Merge pull request #2050 from alan-turing-institute/smoke_tests

Fix smoke tests
alan-turing-institute · Jul 26, 2024 · 996f54f · 996f54f
2 parents 11e19d3 + e999046
commit 996f54f
Show file tree

Hide file tree

Showing 17 changed files with 33 additions and 20 deletions.
diff --git a/data_safe_haven/infrastructure/components/composite/postgresql_database.py b/data_safe_haven/infrastructure/components/composite/postgresql_database.py
@@ -76,6 +76,15 @@ def __init__(
             opts=child_opts,
             tags=child_tags,
         )
+        # Configure require_secure_transport
+        dbforpostgresql.Configuration(
+            f"{self._name}_secure_transport_configuration",
+            configuration_name="require_secure_transport",
+            resource_group_name=props.database_resource_group_name,
+            server_name=props.database_server_name,
+            source="user-override",
+            value="OFF",
+        )
         # Add any databases that are requested
         props.database_names.apply(
             lambda db_names: [

diff --git a/data_safe_haven/infrastructure/programs/declarative_sre.py b/data_safe_haven/infrastructure/programs/declarative_sre.py
@@ -350,6 +350,7 @@ def __call__(self) -> None:
                 apt_proxy_server_hostname=apt_proxy_server.hostname,
                 data_collection_rule_id=monitoring.data_collection_rule_vms.id,
                 data_collection_endpoint_id=monitoring.data_collection_endpoint.id,
+                database_service_admin_password=data.password_database_service_admin,
                 ldap_group_filter=ldap_group_filter,
                 ldap_group_search_base=ldap_group_search_base,
                 ldap_server_hostname=identity.hostname,

diff --git a/data_safe_haven/infrastructure/programs/sre/data.py b/data_safe_haven/infrastructure/programs/sre/data.py
@@ -254,7 +254,7 @@ def __init__(
             tags=child_tags,
         )
 
-        # Secret: database service admin password
+        # Secret: DNS server admin password
         keyvault.Secret(
             f"{self._name}_kvs_password_dns_server_admin",
             properties=keyvault.SecretPropertiesArgs(

diff --git a/data_safe_haven/infrastructure/programs/sre/database_servers.py b/data_safe_haven/infrastructure/programs/sre/database_servers.py
@@ -24,13 +24,10 @@ def __init__(
         resource_group_name: Input[str],
         sre_fqdn: Input[str],
         subnet_id: Input[str],
-        database_username: Input[str] | None = None,
     ) -> None:
         self.database_password = database_password
         self.database_system = database_system
-        self.database_username = (
-            database_username if database_username else "databaseadmin"
-        )
+        self.database_username = "databaseadmin"
         self.location = location
         self.resource_group_name = resource_group_name
         self.sre_fqdn = sre_fqdn

diff --git a/data_safe_haven/infrastructure/programs/sre/workspaces.py b/data_safe_haven/infrastructure/programs/sre/workspaces.py
@@ -27,8 +27,9 @@ def __init__(
         self,
         admin_password: Input[str],
         apt_proxy_server_hostname: Input[str],
-        data_collection_rule_id: Input[str],
         data_collection_endpoint_id: Input[str],
+        data_collection_rule_id: Input[str],
+        database_service_admin_password: Input[str],
         ldap_group_filter: Input[str],
         ldap_group_search_base: Input[str],
         ldap_server_hostname: Input[str],
@@ -41,8 +42,8 @@ def __init__(
         software_repository_hostname: Input[str],
         sre_name: Input[str],
         storage_account_data_desired_state_name: Input[str],
-        storage_account_data_private_user_name: Input[str],
         storage_account_data_private_sensitive_name: Input[str],
+        storage_account_data_private_user_name: Input[str],
         subnet_workspaces: Input[network.GetSubnetResult],
         subscription_name: Input[str],
         virtual_network: Input[network.VirtualNetwork],
@@ -53,6 +54,7 @@ def __init__(
         self.apt_proxy_server_hostname = apt_proxy_server_hostname
         self.data_collection_rule_id = data_collection_rule_id
         self.data_collection_endpoint_id = data_collection_endpoint_id
+        self.database_service_admin_password = database_service_admin_password
         self.ldap_group_filter = ldap_group_filter
         self.ldap_group_search_base = ldap_group_search_base
         self.ldap_server_hostname = ldap_server_hostname
@@ -113,6 +115,7 @@ def __init__(
         # Load cloud-init file
         cloudinit = Output.all(
             apt_proxy_server_hostname=props.apt_proxy_server_hostname,
+            database_service_admin_password=props.database_service_admin_password,
             ldap_group_filter=props.ldap_group_filter,
             ldap_group_search_base=props.ldap_group_search_base,
             ldap_server_hostname=props.ldap_server_hostname,

diff --git a/data_safe_haven/resources/workspace/ansible/desired_state.yaml b/data_safe_haven/resources/workspace/ansible/desired_state.yaml
@@ -148,14 +148,12 @@
         creates: /etc/audit/rules.d/50-privileged.rules
       notify: Restart auditd
 
-    - name: Copy test files
+    - name: Copy smoke test files
       ansible.builtin.copy:
         src: "{{ item }}"
-        dest: /home/dshadmin/tests/
-        mode: '0700'
-        owner: dshadmin
-        group: dshadmin
-      with_fileglob: 'home/dshadmin/tests/*'
+        dest: /usr/local/smoke_tests/
+        mode: '0755'
+      with_fileglob: 'usr/local/smoke_tests/*'
 
 
   handlers:

diff --git a/...es/home/dshadmin/tests/run_all_tests.bats → .../usr/local/smoke_tests/run_all_tests.bats b/...es/home/dshadmin/tests/run_all_tests.bats → .../usr/local/smoke_tests/run_all_tests.bats
@@ -32,7 +32,7 @@ install_r_package_version() {
 }
 
 check_db_credentials() {
-    db_credentials="${HOME}/.local/db.dsh"
+    db_credentials="/etc/database_credential"
     if [ -f "$db_credentials" ]; then
         return 0
     fi

diff --git a/...les/home/dshadmin/tests/test_databases.sh → ...s/usr/local/smoke_tests/test_databases.sh b/...les/home/dshadmin/tests/test_databases.sh → ...s/usr/local/smoke_tests/test_databases.sh
@@ -12,7 +12,7 @@ while getopts d:l: flag; do
     esac
 done
 
-db_credentials="${HOME}/.local/db.dsh"
+db_credentials="/etc/database_credential"
 if [ -f "$db_credentials" ]; then
     username="databaseadmin"
     password="$(cat "$db_credentials")"

diff --git a/...es/home/dshadmin/tests/test_databases_R.R → .../usr/local/smoke_tests/test_databases_R.R b/...es/home/dshadmin/tests/test_databases_R.R → .../usr/local/smoke_tests/test_databases_R.R
@@ -34,7 +34,7 @@ if (db_type == "mssql") {
         host = server_name,
         port = port,
         dbname = db_name,
-        user = paste(username, "@", hostname, sep=""),
+        user = username,
         password = password
     )
 } else {

diff --git a/...e/dshadmin/tests/test_databases_python.py → ...ocal/smoke_tests/test_databases_python.py b/...e/dshadmin/tests/test_databases_python.py → ...ocal/smoke_tests/test_databases_python.py
@@ -24,7 +24,7 @@ def test_database(
             server=server_name, user=username_full, password=password, database=db_name
         )
     elif db_type == "postgresql":
-        connection_string = f"host={server_name} port={port} dbname={db_name} user={username_full} password={password}"
+        connection_string = f"host={server_name} port={port} dbname={db_name} user={username} password={password}"
         cnxn = psycopg.connect(connection_string)
     else:
         msg = f"Database type '{db_type}' was not recognised"

diff --git a/...ome/dshadmin/tests/test_functionality_R.R → .../local/smoke_tests/test_functionality_R.R b/...ome/dshadmin/tests/test_functionality_R.R → .../local/smoke_tests/test_functionality_R.R
diff --git a/...hadmin/tests/test_functionality_python.py → .../smoke_tests/test_functionality_python.py b/...hadmin/tests/test_functionality_python.py → .../smoke_tests/test_functionality_python.py
diff --git a/...ome/dshadmin/tests/test_mounted_drives.sh → .../local/smoke_tests/test_mounted_drives.sh b/...ome/dshadmin/tests/test_mounted_drives.sh → .../local/smoke_tests/test_mounted_drives.sh
diff --git a/...admin/tests/test_repository_R.mustache.sh → ...sr/local/smoke_tests/test_repository_R.sh b/...admin/tests/test_repository_R.mustache.sh → ...sr/local/smoke_tests/test_repository_R.sh
@@ -25,7 +25,7 @@ for package in "${packages[@]}"; do
     fi
 done
 # If requested, demonstrate that installation fails for packages *not* on the approved list
-TEST_FAILURE="{{check_uninstallable_packages}}"
+TEST_FAILURE=0
 if [ $TEST_FAILURE -eq 1 ]; then
     for package in "${uninstallable_packages[@]}"; do
         echo "Attempting to install ${package}..."

diff --git a/.../tests/test_repository_python.mustache.sh → ...cal/smoke_tests/test_repository_python.sh b/.../tests/test_repository_python.mustache.sh → ...cal/smoke_tests/test_repository_python.sh
@@ -19,7 +19,7 @@ for package in "${installable_packages[@]}"; do
     fi
 done
 # If requested, demonstrate that installation fails for packages *not* on the approved list
-TEST_FAILURE="{{check_uninstallable_packages}}"
+TEST_FAILURE=0
 if [ $TEST_FAILURE -eq 1 ]; then
     for package in "${uninstallable_packages[@]}"; do
         echo "Attempting to install ${package}..."

diff --git a/data_safe_haven/resources/workspace/ansible/host_vars/localhost.yaml b/data_safe_haven/resources/workspace/ansible/host_vars/localhost.yaml
@@ -22,7 +22,7 @@ package_categories:
     common:
       - libpq-dev     # interact with PostgreSQL databases
       - msodbcsql17   # interact with Microsoft SQL databases
-      - postgresql-client-common  # CLI psql client
+      - postgresql-client  # CLI psql client
       - unixodbc-dev  # interact with Microsoft SQL databases
     jammy: []
     noble: []

diff --git a/data_safe_haven/resources/workspace/workspace.cloud_init.mustache.yaml b/data_safe_haven/resources/workspace/workspace.cloud_init.mustache.yaml
@@ -1,6 +1,11 @@
 #cloud-config
 
 write_files:
+  - path: "/etc/database_credential"
+    permissions: "0400"
+    content: |
+      {{ database_service_admin_password }}
+
   - path: "/etc/nslcd.conf"
     permissions: "0400"
     content: |