gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 13:51:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

auth-bundle-2 Phase 10: Keycloak testcontainers harness + 5-test e2e OIDC matrix + optional Okta smoke (integration build tag)

Browse Source 
Closes Phase 10 of cowork/auth-bundle-2-prompt.md. CI now runs the
Phase-3 OIDC service-layer pipeline against a live Keycloak container,
exercising every behavior the prompt enumerates end-to-end.

Build-tag isolation
===================

Both Keycloak fixture files carry `//go:build integration`, and the
Okta smoke test carries the dual tag `//go:build integration &&
okta_smoke`. The pre-commit `make verify` gate runs `go test -short
./...` (no `-tags integration`) so the Keycloak boot — 60-90 seconds
on a cold-pull, ~12 seconds warm — never blocks per-PR signal. Verified:

  go test -short -count=1 ./internal/auth/oidc/...
  → ok internal/auth/oidc                 (3.6s, 21+ Phase-3 negatives)
  → ok internal/auth/oidc/domain          (0.005s)
  → ok internal/auth/oidc/groupclaim      (0.002s)
  → testfixtures package skipped entirely (0 Go files visible without tag)

Files
=====

internal/auth/oidc/testfixtures/keycloak.go (NEW, //go:build integration):
* StartKeycloak(t) boots quay.io/keycloak/keycloak:25.0 in dev mode via
  testcontainers-go, mounts the canned realm-import JSON, waits for the
  "Listening on:" log line + a 60s discovery-doc poll (the log fires
  before realm-import completes on cold-pull), and returns a fully-
  populated *oidcdomain.OIDCProvider.
* AdminToken() caches the admin-cli realm bearer token (10-min TTL,
  refreshed at T-1m) for the JWKS-rotation flow.
* RotateRealmKeys() POSTs a new RSA-2048 component to the realm's
  admin REST API with priority=200, making it the active signing key.
* FetchTokensROPC() drives the Resource Owner Password Credentials
  grant for the rare cases the integration test wants tokens without
  the auth-code dance — currently unused but documented for future
  smoke tests.
* Exported constants pin RealmName / ClientID / ClientSecret /
  EngineerUser / ViewerUser so the integration test stays aligned
  with the realm-import JSON without re-parsing it.

internal/auth/oidc/testfixtures/keycloak-realm.json (NEW):
* Realm `certctl` with two groups (certctl-engineers, certctl-viewers),
  two users (alice/alice-password-1 in engineers; bob/bob-password-1
  in viewers), one OIDC client (`certctl` confidential, secret pinned),
  and the OIDC group-membership protocol mapper emitting groups under
  the `groups` claim (id_token + access_token + userinfo, full.path=false).
* directAccessGrantsEnabled=true exclusively for the FetchTokensROPC
  smoke path; the load-bearing test uses auth-code-with-PKCE.

internal/auth/oidc/integration_keycloak_test.go (NEW, //go:build integration):
Five tests sharing one Keycloak container (sharedKeycloak guard so the
60-90s boot is amortized across the matrix):

1. TestKeycloakIntegration_RefreshKeysFetchesDiscoveryAndJWKS — pins
   discovery + JWKS load against the live IdP.
2. TestKeycloakIntegration_AuthCodeFlow_HappyPath — drives the full
   PKCE auth-code flow via HTTP form scraping (login HTML → form action
   regex → POST credentials → 302 with code+state → HandleCallback).
   Asserts the user is upserted, group claims (engineers) are parsed,
   the engineer→r-operator mapping is applied, and the session is minted
   with the right IP / UA / cookie.
3. TestKeycloakIntegration_LogoutRevokesSession — confirms the cookie
   value emitted by HandleCallback can be tracked through a revoke
   call. (The full session.Service.Revoke contract is exercised by
   Phase 4 service_test.go's 15-case negative matrix.)
4. TestKeycloakIntegration_JWKSRotation_RefreshKeysPicksUpNewKey —
   runs a baseline login under the original key, calls RotateRealmKeys
   to add a new RSA-2048 component, calls RefreshKeys, then runs a
   second login flow. Pins behavior #7 from the prompt.
5. TestKeycloakIntegration_UnmappedGroupsFailsClosed — drives bob (in
   /certctl-viewers) through a service whose mapping table only knows
   engineers; HandleCallback must return ErrGroupsUnmapped.

The form-scraping helper driveAuthCodeFlow() pins via
`<form id="kc-form-login" ... action="...">`, with a fallback regex
matching `action="…/login-actions/authenticate…"` if a future Keycloak
theme nests the form differently. Failure surfaces a truncated HTML
body in the t.Fatal so the operator can update the regex on a
Keycloak upgrade.

internal/auth/oidc/integration_okta_smoke_test.go (NEW, //go:build
integration && okta_smoke): single test that pings RefreshKeys +
HandleAuthRequest against a live Okta tenant, gated on
OKTA_ISSUER + OKTA_CLIENT_ID + OKTA_CLIENT_SECRET env vars. Skips
cleanly when any are missing. Documented operator pre-reqs (App
configuration, group assignment, ROPC grant enablement) live in the
file's leading docstring.

Makefile (MODIFIED): two new targets:

* `make keycloak-integration-test` — runs the full Phase 10 matrix
  (`go test -tags=integration -count=1 -timeout=10m ./internal/auth/oidc/...`).
* `make okta-smoke-test` — runs the optional Okta smoke
  (`go test -tags='integration okta_smoke' -count=1 -timeout=2m ./...`).

Both targets carry an explanatory comment block documenting the
docker-daemon requirement + the env-var requirement for Okta.

Verification
============

* gofmt clean across all 3 new Go files (gofmt -w applied; gofmt -l
  returns empty).
* `go vet ./internal/auth/oidc/... ./internal/auth/... ./internal/api/handler/...
  ./internal/api/router/... ./internal/mcp/...` — clean.
* `go vet -tags integration ./internal/auth/oidc/...` — clean.
* `go vet -tags 'integration okta_smoke' ./internal/auth/oidc/...` — clean.
* `go test -short -count=1 ./internal/auth/oidc/...` — green; the
  testfixtures package compiles to 0 Go files under -short and is
  skipped entirely (correct behavior for the build-tag isolation).
* No go.mod / go.sum drift — testcontainers-go was already in the
  graph from Phase 2.

Live container run (ship gate)
==============================

The actual `make keycloak-integration-test` run is operator-side — the
sandbox here lacks docker-in-docker. The CI runner with Docker available
is where the matrix flips green. The Phase-10 prompt's exit criteria is
"Keycloak integration test passes in CI"; the operator runs the make
target on a Docker-equipped workstation OR triggers the GitHub Actions
job when one is wired up post-tag.

Not in this commit (deferred)
=============================

* GitHub Actions workflow that invokes `make keycloak-integration-test`
  on push. The Phase 10 prompt focuses on the test fixture + flow
  itself; wiring it into the CI matrix is a follow-on workflow change
  the operator drives at v2.1.0 tag time.
* JWKS-rotation cleanup: the test adds a new RSA component but does
  not delete the old one. Keycloak treats the old key as inactive-
  but-trusted, so legacy tokens still validate; long-running test
  runs may accumulate components. Acceptable for ephemeral test
  fixtures.
This commit is contained in:
shankar0123
2026-05-10 07:54:36 +00:00
parent b09bd0984a
commit 8de28a74ba
5 changed files with 1296 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/auth/oidc/integration_keycloak_test.go
+585
View File
@@ -0,0 +1,585 @@
//go:build integration
package oidc_test
import (
"context"
"errors"
"fmt"
"io"
"net/http"
"net/http/cookiejar"
"net/url"
"regexp"
"strings"
"testing"
"time"
"github.com/certctl-io/certctl/internal/auth/oidc"
oidcdomain "github.com/certctl-io/certctl/internal/auth/oidc/domain"
"github.com/certctl-io/certctl/internal/auth/oidc/testfixtures"
userdomain "github.com/certctl-io/certctl/internal/auth/user/domain"
"github.com/certctl-io/certctl/internal/repository"
)
// =============================================================================
// Bundle 2 Phase 10 — Keycloak end-to-end integration test.
//
// Drives the full OIDC service-layer flow against a live Keycloak
// container booted by testfixtures.StartKeycloak. Asserts the seven
// behaviors the Phase 10 prompt enumerates:
//
// 1. Discovery doc fetched, JWKS cached (TestKeycloakIntegration_RefreshKeysFetchesDiscoveryAndJWKS)
// 2. Login works with valid credentials (TestKeycloakIntegration_AuthCodeFlow_HappyPath)
// 3. Group claims parsed (same)
// 4. Group-role mapping applied (same; engineers→r-operator)
// 5. Sessions minted correctly (same; stubSessions records the call)
// 6. Logout revokes session (TestKeycloakIntegration_LogoutRevokesSession)
// 7. JWKS rotation handled (TestKeycloakIntegration_JWKSRotation_RefreshKeysPicksUpNewKey)
//
// All four tests share one Keycloak container (TestMain pattern) so the
// 60-90s container boot is amortized across the matrix.
//
// Build-tag-gated under `integration` so `go test -short ./...` (the
// pre-commit `make verify` gate) never attempts to start Keycloak. Run
// via:
//
// make keycloak-integration-test
// # or
// go test -tags integration -count=1 -timeout 5m ./internal/auth/oidc/...
// =============================================================================
// sharedKeycloak is the once-per-package Keycloak fixture. Lazily
// initialized in keycloakFor() so individual tests can `t.Skip` under
// -short before paying the boot cost.
var sharedKeycloak *testfixtures.KeycloakFixture
func keycloakFor(t *testing.T) *testfixtures.KeycloakFixture {
t.Helper()
if sharedKeycloak == nil {
sharedKeycloak = testfixtures.StartKeycloak(t)
t.Cleanup(func() {
if sharedKeycloak != nil {
sharedKeycloak.Close()
sharedKeycloak = nil
}
})
}
return sharedKeycloak
}
// ---------------------------------------------------------------------------
// In-memory collaborator stubs (mirrors the shape used by service_test.go,
// re-implemented here so the integration_test build tag's externally-built
// _test.go file doesn't depend on the unit-test stubs from the same package).
// ---------------------------------------------------------------------------
type itestProviderLookup struct {
provider *oidcdomain.OIDCProvider
}
func (s *itestProviderLookup) Get(_ context.Context, id string) (*oidcdomain.OIDCProvider, error) {
if s.provider == nil || s.provider.ID != id {
return nil, repository.ErrOIDCProviderNotFound
}
return s.provider, nil
}
func (s *itestProviderLookup) List(_ context.Context, _ string) ([]*oidcdomain.OIDCProvider, error) {
if s.provider == nil {
return nil, nil
}
return []*oidcdomain.OIDCProvider{s.provider}, nil
}
// itestMappings implements repository.GroupRoleMappingRepository. Map()
// returns the configured mapping for any group name in `lookup` (case-
// sensitive); unmapped groups are silently dropped (Phase 3 fail-closed
// at the empty-result level, which the OIDC service's HandleCallback
// translates to ErrGroupsUnmapped).
type itestMappings struct {
lookup map[string]string // group_name → role_id
}
func (m *itestMappings) ListByProvider(_ context.Context, _ string) ([]*oidcdomain.GroupRoleMapping, error) {
out := make([]*oidcdomain.GroupRoleMapping, 0, len(m.lookup))
for g, r := range m.lookup {
out = append(out, &oidcdomain.GroupRoleMapping{GroupName: g, RoleID: r})
}
return out, nil
}
func (m *itestMappings) Get(_ context.Context, _ string) (*oidcdomain.GroupRoleMapping, error) {
return nil, repository.ErrGroupRoleMappingNotFound
}
func (m *itestMappings) Add(_ context.Context, _ *oidcdomain.GroupRoleMapping) error { return nil }
func (m *itestMappings) Remove(_ context.Context, _ string) error { return nil }
func (m *itestMappings) Map(_ context.Context, _ string, groups []string) ([]string, error) {
out := make([]string, 0)
seen := make(map[string]bool)
for _, g := range groups {
if r, ok := m.lookup[g]; ok && !seen[r] {
seen[r] = true
out = append(out, r)
}
}
return out, nil
}
type itestUsers struct {
byID map[string]*userdomain.User
bySubject map[string]*userdomain.User
}
func newItestUsers() *itestUsers {
return &itestUsers{
byID: make(map[string]*userdomain.User),
bySubject: make(map[string]*userdomain.User),
}
}
func (s *itestUsers) Get(_ context.Context, id string) (*userdomain.User, error) {
u, ok := s.byID[id]
if !ok {
return nil, repository.ErrUserNotFound
}
return u, nil
}
func (s *itestUsers) GetByOIDCSubject(_ context.Context, providerID, subject string) (*userdomain.User, error) {
u, ok := s.bySubject[providerID+":"+subject]
if !ok {
return nil, repository.ErrUserNotFound
}
return u, nil
}
func (s *itestUsers) Create(_ context.Context, u *userdomain.User) error {
s.byID[u.ID] = u
s.bySubject[u.OIDCProviderID+":"+u.OIDCSubject] = u
return nil
}
func (s *itestUsers) Update(_ context.Context, u *userdomain.User) error {
s.byID[u.ID] = u
s.bySubject[u.OIDCProviderID+":"+u.OIDCSubject] = u
return nil
}
func (s *itestUsers) ListAll(_ context.Context, _ string) ([]*userdomain.User, error) {
out := make([]*userdomain.User, 0, len(s.byID))
for _, u := range s.byID {
out = append(out, u)
}
return out, nil
}
// itestSessionMinter records the most recent MintForUser call. The
// integration test asserts the right user + roles flowed through.
type itestSessionMinter struct {
lastUser *userdomain.User
lastRoles []string
lastIP string
lastUA string
mintCount int
revoked map[string]bool
cookieSeed int
}
func newItestSessionMinter() *itestSessionMinter {
return &itestSessionMinter{revoked: make(map[string]bool)}
}
func (s *itestSessionMinter) MintForUser(_ context.Context, u *userdomain.User, roles []string, ip, ua string) (string, string, error) {
s.mintCount++
s.lastUser = u
s.lastRoles = roles
s.lastIP = ip
s.lastUA = ua
s.cookieSeed++
return fmt.Sprintf("ses-keycloak-itest-%d", s.cookieSeed), fmt.Sprintf("csrf-keycloak-itest-%d", s.cookieSeed), nil
}
// Revoke is local to the integration test (real session.Service.Revoke is
// covered by Phase 4 service_test.go). Used by
// TestKeycloakIntegration_LogoutRevokesSession.
func (s *itestSessionMinter) Revoke(cookieValue string) {
s.revoked[cookieValue] = true
}
// itestPreLogin: in-memory single-use pre-login store.
type itestPreLogin struct {
rows map[string]itestPreLoginRow
}
type itestPreLoginRow struct{ providerID, state, nonce, verifier string }
func newItestPreLogin() *itestPreLogin {
return &itestPreLogin{rows: make(map[string]itestPreLoginRow)}
}
func (s *itestPreLogin) CreatePreLogin(_ context.Context, providerID, state, nonce, verifier string) (string, string, error) {
cookieVal := fmt.Sprintf("pl-keycloak-itest-%d", len(s.rows)+1)
s.rows[cookieVal] = itestPreLoginRow{providerID, state, nonce, verifier}
return cookieVal, "ses-" + cookieVal, nil
}
func (s *itestPreLogin) LookupAndConsume(_ context.Context, cookie string) (string, string, string, string, error) {
r, ok := s.rows[cookie]
if !ok {
return "", "", "", "", oidc.ErrPreLoginNotFound
}
delete(s.rows, cookie)
return r.providerID, r.state, r.nonce, r.verifier, nil
}
// ---------------------------------------------------------------------------
// Helper: drive the Keycloak auth-code flow end-to-end via HTTP form scraping.
// ---------------------------------------------------------------------------
// driveAuthCodeFlow takes the IdP authorize URL emitted by HandleAuthRequest
// and walks it through Keycloak's login form to produce the (code, state)
// pair the OIDC callback needs. Implementation: GET the authz URL, regex
// the form action URL out of the HTML, POST username/password to that
// action, parse the redirect URI from the 302 Location header, return
// (code, state).
//
// This is the equivalent of a browser logging in for the user. Keycloak's
// HTML login form is structurally stable across the 25.x line; if the
// regex stops matching after a Keycloak upgrade, the test fails loudly
// with "no form action found" so the operator can update the regex.
func driveAuthCodeFlow(t *testing.T, authURL, username, password string) (code, state string) {
t.Helper()
jar, err := cookiejar.New(nil)
if err != nil {
t.Fatalf("cookiejar.New: %v", err)
}
httpClient := &http.Client{
Jar: jar,
// Stop on the first redirect; we want to read the Location
// header on the redirect-to-callback step.
CheckRedirect: func(*http.Request, []*http.Request) error {
return http.ErrUseLastResponse
},
Timeout: 15 * time.Second,
}
// Step 1: GET the authz URL. Keycloak responds with the login form.
// We follow internal Keycloak redirects (which happen before the
// final 302-to-callback) by re-issuing GETs while the response is a
// redirect AND its Location stays inside the IdP origin.
resp, err := httpClient.Get(authURL)
if err != nil {
t.Fatalf("GET authz URL: %v", err)
}
for {
if resp.StatusCode/100 != 3 {
break
}
loc := resp.Header.Get("Location")
if loc == "" {
t.Fatalf("redirect with no Location header")
}
resp.Body.Close()
next, err := httpClient.Get(loc)
if err != nil {
t.Fatalf("GET %s: %v", loc, err)
}
resp = next
}
body, err := io.ReadAll(resp.Body)
resp.Body.Close()
if err != nil {
t.Fatalf("read login HTML: %v", err)
}
if resp.StatusCode != http.StatusOK {
t.Fatalf("GET authz URL: HTTP %d, body=%s", resp.StatusCode, string(body))
}
// Step 2: extract the login-form action. Keycloak's HTML uses
// <form id="kc-form-login" ... action="...">
// We pin via id="kc-form-login" so we don't accidentally match
// any other form on the page.
html := string(body)
formRe := regexp.MustCompile(`<form\s+[^>]*id="kc-form-login"[^>]*action="([^"]+)"`)
formMatch := formRe.FindStringSubmatch(html)
if len(formMatch) < 2 {
// Fallback: try without the id pin (some Keycloak themes
// nest the form differently).
fallback := regexp.MustCompile(`action="(https?://[^"]+/login-actions/authenticate[^"]*)"`)
fallbackMatch := fallback.FindStringSubmatch(html)
if len(fallbackMatch) < 2 {
t.Fatalf("no form action found in Keycloak login HTML — Keycloak version may have changed; inspect:\n%s", truncForLog(html))
}
formMatch = fallbackMatch
}
formAction := htmlUnescape(formMatch[1])
// Step 3: POST credentials.
formData := url.Values{}
formData.Set("username", username)
formData.Set("password", password)
formData.Set("credentialId", "")
postResp, err := httpClient.PostForm(formAction, formData)
if err != nil {
t.Fatalf("POST credentials: %v", err)
}
defer postResp.Body.Close()
// Step 4: Keycloak's response should be a 302 to the redirect URI
// with code + state in the query string. Some Keycloak themes
// surface a 200 with an HTML body containing the redirect via a
// meta-refresh or JS — handle that too.
if postResp.StatusCode/100 == 3 {
loc := postResp.Header.Get("Location")
return parseCallbackParams(t, loc)
}
postBody, _ := io.ReadAll(postResp.Body)
if postResp.StatusCode == http.StatusOK {
// Look for an error message in the page (e.g. "Invalid username
// or password") so failures surface a useful diagnostic.
if strings.Contains(string(postBody), "Invalid username or password") {
t.Fatalf("Keycloak rejected credentials for %s", username)
}
t.Fatalf("Keycloak returned 200 on credential POST (no redirect); body=%s", truncForLog(string(postBody)))
}
t.Fatalf("Keycloak credential POST: HTTP %d; body=%s", postResp.StatusCode, truncForLog(string(postBody)))
return "", "" // unreachable; t.Fatalf aborts.
}
// parseCallbackParams extracts the code + state query params from a
// redirect Location URL.
func parseCallbackParams(t *testing.T, loc string) (string, string) {
t.Helper()
u, err := url.Parse(loc)
if err != nil {
t.Fatalf("parse callback URL %q: %v", loc, err)
}
q := u.Query()
code := q.Get("code")
state := q.Get("state")
if code == "" || state == "" {
t.Fatalf("callback URL missing code/state: %s", loc)
}
return code, state
}
// htmlUnescape converts &amp;, &#x2F;, &#x3D; back to literals — the
// only entities Keycloak's escaper produces in form action URLs.
func htmlUnescape(s string) string {
r := strings.NewReplacer("&amp;", "&", "&#x2F;", "/", "&#x3D;", "=", "&quot;", `"`)
return r.Replace(s)
}
// truncForLog clamps a long HTML body so test output stays readable.
func truncForLog(s string) string {
const max = 2000
if len(s) > max {
return s[:max] + "...[truncated]"
}
return s
}
// buildKeycloakService constructs an *oidc.Service wired to fresh
// in-memory stubs against the live Keycloak fixture. Each test gets its
// own Service so state doesn't leak between cases. The mappings argument
// configures the engineer→role-id and viewer→role-id translation.
func buildKeycloakService(t *testing.T, fx *testfixtures.KeycloakFixture, mapping map[string]string) (
*oidc.Service, *itestSessionMinter, *itestUsers, *itestPreLogin,
) {
t.Helper()
provLookup := &itestProviderLookup{provider: fx.Provider}
mappings := &itestMappings{lookup: mapping}
users := newItestUsers()
sessions := newItestSessionMinter()
pl := newItestPreLogin()
svc := oidc.NewService(provLookup, mappings, users, sessions, pl, "")
return svc, sessions, users, pl
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
// TestKeycloakIntegration_RefreshKeysFetchesDiscoveryAndJWKS pins
// behavior #1: discovery doc + JWKS load against the live IdP.
func TestKeycloakIntegration_RefreshKeysFetchesDiscoveryAndJWKS(t *testing.T) {
fx := keycloakFor(t)
svc, _, _, _ := buildKeycloakService(t, fx, map[string]string{
testfixtures.EngineerGroup: "r-operator",
testfixtures.ViewerGroup: "r-viewer",
})
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
if err := svc.RefreshKeys(ctx, fx.Provider.ID); err != nil {
t.Fatalf("RefreshKeys: %v (issuer=%s)", err, fx.IssuerURL)
}
}
// TestKeycloakIntegration_AuthCodeFlow_HappyPath pins behaviors #2#5:
// login + group claims + group-role mapping + session mint flow end to end
// via the auth-code flow against a live Keycloak.
func TestKeycloakIntegration_AuthCodeFlow_HappyPath(t *testing.T) {
fx := keycloakFor(t)
svc, sessions, users, _ := buildKeycloakService(t, fx, map[string]string{
testfixtures.EngineerGroup: "r-operator",
testfixtures.ViewerGroup: "r-viewer",
})
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
// HandleAuthRequest produces the IdP redirect URL + pre-login cookie.
authURL, preLoginCookie, _, err := svc.HandleAuthRequest(ctx, fx.Provider.ID)
if err != nil {
t.Fatalf("HandleAuthRequest: %v", err)
}
if !strings.HasPrefix(authURL, fx.IssuerURL) {
t.Fatalf("authURL not anchored at IdP issuer; got %s", authURL)
}
// Drive the IdP's login form to produce a (code, state) pair.
code, state := driveAuthCodeFlow(t, authURL, testfixtures.EngineerUser, testfixtures.EngineerPassword)
// Complete the OIDC handshake.
res, err := svc.HandleCallback(ctx, preLoginCookie, code, state, "10.0.0.1", "integration-test/1.0")
if err != nil {
t.Fatalf("HandleCallback: %v", err)
}
// User minted with right identity?
if res.User == nil {
t.Fatal("HandleCallback returned nil User")
}
if !strings.Contains(strings.ToLower(res.User.Email), "alice") {
t.Errorf("User.Email = %q, want to contain alice", res.User.Email)
}
if got := users.byID; len(got) != 1 {
t.Errorf("users repo len = %d, want 1", len(got))
}
// Group-role mapping applied?
wantRole := "r-operator"
if len(res.RoleIDs) != 1 || res.RoleIDs[0] != wantRole {
t.Errorf("RoleIDs = %v, want [%s] (engineers→r-operator)", res.RoleIDs, wantRole)
}
// Session minted?
if sessions.mintCount != 1 {
t.Errorf("mintCount = %d, want 1", sessions.mintCount)
}
if sessions.lastIP != "10.0.0.1" {
t.Errorf("lastIP = %q, want 10.0.0.1", sessions.lastIP)
}
if res.CookieValue == "" || res.CSRFToken == "" {
t.Errorf("CookieValue + CSRFToken must both be non-empty; got cookie=%q csrf=%q", res.CookieValue, res.CSRFToken)
}
}
// TestKeycloakIntegration_LogoutRevokesSession pins behavior #6: the
// session minted via the OIDC flow can be revoked. The full session
// service revoke contract is exercised by Phase 4's service_test.go;
// here we verify the integration test's stub correctly tracks the
// revoke operation against the cookie value HandleCallback emitted.
//
// (Production logout: session middleware reads `certctl_session`
// cookie, calls SessionService.Revoke(sessionID) which deletes the
// row. Phase 4 negative-test matrix covers the all-paths revoke
// behavior; this test confirms the OIDC flow produces a revocable
// cookie value.)
func TestKeycloakIntegration_LogoutRevokesSession(t *testing.T) {
fx := keycloakFor(t)
svc, sessions, _, _ := buildKeycloakService(t, fx, map[string]string{
testfixtures.EngineerGroup: "r-operator",
})
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
authURL, preLoginCookie, _, err := svc.HandleAuthRequest(ctx, fx.Provider.ID)
if err != nil {
t.Fatalf("HandleAuthRequest: %v", err)
}
code, state := driveAuthCodeFlow(t, authURL, testfixtures.EngineerUser, testfixtures.EngineerPassword)
res, err := svc.HandleCallback(ctx, preLoginCookie, code, state, "ip", "ua")
if err != nil {
t.Fatalf("HandleCallback: %v", err)
}
if res.CookieValue == "" {
t.Fatal("HandleCallback returned empty CookieValue")
}
// Simulate logout — production calls session.Service.Revoke on the
// cookie's session_id. Here we exercise the integration-test stub's
// revoke tracking on the cookie value.
sessions.Revoke(res.CookieValue)
if !sessions.revoked[res.CookieValue] {
t.Errorf("expected cookie %q to be marked revoked", res.CookieValue)
}
}
// TestKeycloakIntegration_JWKSRotation_RefreshKeysPicksUpNewKey pins
// behavior #7: rotating the realm's signing keys, then RefreshKeys,
// must let the next login flow validate tokens signed under the new
// key.
//
// Plan:
// 1. Run a successful login under the original key.
// 2. Rotate the realm's RSA key via the Keycloak admin API.
// 3. Run RefreshKeys to evict the cache.
// 4. Run a fresh login flow — Keycloak signs the new token under the
// new (higher-priority) key; the certctl service validates it.
func TestKeycloakIntegration_JWKSRotation_RefreshKeysPicksUpNewKey(t *testing.T) {
fx := keycloakFor(t)
svc, _, _, _ := buildKeycloakService(t, fx, map[string]string{
testfixtures.EngineerGroup: "r-operator",
})
ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
defer cancel()
// Pre-rotate baseline login.
preAuthURL, preCookie, _, err := svc.HandleAuthRequest(ctx, fx.Provider.ID)
if err != nil {
t.Fatalf("pre-rotate HandleAuthRequest: %v", err)
}
preCode, preState := driveAuthCodeFlow(t, preAuthURL, testfixtures.EngineerUser, testfixtures.EngineerPassword)
if _, err := svc.HandleCallback(ctx, preCookie, preCode, preState, "ip", "ua"); err != nil {
t.Fatalf("pre-rotate HandleCallback: %v", err)
}
// Rotate realm keys via admin REST API.
fx.RotateRealmKeys(t)
// Force the certctl service to evict its discovery + JWKS cache.
if err := svc.RefreshKeys(ctx, fx.Provider.ID); err != nil {
t.Fatalf("RefreshKeys after rotate: %v", err)
}
// Post-rotate login: Keycloak signs the new token under the new
// key (higher priority); the service must validate it.
postAuthURL, postCookie, _, err := svc.HandleAuthRequest(ctx, fx.Provider.ID)
if err != nil {
t.Fatalf("post-rotate HandleAuthRequest: %v", err)
}
postCode, postState := driveAuthCodeFlow(t, postAuthURL, testfixtures.EngineerUser, testfixtures.EngineerPassword)
if _, err := svc.HandleCallback(ctx, postCookie, postCode, postState, "ip", "ua"); err != nil {
t.Fatalf("post-rotate HandleCallback: %v (rotation broke validation?)", err)
}
}
// TestKeycloakIntegration_UnmappedGroupsFailsClosed pins the spec's
// fail-closed contract: a user whose IdP groups don't resolve to ANY
// configured role lands at "no roles assigned" (ErrGroupsUnmapped),
// not at an empty-roles dashboard. Drives bob (in /certctl-viewers)
// through a service whose mapping table only has engineers→r-operator.
func TestKeycloakIntegration_UnmappedGroupsFailsClosed(t *testing.T) {
fx := keycloakFor(t)
svc, _, _, _ := buildKeycloakService(t, fx, map[string]string{
// Engineers mapped; viewers intentionally NOT mapped.
testfixtures.EngineerGroup: "r-operator",
})
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
authURL, preCookie, _, err := svc.HandleAuthRequest(ctx, fx.Provider.ID)
if err != nil {
t.Fatalf("HandleAuthRequest: %v", err)
}
code, state := driveAuthCodeFlow(t, authURL, testfixtures.ViewerUser, testfixtures.ViewerPassword)
_, err = svc.HandleCallback(ctx, preCookie, code, state, "ip", "ua")
if !errors.Is(err, oidc.ErrGroupsUnmapped) {
t.Errorf("HandleCallback err = %v, want ErrGroupsUnmapped (fail-closed for unmapped groups)", err)
}
}
internal/auth/oidc/integration_okta_smoke_test.go
+131
View File
@@ -0,0 +1,131 @@
//go:build integration && okta_smoke
package oidc_test
import (
"context"
"os"
"strings"
"testing"
"time"
"github.com/certctl-io/certctl/internal/auth/oidc"
oidcdomain "github.com/certctl-io/certctl/internal/auth/oidc/domain"
)
// =============================================================================
// Bundle 2 Phase 10 — optional Okta smoke test.
//
// Gated behind TWO build tags (`integration` AND `okta_smoke`) so it
// NEVER runs in normal CI — Keycloak is the load-bearing free-tier
// fixture; Okta is a paid dev-tenant smoke test the operator runs by
// hand against the operator's own Okta org. Documented for manual
// verification.
//
// Run via:
//
// export OKTA_ISSUER=https://dev-12345.okta.com/oauth2/default
// export OKTA_CLIENT_ID=0oa…
// export OKTA_CLIENT_SECRET=…
// export OKTA_USERNAME=tester@example.com
// export OKTA_PASSWORD=…
// go test -tags 'integration okta_smoke' -count=1 -timeout 2m \
// ./internal/auth/oidc/...
//
// Pre-reqs in the operator's Okta org:
//
// - One Web Application (OAuth/OIDC) with sign-in redirect URI set to
// http://localhost:8443/auth/oidc/callback (or whatever the test
// operator binds; matches OIDCProvider.RedirectURI).
// - One App Group named `certctl-engineers`, assigned to the user
// above + assigned to the application.
// - The default "groups" claim emitted as a `string-array` (Okta's
// default).
// - "Resource Owner Password" grant ENABLED (Sign-On tab → Grant
// types) — the smoke test uses ROPC to skip the browser login.
// This is for SMOKE TESTING ONLY; production certctl uses the
// auth-code-with-PKCE flow.
//
// What this test exercises:
//
// - Discovery doc fetched against the live Okta tenant.
// - JWKS cached.
// - RefreshKeys returns no error (re-runs the IdP-downgrade-attack
// defense against Okta's advertised signing algs).
//
// What this test does NOT exercise:
//
// - The full auth-code flow (Okta requires a browser session +
// consent screen for the auth-code path; the Keycloak fixture is
// where that flow lives).
// - JWKS rotation (requires admin-level access to Okta's signing
// key admin REST endpoints; out of scope for a smoke test).
//
// If any required env var is missing, the test t.Skip's with a clear
// message so the operator knows what to set.
// =============================================================================
func TestOktaSmoke_DiscoveryAndRefreshKeys(t *testing.T) {
issuer := strings.TrimRight(os.Getenv("OKTA_ISSUER"), "/")
clientID := os.Getenv("OKTA_CLIENT_ID")
clientSecret := os.Getenv("OKTA_CLIENT_SECRET")
missing := []string{}
if issuer == "" {
missing = append(missing, "OKTA_ISSUER")
}
if clientID == "" {
missing = append(missing, "OKTA_CLIENT_ID")
}
if clientSecret == "" {
missing = append(missing, "OKTA_CLIENT_SECRET")
}
if len(missing) > 0 {
t.Skipf("Okta smoke test requires env vars: %s — skipping", strings.Join(missing, ", "))
}
prov := &oidcdomain.OIDCProvider{
ID: "op-okta-smoke",
TenantID: "t-default",
Name: "Okta (smoke)",
IssuerURL: issuer,
ClientID: clientID,
ClientSecretEncrypted: []byte(clientSecret), // plaintext-passthrough; encryption-at-rest covered elsewhere
RedirectURI: "http://localhost:8443/auth/oidc/callback",
GroupsClaimPath: "groups",
GroupsClaimFormat: oidcdomain.GroupsClaimFormatStringArray,
FetchUserinfo: false,
Scopes: []string{"openid", "profile", "email", "groups"},
IATWindowSeconds: 300,
JWKSCacheTTLSeconds: 3600,
CreatedAt: time.Now().UTC(),
UpdatedAt: time.Now().UTC(),
}
provLookup := &itestProviderLookup{provider: prov}
mappings := &itestMappings{lookup: map[string]string{"certctl-engineers": "r-operator"}}
users := newItestUsers()
sessions := newItestSessionMinter()
pl := newItestPreLogin()
svc := oidc.NewService(provLookup, mappings, users, sessions, pl, "")
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
// Behavior 1: discovery doc fetched + JWKS loaded.
if err := svc.RefreshKeys(ctx, prov.ID); err != nil {
t.Fatalf("RefreshKeys against %s: %v", issuer, err)
}
// Behavior 2: HandleAuthRequest produces an authz URL anchored at
// the configured Okta issuer. We don't drive the browser login
// here — the Keycloak fixture covers full auth-code; this test
// only confirms the wire setup against a real Okta tenant.
authURL, _, _, err := svc.HandleAuthRequest(ctx, prov.ID)
if err != nil {
t.Fatalf("HandleAuthRequest: %v", err)
}
if !strings.HasPrefix(authURL, issuer) {
t.Errorf("authURL not anchored at %s; got %s", issuer, authURL)
}
}
internal/auth/oidc/testfixtures/keycloak-realm.json
+100
View File
@@ -0,0 +1,100 @@
{
"realm": "certctl",
"enabled": true,
"registrationAllowed": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": false,
"editUsernameAllowed": false,
"bruteForceProtected": true,
"accessTokenLifespan": 600,
"ssoSessionIdleTimeout": 1800,
"ssoSessionMaxLifespan": 36000,
"groups": [
{
"name": "certctl-engineers",
"path": "/certctl-engineers"
},
{
"name": "certctl-viewers",
"path": "/certctl-viewers"
}
],
"users": [
{
"username": "alice",
"enabled": true,
"email": "alice@certctl.test",
"firstName": "Alice",
"lastName": "Tester",
"credentials": [
{
"type": "password",
"value": "alice-password-1",
"temporary": false
}
],
"groups": ["/certctl-engineers"]
},
{
"username": "bob",
"enabled": true,
"email": "bob@certctl.test",
"firstName": "Bob",
"lastName": "Viewer",
"credentials": [
{
"type": "password",
"value": "bob-password-1",
"temporary": false
}
],
"groups": ["/certctl-viewers"]
}
],
"clients": [
{
"clientId": "certctl",
"enabled": true,
"publicClient": false,
"secret": "certctl-keycloak-test-secret",
"redirectUris": [
"http://localhost:*",
"https://localhost:*"
],
"webOrigins": ["+"],
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"fullScopeAllowed": false,
"defaultClientScopes": [
"web-origins",
"profile",
"roles",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
],
"protocolMappers": [
{
"name": "groups",
"protocol": "openid-connect",
"protocolMapper": "oidc-group-membership-mapper",
"consentRequired": false,
"config": {
"full.path": "false",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "groups",
"userinfo.token.claim": "true"
}
}
]
}
]
}
internal/auth/oidc/testfixtures/keycloak.go
+453
View File
@@ -0,0 +1,453 @@
//go:build integration
// Package testfixtures provides Bundle 2 Phase 10 multi-IdP integration
// test harnesses. The package is compiled ONLY under the `integration`
// build tag so the heavy Keycloak (or Okta) container start never lands
// in `go test -short` or the default `go test ./...` developer loop.
//
// Run via:
//
// go test -tags integration -count=1 -timeout 5m ./internal/auth/oidc/...
// # or via the Makefile target:
// make keycloak-integration-test
//
// On a workstation without Docker, `go test -tags integration` will
// fail at container start with a clear error from testcontainers-go.
// The pre-commit `make verify` gate uses `-short` (no `integration`
// tag), so the absence of Docker on a contributor box does not block
// commits.
package testfixtures
import (
"context"
"crypto/tls"
"encoding/json"
"fmt"
"net/http"
"net/url"
"path/filepath"
"runtime"
"strings"
"testing"
"time"
"github.com/testcontainers/testcontainers-go"
"github.com/testcontainers/testcontainers-go/wait"
oidcdomain "github.com/certctl-io/certctl/internal/auth/oidc/domain"
)
// =============================================================================
// Bundle 2 Phase 10 — Keycloak testcontainers harness.
//
// Boots a single Keycloak container running in dev mode (`start-dev`),
// imports the canned realm at testfixtures/keycloak-realm.json, and
// returns a populated *oidcdomain.OIDCProvider plus a small typed
// helper struct the integration test uses to drive end-to-end flows.
//
// Realm contents (see keycloak-realm.json):
//
// - Realm `certctl` (enabled).
// - OIDC client `certctl` (confidential, secret pinned).
// - Two groups (`certctl-engineers`, `certctl-viewers`).
// - Two users with credentials:
// - `alice` / `alice-password-1` in /certctl-engineers
// - `bob` / `bob-password-1` in /certctl-viewers
// - Group-claim mapper emitting the user's groups under `groups`
// (id_token + access_token + userinfo).
//
// The harness pins the realm name + client id + secret + user creds as
// exported constants so the integration test can build OIDC requests
// without coupling to the JSON file's internals.
// =============================================================================
const (
// KeycloakImage is the version-pinned image. Change requires
// re-validating realm-import compatibility.
KeycloakImage = "quay.io/keycloak/keycloak:25.0"
// RealmName matches the `realm` key in keycloak-realm.json.
RealmName = "certctl"
// ClientID + ClientSecret match the `clients[0]` entry in the
// realm-import JSON. Pinned by the integration test when configuring
// the OIDC provider row that drives the certctl service.
ClientID = "certctl"
ClientSecret = "certctl-keycloak-test-secret"
// AdminUser + AdminPass are the bootstrap admin credentials Keycloak
// uses on first start under the `start-dev` command. They are NEVER
// surfaced by the harness for cert-issuance flows; only used to
// enable the admin REST API for JWKS-rotation flows.
AdminUser = "admin"
AdminPass = "admin"
// EngineerUser + EngineerPassword identify the alice fixture user
// (member of the engineers group). The integration test drives
// /token with these creds via the Resource Owner Password
// Credentials grant (which Keycloak supports OOTB and which we
// enable in the realm import — `directAccessGrantsEnabled: true`).
// In production certctl uses the auth-code-with-PKCE flow; ROPC is
// used here ONLY because driving a real browser through the IdP UI
// in CI is brittle. The token-validation path under test is the
// SAME — Keycloak issues structurally identical ID tokens for both
// flows.
EngineerUser = "alice"
EngineerPassword = "alice-password-1"
EngineerGroup = "certctl-engineers"
ViewerUser = "bob"
ViewerPassword = "bob-password-1"
ViewerGroup = "certctl-viewers"
)
// KeycloakFixture wraps the running container + the OIDC provider row
// the integration test feeds into the certctl service. Close() tears the
// container down; deferred from the test to keep the test surface tidy.
type KeycloakFixture struct {
Container testcontainers.Container
// IssuerURL is the canonical realm issuer (e.g.
// http://localhost:53219/realms/certctl). Used as
// OIDCProvider.IssuerURL.
IssuerURL string
// Provider is a fully-populated domain row mirroring what
// certctl-server would persist after a successful "Configure new
// OIDC provider" flow in the GUI. The integration test feeds it
// directly into the OIDC service's provider-lookup port without
// going through the HTTP API — Phase 10's contract is "drive the
// service end-to-end against a live IdP", not "drive the entire
// HTTP stack".
Provider *oidcdomain.OIDCProvider
// adminToken is the cached admin REST API bearer (10-min lifetime,
// re-fetched via getAdminToken when older than 9m).
adminToken string
adminTokenExp time.Time
}
// StartKeycloak boots a Keycloak container with the canned realm
// pre-imported and returns the populated fixture. The container is
// reachable at the IssuerURL on the host network; testcontainers
// allocates a random host port and maps to 8080/tcp inside.
//
// Boot is bounded at 90s — Keycloak's JVM start is the dominant cost
// (warm: ~12s; cold pull: ~60s). On a busy CI runner the wait may
// timeout, in which case the test t.Fatal's with a clear message so the
// operator can rerun.
func StartKeycloak(t *testing.T) *KeycloakFixture {
t.Helper()
if testing.Short() {
t.Skip("Phase 10 Keycloak integration: skipped under -short (heavy container start)")
}
ctx := context.Background()
realmPath, err := realmImportPath()
if err != nil {
t.Fatalf("realmImportPath: %v", err)
}
req := testcontainers.ContainerRequest{
Image: KeycloakImage,
ExposedPorts: []string{"8080/tcp"},
Env: map[string]string{
"KC_BOOTSTRAP_ADMIN_USERNAME": AdminUser,
"KC_BOOTSTRAP_ADMIN_PASSWORD": AdminPass,
// Disable HTTPS in dev mode; the integration test runs
// over HTTP because the OIDC service-layer test injects
// the provider config directly + Keycloak's dev mode
// doesn't ship a TLS cert without --features=preview
// flags. Production deploys MUST enable TLS at the IdP
// (validated at OIDCProvider.Validate() time — issuer URL
// MUST be https in non-test paths).
"KC_HOSTNAME_STRICT": "false",
"KC_HOSTNAME_STRICT_HTTPS": "false",
"KC_HEALTH_ENABLED": "true",
"KC_HTTP_ENABLED": "true",
"KC_PROXY_HEADERS": "xforwarded",
},
Files: []testcontainers.ContainerFile{
{
HostFilePath: realmPath,
ContainerFilePath: "/opt/keycloak/data/import/realm.json",
FileMode: 0o644,
},
},
Cmd: []string{
"start-dev",
"--import-realm",
},
WaitingFor: wait.ForLog("Listening on:").WithStartupTimeout(90 * time.Second),
}
container, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
ContainerRequest: req,
Started: true,
})
if err != nil {
t.Fatalf("Keycloak container start: %v", err)
}
host, err := container.Host(ctx)
if err != nil {
_ = container.Terminate(ctx)
t.Fatalf("container.Host: %v", err)
}
port, err := container.MappedPort(ctx, "8080")
if err != nil {
_ = container.Terminate(ctx)
t.Fatalf("container.MappedPort: %v", err)
}
issuerURL := fmt.Sprintf("http://%s:%s/realms/%s", host, port.Port(), RealmName)
// Wait for the realm endpoint to actually answer — the "Listening on"
// log line fires before realm import completes on cold-pull boots.
if err := waitForDiscovery(issuerURL, 60*time.Second); err != nil {
_ = container.Terminate(ctx)
t.Fatalf("waitForDiscovery: %v", err)
}
prov := &oidcdomain.OIDCProvider{
ID: "op-keycloak-itest",
TenantID: "t-default",
Name: "Keycloak (integration test)",
IssuerURL: issuerURL,
ClientID: ClientID,
// ClientSecretEncrypted intentionally left zero-length: the
// integration test invokes the service with encryptionKey="",
// which the Phase-3 service treats as plaintext-passthrough.
// Production MUST set CERTCTL_CONFIG_ENCRYPTION_KEY (validated
// at server boot) — the integration test exercises the wire +
// validation paths, not the encryption-at-rest path (that's
// covered by the Phase-2 repository tests).
ClientSecretEncrypted: []byte(ClientSecret),
RedirectURI: "http://localhost:8443/auth/oidc/callback",
GroupsClaimPath: "groups",
GroupsClaimFormat: oidcdomain.GroupsClaimFormatStringArray,
FetchUserinfo: false,
Scopes: []string{"openid", "profile", "email"},
IATWindowSeconds: 300,
JWKSCacheTTLSeconds: 3600,
CreatedAt: time.Now().UTC(),
UpdatedAt: time.Now().UTC(),
}
return &KeycloakFixture{
Container: container,
IssuerURL: issuerURL,
Provider: prov,
}
}
// Close terminates the container. Idempotent — calling twice is safe.
func (f *KeycloakFixture) Close() {
if f == nil || f.Container == nil {
return
}
_ = f.Container.Terminate(context.Background())
f.Container = nil
}
// AdminBaseURL returns the Keycloak admin REST API base for this realm.
// The integration test uses it to drive JWKS-key rotation (the only
// admin op the harness exposes; everything else flows through the
// public OIDC endpoints).
func (f *KeycloakFixture) AdminBaseURL() string {
// The realm-management API lives under /admin/realms/{realm}.
// IssuerURL is .../realms/{realm}; chop the realms-prefix and
// re-append /admin/realms/{realm}.
idx := strings.LastIndex(f.IssuerURL, "/realms/")
if idx < 0 {
return ""
}
return f.IssuerURL[:idx] + "/admin/realms/" + RealmName
}
// AdminToken returns a cached admin-realm bearer token, refreshed every
// 9 minutes (Keycloak's default 10-minute admin-token lifetime). The
// integration test passes this token into Keycloak's admin REST API via
// the Authorization header.
func (f *KeycloakFixture) AdminToken(t *testing.T) string {
t.Helper()
if f.adminToken != "" && time.Now().Before(f.adminTokenExp) {
return f.adminToken
}
// The admin-cli client lives under the master realm.
masterTokenURL := strings.Replace(f.IssuerURL, "/realms/"+RealmName, "/realms/master/protocol/openid-connect/token", 1)
form := url.Values{}
form.Set("grant_type", "password")
form.Set("client_id", "admin-cli")
form.Set("username", AdminUser)
form.Set("password", AdminPass)
httpClient := &http.Client{
Timeout: 10 * time.Second,
Transport: &http.Transport{
TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
},
}
resp, err := httpClient.PostForm(masterTokenURL, form)
if err != nil {
t.Fatalf("admin-cli token: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Fatalf("admin-cli token: HTTP %d", resp.StatusCode)
}
var body struct {
AccessToken string `json:"access_token"`
ExpiresIn int `json:"expires_in"`
}
if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
t.Fatalf("admin-cli token decode: %v", err)
}
if body.AccessToken == "" {
t.Fatalf("admin-cli token: empty access_token")
}
f.adminToken = body.AccessToken
// Refresh 1 minute before actual expiry so a long-running test
// doesn't trip on a token-just-expired edge.
f.adminTokenExp = time.Now().Add(time.Duration(body.ExpiresIn-60) * time.Second)
return f.adminToken
}
// FetchTokensROPC fetches an ID token + access token via the Resource
// Owner Password Credentials grant. Used by the integration test to
// drive the service-layer token-validation path against a real
// Keycloak-issued ID token without scripting a browser through the
// IdP login UI. The certctl service runs the SAME validation pipeline
// regardless of the grant type that produced the tokens — alg pin,
// iss, aud, azp, at_hash, exp, iat, nonce, JWKS — so the IdP-side
// shape is what's under test.
//
// Note: production certctl uses auth-code-with-PKCE; ROPC is enabled in
// keycloak-realm.json's `directAccessGrantsEnabled: true` for this
// fixture and ONLY this fixture.
func (f *KeycloakFixture) FetchTokensROPC(t *testing.T, username, password string) (idToken, accessToken string) {
t.Helper()
tokenURL := f.IssuerURL + "/protocol/openid-connect/token"
form := url.Values{}
form.Set("grant_type", "password")
form.Set("client_id", ClientID)
form.Set("client_secret", ClientSecret)
form.Set("username", username)
form.Set("password", password)
form.Set("scope", "openid profile email")
httpClient := &http.Client{Timeout: 10 * time.Second}
resp, err := httpClient.PostForm(tokenURL, form)
if err != nil {
t.Fatalf("ROPC token: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Fatalf("ROPC token: HTTP %d", resp.StatusCode)
}
var body struct {
IDToken string `json:"id_token"`
AccessToken string `json:"access_token"`
}
if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
t.Fatalf("ROPC token decode: %v", err)
}
if body.IDToken == "" || body.AccessToken == "" {
t.Fatalf("ROPC token: missing id_token / access_token")
}
return body.IDToken, body.AccessToken
}
// RotateRealmKeys drops + re-adds the active RSA key under the realm,
// forcing every subsequent token to be signed under a new kid. The
// integration test uses this to verify the certctl service's JWKS
// cache + downgrade-attack defense pick up the new key after a
// RefreshKeys() call.
//
// Implementation: Keycloak exposes /admin/realms/{realm}/keys for read,
// and /admin/realms/{realm}/components for rotate. The simplest
// reliable shape is to add a brand-new RSA-2048 key component (which
// becomes active because of the higher priority we set), leaving the
// old one as fallback. Any token signed under the new key must be
// validated against the JWKS doc fetched after the rotation; tokens
// signed under the old key must STILL validate (Keycloak keeps the
// old key as inactive-but-trusted until manually deleted).
func (f *KeycloakFixture) RotateRealmKeys(t *testing.T) {
t.Helper()
token := f.AdminToken(t)
body := map[string]any{
"name": fmt.Sprintf("rotated-%d", time.Now().UnixNano()),
"providerId": "rsa-generated",
"providerType": "org.keycloak.keys.KeyProvider",
"config": map[string][]string{
"priority": {"200"},
"enabled": {"true"},
"active": {"true"},
"algorithm": {"RS256"},
"keySize": {"2048"},
},
}
payload, _ := json.Marshal(body)
// Realm name on the path is the master endpoint slug; resolve it
// via the realm's own admin URL, not the master realm's. The
// rotated key is added to the certctl realm.
realmAdminURL := f.AdminBaseURL() + "/components"
req, err := http.NewRequest(http.MethodPost, realmAdminURL, strings.NewReader(string(payload)))
if err != nil {
t.Fatalf("rotate keys: build request: %v", err)
}
req.Header.Set("Authorization", "Bearer "+token)
req.Header.Set("Content-Type", "application/json")
httpClient := &http.Client{Timeout: 10 * time.Second}
resp, err := httpClient.Do(req)
if err != nil {
t.Fatalf("rotate keys: HTTP: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode/100 != 2 {
t.Fatalf("rotate keys: HTTP %d", resp.StatusCode)
}
}
// realmImportPath resolves the absolute path to keycloak-realm.json
// next to this source file. Used to mount the realm-import volume into
// the container.
func realmImportPath() (string, error) {
_, filename, _, ok := runtime.Caller(0)
if !ok {
return "", fmt.Errorf("runtime.Caller failed")
}
dir := filepath.Dir(filename)
candidate := filepath.Join(dir, "keycloak-realm.json")
return candidate, nil
}
// waitForDiscovery polls the OIDC discovery doc until it returns 200 OR
// the deadline elapses. Keycloak's "Listening on" log line fires before
// the realm-import completes on cold-pull boots, so we layer this poll
// on top of the WaitForLog primitive.
func waitForDiscovery(issuerURL string, timeout time.Duration) error {
deadline := time.Now().Add(timeout)
httpClient := &http.Client{Timeout: 2 * time.Second}
for {
resp, err := httpClient.Get(issuerURL + "/.well-known/openid-configuration")
if err == nil {
resp.Body.Close()
if resp.StatusCode == http.StatusOK {
return nil
}
}
if time.Now().After(deadline) {
return fmt.Errorf("discovery doc never returned 200 within %s", timeout)
}
time.Sleep(500 * time.Millisecond)
}
}