[KIECLOUD-612] [ELYTRON] - SSO UndertowDeploymentInfoService is missi…

…ng jboss.security.security-domain.other (#511) Signed-off-by: spolti <fspolti@redhat.com>
jboss-container-images · Dec 22, 2021 · 39e3179 · 39e3179
1 parent 76986bf
commit 39e3179
Show file tree

Hide file tree

Showing 4 changed files with 178 additions and 6 deletions.
diff --git a/jboss-eap-config-openshift/EAP7.4.0/added/standalone-openshift.xml b/jboss-eap-config-openshift/EAP7.4.0/added/standalone-openshift.xml
@@ -257,6 +257,7 @@
                     <realm name="local" role-mapper="super-user-mapper"/>
                 </security-domain>
                 <!-- ##KIE_LDAP_SECURITY_DOMAIN## -->
+                <!-- ##KIE_SSO_SECURITY_DOMAIN## -->
             </security-domains>
             <security-realms>
                 <identity-realm name="local" identity="$local"/>
@@ -268,6 +269,7 @@
                 <!-- ##KIE_LDAP_REALM## -->
                 <!-- ##KIE_FAILOVER_REALM## -->
                 <!-- ##KIE_DISTRIBUTED_REALM## -->
+                <!-- ##KIE_SSO_CUSTOM_REALM## -->
             </security-realms>
             <mappers>
                 <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
@@ -288,6 +290,7 @@
                 <!-- ##KIE_ROLE_DECODER## -->
                 <simple-role-decoder name="groups-to-roles" attribute="groups"/>
                 <!-- ##AUTH_ROLE_MAPPER## -->
+                <!-- ##KIE_SSO_CONSTANT_REALM_MAPPER## -->
             </mappers>
             <permission-sets>
                 <permission-set name="login-permission">
@@ -316,6 +319,8 @@
                         </mechanism>
                     </mechanism-configuration>
                 </http-authentication-factory>
+                <!-- ##KIE_SSO_HTTP_AUTHENTICATION_FACTORY## -->
+                <!-- ##KIE_SSO_MECHANISM_FACTORY## -->
                 <provider-http-server-mechanism-factory name="global"/>
             </http>
             <sasl>

diff --git a/jboss-kie-wildfly-common/added/launch/jboss-kie-wildfly-elytron.sh b/jboss-kie-wildfly-common/added/launch/jboss-kie-wildfly-elytron.sh
@@ -44,6 +44,7 @@ function configure() {
     configure_elytron_role_mapping
     configure_ldap_sec_domain
     configure_new_identity_attributes
+    configure_rhsso
     configure_role_decoder
     update_activemq_domain
     update_jboss_web_xml
@@ -84,8 +85,11 @@ function configure_role_decoder() {
 }
 
 function update_security_domain() {
-   if [ "${SSO_URL}x" == "x" ]; then
-       # undertow subsystem
+   if [ "${SSO_URL}x" != "x" ]; then
+   # undertow subsystem
+        sed -i "s|<!-- ##HTTP_APPLICATION_SECURITY_DOMAIN## -->|<application-security-domain name=\"other\" http-authentication-factory=\"keycloak-http-authentication\"/>\n\
+                        <!-- ##HTTP_APPLICATION_SECURITY_DOMAIN## -->|" $CONFIG_FILE
+   else
         sed -i "s|<!-- ##HTTP_APPLICATION_SECURITY_DOMAIN## -->|<application-security-domain name=\"other\" security-domain=\"$(get_security_domain)\"/>\n\
                         <!-- ##HTTP_APPLICATION_SECURITY_DOMAIN## -->|" $CONFIG_FILE
    fi
@@ -136,13 +140,62 @@ EOF
     fi
 }
 
+function configure_rhsso(){
+     if [ "${SSO_URL}x" != "x" ]; then
+        configure_rhsso_custom_realm
+        configure_rhsso_security_domain
+        configure_rhsso_constant_realm_mapper
+        configure_rhsso_aggregate_http_server_mechanism_factory
+        configure_rhsso_http_authentication_factory
+     fi
+}
+
+function configure_rhsso_custom_realm() {
+    local custom_realm="<custom-realm name=\"KeycloakOIDCRealm\" module=\"org.keycloak.keycloak-wildfly-elytron-oidc-adapter\" class-name=\"org.keycloak.adapters.elytron.KeycloakSecurityRealm\"/>"
+    sed -i "s|<!-- ##KIE_SSO_CUSTOM_REALM## -->|${custom_realm}|" $CONFIG_FILE
+}
+
+function configure_rhsso_security_domain() {
+    local sec_domain="<security-domain name=\"KeycloakDomain\" default-realm=\"KeycloakOIDCRealm\" permission-mapper=\"default-permission-mapper\" security-event-listener=\"local-audit\">\n\
+                        <realm name=\"KeycloakOIDCRealm\"/>\n\
+                    </security-domain>"
+    sed -i "s|<!-- ##KIE_SSO_SECURITY_DOMAIN## -->|${sec_domain}|" $CONFIG_FILE
+}
+
+function configure_rhsso_constant_realm_mapper() {
+    local constant_realm_mapper="<constant-realm-mapper name=\"keycloak-oidc-realm-mapper\" realm-name=\"KeycloakOIDCRealm\"/>"
+    sed -i "s|<!-- ##KIE_SSO_CONSTANT_REALM_MAPPER## -->|${constant_realm_mapper}|" $CONFIG_FILE
+}
+
+function configure_rhsso_aggregate_http_server_mechanism_factory() {
+    local aggregate_http_server_mechanism_factory="<aggregate-http-server-mechanism-factory name=\"keycloak-http-server-mechanism-factory\">\n\
+                    <http-server-mechanism-factory name=\"keycloak-oidc-http-server-mechanism-factory\"/>\n\
+                    <http-server-mechanism-factory name=\"global\"/>\n\
+                </aggregate-http-server-mechanism-factory>\n\
+                <service-loader-http-server-mechanism-factory name=\"keycloak-oidc-http-server-mechanism-factory\" module=\"org.keycloak.keycloak-wildfly-elytron-oidc-adapter\"/>"
+    sed -i "s|<!-- ##KIE_SSO_MECHANISM_FACTORY## -->|${aggregate_http_server_mechanism_factory}|" $CONFIG_FILE
+}
+
+function configure_rhsso_http_authentication_factory() {
+    local http_auth_factory="<http-authentication-factory name=\"keycloak-http-authentication\" security-domain=\"$(get_security_domain)\" http-server-mechanism-factory=\"keycloak-http-server-mechanism-factory\">\n\
+                    <mechanism-configuration>\n\
+                        <mechanism mechanism-name=\"KEYCLOAK\">\n\
+                            <mechanism-realm realm-name=\"KeycloakOIDCRealm\" realm-mapper=\"keycloak-oidc-realm-mapper\"/>\n\
+                        </mechanism>\n\
+                    </mechanism-configuration>\n\
+                </http-authentication-factory>"
+    sed -i "s|<!-- ##KIE_SSO_HTTP_AUTHENTICATION_FACTORY## -->|${http_auth_factory}|" $CONFIG_FILE
+}
+
 function get_security_domain() {
     local sec_domain="ApplicationDomain"
     if [ "${AUTH_LDAP_URL}x" != "x" ]; then
         sec_domain="KIELdapSecurityDomain"
         if [ "${AUTH_LDAP_LOGIN_FAILOVER^^}" == "TRUE" ]; then
             sec_domain="KIELdapWithFailOverSecDomain"
         fi
+    elif [ "${SSO_URL}x" != "x" ]; then
+        sec_domain="KeycloakDomain"
     fi
     echo ${sec_domain}
 }

diff --git a/jboss-kie-wildfly-common/tests/bats/jboss-kie-wildfly-elytron.bats b/jboss-kie-wildfly-common/tests/bats/jboss-kie-wildfly-elytron.bats
@@ -12,7 +12,7 @@ cp $BATS_TEST_DIRNAME/../../../jboss-eap-config-openshift/EAP7.4.0/added/standal
 source $BATS_TEST_DIRNAME/../../added/launch/jboss-kie-wildfly-elytron.sh
 
 teardown() {
-    rm -rf $JBOSS_HOMEs
+    rm -rf $JBOSS_HOME
 }
 
 @test "[KIE Server] test if the default kie-fs-realm is correctly added for rhpam" {
@@ -175,17 +175,18 @@ teardown() {
     [ "${expected}" = "${result}" ]
 }
 
+
 @test "test if the correct sso application domain is set on the config file" {
     export SSO_URL="http://test"
     update_security_domain
 
-    expected="<application-security-domain name=\"other\" security-domain=\"ApplicationDomain\"/>"
+    expected="<application-security-domain name=\"other\" security-domain=\"KeycloakDomain\"/>
+<application-security-domain name=\"other\" http-authentication-factory=\"keycloak-http-authentication\"/>"
     result=$(xmllint --xpath "//*[local-name()='application-security-domain']" $CONFIG_FILE)
 
     echo "expected: ${expected}"
     echo "result  : ${result}"
     [ "${expected}" = "${result}" ]
-
 }
 
 
@@ -736,6 +737,17 @@ teardown() {
 }
 
 
+@test "test if the get_security_domain function returns the expected value when sso url is set" {
+    SSO_URL="http://sso=url"
+    result=$(get_security_domain)
+    expected="KeycloakDomain"
+    echo "result  : ${result}"
+    echo "expected: ${expected}"
+
+   [ "${expected}" = "${result}" ]
+}
+
+
 @test "test if the get_ldap_realm function returns the expected default value" {
     result=$(get_ldap_realm)
     expected="KIELdapRealm"
@@ -960,3 +972,82 @@ teardown() {
     echo "result_aggregate_role_mapper  : ${result_aggregate_role_mapper}"
     [ "${expected_aggregate_role_mapper}" = "${result_aggregate_role_mapper}" ]
 }
+
+
+@test "test if rhsso custom-realm is correctly added" {
+    configure_rhsso_custom_realm
+
+    expected="<custom-realm name=\"KeycloakOIDCRealm\" module=\"org.keycloak.keycloak-wildfly-elytron-oidc-adapter\" class-name=\"org.keycloak.adapters.elytron.KeycloakSecurityRealm\"/>"
+    result="$(xmllint --xpath "//*[local-name()='custom-realm']" $CONFIG_FILE)"
+
+    echo "expected: ${expected}"
+    echo "result  : ${result}"
+    [ "${expected}" = "${result}" ]
+}
+
+
+@test "test if rhsso security-domain is correctly added" {
+    configure_rhsso_security_domain
+
+    expected="<security-domain name=\"KeycloakDomain\" default-realm=\"KeycloakOIDCRealm\" permission-mapper=\"default-permission-mapper\" security-event-listener=\"local-audit\">
+                        <realm name=\"KeycloakOIDCRealm\"/>
+                    </security-domain>"
+    result="$(xmllint --xpath "//*[local-name()='security-domain'][3]" $CONFIG_FILE)"
+
+    echo "expected: ${expected}"
+    echo "result  : ${result}"
+    [ "${expected}" = "${result}" ]
+}
+
+
+@test "test if rhsso constant realm mapper is correctly added" {
+    configure_rhsso_constant_realm_mapper
+
+    expected="<constant-realm-mapper name=\"keycloak-oidc-realm-mapper\" realm-name=\"KeycloakOIDCRealm\"/>"
+    result="$(xmllint --xpath "//*[local-name()='constant-realm-mapper'][2]" $CONFIG_FILE)"
+
+    echo "expected: ${expected}"
+    echo "result  : ${result}"
+    [ "${expected}" = "${result}" ]
+}
+
+
+@test "test if rhsso factory mechanism are correctly added" {
+    configure_rhsso_aggregate_http_server_mechanism_factory
+
+    expected="<aggregate-http-server-mechanism-factory name=\"keycloak-http-server-mechanism-factory\">
+                    <http-server-mechanism-factory name=\"keycloak-oidc-http-server-mechanism-factory\"/>
+                    <http-server-mechanism-factory name=\"global\"/>
+                </aggregate-http-server-mechanism-factory>"
+    result="$(xmllint --xpath "//*[local-name()='aggregate-http-server-mechanism-factory']" $CONFIG_FILE)"
+
+    expected_service_loader="<service-loader-http-server-mechanism-factory name=\"keycloak-oidc-http-server-mechanism-factory\" module=\"org.keycloak.keycloak-wildfly-elytron-oidc-adapter\"/>"
+    result_service_loader="$(xmllint --xpath "//*[local-name()='service-loader-http-server-mechanism-factory']" $CONFIG_FILE)"
+
+    echo "expected: ${expected}"
+    echo "result  : ${result}"
+    [ "${expected}" = "${result}" ]
+
+    echo "expected_service_loader: ${expected_service_loader}"
+    echo "result_service_loader  : ${result_service_loader}"
+    [ "${expected_service_loader}" = "${result_service_loader}" ]
+}
+
+
+@test "test if rhsso http authentication factory is correctly added" {
+    SSO_URL="http://sso-url"
+    configure_rhsso_http_authentication_factory
+
+    expected="<http-authentication-factory name=\"keycloak-http-authentication\" security-domain=\"KeycloakDomain\" http-server-mechanism-factory=\"keycloak-http-server-mechanism-factory\">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name=\"KEYCLOAK\">
+                            <mechanism-realm realm-name=\"KeycloakOIDCRealm\" realm-mapper=\"keycloak-oidc-realm-mapper\"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>"
+    result="$(xmllint --xpath "//*[local-name()='http-authentication-factory'][3]" $CONFIG_FILE)"
+
+    echo "expected: ${expected}"
+    echo "result  : ${result}"
+    [ "${expected}" = "${result}" ]
+}
diff --git a/tests/features/common/kie-common.feature b/tests/features/common/kie-common.feature
@@ -1,4 +1,11 @@
-@rhdm-7/rhdm-kieserver-rhel8 @rhpam-7/rhpam-kieserver-rhel8 @rhdm-7/rhdm-decisioncentral-rhel8 @rhpam-7/rhpam-businesscentral-rhel8 @rhpam-7/rhpam-businesscentral-monitoring-rhel8 @rhpam-7/rhpam-dashbuilder-rhel8 @rhpam-7/rhpam-controller-rhel8 @rhdm-7/rhdm-controller-rhel8
+@rhdm-7/rhdm-kieserver-rhel8
+@rhpam-7/rhpam-kieserver-rhel8
+@rhdm-7/rhdm-decisioncentral-rhel8
+@rhpam-7/rhpam-businesscentral-rhel8
+@rhpam-7/rhpam-businesscentral-monitoring-rhel8
+@rhpam-7/rhpam-dashbuilder-rhel8
+@rhpam-7/rhpam-controller-rhel8
+@rhdm-7/rhdm-controller-rhel8
 Feature: RHPAM and RHDM common tests
 
   Scenario: Ensure the openjdk8 packages are not installed on container.
@@ -277,6 +284,22 @@ Feature: RHPAM and RHDM common tests
      And container log should contain External authentication/authorization enabled, skipping the embedded users creation.
      And container log should contain Make sure to configure KIE_ADMIN_USER user to access the application with the roles kie-server,rest-all,admin,kiemgmt,Administrators,user
 
+  Scenario: Check if elytron is correctly configured when SSO is enabled.
+    When container is started with env
+      | variable                   | value         |
+      | SSO_URL                    | http://url    |
+    Then file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <custom-realm name="KeycloakOIDCRealm" module="org.keycloak.keycloak-wildfly-elytron-oidc-adapter" class-name="org.keycloak.adapters.elytron.KeycloakSecurityRealm"/>
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <security-domain name="KeycloakDomain" default-realm="KeycloakOIDCRealm" permission-mapper="default-permission-mapper" security-event-listener="local-audit">
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <realm name="KeycloakOIDCRealm"/>
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <constant-realm-mapper name="keycloak-oidc-realm-mapper" realm-name="KeycloakOIDCRealm"/>
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <aggregate-http-server-mechanism-factory name="keycloak-http-server-mechanism-factory">
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <http-server-mechanism-factory name="keycloak-oidc-http-server-mechanism-factory"/>
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <service-loader-http-server-mechanism-factory name="keycloak-oidc-http-server-mechanism-factory" module="org.keycloak.keycloak-wildfly-elytron-oidc-adapter"/>
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <http-authentication-factory name="keycloak-http-authentication" security-domain="KeycloakDomain" http-server-mechanism-factory="keycloak-http-server-mechanism-factory">
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <mechanism mechanism-name="KEYCLOAK">
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <mechanism-realm realm-name="KeycloakOIDCRealm" realm-mapper="keycloak-oidc-realm-mapper"/>
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <application-security-domain name="other" http-authentication-factory="keycloak-http-authentication"/>
+
   Scenario: KIECLOUD-274 Prepare PAM/DM images to accept the logger category configuration
     When container is started with env
       | variable          | value                                            |