diff --git a/bin/smoke-em.sh b/bin/smoke-em.sh index a754942..d192b75 100755 --- a/bin/smoke-em.sh +++ b/bin/smoke-em.sh @@ -26,21 +26,30 @@ CLEAR_LINE="\e[2K" SOUND_ENDPOINT_RE="successful (100%)" +ENDPOINTS=$BASE/etc/endpoints + OUTPUT_DESCRIPTION="stdout" QUIET=0 -while getopts "h?s:m:xp:qS:" opt; do +VO="dteam" +while getopts "h?e:s:m:xo:p:qv:S:" opt; do case "$opt" in h|\?) - echo "$0 -x [-s [-m ]] [-p ] [-S ]" + echo "$0 -x [-s [-m ]] [-p ] [-S ] [-o ]" echo + echo " -e endpoint file (defaults to etc/endpoints)" echo " -s send report as an email to " echo " -m use 'mail' or 'thunderbird' to send email" echo " -x use extended tests, if supported" echo " -p use for persistent state" echo " -q limit output to errors and prompts" + echo " -v specify the VO to use for the tests" echo " -S skip endpoints listed in " + echo " -o use token auth from oidc-agent account " exit 0 ;; + e) + ENDPOINTS="$OPTARG" + ;; s) sendEmail="$OPTARG" OUTPUT_DESCRIPTION="emailing" @@ -51,12 +60,18 @@ while getopts "h?s:m:xp:qS:" opt; do x) EXTENDED_TESTS=1 ;; + o) + OIDC_AGENT_ACCOUNT="$OPTARG" + ;; p) persistentState="$OPTARG" ;; q) QUIET=1 ;; + v) + VO="$OPTARG" + ;; S) MANUAL_SKIP_FILE="$OPTARG" [ -f "$MANUAL_SKIP_FILE" ] || fatal No such file $MANUAL_SKIP_FILE @@ -143,10 +158,9 @@ runTests() { STARTED_AT=$(date +%s) - - TOTAL=$(wc -l $BASE/etc/endpoints|awk '{print $1}') + TOTAL=$(wc -l $ENDPOINTS|awk '{print $1}') COUNT=0 - cat $BASE/etc/endpoints | while read name type workarounds url; do + cat $ENDPOINTS | while read name type workarounds url; do if [ $EXTENDED_TESTS -eq 1 ]; then case $type in dCache|DPM|StoRM) @@ -160,6 +174,14 @@ runTests() { options="-f" fi + if [ ! -z "$OIDC_AGENT_ACCOUNT" ]; then + options="$options -t wlcg -o $OIDC_AGENT_ACCOUNT" + fi + + if [ ! -z "$VO" ]; then + options="$options -v $VO" + fi + if [[ "$workarounds" == *L* ]]; then options="$options -L" fi 
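Review bot: The new `e)` arm stores `$OPTARG` without checking that the file exists, unlike the `S)` arm further down, which calls `fatal` when its file is missing. The value then reaches `wc -l $ENDPOINTS` and `cat $ENDPOINTS` in runTests unquoted, so a path containing whitespace or glob characters is split or expanded before either tool sees it. I would add `[ -f "$ENDPOINTS" ] || fatal "No such file $ENDPOINTS"` to the arm and quote both uses, `wc -l "$ENDPOINTS"` and `cat "$ENDPOINTS"`. The same quoting applies to `voms-proxy-info --acexists "$VO"` in the hunk at new line 397, where `$VO` is now user-supplied.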
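Review bot: `OIDC_AGENT_ACCOUNT` is tested with `[ ! -z "$OIDC_AGENT_ACCOUNT" ]` in the runTests hunk but, unlike `VO`, it is given no initial value in the option-parsing hunk, so a value inherited from the caller's environment would add `-t wlcg -o ...` to every endpoint even when `-o` was not passed. If that is not intended, set `OIDC_AGENT_ACCOUNT=""` next to `VO="dteam"`. The account and VO are also appended to the `options` string as-is; assuming `options` is later expanded unquoted (not visible here), a value containing whitespace or a leading `-` becomes extra arguments to smoke-test.sh, so either reject such values in the `o)` and `v)` arms or build `options` as an array. runTests starts and ends outside the hunk.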
@@ -375,7 +397,7 @@ sendEmail() { # $1 - email address, $2 - subject voms-proxy-info -e >/dev/null 2>&1 || fatal "Need valid X.509 proxy" voms-proxy-info -e -hours 1 >/dev/null 2>&1 || fatal "X.509 proxy expires too soon" -voms-proxy-info --acexists dteam 2>/dev/null || fatal "X.509 proxy does not assert dteam membership" +voms-proxy-info --acexists $VO 2>/dev/null || fatal "X.509 proxy does not assert $VO membership" loadManualSkipped downloadGocDbDowntimeInfo diff --git a/bin/smoke-test.sh b/bin/smoke-test.sh index 74eb752..825abc3 100755 --- a/bin/smoke-test.sh +++ b/bin/smoke-test.sh @@ -58,7 +58,7 @@ extended=0 tokenType=macaroon workarounds="" debugOutput=0 -vo=dteam +vo=${SMOKE_TEST_VO:-dteam} withColour() { RESET="\x1B[0m" @@ -528,6 +528,34 @@ requestMacaroon() { # $1 Caveats, $2 URL, $3 variable for macaroon, $4 variable eval $3="$macaroon" } +requestWlcgToken() { # $1 oidc-agent account name, $2 audience, $3 variable for token, $4 token for result. + # Fallback to failing unless we specify otherwise. + eval $4=1 + lastTestFailed=0 + + echo -n "Requesting token from account $1 for audience $2: " + + token=$(oidc-token $1 --aud $2) + eval $3="$token" + if [ -z "$token" ]; then + fail "Token request failed" + eval $4=3 + return + fi + + local body=$(echo -n $token | tr '.' ' ' | awk '{print $2;}' | base64 --decode 2>/dev/null) + debug "Returned token body is $body" + audience="$(echo -n $body | jq -r .aud )" + if [ "$audience" != "$2" ]; then + fail "Issuer returned incorrect audience (desired $2; returned $audience)" + eval $4=2 + return + fi + + eval $4=0 + success +} + requestSciToken() { # $1 Scopes, $2 Issuer URL, $3 variable for token, $4 variable for result local target_scitoken=$(mktemp) local scitoken_json=$(mktemp) 
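Review bot: In requestWlcgToken, `eval $3="$token"` re-parses the output of `oidc-token` as shell source, so any whitespace or metacharacter in that output is interpreted rather than stored; `printf -v "$3" '%s' "$token"` assigns it without evaluation (bash only; the shebang is outside this hunk). The payload decode is also fragile: JWT segments are unpadded base64url, which `base64 --decode` can reject or truncate, and with stderr discarded that surfaces as a misleading "incorrect audience" failure. `$1` and `$2` reach `oidc-token` unquoted, `token` and `audience` are not `local`, and `local body=$(...)` hides the pipeline's exit status. The header comment should read `$4 variable for result`, and since `aud` may be a list rather than a string the plain string comparison deserves a comment or a `jq` test for membership.

```shell
requestWlcgToken() { # $1 oidc-agent account name, $2 audience, $3 variable for token, $4 variable for result
    # … unchanged: default result, lastTestFailed reset, progress message …

    local token payload body audience
    token=$(oidc-token "$1" --aud "$2")
    printf -v "$3" '%s' "$token"
    # … unchanged: empty-token failure branch …

    # JWT segments are unpadded base64url: map the alphabet and restore padding before decoding.
    payload=$(printf '%s' "$token" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#payload} % 4 )) in
        2) payload="$payload==" ;;
        3) payload="$payload=" ;;
    esac
    body=$(printf '%s' "$payload" | base64 --decode 2>/dev/null)
    debug "Returned token body is $body"
    audience=$(printf '%s' "$body" | jq -r '.aud')
    # … unchanged: audience comparison, result assignment, success …
```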
@@ -580,7 +608,7 @@ done # Check if stdout is sent to a terminal, or redirect to a file. if [ -t 1 ] ; then withColour; else withoutColour; fi -while getopts "h?t:v:p:r:u:s:fxlLCcd2" opt; do +while getopts "h?t:v:o:p:r:u:s:fxlLCcd2" opt; do case "$opt" in h|\?) echo "$0 [-f] [-x] [-c] [-C] [-L] [-2] [-t ] [-d] [-v ] [-p ] [-u ] [-s ] URL" @@ -592,13 +620,14 @@ while getopts "h?t:v:p:r:u:s:fxlLCcd2" opt; do echo " -l Disable location-trusted work-around" echo " -L Enable location-trusted work-around" echo " -2 Force client not to use TLS v1.3 as work-around" - echo " -t Use for non-X.509 authn to target" + echo " -t Use for non-X.509 authn to target (valid values: macaroon, scitoken, wlcg)" echo " -d Include additional logging" echo " -v Test as member of VO " echo " -p Use as the public link for TPC PULL" echo " -r Use as the VO-private link for TPC PULL" echo " -u Use as the base for HTTP PUSH" echo " -s SciToken server" + echo " -o oidc-agent account name (for use with wlcg tokens)" echo echo "Defaults:" echo " -p $THIRDPARTY_UNAUTHENTICATED_URL" @@ -644,8 +673,11 @@ while getopts "h?t:v:p:r:u:s:fxlLCcd2" opt; do scitoken) tokenType=SciToken ;; + wlcg) + tokenType=WlcgToken + ;; *) - fatal "Unknown token type \"$OPTARG\". Must be one of \"macaroon\" or \"scitoken\"" + fatal "Unknown token type \"$OPTARG\". Must be one of \"macaroon\", \"wlcg\", or \"scitoken\"" ;; esac ;; @@ -655,6 +687,9 @@ while getopts "h?t:v:p:r:u:s:fxlLCcd2" opt; do v) vo=$OPTARG ;; + o) + OIDC_AGENT_ACCOUNT=$OPTARG + ;; p) THIRDPARTY_UNAUTHENTICATED_URL=$OPTARG ;; @@ -808,6 +843,8 @@ if [ $CURL_HAS_CONNECT_TO -eq 0 ]; then echo "WARNING: curl does not support --connect-to; not specifying an IP address" IP_ADDRESS_COUNT=1 ALL_IP_ADDRESSES=$(echo "$ALL_IP_ADDRESSES" | awk '{print $1;}') + echo "WARNING: curl does not support --tls-max; not using" + GOLDEN_ENDPOINT_EXTRA_OPTIONS="" fi 
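Review bot: The added warning and `GOLDEN_ENDPOINT_EXTRA_OPTIONS=""` in the hunk at new line 843 sit inside the `if [ $CURL_HAS_CONNECT_TO -eq 0 ]` branch, so support for `--tls-max` is inferred from the `--connect-to` probe rather than tested itself. The two options were not introduced in the same curl release, so a curl that has `--connect-to` but lacks `--tls-max` would still be handed the option, and the warning is tied to the wrong capability. Assuming `GOLDEN_ENDPOINT_EXTRA_OPTIONS` carries the TLS version cap (its assignment is outside the hunk), a separate check for `--tls-max`, written the same way `CURL_HAS_CONNECT_TO` is computed, should guard this reset. The enclosing `if` starts outside the hunk.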
@@ -818,6 +855,12 @@ case $tokenType in unset NON_SUT_TEST ;; + WlcgToken) + NON_SUT_TEST=1 + requestWlcgToken "$OIDC_AGENT_ACCOUNT" "https://$HOST_PORT" TARGET_TOKEN tokenFailed + unset NON_SUT_TEST + ;; + macaroon) tokenFailed=1 ;; diff --git a/etc/token-endpoints b/etc/token-endpoints new file mode 100644 index 0000000..866fc8d --- /dev/null +++ b/etc/token-endpoints @@ -0,0 +1,4 @@ +NEBRASKA xrootd-D/HDFS - https://red-gridftp1.unl.edu:1094/user/dteam +CERN-EOSPPS EOS - https://eospps.cern.ch:443/eos/opstest/tpc/https +DESY-PROM-DCA dCache - https://prometheus.desy.de:2443/VOs/dteam +PRAGUELCG2-DPM DPM - https://golias100.farm.particle.cz:443/dpm/farm.particle.cz/home/dteam diff --git a/etc/wlcg-token-endpoints b/etc/wlcg-token-endpoints new file mode 100644 index 0000000..e142f11 --- /dev/null +++ b/etc/wlcg-token-endpoints @@ -0,0 +1,6 @@ +NEBRASKA xrootd-D/HDFS - https://red-gridftp1.unl.edu:1094/user/dteam +CERN-EOSPPS EOS - https://eospps.cern.ch:443/eos/opstest/tpc/https +DESY-PROM-DCA dCache - https://prometheus.desy.de:2443/VOs/wlcg +INFN-T1-STO SToRM - https://xfer.cr.cnaf.infn.it:8443/wlcg +PRAGUELCG2-DPM DPM - https://golias100.farm.particle.cz:443/dpm/farm.particle.cz/home/wlcg +MANCHESTER DPM - https://vm33.in.tier2.hep.manchester.ac.uk/dpm/tier2.hep.manchester.ac.uk/home/wlcg
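Review bot: The `WlcgToken)` arm calls `requestWlcgToken "$OIDC_AGENT_ACCOUNT" ...` without checking that `-o` was given, so `-t wlcg` on its own runs `oidc-token` without an account name and the user sees only the generic "Token request failed". A guard before the call makes the misuse explicit: `[ -n "$OIDC_AGENT_ACCOUNT" ] || fatal "Token type wlcg requires -o ACCOUNT"`. The `case` statement starts and ends outside the hunk.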
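Review bot: The INFN-T1-STO entry in etc/wlcg-token-endpoints spells its type `SToRM`, while the extended-test match in bin/smoke-em.sh is `dCache|DPM|StoRM)` and shell `case` patterns are case-sensitive. With `-x` this endpoint would therefore not match that arm. If that is not intended, change the type field to `StoRM`.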