src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh - aurora - Git at Google

 #!/bin/bash
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 #
 # An integration test for the client, using the vagrant environment as a testbed.
 set -eux

 readonly KRB5_MAJOR_MINOR=1.17
 readonly KRB5_VERSION=1.17
 readonly KRB5_URL_BASE=http://web.mit.edu/kerberos/dist/krb5/
 readonly KRB5_TARBALL=krb5-$KRB5_MAJOR_MINOR.tar.gz
 readonly KRB5_KEY_IDS=(5F8372DF 253AAB87 0055C305)
 readonly SCHEDULER_HOSTNAME=aurora.local
 readonly LC_ALL=en_US.UTF-8

 function enter_vagrant {
   exec vagrant ssh -- /vagrant/src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh "$@"
 }

 function enter_testrealm {
   cd $HOME
     [[ -f $KRB5_TARBALL ]] || wget "$KRB5_URL_BASE/$KRB5_VERSION/$KRB5_TARBALL"
     [[ -f $KRB5_TARBALL.asc ]] || wget "$KRB5_URL_BASE/$KRB5_VERSION/$KRB5_TARBALL.asc"
     gpg --list-keys ${KRB5_KEY_IDS[@]} &>/dev/null || gpg --keyserver keyserver.ubuntu.com --recv-keys ${KRB5_KEY_IDS[@]}
     gpg --verify $KRB5_TARBALL.asc
     [[ -d `basename $KRB5_TARBALL .tar.gz` ]] || tar zxvf $KRB5_TARBALL
     cd `basename $KRB5_TARBALL .tar.gz`
       mkdir -p build
       cd build
         [[ -f Makefile ]] || ../src/configure
         make
         # Reinvokes this script with a full kerberos test realm configured.
         SHELL=$0 exec make testrealm
 }

 function await_scheduler_ready {
   while ! curl -s localhost:8081/vars | grep "framework_registered 1"; do
     sleep 3
   done
 }

 readonly SNAPSHOT_RPC_DATA="[1,\"snapshot\",1,0,{}]"
 readonly SNAPSHOT_RESPONSE_OUTFILE="snapshot-response.%s.json"
 function snapshot_as {
   local principal=$1
   kinit -k -t "testdir/${principal}.keytab" $principal
   curl -u : --negotiate -w '%{http_code}\n' \
     -o $(printf $SNAPSHOT_RESPONSE_OUTFILE $principal) \
     -v "http://$SCHEDULER_HOSTNAME:8081/api" \
     -H "Content-Type:application/vnd.apache.thrift.json" \
     --data-binary "$SNAPSHOT_RPC_DATA"
   kdestroy
 }

 function setup {
   cat >> $KRB5_CONFIG <<EOF
 [domain_realm]
   .local = KRBTEST.COM
 EOF

   aurorabuild all
   sudo cp /vagrant/examples/vagrant/systemd/aurora-scheduler-kerberos.service \
     /etc/systemd/system/aurora-scheduler-kerberos.service
   sudo systemctl stop aurora-scheduler || true
   sudo systemctl daemon-reload
   sudo systemctl start aurora-scheduler-kerberos
   await_scheduler_ready

   kadmin.local -q "addprinc -randkey HTTP/$SCHEDULER_HOSTNAME"
   rm -f testdir/HTTP-$SCHEDULER_HOSTNAME.keytab.keytab
   kadmin.local -q "ktadd -keytab testdir/HTTP-$SCHEDULER_HOSTNAME.keytab HTTP/$SCHEDULER_HOSTNAME"

   kadmin.local -q "addprinc -randkey vagrant"
   rm -f testdir/vagrant.keytab
   kadmin.local -q "ktadd -keytab testdir/vagrant.keytab vagrant"

   kadmin.local -q "addprinc -randkey unpriv"
   rm -f testdir/unpriv.keytab
   kadmin.local -q "ktadd -keytab testdir/unpriv.keytab unpriv"

   kadmin.local -q "addprinc -randkey root"
   rm -f testdir/root.keytab
   kadmin.local -q "ktadd -keytab testdir/root.keytab root"
 }

 function test_snapshot {
   snapshot_as vagrant
   cat snapshot-response.vagrant.json
   grep -q 'lacks permission' snapshot-response.vagrant.json
   snapshot_as unpriv
   cat snapshot-response.unpriv.json
   grep -q 'lacks permission' snapshot-response.unpriv.json
   snapshot_as root
   cat snapshot-response.root.json
   grep -qv 'lacks permission' snapshot-response.root.json
 }

 function test_clients {
   sudo cp /vagrant/examples/vagrant/clusters_kerberos.json /etc/aurora/clusters.json

   kinit -k -t "testdir/root.keytab" root
   aurora_admin set_quota devcluster kerberos-test 0.0 0MB 0MB /dev/null 2>&1 | grep 'OK' | true
   aurora update pause devcluster/role/env/job /dev/null 2>&1 | grep 'No active update found' | true
   kdestroy
 }

 function tear_down {
   local retcode=$1
   sudo cp /vagrant/examples/vagrant/clusters.json /etc/aurora/clusters.json
   sudo systemctl stop aurora-scheduler-kerberos || true
   sudo rm -f /etc/systemd/system/aurora-scheduler-kerberos.service
   sudo systemctl start aurora-scheduler || true
   if [[ $retcode -ne 0 ]]; then
     echo
     echo '!!! FAILED'
     echo
   fi
   exit $retcode
 }

 function main {
   if [[ "$USER" != "vagrant" ]]; then
     enter_vagrant "$@"
   elif [[ -z "${KRB5_CONFIG:-}" ]]; then
     enter_testrealm "$@"
   else
     trap 'tear_down 1' EXIT
     setup
     test_snapshot
     test_clients
     set +x
     echo
     echo '*** OK (All tests passed) ***'
     echo
     trap '' EXIT
     tear_down 0
   fi
 }

 main "$@"
	#!/bin/bash
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	#
	#
	# An integration test for the client, using the vagrant environment as a testbed.
	set -eux

	readonly KRB5_MAJOR_MINOR=1.17
	readonly KRB5_VERSION=1.17
	readonly KRB5_URL_BASE=http://web.mit.edu/kerberos/dist/krb5/
	readonly KRB5_TARBALL=krb5-$KRB5_MAJOR_MINOR.tar.gz
	readonly KRB5_KEY_IDS=(5F8372DF 253AAB87 0055C305)
	readonly SCHEDULER_HOSTNAME=aurora.local
	readonly LC_ALL=en_US.UTF-8

	function enter_vagrant {
	exec vagrant ssh -- /vagrant/src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh "$@"
	}

	function enter_testrealm {
	cd $HOME
	[[ -f $KRB5_TARBALL ]] \|\| wget "$KRB5_URL_BASE/$KRB5_VERSION/$KRB5_TARBALL"
	[[ -f $KRB5_TARBALL.asc ]] \|\| wget "$KRB5_URL_BASE/$KRB5_VERSION/$KRB5_TARBALL.asc"
	gpg --list-keys ${KRB5_KEY_IDS[@]} &>/dev/null \|\| gpg --keyserver keyserver.ubuntu.com --recv-keys ${KRB5_KEY_IDS[@]}
	gpg --verify $KRB5_TARBALL.asc
	[[ -d `basename $KRB5_TARBALL .tar.gz` ]] \|\| tar zxvf $KRB5_TARBALL
	cd `basename $KRB5_TARBALL .tar.gz`
	mkdir -p build
	cd build
	[[ -f Makefile ]] \|\| ../src/configure
	make
	# Reinvokes this script with a full kerberos test realm configured.
	SHELL=$0 exec make testrealm
	}

	function await_scheduler_ready {
	while ! curl -s localhost:8081/vars \| grep "framework_registered 1"; do
	sleep 3
	done
	}

	readonly SNAPSHOT_RPC_DATA="[1,\"snapshot\",1,0,{}]"
	readonly SNAPSHOT_RESPONSE_OUTFILE="snapshot-response.%s.json"
	function snapshot_as {
	local principal=$1
	kinit -k -t "testdir/${principal}.keytab" $principal
	curl -u : --negotiate -w '%{http_code}\n' \
	-o $(printf $SNAPSHOT_RESPONSE_OUTFILE $principal) \
	-v "http://$SCHEDULER_HOSTNAME:8081/api" \
	-H "Content-Type:application/vnd.apache.thrift.json" \
	--data-binary "$SNAPSHOT_RPC_DATA"
	kdestroy
	}

	function setup {
	cat >> $KRB5_CONFIG <<EOF
	[domain_realm]
	.local = KRBTEST.COM
	EOF

	aurorabuild all
	sudo cp /vagrant/examples/vagrant/systemd/aurora-scheduler-kerberos.service \
	/etc/systemd/system/aurora-scheduler-kerberos.service
	sudo systemctl stop aurora-scheduler \|\| true
	sudo systemctl daemon-reload
	sudo systemctl start aurora-scheduler-kerberos
	await_scheduler_ready

	kadmin.local -q "addprinc -randkey HTTP/$SCHEDULER_HOSTNAME"
	rm -f testdir/HTTP-$SCHEDULER_HOSTNAME.keytab.keytab
	kadmin.local -q "ktadd -keytab testdir/HTTP-$SCHEDULER_HOSTNAME.keytab HTTP/$SCHEDULER_HOSTNAME"

	kadmin.local -q "addprinc -randkey vagrant"
	rm -f testdir/vagrant.keytab
	kadmin.local -q "ktadd -keytab testdir/vagrant.keytab vagrant"

	kadmin.local -q "addprinc -randkey unpriv"
	rm -f testdir/unpriv.keytab
	kadmin.local -q "ktadd -keytab testdir/unpriv.keytab unpriv"

	kadmin.local -q "addprinc -randkey root"
	rm -f testdir/root.keytab
	kadmin.local -q "ktadd -keytab testdir/root.keytab root"
	}

	function test_snapshot {
	snapshot_as vagrant
	cat snapshot-response.vagrant.json
	grep -q 'lacks permission' snapshot-response.vagrant.json
	snapshot_as unpriv
	cat snapshot-response.unpriv.json
	grep -q 'lacks permission' snapshot-response.unpriv.json
	snapshot_as root
	cat snapshot-response.root.json
	grep -qv 'lacks permission' snapshot-response.root.json
	}

	function test_clients {
	sudo cp /vagrant/examples/vagrant/clusters_kerberos.json /etc/aurora/clusters.json

	kinit -k -t "testdir/root.keytab" root
	aurora_admin set_quota devcluster kerberos-test 0.0 0MB 0MB /dev/null 2>&1 \| grep 'OK' \| true
	aurora update pause devcluster/role/env/job /dev/null 2>&1 \| grep 'No active update found' \| true
	kdestroy
	}

	function tear_down {
	local retcode=$1
	sudo cp /vagrant/examples/vagrant/clusters.json /etc/aurora/clusters.json
	sudo systemctl stop aurora-scheduler-kerberos \|\| true
	sudo rm -f /etc/systemd/system/aurora-scheduler-kerberos.service
	sudo systemctl start aurora-scheduler \|\| true
	if [[ $retcode -ne 0 ]]; then
	echo
	echo '!!! FAILED'
	echo
	fi
	exit $retcode
	}

	function main {
	if [[ "$USER" != "vagrant" ]]; then
	enter_vagrant "$@"
	elif [[ -z "${KRB5_CONFIG:-}" ]]; then
	enter_testrealm "$@"
	else
	trap 'tear_down 1' EXIT
	setup
	test_snapshot
	test_clients
	set +x
	echo
	echo '* OK (All tests passed) *'
	echo
	trap '' EXIT
	tear_down 0
	fi
	}

	main "$@"