This repository has been archived by the owner on Dec 12, 2018. It is now read-only.

Travis CI Dynamic Stormpath Configuration

Micah Silverman edited this page Aug 13, 2016 · 3 revisions

Travis CI runs the test suite in the Java SDK.

In order for the integration tests to run, Travis must be able to connect to Stormpath tenants. In particular, the tests require one tenant that is configured to support many applications and one tenant that is configured to support only a single application (the default when you first create a new tenant).

Ordinarily, these settings would be fixed in the .travis.yml file. However, it is convenient to have Travis target different tenants for different runs. For instance, you may want Travis to run against tenants in the Enterprise Cloud or a Private Deployment, rather than the Community Cloud. Or you may be working on an experimental branch and want Travis to run the build against a locally running instance of the Stormpath backend, exposed through a service like ngrok.

Travis CI can be configured dynamically, without having to make changes to the stormpath-sdk-java project.

Overview of How it Works

  1. An encrypted file of global settings is retrieved from a publicly available website.
  2. Travis decrypts this file and exports its settings into the environment.
  3. A shell script containing author information is retrieved from a publicly available website.
  4. Based on the author of the last commit, an encrypted file of Stormpath settings is retrieved from a publicly available website.
  5. Travis decrypts this file and exports its settings into the environment.
  6. The build proceeds and the tests are run against the author-specified Stormpath environment.

Details

Travis encrypted files

Travis creates private keys on a per-project and per-user basis. That is, if I encrypt a file using the Travis tools in the stormpath-sdk-java project, a new private key is set up, bound to my Travis account AND the stormpath-sdk-java project.

That's why, at the beginning of a Travis run, you see output like this:

$ export encrypted_da634cfd642b_key=[secure]
$ export encrypted_da634cfd642b_iv=[secure]
$ export encrypted_0b7f5d43be1f_key=[secure]
$ export encrypted_0b7f5d43be1f_iv=[secure]

That indicates that two different users have created encrypted files in the stormpath-sdk-java project, identified by 0b7f5d43be1f and da634cfd642b.

When you encrypt a file, Travis outputs this identifier to you. It becomes important later, when you configure your author settings.

stormpath_authors.sh

This file contains information about each author that is authorized to commit to the stormpath-sdk-java project. An author section looks like this:

  [email protected]|[email protected])
    AUTHOR=micah
    ENCRYPT_KEY=$encrypted_0b7f5d43be1f_key
    ENCRYPT_IV=$encrypted_0b7f5d43be1f_iv
    ;;

The first line contains all the email addresses that an author uses when committing to GitHub. This is important because, early in the build process, the Travis script extracts the email from the latest commit of the branch being built.

The second line is a single author identifier that corresponds to a folder name on the website that serves these files.

The third and fourth lines are what allow Travis to decrypt your personal settings file. They use the identifier you are given when you run the travis encrypt-file command (more on that below).
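Steps 3 to 5 of the overview, together with the author section format above, as an added example (this is not the project's actual build script). The e-mail addresses, the key identifier aaaaaaaaaaaa, its key and IV values, and the function names resolve_author, last_commit_email and load_env are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example with constructed names and values, not the project's build script.

# Constructed stand-ins for the secure variables Travis exports ([secure] in the
# build log). They are set here only so the example runs outside Travis.
: "${encrypted_aaaaaaaaaaaa_key:=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f}"
: "${encrypted_aaaaaaaaaaaa_iv:=0f0e0d0c0b0a09080706050403020100}"

# Map a commit e-mail to AUTHOR / ENCRYPT_KEY / ENCRYPT_IV, in the shape of a
# stormpath_authors.sh section. An unknown e-mail fails closed.
resolve_author() {
  case "$1" in
    dev@example.com|dev@users.noreply.example.com)
      AUTHOR=dev
      ENCRYPT_KEY=$encrypted_aaaaaaaaaaaa_key
      ENCRYPT_IV=$encrypted_aaaaaaaaaaaa_iv
      ;;
    *)
      unset AUTHOR ENCRYPT_KEY ENCRYPT_IV
      return 1
      ;;
  esac
}

# E-mail address of the latest commit on the branch being built.
last_commit_email() { git log -1 --format='%ae'; }

# Decrypt <file.enc> with the resolved key and IV, then source it so that its
# export line publishes the settings. The plaintext lives only in a private
# temp file (mktemp creates it mode 0600) and is removed afterwards.
load_env() {
  local enc="$1" plain rc=1
  [ -n "${ENCRYPT_KEY:-}" ] && [ -n "${ENCRYPT_IV:-}" ] || return 1
  plain=$(mktemp) || return 1
  if openssl aes-256-cbc -d -K "$ENCRYPT_KEY" -iv "$ENCRYPT_IV" \
       -in "$enc" -out "$plain" 2>/dev/null; then
    . "$plain" && rc=0
  fi
  rm -f "$plain"
  return "$rc"
}
```

In a build, `resolve_author "$(last_commit_email)"` would run first, followed by `load_env` on the stormpath_env.sh.enc file downloaded from the folder named by `$AUTHOR`.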

stormpath_env.sh

This file contains your Stormpath environment settings. In most cases, this will be a pre-defined set of tenants in the Community Cloud that all the developers will use. It is here that you can customize these settings.

The file must contain these settings:

STORMPATH_CLIENT_BASEURL=
STORMPATH_API_KEY_ID=
STORMPATH_API_KEY_SECRET=
STORMPATH_API_KEY_ID_TWO_APP=
STORMPATH_API_KEY_SECRET_TWO_APP=
STORMPATH_TEST_APPLICATION_HREF=

export STORMPATH_CLIENT_BASEURL STORMPATH_API_KEY_ID STORMPATH_API_KEY_SECRET STORMPATH_API_KEY_ID_TWO_APP STORMPATH_API_KEY_SECRET_TWO_APP STORMPATH_TEST_APPLICATION_HREF

When your stormpath_env.sh file is ready to go, you encrypt it by following these steps:

  1. Copy the stormpath_env.sh file into your local stormpath-sdk-java project.

  2. Encrypt it with travis. You will need to have the Travis command line tool installed.

    travis encrypt-file stormpath_env.sh

    You'll see output like this:

    encrypting stormpath_env.sh for stormpath/stormpath-sdk-java
    storing result as stormpath_env.sh.enc
    storing secure env variables for decryption
    
    Please add the following to your build script (before_install stage in your .travis.yml, for instance):
    
    openssl aes-256-cbc -K $encrypted_0b7f5d43be1f_key -iv $encrypted_0b7f5d43be1f_iv -in stormpath_env.sh.enc -out stormpath_env.sh -d
    

    Notice the $encrypted_0b7f5d43be1f_key and the $encrypted_0b7f5d43be1f_iv references. Those will need to be updated in your section of the stormpath_authors.sh file.

  3. Upload the encrypted stormpath_env.sh.enc to your folder in the S3 bucket.

    All of the encrypted configuration files (as well as the author file and the encrypted global configuration file) are stored in an Amazon S3 bucket that is exposed as a static website.

    The S3 bucket location is: stormpath-sdk-java-travis-setup.s3-website-us-east-1.amazonaws.com

    The stormpath_env.sh.enc file should be placed in the folder in the S3 bucket that matches the settings in the stormpath_authors.sh file.

    If you do not have direct access to the S3 bucket, simply email the encrypted file to [email protected]

    Note: never email the unencrypted stormpath_env.sh file as it has secret keys in it. Also, never upload the unencrypted file to the S3 bucket. Everything in the S3 bucket is publicly available.

  4. Very Important: Cleanup

    Delete BOTH the stormpath_env.sh and stormpath_env.sh.enc files from the stormpath-sdk-java project.

    NOTE: NEVER commit either of these files to the stormpath-sdk-java project. They are only in this location because Travis needs to identify the GitHub project and the Travis user in order to properly encrypt the file.