diff --git a/.github/workflows/scripts/install.sh b/.github/workflows/scripts/install.sh
index db4367bb6..eed9d5fea 100755
--- a/.github/workflows/scripts/install.sh
+++ b/.github/workflows/scripts/install.sh
@@ -95,7 +95,7 @@ if [ "$TEST" = "s3" ]; then
 sed -i -e '$a s3_test: true\
 minio_access_key: "'$MINIO_ACCESS_KEY'"\
 minio_secret_key: "'$MINIO_SECRET_KEY'"\
-pulp_scenario_settings: {"flatpak_index": false}\
+pulp_scenario_settings: {"flatpak_index": false, "token_auth_disabled": true}\
 pulp_scenario_env: {}\
 ' vars/main.yaml
 export PULP_API_ROOT="/rerouted/djnd/"
diff --git a/CHANGES/1607.misc b/CHANGES/1607.misc
new file mode 100644
index 000000000..951ddbc4b
--- /dev/null
+++ b/CHANGES/1607.misc
@@ -0,0 +1 @@
+Disabled token authentication for the S3 test runner.
diff --git a/pulp_container/app/settings.py b/pulp_container/app/settings.py
index 48e745184..02d552c93 100644
--- a/pulp_container/app/settings.py
+++ b/pulp_container/app/settings.py
@@ -3,6 +3,7 @@
 "reusable_conditions": ["pulp_container.app.global_access_conditions"],
 }
+TOKEN_AUTH_DISABLED = False
 FLATPAK_INDEX = False
 # The number of allowed threads to sign manifests in parallel
diff --git a/pulp_container/tests/functional/api/test_push_content.py b/pulp_container/tests/functional/api/test_push_content.py
index 6be3c8681..3c761035d 100644
--- a/pulp_container/tests/functional/api/test_push_content.py
+++ b/pulp_container/tests/functional/api/test_push_content.py
@@ -5,6 +5,8 @@
 import requests
 import unittest
+from django.conf import settings
+
 from subprocess import CalledProcessError
 from urllib.parse import urlparse, urljoin
@@ -71,7 +73,6 @@ def test_push_without_login(
 def test_push_with_dist_perms(
 add_to_cleanup,
 gen_user,
- anonymous_user,
 registry_client,
 local_registry,
 container_push_repository_api,
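Review bot: `TOKEN_AUTH_DISABLED = False` in pulp_container/app/settings.py is added without any comment, although it switches off an access control. The tests changed in this same commit show the effect: with the flag on, the RBAC tests are skipped and a repository flagged `private` can still be pulled by a user with no permissions. I would document that next to the default, e.g. `# If True, token authentication is disabled for the registry; the "private" flag then has no effect on pulls.` Keeping the default at `False` is the right choice; only part of the settings module is visible in the hunk.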
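Review bot: The `from django.conf import settings` import added to test_push_content.py makes the skip guards read the flag from the test process, while test_repositories_list.py in this commit asks the server through `utils.get_pulp_setting(cli_client, "TOKEN_AUTH_DISABLED")`. If the functional tests ever run with settings that differ from the server under test, the guards evaluate the wrong value: the RBAC tests would either be skipped against a server that does enforce token authentication, or run against one that does not. Using a single lookup in all modules, preferably the server-side one, avoids that. The same import is added to the test_rbac_* modules further down.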
@@ -83,6 +84,9 @@ def test_push_with_dist_perms(
 It also checks read abilities for users with different set of permissions.
 """
+ if settings.TOKEN_AUTH_DISABLED:
+ pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
 user_creator = gen_user(model_roles=["container.containernamespace_creator"])
 user_dist_collaborator = gen_user()
 user_dist_consumer = gen_user()
@@ -164,12 +168,12 @@ def test_push_with_no_perms(
 gen_user,
 registry_client,
 local_registry,
+ container_distribution_api,
 container_namespace_api,
 ):
 """
 Test that user with no permissions can't perform push.
 """
- user_creator = gen_user(model_roles=["container.containernamespace_creator"])
 user_helpless = gen_user()
 repo_name = "unsuccessful/perms"
 local_url = f"{repo_name}:2.0"
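Review bot: The two-line guard added at the top of test_push_with_dist_perms is repeated verbatim in test_push_to_existing_namespace, test_push_private_repository, test_push_matching_username and in each test_rbac_* module touched by this commit. A single shared marker would keep the condition and the reason string in one place, for example `requires_token_auth = pytest.mark.skipif(settings.TOKEN_AUTH_DISABLED, reason="RBAC cannot be tested when token authentication is disabled")` applied as a decorator. It also makes it easier to see in a test report which access-control tests did not run in the S3 scenario. The function body continues outside the hunk.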
@@ -178,16 +182,35 @@ def test_push_with_no_perms(
 with user_helpless, pytest.raises(CalledProcessError):
 local_registry.tag_and_push(image_path, local_url)
- # test a user can still pull
- with user_creator:
+ # test if the helpless user can still pull
+ if settings.TOKEN_AUTH_DISABLED:
+ # push by using the admin user
 local_registry.tag_and_push(image_path, local_url)
 namespace = container_namespace_api.list(name="unsuccessful").results[0]
 add_to_cleanup(container_namespace_api, namespace.pulp_href)
- with user_helpless:
- with pytest.raises(CalledProcessError):
+ with user_helpless:
+ with pytest.raises(CalledProcessError):
+ local_registry.tag_and_push(image_path, local_url)
+ local_registry.pull(local_url)
+
+ # flagging the repository as "private" does not have an effect on pulling
+ distribution = container_distribution_api.list(name=repo_name).results[0]
+ container_distribution_api.partial_update(distribution.pulp_href, {"private": True})
+ with user_helpless:
+ local_registry.pull(local_url)
+ else:
+ # push by using the creator user
+ user_creator = gen_user(model_roles=["container.containernamespace_creator"])
+ with user_creator:
 local_registry.tag_and_push(image_path, local_url)
- local_registry.pull(local_url)
+ namespace = container_namespace_api.list(name="unsuccessful").results[0]
+ add_to_cleanup(container_namespace_api, namespace.pulp_href)
+
+ with user_helpless:
+ with pytest.raises(CalledProcessError):
+ local_registry.tag_and_push(image_path, local_url)
+ local_registry.pull(local_url)
 def test_push_to_existing_namespace(
@@ -206,6 +229,9 @@ def test_push_to_existing_namespace(
 Container distribution perms should be enough to push to the existing distribution.
 """
+ if settings.TOKEN_AUTH_DISABLED:
+ pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
 user_creator = gen_user(model_roles=["container.containernamespace_creator"])
 user_dist_collaborator = gen_user()
 user_namespace_collaborator = gen_user()
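Review bot: In the `TOKEN_AUTH_DISABLED` branch of test_push_with_no_perms, the result of `container_distribution_api.partial_update(distribution.pulp_href, {"private": True})` is discarded and the pull follows immediately. If that update is applied asynchronously (the test_rbac_* modules import `monitor_task` for such responses), the pull may run before the flag is set, and the check that `private` has no effect on pulling would pass without testing anything. I would wait for the update and confirm the state first, e.g. `monitor_task(container_distribution_api.partial_update(distribution.pulp_href, {"private": True}).task)` followed by `assert container_distribution_api.read(distribution.pulp_href).private`, assuming `monitor_task` is available in this module. The test body starts above the hunk.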
@@ -273,6 +299,9 @@ def test_push_private_repository(
 Test that the same user can pull, but another cannot.
 Test that the other user can pull after marking it non-private.
 """
+ if settings.TOKEN_AUTH_DISABLED:
+ pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
 user_creator = gen_user(model_roles=["container.containernamespace_creator"])
 user_dist_consumer = gen_user()
 user_helpless = gen_user()
@@ -326,6 +355,9 @@ def test_push_matching_username(
 """
 Test that you can push to a nonexisting namespace that matches your username.
 """
+ if settings.TOKEN_AUTH_DISABLED:
+ pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
 user_helpless = gen_user()
 namespace_name = user_helpless.username
 repo_name = f"{namespace_name}/matching"
diff --git a/pulp_container/tests/functional/api/test_rbac_push_repositories.py b/pulp_container/tests/functional/api/test_rbac_push_repositories.py
index 73a646d28..915320a84 100644
--- a/pulp_container/tests/functional/api/test_rbac_push_repositories.py
+++ b/pulp_container/tests/functional/api/test_rbac_push_repositories.py
@@ -2,6 +2,8 @@
 import pytest
+from django.conf import settings
+
 from pulp_smash import utils
 from pulp_smash.pulp3.bindings import monitor_task
@@ -19,6 +21,8 @@ def test_rbac_push_repository(
 container_push_repository_api,
 ):
 """Verify RBAC for a ContainerPushRepository."""
+ if settings.TOKEN_AUTH_DISABLED:
+ pytest.skip("RBAC cannot be tested when token authentication is disabled")
 namespace_name = utils.uuid4()
 repo_name = f"{namespace_name}/perms"
diff --git a/pulp_container/tests/functional/api/test_rbac_remotes.py b/pulp_container/tests/functional/api/test_rbac_remotes.py
index 6e7dae056..1a5e03095 100644
--- a/pulp_container/tests/functional/api/test_rbac_remotes.py
+++ b/pulp_container/tests/functional/api/test_rbac_remotes.py
@@ -3,6 +3,8 @@
 from random import choice
 import pytest
+from django.conf import settings
+
 from pulp_smash import utils
 from pulp_smash.pulp3.bindings import monitor_task
 from pulp_smash.pulp3.constants import ON_DEMAND_DOWNLOAD_POLICIES
@@ -15,6 +17,8 @@
 @pytest.mark.parallel
 def test_rbac_remotes(gen_user, container_remote_api):
 """RBAC remotes."""
+ if settings.TOKEN_AUTH_DISABLED:
+ pytest.skip("RBAC cannot be tested when token authentication is disabled")
 # Setup
 user1 = gen_user(model_roles=["container.containerremote_creator"])
diff --git a/pulp_container/tests/functional/api/test_rbac_repo_content.py b/pulp_container/tests/functional/api/test_rbac_repo_content.py
index b87de283e..2668ea36b 100644
--- a/pulp_container/tests/functional/api/test_rbac_repo_content.py
+++ b/pulp_container/tests/functional/api/test_rbac_repo_content.py
@@ -2,6 +2,8 @@
 import pytest
+from django.conf import settings
+
 from pulp_smash.pulp3.bindings import monitor_task
 from pulp_smash.pulp3.utils import gen_repo
@@ -33,6 +35,8 @@ def test_rbac_repository_content(
 container_tag_api,
 ):
 """Assert that certain users can list and read content."""
+ if settings.TOKEN_AUTH_DISABLED:
+ pytest.skip("RBAC cannot be tested when token authentication is disabled")
 user_creator = gen_user(
 model_roles=[
diff --git a/pulp_container/tests/functional/api/test_rbac_repo_versions.py b/pulp_container/tests/functional/api/test_rbac_repo_versions.py
index f5cc92f4e..cbef66f98 100644
--- a/pulp_container/tests/functional/api/test_rbac_repo_versions.py
+++ b/pulp_container/tests/functional/api/test_rbac_repo_versions.py
@@ -2,6 +2,8 @@
 import pytest
+from django.conf import settings
+
 from pulp_smash import utils
 from pulp_smash.pulp3.bindings import monitor_task
 from pulp_smash.pulp3.utils import gen_repo
@@ -28,6 +30,9 @@ def test_rbac_repository_version(
 container_manifest_api,
 ):
 """Verify RBAC for a ContainerRepositoryVersion."""
+ if settings.TOKEN_AUTH_DISABLED:
+ pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
 user_creator = gen_user(
 model_roles=[
 "container.containerrepository_creator",
@@ -135,6 +140,9 @@ def test_rbac_push_repository_version(
 container_push_repository_version_api,
 ):
 """Verify RBAC for a ContainerPushRepositoryVersion."""
+ if settings.TOKEN_AUTH_DISABLED:
+ pytest.skip("RBAC cannot be tested when token authentication is disabled")
+
 try:
 # Remove namespace to start out clean
 namespace = container_namespace_api.list(name="test_push_repo").results[0]
@@ -191,7 +199,6 @@ def test_rbac_push_repository_version(
 def test_cross_repository_blob_mount(
 add_to_cleanup,
 gen_user,
- pulp_cfg,
 registry_client,
 local_registry,
 mount_blob,
diff --git a/pulp_container/tests/functional/api/test_rbac_sync_repositories.py b/pulp_container/tests/functional/api/test_rbac_sync_repositories.py
index b8b64e407..6f7320867 100644
--- a/pulp_container/tests/functional/api/test_rbac_sync_repositories.py
+++ b/pulp_container/tests/functional/api/test_rbac_sync_repositories.py
@@ -2,6 +2,8 @@
 import pytest
+from django.conf import settings
+
 from pulp_smash import utils
 from pulp_smash.pulp3.bindings import monitor_task
@@ -11,6 +13,8 @@
 @pytest.mark.parallel
 def test_rbac_sync_repositories(gen_user, container_repository_api):
 """RBAC sync repositories."""
+ if settings.TOKEN_AUTH_DISABLED:
+ pytest.skip("RBAC cannot be tested when token authentication is disabled")
 user1 = gen_user(model_roles=["container.containerrepository_creator"])
 user2 = gen_user(model_roles=["container.containerrepository_viewer"])
diff --git a/pulp_container/tests/functional/api/test_repositories_list.py b/pulp_container/tests/functional/api/test_repositories_list.py
index 98622a0b7..2cff4642e 100644
--- a/pulp_container/tests/functional/api/test_repositories_list.py
+++ b/pulp_container/tests/functional/api/test_repositories_list.py
@@ -5,7 +5,7 @@
 from urllib.parse import urljoin
 import requests
-from pulp_smash import api, config
+from pulp_smash import api, cli, config, utils
 from pulp_smash.pulp3.bindings import delete_orphans, monitor_task
 from pulp_smash.pulp3.utils import gen_distribution, gen_repo
@@ -31,6 +31,9 @@
 RemotesContainerApi,
 )
+cli_client = cli.Client(config.get_config())
+TOKEN_AUTH_DISABLED = utils.get_pulp_setting(cli_client, "TOKEN_AUTH_DISABLED")
+
 class RepositoriesList:
 """Base class used for initializing and listing repositories."""
@@ -59,9 +62,14 @@ def setUpClass(cls):
 def get_listed_repositories(self, auth=None):
 """Fetch repositories from the catalog endpoint."""
 repositories_list_endpoint = urljoin(self.cfg.get_base_url(), "/v2/_catalog")
+ response = requests.get(repositories_list_endpoint)
+
+ if TOKEN_AUTH_DISABLED:
+ return response
 with self.assertRaises(requests.HTTPError) as cm:
- requests.get(repositories_list_endpoint).raise_for_status()
+ response.raise_for_status()
+
 content_response = cm.exception.response
 authenticate_header = content_response.headers["Www-Authenticate"]
@@ -186,6 +194,7 @@ def test_none_user(self):
 repositories = self.get_listed_repositories(auth)
 self.assertEqual(repositories.json(), {"repositories": [self.distribution3.base_path]})
+ @unittest.skipIf(TOKEN_AUTH_DISABLED, "Token authentication is not enabled")
 def test_all_user(self):
 """Check if the user can see all repositories."""
 auth = (self.user_all["username"], self.user_all["password"])
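Review bot: The early `return response` in get_listed_repositories hands back the unauthenticated reply without checking its status, and the `auth` argument is silently ignored on that path. A 4xx or 5xx from `/v2/_catalog` would then surface only as a confusing `.json()` or assertEqual failure in the caller; calling `response.raise_for_status()` before the return makes the failure point at the request itself. The docstring should also state that with `TOKEN_AUTH_DISABLED` the catalog is fetched anonymously and the credentials passed by callers are not used. The method continues below the hunk.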
@@ -199,6 +208,7 @@ def test_all_user(self):
 )
 self.assertEqual(repositories.json(), {"repositories": repositories_names})
+ @unittest.skipIf(TOKEN_AUTH_DISABLED, "Token authentication is not enabled")
 def test_only_dist1_user(self):
 """Check if the user can see all public repositories, but not all private repositories."""
 auth = (self.user_only_dist1["username"], self.user_only_dist1["password"])
diff --git a/template_config.yml b/template_config.yml
index 77868af5d..4afbaa5a1 100644
--- a/template_config.yml
+++ b/template_config.yml
@@ -64,6 +64,7 @@ pulp_settings_azure:
 pulp_settings_gcp: null
 pulp_settings_s3:
 flatpak_index: false
+ token_auth_disabled: true
 pydocstyle: true
 release_email: pulp-infra@redhat.com
 release_user: pulpbot