8000 Enable jwksuri tests with keycloak by vepatel · Pull Request #7396 · nginx/kubernetes-ingress · GitHub
[go: up one dir, main page]
Skip to content

Enable jwksuri tests with keycloak #7396

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Feb 24, 2025
Merged

Enable jwksuri tests with keycloak #7396

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e9abc97
enable jwksuri tests with keycloak
vepatel Feb 24, 2025
c47ee6a
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Feb 24, 2025
8f5a2d1
Merge branch 'main' into tests/update-jwksuri-keycloak
vepatel Feb 24, 2025
281d5e9
override pre-commit hook linting
vepatel Feb 24, 2025
4e60ff1
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Feb 24, 2025
8000
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions tests/data/jwt-policy-jwksuri/configmap/nginx-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,5 +5,3 @@ metadata:
namespace: nginx-ingress
data:
resolver-addresses: "kube-dns.kube-system.svc.cluster.local"
http-snippets: |
subrequest_output_buffer_size 64k;
2 changes: 1 addition & 1 deletion tests/data/jwt-policy-jwksuri/policies/jwt-policy-invalid.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,5 @@ spec:
jwt:
realm: MyProductAPI
token: $$http_token
jwksURI: https://login.microsoftonline.com/dd3dfd2f-6a3b-40d1-9be0-bf8327d81c50/discovery/v2.0/keys
jwksURI: http://keycloak.default.svc.cluster.local:8080/realms/jwks-example/protocol/openid-connect/certs
keyCache: 1h
2 changes: 1 addition & 1 deletion tests/data/jwt-policy-jwksuri/policies/jwt-policy-valid.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,5 @@ spec:
jwt:
realm: MyProductAPI
token: $http_token
jwksURI: https://login.microsoftonline.com/dd3dfd2f-6a3b-40d1-9be0-bf8327d81c50/discovery/v2.0/keys
jwksURI: http://keycloak.default.svc.cluster.local:8080/realms/jwks-example/protocol/openid-connect/certs
keyCache: 1h
193 changes: 166 additions & 27 deletions tests/suite/test_jwt_policies_jwksuri.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,29 @@
import secrets
from unittest import mock

import pytest
import requests
import yaml
from settings import TEST_DATA
from suite.utils.policy_resources_utils import create_policy_from_ya 10BC0 ml, delete_policy
from suite.utils.resources_utils import replace_configmap_from_yaml, wait_before_test
from suite.utils.policy_resources_utils import delete_policy
from suite.utils.resources_utils import (
create_example_app,
create_secret_from_yaml,
delete_common_app,
delete_secret,
replace_configmap_from_yaml,
wait_before_test,
wait_until_all_pods_are_ready,
)
from suite.utils.vs_vsr_resources_utils import (
create_virtual_server_from_yaml,
delete_and_create_vs_from_yaml,
delete_virtual_server,
)

username = "nginx-user-" + secrets.token_hex(4)
password = secrets.token_hex(8)
realm_name = "jwks-example"
std_vs_src = f"{TEST_DATA}/virtual-server/standard/virtual-server.yaml"
jwt_pol_valid_src = f"{TEST_DATA}/jwt-policy-jwksuri/policies/jwt-policy-valid.yaml"
jwt_pol_invalid_src = f"{TEST_DATA}/jwt-policy-jwksuri/policies/jwt-policy-invalid.yaml"
Expand All @@ -27,34 +40,136 @@
f"{TEST_DATA}/jwt-policy-jwksuri/virtual-server/virtual-server-invalid-policy-route-subpath.yaml"
)
jwt_cm_src = f"{TEST_DATA}/jwt-policy-jwksuri/configmap/nginx-config.yaml"
ad_tenant = "dd3dfd2f-6a3b-40d1-9be0-bf8327d81c50"
client_id = "8a172a83-a630-41a4-9ca6-1e5ef03cd7e7"
keycloak_src = f"{TEST_DATA}/oidc/keycloak.yaml"
keycloak_vs_src = f"{TEST_DATA}/oidc/virtual-server-idp.yaml"


def get_token(request):
class KeycloakSetup:
"""
get jwt token from azure ad endpoint
Attributes:
token (str):
"""

def __init__(self, token):
self.token = token


@pytest.fixture(scope="class")
def keycloak_setup(request, kube_apis, test_namespace, ingress_controller_endpoint):

# Create Keycloak resources and setup Keycloak idp

secret_name = create_secret_from_yaml(
kube_apis.v1, test_namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml"
)
keycloak_address = "keycloak.example.com"
create_example_app(kube_apis, "keycloak", test_namespace)
wait_before_test()
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
keycloak_vs_name = create_virtual_server_from_yaml(kube_apis.custom_objects, keycloak_vs_src, test_namespace)
wait_before_test()

# Get token
url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/realms/master/protocol/openid-connect/token"
headers = {"Host": keycloak_address, "Content-Type": "application/x-www-form-urlencoded"}
data = {"username": "admin", "password": "admin", "grant_type": "password", "client_id": "admin-cli"}

response = requests.post(url, headers=headers, data=data, verify=False)
admin_token = response.json()["access_token"]

# Create realm "jwks-example"
create_realm_url = (
f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/admin/realms"
)
headers = {"Content-Type": "application/json", "Authorization": f"Bearer {admin_token}", "Host": keycloak_address}
payload = {
"realm": realm_name,
"enabled": True,
}
response = requests.post(create_realm_url, headers=headers, json=payload, verify=False)

# Create a user and set credentials
create_user_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/admin/realms/{realm_name}/users"
headers = {"Content-Type": "application/json", "Authorization": f"Bearer {admin_token}", "Host": keycloak_address}
user_payload = {
"username": username,
"enabled": True,
"email": "jwks.user@example.com",
"emailVerified": True,
"firstName": "Jwks",
"lastName": "User",
"credentials": [{"type": "password", "value": password, "temporary": False}],
"requiredActions": [],
}
response = requests.post(create_user_url, headers=headers, json=user_payload, verify=False)

# Create a client
headers = {"Content-Type": "application/json", "Authorization": f"Bearer {admin_token}", "Host": keycloak_address}
create_client_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/admin/realms/{realm_name}/clients"
client_payload = {
"clientId": "jwks-client",
"enabled": True,
"protocol": "openid-connect",
"publicClient": False,
"directAccessGrantsEnabled": True,
"standardFlowEnabled": True,
"implicitFlowEnabled": False,
"serviceAccountsEnabled": True,
"authorizationServicesEnabled": True,
"clientAuthenticatorType": "client-secret",
"redirectUris": ["*"],
"webOrigins": ["*"],
"attributes": {
"access.token.lifespan": "3600",
"id.token.lifespan": "3600",
"service.accounts.enabled": "true",
},
}
client_resp = requests.post(create_client_url, headers=headers, json=client_payload, verify=False)
if client_resp.status_code not in (200, 201):
pytest.fail(f"Failed to create client: {client_resp.text}")
location = client_resp.headers["Location"]
client_id = location.split("/")[-1]

# Get the client secret
get_secret_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/admin/realms/{realm_name}/clients/{client_id}/client-secret"
secret_resp = requests.get(get_secret_url, headers=headers, verify=False)
secret = secret_resp.json()["value"]

data = {
"client_id": f"{client_id}",
"scope": ".default",
"client_secret": request.config.getoption("--ad-secret"),
"grant_type": "client_credentials",
"grant_type": "password",
"scope": "openid",
"client_id": "jwks-client",
"client_secret": secret,
"username": username,
"password": password,
}
ad_response = requests.get(
f"https://login.microsoftonline.com/{ad_tenant}/oauth2/token",
url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/realms/{realm_name}/protocol/openid-connect/token"
response = requests.post(
url,
headers={"Host": keycloak_address, "Content-Type": "application/x-www-form-urlencoded"},
data=data,
timeout=5,
headers={"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Chrome/76.0.3809.100"},
verify=False,
)

if ad_response.status_code == 200:
return ad_response.json()["access_token"]
pytest.fail("Unable to request Azure token endpoint")
if response.status_code != 200:
pytest.fail(f"Failed to get token from Keycloak: {response.text}")

token = response.json().get("access_token")

def fin():
if request.config.getoption("--skip-fixture-teardown") == "no":
print("Delete Keycloak resources")
delete_virtual_server(kube_apis.custom_objects, keycloak_vs_name, test_namespace)
delete_common_app(kube_apis, "keycloak", test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)

request.addfinalizer(fin)

return KeycloakSetup(token)


@pytest.mark.skip_for_nginx_oss
@pytest.mark.skip(reason="issues with IdP communication")
@pytest.mark.policies
@pytest.mark.parametrize(
"crd_ingress_controller, virtual_server_setup",
Expand Down Expand Up @@ -85,6 +200,7 @@ def test_jwt_policy_jwksuri(
crd_ingress_controller,
virtual_server_setup,
test_namespace,
keycloak_setup,
jwt_virtual_server,
):
"""
Expand All @@ -96,7 +212,12 @@ def test_jwt_policy_jwksuri(
ingress_controller_prerequisites.namespace,
jwt_cm_src,
)
pol_name = create_policy_from_yaml(kube_apis.custom_objects, jwt_pol_valid_src, test_namespace)
with open(jwt_pol_valid_src) as f:
doc = yaml.safe_load(f)
pol_name = doc["metadata"]["name"]
doc["spec"]["jwt"]["jwksURI"] = doc["spec"]["jwt"]["jwksURI"].replace("default", test_namespace)
kube_apis.custom_objects.create_namespaced_custom_object("k8s.nginx.org", "v1", test_namespace, "policies", doc)
print(f"Policy created with name {pol_name}")
wait_before_test()

print(f"Patch vs with policy: {jwt_virtual_server}")
Expand All @@ -106,6 +227,7 @@ def test_jwt_policy_jwksuri(
jwt_virtual_server,
virtual_server_setup.namespace,
)
wait_before_test()
resp_no_token = mock.Mock()
resp_no_token.status_code == 502
counter = 0
Expand All @@ -118,14 +240,13 @@ def test_jwt_policy_jwksuri(
wait_before_test()
counter += 1

token = get_token(request)
token = keycloak_setup.token

resp_valid_token = requests.get(
virtual_server_setup.backend_1_url,
headers={"host": virtual_server_setup.vs_host, "token": token},
timeout=5,
)

delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
wait_before_test()

Expand All @@ -148,6 +269,7 @@ def test_jwt_invalid_policy_jwksuri(
crd_ingress_controller,
virtual_server_setup,
test_namespace,
keycloak_setup,
jwt_virtual_server,
):
"""
Expand All @@ -159,7 +281,12 @@ def test_jwt_invalid_policy_jwksuri(
ingress_controller_prerequisites.namespace,
jwt_cm_src,
)
pol_name = create_policy_from_yaml(kube_apis.custom_objects, jwt_pol_invalid_src, test_namespace)
with open(jwt_pol_invalid_src) as f:
doc = yaml.safe_load(f)
pol_name = doc["metadata"]["name"]
doc["spec"]["jwt"]["jwksURI"] = doc["spec"]["jwt"]["jwksURI"].replace("default", test_namespace)
kube_apis.custom_objects.create_namespaced_custom_object("k8s.nginx.org", "v1", test_namespace, "policies", doc)
print(f"Policy created with name {pol_name}")
wait_before_test()

print(f"Patch vs with policy: {jwt_virtual_server}")
Expand All @@ -176,7 +303,7 @@ def test_jwt_invalid_policy_jwksuri(
headers={"host": virtual_server_setup.vs_host},
)

token = get_token(request)
token = keycloak_setup.token

resp2 = requests.get(
virtual_server_setup.backend_1_url,
Expand Down Expand Up @@ -204,6 +331,7 @@ def test_jwt_policy_subroute_jwksuri(
crd_ingress_controller,
virtual_server_setup,
test_namespace,
keycloak_setup,
jwt_virtual_server,
):
"""
Expand All @@ -215,7 +343,12 @@ def test_jwt_policy_subroute_jwksuri(
ingress_controller_prerequisites.namespace,
jwt_cm_src,
)
pol_name = create_policy_from_yaml(kube_apis.custom_objects, jwt_pol_valid_src, test_namespace)
with open(jwt_pol_valid_src) as f:
doc = yaml.safe_load(f)
pol_name = doc["metadata"]["name"]
doc["spec"]["jwt"]["jwksURI"] = doc["spec"]["jwt"]["jwksURI"].replace("default", test_namespace)
kube_apis.custom_objects.create_namespaced_custom_object("k8s.nginx.org", "v1", test_namespace, "policies", doc)
print(f"Policy created with name {pol_name}")
wait_before_test()

print(f"Patch vs with policy: {jwt_virtual_server}")
Expand All @@ -237,7 +370,7 @@ def test_jwt_policy_subroute_jwksuri(
wait_before_test()
counter += 1

token = get_token(request)
token = keycloak_setup.token

resp_valid_token = requests.get(
virtual_server_setup.backend_1_url + "/subpath1",
Expand Down Expand Up @@ -265,6 +398,7 @@ def test_jwt_policy_subroute_jwksuri_multiple_vs(
ingress_controller_prerequisites,
crd_ingress_controller,
virtual_server_setup,
keycloak_setup,
test_namespace,
):
"""
Expand All @@ -276,7 +410,12 @@ def test_jwt_policy_subroute_jwksuri_multiple_vs(
ingress_controller_prerequisites.namespace,
jwt_cm_src,
)
pol_name = create_policy_from_yaml(kube_apis.custom_objects, jwt_pol_valid_src, test_namespace)
with open(jwt_pol_valid_src) as f:
doc = yaml.safe_load(f)
pol_name = doc["metadata"]["name"]
doc["spec"]["jwt"]["jwksURI"] = doc["spec"]["jwt"]["jwksURI"].replace("default", test_namespace)
kube_apis.custom_objects.create_namespaced_custom_object("k8s.nginx.org", "v1", test_namespace, "policies", doc)
print(f"Policy created with name {pol_name}")
wait_before_test()

print(f"Patch first vs with policy: {jwt_vs_route_subpath_src}")
Expand Down Expand Up @@ -321,7 +460,7 @@ def test_jwt_policy_subroute_jwksuri_multiple_vs(
wait_before_test()
counter += 1

token = get_token(request)
token = keycloak_setup.token

resp_1_valid_token = requests.get(
virtual_server_setup.backend_1_url + "/subpath1",
Expand Down
Loading
0