best-effort-integration-testing

Summary:

- Better documentation for aws assume role auth model.
- Added replica best effort `robot` integration test suite for foreign tests.
- `aws` tests only to begin with.

Author: general-kroll-4-life

.github/workflows/build.yml

@@ -745,6 +745,42 @@ jobs:
       run: |
         cat ./test/robot/integration-traffic-lights/tmp/* || true
     
+    - name: Run foreign traffic light robot integration tests
+      if: ((startsWith(github.ref_name, 'build-traffic-lights') && github.ref_type == 'tag') || (github.repository == 'stackql/stackql' && github.event_name == 'push' && github.ref == 'refs/heads/main')) && matrix.registry == 'test/registry'
+      env:
+        PYTHONPATH: '${{ env.PYTHONPATH }}:${{ github.workspace }}/test/python'
+        AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+        AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+        AZURE_INTEGRATION_TESTING_SUB_ID: ${{ secrets.AZURE_INTEGRATION_TESTING_SUB_ID }}
+        AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_FOREIGN_ACCESS_KEY_ID }}
+        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_FOREIGN_SECRET_ACCESS_KEY }}
+        STACKQL_AUDIT_ROLE_ARN: ${{ secrets.STACKQL_AUDIT_ROLE_ARN }}
+        GODEBUG: netdns=go
+      run: |
+        echo "## Stray flask apps to be killed before robot tests ##"
+        pgrep -f flask | xargs kill -9 || true
+        echo "## End ##"
+        if python cicd/python/build.py --robot-test-foreign-traffic-lights-integration; then
+          echo "✅ Foreign traffic light robot integration tests **all** passed"
+        else
+          rv="$?"
+          echo "🟡 **some** foreign traffic light robot integration tests failed code = $rv"
+        fi
+        {
+          echo "FOREIGN_TRAFFIC_LIGHTS_COMPLETED=true"
+        } >> "$GITHUB_ENV"
+
+    - name: Output from foreign traffic lights integration tests
+      if: env.FOREIGN_TRAFFIC_LIGHTS_COMPLETED == 'true'
+      run: |
+        cat ./test/robot/reports-foreign-integration-traffic-lights/output.xml || true
+
+    - name: Output from foreign traffic lights tmp dir
+      if: env.FOREIGN_TRAFFIC_LIGHTS_COMPLETED == 'true'
+      run: |
+        cat ./test/robot/foreign-integration-traffic-lights/tmp/* || true
+    
     - name: Generate rewritten registry for simulations
       if: ${{ matrix.registry  != 'test/registry' }}
       run: |

cicd/python/build.py

@@ -82,6 +82,16 @@ def run_robot_integration_traffic_lights_tests_stackql(*args, **kwargs) -> int:
         shell=True
     )
 
+def run_robot_foreign_integration_traffic_lights_tests_stackql(*args, **kwargs) -> int:
+    variables = ' '.join([f'--variable {key}:{sanitise_val(value)} ' for key, value in kwargs.get("variables", {}).items()])
+    return subprocess.call(
+        'robot '
+        f'{variables} ' 
+        '-d test/robot/reports-foreign-integration-traffic-lights '
+        'test/robot/foreign-integration-traffic-lights',
+        shell=True
+    )
+
 def main():
     parser = argparse.ArgumentParser()
     parser.add_argument('--verbose', action='store_true')
@@ -91,6 +101,7 @@ def main():
     parser.add_argument('--robot-test', action='store_true')
     parser.add_argument('--robot-test-integration', action='store_true')
     parser.add_argument('--robot-test-traffic-lights-integration', action='store_true')
+    parser.add_argument('--robot-test-foreign-traffic-lights-integration', action='store_true')
     parser.add_argument('--config', type=json.loads, default={})
     args = parser.parse_args()
     ret_code = 0
@@ -118,6 +129,10 @@ def main():
         ret_code = run_robot_integration_traffic_lights_tests_stackql(**args.config)
         if ret_code != 0:
             exit(ret_code)
+    if args.robot_test_foreign_traffic_lights_integration:
+        ret_code = run_robot_foreign_integration_traffic_lights_tests_stackql(**args.config)
+        if ret_code != 0:
+            exit(ret_code)
     exit(ret_code)
 
 

docs/auth.md

@@ -44,8 +44,11 @@ The `--auth` `json` string can be configured for assuming a foriegn role.  Tis,
 {"aws": {"type": "aws_assume_role", "keyIDenvvar": "AWS_ACCESS_KEY_ID", "credentialsenvvar": "AWS_SECRET_ACCESS_KEY", "aws_role_arn": "arn:aws:iam::123456789012:role/MyRole"}}
 ```
 
-Eg:
+Eg, presuming the source scripts constains the cited env vars:
 
 ```bash
-stackql --auth '{"aws":{"type":"aws_assume_role","keyIDenvvar":"AWS_ACCESS_KEY_ID","credentialsenvvar":"AWS_SECRET_ACCESS_KEY", "aws_role_arn": "arn:aws:iam::123456789012:role/MyRole"}}' shell
+
+source cicd/vol/vendor-secrets/ryuk_to_stackql_user.sh
+
+stackql --auth '{"aws":{"type":"aws_assume_role","keyIDenvvar":"AWS_ACCESS_KEY_ID","credentialsenvvar":"AWS_SECRET_ACCESS_KEY", "aws_role_arn": "'${STACKQL_AUDIT_ROLE_ARN}'"}}' shell
 ```

test/robot/foreign-integration-traffic-lights/__init__.robot

@@ -0,0 +1,4 @@
+*** Settings ***
+Resource          ${CURDIR}/stackql.resource
+
+

test/robot/foreign-integration-traffic-lights/stackql.resource

@@ -0,0 +1,21 @@
+*** Variables ***
+${LOCAL_LIB_HOME}               ${CURDIR}${/}..${/}..${/}python
+${REPOSITORY_ROOT}              ${CURDIR}${/}..${/}..${/}..
+${EXECUTION_PLATFORM}           native   # to be overridden from command line, eg "docker"
+${SQL_BACKEND}                  sqlite_embedded   # to be overridden from command line, eg "postgres_tcp"
+${IS_WSL}                       false   # to be overridden from command line, with string "true"
+${USE_STACKQL_PREINSTALLED}     false   # to be overridden from command line, with string "true"
+${SUNDRY_CONFIG}                {}  # to be overridden from command line, with string value
+${STACKQL_INTERFACE_LIBRARY}    stackql_test_tooling.StackQLInterfaces
+${CLOUD_INTEGRATION_LIBRARY}    stackql_test_tooling.CloudIntegration
+
+*** Settings ***
+Library           Process
+Library           OperatingSystem 
+Variables         ${LOCAL_LIB_HOME}/stackql_test_tooling/stackql_context.py    ${REPOSITORY_ROOT}    ${EXECUTION_PLATFORM}    ${SQL_BACKEND}    ${USE_STACKQL_PREINSTALLED}
+...               ${SUNDRY_CONFIG}
+Library           Process
+Library           OperatingSystem
+Library           String
+Library           ${STACKQL_INTERFACE_LIBRARY}    ${EXECUTION_PLATFORM}    ${SQL_BACKEND}
+Library           ${CLOUD_INTEGRATION_LIBRARY}

test/robot/foreign-integration-traffic-lights/stackql_foreign_traffic_light_integration_from_cmd_line.robot

@@ -0,0 +1,99 @@
+
+
+
+*** Settings ***
+Resource          ${CURDIR}/stackql.resource
+
+*** Test Cases *** 
+Nop From Lib
+    ${result} =     Nop Cloud Integration Keyword
+    Should Be Equal    ${result}    PASS
+
+
+AWS S3 Buckets Location Constraint
+    Sleep    2s
+    ${awsRoleArn} =    Get Environment Variable    STACKQL_AUDIT_ROLE_ARN
+    Should Not Be Empty    ${awsRoleArn}
+    ${awsAuthCfg} =    Catenate
+    ...    { "aws": { "type":"aws_assume_role", "keyIDenvvar": "AWS_ACCESS_KEY_ID", "credentialsenvvar": "AWS_SECRET_ACCESS_KEY", "aws_role_arn": "${awsRoleArn}" } }
+    ${locactionConstraintQuery} =    Catenate
+    ...    select LocationConstraint from aws.s3.bucket_locations where region = 'ap-southeast-1' and Bucket = 'stackql-trial-bucket-01';
+    ${result} =    Run Process
+    ...    ${STACKQL_EXE}
+    ...    \-\-auth
+    ...    ${awsAuthCfg}
+    ...    \-\-registry
+    ...    { "url": "file://${REPOSITORY_ROOT}/test/registry", "localDocRoot": "${REPOSITORY_ROOT}/test/registry", "verifyConfig": { "nopVerify": true } }
+    ...    exec
+    ...    ${locactionConstraintQuery}
+    ...    cwd=${REPOSITORY_ROOT}
+    ...    stdout=${CURDIR}/tmp/AWS-S3-Buckets-Location-Constraint.tmp
+    ...    stderr=${CURDIR}/tmp/AWS-S3-Buckets-Location-Constraint-stderr.tmp
+    Should Be Equal As Integers    ${result.rc}           0
+    Should Contain                 ${result.stdout}       ap\-southeast\-1
+
+AWS S3 Buckets List
+    Sleep    2s
+    ${awsRoleArn} =    Get Environment Variable    STACKQL_AUDIT_ROLE_ARN
+    Should Not Be Empty    ${awsRoleArn}
+    ${awsAuthCfg} =    Catenate
+    ...    { "aws": { "type":"aws_assume_role", "keyIDenvvar": "AWS_ACCESS_KEY_ID", "credentialsenvvar": "AWS_SECRET_ACCESS_KEY", "aws_role_arn": "${awsRoleArn}" } }
+    ${bucketsListQuery} =    Catenate
+    ...    select * from aws.s3.buckets where region = 'us-east-1' order by BucketArn desc;
+   ${result} =    Run Process
+    ...    ${STACKQL_EXE}
+    ...    \-\-auth
+    ...    ${awsAuthCfg}
+    ...    \-\-registry
+    ...    { "url": "file://${REPOSITORY_ROOT}/test/registry", "localDocRoot": "${REPOSITORY_ROOT}/test/registry", "verifyConfig": { "nopVerify": true } }
+    ...    exec
+    ...    ${bucketsListQuery}
+    ...    cwd=${REPOSITORY_ROOT}
+    ...    stdout=${CURDIR}/tmp/AWS-S3-Buckets-List.tmp
+    ...    stderr=${CURDIR}/tmp/AWS-S3-Buckets-List-stderr.tmp
+    Should Be Equal As Integers    ${result.rc}           0
+    Should Contain                 ${result.stdout}       stackql\-trial\-bucket\-02
+
+AWS S3 Bucket Objects List
+    Sleep    2s
+    ${awsRoleArn} =    Get Environment Variable    STACKQL_AUDIT_ROLE_ARN
+    Should Not Be Empty    ${awsRoleArn}
+    ${awsAuthCfg} =    Catenate
+    ...    { "aws": { "type":"aws_assume_role", "keyIDenvvar": "AWS_ACCESS_KEY_ID", "credentialsenvvar": "AWS_SECRET_ACCESS_KEY", "aws_role_arn": "${awsRoleArn}" } }
+    ${bucketObjectsListQuery} =    Catenate
+    ...    select * from aws.s3.objects where Bucket = 'stackql-trial-bucket-02' and region = 'ap-southeast-2';
+    ${result} =    Run Process
+    ...    ${STACKQL_EXE}
+    ...    \-\-auth
+    ...    ${awsAuthCfg}
+    ...    \-\-registry
+    ...    { "url": "file://${REPOSITORY_ROOT}/test/registry", "localDocRoot": "${REPOSITORY_ROOT}/test/registry", "verifyConfig": { "nopVerify": true } }
+    ...    exec
+    ...    ${bucketObjectsListQuery}
+    ...    cwd=${REPOSITORY_ROOT}
+    ...    stdout=${CURDIR}/tmp/AWS-S3-Bucket-Objects-List.tmp
+    ...    stderr=${CURDIR}/tmp/AWS-S3-Bucket-Objects-List-stderr.tmp
+    Should Be Equal As Integers    ${result.rc}           0
+    Should Contain                 ${result.stdout}       docs/advanced
+
+AWS S3 Bucket ABAC Works
+    Sleep    2s
+    ${awsRoleArn} =    Get Environment Variable    STACKQL_AUDIT_ROLE_ARN
+    Should Not Be Empty    ${awsRoleArn}
+    ${awsAuthCfg} =    Catenate
+    ...    { "aws": { "type": "aws_assume_role", "keyIDenvvar": "AWS_ACCESS_KEY_ID", "credentialsenvvar": "AWS_SECRET_ACCESS_KEY", "aws_role_arn": "${awsRoleArn}" } }
+    ${bucketObjectsListQuery} =    Catenate
+    ...    select * from aws.s3.bucket_abac where Bucket = 'stackql-trial-bucket-02' and region = 'ap-southeast-2';
+    ${result} =    Run Process
+    ...    ${STACKQL_EXE}
+    ...    \-\-auth
+    ...    ${awsAuthCfg}
+    ...    \-\-registry
+    ...    { "url": "file://${REPOSITORY_ROOT}/test/registry", "localDocRoot": "${REPOSITORY_ROOT}/test/registry", "verifyConfig": { "nopVerify": true } }
+    ...    exec
+    ...    ${bucketObjectsListQuery}
+    ...    cwd=${REPOSITORY_ROOT}
+    ...    stdout=${CURDIR}/tmp/AWS-S3-Bucket-Objects-List.tmp
+    ...    stderr=${CURDIR}/tmp/AWS-S3-Bucket-Objects-List-stderr.tmp
+    Should Be Equal As Integers    ${result.rc}           0
+    Should Contain                 ${result.stdout}       stackql\-trial\-bucket\-02

test/robot/foreign-integration-traffic-lights/tmp/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

test/robot/reports-foreign-integration-traffic-lights/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore