-
Notifications
You must be signed in to change notification settings - Fork 161
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Reverting line ending changes from last commit
Signed-off-by: Sebastian Klein <[email protected]>
- Loading branch information
1 parent
924391e
commit 508f964
Showing
2 changed files
with
295 additions
and
295 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,159 +1,159 @@ | ||
name: Snapshot based E2E OIDC tests workflow | ||
|
||
on: [ push, pull_request ] | ||
|
||
env: | ||
OPENSEARCH_VERSION: '3.0.0' | ||
KEYCLOAK_VERSION: '21.0.1' | ||
TEST_KEYCLOAK_CLIENT_SECRET: 'oacHfNaXyy81r2uHq1A9RY4ASryre4rZ' | ||
CI: 1 | ||
# avoid warnings like "tput: No value for $TERM and no -T specified" | ||
TERM: xterm | ||
PLUGIN_NAME: opensearch-security | ||
# This is the SHA256 checksum of the known good kc.sh script for Keycloak version 21.0.1. | ||
KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT: 'f825ea1a9ffa5ad91673737c06857ababbb69b6b8f09e0c637b4c998517f9608' | ||
OPENSEARCH_INITIAL_ADMIN_PASSWORD: myStrongPassword123! | ||
|
||
jobs: | ||
tests: | ||
name: Run Cypress E2E OIDC tests | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
os: [ ubuntu-latest ] | ||
basePath: [ "", "/osd" ] | ||
runs-on: ${{ matrix.os }} | ||
|
||
steps: | ||
- name: Checkout Branch | ||
uses: actions/checkout@v3 | ||
|
||
# Download and Check Keycloak Version | ||
- name: Download and Check Keyloak Version on Linux | ||
if: ${{ runner.os == 'Linux' }} | ||
run: | | ||
echo "Downloading Keycloak ${{ env.KEYCLOAK_VERSION }}" | ||
wget https://github.com/keycloak/keycloak/releases/download/${{ env.KEYCLOAK_VERSION }}/keycloak-${{ env.KEYCLOAK_VERSION }}.tar.gz | ||
echo "Unpacking Keycloak" | ||
tar -xzf keycloak-${{ env.KEYCLOAK_VERSION }}.tar.gz | ||
cd keycloak-${{ env.KEYCLOAK_VERSION }}/bin | ||
echo "Generating checksum for the downloaded kc.sh script..." | ||
DOWNLOADED_CHECKSUM=$(sha256sum kc.sh | awk '{print $1}') | ||
echo "Downloaded kc.sh checksum: $DOWNLOADED_CHECKSUM" | ||
echo "Known good kc.sh checksum: ${{ env.KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT }}" | ||
KNOWN_GOOD_CHECKSUM="${{ env.KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT }}" | ||
if [ "$DOWNLOADED_CHECKSUM" != "$KNOWN_GOOD_CHECKSUM" ]; then | ||
echo "Checksum mismatch. The kc.sh script does not match the known good version. Please check https://github.com/keycloak/keycloak and verify the updates." | ||
exit 1 | ||
else | ||
echo "Checksum match confirmed. Proceeding with setup." | ||
fi | ||
chmod +x ./kc.sh | ||
# Setup and Run Keycloak | ||
- name: Get and run Keycloak on Linux | ||
if: ${{ runner.os == 'Linux' }} | ||
run: | | ||
export KEYCLOAK_ADMIN=admin | ||
export KEYCLOAK_ADMIN_PASSWORD=admin | ||
cd keycloak-${{ env.KEYCLOAK_VERSION }}/bin | ||
echo "Starting keycloak" | ||
./kc.sh start-dev --http-enabled=true --hostname-strict-https=false --http-host=localhost --http-relative-path /auth --health-enabled=true & | ||
timeout 300 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:8080/auth/health)" != "200" ]]; do sleep 5; done' | ||
chmod +x kcadm.sh | ||
echo "Creating client" | ||
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password admin | ||
CID=$(./kcadm.sh create clients -r master -s clientId=opensearch -s secret="${{ env.TEST_KEYCLOAK_CLIENT_SECRET }}" -s 'attributes."access.token.lifespan"=60' -s 'redirectUris=["http://localhost:5603${{ matrix.basePath }}/auth/openid/login", "http://localhost:5601${{ matrix.basePath }}", "http://localhost:5601${{ matrix.basePath }}/auth/openid/login"]' -i) | ||
./kcadm.sh get clients/$CID/installation/providers/keycloak-oidc-keycloak-json > tmp | ||
echo "Getting client secret for dashboards configuration purpose" | ||
CLIENT_SECRET=$(grep -o '"secret" : "[^"]*' tmp | grep -o '[^"]*$') | ||
echo "KEYCLOAK_CLIENT_SECRET=$CLIENT_SECRET" >> $GITHUB_ENV | ||
echo "The client secret is: $CLIENT_SECRET" | ||
echo "Creating client mapper" | ||
./kcadm.sh create clients/$CID/protocol-mappers/models -r master -s 'config."id.token.claim"=true' -s 'config."multivalued"=true' -s 'config."claim.name"="roles"' -s 'config."userinfo.token.claim"=true' -s 'config."access.token.claim"=true' -s 'name=rolemapper' -s 'protocolMapper=oidc-usermodel-realm-role-mapper' -s "protocol=openid-connect" | ||
# Add OpenID Configuration | ||
- name: Creating OpenID Configuration for Linux | ||
if: ${{ runner.os == 'Linux'}} | ||
run: | | ||
echo "Creating new OpenID configuration" | ||
cat << 'EOT' > config_openid.yml | ||
--- | ||
_meta: | ||
type: "config" | ||
config_version: 2 | ||
config: | ||
dynamic: | ||
http: | ||
anonymous_auth_enabled: false | ||
authc: | ||
basic_internal_auth_domain: | ||
description: "Authenticate via HTTP Basic against internal users database" | ||
http_enabled: true | ||
transport_enabled: true | ||
order: 0 | ||
http_authenticator: | ||
type: basic | ||
challenge: false | ||
authentication_backend: | ||
type: intern | ||
openid_auth_domain: | ||
http_enabled: true | ||
transport_enabled: true | ||
order: 1 | ||
http_authenticator: | ||
type: openid | ||
challenge: false | ||
config: | ||
subject_key: preferred_username | ||
roles_key: roles | ||
openid_connect_url: http://localhost:8080/auth/realms/master/.well-known/openid-configuration | ||
authentication_backend: | ||
type: noop | ||
EOT | ||
# Configure the Dashboard for OpenID setup | ||
- name: Create OpenSearch Dashboards Config for OpenID | ||
if: ${{ runner.os == 'Linux' }} | ||
run: | | ||
cat << 'EOT' > opensearch_dashboards_openid.yml | ||
server.host: "localhost" | ||
opensearch.hosts: ["https://localhost:9200"] | ||
opensearch.ssl.verificationMode: none | ||
opensearch.username: "kibanaserver" | ||
opensearch.password: "kibanaserver" | ||
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ] | ||
opensearch_security.multitenancy.enabled: true | ||
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"] | ||
opensearch_security.readonly_mode.roles: ["kibana_read_only"] | ||
opensearch_security.cookie.secure: false | ||
opensearch_security.openid.connect_url: "http://localhost:8080/auth/realms/master/.well-known/openid-configuration" | ||
opensearch_security.openid.client_id: "opensearch" | ||
opensearch_security.openid.client_secret: "${{ env.TEST_KEYCLOAK_CLIENT_SECRET }}" | ||
opensearch_security.openid.base_redirect_url: http://localhost:5601${{ matrix.basePath }} | ||
opensearch_security.auth.type: "openid" | ||
home.disableWelcomeScreen: true | ||
EOT | ||
- name: Run OSD with basePath | ||
if: ${{ matrix.basePath != '' }} | ||
run: | | ||
echo "server.basePath: \"${{ matrix.basePath }}\"" >> opensearch_dashboards_openid.yml | ||
echo "server.rewriteBasePath: true" >> opensearch_dashboards_openid.yml | ||
- name: Run Cypress Tests with basePath | ||
if: ${{ matrix.basePath != '' }} | ||
uses: ./.github/actions/run-cypress-tests | ||
with: | ||
security_config_file: config_openid.yml | ||
dashboards_config_file: opensearch_dashboards_openid.yml | ||
yarn_command: 'yarn cypress:run --browser chrome --headless --spec "test/cypress/e2e/oidc/*.js" --env basePath=${{ matrix.basePath }}' | ||
osd_base_path: ${{ matrix.basePath }} | ||
|
||
- name: Run Cypress Tests | ||
if: ${{ matrix.basePath == '' }} | ||
uses: ./.github/actions/run-cypress-tests | ||
with: | ||
security_config_file: config_openid.yml | ||
dashboards_config_file: opensearch_dashboards_openid.yml | ||
yarn_command: 'yarn cypress:run --browser chrome --headless --spec "test/cypress/e2e/oidc/*.js"' | ||
name: Snapshot based E2E OIDC tests workflow | ||
|
||
on: [ push, pull_request ] | ||
|
||
env: | ||
OPENSEARCH_VERSION: '3.0.0' | ||
KEYCLOAK_VERSION: '21.0.1' | ||
TEST_KEYCLOAK_CLIENT_SECRET: 'oacHfNaXyy81r2uHq1A9RY4ASryre4rZ' | ||
CI: 1 | ||
# avoid warnings like "tput: No value for $TERM and no -T specified" | ||
TERM: xterm | ||
PLUGIN_NAME: opensearch-security | ||
# This is the SHA256 checksum of the known good kc.sh script for Keycloak version 21.0.1. | ||
KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT: 'f825ea1a9ffa5ad91673737c06857ababbb69b6b8f09e0c637b4c998517f9608' | ||
OPENSEARCH_INITIAL_ADMIN_PASSWORD: myStrongPassword123! | ||
|
||
jobs: | ||
tests: | ||
name: Run Cypress E2E OIDC tests | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
os: [ ubuntu-latest ] | ||
basePath: [ "", "/osd" ] | ||
runs-on: ${{ matrix.os }} | ||
|
||
steps: | ||
- name: Checkout Branch | ||
uses: actions/checkout@v3 | ||
|
||
# Download and Check Keycloak Version | ||
- name: Download and Check Keyloak Version on Linux | ||
if: ${{ runner.os == 'Linux' }} | ||
run: | | ||
echo "Downloading Keycloak ${{ env.KEYCLOAK_VERSION }}" | ||
wget https://github.com/keycloak/keycloak/releases/download/${{ env.KEYCLOAK_VERSION }}/keycloak-${{ env.KEYCLOAK_VERSION }}.tar.gz | ||
echo "Unpacking Keycloak" | ||
tar -xzf keycloak-${{ env.KEYCLOAK_VERSION }}.tar.gz | ||
cd keycloak-${{ env.KEYCLOAK_VERSION }}/bin | ||
echo "Generating checksum for the downloaded kc.sh script..." | ||
DOWNLOADED_CHECKSUM=$(sha256sum kc.sh | awk '{print $1}') | ||
echo "Downloaded kc.sh checksum: $DOWNLOADED_CHECKSUM" | ||
echo "Known good kc.sh checksum: ${{ env.KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT }}" | ||
KNOWN_GOOD_CHECKSUM="${{ env.KNOWN_CHECKSUM_OF_KEYCLOAK_SCRIPT }}" | ||
if [ "$DOWNLOADED_CHECKSUM" != "$KNOWN_GOOD_CHECKSUM" ]; then | ||
echo "Checksum mismatch. The kc.sh script does not match the known good version. Please check https://github.com/keycloak/keycloak and verify the updates." | ||
exit 1 | ||
else | ||
echo "Checksum match confirmed. Proceeding with setup." | ||
fi | ||
chmod +x ./kc.sh | ||
# Setup and Run Keycloak | ||
- name: Get and run Keycloak on Linux | ||
if: ${{ runner.os == 'Linux' }} | ||
run: | | ||
export KEYCLOAK_ADMIN=admin | ||
export KEYCLOAK_ADMIN_PASSWORD=admin | ||
cd keycloak-${{ env.KEYCLOAK_VERSION }}/bin | ||
echo "Starting keycloak" | ||
./kc.sh start-dev --http-enabled=true --hostname-strict-https=false --http-host=localhost --http-relative-path /auth --health-enabled=true & | ||
timeout 300 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:8080/auth/health)" != "200" ]]; do sleep 5; done' | ||
chmod +x kcadm.sh | ||
echo "Creating client" | ||
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password admin | ||
CID=$(./kcadm.sh create clients -r master -s clientId=opensearch -s secret="${{ env.TEST_KEYCLOAK_CLIENT_SECRET }}" -s 'attributes."access.token.lifespan"=60' -s 'redirectUris=["http://localhost:5603${{ matrix.basePath }}/auth/openid/login", "http://localhost:5601${{ matrix.basePath }}", "http://localhost:5601${{ matrix.basePath }}/auth/openid/login"]' -i) | ||
./kcadm.sh get clients/$CID/installation/providers/keycloak-oidc-keycloak-json > tmp | ||
echo "Getting client secret for dashboards configuration purpose" | ||
CLIENT_SECRET=$(grep -o '"secret" : "[^"]*' tmp | grep -o '[^"]*$') | ||
echo "KEYCLOAK_CLIENT_SECRET=$CLIENT_SECRET" >> $GITHUB_ENV | ||
echo "The client secret is: $CLIENT_SECRET" | ||
echo "Creating client mapper" | ||
./kcadm.sh create clients/$CID/protocol-mappers/models -r master -s 'config."id.token.claim"=true' -s 'config."multivalued"=true' -s 'config."claim.name"="roles"' -s 'config."userinfo.token.claim"=true' -s 'config."access.token.claim"=true' -s 'name=rolemapper' -s 'protocolMapper=oidc-usermodel-realm-role-mapper' -s "protocol=openid-connect" | ||
# Add OpenID Configuration | ||
- name: Creating OpenID Configuration for Linux | ||
if: ${{ runner.os == 'Linux'}} | ||
run: | | ||
echo "Creating new OpenID configuration" | ||
cat << 'EOT' > config_openid.yml | ||
--- | ||
_meta: | ||
type: "config" | ||
config_version: 2 | ||
config: | ||
dynamic: | ||
http: | ||
anonymous_auth_enabled: false | ||
authc: | ||
basic_internal_auth_domain: | ||
description: "Authenticate via HTTP Basic against internal users database" | ||
http_enabled: true | ||
transport_enabled: true | ||
order: 0 | ||
http_authenticator: | ||
type: basic | ||
challenge: false | ||
authentication_backend: | ||
type: intern | ||
openid_auth_domain: | ||
http_enabled: true | ||
transport_enabled: true | ||
order: 1 | ||
http_authenticator: | ||
type: openid | ||
challenge: false | ||
config: | ||
subject_key: preferred_username | ||
roles_key: roles | ||
openid_connect_url: http://localhost:8080/auth/realms/master/.well-known/openid-configuration | ||
authentication_backend: | ||
type: noop | ||
EOT | ||
# Configure the Dashboard for OpenID setup | ||
- name: Create OpenSearch Dashboards Config for OpenID | ||
if: ${{ runner.os == 'Linux' }} | ||
run: | | ||
cat << 'EOT' > opensearch_dashboards_openid.yml | ||
server.host: "localhost" | ||
opensearch.hosts: ["https://localhost:9200"] | ||
opensearch.ssl.verificationMode: none | ||
opensearch.username: "kibanaserver" | ||
opensearch.password: "kibanaserver" | ||
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ] | ||
opensearch_security.multitenancy.enabled: true | ||
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"] | ||
opensearch_security.readonly_mode.roles: ["kibana_read_only"] | ||
opensearch_security.cookie.secure: false | ||
opensearch_security.openid.connect_url: "http://localhost:8080/auth/realms/master/.well-known/openid-configuration" | ||
opensearch_security.openid.client_id: "opensearch" | ||
opensearch_security.openid.client_secret: "${{ env.TEST_KEYCLOAK_CLIENT_SECRET }}" | ||
opensearch_security.openid.base_redirect_url: http://localhost:5601${{ matrix.basePath }} | ||
opensearch_security.auth.type: "openid" | ||
home.disableWelcomeScreen: true | ||
EOT | ||
- name: Run OSD with basePath | ||
if: ${{ matrix.basePath != '' }} | ||
run: | | ||
echo "server.basePath: \"${{ matrix.basePath }}\"" >> opensearch_dashboards_openid.yml | ||
echo "server.rewriteBasePath: true" >> opensearch_dashboards_openid.yml | ||
- name: Run Cypress Tests with basePath | ||
if: ${{ matrix.basePath != '' }} | ||
uses: ./.github/actions/run-cypress-tests | ||
with: | ||
security_config_file: config_openid.yml | ||
dashboards_config_file: opensearch_dashboards_openid.yml | ||
yarn_command: 'yarn cypress:run --browser chrome --headless --spec "test/cypress/e2e/oidc/*.js" --env basePath=${{ matrix.basePath }}' | ||
osd_base_path: ${{ matrix.basePath }} | ||
|
||
- name: Run Cypress Tests | ||
if: ${{ matrix.basePath == '' }} | ||
uses: ./.github/actions/run-cypress-tests | ||
with: | ||
security_config_file: config_openid.yml | ||
dashboards_config_file: opensearch_dashboards_openid.yml | ||
yarn_command: 'yarn cypress:run --browser chrome --headless --spec "test/cypress/e2e/oidc/*.js"' |
Oops, something went wrong.