Test with oauth2-proxy

selenium/bin/components/oauth2-proxy

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+OAUTH2_PROXY_DOCKER_IMAGE=bitnami/oauth2-proxy:7.7.1
+
+ensure_oauth2-proxy() {
+  if docker ps | grep oauth2-proxy &> /dev/null; then
+     print "oauth2-proxy already running ..."
+ else
+   start_oauth2-proxy
+ fi
+}
+init_oauth2-proxy() {
+  KEYCLOAK_CONFIG_PATH=${KEYCLOAK_CONFIG_PATH:-oauth/keycloak}
+  KEYCLOAK_CONFIG_DIR=$(realpath ${TEST_DIR}/${KEYCLOAK_CONFIG_PATH})
+  
+  OAUTH2_PROXY_CONFIG_PATH=${OAUTH2_PROXY_CONFIG_PATH:-oauth/oauth2-proxy}
+  OAUTH2_PROXY_CONFIG_DIR=$(realpath ${TEST_DIR}/${OAUTH2_PROXY_CONFIG_PATH})
+  OAUTH2_PROXY_URL=${OAUTH_PROVIDER_URL}
+
+  print "> KEYCLOAK_CONFIG_DIR: ${KEYCLOAK_CONFIG_DIR}"
+  print "> KEYCLOAK_URL: ${KEYCLOAK_URL}"
+  print "> KEYCLOAK_DOCKER_IMAGE: ${KEYCLOAK_DOCKER_IMAGE}"
+
+  print "> OAUTH2_PROXY_CONFIG_DIR: ${OAUTH2_PROXY_CONFIG_DIR}"
+  print "> OAUTH2_PROXY_URL: ${OAUTH2_PROXY_URL}"
+  print "> OAUTH2_PROXY_DOCKER_IMAGE: ${OAUTH2_PROXY_DOCKER_IMAGE}"
+
+  generate-ca-server-client-kpi oauth2-proxy $OAUTH2_PROXY_CONFIG_DIR
+
+}
+start_oauth2-proxy() {
+  begin "Starting oauth2-proxy ..."
+
+  init_oauth2-proxy
+  kill_container_if_exist oauth2-proxy
+
+  MOUNT_OAUTH2_PROXY_CONF_DIR=$CONF_DIR/oauth2-proxy
+  MOUNT_KEYCLOAK_CONF_DIR=$CONF_DIR/keycloak
+
+  mkdir -p $MOUNT_OAUTH2_PROXY_CONF_DIR
+  mkdir -p $MOUNT_KEYCLOAK_CONF_DIR
+  ${BIN_DIR}/gen-oauth2-proxy-yaml ${OAUTH2_PROXY_CONFIG_DIR} $ENV_FILE $MOUNT_OAUTH2_PROXY_CONF_DIR/alpha-config.yaml
+  print "> EFFECTIVE OAUTH2_PROXY_CONFIG_FILE: $MOUNT_OAUTH2_PROXY_CONF_DIR/alpha-config.yaml"
+  cp ${OAUTH2_PROXY_CONFIG_DIR}/*.pem $MOUNT_OAUTH2_PROXY_CONF_DIR
+  cp ${KEYCLOAK_CONFIG_DIR}/*.pem $MOUNT_KEYCLOAK_CONF_DIR
+
+  docker run \
+		--detach \
+		--name oauth2-proxy \
+    --net ${DOCKER_NETWORK} \
+		--publish 8442:8442 \
+    --env OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_COOKIE_SECRET} \
+    --env OAUTH2_PROXY_EMAIL_DOMAINS="*" \
+    --env OAUTH2_PROXY_COOKIE_DOMAINS="" \
+    --env OAUTH2_PROXY_WHITELIST_DOMAINS="*" \
+    --env OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST="true" \
+    --env OAUTH2_PROXY_COOKIE_CSRF_EXPIRE="5m" \
+    --env OAUTH2_PROXY_REDIRECT_URL="https://oauth2-proxy:8442/oauth2/callback" \
+    --env OAUTH2_PROXY_TLS_KEY_FILE=/etc/oauth2-proxy/certs/server_oauth2-proxy_key.pem \
+    --env OAUTH2_PROXY_TLS_CERT_FILE=/etc/oauth2-proxy/certs/server_oauth2-proxy_certificate.pem \
+		-v ${MOUNT_KEYCLOAK_CONF_DIR}:/etc/keycloak \
+    -v ${MOUNT_OAUTH2_PROXY_CONF_DIR}:/etc/oauth2-proxy \
+		${OAUTH2_PROXY_DOCKER_IMAGE} --alpha-config /etc/oauth2-proxy/alpha-config.yaml --cookie-secure=true 
+
+  wait_for_oidc_endpoint oauth2-proxy $OAUTH2_PROXY_URL $MOUNT_OAUTH2_PROXY_CONF_DIR/ca_oauth2-proxy_certificate.pem
+  end "oauth2-proxy is ready"
+
+}

selenium/bin/gen-oauth2-proxy-yaml

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+#set -x
+
+TEST_PATH=${1:?First parameter is the directory env and config files are relative to}
+ENV_FILE=${2:?Second parameter is a comma-separated list of .env file which has exported template variables}
+FINAL_CONFIG_FILE=${3:?Forth parameter is the name of the final config file. It is relative to where this script is run from}
+
+source $ENV_FILE
+
+parentdir="$(dirname "$FINAL_CONFIG_FILE")"
+mkdir -p $parentdir
+
+echo "" > $FINAL_CONFIG_FILE
+
+for f in $($SCRIPT/find-template-files $TEST_PATH "alpha-config" "yaml")
+do
+  envsubst < $f  >> $FINAL_CONFIG_FILE
+done

selenium/full-suite-management-ui

@@ -10,6 +10,7 @@ authnz-mgt/oauth-idp-initiated-with-uaa-and-prefix-via-proxy.sh
 authnz-mgt/oauth-idp-initiated-with-uaa-and-prefix.sh
 authnz-mgt/oauth-idp-initiated-with-uaa-via-proxy.sh
 authnz-mgt/oauth-idp-initiated-with-uaa.sh
+authnz-mgt/oauth-idp-initiated-with-oauth2-proxy-and-keycloak.sh
 authnz-mgt/oauth-with-keycloak.sh
 authnz-mgt/oauth-with-keycloak-with-verify-none.sh
 authnz-mgt/oauth-with-uaa-down-but-with-basic-auth.sh

selenium/suites/authnz-mgt/oauth-idp-initiated-with-oauth2-proxy-and-keycloak.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+TEST_CASES_PATH=/oauth/with-idp-initiated
+TEST_CONFIG_PATH=/oauth
+PROFILES="oauth2-proxy keycloak keycloak-oauth-provider oauth2-proxy-mgt-oauth-provider tls"
+
+source $SCRIPT/../../bin/suite_template $@
+runWith keycloak oauth2-proxy

selenium/test/oauth/env.docker.keycloak

@@ -1,3 +1,4 @@
 export KEYCLOAK_URL=https://keycloak:8443/realms/test
-export OAUTH_PROVIDER_URL=https://keycloak:8443/realms/test
-export OAUTH_PROVIDER_CA_CERT=/config/oauth/keycloak/ca_keycloak_certificate.pem
+export OAUTH_PROVIDER_URL=${KEYCLOAK_URL}
+export KEYCLOAK_CA_CERT=/config/oauth/keycloak/ca_keycloak_certificate.pem
+export OAUTH_PROVIDER_CA_CERT=${KEYCLOAK_CA_CERT}

selenium/test/oauth/env.docker.oauth2-proxy

@@ -0,0 +1,2 @@
+export OAUTH2_PROXY_URL=https://oauth2-proxy:8442
+export OAUTH2_PROXY_END_SESSION_URL=https://oauth2-proxy:8442/oauth2/sign_out?rd=https://keycloak:8443/realms/test/protocol/openid-connect/logout

selenium/test/oauth/env.local.keycloak

@@ -1,3 +1,4 @@
 export KEYCLOAK_URL=https://localhost:8443/realms/test
-export OAUTH_PROVIDER_URL=https://localhost:8443/realms/test
-export OAUTH_PROVIDER_CA_CERT=selenium/test/oauth/keycloak/ca_keycloak_certificate.pem
+export OAUTH_PROVIDER_URL=${KEYCLOAK_URL}
+export KEYCLOAK_CA_CERT=selenium/test/oauth/keycloak/ca_keycloak_certificate.pem
+export OAUTH_PROVIDER_CA_CERT=${KEYCLOAK_CA_CERT}

selenium/test/oauth/env.local.oauth2-proxy

@@ -0,0 +1,2 @@
+export OAUTH2_PROXY_URL=https://oauth2-proxy:8442
+export OAUTH2_PROXY_END_SESSION_URL=https://localhost:8442/oauth2/sign_out?rd=https://keycloak:8443/realms/test/protocol/openid-connect/logout

selenium/test/oauth/oauth2-proxy/alpha-config.yaml

@@ -0,0 +1,37 @@
+
+server:
+  BindAddress: 0.0.0.0:4180
+  SecureBindAddress: 0.0.0.0:8442
+  TLS: 
+    Key: 
+      FromFile: /etc/oauth2-proxy/server_oauth2-proxy_key.pem
+    Cert: 
+      FromFile: /etc/oauth2-proxy/server_oauth2-proxy_certificate.pem
+
+upstreamConfig:
+  upstreams:
+  - id: rabbitmq
+    path: /
+    uri: ${RABBITMQ_URL}
+injectRequestHeaders:
+- name: Authorization
+  values:
+  - claim: access_token
+    prefix: 'Bearer '
+providers:
+- provider: keycloak-oidc
+  id: keycloak-oidc
+  clientSecret: nt6pmZMeyrgzYgkg2MLgZQZxLveRMW5M
+  clientID: rabbitmq-proxy-client-tls
+  code_challenge_method: S256
+  scope: "email openid profile rabbitmq.tag:administrator"
+  skipClaimsFromProfileURL: true
+  caFiles:
+    - /etc/keycloak/ca_keycloak_certificate.pem
+  oidcConfig:
+    issuerURL: ${KEYCLOAK_URL}
+    insecureSkipNonce: true
+    audienceClaims:
+      - aud
+    emailClaim: sub
+    userIDClaim: user_name

selenium/test/oauth/rabbitmq.keycloak-oauth-provider.conf

@@ -1,2 +1,2 @@
-auth_oauth2.issuer = ${OAUTH_PROVIDER_URL}
-auth_oauth2.https.cacertfile = ${OAUTH_PROVIDER_CA_CERT}
+auth_oauth2.issuer = ${KEYCLOAK_URL}
+auth_oauth2.https.cacertfile = ${KEYCLOAK_CA_CERT}

selenium/test/oauth/rabbitmq.keycloak-verify-none-oauth-provider.conf

@@ -1,2 +1,2 @@
-auth_oauth2.issuer = ${OAUTH_PROVIDER_URL}
+auth_oauth2.issuer = ${KEYCLOAK_URL}
 auth_oauth2.https.peer_verification = verify_none

selenium/test/oauth/rabbitmq.oauth2-proxy-mgt-oauth-provider.conf

@@ -0,0 +1,4 @@
+
+auth_oauth2.end_session_endpoint = ${OAUTH2_PROXY_END_SESSION_URL}
+management.oauth_provider_url = ${OAUTH2_PROXY_URL}
+auth_oauth2.preferred_username_claims.1 = preferred_username