replace test harness with testcontainers (#469)

* Rework as in remove existing test harness and use testcontainers instead * Create SBOM files as part of the release * Fix topaz [ds|az] test exec --stdin does not work #472
aserto-dev · Oct 10, 2024 · 81f87e8 · 81f87e8
1 parent b5e9e98
commit 81f87e8
Show file tree

Hide file tree

Showing 76 changed files with 1,948 additions and 1,555 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -23,18 +23,52 @@ env:
   GO_RELEASER_VERSION: "v2.3.2"
   GO_LANGCI_LINT_VERSION: "v1.61.0"
   GO_TESTSUM_VERSION: "1.11.0"
+  SYFT_VERSION: "1.13.0"
 
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
+      -
+        name: Read Configuration
+        uses: hashicorp/vault-action@v3
+        id: vault
+        with:
+          url: https://vault.eng.aserto.com/
+          token: ${{ secrets.VAULT_TOKEN }}
+          secrets: |
+            kv/data/github  "SSH_PRIVATE_KEY"     | SSH_PRIVATE_KEY;
+            kv/data/github  "USERNAME"            | DOCKER_USERNAME;
+            kv/data/github  "DOCKER_PUSH_TOKEN"   | DOCKER_PASSWORD;
+            kv/data/github  "READ_WRITE_TOKEN"    | READ_WRITE_TOKEN;
       -
         uses: actions/checkout@v4
       -
         name: Setup Go
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
+      -
+        name: Setup QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Login to GitHub Packages Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: https://ghcr.io
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
+      -
+        name: Docker SSH Setup
+        run: |
+          mkdir -p $HOME/.ssh
+          umask 0077 && echo -e "${SSH_PRIVATE_KEY}" > $HOME/.ssh/id_rsa
+          ssh-keyscan github.com >> $HOME/.ssh/known_hosts
+          git config --global url."[email protected]:".insteadOf https://github.com/
+          git config --global user.email "[email protected]"
+          git config --global user.name "Aserto Bot"
+          eval `ssh-agent`
+          ssh-add $HOME/.ssh/id_rsa
       -
         name: Build
         uses: goreleaser/goreleaser-action@v6
@@ -50,6 +84,15 @@ jobs:
         with:
           version: ${{ env.GO_LANGCI_LINT_VERSION }}
           args: --timeout=30m
+      -
+        name: Test Snapshot
+        uses: goreleaser/goreleaser-action@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          distribution: goreleaser
+          version: ${{ env.GO_RELEASER_VERSION }}
+          args: release --clean --snapshot --config .goreleaser-test.yml
       -
         name: Test Setup
         uses: gertd/[email protected]
@@ -58,11 +101,7 @@ jobs:
       -
         name: Test
         run: |
-          gotestsum --format short-verbose -- -count=1 -parallel=1 -v -timeout=120s -coverprofile=cover.out -coverpkg=./... github.com/aserto-dev/topaz/pkg/app/tests/authz/...
-          gotestsum --format short-verbose -- -count=1 -parallel=1 -v -timeout=120s -coverprofile=cover.out -coverpkg=./... github.com/aserto-dev/topaz/pkg/app/tests/builtin/...
-          gotestsum --format short-verbose -- -count=1 -parallel=1 -v -timeout=120s -coverprofile=cover.out -coverpkg=./... github.com/aserto-dev/topaz/pkg/app/tests/manifest/...
-          gotestsum --format short-verbose -- -count=1 -parallel=1 -v -timeout=120s -coverprofile=cover.out -coverpkg=./... github.com/aserto-dev/topaz/pkg/app/tests/policy/...
-          gotestsum --format short-verbose -- -count=1 -parallel=1 -v -timeout=120s -coverprofile=cover.out -coverpkg=./... github.com/aserto-dev/topaz/pkg/app/tests/query/...
+          gotestsum --format short-verbose -- -count=1 -parallel=1 -v -timeout=120s -coverprofile=cover.out -coverpkg=./... ./...
       -
         name: Upload code coverage
         uses: shogo82148/actions-goveralls@v1
@@ -189,6 +228,10 @@ jobs:
           git config --global user.name "Aserto Bot"
           eval `ssh-agent`
           ssh-add $HOME/.ssh/id_rsa
+      -
+        name: Setup syft
+        run: |
+          brew install syft
       -
         name: Release
         uses: goreleaser/goreleaser-action@v6

diff --git a/.gitignore b/.gitignore
@@ -22,6 +22,7 @@
 .opa/
 /bundle/
 /dist/
+/test/
 
 # runtime directories
 /cfg/

diff --git a/.goreleaser-test.yml b/.goreleaser-test.yml
@@ -0,0 +1,107 @@
+version: 2
+
+project_name: topaz
+
+env:
+  # https://goreleaser.com/customization/env/
+  - REGISTRY=ghcr.io
+  - ORG=aserto-dev
+  - REPO=topaz
+  - DESCRIPTION="Topaz Authorization Service"
+  - LICENSE=Apache-2.0
+
+before:
+  # https://goreleaser.com/customization/hooks/
+  hooks:
+
+# https://goreleaser.com/customization/dist/
+dist: test
+
+builds:
+  # https://goreleaser.com/customization/build/
+  - id: topazd
+    main: ./cmd/topazd
+    binary: topazd
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    env:
+      - CGO_ENABLED=0
+    ldflags:
+      - -s
+      - -w
+      - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/pkg/version.ver={{.Version}}
+      - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/pkg/version.commit={{.ShortCommit}}
+      - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/pkg/version.date={{.Date}}
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+  - id: topaz
+    main: ./cmd/topaz
+    binary: topaz
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    env:
+      - CGO_ENABLED=0
+    ldflags:
+      - -s
+      - -w
+      - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/pkg/version.ver={{.Version}}
+      - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/pkg/version.commit={{.ShortCommit}}
+      - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/pkg/version.date={{.Date}}
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+snapshot:
+  # https://goreleaser.com/customization/snapshots/
+  version_template: "test-{{ .ShortCommit }}"
+
+dockers:
+  # https://goreleaser.com/customization/docker/
+  - use: buildx
+    goos: linux
+    goarch: amd64
+    image_templates:
+      - &amd64-image "{{ .Env.REGISTRY }}/{{ .Env.ORG }}/{{ .Env.REPO }}:{{ .Version }}-amd64"
+    skip_push: false
+    dockerfile: Dockerfile.goreleaser
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.source=https://github.com/{{ .Env.ORG }}/{{ .Env.REPO }}"
+      - "--label=org.opencontainers.image.description={{ .Env.DESCRIPTION }}"
+      - "--label=org.opencontainers.image.licenses={{ .Env.LICENSE }}"
+
+  - use: buildx
+    goos: linux
+    goarch: arm64
+    image_templates:
+      - &arm64-image "{{ .Env.REGISTRY }}/{{ .Env.ORG }}/{{ .Env.REPO }}:{{ .Version }}-arm64"
+    skip_push: false
+    dockerfile: Dockerfile.goreleaser
+    build_flag_templates:
+      - "--platform=linux/arm64/v8"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.source=https://github.com/{{ .Env.ORG }}/{{ .Env.REPO }}"
+      - "--label=org.opencontainers.image.description={{ .Env.DESCRIPTION }}"
+      - "--label=org.opencontainers.image.licenses={{ .Env.LICENSE }}"
+
+docker_manifests:
+  # https://goreleaser.com/customization/docker_manifest/
+  - name_template: "{{ .Env.REGISTRY }}/{{ .Env.ORG }}/{{ .Env.REPO }}:latest"
+    image_templates: [*amd64-image, *arm64-image]
+  - name_template: "{{ .Env.REGISTRY }}/{{ .Env.ORG }}/{{ .Env.REPO }}:{{ .Major }}"
+    image_templates: [*amd64-image, *arm64-image]
+  - name_template: "{{ .Env.REGISTRY }}/{{ .Env.ORG }}/{{ .Env.REPO }}:{{ .Major }}.{{ .Minor }}"
+    image_templates: [*amd64-image, *arm64-image]
+  - name_template: "{{ .Env.REGISTRY }}/{{ .Env.ORG }}/{{ .Env.REPO }}:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
+    image_templates: [*amd64-image, *arm64-image]
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -205,3 +205,21 @@ docker_manifests:
     image_templates: [*amd64-image, *arm64-image]
   - name_template: "{{ .Env.REGISTRY }}/{{ .Env.ORG }}/{{ .Env.REPO }}:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
     image_templates: [*amd64-image, *arm64-image]
+
+sboms:
+  # https://goreleaser.com/customization/sbom/
+  - id: default
+    documents:
+      - "${artifact}.spdx.sbom.json"
+    cmd: syft
+    args:
+      - "$artifact"
+      - "--output" 
+      - "spdx-json=$document"
+    env:
+      - SYFT_FILE_METADATA_CATALOGER_ENABLED=true 
+    artifacts: binary
+    ids:
+      - topaz
+      - topazd
+      # - topaz-db
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -160,6 +160,7 @@
     "rlcp",
     "runtimes",
     "samber",
+    "sboms",
     "sirupsen",
     "statefulset",
     "staticcheck",
@@ -169,6 +170,7 @@
     "structpb",
     "stylecheck",
     "sver",
+    "syft",
     "tcell",
     "templ",
     "testdata",

diff --git a/Dockerfile.test b/Dockerfile.test
@@ -0,0 +1,18 @@
+FROM alpine
+
+ARG GOARCH
+
+RUN apk add --no-cache bash tzdata ca-certificates
+
+RUN mkdir /config && \
+    mkdir /certs && \
+    mkdir /db && \
+    mkdir /decisions
+VOLUME ["/config", "/certs", "/db", "/decisions"]
+
+WORKDIR /app
+
+COPY dist/topaz*_linux_${GOARCH}/topaz* /app/
+
+ENTRYPOINT ["./topazd"]
+CMD ["run", "-c", "/config/config.yaml"]
diff --git a/assets/acmecorp.json b/assets/acmecorp.json
@@ -0,0 +1,18 @@
+{
+    "name": "acmecorp",
+    "description": "Acmecorp directory instance",
+    "assets": {
+        "manifest": "acmecorp/manifest.yaml",
+        "policy": {
+            "name": "acmecorp",
+            "resource": "ghcr.io/aserto-policies/policy-rebac:latest"
+        },
+        "idp_data": [
+            "acmecorp/acmecorp_objects.json",
+            "acmecorp/acmecorp_relations.json"
+        ],
+        "domain_data": [
+        ],
+        "assertions": []
+    }
+}
diff --git a/assets/assets.go b/assets/assets.go
@@ -0,0 +1,35 @@
+package assets_test
+
+import (
+	"bytes"
+	_ "embed"
+	"io"
+)
+
+//go:embed config/config.yaml
+var config []byte
+
+func ConfigReader() io.Reader {
+	return bytes.NewReader(config)
+}
+
+//go:embed config/peoplefinder.yaml
+var configOnline []byte
+
+func PeoplefinderConfigReader() io.Reader {
+	return bytes.NewReader(configOnline)
+}
+
+//go:embed gdrive/manifest.yaml
+var manifest []byte
+
+func ManifestReader() io.Reader {
+	return bytes.NewReader(manifest)
+}
+
+//go:embed db/acmecorp.db
+var acmecorp []byte
+
+func AcmecorpReader() io.Reader {
+	return bytes.NewReader(acmecorp)
+}
diff --git a/assets/citadel.json b/assets/citadel.json
@@ -0,0 +1,18 @@
+{
+    "name": "citadel",
+    "description": "Citadel directory instance",
+    "assets": {
+        "manifest": "citadel/manifest.yaml",
+        "policy": {
+            "name": "citadel",
+            "resource": "ghcr.io/aserto-policies/policy-rebac:latest"
+        },
+        "idp_data": [
+            "citadel/citadel_objects.json",
+            "citadel/citadel_relations.json"
+        ],
+        "domain_data": [
+        ],
+        "assertions": []
+    }
+}