keycloak-scim/testsuite/integration-arquillian/HOW-TO-RUN.md

817 lines
38 KiB
Markdown
Raw Normal View History

How To Run various testsuite configurations
===========================================
## Base steps
It's recomended to build the workspace including distribution.
cd $KEYCLOAK_SOURCES
mvn clean install -DskipTests=true
cd distribution
mvn clean install
## Debugging - tips & tricks
### Arquillian debugging
Adding this system property when running any test:
-Darquillian.debug=true
will add lots of info to the log. Especially about:
* The test method names, which will be executed for each test class, will be written at the proper running order to the log at the beginning of each test class(done by KcArquillian class).
* All the triggered arquillian lifecycle events and executed observers listening to those events will be written to the log
* The bootstrap of WebDriver will be unlimited. By default there is just 1 minute timeout and test is cancelled when WebDriver is not bootstrapped within it.
### WebDriver timeout
By default, WebDriver has 10 seconds timeout to load every page and it timeouts with error after that. Use this to increase timeout to 1 hour instead:
-Dpageload.timeout=3600000
### Surefire debugging
For debugging, the best is to run the test from IDE and debug it directly. When you use embedded Undertow (which is by default), then JUnit test, Keycloak server
and adapter are all in the same JVM and you can debug them easily. If it is not an option and you are forced to test with Maven and Wildfly (or EAP), you can use this:
-Dmaven.surefire.debug=true
Or slightly longer version (that allows you to specify debugging port as well as wait till you attach the debugger):
-Dmaven.surefire.debug="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006 -Xnoagent -Djava.compiler=NONE"
and you will be able to attach remote debugger to the test. Unfortunately server and adapter are running in different JVMs, so this won't help to debug those.
### JBoss auth server debugging
When tests are run on JBoss based container (WildFly/EAP) there is possibility to attach a debugger, by default on localhost:5005.
The server won't wait to attach the debugger. There are some properties what can change the default behaviour.
-Dauth.server.debug.port=$PORT
-Dauth.server.debug.suspend=y
More info: http://javahowto.blogspot.cz/2010/09/java-agentlibjdwp-for-attaching.html
### JBoss app server debugging
Analogically, there is the same behaviour for JBoss based app server as for auth server. The default port is set to 5006. There are app server properties.
-Dapp.server.debug.port=$PORT
-Dapp.server.debug.suspend=y
## Testsuite logging
It is configured in `testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties` . You can see that logging of testsuite itself (category `org.keycloak.testsuite`) is debug by default.
When you run tests with undertow (which is by default), there is logging for Keycloak server and adapter (category `org.keycloak` ) in `info` when you run tests from IDE, but `off` when
you run tests with maven. The reason is that, we don't want huge logs when running mvn build. However using system property `keycloak.logging.level` will override it. This can be used for both IDE or maven.
So for example using `-Dkeycloak.logging.level=debug` will enable debug logging for keycloak server and adapter.
For more fine-tuning of individual categories, you can look at log4j.properties file and temporarily enable/disable them here.
### Wildfly server logging
When using Keycloak on Wildfly/EAP, there is INFO logging level enabled by default for most of the java packages.
You can use those system properties to enable DEBUG logging for particular packages:
* `-Dinfinispan.logging.level=DEBUG` - for package `org.infinispan`
* `-Dorg.keycloak.services.scheduled=DEBUG` - for package `org.keycloak.services.scheduled`
You can use value `TRACE` if you want to enable even TRACE logging.
There is no support for more packages ATM, you need to edit the file `testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/add-log-level.cli`
and add packages manually.
## Run adapter tests
2018-04-18 11:31:04 +00:00
### Undertow
mvn -f testsuite/integration-arquillian/tests/base/pom.xml \
-Dtest=org.keycloak.testsuite.adapter.**.*Test
2019-02-12 09:12:40 +00:00
### Jetty
At the moment we can run the testsuite with Jetty `9.2` and `9.4`.
2019-02-12 09:12:40 +00:00
Each version has its corresponding profile:
* Jetty `9.2`: `app-server-jetty92`
* Jetty `9.4`: `app-server-jetty94`
Here's how to run the tests with Jetty `9.4`:
mvn -f testsuite/integration-arquillian/pom.xml \
2019-02-12 09:12:40 +00:00
-Papp-server-jetty94 \
-Dtest=org.keycloak.testsuite.adapter.**.*Test
2018-04-18 11:31:04 +00:00
### Wildfly
# Run tests
2018-04-18 11:31:04 +00:00
mvn -f testsuite/integration-arquillian/pom.xml \
clean install \
-Papp-server-wildfly \
-Dtest=org.keycloak.testsuite.adapter.**
### Tomcat
We run testsuite with Tomcat 7, 8 and 9. For specific versions see properties `${tomcat[7,8,9].version}` in parent [pom.xml](../../pom.xml).
To run tests on Tomcat:
````
mvn -f testsuite/integration-arquillian/pom.xml \
clean install \
-Papp-server-tomcat[7,8,9] \
-Dtest=org.keycloak.testsuite.adapter.**
````
### Wildfly with legacy non-elytron adapter
mvn -f testsuite/integration-arquillian/pom.xml \
clean install \
-Dskip.elytron.adapter.installation=true \
-Dskip.adapter.offline.installation=false \
-Papp-server-wildfly \
-Dtest=org.keycloak.testsuite.adapter.**
### Wildfly deprecated
This is usually previous version of WildFly application server right before current version.
See the property `wildfly.deprecated.version` in the file [pom.xml](pom.xml) ) .
mvn -f testsuite/integration-arquillian/pom.xml \
clean install \
-Pauth-server-wildfly \
-Papp-server-wildfly-deprecated \
-Dtest=org.keycloak.testsuite.adapter.**
### JBoss Fuse 6.3
1) Download JBoss Fuse 6.3 to your filesystem. It can be downloaded from http://origin-repository.jboss.org/nexus/content/groups/m2-proxy/org/jboss/fuse/jboss-fuse-karaf
Assumed you downloaded `jboss-fuse-karaf-6.3.0.redhat-229.zip`
2) Install to your local maven repository and change the properties according to your env (This step can be likely avoided if you somehow configure your local maven settings to point directly to Fuse repo):
mvn install:install-file \
-DgroupId=org.jboss.fuse \
-DartifactId=jboss-fuse-karaf \
-Dversion=6.3.0.redhat-229 \
-Dpackaging=zip \
-Dfile=/mydownloads/jboss-fuse-karaf-6.3.0.redhat-229.zip
3) Prepare Fuse and run the tests (change props according to your environment, versions etc):
# Prepare Fuse server
2018-06-13 12:22:35 +00:00
mvn -f testsuite/integration-arquillian/servers/pom.xml \
clean install \
-Papp-server-fuse63 \
-Dfuse63.version=6.3.0.redhat-229
# Run the Fuse adapter tests
mvn -f testsuite/integration-arquillian/tests/base/pom.xml \
clean install \
-Pauth-server-wildfly \
-Papp-server-fuse63 \
-Dauth.server.ssl.required=false \
-Dadditional.fuse.repos=,$REPO \
-Dtest=*.fuse.*
### JBoss Fuse 7.X
2018-06-13 12:22:35 +00:00
1) Download JBoss Fuse 7 to your filesystem. It can be downloaded from http://origin-repository.jboss.org/nexus/content/groups/m2-proxy/org/jboss/fuse/fuse-karaf (Fuse 7.3 or higher is required)
Assumed you downloaded `fuse-karaf-7.3.0.fuse-730065-redhat-00002.zip`
2018-06-13 12:22:35 +00:00
2) Install to your local maven repository and change the properties according to your env (This step can be likely avoided if you somehow configure your local maven settings to point directly to Fuse repo):
mvn install:install-file \
-DgroupId=org.jboss.fuse \
-DartifactId=fuse-karaf \
-Dversion=7.3.0.fuse-730065-redhat-00002 \
2018-06-13 12:22:35 +00:00
-Dpackaging=zip \
-Dfile=/mydownloads/fuse-karaf-7.3.0.fuse-730065-redhat-00002.zip
2018-06-13 12:22:35 +00:00
3) Prepare Fuse and run the tests (change props according to your environment, versions etc):
# Prepare Fuse server
mvn -f testsuite/integration-arquillian/servers/pom.xml \
clean install \
-Papp-server-fuse7x \
-Dfuse7x.version=7.3.0.fuse-730065-redhat-00002
2018-06-13 12:22:35 +00:00
# Run the Fuse adapter tests
mvn -f testsuite/integration-arquillian/tests/base/pom.xml \
2018-06-13 12:22:35 +00:00
clean test \
-Papp-server-fuse7x \
-Dauth.server.ssl.required=false \
-Dadditional.fuse.repos=,$REPO \
-Dtest=*.fuse.*
2018-06-13 12:22:35 +00:00
### EAP6 with Hawtio
1) Download JBoss EAP 6.4.0.GA zip
2) Install to your local maven repository and change the properties according to your env (This step can be likely avoided if you somehow configure your local maven settings to point directly to EAP repo):
mvn install:install-file \
-DgroupId=org.jboss.as \
-DartifactId=jboss-as-dist \
-Dversion=7.5.21.Final-redhat-1 \
-Dpackaging=zip \
-Dfile=/mydownloads/jboss-eap-6.4.0.zip
3) Download Fuse EAP installer (for example from http://origin-repository.jboss.org/nexus/content/groups/m2-proxy/com/redhat/fuse/eap/fuse-eap-installer/6.3.0.redhat-220/ )
4) Install previously downloaded file manually
mvn install:install-file \
-DgroupId=com.redhat.fuse.eap \
-DartifactId=fuse-eap-installer \
-Dversion=6.3.0.redhat-347 \
-Dpackaging=jar \
-Dfile=/fuse-eap-installer-6.3.0.redhat-347.jar
5) Prepare EAP6 with Hawtio and run the test
# Prepare EAP6 and deploy hawtio
mvn -f testsuite/integration-arquillian/servers \
clean install \
-Pauth-server-wildfly \
-Papp-server-eap6 \
-Dapp.server.jboss.version=7.5.21.Final-redhat-1 \
-Dfuse63.version=6.3.0.redhat-347
# Run the test
mvn -f testsuite/integration-arquillian/tests/base/pom.xml \
clean install \
-Pauth-server-wildfly \
-Papp-server-eap6 \
-Dtest=EAP6Fuse6HawtioAdapterTest
## Migration test
### DB migration test
This test will:
- start Keycloak 1.9.8 (replace with the other version if needed)
- import realm and some data to MySQL DB
- stop Keycloak 1.9.8
- start latest Keycloak, which automatically updates DB from 1.9.8
- Do some test that data are correct
1) Prepare MySQL DB and ensure that MySQL DB is empty. See [../../docs/tests-db.md](../../docs/tests-db.md) for some hints for locally prepare Docker MySQL image.
2) Run the test (Update according to your DB connection, versions etc):
export DB_HOST=localhost
mvn -f testsuite/integration-arquillian/pom.xml \
clean install \
-Pauth-server-wildfly,jpa,clean-jpa,auth-server-migration,test-70-migration \
-Dtest=MigrationTest \
-Dmigration.mode=auto \
-Djdbc.mvn.groupId=mysql \
-Djdbc.mvn.artifactId=mysql-connector-java \
-Djdbc.mvn.version=8.0.12 \
-Djdbc.mvn.version.legacy=5.1.38 \
-Dkeycloak.connectionsJpa.url=jdbc:mysql://$DB_HOST/keycloak \
-Dkeycloak.connectionsJpa.user=keycloak \
-Dkeycloak.connectionsJpa.password=keycloak
The profile "test-7X-migration" indicates from which version you want to test migration. The valid values are:
* test-70-migration - indicates migration from RHSSO 7.0 (Equivalent to Keycloak 1.9.8.Final)
* test-71-migration - indicates migration from RHSSO 7.1 (Equivalent to Keycloak 2.5.5.Final)
* test-72-migration - indicates migration from RHSSO 7.2 (Equivalent to Keycloak 3.4.3.Final)
* test-73-migration - indicates migration from RHSSO 7.3 (Equivalent to Keycloak 4.8.3.Final)
### DB migration test with manual mode
Same test as above, but it uses manual migration mode. During startup of the new Keycloak server, Liquibase won't automatically perform DB update, but it
just exports the needed SQL into the script. This SQL script then needs to be manually executed against the DB.
Then there is another startup of the new Keycloak server against the DB, which already has SQL changes applied and
the same test as in `auto` mode (MigrationTest) is executed to test that data are correct.
The test is executed in same way as the "auto" DB migration test with the only difference
that you need to use property `migration.mode` with the value `manual` .
-Dmigration.mode=manual
## Server configuration migration test
This will compare if Wildfly configuration files (standalone.xml, standalone-ha.xml, domain.xml)
are correctly migrated from previous version
mvn -f testsuite/integration-arquillian/tests/other/server-config-migration/pom.xml \
clean install \
-Dmigrated.version=1.9.8.Final-redhat-1
For the available versions, take a look at the directory [tests/other/server-config-migration/src/test/resources/standalone](tests/other/server-config-migration/src/test/resources/standalone)
## Admin Console UI tests
The UI tests are real-life, UI focused integration tests. Hence they do not support the default HtmlUnit browser. Only the following real-life browsers are supported: Mozilla Firefox, Google Chrome and Internet Explorer. For details on how to run the tests with these browsers, please refer to [Different Browsers](#different-browsers) chapter.
The UI tests are focused on the Admin Console. They are placed in the `console` module and are disabled by default.
The tests also use some constants placed in [test-constants.properties](tests/base/src/test/resources/test-constants.properties). A different file can be specified by `-Dtestsuite.constants=path/to/different-test-constants.properties`
2017-06-13 09:24:45 +00:00
In case a custom `settings.xml` is used for Maven, you need to specify it also in `-Dkie.maven.settings.custom=path/to/settings.xml`.
## Spring Boot adapter tests
Currently we are testing Spring Boot with three different containers `Tomcat 8`, `Undertow` and `Jetty [9.2, 9.3, 9.4]`. We are testing two versions of Spring Boot 1.5.x and 2.1.x. All versions are specified in [root pom.xml](../../pom.xml) (see properties `spring-boot15.version` and `spring-boot21.version`).
To run tests execute following command. Default version of Spring Boot is 1.5.x, to run tests with version 2.1.x add profile `-Pspringboot21`
```
mvn -f testsuite/integration-arquillian/tests/other/springboot-tests/pom.xml \
clean test \
-Dadapter.container=[tomcat|undertow|jetty92|jetty93|jetty94] \
[-Pspringboot21]
```
Note: Spring Boot 21 doesn't work with jetty92 and jetty93, only jetty94 is tested.
#### Execution example
```
mvn -f testsuite/integration-arquillian/tests/other/console/pom.xml \
clean test \
-Dbrowser=firefox \
-Dfirefox_binary=/opt/firefox-45.1.1esr/firefox
```
## Base UI tests
Similarly to Admin Console tests, these tests are focused on UI, specifically on the parts of the server that are accessed by an end user (like Login page, or Account Console).
They are designed to work with mobile browsers (alongside the standard desktop browsers). For details on the supported browsers and their configuration please refer to [Different Browsers chapter](#different-browsers).
#### Execution example
```
mvn -f testsuite/integration-arquillian/tests/other/base-ui/pom.xml \
clean test \
-Pandroid \
-Dappium.avd=Nexus_5X_API_27
```
## WebAuthN tests
The WebAuthN tests, in Keycloak, can be only executed with Chrome browser, because the Chrome has feature _WebAuthenticationTestingApi_,
which simulate hardware authentication device. For automated WebAuthN testing, this approach seems like the best choice so far.
To enabling the feature you have to add flag to _chromeArguments_. In each WebAuthN test should be method with ``@Before`` annotation
to verify the browser properties.
#### Example of verifying the browser properties
```
@Before
void verifyEnvironment(WebDriver driver) {
WebAuthnAssume.assumeChrome(driver);
}
```
#### Run all WebAuthN tests
```
mvn -f testsuite/integration-arquillian/tests/base/pom.xml \
clean test \
-Dtest=org.keycloak.testsuite.webauthn.**.*Test \
-Dbrowser=chrome \
-DchromeArguments=--enable-web-authentication-testing-api
```
2017-01-30 11:03:37 +00:00
## Social Login
The social login tests require setup of all social networks including an example social user. These details can't be
shared as it would result in the clients and users eventually being blocked. By default these tests are skipped.
2017-09-12 09:57:59 +00:00
To run the full test you need to configure clients in Google, Facebook, GitHub, Twitter, LinkedIn, Microsoft, PayPal and
StackOverflow. See the server administration guide for details on how to do that. You have to use URLs like
`http://localhost:8180/auth/realms/social/broker/google/endpoint` (with `google` replaced by the name
of given provider) as an authorized redirect URL when configuring the client. Further, you also need to create a sample user
that can login to the social network.
2017-01-30 11:03:37 +00:00
The details should be added to a standard properties file. For some properties you can use shared common properties and
override when needed. Or you can specify these for all providers. All providers require at least clientId and
clientSecret (StackOverflow also requires clientKey).
An example social.properties file looks like:
common.username=sampleuser@example.org
common.password=commonpassword
common.profile.firstName=Foo
common.profile.lastName=Bar
common.profile.email=sampleuser@example.org
google.clientId=asdfasdfasdfasdfsadf
google.clientSecret=zxcvzxcvzxcvzxcv
facebook.clientId=asdfasdfasdfasdfsadf
facebook.clientSecret=zxcvzxcvzxcvzxcv
facebook.profile.lastName=Test
In the example above the common username, password and profile are shared for all providers, but Facebook has a
different last name. Profile informations are used for assertion after login, so you have to set them to be same as
user profile information returned by given social login provider for used sample user.
2017-01-30 11:03:37 +00:00
Some providers actively block bots so you need to use a proper browser to test. Either Firefox or Chrome should work.
2017-01-30 11:03:37 +00:00
To run the tests run:
mvn -f testsuite/integration-arquillian/pom.xml \
clean install \
-Pauth-server-wildfly \
-Dtest=SocialLoginTest \
-Dbrowser=chrome \
-Dsocial.config=/path/to/social.properties
To run individual social provider test only you can use option like `-Dtest=SocialLoginTest#linkedinLogin`
2017-01-30 11:03:37 +00:00
## Different Browsers
You can use many different real-world browsers to run the integration tests.
Although technically they can be run with almost every test in the testsuite, they can fail with some of them as the tests often require specific optimizations for given browser. Therefore, only some of the test modules have support to be run with specific browsers.
#### Mozilla Firefox
* **Supported test modules:** `console`, `base-ui`
* **Supported version:** latest stable
* **Driver download required:** [GeckoDriver](https://github.com/mozilla/geckodriver/releases)
* **Run with:** `-Dbrowser=firefox -Dwebdriver.gecko.driver=path/to/geckodriver`; optionally you can specify `-Dfirefox_binary=path/to/firefox/binary`
#### Google Chrome
* **Supported test modules:** `console`, `base-ui`
* **Supported version:** latest stable
* **Driver download required:** [ChromeDriver](https://sites.google.com/a/chromium.org/chromedriver/) that corresponds with your version of the browser
* **Run with:** `-Dbrowser=chrome -Dwebdriver.chrome.driver=path/to/chromedriver`
#### Internet Explorer
* **Supported test modules:** `console`, `base-ui`
* **Supported version:** 11
* **Driver download required:** [Internet Explorer Driver Server](http://www.seleniumhq.org/download/); recommended version [3.5.1 32-bit](http://selenium-release.storage.googleapis.com/3.5/IEDriverServer_Win32_3.5.1.zip)
2019-01-28 17:36:17 +00:00
* **Run with:** `-Dbrowser=internetExplorer -Dwebdriver.ie.driver=path/to/IEDriverServer.exe -Dauth.server.ssl.required=false`
Note: We currently do not support SSL in IE.
#### Apple Safari
* **Supported test modules:** `base-ui`
* **Supported version:** latest stable
* **Driver download required:** no (the driver is bundled with macOS)
* **Run with:** `-Dbrowser=safari`
#### [DEPRECATED] Mozilla Firefox with legacy driver
* **Supported test modules:** `console`
* **Supported version:** [52 ESR](http://ftp.mozilla.org/pub/firefox/releases/52.9.0esr/) ([Extended Support Release](https://www.mozilla.org/en-US/firefox/organizations/))
* **Driver download required:** no
* **Run with:** `-Dbrowser=firefox -DfirefoxLegacyDriver=true -Dfirefox_binary=path/to/firefox-52-esr/binary`
#### Automatic driver downloads
You can rely on automatic driver downloads which is provided by [Arquillian Drone](http://arquillian.org/arquillian-extension-drone/#_automatic_download). To do so just omit the `-Dwebdriver.{browser}.driver` CLI argument when running the tests.
By default latest driver version is always downloaded. To download a specific version, add `-DfirefoxDriverVersion`, `-DchromeDriverVersion` or `-DieDriverVersion` CLI argument.
#### Mobile browsers
The support for testing with the mobile browsers is implemented using the [Appium](http://appium.io/) project.
This means the tests can be run with a real mobile browser in a real mobile OS. However, only emulators/simulators of mobile devices are supported at the moment (no physical devices) in our testsuite.
First, you need to install the Appium server. If you have Node.js and npm installed on your machine, you can do that with: `npm install -g appium`. For further details and requirements please refer to the [official Appium documentation](http://appium.io/docs/en/about-appium/intro/).
The tests will try to start the Appium server automatically but you can do it manually as well (just by executing `appium`).
To use a mobile browser you need to create a virtual device. The most convenient way to do so is to install the desired platform's IDE - either [Android Studio](https://developer.android.com/studio/) (for Android devices) or [Xcode](https://developer.apple.com/xcode/) (for iOS devices) - then you can create a device (smartphone/tablet) there. For details please refer to documentation of those IDEs.
#### Google Chrome on Android
* **Supported test modules:** `base-ui`
* **Supported host OS:** Windows, Linux, macOS
* **Supported browser version:** latest stable
* **Supported mobile OS version:** Android 7.x, 8.x
* **Run with:** `mvn clean test -Pandroid -Dappium.avd=name_of_the_AVD` where AVD is the name of your Android Virtual Device (e.g. `Nexus_5X_API_27`)
**Tips & tricks:**
* If the AVD name contains any spaces, you need to replace them with underscores when specifying the `-Dappium.avd=...`.
* It's probable that a freshly created device will contain an outdated Chrome version. To update to the latest version (without using the Play Store) you need to download an `.apk` for Chrome and install it with `adb install -r path/to/chrome.apk`.
* Chrome on Android uses ChromeDriver similarly to regular desktop Chrome. The ChromeDriver is bundled with the Appium server. To use a newer ChromeDriver please follow the [Appium documentation](http://appium.io/docs/en/writing-running-appium/web/chromedriver/).
#### Apple Safari on iOS
* **Supported test modules:** `base-ui`
* **Supported host OS:** macOS
* **Supported browser version:** _depends on the mobile OS version_
* **Supported mobile OS version:** iOS 11.x
* **Run with:** `mvn clean test -Pios -Dappium.deviceName=device_name` where the device name is your device identification (e.g. `iPhone X`)
## Disabling TLS (SSL) in the tests
All tests are executed with TLS by default. In order to disable it, you need to switch the `auth.server.ssl.required` property off.
Here's an example:
mvn -f testsuite/integration-arquillian/pom.xml \
clean install \
-Dauth.server.ssl.required=false
NOTE: You can also do it ad-hoc from your IDE, however some tests (like AuthZ or JS Adapter tests) require rebuilt test applications.
so please make sure you rebuild all `testsuite/integration-arquillian` child modules.
## Cluster tests
Cluster tests use 2 backend servers (Keycloak on Wildfly/EAP or Keycloak on Undertow), 1 frontend loadbalancer server node and one shared DB. Invalidation tests don't use loadbalancer.
The browser usually communicates directly with the backend node1 and after doing some change here (eg. updating user), it verifies that the change is visible on node2 and user is updated here as well.
Failover tests use loadbalancer and they require the setup with the distributed infinispan caches switched to have 2 owners (default value is 1 owner). Otherwise failover won't reliably work.
The setup includes:
* a load balancer on embedded Undertow (SimpleUndertowLoadBalancer)
* two clustered nodes of Keycloak server on Wildfly/EAP or on embedded undertow
* shared DB
### Cluster tests with Keycloak on Wildfly
After you build the distribution, you run this command to setup servers and run cluster tests using shared Docker database:
mvn -f testsuite/integration-arquillian/pom.xml \
-Pauth-server-wildfly,auth-server-cluster,db-mysql,jpa \
-Dsession.cache.owners=2 \
-Dbackends.console.output=true \
-Dauth.server.log.check=false \
-Dfrontend.console.output=true \
-Dtest=org.keycloak.testsuite.cluster.**.*Test clean install
### Cluster tests with Keycloak on embedded undertow
mvn -f testsuite/integration-arquillian/tests/base/pom.xml \
-Pauth-server-cluster-undertow,db-mysql \
-Dsession.cache.owners=2 \
-Dkeycloak.connectionsInfinispan.sessionsOwners=2 \
-Dbackends.console.output=true \
-Dauth.server.log.check=false \
-Dfrontend.console.output=true \
-Dtest=org.keycloak.testsuite.cluster.**.*Test clean install
Note that after update, you might encounter `org.infinispan.commons.CacheException: Initial state transfer timed out for cache org.infinispan.CONFIG`
error in some environments. This can be fixed by adding `-Djava.net.preferIPv4Stack=true` parameter to the command above.
#### Run cluster tests from IDE on embedded undertow
The test uses Undertow loadbalancer on `http://localhost:8180` and two embedded backend Undertow servers with Keycloak on `http://localhost:8181` and `http://localhost:8182` .
You can use any cluster test (eg. AuthenticationSessionFailoverClusterTest) and run from IDE with those system properties (replace with your DB settings):
-Dauth.server.undertow=false -Dauth.server.undertow.cluster=true -Dauth.server.cluster=true
-Dkeycloak.connectionsJpa.url=jdbc:mysql://localhost/keycloak -Dkeycloak.connectionsJpa.driver=com.mysql.jdbc.Driver
-Dkeycloak.connectionsJpa.user=keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsInfinispan.clustered=true -Dresources
-Dkeycloak.connectionsInfinispan.sessionsOwners=2 -Dsession.cache.owners=2
Invalidation tests (subclass of `AbstractInvalidationClusterTest`) don't need last two properties.
#### Run cluster environment from IDE
This mode is useful for develop/manual tests of clustering features. You will need to manually run keycloak backend nodes and loadbalancer.
1) Run KeycloakServer server1 with:
-Dkeycloak.connectionsJpa.url=jdbc:mysql://localhost/keycloak -Dkeycloak.connectionsJpa.driver=com.mysql.jdbc.Driver
-Dkeycloak.connectionsJpa.user=keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsInfinispan.clustered=true
-Dkeycloak.connectionsInfinispan.sessionsOwners=2 -Dresources
and argument: `-p 8181`
2) Run KeycloakServer server2 with same parameters but argument: `-p 8182`
3) Run loadbalancer (class `SimpleUndertowLoadBalancer`) without arguments and system properties. Loadbalancer runs on port 8180, so you can access Keycloak on `http://localhost:8180/auth`
2017-05-29 07:02:57 +00:00
## Cross-DC tests
KEYCLOAK-4335: x509 client certificate authentication Started on implementing cert thumbprint validation as a part of x509 auth flow. Added a prompt screen to give users a choice to either log in based on the identity extracted from X509 cert or to continue with normal browser login flow authentication; clean up some of the comments x509 authentication for browser and direct grant flows. Implemented certificate to user mapping based on user attribute Implemented CRL and OCSP certificate revocation checking and added corresponding configuration settings to set up responderURI (OCSP), a location of a file containing X509CRL entries and switiches to enable/disable revocation checking; reworked the certificate validation; removed superflous logging; changed the certificate authentication prompt page to automatically log in the user after 10 seconds if no response from user is received Support for loading CRL from LDAP directory; finished the CRL checking using the distribution points in the certificate; updated the instructions how to add X509 authentication to keycloak authentication flows; minor styling changes Stashing x509 unit test related changes; added the steps to configure mutual SSL in WildFly to the summary document A minor fix to throw a security exception when unable to check cert revocation status using OCSP; continue working on README Changes to the formating of the readme Added a list of features to readme Fixed a potential bug in X509 cert user authenticator that may cause NPE if the client certificate does not define keyusage or extended key usage extensions Fixed compile time errors in X509 validators caused by the changes to the user credentials model in upstream master Removed a superfluous file created when merging x509 and main branches X509 authentication: removed the PKIX path validation as superflous Reverted changes to the AbstractAttributeMapper introduced during merging of x509 branch into main Merge the unit tests from x509 branch added mockito dependency to services project; changes to the x509 authenticators to expose methods in order to support unit tests; added a default ctor to CertificateValidator class to support unit testing; updated the direct grant and browser x509 authenticators to report consistent status messages; unit tests to validate X509 direct grant and browser authenticators; fixed OCSP validation to throw an exception if the certificate chain contains a single certificate; fixed the CRL revocation validation to only use CRL distribution point validation only if configured CRL and OSCP mock tests using mock netty server. Changed the certificate validator to better support unit testing. changes to the mockserver dependency to explicitly exclude xercesImpl that was causing SAMLParsingTest to fail Added a utility class to build v3 certificates with optional extensions to facilitate X509 unit testing; removed supoerfluous certificate date validity check (undertow should be checking the certificate dates during PKIX path validation anyway) X509: changes to make configuring the user identity extraction simplier for users - new identity sources to map certificate CN and email (E) attributes from X500 subject and issuer names directly rather than using regular expressions to parse them X509 fixed a compile error caused by the changes to the user model in master Integration tests to validate X509 client certificate authentication Minor tweaks to X509 client auth related integration tests CRLs to support x509 client cert auth integration tests X509: reverted the changes to testrealm.json and updated the test to configure the realm at runtime X509 - changes to the testsuite project configuration to specify a path to a trust store used to test x509 direct grant flow; integration tests to validate x509 authentication in browser and direct grant flows; updated the client certificate to extend its validatity dates; x509 integration tests and authenticators have been refactored to use a common configuration class X509 separated the browser and direct grant x509 authenction integration tests x509 updated the authenticator provider test to remove no longer supported cert thumbprint authenticator x509 removed the dependency on mockito x509 re-implemented OCSP certificate revocation client used to check revocation status when logging in with x509 certificate to work around the dependency on Sun OCSP implementation; integration tests to verify OCSP revocation requests index.txt.attr is needed by openssl to run a simple OCSP server x509: minor grammar fixes Add OCSP stub responder to integration tests This commit adds OCSP stub responder needed for the integration tests, and eliminates the need to run external OCSP responder in order to run the OCSP in X509OCSPResponderTest. Replace printStackTrece with logging This commit replaces call to printStackTrace that will end up going to the stderr with logging statement of WARN severity. Remove unused imports Removed unused imports in org.keycloak.authentication.authenticators.x509 package. Parameterized Hashtable variable Removed unused CertificateFactory variable Declared serialVersionUID for Serializable class Removed unused CertificateBuilder class The CertificateBuilder was not used anywhere in the code, removing it to prevent technical debt. Removing unused variable declaration `response` variable is not used in the test, removed it. Made sure InputStreams are closed Even though the InputStreams are memory based, added try-with-resources to make sure that they are closed. Removed deprecated usage of URLEncoder Replaced invocation of deprecated method from URLEncoder with Encode from Keycloak util package. Made it more clear how to control OCSP stub responder in the tests X509 Certificate user authentication: moved the integration unit tests into their own directory to fix a failing travis test job KEYCLOAK-4335: reduced the logging level; added the instructions how to run X.509 related tests to HOW-TO-RUN.md doc; removed README.md from x509 folder; removed no longer used ocsp profile and fixed the exclusion filter; refactored the x509 base test class that was broken by the recent changes to the integration tests KEYCLOAK-4335: fixed a few issues after rebasing
2016-07-26 15:47:28 +00:00
Cross-DC tests use 2 data centers, each with one automatically started and one manually controlled backend servers,
and 1 frontend loadbalancer server node that sits in front of all servers.
2017-05-29 07:02:57 +00:00
The browser usually communicates directly with the frontent node and the test controls where the HTTP requests
land by adjusting load balancer configuration (e.g. to direct the traffic to only a single DC).
For an example of a test, see [org.keycloak.testsuite.crossdc.ActionTokenCrossDCTest](tests/base/src/test/java/org/keycloak/testsuite/crossdc/ActionTokenCrossDCTest.java).
The cross DC requires setting a profile specifying used cache server by specifying
`cache-server-infinispan` or `cache-server-jdg` profile in maven.
2017-05-29 07:02:57 +00:00
Since JDG does not distribute `infinispan-server` zip artifact anymore, for `cache-server-jdg` profile it is
necessary to download the artifact and install it to local Maven repository. For JDG 7.3.0, the command is the following:
mvn install:install-file \
-DgroupId=org.infinispan.server -DartifactId=infinispan-server -Dpackaging=zip -Dclassifier=bin -DgeneratePom=true \
-Dversion=9.4.6.Final-redhat-00002 -Dfile=jboss-datagrid-7.3.0-server.zip
2017-05-29 07:02:57 +00:00
#### Run Cross-DC Tests from Maven
a) Prepare the environment. Compile the infinispan server and eventually Keycloak on JBoss server.
a1) If you want to use **Undertow** based Keycloak container, you just need to download and prepare the
Infinispan/JDG test server via the following command:
`mvn -Pcache-server-infinispan,auth-servers-crossdc-undertow -f testsuite/integration-arquillian -DskipTests clean install`
*note: 'cache-server-infinispan' can be replaced by 'cache-server-jdg'*
a2) If you want to use **JBoss-based** Keycloak backend containers instead of containers on Embedded Undertow,
you need to prepare both the Infinispan/JDG test server and the Keycloak server on Wildfly/EAP. Run following command:
`mvn -Pcache-server-infinispan,auth-servers-crossdc-jboss,auth-server-wildfly -f testsuite/integration-arquillian -DskipTests clean install`
2017-05-29 07:02:57 +00:00
*note: 'cache-server-infinispan' can be replaced by 'cache-server-jdg'*
*note: 'auth-server-wildfly' can be replaced by 'auth-server-eap'*
By default JBoss-based containers use TCP-based h2 database. It can be configured to use real DB spawn in Docker, e.g. with following command:
`mvn -Pcache-server-infinispan,auth-servers-crossdc-jboss,auth-server-wildfly,jpa,db-mariadb -f testsuite/integration-arquillian -DskipTests clean install`
b1) For **Undertow** Keycloak backend containers, you can run the tests using the following command (adjust the test specification according to your needs):
`mvn -Pcache-server-infinispan,auth-servers-crossdc-undertow -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base clean install`
2017-05-29 07:02:57 +00:00
*note: 'cache-server-infinispan' can be replaced by 'cache-server-jdg'*
*note: It can be useful to add additional system property to enable logging:*
`-Dkeycloak.infinispan.logging.level=debug`
b2) For **JBoss-based** Keycloak backend containers, you can run the tests like this:
`mvn -Pcache-server-infinispan,auth-servers-crossdc-jboss,auth-server-wildfly -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base clean install`
*note: 'cache-server-infinispan' can be replaced by 'cache-server-jdg'*
*note: 'auth-server-wildfly can be replaced by auth-server-eap'*
**note**:
For **JBoss-based** Keycloak backend containers on real DB, the previous commands from (a2) and (b2) can be "squashed" into one. E.g.:
`mvn -f testsuite/integration-arquillian -Dtest=*.crossdc.* -Pcache-server-infinispan,auth-servers-crossdc-jboss,auth-server-wildfly,jpa,db-mariadb clean install`
#### Run Cross-DC Tests from Intellij IDEA
First we will manually download, configure and run infinispan servers. Then we can run the tests from IDE against the servers.
It's more effective during development as there is no need to restart infinispan server(s) among test runs.
1) Download infinispan server of corresponding version (See "infinispan.version" property in [root pom.xml](../../pom.xml))
from http://infinispan.org/download/ and go through the steps from the
[Keycloak Cross-DC documentation](http://www.keycloak.org/docs/latest/server_installation/index.html#jdgsetup) for setup infinispan servers.
The difference to original docs is, that you need to have JDG servers available on localhost with port offsets. So:
* The TCPPING hosts should be like this:
```xml
<property name="initial_hosts">localhost[8610],localhost[9610]"</property>
```
* The port offset when starting node `jdg1` should be like: `-Djboss.socket.binding.port-offset=1010` and when
starting the `jdg2` server, then `-Djboss.socket.binding.port-offset=2010` . In both cases, the bind address should be just
default `localhost` (In other words, the `-b` switch can be omitted).
So assume you have both Infinispan/JDG servers up and running.
2) Setup MySQL database or some other shared database.
3) Ensure that `org.wildfly.arquillian:wildfly-arquillian-container-managed` is on the classpath when running test. On Intellij, it can be
done by going to: `View` -> `Tool Windows` -> `Maven projects`. Then check profile `cache-server-infinispan` and `auth-servers-crossdc-undertow`.
The tests will use this profile when executed.
4) Run the LoginCrossDCTest (or any other test) with those properties. In shortcut, it's using MySQL database and
connects to the remoteStore provided by infinispan server configured in previous steps:
`-Dauth.server.crossdc=true -Dauth.server.undertow.crossdc=true -Dcache.server.lifecycle.skip=true -Dkeycloak.connectionsInfinispan.clustered=true -Dkeycloak.connectionsJpa.url.crossdc=jdbc:mysql://localhost/keycloak -Dkeycloak.connectionsJpa.driver.crossdc=com.mysql.jdbc.Driver -Dkeycloak.connectionsJpa.user=keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsInfinispan.clustered=true -Dkeycloak.connectionsInfinispan.remoteStorePort=12232 -Dkeycloak.connectionsInfinispan.remoteStorePort.2=13232 -Dkeycloak.connectionsInfinispan.sessionsOwners=1 -Dsession.cache.owners=1 -Dkeycloak.infinispan.logging.level=debug -Dresources`
**NOTE**: Tests from package `manual` (eg. SessionsPreloadCrossDCTest) needs to be executed with managed containers.
So skip steps 1,2 and add property `-Dmanual.mode=true` and change "cache.server.lifecycle.skip" to false `-Dcache.server.lifecycle.skip=false` or remove it.
5) If you want to debug or test manually, the servers are running on these ports (Note that not all backend servers are running by default and some might be also unused by loadbalancer):
* *Loadbalancer* -> "http://localhost:8180/auth"
* *auth-server-undertow-cross-dc-0_1* -> "http://localhost:8101/auth"
* *auth-server-undertow-cross-dc-0_2-manual* -> "http://localhost:8102/auth"
* *auth-server-undertow-cross-dc-1_1* -> "http://localhost:8111/auth"
* *auth-server-undertow-cross-dc-1_2-manual* -> "http://localhost:8112/auth"
## Run Docker Authentication test
First, validate that your machine has a valid docker installation and that it is available to the JVM running the test.
The exact steps to configure Docker depend on the operating system.
By default, the test will run against Undertow based embedded Keycloak Server, thus no distribution build is required beforehand.
The exact command line arguments depend on the operating system.
2019-03-19 10:41:42 +00:00
### General guidelines
If docker daemon doesn't run locally, or if you're not running on Linux, you may need
to determine the IP of the bridge interface or local interface that Docker daemon can use to connect to Keycloak Server.
Then specify that IP as additional system property called *host.ip*, for example:
-Dhost.ip=192.168.64.1
If using Docker for Mac, you can create an alias for your local network interface:
sudo ifconfig lo0 alias 10.200.10.1/24
Then pass the IP as *host.ip*:
-Dhost.ip=10.200.10.1
If you're running a Docker fork that always lists a host component of an image on `docker images` (e.g. Fedora / RHEL Docker)
use `-Ddocker.io-prefix-explicit=true` argument when running the test.
### Fedora
On Fedora one way to set up Docker server is the following:
# install docker
sudo dnf install docker
# configure docker
# remove --selinux-enabled from OPTIONS
sudo vi /etc/sysconfig/docker
# create docker group and add your user (so docker wouldn't need root permissions)
sudo groupadd docker && sudo gpasswd -a ${USER} docker && sudo systemctl restart docker
newgrp docker
# you need to login again after this
# make sure Docker is available
docker pull registry:2
You may also need to add an iptables rule to allow container to host traffic
sudo iptables -I INPUT -i docker0 -j ACCEPT
Then, run the test passing `-Ddocker.io-prefix-explicit=true`:
mvn -f testsuite/integration-arquillian/tests/base/pom.xml \
clean test \
-Dtest=DockerClientTest \
-Dkeycloak.profile.feature.docker=enabled \
-Ddocker.io-prefix-explicit=true
### macOS
On macOS all you need to do is install Docker for Mac, start it up, and check that it works:
# make sure Docker is available
docker pull registry:2
Be especially careful to restart Docker server after every sleep / suspend to ensure system clock of Docker VM is synchronized with
that of the host operating system - Docker for Mac runs inside a VM.
Then, run the test passing `-Dhost.ip=IP` where IP corresponds to en0 interface or an alias for localhost:
mvn -f testsuite/integration-arquillian/tests/base/pom.xml \
clean test \
-Dtest=DockerClientTest \
-Dkeycloak.profile.feature.docker=enabled \
-Dhost.ip=10.200.10.1
### Running Docker test against Keycloak Server distribution
Make sure to build the distribution:
mvn clean install -f distribution
Then, before running the test, setup Keycloak Server distribution for the tests:
mvn -f testsuite/integration-arquillian/servers/pom.xml \
clean install \
-Pauth-server-wildfly
When running the test, add the following arguments to the command line:
-Pauth-server-wildfly -Pauth-server-enable-disable-feature -Dfeature.name=docker -Dfeature.value=enabled
## Java 11 support
Java 11 requires some arguments to be passed to JVM. Those can be activated using `-Pjava11-auth-server` and
`-Pjava11-app-server` profiles, respectively.