Add tests for authorization
carlesarnal committed Jan 31, 2025
1 parent 39b1e2d commit 35264bb
Showing 14 changed files with 427 additions and 106 deletions.
Expand Up @@ -46,6 +46,7 @@ public class EnvironmentVariables {
public static final String APICURIO_AUTH_ROLES_DEVELOPER = "APICURIO_AUTH_ROLES_DEVELOPER";
public static final String APICURIO_AUTH_ROLES_READONLY = "APICURIO_AUTH_ROLES_READONLY";
public static final String APICURIO_AUTH_ADMIN_OVERRIDE_ENABLED = "APICURIO_AUTH_ADMIN_OVERRIDE_ENABLED";
public static final String APICURIO_AUTH_ADMIN_OVERRIDE_ROLE = "APICURIO_AUTH_ADMIN_OVERRIDE_ROLE";
public static final String APICURIO_AUTH_ADMIN_OVERRIDE_FROM = "APICURIO_AUTH_ADMIN_OVERRIDE_FROM";
public static final String APICURIO_AUTH_ADMIN_OVERRIDE_TYPE = "APICURIO_AUTH_ADMIN_OVERRIDE_TYPE";
public static final String APICURIO_AUTH_ADMIN_OVERRIDE_CLAIM = "APICURIO_AUTH_ADMIN_OVERRIDE_CLAIM";
Expand Up @@ -26,10 +26,13 @@ public static void configureAdminOverride(AdminOverrideSpec adminOverrideSpec, M
return;
}

if (Boolean.parseBoolean(adminOverrideSpec.getEnabled())) {
if (adminOverrideSpec.getEnabled() != null && adminOverrideSpec.getEnabled()) {
env.put(EnvironmentVariables.APICURIO_AUTH_ADMIN_OVERRIDE_ENABLED,
createEnvVar(EnvironmentVariables.APICURIO_AUTH_ADMIN_OVERRIDE_ENABLED,
adminOverrideSpec.getEnabled()));
adminOverrideSpec.getEnabled().toString()));

putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_ADMIN_OVERRIDE_ROLE,
adminOverrideSpec.getRole());

putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_ADMIN_OVERRIDE_FROM,
adminOverrideSpec.getFrom());
Expand Up @@ -40,12 +40,15 @@ public static void configureAuth(AuthSpec authSpec, Deployment deployment, Map<S
putIfNotBlank(env, EnvironmentVariables.APICURIO_UI_AUTH_OIDC_LOGOUT_URL, authSpec.getLogoutURL());
putIfNotBlank(env, EnvironmentVariables.APICURIO_REGISTRY_AUTH_SERVER_URL,
authSpec.getAuthServerUrl());
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_ANONYMOUS_READ_ACCESS_ENABLED,
authSpec.getAnonymousReads().toString());

if (authSpec.getBasicAuth() != null && Boolean.parseBoolean(authSpec.getBasicAuth().getEnabled())) {
if (authSpec.getAnonymousReads() != null && authSpec.getAnonymousReads()) {
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_ANONYMOUS_READ_ACCESS_ENABLED,
authSpec.getAnonymousReads().toString());
}

if (authSpec.getBasicAuth() != null && authSpec.getBasicAuth().getEnabled()) {
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED,
authSpec.getBasicAuth().getEnabled());
authSpec.getBasicAuth().getEnabled().toString());
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_CACHE_EXPIRATION,
authSpec.getBasicAuth().getCacheExpiration());
}
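Review bot: The new condition `authSpec.getBasicAuth() != null && authSpec.getBasicAuth().getEnabled()` unboxes `getEnabled()` directly, so a CR that declares `basicAuth` but omits `enabled` (leaving the boxed Boolean null) throws a NullPointerException during reconciliation instead of simply leaving basic authentication off; the anonymousReads branch just above guards the same field shape with an explicit null check. The same unguarded unboxing appears at `if (authzSpec.getEnabled())` in the configureAuthz hunk, where a missing `enabled` would abort the whole authorization setup rather than fall back to a safe default. `if (authSpec.getBasicAuth() != null && Boolean.TRUE.equals(authSpec.getBasicAuth().getEnabled()))` treats null and false identically and avoids the double call. configureAuth begins before this hunk.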
Expand Up @@ -26,18 +26,29 @@ public static void configureAuthz(AuthzSpec authzSpec, Map<String, EnvVar> env)
return;
}

if (Boolean.parseBoolean(authzSpec.getEnabled())) {
env.put(EnvironmentVariables.APICURIO_AUTH_ROLE_BASED_AUTHORIZATION, createEnvVar(
EnvironmentVariables.APICURIO_AUTH_ROLE_BASED_AUTHORIZATION, authzSpec.getEnabled()));

putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_OWNER_ONLY_AUTHORIZATION,
authzSpec.getOwnerOnly());
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_OWNER_ONLY_AUTHORIZATION_LIMIT_GROUP_ACCESS,
authzSpec.getGroupAccess());
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_AUTHENTICATED_READ_ACCESS_ENABLED,
authzSpec.getReadAccess());
if (authzSpec.getEnabled()) {
env.put(EnvironmentVariables.APICURIO_AUTH_ROLE_BASED_AUTHORIZATION,
createEnvVar(EnvironmentVariables.APICURIO_AUTH_ROLE_BASED_AUTHORIZATION,
authzSpec.getEnabled().toString()));

if (authzSpec.getGroupAccess() != null && authzSpec.getGroupAccess()) {
putIfNotBlank(env,
EnvironmentVariables.APICURIO_AUTH_OWNER_ONLY_AUTHORIZATION_LIMIT_GROUP_ACCESS,
authzSpec.getGroupAccess().toString());
}

if (authzSpec.getOwnerOnly() != null && authzSpec.getOwnerOnly()) {
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_OWNER_ONLY_AUTHORIZATION,
authzSpec.getOwnerOnly().toString());
}

if (authzSpec.getReadAccess() != null && authzSpec.getReadAccess()) {
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_AUTHENTICATED_READ_ACCESS_ENABLED,
authzSpec.getReadAccess().toString());
}

putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_ROLE_SOURCE, authzSpec.getRoleSource());
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_ROLES_ADMIN, authzSpec.getDeveloperRole());
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_ROLES_ADMIN, authzSpec.getAdminRole());
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_ROLES_DEVELOPER,
authzSpec.getDeveloperRole());
putIfNotBlank(env, EnvironmentVariables.APICURIO_AUTH_ROLES_READONLY,
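Review bot: Authorization flags are written to the environment only when true: `if (authzSpec.getEnabled())` at the top of the block and the `groupAccess`, `ownerOnly` and `readAccess` guards all skip the env var when the CR sets the flag to `false`, so explicitly disabling a setting produces no `...=false` variable and the effective value is whatever the registry defaults to. That may be intended, but it is not visible from the code; a comment such as `// Only "true" is propagated; false or absent flags fall back to the registry defaults` above the block would record the contract, or writing `String.valueOf(flag)` for every non-null flag would make the CR value authoritative in both directions. The method's closing brace lies outside the hunk.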
Expand Up @@ -2,73 +2,41 @@

import io.apicurio.registry.operator.EnvironmentVariables;
import io.apicurio.registry.operator.api.v1.ApicurioRegistry3;
import io.fabric8.kubernetes.api.model.HasMetadata;
import io.fabric8.kubernetes.client.utils.Serialization;
import io.apicurio.registry.operator.api.v1.spec.auth.AuthSpec;
import io.quarkus.test.junit.QuarkusTest;
import org.awaitility.Awaitility;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.time.Duration;
import java.util.List;

import static io.apicurio.registry.operator.api.v1.ContainerNames.REGISTRY_APP_CONTAINER_NAME;
import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_APP;
import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_UI;
import static io.apicurio.registry.operator.resource.ResourceFactory.deserialize;
import static io.apicurio.registry.operator.resource.app.AppDeploymentResource.getContainerFromDeployment;
import static org.assertj.core.api.Assertions.assertThat;
import static org.awaitility.Awaitility.await;

@QuarkusTest
public class KeycloakITTest extends ITBase {

private static final Logger log = LoggerFactory.getLogger(KeycloakITTest.class);

@BeforeAll
public static void init() {
Awaitility.setDefaultTimeout(Duration.ofSeconds(60));
}
public class AuthITTest extends BaseAuthTest {

/**
* In this test, Keycloak is deployed using a self-signed certificate with the hostname set to the ingress
* value. TLS verification is disabled at the Apicurio Registry level, so even in that case the deployment
* works.
*/
@Test
void testKeycloakPlain() {
void testAuthTlsNoVerification() {
// Preparation, deploy Keycloak
List<HasMetadata> resources = Serialization
.unmarshal(KeycloakITTest.class.getResourceAsStream("/k8s/examples/auth/keycloak.yaml"));

createResources(resources, "Keycloak");

await().ignoreExceptions().untilAsserted(() -> {
assertThat(client.apps().deployments().withName("keycloak").get().getStatus().getReadyReplicas())
.isEqualTo(1);
});

createKeycloakDNSResolution("simple-keycloak.apps.cluster.example",
"keycloak." + namespace + ".svc.cluster.local");
ApicurioRegistry3 registry = prepareInfra("/k8s/examples/auth/keycloak.yaml",
"k8s/examples/auth/simple-with_keycloak.apicurioregistry3.yaml");
AuthSpec authSpec = registry.getSpec().getApp().getAuth();

// Deploy Registry
var registry = deserialize("k8s/examples/auth/simple-with_keycloak.apicurioregistry3.yaml",
ApicurioRegistry3.class);

registry.getMetadata().setNamespace(namespace);

var appAuthSpec = registry.getSpec().getApp().getAuth();

Assertions.assertEquals("registry-api", appAuthSpec.getAppClientId());
Assertions.assertEquals("apicurio-registry", appAuthSpec.getUiClientId());
Assertions.assertEquals(true, appAuthSpec.getEnabled());
Assertions.assertEquals("registry-api", authSpec.getAppClientId());
Assertions.assertEquals("apicurio-registry", authSpec.getUiClientId());
Assertions.assertEquals(true, authSpec.getEnabled());
Assertions.assertEquals("https://simple-keycloak.apps.cluster.example/realms/registry",
appAuthSpec.getAuthServerUrl());
Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getRedirectURI());
Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getLogoutURL());
authSpec.getAuthServerUrl());
Assertions.assertEquals("https://simple-ui.apps.cluster.example", authSpec.getRedirectURI());
Assertions.assertEquals("https://simple-ui.apps.cluster.example", authSpec.getLogoutURL());

Assertions.assertEquals("https://simple-ui.apps.cluster.example", authSpec.getLogoutURL());

client.resource(registry).create();

Expand Down Expand Up @@ -101,5 +69,12 @@ void testKeycloakPlain() {
+ "https://simple-ui.apps.cluster.example");
assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
.contains(EnvironmentVariables.OIDC_TLS_VERIFICATION + "=" + "none");

assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()).contains(
EnvironmentVariables.APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED + "=" + "true");
assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue()).contains(
EnvironmentVariables.APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_CACHE_EXPIRATION + "=" + "25");
assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
.contains(EnvironmentVariables.APICURIO_AUTH_ANONYMOUS_READ_ACCESS_ENABLED + "=" + "true");
}
}
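Review bot: The assertion `Assertions.assertEquals("https://simple-ui.apps.cluster.example", authSpec.getLogoutURL());` appears twice in testAuthTlsNoVerification, once alongside the redirect URI check and again on its own a couple of lines later; the second occurrence verifies nothing new and reads as a leftover from the rename to `authSpec`, so it should be removed or replaced by a spec-level check that the env assertions in the second hunk rely on, such as `Assertions.assertEquals(true, authSpec.getBasicAuth().getEnabled());` and `Assertions.assertEquals(true, authSpec.getAnonymousReads());`. In the second hunk the expression `assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())` is repeated for every expected variable; binding the mapped name=value view once and asserting `contains` on it would make the list of expected settings easier to read and extend. testAuthTlsNoVerification spans both hunks and continues between them outside the visible lines.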
Expand Up @@ -2,8 +2,7 @@

import io.apicurio.registry.operator.EnvironmentVariables;
import io.apicurio.registry.operator.api.v1.ApicurioRegistry3;
import io.fabric8.kubernetes.api.model.HasMetadata;
import io.fabric8.kubernetes.client.utils.Serialization;
import io.apicurio.registry.operator.api.v1.spec.auth.AuthSpec;
import io.quarkus.test.junit.QuarkusTest;
import org.awaitility.Awaitility;
import org.junit.jupiter.api.Assertions;
Expand All @@ -13,20 +12,17 @@
import org.slf4j.LoggerFactory;

import java.time.Duration;
import java.util.List;

import static io.apicurio.registry.operator.api.v1.ContainerNames.REGISTRY_APP_CONTAINER_NAME;
import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_APP;
import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_UI;
import static io.apicurio.registry.operator.resource.ResourceFactory.deserialize;
import static io.apicurio.registry.operator.resource.app.AppDeploymentResource.getContainerFromDeployment;
import static org.assertj.core.api.Assertions.assertThat;
import static org.awaitility.Awaitility.await;

@QuarkusTest
public class KeycloakTLSITTest extends ITBase {
public class AuthTLSITTest extends BaseAuthTest {

private static final Logger log = LoggerFactory.getLogger(KeycloakTLSITTest.class);
private static final Logger log = LoggerFactory.getLogger(AuthTLSITTest.class);

@BeforeAll
public static void init() {
Expand All @@ -39,36 +35,18 @@ public static void init() {
* Quarkus application using the custom resource.
*/
@Test
void testKeycloakTLS() {
// Preparation, deploy Keycloak
List<HasMetadata> resources = Serialization
.unmarshal(KeycloakTLSITTest.class.getResourceAsStream("/k8s/examples/auth/keycloak.yaml"));

createResources(resources, "Keycloak");

await().ignoreExceptions().untilAsserted(() -> {
assertThat(client.apps().deployments().withName("keycloak").get().getStatus().getReadyReplicas())
.isEqualTo(1);
});

createKeycloakDNSResolution("simple-keycloak.apps.cluster.example",
"keycloak." + namespace + ".svc.cluster.local");

// Deploy Registry
var registry = deserialize("k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml",
ApicurioRegistry3.class);

registry.getMetadata().setNamespace(namespace);

var appAuthSpec = registry.getSpec().getApp().getAuth();

Assertions.assertEquals("registry-api", appAuthSpec.getAppClientId());
Assertions.assertEquals("apicurio-registry", appAuthSpec.getUiClientId());
Assertions.assertEquals(true, appAuthSpec.getEnabled());
void testAuthTlsVerification() {
ApicurioRegistry3 registry = prepareInfra("/k8s/examples/auth/keycloak.yaml",
"k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml");
AuthSpec authSpec = registry.getSpec().getApp().getAuth();

Assertions.assertEquals("registry-api", authSpec.getAppClientId());
Assertions.assertEquals("apicurio-registry", authSpec.getUiClientId());
Assertions.assertEquals(true, authSpec.getEnabled());
Assertions.assertEquals("https://simple-keycloak.apps.cluster.example/realms/registry",
appAuthSpec.getAuthServerUrl());
Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getRedirectURI());
Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getLogoutURL());
authSpec.getAuthServerUrl());
Assertions.assertEquals("https://simple-ui.apps.cluster.example", authSpec.getRedirectURI());
Assertions.assertEquals("https://simple-ui.apps.cluster.example", authSpec.getLogoutURL());

client.resource(registry).create();

