Add new test case host_verify_saml_token

common/vm_check_vmtools_capability.yml

@@ -0,0 +1,24 @@
+# Copyright 2024 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Description:
+#   Check VMware Tools capability for host verified SAML token is TRUE in VM
+# advanced settings
+#
+- name: "Initialize fact of VMware Tools capability for host verified SAML token"
+  ansible.builtin.set_fact:
+    vmtools_capability_key: "tools.capability.verifiedSamlToken"
+
+- name: "Get VM's extra configs"
+  include_tasks: vm_get_extra_config.yml
+
+- name: "Check VMware Tools capability {{ vmtools_capability_key }} is TRUE"
+  ansible.builtin.assert:
+    that:
+      - vmtools_capability_key in vm_extra_config
+      - vm_extra_config[vmtools_capability_key] == "TRUE"
+    fail_msg: >-
+      VMware Tools capability '{{ vmtools_capability_key }} = TRUE' doesn't exsit in VM's advanced settings.
+      Current {{ vmtools_capability_key }} is {{ vm_extra_config[vmtools_capability_key] | default('undefined') }}
+    success_msg: >-
+      VMware Tools capability '{{ vmtools_capability_key }}' is TRUE in VM's advanced settings

linux/gosv_testcase_list.yml

@@ -7,6 +7,7 @@
 - import_playbook: open_vm_tools/ovt_verify_src_install.yml
 - import_playbook: open_vm_tools/ovt_verify_status.yml
 - import_playbook: vgauth_check_service/vgauth_check_service.yml
+- import_playbook: host_verify_saml_token/host_verify_saml_token.yml
 - import_playbook: check_ip_address/check_ip_address.yml
 - import_playbook: check_os_fullname/check_os_fullname.yml
 - import_playbook: stat_balloon/stat_balloon.yml

linux/host_verify_saml_token/check_host_verified_token.yml

@@ -0,0 +1,53 @@
+# Copyright 2024 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Description:
+#   Check VC SSO user's SAML token munged (signature value is replaced) and token is verified by host
+# in VGAuthService log file
+# Parameter:
+#   vgauth_log_path_local: The collected VGAuthService log file at localhost
+#
+- name: "Set facts of keywords for host verified SMAL token"
+  ansible.builtin.set_fact:
+    munged_signature: '<ds:SignatureValue>JUhPU1RfVkVSSUZJRURfU0lHTkFUVVJFJQA=</ds:SignatureValue>'
+    host_verified_value: "hostVerified 'TRUE'"
+    host_verified_result: 'VerifySignature: token is hostVerified, skipping signature check'
+
+- name: "Look for keywords about hostVerified value"
+  ansible.builtin.shell:
+    cmd: "grep -o -e \"{{ host_verified_value }}\" '{{ vgauth_log_path_local }}'"
+  ignore_errors: true
+  register: get_host_verified_value
+
+- name: "Check hostVerified is 'TRUE'"
+  ansible.builtin.assert:
+    that:
+      - get_host_verified_value.rc is defined
+      - get_host_verified_value.rc == 0
+      - get_host_verified_value.stdout_lines is defined
+      - get_host_verified_value.stdout_lines | length == 1
+      - get_host_verified_value.stdout_lines[0] == host_verified_value
+    fail_msg: "Failed to find {{ host_verified_value }} in VGAuthService log"
+    success_msg: "Found {{ host_verified_value }} in VGAuthService log"
+
+# Flatcar can't enable debug mode, so no debug log checking
+- name: "Check SAML token is munged and verified by host"
+  when: guest_os_ansible_distribution != 'Flatcar'
+  block:
+    - name: "Look for keywords about host verified SAML token"
+      ansible.builtin.shell:
+        cmd: "grep -o -e '{{ munged_signature }}' -e '{{ host_verified_result }}' '{{ vgauth_log_path_local }}'"
+      ignore_errors: true
+      register: get_host_verified_result
+
+    - name: "Check VC SSO user's SAML token is munged and verified by host"
+      ansible.builtin.assert:
+        that:
+          - get_host_verified_result.rc is defined
+          - get_host_verified_result.rc == 0
+          - get_host_verified_result.stdout_lines is defined
+          - get_host_verified_result.stdout_lines | length == 2
+          - get_host_verified_result.stdout_lines[0] == munged_signature
+          - get_host_verified_result.stdout_lines[1] == host_verified_result
+        fail_msg: "Failed to find munged SAML token or host verified result"
+        success_msg: "VC SSO user's SAML token signature is munged, and verified by host"

linux/host_verify_saml_token/host_verify_saml_token.yml

@@ -0,0 +1,118 @@
+# Copyright 2024 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Description:
+#   This test case is used for test host verified SAML token in guest operations
+#
+- name: host_verify_saml_token
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: "Test case block"
+      block:
+        - name: "Skip test case due to missing vCenter Server variables"
+          include_tasks: ../../common/skip_test_case.yml
+          vars:
+            skip_msg: "Skip test case {{ ansible_play_name }} is because of missing vCenter Server variables."
+            skip_reason: "Not Applicable"
+          when: >
+            (vcenter_is_defined is undefined or not vcenter_is_defined) or
+            (vcenter_ssh_username is undefined or not vcenter_ssh_username) or
+            (vcenter_ssh_password is undefined or not vcenter_ssh_password)
+
+        - name: "Test setup"
+          include_tasks: ../setup/test_setup.yml
+          vars:
+            skip_test_no_vmtools: true
+
+        - name: "Skip test case for {{ guest_os_ansible_distribution }}"
+          include_tasks: ../../common/skip_test_case.yml
+          vars:
+            skip_msg: >-
+              Skip test case {{ ansible_play_name }} because {{ guest_os_ansible_distribution }}
+              {{ guest_os_ansible_distribution_ver }} doesn't have VGAuthService.
+            skip_reason: "Not Supported"
+          when: >-
+            (guest_os_ansible_distribution == 'FreeBSD' or
+             (guest_os_ansible_distribution == 'Flatcar' and
+              guest_os_ansible_distribution_ver is version('3760.2.0', '<')))
+
+        - name: "Skip test case for old ESXi server or VMware Tools"
+          include_tasks: ../../common/skip_test_case.yml
+          vars:
+            skip_msg: >-
+              Skip test case {{ ansible_play_name }} because ESXi version is {{ esxi_version }} < 8.0.2 or
+              VMware Tools version is {{ vmtools_version }} < 12.3.0.
+            skip_reason: "Not Supported"
+          when: esxi_version is version('8.0.2', '<') or vmtools_version is version('12.3.0', '<')
+
+        - name: "Check VMware Tools capability exists for host verified SAML token"
+          include_tasks: ../../common/vm_check_vmtools_capability.yml
+
+        - name: "Initialize facts about domain user information"
+          ansible.builtin.set_fact:
+            vcenter_admin_user_name: "{{ vcenter_username.split('@')[0] }}"
+            vcenter_domain_name: "{{ vcenter_username.split('@')[-1] }}"
+            vcenter_domain_user_name: "vcuser_{{ current_test_timestamp }}"
+            vcenter_domain_user_password: "VP@ssw0rd"
+            vcenter_domain_user_group: "DCAdmins"
+            vm_guest_user_name: "gosuser_{{ current_test_timestamp }}"
+            vm_guest_user_password: "GP@ssw0rd"
+
+        - name: "Add domain user '{{ vcenter_domain_user_name }}'"
+          include_tasks: ../../common/vcenter_manage_domain_user.yml
+          vars:
+            vcenter_domain_user_op: "add"
+
+        - name: "Add a new guest user '{{ vm_guest_user_name }}'"
+          include_tasks: ../utils/add_user.yml
+          vars:
+            guest_user_name: "{{ vm_guest_user_name }}"
+            guest_user_password: "{{ vm_guest_user_password }}"
+
+        # Flatcar's filesystem is read-only, which can't enable debug logging"
+        - name: "Enable debug logging for VGAuthService and VMware Tools"
+          when: guest_os_ansible_distribution != 'Flatcar'
+          block:
+            - name: "Enable debug logging for VGAuthService"
+              include_tasks: ../utils/enable_vgauth_logging.yml
+
+            - name: "Enable debug logging for VMware Tools"
+              include_tasks: ../utils/enable_vmtools_logging.yml
+
+        - name: "Test guest operation with VC SSO user's SAML token"
+          include_tasks: test_guest_ops_with_token.yml
+
+        - name: "Collect VGAuthServcie log"
+          include_tasks: ../utils/collect_vgauth_logs.yml
+
+        - name: "Check VGAuthService log is collected successfully"
+          ansible.builtin.assert:
+            that:
+              - vgauth_log_file_exists
+              - vgauth_log_is_collected
+              - vgauth_log_file_dest
+            fail_msg: "Failed to collect VGAuthService log"
+            success_msg: "The VGAuthService log is collected to {{ vgauth_log_file_dest }}"
+
+        - name: "Check VC SSO user's SAML token is verified by host"
+          include_tasks: check_host_verified_token.yml
+          vars:
+            vgauth_log_path_local: "{{ vgauth_log_file_dest }}"
+
+        - name: "Delete domain user '{{ vcenter_domain_user_name }}'"
+          include_tasks: ../../common/vcenter_manage_domain_user.yml
+          vars:
+            vcenter_domain_user_op: "delete"
+      rescue:
+        - name: "Test rescue"
+          include_tasks: ../../common/test_rescue.yml
+      always:
+        - name: "Collect VGAuthServcie log"
+          include_tasks: ../utils/collect_vgauth_logs.yml
+          vars:
+            vgauth_log_file_src: "{{ vgauth_latest_log_file | default('') }}"
+          when: vgauth_log_is_collected is undefined or not vgauth_log_is_collected
+
+        - name: "Collect VMware Tools logs"
+          include_tasks: ../utils/collect_vmtools_logs.yml

linux/host_verify_saml_token/test_guest_ops_with_token.yml

@@ -0,0 +1,122 @@
+# Copyright 2024 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Description:
+#   Perform guest operation testing with guest user alias to check
+# VC SSO user's SAML token is verified by host.
+#
+- name: "Set log file of testing host verified SAML token and checking messages"
+  ansible.builtin.set_fact:
+    saml_token_test_log: "{{ current_test_log_folder }}/test_saml_token.log"
+    add_alias_check_msg: >-
+      Successfuly added guest user mapping:
+      {{ vm_guest_user_name }}:{{ vcenter_domain_user_name }}@{{ vcenter_domain_name }}
+    remove_alias_check_msg: >-
+      Successfuly removed guest user mapping:
+      {{ vm_guest_user_name }}:{{ vcenter_domain_user_name }}@{{ vcenter_domain_name }}
+    guest_user_environment: []
+
+- name: "Set command for testing host verified SAML token"
+  ansible.builtin.set_fact:
+    saml_token_test_cmd: >-
+      python ../../tools/vgauth_guestops.py -l {{ saml_token_test_log }}
+      -H {{ vcenter_hostname }} -d '{{ vcenter_domain_name }}' -vm '{{ vm_name }}'
+      -au '{{ vcenter_admin_user_name }}' -ap '{{ vcenter_password }}'
+
+# Add guest alias
+- name: "Add guest user mapping for guest user {{ vm_guest_user_name }}"
+  ansible.builtin.command: >-
+      {{ saml_token_test_cmd }}
+      -tu '{{ vcenter_domain_user_name }}' -tp '{{ vcenter_domain_user_password }}'
+      -gu '{{ vm_guest_user_name }}' -gp '{{ vm_guest_user_password }}'
+      -o AddGuestAlias
+  register: add_alias_result
+  ignore_errors: true
+
+- name: "Display the result of adding guest user mapping"
+  debug: var=add_alias_result
+  when: enable_debug
+
+- name: "Check the result of adding guest user mapping"
+  ansible.builtin.assert:
+    that:
+      - add_alias_result.rc is defined
+      - add_alias_result.rc == 0
+      - add_alias_result.stdout_lines is defined
+      - add_alias_result.stdout_lines | select('search', add_alias_check_msg) | length > 0
+    fail_msg: >-
+      Failed to add guest user mapping
+      {{ vm_guest_user_name }}:{{ vcenter_domain_user_name }}@{{ vcenter_domain_name }}
+      on VM {{ vm_name }}.
+      Return code is '{{ add_alias_result.rc | default("") }}'.
+      Output is '{{ add_alias_result.stdout | default("") }}'.
+      Hit error '{{ add_alias_result.stderr | default("") }}'.
+    success_msg: "{{ add_alias_check_msg }}"
+
+# Test guest operation
+- name: "Perform guest operation of reading guest user's environment variables"
+  ansible.builtin.command: >-
+    {{ saml_token_test_cmd }}
+    -tu '{{ vcenter_domain_user_name }}' -tp '{{ vcenter_domain_user_password }}'
+    -gu '{{ vm_guest_user_name }}' -o PerformGuestOps
+  register: perform_guestops_result
+  ignore_errors: true
+
+- name: "Display the result of reading guest user's environment variables by guest operation"
+  debug: var=perform_guestops_result
+  when: enable_debug
+
+- name: "Set fact of guest user's environment variables retrieved by guest operation"
+  ansible.builtin.set_fact:
+    guest_user_environment: >-
+      {{
+        perform_guestops_result.stdout_lines |
+        select('match', 'USER(NAME)?=' ~ vm_guest_user_name)
+      }}
+  when:
+    - perform_guestops_result.stdout_lines is defined
+    - perform_guestops_result.stdout_lines | length > 0
+
+- name: "Check the result of reading guest user's environment variables by guest operation"
+  ansible.builtin.assert:
+    that:
+      - perform_guestops_result.rc is defined
+      - perform_guestops_result.rc == 0
+      - guest_user_environment | length == 1
+    fail_msg: >-
+      Failed to read guest user's environment variables by guest operation with VC SSO user
+      {{ vcenter_domain_user_name }}@{{ vcenter_domain_name }} on VM {{ vm_name }}.
+      Return code is '{{ perform_guestops_result.rc | default("") }}'.
+      Output is '{{ perform_guestops_result.stdout | default("") }}'.
+      Hit error '{{ perform_guestops_result.stderr | default("") }}'.
+    success_msg: "Successfully read guest user's environment variable {{ guest_user_environment }}"
+
+# Remove guest alias
+- name: "Remove guest user mapping for guest user {{ vm_guest_user_name }}"
+  ansible.builtin.command: >-
+      {{ saml_token_test_cmd }}
+      -tu '{{ vcenter_domain_user_name }}' -tp '{{ vcenter_domain_user_password }}'
+      -gu '{{ vm_guest_user_name }}' -gp '{{ vm_guest_user_password }}'
+      -o RemoveGuestAlias
+  register: remove_alias_result
+  ignore_errors: true
+
+- name: "Display the result of removing guest user mapping"
+  debug: var=remove_alias_result
+  when: enable_debug
+
+- name: "Check the result of removing guest user mapping"
+  ansible.builtin.assert:
+    that:
+      - remove_alias_result.rc is defined
+      - remove_alias_result.rc == 0
+      - remove_alias_result.stdout_lines is defined
+      - remove_alias_result.stdout_lines | select('search', remove_alias_check_msg) | length > 0
+    fail_msg: >-
+      Failed to remove guest user mapping
+      {{ vm_guest_user_name }}:{{ vcenter_domain_user_name }}@{{ vcenter_domain_name }}
+      on VM {{ vm_name }}.
+      Return code is '{{ remove_alias_result.rc | default("") }}'.
+      Output is '{{ remove_alias_result.stdout | default("") }}'.
+      Hit error '{{ remove_alias_result.stderr | default("") }}'.
+    success_msg: "{{ remove_alias_check_msg }}"

linux/utils/collect_vgauth_logs.yml

@@ -3,40 +3,43 @@
 ---
 # Collect VGAuthService logs to local test case log directory
 # Parameter:
-#   vgauth_log_file_src: The VGAuthService log file path
+#   vgauth_latest_log_file: The VGAuthService log file path
 #
 - name: "Initialize the latest VGAuthService log path in guest OS"
   ansible.builtin.set_fact:
-    vgauth_log_file_src: "/var/log/vmware-vgauthsvc.log.0"
-  when: vgauth_log_file_src is undefined or not vgauth_log_file_src
+    vgauth_latest_log_file: "/var/log/vmware-vgauthsvc.log.0"
+  when: vgauth_latest_log_file is undefined
 
-- name: "Initialize facts of collected VGAuthService log path at localhost"
+- debug: var=vgauth_latest_log_file
+
+- name: "Initialize facts for collecting VGAuthService log file"
   ansible.builtin.set_fact:
+    vgauth_log_file_exists: false
     vgauth_log_file_dest: ""
     vgauth_log_is_collected: false
 
 - name: "Get VGAuthService log file info"
   include_tasks: get_file_stat_info.yml
   vars:
-    guest_file_path: "{{ vgauth_log_file_src }}"
+    guest_file_path: "{{ vgauth_latest_log_file }}"
 
 - name: "Set fact of VGAuthService log exists or not"
   ansible.builtin.set_fact:
     vgauth_log_file_exists: "{{ guest_file_exists }}"
 
-- name: "Collect VGAuthService log file"
+- name: "Collect VGAuthService log file to localhost"
+  when: vgauth_log_file_exists | bool
   block:
     - name: "Collect VGAuthServce log to test case log dir"
       include_tasks: fetch_file.yml
       vars:
-        fetch_file_src_path: "{{ vgauth_log_file_src }}"
+        fetch_file_src_path: "{{ vgauth_latest_log_file }}"
         fetch_file_dst_path: "{{ current_test_log_folder }}/"
 
     - name: "Set facts of VGAuthService file collected at localhost"
       ansible.builtin.set_fact:
         vgauth_log_file_dest: "{{ fetch_file_local_path }}"
-        vgauth_log_is_collected: True
+        vgauth_log_is_collected: true
       when:
         - fetch_file_local_path is defined
         - fetch_file_local_path
-  when: vgauth_log_file_exists | bool

linux/vgauth_check_service/vgauth_check_service.yml

@@ -84,8 +84,3 @@
       always:
         - name: "Collect VGAuthServcie logs"
           include_tasks: ../utils/collect_vgauth_logs.yml
-          vars:
-            vgauth_log_file_src: "{{ vgauth_latest_log_file }}"
-          when:
-            - vgauth_latest_log_file is defined
-            - vgauth_latest_log_file