Skip to content

Commit

Permalink
[7.17] Update OIDC test fixture (#89526) (#89556)
Browse files Browse the repository at this point in the history
This commit updates the OIDC test fixture to use the latest demo docker image
from https://connect2id.com.  As part of this change some of the docker image demo 
login has changed from prior versions and the test code is updated accordingly. 

fixes #89477
reverts #89478 / e949dff.
  • Loading branch information
jakelandis authored Aug 23, 2022
1 parent 31fe12a commit 1fbe8fe
Show file tree
Hide file tree
Showing 4 changed files with 25 additions and 58 deletions.
3 changes: 0 additions & 3 deletions x-pack/qa/oidc-op-tests/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,4 @@ tasks.named("processJavaRestTestResources").configure {
tasks.named("javaRestTest").configure {
// OpenID Connect fixture does not support aarm64
onlyIf { Architecture.current() == Architecture.X64 }

// AwaitsFix: https://github.com/elastic/elasticsearch/issues/89477
enabled = false
}
Original file line number Diff line number Diff line change
Expand Up @@ -214,58 +214,27 @@ private String authenticateAtOP(URI opAuthUri) throws Exception {
assertThat(initResponse.getAsString("type"), equalTo("auth"));
final String sid = initResponse.getAsString("sid");
// Actually authenticate the user with ldapAuth
HttpPost loginHttpPost = new HttpPost(LOGIN_API + "authenticateSubject?cacheBuster=" + randomAlphaOfLength(8));
HttpPost loginHttpPost = new HttpPost(
LOGIN_API + "authenticateSubject?cacheBuster=" + randomAlphaOfLength(8) + "&authSessionId=" + sid
);
String loginJson = "{" + "\"username\":\"alice\"," + "\"password\":\"secret\"" + "}";
configureJsonRequest(loginHttpPost, loginJson);
JSONObject loginJsonResponse = execute(httpClient, loginHttpPost, context, response -> {
execute(httpClient, loginHttpPost, context, response -> {
assertHttpOk(response.getStatusLine());
return parseJsonResponse(response);
});
// Get the consent screen
HttpPut consentFetchHttpPut = new HttpPut(
LOGIN_API + "updateAuthRequest" + "/" + sid + "?cacheBuster=" + randomAlphaOfLength(8)
);
String consentFetchJson = "{"
+ "\"sub\": \""
+ loginJsonResponse.getAsString("id")
+ "\","
+ "\"acr\": \"http://loa.c2id.com/basic\","
+ "\"amr\": [\"pwd\"],"
+ "\"data\": {"
+ "\"email\": \""
+ loginJsonResponse.getAsString("email")
+ "\","
+ "\"name\": \""
+ loginJsonResponse.getAsString("name")
+ "\""
+ "}"
+ "}";
configureJsonRequest(consentFetchHttpPut, consentFetchJson);
JSONObject consentFetchResponse = execute(httpClient, consentFetchHttpPut, context, response -> {

HttpPut consentHttpPut = new HttpPut(LOGIN_API + "updateAuthRequest" + "/" + sid + "?cacheBuster=" + randomAlphaOfLength(8));
String consentJson = "{" + "\"claims\":[\"name\", \"email\"]," + "\"scope\":[\"openid\"]" + "}";
configureJsonRequest(consentHttpPut, consentJson);
JSONObject jsonConsentResponse = execute(httpClient, consentHttpPut, context, response -> {
assertHttpOk(response.getStatusLine());
return parseJsonResponse(response);
});
if (consentFetchResponse.getAsString("type").equals("consent")) {
// If needed, submit the consent
HttpPut consentHttpPut = new HttpPut(
LOGIN_API + "updateAuthRequest" + "/" + sid + "?cacheBuster=" + randomAlphaOfLength(8)
);
String consentJson = "{" + "\"claims\":[\"name\", \"email\"]," + "\"scope\":[\"openid\"]" + "}";
configureJsonRequest(consentHttpPut, consentJson);
JSONObject jsonConsentResponse = execute(httpClient, consentHttpPut, context, response -> {
assertHttpOk(response.getStatusLine());
return parseJsonResponse(response);
});
assertThat(jsonConsentResponse.getAsString("type"), equalTo("response"));
JSONObject parameters = (JSONObject) jsonConsentResponse.get("parameters");
return parameters.getAsString("uri");
} else if (consentFetchResponse.getAsString("type").equals("response")) {
JSONObject parameters = (JSONObject) consentFetchResponse.get("parameters");
return parameters.getAsString("uri");
} else {
fail("Received an invalid response from the OP");
return null;
}
assertThat(jsonConsentResponse.getAsString("type"), equalTo("response"));
JSONObject parameters = (JSONObject) jsonConsentResponse.get("parameters");
return parameters.getAsString("uri");

}
}

Expand Down
21 changes: 10 additions & 11 deletions x-pack/test/idp-fixture/docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -154,17 +154,16 @@ services:
- ./idp/shibboleth-idp/metadata:/opt/shibboleth-idp/metadata
- ./idp/shib-jetty-base/start.d/ssl.ini:/opt/shib-jetty-base/start.d/ssl.ini

# c2id/c2id-server image is no longer available
# oidc-provider:
# image: "c2id/c2id-server:9.5"
# depends_on:
# - http-proxy
# ports:
# - "8080"
# expose:
# - "8080"
# volumes:
# - ./oidc/override.properties:/etc/c2id/override.properties
oidc-provider:
image: "c2id/c2id-server-demo:12.16.1"
depends_on:
- http-proxy
ports:
- "8080"
expose:
- "8080"
volumes:
- ./oidc/override.properties:/etc/c2id/override.properties

http-proxy:
image: "nginx:latest"
Expand Down
2 changes: 2 additions & 0 deletions x-pack/test/idp-fixture/oidc/override.properties
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,5 @@ op.issuer=http://oidc-provider:8080/c2id
op.authz.endpoint=http://oidc-provider:8080/c2id-login/
op.reg.apiAccessTokenSHA256=d1c4fa70d9ee708d13cfa01daa0e060a05a2075a53c5cc1ad79e460e96ab5363
jose.jwkSer=RnVsbCBrZXk6CnsKICAia2V5cyI6IFsKICAgIHsKICAgICAgInAiOiAiLXhhN2d2aW5tY3N3QXU3Vm1mV2loZ2o3U3gzUzhmd2dFSTdMZEVveW5FU1RzcElaeUY5aHc0NVhQZmI5VHlpbzZsOHZTS0F5RmU4T2lOalpkNE1Ra0ttYlJzTmxxR1Y5VlBoWF84UG1JSm5mcGVhb3E5YnZfU0k1blZHUl9zYUUzZE9sTEE2VWpaS0lsRVBNb0ZuRlZCMUFaUU9qQlhRRzZPTDg2eDZ2NHMwIiwKICAgICAgImt0eSI6ICJSU0EiLAogICAgICAicSI6ICJ2Q3pDQUlpdHV0MGx1V0djQloyLUFabURLc1RxNkkxcUp0RmlEYkIyZFBNQVlBNldOWTdaWEZoVWxsSjJrT2ZELWdlYjlkYkN2ODBxNEwyajVZSjZoOTBUc1NRWWVHRlljN1lZMGdCMU5VR3l5cXctb29QN0EtYlJmMGI3b3I4ajZJb0hzQTZKa2JranN6c3otbkJ2U2RmUURlZkRNSVc3Ni1ZWjN0c2hsY2MiLAogICAgICAiZCI6ICJtbFBOcm1zVVM5UmJtX1I5SElyeHdmeFYzZnJ2QzlaQktFZzRzc1ZZaThfY09lSjV2U1hyQV9laEtwa2g4QVhYaUdWUGpQbVlyd29xQzFVUksxUkZmLVg0dG10emV2OUVHaU12Z0JCaEF5RkdTSUd0VUNla2x4Q2dhb3BpMXdZSU1Bd0M0STZwMUtaZURxTVNCWVZGeHA5ZWlJZ2pwb05JbV9lR3hXUUs5VHNnYmk5T3lyc1VqaE9KLVczN2JVMEJWUU56UXpxODhCcGxmNzM3VmV1dy1FeDZaMk1iWXR3SWdfZ0JVb0JEZ0NrZkhoOVE4MElYcEZRV0x1RzgwenFrdkVwTHZ0RWxLbDRvQ3BHVnBjcmFUOFNsOGpYc3FDT1k0dnVRT19LRVUzS2VPNUNJbHd4eEhJYXZjQTE5cHFpSWJ5cm1LbThxS0ZEWHluUFJMSGFNZ1EiLAogICAgICAiZSI6ICJBUUFCIiwKICAgICAgImtpZCI6ICJyc2EzODRfMjA0OCIsCiAgICAgICJxaSI6ICJzMldTamVrVDl3S2JPbk9neGNoaDJPY3VubzE2Y20wS281Z3hoUWJTdVMyMldfUjJBR2ZVdkRieGF0cTRLakQ3THo3X1k2TjdTUkwzUVpudVhoZ1djeXgyNGhrUGppQUZLNmlkYVZKQzJqQmgycEZTUDVTNXZxZ0lsME12eWY4NjlwdkN4S0NzaGRKMGdlRWhveE93VkRPYXJqdTl2Zm9IQV90LWJoRlZrUnciLAogICAgICAiZHAiOiAiQlJhQTFqYVRydG9mTHZBSUJBYW1OSEVhSm51RU9zTVJJMFRCZXFuR1BNUm0tY2RjSG1OUVo5WUtqb2JpdXlmbnhGZ0piVDlSeElBRG0ySkpoZEp5RTN4Y1dTSzhmSjBSM1Jick1aT1dwako0QmJTVzFtU1VtRnlKTGxib3puRFhZR2RaZ1hzS0o1UkFrRUNQZFBCY3YwZVlkbk9NYWhfZndfaFZoNjRuZ2tFIiwKICAgICAgImFsZyI6ICJSU0EzODQiLAogICAgICAiZHEiOiAiUFJoVERKVlR3cDNXaDZfWFZrTjIwMUlpTWhxcElrUDN1UTYyUlRlTDNrQ2ZXSkNqMkZPLTRxcVRIQk0tQjZJWUVPLXpoVWZyQnhiMzJ1djNjS2JDWGFZN3BJSFJxQlFEQWQ2WGhHYzlwc0xqNThXd3VGY2RncERJYUFpRjNyc3NUMjJ4UFVvYkJFTVdBalV3bFJrNEtNTjItMnpLQk5FR3lIcDIzOUpKdnpVIiwKICAgICAgIm4iOiAidUpDWDVDbEZpM0JnTXBvOWhRSVZ2SDh0Vi1jLTVFdG5OeUZxVm91R3NlNWwyUG92MWJGb0tsRllsU25YTzNWUE9KRWR3azNDdl9VT0UtQzlqZERYRHpvS3Z4RURaTVM1TDZWMFpIVEJoNndIOV9iN3JHSlBxLV9RdlNkejczSzZxbHpGaUtQamRvdTF6VlFYTmZfblBZbnRnQkdNRUtBc1pRNGp0cWJCdE5lV0h0MF9UM001cEktTV9KNGVlRWpCTW95TkZuU2ExTEZDVmZRNl9YVnpjelp1TlRGMlh6UmdRWkFmcmJGRXZ6eXR1TzVMZTNTTXFrUUFJeDhFQmkwYXVlRUNqNEQ4cDNVNXFVRG92NEF2VnRJbUZlbFJvb1pBMHJtVW1KRHJ4WExrVkhuVUpzaUF6ZW9TLTNBSnV1bHJkMGpuNjJ5VjZHV2dFWklZMVNlZVd3IgogICAgfQogIF0KfQo
op.authz.alwaysPromptForConsent=true
op.authz.alwaysPromptForAuth=true

0 comments on commit 1fbe8fe

Please sign in to comment.