OIDC auth implemented, tests updated
This commit is contained in:
parent
88918c602a
commit
7417ce44e5
|
@ -19,7 +19,8 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"addons": {
|
"addons": {
|
||||||
"localstorage": {}
|
"localstorage": {},
|
||||||
|
"oidc": { "loginRedirectUri": "/oauth_callback" }
|
||||||
},
|
},
|
||||||
"manifestVersion": 2,
|
"manifestVersion": 2,
|
||||||
"website": "http://www.minio.io",
|
"website": "http://www.minio.io",
|
||||||
|
|
|
@ -5,3 +5,15 @@ Please use the following credentials to login:
|
||||||
|
|
||||||
Please change the credentials immediately by following this [guide](https://cloudron.io/documentation/apps/minio/#admin-credentials).
|
Please change the credentials immediately by following this [guide](https://cloudron.io/documentation/apps/minio/#admin-credentials).
|
||||||
|
|
||||||
|
By default, Cloudron users have `readwrite` access policy.
|
||||||
|
If you'd like to change it, you should create a respective policy by following [Minio documentation](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html)
|
||||||
|
|
||||||
|
After that you should add the variable MINIO_IDENTITY_OPENID_ROLE_POLICY in /app/data/env.sh, e.g.
|
||||||
|
|
||||||
|
```
|
||||||
|
export MINIO_IDENTITY_OPENID_ROLE_POLICY="new-policy-name"
|
||||||
|
```
|
||||||
|
|
||||||
|
Where `new-policy-name` is the policy you have created.
|
||||||
|
|
||||||
|
Be sure to restart the app after making changes.
|
||||||
|
|
13
start.sh
13
start.sh
|
@ -17,6 +17,19 @@ if [[ ! -d /app/data/mc_config ]]; then
|
||||||
/app/code/mc --config-dir /app/data/mc_config &> /dev/null || true
|
/app/code/mc --config-dir /app/data/mc_config &> /dev/null || true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
|
||||||
|
export MINIO_IDENTITY_OPENID_DISPLAY_NAME="Cloudron"
|
||||||
|
export MINIO_IDENTITY_OPENID_CONFIG_URL="${CLOUDRON_OIDC_DISCOVERY_URL}"
|
||||||
|
export MINIO_IDENTITY_OPENID_CLIENT_ID="${CLOUDRON_OIDC_CLIENT_ID}"
|
||||||
|
export MINIO_IDENTITY_OPENID_CLIENT_SECRET="${CLOUDRON_OIDC_CLIENT_SECRET}"
|
||||||
|
export MINIO_IDENTITY_OPENID_SCOPES="openid profile email"
|
||||||
|
if [[ -z "${MINIO_IDENTITY_OPENID_ROLE_POLICY:-}" ]]; then
|
||||||
|
export MINIO_IDENTITY_OPENID_ROLE_POLICY="readwrite"
|
||||||
|
fi
|
||||||
|
|
||||||
|
export MINIO_IDENTITY_OPENID_COMMENT="Cloudron OIDC"
|
||||||
|
fi
|
||||||
|
|
||||||
# minio is used for backups at times and has a large number of files. optimize by checking if files are actually in correct chown state
|
# minio is used for backups at times and has a large number of files. optimize by checking if files are actually in correct chown state
|
||||||
echo "==> Changing ownership"
|
echo "==> Changing ownership"
|
||||||
[[ $(stat --format '%U' /app/data/data) != "cloudron" ]] && chown -R cloudron:cloudron /app/data
|
[[ $(stat --format '%U' /app/data/data) != "cloudron" ]] && chown -R cloudron:cloudron /app/data
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
"version": "1.0.0",
|
"version": "1.0.0",
|
||||||
"license": "ISC",
|
"license": "ISC",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"chromedriver": "^121.0.1",
|
"chromedriver": "^121.0.2",
|
||||||
"expect.js": "^0.3.1",
|
"expect.js": "^0.3.1",
|
||||||
"mocha": "^10.3.0",
|
"mocha": "^10.3.0",
|
||||||
"selenium-webdriver": "^4.17.0",
|
"selenium-webdriver": "^4.17.0",
|
||||||
|
@ -228,9 +228,9 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/chromedriver": {
|
"node_modules/chromedriver": {
|
||||||
"version": "121.0.1",
|
"version": "121.0.2",
|
||||||
"resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-121.0.1.tgz",
|
"resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-121.0.2.tgz",
|
||||||
"integrity": "sha512-7y/RLV3tKNpNf/Ye74eOF7gyrCA78qq3i6JjrMJ4xovc2XZaw4a3cZA6+2PflGX/0HttYiKJV2WO611JROGNaw==",
|
"integrity": "sha512-58MUSCEE3oB3G3Y/Jo3URJ2Oa1VLHcVBufyYt7vNfGrABSJm7ienQLF9IQ8LPDlPVgLUXt2OBfggK3p2/SlEBg==",
|
||||||
"hasInstallScript": true,
|
"hasInstallScript": true,
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@testim/chrome-version": "^1.1.4",
|
"@testim/chrome-version": "^1.1.4",
|
||||||
|
@ -1710,9 +1710,9 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"chromedriver": {
|
"chromedriver": {
|
||||||
"version": "121.0.1",
|
"version": "121.0.2",
|
||||||
"resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-121.0.1.tgz",
|
"resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-121.0.2.tgz",
|
||||||
"integrity": "sha512-7y/RLV3tKNpNf/Ye74eOF7gyrCA78qq3i6JjrMJ4xovc2XZaw4a3cZA6+2PflGX/0HttYiKJV2WO611JROGNaw==",
|
"integrity": "sha512-58MUSCEE3oB3G3Y/Jo3URJ2Oa1VLHcVBufyYt7vNfGrABSJm7ienQLF9IQ8LPDlPVgLUXt2OBfggK3p2/SlEBg==",
|
||||||
"requires": {
|
"requires": {
|
||||||
"@testim/chrome-version": "^1.1.4",
|
"@testim/chrome-version": "^1.1.4",
|
||||||
"axios": "^1.6.5",
|
"axios": "^1.6.5",
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
"author": "",
|
"author": "",
|
||||||
"license": "ISC",
|
"license": "ISC",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"chromedriver": "^121.0.1",
|
"chromedriver": "^121.0.2",
|
||||||
"expect.js": "^0.3.1",
|
"expect.js": "^0.3.1",
|
||||||
"mocha": "^10.3.0",
|
"mocha": "^10.3.0",
|
||||||
"selenium-webdriver": "^4.17.0",
|
"selenium-webdriver": "^4.17.0",
|
||||||
|
|
85
test/test.js
85
test/test.js
|
@ -20,6 +20,11 @@ const execSync = require('child_process').execSync,
|
||||||
{ Builder, By, until } = require('selenium-webdriver'),
|
{ Builder, By, until } = require('selenium-webdriver'),
|
||||||
{ Options } = require('selenium-webdriver/chrome');
|
{ Options } = require('selenium-webdriver/chrome');
|
||||||
|
|
||||||
|
if (!process.env.USERNAME || !process.env.PASSWORD) {
|
||||||
|
console.log('USERNAME and PASSWORD env vars need to be set');
|
||||||
|
process.exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
describe('Application life cycle test', function () {
|
describe('Application life cycle test', function () {
|
||||||
this.timeout(0);
|
this.timeout(0);
|
||||||
|
|
||||||
|
@ -29,6 +34,9 @@ describe('Application life cycle test', function () {
|
||||||
const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
|
const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
|
||||||
|
|
||||||
let browser, app;
|
let browser, app;
|
||||||
|
var athenticated_by_oidc = false;
|
||||||
|
let username = process.env.USERNAME;
|
||||||
|
let password = process.env.PASSWORD;
|
||||||
|
|
||||||
before(function () {
|
before(function () {
|
||||||
browser = new Builder().forBrowser('chrome').setChromeOptions(new Options().windowSize({ width: 1280, height: 1024 })).build();
|
browser = new Builder().forBrowser('chrome').setChromeOptions(new Options().windowSize({ width: 1280, height: 1024 })).build();
|
||||||
|
@ -51,6 +59,14 @@ describe('Application life cycle test', function () {
|
||||||
|
|
||||||
async function login(accessKey='minioadmin', secretKey='minioadmin') {
|
async function login(accessKey='minioadmin', secretKey='minioadmin') {
|
||||||
await browser.get(`https://${app.fqdn}/login`);
|
await browser.get(`https://${app.fqdn}/login`);
|
||||||
|
await browser.sleep(2000);
|
||||||
|
|
||||||
|
if (await browser.findElements(By.id('accessKey')).then(found => !found.length) && await browser.findElements(By.id('alternativeMethods-select')).then(found => !!found.length)) {
|
||||||
|
await browser.findElement(By.xpath('//div[@id="alternativeMethods-select"]/div[contains(., "Other Authentication Methods")]')).click();
|
||||||
|
await browser.sleep(2000);
|
||||||
|
await browser.findElement(By.xpath('//li[contains(., "Use Credentials")] | //div[@label="Use Credentials"]')).click();
|
||||||
|
await browser.sleep(2000);
|
||||||
|
}
|
||||||
await waitForElement(By.id('accessKey'));
|
await waitForElement(By.id('accessKey'));
|
||||||
await browser.findElement(By.id('accessKey')).sendKeys(accessKey);
|
await browser.findElement(By.id('accessKey')).sendKeys(accessKey);
|
||||||
await browser.findElement(By.id('secretKey')).sendKeys(secretKey);
|
await browser.findElement(By.id('secretKey')).sendKeys(secretKey);
|
||||||
|
@ -59,13 +75,35 @@ describe('Application life cycle test', function () {
|
||||||
await timers.setTimeout(5000);
|
await timers.setTimeout(5000);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
async function loginOIDC(username, password) {
|
||||||
|
browser.manage().deleteAllCookies();
|
||||||
|
await browser.get(`https://${app.fqdn}/login`);
|
||||||
|
await browser.sleep(4000);
|
||||||
|
|
||||||
|
await browser.findElement(By.xpath('//button[contains(., "Cloudron")]')).click();
|
||||||
|
await browser.sleep(4000);
|
||||||
|
|
||||||
|
if (!athenticated_by_oidc) {
|
||||||
|
await waitForElement(By.xpath('//input[@name="username"]'));
|
||||||
|
await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
|
||||||
|
await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
|
||||||
|
await browser.sleep(2000);
|
||||||
|
await browser.findElement(By.id('loginSubmitButton')).click();
|
||||||
|
await browser.sleep(2000);
|
||||||
|
|
||||||
|
athenticated_by_oidc = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
await waitForElement(By.xpath('//span[contains(text(), "Buckets")]'));
|
||||||
|
}
|
||||||
|
|
||||||
async function logout() {
|
async function logout() {
|
||||||
await browser.get(`https://${app.fqdn}/`);
|
await browser.get(`https://${app.fqdn}/`);
|
||||||
await waitForElement(By.xpath('//span[contains(text(), "Buckets")]'));
|
await waitForElement(By.xpath('//span[contains(text(), "Buckets")]'));
|
||||||
const button = await browser.findElement(By.xpath('//button[@id="sign-out"]'));
|
const button = await browser.findElement(By.xpath('//button[@id="sign-out"]'));
|
||||||
await browser.executeScript('arguments[0].scrollIntoView(false)', button);
|
await browser.executeScript('arguments[0].scrollIntoView(false)', button);
|
||||||
await button.click();
|
await button.click();
|
||||||
await waitForElement(By.id('accessKey'));
|
await waitForElement(By.xpath('//*[@id="accessKey"] | //button[contains(., "Cloudron")]'));
|
||||||
}
|
}
|
||||||
|
|
||||||
async function addBucket() {
|
async function addBucket() {
|
||||||
|
@ -104,13 +142,17 @@ describe('Application life cycle test', function () {
|
||||||
|
|
||||||
it('can get app information', getAppInfo);
|
it('can get app information', getAppInfo);
|
||||||
|
|
||||||
it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
|
it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin'));
|
||||||
it('can add bucket', addBucket);
|
it('can add bucket', addBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
it('does redirect', checkRedirect);
|
it('does redirect', checkRedirect);
|
||||||
it('check api', checkApi);
|
it('check api', checkApi);
|
||||||
|
|
||||||
it('can change credentials', async function () {
|
it('can OIDC login', loginOIDC.bind(null, username, password));
|
||||||
|
it('has bucket', checkBucket);
|
||||||
|
it('can logout', logout);
|
||||||
|
|
||||||
|
it('can change Admin credentials', async function () {
|
||||||
let data = fs.readFileSync(path.join(__dirname, '../env.sh'), 'utf8');
|
let data = fs.readFileSync(path.join(__dirname, '../env.sh'), 'utf8');
|
||||||
data = data
|
data = data
|
||||||
.replace(/MINIO_ROOT_USER=.*/, 'MINIO_ROOT_USER=minioakey')
|
.replace(/MINIO_ROOT_USER=.*/, 'MINIO_ROOT_USER=minioakey')
|
||||||
|
@ -123,12 +165,16 @@ describe('Application life cycle test', function () {
|
||||||
|
|
||||||
it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); });
|
it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); });
|
||||||
|
|
||||||
it('can login', login.bind(null, 'minioakey', 'minioskey'));
|
it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
|
||||||
it('has bucket', checkBucket);
|
it('has bucket', checkBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
it('does redirect', checkRedirect);
|
it('does redirect', checkRedirect);
|
||||||
it('check api', checkApi);
|
it('check api', checkApi);
|
||||||
|
|
||||||
|
it('can OIDC login', loginOIDC.bind(null, username, password));
|
||||||
|
it('has bucket', checkBucket);
|
||||||
|
it('can logout', logout);
|
||||||
|
|
||||||
it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
|
it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
|
||||||
it('restore app', async function () {
|
it('restore app', async function () {
|
||||||
const backups = JSON.parse(execSync(`cloudron backup list --raw --app ${app.id}`));
|
const backups = JSON.parse(execSync(`cloudron backup list --raw --app ${app.id}`));
|
||||||
|
@ -139,9 +185,15 @@ describe('Application life cycle test', function () {
|
||||||
await timers.setTimeout(10000);
|
await timers.setTimeout(10000);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('can login', login.bind(null, 'minioakey', 'minioskey'));
|
it('can get app information', getAppInfo);
|
||||||
|
it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
|
||||||
it('has bucket', checkBucket);
|
it('has bucket', checkBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
|
|
||||||
|
it('can OIDC login', loginOIDC.bind(null, username, password));
|
||||||
|
it('has bucket', checkBucket);
|
||||||
|
it('can logout', logout);
|
||||||
|
|
||||||
it('does redirect', checkRedirect);
|
it('does redirect', checkRedirect);
|
||||||
it('check api', checkApi);
|
it('check api', checkApi);
|
||||||
|
|
||||||
|
@ -152,9 +204,14 @@ describe('Application life cycle test', function () {
|
||||||
});
|
});
|
||||||
it('can get app information', getAppInfo);
|
it('can get app information', getAppInfo);
|
||||||
|
|
||||||
it('can login', login.bind(null, 'minioakey', 'minioskey'));
|
it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
|
||||||
it('has bucket', checkBucket);
|
it('has bucket', checkBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
|
|
||||||
|
it('can OIDC login', loginOIDC.bind(null, username, password));
|
||||||
|
it('has bucket', checkBucket);
|
||||||
|
it('can logout', logout);
|
||||||
|
|
||||||
it('does redirect', checkRedirect);
|
it('does redirect', checkRedirect);
|
||||||
it('check api', checkApi);
|
it('check api', checkApi);
|
||||||
|
|
||||||
|
@ -167,13 +224,27 @@ describe('Application life cycle test', function () {
|
||||||
it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
|
it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
|
||||||
it('can add buckets', addBucket);
|
it('can add buckets', addBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
|
|
||||||
|
/* should be added on the next release
|
||||||
|
it('can OIDC login', loginOIDC.bind(null, username, password));
|
||||||
|
it('has bucket', checkBucket);
|
||||||
|
it('can logout', logout);
|
||||||
|
*/
|
||||||
|
|
||||||
it('can update', function () { execSync(`cloudron update --app ${LOCATION}`, EXEC_ARGS); });
|
it('can update', function () { execSync(`cloudron update --app ${LOCATION}`, EXEC_ARGS); });
|
||||||
it('can configure', function () { execSync(`cloudron configure --app ${LOCATION} --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); });
|
it('can configure', function () { execSync(`cloudron configure --app ${LOCATION} --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); });
|
||||||
it('can get app information', getAppInfo);
|
it('can get app information', getAppInfo);
|
||||||
|
|
||||||
it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
|
it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin'));
|
||||||
it('has bucket', checkBucket);
|
it('has bucket', checkBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
|
|
||||||
|
/* should be added on the next release
|
||||||
|
it('can OIDC login', loginOIDC.bind(null, username, password));
|
||||||
|
it('has bucket', checkBucket);
|
||||||
|
it('can logout', logout);
|
||||||
|
*/
|
||||||
|
|
||||||
it('does redirect', checkRedirect);
|
it('does redirect', checkRedirect);
|
||||||
it('check api', checkApi);
|
it('check api', checkApi);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue