Use tls in oauth providers and rabbitmq

(cherry picked from commit 6bf27a2)

# Conflicts:
#	selenium/bin/gen-env-file
#	selenium/test/authnz-msg-protocols/env.local
#	selenium/test/multi-oauth/env.local.devkeycloak
#	selenium/test/multi-oauth/env.local.prodkeycloak
#	selenium/test/oauth/env.local.keycloak

Author: MarcialRosales

.github/workflows/test-authnz.yaml

@@ -24,8 +24,8 @@ on:
       - 'deps/rabbitmq_auth_/**'
       - 'deps/rabbitmq_mqtt/**'
       - 'deps/rabbitmq_management/selenium/full-suite-authnz-messaging'
-      - 'deps/rabbitmq_management/selenium/suites/authnz-messaging'
-      - 'deps/rabbitmq_management/selenium/test/authnz-msg-protocols'
+      - 'deps/rabbitmq_management/selenium/suites/authnz-messaging/**'
+      - 'deps/rabbitmq_management/selenium/test/authnz-msg-protocols/**'
       - .github/workflows/test-authnz.yaml
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -95,7 +95,9 @@ jobs:
       run: |
         RABBITMQ_DOCKER_IMAGE=bazel/packaging/docker-image:rabbitmq-amd64 \
          ${SELENIUM_DIR}/run-suites.sh full-suite-authnz-messaging
-
+        mkdir -p /tmp/full-suite-authnz-messaging
+        mv /tmp/selenium/* /tmp/full-suite-authnz-messaging
+        
     - name: Upload Test Artifacts
       if: always()
       uses: actions/[email protected]

.github/workflows/test-management-ui-for-pr.yaml

@@ -75,11 +75,7 @@ jobs:
             ${SELENIUM_DIR}/run-suites.sh
         mkdir -p /tmp/full-suite
         mv /tmp/selenium/* /tmp/full-suite
-        mkdir -p /tmp/full-suite/logs
-        mv ${SELENIUM_DIR}/logs/* /tmp/full-suite/logs
-        mkdir -p /tmp/full-suite/screens
-        mv ${SELENIUM_DIR}/screens/* /tmp/full-suite/screens
-
+        
     - name: Upload Test Artifacts
       if: always()
       uses: actions/[email protected]

.github/workflows/test-management-ui.yaml

@@ -90,11 +90,7 @@ jobs:
             ADDON_PROFILES=cluster ${SELENIUM_DIR}/run-suites.sh short-suite-management-ui
         mkdir -p /tmp/short-suite
         mv /tmp/selenium/* /tmp/short-suite
-        mkdir -p /tmp/short-suite/logs
-        mv ${SELENIUM_DIR}/logs/* /tmp/short-suite/logs
-        mkdir -p /tmp/short-suite/screens
-        mv ${SELENIUM_DIR}/screens/* /tmp/short-suite/screens
-
+        
     - name: Upload Test Artifacts
       if: always()
       uses: actions/[email protected]

selenium/.gitignore

@@ -7,3 +7,10 @@ suites/screens/*
 test/oauth/*/h2/*.trace.db
 test/oauth/*/h2/*.lock.db
 */target/*
+tls-gen
+test/*/certs/*.pem
+test/*/certs/*.p12
+test/*/certs/*.jks
+test/*/*/*.pem
+test/*/*/*.p12
+test/*/*/*.jks

selenium/amqp10-roundtriptest/src/main/java/com/rabbitmq/amqp1_0/RoundTripTest.java

@@ -15,15 +15,45 @@ public class RoundTripTest {
   public static String getEnv(String property, String defaultValue) {
     return System.getenv(property) == null ? defaultValue : System.getenv(property);
   }
+  public static String getEnv(String property) {
+    String value = System.getenv(property);
+    if (value == null) {
+      throw new IllegalArgumentException("Missing env variable " + property);
+    }
+    return value;
+  }
   public static void main(String args[]) throws Exception {
     String hostname = getEnv("RABBITMQ_HOSTNAME", "localhost");
     String port = getEnv("RABBITMQ_AMQP_PORT", "5672");
     String scheme = getEnv("RABBITMQ_AMQP_SCHEME", "amqp");
+    String uri = scheme + "://" + hostname + ":" + port;
     String username = args.length > 0 ? args[0] : getEnv("RABBITMQ_AMQP_USERNAME", "guest");
     String password = args.length > 1 ? args[1] : getEnv("RABBITMQ_AMQP_PASSWORD", "guest");
-    String uri = scheme + "://" + hostname + ":" + port;
+    
+    boolean usemtls = Boolean.parseBoolean(getEnv("AMQP_USE_MTLS", "false"));
+    String certsLocation = getEnv("RABBITMQ_CERTS");
+    
+    if ("amqps".equals(scheme)) {
+      List<String> connectionParams = new ArrayList<String>();
+
+      connectionParams.add("transport.trustStoreLocation=" + certsLocation + "/truststore.jks");
+      connectionParams.add("transport.trustStorePassword=foobar");
+      connectionParams.add("transport.verifyHost=true");  
+      connectionParams.add("transport.trustAll=true");    
 
-    System.out.println("AMQPS Roundrip using uri " + uri);
+      if (usemtls) {
+        connectionParams.add("amqp.saslMechanisms=EXTERNAL");
+        connectionParams.add("transport.keyStoreLocation=" + certsLocation + "/client_rabbitmq.jks");
+        connectionParams.add("transport.keyStorePassword=foobar");
+        connectionParams.add("transport.keyAlias=client-rabbitmq-tls");
+      }
+      if (!connectionParams.isEmpty()) {
+        uri = uri + "?" + String.join("&", connectionParams);       
+        System.out.println("Using AMQP URI " + uri);
+      }
+    }
+
+    assertNotNull(uri);
 
     Hashtable<Object, Object> env = new Hashtable<>();
     env.put(Context.INITIAL_CONTEXT_FACTORY, "org.apache.qpid.jms.jndi.JmsInitialContextFactory");
@@ -33,12 +63,11 @@ public static void main(String args[]) throws Exception {
     env.put("jms.requestTimeout", 5);
     javax.naming.Context context = new javax.naming.InitialContext(env);
 
-    assertNotNull(uri);
-
     ConnectionFactory factory = (ConnectionFactory) context.lookup("myFactoryLookup");
     Destination queue = (Destination) context.lookup("myQueueLookup");
 
-    try (Connection connection = factory.createConnection(username, password)) {
+    try (Connection connection = 
+                      createConnection(factory, usemtls, username, password)) {
       connection.start();
 
       Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
@@ -56,5 +85,12 @@ public static void main(String args[]) throws Exception {
 
       assertEquals(message.getText(), receivedMessage.getText());
     }
+  }  
+  private static Connection createConnection(ConnectionFactory factory, 
+      boolean usemtls, String username, String password) throws jakarta.jms.JMSException {
+    if (usemtls) {
+      return factory.createConnection();      
+    }
+    return factory.createConnection(username, password);
   }
 }

selenium/bin/components/devkeycloak

@@ -9,6 +9,9 @@ init_devkeycloak() {
   print "> DEVKEYCLOAK_CONFIG_DIR: ${DEVKEYCLOAK_CONFIG_DIR}"
   print "> DEVKEYCLOAK_URL: ${DEVKEYCLOAK_URL}"
   print "> DEVKEYCLOAK_DOCKER_IMAGE: ${KEYCLOAK_DOCKER_IMAGE}"
+
+  generate-ca-server-client-kpi devkeycloak $DEVKEYCLOAK_CONFIG_DIR
+
 }
 ensure_devkeycloak() {
   if docker ps | grep devkeycloak &> /dev/null; then

selenium/bin/components/fakeportal

@@ -1,3 +1,10 @@
+#!/usr/bin/env bash
+
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [[ ! -z "${DEBUG}" ]]; then
+  set -x
+fi
 
 ensure_fakeportal() {
   if docker ps | grep fakeportal &> /dev/null; then
@@ -9,7 +16,7 @@ ensure_fakeportal() {
 
 init_fakeportal() {
   FAKEPORTAL_URL=${FAKEPORTAL_URL:-http://fakeportal:3000}
-  FAKEPORTAL_DIR=${SCRIPT}/../fakeportal
+  FAKEPORTAL_DIR=${SCRIPT}/../../fakeportal
   CLIENT_ID="${CLIENT_ID:-rabbit_idp_user}"
   CLIENT_SECRET="${CLIENT_SECRET:-rabbit_idp_user}"
   RABBITMQ_HOST=${RABBITMQ_HOST:-proxy:9090}
@@ -44,6 +51,8 @@ start_fakeportal() {
     --env UAA_URL="${UAA_URL_FOR_FAKEPORTAL}" \
     --env CLIENT_ID="${CLIENT_ID}" \
     --env CLIENT_SECRET="${CLIENT_SECRET}" \
+    --env NODE_EXTRA_CA_CERTS=/etc/uaa/ca_uaa_certificate.pem \
+    -v ${TEST_CONFIG_PATH}/uaa:/etc/uaa \
     -v ${FAKEPORTAL_DIR}:/code/fakeportal \
     mocha-test:${mocha_test_tag} run fakeportal
 

selenium/bin/components/fakeproxy

@@ -1,4 +1,10 @@
+#!/usr/bin/env bash
 
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [[ ! -z "${DEBUG}" ]]; then
+  set -x
+fi
 
 ensure_fakeproxy() {
   if docker ps | grep fakeproxy &> /dev/null; then
@@ -10,7 +16,7 @@ ensure_fakeproxy() {
 
 init_fakeproxy() {
   FAKEPROXY_URL=${FAKEPROXY_URL:-http://fakeproxy:9090}
-  FAKEPROXY_DIR=${SCRIPT}/../fakeportal
+  FAKEPROXY_DIR=${SCRIPT}/../../fakeportal
   CLIENT_ID="${CLIENT_ID:-rabbit_idp_user}"
   CLIENT_SECRET="${CLIENT_SECRET:-rabbit_idp_user}"
   RABBITMQ_HOST_FOR_FAKEPROXY=${RABBITMQ_HOST_FOR_FAKEPROXY:-rabbitmq:15672}
@@ -43,6 +49,8 @@ start_fakeproxy() {
     --env UAA_URL="${UAA_URL_FOR_FAKEPROXY}" \
     --env CLIENT_ID="${CLIENT_ID}" \
     --env CLIENT_SECRET="${CLIENT_SECRET}" \
+    --env NODE_EXTRA_CA_CERTS=/etc/uaa/ca_uaa_certificate.pem \
+    -v ${TEST_CONFIG_PATH}/uaa:/etc/uaa \
     -v ${FAKEPROXY_DIR}:/code/fakeportal \
     mocha-test:${mocha_test_tag} run fakeproxy
 

selenium/bin/components/keycloak

@@ -17,6 +17,9 @@ init_keycloak() {
   print "> KEYCLOAK_CONFIG_DIR: ${KEYCLOAK_CONFIG_DIR}"
   print "> KEYCLOAK_URL: ${KEYCLOAK_URL}"
   print "> KEYCLOAK_DOCKER_IMAGE: ${KEYCLOAK_DOCKER_IMAGE}"
+
+  generate-ca-server-client-kpi keycloak $KEYCLOAK_CONFIG_DIR
+
 }
 start_keycloak() {
   begin "Starting keycloak ..."
@@ -44,7 +47,7 @@ start_keycloak() {
     --https-certificate-file=/opt/keycloak/data/import/server_keycloak_certificate.pem \
     --https-certificate-key-file=/opt/keycloak/data/import/server_keycloak_key.pem
 
-  wait_for_oidc_endpoint keycloak $KEYCLOAK_URL $MOUNT_KEYCLOAK_CONF_DIR/ca_certificate.pem
+  wait_for_oidc_endpoint keycloak $KEYCLOAK_URL $MOUNT_KEYCLOAK_CONF_DIR/ca_keycloak_certificate.pem
   end "Keycloak is ready"
 
   print " Note: If you modify keycloak configuration. Make sure to run the following command to export the configuration."

selenium/bin/components/prodkeycloak

@@ -16,6 +16,9 @@ init_prodkeycloak() {
   print "> PRODKEYCLOAK_CONFIG_DIR: ${PRODKEYCLOAK_CONFIG_DIR}"
   print "> PRODKEYCLOAK_URL: ${PRODKEYCLOAK_URL}"
   print "> KEYCLOAK_DOCKER_IMAGE: ${KEYCLOAK_DOCKER_IMAGE}"
+
+    generate-ca-server-client-kpi prodkeycloak $PRODKEYCLOAK_CONFIG_DIR
+
 }
 start_prodkeycloak() {
   begin "Starting prodkeycloak ..."