Add testing of SUMO accesses, using specific identities in each test (#…

…284)
equinor · Feb 6, 2024 · 35a9b56 · 35a9b56
1 parent 70fe5ca
commit 35a9b56
Show file tree

Hide file tree

Showing 10 changed files with 697 additions and 0 deletions.
diff --git a/.github/workflows/run_tests_access_drogon_manage_login.yaml b/.github/workflows/run_tests_access_drogon_manage_login.yaml
@@ -0,0 +1,49 @@
+name: Test access to Sumo with DROGON-MANAGE login
+
+on:
+  schedule:
+    - cron: "44 4 * * *"
+  workflow_dispatch:
+
+jobs:
+  build_pywheels:
+    name: PY ${{ matrix.python-version }} on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+        os: [ubuntu-latest]
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Azure Login
+        uses: Azure/login@v1
+        with:
+          client-id: 0f8ab6eb-439b-4d3a-b765-301a6bc7f6cb
+          tenant-id: 3aa4a235-b6e2-48d5-9195-7fcf05b459b0
+          allow-no-subscriptions: true
+
+      - name: Set up Python
+        uses: actions/setup-python@v3
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install fmu-sumo
+        run: >
+          python -m pip install --upgrade pip &&
+          python -m pip install .[test]
+      - name: Run tests
+        shell: bash
+        run: |
+          az --version
+          az account list
+          pip list | grep -i sumo
+          access_token=$(az account get-access-token --scope api://88d2b022-3539-4dda-9e66-853801334a86/.default --query accessToken --output tsv)
+          export ACCESS_TOKEN=$access_token
+
+          pytest -s --timeout=300 tests/test_access/tst_access_drogon_manage_login.py
+
diff --git a/.github/workflows/run_tests_access_drogon_read_login.yaml b/.github/workflows/run_tests_access_drogon_read_login.yaml
@@ -0,0 +1,49 @@
+name: Test access to Sumo with DROGON-READ login
+
+on:
+  schedule:
+    - cron: "24 4 * * *"
+  workflow_dispatch:
+
+jobs:
+  build_pywheels:
+    name: PY ${{ matrix.python-version }} on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+        os: [ubuntu-latest]
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Azure Login
+        uses: Azure/login@v1
+        with:
+          client-id: 121279f7-331a-45fd-9a5f-62d9026694a7
+          tenant-id: 3aa4a235-b6e2-48d5-9195-7fcf05b459b0
+          allow-no-subscriptions: true
+
+      - name: Set up Python
+        uses: actions/setup-python@v3
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install fmu-sumo
+        run: >
+          python -m pip install --upgrade pip &&
+          python -m pip install .[test]
+      - name: Run tests
+        shell: bash
+        run: |
+          az --version
+          az account list
+          pip list | grep -i sumo
+          access_token=$(az account get-access-token --scope api://88d2b022-3539-4dda-9e66-853801334a86/.default --query accessToken --output tsv)
+          export ACCESS_TOKEN=$access_token
+
+          pytest -s --timeout=300 tests/test_access/tst_access_drogon_read_login.py
+
diff --git a/.github/workflows/run_tests_access_drogon_write_login.yaml b/.github/workflows/run_tests_access_drogon_write_login.yaml
@@ -0,0 +1,49 @@
+name: Test access to Sumo with DROGON-WRITE login
+
+on:
+  schedule:
+    - cron: "34 4 * * *"
+  workflow_dispatch:
+
+jobs:
+  build_pywheels:
+    name: PY ${{ matrix.python-version }} on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+        os: [ubuntu-latest]
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Azure Login
+        uses: Azure/login@v1
+        with:
+          client-id: 556cac03-e416-4ed6-86d7-d9d3f965d72e
+          tenant-id: 3aa4a235-b6e2-48d5-9195-7fcf05b459b0
+          allow-no-subscriptions: true
+
+      - name: Set up Python
+        uses: actions/setup-python@v3
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install fmu-sumo
+        run: >
+          python -m pip install --upgrade pip &&
+          python -m pip install .[test]
+      - name: Run tests
+        shell: bash
+        run: |
+          az --version
+          az account list
+          pip list | grep -i sumo
+          access_token=$(az account get-access-token --scope api://88d2b022-3539-4dda-9e66-853801334a86/.default --query accessToken --output tsv)
+          export ACCESS_TOKEN=$access_token
+
+          pytest -s --timeout=300 tests/test_access/tst_access_drogon_write_login.py
+
diff --git a/.github/workflows/run_tests_access_no_access_login.yaml b/.github/workflows/run_tests_access_no_access_login.yaml
@@ -0,0 +1,49 @@
+name: Test access to Sumo with NO-ACCESS login
+
+on:
+  schedule:
+    - cron: "54 4 * * *"
+    workflow_dispatch:
+
+jobs:
+  build_pywheels:
+    name: PY ${{ matrix.python-version }} on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        python-version: ["3.11"]
+        os: [ubuntu-latest]
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Azure Login
+        uses: Azure/login@v1
+        with:
+          client-id: fea86a50-0f48-4cef-ba4d-1d789a00b701
+          tenant-id: 3aa4a235-b6e2-48d5-9195-7fcf05b459b0
+          allow-no-subscriptions: true
+
+      - name: Set up Python
+        uses: actions/setup-python@v3
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install fmu-sumo
+        run: >
+          python -m pip install --upgrade pip &&
+          python -m pip install .[test]
+      - name: Run tests
+        shell: bash
+        run: |
+          az --version
+          az account list
+          pip list | grep -i sumo
+          access_token=$(az account get-access-token --scope api://88d2b022-3539-4dda-9e66-853801334a86/.default --query accessToken --output tsv)
+          export ACCESS_TOKEN=$access_token
+
+          pytest -s --timeout=300 tests/test_access/tst_access_no_access_login.py
+
diff --git a/tests/data/test_case_080/case2.json b/tests/data/test_case_080/case2.json
@@ -0,0 +1,64 @@
+{
+  "$schema": "https://main-fmu-schemas-dev.radix.equinor.com/schemas/0.8.0/fmu_results.json",
+  "version": "0.8.0",
+  "source": "fmu",
+  "class": "case",
+  "access": {
+    "asset": {
+      "name": "Drogon"
+    }
+  },
+  "fmu": {
+    "model": {
+      "name": "ff",
+      "revision": "undefined"
+    },
+    "case": {
+      "name": "01_drogon_design_hubbabubba",
+      "uuid": "11111111-2222-3333-ba2a-afe535790707",
+      "user": {
+        "id": "some_user_01"
+      },
+      "description": []
+    }
+  },
+  "masterdata": {
+    "smda": {
+      "country": [
+        {
+          "identifier": "Norway",
+          "uuid": "ad214d85-8a1d-19da-e053-c918a4889309"
+        }
+      ],
+      "discovery": [
+        {
+          "short_identifier": "DROGON",
+          "uuid": "ad214d85-8a1d-19da-e053-c918a4889309"
+        }
+      ],
+      "field": [
+        {
+          "identifier": "DROGON",
+          "uuid": "00000000-0000-0000-0000-000000000000"
+        }
+      ],
+      "coordinate_system": {
+        "identifier": "ST_WGS84_UTM37N_P32637",
+        "uuid": "ad214d85-dac7-19da-e053-c918a4889309"
+      },
+      "stratigraphic_column": {
+        "identifier": "DROGON_HAS_NO_STRATCOLUMN",
+        "uuid": "00000000-0000-0000-0000-000000000000"
+      }
+    }
+  },
+  "tracklog": [ 
+    {
+        "datetime": "2024-02-06T07:01:40.564169+00:00",
+        "user": {
+          "id": "some_user"
+        },
+        "event": "created"
+      }
+  ]
+}
diff --git a/tests/test_access/README.md b/tests/test_access/README.md
@@ -0,0 +1,41 @@
+# Testing access to SUMO
+
+Tests in this folder shall be run inside Github Actions as specific 
+users with specific access. Each test file is tailored for a specific 
+user with either no-access, DROGON-READ, DROGON-WRITE or DROGON-MANAGE.
+Since you as a developer have different accesses, many tests will fail
+if you run them as yourself. 
+
+There are pytest skip decorators to avoid running these tests
+outside Github Actions. 
+In addition, the file names use the non-standard 'tst' over 'test' to avoid being picked 
+up by a call to pytest. 
+
+Print statements are used to ensure the Github Actions run provide 
+information that can be used for debugging. 
+
+Use allow-no-subscriptions flag to avoid having to give the App Registrations access to some resource inside the subscription itself. Example: 
+```
+      - name: Azure Login
+        uses: Azure/login@v1
+        with:
+          client-id: <relevant App Registration id here>
+          tenant-id: 3aa4a235-b6e2-48d5-9195-7fcf05b459b0
+          allow-no-subscriptions: true
+```
+
+If you want to run the tests on your laptop, using bash:
+export GITHUB_ACTIONS="true"
+
+In theory you could run locally as the App Registration / Service Principal but I 
+do not think the sumo-wrapper-python makes it possible:
+```
+az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant> --allow-no-subscriptions
+```
+
+Relevant App Registrations:
+
+* sumo-test-runner-no-access No access
+* sumo-test-runner-drogon-read DROGON-READ
+* sumo-test-runner-drogon-write DROGON-WRITE
+* sumo-test-runner-drogon-manage DROGON-MANAGE