Added test of client role to JWT tests
Issue-ID: NONRTRIC-744
Signed-off-by: BjornMagnussonXA <bjorn.magnusson@est.tech>
Change-Id: I6bbb5a05cecbfe5e3cbacdc8eb9bea6ae655e073
diff --git a/test/auto-test/FTC1100.sh b/test/auto-test/FTC1100.sh
index 82bb8dd..090481a 100755
--- a/test/auto-test/FTC1100.sh
+++ b/test/auto-test/FTC1100.sh
@@ -106,6 +106,8 @@
keycloak_api_create_confidential_client nrtrealm icsc
keycloak_api_generate_client_secret nrtrealm icsc
keycloak_api_get_client_secret nrtrealm icsc
+ keycloak_api_create_client_roles nrtrealm icsc nrtrole
+ keycloak_api_map_client_roles nrtrealm icsc nrtrole
keycloak_api_get_client_token nrtrealm icsc
@@ -119,13 +121,13 @@
istio_auth_policy_by_issuer $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY
istio_req_auth_by_jwksuri $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
- istio_auth_policy_by_realm $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
+ istio_auth_policy_by_realm $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm icsc nrtrole
istio_req_auth_by_jwks $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS"
istio_auth_policy_by_issuer $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY
istio_req_auth_by_jwksuri $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
- istio_auth_policy_by_realm $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
+ istio_auth_policy_by_realm $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm icsc nrtrole
ics_configure_sec nrtrealm icsc $ICS_SEC
diff --git a/test/common/istio_api_functions.sh b/test/common/istio_api_functions.sh
index 2afc3f9..1eb7336 100644
--- a/test/common/istio_api_functions.sh
+++ b/test/common/istio_api_functions.sh
@@ -189,11 +189,11 @@
}
# Authorization policy - by realm
-# args: <app> <namespace> <realam>
+# args: <app> <namespace> <realam> [<client-id> <client-role>]
istio_auth_policy_by_realm() {
__log_conf_start $@
- if [ $# -ne 3 ]; then
- __print_err "<app> <namespace> <realam>" $@
+ if [ $# -ne 3 ] && [ $# -ne 5 ]; then
+ __print_err "<app> <namespace> <realam> [<client-id> <client-role>]" $@
return 1
fi
name="ap-realm-"$3"-"$1"-"$2
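Review bot: The updated usage comment and the `__print_err` text both keep the misspelling `<realam>` for the third argument; since these two lines are being rewritten anyway, spell it `<realm>` in both places, e.g. `# args: <app> <namespace> <realm> [<client-id> <client-role>]` and `__print_err "<app> <namespace> <realm> [<client-id> <client-role>]" "$@"`. `$@` is still passed unquoted to `__log_conf_start` and `__print_err`, which word-splits any argument containing whitespace; `"$@"` is the safe form. The function body continues past the end of this hunk.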
@@ -208,6 +208,17 @@
__log_conf_fail_general "Cannot substitute yaml: $inputfile"
return 1
fi
+ if [ $# -gt 3 ]; then
+ export ISTIO_TEMPLATE_REPLACE_AP_CLIENT=$4
+ export ISTIO_TEMPLATE_REPLACE_AP_ROLE=$5
+ inputfile=$SIM_GROUP/$ISTIO_COMPOSE_DIR/ap-role-snippet.yaml
+ envsubst < $inputfile >> $outputfile
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general "Cannot substitute yaml: $inputfile"
+ return 1
+ fi
+ fi
+
kubectl $KUBECONF apply -f $outputfile &> tmp/kubeerr
if [ $? -ne 0 ]; then
__log_conf_fail_general "Cannot apply yaml: $outputfile"
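Review bot: The client id and role taken from `$4` and `$5` are exported and substituted into the policy YAML by envsubst without any validation, so a value containing `]`, `"` or whitespace yields a malformed claim key or YAML instead of an error from this function; since the argument-count check already distinguishes the 5-argument form, add a shape check before the exports, e.g. `[[ "$4" =~ ^[A-Za-z0-9._-]+$ && "$5" =~ ^[A-Za-z0-9._-]+$ ]] || { __print_err "<client-id> and <client-role> must be plain identifiers" "$@"; return 1; }`. The snippet is appended verbatim after the base policy with `>>`, so the result is presumably only valid if the base template ends inside a rule where a `when:` at the snippet's indentation is legal — that dependency deserves a comment on the append line. The enclosing function starts outside this hunk.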
diff --git a/test/common/keycloak_api_functions.sh b/test/common/keycloak_api_functions.sh
index 828dcb3..7f49595 100644
--- a/test/common/keycloak_api_functions.sh
+++ b/test/common/keycloak_api_functions.sh
@@ -280,41 +280,6 @@
return 0
}
-# # Excute a curl cmd towards the keycloak and check the response code is 2XX.
-# # args: <command-file>
-# # resp: <returned-payload> if return code is 0 otherwise <error-info>
-# __execute_curl_to_keycloak2() {
-
-# # TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
-# # echo "(${BASH_LINENO[0]}) - ${TIMESTAMP}: ${FUNCNAME[0]}" $@ >> $HTTPLOG
-# proxyflag=""
-# if [ ! -z "$KUBE_PROXY_PATH" ]; then
-# if [ $KUBE_PROXY_HTTPX == "http" ]; then
-# proxyflag=" --proxy $KUBE_PROXY_PATH"
-# else
-# proxyflag=" --proxy-insecure --proxy $KUBE_PROXY_PATH"
-# fi
-# fi
-# __cmd="curl -skw %{http_code} $proxyflag "$(< $1)
-# echo " CMD: $__cmd" >> $HTTPLOG
-# res=$(curl -skw %{http_code} $proxyflag $(< $1))
-# echo " RESP: $res" >> $HTTPLOG
-# retcode=$?
-# if [ $retcode -ne 0 ]; then
-# __log_conf_fail_general " Fatal error when executing curl, response: "$retcode
-# echo "$res"
-# return 1
-# fi
-# status=${res:${#res}-3}
-# if [ $status -lt 200 ] && [ $status -gt 299 ]; then
-# __log_conf_fail_status_code "2XX" $status
-# echo "$res"
-# return 1
-# fi
-# echo ${res:0:${#res}-3}
-# return 0
-# }
-
# Excute a curl cmd towards the keycloak and check the response code is 2XX.
# args: <operation> <url> <token> <json>
# resp: <returned-payload> if return code is 0 otherwise <error-info>
@@ -464,11 +429,11 @@
TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
echo "(${BASH_LINENO[0]}) - ${TIMESTAMP}: ${FUNCNAME[0]}" $@ >> $HTTPLOG
- res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/clients$2/service-account-user" "$__KEYCLOAK_ADMIN_TOKEN")
+ res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/clients/$2/service-account-user" "$__KEYCLOAK_ADMIN_TOKEN")
if [ $? -ne 0 ]; then
return 1
fi
- echo $res | jq -r '.[0].id'
+ echo $res | jq -r '.id'
return 0
}
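Review bot: The corrected jq line still feeds `$res` to `echo` unquoted, so the JSON payload is word-split and glob-expanded before jq sees it; `printf '%s' "$res" | jq -r '.id'` avoids that. If the response has no `id` field, `jq -r '.id'` prints `null` and the function still returns 0, so a caller such as the new role-mapping code would carry `null` forward as the service-account id; `jq -e -r '.id'` plus a status check closes that gap. The enclosing function starts outside this hunk.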
@@ -543,6 +508,75 @@
return 0
}
+# Get client role id
+# args: <realm-name> <service-account-name> <client-name> <role-name>
+__get_client_available_role_id() {
+ res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/users/$2/role-mappings/clients/$3/available" "$__KEYCLOAK_ADMIN_TOKEN")
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting availiable client role id, response: "$?
+ return 1
+ fi
+ __client_role_id=$(echo $res | jq -r '.[] | select(.name=="'$4'") | .id ')
+ echo $__client_role_id
+ return 0
+}
+
+# Map roles to a client
+# args: <realm-name> <client-name> <role>+
+keycloak_api_map_client_roles() {
+ __log_conf_start $@
+ __c_id=$(__keycloak_api_get_client_id $1 $2)
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting client id, response: "$?
+ return 1
+ fi
+ __sa_id=$(__keycloak_api_get_service_account_id $1 $__c_id)
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting service account id, response: "$?
+ return 1
+ fi
+ __realm=$1
+ shift; shift;
+ __json="["
+ __cntr=0
+ while [ $# -gt 0 ]; do
+ __client_role_id=$(__get_client_available_role_id $__realm $__sa_id $__c_id $1)
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting client role id, response: "$?
+ return 1
+ fi
+ __role='{"name":"'$1'","id":"'$__client_role_id'","composite": false,"clientRole": true}'
+ if [ $__cntr -gt 0 ]; then
+ __json=$__json","
+ fi
+ __json=$__json$__role
+ let __cntr=__cntr+1
+ shift
+ done
+ __json=$__json"]"
+
+ res=$(__execute_curl_to_keycloak2 POST "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$__realm/users/$__sa_id/role-mappings/clients/$__c_id" "$__KEYCLOAK_ADMIN_TOKEN" "$__json")
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when mapping client roles, response: "$?
+ return 1
+ fi
+
+
+
+
+ # while [ $# -gt 0 ]; do
+ # __json='{"name":"'$1'"}'
+ # res=$(__execute_curl_to_keycloak2 POST "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$__realm/clients/$__c_id/roles" "$__KEYCLOAK_ADMIN_TOKEN" "$__json")
+ # if [ $? -ne 0 ]; then
+ # __log_conf_fail_general " Fatal error when adding client role, response: "$?
+ # return 1
+ # fi
+ # shift
+ # done
+ __log_conf_ok
+ return 0
+}
+
# Get a client token
# args: <realm-name> <client-name>
keycloak_api_get_client_token() {
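Review bot: Every `response: "$?` in the two new functions logs the exit status of the `[ $? -ne 0 ]` test that was just evaluated, which is always 0 inside the then-branch, so all five failure messages report `response: 0` regardless of what the command substitution returned; save the status first (`rc=$?` directly after each `res=$(...)` / `__c_id=$(...)` line, then `if [ $rc -ne 0 ]` and log `$rc`). In `__get_client_available_role_id` the role name is spliced into the jq program text, and an unmatched name produces an empty id that is returned with status 0 and then posted as `"id":""`; pass the name with `--arg` and treat an empty result as a failure, as in the rewritten helper below. The commented-out loop after the POST and the blank lines above it are dead code and should be dropped, and `let __cntr=__cntr+1` is better written `__cntr=$((__cntr + 1))`.
```shell
__get_client_available_role_id() {
    res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/users/$2/role-mappings/clients/$3/available" "$__KEYCLOAK_ADMIN_TOKEN")
    rc=$?
    if [ $rc -ne 0 ]; then
        __log_conf_fail_general " Fatal error when getting availiable client role id, response: "$rc
        return 1
    fi
    # --arg keeps the role name out of the jq program text; an unmatched name is an error, not an empty id
    __client_role_id=$(printf '%s' "$res" | jq -r --arg n "$4" '.[] | select(.name==$n) | .id')
    if [ -z "$__client_role_id" ]; then
        __log_conf_fail_general " Client role $4 not found among available roles for client $3"
        return 1
    fi
    echo "$__client_role_id"
    return 0
}
# … unchanged: keycloak_api_map_client_roles, with the same rc=$? capture applied to each check …
```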
diff --git a/test/simulator-group/istio/ap-role-snippet.yaml b/test/simulator-group/istio/ap-role-snippet.yaml
new file mode 100644
index 0000000..0107a4f
--- /dev/null
+++ b/test/simulator-group/istio/ap-role-snippet.yaml
@@ -0,0 +1,3 @@
+ when:
+ - key: request.auth.claims[resource_access][${ISTIO_TEMPLATE_REPLACE_AP_CLIENT}][roles]
+ values: ["${ISTIO_TEMPLATE_REPLACE_AP_ROLE}"]
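Review bot: The new snippet carries no comment saying where it is consumed or what it depends on, and it is only valid when appended at exactly the indentation of the rule it extends in the base policy. Add a header line such as `# Appended by istio_auth_policy_by_realm via envsubst; ISTIO_TEMPLATE_REPLACE_AP_CLIENT/_ROLE are set by the caller and the indentation must match the rule it extends in the base AuthorizationPolicy.`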