Implement OAuth in the modern test framework (#1410)

* Configure Azure Pipelines for OAuth on E2E

* Handle separate source/destination request lists

* Reduce surface area of oauth testing

* Update function signatures

* Fix panic

* Set OAuth info

* Fix auth for remove

* Fix resume support

* Fix objectTarget

* Fix CopyToWrongBlobType

* Fix StripTopDir

* Reduce scale of TestResume_LargeGeneric

* Add CPK vars

* Add HNS key

* Fix test definitions

* Add E2E classic account key

* Resolve Mohit's comments

Author: adreed-msft

azure-pipelines.yml

@@ -101,12 +101,15 @@ jobs:
           set -e
           GOARCH=amd64 GOOS=linux go build -o azcopy_linux_amd64
           export AZCOPY_E2E_EXECUTABLE_PATH=$(pwd)/azcopy_linux_amd64
-          go test -timeout 20m -race -short -cover ./e2etest
+          go test -timeout 30m -race -short -cover ./e2etest
         env:
           AZCOPY_E2E_ACCOUNT_KEY: $(AZCOPY_E2E_ACCOUNT_KEY)
           AZCOPY_E2E_ACCOUNT_NAME: $(AZCOPY_E2E_ACCOUNT_NAME)
           AZCOPY_E2E_ACCOUNT_KEY_HNS: $(AZCOPY_E2E_ACCOUNT_KEY_HNS)
           AZCOPY_E2E_ACCOUNT_NAME_HNS: $(AZCOPY_E2E_ACCOUNT_NAME_HNS)
+          AZCOPY_E2E_TENANT_ID: $(OAUTH_TENANT_ID)
+          AZCOPY_E2E_APPLICATION_ID: $(ACTIVE_DIRECTORY_APPLICATION_ID)
+          AZCOPY_E2E_CLIENT_SECRET: $(AZCOPY_SPA_CLIENT_SECRET)
           AZCOPY_E2E_CLASSIC_ACCOUNT_NAME: $(AZCOPY_E2E_CLASSIC_ACCOUNT_NAME)
           AZCOPY_E2E_CLASSIC_ACCOUNT_KEY: $(AZCOPY_E2E_CLASSIC_ACCOUNT_KEY)
           CPK_ENCRYPTION_KEY: $(CPK_ENCRYPTION_KEY)
@@ -125,6 +128,9 @@ jobs:
           AZCOPY_E2E_ACCOUNT_NAME: $(AZCOPY_E2E_ACCOUNT_NAME)
           AZCOPY_E2E_ACCOUNT_KEY_HNS: $(AZCOPY_E2E_ACCOUNT_KEY_HNS)
           AZCOPY_E2E_ACCOUNT_NAME_HNS: $(AZCOPY_E2E_ACCOUNT_NAME_HNS)
+          AZCOPY_E2E_TENANT_ID: $(OAUTH_TENANT_ID)
+          AZCOPY_E2E_APPLICATION_ID: $(ACTIVE_DIRECTORY_APPLICATION_ID)
+          AZCOPY_E2E_CLIENT_SECRET: $(AZCOPY_SPA_CLIENT_SECRET)
           AZCOPY_E2E_CLASSIC_ACCOUNT_NAME: $(AZCOPY_E2E_CLASSIC_ACCOUNT_NAME)
           AZCOPY_E2E_CLASSIC_ACCOUNT_KEY: $(AZCOPY_E2E_CLASSIC_ACCOUNT_KEY)
           CPK_ENCRYPTION_KEY: $(CPK_ENCRYPTION_KEY)
@@ -145,6 +151,9 @@ jobs:
           AZCOPY_E2E_ACCOUNT_NAME: $(AZCOPY_E2E_ACCOUNT_NAME)
           AZCOPY_E2E_ACCOUNT_KEY_HNS: $(AZCOPY_E2E_ACCOUNT_KEY_HNS)
           AZCOPY_E2E_ACCOUNT_NAME_HNS: $(AZCOPY_E2E_ACCOUNT_NAME_HNS)
+          AZCOPY_E2E_TENANT_ID: $(OAUTH_TENANT_ID)
+          AZCOPY_E2E_APPLICATION_ID: $(ACTIVE_DIRECTORY_APPLICATION_ID)
+          AZCOPY_E2E_CLIENT_SECRET: $(AZCOPY_SPA_CLIENT_SECRET)
           AZCOPY_E2E_CLASSIC_ACCOUNT_NAME: $(AZCOPY_E2E_CLASSIC_ACCOUNT_NAME)
           AZCOPY_E2E_CLASSIC_ACCOUNT_KEY: $(AZCOPY_E2E_CLASSIC_ACCOUNT_KEY)
           CPK_ENCRYPTION_KEY: $(CPK_ENCRYPTION_KEY)

e2etest/config.go

@@ -34,6 +34,18 @@ import (
 // the general guidance is to take in as few parameters as possible
 type GlobalInputManager struct{}
 
+func (GlobalInputManager) GetServicePrincipalAuth() (tenantID string, applicationID string, clientSecret string) {
+	tenantID = os.Getenv("AZCOPY_E2E_TENANT_ID")
+	applicationID = os.Getenv("AZCOPY_E2E_APPLICATION_ID")
+	clientSecret = os.Getenv("AZCOPY_E2E_CLIENT_SECRET")
+
+	if applicationID == "" || clientSecret == "" {
+		panic("Insufficient information was supplied for service principal authentication")
+	}
+
+	return
+}
+
 func (GlobalInputManager) GetAccountAndKey(accountType AccountType) (string, string) {
 	var name, key string
 

e2etest/declarativeRunner.go

@@ -33,19 +33,84 @@ import (
 // In particular, it lets one test cover a range of different source/dest types, and even cover both sync and copy.
 // See first test in zt_enumeration for an annotated example.
 
+var validCredTypesPerLocation = map[common.Location][]common.CredentialType{
+	common.ELocation.Unknown(): {common.ECredentialType.Unknown(), common.ECredentialType.Anonymous(), common.ECredentialType.OAuthToken()}, // Delete!
+	common.ELocation.File():    {common.ECredentialType.Anonymous()},
+	common.ELocation.Blob():    {common.ECredentialType.Anonymous(), common.ECredentialType.OAuthToken()},
+	common.ELocation.BlobFS():  {common.ECredentialType.Anonymous(), common.ECredentialType.OAuthToken()}, // todo: currently, account key auth isn't even supported in e2e tests.
+	common.ELocation.Local():   {common.ECredentialType.Anonymous()},
+	common.ELocation.Pipe():    {common.ECredentialType.Anonymous()},
+	common.ELocation.S3():      {common.ECredentialType.S3AccessKey()},
+	common.ELocation.GCP():     {common.ECredentialType.GoogleAppCredentials()},
+}
+
+var allCredentialTypes []common.CredentialType = nil
+var anonymousAuthOnly = []common.CredentialType{common.ECredentialType.Anonymous()}
+
+func getValidCredCombinationsForFromTo(fromTo common.FromTo, requestedCredentialTypesSrc, requestedCredentialTypesDst []common.CredentialType) [][2]common.CredentialType {
+	output := make([][2]common.CredentialType, 0)
+
+	credIsRequested := func(cType common.CredentialType, dst bool) bool {
+		if (dst && requestedCredentialTypesDst == nil) || (!dst && requestedCredentialTypesSrc == nil) {
+			return true
+		}
+
+		toSearch := requestedCredentialTypesSrc
+		if dst {
+			toSearch = requestedCredentialTypesDst
+		}
+
+		for _, v := range toSearch {
+			if v == cType {
+				return true
+			}
+		}
+
+		return false
+	}
+
+	// determine source types
+	var sourceTypes []common.CredentialType
+	if fromTo.IsS2S() {
+		// source must always be anonymous-- no exceptions until OAuth over S2S is introduced.
+		sourceTypes = []common.CredentialType{common.ECredentialType.Anonymous()}
+	} else {
+		sourceTypes = validCredTypesPerLocation[fromTo.From()]
+	}
+
+	for _, srcCredType := range sourceTypes {
+		for _, dstCredType := range validCredTypesPerLocation[fromTo.To()] {
+			// make sure the user asked for this.
+			if !(credIsRequested(srcCredType, false) && credIsRequested(dstCredType, true)) {
+				continue
+			}
+
+			output = append(output, [2]common.CredentialType{srcCredType, dstCredType})
+		}
+	}
+
+	return output
+}
+
 // RunScenarios is the key entry point for declarative testing.
 // It constructs and executes scenarios (subtest in Go-speak), according to its parameters, and checks their results
 func RunScenarios(
 	t *testing.T,
 	operations Operation,
 	testFromTo TestFromTo,
 	validate Validate, // TODO: do we really want the test author to have to nominate which validation should happen?  Pros: better perf of tests. Cons: they have to tell us, and if they tell us wrong test may not test what they think it tests
-	/*_ interface{}, // TODO if we want it??, blockBLobsOnly or specifc/all blob types
-	  _ interface{}, // TODO if we want it??, default auth type only, or specific/all auth types*/
+// _ interface{}, // TODO if we want it??, blockBLobsOnly or specifc/all blob types
+
+// It would be a pain to list out every combo by hand,
+// In addition to the fact that not every credential type is sensible.
+// Thus, the E2E framework takes in a requested set of credential types, and applies them where sensible.
+// This allows you to make tests use OAuth only, SAS only, etc.
+	requestedCredentialTypesSrc []common.CredentialType,
+	requestedCredentialTypesDst []common.CredentialType,
 	p params,
 	hs *hooks,
 	fs testFiles,
-	// TODO: do we need something here to explicitly say that we expect success or failure? For now, we are just inferring that from the elements of sourceFiles
+// TODO: do we need something here to explicitly say that we expect success or failure? For now, we are just inferring that from the elements of sourceFiles
 	destAccountType AccountType,
 	accountType AccountType,
 	scenarioSuffix string) {
@@ -58,7 +123,7 @@ func RunScenarios(
 	}
 
 	// construct all the scenarios
-	scenarios := make([]scenario, 0, 16)
+	scenarios := make([]scenario, 0)
 	for _, op := range operations.getValues() {
 		if op == eOperation.Resume() {
 			continue
@@ -73,44 +138,50 @@ func RunScenarios(
 			}
 			seenFromTos[fromTo] = true
 
-			// Create unique name for generating container names
-			compactScenarioName := fmt.Sprintf("%.4s-%s-%c-%c%c", suiteName, testName, op.String()[0], fromTo.From().String()[0], fromTo.To().String()[0])
-			fullScenarioName := fmt.Sprintf("%s.%s.%s-%s", suiteName, testName, op.String(), fromTo.String())
+			credentialTypes := getValidCredCombinationsForFromTo(fromTo, requestedCredentialTypesSrc, requestedCredentialTypesDst)
 
-			// Sub-test name is not globally unique (it doesn't need to be) but it is more human-readable
-			subtestName := fmt.Sprintf("%s-%s", op, fromTo)
-			if scenarioSuffix != "" {
-				subtestName += "-" + scenarioSuffix
-			}
+			for _, credTypes := range credentialTypes {
+				// Create unique name for generating container names
+				compactScenarioName := fmt.Sprintf("%.4s-%s-%c-%c%c", suiteName, testName, op.String()[0], fromTo.From().String()[0], fromTo.To().String()[0])
+				fullScenarioName := fmt.Sprintf("%s.%s.%s-%s", suiteName, testName, op.String(), fromTo.String())
+				// Sub-test name is not globally unique (it doesn't need to be) but it is more human-readable
+				subtestName := fmt.Sprintf("%s-%s", op, fromTo)
 
-			hsToUse := hooks{}
-			if hs != nil {
-				hsToUse = *hs
-			}
+				hsToUse := hooks{}
+				if hs != nil {
+					hsToUse = *hs
+				}
 
-			// Handles destination being different account type
-			isSourceAcc := true
-			if destAccountType != accountType {
-				isSourceAcc = false
-			}
-			s := scenario{
-				srcAccountType:      accountType,
-				destAccountType:     destAccountType,
-				subtestName:         subtestName,
-				compactScenarioName: compactScenarioName,
-				fullScenarioName:    fullScenarioName,
-				operation:           op,
-				fromTo:              fromTo,
-				validate:            validate,
-				p:                   p, // copies them, because they are a struct. This is what we need, since they may be morphed while running
-				hs:                  hsToUse,
-				fs:                  fs.DeepCopy(),
-				needResume:          operations&eOperation.Resume() != 0,
-				stripTopDir:         p.stripTopDir,
-				isSourceAcc:         isSourceAcc,
-			}
+				if scenarioSuffix != "" {
+					subtestName += "-" + scenarioSuffix
+				}
 
-			scenarios = append(scenarios, s)
+				// Handles destination being different account type
+				isSourceAcc := true
+				if destAccountType != accountType {
+					isSourceAcc = false
+				}
+
+				s := scenario{
+					srcAccountType:      accountType,
+					destAccountType:     destAccountType,
+					subtestName:         subtestName,
+					compactScenarioName: compactScenarioName,
+					fullScenarioName:    fullScenarioName,
+					operation:           op,
+					fromTo:              fromTo,
+					credTypes:           credTypes,
+					validate:            validate,
+					p:                   p, // copies them, because they are a struct. This is what we need, since they may be morphed while running
+					hs:                  hsToUse,
+					fs:                  fs.DeepCopy(),
+					needResume:          operations&eOperation.Resume() != 0,
+					stripTopDir:         p.stripTopDir,
+					isSourceAcc:         isSourceAcc,
+				}
+
+				scenarios = append(scenarios, s)
+			}
 		}
 	}
 
@@ -122,22 +193,28 @@ func RunScenarios(
 	// run them in parallel if not debugging, but sequentially (for easier debugging) if a debugger is attached
 	parallel := !isLaunchedByDebugger && !p.disableParallelTesting // this only works if gops.exe is on your path. See azcopyDebugHelper.go for instructions.
 	for _, s := range scenarios {
-		sen := s // capture to separate var inside the loop, for the parallel case
 		// use t.Run to get proper sub-test support
 		t.Run(s.subtestName, func(t *testing.T) {
-			if parallel {
-				t.Parallel() // tell testing that it can run stuff in parallel with us
-			}
-			// set asserter now (and only now), since before this point we don't have the right "t"
-			sen.a = &testingAsserter{
-				t:                   t,
-				fullScenarioName:    sen.fullScenarioName,
-				compactScenarioName: sen.compactScenarioName,
-			}
-			if hs != nil {
-				sen.runHook(hs.beforeTestRun)
-			}
-			sen.Run()
+			sen := s // capture to separate var inside the loop, for the parallel case
+			credNames := fmt.Sprintf("%s-%s", s.credTypes[0].String(), s.credTypes[1].String())
+
+			t.Run(credNames, func(t *testing.T) {
+				if parallel {
+					t.Parallel() // tell testing that it can run stuff in parallel with us
+				}
+				// set asserter now (and only now), since before this point we don't have the right "t"
+				sen.a = &testingAsserter{
+					t:                   t,
+					fullScenarioName:    sen.fullScenarioName,
+					compactScenarioName: sen.compactScenarioName,
+				}
+
+				if hs != nil {
+					sen.runHook(hs.beforeTestRun)
+				}
+
+				sen.Run()
+			})
 		})
 	}
 }

e2etest/declarativeScenario.go

@@ -46,6 +46,7 @@ type scenario struct {
 	operation           Operation
 	validate            Validate
 	fromTo              common.FromTo
+	credTypes           [2]common.CredentialType
 	p                   params
 	hs                  hooks
 	fs                  testFiles
@@ -125,7 +126,7 @@ func (s *scenario) Run() {
 
 func (s *scenario) runHook(h hookFunc) bool {
 	if h == nil {
-		return true //nothing to do. So "successful"
+		return true // nothing to do. So "successful"
 	}
 
 	// run the hook, passing ourself in as the implementation of hookHelper interface
@@ -186,21 +187,28 @@ func (s *scenario) runAzCopy() {
 		}
 	}
 
-	// run AzCopy
-	const useSas = true // TODO: support other auth options (see params of RunTest)
 	tf := s.GetTestFiles()
-	var srcUseSas = tf.sourcePublic == azblob.PublicAccessNone
+	// run AzCopy
 	result, wasClean, err := r.ExecuteAzCopyCommand(
 		s.operation,
-		s.state.source.getParam(s.stripTopDir, srcUseSas, tf.objectTarget),
-		// Prefer the destination target over the object target itself.
-		s.state.dest.getParam(false, useSas, common.IffString(tf.destTarget != "", tf.destTarget, tf.objectTarget)),
+		s.state.source.getParam(s.stripTopDir, s.credTypes[0] == common.ECredentialType.Anonymous(), tf.objectTarget),
+		s.state.dest.getParam(false, s.credTypes[1] == common.ECredentialType.Anonymous(), common.IffString(tf.destTarget != "", tf.destTarget, tf.objectTarget)),
+		s.credTypes[0] == common.ECredentialType.OAuthToken() || s.credTypes[1] == common.ECredentialType.OAuthToken(), // needsOAuth
 		afterStart, s.chToStdin)
 
 	if !wasClean {
 		s.a.AssertNoErr(err, "running AzCopy")
 	}
 
+	// Generally, a cancellation is done when auth fails.
+	if result.finalStatus.JobStatus == common.EJobStatus.Cancelled() {
+		for _, v := range result.finalStatus.FailedTransfers {
+			if v.ErrorCode == 403 {
+				s.a.Error("authorization failed, perhaps SPN auth or the SAS token is bad?")
+			}
+		}
+	}
+
 	s.state.result = &result
 }
 
@@ -232,6 +240,7 @@ func (s *scenario) resumeAzCopy() {
 		eOperation.Resume(),
 		s.state.result.jobID.String(),
 		"",
+		false,
 		afterStart,
 		s.chToStdin,
 	)
@@ -429,7 +438,7 @@ func (s *scenario) validateContent() {
 	}
 }
 
-//// Individual property validation routines
+// // Individual property validation routines
 
 func (s *scenario) validateMetadata(expected, actual map[string]string, isFolder bool) {
 	if isFolder { // hdi_isfolder is service-relevant metadata, not something we'd be testing for. This can pop up when specifying a folder() on blob.
@@ -551,7 +560,7 @@ func (s *scenario) validateLastWriteTime(expected, actual *time.Time) {
 		expected, actual))
 }
 
-//nolint
+// nolint
 func (s *scenario) validateSMBAttrs(expected, actual *uint32) {
 	if expected == nil {
 		// These properties were not explicitly stated for verification
@@ -575,7 +584,7 @@ func (s *scenario) cleanup() {
 	}
 }
 
-/// support the hookHelper functions. These are use by our hooks to modify the state, or resources, of the running test
+// / support the hookHelper functions. These are use by our hooks to modify the state, or resources, of the running test
 
 func (s *scenario) FromTo() common.FromTo {
 	return s.fromTo

e2etest/factory.go

@@ -159,6 +159,7 @@ func (TestResourceFactory) CreateNewContainer(c asserter, publicAccess azblob.Pu
 	name = TestResourceNameGenerator{}.GenerateContainerName(c)
 	container = TestResourceFactory{}.GetBlobServiceURL(accountType).NewContainerURL(name)
 
+
 	cResp, err := container.Create(context.Background(), nil, publicAccess)
 	c.AssertNoErr(err)
 	c.Assert(cResp.StatusCode(), equals(), 201)
@@ -252,18 +253,18 @@ func generateName(c asserter, prefix string, maxLen int) string {
 	name := c.CompactScenarioName() // don't want to just use test name here, because each test contains multiple scenarios with the declarative runner
 
 	textualPortion := fmt.Sprintf("%s-%s", prefix, strings.ToLower(name))
-	currentTime := time.Now()
-	numericSuffix := fmt.Sprintf("%02d%02d%d", currentTime.Minute(), currentTime.Second(), currentTime.Nanosecond())
+	// GUIDs are less prone to overlap than times.
+	guidSuffix := uuid.New().String()
 	if maxLen > 0 {
-		maxTextLen := maxLen - len(numericSuffix)
+		maxTextLen := maxLen - len(guidSuffix)
 		if maxTextLen < 1 {
 			panic("max len too short")
 		}
 		if len(textualPortion) > maxTextLen {
 			textualPortion = textualPortion[:maxTextLen]
 		}
 	}
-	name = textualPortion + numericSuffix
+	name = textualPortion + guidSuffix
 	return name
 }