Remove requestor dependency from client creds rotation test (uc-cdis#950)

Author: paulineribeyre

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/Yelp/detect-secrets.git
-    rev: v1.0.3
+    rev: v1.4.0
     hooks:
     - id: detect-secrets
       args: ['--baseline', '.secrets.baseline']

.secrets.baseline

@@ -1,5 +1,5 @@
 {
-  "version": "1.0.3",
+  "version": "1.4.0",
   "plugins_used": [
     {
       "name": "ArtifactoryDetector"
@@ -80,6 +80,12 @@
     {
       "path": "detect_secrets.filters.heuristic.is_likely_id_string"
     },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
     {
       "path": "detect_secrets.filters.heuristic.is_potential_uuid"
     },
@@ -89,6 +95,9 @@
     {
       "path": "detect_secrets.filters.heuristic.is_sequential_string"
     },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
     {
       "path": "detect_secrets.filters.heuristic.is_templated_secret"
     },
@@ -100,24 +109,6 @@
     }
   ],
   "results": {
-    "README.md": [
-      {
-        "type": "Secret Keyword",
-        "filename": "README.md",
-        "hashed_secret": "398ec9c29cf195ff9202bd85b75002adc88832c3",
-        "is_verified": false,
-        "line_number": 154
-      }
-    ],
-    "getAccessToken.sh": [
-      {
-        "type": "Secret Keyword",
-        "filename": "getAccessToken.sh",
-        "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f",
-        "is_verified": false,
-        "line_number": 21
-      }
-    ],
     "load-testing/grafana/grafana-provisioning/datasources/datasource.yml": [
       {
         "type": "Secret Keyword",
@@ -136,15 +127,6 @@
         "line_number": 66
       }
     ],
-    "load-testing/sample-descriptors/load-test-metadata-service-create-and-query-sample.json": [
-      {
-        "type": "Secret Keyword",
-        "filename": "load-testing/sample-descriptors/load-test-metadata-service-create-and-query-sample.json",
-        "hashed_secret": "dd29ecf524b030a65261e3059c48ab9e1ecb2585",
-        "is_verified": false,
-        "line_number": 22
-      }
-    ],
     "services/portal/studyViewer/studyViewerProps.js": [
       {
         "type": "Base64 High Entropy String",
@@ -313,22 +295,22 @@
         "line_number": 24
       }
     ],
-    "suites/apis/presignedUrlTest.js": [
+    "suites/apis/oidcClientTest.js": [
       {
         "type": "Hex High Entropy String",
-        "filename": "suites/apis/presignedUrlTest.js",
+        "filename": "suites/apis/oidcClientTest.js",
         "hashed_secret": "62bd0c4d3a6b445b13212d23500a7f0916757c3e",
         "is_verified": false,
-        "line_number": 13
+        "line_number": 97
       }
     ],
-    "suites/apis/rasIntegrationTest.js": [
+    "suites/apis/presignedUrlTest.js": [
       {
-        "type": "Secret Keyword",
-        "filename": "suites/apis/rasIntegrationTest.js",
-        "hashed_secret": "f44217a81173869e08671753c52553646ff5d95b",
+        "type": "Hex High Entropy String",
+        "filename": "suites/apis/presignedUrlTest.js",
+        "hashed_secret": "62bd0c4d3a6b445b13212d23500a7f0916757c3e",
         "is_verified": false,
-        "line_number": 10
+        "line_number": 13
       }
     ],
     "suites/batch/GoogleBucketManifestGenerationTest.js": [
@@ -363,6 +345,15 @@
         "line_number": 32
       }
     ],
+    "suites/coremetadata/testPlan.md": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": "suites/coremetadata/testPlan.md",
+        "hashed_secret": "c9705c520825a1682dac6283066f577c950844bf",
+        "is_verified": false,
+        "line_number": 25
+      }
+    ],
     "suites/google/googleDataAccessTest.js": [
       {
         "type": "Hex High Entropy String",
@@ -379,6 +370,15 @@
         "line_number": 62
       }
     ],
+    "suites/google/googleServiceAccountKeyTest.js": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": "suites/google/googleServiceAccountKeyTest.js",
+        "hashed_secret": "5e7cb7af2f82537bd0716cb4e821ffe25064af6f",
+        "is_verified": false,
+        "line_number": 193
+      }
+    ],
     "suites/portal/indexingPageTest.js": [
       {
         "type": "Hex High Entropy String",
@@ -388,13 +388,13 @@
         "line_number": 18
       }
     ],
-    "suites/portal/rasAuthN.js": [
+    "suites/pre-release/dcf/3.googleCredentialsTest.js": [
       {
-        "type": "Secret Keyword",
-        "filename": "suites/portal/rasAuthN.js",
-        "hashed_secret": "f44217a81173869e08671753c52553646ff5d95b",
+        "type": "Hex High Entropy String",
+        "filename": "suites/pre-release/dcf/3.googleCredentialsTest.js",
+        "hashed_secret": "1ffff910318085530fb395f27ec73a52084f0685",
         "is_verified": false,
-        "line_number": 11
+        "line_number": 119
       }
     ],
     "utils/user.js": [
@@ -407,5 +407,5 @@
       }
     ]
   },
-  "generated_at": "2023-04-21T03:56:11Z"
+  "generated_at": "2023-05-01T21:15:31Z"
 }

services/apis/indexd/indexdTasks.js

@@ -31,7 +31,7 @@ module.exports = {
    *                 user account (mainAcct)'s access token
    * @returns {Array<Promise<>>}
    */
-  async addFileIndices(files, authHeaders = user.mainAcct.indexdAuthHeader) {
+  async addFileIndices(files, authHeaders = user.mainAcct.indexdAuthHeader, ignoreFailures = true) {
     authHeaders['Content-Type'] = 'application/json; charset=UTF-8';
     const promiseList = files.map((file) => {
       if (!file.did) {
@@ -79,9 +79,13 @@ module.exports = {
       async () => Promise.all(promiseList).then(
         () => true,
         (v) => {
-          console.log('Some of the indexd submissions failed?  Ignoring failure ...', v);
-          // succeed anyway - this thing is flaky for some reason
-          return true;
+          if (ignoreFailures) {
+            console.log('Some of the indexd submissions failed?  Ignoring failure ...', v);
+            // succeed anyway - this thing is flaky for some reason
+            return true;
+          } else {
+            return false;
+          }
         },
       )
     )();

suites/apis/oidcClientTest.js

@@ -61,7 +61,7 @@ Scenario('OIDC Client Expiration @clientExpiration', async ({ I, fence }) => {
 });
 
 
-Scenario('OIDC Client Rotation @clientRotation', async ({ I, fence, requestor }) => {
+Scenario('OIDC Client Rotation @clientRotation @requires-indexd', async ({ I, fence, indexd }) => {
   const clientName = 'jenkinsClientTester';
   console.log(`  Creating client '${clientName}'`);
   const creds1 = new Client({
@@ -90,28 +90,22 @@ Scenario('OIDC Client Rotation @clientRotation', async ({ I, fence, requestor })
 
   // check that both sets of credentials work:
   // - we can get an access token using the creds
-  // - the token should have access to create a request in requestor, as stated in the user.yaml
+  // - the token should have access to create a record in indexd, as stated in the user.yaml
+  const indexdRecord = {
+    filename: 'testfile',
+    size: 9,
+    md5: '73d643ec3f4beb9020eef0beed440ad0',
+    urls: ['s3://mybucket/testfile'],
+    authz: ['/programs/jnkns/projects/jenkins'],
+  };
   console.log('Checking credentials obtained before rotating...');
   const client1AccessToken = await fence.do.getAccessTokenWithClientCredentials(creds1.id, creds1.secret);
-  let createRequest = await I.sendPostRequest(
-    `${requestor.props.endpoint.requestEndPoint}`,
-    {
-      username: "test-client-rotation-user",
-      policy_id: 'requestor_client_credentials_test',
-    },
-    getAccessTokenHeader(client1AccessToken),
-  );
-  expect(createRequest, 'The token generated with the old creds should have access').to.have.property('status', 201);
+  let ok = await indexd.do.addFileIndices([indexdRecord], getAccessTokenHeader(client1AccessToken), false);
+  expect(ok, 'The token generated with the old creds should have access').to.be.true;
 
   console.log('Checking credentials obtained after rotating...');
+  delete indexdRecord.did; // reset the GUID so a new record is created
   const client2AccessToken = await fence.do.getAccessTokenWithClientCredentials(creds2.client_id, creds2.client_secret);
-  createRequest = await I.sendPostRequest(
-    `${requestor.props.endpoint.requestEndPoint}`,
-    {
-      username: "test-client-rotation-user",
-      policy_id: 'requestor_client_credentials_test',
-    },
-    getAccessTokenHeader(client2AccessToken),
-  );
-  expect(createRequest, 'The token generated with the new creds should have access').to.have.property('status', 201);
+  ok = await indexd.do.addFileIndices([indexdRecord], getAccessTokenHeader(client2AccessToken), false);
+  expect(ok, 'The token generated with the new creds should have access').to.be.true;
 });