feat: Enable acceptance tests with OrgManager role and OAuth2 password grant #1149
Draft
bonzofenix wants to merge 7 commits into main from
The go-log-cache library's OAuth2 client sends credentials in the request body, but CF's "cf" UAA client requires a Basic auth header. This adds a custom CFOauth2HTTPClient that:
- Sends client_id:client_secret via Basic auth header
- Uses password grant with username/password in form body
- Handles 401 responses with automatic token refresh
- Prevents race conditions with mutex-protected token storage
- Supports token expiration with configurable buffer

This enables the Event Generator to authenticate as org manager users when fetching metrics from Log Cache, instead of requiring dedicated UAA clients with client_credentials.

Files:
- eventgenerator/metric/cf_oauth2_client.go: Custom OAuth2 HTTP client
- eventgenerator/metric/cf_oauth2_client_test.go: Comprehensive tests
- eventgenerator/metric/fetcher_factory.go: Password grant detection
- eventgenerator/metric/fetcher_factory_test.go: Factory tests
- models/uaa_creds.go: GrantType/Username/Password fields
Enable running acceptance tests with separate org manager users instead of requiring full admin privileges. This includes:

Acceptance test configuration:
- Support for existing org/space/user reuse
- Skip service access management option
- Per-PR test user isolation via AUTOSCALER_TEST_USER

New scripts:
- setup-org-manager-user.sh: Create/configure org manager test users
- org-manager-login.sh: Login as org manager
- enable-service-access.sh: Enable service access as admin
- set-security-group.sh: Configure security groups for autoscaler
- register-broker.sh: Register service broker with proper permissions

CI workflow changes:
- Add cleanup, user setup, and security group steps before deployment
- Use register-broker target instead of deploy-register-cf

Acceptance test helpers:
- Org creation/management helpers
- Cleanup improvements for test isolation
- Config support for OrgManager-level permissions
Extend the CF client to support OAuth2 password grant in addition to client_credentials. This enables authentication using org manager user credentials for components that need CF API access.

Changes:
- cf/config.go: Add GrantType, Username, Password fields with validation
- cf/client.go: Add grant type constants
- cf/cfclient_wrapper.go: Use UserPassword config for password grant, switch introspect to use Basic auth directly
- cf/config_test.go: Add password grant validation tests
- cf/cfclient_wrapper_test.go: Add password grant client creation test
The gosec linter no longer flags these lines, making the //nolint:gosec directives unnecessary. Removing them fixes nolintlint errors in CI.
- Add #nosec G704 directives for HTTP client Do() calls in cfclient_wrapper.go and cf_oauth2_client.go (URLs come from trusted CF API endpoints or user configuration)
- Fix config deserialization test to initialize a fresh Config before unmarshaling, preventing state leakage from password grant validation tests
…mments

Use rejected-token comparison in forceRefreshToken() so that when multiple goroutines receive 401s simultaneously, only the first one to acquire the lock refreshes. Others see the token has changed and reuse the new one.

Remove comments that restate what the code does.
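The two mechanisms described in the commit messages above, the Basic-auth password grant request and the rejected-token comparison on refresh, as an added Go sketch that is not the PR's code: CFOauth2HTTPClient and forceRefreshToken are the PR's names, but the struct layout, the fetch callback and passwordGrantRequest are assumptions, and the expiration buffer is left out.

```go
package main

import (
	"context"
	"net/http"
	"net/url"
	"strings"
	"sync"
)

// CFOauth2HTTPClient keeps one cached bearer token behind a mutex, as the PR describes.
// fetch stands in for the UAA /oauth/token call (assumed shape); no expiration buffer here.
type CFOauth2HTTPClient struct {
	mu    sync.Mutex
	token string
	fetch func(ctx context.Context) (string, error)
}

// forceRefreshToken runs after a 401 (or with rejected == "" for the first fetch).
// Only the goroutine whose rejected token still matches the cache refreshes; later
// callers see the cache already changed and reuse the new token instead of fetching again.
func (c *CFOauth2HTTPClient) forceRefreshToken(ctx context.Context, rejected string) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != rejected {
		return c.token, nil
	}
	tok, err := c.fetch(ctx)
	if err == nil {
		c.token = tok
	}
	return tok, err
}

// passwordGrantRequest puts client_id:client_secret in the Basic auth header (what the
// "cf" UAA client requires) and only the user's credentials in the form body.
func passwordGrantRequest(ctx context.Context, tokenURL, clientID, clientSecret, user, pass string) (*http.Request, error) {
	form := url.Values{"grant_type": {"password"}, "username": {user}, "password": {pass}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}
```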
1f2b0ad to a7210a4
…pecs

The cf_oauth2_client_test.go used package metric (white-box) with its own TestCFOauth2HTTPClient/RunSpecs entry point. This caused Ginkgo to fail when running go test because TestMetricsSuite also calls RunSpecs in the same process — Ginkgo does not support rerunning suites.

Convert to package metric_test so all specs run under the single TestMetricsSuite runner. Replace internal field assertions with behavioral tests that verify URL handling via actual HTTP requests.
d9d9381 to 6fc8f35
Summary
- CFOauth2HTTPClient that authenticates via Basic Auth header (required by CF's "cf" UAA client) instead of request body. Handles token refresh, expiration, and concurrent access safely.
- go-cfclient/v3 wrapper to support both client_credentials and password grant types, with proper validation.

Key files
- eventgenerator/metric/cf_oauth2_client.go, fetcher_factory.go, models/uaa_creds.go
- cf/config.go, cf/cfclient_wrapper.go, cf/client.go
- acceptance/config/, acceptance/helpers/, acceptance/broker/
- scripts/setup-org-manager-user.sh, scripts/register-broker.sh, scripts/enable-service-access.sh, scripts/set-security-group.sh
- .github/workflows/acceptance_tests_reusable.yaml, Makefile

Supersedes #922 (converted to draft) with a clean 3-commit history rebased on main.

Test plan
- eventgenerator/metric/ (OAuth2 client + fetcher factory)
- cf/ (config validation + wrapper password grant)