Add indices:data/read/search/template/render to cluster permissions dropdown #212

Workflow file for this run

.github/workflows/cypress-test-oidc-e2e.yml at c12ed2f

	name: Snapshot based E2E OIDC tests workflow
	on:
	pull_request:
	branches: [ '**' ]
	env:
	OPENSEARCH_VERSION: '3.0.0'
	KEYCLOAK_VERSION: '21.0.1'
	TEST_KEYCLOAK_CLIENT_SECRET: 'oacHfNaXyy81r2uHq1A9RY4ASryre4rZ'
	CI: 1
	# avoid warnings like "tput: No value for $TERM and no -T specified"
	TERM: xterm
	PLUGIN_NAME: opensearch-security
	# This is the SHA256 checksum of the known good kc.sh script for Keycloak version 21.0.1.
	KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT: 'f825ea1a9ffa5ad91673737c06857ababbb69b6b8f09e0c637b4c998517f9608'
	OPENSEARCH_INITIAL_ADMIN_PASSWORD: myStrongPassword123!

	jobs:
	tests:
	name: Run Cypress E2E OIDC tests
	strategy:
	fail-fast: false
	matrix:
	os: [ ubuntu-latest ]
	runs-on: ${{ matrix.os }}

	steps:
	- name: Set up JDK
	uses: actions/setup-java@v1
	with:
	java-version: 11

	- name: Checkout Branch
	uses: actions/checkout@v3

	- name: Set env
	run: \|
	opensearch_version=$(node -p "require('./package.json').opensearchDashboards.version")
	plugin_version=$(node -p "require('./package.json').version")
	echo "OPENSEARCH_VERSION=$opensearch_version" >> $GITHUB_ENV
	echo "PLUGIN_VERSION=$plugin_version" >> $GITHUB_ENV
	shell: bash

	# Download and Check Keycloak Version
	- name: Download and Check Keyloak Version on Linux
	if: ${{ runner.os == 'Linux' }}
	run: \|
	echo "Downloading Keycloak ${{ env.KEYCLOAK_VERSION }}"
	wget https://github.com/keycloak/keycloak/releases/download/${{ env.KEYCLOAK_VERSION }}/keycloak-${{ env.KEYCLOAK_VERSION }}.tar.gz
	echo "Unpacking Keycloak"
	tar -xzf keycloak-${{ env.KEYCLOAK_VERSION }}.tar.gz
	cd keycloak-${{ env.KEYCLOAK_VERSION }}/bin
	echo "Generating checksum for the downloaded kc.sh script..."
	DOWNLOADED_CHECKSUM=$(sha256sum kc.sh \| awk '{print $1}')
	echo "Downloaded kc.sh checksum: $DOWNLOADED_CHECKSUM"
	echo "Known good kc.sh checksum: ${{ env.KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT }}"
	KNOWN_GOOD_CHECKSUM="${{ env.KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT }}"
	if [ "$DOWNLOADED_CHECKSUM" != "$KNOWN_GOOD_CHECKSUM" ]; then
	echo "Checksum mismatch. The kc.sh script does not match the known good version. Please check https://github.com/keycloak/keycloak and verify the updates."
	exit 1
	else
	echo "Checksum match confirmed. Proceeding with setup."
	fi
	chmod +x ./kc.sh

	# Setup and Run Keycloak
	- name: Get and run Keycloak on Linux
	if: ${{ runner.os == 'Linux' }}
	run: \|
	export KEYCLOAK_ADMIN=admin
	export KEYCLOAK_ADMIN_PASSWORD=admin
	cd keycloak-${{ env.KEYCLOAK_VERSION }}/bin
	echo "Starting keycloak"
	./kc.sh start-dev --http-enabled=true --hostname-strict-https=false --http-host=localhost --http-relative-path /auth --health-enabled=true &
	timeout 300 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:8080/auth/health)" != "200" ]]; do sleep 5; done'
	chmod +x kcadm.sh
	echo "Creating client"
	./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password admin
	CID=$(./kcadm.sh create clients -r master -s clientId=opensearch -s secret="${{ env.TEST_KEYCLOAK_CLIENT_SECRET }}" -s 'attributes."access.token.lifespan"=60' -s 'redirectUris=["http://localhost:5603/auth/openid/login", "http://localhost:5601", "http://localhost:5601/auth/openid/login"]' -i)
	./kcadm.sh get clients/$CID/installation/providers/keycloak-oidc-keycloak-json > tmp
	echo "Getting client secret for dashboards configuration purpose"
	CLIENT_SECRET=$(grep -o '"secret" : "[^"]' tmp \| grep -o '[^"]$')
	echo "KEYCLOAK_CLIENT_SECRET=$CLIENT_SECRET" >> $GITHUB_ENV
	echo "The client secret is: $CLIENT_SECRET"
	echo "Creating client mapper"
	./kcadm.sh create clients/$CID/protocol-mappers/models -r master -s 'config."id.token.claim"=true' -s 'config."multivalued"=true' -s 'config."claim.name"="roles"' -s 'config."userinfo.token.claim"=true' -s 'config."access.token.claim"=true' -s 'name=rolemapper' -s 'protocolMapper=oidc-usermodel-realm-role-mapper' -s "protocol=openid-connect"

	- name: Download security plugin and create setup scripts
	uses: ./.github/actions/download-plugin
	with:
	opensearch-version: ${{ env.OPENSEARCH_VERSION }}
	plugin-name: ${{ env.PLUGIN_NAME }}
	plugin-version: ${{ env.PLUGIN_VERSION }}

	# Download OpenSearch
	- name: Download OpenSearch for Linux
	uses: peternied/download-file@v2
	if: ${{ runner.os == 'Linux' }}
	with:
	url: https://artifacts.opensearch.org/snapshots/core/opensearch/${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/opensearch-min-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT-linux-x64-latest.tar.gz

	# Extract downloaded tar/zip
	- name: Extract downloaded tar
	if: ${{ runner.os == 'Linux' }}
	run: \|
	tar -xzf opensearch-*.tar.gz
	rm -f opensearch-*.tar.gz
	shell: bash

	# Install the security plugin
	- name: Install Plugin into OpenSearch for Linux
	if: ${{ runner.os == 'Linux'}}
	run: \|
	chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/bin/opensearch-plugin
	/bin/bash -c "yes \| ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/bin/opensearch-plugin install file:$(pwd)/opensearch-security.zip"
	shell: bash

	# Add OIDC Configuration
	- name: Injecting OIDC Configuration for Linux
	if: ${{ runner.os == 'Linux'}}
	run: \|
	echo "Creating new SAML configuration"
	cd ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/
	rm -rf config.yml
	cat << 'EOT' > config.yml
	---
	_meta:
	type: "config"
	config_version: 2
	config:
	dynamic:
	http:
	anonymous_auth_enabled: false
	authc:
	basic_internal_auth_domain:
	description: "Authenticate via HTTP Basic against internal users database"
	http_enabled: true
	transport_enabled: true
	order: 0
	http_authenticator:
	type: basic
	challenge: false
	authentication_backend:
	type: intern
	openid_auth_domain:
	http_enabled: true
	transport_enabled: true
	order: 1
	http_authenticator:
	type: openid
	challenge: false
	config:
	subject_key: preferred_username
	roles_key: roles
	openid_connect_url: http://localhost:8080/auth/realms/master/.well-known/openid-configuration
	authentication_backend:
	type: noop
	EOT
	echo "THIS IS THE SECURITY CONFIG FILE: "
	cat config.yml

	# Run any configuration scripts
	- name: Run Setup Script for Linux
	if: ${{ runner.os == 'Linux' }}
	run: \|
	echo "running linux setup"
	chmod +x ./setup.sh
	./setup.sh
	shell: bash

	# Run OpenSearch
	- name: Run OpenSearch with plugin on Linux
	if: ${{ runner.os == 'Linux'}}
	run: \|
	/bin/bash -c "./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/bin/opensearch &"
	shell: bash

	# Give the OpenSearch process some time to boot up before sending any requires, might need to increase the default time!
	- name: Sleep while OpenSearch starts
	uses: peternied/action-sleep@v1
	with:
	seconds: 30

	# Verify that the server is operational
	- name: Check OpenSearch Running on Linux
	if: ${{ runner.os != 'Windows'}}
	run: curl https://localhost:9200/_cat/plugins -u 'admin:${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}' -k -v
	shell: bash

	- if: always()
	run: cat ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/logs/opensearch.log
	shell: bash

	# OSD bootstrap
	- name: Run Dashboard with Security Dashboards Plugin
	uses: ./.github/actions/install-dashboards
	with:
	plugin_name: security-dashboards-plugin

	# Configure the Dashboard for OIDC setup
	- name: Configure and Run OpenSearch Dashboards with Cypress Test Cases
	if: ${{ runner.os == 'Linux' }}
	run: \|
	cd ./OpenSearch-Dashboards
	rm -rf ./config/opensearch_dashboards.yml
	cat << 'EOT' > ./config/opensearch_dashboards.yml
	server.host: "localhost"
	opensearch.hosts: ["https://localhost:9200"]
	opensearch.ssl.verificationMode: none
	opensearch.username: "kibanaserver"
	opensearch.password: "kibanaserver"
	opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
	opensearch_security.multitenancy.enabled: true
	opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
	opensearch_security.readonly_mode.roles: ["kibana_read_only"]
	opensearch_security.cookie.secure: false
	opensearch_security.openid.connect_url: "http://127.0.0.1:8080/auth/realms/master/.well-known/openid-configuration"
	opensearch_security.openid.client_id: "opensearch"
	opensearch_security.openid.client_secret: "${{ env.TEST_KEYCLOAK_CLIENT_SECRET }}"
	opensearch_security.auth.type: ["openid"]
	opensearch_security.auth.multiple_auth_enabled: true
	opensearch_security.ui.openid.login.buttonname: "OIDC"
	home.disableWelcomeScreen: true
	EOT
	echo 'HERE IS THE DASHBOARD CONFIG FILE: '
	cat ./config/opensearch_dashboards.yml
	nohup yarn start --no-base-path --no-watch \| tee dashboard.log &

	# Check if OSD is ready with a max timeout of 600 seconds
	- name : Check If OpenSearch Dashboards Is Ready
	if: ${{ runner.os == 'Linux' }}
	run: \|
	cd ./OpenSearch-Dashboards
	echo "Start checking OpenSearch Dashboards."
	for i in {1..60}; do
	if grep -q "bundles compiled successfully after" "dashboard.log"; then
	echo "OpenSearch Dashboards compiled successfully."
	break
	fi
	if [ $i -eq 60 ]; then
	echo "Timeout for 600 seconds reached. OpenSearch Dashboards did not finish compiling."
	exit 1
	fi
	sleep 10
	done

	- name: Run Cypress
	run : \|
	yarn add cypress --save-dev
	yarn cypress:run --browser chrome --headless --spec 'test/cypress/e2e/oidc/*.js'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add indices:data/read/search/template/render to cluster permissions dropdown #212

Workflow file

Add indices:data/read/search/template/render to cluster permissions dropdown #212

Jobs

Run details

Workflow file for this run