freeipa/ipatests/pytest_ipa/integration/create_bridge.py
Scott Poore 899530bd40 ipatests: add keycloak user login to ipa test
Adding test case to test_sso.py to cover login to IPA client as Keycloak
user without relying on external IdP.

create_bridge.py:
- getkeytab in setup_scim_server to allow bridge to use IPA API.
- fix unintstall to remove plugin by version instead of main

test_sso.py:
- add keycloak_add_user function
- add test_ipa_login_with_sso_user

tasks.py:
- add set_user_password to only set password for ipa users

Fixes: https://pagure.io/freeipa/issue/9250
Signed-off-by: Scott Poore <spoore@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-10-20 08:48:53 -04:00

184 lines
6.8 KiB
Python

import re
import textwrap
from ipatests.pytest_ipa.integration import tasks
def setup_scim_server(host, version="main"):
dir = "/opt/ipa-tuura"
password = host.config.admin_password
tasks.install_packages(host, ["unzip", "java-11-openjdk-headless",
"openssl", "maven", "wget", "git",
"firefox", "xorg-x11-server-Xvfb",
"python3-pip"])
# Download ipa-tuura project
url = "https://github.com/freeipa/ipa-tuura"
host.run_command(["git", "clone", "-b", f"{version}", f"{url}", f"{dir}"])
# Prepare SSSD config
host.run_command(["python", "./prepare_sssd.py"],
cwd=f"{dir}/src/install")
# Get keytab for scim bridge service
master = host.domain.hosts_by_role("master")[0].hostname
princ = f"admin@{host.domain.realm}"
ktfile = "/root/scim.keytab"
sendpass = f"{password}\n{password}"
tasks.kdestroy_all(host)
tasks.kinit_admin(host)
host.run_command(["ipa-getkeytab", "-s", master, "-p", princ,
"-P", "-k", ktfile], stdin_text=sendpass)
host.run_command(["kinit", "-k", "-t", ktfile, princ])
# Install django requirements
django_reqs = f"{dir}/src/install/requirements.txt"
host.run_command(["pip", "install", "-r", f"{django_reqs}"])
# Prepare models and database
host.run_command(["python", "manage.py", "makemigrations", "ipatuura"],
cwd=f"{dir}/src/ipa-tuura")
host.run_command(["python", "manage.py", "migrate"],
cwd=f"{dir}/src/ipa-tuura")
# Add necessary admin vars to bashrc
env_vars = textwrap.dedent(f"""
export DJANGO_SUPERUSER_PASSWORD={password}
export DJANGO_SUPERUSER_USERNAME=scim
export DJANGO_SUPERUSER_EMAIL=scim@{host.domain.name}
""")
tasks.backup_file(host, '/etc/bashrc')
content = host.get_file_contents('/etc/bashrc', encoding='utf-8')
new_content = content + f"\n{env_vars}"
host.put_file_contents('/etc/bashrc', new_content)
host.run_command(['bash'])
# Create django admin
host.run_command(["python", "manage.py", "createsuperuser",
"--scim_username", "scim", "--noinput"],
cwd=f"{dir}/src/ipa-tuura")
# Open allowed hosts to any for testing
regex = r"^(ALLOWED_HOSTS) .*$"
replace = r"\1 = ['*']"
settings_file = f"{dir}/src/ipa-tuura/root/settings.py"
settings = host.get_file_contents(settings_file, encoding='utf-8')
new_settings = re.sub(regex, replace, settings, flags=re.MULTILINE)
host.put_file_contents(settings_file, new_settings)
# Setup keycloak service and config files
contents = textwrap.dedent(f"""
DJANGO_SUPERUSER_USERNAME=scim
DJANGO_SUPERUSER_PASSWORD={password}
DJANGO_SUPERUSER_EMAIL=scim@{host.domain.name}
""")
host.put_file_contents("/etc/sysconfig/scim", contents)
manage = f"{dir}/src/ipa-tuura/manage.py"
contents = textwrap.dedent(f"""
[Unit]
Description=SCIMv2 Bridge Server
After=network.target
[Service]
Type=idle
WorkingDirectory={dir}/src/ipa-tuura/
EnvironmentFile=/etc/sysconfig/scim
# Fix this later
# User=scim
# Group=scim
ExecStart=/usr/bin/python {manage} runserver 0.0.0.0:8000
TimeoutStartSec=600
TimeoutStopSec=600
[Install]
WantedBy=multi-user.target
""")
host.put_file_contents("/etc/systemd/system/scim.service", contents)
host.run_command(["systemctl", "daemon-reload"])
host.run_command(["systemctl", "start", "scim"])
def setup_keycloak_scim_plugin(host, bridge_server):
dir = "/opt/keycloak"
password = host.config.admin_password
# Install needed packages
tasks.install_packages(host, ["unzip", "java-11-openjdk-headless",
"openssl", "maven"])
# Add necessary admin vars to bashrc
env_vars = textwrap.dedent(f"""
export KEYCLOAK_PATH={dir}
""")
content = host.get_file_contents('/etc/bashrc', encoding='utf-8')
new_content = content + f"\n{env_vars}"
host.put_file_contents('/etc/bashrc', new_content)
host.run_command(['bash'])
# Download keycloak plugin
zipfile = "scim-keycloak-user-storage-spi/archive/refs/tags/0.1.zip"
url = f"https://github.com/justin-stephenson/{zipfile}"
dest = "/tmp/keycloak-scim-plugin.zip"
host.run_command(["wget", "-O", dest, url])
# Unzip keycloak plugin
host.run_command(["unzip", dest, "-d", "/tmp"])
# Install plugin
host.run_command(["./redeploy-plugin.sh"],
cwd="/tmp/scim-keycloak-user-storage-spi-0.1")
# Fix ownership of plugin files
host.run_command(["chown", "-R", "keycloak:keycloak", dir])
# Restore SELinux contexts
host.run_command(["restorecon", "-R", f"{dir}"])
# Rerun Keycloak build step and restart to pickup plugin
# This relies on the KC_* vars set in /etc/bashrc from create_keycloak.py
host.run_command(['su', '-', 'keycloak', '-c',
'/opt/keycloak/bin/kc.sh build'])
host.run_command(["systemctl", "restart", "keycloak"])
host.run_command(["/opt/keycloak/bin/kc.sh", "show-config"])
# Login to keycloak as admin
kcadmin_sh = "/opt/keycloak/bin/kcadm.sh"
kcadmin = [kcadmin_sh, "config", "credentials", "--server",
f"https://{host.hostname}:8443/auth/",
"--realm", "master", "--user", "admin",
"--password", password]
tasks.run_repeatedly(host, kcadmin, timeout=60)
# Configure SCIM User Storage to point to Bridge server
provider_type = "org.keycloak.storage.UserStorageProvider"
host.run_command([kcadmin_sh, "create", "components",
"-r", "master",
"-s", "name=scimprov",
"-s", "providerId=scim",
"-s", f"providerType={provider_type}",
"-s", "parentId=master",
"-s", f'config.scimurl=["{bridge_server}:8000"]',
"-s", 'config.loginusername=["scim"]',
"-s", f'config.loginpassword=["{password}"]'])
def uninstall_scim_server(host):
host.run_command(["systemctl", "stop", "scim"], raiseonerr=False)
host.run_command(["rm", "-rf", "/opt/ipa-tuura",
"/etc/sysconfig/scim",
"/etc/systemd/system/scim.service",
"/tmp/scim-keycloak-user-storage-spi-0.1",
"/tmp/keycloak-scim-plugin.zip",
"/root/scim.keytab"])
host.run_command(["systemctl", "daemon-reload"])
tasks.restore_files(host)
def uninstall_scim_plugin(host):
host.run_command(["rm", "-rf",
"/tmp/scim-keycloak-user-storage-spi-0.1",
"/tmp/keycloak-scim-plugin.zip"])