From 70074dcf71eea35cac96f0e519b4608fffcb4257 Mon Sep 17 00:00:00 2001 From: phala Date: Fri, 17 May 2024 21:46:50 +0200 Subject: [PATCH] Rename RHSSO to Keycloak --- README.md | 6 +-- config/settings.local.yaml.tpl | 8 ++-- config/settings.yaml | 2 +- testsuite/config/__init__.py | 4 +- testsuite/httpx/auth.py | 4 +- .../oidc/{rhsso => keycloak}/__init__.py | 14 +++--- testsuite/oidc/{rhsso => keycloak}/objects.py | 10 ++-- testsuite/tests/conftest.py | 18 +++---- .../opa/test_authorization_services.py | 39 +++++++-------- .../tests/kuadrant/authorino/conftest.py | 6 +-- .../kuadrant/authorino/dinosaur/conftest.py | 48 +++++++++---------- .../authorino/dinosaur/test_dinosaur.py | 16 +++---- .../anonymous/test_anonymous_identity.py | 8 ++-- .../identity/auth/test_auth_identity.py | 16 +++---- .../auth/test_multiple_auth_identities.py | 18 +++---- .../test_extended_properties.py | 6 +-- .../test_token_normalization.py | 16 +++---- .../identity/{rhsso => keycloak}/__init__.py | 0 .../identity/{rhsso => keycloak}/conftest.py | 22 ++++----- .../test_auth_credentials.py | 10 ++-- .../{rhsso => keycloak}/test_jwt_ttl.py | 6 +-- .../test_keycloak_context.py} | 18 +++---- .../test_keycloak_roles.py} | 8 ++-- .../kuadrant/authorino/metadata/test_uma.py | 32 ++++++------- .../authorino/metadata/test_user_info.py | 18 +++---- .../operator/clusterwide/conftest.py | 2 +- .../authorino/performance/conftest.py | 6 +-- .../template_perf_basic_query_rhsso.hf.yaml | 2 +- .../authorino/performance/test_perf_basic.py | 20 ++++---- .../kuadrant/authorino/wristband/conftest.py | 6 +-- .../authorino/wristband/test_wristband.py | 2 +- testsuite/tests/kuadrant/gateway/conftest.py | 4 +- .../kuadrant/test_rate_limit_anonymous.py | 4 +- .../tests/kuadrant/test_rate_limit_authz.py | 16 +++---- 34 files changed, 209 insertions(+), 206 deletions(-) rename testsuite/oidc/{rhsso => keycloak}/__init__.py (91%) rename testsuite/oidc/{rhsso => keycloak}/objects.py (94%) rename testsuite/tests/kuadrant/authorino/identity/{rhsso => keycloak}/__init__.py (100%) rename testsuite/tests/kuadrant/authorino/identity/{rhsso => keycloak}/conftest.py (65%) rename testsuite/tests/kuadrant/authorino/identity/{rhsso => keycloak}/test_auth_credentials.py (85%) rename testsuite/tests/kuadrant/authorino/identity/{rhsso => keycloak}/test_jwt_ttl.py (94%) rename testsuite/tests/kuadrant/authorino/identity/{rhsso/test_rhsso_context.py => keycloak/test_keycloak_context.py} (70%) rename testsuite/tests/kuadrant/authorino/identity/{rhsso/test_rhsso_roles.py => keycloak/test_keycloak_roles.py} (79%) diff --git a/README.md b/README.md index 571a3ba4..7318a9a5 100644 --- a/README.md +++ b/README.md @@ -91,9 +91,9 @@ podman run \ -v $HOME/.kube/config:/run/kubeconfig:z \ -e KUADRANT_SERVICE_PROTECTION__PROJECT=authorino \ -e KUADRANT_SERVICE_PROTECTION__PROJECT2=authorino2 \ - -e KUADRANT_RHSSO__url="https://my-sso.net" \ - -e KUADRANT_RHSSO__password="ADMIN_PASSWORD" \ - -e KUADRANT_RHSSO__username="ADMIN_USERNAME" \ + -e KUADRANT_KEYCLOAK__url="https://my-sso.net" \ + -e KUADRANT_KEYCLOAK__password="ADMIN_PASSWORD" \ + -e KUADRANT_KEYCLOAK__username="ADMIN_USERNAME" \ -e KUADRANT_AUTH0__url="AUTH0_URL" \ -e KUADRANT_AUTH0__client_id="AUTH0_CLIENT_ID" \ -e KUADRANT_AUTH0__client_secret="AUTH0_CLIENT_SECRET" \ diff --git a/config/settings.local.yaml.tpl b/config/settings.local.yaml.tpl index e5a05f70..d6d3d0f3 100644 --- a/config/settings.local.yaml.tpl +++ b/config/settings.local.yaml.tpl @@ -7,10 +7,10 @@ # kubeconfig_path: "~/.kube/config" # Optional: Kubeconfig to use, if None the default one is used # tools: # project: "tools" # Optional: OpenShift project, where external tools are located -# rhsso: -# url: "SSO_URL" -# username: "SSO_ADMIN_USERNAME" -# password: "SSO_ADMIN_PASSWORD" +# keycloak: +# url: "KEYCLOAK_URL" +# username: "KEYCLOAK_ADMIN_USERNAME" +# password: "KEYCLOAK_ADMIN_PASSWORD" # test_user: # username: "testUser" # password: "testPassword" diff --git a/config/settings.yaml b/config/settings.yaml index 549b6378..97ee154e 100644 --- a/config/settings.yaml +++ b/config/settings.yaml @@ -4,7 +4,7 @@ default: tools: project: "tools" cfssl: "cfssl" - rhsso: + keycloak: username: "admin" test_user: username: "testUser" diff --git a/testsuite/config/__init__.py b/testsuite/config/__init__.py index b956a262..fdc8fce7 100644 --- a/testsuite/config/__init__.py +++ b/testsuite/config/__init__.py @@ -52,8 +52,8 @@ def __init__(self, name, default, **kwargs) -> None: Validator("control_plane.managedzone", must_exist=True, ne=None), Validator("control_plane.clusterissuer", must_exist=True, ne=None), Validator("letsencrypt.clusterissuer", must_exist=True, ne=None), - DefaultValueValidator("rhsso.url", default=fetch_route("no-ssl-sso")), - DefaultValueValidator("rhsso.password", default=fetch_secret("credential-sso", "ADMIN_PASSWORD")), + DefaultValueValidator("keycloak.url", default=fetch_route("no-ssl-sso")), + DefaultValueValidator("keycloak.password", default=fetch_secret("credential-sso", "ADMIN_PASSWORD")), DefaultValueValidator("mockserver.url", default=fetch_route("mockserver", force_http=True)), ], validate_only=["authorino", "kuadrant", "default_exposer", "control_plane"], diff --git a/testsuite/httpx/auth.py b/testsuite/httpx/auth.py index a09875a4..e42f2265 100644 --- a/testsuite/httpx/auth.py +++ b/testsuite/httpx/auth.py @@ -5,7 +5,7 @@ from httpx import Auth, Request, URL, Response -from testsuite.oidc.rhsso import User +from testsuite.oidc.keycloak import User from testsuite.oidc import Token TokenType = Union[Token, Callable[[], Token]] @@ -22,7 +22,7 @@ def __init__(self, token: TokenType, location="authorization", username: str = N @classmethod def from_user(cls, token: TokenType, user: User, location="authorization"): - """Creates Auth from RHSSO User object""" + """Creates Auth from Keycloak User object""" return cls(token, location, user.username, user.password) @cached_property diff --git a/testsuite/oidc/rhsso/__init__.py b/testsuite/oidc/keycloak/__init__.py similarity index 91% rename from testsuite/oidc/rhsso/__init__.py rename to testsuite/oidc/keycloak/__init__.py index c776d9b2..e10beadf 100644 --- a/testsuite/oidc/rhsso/__init__.py +++ b/testsuite/oidc/keycloak/__init__.py @@ -1,4 +1,4 @@ -"""Objects for RHSSO""" +"""Keycloak OIDCProvider""" from functools import cached_property from urllib.parse import urlparse @@ -11,9 +11,9 @@ # pylint: disable=too-many-instance-attributes -class RHSSO(OIDCProvider, LifecycleObject): +class Keycloak(OIDCProvider, LifecycleObject): """ - OIDCProvider implementation for RHSSO. It creates Realm, client and user. + OIDCProvider implementation using Keycloak. It creates Realm, Client and single User. """ def __init__( @@ -37,7 +37,7 @@ def __init__( self.client = None try: - self.master = KeycloakAdmin( + self.master_realm = KeycloakAdmin( server_url=server_url, username=username, password=password, @@ -49,7 +49,7 @@ def __init__( # Older Keycloaks versions (and RHSSO) needs requires url to be pointed at auth/ endpoint # pylint: disable=protected-access self.server_url = urlparse(server_url)._replace(path="auth/").geturl() - self.master = KeycloakAdmin( + self.master_realm = KeycloakAdmin( server_url=self.server_url, username=username, password=password, @@ -59,8 +59,8 @@ def __init__( def create_realm(self, name: str, **kwargs) -> Realm: """Creates new realm""" - self.master.create_realm(payload={"realm": name, "enabled": True, "sslRequired": "None", **kwargs}) - return Realm(self.master, name) + self.master_realm.create_realm(payload={"realm": name, "enabled": True, "sslRequired": "None", **kwargs}) + return Realm(self.master_realm, name) def commit(self): self.realm: Realm = self.create_realm(self.realm_name, accessTokenLifespan=24 * 60 * 60) diff --git a/testsuite/oidc/rhsso/objects.py b/testsuite/oidc/keycloak/objects.py similarity index 94% rename from testsuite/oidc/rhsso/objects.py rename to testsuite/oidc/keycloak/objects.py index 0e38d9a5..f25505b7 100644 --- a/testsuite/oidc/rhsso/objects.py +++ b/testsuite/oidc/keycloak/objects.py @@ -1,4 +1,4 @@ -"""Object wrappers of RHSSO resources""" +"""Object wrappers for Keycloak resources""" from functools import cached_property from typing import List @@ -7,7 +7,7 @@ class Realm: - """Helper class for RHSSO realm manipulation""" + """Helper class for Keycloak realm manipulation""" def __init__(self, master: KeycloakAdmin, name) -> None: self.admin = KeycloakAdmin( @@ -63,7 +63,7 @@ def oidc_client(self, client_id, client_secret): class Client: - """Helper class for RHSSO client manipulation""" + """Helper class for Keycloak client manipulation""" def __init__(self, realm: Realm, client_id) -> None: self.admin = realm.admin @@ -79,7 +79,7 @@ def assign_role(self, role_name): @cached_property def auth_id(self): - """Note This is different clientId (clientId) than self.client_id (Id), because RHSSO""" + """Note This is different clientId (clientId) than self.client_id (Id), because Keycloak""" return self.admin.get_client(self.client_id)["clientId"] @property @@ -105,7 +105,7 @@ def create_uma_resource(self, name, uris: List[str], owner=None): class User: - """Wrapper object for User object in RHSSO""" + """Wrapper object for User object in Keycloak""" def __init__(self, realm: Realm, user_id, username, password) -> None: super().__init__() diff --git a/testsuite/tests/conftest.py b/testsuite/tests/conftest.py index 71ac0032..0c98d19d 100644 --- a/testsuite/tests/conftest.py +++ b/testsuite/tests/conftest.py @@ -21,7 +21,7 @@ from testsuite.mockserver import Mockserver from testsuite.oidc import OIDCProvider from testsuite.oidc.auth0 import Auth0Provider -from testsuite.oidc.rhsso import RHSSO +from testsuite.oidc.keycloak import Keycloak from testsuite.openshift.kuadrant import KuadrantCR from testsuite.tracing import TracingClient from testsuite.utils import randomize, _whoami @@ -150,17 +150,17 @@ def openshift2(testconfig, skip_or_fail): @pytest.fixture(scope="session") -def rhsso(request, testconfig, blame, skip_or_fail): - """RHSSO OIDC Provider fixture""" +def keycloak(request, testconfig, blame, skip_or_fail): + """Keycloak OIDC Provider fixture""" try: - testconfig.validators.validate(only="rhsso") - cnf = testconfig["rhsso"] - info = RHSSO( + testconfig.validators.validate(only="keycloak") + cnf = testconfig["keycloak"] + info = Keycloak( cnf["url"], cnf["username"], cnf["password"], blame("realm"), - blame("client"), + "base-client", cnf["test_user"]["username"], cnf["test_user"]["password"], ) @@ -217,9 +217,9 @@ def tracing(testconfig, skip_or_fail): @pytest.fixture(scope="session") -def oidc_provider(rhsso) -> OIDCProvider: +def oidc_provider(keycloak) -> OIDCProvider: """Fixture which enables switching out OIDC providers for individual modules""" - return rhsso + return keycloak @pytest.fixture(scope="session") diff --git a/testsuite/tests/kuadrant/authorino/authorization/opa/test_authorization_services.py b/testsuite/tests/kuadrant/authorino/authorization/opa/test_authorization_services.py index 9b85e1ce..92b77551 100644 --- a/testsuite/tests/kuadrant/authorino/authorization/opa/test_authorization_services.py +++ b/testsuite/tests/kuadrant/authorino/authorization/opa/test_authorization_services.py @@ -19,8 +19,9 @@ pytestmark = [pytest.mark.authorino] +# pylint: disable=line-too-long @pytest.fixture(scope="module") -def rego_policy(rhsso): +def rego_policy(keycloak): """ Complex OPA REGO policy that implements the UMA authorization flow. See https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_uma_authorization_process @@ -29,12 +30,12 @@ def rego_policy(rhsso): under the used scope (HTTP GET) this REGO policy authorizes the request. """ return f"""\ -pat := http.send({{"url":"{rhsso.server_url}realms/{rhsso.realm.name}/protocol/openid-connect/token",\ +pat := http.send({{"url":"{keycloak.server_url}realms/{keycloak.realm.name}/protocol/openid-connect/token",\ "method": "post","headers":{{"Content-Type":"application/x-www-form-urlencoded"}},\ -"raw_body":"grant_type=client_credentials&client_id={rhsso.client_name}&client_secret={rhsso.client.secret}"}})\ +"raw_body":"grant_type=client_credentials&client_id={keycloak.client_name}&client_secret={keycloak.client.secret}"}})\ .body.access_token -resource_id := http.send({{"url":concat("",["{rhsso.server_url}realms/{rhsso.realm.name}/authz/protection/\ +resource_id := http.send({{"url":concat("",["{keycloak.server_url}realms/{keycloak.realm.name}/authz/protection/\ resource_set?uri=",input.context.request.http.path]),"method":"get", "headers":\ {{"Authorization":concat(" ",["Bearer ",pat])}}}}).body[0] @@ -44,12 +45,12 @@ def rego_policy(rhsso): rpt = access_token {{ object.get(input.auth.identity, "authorization", {{}}).permissions }} else = rpt_str {{ - ticket := http.send({{"url":"{rhsso.server_url}realms/{rhsso.realm.name}/authz/protection/permission",\ + ticket := http.send({{"url":"{keycloak.server_url}realms/{keycloak.realm.name}/authz/protection/permission",\ "method":"post","headers":{{"Authorization":concat(" ",["Bearer ",pat]),"Content-Type":"application/json"}},\ "raw_body":concat("",["[{{\\"resource_id\\":\\"",resource_id,"\\",\\"resource_scopes\\":[\\"",scope,"\\"]}}]"\ ])}}).body.ticket - rpt_str := object.get(http.send({{"url":"{rhsso.server_url}realms/{rhsso.realm.name}/protocol/openid-connect/token",\ + rpt_str := object.get(http.send({{"url":"{keycloak.server_url}realms/{keycloak.realm.name}/protocol/openid-connect/token",\ "method":"post","headers":{{"Authorization":concat(" ",\ ["Bearer ",access_token]),"Content-Type":"application/x-www-form-urlencoded"}},"raw_body":concat("",\ ["grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&ticket=",ticket,"&submit_request=true"])}})\ @@ -84,34 +85,34 @@ def authorization(authorization, rego_policy): @pytest.fixture(scope="module") -def resource_owner_auth(rhsso): +def resource_owner_auth(keycloak): """ Auth for user who owns the protected resource, a.k.a. "owner" user. The "uma_protection" client role is assigned to the user so that they are allowed to create protected resources. """ - owner = rhsso.realm.create_user("owner", "owner") - role = rhsso.realm.admin.get_client_role(client_id=rhsso.client.client_id, role_name="uma_protection") - rhsso.realm.admin.assign_client_role(user_id=owner.user_id, client_id=rhsso.client.client_id, roles=[role]) - return HttpxOidcClientAuth.from_user(rhsso.get_token(owner.username, owner.password), owner) + owner = keycloak.realm.create_user("owner", "owner") + role = keycloak.realm.admin.get_client_role(client_id=keycloak.client.client_id, role_name="uma_protection") + keycloak.realm.admin.assign_client_role(user_id=owner.user_id, client_id=keycloak.client.client_id, roles=[role]) + return HttpxOidcClientAuth.from_user(keycloak.get_token(owner.username, owner.password), owner) @pytest.fixture(scope="module") -def requester_auth(rhsso): +def requester_auth(keycloak): """Auth for user who requests the access to the protected resource, a.k.a. "requester" user""" - requester = rhsso.realm.create_user("requester", "requester") - return HttpxOidcClientAuth.from_user(rhsso.get_token(requester.username, requester.password), requester) + requester = keycloak.realm.create_user("requester", "requester") + return HttpxOidcClientAuth.from_user(keycloak.get_token(requester.username, requester.password), requester) @pytest.fixture(scope="module") -def owner_uma(rhsso, resource_owner_auth): +def owner_uma(keycloak, resource_owner_auth): """UMA client used to create a protected resource and assign permissions for "requester" to access it.""" keycloak_connection = KeycloakOpenIDConnection( - server_url=rhsso.server_url, - client_id=rhsso.client_name, - client_secret_key=rhsso.client.secret, + server_url=keycloak.server_url, + client_id=keycloak.client_name, + client_secret_key=keycloak.client.secret, username=resource_owner_auth.username, password=resource_owner_auth.password, - realm_name=rhsso.realm_name, + realm_name=keycloak.realm_name, ) return KeycloakUMA(keycloak_connection) diff --git a/testsuite/tests/kuadrant/authorino/conftest.py b/testsuite/tests/kuadrant/authorino/conftest.py index 56f4941c..c738ecd0 100644 --- a/testsuite/tests/kuadrant/authorino/conftest.py +++ b/testsuite/tests/kuadrant/authorino/conftest.py @@ -39,16 +39,16 @@ def authorino(authorino, openshift, blame, request, testconfig, label) -> Author # pylint: disable=unused-argument @pytest.fixture(scope="module") def authorization(authorization, oidc_provider, route, authorization_name, openshift, label) -> AuthConfig: - """In case of Authorino, AuthC onfig used for authorization""" + """In case of Authorino, AuthConfig used for authorization""" if authorization is None: authorization = AuthConfig.create_instance(openshift, authorization_name, route, labels={"testRun": label}) - authorization.identity.add_oidc("rhsso", oidc_provider.well_known["issuer"]) + authorization.identity.add_oidc("default", oidc_provider.well_known["issuer"]) return authorization @pytest.fixture(scope="module") def auth(oidc_provider): - """Returns RHSSO authentication object for HTTPX""" + """Returns authentication object for HTTPX""" return HttpxOidcClientAuth(oidc_provider.get_token, "authorization") diff --git a/testsuite/tests/kuadrant/authorino/dinosaur/conftest.py b/testsuite/tests/kuadrant/authorino/dinosaur/conftest.py index 583a34b9..2304a058 100644 --- a/testsuite/tests/kuadrant/authorino/dinosaur/conftest.py +++ b/testsuite/tests/kuadrant/authorino/dinosaur/conftest.py @@ -5,23 +5,23 @@ import pytest from testsuite.httpx.auth import HttpxOidcClientAuth -from testsuite.oidc.rhsso import RHSSO +from testsuite.oidc.keycloak import Keycloak from testsuite.utils import ContentType from testsuite.policy.authorization import Pattern, PatternRef, Value, ValueFrom, DenyResponse @pytest.fixture(scope="session") -def admin_rhsso(blame, rhsso): - """RHSSO OIDC Provider fixture""" +def admin_rhsso(blame, keycloak): + """Keycloak Admin realm""" - info = RHSSO( - rhsso.server_url, - rhsso.username, - rhsso.password, + info = Keycloak( + keycloak.server_url, + keycloak.username, + keycloak.password, blame("admin"), blame("client"), - rhsso.test_username, - rhsso.test_password, + keycloak.test_username, + keycloak.test_password, ) info.commit() @@ -30,7 +30,7 @@ def admin_rhsso(blame, rhsso): @pytest.fixture() def admin_auth(admin_rhsso): - """Returns RHSSO authentication object for HTTPX""" + """Returns Keycloak authentication object for HTTPX""" return HttpxOidcClientAuth(admin_rhsso.get_token, "authorization") @@ -78,7 +78,7 @@ def _resource_info(org_id, owner): @pytest.fixture(scope="module") -def authorization(authorization, rhsso, terms_and_conditions, cluster_info, admin_rhsso, resource_info): +def authorization(authorization, keycloak, terms_and_conditions, cluster_info, admin_rhsso, resource_info): """Creates complex Authorization Config.""" path_fourth_element = 'context.request.http.path.@extract:{"sep":"/","pos":4}' path_third_element = 'context.request.http.path.@extract:{"sep":"/","pos":3}' @@ -104,7 +104,7 @@ def authorization(authorization, rhsso, terms_and_conditions, cluster_info, admi Pattern(path_fourth_element, "neq", "agent-clusters"), Pattern(path_fourth_element, "neq", "admin"), ], - "user-sso": [Pattern("auth.identity.iss", "eq", rhsso.well_known["issuer"])], + "user-sso": [Pattern("auth.identity.iss", "eq", keycloak.well_known["issuer"])], "admin-sso": [Pattern("auth.identity.iss", "eq", admin_rhsso.well_known["issuer"])], "require-org-id": [Pattern("auth.identity.org_id", "neq", "")], } @@ -114,7 +114,7 @@ def authorization(authorization, rhsso, terms_and_conditions, cluster_info, admi authorization.identity.clear_all() authorization.identity.add_oidc( "user-sso", - rhsso.well_known["issuer"], + keycloak.well_known["issuer"], ttl=3600, defaults_properties={"org_id": ValueFrom("auth.identity.middle_name")}, ) @@ -126,10 +126,10 @@ def authorization(authorization, rhsso, terms_and_conditions, cluster_info, admi "terms-and-conditions", terms_and_conditions("false"), "GET", when=[PatternRef("create-dinosaur-route")] ) authorization.metadata.add_http( - "cluster-info", cluster_info(rhsso.client_name), "GET", when=[PatternRef("agent-clusters-route")] + "cluster-info", cluster_info(keycloak.client_name), "GET", when=[PatternRef("agent-clusters-route")] ) authorization.metadata.add_http( - "resource-info", resource_info("123", rhsso.client_name), "GET", when=[PatternRef("dinosaur-resource-route")] + "resource-info", resource_info("123", keycloak.client_name), "GET", when=[PatternRef("dinosaur-resource-route")] ) authorization.authorization.add_auth_rules("bearer-token", [Pattern("auth.identity.typ", "eq", "Bearer")]) @@ -229,33 +229,33 @@ def authorization(authorization, rhsso, terms_and_conditions, cluster_info, admi @pytest.fixture(scope="module") -def user_with_valid_org_id(rhsso, blame): +def user_with_valid_org_id(keycloak, blame): """ Creates new user with valid middle name. Middle name is mapped to org ID in auth config. """ - user = rhsso.realm.create_user(blame("someuser"), blame("password")) + user = keycloak.realm.create_user(blame("someuser"), blame("password")) user.assign_attribute({"middleName": "123"}) - return HttpxOidcClientAuth.from_user(rhsso.get_token, user=user) + return HttpxOidcClientAuth.from_user(keycloak.get_token, user=user) @pytest.fixture(scope="module", params=["321", None]) -def user_with_invalid_org_id(rhsso, blame, request): +def user_with_invalid_org_id(keycloak, blame, request): """ Creates new user with valid middle name. Middle name is mapped to org ID in auth config. """ - user = rhsso.realm.create_user(blame("someuser"), blame("password")) + user = keycloak.realm.create_user(blame("someuser"), blame("password")) user.assign_attribute({"middleName": request.param}) - return HttpxOidcClientAuth.from_user(rhsso.get_token, user=user) + return HttpxOidcClientAuth.from_user(keycloak.get_token, user=user) @pytest.fixture(scope="module") -def user_with_invalid_email(rhsso, blame): +def user_with_invalid_email(keycloak, blame): """Creates new user with invalid email""" - user = rhsso.realm.create_user(blame("someuser"), blame("password"), email="denied-test-user1@example.com") + user = keycloak.realm.create_user(blame("someuser"), blame("password"), email="denied-test-user1@example.com") user.assign_attribute({"middleName": "123"}) - return HttpxOidcClientAuth.from_user(rhsso.get_token, user=user) + return HttpxOidcClientAuth.from_user(keycloak.get_token, user=user) @pytest.fixture(scope="module") diff --git a/testsuite/tests/kuadrant/authorino/dinosaur/test_dinosaur.py b/testsuite/tests/kuadrant/authorino/dinosaur/test_dinosaur.py index 1bc710bf..b3a596e6 100644 --- a/testsuite/tests/kuadrant/authorino/dinosaur/test_dinosaur.py +++ b/testsuite/tests/kuadrant/authorino/dinosaur/test_dinosaur.py @@ -208,7 +208,7 @@ def test_instance_types(client, user_with_valid_org_id, user_with_invalid_org_id assert response.json() == ERROR_MESSAGE -def test_agent_clusters(client, user_with_valid_org_id, rhsso, cluster_info): +def test_agent_clusters(client, user_with_valid_org_id, keycloak, cluster_info): """ Test: - send request to agent clusters endpoint with valid cluster info @@ -216,7 +216,7 @@ def test_agent_clusters(client, user_with_valid_org_id, rhsso, cluster_info): - send request to agent clusters endpoint with invalid cluster info - assert that response status code is 403 """ - cluster_info(rhsso.client_name) + cluster_info(keycloak.client_name) response = client.get("/anything/dinosaurs_mgmt/v1/agent-clusters", auth=user_with_valid_org_id) assert response.status_code == 200 @@ -226,14 +226,14 @@ def test_agent_clusters(client, user_with_valid_org_id, rhsso, cluster_info): assert response.json() == ERROR_MESSAGE -def test_resource_is_owner(client, user_with_valid_org_id, resource_info, rhsso): +def test_resource_is_owner(client, user_with_valid_org_id, resource_info, keycloak): """ Test: - set resource info to valid middle name - send requests (GET, DELETE and POST) to dinosaur resource using user with valid midlle name - assert that response status code is 200 """ - resource_info("123", rhsso.client_name) + resource_info("123", keycloak.client_name) response = client.get("/anything/dinosaurs_mgmt/v1/dinosaurs/123", auth=user_with_valid_org_id) assert response.status_code == 200 @@ -245,14 +245,14 @@ def test_resource_is_owner(client, user_with_valid_org_id, resource_info, rhsso) assert response.status_code == 200 -def test_resource_is_not_owner_client_denied(client, user_with_invalid_email, resource_info, rhsso): +def test_resource_is_not_owner_client_denied(client, user_with_invalid_email, resource_info, keycloak): """ Test: - set resource info to valid middle name - send requests (GET, DELETE and POST) to dinosaur resource using user with invalid midlle name - assert that response status code is 403 """ - resource_info("123", rhsso.client_name) + resource_info("123", keycloak.client_name) response = client.get("/anything/dinosaurs_mgmt/v1/dinosaurs/123", auth=user_with_invalid_email) assert response.status_code == 403 @@ -267,14 +267,14 @@ def test_resource_is_not_owner_client_denied(client, user_with_invalid_email, re assert response.json() == ERROR_MESSAGE -def test_resource_is_not_owner_resource_denied(client, user_with_valid_org_id, resource_info, rhsso): +def test_resource_is_not_owner_resource_denied(client, user_with_valid_org_id, resource_info, keycloak): """ Test: - set resource info to invalid middle name - send requests (GET, DELETE and POST) to dinosaur resource using user with valid midlle name - assert that response status code is 403 """ - resource_info("321", rhsso.client_name) + resource_info("321", keycloak.client_name) response = client.get("/anything/dinosaurs_mgmt/v1/dinosaurs/123", auth=user_with_valid_org_id) assert response.status_code == 403 diff --git a/testsuite/tests/kuadrant/authorino/identity/anonymous/test_anonymous_identity.py b/testsuite/tests/kuadrant/authorino/identity/anonymous/test_anonymous_identity.py index 84ccfa58..872a38dd 100644 --- a/testsuite/tests/kuadrant/authorino/identity/anonymous/test_anonymous_identity.py +++ b/testsuite/tests/kuadrant/authorino/identity/anonymous/test_anonymous_identity.py @@ -6,16 +6,16 @@ @pytest.fixture(scope="module") -def authorization(authorization, rhsso): - """Add RHSSO identity""" - authorization.identity.add_oidc("rhsso", rhsso.well_known["issuer"]) +def authorization(authorization, keycloak): + """Add Keycloak identity""" + authorization.identity.add_oidc("keycloak", keycloak.well_known["issuer"]) return authorization def test_anonymous_identity(client, auth, authorization): """ Setup: - - Create AuthConfig with RHSSO identity + - Create AuthConfig with Keycloak identity Test: - Send request with authentication - Assert that response status code is 200 diff --git a/testsuite/tests/kuadrant/authorino/identity/auth/test_auth_identity.py b/testsuite/tests/kuadrant/authorino/identity/auth/test_auth_identity.py index 7778eaac..5b89e7da 100644 --- a/testsuite/tests/kuadrant/authorino/identity/auth/test_auth_identity.py +++ b/testsuite/tests/kuadrant/authorino/identity/auth/test_auth_identity.py @@ -1,32 +1,32 @@ -"""Tests basic authentication with RHSSO/Auth0 as identity provider""" +"""Tests basic authentication with Keycloak/Auth0 as identity provider""" import pytest from testsuite.httpx.auth import HttpxOidcClientAuth from testsuite.oidc import OIDCProvider -from testsuite.oidc.rhsso import RHSSO +from testsuite.oidc.keycloak import Keycloak pytestmark = [pytest.mark.authorino] @pytest.fixture(scope="module") def authorization(authorization, oidc_provider): - """Add RHSSO identity to AuthConfig""" - authorization.identity.add_oidc("rhsso", oidc_provider.well_known["issuer"]) + """Add Keycloak identity to AuthConfig""" + authorization.identity.add_oidc("default", oidc_provider.well_known["issuer"]) return authorization -@pytest.fixture(scope="module", params=("rhsso", "auth0")) +@pytest.fixture(scope="module", params=("keycloak", "auth0")) def oidc_provider(request) -> OIDCProvider: """Fixture which enables switching out OIDC providers for individual modules""" return request.getfixturevalue(request.param) @pytest.fixture(scope="module") -def wrong_auth(oidc_provider, auth0, rhsso): +def wrong_auth(oidc_provider, auth0, keycloak): """Different (but valid) auth than was configured""" - token = rhsso.get_token - if isinstance(oidc_provider, RHSSO): + token = keycloak.get_token + if isinstance(oidc_provider, Keycloak): token = auth0.get_token return HttpxOidcClientAuth(token) diff --git a/testsuite/tests/kuadrant/authorino/identity/auth/test_multiple_auth_identities.py b/testsuite/tests/kuadrant/authorino/identity/auth/test_multiple_auth_identities.py index afe11d71..cab22184 100644 --- a/testsuite/tests/kuadrant/authorino/identity/auth/test_multiple_auth_identities.py +++ b/testsuite/tests/kuadrant/authorino/identity/auth/test_multiple_auth_identities.py @@ -1,5 +1,5 @@ """ -Tests for multiple auth identities (RHSSO + Auth0) +Tests for multiple auth identities (Keycloak + Auth0) """ import pytest @@ -16,22 +16,22 @@ def auth0_auth(auth0): @pytest.fixture(scope="module") -def rhsso_auth(rhsso): - """Returns RHSSO authentication object for HTTPX""" - return HttpxOidcClientAuth(rhsso.get_token) +def keycloak_auth(keycloak): + """Returns Keycloak authentication object for HTTPX""" + return HttpxOidcClientAuth(keycloak.get_token) @pytest.fixture(scope="module") -def authorization(authorization, auth0, rhsso): - """Add both RHSSO and Auth0 identities""" - authorization.identity.add_oidc("rhsso", rhsso.well_known["issuer"]) +def authorization(authorization, auth0, keycloak): + """Add both Keycloak and Auth0 identities""" + authorization.identity.add_oidc("Keycloak", keycloak.well_known["issuer"]) authorization.identity.add_oidc("auth0", auth0.well_known["issuer"]) return authorization -def test_correct_auth(client, rhsso_auth, auth0_auth): +def test_correct_auth(client, keycloak_auth, auth0_auth): """Tests correct auth""" - response = client.get("/get", auth=rhsso_auth) + response = client.get("/get", auth=keycloak_auth) assert response.status_code == 200 response = client.get("/get", auth=auth0_auth) diff --git a/testsuite/tests/kuadrant/authorino/identity/extended_properties/test_extended_properties.py b/testsuite/tests/kuadrant/authorino/identity/extended_properties/test_extended_properties.py index b8a9e82b..ca768c97 100644 --- a/testsuite/tests/kuadrant/authorino/identity/extended_properties/test_extended_properties.py +++ b/testsuite/tests/kuadrant/authorino/identity/extended_properties/test_extended_properties.py @@ -9,7 +9,7 @@ @pytest.fixture(scope="module") -def authorization(authorization, rhsso): +def authorization(authorization, keycloak): """ Add new identity with list of extended properties. This list contains: - Static `value` and dynamic `jsonPath` properties @@ -17,8 +17,8 @@ def authorization(authorization, rhsso): Add simple response to inspect 'auth.identity' part of authJson where the properties will be created. """ authorization.identity.add_oidc( - "rhsso", - rhsso.well_known["issuer"], + "keycloak", + keycloak.well_known["issuer"], defaults_properties={ "property_static": Value("static"), "property_dynamic": ValueFrom("context.request.http.path"), diff --git a/testsuite/tests/kuadrant/authorino/identity/extended_properties/test_token_normalization.py b/testsuite/tests/kuadrant/authorino/identity/extended_properties/test_token_normalization.py index fe9ecc4d..1c4dba3d 100644 --- a/testsuite/tests/kuadrant/authorino/identity/extended_properties/test_token_normalization.py +++ b/testsuite/tests/kuadrant/authorino/identity/extended_properties/test_token_normalization.py @@ -20,26 +20,26 @@ def auth_api_key(api_key): @pytest.fixture(scope="module") -def auth_oidc_admin(rhsso, blame): +def auth_oidc_admin(keycloak, blame): """Creates new user with new 'admin' role and return auth for it.""" - realm_role = rhsso.realm.create_realm_role("admin") - user = rhsso.realm.create_user(blame("someuser"), blame("password")) + realm_role = keycloak.realm.create_realm_role("admin") + user = keycloak.realm.create_user(blame("someuser"), blame("password")) user.assign_realm_role(realm_role) - return HttpxOidcClientAuth.from_user(rhsso.get_token, user, "authorization") + return HttpxOidcClientAuth.from_user(keycloak.get_token, user, "authorization") @pytest.fixture(scope="module") -def authorization(authorization, rhsso, api_key): +def authorization(authorization, keycloak, api_key): """ - Add rhsso identity provider with extended property "roles" which is dynamically mapped to + Add Keycloak identity provider with extended property "roles" which is dynamically mapped to list of granted realm roles 'auth.identity.realm_access.roles' Add api_key identity with extended property "roles" which is static list of one role 'admin'. Add authorization rule allowing DELETE method only to users with role 'admin' in 'auth.identity.roles' """ authorization.identity.add_oidc( - "rhsso", - rhsso.well_known["issuer"], + "keycloak", + keycloak.well_known["issuer"], overrides_properties={"roles": ValueFrom("auth.identity.realm_access.roles")}, ) authorization.identity.add_api_key( diff --git a/testsuite/tests/kuadrant/authorino/identity/rhsso/__init__.py b/testsuite/tests/kuadrant/authorino/identity/keycloak/__init__.py similarity index 100% rename from testsuite/tests/kuadrant/authorino/identity/rhsso/__init__.py rename to testsuite/tests/kuadrant/authorino/identity/keycloak/__init__.py diff --git a/testsuite/tests/kuadrant/authorino/identity/rhsso/conftest.py b/testsuite/tests/kuadrant/authorino/identity/keycloak/conftest.py similarity index 65% rename from testsuite/tests/kuadrant/authorino/identity/rhsso/conftest.py rename to testsuite/tests/kuadrant/authorino/identity/keycloak/conftest.py index 9dbe893b..6ec49ee0 100644 --- a/testsuite/tests/kuadrant/authorino/identity/rhsso/conftest.py +++ b/testsuite/tests/kuadrant/authorino/identity/keycloak/conftest.py @@ -1,4 +1,4 @@ -"""Conftest for authorino rhsso tests""" +"""Conftest for Authorino Keycloak tests""" import pytest @@ -6,26 +6,26 @@ @pytest.fixture(scope="session") -def oidc_provider(rhsso): +def oidc_provider(keycloak): """Fixture which enables switching out OIDC providers for individual modules""" - return rhsso + return keycloak @pytest.fixture(scope="module") -def authorization(authorization, rhsso, jwt_ttl): - """Add RHSSO identity to AuthConfig""" +def authorization(authorization, keycloak, jwt_ttl): + """Add Keycloak identity to AuthConfig""" authorization.identity.add_oidc( - "rhsso", - rhsso.well_known["issuer"], + "keycloak", + keycloak.well_known["issuer"], ttl=jwt_ttl, ) return authorization @pytest.fixture(scope="module") -def realm_role(rhsso, blame): +def realm_role(keycloak, blame): """Creates new realm role""" - return rhsso.realm.create_realm_role(blame("role")) + return keycloak.realm.create_realm_role(blame("role")) @pytest.fixture(scope="module") @@ -38,11 +38,11 @@ def jwt_ttl(): @pytest.fixture(scope="module") -def create_jwt_auth(rhsso, auth): +def create_jwt_auth(keycloak, auth): """Creates a new Auth using a new JWT (JSON Web Token)""" def _create_jwt_auth(): - new_token = rhsso.get_token(auth.username, auth.password) + new_token = keycloak.get_token(auth.username, auth.password) return HttpxOidcClientAuth(new_token) return _create_jwt_auth diff --git a/testsuite/tests/kuadrant/authorino/identity/rhsso/test_auth_credentials.py b/testsuite/tests/kuadrant/authorino/identity/keycloak/test_auth_credentials.py similarity index 85% rename from testsuite/tests/kuadrant/authorino/identity/rhsso/test_auth_credentials.py rename to testsuite/tests/kuadrant/authorino/identity/keycloak/test_auth_credentials.py index f8cb2821..fdb3e58c 100644 --- a/testsuite/tests/kuadrant/authorino/identity/rhsso/test_auth_credentials.py +++ b/testsuite/tests/kuadrant/authorino/identity/keycloak/test_auth_credentials.py @@ -1,4 +1,4 @@ -"""Test for RHSSO auth credentials""" +"""Test for Keycloak auth credentials""" import pytest @@ -14,9 +14,11 @@ def credentials(request): @pytest.fixture(scope="module") -def authorization(authorization, rhsso, credentials): - """Add RHSSO identity to Authorization""" - authorization.identity.add_oidc("rhsso", rhsso.well_known["issuer"], credentials=Credentials(credentials, "Token")) +def authorization(authorization, keycloak, credentials): + """Add Keycloak identity to Authorization""" + authorization.identity.add_oidc( + "keycloak", keycloak.well_known["issuer"], credentials=Credentials(credentials, "Token") + ) return authorization diff --git a/testsuite/tests/kuadrant/authorino/identity/rhsso/test_jwt_ttl.py b/testsuite/tests/kuadrant/authorino/identity/keycloak/test_jwt_ttl.py similarity index 94% rename from testsuite/tests/kuadrant/authorino/identity/rhsso/test_jwt_ttl.py rename to testsuite/tests/kuadrant/authorino/identity/keycloak/test_jwt_ttl.py index 99c5413e..f94941b9 100644 --- a/testsuite/tests/kuadrant/authorino/identity/rhsso/test_jwt_ttl.py +++ b/testsuite/tests/kuadrant/authorino/identity/keycloak/test_jwt_ttl.py @@ -10,7 +10,7 @@ pytestmark = [pytest.mark.authorino] -def test_jwt_ttl(client, auth, rhsso, create_jwt_auth, jwt_ttl): +def test_jwt_ttl(client, auth, keycloak, create_jwt_auth, jwt_ttl): """ Note that similar test exists also in test_dinosaur.py. If modifying this test update the test there too. @@ -31,7 +31,7 @@ def test_jwt_ttl(client, auth, rhsso, create_jwt_auth, jwt_ttl): assert response.status_code == 200 # delete the current signing RS256 JWKS key - rhsso.delete_signing_rs256_jwks_key() + keycloak.delete_signing_rs256_jwks_key() # 200 OK expected since Authorino should have the deleted JWKS key still cached. # Potentially unstable if Authorino triggers OIDC discovery in between the JWKS key deletion just above @@ -48,7 +48,7 @@ def test_jwt_ttl(client, auth, rhsso, create_jwt_auth, jwt_ttl): assert response.status_code == 401 # Create a new signing RS256 JWKS key and add it into JWKS - rhsso.create_signing_rs256_jwks_key() + keycloak.create_signing_rs256_jwks_key() # Generate a new JWT and create an Auth object. This needs to be done only after a new signing JWKS key is added # into JWKS hence the Auth object cannot be created via fixture mechanism before the test as usual. diff --git a/testsuite/tests/kuadrant/authorino/identity/rhsso/test_rhsso_context.py b/testsuite/tests/kuadrant/authorino/identity/keycloak/test_keycloak_context.py similarity index 70% rename from testsuite/tests/kuadrant/authorino/identity/rhsso/test_rhsso_context.py rename to testsuite/tests/kuadrant/authorino/identity/keycloak/test_keycloak_context.py index 6c40086f..8533fb28 100644 --- a/testsuite/tests/kuadrant/authorino/identity/rhsso/test_rhsso_context.py +++ b/testsuite/tests/kuadrant/authorino/identity/keycloak/test_keycloak_context.py @@ -1,4 +1,4 @@ -"""Test for RHSSO identity context""" +"""Test for Keycloak identity context""" import json import time @@ -26,16 +26,16 @@ def authorization(authorization): @pytest.fixture(scope="module") -def realm_role(rhsso, realm_role): - """Add realm role to rhsso user""" - rhsso.user.assign_realm_role(realm_role) +def realm_role(keycloak, realm_role): + """Add realm role to Keycloak user""" + keycloak.user.assign_realm_role(realm_role) return realm_role -def tests_rhsso_context(client, auth, rhsso, realm_role): +def test_keycloak_context(client, auth, keycloak, realm_role): """ Test: - - Make request with RHSSO authentication + - Make request with Keycloak authentication - Assert that response has the right information in context """ response = client.get("get", auth=auth) @@ -43,10 +43,10 @@ def tests_rhsso_context(client, auth, rhsso, realm_role): auth_json = json.loads(response.json()["headers"]["Auth-Json"]) identity = auth_json["auth"] now = time.time() - assert rhsso.well_known["issuer"] == identity["iss"] - assert identity["azp"] == rhsso.client_name + assert keycloak.well_known["issuer"] == identity["iss"] + assert identity["azp"] == keycloak.client_name assert float(identity["exp"]) > now assert float(identity["iat"]) <= now assert auth_json["context"] == f"Bearer {auth.token.access_token}" assert realm_role["name"] in identity["realm_access"]["roles"] - assert identity["email"] == rhsso.user.properties["email"] + assert identity["email"] == keycloak.user.properties["email"] diff --git a/testsuite/tests/kuadrant/authorino/identity/rhsso/test_rhsso_roles.py b/testsuite/tests/kuadrant/authorino/identity/keycloak/test_keycloak_roles.py similarity index 79% rename from testsuite/tests/kuadrant/authorino/identity/rhsso/test_rhsso_roles.py rename to testsuite/tests/kuadrant/authorino/identity/keycloak/test_keycloak_roles.py index 4b80dcb4..db558b4f 100644 --- a/testsuite/tests/kuadrant/authorino/identity/rhsso/test_rhsso_roles.py +++ b/testsuite/tests/kuadrant/authorino/identity/keycloak/test_keycloak_roles.py @@ -7,11 +7,11 @@ @pytest.fixture(scope="function") -def user_with_role(rhsso, realm_role, blame): +def user_with_role(keycloak, realm_role, blame): """Creates new user and adds him into realm_role""" username = blame("someuser") password = blame("password") - user = rhsso.realm.create_user(username, password) + user = keycloak.realm.create_user(username, password) user.assign_realm_role(realm_role) return user @@ -23,9 +23,9 @@ def authorization(authorization, realm_role, blame): return authorization -def test_user_with_role(client, user_with_role, rhsso): +def test_user_with_role(client, user_with_role, keycloak): """Test request when user does have required role using new user with assigned role""" - auth = HttpxOidcClientAuth.from_user(rhsso.get_token, user_with_role, "authorization") + auth = HttpxOidcClientAuth.from_user(keycloak.get_token, user_with_role, "authorization") response = client.get("/get", auth=auth) assert response.status_code == 200 diff --git a/testsuite/tests/kuadrant/authorino/metadata/test_uma.py b/testsuite/tests/kuadrant/authorino/metadata/test_uma.py index b17eb3d4..e3606a31 100644 --- a/testsuite/tests/kuadrant/authorino/metadata/test_uma.py +++ b/testsuite/tests/kuadrant/authorino/metadata/test_uma.py @@ -4,8 +4,8 @@ Test setup consists of: 1. Add metadata UMA feature to the AuthConfig 2. Add OPA policy that handles resource-level authorization - 3. Create 2 resources on RHSSO. One (`/anything/1`) owned by default RHSSO user - 4. Create new RHSSO user that should not have access to the `/anything/1` resource + 3. Create 2 resources in Keycloak. One (`/anything/1`) owned by default Keycloak user + 4. Create new Keycloak user that should not have access to the `/anything/1` resource """ import pytest @@ -30,40 +30,40 @@ @pytest.fixture(scope="module", autouse=True) -def client_secret(create_client_secret, rhsso): +def client_secret(create_client_secret, keycloak): """Creates a required secret, used by Authorino to start the authentication with the UMA registry.""" - return create_client_secret("uma-client-secret", rhsso.client.auth_id, rhsso.client.secret) + return create_client_secret("uma-client-secret", keycloak.client.auth_id, keycloak.client.secret) @pytest.fixture(scope="module") -def auth2(rhsso): - """Creates new RHSSO User and returns his authentication object for HTTPX""" - user = rhsso.realm.create_user("newTestUser", "p") - return HttpxOidcClientAuth.from_user(rhsso.get_token, user=user) +def auth2(keycloak): + """Creates new Keycloak User and returns his authentication object for HTTPX""" + user = keycloak.realm.create_user("newTestUser", "p") + return HttpxOidcClientAuth.from_user(keycloak.get_token, user=user) @pytest.fixture(scope="module") -def authorization(client_secret, authorization, rhsso, client): +def authorization(client_secret, authorization, keycloak, client): # pylint: disable=unused-argument """ Adds UMA resource-level authorization metadata feature and OPA policy that authorize user access to the resource. - Creates two client resources on RHSSO client: + Creates two client resources on Keycloak client: 1. `/anything` - accessed by anyone, not enforcing UMA - 2. `/anything/1` - accessed only by default RHSSO user (username = `rhsso.test_username`). + 2. `/anything/1` - accessed only by default Keycloak user (username = `keycloak.test_username`). """ - rhsso.client.create_uma_resource("get1", ["/anything"]) - rhsso.client.create_uma_resource("get2", ["/anything/1"], rhsso.test_username) - # Sometimes RHSSO does not instantly propagate new resources. + keycloak.client.create_uma_resource("get1", ["/anything"]) + keycloak.client.create_uma_resource("get2", ["/anything/1"], keycloak.test_username) + # Sometimes Keycloak does not instantly propagate new resources. # To prevent the flakiness of these tests, we are adding a new retry code: 404 client.add_retry_code(404) - authorization.metadata.add_uma("resource-data", rhsso.well_known["issuer"], "uma-client-secret") + authorization.metadata.add_uma("resource-data", keycloak.well_known["issuer"], "uma-client-secret") authorization.authorization.add_opa_policy("opa", VALIDATE_RESOURCE_OWNER) return authorization def test_uma_resource_authorized(client, auth): - """Test correct auth for default RHSSO user for both endpoints""" + """Test correct auth for default Keycloak user for both endpoints""" response = client.get("/anything", auth=auth) assert response.status_code == 200 response = client.get("/anything/1", auth=auth) diff --git a/testsuite/tests/kuadrant/authorino/metadata/test_user_info.py b/testsuite/tests/kuadrant/authorino/metadata/test_user_info.py index 6699cd42..4039746e 100644 --- a/testsuite/tests/kuadrant/authorino/metadata/test_user_info.py +++ b/testsuite/tests/kuadrant/authorino/metadata/test_user_info.py @@ -12,20 +12,20 @@ @pytest.fixture(scope="module") -def user2(rhsso, blame): +def user2(keycloak, blame): """Second User which has incorrect email""" - return rhsso.realm.create_user("user2", "password", email=f"{blame('test')}@test.com") + return keycloak.realm.create_user("user2", "password", email=f"{blame('test')}@test.com") @pytest.fixture(scope="module") -def authorization(authorization, rhsso): +def authorization(authorization, keycloak): """ Adds auth metadata OIDC UserInfo which fetches OIDC UserInfo in request-time. - Adds a simple rule that accepts only when fetched UserInfo contains the email address of the default RHSSO user. + Adds a simple rule that accepts only when fetched UserInfo contains the email address of the default Keycloak user. """ - authorization.metadata.add_user_info("user-info", "rhsso") + authorization.metadata.add_user_info("user-info", "default") authorization.authorization.add_auth_rules( - "rule", [Pattern("auth.metadata.user-info.email", "eq", rhsso.user.properties["email"])] + "rule", [Pattern("auth.metadata.user-info.email", "eq", keycloak.user.properties["email"])] ) return authorization @@ -36,8 +36,8 @@ def test_correct_auth(client, auth): assert response.status_code == 200 -def test_incorrect_auth(client, rhsso, user2): - """Updates RHSSO user email address and tests incorrect auth""" - auth = HttpxOidcClientAuth.from_user(rhsso.get_token, user2, "authorization") +def test_incorrect_auth(client, keycloak, user2): + """Updates Keycloak user email address and tests incorrect auth""" + auth = HttpxOidcClientAuth.from_user(keycloak.get_token, user2, "authorization") response = client.get("get", auth=auth) assert response.status_code == 403 diff --git a/testsuite/tests/kuadrant/authorino/operator/clusterwide/conftest.py b/testsuite/tests/kuadrant/authorino/operator/clusterwide/conftest.py index 37c8f0cb..696d045f 100644 --- a/testsuite/tests/kuadrant/authorino/operator/clusterwide/conftest.py +++ b/testsuite/tests/kuadrant/authorino/operator/clusterwide/conftest.py @@ -32,7 +32,7 @@ def route2(request, gateway, blame, hostname2): def authorization2(route2, blame, openshift2, label, oidc_provider): """Second valid hostname""" auth = AuthConfig.create_instance(openshift2, blame("ac"), route2, labels={"testRun": label}) - auth.identity.add_oidc("rhsso", oidc_provider.well_known["issuer"]) + auth.identity.add_oidc("default", oidc_provider.well_known["issuer"]) return auth diff --git a/testsuite/tests/kuadrant/authorino/performance/conftest.py b/testsuite/tests/kuadrant/authorino/performance/conftest.py index ed1315aa..ba7bff75 100644 --- a/testsuite/tests/kuadrant/authorino/performance/conftest.py +++ b/testsuite/tests/kuadrant/authorino/performance/conftest.py @@ -55,9 +55,9 @@ def benchmark(hyperfoil, name, template, agents, http, files): @pytest.fixture(scope="module") -def rhsso_auth(rhsso): - """Returns RHSSO authentication object for HTTPX""" - return HttpxOidcClientAuth(rhsso.get_token) +def keycloak_auth(keycloak): + """Returns Keycloak authentication object for HTTPX""" + return HttpxOidcClientAuth(keycloak.get_token) @pytest.fixture(scope="function") diff --git a/testsuite/tests/kuadrant/authorino/performance/templates/template_perf_basic_query_rhsso.hf.yaml b/testsuite/tests/kuadrant/authorino/performance/templates/template_perf_basic_query_rhsso.hf.yaml index 1564c438..18a8a010 100644 --- a/testsuite/tests/kuadrant/authorino/performance/templates/template_perf_basic_query_rhsso.hf.yaml +++ b/testsuite/tests/kuadrant/authorino/performance/templates/template_perf_basic_query_rhsso.hf.yaml @@ -9,7 +9,7 @@ phases: scenario: - loadCsv: &loadCsv - randomCsvRow: - file: 'rhsso_auth.csv' + file: 'keycloak_auth.csv' skipComments: true removeQuotes: true columns: diff --git a/testsuite/tests/kuadrant/authorino/performance/test_perf_basic.py b/testsuite/tests/kuadrant/authorino/performance/test_perf_basic.py index 39bdfc1a..df70c724 100644 --- a/testsuite/tests/kuadrant/authorino/performance/test_perf_basic.py +++ b/testsuite/tests/kuadrant/authorino/performance/test_perf_basic.py @@ -34,37 +34,37 @@ def template(): @pytest.fixture(scope="module") -def http(rhsso, client): - """Configures host for the gateway and RHSSO""" +def http(keycloak, client): + """Configures host for the gateway and Keycloak""" return { "http": [ - {"host": add_port(rhsso.server_url), "sharedConnections": 100}, + {"host": add_port(keycloak.server_url), "sharedConnections": 100}, {"host": add_port(str(client.base_url)), "sharedConnections": 20}, ] } @pytest.fixture(scope="module") -def files(rhsso, client): - """Adds Message and RHSSO CSV to the files""" - token_url_obj = add_port(rhsso.well_known["token_endpoint"], return_netloc=False) +def files(keycloak, client): + """Adds Message and Keycloak CSV to the files""" + token_url_obj = add_port(keycloak.well_known["token_endpoint"], return_netloc=False) client_url = add_port(str(client.base_url)) with MESSAGE_1KB.open("r", encoding="UTF-8") as file: yield { "message_1kb.txt": file, - "rhsso_auth.csv": create_csv_file( - [[client_url, token_url_obj.netloc, token_url_obj.path, rhsso.token_params()]] + "keycloak_auth.csv": create_csv_file( + [[client_url, token_url_obj.netloc, token_url_obj.path, keycloak.token_params()]] ), } -def test_basic_perf_rhsso(generate_report, client, benchmark, rhsso_auth, blame): +def test_basic_perf_rhsso(generate_report, client, benchmark, keycloak_auth, blame): """ Test checks that authorino is set up correctly. Runs the created benchmark. Asserts it was successful. """ - assert client.get("/get", auth=rhsso_auth).status_code == 200 + assert client.get("/get", auth=keycloak_auth).status_code == 200 run = benchmark.start(blame("run")) obj = run.wait(MAX_RUN_TIME) diff --git a/testsuite/tests/kuadrant/authorino/wristband/conftest.py b/testsuite/tests/kuadrant/authorino/wristband/conftest.py index 0632765d..d27bccb3 100644 --- a/testsuite/tests/kuadrant/authorino/wristband/conftest.py +++ b/testsuite/tests/kuadrant/authorino/wristband/conftest.py @@ -12,9 +12,9 @@ @pytest.fixture(scope="session") -def oidc_provider(rhsso): +def oidc_provider(keycloak): """Fixture which enables switching out OIDC providers for individual modules""" - return rhsso + return keycloak @pytest.fixture(scope="module") @@ -115,7 +115,7 @@ def wristband_authorization( labels={"testRun": label}, ) - authorization.identity.add_oidc("rhsso", oidc_provider.well_known["issuer"]) + authorization.identity.add_oidc("default", oidc_provider.well_known["issuer"]) authorization.responses.add_success_dynamic( "wristband", WristbandResponse(issuer=wristband_endpoint, signingKeyRefs=[WristbandSigningKeyRef(wristband_secret)]), diff --git a/testsuite/tests/kuadrant/authorino/wristband/test_wristband.py b/testsuite/tests/kuadrant/authorino/wristband/test_wristband.py index 964e9f91..aebf84b2 100644 --- a/testsuite/tests/kuadrant/authorino/wristband/test_wristband.py +++ b/testsuite/tests/kuadrant/authorino/wristband/test_wristband.py @@ -11,7 +11,7 @@ def test_wristband_token_claims(oidc_provider, auth, wristband_token, wristband_ wristband_decoded = jwt.decode(wristband_token, certificates["signing_ca"].certificate) assert wristband_decoded["exp"] - wristband_decoded["iat"] == 300 assert wristband_decoded["iss"] == wristband_endpoint - # check differences in claims between rhsso token and acquired wristband token + # check differences in claims between Keycloak token and acquired wristband token access_token_decoded = jwt.decode(auth.token.access_token, oidc_provider.get_public_key(), audience="account") for claim in ["preferred_username", "email", "realm_access", "resource_access"]: assert claim in access_token_decoded diff --git a/testsuite/tests/kuadrant/gateway/conftest.py b/testsuite/tests/kuadrant/gateway/conftest.py index 17bf3437..31885b4e 100644 --- a/testsuite/tests/kuadrant/gateway/conftest.py +++ b/testsuite/tests/kuadrant/gateway/conftest.py @@ -24,13 +24,13 @@ def gateway(request, openshift, blame, wildcard_domain, module_label): def authorization(authorization, oidc_provider): # pylint: disable=unused-argument """Create AuthPolicy attached to gateway""" - authorization.identity.add_oidc("rhsso", oidc_provider.well_known["issuer"]) + authorization.identity.add_oidc("default", oidc_provider.well_known["issuer"]) return authorization @pytest.fixture(scope="module") def auth(oidc_provider): - """Returns RHSSO authentication object for HTTPX""" + """Returns Authentication object for HTTPX""" return HttpxOidcClientAuth(oidc_provider.get_token, "authorization") diff --git a/testsuite/tests/kuadrant/test_rate_limit_anonymous.py b/testsuite/tests/kuadrant/test_rate_limit_anonymous.py index d8500c88..5b732756 100644 --- a/testsuite/tests/kuadrant/test_rate_limit_anonymous.py +++ b/testsuite/tests/kuadrant/test_rate_limit_anonymous.py @@ -30,7 +30,7 @@ def rate_limit(rate_limit): def authorization(authorization, oidc_provider): """Add oidc and anonymous identity with low priority to the AuthConfig""" authorization.identity.add_anonymous("anonymous", priority=1) - authorization.identity.add_oidc("rhsso", oidc_provider.well_known["issuer"]) + authorization.identity.add_oidc("default", oidc_provider.well_known["issuer"]) # curly brackets are added to response as it stringifies the anonymous output. authorization.responses.add_success_dynamic( @@ -41,7 +41,7 @@ def authorization(authorization, oidc_provider): @pytest.fixture(scope="module") def auth(oidc_provider): - """Returns RHSSO authentication object for HTTPX""" + """Returns authentication object for HTTPX""" return HttpxOidcClientAuth(oidc_provider.get_token, "authorization") diff --git a/testsuite/tests/kuadrant/test_rate_limit_authz.py b/testsuite/tests/kuadrant/test_rate_limit_authz.py index 52ce13c1..b875ff4e 100644 --- a/testsuite/tests/kuadrant/test_rate_limit_authz.py +++ b/testsuite/tests/kuadrant/test_rate_limit_authz.py @@ -21,8 +21,8 @@ def rate_limit(rate_limit): @pytest.fixture(scope="module") def authorization(authorization, oidc_provider): - """Adds rhsso identity and JSON injection, that wraps the response as Envoy Dynamic Metadata for rate limit""" - authorization.identity.add_oidc("rhsso", oidc_provider.well_known["issuer"]) + """Adds keycloak identity and JSON injection, that wraps the response as Envoy Dynamic Metadata for rate limit""" + authorization.identity.add_oidc("default", oidc_provider.well_known["issuer"]) authorization.responses.add_success_dynamic( "identity", JsonResponse({"user": ValueFrom("auth.identity.preferred_username")}) ) @@ -31,16 +31,16 @@ def authorization(authorization, oidc_provider): @pytest.fixture(scope="module") def auth(oidc_provider): - """Returns RHSSO authentication object for HTTPX""" + """Returns authentication object for HTTPX""" return HttpxOidcClientAuth(oidc_provider.get_token, "authorization") @pytest.fixture(scope="module") -def auth2(rhsso, blame): - """Creates new RHSSO user and returns its authentication object for HTTPX""" - name = rhsso.user.username + "-test2" - user = rhsso.realm.create_user(name, "password", email=f"{blame('test')}@test.com") - return HttpxOidcClientAuth.from_user(rhsso.get_token, user=user) +def auth2(keycloak, blame): + """Creates new Keycloak user and returns its authentication object for HTTPX""" + name = keycloak.user.username + "-test2" + user = keycloak.realm.create_user(name, "password", email=f"{blame('test')}@test.com") + return HttpxOidcClientAuth.from_user(keycloak.get_token, user=user) @pytest.mark.parametrize("rate_limit", ["route", "gateway"], indirect=True)