enable jwksuri tests with keycloak (#7396)

Author: vepatel

tests/data/jwt-policy-jwksuri/configmap/nginx-config.yaml

@@ -5,5 +5,3 @@ metadata:
   namespace: nginx-ingress
 data:
   resolver-addresses: "kube-dns.kube-system.svc.cluster.local"
-  http-snippets: |
-    subrequest_output_buffer_size 64k;

tests/data/jwt-policy-jwksuri/policies/jwt-policy-invalid.yaml

@@ -6,5 +6,5 @@ spec:
   jwt:
     realm: MyProductAPI
     token: $$http_token
-    jwksURI: https://login.microsoftonline.com/dd3dfd2f-6a3b-40d1-9be0-bf8327d81c50/discovery/v2.0/keys
+    jwksURI: http://keycloak.default.svc.cluster.local:8080/realms/jwks-example/protocol/openid-connect/certs
     keyCache: 1h

tests/data/jwt-policy-jwksuri/policies/jwt-policy-valid.yaml

@@ -6,5 +6,5 @@ spec:
   jwt:
     realm: MyProductAPI
     token: $http_token
-    jwksURI: https://login.microsoftonline.com/dd3dfd2f-6a3b-40d1-9be0-bf8327d81c50/discovery/v2.0/keys
+    jwksURI: http://keycloak.default.svc.cluster.local:8080/realms/jwks-example/protocol/openid-connect/certs
     keyCache: 1h

tests/suite/test_jwt_policies_jwksuri.py

@@ -1,16 +1,29 @@
+import secrets
 from unittest import mock
 
 import pytest
 import requests
+import yaml
 from settings import TEST_DATA
-from suite.utils.policy_resources_utils import create_policy_from_yaml, delete_policy
-from suite.utils.resources_utils import replace_configmap_from_yaml, wait_before_test
+from suite.utils.policy_resources_utils import delete_policy
+from suite.utils.resources_utils import (
+    create_example_app,
+    create_secret_from_yaml,
+    delete_common_app,
+    delete_secret,
+    replace_configmap_from_yaml,
+    wait_before_test,
+    wait_until_all_pods_are_ready,
+)
 from suite.utils.vs_vsr_resources_utils import (
     create_virtual_server_from_yaml,
     delete_and_create_vs_from_yaml,
     delete_virtual_server,
 )
 
+username = "nginx-user-" + secrets.token_hex(4)
+password = secrets.token_hex(8)
+realm_name = "jwks-example"
 std_vs_src = f"{TEST_DATA}/virtual-server/standard/virtual-server.yaml"
 jwt_pol_valid_src = f"{TEST_DATA}/jwt-policy-jwksuri/policies/jwt-policy-valid.yaml"
 jwt_pol_invalid_src = f"{TEST_DATA}/jwt-policy-jwksuri/policies/jwt-policy-invalid.yaml"
@@ -27,34 +40,136 @@
     f"{TEST_DATA}/jwt-policy-jwksuri/virtual-server/virtual-server-invalid-policy-route-subpath.yaml"
 )
 jwt_cm_src = f"{TEST_DATA}/jwt-policy-jwksuri/configmap/nginx-config.yaml"
-ad_tenant = "dd3dfd2f-6a3b-40d1-9be0-bf8327d81c50"
-client_id = "8a172a83-a630-41a4-9ca6-1e5ef03cd7e7"
+keycloak_src = f"{TEST_DATA}/oidc/keycloak.yaml"
+keycloak_vs_src = f"{TEST_DATA}/oidc/virtual-server-idp.yaml"
 
 
-def get_token(request):
+class KeycloakSetup:
     """
-    get jwt token from azure ad endpoint
+    Attributes:
+        token (str):
     """
+
+    def __init__(self, token):
+        self.token = token
+
+
+@pytest.fixture(scope="class")
+def keycloak_setup(request, kube_apis, test_namespace, ingress_controller_endpoint):
+
+    # Create Keycloak resources and setup Keycloak idp
+
+    secret_name = create_secret_from_yaml(
+        kube_apis.v1, test_namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml"
+    )
+    keycloak_address = "keycloak.example.com"
+    create_example_app(kube_apis, "keycloak", test_namespace)
+    wait_before_test()
+    wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
+    keycloak_vs_name = create_virtual_server_from_yaml(kube_apis.custom_objects, keycloak_vs_src, test_namespace)
+    wait_before_test()
+
+    # Get token
+    url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/realms/master/protocol/openid-connect/token"
+    headers = {"Host": keycloak_address, "Content-Type": "application/x-www-form-urlencoded"}
+    data = {"username": "admin", "password": "admin", "grant_type": "password", "client_id": "admin-cli"}
+
+    response = requests.post(url, headers=headers, data=data, verify=False)
+    admin_token = response.json()["access_token"]
+
+    # Create realm "jwks-example"
+    create_realm_url = (
+        f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/admin/realms"
+    )
+    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {admin_token}", "Host": keycloak_address}
+    payload = {
+        "realm": realm_name,
+        "enabled": True,
+    }
+    response = requests.post(create_realm_url, headers=headers, json=payload, verify=False)
+
+    # Create a user and set credentials
+    create_user_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/admin/realms/{realm_name}/users"
+    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {admin_token}", "Host": keycloak_address}
+    user_payload = {
+        "username": username,
+        "enabled": True,
+        "email": "[email protected]",
+        "emailVerified": True,
+        "firstName": "Jwks",
+        "lastName": "User",
+        "credentials": [{"type": "password", "value": password, "temporary": False}],
+        "requiredActions": [],
+    }
+    response = requests.post(create_user_url, headers=headers, json=user_payload, verify=False)
+
+    # Create a client
+    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {admin_token}", "Host": keycloak_address}
+    create_client_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/admin/realms/{realm_name}/clients"
+    client_payload = {
+        "clientId": "jwks-client",
+        "enabled": True,
+        "protocol": "openid-connect",
+        "publicClient": False,
+        "directAccessGrantsEnabled": True,
+        "standardFlowEnabled": True,
+        "implicitFlowEnabled": False,
+        "serviceAccountsEnabled": True,
+        "authorizationServicesEnabled": True,
+        "clientAuthenticatorType": "client-secret",
+        "redirectUris": ["*"],
+        "webOrigins": ["*"],
+        "attributes": {
+            "access.token.lifespan": "3600",
+            "id.token.lifespan": "3600",
+            "service.accounts.enabled": "true",
+        },
+    }
+    client_resp = requests.post(create_client_url, headers=headers, json=client_payload, verify=False)
+    if client_resp.status_code not in (200, 201):
+        pytest.fail(f"Failed to create client: {client_resp.text}")
+    location = client_resp.headers["Location"]
+    client_id = location.split("/")[-1]
+
+    # Get the client secret
+    get_secret_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/admin/realms/{realm_name}/clients/{client_id}/client-secret"
+    secret_resp = requests.get(get_secret_url, headers=headers, verify=False)
+    secret = secret_resp.json()["value"]
+
     data = {
-        "client_id": f"{client_id}",
-        "scope": ".default",
-        "client_secret": request.config.getoption("--ad-secret"),
-        "grant_type": "client_credentials",
+        "grant_type": "password",
+        "scope": "openid",
+        "client_id": "jwks-client",
+        "client_secret": secret,
+        "username": username,
+        "password": password,
     }
-    ad_response = requests.get(
-        f"https://login.microsoftonline.com/{ad_tenant}/oauth2/token",
+    url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/realms/{realm_name}/protocol/openid-connect/token"
+    response = requests.post(
+        url,
+        headers={"Host": keycloak_address, "Content-Type": "application/x-www-form-urlencoded"},
         data=data,
-        timeout=5,
-        headers={"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Chrome/76.0.3809.100"},
+        verify=False,
     )
 
-    if ad_response.status_code == 200:
-        return ad_response.json()["access_token"]
-    pytest.fail("Unable to request Azure token endpoint")
+    if response.status_code != 200:
+        pytest.fail(f"Failed to get token from Keycloak: {response.text}")
+
+    token = response.json().get("access_token")
+
+    def fin():
+        if request.config.getoption("--skip-fixture-teardown") == "no":
+            print("Delete Keycloak resources")
+            delete_virtual_server(kube_apis.custom_objects, keycloak_vs_name, test_namespace)
+            delete_common_app(kube_apis, "keycloak", test_namespace)
+            delete_secret(kube_apis.v1, secret_name, test_namespace)
+
+    request.addfinalizer(fin)
+
+    return KeycloakSetup(token)
 
 
 @pytest.mark.skip_for_nginx_oss
-@pytest.mark.skip(reason="issues with IdP communication")
 @pytest.mark.policies
 @pytest.mark.parametrize(
     "crd_ingress_controller, virtual_server_setup",
@@ -85,6 +200,7 @@ def test_jwt_policy_jwksuri(
         crd_ingress_controller,
         virtual_server_setup,
         test_namespace,
+        keycloak_setup,
         jwt_virtual_server,
     ):
         """
@@ -96,7 +212,12 @@ def test_jwt_policy_jwksuri(
             ingress_controller_prerequisites.namespace,
             jwt_cm_src,
         )
-        pol_name = create_policy_from_yaml(kube_apis.custom_objects, jwt_pol_valid_src, test_namespace)
+        with open(jwt_pol_valid_src) as f:
+            doc = yaml.safe_load(f)
+        pol_name = doc["metadata"]["name"]
+        doc["spec"]["jwt"]["jwksURI"] = doc["spec"]["jwt"]["jwksURI"].replace("default", test_namespace)
+        kube_apis.custom_objects.create_namespaced_custom_object("k8s.nginx.org", "v1", test_namespace, "policies", doc)
+        print(f"Policy created with name {pol_name}")
         wait_before_test()
 
         print(f"Patch vs with policy: {jwt_virtual_server}")
@@ -106,6 +227,7 @@ def test_jwt_policy_jwksuri(
             jwt_virtual_server,
             virtual_server_setup.namespace,
         )
+        wait_before_test()
         resp_no_token = mock.Mock()
         resp_no_token.status_code == 502
         counter = 0
@@ -118,14 +240,13 @@ def test_jwt_policy_jwksuri(
             wait_before_test()
             counter += 1
 
-        token = get_token(request)
+        token = keycloak_setup.token
 
         resp_valid_token = requests.get(
             virtual_server_setup.backend_1_url,
             headers={"host": virtual_server_setup.vs_host, "token": token},
             timeout=5,
         )
-
         delete_policy(kube_apis.custom_objects, pol_name, test_namespace)
         wait_before_test()
 
@@ -148,6 +269,7 @@ def test_jwt_invalid_policy_jwksuri(
         crd_ingress_controller,
         virtual_server_setup,
         test_namespace,
+        keycloak_setup,
         jwt_virtual_server,
     ):
         """
@@ -159,7 +281,12 @@ def test_jwt_invalid_policy_jwksuri(
             ingress_controller_prerequisites.namespace,
             jwt_cm_src,
         )
-        pol_name = create_policy_from_yaml(kube_apis.custom_objects, jwt_pol_invalid_src, test_namespace)
+        with open(jwt_pol_invalid_src) as f:
+            doc = yaml.safe_load(f)
+        pol_name = doc["metadata"]["name"]
+        doc["spec"]["jwt"]["jwksURI"] = doc["spec"]["jwt"]["jwksURI"].replace("default", test_namespace)
+        kube_apis.custom_objects.create_namespaced_custom_object("k8s.nginx.org", "v1", test_namespace, "policies", doc)
+        print(f"Policy created with name {pol_name}")
         wait_before_test()
 
         print(f"Patch vs with policy: {jwt_virtual_server}")
@@ -176,7 +303,7 @@ def test_jwt_invalid_policy_jwksuri(
             headers={"host": virtual_server_setup.vs_host},
         )
 
-        token = get_token(request)
+        token = keycloak_setup.token
 
         resp2 = requests.get(
             virtual_server_setup.backend_1_url,
@@ -204,6 +331,7 @@ def test_jwt_policy_subroute_jwksuri(
         crd_ingress_controller,
         virtual_server_setup,
         test_namespace,
+        keycloak_setup,
         jwt_virtual_server,
     ):
         """
@@ -215,7 +343,12 @@ def test_jwt_policy_subroute_jwksuri(
             ingress_controller_prerequisites.namespace,
             jwt_cm_src,
         )
-        pol_name = create_policy_from_yaml(kube_apis.custom_objects, jwt_pol_valid_src, test_namespace)
+        with open(jwt_pol_valid_src) as f:
+            doc = yaml.safe_load(f)
+        pol_name = doc["metadata"]["name"]
+        doc["spec"]["jwt"]["jwksURI"] = doc["spec"]["jwt"]["jwksURI"].replace("default", test_namespace)
+        kube_apis.custom_objects.create_namespaced_custom_object("k8s.nginx.org", "v1", test_namespace, "policies", doc)
+        print(f"Policy created with name {pol_name}")
         wait_before_test()
 
         print(f"Patch vs with policy: {jwt_virtual_server}")
@@ -237,7 +370,7 @@ def test_jwt_policy_subroute_jwksuri(
             wait_before_test()
             counter += 1
 
-        token = get_token(request)
+        token = keycloak_setup.token
 
         resp_valid_token = requests.get(
             virtual_server_setup.backend_1_url + "/subpath1",
@@ -265,6 +398,7 @@ def test_jwt_policy_subroute_jwksuri_multiple_vs(
         ingress_controller_prerequisites,
         crd_ingress_controller,
         virtual_server_setup,
+        keycloak_setup,
         test_namespace,
     ):
         """
@@ -276,7 +410,12 @@ def test_jwt_policy_subroute_jwksuri_multiple_vs(
             ingress_controller_prerequisites.namespace,
             jwt_cm_src,
         )
-        pol_name = create_policy_from_yaml(kube_apis.custom_objects, jwt_pol_valid_src, test_namespace)
+        with open(jwt_pol_valid_src) as f:
+            doc = yaml.safe_load(f)
+        pol_name = doc["metadata"]["name"]
+        doc["spec"]["jwt"]["jwksURI"] = doc["spec"]["jwt"]["jwksURI"].replace("default", test_namespace)
+        kube_apis.custom_objects.create_namespaced_custom_object("k8s.nginx.org", "v1", test_namespace, "policies", doc)
+        print(f"Policy created with name {pol_name}")
         wait_before_test()
 
         print(f"Patch first vs with policy: {jwt_vs_route_subpath_src}")
@@ -321,7 +460,7 @@ def test_jwt_policy_subroute_jwksuri_multiple_vs(
             wait_before_test()
             counter += 1
 
-        token = get_token(request)
+        token = keycloak_setup.token
 
         resp_1_valid_token = requests.get(
             virtual_server_setup.backend_1_url + "/subpath1",