test-run

Co-authored-by: Copilot <copilot@github.com>

Author: general-kroll-4-life

.github/workflows/build.yml

@@ -817,6 +817,39 @@ jobs:
           python cicd/python/build.py --robot-test  --config='{ "variables": { "SHOULD_RUN_DOCKER_EXTERNAL_TESTS": "true" } }'
         fi
 
+    - name: Run mocked ID federation traffic light tests
+      if: ((startsWith(github.ref_name, 'build-traffic-lights') && github.ref_type == 'tag') || (github.repository == 'stackql/stackql' && github.event_name == 'push' && github.ref == 'refs/heads/main')) && matrix.registry == 'test/registry'
+      env:
+        PYTHONPATH: '${{ env.PYTHONPATH }}:${{ github.workspace }}/test/python'
+      run: |
+        echo "## Stray flask apps to be killed before robot tests ##"
+        pgrep -f flask | xargs kill -9 || true
+        echo "## End ##"
+        if robot \
+          --variable 'SUNDRY_CONFIG:{"registry_path": "test/registry"}' \
+          --variable RUN_ID_FED_TRAFFIC_LIGHTS:true \
+          --include id_fed_traffic_lightANDtls_proxied \
+          -d test/robot/reports-id-fed-traffic-lights \
+          test/robot/functional/stackql_mocked_from_cmd_line.robot; then
+          echo "✅ Mocked ID federation traffic light tests **all** passed"
+        else
+          rv="$?"
+          echo "🟡 **some** mocked ID federation traffic light tests failed code = $rv"
+        fi
+        {
+          echo "ID_FED_TRAFFIC_LIGHTS_COMPLETED=true"
+        } >> "$GITHUB_ENV"
+
+    - name: Output from mocked ID federation traffic light tests
+      if: env.ID_FED_TRAFFIC_LIGHTS_COMPLETED == 'true'
+      run: |
+        cat ./test/robot/reports-id-fed-traffic-lights/output.xml || true
+
+    - name: Output from mocked ID federation traffic lights tmp dir
+      if: env.ID_FED_TRAFFIC_LIGHTS_COMPLETED == 'true'
+      run: |
+        cat ./test/robot/functional/tmp/ID-Fed-* || true
+
     - name: Output from mocked functional tests
       if: always()
       run: |

test/robot/functional/stackql_mocked_from_cmd_line.robot

@@ -4514,7 +4514,7 @@ ID Fed AWS S3 Buckets Traffic Light Canonical
     Create File    ${CURDIR}/tmp/id-fed-aws-subject-token.jwt    mock-oidc-subject-token-aws
     ${authCfg} =    Catenate
     ...    {"aws":{"type":"aws_web_identity","aws_role_arn":"arn:aws:iam::123456789012:role/mock-idfed-role","aws_sts_region":"us-east-1","aws_sts_endpoint":"https://${LOCAL_HOST_ALIAS}:${MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN}/aws/sts","oidc_subject_token_file":"${CURDIR}/tmp/id-fed-aws-subject-token.jwt"}}
-    Should Stackql Exec Inline Contain Both Streams
+    Should Stackql Exec Inline Equal Both Streams
     ...    ${STACKQL_EXE}
     ...    ${OKTA_SECRET_STR}
     ...    ${GITHUB_SECRET_STR}
@@ -4523,7 +4523,7 @@ ID Fed AWS S3 Buckets Traffic Light Canonical
     ...    ${authCfg}
     ...    ${SQL_BACKEND_CFG_STR_CANONICAL}
     ...    ${SELECT_AWS_S3_BUCKETS}
-    ...    CreationDate
+    ...    ${SELECT_AWS_S3_BUCKETS_EXPECTED}
     ...    ${EMPTY}
     ...    stdout=${CURDIR}/tmp/ID-Fed-AWS-S3-Buckets-Traffic-Light-Canonical-stdout.tmp
     ...    stderr=${CURDIR}/tmp/ID-Fed-AWS-S3-Buckets-Traffic-Light-Canonical-stderr.tmp
@@ -4535,18 +4535,16 @@ ID Fed Azure Public Keys Traffic Light Canonical
     Create File    ${CURDIR}/tmp/id-fed-azure-subject-token.jwt    mock-oidc-subject-token-azure
     ${authCfg} =    Catenate
     ...    {"azure":{"type":"azure_federated","azure_tenant_id":"00000000-0000-0000-0000-000000000000","client_id":"11111111-1111-1111-1111-111111111111","scopes":["https://management.azure.com/.default"],"azure_federated_endpoint":"https://${LOCAL_HOST_ALIAS}:${MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN}/azure/federated/token","oidc_subject_token_file":"${CURDIR}/tmp/id-fed-azure-subject-token.jwt"}}
-    ${inputStr} =    Catenate
-    ...    select name from azure.network.virtual_networks where subscriptionId = 'subid' order by name asc;
-    Should Stackql Exec Inline Contain Both Streams
+    Should Stackql Exec Inline Equal Both Streams
     ...    ${STACKQL_EXE}
     ...    ${OKTA_SECRET_STR}
     ...    ${GITHUB_SECRET_STR}
     ...    ${K8S_SECRET_STR}
     ...    ${REGISTRY_NO_VERIFY_CFG_STR}
     ...    ${authCfg}
     ...    ${SQL_BACKEND_CFG_STR_CANONICAL}
-    ...    ${inputStr}
-    ...    name
+    ...    ${SELECT_AZURE_COMPUTE_PUBLIC_KEYS}
+    ...    ${SELECT_AZURE_COMPUTE_PUBLIC_KEYS_EXPECTED}
     ...    ${EMPTY}
     ...    stdout=${CURDIR}/tmp/ID-Fed-Azure-Public-Keys-Traffic-Light-Canonical-stdout.tmp
     ...    stderr=${CURDIR}/tmp/ID-Fed-Azure-Public-Keys-Traffic-Light-Canonical-stderr.tmp
@@ -4558,7 +4556,7 @@ ID Fed Google Container Agg Desc Traffic Light Canonical
     Create File    ${CURDIR}/tmp/id-fed-gcp-subject-token.jwt    mock-oidc-subject-token-gcp
     ${authCfg} =    Catenate
     ...    {"google":{"type":"gcp_workload_identity","gcp_workload_identity_audience":"//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/mock-pool/providers/mock-provider","gcp_workload_identity_token_url":"https://${LOCAL_HOST_ALIAS}:${MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN}/gcp/sts/token","gcp_service_account_impersonation_url":"https://${LOCAL_HOST_ALIAS}:${MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN}/gcp/iamcredentials/generateAccessToken","scopes":["https://www.googleapis.com/auth/cloud-platform"],"oidc_subject_token_file":"${CURDIR}/tmp/id-fed-gcp-subject-token.jwt"}}
-    Should Stackql Exec Inline Contain Both Streams
+    Should Stackql Exec Inline Equal Both Streams
     ...    ${STACKQL_EXE}
     ...    ${OKTA_SECRET_STR}
     ...    ${GITHUB_SECRET_STR}
@@ -4567,7 +4565,7 @@ ID Fed Google Container Agg Desc Traffic Light Canonical
     ...    ${authCfg}
     ...    ${SQL_BACKEND_CFG_STR_CANONICAL}
     ...    ${SELECT_CONTAINER_SUBNET_AGG_DESC}
-    ...    ipCidrRange
+    ...    ${SELECT_CONTAINER_SUBNET_AGG_DESC_EXPECTED}
     ...    ${EMPTY}
     ...    stdout=${CURDIR}/tmp/ID-Fed-Google-Container-Agg-Desc-Traffic-Light-Canonical-stdout.tmp
     ...    stderr=${CURDIR}/tmp/ID-Fed-Google-Container-Agg-Desc-Traffic-Light-Canonical-stderr.tmp

test/robot/id-fed-traffic-lights/stackql.resource

@@ -0,0 +1,6 @@
+*** Variables ***
+${REPOSITORY_ROOT}    ${CURDIR}/../../..
+${STACKQL_EXE}        ${REPOSITORY_ROOT}/build/stackql
+
+*** Keywords ***
+# Add any custom keywords here if needed for the id-fed traffic-light suite.

test/robot/id-fed-traffic-lights/stackql_idfed_traffic_light_integration_from_cmd_line.robot

@@ -0,0 +1,75 @@
+*** Settings ***
+Resource          ${CURDIR}/stackql.resource
+
+*** Test Cases ***
+
+IDFed AWS S3 Buckets List
+    Sleep    2s
+    ${awsRoleArn} =    OperatingSystem.Get Environment Variable    STACKQL_IDFED_ROLE_ARN
+    Should Not Be Empty    ${awsRoleArn}
+    ${awsAuthCfg} =    Catenate
+    ...    { "aws": { "type":"aws_web_identity", "aws_role_arn": "${awsRoleArn}", "aws_sts_region": "us-east-1", "oidc_subject_token_file_env_var": "OIDC_SUBJECT_TOKEN_FILE" } }
+    ${bucketsListQuery} =    Catenate
+    ...    select * from aws.s3.buckets where region = 'ap-southeast-2';
+    ${result} =    Run Process
+    ...    ${STACKQL_EXE}
+    ...    \-\-auth
+    ...    ${awsAuthCfg}
+    ...    \-\-registry
+    ...    { "url": "file://${REPOSITORY_ROOT}/test/registry", "localDocRoot": "${REPOSITORY_ROOT}/test/registry", "verifyConfig": { "nopVerify": true } }
+    ...    exec
+    ...    ${bucketsListQuery}
+    ...    cwd=${REPOSITORY_ROOT}
+    ...    stdout=${CURDIR}/tmp/IDFed-AWS-S3-Buckets-List.tmp
+    ...    stderr=${CURDIR}/tmp/IDFed-AWS-S3-Buckets-List-stderr.tmp
+    Should Be Equal As Integers    ${result.rc}           0
+    Should Be Empty                ${result.stderr}
+    Should Contain                 ${result.stdout}       stackql-trial-bucket-02
+
+IDFed Azure VNETs List
+    Sleep    2s
+    ${azureTargetSubscription} =    OperatingSystem.Get Environment Variable    AZURE_TARGET_SUBSCRIPTION_ID
+    Should Not Be Empty    ${azureTargetSubscription}
+    ${azureAuthCfg} =    Catenate
+    ...    { "azure": { "type": "azure_federated", "azure_tenant_id": "${AZURE_TENANT_ID}", "client_id": "${AZURE_CLIENT_ID}", "scopes": ["https://management.azure.com/.default"], "oidc_subject_token_file_env_var": "OIDC_SUBJECT_TOKEN_FILE" } }
+    ${bucketsListQuery} =    Catenate
+    ...    select location, name from azure.network.virtual_networks where subscriptionId = '${azureTargetSubscription}';
+    ${result} =    Run Process
+    ...    ${STACKQL_EXE}
+    ...    \-\-auth
+    ...    ${azureAuthCfg}
+    ...    \-\-registry
+    ...    { "url": "file://${REPOSITORY_ROOT}/test/registry", "localDocRoot": "${REPOSITORY_ROOT}/test/registry", "verifyConfig": { "nopVerify": true } }
+    ...    exec
+    ...    ${bucketsListQuery}
+    ...    cwd=${REPOSITORY_ROOT}
+    ...    stdout=${CURDIR}/tmp/IDFed-Azure-VNETs-List.tmp
+    ...    stderr=${CURDIR}/tmp/IDFed-Azure-VNETs-List-stderr.tmp
+    Should Be Equal As Integers    ${result.rc}           0
+    Should Be Empty                ${result.stderr}
+    Should Contain                 ${result.stdout}       inspector-network
+
+IDFed Google Buckets List
+    Sleep    2s
+    ${gcpAudience} =    OperatingSystem.Get Environment Variable    GCP_OIDC_AUDIENCE
+    ${gcpServiceAccount} =    OperatingSystem.Get Environment Variable    GCP_SERVICE_ACCOUNT_EMAIL
+    Should Not Be Empty    ${gcpAudience}
+    Should Not Be Empty    ${gcpServiceAccount}
+    ${gcpAuthCfg} =    Catenate
+    ...    { "google": { "type": "gcp_workload_identity", "gcp_workload_identity_audience": "${gcpAudience}", "gcp_service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${gcpServiceAccount}:generateAccessToken", "scopes": ["https://www.googleapis.com/auth/cloud-platform"], "oidc_subject_token_file_env_var": "OIDC_SUBJECT_TOKEN_FILE" } }
+    ${bucketsListQuery} =    Catenate
+    ...    select location, name from google.storage.buckets where project = 'stackql-demo';
+    ${result} =    Run Process
+    ...    ${STACKQL_EXE}
+    ...    \-\-auth
+    ...    ${gcpAuthCfg}
+    ...    \-\-registry
+    ...    { "url": "file://${REPOSITORY_ROOT}/test/registry", "localDocRoot": "${REPOSITORY_ROOT}/test/registry", "verifyConfig": { "nopVerify": true } }
+    ...    exec
+    ...    ${bucketsListQuery}
+    ...    cwd=${REPOSITORY_ROOT}
+    ...    stdout=${CURDIR}/tmp/IDFed-Google-Buckets-List.tmp
+    ...    stderr=${CURDIR}/tmp/IDFed-Google-Buckets-List-stderr.tmp
+    Should Be Equal As Integers    ${result.rc}           0
+    Should Be Empty                ${result.stderr}
+    Should Contain                 ${result.stdout}       stackql-demo-bucket

test/robot/id-fed-traffic-lights/tmp/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

test/robot/reports-id-fed-traffic-lights-local/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore