Merge branch 'master' into ib/bump-vite

Author: ibodrov

it/server/src/test/java/com/walmartlabs/concord/it/server/AbstractGitHubTriggersIT.java

@@ -155,7 +155,7 @@ protected int waitForProcessesToFinish() throws Exception {
         }
     }
 
-    protected void expectNoProceses(String orgName, String projectName, OffsetDateTime afterCreatedAt) throws Exception {
+    protected void expectNoProcesses(String orgName, String projectName, OffsetDateTime afterCreatedAt) throws Exception {
         ProcessV2Api processApi = new ProcessV2Api(getApiClient());
         ProcessListFilter filter = ProcessListFilter.builder()
                 .orgName(orgName)

it/server/src/test/java/com/walmartlabs/concord/it/server/GitHubTriggersV2IT.java

@@ -21,7 +21,6 @@
  */
 
 import com.walmartlabs.concord.client2.*;
-import com.walmartlabs.concord.client2.ProcessListFilter;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 
@@ -43,21 +42,9 @@ public void tearDown() throws Exception {
     }
 
     /**
-     * Test subscription to unknown repositories only:
-     * <pre>
-     * # project A
-     * # a default onPush trigger for the default branch
-     * triggers:
-     *   - github:
-     *       entryPoint: onPush
-     *
-     * # project G
-     * # accepts only specific commit authors
-     * triggers:
-     *   - github:
-     *       author: ".*xyz.*"
-     *       entryPoint: onPush
-     * </pre>
+     * Checks if "conditions->sender" works.
+     * Tests filtering by "sender" in events that originate from "known"
+     * and "unknown" (not registered in any Concord project) GitHub repositories.
      */
     @Test
     public void testFilterBySender() throws Exception {
@@ -66,47 +53,41 @@ public void testFilterBySender() throws Exception {
         String orgXName = "orgX_" + randomString();
         orgApi.createOrUpdateOrg(new OrganizationEntry().name(orgXName));
 
-        Path repo = initRepo("githubTests/repos/v2/defaultTrigger");
-        String branch = "branch_" + randomString();
-        createNewBranch(repo, branch, "githubTests/repos/v2/defaultTriggerWithSender");
-
-        // Project A
-        // master branch + a default trigger
+        // project A uses a default trigger without conditions
+        // should trigger on any event for the matching "known" repository
+        // i.e. the event must come from a GitHub URL that is added to a Concord project
         String projectAName = "projectA_" + randomString();
         String repoAName = "repoA_" + randomString();
         Path projectARepo = initProjectAndRepo(orgXName, projectAName, repoAName, null, initRepo("githubTests/repos/v2/defaultTrigger"));
         refreshRepo(orgXName, projectAName, repoAName);
 
-        // Project G
-        // accepts only specific commit authors
+        // project G accepts only specific event senders but from any repository
+        // (including events from GitHub URLs that are not registered in any Concord project)
         String projectGName = "projectG_" + randomString();
         String repoGName = "repoG_" + randomString();
-        Path projectBRepo = initProjectAndRepo(orgXName, projectGName, repoGName, null, initRepo("githubTests/repos/v2/defaultTriggerWithSender"));
+        initProjectAndRepo(orgXName, projectGName, repoGName, null, initRepo("githubTests/repos/v2/anyRepoWithSender"));
         refreshRepo(orgXName, projectGName, repoGName);
 
-        // ---
-
+        // send an a projectARepo event from a random sender
         sendEvent("githubTests/events/direct_branch_push.json", "push",
                 "_FULL_REPO_NAME", toRepoName(projectARepo),
                 "_REF", "refs/heads/master",
-                "_USER_NAME", "aknowndude",
+                "_USER_NAME", "arandomdude" + randomString(),
                 "_USER_LDAP_DN", "");
 
         // A's triggers should be activated
-        ProcessEntry procA = waitForAProcess(orgXName, projectAName, "github");
-        expectNoProceses(orgXName, projectGName, null);
-
-        // ---
+        waitForAProcess(orgXName, projectAName, "github");
+        // G's triggers should NOT be activated, the event is not from not the right sender
+        expectNoProcesses(orgXName, projectGName, null);
 
         // see https://github.com/walmartlabs/concord/issues/435
         // wait a bit to reliably filter out subsequent processes of projectA
         Thread.sleep(1000);
         OffsetDateTime now = OffsetDateTime.now().truncatedTo(ChronoUnit.SECONDS);
 
-        // ---
-
+        // send an a projectARepo event (again), this time from the user expected by the G trigger
         sendEvent("githubTests/events/direct_branch_push.json", "push",
-                "_FULL_REPO_NAME", toRepoName(projectBRepo),
+                "_FULL_REPO_NAME", "org" + randomString() + "/" + "repo" + randomString(), // a random ("unknown") GitHub repository
                 "_REF", "refs/heads/master",
                 "_USER_NAME", "somecooldude",
                 "_USER_LDAP_DN", "");
@@ -115,9 +96,9 @@ public void testFilterBySender() throws Exception {
         waitForAProcess(orgXName, projectGName, "github");
 
         // no A's are expected
-        expectNoProceses(orgXName, projectAName, now);
+        expectNoProcesses(orgXName, projectAName, now);
 
-        // ---
+        // clean up
 
         deleteOrg(orgXName);
     }

it/server/src/test/java/com/walmartlabs/concord/it/server/LdapIT.java

@@ -19,21 +19,32 @@
  * =====
  */
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.walmartlabs.concord.client2.*;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
 import javax.naming.Context;
 import javax.naming.NameAlreadyBoundException;
 import javax.naming.directory.*;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.util.Base64;
+import java.util.Map;
 import java.util.Properties;
+import java.util.UUID;
 
 import static com.walmartlabs.concord.it.common.ITUtils.archive;
 import static com.walmartlabs.concord.it.common.ServerClient.assertLog;
 import static com.walmartlabs.concord.it.common.ServerClient.waitForCompletion;
+import static com.walmartlabs.concord.it.common.ServerClient.waitForStatus;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
@@ -44,6 +55,7 @@ public class LdapIT extends AbstractServerIT {
     private static final String GROUP_OU = "ou=groups,dc=example,dc=org";
     private static final String USER_OU = "ou=users,dc=example,dc=org";
     private static DirContext ldapCtx;
+    private static final HttpClient HTTP_CLIENT = HttpClient.newBuilder().build();
 
     @BeforeAll
     public static void createLdapStructure() throws Exception {
@@ -92,7 +104,6 @@ public void testLdapUserGroups() throws Exception {
         byte[] ab = getLog(pir.getInstanceId());
         String groupDn = "cn=" + groupName + "," + GROUP_OU;
         assertLog(".*" + groupDn + ".*", ab);
-
     }
 
     @Test
@@ -136,6 +147,140 @@ void testDisableLdapUser() throws Exception {
         assertTrue(ue.getPermanentlyDisabled());
     }
 
+    @Test
+    void testSubmitFormRunAsGroupWithApiKey() throws Exception {
+        // create users in ldap
+        String noGroupUser = "noGroupUser" + randomString();
+        createLdapUser(noGroupUser);
+
+        String username = "runAsUser" + randomString();
+        createLdapUser(username);
+
+        // create group
+        String groupName = "RunAsGroup" + randomString();
+        createLdapGroupWithUser(groupName, username);
+
+        UsersApi usersApi = new UsersApi(getApiClient());
+        usersApi.createOrUpdateUser(new CreateUserRequest()
+                .username(username)
+                .type(CreateUserRequest.TypeEnum.LDAP));
+        usersApi.createOrUpdateUser(new CreateUserRequest()
+                .username(noGroupUser)
+                .type(CreateUserRequest.TypeEnum.LDAP));
+
+        String noGroupApiKey = createApiKey(noGroupUser);
+        String validUserApiKey = createApiKey(username);
+
+        setApiKey(validUserApiKey);
+
+        // --- execute form
+
+        byte[] payload = archive(LdapIT.class.getResource("ldapFormRunAs").toURI());
+        StartProcessResponse spr = start(Map.of(
+                "archive", payload,
+                "arguments.ldapGroupName", groupName
+        ));
+        assertNotNull(spr.getInstanceId());
+
+
+        // ---
+
+        ProcessEntry pir = waitForStatus(getApiClient(), spr.getInstanceId(), ProcessEntry.StatusEnum.SUSPENDED);
+
+        // --- try to get with user not in group (expect no permission)
+
+        ApiException noGroupEx = assertThrows(ApiException.class, () ->
+                new ProcessFormsApi(getApiClientForKey(noGroupApiKey)).getProcessForm(pir.getInstanceId(), "myForm"));
+
+        assertEquals(403, noGroupEx.getCode());
+        assertTrue(noGroupEx.getMessage().contains("doesn't have the necessary permissions to resume process. Expected LDAP group(s) '[CN=RunAsGroup"));
+
+        // --- get form with user in expected ldap group
+
+        ProcessFormsApi formsApi = new ProcessFormsApi(getApiClientForKey(validUserApiKey));
+
+        FormInstanceEntry form = formsApi.getProcessForm(pir.getInstanceId(), "myForm");
+
+        assertEquals("myForm", form.getName());
+        assertEquals(1, form.getFields().size());
+        assertEquals("inputName", form.getFields().get(0).getName());
+        assertEquals("string", form.getFields().get(0).getType());
+
+        // --- submit form with user in expected ldap group
+
+        formsApi.submitForm(pir.getInstanceId(), "myForm", Map.of("inputName", "testuser"));
+
+        waitForStatus(getApiClient(), spr.getInstanceId(), ProcessEntry.StatusEnum.FINISHED);
+
+        byte[] ab = getLog(pir.getInstanceId());
+        assertLog(".*Submitted name: testuser.*", ab);
+    }
+
+    @Test
+    void testSubmitFormRunAsGroupWithPassword() throws Exception {
+        // create users in ldap
+        String noGroupUser = "noGroupUser" + randomString();
+        createLdapUser(noGroupUser);
+
+        String username = "runAsUser" + randomString();
+        createLdapUser(username);
+
+        // create group
+        String groupName = "RunAsGroup" + randomString();
+        createLdapGroupWithUser(groupName, username);
+
+        UsersApi usersApi = new UsersApi(getApiClient());
+        usersApi.createOrUpdateUser(new CreateUserRequest()
+                .username(username)
+                .type(CreateUserRequest.TypeEnum.LDAP));
+        usersApi.createOrUpdateUser(new CreateUserRequest()
+                .username(noGroupUser)
+                .type(CreateUserRequest.TypeEnum.LDAP));
+
+        String validUserApiKey = createApiKey(username);
+
+        setApiKey(validUserApiKey);
+
+        // --- execute form
+
+        byte[] payload = archive(LdapIT.class.getResource("ldapFormRunAs").toURI());
+        StartProcessResponse spr = start(Map.of(
+                "archive", payload,
+                "arguments.ldapGroupName", groupName
+        ));
+        assertNotNull(spr.getInstanceId());
+
+        // ---
+
+        ProcessEntry pir = waitForStatus(getApiClient(), spr.getInstanceId(), ProcessEntry.StatusEnum.SUSPENDED);
+
+        // --- try to get with user not in group (expect no permission)
+
+        ApiException noGroupEx = assertThrows(ApiException.class, () ->
+                getFormHttpClient(getApiClient().getBaseUrl(), pir.getInstanceId(), "myForm", noGroupUser, noGroupUser));
+
+        assertEquals(403, noGroupEx.getCode());
+        assertTrue(noGroupEx.getResponseBody().contains("doesn't have the necessary permissions to resume process. Expected LDAP group(s) '[CN=RunAsGroup"));
+
+        // --- get form with user in expected ldap group
+
+        FormInstanceEntry form = getFormHttpClient(getApiClient().getBaseUrl(), pir.getInstanceId(), "myForm", username, username);
+
+        assertEquals("myForm", form.getName());
+        assertEquals(1, form.getFields().size());
+        assertEquals("inputName", form.getFields().get(0).getName());
+        assertEquals("string", form.getFields().get(0).getType());
+
+        // --- submit form with user in expected ldap group
+
+        submitFormHttpClient(getApiClient().getBaseUrl(), pir.getInstanceId(), "myForm", Map.of("inputName", "testuser"), username, username);
+
+        waitForStatus(getApiClient(), spr.getInstanceId(), ProcessEntry.StatusEnum.FINISHED);
+
+        byte[] ab = getLog(pir.getInstanceId());
+        assertLog(".*Submitted name: testuser.*", ab);
+    }
+
     public static DirContext createContext() throws Exception {
         String url = System.getenv("IT_LDAP_URL");
         String connectionType = "simple";
@@ -176,6 +321,7 @@ private static void createLdapUser(String username) throws Exception {
         Attribute uid = new BasicAttribute("uid", username);
         Attribute cn = new BasicAttribute(COMMON_NAME, username);
         Attribute sn = new BasicAttribute("sn", username);
+        Attribute userPassword = new BasicAttribute("userPassword", username);
 
         Attribute objectClass = new BasicAttribute(OBJECT_CLASS);
         objectClass.add("top");
@@ -186,6 +332,7 @@ private static void createLdapUser(String username) throws Exception {
         attributes.put(uid);
         attributes.put(cn);
         attributes.put(sn);
+        attributes.put(userPassword);
         attributes.put(objectClass);
 
         try {
@@ -216,4 +363,49 @@ private static void createLdapGroupWithUser(String groupName, String username) t
             // already exists, ignore
         }
     }
+
+    private String createApiKey(String username) throws Exception {
+        ApiKeysApi apiKeyResource = new ApiKeysApi(getApiClient());
+        CreateApiKeyResponse cakr = apiKeyResource.createUserApiKey(new CreateApiKeyRequest()
+                .username(username)
+                .userType(CreateApiKeyRequest.UserTypeEnum.LDAP));
+
+        return cakr.getKey();
+    }
+
+    private FormInstanceEntry getFormHttpClient(String baseUrl, UUID instanceId, String formName, String username, String password) throws Exception {
+        HttpRequest req = HttpRequest.newBuilder(URI.create(baseUrl + "/api/v1/process/" + instanceId + "/form/" + formName))
+                .GET()
+                .header("Authorization", "Basic " + Base64.getEncoder().encodeToString((username + ":" + password).getBytes()))
+                .build();
+
+        HttpResponse<InputStream> resp = HTTP_CLIENT.send(req, HttpResponse.BodyHandlers.ofInputStream());
+
+        try (InputStream is = resp.body()) {
+            if (resp.statusCode() != 200) {
+                throw new ApiException(resp.statusCode(), resp.headers(), new String(is.readAllBytes()));
+            }
+
+            return new ObjectMapper().readValue(resp.body(), FormInstanceEntry.class);
+        }
+    }
+
+    private void submitFormHttpClient(String baseUrl, UUID instanceId, String formName, Map<String, Object> data, String username, String password) throws Exception {
+        ObjectMapper mapper = new ObjectMapper();
+        String requestBody = mapper.writeValueAsString(data);
+
+        HttpRequest req = HttpRequest.newBuilder(URI.create(baseUrl + "/api/v1/process/" + instanceId + "/form/" + formName))
+                .POST(HttpRequest.BodyPublishers.ofString(requestBody))
+                .header("Content-Type", "application/json")
+                .header("Authorization", "Basic " + Base64.getEncoder().encodeToString((username + ":" + password).getBytes()))
+                .build();
+
+        HttpResponse<InputStream> resp = HTTP_CLIENT.send(req, HttpResponse.BodyHandlers.ofInputStream());
+
+        try (InputStream is = resp.body()) {
+            if (resp.statusCode() != 200) {
+                throw new ApiException(resp.statusCode(), resp.headers(), new String(resp.body().readAllBytes()));
+            }
+        }
+    }
 }

it/server/src/test/resources/com/walmartlabs/concord/it/server/githubTests/repos/v2/defaultTriggerWithSender/concord.yml renamed to it/server/src/test/resources/com/walmartlabs/concord/it/server/githubTests/repos/v2/anyRepoWithSender/concord.yml

@@ -7,4 +7,7 @@ triggers:
       entryPoint: "onPush"
       version: 2
       conditions:
+        githubOrg: ".*"
+        githubRepo: ".*"
+        type: ".*"
         sender: ".*some.*dude.*"

it/server/src/test/resources/com/walmartlabs/concord/it/server/ldapFormRunAs/concord.yml

@@ -0,0 +1,9 @@
+flows:
+  default:
+    - form: myForm
+      fields:
+        - inputName: { label: "name", type: "string" }
+      runAs:
+        ldap:
+          - group: "CN=${ldapGroupName},.*"
+    - log: "Submitted name: ${myForm.inputName}"