From 2d29175b52e1d8e620ae286dddc521584f692811 Mon Sep 17 00:00:00 2001 From: shankar0123 Date: Mon, 11 May 2026 15:39:07 +0000 Subject: [PATCH] fix(oidc/testfixtures): set Enabled=true on Keycloak integration-test provider Phase-10 live-IdP smoke re-run (after the alg-downgrade relax landed in 92c50d9) surfaced the next layer: 5 of 6 testcontainers-Keycloak integration tests failed with 'oidc: provider is disabled'. Root cause: the OIDCProvider struct literal in internal/auth/oidc/testfixtures/keycloak.go omits the Enabled field. Enabled was added by Audit 2026-05-11 MED-9 (Bundle 2 Fix 13 Phase B); pre-fix the field didn't exist and HandleAuthRequest always proceeded. Post-fix the default zero-value false gates every integration test behind ErrProviderDisabled at service.go L478. Fix: add Enabled: true to the struct literal + inline comment explaining why the field is required for integration tests. The check is the right behavior for production (operator-driven disable kill-switch); just needed to be reflected in the testfixture. Verify (sandbox): go vet -tags=integration ./internal/auth/oidc/... clean. Workstation re-runs 'make keycloak-integration-test' to confirm the 5 affected tests now pass against a real Keycloak 26.x. --- internal/auth/oidc/testfixtures/keycloak.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/internal/auth/oidc/testfixtures/keycloak.go b/internal/auth/oidc/testfixtures/keycloak.go index d794e98..58ab03f 100644 --- a/internal/auth/oidc/testfixtures/keycloak.go +++ b/internal/auth/oidc/testfixtures/keycloak.go 
@@ -216,6 +216,13 @@ func StartKeycloak(t *testing.T) *KeycloakFixture { Name: "Keycloak (integration test)", IssuerURL: issuerURL, ClientID: ClientID, + // Enabled=true is required for HandleAuthRequest to reach the + // IdP discovery + redirect path. The field was added by Audit + // 2026-05-11 MED-9 (Bundle 2 Fix 13 Phase B); pre-fix providers + // had no enable-flag and HandleAuthRequest always proceeded. + // Default zero-value false would gate all integration tests + // behind ErrProviderDisabled. + Enabled: true, // ClientSecretEncrypted intentionally left zero-length: the // integration test invokes the service with encryptionKey="", // which the Phase-3 service treats as plaintext-passthrough.
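Review bot: With `Enabled: true` hard-coded in the provider literal in StartKeycloak, no integration test built on this fixture exercises the disabled path that the commit message describes as the production kill-switch. Consider adding one case that sets the fixture's provider to Enabled=false and asserts ErrProviderDisabled from HandleAuthRequest, so the gate is covered against the real IdP and not only bypassed by the fixture. The commit message reports 5 of 6 tests failing. It is worth stating why the sixth passed with a disabled provider: either it never calls HandleAuthRequest, or it reaches the provider by a path the Enabled check does not gate. If it is the second, that is a finding in its own right. On style, the six-line comment above the field repeats audit history (MED-9, Bundle 2 Fix 13 Phase B) that is already in the commit message. A one-line statement of the invariant, that the zero value disables the provider and HandleAuthRequest returns ErrProviderDisabled, would age better. Verification so far is `go vet` only, so the result of `make keycloak-integration-test` should be recorded before this merges.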