security-dashboards-plugin/.github/workflows/cypress-test-resource-sharing-enabled-e2e.yml at main · stackabletech/security-dashboards-plugin · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
name: E2E Resource Access Management Cypress Tests

on: [ push, pull_request ]

env:
  CI: 1
  # avoid warnings like "tput: No value for $TERM and no -T specified"
  TERM: xterm
  PLUGIN_NAME: opensearch-security
  OPENSEARCH_INITIAL_ADMIN_PASSWORD: myStrongPassword123!

jobs:
  tests:
    name: Run Cypress resource-access-management tests
    strategy:
      fail-fast: false
      matrix:
        os: [ ubuntu-latest ]
    runs-on: ${{ matrix.os }}

    steps:
      - name: Checkout Branch
        uses: actions/checkout@v6

      - name: Set up JDK 21 for build
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: '21'

      - name: Set env
        run: |
          opensearch_version=$(node -p "require('./package.json').opensearchDashboards.version")
          plugin_version=$(node -p "require('./package.json').version")
          echo "OPENSEARCH_VERSION=$opensearch_version" >> $GITHUB_ENV
          echo "PLUGIN_VERSION=$plugin_version" >> $GITHUB_ENV
        shell: bash

      - name: Download security plugin and create setup scripts
        uses: ./.github/actions/download-plugin
        with:
          opensearch-version: ${{ env.OPENSEARCH_VERSION }}
          plugin-name: ${{ env.PLUGIN_NAME }}
          plugin-version: ${{ env.PLUGIN_VERSION }}
          download-location: ${{env.PLUGIN_NAME}}

      # build sample-resource-plugin from source (Linux runner)
      - name: Build sample-resource-plugin (server)
        shell: bash
        run: |
          set -euo pipefail
          OSV="${OPENSEARCH_VERSION}"
          # Map 3.2.0[-anything] -> 3.2
          SEC_REF="$(echo "$OSV" | sed -E 's/^([0-9]+)\.([0-9]+).*/\1.\2/')"
          echo "Derived security repo ref: $SEC_REF (from $OSV)"

          # Prefer branch/tag = X.Y; fall back to main if not found
          if git ls-remote --exit-code --heads https://github.com/opensearch-project/security.git "$SEC_REF" >/dev/null 2>&1 \
            || git ls-remote --exit-code --tags  https://github.com/opensearch-project/security.git "$SEC_REF"  >/dev/null 2>&1; then
            REF="$SEC_REF"
          else
            echo "Ref $SEC_REF not found; falling back to main"
            REF="main"
          fi

          git clone --depth 1 --branch "$REF" https://github.com/opensearch-project/security.git security-src

          pushd security-src
            chmod +x ./gradlew
            # Build the sample resource plugin
            ./gradlew :opensearch-sample-resource-plugin:assemble
            ZIP_PATH=$(ls -t sample-resource-plugin/build/distributions/*.zip | head -n1)
            echo "Built sample plugin: $ZIP_PATH"
            cp "$ZIP_PATH" "$GITHUB_WORKSPACE/sample-resource-plugin.zip"
          popd

          echo "SAMPLE_PLUGIN_ZIP=$GITHUB_WORKSPACE/sample-resource-plugin.zip" >> "$GITHUB_ENV"


      - name: Run Opensearch with security + sample resource plugin
        uses: derek-ho/start-opensearch@v9
        with:
          opensearch-version: ${{ env.OPENSEARCH_VERSION }}
          plugins: "file:$(pwd)/opensearch-security.zip,file:${{ env.SAMPLE_PLUGIN_ZIP }}"
          security-enabled: true
          admin-password: ${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}
          jdk-version: 21
          resource-sharing-enabled: true

      - name: Check OpenSearch is running
        run: |
          curl https://localhost:9200/_cat/plugins -v -u admin:${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }} -k
        shell: bash

      # OSD bootstrap
      - name: Setup Dashboard with Security Dashboards Plugin
        uses: derek-ho/setup-opensearch-dashboards@v3
        with:
          plugin_name: security-dashboards-plugin

      - name: Compile OpenSearch Dashboards
        run: |
          node scripts/build_opensearch_dashboards_platform_plugins --no-examples --workers=10 --verbose
        shell: bash
        working-directory: OpenSearch-Dashboards

      - name: Create OpenSearch Dashboards Config
        if: ${{ runner.os == 'Linux' }}
        run: |
          cat << 'EOT' > resource_sharing_config.yml
          server.host: "localhost"
          opensearch.hosts: ["https://localhost:9200"]
          opensearch.ssl.verificationMode: none
          opensearch.username: "kibanaserver"
          opensearch.password: "kibanaserver"
          opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
          opensearch_security.multitenancy.enabled: true
          opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
          opensearch_security.readonly_mode.roles: ["kibana_read_only"]
          opensearch_security.cookie.secure: false
          data_source.enabled: true
          home.disableWelcomeScreen: true
          EOT
        shell: bash

      - name: Replace opensearch_dashboards.yml
        run: |
            mv resource_sharing_config.yml $GITHUB_WORKSPACE/OpenSearch-Dashboards/config/opensearch_dashboards.yml
        shell: bash

      - name: Run OpenSearch Dashboards
        run: |
          nohup yarn start --no-base-path --no-watch --csp.warnLegacyBrowsers=false | tee dashboard.log &
        shell: bash
        working-directory: OpenSearch-Dashboards

      # Check if OSD is ready with a max timeout of 300 seconds
      - name: Wait for OpenSearch Dashboards (status API)
        shell: bash
        working-directory: OpenSearch-Dashboards
        env:
          OSD_URL: http://localhost:5601
          OSD_USER: admin
          OSD_PASS: ${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}
        run: |
          set -euo pipefail
          TIMEOUT=300
          INTERVAL=5
          end=$((SECONDS + TIMEOUT))

          echo "Waiting up to ${TIMEOUT}s for ${OSD_URL}/api/status ..."
          while (( SECONDS < end )); do
            out="$(curl -s -k -u "${OSD_USER}:${OSD_PASS}" -H 'kbn-xsrf: true' \
                    -w 'HTTPSTATUS:%{http_code}' "${OSD_URL}/api/status" || true)"
            code="${out##*HTTPSTATUS:}"
            body="${out%HTTPSTATUS:*}"

            # Ready when HTTP 200 AND overall.state === "green"
            if [ "${code:-}" = "200" ] && printf '%s' "${body:-}" | grep -Eiq '"state"[[:space:]]*:[[:space:]]*"green"'; then
              echo "OpenSearch Dashboards status is green (HTTP ${code})."
              exit 0
            fi
            sleep "${INTERVAL}"
          done

          echo "Timed out after ${TIMEOUT}s waiting for OpenSearch Dashboards status."
          echo "Last 200 lines of dashboard.log:"
          tail -n 200 dashboard.log || true
          exit 1


      - name: Run Cypress Tests with retry
        uses: Wandalen/wretry.action@v3.8.0
        with:
          attempt_limit: 5
          attempt_delay: 2000
          command: |
            cd ./OpenSearch-Dashboards/plugins/security-dashboards-plugin
            yarn add cypress --save-dev
            eval 'CYPRESS_VERIFY_TIMEOUT=60000 yarn cypress:run --browser chrome --headless --env LOGIN_AS_ADMIN=true --spec "test/cypress/e2e/resource-sharing/resource_access_management.spec.ts"'