Merge pull request #254 from DRK3/GNAPBDDTests

test: BDD tests showing EDV+GNAP and EDV+no auth
trustbloc · Jul 11, 2022 · 4908bd7 · 4908bd7
2 parents 6e086ab + 2892b9f
commit 4908bd7
Show file tree

Hide file tree

Showing 19 changed files with 2,161 additions and 160 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -60,6 +60,9 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
       - name: Run BDD test
         run: |
+          echo '127.0.0.1 oidc.provider.example.com' | sudo tee -a /etc/hosts
+          echo '127.0.0.1 auth.trustbloc.local' | sudo tee -a /etc/hosts
+          echo '127.0.0.1 testnet.orb.local' | sudo tee -a /etc/hosts
           make bdd-test
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/scripts/check_integration.sh b/scripts/check_integration.sh
@@ -6,19 +6,37 @@
 #
 set -e
 
-echo "Running EDV integration tests..."
-
 PWD=`pwd`
 cd test/bdd
 
 # TODO (#220): Reduce BDD test running time by only starting storage containers as needed.
 
+echo "Running EDV integration tests using MongoDB + GNAP authorization..."
+
+export EDV_DATABASE_TYPE=mongodb
+export EDV_DATABASE_URL=mongodb://mongodb.example.com:27017
+export EDV_AUTH_TYPE=GNAP
+go test -count=1 -v -cover . -p 1 -timeout=20m -race
+
+echo "Running EDV integration tests using MongoDB + ZCAP authorization..."
+
 export EDV_DATABASE_TYPE=mongodb
 export EDV_DATABASE_URL=mongodb://mongodb.example.com:27017
+export EDV_AUTH_TYPE=ZCAP
 go test -count=1 -v -cover . -p 1 -timeout=20m -race
 
+echo "Running EDV integration tests using MongoDB + no authorization..."
+
+export EDV_DATABASE_TYPE=mongodb
+export EDV_DATABASE_URL=mongodb://mongodb.example.com:27017
+export EDV_AUTH_TYPE=none
+go test -count=1 -v -cover . -p 1 -timeout=20m -race
+
+echo "Running EDV integration tests using CouchDB + GNAP authorization..."
+
 export EDV_DATABASE_TYPE=couchdb
 export EDV_DATABASE_URL=admin:[email protected]:5984
+export EDV_AUTH_TYPE=GNAP
 go test -count=1 -v -cover . -p 1 -timeout=20m -race
 
 cd $PWD
diff --git a/scripts/generate_test_keys.sh b/scripts/generate_test_keys.sh
@@ -22,7 +22,10 @@ subjectAltName = @alt_names
 DNS.1 = localhost
 DNS.2 = edv.example.com
 DNS.3 = third.party.oidc.provider.example.com
-DNS.4 = auth.rest.hydra.example.com" >> "$tmp"
+DNS.4 = auth.rest.hydra.example.com
+DNS.5 = auth.trustbloc.local
+DNS.6 = oidc.provider.example.com
+DNS.7 = testnet.orb.local" >> "$tmp"
 
 CERT_CA="test/bdd/fixtures/keys/tls/ec-cacert.pem"
 if [ ! -f "$CERT_CA" ]; then
@@ -43,4 +46,7 @@ mkdir -p test/bdd/fixtures/keys/session_cookies
 openssl rand -out test/bdd/fixtures/keys/session_cookies/auth.key 32
 openssl rand -out test/bdd/fixtures/keys/session_cookies/enc.key 32
 
+#create private key for GNAP signer
+openssl ecparam -name prime256v1 -genkey -noout -out test/bdd/fixtures/keys/gnap-priv-key.pem
+
 echo "done generating edv PKI"
diff --git a/test/bdd/bddtests_test.go b/test/bdd/bddtests_test.go
@@ -21,7 +21,6 @@ import (
 	"github.com/trustbloc/edv/test/bdd/pkg/common"
 	bddctx "github.com/trustbloc/edv/test/bdd/pkg/context"
 	"github.com/trustbloc/edv/test/bdd/pkg/edv"
-	"github.com/trustbloc/edv/test/bdd/pkg/interop"
 )
 
 func TestMain(m *testing.M) {
@@ -62,7 +61,7 @@ func runBDDTests(tags, format string) int { //nolint: gocognit
 				}
 
 				fmt.Println("docker-compose up ... waiting for containers to start ...")
-				testSleep := 25
+				testSleep := 35
 				if os.Getenv("TEST_SLEEP") != "" {
 					var e error
 
@@ -73,6 +72,8 @@ func runBDDTests(tags, format string) int { //nolint: gocognit
 				}
 
 				sleepAndWait(testSleep)
+
+				FeatureContext(s)
 			}
 		})
 		s.AfterSuite(func() {
@@ -87,7 +88,6 @@ func runBDDTests(tags, format string) int { //nolint: gocognit
 				}
 			}
 		})
-		FeatureContext(s)
 	}, godog.Options{
 		Tags:          tags,
 		Format:        format,
@@ -138,12 +138,6 @@ func FeatureContext(s *godog.Suite) {
 		panic(fmt.Sprintf("Failed to create a new NewBDDContext: %s", err))
 	}
 
-	bddInteropContext, err := bddctx.NewBDDInteropContext()
-	if err != nil {
-		panic(fmt.Sprintf("Failed to create a new NewBDDInteropContext: %s", err))
-	}
-
 	edv.NewSteps(bddContext).RegisterSteps(s)
 	common.NewSteps(bddContext).RegisterSteps(s)
-	interop.NewSteps(bddInteropContext).RegisterSteps(s)
 }
diff --git a/test/bdd/fixtures/edv-rest/.env b/test/bdd/fixtures/edv-rest/.env
@@ -17,8 +17,20 @@ EDV_2_PORT=8075
 EDV_DATABASE_TYPE=mongodb
 EDV_DATABASE_URL=mongodb://mongodb.example.com:27017
 EDV_DATABASE_PREFIX=edv_
+EDV_AUTH_TYPE=GNAP
 
 COUCHDB_IMAGE=couchdb
 COUCHDB_IMAGE_TAG=3.1.0
 COUCHDB_USERNAME=admin
 COUCHDB_PASSWORD=password
+
+AUTH_REST_IMAGE=ghcr.io/trustbloc-cicd/auth
+AUTH_REST_IMAGE_TAG=0.1.9-snapshot-2540de8
+
+HYDRA_IMAGE_TAG=v1.3.2-alpine
+MYSQL_IMAGE_TAG=8.0.20
+
+MOCK_LOGIN_CONSENT_IMAGE=mockloginconsent
+
+SIDETREE_MOCK_IMAGE=ghcr.io/trustbloc-cicd/sidetree-mock
+SIDETREE_MOCK_IMAGE_TAG=0.7.0-snapshot-799d4d5
diff --git a/test/bdd/fixtures/edv-rest/docker-compose.yml b/test/bdd/fixtures/edv-rest/docker-compose.yml
@@ -28,16 +28,19 @@ services:
       - EDV_DATABASE_URL=${EDV_DATABASE_URL}
       - EDV_DATABASE_PREFIX=${EDV_DATABASE_PREFIX}
       - EDV_LOG_LEVEL=debug
+      - EDV_TLS_CACERTS=/etc/tls/ec-cacert.pem
       - EDV_TLS_CERT_FILE=/etc/tls/ec-pubCert.pem
       - EDV_TLS_KEY_FILE=/etc/tls/ec-key.pem
-      - EDV_AUTH_TYPE=ZCAP
+      - EDV_AUTH_TYPE=${EDV_AUTH_TYPE}
+      - EDV_GNAP_SIGNING_KEY=/etc/gnap-priv-key.pem
+      - EDV_AUTH_SERVER_URL=https://auth.trustbloc.local:8070
       - EDV_LOCALKMS_SECRETS_DATABASE_TYPE=${EDV_DATABASE_TYPE}
       - EDV_LOCALKMS_SECRETS_DATABASE_URL=${EDV_DATABASE_URL}
       - EDV_LOCALKMS_SECRETS_DATABASE_PREFIX=kms
     ports:
       - ${EDV_1_PORT}:${EDV_1_PORT}
     volumes:
-      - ../keys/tls:/etc/tls
+      - ../keys:/etc
     command: start
 
   edv-2.example.com:
@@ -49,16 +52,19 @@ services:
       - EDV_DATABASE_URL=${EDV_DATABASE_URL}
       - EDV_DATABASE_PREFIX=${EDV_DATABASE_PREFIX}
       - EDV_LOG_LEVEL=debug
+      - EDV_TLS_CACERTS=/etc/tls/ec-cacert.pem
       - EDV_TLS_CERT_FILE=/etc/tls/ec-pubCert.pem
       - EDV_TLS_KEY_FILE=/etc/tls/ec-key.pem
-      - EDV_AUTH_TYPE=ZCAP
+      - EDV_AUTH_TYPE=${EDV_AUTH_TYPE}
+      - EDV_GNAP_SIGNING_KEY=/etc/gnap-priv-key.pem
+      - EDV_AUTH_SERVER_URL=https://auth.trustbloc.local:8070
       - EDV_LOCALKMS_SECRETS_DATABASE_TYPE=${EDV_DATABASE_TYPE}
       - EDV_LOCALKMS_SECRETS_DATABASE_URL=${EDV_DATABASE_URL}
       - EDV_LOCALKMS_SECRETS_DATABASE_PREFIX=kms
     ports:
       - ${EDV_2_PORT}:${EDV_2_PORT}
     volumes:
-      - ../keys/tls:/etc/tls
+      - ../keys:/etc
     command: start
 
   mongodb.example.com:
@@ -77,3 +83,138 @@ services:
       - COUCHDB_PASSWORD=${COUCHDB_PASSWORD}
     volumes:
       - ./couchdb-config/config.ini:/opt/couchdb/etc/local.d/config.ini
+
+  auth.trustbloc.local:
+    container_name: auth.trustbloc.local
+    image: ${AUTH_REST_IMAGE}:${AUTH_REST_IMAGE_TAG}
+    environment:
+      - AUTH_REST_HOST_URL=0.0.0.0:8070
+      - AUTH_REST_EXTERNAL_URL=https://auth.trustbloc.local:8070
+      - AUTH_REST_TLS_CACERTS=/etc/keys/tls/ec-cacert.pem
+      - AUTH_REST_TLS_SYSTEMCERTPOOL=true
+      - AUTH_REST_TLS_SERVE_CERT=/etc/keys/tls/ec-pubCert.pem
+      - AUTH_REST_TLS_SERVE_KEY=/etc/keys/tls/ec-key.pem
+      - AUTH_REST_DATABASE_TYPE=mongodb
+      - AUTH_REST_DATABASE_URL=mongodb://mongodb.example.com:27017
+      - AUTH_REST_DATABASE_PREFIX=authrest_
+      - AUTH_REST_OIDC_CALLBACK=https://auth.trustbloc.local:8070/oauth2/callback
+      - AUTH_REST_OIDC_PROVIDERS_CONFIG=/etc/oidc-config/providers.yaml
+      - AUTH_REST_SDS_DOCS_URL=https://TODO.docs.sds.org
+      - AUTH_REST_SDS_OPSKEYS_URL=https://TODO.keys.sds.org
+      - AUTH_REST_KEYSERVER_AUTH_URL=https://TODO.auth.keyserver.org
+      - AUTH_REST_KEYSERVER_OPS_URL=https://TODO.ops.keyserver.org
+      - AUTH_REST_HYDRA_URL=https://hydra.trustbloc.local:4445
+      - AUTH_REST_API_TOKEN=test_token
+      - AUTH_REST_COOKIE_AUTH_KEY=/etc/keys/session_cookies/auth.key
+      - AUTH_REST_COOKIE_ENC_KEY=/etc/keys/session_cookies/enc.key
+      - AUTH_REST_LOG_LEVEL=DEBUG
+      - AUTH_REST_STATIC_IMAGES=/etc/static/images
+      - GNAP_ACCESS_POLICY=/etc/gnap-config/access_policy.json
+    ports:
+      - 8070:8070
+    entrypoint: ""
+    command:  /bin/sh -c "sleep 30 && auth-rest start"
+    volumes:
+      - ../keys:/etc/keys
+      - ./oidc-config:/etc/oidc-config
+      - ./static:/etc/static
+      - ./gnap-config:/etc/gnap-config
+    depends_on:
+      - hydra.trustbloc.local
+      - mongodb.example.com
+      - oidc.provider.example.com
+
+  hydra.trustbloc.local:
+    container_name: hydra.trustbloc.local
+    image: oryd/hydra:${HYDRA_IMAGE_TAG}
+    ports:
+      - 4444:4444
+      - 4445:4445
+    command:  /bin/sh -c "hydra migrate sql --read-from-env --yes; hydra serve all"
+    entrypoint: ""
+    environment:
+      - DSN=mysql://hydra:hydra-secret-pw@tcp(mysql:3306)/hydra?max_conns=20&max_idle_conns=4
+      - URLS_SELF_ISSUER=https://localhost:4444/
+      - URLS_CONSENT=https://auth.trustbloc.local:8070/hydra/consent
+      - URLS_LOGIN=https://auth.trustbloc.local:8070/hydra/login
+      - SECRETS_SYSTEM=testSecretsSystem
+      - OIDC_SUBJECT_TYPES_SUPPORTED=public
+      - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=testSecretsSystem
+      - SERVE_TLS_KEY_PATH=/etc/tls/ec-key.pem
+      - SERVE_TLS_CERT_PATH=/etc/tls/ec-pubCert.pem
+    restart: unless-stopped
+    volumes:
+      - ../keys/tls:/etc/tls
+    depends_on:
+      - mysql
+
+  mysql:
+    container_name: mysql
+    image: mysql:${MYSQL_IMAGE_TAG}
+    restart: always
+    command: --default-authentication-plugin=mysql_native_password
+    environment:
+      MYSQL_ROOT_PASSWORD: secret
+    logging:
+      driver: "none"
+    volumes:
+      - ./mysql-config:/docker-entrypoint-initdb.d
+
+  oidc.provider.example.com:
+    container_name: oidc.provider.example.com
+    image: oryd/hydra:${HYDRA_IMAGE_TAG}
+    ports:
+      - 5555:5555
+      - 5556:5556
+    command: /bin/sh -c "hydra migrate sql --read-from-env --yes; tmp/hydra_configure.sh& hydra serve all"
+    entrypoint: ""
+    environment:
+      - DSN=mysql://thirdpartyoidc:thirdpartyoidc-secret-pw@tcp(mysql:3306)/thirdpartyoidc?max_conns=20&max_idle_conns=4
+      - URLS_SELF_ISSUER=https://oidc.provider.example.com:5555/
+      - URLS_CONSENT=https://localhost:8099/mock/consent
+      - URLS_LOGIN=https://localhost:8099/mock/login
+      - SECRETS_SYSTEM=testSecretsSystem
+      - OIDC_SUBJECT_TYPES_SUPPORTED=public
+      - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=testSecretsSystem
+      - SERVE_TLS_KEY_PATH=/etc/tls/ec-key.pem
+      - SERVE_TLS_CERT_PATH=/etc/tls/ec-pubCert.pem
+      - SERVE_PUBLIC_PORT=5555
+      - SERVE_ADMIN_PORT=5556
+    restart: unless-stopped
+    volumes:
+      - ../keys/tls:/etc/tls
+      - ./hydra-config/hydra_configure.sh:/tmp/hydra_configure.sh
+    depends_on:
+      - mysql
+      - mock.login.consent.example.com
+
+  mock.login.consent.example.com:
+    container_name: mock.login.consent.example.com
+    image: ${MOCK_LOGIN_CONSENT_IMAGE}:latest
+    environment:
+      - LISTEN_ADDR=:8099
+      - HYDRA_ADMIN_URL=https://oidc.provider.example.com:5556
+      - TLS_CERT_PATH=/etc/tls/ec-pubCert.pem
+      - TLS_KEY_PATH=/etc/tls/ec-key.pem
+      - ROOT_CA_CERTS_PATH=/etc/tls/ec-cacert.pem
+    ports:
+      - 8099:8099
+    volumes:
+      - ../keys/tls:/etc/tls
+
+  testnet.orb.local:
+    container_name: testnet.orb.local
+    image: ${SIDETREE_MOCK_IMAGE}:${SIDETREE_MOCK_IMAGE_TAG}
+    environment:
+      - SIDETREE_MOCK_TLS_CERTIFICATE=/etc/sidetree/tls/ec-pubCert.pem
+      - SIDETREE_MOCK_TLS_KEY=/etc/sidetree/tls/ec-key.pem
+      - SIDETREE_MOCK_HOST=0.0.0.0
+      - SIDETREE_MOCK_PORT=443
+      - SIDETREE_MOCK_DID_NAMESPACE=did:orb
+      - SIDETREE_MOCK_DID_ALIASES=did:orb:testnet.orb.local
+      - SIDETREE_MOCK_EXTERNAL_ENDPOINT=https://testnet.orb.local
+      - SIDETREE_MOCK_WELLKNOWN_PATH=did-orb
+    ports:
+      - "443:443"
+    volumes:
+      - ../keys/tls:/etc/sidetree/tls
diff --git a/test/bdd/fixtures/edv-rest/gnap-config/access_policy.json b/test/bdd/fixtures/edv-rest/gnap-config/access_policy.json
@@ -0,0 +1,13 @@
+{
+  "access-types": [
+    {
+      "reference": "example-token-type",
+      "permission": "NeedsConsent",
+      "expires-in": 3600,
+      "access": {
+        "type": "https://trustbloc.net/definitions/example/access-token",
+        "subject-keys": ["sub"]
+      }
+    }
+  ]
+}
diff --git a/test/bdd/fixtures/edv-rest/hydra-config/hydra_configure.sh b/test/bdd/fixtures/edv-rest/hydra-config/hydra_configure.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# Copyright SecureKey Technologies Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+echo "Creating client for auth..."
+# will use --skip-tls-verify because hydra doesn't trust self-signed certificate
+# remove it when using real certificate
+hydra clients create \
+    --endpoint https://oidc.provider.example.com:5556 \
+    --id auth \
+    --secret auth-secret \
+    --grant-types authorization_code,refresh_token \
+    --response-types code,id_token \
+    --scope openid,profile,email \
+    --skip-tls-verify \
+    --callbacks https://auth.trustbloc.local:8070/oauth2/callback
+
+echo "Finished creating oidc client!"
+
+echo "Creating oidc client for gnap flow..."
+# will use --skip-tls-verify because hydra doesn't trust self-signed certificate
+# remove it when using real certificate
+hydra clients create \
+    --endpoint https://oidc.provider.example.com:5556 \
+    --id auth1 \
+    --secret auth-secret \
+    --grant-types authorization_code,refresh_token \
+    --response-types code,id_token \
+    --scope openid,profile,email \
+    --skip-tls-verify \
+    --callbacks https://auth.trustbloc.local:8070/oidc/callback
+
+echo "Finished creating oidc client for gnap flow!"