opendev/system-config
Code Issues Proposed changes
fd55aa261d
system-config/testinfra/test_keycloak.py

33 lines
1.2 KiB
Python
Raw Normal View History

Add a keycloak server This adds a keycloak server so we can start experimenting with it. It's based on the docker-compose file Matthieu made for Zuul (see https://review.opendev.org/819745 ) We should be able to configure a realm and federate with openstackid and other providers as described in the opendev auth spec. However, I am unable to test federation with openstackid due its inability to configure an oauth app at "localhost". Therefore, we will need an actual deployed system to test it. This should allow us to do so. It will also allow use to connect realms to the newly available Zuul admin api on opendev. It should be possible to configure the realm the way we want, then export its configuration into a JSON file and then have our playbooks or the docker-compose file import it. That would allow us to drive change to the configuration of the system through code review. Because of the above limitation with openstackid, I think we should regard the current implementation as experimental. Once we have a realm configuration that we like (which we will create using the GUI), we can chose to either continue to maintain the config with the GUI and appropriate file backups, or switch to a gitops model based on an export. My understanding is that all the data (realms configuration and session) are kept in an H2 database. This is probably sufficient for now and even production use with Zuul, but we should probably switch to mariadb before any heavy (eg gerrit, etc) production use. This is a partial implementation of https://docs.opendev.org/opendev/infra-specs/latest/specs/central-auth.html We can re-deploy with a new domain when it exists. Change-Id: I2e069b1b220dbd3e0a5754ac094c2b296c141753 Co-Authored-By: Matthieu Huin <mhuin@redhat.com>
2021-11-30 13:03:12 -08:00
# Copyright 2018 Red Hat, Inc.
# Copyright 2021 Acme Gating, LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
testinfra_hosts = ['keycloak01.opendev.org']
def test_keycloak_listening(host):
keycloak = host.socket("tcp://127.0.0.1:8080")
assert keycloak.is_listening
Correct keycloak proxy config Some extra steps are needed to use keycloak with a reverse proxy. This adjusts the apache config to send the required headers and the keycloak server config to use them. Since the openid configuration json page is constructed entirely from these headers (and not from static configuration), this is a good test that the entire system is working. Change-Id: I662dc85836d640cb732f12f39e9a61607767fcf3
2021-12-04 10:49:11 -08:00
def test_keycloak_openid_config(host):
# This tests the proxy config since the output is determined by
# the proxy headers and is not hard-coded configuration.
cmd = host.run('curl --insecure '
'--resolve keycloak.opendev.org:443:127.0.0.1 '
'https://keycloak.opendev.org/auth/realms/master'
'/.well-known/openid-configuration')
assert ('"issuer":"https://keycloak.opendev.org/auth/realms/master"'
in cmd.stdout)
Copy Permalink