libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions
keycloak-scim/testsuite/integration-arquillian
History
Peter Nalyvayko b2f10359c8 KEYCLOAK-4335: x509 client certificate authentication 
Started on implementing cert thumbprint validation as a part of x509 auth flow. Added a prompt screen to give users a choice to either log in based on the identity extracted from X509 cert or to continue with normal browser login flow authentication; clean up some of the comments

x509 authentication for browser and direct grant flows. Implemented certificate to user mapping based on user attribute

Implemented CRL and OCSP certificate revocation checking and added corresponding configuration settings to set up responderURI (OCSP), a location of a file containing X509CRL entries and switiches to enable/disable revocation checking; reworked the certificate validation; removed superflous logging; changed the certificate authentication prompt page to automatically log in the user after 10 seconds if no response from user is received

Support for loading CRL from LDAP directory; finished the CRL checking using the distribution points in the certificate; updated the instructions how to add X509 authentication to keycloak authentication flows; minor styling changes

Stashing x509 unit test related changes; added the steps to configure mutual SSL in WildFly to the summary document

A minor fix to throw a security exception when unable to check cert revocation status using OCSP; continue working on README

Changes to the formating of the readme

Added a list of features to readme

Fixed a potential bug in X509 cert user authenticator that may cause NPE if the client certificate does not define keyusage or extended key usage extensions

Fixed compile time errors in X509 validators caused by the changes to the user credentials model in upstream master

Removed a superfluous file created when merging x509 and main branches

X509 authentication: removed the PKIX path validation as superflous

Reverted changes to the AbstractAttributeMapper introduced during merging of x509 branch into main

Merge the unit tests from x509 branch

added mockito dependency to services project; changes to the x509 authenticators to expose methods in order to support unit tests; added a default ctor to CertificateValidator class to support unit testing; updated the direct grant and browser x509 authenticators to report consistent status messages; unit tests to validate X509 direct grant and browser authenticators; fixed OCSP validation to throw an exception if the certificate chain contains a single certificate; fixed the CRL revocation validation to only use CRL distribution point validation only if configured

CRL and OSCP mock tests using mock netty server. Changed the certificate validator to better support unit testing.

changes to the mockserver dependency to explicitly exclude xercesImpl that was causing SAMLParsingTest to fail

Added a utility class to build v3 certificates with optional extensions to facilitate X509 unit testing; removed supoerfluous certificate date validity check (undertow should be checking the certificate dates during PKIX path validation anyway)

X509: changes to make configuring the user identity extraction simplier for users - new identity sources to map certificate CN and email (E) attributes from X500 subject and issuer names directly rather than using regular expressions to parse them

X509 fixed a compile error caused by the changes to the user model in master

Integration tests to validate X509 client certificate authentication

Minor tweaks to X509 client auth related integration tests

CRLs to support x509 client cert auth integration tests

X509: reverted the changes to testrealm.json and updated the test to configure the realm at runtime

X509 - changes to the testsuite project configuration to specify a path to a trust store used to test x509 direct grant flow; integration tests to validate x509 authentication in browser and direct grant flows; updated the client certificate to extend its validatity dates; x509 integration tests and authenticators have been refactored to use a common configuration class

X509 separated the browser and direct grant x509 authenction integration tests

x509 updated the authenticator provider test to remove no longer supported cert thumbprint authenticator

x509 removed the dependency on mockito

x509 re-implemented OCSP certificate revocation client used to check revocation status when logging in with x509 certificate to work around the dependency on Sun OCSP implementation; integration tests to verify OCSP revocation requests

index.txt.attr is needed by openssl to run a simple OCSP server

x509: minor grammar fixes

Add OCSP stub responder to integration tests

This commit adds OCSP stub responder needed for the integration tests,
and eliminates the need to run external OCSP responder in order to run
the OCSP in X509OCSPResponderTest.

Replace printStackTrece with logging

This commit replaces call to printStackTrace that will end up going to
the stderr with logging statement of WARN severity.

Remove unused imports

Removed unused imports in
org.keycloak.authentication.authenticators.x509 package.

Parameterized Hashtable variable

Removed unused CertificateFactory variable

Declared serialVersionUID for Serializable class

Removed unused CertificateBuilder class

The CertificateBuilder was not used anywhere in the code, removing it to
prevent technical debt.

Removing unused variable declaration

`response` variable is not used in the test, removed it.

Made sure InputStreams are closed

Even though the InputStreams are memory based, added try-with-resources
to make sure that they are closed.

Removed deprecated usage of URLEncoder

Replaced invocation of deprecated method from URLEncoder with Encode
from Keycloak util package.

Made it more clear how to control OCSP stub responder in the tests

X509 Certificate user authentication: moved the integration unit tests into their own directory to fix a failing travis test job

KEYCLOAK-4335: reduced the logging level; added the instructions how to run X.509 related tests to HOW-TO-RUN.md doc; removed README.md from x509 folder; removed no longer used ocsp profile and fixed the exclusion filter; refactored the x509 base test class that was broken by the recent changes to the integration tests

KEYCLOAK-4335: fixed a few issues after rebasing
2017-03-17 05:24:57 -04:00
..
servers KEYCLOAK-4335: x509 client certificate authentication 2017-03-17 05:24:57 -04:00
test-apps Bump to 3.1.0.CR1-SNAPSHOT 2017-03-16 14:21:40 +01:00
test-utils Bump to 3.1.0.CR1-SNAPSHOT 2017-03-16 14:21:40 +01:00
tests KEYCLOAK-4335: x509 client certificate authentication 2017-03-17 05:24:57 -04:00
HOW-TO-RUN.md KEYCLOAK-4335: x509 client certificate authentication 2017-03-17 05:24:57 -04:00
pom.xml Bump to 3.1.0.CR1-SNAPSHOT 2017-03-16 14:21:40 +01:00
README.md KEYCLOAK-4169 Instructions on how to run UI and Welcome Page tests 2017-03-10 11:26:21 +01:00

README.md

Keycloak Arquillian Integration Testsuite

Overview

For overview see the Modules Overview section at the bottom of this README.

How to run tests

See the file HOW-TO-RUN.md .

Container Lifecycles

Auth Server

Keycloak server is automatically started by the testsuite on the BeforeSuite event and stopped on AfterSuite event.

By default the server runs in embedded Undertow.

Wildfly/EAP

Testsuite supports running server on Wildfly/EAP. For this it's necessary to:

  • build the project including the distribution module (artifact keycloak-server-dist/-overlay needs to be available before running the testsuite),
  • activate profile auth-server-wildfly or auth-server-eap7.

More details...

Cluster Setup

The cluster setup for server can be enabled by activating profile auth-server-cluster.

The cluster setup is not supported for server on Undertow. Profile auth-server-wildfly or auth-server-eap needs to be activated.

The setup includes:

  • a mod_cluster load balancer on Wildfly
  • two clustered nodes of Keycloak server on Wildfly/EAP

Clustering tests require MULTICAST to be enabled on machine's loopback network interface. This can be done by running the following commands under root privileges:

route add -net 224.0.0.0 netmask 240.0.0.0 dev lo
ifconfig lo multicast

App Servers / Adapter Tests

Lifecycle of application server is always tied to a particular TestClass.

Each adapter test class is annotated by @AppServerContainer("app-server-*") annotation that links it to a particular Arquillian container in arquillian.xml. The AppServerTestEnricher then ensures the server is started during BeforeClass event and stopped during AfterClass event for that particular test class. In case the @AppServerContainer annotation has no value it's assumed that the application container is the same as the auth server container - a "relative" adapter test scenario.

The app-servers with installed Keycloak adapter are prepared in servers/app-server submodules, activated by -Papp-server-MODULE. More details.

The corresponding adapter test modules are in tests/other/adapters submodules, and are activated by the same profiles.

SuiteContext and TestContext

These objects are injected into AbstractKeycloakTest class so they can be used everywhere. They can be used to get information about the tested containers, and to store information that won't survive across test classes or test methods. (Arquillian creates a new instance of test class for each test method run, so all data in the fields is always lost.)

REST Testing

The AbstractKeycloakTest has an initialized instance of AdminClient. Subclasses can use it to access any REST subresources.

UI Testing

Page Objects

Page Objects are used by tests to access and operate on UI. They can be injected using annotation @Page provided by the Arquillian Graphene extension.

The base class for all page objects used throughout this Arquillian testsuite is AbstractPage, and it's subclass AbstractPageWithInjectedUrl.

For the page objects for the adapter test apps the URLs are injected automatically by Arquillian depending on actual URL of the deployed app/example.

For the pages under the /auth context the URL is only injected to the AuthServerContextRoot page object, and the URL hierarchy is modeled by the class inheritance hierarchy (subclasses/extending of AuthServerContextRoot).

Browsers

The default browser for UI testing is htmlunit which is used for fast "headless" testing. Other browsers can be selected with the -Dbrowser property, for example firefox. See HOW-TO-RUN.md and Arquillian Graphene documentation for more details.

Utils classes

UI testing is sometimes very tricky due to different demands and behaviours of different browsers and their drivers. So there are some very useful Utils classes which are already dealing with some common stability issues while testing. See UIUtils, URLUtils and WaitUtils classes in the Base Testsuite.

Test Modules

Base Testsuite

The base testsuite contains custom Arquillian extensions and most functional tests. The other test modules depend on this module.

Admin Console UI Tests

Tests for Keycloak Admin Console are located in a separate module tests/other/console and are disabled by default. Can be enabled by -Pconsole-ui-tests.

Adapter Tests

Adapter tests are located in submodules of the tests/other/adapters module.

They are disabled by default; they can be enabled by corresponding profiles. Multiple profiles can be enabled for a single test execution.

Types of adapter tests

  1. Using custom test servlets
  2. Using example demo apps from keycloak/examples modules.

Relative vs Non-relative scenario

The test suite can handle both types. It automatically modifies imported test realms and deployments' adapter configs based on scenario type.

Scenario Description Realm config (server side) Adapter config (client side)
Relative auth server == app server client baseUrl, adminUrl and redirect-uris can be relative auth-server-url can be relative
Non-relative auth server != app server client baseUrl, adminUrl and redirect-uris need to include FQDN of the app server auth-server-url needs to include FQDN of the auth server

Adapter Config Mode

  1. Provided - In standalone.xml using secure-deployment. Wildfly only. WIP
  2. Bundled - In the deployed war in /WEB-INF/keycloak.json. Default.

Custom Arquillian Extensions

Custom extensions are registered in META-INF/services/org.jboss.arquillian.core.spi.LoadableExtension.

MultipleContainersExtension

  • Replaces Arquillian's default container handling.
  • Allows to manage multiple container instances of different types within a single test run.
  • Allows to skip loading disabled containers based on enabled config property in arquillian.xml.

KeycloakArquillianExtension

  • AuthServerTestEnricher - Handles lifecycle of auth server and migrated auth server.
  • AppServerTestEnricher - Handles lifecycles of app servers.
  • CustomUndertowContainer - Custom container controller for JAX-RS-enabled Undertow with Keycloak Server.
  • DeploymentArchiveProcessor - Modifies adapter configs before test apps are deployed.
  • DeploymentTargetModifier - Ensures all test app deployments are targeted at app server containers.
  • URLProvider - Fixes URLs injected by Arquillian Graphene which contain value 127.0.0.1 instead of required localhost.

Modules Overview

integration-arquillian
│
├──servers   (preconfigured test servers)
│  │
│  ├──auth-server
│  │  ├──jboss (wildfly/eap)
│  │  └──undertow (arq. extension)
│  │
│  ├──app-server
│  │  ├──jboss (wildfly/eap/as)
│  │  ├──tomcat
│  │  └──karaf
│  │
│  └──wildfly-balancer
│
└──tests   (common settings for all test modules)
   │
   ├──base    (custom ARQ extensions + base functional tests)
   │
   └──other   (common settings for all test modules dependent on base)
      │
      ├──adapters         (common settings for all adapter test modules)
      │  ├──jboss
      │  ├──tomcat
      │  └──karaf
      │
      ├──console          
      ├──console_no_users 
      └──...