Skip to content

Cypress13 testing frame work for OIDC and SAML #81

Cypress13 testing frame work for OIDC and SAML

Cypress13 testing frame work for OIDC and SAML #81

name: Snapshot based E2E OIDC tests workflow
on:
pull_request:
branches: [ '**' ]
env:
OPENSEARCH_VERSION: '3.0.0'
KEYCLOAK_VERSION: '21.0.1'
TEST_KEYCLOAK_CLIENT_SECRET: 'oacHfNaXyy81r2uHq1A9RY4ASryre4rZ'
CI: 1
# avoid warnings like "tput: No value for $TERM and no -T specified"
TERM: xterm
PLUGIN_NAME: opensearch-security
jobs:
tests:
name: Run Cypress E2E OIDC tests
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest ]
runs-on: ${{ matrix.os }}
steps:
- name: Set up JDK
uses: actions/setup-java@v1
with:
java-version: 11
- name: Checkout Branch
uses: actions/checkout@v3
- name: Set env
run: |
opensearch_version=$(node -p "require('./package.json').opensearchDashboards.version")
plugin_version=$(node -p "require('./package.json').version")
echo "OPENSEARCH_VERSION=$opensearch_version" >> $GITHUB_ENV
echo "PLUGIN_VERSION=$plugin_version" >> $GITHUB_ENV
shell: bash
# Setup and Run Keycloak
- name: Get and run Keycloak on Linux
if: ${{ runner.os == 'Linux' }}
run: |
echo "Downloading Keycloak ${{ env.KEYCLOAK_VERSION }}"
wget https://github.com/keycloak/keycloak/releases/download/${{ env.KEYCLOAK_VERSION }}/keycloak-${{ env.KEYCLOAK_VERSION }}.tar.gz
echo "Unpacking Keycloak"
tar -xzf keycloak-${{ env.KEYCLOAK_VERSION }}.tar.gz
export KEYCLOAK_ADMIN=admin
export KEYCLOAK_ADMIN_PASSWORD=admin
cd keycloak-${{ env.KEYCLOAK_VERSION }}/bin
chmod +x kc.sh
echo "Starting keycloak"
./kc.sh start-dev --http-enabled=true --hostname-strict-https=false --http-host=localhost --http-relative-path /auth --health-enabled=true &
timeout 300 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:8080/auth/health)" != "200" ]]; do sleep 5; done'
chmod +x kcadm.sh
echo "Creating client"
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password admin
CID=$(./kcadm.sh create clients -r master -s clientId=opensearch -s secret="${{ env.TEST_KEYCLOAK_CLIENT_SECRET }}" -s 'attributes."access.token.lifespan"=60' -s 'redirectUris=["http://localhost:5603/auth/openid/login", "http://localhost:5601", "http://localhost:5601/auth/openid/login"]' -i)
./kcadm.sh get clients/$CID/installation/providers/keycloak-oidc-keycloak-json > tmp
echo "Getting client secret for dashboards configuration purpose"
CLIENT_SECRET=$(grep -o '"secret" : "[^"]*' tmp | grep -o '[^"]*$')
echo "KEYCLOAK_CLIENT_SECRET=$CLIENT_SECRET" >> $GITHUB_ENV
echo "The client secret is: $CLIENT_SECRET"
echo "Creating client mapper"
./kcadm.sh create clients/$CID/protocol-mappers/models -r master -s 'config."id.token.claim"=true' -s 'config."multivalued"=true' -s 'config."claim.name"="roles"' -s 'config."userinfo.token.claim"=true' -s 'config."access.token.claim"=true' -s 'name=rolemapper' -s 'protocolMapper=oidc-usermodel-realm-role-mapper' -s "protocol=openid-connect"
- name: Download security plugin and create setup scripts
uses: ./.github/actions/download-plugin
with:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
plugin-version: ${{ env.PLUGIN_VERSION }}
# Download OpenSearch
- name: Download OpenSearch for Linux
uses: peternied/download-file@v2
if: ${{ runner.os == 'Linux' }}
with:
url: https://artifacts.opensearch.org/snapshots/core/opensearch/${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/opensearch-min-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT-linux-x64-latest.tar.gz
# Extract downloaded tar/zip
- name: Extract downloaded tar
if: ${{ runner.os == 'Linux' }}
run: |
tar -xzf opensearch-*.tar.gz
rm -f opensearch-*.tar.gz
shell: bash
# Install the security plugin
- name: Install Plugin into OpenSearch for Linux
if: ${{ runner.os == 'Linux'}}
run: |
chmod +x ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/bin/opensearch-plugin
/bin/bash -c "yes | ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/bin/opensearch-plugin install file:$(pwd)/opensearch-security.zip"
shell: bash
# Add OIDC Configuration
- name: Injecting OIDC Configuration for Linux
if: ${{ runner.os == 'Linux'}}
run: |
echo "Injecting OIDC configuration"
cd ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/config/opensearch-security/
wget -O yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
chmod +x yq
yq -i ".config.dynamic.authc.openid_auth_domain.http_enabled = true" config.yml
yq -i ".config.dynamic.authc.openid_auth_domain.transport_enabled = true" config.yml
yq -i ".config.dynamic.authc.openid_auth_domain.order = 1" config.yml
yq -i ".config.dynamic.authc.openid_auth_domain.http_authenticator.type = \"openid\"" config.yml
yq -i ".config.dynamic.authc.openid_auth_domain.http_authenticator.challenge = false" config.yml
yq -i ".config.dynamic.authc.openid_auth_domain.http_authenticator.config.subject_key = \"preferred_username\"" config.yml
yq -i ".config.dynamic.authc.openid_auth_domain.http_authenticator.config.roles_key = \"roles\"" config.yml
yq -i ".config.dynamic.authc.openid_auth_domain.http_authenticator.config.openid_connect_url = \"http://localhost:8080/auth/realms/master/.well-known/openid-configuration\"" config.yml
yq -i ".config.dynamic.authc.openid_auth_domain.authentication_backend.type = \"noop\"" config.yml
cd ../../..
# Run any configuration scripts
- name: Run Setup Script for Linux
if: ${{ runner.os == 'Linux' }}
run: |
echo "running linux setup"
chmod +x ./setup.sh
./setup.sh
shell: bash
# Run OpenSearch
- name: Run OpenSearch with plugin on Linux
if: ${{ runner.os == 'Linux'}}
run: |
/bin/bash -c "./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/bin/opensearch &"
shell: bash
# Give the OpenSearch process some time to boot up before sending any requires, might need to increase the default time!
- name: Sleep while OpenSearch starts
uses: peternied/action-sleep@v1
with:
seconds: 30
# Verify that the server is operational
- name: Check OpenSearch Running on Linux
if: ${{ runner.os != 'Windows'}}
run: curl https://localhost:9200/_cat/plugins -u 'admin:admin' -k -v
shell: bash
- if: always()
run: cat ./opensearch-${{ env.OPENSEARCH_VERSION }}-SNAPSHOT/logs/opensearch.log
shell: bash
# OSD bootstrap
- name: Run Dashboard with Security Dashboards Plugin
uses: ./.github/actions/install-dashboards
with:
plugin_name: security-dashboards-plugin
# Configure the Dashboard for OIDC setup
- name: Configure and Run OpenSearch Dashboards with Cypress Test Cases
if: ${{ runner.os == 'Linux' }}
run: |
cd ./OpenSearch-Dashboards
echo 'server.host: "localhost"' >> ./config/opensearch_dashboards.yml
echo 'opensearch.hosts: ["https://localhost:9200"]' >> ./config/opensearch_dashboards.yml
echo 'opensearch.ssl.verificationMode: none' >> ./config/opensearch_dashboards.yml
echo 'opensearch.username: "kibanaserver"' >> ./config/opensearch_dashboards.yml
echo 'opensearch.password: "kibanaserver"' >> ./config/opensearch_dashboards.yml
echo 'opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]' >> ./config/opensearch_dashboards.yml
echo 'opensearch_security.multitenancy.enabled: true' >> ./config/opensearch_dashboards.yml
echo 'opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]' >> ./config/opensearch_dashboards.yml
echo 'opensearch_security.readonly_mode.roles: ["kibana_read_only"]' >> ./config/opensearch_dashboards.yml
echo 'opensearch_security.cookie.secure: false' >> ./config/opensearch_dashboards.yml
echo 'opensearch_security.openid.connect_url: "http://127.0.0.1:8080/auth/realms/master/.well-known/openid-configuration"' >> ./config/opensearch_dashboards.yml
echo 'opensearch_security.openid.client_id: "opensearch"' >> ./config/opensearch_dashboards.yml
echo 'opensearch_security.openid.client_secret: "${{ env.TEST_KEYCLOAK_CLIENT_SECRET }}"'>> ./config/opensearch_dashboards.yml
echo 'opensearch_security.auth.type: ["openid"]' >> ./config/opensearch_dashboards.yml
echo 'opensearch_security.auth.multiple_auth_enabled: true' >> ./config/opensearch_dashboards.yml
echo 'opensearch_security.ui.openid.login.buttonname: "OIDC"' >> ./config/opensearch_dashboards.yml
echo 'home.disableWelcomeScreen: true' >> ./config/opensearch_dashboards.yml
echo 'HERE IS THE DASHBOARD CONFIG'
cat ./config/opensearch_dashboards.yml
nohup yarn start --no-base-path --no-watch &
sleep 600
- name: Run Cypress
run : |
yarn add cypress --save-dev
yarn cypress:run --browser chrome --headless --spec '.cypress/e2e/oidc/*.js'