*** Settings ***
Documentation Smoke test for ozone secure tenant commands
Library OperatingSystem
Library String
Library BuiltIn
Resource ../commonlib.robot
Resource ../s3/commonawslib.robot
Test Timeout 5 minutes
*** Variables ***
${RANGER_ENDPOINT_URL} http://ranger:6080
${S3G_ENDPOINT_URL} http://s3g:9878
*** Test Cases ***
Create Tenant Success with Cluster Admin
Run Keyword Kinit test user testuser testuser.keytab
${output} = Execute ozone tenant --verbose create tenantone
Should contain ${output} "tenantId": "tenantone"
Assign User Success with Cluster Admin
${output} = Execute ozone tenant --verbose user assign testuser --tenant=tenantone
Should contain ${output} Assigned 'testuser' to 'tenantone'
${accessId} = Get Regexp Matches ${output} (?<=export AWS_ACCESS_KEY_ID=).*
${secretKey} = Get Regexp Matches ${output} (?<=export AWS_SECRET_ACCESS_KEY=).*
${accessId} = Set Variable ${accessId[0]}
${secretKey} = Set Variable ${secretKey[0]}
Set Global Variable ${ACCESS_ID} ${accessId}
Set Global Variable ${SECRET_KEY} ${secretKey}
Assign User Failure to Non-existent Tenant
${rc} ${output} = Run And Return Rc And Output ozone tenant user assign testuser --tenant=thistenantdoesnotexist
Should contain ${output} Tenant 'thistenantdoesnotexist' doesn't exist
GetUserInfo Success
${output} = Execute ozone tenant user info testuser
Should contain ${output} Tenant 'tenantone' with accessId 'tenantone$testuser'
GetUserInfo as JSON Success
${output} = Execute ozone tenant user info --json testuser | jq '.tenants | .[].accessId'
Should contain ${output} "tenantone$testuser"
Create Bucket 1 Success via S3 API
Execute aws configure set aws_access_key_id ${ACCESS_ID}
Execute aws configure set aws_secret_access_key ${SECRET_KEY}
${output} = Execute aws s3api --endpoint-url ${S3G_ENDPOINT_URL} create-bucket --bucket bucket-test1
Should contain ${output} bucket-test1
${output} = Execute aws s3api --endpoint-url ${S3G_ENDPOINT_URL} list-buckets
Should contain ${output} bucket-test1
Verify Bucket 1 Owner
${result} = Execute ozone sh bucket info /tenantone/bucket-test1 | jq -r '.owner'
Should Be Equal ${result} testuser
SetSecret Success with Cluster Admin
${output} = Execute ozone tenant user setsecret 'tenantone$testuser' --secret=somesecret1
Should contain ${output} export AWS_SECRET_ACCESS_KEY='somesecret1'
SetSecret Failure For Invalid Secret 1
${rc} ${output} = Run And Return Rc And Output ozone tenant user setsecret 'tenantone$testuser' --secret=''
Should contain ${output} secretKey cannot be null or empty.
SetSecret Failure For Invalid Secret 2
${rc} ${output} = Run And Return Rc And Output ozone tenant user setsecret 'tenantone$testuser' --secret=short
Should contain ${output} Secret key length should be at least 8 characters
GetSecret Success
${output} = Execute ozone tenant user getsecret 'tenantone$testuser'
Should contain ${output} export AWS_SECRET_ACCESS_KEY='somesecret1'
Delete Bucket 1 Failure With Old SecretKey via S3 API
${rc} ${output} = Run And Return Rc And Output aws s3api --endpoint-url ${S3G_ENDPOINT_URL} delete-bucket --bucket bucket-test1
Should Be True ${rc} > 0
Delete Bucket 1 Success With Newly Set SecretKey via S3 API
Execute aws configure set aws_secret_access_key 'somesecret1'
${output} = Execute aws s3api --endpoint-url ${S3G_ENDPOINT_URL} delete-bucket --bucket bucket-test1
Delete Tenant Failure Tenant Not Empty
${rc} ${output} = Run And Return Rc And Output ozone tenant delete tenantone
Should contain ${output} TENANT_NOT_EMPTY Tenant 'tenantone' is not empty. All accessIds associated to this tenant must be revoked before the tenant can be deleted. See `ozone tenant user revoke`
Create Tenant Failure with Regular User
Run Keyword Kinit test user testuser2 testuser2.keytab
${rc} ${output} = Run And Return Rc And Output ozone tenant create tenanttwo
Should contain ${output} PERMISSION_DENIED User 'testuser2/scm@EXAMPLE.COM' or 'testuser2' is not an Ozone admin
SetSecret Failure with Regular User
${rc} ${output} = Run And Return Rc And Output ozone tenant user set-secret 'tenantone$testuser' --secret=somesecret2
Should contain ${output} USER_MISMATCH Requested accessId 'tenantone$testuser' doesn't belong to current user 'testuser2/scm@EXAMPLE.COM', nor does current user have Ozone or tenant administrator privilege
Create Bucket 2 Success with somesecret1 via S3 API
${output} = Execute aws s3api --endpoint-url ${S3G_ENDPOINT_URL} create-bucket --bucket bucket-test2
Should contain ${output} bucket-test2
Delete Bucket 2 Failure with somesecret2 via S3 API
Execute aws configure set aws_secret_access_key 'somesecret2'
${rc} ${output} = Run And Return Rc And Output aws s3api --endpoint-url ${S3G_ENDPOINT_URL} delete-bucket --bucket bucket-test2
Should Be True ${rc} > 0
Delete Bucket 2 Success with somesecret1 via S3 API
Execute aws configure set aws_secret_access_key 'somesecret1'
${output} = Execute aws s3api --endpoint-url ${S3G_ENDPOINT_URL} delete-bucket --bucket bucket-test2
Revoke User AccessId Success with Cluster Admin
Run Keyword Kinit test user testuser testuser.keytab
${output} = Execute ozone tenant --verbose user revoke 'tenantone$testuser'
Should contain ${output} Revoked accessId 'tenantone$testuser'.
Create Bucket 3 Failure with Revoked AccessId via S3 API
${rc} ${output} = Run And Return Rc And Output aws s3api --endpoint-url ${S3G_ENDPOINT_URL} create-bucket --bucket bucket-test3
Should Be True ${rc} > 0
Delete Tenant Success with Cluster Admin
${output} = Execute ozone tenant delete tenantone
Should contain ${output} Deleted tenant 'tenantone'.
Delete Volume Success with Cluster Admin
${output} = Execute ozone sh volume delete tenantone
Should contain ${output} Volume tenantone is deleted
List Tenant Expect Empty Result
${output} = Execute ozone tenant list
Should not contain ${output} tenantone