Run all Behat features in isolation

The initialization config for the tests are now using the same config
as middleware is using when a new environment is bootstrapped.

After the initial setup of the tests a mysqldump is created in
order to run all test in isolation and prevent unwanted side effects.

And the event stream is no only used to boostrap an SRAA with a token.

Author: pablothedude

stepup/tests/behat/.gitignore

@@ -1 +1,2 @@
-/vendor
+/vendor
+setup.sql

stepup/tests/behat/features/bootstrap/FeatureContext.php

@@ -4,6 +4,7 @@
 use Behat\Behat\Hook\Scope\BeforeScenarioScope;
 use Behat\MinkExtension\Context\MinkContext;
 use Behat\Behat\Hook\Scope\BeforeFeatureScope;
+use Behat\Testwork\Hook\Scope\BeforeSuiteScope;
 use Ramsey\Uuid\Uuid;
 use Surfnet\StepupBehat\Factory\CommandPayloadFactory;
 use Surfnet\StepupBehat\Repository\SecondFactorRepository;
@@ -65,9 +66,9 @@ private static function execCommand(string $command): void
     }
 
     /**
-     * @BeforeFeature
+     * @BeforeSuite
      */
-    public static function setupDatabase(BeforeFeatureScope $scope)
+    public static function setupDatabase(BeforeSuiteScope $scope)
     {
         // Generate test databases
         echo "Preparing test schemas\n";
@@ -83,8 +84,25 @@ public static function setupDatabase(BeforeFeatureScope $scope)
         // Perform an event replay
         echo "Replaying event stream\n";
         self::execCommand("docker exec -t stepup-middleware-1 bin/console middleware:event:replay --env=smoketest_event_replay --no-interaction -vvv");
+
         // Push config
+        echo "Push Middleware config\n";
         self::execCommand("./fixtures/middleware-push-config.sh");
+        self::execCommand("./fixtures/middleware-push-whitelist.sh");
+        self::execCommand("./fixtures/middleware-push-institution.sh");
+
+        // Write base setup for initializing features
+        echo "Dump empty setup to mysql file\n";
+        self::execCommand("mysqldump -h mariadb -u root -psecret --single-transaction --databases middleware_test gateway_test > setup.sql");
+    }
+
+    /**
+     * @BeforeFeature
+     */
+    public static function load(BeforeFeatureScope $scope)
+    {
+        // restore base setup
+        self::execCommand("mysql -h mariadb -u root -psecret < setup.sql");
     }
 
     /**

stepup/tests/behat/features/identity.feature

@@ -3,6 +3,11 @@ Feature: A (S)RA(A) user reads identities of StepUp users in the middleware API
   As a (S)RA(A) user
   I must be able to read from the middleware API
 
+  Scenario: Provision the following users:
+    Given a user "jane-a1" identified by "urn:collab:person:institution-a.example.com:jane-a-ra" from institution "institution-a.example.com" with UUID "00000000-0000-4000-8000-000000000001"
+    And a user "joe-a1" identified by "urn:collab:person:institution-a.example.com:jane-a-ra" from institution "institution-a.example.com" with UUID "00000000-0000-4000-8000-000000000002"
+    And a user "jill-a1" identified by "urn:collab:person:institution-a.example.com:jane-a-ra" from institution "institution-a.example.com" with UUID "00000000-0000-4000-8000-000000000003"
+
   Scenario: A (S)RA(A) user reads identities without additional authorization context
     Given I authenticate with user "ra" and password "secret"
     When I request "GET /identity?institution=institution-a.example.com"

stepup/tests/behat/features/ra_candidate.feature

@@ -23,11 +23,7 @@ Feature: A RAA manages ra candidates in the ra environment
     Then I should see the following candidates:
       | name                                  | institution               |
       | jane-a-ra                             | institution-a.example.com |
-      | jane-b1 institution-b.example.com     | institution-b.example.com |
-      | user-b-ra institution-b.example.com   | institution-b.example.com |
-      | user-b5 institution-b.example.com     | institution-b.example.com |
       | Admin                                 | dev.openconext.local      |
-      | SRAA2                                 | dev.openconext.local      |
 
   Scenario: SRAA user checks if "Jane Toppan" is a candidate for all institutions (with filtering on institution-a)
     Given I am logged in into the ra portal as "admin" with a "yubikey" token
@@ -42,9 +38,6 @@ Feature: A RAA manages ra candidates in the ra environment
     When I visit the RA promotion page
     Then I should see the following candidates for "institution-b.example.com":
       | name                                | institution               |
-      | jane-b1 institution-b.example.com   | institution-b.example.com |
-      | user-b-ra institution-b.example.com | institution-b.example.com |
-      | user-b5 institution-b.example.com   | institution-b.example.com |
 
   Scenario: SRAA user demotes "jane-a-ra" to no longer be an RAA for "institution-a"
     Given I am logged in into the ra portal as "admin" with a "yubikey" token
@@ -57,18 +50,12 @@ Feature: A RAA manages ra candidates in the ra environment
     Then I should see the following candidates for "institution-a.example.com":
       | name                                | institution               |
       | jane-a-ra                           | institution-a.example.com |
-      | jane-b1 institution-b.example.com   | institution-b.example.com |
-      | user-b-ra institution-b.example.com | institution-b.example.com |
-      | user-b5 institution-b.example.com   | institution-b.example.com |
 
   Scenario: SRAA user checks if "Jane Toppan" is not a candidate for "institution-b"
     Given I am logged in into the ra portal as "admin" with a "yubikey" token
     When I visit the RA promotion page
     Then I should see the following candidates for "institution-b.example.com":
       | name                                | institution               |
-      | jane-b1 institution-b.example.com   | institution-b.example.com |
-      | user-b-ra institution-b.example.com | institution-b.example.com |
-      | user-b5 institution-b.example.com   | institution-b.example.com |
 
   Scenario: SRAA user checks if "Jane Toppan" is not listed for "institution-a"
     Given I am logged in into the ra portal as "admin" with a "yubikey" token

stepup/tests/behat/features/ra_multiple_tokens.feature

@@ -54,11 +54,7 @@ Feature: A RAA (jane a ra) has two loa 3 tokens which makes her a valid RA candi
     Then I should see the following candidates:
       | name                                | institution               |
       | jane-a-ra                           | institution-a.example.com |
-      | jane-b1 institution-b.example.com   | institution-b.example.com |
-      | user-b5 institution-b.example.com   | institution-b.example.com |
-      | user-b-ra institution-b.example.com | institution-b.example.com |
       | Admin                               | dev.openconext.local      |
-      | SRAA2                               | dev.openconext.local      |
 
   Scenario: SRAA user checks if "jane-a-ra" is a candidate for institutions if relieved from the RAA role
     Given I am logged in into the ra portal as "admin" with a "yubikey" token
@@ -68,11 +64,7 @@ Feature: A RAA (jane a ra) has two loa 3 tokens which makes her a valid RA candi
     And I should see the following candidates:
       | name                                | institution               |
       | jane-a-ra                           | institution-a.example.com |
-      | jane-b1 institution-b.example.com   | institution-b.example.com |
-      | user-b5 institution-b.example.com   | institution-b.example.com |
-      | user-b-ra institution-b.example.com | institution-b.example.com |
       | Admin                               | dev.openconext.local      |
-      | SRAA2                               | dev.openconext.local      |
 
   Scenario: Sraa revokes only one vetted token from "jane-a-ra" and that shouldn't remove her as candidate
     Given I am logged in into the ra portal as "admin" with a "yubikey" token
@@ -82,11 +74,7 @@ Feature: A RAA (jane a ra) has two loa 3 tokens which makes her a valid RA candi
       And I should see the following candidates:
         | name                                | institution               |
         | jane-a-ra                           | institution-a.example.com |
-        | jane-b1 institution-b.example.com   | institution-b.example.com |
-        | user-b5 institution-b.example.com   | institution-b.example.com |
-        | user-b-ra institution-b.example.com | institution-b.example.com |
         | Admin                               | dev.openconext.local      |
-        | SRAA2                               | dev.openconext.local      |
 
   Scenario: Sraa revokes the last vetted token from "Jane Toppan" and that must remove her as candidate
     Given I am logged in into the ra portal as "admin" with a "yubikey" token
@@ -95,8 +83,4 @@ Feature: A RAA (jane a ra) has two loa 3 tokens which makes her a valid RA candi
     Then I visit the RA promotion page
       And I should see the following candidates:
         | name                                | institution               |
-        | jane-b1 institution-b.example.com   | institution-b.example.com |
-        | user-b5 institution-b.example.com   | institution-b.example.com |
-        | user-b-ra institution-b.example.com | institution-b.example.com |
         | Admin                               | dev.openconext.local      |
-        | SRAA2                               | dev.openconext.local      |

stepup/tests/behat/fixtures/events.sql

@@ -0,0 +1,133 @@
+{
+  "dev.openconext.local": {
+    "use_ra_locations": true,
+    "show_raa_contact_information": true,
+    "verify_email": false,
+    "allowed_second_factors": [],
+    "number_of_tokens_per_identity": 5,
+    "self_vet": true,
+    "allow_self_asserted_tokens": true
+  },
+  "institution-a.example.com": {
+    "use_ra_locations": true,
+    "show_raa_contact_information": true,
+    "verify_email": true,
+    "allowed_second_factors": [],
+    "number_of_tokens_per_identity": 2,
+    "self_vet": true,
+    "sso_on_2fa": true,
+    "allow_self_asserted_tokens": true
+  },
+  "institution-b.example.com": {
+    "use_ra_locations": false,
+    "show_raa_contact_information": true,
+    "verify_email": false,
+    "allowed_second_factors": [],
+    "number_of_tokens_per_identity": 2,
+    "self_vet": true,
+    "sso_on_2fa": true,
+    "allow_self_asserted_tokens": true
+  },
+  "institution-d.example.com": {
+    "use_ra_locations": true,
+    "show_raa_contact_information": false,
+    "verify_email": true,
+    "allowed_second_factors": [
+      "yubikey",
+      "tiqr"
+    ],
+    "number_of_tokens_per_identity": 1,
+    "self_vet": false,
+    "allow_self_asserted_tokens": false
+  },
+  "institution-f.example.com": {
+    "use_ra_locations": true,
+    "show_raa_contact_information": false,
+    "verify_email": false,
+    "allowed_second_factors": [],
+    "number_of_tokens_per_identity": 2,
+    "use_ra": [
+      "institution-f.example.com",
+      "institution-a.example.com",
+      "institution-b.example.com"
+    ],
+    "use_raa": [
+      "institution-f.example.com",
+      "institution-a.example.com"
+    ],
+    "select_raa": [
+      "institution-f.example.com"
+    ],
+    "self_vet": true,
+    "allow_self_asserted_tokens": false
+  },
+  "institution-g.example.com": {
+    "use_ra_locations": true,
+    "show_raa_contact_information": true,
+    "verify_email": false,
+    "allowed_second_factors": [],
+    "number_of_tokens_per_identity": 2,
+    "use_ra": [
+      "institution-g.example.com"
+    ],
+    "use_raa": [
+      "institution-g.example.com"
+    ],
+    "select_raa": [
+      "institution-h.example.com",
+      "institution-g.example.com"
+    ],
+    "self_vet": true,
+    "allow_self_asserted_tokens": false
+  },
+  "institution-h.example.com": {
+    "use_ra_locations": true,
+    "show_raa_contact_information": true,
+    "verify_email": false,
+    "allowed_second_factors": [],
+    "number_of_tokens_per_identity": 2,
+    "use_ra": [
+      "institution-h.example.com"
+    ],
+    "use_raa": [
+      "institution-h.example.com"
+    ],
+    "select_raa": [
+      "institution-h.example.com",
+      "institution-g.example.com"
+    ],
+    "self_vet": true,
+    "allow_self_asserted_tokens": true
+  },
+  "institution-v.example.com": {
+    "use_ra_locations": true,
+    "show_raa_contact_information": true,
+    "verify_email": false,
+    "allowed_second_factors": [],
+    "number_of_tokens_per_identity": 2,
+    "use_ra": [],
+    "use_raa": [],
+    "select_raa": [
+      "institution-a.example.com",
+      "institution-b.example.com"
+    ],
+    "self_vet": true,
+    "allow_self_asserted_tokens": false
+  },
+  "institution-i.example.com": {
+    "use_ra_locations": true,
+    "show_raa_contact_information": true,
+    "verify_email": false,
+    "allowed_second_factors": [],
+    "number_of_tokens_per_identity": 2,
+    "use_ra": [
+      "institution-v.example.com"
+    ],
+    "use_raa": [
+      "institution-v.example.com"
+    ],
+    "select_raa": [],
+    "self_vet": true,
+    "allow_self_asserted_tokens": false
+  }
+}

stepup/tests/behat/fixtures/middleware-institution.json

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+CWD=$(pwd)
+
+function error_exit {
+	echo "${1}"
+	if [ -n "${TMP_FILE}" -a -d "${TMP_FILE}" ]; then
+		rm "${TMP_FILE}"
+	fi
+	cd "${CWD}"
+	exit 1
+}
+
+# Script to write the middleware institution config
+
+TMP_FILE=$(mktemp -t midcfg.XXXXXX)
+if [ $? -ne "0" ]; then
+	error_exit "Could not create temp file"
+fi
+
+echo "Pushing new institution configuration to: https://middleware.dev.openconext.local/management/institution-configuration"
+
+http_response=$(curl -k --write-out %\{http_code\} --output "${TMP_FILE}" -XPOST -s \
+	-u management:secret \
+	-H "Accept: application/json" \
+	-H "Content-type: application/json" \
+	-d @./fixtures/middleware-institution.json \
+	https://middleware.dev.openconext.local/management/institution-configuration)
+
+output=$(cat ${TMP_FILE})
+rm ${TMP_FILE}
+echo $output
+
+res=$?
+if [ $res -ne "0" ]; then
+	error_exit "Curl failed with code $res"
+fi
+
+# Check for HTTP 200
+if [ "${http_response}" -ne "200" ]; then
+	error_exit "Unexpected HTTP response: ${http_response}"
+fi
+
+# On success JSON output should start with: {"status":"OK"
+ok_count=$(echo "${output}" | grep -c "status")
+if [ $ok_count -ne "1" ]; then
+	error_exit "Expected one JSON \"status: OK\" in response, found $ok_count"
+fi
+
+echo "OK. New config pushed"

stepup/tests/behat/fixtures/middleware-push-institution.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+CWD=$(pwd)
+
+function error_exit {
+	echo "${1}"
+	if [ -n "${TMP_FILE}" -a -d "${TMP_FILE}" ]; then
+		rm "${TMP_FILE}"
+	fi
+	cd ${CWD}
+	exit 1
+}
+
+# Script to write the middleware institution whitelist
+
+TMP_FILE=$(mktemp -t midcfg.XXXXXX)
+if [ $? -ne "0" ]; then
+	error_exit "Could not create temp file"
+fi
+
+echo "Pushing new institution whitelist to: http://middleware.dev.openconext.local/management/whitelist/replace"
+
+http_response=$(curl -k --write-out %{http_code} --output ${TMP_FILE} -XPOST -s \
+	-u management:secret \
+    	-H "Accept: application/json" \
+    	-H "Content-type: application/json" \
+	-d @./fixtures/middleware-whitelist.json \
+	https://middleware.dev.openconext.local/management/whitelist/replace)
+
+res=$?
+
+output=$(cat "${TMP_FILE}")
+rm "${TMP_FILE}"
+echo "$output"
+
+if [ $res -ne "0" ]; then
+	error_exit "Curl failed with code $res"
+fi
+
+# Check for HTTP 200
+if [ "${http_response}" -ne "200" ]; then
+	error_exit "Unexpected HTTP response: ${http_response}"
+fi
+
+# On success JSON output should start with: {"status":"OK"
+ok_count=$(echo "${output}" | grep -c "status")
+if [ $ok_count -ne "1" ]; then
+	error_exit "Expected one JSON \"status: OK\" in response, found $ok_count"
+fi
+
+echo "OK. New config pushed"