Merge pull request #11626 from owncloud/run-antivirus-test-on-k8s

[tests-only][full-ci] add support for antivirus, email and authapp services

Author: nirajacharya2

.drone.star

@@ -1108,19 +1108,19 @@ def localApiTestPipeline(ctx):
                                      ([] if run_on_k8s else restoreBuildArtifactCache(ctx, "ocis-binary-amd64", "ocis/bin")) +
                                      (tikaService() if params["tikaNeeded"] and not run_on_k8s else tikaServiceK8s() if params["tikaNeeded"] and run_on_k8s else []) +
                                      (waitForServices("online-offices", ["collabora:9980", "onlyoffice:443", "fakeoffice:8080"]) if params["collaborationServiceNeeded"] else []) +
-                                     (waitK3sCluster() + deployOcis() + waitForOcis(ocis_url = ocis_url) + ociswrapper() + waitForOciswrapper() if run_on_k8s else ocisServer(storage, extra_server_environment = params["extraServerEnvironment"], with_wrapper = True, tika_enabled = params["tikaNeeded"], volumes = ([stepVolumeOcisStorage]))) +
-                                     (waitForClamavService() if params["antivirusNeeded"] else []) +
-                                     (waitForEmailService() if params["emailNeeded"] else []) +
+                                     (waitK3sCluster() + (clamavServiceK8s() if params["antivirusNeeded"] and run_on_k8s else []) + (emailServiceK8s() if params["emailNeeded"] and run_on_k8s else []) + deployOcis() + waitForOcis(ocis_url = ocis_url) + ociswrapper() + waitForOciswrapper() if run_on_k8s else ocisServer(storage, extra_server_environment = params["extraServerEnvironment"], with_wrapper = True, tika_enabled = params["tikaNeeded"], volumes = ([stepVolumeOcisStorage]))) +
+                                     (waitForClamavService() if params["antivirusNeeded"] and not run_on_k8s else exposeAntivirusServiceK8s() if params["antivirusNeeded"] and run_on_k8s else []) +
+                                     (waitForEmailService() if params["emailNeeded"] and not run_on_k8s else exposeEmailServiceK8s() if params["emailNeeded"] and run_on_k8s else []) +
                                      (ocisServer(storage, deploy_type = "federation", extra_server_environment = params["extraServerEnvironment"]) if params["federationServer"] else []) +
                                      ((wopiCollaborationService("fakeoffice") + wopiCollaborationService("collabora") + wopiCollaborationService("onlyoffice")) if params["collaborationServiceNeeded"] else []) +
                                      (ocisHealthCheck("wopi", ["wopi-collabora:9304", "wopi-onlyoffice:9304", "wopi-fakeoffice:9304"]) if params["collaborationServiceNeeded"] else []) +
                                      localApiTests(name, params["suites"], storage, params["extraEnvironment"], run_with_remote_php, ocis_url = ocis_url, k8s = run_on_k8s) +
                                      apiTestFailureLog() +
                                      (generateCoverageFromAPITest(ctx, name) if not run_on_k8s else []),
-                            "services": (emailService() if params["emailNeeded"] else []) +
-                                        (clamavService() if params["antivirusNeeded"] else []) +
-                                        ((fakeOffice() + collaboraService() + onlyofficeService()) if params["collaborationServiceNeeded"] else []) +
-                                        (k3sCluster() if run_on_k8s else []),
+                            "services": (k3sCluster() if run_on_k8s else []) +
+                                        (emailService() if params["emailNeeded"] and not run_on_k8s else []) +
+                                        (clamavService() if params["antivirusNeeded"] and not run_on_k8s else []) +
+                                        ((fakeOffice() + collaboraService() + onlyofficeService()) if params["collaborationServiceNeeded"] else []),
                             "depends_on": getPipelineNames(buildOcisBinaryForTesting(ctx)),
                             "trigger": {
                                 "ref": [
@@ -3836,6 +3836,49 @@ def deployOcis():
         ],
     }]
 
+def clamavServiceK8s():
+    return [{
+        "name": "clamav",
+        "image": OC_CI_ALPINE,
+        "commands": [
+            "cp -r %s/tests/config/drone/k8s/clamav %s/ocis-charts/charts/ocis/templates/" % (dirs["base"], dirs["base"]),
+            "sed -i 's/{{ *\\\\.Values\\\\.features\\\\.virusscan\\\\.infectedFileHandling *| *quote *}}/\"delete\"/' %s/ocis-charts/charts/ocis/templates/antivirus/deployment.yaml" % dirs["base"],
+            "sed -i 's/{{ *\\\\.Values\\\\.features\\\\.virusscan\\\\.infectedFileHandling *| *quote *}}/\"delete\"/' %s/ocis-charts/charts/ocis/templates/antivirus/deployment.yaml" % dirs["base"],
+            "sed -i '/name: ANTIVIRUS_SCANNER_TYPE/{n;s/value: *\"icap\"/value: \"clamav\"/}' %s/ocis-charts/charts/ocis/templates/antivirus/deployment.yaml" % dirs["base"],
+            "sed -i '/- name: ANTIVIRUS_SCANNER_TYPE/i\\\\            - name: ANTIVIRUS_CLAMAV_SOCKET\\\n              value: \"tcp://clamav:3310\"' %s/ocis-charts/charts/ocis/templates/antivirus/deployment.yaml" % dirs["base"],
+        ],
+    }]
+
+def emailServiceK8s():
+    return [{
+        "name": "copy-%s-service" % EMAIL_SMTP_HOST,
+        "image": OC_CI_ALPINE,
+        "commands": [
+            "cp -r %s/tests/config/drone/k8s/mailpit %s/ocis-charts/charts/ocis/templates/" % (dirs["base"], dirs["base"]),
+        ],
+    }]
+
+def exposeEmailServiceK8s():
+    return [{
+        "name": EMAIL_SMTP_HOST,
+        "image": "ghcr.io/k3d-io/k3d:5-dind",
+        "commands": [
+            "kubectl port-forward svc/mailpit %s:%s -n ocis" % (EMAIL_PORT, EMAIL_PORT),
+            "kubectl port-forward svc/mailpit 9174:9174 -n ocis",
+        ],
+        "detach": True,
+    }]
+
+def exposeAntivirusServiceK8s():
+    return [{
+        "name": EMAIL_SMTP_HOST,
+        "image": "ghcr.io/k3d-io/k3d:5-dind",
+        "commands": [
+            "kubectl port-forward svc/antivirus 9297:9277 -n ocis",
+        ],
+        "detach": True,
+    }]
+
 def ociswrapper():
     return [{
         "name": "ociswrapper",
@@ -3846,6 +3889,8 @@ def ociswrapper():
             "until test -f $${KUBECONFIG}; do sleep 1s; done",
             "kubectl get pods -A",
             "kubectl get ingress -A",
+            "kubectl describe pods $(kubectl get pods -n ocis -l app=antivirus -o jsonpath=\"{.items[0].metadata.name}\") -n ocis",
+            "kubectl describe pods $(kubectl get pods -n ocis -l app=postprocessing -o jsonpath=\"{.items[0].metadata.name}\") -n ocis",
             "%s/bin/ociswrapper serve --url https://ocis-server --admin-username admin --admin-password admin --skip-ocis-run" % dirs["ocisWrapper"],
         ],
         "detach": True,

tests/acceptance/features/apiAuthApp/token.feature

@@ -113,7 +113,7 @@ Feature: create auth-app token
 
   @env-config
   Scenario: admin creates auth-app token for other user
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     When user "Admin" creates auth-app token for user "Alice" with expiration time "72h" using the auth-app API
     Then the HTTP status code should be "200"
     And the JSON data of the response should match
@@ -139,7 +139,7 @@ Feature: create auth-app token
 
   @env-config
   Scenario: user deletes the created auth-app token
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     And user "Alice" has created auth-app token with expiration time "72h" using the auth-app API
     And user "Admin" has created auth-app token for user "Alice" with expiration time "72h" using the auth-app API
     When user "Alice" deletes all the created auth-app tokens using the auth-app API
@@ -176,7 +176,7 @@ Feature: create auth-app token
 
   @env-config
   Scenario: admin tries to create auth-app token for other users without expiry
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     When user "Admin" tries to create auth-app token for user "Alice" with expiration time "" using the auth-app API
     Then the HTTP status code should be "400"
     And the content in the response should include the following content:
@@ -187,19 +187,19 @@ Feature: create auth-app token
   @env-config
   Scenario: non-admin user tries to create an auth-app token for another user
     Given user "Brian" has been created with default attributes
-    And the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    And the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     When user "Alice" tries to create auth-app token for user "Brian" with expiration time "72h" using the auth-app API
     Then the HTTP status code should be "403"
 
   @env-config @issue-10815
   Scenario: admin tries to create auth-app token for non-existing user
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     When user "Admin" creates auth-app token for user "Brian" with expiration time "72h" using the auth-app API
     Then the HTTP status code should be "403"
 
   @env-config @issue-10815
   Scenario: admin user tries to delete auth-app token of another user with impersonation enabled
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     And user "Admin" has created auth-app token for user "Alice" with expiration time "72h" using the auth-app API
     When user "Admin" tries to delete the last created auth-app token using the auth-app API
     Then the HTTP status code should be "403"

tests/acceptance/features/apiAuthApp/tokenUsage.feature

@@ -112,7 +112,7 @@ Feature: create auth-app token
 
   @env-config
   Scenario: admin tries to access resource of another user using impersonation token
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     And user "Admin" has created auth-app token for user "Alice" with expiration time "72h" using the auth-app API
     And user "Alice" has uploaded file with content "ownCloud test text file" to "textfile.txt"
     When user "Admin" requests these endpoints with "PROPFIND" using the auth-app token of user "Alice"
@@ -124,7 +124,7 @@ Feature: create auth-app token
 
   @env-config
   Scenario: non-admin user tries to access resource of another user using impersonation token
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     And user "Admin" has created auth-app token for user "Alice" with expiration time "72h" using the auth-app API
     And user "Alice" has uploaded file with content "ownCloud test text file" to "textfile.txt"
     And user "Brian" has been created with default attributes
@@ -144,15 +144,15 @@ Feature: create auth-app token
 
   @env-config
   Scenario: user tries to use expired impersonation token created via impersonation token
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     And user "Admin" has created auth-app token for user "Alice" with expiration time "1s" using the auth-app API
     And user "Alice" has waited "2" second for auth-app token to expire
     When user "Alice" lists all available spaces via the Graph API
     Then the HTTP status code should be "401"
 
   @env-config
   Scenario: user lists their drives using impersonation token
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     And user "Admin" has created auth-app token for user "Alice" with expiration time "72h" using the auth-app API
     When user "Alice" lists all available spaces via the Graph API
     Then the HTTP status code should be "200"

tests/acceptance/features/apiAuthApp/tokenUsingUserId.feature

@@ -8,7 +8,7 @@ Feature: create auth-app token using user-id
 
   @env-config @issue-11063
   Scenario: admin creates auth-app token for another user using user-id
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     When user "Admin" creates app token with user-id for user "Alice" with expiration time "72h" using the auth-app API
     Then the HTTP status code should be "200"
     And the JSON data of the response should match
@@ -56,13 +56,13 @@ Feature: create auth-app token using user-id
 
 
   Scenario: non-admin user tries to create own auth-app token using user-id with impersonation enabled
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     When user "Alice" tries to create app token with user-id for user "Alice" with expiration time "72h" using the auth-app API
     Then the HTTP status code should be "403"
 
   @env-config @issue-11063
   Scenario: non-admin user tries to creates auth-app token for another user using user-id
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     And user "Brian" has been created with default attributes
     When user "Brian" tries to create app token with user-id for user "Alice" with expiration time "72h" using the auth-app API
     Then the HTTP status code should be "403"
@@ -88,7 +88,7 @@ Feature: create auth-app token using user-id
 
   @env-config
   Scenario: admin tries to create auth-app token for another user with user-id and without expiry
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     When user "Admin" tries to create app token with user-id for user "Alice" with expiration time "" using the auth-app API
     Then the HTTP status code should be "400"
     And the content in the response should include the following content:
@@ -98,7 +98,7 @@ Feature: create auth-app token using user-id
 
 
   Scenario: non-admin user tries to create auth-app token for another user using user-id and without expiry
-    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "auth-app" service
+    Given the config "AUTH_APP_ENABLE_IMPERSONATION" has been set to "true" for "authapp" service
     And user "Brian" has been created with default attributes
     When user "Brian" tries to create app token with user-id for user "Alice" with expiration time "" using the auth-app API
     Then the HTTP status code should be "400"

tests/acceptance/features/apiNotification/notification.feature

@@ -134,7 +134,7 @@ Feature: Notification
 
   @env-config
   Scenario: get a notification about a file share in default languages
-    Given the config "OCIS_DEFAULT_LANGUAGE" has been set to "de" for "notifications" service
+    Given the config "OCIS_DEFAULT_LANGUAGE" has been set to "de" for "settings" service
     And user "Alice" has sent the following resource share invitation:
       | resource        | textfile1.txt |
       | space           | Personal      |

tests/config/drone/k8s/clamav/deployment.yaml

@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: clamav
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: clamav
+  template:
+    metadata:
+      labels:
+        app: clamav
+    spec:
+      containers:
+      - name: clamav
+        image: owncloudci/clamavd
+        ports:
+        - containerPort: 3310

tests/config/drone/k8s/clamav/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: clamav
+spec:
+  selector:
+    app: clamav
+  ports:
+    - protocol: TCP
+      port: 3310
+      targetPort: 3310

tests/config/drone/k8s/mailpit/deployment.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mailpit
+  labels:
+    app: mailpit
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mailpit
+  template:
+    metadata:
+      labels:
+        app: mailpit
+    spec:
+      containers:
+        - name: mailpit
+          image: axllent/mailpit:latest
+          ports:
+            - containerPort: 1025
+              name: smtp
+            - containerPort: 8025
+              name: web

tests/config/drone/k8s/mailpit/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mailpit
+spec:
+  selector:
+    app: mailpit
+  ports:
+    - name: smtp
+      port: 1025
+      targetPort: smtp
+      protocol: TCP
+      appProtocol: tcp
+    - name: web
+      port: 8025
+      targetPort: web
+      protocol: TCP

tests/config/drone/k8s/values.yaml

@@ -16,8 +16,21 @@ insecure:
   ocisHttpApiInsecure: true
   ocmInsecure: true
 features:
+  authapp:
+    enabled: true
+  emailNotifications:
+    enabled: true
+    smtp:
+      host: mailpit
+      port: 1025
+      sender: 'oCIS <[email protected]>'
+      authentication: none
+      encryption: none
+    branding:
+      enabled: false
   virusscan:
-    enabled: false
+    enabled: true
+    infectedFileHandling: delete
   policies:
     enabled: false
   ocm:
@@ -115,3 +128,9 @@ services:
       enabled: true
       accessModes:
         - ReadWriteOnce
+  antivirus:
+    events:
+      consumer:
+        concurrency: 10
+secretRefs:
+  notificationsSmtpSecretRef: notifications-smtp-secret