
 ):
     """Verify RBAC for a ContainerPushRepository."""
+    if settings.TOKEN_AUTH_DISABLED:
+        pytest.skip("RBAC cannot be tested when token authentication is disabled")
 
     namespace_name = utils.uuid4()
     repo_name = f"{namespace_name}/perms"

pulp_container/tests/functional/api/test_rbac_remotes.py

@@ -3,6 +3,8 @@
 from random import choice
 import pytest
 
+from django.conf import settings
+
 from pulp_smash import utils
 from pulp_smash.pulp3.bindings import monitor_task
 from pulp_smash.pulp3.constants import ON_DEMAND_DOWNLOAD_POLICIES
@@ -15,6 +17,8 @@
 @pytest.mark.parallel
 def test_rbac_remotes(gen_user, container_remote_api):
     """RBAC remotes."""
+    if settings.TOKEN_AUTH_DISABLED:
+        pytest.skip("RBAC cannot be tested when token authentication is disabled")
 
     # Setup
     user1 = gen_user(model_roles=["container.containerremote_creator"])

pulp_container/tests/functional/api/test_rbac_repo_content.py

@@ -2,6 +2,8 @@
 
 import pytest
 
+from django.conf import settings
+
 from pulp_smash.pulp3.bindings import monitor_task
 from pulp_smash.pulp3.utils import gen_repo
 
@@ -33,6 +35,8 @@ def test_rbac_repository_content(
     container_tag_api,
 ):
     """Assert that certain users can list and read content."""
+    if settings.TOKEN_AUTH_DISABLED:
+        pytest.skip("RBAC cannot be tested when token authentication is disabled")
 
     user_creator = gen_user(
         model_roles=[

pulp_container/tests/functional/api/test_rbac_repo_versions.py

@@ -2,6 +2,8 @@
 
 import pytest
 
+from django.conf import settings
+
 from pulp_smash import utils
 from pulp_smash.pulp3.bindings import monitor_task
 from pulp_smash.pulp3.utils import gen_repo
@@ -28,6 +30,9 @@ def test_rbac_repository_version(
     container_manifest_api,
 ):
     """Verify RBAC for a ContainerRepositoryVersion."""
+    if settings.TOKEN_AUTH_DISABLED:
+        pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
     user_creator = gen_user(
         model_roles=[
             "container.containerrepository_creator",
@@ -135,6 +140,9 @@ def test_rbac_push_repository_version(
     container_push_repository_version_api,
 ):
     """Verify RBAC for a ContainerPushRepositoryVersion."""
+    if settings.TOKEN_AUTH_DISABLED:
+        pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
     try:
         # Remove namespace to start out clean
         namespace = container_namespace_api.list(name="test_push_repo").results[0]
@@ -191,7 +199,6 @@ def test_rbac_push_repository_version(
 def test_cross_repository_blob_mount(
     add_to_cleanup,
     gen_user,
-    pulp_cfg,
     registry_client,
     local_registry,
     mount_blob,

pulp_container/tests/functional/api/test_rbac_sync_repositories.py

@@ -2,6 +2,8 @@
 
 import pytest
 
+from django.conf import settings
+
 from pulp_smash import utils
 from pulp_smash.pulp3.bindings import monitor_task
 
@@ -11,6 +13,8 @@
 @pytest.mark.parallel
 def test_rbac_sync_repositories(gen_user, container_repository_api):
     """RBAC sync repositories."""
+    if settings.TOKEN_AUTH_DISABLED:
+        pytest.skip("RBAC cannot be tested when token authentication is disabled")
 
     user1 = gen_user(model_roles=["container.containerrepository_creator"])
     user2 = gen_user(model_roles=["container.containerrepository_viewer"])

pulp_container/tests/functional/api/test_repositories_list.py

@@ -5,7 +5,7 @@
 from urllib.parse import urljoin
 import requests
 
-from pulp_smash import api, config
+from pulp_smash import api, cli, config, utils
 from pulp_smash.pulp3.bindings import delete_orphans, monitor_task
 from pulp_smash.pulp3.utils import gen_distribution, gen_repo
 
@@ -31,6 +31,9 @@
     RemotesContainerApi,
 )
 
+cli_client = cli.Client(config.get_config())
+TOKEN_AUTH_DISABLED = utils.get_pulp_setting(cli_client, "TOKEN_AUTH_DISABLED")
+
 
 class RepositoriesList:
     """Base class used for initializing and listing repositories."""
@@ -59,9 +62,14 @@ def setUpClass(cls):
     def get_listed_repositories(self, auth=None):
         """Fetch repositories from the catalog endpoint."""
         repositories_list_endpoint = urljoin(self.cfg.get_base_url(), "/v2/_catalog")
+        response = requests.get(repositories_list_endpoint)
+
+        if TOKEN_AUTH_DISABLED:
+            return response
 
         with self.assertRaises(requests.HTTPError) as cm:
-            requests.get(repositories_list_endpoint).raise_for_status()
+            response.raise_for_status()
+
         content_response = cm.exception.response
         authenticate_header = content_response.headers["Www-Authenticate"]
 
@@ -186,6 +194,7 @@ def test_none_user(self):
         repositories = self.get_listed_repositories(auth)
         self.assertEqual(repositories.json(), {"repositories": [self.distribution3.base_path]})
 
+    @unittest.skipIf(TOKEN_AUTH_DISABLED, "Token authentication is not enabled")
     def test_all_user(self):
         """Check if the user can see all repositories."""
         auth = (self.user_all["username"], self.user_all["password"])
@@ -199,6 +208,7 @@ def test_all_user(self):
         )
         self.assertEqual(repositories.json(), {"repositories": repositories_names})
 
+    @unittest.skipIf(TOKEN_AUTH_DISABLED, "Token authentication is not enabled")
     def test_only_dist1_user(self):
         """Check if the user can see all public repositories, but not all private repositories."""
         auth = (self.user_only_dist1["username"], self.user_only_dist1["password"])

template_config.yml

@@ -64,6 +64,7 @@ pulp_settings_azure:
 pulp_settings_gcp: null
 pulp_settings_s3:
   flatpak_index: false
+  token_auth_disabled: true
 pydocstyle: true
 release_email: [email protected]
 release_user: pulpbot