test: oic-auth plugin test (#55)

.woke.yaml

@@ -3,3 +3,5 @@ rules:
   - name: slave
   # Ignore whitelist - we are using it to ignore pydantic in pyptoject.toml
   - name: whitelist
+  # Ignore "master" - Keycloak for oidc integration tests uses this terminology.
+  - name: master

src-docs/jenkins.py.md

@@ -27,7 +27,7 @@ Functions to operate Jenkins.
 
 ---
 
-<a href="../src/jenkins.py#L138"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/jenkins.py#L140"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ## <kbd>function</kbd> `wait_ready`
 
@@ -53,7 +53,7 @@ Wait until Jenkins service is up.
 
 ---
 
-<a href="../src/jenkins.py#L167"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/jenkins.py#L169"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ## <kbd>function</kbd> `get_admin_credentials`
 
@@ -77,7 +77,7 @@ Retrieve admin credentials.
 
 ---
 
-<a href="../src/jenkins.py#L191"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/jenkins.py#L213"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ## <kbd>function</kbd> `calculate_env`
 
@@ -95,7 +95,7 @@ Return a dictionary for Jenkins Pebble layer.
 
 ---
 
-<a href="../src/jenkins.py#L200"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/jenkins.py#L222"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ## <kbd>function</kbd> `get_version`
 
@@ -119,7 +119,7 @@ Get the Jenkins server version.
 
 ---
 
-<a href="../src/jenkins.py#L373"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/jenkins.py#L406"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ## <kbd>function</kbd> `bootstrap`
 
@@ -145,7 +145,7 @@ Initialize and install Jenkins.
 
 ---
 
-<a href="../src/jenkins.py#L410"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/jenkins.py#L444"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ## <kbd>function</kbd> `get_node_secret`
 
@@ -176,7 +176,7 @@ Get node secret from jenkins.
 
 ---
 
-<a href="../src/jenkins.py#L433"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/jenkins.py#L467"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ## <kbd>function</kbd> `add_agent_node`
 
@@ -202,7 +202,7 @@ Add a Jenkins agent node.
 
 ---
 
-<a href="../src/jenkins.py#L458"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/jenkins.py#L492"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ## <kbd>function</kbd> `remove_agent_node`
 
@@ -228,7 +228,7 @@ Remove a Jenkins agent node.
 
 ---
 
-<a href="../src/jenkins.py#L511"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/jenkins.py#L545"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ## <kbd>function</kbd> `safe_restart`
 
@@ -253,7 +253,7 @@ Safely restart Jenkins server after all jobs are done executing.
 
 ---
 
-<a href="../src/jenkins.py#L536"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/jenkins.py#L570"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ## <kbd>function</kbd> `get_agent_name`
 
@@ -277,7 +277,7 @@ Infer agent name from unit name.
 
 ---
 
-<a href="../src/jenkins.py#L684"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
+<a href="../src/jenkins.py#L718"><img align="right" style="float:right;" src="https://img.shields.io/badge/-source-cccccc?style=flat-square"></a>
 
 ## <kbd>function</kbd> `remove_unlisted_plugins`
 
@@ -316,7 +316,7 @@ Information needed to log into Jenkins.
 **Attributes:**
 
  - <b>`username`</b>:  The Jenkins account username used to log into Jenkins. 
- - <b>`password`</b>:  The Jenkins account password used to log into Jenkins. 
+ - <b>`password_or_token`</b>:  The Jenkins API token or account password used to log into Jenkins. 
 
 
 

src/charm.py

@@ -151,7 +151,7 @@ def _on_get_admin_password(self, event: ops.ActionEvent) -> None:
             event.defer()
             return
         credentials = jenkins.get_admin_credentials(container)
-        event.set_results({"password": credentials.password})
+        event.set_results({"password": credentials.password_or_token})
 
     def _remove_unlisted_plugins(self, container: ops.Container) -> ops.StatusBase:
         """Remove plugins that are installed but not allowed.

src/jenkins.py

@@ -31,6 +31,8 @@
 EXECUTABLES_PATH = Path("/srv/jenkins/")
 # Path to initial Jenkins password file
 PASSWORD_FILE_PATH = HOME_PATH / "secrets/initialAdminPassword"
+# Path to Jenkins admin API token
+API_TOKEN_PATH = HOME_PATH / "secrets/apiToken"
 # Path to last executed Jenkins version file, required to override wizard installation
 LAST_EXEC_VERSION_PATH = HOME_PATH / Path("jenkins.install.InstallUtil.lastExecVersion")
 # Path to Jenkins version file, required to override wizard installation
@@ -157,11 +159,11 @@ class Credentials:
 
     Attributes:
         username: The Jenkins account username used to log into Jenkins.
-        password: The Jenkins account password used to log into Jenkins.
+        password_or_token: The Jenkins API token or account password used to log into Jenkins.
     """
 
     username: str
-    password: str
+    password_or_token: str
 
 
 def get_admin_credentials(container: ops.Container) -> Credentials:
@@ -175,7 +177,27 @@ def get_admin_credentials(container: ops.Container) -> Credentials:
     """
     user = "admin"
     password_file_contents = str(container.pull(PASSWORD_FILE_PATH, encoding="utf-8").read())
-    return Credentials(username=user, password=password_file_contents.strip())
+    return Credentials(username=user, password_or_token=password_file_contents.strip())
+
+
+def _get_api_credentials(container: ops.Container) -> Credentials:
+    """Retrieve admin API credentials.
+
+    Args:
+        container: The Jenkins workload container.
+
+    Returns:
+        Credentials: The Jenkins API Credentials.
+
+    Raises:
+        JenkinsBootstrapError: if no API credential has been setup yet.
+    """
+    try:
+        token = str(container.pull(API_TOKEN_PATH, encoding="utf-8").read())
+        return Credentials(username="admin", password_or_token=token.strip())
+    except ops.pebble.PathError as exc:
+        logger.debug("Admin API token not yet setup.")
+        raise JenkinsBootstrapError("Admin API credentials not yet setup.") from exc
 
 
 class Environment(typing.TypedDict):
@@ -253,6 +275,17 @@ def _install_configs(container: ops.Container) -> None:
         container.push(LOGGING_CONFIG_PATH, jenkins_logging_config_file, user=USER, group=GROUP)
 
 
+def _setup_user_token(container: ops.Container) -> None:
+    """Configure admin user API token.
+
+    Args:
+        container: The Jenkins workload container.
+    """
+    client = _get_client(get_admin_credentials(container))
+    token: str = client.generate_new_api_token("juju_api_token")
+    container.push(API_TOKEN_PATH, token, user=USER, group=GROUP)
+
+
 def _get_groovy_proxy_args(proxy_config: state.ProxyConfig) -> typing.Iterable[str]:
     """Get proxy arguments for proxy configuration Groovy script.
 
@@ -294,7 +327,7 @@ def _configure_proxy(
     if not proxy_config:
         return
 
-    client = _get_client(get_admin_credentials(container))
+    client = _get_client(_get_api_credentials(container))
     parsed_args = ", ".join(_get_groovy_proxy_args(proxy_config))
     try:
         client.run_groovy_script(f"proxy = new ProxyConfiguration({parsed_args})\nproxy.save()")
@@ -382,6 +415,7 @@ def bootstrap(container: ops.Container, proxy_config: state.ProxyConfig | None =
     """
     _unlock_wizard(container)
     _install_configs(container)
+    _setup_user_token(container)
     try:
         _configure_proxy(container, proxy_config)
         _install_plugins(container, proxy_config)
@@ -402,7 +436,7 @@ def _get_client(client_credentials: Credentials) -> jenkinsapi.jenkins.Jenkins:
     return jenkinsapi.jenkins.Jenkins(
         baseurl=WEB_URL,
         username=client_credentials.username,
-        password=client_credentials.password,
+        password=client_credentials.password_or_token,
         timeout=60,
     )
 
@@ -420,7 +454,7 @@ def get_node_secret(node_name: str, container: ops.Container) -> str:
     Raises:
         JenkinsError: if an error occurred running groovy script getting the node secret.
     """
-    client = _get_client(get_admin_credentials(container))
+    client = _get_client(_get_api_credentials(container))
     try:
         return client.run_groovy_script(
             f'println(jenkins.model.Jenkins.getInstance().getComputer("{node_name}").getJnlpMac())'
@@ -440,7 +474,7 @@ def add_agent_node(agent_meta: state.AgentMeta, container: ops.Container) -> Non
     Raises:
         JenkinsError: if an error occurred running groovy script creating the node.
     """
-    client = _get_client(get_admin_credentials(container))
+    client = _get_client(_get_api_credentials(container))
     try:
         client.create_node(
             name=agent_meta.name,
@@ -465,7 +499,7 @@ def remove_agent_node(agent_name: str, container: ops.Container) -> None:
     Raises:
         JenkinsError: if an error occurred running groovy script removing the node.
     """
-    client = _get_client(get_admin_credentials(container))
+    client = _get_client(_get_api_credentials(container))
     try:
         client.delete_node(nodename=agent_name)
     except jenkinsapi.custom_exceptions.JenkinsAPIException as exc:
@@ -517,7 +551,7 @@ def safe_restart(container: ops.Container) -> None:
     Raises:
         JenkinsError: if there was an API error calling safe restart.
     """
-    client = _get_client(get_admin_credentials(container))
+    client = _get_client(_get_api_credentials(container))
     try:
         # There is a bug with wait_for_reboot in the jenkinsapi
         # https://github.com/pycontribs/jenkinsapi/issues/844
@@ -698,7 +732,7 @@ def remove_unlisted_plugins(
     if not plugins:
         return
 
-    client = _get_client(get_admin_credentials(container))
+    client = _get_client(_get_api_credentials(container))
     res = client.run_groovy_script(
         """
 def plugins = jenkins.model.Jenkins.instance.getPluginManager().getPlugins()