add SystemResourceIT

Author: benbroadaway

it/server/src/test/java/com/walmartlabs/concord/it/server/AbstractServerIT.java

@@ -245,6 +245,25 @@ protected void withProject(String orgName, Consumer<String> consumer) throws Exc
         }
     }
 
+    protected UserInfo addUser(String username, Set<String> roles) throws ApiException {
+        var usersApi = new UsersApi(getApiClient());
+        var user = usersApi.createOrUpdateUser(new CreateUserRequest().username(username)
+                .type(CreateUserRequest.TypeEnum.LOCAL));
+
+        if (!roles.isEmpty()) {
+            usersApi.updateUserRoles(username, new UpdateUserRolesRequest()
+                    .roles(roles));
+        }
+
+        var apiKeysApi = new ApiKeysApi(getApiClient());
+        var apiKeyResp = apiKeysApi.createUserApiKey(new CreateApiKeyRequest()
+                .userId(user.getId()));
+
+        return new UserInfo(username, user.getId(), apiKeyResp.getKey());
+    }
+
+    protected record UserInfo(String username, UUID userId, String apiKey) { }
+
     @FunctionalInterface
     public interface Consumer<T> {
         void accept(T t) throws Exception;

it/server/src/test/java/com/walmartlabs/concord/it/server/SystemResourceIT.java

@@ -0,0 +1,72 @@
+package com.walmartlabs.concord.it.server;
+
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2018 Walmart Inc.
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
+import com.walmartlabs.concord.client2.ApiException;
+import com.walmartlabs.concord.client2.SystemApi;
+import org.junit.jupiter.api.Test;
+
+import java.net.URI;
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class ExternalTokenProviderIT extends AbstractServerIT {
+
+    private static final URI URI001 = URI.create("https://github001.local/owner/repo.git");
+    private static final URI URI002 = URI.create("https://github002.local/owner/repo.git");
+
+    @Test
+    void testGetExternalToken() throws Exception {
+        // user with externalTokenLookup role
+        var userBName = "user_external_token_lookup_" + randomString();
+        var externalTokenLookupUser = addUser(userBName, Set.of("externalTokenLookup"));
+
+        // get system-provided token with externalTokenLookup role
+        var systemApi = new SystemApi(getApiClientForKey(externalTokenLookupUser.apiKey()));
+        var token = assertDoesNotThrow(() -> systemApi.getExternalToken(URI001));
+        assertEquals("mock-token", token.getToken());
+        assertNull(token.getUsername());
+
+        // again, but from config that provides username
+        token = assertDoesNotThrow(() -> systemApi.getExternalToken(URI002));
+        assertEquals("mock-token", token.getToken());
+        assertNotNull(token.getUsername());
+        assertEquals("customUser", token.getUsername());
+    }
+
+    @Test
+    void testGetExternalTokenNoPermission() throws Exception {
+        // user with no roles
+        var userAName = "user_basic_" + randomString();
+        var noRolesUser = addUser(userAName, Set.of());
+
+        // attempt to get system-provided token with insufficient privileges
+        var systemApiNoPerm = new SystemApi(getApiClientForKey(noRolesUser.apiKey()));
+        var ex1 = assertThrows(ApiException.class, () -> systemApiNoPerm.getExternalToken(URI001));
+        assertEquals(403, ex1.getCode());
+    }
+
+}

it/server/src/test/java/com/walmartlabs/concord/it/server/UserResourceV2IT.java

@@ -21,13 +21,8 @@
  */
 
 import com.walmartlabs.concord.client2.ApiException;
-import com.walmartlabs.concord.client2.ApiKeysApi;
-import com.walmartlabs.concord.client2.CreateApiKeyRequest;
-import com.walmartlabs.concord.client2.CreateUserRequest;
-import com.walmartlabs.concord.client2.UpdateUserRolesRequest;
 import com.walmartlabs.concord.client2.UserEntry;
 import com.walmartlabs.concord.client2.UserV2Api;
-import com.walmartlabs.concord.client2.UsersApi;
 import org.junit.jupiter.api.Test;
 
 import java.util.Set;
@@ -61,28 +56,10 @@ void testGetUser() throws Exception {
         assertEquals(user.getId(), noRolesUser.userId());
     }
 
-    private UserEntry getUser(UserInfo userInfo, UUID userToGet) throws ApiException {
+    protected UserEntry getUser(UserInfo userInfo, UUID userToGet) throws ApiException {
         var apiClient = new UserV2Api(getApiClientForKey(userInfo.apiKey()));
 
         return apiClient.getUser(userToGet);
     }
 
-    private UserInfo addUser(String username, Set<String> roles) throws ApiException {
-        var usersApi = new UsersApi(getApiClient());
-        var user = usersApi.createOrUpdateUser(new CreateUserRequest().username(username)
-                .type(CreateUserRequest.TypeEnum.LOCAL));
-
-        if (!roles.isEmpty()) {
-            usersApi.updateUserRoles(username, new UpdateUserRolesRequest()
-                    .roles(roles));
-        }
-
-        var apiKeysApi = new ApiKeysApi(getApiClient());
-        var apiKeyResp = apiKeysApi.createUserApiKey(new CreateApiKeyRequest()
-                .userId(user.getId()));
-
-        return new UserInfo(username, user.getId(), apiKeyResp.getKey());
-    }
-
-    private record UserInfo(String username, UUID userId, String apiKey) { }
 }

it/server/src/test/resources/agent.conf

@@ -20,4 +20,14 @@ concord-agent {
         apiKey = "cTJxMnEycTI="
         processRequestDelay = "250 milliseconds"
     }
+
+    externalTokenProvider {
+        enabled = true
+        # Regex matching URI host + port + path for providing lookup for
+        # external auth tokens. URI scheme is ignored. Requires externalTokenLookup
+        # permission for the client user.
+        # e.g. "github.com/my-org/" or "github.com/(orgA|orgB))/"
+        urlPattern = "github(\d+).local/.*"
+    }
+
 }

it/server/src/test/resources/server.conf

@@ -23,6 +23,13 @@ concord-server {
         secret = "12345"
         useSenderLdapDn = true
         disableReposOnDeletedRef = true
+
+        appInstallation {
+            auth = [
+                { type = "OAUTH_TOKEN",                          urlPattern = "(?<baseUrl>github001.local)/", token = "mock-token" },
+                { type = "OAUTH_TOKEN", username = "customUser", urlPattern = "(?<baseUrl>github002.local)/", token = "mock-token" },
+            ]
+        }
     }
 
     git {