Use mock oauth2 server in Azure KMS integration tests

Signed-off-by: Robert Young <[email protected]>

Author: robobario

.github/renovate.json

@@ -67,7 +67,10 @@
     },
     {
       "customType": "regex",
-      "fileMatch": ["kroxylicious-integration-tests/src/test/java/io/kroxylicious/proxy/filter/oauthbearer/OauthBearerValidationIT.java"],
+      "fileMatch": [
+        "kroxylicious-integration-tests/src/test/java/io/kroxylicious/proxy/filter/oauthbearer/OauthBearerValidationIT.java",
+        "kroxylicious-kms-providers/kroxylicious-kms-provider-azure-key-vault-kms-test-support/src/main/java/io/kroxylicious/kms/provider/azure/kms/OauthServerContainer.java"
+      ],
       "matchStrings": [
         "DockerImageName\\.parse\\(\"(?<depName>ghcr.io/navikt/mock-oauth2-server):(?<currentValue>\\d+\\.\\d+.\\d+)\"\\)"
       ],

kroxylicious-kms-providers/kroxylicious-kms-provider-azure-key-vault-kms-test-support/pom.xml

@@ -53,11 +53,6 @@
             <groupId>org.testcontainers</groupId>
             <artifactId>testcontainers</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.wiremock</groupId>
-            <artifactId>wiremock</artifactId>
-            <scope>compile</scope>
-        </dependency>
         <dependency>
             <groupId>com.github.nagyesta.lowkey-vault</groupId>
             <artifactId>lowkey-vault-testcontainers</artifactId>

kroxylicious-kms-providers/kroxylicious-kms-provider-azure-key-vault-kms-test-support/src/main/java/io/kroxylicious/kms/provider/azure/kms/AzureKeyVaultKmsTestKmsFacade.java

@@ -35,8 +35,6 @@
 import com.github.nagyesta.lowkeyvault.http.AuthorityOverrideFunction;
 import com.github.nagyesta.lowkeyvault.http.management.LowkeyVaultException;
 import com.github.nagyesta.lowkeyvault.testcontainers.LowkeyVaultContainer;
-import com.github.tomakehurst.wiremock.WireMockServer;
-import com.github.tomakehurst.wiremock.client.WireMock;
 
 import io.kroxylicious.kms.provider.azure.AzureKeyVaultEdek;
 import io.kroxylicious.kms.provider.azure.AzureKeyVaultKmsService;
@@ -50,35 +48,21 @@
 import io.kroxylicious.proxy.config.secret.InlinePassword;
 import io.kroxylicious.proxy.config.tls.Tls;
 import io.kroxylicious.proxy.config.tls.TrustStore;
-import io.kroxylicious.testing.kafka.common.KeytoolCertificateGenerator;
 
 import edu.umd.cs.findbugs.annotations.Nullable;
 
 import static com.github.nagyesta.lowkeyvault.testcontainers.LowkeyVaultContainerBuilder.lowkeyVault;
-import static com.github.tomakehurst.wiremock.client.WireMock.post;
-import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;
 
 @SuppressWarnings("java:S112")
 public class AzureKeyVaultKmsTestKmsFacade implements TestKmsFacade<AzureKeyVaultConfig, WrappingKey, AzureKeyVaultEdek> {
 
-    public static final String MOCK_AUTH_RESPONSE = """
-            {
-                "access_token": "aaa",
-                "token_type": "Bearer",
-                "expires_in": 3599,
-                "scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
-                "refresh_token": "bbb",
-                "id_token": "ccc"
-            }
-            """;
     public static final String TENANT_ID = "identity";
     public static final String KEY_VAULT_NAME = "default";
 
-    private final KeytoolCertificateGenerator entraCertGen = entraCerts();
     @Nullable
     private LowkeyVaultContainer kms;
     @Nullable
-    private WireMockServer entraMock;
+    private OauthServerContainer oauthServer;
 
     protected AzureKeyVaultKmsTestKmsFacade() {
     }
@@ -89,36 +73,26 @@ public boolean isAvailable() {
     }
 
     public void startKms() {
-        this.kms = startVault();
-        this.entraMock = new WireMockServer(wireMockConfig().dynamicPort().keystorePath(entraCertGen.getKeyStoreLocation()).keystorePassword(entraCertGen.getPassword()));
-        entraMock.start();
-        entraMock.stubFor(post("/" + TENANT_ID + "/oauth2/v2.0/token")
-                .willReturn(WireMock.aResponse().withStatus(200).withHeader("Content-type", "application/json").withBody(MOCK_AUTH_RESPONSE)));
-        entraMock.start();
+        this.kms = startKeyVault();
+        this.oauthServer = startMockOauthServer();
     }
 
-    private static KeytoolCertificateGenerator entraCerts() {
-        try {
-            KeytoolCertificateGenerator entraCertGen = new KeytoolCertificateGenerator();
-            entraCertGen.generateSelfSignedCertificateEntry("[email protected]", "example.com", "Engineering", "kroxylicious.io", null, null, "NZ");
-            entraCertGen.generateTrustStore(entraCertGen.getCertFilePath(), "website");
-            return entraCertGen;
-        }
-        catch (Exception e) {
-            throw new TestKmsFacadeException(e);
-        }
+    private static OauthServerContainer startMockOauthServer() {
+        OauthServerContainer oauthServerContainer = new OauthServerContainer();
+        oauthServerContainer.start();
+        return oauthServerContainer;
     }
 
     public void stopKms() {
         if (kms != null) {
             kms.stop();
         }
-        if (entraMock != null) {
-            entraMock.stop();
+        if (oauthServer != null) {
+            oauthServer.stop();
         }
     }
 
-    public LowkeyVaultContainer startVault() {
+    public static LowkeyVaultContainer startKeyVault() {
         String image = "nagyesta/lowkey-vault:4.0.0";
         final DockerImageName imageName = DockerImageName.parse("mirror.gcr.io/" + image)
                 .asCompatibleSubstituteFor(DockerImageName.parse(image));
@@ -141,7 +115,7 @@ public AzureKeyVaultConfig getKmsServiceConfig() {
         if (kms == null) {
             throw new IllegalStateException("kms is not initialized");
         }
-        if (entraMock == null) {
+        if (oauthServer == null) {
             throw new IllegalStateException("entraMock is not initialized");
         }
         URI defaultVaultBaseUrl = URI.create(kms.getDefaultVaultBaseUrl());
@@ -153,10 +127,12 @@ public AzureKeyVaultConfig getKmsServiceConfig() {
             }
             TrustStore vaultTrust = new TrustStore(tempFile.getAbsolutePath(), new InlinePassword(kms.getDefaultKeyStorePassword()), defaultKeyStore.getType());
             Tls vaultTls = new Tls(null, vaultTrust, null, null);
-            TrustStore entraTrust = new TrustStore(entraCertGen.getTrustStoreLocation(), new InlinePassword(entraCertGen.getPassword()), defaultKeyStore.getType());
+            TrustStore entraTrust = new TrustStore(oauthServer.getTrustStoreLocation(), new InlinePassword(oauthServer.getTrustStorePassword()),
+                    oauthServer.getTrustStoreType());
             Tls entraTls = new Tls(null, entraTrust, null, null);
             return new AzureKeyVaultConfig(
-                    new EntraIdentityConfig(URI.create(entraMock.baseUrl()), TENANT_ID, new InlinePassword("abc"), new InlinePassword("def"), null, entraTls),
+                    new EntraIdentityConfig(oauthServer.getBaseUri(), TENANT_ID, new InlinePassword("abc"), new InlinePassword("def"), null,
+                            entraTls),
                     KEY_VAULT_NAME, defaultVaultBaseUrl.getHost(), null, defaultVaultBaseUrl.getPort(), vaultTls);
         }
         catch (Exception e) {
@@ -257,4 +233,5 @@ private static HttpClient createHttpClient(String clientAuthority, String contai
             }
         }
     }
+
 }

kroxylicious-kms-providers/kroxylicious-kms-provider-azure-key-vault-kms-test-support/src/main/java/io/kroxylicious/kms/provider/azure/kms/OauthServerContainer.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.kms.provider.azure.kms;
+
+import java.net.URI;
+import java.time.Duration;
+
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.wait.strategy.LogMessageWaitStrategy;
+import org.testcontainers.utility.DockerImageName;
+import org.testcontainers.utility.MountableFile;
+
+import io.kroxylicious.kms.service.TestKmsFacadeException;
+import io.kroxylicious.testing.kafka.common.KeytoolCertificateGenerator;
+
+class OauthServerContainer extends GenericContainer<OauthServerContainer> {
+
+    private static final DockerImageName DOCKER_IMAGE_NAME = DockerImageName.parse("ghcr.io/navikt/mock-oauth2-server:3.0.0");
+    private static final String LOCALHOST = "localhost";
+    private static final String CERT_FILE_MOUNT_PATH = "/etc/custom-certs";
+    private final KeytoolCertificateGenerator certs;
+    private static final int INTERNAL_PORT = 8080;
+
+    private static KeytoolCertificateGenerator entraCerts() {
+        try {
+            KeytoolCertificateGenerator entraCertGen = new KeytoolCertificateGenerator();
+            entraCertGen.generateSelfSignedCertificateEntry("[email protected]", LOCALHOST, "Engineering", "kroxylicious.io", null, null, "NZ");
+            entraCertGen.generateTrustStore(entraCertGen.getCertFilePath(), "website");
+            return entraCertGen;
+        }
+        catch (Exception e) {
+            throw new TestKmsFacadeException(e);
+        }
+    }
+
+    OauthServerContainer() {
+        super(DOCKER_IMAGE_NAME);
+        this.certs = entraCerts();
+        LogMessageWaitStrategy strategy = new LogMessageWaitStrategy().withRegEx(".*started server on address.*");
+        strategy.withStartupTimeout(Duration.ofSeconds(10));
+        setWaitStrategy(strategy);
+        withExposedPorts(INTERNAL_PORT);
+        withEnv("SERVER_PORT", Integer.toString(INTERNAL_PORT));
+        String config = """
+                    {
+                    "httpServer" : {
+                        "type" : "NettyWrapper",
+                        "ssl" : {
+                            "keyPassword" : "%s",
+                            "keystoreFile" : "%s",
+                            "keystoreType" : "%s",
+                            "keystorePassword" : "%s"
+                        }
+                    }
+                }
+                """.formatted(certs.getPassword(), CERT_FILE_MOUNT_PATH, certs.getKeyStoreType(), certs.getPassword());
+        withEnv("JSON_CONFIG", config);
+        withEnv("LOG_LEVEL", "DEBUG"); // required to for the startup message to be logged.
+        withCopyFileToContainer(MountableFile.forHostPath(certs.getKeyStoreLocation()), CERT_FILE_MOUNT_PATH);
+    }
+
+    @Override
+    public void start() {
+        super.start();
+    }
+
+    public String getTrustStoreLocation() {
+        return certs.getTrustStoreLocation();
+    }
+
+    public String getTrustStorePassword() {
+        return certs.getPassword();
+    }
+
+    public String getTrustStoreType() {
+        return certs.getTrustStoreType();
+    }
+
+    public URI getBaseUri() {
+        Integer mappedPort = getMappedPort(INTERNAL_PORT);
+        if (mappedPort == null) {
+            throw new IllegalStateException("oauth mock - mappedPort is null for " + INTERNAL_PORT);
+        }
+        return URI.create("https://" + LOCALHOST + ":" + mappedPort);
+    }
+}