test: enable Azure AD with e2e tests

.github/workflows/container-ecr-viewer.yaml

@@ -78,15 +78,24 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-  convert-data:
+  e2e-tests:
     strategy:
       fail-fast: false
       matrix:
         include:
-          - config: AWS_SQLSERVER_NON_INTEGRATED
+          - config: AWS_SQLSERVER_DUAL
+            azure_ad: true
             schema: extended
+            endpoint: process-ecr
+          - config: GCP_PG_DUAL
+            azure_ad: false
+            schema: core
+            endpoint: process-zip
+          - config: AWS_INTEGRATED
+            azure_ad: false
             endpoint: process-zip
           - config: AZURE_PG_NON_INTEGRATED
+            azure_ad: true
             schema: core
             endpoint: process-ecr
     runs-on: ubuntu-latest
@@ -116,26 +125,23 @@ jobs:
         run: |
           echo "METADATA_DATABASE_SCHEMA=${{ matrix.schema }}" >> .env.local
 
-      - name: Set UPLOAD_URL to ${{ matrix.endpoint }}
+      - name: Set up Azure AD
+        if: ${{ matrix.azure_ad }}
         working-directory: ./containers/${{env.CONTAINER}}
         run: |
-          echo "UPLOAD_URL=http://host.docker.internal:3000/ecr-viewer/api/${{ matrix.endpoint }}" >> .env.local
+          sed -i 's/AUTH_PROVIDER=.*$/AUTH_PROVIDER=ad/' .env.local
+          sed -i 's/AUTH_CLIENT_ID=.*$/AUTH_CLIENT_ID=${{ secrets.AZURE_AD_CLIENT_ID }}/' .env.local
+          sed -i 's/AUTH_CLIENT_SECRET=.*$/AUTH_CLIENT_SECRET=${{ secrets.AZURE_AD_CLIENT_SECRET }}/' .env.local
+          sed -i 's/AUTH_ISSUER=.*$/AUTH_ISSUER=${{ secrets.AZURE_AD_ISSUER }}/' .env.local
+          sed -i 's/AUTH_ADMIN_USER=.*$/AUTH_ADMIN_USER=${{ secrets.AZURE_ADMIN_USER }}/' .env.local
+          sed -i 's/AUTH_ADMIN_PASSWORD=.*$/AUTH_ADMIN_PASSWORD=${{ secrets.AZURE_ADMIN_PASSWORD }}/' .env.local
+          sed -i 's/AUTH_STANDARD_USER=.*$/AUTH_STANDARD_USER=${{ secrets.AZURE_STANDARD_USER }}/' .env.local
+          sed -i 's/AUTH_STANDARD_PASSWORD=.*$/AUTH_STANDARD_PASSWORD=${{ secrets.AZURE_STANDARD_PASSWORD }}/' .env.local
 
-      - name: Run seed data conversion
-        run: npm run convert-seed-data
+      - name: Set UPLOAD_URL to ${{ matrix.endpoint }}
         working-directory: ./containers/${{env.CONTAINER}}
-
-  e2e-tests:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{env.NODE_VERSION}}
+        run: |
+          echo "UPLOAD_URL=http://host.docker.internal:3000/ecr-viewer/api/${{ matrix.endpoint }}" >> .env.local
 
       - name: Install dependencies
         working-directory: ./containers/${{env.CONTAINER}}
@@ -145,12 +151,6 @@ jobs:
         working-directory: ./containers/${{env.CONTAINER}}
         run: npm run test:e2e:install
 
-      - name: Set up env vars
-        working-directory: ./containers/${{env.CONTAINER}}
-        run: |
-          npm run setup-local-env
-          ../../setup-env.sh ../orchestration/.env ../orchestration/.env.sample
-
       - name: Run local docker and wait for it to be ready
         working-directory: ./containers/${{env.CONTAINER}}
         run: npm run local-docker:silent && ./tests/e2e/waitForUrl.sh localhost:3000/ecr-viewer/api/health-check localhost:8071/health/ready
@@ -175,7 +175,7 @@ jobs:
         uses: actions/upload-artifact@v4
         if: ${{ !cancelled() }}
         with:
-          name: playwright-report-migrations
+          name: playwright-report-migrations-${{ matrix.config }}
           path: containers/${{env.CONTAINER}}/playwright-report/
           retention-days: 5
 
@@ -193,7 +193,7 @@ jobs:
         working-directory: ./containers/${{env.CONTAINER}}
         run: npm run test:e2e:seed-user-prog
 
-      - name: Run Playwright tests - Non-Integrated
+      - name: Run Playwright tests
         working-directory: ./containers/${{env.CONTAINER}}
         run: npm run test:e2e
 
@@ -209,55 +209,22 @@ jobs:
         working-directory: ./containers/${{env.CONTAINER}}
         run: docker compose --profile "*" down
 
-      - name: Upload playwright report - Non-Integrated
+      - name: Upload playwright report
         uses: actions/upload-artifact@v4
         if: ${{ !cancelled() }}
         with:
-          name: playwright-report
+          name: playwright-report-${{ matrix.config }}
           path: containers/${{env.CONTAINER}}/playwright-report/
           retention-days: 5
 
       - name: Upload Lighthouse report
         uses: actions/upload-artifact@v4
         if: ${{ !cancelled() }}
         with:
-          name: lighthouse-report
+          name: lighthouse-report-${{ matrix.config }}
           path: containers/${{env.CONTAINER}}/lighthouse/
           retention-days: 5
 
-      - name: Set CONFIG_NAME to AWS_INTEGRATED
-        working-directory: ./containers/${{env.CONTAINER}}
-        run: |
-          sed -i 's/AWS_SQLSERVER_DUAL/AWS_INTEGRATED/' .env.local
-
-      - name: Run local docker and wait for it to be ready
-        working-directory: ./containers/${{env.CONTAINER}}
-        run: npm run local-docker:silent && ./tests/e2e/waitForUrl.sh localhost:3000/ecr-viewer/api/health-check
-
-      - name: Run Playwright tests - Integrated
-        working-directory: ./containers/${{env.CONTAINER}}
-        run: npm run test:e2e:integrated
-
-      - name: Get docker logs
-        if: ${{ !cancelled() }}
-        working-directory: ./containers/${{env.CONTAINER}}/tests/e2e
-        shell: bash
-        run: |
-          echo "Saving $CONTAINER logs"
-          docker compose --profile "*" logs --timestamps &>> e2e-run.log
-
-      - name: Docker down
-        working-directory: ./containers/${{env.CONTAINER}}
-        run: docker compose --profile "*" down
-
-      - name: Upload playwright report - integrated
-        uses: actions/upload-artifact@v4
-        if: ${{ !cancelled() }}
-        with:
-          name: playwright-report-integrated
-          path: containers/${{env.CONTAINER}}/playwright-report/
-          retention-days: 5
-
       - name: Get docker logs
         if: ${{ !cancelled() }}
         working-directory: ./containers/${{env.CONTAINER}}/tests/e2e
@@ -267,10 +234,10 @@ jobs:
           docker compose --profile "*" logs --timestamps &>> e2e-run.log
 
       - name: Archive docker logs
-        if: ${{ !cancelled() }}
+        if: ${{ always() }}
         uses: actions/upload-artifact@v4
         with:
-          name: logs
+          name: logs-${{ matrix.config }}
           path: ./containers/${{env.CONTAINER}}/tests/e2e/e2e-run.log
           retention-days: 5
 

containers/ecr-viewer/.env.sample

@@ -45,8 +45,10 @@ AUTH_CLIENT_ID=ecr-viewer
 AUTH_CLIENT_SECRET=P7e6LOwZXhJq1MCo0GSRAQFqBOYDuaBx
 AUTH_ISSUER=http://localhost:8070/realms/master
 # For local testing only
-AUTH_USER=ecr-viewer-admin
-AUTH_PASSWORD=pw
+[email protected]
+AUTH_ADMIN_PASSWORD=pw
+[email protected]
+AUTH_STANDARD_PASSWORD=pw
 # AUTH_SESSION_DURATION_MIN=3
 
 # INTEGRATED AUTH - For testing use only

containers/ecr-viewer/.eslintrc.json

@@ -87,7 +87,7 @@
   },
   "overrides": [
     {
-      "files": ["*.test*", "**/tests/**/*"],
+      "files": ["./tests/**/*"],
       "rules": {
         "@typescript-eslint/no-explicit-any": "off",
         "jsdoc/require-jsdoc": "off"

containers/ecr-viewer/package.json

@@ -24,10 +24,9 @@
     "test:integration:pg": "npx @dotenvx/dotenvx run -f .env.local -- sh -c 'METADATA_DATABASE_TYPE=postgres TEST_TYPE=integration TZ=America/New_York jest --runInBand --detectOpenHandles'",
     "test:integration:sqlserver": "npx @dotenvx/dotenvx run -f .env.local -- sh -c 'METADATA_DATABASE_TYPE=sqlserver TEST_TYPE=integration TZ=America/New_York jest --runInBand --detectOpenHandles'",
     "test:e2e:install": "playwright install --with-deps",
-    "test:e2e": "npx @dotenvx/dotenvx run -f .env.local -- sh -c 'playwright test ./tests/e2e/dual'",
-    "test:e2e:migrations": "npx @dotenvx/dotenvx run -f .env.local -- sh -c 'playwright test ./tests/e2e/migrations.spec.ts --project chromium'",
-    "test:e2e:integrated": "npx @dotenvx/dotenvx run -f .env.local -- sh -c 'playwright test ./tests/e2e/integrated'",
-    "test:e2e:seed-user-prog": "npx @dotenvx/dotenvx run -f .env.local -- sh -c 'playwright test ./tests/e2e/seed.spec.ts --project chromium'",
+    "test:e2e": "npx @dotenvx/dotenvx run -f .env.local -- playwright test --project chromium --project firefox --project webkit",
+    "test:e2e:migrations": "npx @dotenvx/dotenvx run -f .env.local -- playwright test --project migrations",
+    "test:e2e:seed-user-prog": "npx @dotenvx/dotenvx run -f .env.local -- playwright test --project seed",
     "clear-local": "docker compose -f ./seed-scripts/docker-compose-seed.yaml --profile \"*\" down -v",
     "convert-seed-data": "npx @dotenvx/dotenvx run -f .env.local -- sh -c 'docker compose -f ./seed-scripts/docker-compose-seed.yaml --profile ${CONFIG_NAME} --profile ecr-viewer up --abort-on-container-exit ${CONVERT_FLAGS}'",
     "convert-seed-data:build": "CONVERT_FLAGS=--build npm run convert-seed-data"

containers/ecr-viewer/playwright.config.ts

@@ -1,10 +1,19 @@
 import { defineConfig, devices } from "@playwright/test";
 
+// for main e2e tests, pick the test dir based on the config
+const testDir =
+  process.env.CONFIG_NAME?.endsWith("DUAL") ||
+  process.env.CONFIG_NAME?.endsWith("NON_INTEGRATED")
+    ? "./tests/e2e/dual"
+    : "./tests/e2e/integrated";
+
 /**
  * See https://playwright.dev/docs/test-configuration.
  */
 export default defineConfig({
-  testDir: "./tests/e2e",
+  testDir: "./tests/e2e", // base test dir
+  globalSetup: require.resolve("./tests/e2e/global-setup"),
+  globalTeardown: require.resolve("./tests/e2e/global-teardown"),
   /* Run tests in files in parallel */
   fullyParallel: true,
   /* Fail the build on CI if you accidentally left test.only in the source code. */
@@ -30,18 +39,33 @@ export default defineConfig({
     {
       name: "chromium",
       use: { ...devices["Desktop Chrome"] },
+      testDir,
     },
 
     {
       name: "firefox",
       use: { ...devices["Desktop Firefox"] },
-      testIgnore: /lighthouse.spec.ts/,
+      testIgnore: [/lighthouse.spec.ts/],
+      testDir,
     },
 
     {
       name: "webkit",
       use: { ...devices["Desktop Safari"] },
-      testIgnore: /lighthouse.spec.ts/,
+      testIgnore: [/lighthouse.spec.ts/],
+      testDir,
+    },
+
+    {
+      name: "migrations",
+      use: { ...devices["Desktop Chrome"] },
+      testMatch: [/migrations.spec.ts/],
+    },
+
+    {
+      name: "seed",
+      use: { ...devices["Desktop Chrome"] },
+      testMatch: [/seed.spec.ts/],
     },
   ],
   webServer: {

containers/ecr-viewer/seed-scripts/create-seed-data.py

@@ -6,6 +6,7 @@
 
 import grequests
 import requests as rqsts
+from azure.identity import DefaultAzureCredential
 
 MIGRATION_URL = "http://host.docker.internal:3000/ecr-viewer/api/migrate-db"
 BASEDIR = os.path.dirname(os.path.abspath(__file__))
@@ -43,25 +44,48 @@ def _process_files():
     subfolders = subfolders_raw.split(",")
 
     print("Requesting API token...")
-    token_req = rqsts.post(
-        f"{os.getenv('AUTH_ISSUER').replace('localhost', 'host.docker.internal')}/protocol/openid-connect/token",
-        data={
-            "client_id": os.getenv("AUTH_CLIENT_ID"),
-            "client_secret": os.getenv("AUTH_CLIENT_SECRET"),
-            "username": os.getenv("AUTH_USER"),
-            "password": os.getenv("AUTH_PASSWORD"),
-            "grant_type": "password",
-            "scope": "openid email profile",
-        },
-    )
-    assert token_req.status_code == 200, f"{token_req.json()}"
-    token = token_req.json()["access_token"]
+    config_name = os.getenv("CONFIG_NAME")
+    if config_name.endswith("INTEGRATED") and not config_name.endswith(
+        "NON_INTEGRATED"
+    ):
+        print("using integrated auth")
+        token = os.getenv("DUMMY_NBS_JWT")
+    elif os.getenv("AUTH_PROVIDER") == "keycloak":
+        print("using keycloak auth")
+        token_req = rqsts.post(
+            f"{os.getenv('AUTH_ISSUER').replace('localhost', 'host.docker.internal')}/protocol/openid-connect/token",
+            data={
+                "client_id": os.getenv("AUTH_CLIENT_ID"),
+                "client_secret": os.getenv("AUTH_CLIENT_SECRET"),
+                "username": os.getenv("AUTH_ADMIN_USER"),
+                "password": os.getenv("AUTH_ADMIN_PASSWORD"),
+                "grant_type": "password",
+                "scope": "openid email profile",
+            },
+        )
+        assert token_req.status_code == 200, f"{token_req.json()}"
+        token = token_req.json()["access_token"]
+    elif os.getenv("AUTH_PROVIDER") == "ad":
+        print("using ad auth")
+        os.environ["AZURE_CLIENT_ID"] = os.getenv("AUTH_CLIENT_ID")
+        os.environ["AZURE_TENANT_ID"] = os.getenv("AUTH_ISSUER")
+        os.environ["AZURE_CLIENT_SECRET"] = os.getenv("AUTH_CLIENT_SECRET")
+        default_credential = DefaultAzureCredential()
+        token = default_credential.get_token(
+            f"{os.getenv('AUTH_CLIENT_ID')}/.default"
+        ).token
+    else:
+        raise "Unknown auth setup"
+
     headers = {"Authorization": f"Bearer {token}"}
 
     print("Requesting db migration...")
     rs = rqsts.post(
         MIGRATION_URL,
-        data={"migration_secret": "test", "init_admin_email": "[email protected]"},
+        data={
+            "migration_secret": "test",
+            "init_admin_email": os.getenv("AUTH_ADMIN_USER"),
+        },
         headers=headers,
     )
     assert rs.status_code == 200, f"{rs.json()}"

containers/ecr-viewer/seed-scripts/docker-compose-seed.yaml

@@ -88,10 +88,12 @@ services:
       - CONFIG_NAME
       - SEED_DATA_DIRECTORIES=${SEED_DATA_DIRECTORIES:-star-wars}
       - UPLOAD_URL=${UPLOAD_URL:-http://host.docker.internal:3000/ecr-viewer/api/process-ecr}
+      - AUTH_PROVIDER
       - AUTH_CLIENT_ID
       - AUTH_CLIENT_SECRET
       - AUTH_ISSUER
-      - AUTH_USER
-      - AUTH_PASSWORD
+      - AUTH_ADMIN_USER
+      - AUTH_ADMIN_PASSWORD
+      - DUMMY_NBS_JWT
     extra_hosts:
       - host.docker.internal:host-gateway

containers/ecr-viewer/seed-scripts/requirements.txt

@@ -1,3 +1,4 @@
+azure-identity
 grequests
 requests
 gevent>=23.9

containers/ecr-viewer/src/app/api/migrate-db/route.ts

@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { z } from "zod";
 
+import { dbDialect } from "@/app/data/metadataDb/utils/db-config";
 import { createInitialAdminUser } from "@/app/services/userService";
 
 import { migrateDown, migrateUp } from "./migrate";
@@ -38,6 +39,13 @@ interface MigrationResponse {
 export async function POST(
   request: NextRequest,
 ): Promise<NextResponse<MigrationResponse>> {
+  if (!dbDialect()) {
+    return NextResponse.json(
+      { message: "No database set up to migrate" },
+      { status: 200 }, // success in the sense there's nothing to do
+    );
+  }
+
   if (!process.env.METADATA_DATABASE_MIGRATION_SECRET) {
     console.error("No migration secret found!");
     return NextResponse.json(

containers/ecr-viewer/src/app/utils/auth-utils.ts

@@ -8,7 +8,7 @@ interface UserSession {
 }
 
 /**
- * Server side helper for whether this user is logged in. For client side, see `useLoggedInUser`.
+ * Server side helper for whether this user is logged in. For client side, see `useIsLoggedInUser`.
  * A user can have access to an ecr page without being a logged in user if
  * they are authenticated via an NBS jwt.
  * @returns whether the user is logged in

containers/ecr-viewer/src/app/view-data/components/SideNav.tsx

@@ -231,6 +231,7 @@ const SideNav: React.FC = () => {
           key={section.id}
           href={"#" + section.id}
           className={activeSection === section.id ? "usa-current" : ""}
+          data-testid="sidenav-link"
         >
           {section.title}
         </a>