🐞 integration tests use modern UAA

Previous to this commit, the integration tests used a very very old version of UAA (3.5.0) from an s3 bucket that needed Java 8. Updates to the integration Docker image that raised the JDK from 8->17 caused this very old version to explode. This commit represents a major refactoring of how UAA runs in the integration specs. * The UAA version now tracks the version in bosh-deployment * There is only 1 UAA started, as opposed to 1 per spec process * The UAA version is from uaa-release, and is templated accordingly Java upgrade PRs: * #2154 * #2515 * #2516 Co-authored-by: Aram Price <aram.price@broadcom.com> Co-authored-by: Chris Selzo <chris.selzo@broadcom.com>
cloudfoundry · May 8, 2024 · 45d7d16 · 45d7d16
1 parent 9e1e333
commit 45d7d16
Show file tree

Hide file tree

Showing 12 changed files with 446 additions and 115 deletions.
diff --git a/ci/dockerfiles/integration/Dockerfile b/ci/dockerfiles/integration/Dockerfile
@@ -111,4 +111,8 @@ RUN echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/trusted.gpg.
     libmysqlclient-dev \
     postgresql-client-${POSTGRES_MAJOR_VERSION}
 
-
+# Install UAA
+COPY bosh-deployment /usr/local/bosh-deployment/
+RUN \
+  UAA_RELEASE_URL="$(bosh int uaa.yml --path /release=uaa/value/url)" \
+  curl -o /usr/local/uaa.tgz "$UAA_RELEASE_URL"
diff --git a/ci/dockerfiles/integration/install-uaa.rb b/ci/dockerfiles/integration/install-uaa.rb
@@ -0,0 +1,55 @@
+require 'yaml'
+require 'json'
+require 'fileutils'
+require 'tmpdir'
+
+uaa_archive_path = ARGV[0]
+
+%w{
+  /var/vcap/sys/run/uaa
+  /var/vcap/sys/log/uaa
+  /var/vcap/data/tmp
+  /var/vcap/data/uaa
+  /var/vcap/data/uaa/cert-cache
+}.each {|path| FileUtils.mkdir_p path}
+
+installed_uaa_job_path = File.join('/', 'var', 'vcap', 'jobs', 'uaa')
+
+Dir.mktmpdir do |workspace|
+  `tar xzf #{uaa_archive_path} -C #{workspace}`
+  uaa_job_path = File.join(workspace, 'uaa')
+  FileUtils.mkdir_p uaa_job_path
+  `tar xzf #{File.join(workspace, 'jobs', 'uaa.tgz')} -C #{uaa_job_path}`
+  uaa_job_spec_path = File.join(uaa_job_path, 'job.MF')
+  job_spec = YAML.load_file(uaa_job_spec_path)
+  job_spec['packages'].each do |package_name|
+    package_path = File.join('/', 'var', 'vcap', 'packages', package_name)
+    FileUtils.mkdir_p(package_path)
+    `tar xzf #{File.join(workspace, 'compiled_packages', "#{package_name}.tgz")} -C #{package_path}`
+  end
+  context_path = File.join(workspace, 'context.json')
+  context = {
+    'default_properties' => job_spec['properties'].map { |key, value| [key, value['default']]}.to_h,
+    'job_properties' => {
+      'uaa' => {
+        'allow_host_access': true,
+        'debug_listen_address': '127.0.0.1:17013',
+        'default_container_grace_time': '0',
+        'destroy_containers_on_start': true,
+        'graph_cleanup_threshold_in_mb': '0',
+        'listen_address': '127.0.0.1:7777',
+        'listen_network': 'tcp',
+      }
+    }
+  }
+  File.write(context_path, context.to_json)
+  templates = job_spec['templates']
+  templates.each do |src, dst|
+    src_path = File.join(uaa_job_path, 'templates', src)
+    dest_path = File.join(installed_uaa_job_path, dst)
+    FileUtils.mkdir_p(File.dirname(dest_path))
+    `ruby #{File.join(__dir__, 'template-renderer.rb')} #{context_path} #{src_path} #{dest_path}`
+  end
+end
+
+`chmod +x #{File.join(installed_uaa_job_path, 'bin', '*')}`
diff --git a/ci/tasks/test-integration.sh b/ci/tasks/test-integration.sh
@@ -8,6 +8,8 @@ source bosh-src/ci/tasks/utils.sh
 check_param RUBY_VERSION
 check_param DB
 
+curl -o /usr/local/uaa.tgz "https://s3.amazonaws.com/bosh-compiled-release-tarballs/uaa-77.8.0-ubuntu-jammy-1.423-20240430-181143-092389865-20240430181145.tgz"
+
 echo "Starting $DB..."
 case "$DB" in
   mysql)
@@ -52,6 +54,7 @@ max_allowed_packet=6M' >> /etc/mysql/my.cnf
   postgresql)
     export PATH=/usr/lib/postgresql/$DB_VERSION/bin:$PATH
     export DB_PASSWORD="smurf"
+    export PGPASSWORD=${DB_PASSWORD}
 
     if [ ! -d /tmp/postgres ]; then # PostgreSQL hasn't been set up
       mkdir /tmp/postgres
@@ -96,7 +99,8 @@ max_allowed_packet=6M' >> /etc/mysql/my.cnf
         export PATH=/usr/lib/postgresql/$DB_VERSION/bin:$PATH
         export PGLOGS=/tmp/log/postgres
         export PGCLIENTENCODING=UTF8
-        pg_ctl start -l $PGLOGS/server.log -o "-N 400"
+        pg_ctl start -l $PGLOGS/server.log -o "-N 400" --wait
+        createdb -h 127.0.0.1 uaa
       '
     fi
     ;;

diff --git a/src/bosh-dev/assets/sandbox/ca/certs/rootCA.srl b/src/bosh-dev/assets/sandbox/ca/certs/rootCA.srl
diff --git a/src/bosh-dev/assets/sandbox/config_server/certs/jwtVerification.key b/src/bosh-dev/assets/sandbox/config_server/certs/jwtVerification.key
@@ -1,6 +1,14 @@
 -----BEGIN PUBLIC KEY-----
-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/85WUjM7WKxnSMkd/TtGo+WWX
-kI5pH8ACBtb5oameiMJIw/wZ+dtyIwU+NZ0mKua+IzpGL1++bLJL0fDxE1LpD88j
-WzjaaTp8930UyY23oMxSa6JMG6OpDW469VTkY1g3uE/RAFtg7J9ZnDrTrMFJrduV
-VRs5sM3o4r1UYUTD6wIDAQAB
------END PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA06hlEn4/NMWtnele3C5j
+PZm3P55/9jppIQXF/BP0OGaAMoRNZEafv6nH1b8btc4zs0dx52Y7xmOpeRqnXDeD
+3E2uTW0tgjsLQU8BbjlXRrKkzvUiYZqkaCkCMxcX5OcBvhT4Km+/1u4AGuFq9sS2
+Pdv+IAWEOsYbJjPl3lZn2uiQCCX5P5z5JkGbQ/7mBSi/ja1SogP1MBzRLf6VyHpE
+q7zvVnfm+oBsvPu2RC0EM14kL/TktQwyAvpL4TWunhE7gAh4j0fMNgmBfW9NG328
+E2+i+1ag+WyFzSy0rJQHgV0ImEtjhmj0E0C1ysI4Fpy5gew0ZrtsFwnXcKV39xMS
+EG3JLzV3h+QZ4BS9nBi/G8lLF3bWO/B0WTuYDWdkLm1ng3K/Oz0KhVkVG5Igu9FD
+k6EkD62SsMYUMl++3/EMrtNxxvJQDSOOf59/o3BQplbl6qOG6Mpji3ZggxyRYgRS
+iC7PPqJAKYrP3zCzeXyQEMMYxuOcmRR3W6aY341v+9Hs4w+zNJZ2DnB+r6Jaqhpi
+sSiu1yzT0nzkesdv47UNLaTkt0fFMbnvkUSvtz3ZRK5MqVAgjBMULqobz5ASPPe0
+RBg7V6023PHtyNxsJpxsobRG2aril4+7OOspiWSHIuoV1vm1IDs2utHak0GHY0Nc
+MBYj/GcsUXZhHBDbjHk07IsCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/src/bosh-dev/assets/sandbox/director_test.yml.erb b/src/bosh-dev/assets/sandbox/director_test.yml.erb
@@ -7,7 +7,7 @@ runtime:
 
 port: <%= director_ruby_port %>
 
-mbus: nats://localhost:<%= nats_port %>
+mbus: "nats://localhost:<%= nats_port %>"
 
 logging:
   level: DEBUG
@@ -99,13 +99,23 @@ user_management:
   <% if user_authentication == 'uaa' %>
   uaa:
     symmetric_key: uaa-secret-key
-    # matches public key in asymmetric/uaa.yml
+    # public key of `uaa.jwt.policy.keys.key1.signingKey` from src/spec/assets/uaa_config/asymmetric/uaa.yml
+    # To Generate:
+    # openssl rsa -pubout -in <(yq .uaa.jwt.policy.keys.key1.signingKey src/spec/assets/uaa_config/asymmetric/uaa.yml)
     public_key: |
       -----BEGIN PUBLIC KEY-----
-      MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/85WUjM7WKxnSMkd/TtGo+WWX
-      kI5pH8ACBtb5oameiMJIw/wZ+dtyIwU+NZ0mKua+IzpGL1++bLJL0fDxE1LpD88j
-      WzjaaTp8930UyY23oMxSa6JMG6OpDW469VTkY1g3uE/RAFtg7J9ZnDrTrMFJrduV
-      VRs5sM3o4r1UYUTD6wIDAQAB
+      MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA06hlEn4/NMWtnele3C5j
+      PZm3P55/9jppIQXF/BP0OGaAMoRNZEafv6nH1b8btc4zs0dx52Y7xmOpeRqnXDeD
+      3E2uTW0tgjsLQU8BbjlXRrKkzvUiYZqkaCkCMxcX5OcBvhT4Km+/1u4AGuFq9sS2
+      Pdv+IAWEOsYbJjPl3lZn2uiQCCX5P5z5JkGbQ/7mBSi/ja1SogP1MBzRLf6VyHpE
+      q7zvVnfm+oBsvPu2RC0EM14kL/TktQwyAvpL4TWunhE7gAh4j0fMNgmBfW9NG328
+      E2+i+1ag+WyFzSy0rJQHgV0ImEtjhmj0E0C1ysI4Fpy5gew0ZrtsFwnXcKV39xMS
+      EG3JLzV3h+QZ4BS9nBi/G8lLF3bWO/B0WTuYDWdkLm1ng3K/Oz0KhVkVG5Igu9FD
+      k6EkD62SsMYUMl++3/EMrtNxxvJQDSOOf59/o3BQplbl6qOG6Mpji3ZggxyRYgRS
+      iC7PPqJAKYrP3zCzeXyQEMMYxuOcmRR3W6aY341v+9Hs4w+zNJZ2DnB+r6Jaqhpi
+      sSiu1yzT0nzkesdv47UNLaTkt0fFMbnvkUSvtz3ZRK5MqVAgjBMULqobz5ASPPe0
+      RBg7V6023PHtyNxsJpxsobRG2aril4+7OOspiWSHIuoV1vm1IDs2utHak0GHY0Nc
+      MBYj/GcsUXZhHBDbjHk07IsCAwEAAQ==
       -----END PUBLIC KEY-----
     url: <%= uaa_url %>
   <% else %>
@@ -126,9 +136,9 @@ cpi:
   max_supported_api_version: 2
   preferred_api_version: <%= preferred_cpi_api_version %>
 
-<% if config_server_enabled %>
 config_server:
-  enabled: true
+  enabled: <%= config_server_enabled ? 'true' : 'false' %>
+<% if config_server_enabled %>
   url: <%= config_server_url %>
   ca_cert: |
     -----BEGIN CERTIFICATE-----
@@ -155,10 +165,6 @@ config_server:
     client_id: <%= config_server_uaa_client_id %>
     client_secret: <%= config_server_uaa_client_secret %>
     ca_cert_path: <%= config_server_uaa_ca_cert_path %>
-
-<% else %>
-config_server:
-  enabled: false
 <% end %>
 
 generate_vm_passwords: <%= generate_vm_passwords %>

diff --git a/src/bosh-dev/lib/bosh/dev/sandbox/director_config.rb b/src/bosh-dev/lib/bosh/dev/sandbox/director_config.rb
@@ -1,3 +1,5 @@
+require 'bosh/dev/sandbox/services/uaa_service'
+
 module Bosh::Dev::Sandbox
   class DirectorConfig
     attr_accessor :audit_log_path
@@ -69,7 +71,7 @@ def initialize(attrs, port_provider)
       @cloud_storage_dir = attrs.fetch(:cloud_storage_dir)
 
       @user_authentication = attrs.fetch(:user_authentication)
-      @uaa_url = "https://localhost:#{port_provider.get_port(:nginx)}/uaa"
+      @uaa_url = "https://127.0.0.1:8443"
 
       @config_server_enabled = attrs.fetch(:config_server_enabled)
       @config_server_url = "https://127.0.0.1:#{port_provider.get_port(:config_server_port)}"

diff --git a/src/bosh-dev/lib/bosh/dev/sandbox/main.rb b/src/bosh-dev/lib/bosh/dev/sandbox/main.rb
@@ -12,7 +12,6 @@
 require 'bosh/dev/sandbox/port_provider'
 require 'bosh/dev/sandbox/services/director_service'
 require 'bosh/dev/sandbox/services/nginx_service'
-require 'bosh/dev/sandbox/services/uaa_service'
 require 'bosh/dev/sandbox/services/config_server_service'
 require 'bosh/dev/gnatsd_manager'
 require 'cloud/dummy'
@@ -102,9 +101,8 @@ def initialize(db_opts, debug, test_env_number)
       @nats_log_path = File.join(@logs_path, 'nats.log')
       setup_nats
 
-      @uaa_service = UaaService.new(@port_provider, sandbox_root, base_log_path, @logger)
       @config_server_service = ConfigServerService.new(@port_provider, base_log_path, @logger, test_env_number)
-      @nginx_service = NginxService.new(sandbox_root, director_port, director_ruby_port, @uaa_service.port, base_log_path, @logger)
+      @nginx_service = NginxService.new(sandbox_root, director_port, director_ruby_port, "8443", base_log_path, @logger)
 
       @db_config = {
         ca_path: File.join(SANDBOX_ASSETS_DIR, 'database', 'rootCA.pem')
@@ -183,7 +181,6 @@ def start
         load_db_and_populate_blobstore(@test_initial_state)
       end
 
-      @uaa_service.start if @user_authentication == 'uaa'
       @config_server_service.start(@with_config_server_trusted_certs) if @config_server_enabled
 
       dir_config = director_config
@@ -268,7 +265,6 @@ def stop
       @nats_process.stop
 
       @health_monitor_process.stop
-      @uaa_service.stop
 
       @config_server_service.stop
 
@@ -473,7 +469,6 @@ def do_reset
 
       @director_service.start(director_config)
 
-      @uaa_service.start if @user_authentication == 'uaa'
       @nginx_service.restart_if_needed
 
       write_in_sandbox(EXTERNAL_CPI_CONFIG, load_config_template(EXTERNAL_CPI_CONFIG_TEMPLATE))