Use tls in oauth providers and rabbitmq

(cherry picked from commit 6bf27a2) # Conflicts: # selenium/bin/gen-env-file # selenium/test/authnz-msg-protocols/env.local # selenium/test/multi-oauth/env.local.devkeycloak # selenium/test/multi-oauth/env.local.prodkeycloak # selenium/test/oauth/env.local.keycloak
rabbitmq · Nov 14, 2024 · 5d79eb0 · 5d79eb0
1 parent 2c0725f
commit 5d79eb0
Show file tree

Hide file tree

Showing 66 changed files with 525 additions and 426 deletions.
diff --git a/.github/workflows/test-authnz.yaml b/.github/workflows/test-authnz.yaml
@@ -24,8 +24,8 @@ on:
       - 'deps/rabbitmq_auth_/**'
       - 'deps/rabbitmq_mqtt/**'
       - 'deps/rabbitmq_management/selenium/full-suite-authnz-messaging'
-      - 'deps/rabbitmq_management/selenium/suites/authnz-messaging'
-      - 'deps/rabbitmq_management/selenium/test/authnz-msg-protocols'
+      - 'deps/rabbitmq_management/selenium/suites/authnz-messaging/**'
+      - 'deps/rabbitmq_management/selenium/test/authnz-msg-protocols/**'
       - .github/workflows/test-authnz.yaml
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -95,7 +95,9 @@ jobs:
       run: |
         RABBITMQ_DOCKER_IMAGE=bazel/packaging/docker-image:rabbitmq-amd64 \
          ${SELENIUM_DIR}/run-suites.sh full-suite-authnz-messaging
-
+        mkdir -p /tmp/full-suite-authnz-messaging
+        mv /tmp/selenium/* /tmp/full-suite-authnz-messaging
+        
     - name: Upload Test Artifacts
       if: always()
       uses: actions/[email protected]

diff --git a/.github/workflows/test-management-ui-for-pr.yaml b/.github/workflows/test-management-ui-for-pr.yaml
@@ -75,11 +75,7 @@ jobs:
             ${SELENIUM_DIR}/run-suites.sh
         mkdir -p /tmp/full-suite
         mv /tmp/selenium/* /tmp/full-suite
-        mkdir -p /tmp/full-suite/logs
-        mv ${SELENIUM_DIR}/logs/* /tmp/full-suite/logs
-        mkdir -p /tmp/full-suite/screens
-        mv ${SELENIUM_DIR}/screens/* /tmp/full-suite/screens
-
+        
     - name: Upload Test Artifacts
       if: always()
       uses: actions/[email protected]

diff --git a/.github/workflows/test-management-ui.yaml b/.github/workflows/test-management-ui.yaml
@@ -90,11 +90,7 @@ jobs:
             ADDON_PROFILES=cluster ${SELENIUM_DIR}/run-suites.sh short-suite-management-ui
         mkdir -p /tmp/short-suite
         mv /tmp/selenium/* /tmp/short-suite
-        mkdir -p /tmp/short-suite/logs
-        mv ${SELENIUM_DIR}/logs/* /tmp/short-suite/logs
-        mkdir -p /tmp/short-suite/screens
-        mv ${SELENIUM_DIR}/screens/* /tmp/short-suite/screens
-
+        
     - name: Upload Test Artifacts
       if: always()
       uses: actions/[email protected]

diff --git a/selenium/.gitignore b/selenium/.gitignore
@@ -7,3 +7,10 @@ suites/screens/*
 test/oauth/*/h2/*.trace.db
 test/oauth/*/h2/*.lock.db
 */target/*
+tls-gen
+test/*/certs/*.pem
+test/*/certs/*.p12
+test/*/certs/*.jks
+test/*/*/*.pem
+test/*/*/*.p12
+test/*/*/*.jks
diff --git a/selenium/amqp10-roundtriptest/src/main/java/com/rabbitmq/amqp1_0/RoundTripTest.java b/selenium/amqp10-roundtriptest/src/main/java/com/rabbitmq/amqp1_0/RoundTripTest.java
@@ -15,15 +15,45 @@ public class RoundTripTest {
   public static String getEnv(String property, String defaultValue) {
     return System.getenv(property) == null ? defaultValue : System.getenv(property);
   }
+  public static String getEnv(String property) {
+    String value = System.getenv(property);
+    if (value == null) {
+      throw new IllegalArgumentException("Missing env variable " + property);
+    }
+    return value;
+  }
   public static void main(String args[]) throws Exception {
     String hostname = getEnv("RABBITMQ_HOSTNAME", "localhost");
     String port = getEnv("RABBITMQ_AMQP_PORT", "5672");
     String scheme = getEnv("RABBITMQ_AMQP_SCHEME", "amqp");
+    String uri = scheme + "://" + hostname + ":" + port;
     String username = args.length > 0 ? args[0] : getEnv("RABBITMQ_AMQP_USERNAME", "guest");
     String password = args.length > 1 ? args[1] : getEnv("RABBITMQ_AMQP_PASSWORD", "guest");
-    String uri = scheme + "://" + hostname + ":" + port;
+
+    boolean usemtls = Boolean.parseBoolean(getEnv("AMQP_USE_MTLS", "false"));
+    String certsLocation = getEnv("RABBITMQ_CERTS");
+
+    if ("amqps".equals(scheme)) {
+      List<String> connectionParams = new ArrayList<String>();
+
+      connectionParams.add("transport.trustStoreLocation=" + certsLocation + "/truststore.jks");
+      connectionParams.add("transport.trustStorePassword=foobar");
+      connectionParams.add("transport.verifyHost=true");  
+      connectionParams.add("transport.trustAll=true");    
 
-    System.out.println("AMQPS Roundrip using uri " + uri);
+      if (usemtls) {
+        connectionParams.add("amqp.saslMechanisms=EXTERNAL");
+        connectionParams.add("transport.keyStoreLocation=" + certsLocation + "/client_rabbitmq.jks");
+        connectionParams.add("transport.keyStorePassword=foobar");
+        connectionParams.add("transport.keyAlias=client-rabbitmq-tls");
+      }
+      if (!connectionParams.isEmpty()) {
+        uri = uri + "?" + String.join("&", connectionParams);       
+        System.out.println("Using AMQP URI " + uri);
+      }
+    }
+
+    assertNotNull(uri);
 
     Hashtable<Object, Object> env = new Hashtable<>();
     env.put(Context.INITIAL_CONTEXT_FACTORY, "org.apache.qpid.jms.jndi.JmsInitialContextFactory");
@@ -33,12 +63,11 @@ public static void main(String args[]) throws Exception {
     env.put("jms.requestTimeout", 5);
     javax.naming.Context context = new javax.naming.InitialContext(env);
 
-    assertNotNull(uri);
-
     ConnectionFactory factory = (ConnectionFactory) context.lookup("myFactoryLookup");
     Destination queue = (Destination) context.lookup("myQueueLookup");
 
-    try (Connection connection = factory.createConnection(username, password)) {
+    try (Connection connection = 
+                      createConnection(factory, usemtls, username, password)) {
       connection.start();
 
       Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
@@ -56,5 +85,12 @@ public static void main(String args[]) throws Exception {
 
       assertEquals(message.getText(), receivedMessage.getText());
     }
+  }  
+  private static Connection createConnection(ConnectionFactory factory, 
+      boolean usemtls, String username, String password) throws jakarta.jms.JMSException {
+    if (usemtls) {
+      return factory.createConnection();      
+    }
+    return factory.createConnection(username, password);
   }
 }
diff --git a/selenium/bin/components/devkeycloak b/selenium/bin/components/devkeycloak
@@ -9,6 +9,9 @@ init_devkeycloak() {
   print "> DEVKEYCLOAK_CONFIG_DIR: ${DEVKEYCLOAK_CONFIG_DIR}"
   print "> DEVKEYCLOAK_URL: ${DEVKEYCLOAK_URL}"
   print "> DEVKEYCLOAK_DOCKER_IMAGE: ${KEYCLOAK_DOCKER_IMAGE}"
+
+  generate-ca-server-client-kpi devkeycloak $DEVKEYCLOAK_CONFIG_DIR
+
 }
 ensure_devkeycloak() {
   if docker ps | grep devkeycloak &> /dev/null; then

diff --git a/selenium/bin/components/fakeportal b/selenium/bin/components/fakeportal
@@ -1,3 +1,10 @@
+#!/usr/bin/env bash
+
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [[ ! -z "${DEBUG}" ]]; then
+  set -x
+fi
 
 ensure_fakeportal() {
   if docker ps | grep fakeportal &> /dev/null; then
@@ -9,7 +16,7 @@ ensure_fakeportal() {
 
 init_fakeportal() {
   FAKEPORTAL_URL=${FAKEPORTAL_URL:-http://fakeportal:3000}
-  FAKEPORTAL_DIR=${SCRIPT}/../fakeportal
+  FAKEPORTAL_DIR=${SCRIPT}/../../fakeportal
   CLIENT_ID="${CLIENT_ID:-rabbit_idp_user}"
   CLIENT_SECRET="${CLIENT_SECRET:-rabbit_idp_user}"
   RABBITMQ_HOST=${RABBITMQ_HOST:-proxy:9090}
@@ -44,6 +51,8 @@ start_fakeportal() {
     --env UAA_URL="${UAA_URL_FOR_FAKEPORTAL}" \
     --env CLIENT_ID="${CLIENT_ID}" \
     --env CLIENT_SECRET="${CLIENT_SECRET}" \
+    --env NODE_EXTRA_CA_CERTS=/etc/uaa/ca_uaa_certificate.pem \
+    -v ${TEST_CONFIG_PATH}/uaa:/etc/uaa \
     -v ${FAKEPORTAL_DIR}:/code/fakeportal \
     mocha-test:${mocha_test_tag} run fakeportal
 

diff --git a/selenium/bin/components/fakeproxy b/selenium/bin/components/fakeproxy
@@ -1,4 +1,10 @@
+#!/usr/bin/env bash
 
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [[ ! -z "${DEBUG}" ]]; then
+  set -x
+fi
 
 ensure_fakeproxy() {
   if docker ps | grep fakeproxy &> /dev/null; then
@@ -10,7 +16,7 @@ ensure_fakeproxy() {
 
 init_fakeproxy() {
   FAKEPROXY_URL=${FAKEPROXY_URL:-http://fakeproxy:9090}
-  FAKEPROXY_DIR=${SCRIPT}/../fakeportal
+  FAKEPROXY_DIR=${SCRIPT}/../../fakeportal
   CLIENT_ID="${CLIENT_ID:-rabbit_idp_user}"
   CLIENT_SECRET="${CLIENT_SECRET:-rabbit_idp_user}"
   RABBITMQ_HOST_FOR_FAKEPROXY=${RABBITMQ_HOST_FOR_FAKEPROXY:-rabbitmq:15672}
@@ -43,6 +49,8 @@ start_fakeproxy() {
     --env UAA_URL="${UAA_URL_FOR_FAKEPROXY}" \
     --env CLIENT_ID="${CLIENT_ID}" \
     --env CLIENT_SECRET="${CLIENT_SECRET}" \
+    --env NODE_EXTRA_CA_CERTS=/etc/uaa/ca_uaa_certificate.pem \
+    -v ${TEST_CONFIG_PATH}/uaa:/etc/uaa \
     -v ${FAKEPROXY_DIR}:/code/fakeportal \
     mocha-test:${mocha_test_tag} run fakeproxy
 

diff --git a/selenium/bin/components/keycloak b/selenium/bin/components/keycloak
@@ -17,6 +17,9 @@ init_keycloak() {
   print "> KEYCLOAK_CONFIG_DIR: ${KEYCLOAK_CONFIG_DIR}"
   print "> KEYCLOAK_URL: ${KEYCLOAK_URL}"
   print "> KEYCLOAK_DOCKER_IMAGE: ${KEYCLOAK_DOCKER_IMAGE}"
+
+  generate-ca-server-client-kpi keycloak $KEYCLOAK_CONFIG_DIR
+
 }
 start_keycloak() {
   begin "Starting keycloak ..."
@@ -44,7 +47,7 @@ start_keycloak() {
     --https-certificate-file=/opt/keycloak/data/import/server_keycloak_certificate.pem \
     --https-certificate-key-file=/opt/keycloak/data/import/server_keycloak_key.pem
 
-  wait_for_oidc_endpoint keycloak $KEYCLOAK_URL $MOUNT_KEYCLOAK_CONF_DIR/ca_certificate.pem
+  wait_for_oidc_endpoint keycloak $KEYCLOAK_URL $MOUNT_KEYCLOAK_CONF_DIR/ca_keycloak_certificate.pem
   end "Keycloak is ready"
 
   print " Note: If you modify keycloak configuration. Make sure to run the following command to export the configuration."

diff --git a/selenium/bin/components/prodkeycloak b/selenium/bin/components/prodkeycloak
@@ -16,6 +16,9 @@ init_prodkeycloak() {
   print "> PRODKEYCLOAK_CONFIG_DIR: ${PRODKEYCLOAK_CONFIG_DIR}"
   print "> PRODKEYCLOAK_URL: ${PRODKEYCLOAK_URL}"
   print "> KEYCLOAK_DOCKER_IMAGE: ${KEYCLOAK_DOCKER_IMAGE}"
+
+    generate-ca-server-client-kpi prodkeycloak $PRODKEYCLOAK_CONFIG_DIR
+
 }
 start_prodkeycloak() {
   begin "Starting prodkeycloak ..."

diff --git a/selenium/bin/components/rabbitmq b/selenium/bin/components/rabbitmq
@@ -1,6 +1,9 @@
 
 #!/usr/bin/env bash
 
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+
 init_rabbitmq() {
   RABBITMQ_CONFIG_DIR=${TEST_CONFIG_DIR}
   RABBITMQ_DOCKER_IMAGE=${RABBITMQ_DOCKER_IMAGE:-rabbitmq}
@@ -10,6 +13,13 @@ init_rabbitmq() {
   [[ -z "${OAUTH_SERVER_CONFIG_BASEDIR}" ]] || print "> OAUTH_SERVER_CONFIG_BASEDIR: ${OAUTH_SERVER_CONFIG_BASEDIR}"
   [[ -z "${OAUTH_SERVER_CONFIG_DIR}" ]] || print "> OAUTH_SERVER_CONFIG_DIR: ${OAUTH_SERVER_CONFIG_DIR}"
 
+  if [[ ! -d "${RABBITMQ_CONFIG_DIR}/certs" ]]; then 
+    mkdir ${RABBITMQ_CONFIG_DIR}/certs
+  fi 
+  generate-ca-server-client-kpi rabbitmq $RABBITMQ_CONFIG_DIR/certs
+  generate-server-keystore-if-required rabbitmq $RABBITMQ_CONFIG_DIR/certs
+  generate-client-keystore-if-required rabbitmq $RABBITMQ_CONFIG_DIR/certs
+  generate-truststore-if-required rabbitmq $RABBITMQ_CONFIG_DIR/certs
 }
 
 start_rabbitmq() {
@@ -157,7 +167,7 @@ start_docker_rabbitmq() {
   if [ -f ${RABBITMQ_CONFIG_DIR}/enabled_plugins ]; then
       cp ${RABBITMQ_CONFIG_DIR}/enabled_plugins $CONF_DIR/rabbitmq
   fi
-  if [ -d ${RABBITMQ_CONFIG_DIR}/certs ]; then
+  if [ -d "${RABBITMQ_CONFIG_DIR}/certs" ]; then      
       cp -r ${RABBITMQ_CONFIG_DIR}/certs $CONF_DIR/rabbitmq
   fi
   if [ -d ${RABBITMQ_CONFIG_DIR}/imports ]; then
@@ -175,10 +185,10 @@ start_docker_rabbitmq() {
     -p 15672:15672 \
     -p 15671:15671 \
     -v $CONF_DIR/rabbitmq/:/etc/rabbitmq \
-    -v $CONF_DIR/rabbitmq/:/var/rabbitmq \
+    -v $CONF_DIR/rabbitmq/imports:/var/rabbitmq/imports \
     -v ${TEST_DIR}:/config \
     ${RABBITMQ_DOCKER_IMAGE}
-
+    
   wait_for_message rabbitmq "Server startup complete"
   end "RabbitMQ ready"
 }
diff --git a/selenium/bin/components/uaa b/selenium/bin/components/uaa
@@ -16,6 +16,9 @@ init_uaa() {
   print "> UAA_CONFIG_DIR: ${UAA_CONFIG_DIR}"
   print "> UAA_URL: ${UAA_URL}"
   print "> UAA_DOCKER_IMAGE: ${UAA_DOCKER_IMAGE}"
+
+  generate-ca-server-client-kpi uaa $UAA_CONFIG_DIR
+  generate-server-keystore-if-required uaa $UAA_CONFIG_DIR
 }
 start_uaa() {
   begin "Starting UAA ..."
@@ -34,12 +37,13 @@ start_uaa() {
     --detach \
     --name uaa \
     --net ${DOCKER_NETWORK} \
-    --publish 8080:8080 \
-    --mount "type=bind,source=$MOUNT_UAA_CONF_DIR,target=/uaa" \
+    --publish 8443:8443 \
+    -v ${MOUNT_UAA_CONF_DIR}:/uaa \
+    -v ${UAA_CONFIG_DIR}/server.xml:/layers/paketo-buildpacks_apache-tomcat/catalina-base/conf/server.xml \
     --env UAA_CONFIG_PATH="/uaa" \
-    --env JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom" \
+    --env JAVA_OPTS="-Djava.security.policy=unlimited -Djava.security.egd=file:/dev/./urandom" \
     ${UAA_DOCKER_IMAGE}
-
+   
   wait_for_oidc_endpoint uaa $UAA_URL
   end "UAA is ready"
 }
diff --git a/selenium/bin/gen-env-file b/selenium/bin/gen-env-file
@@ -1,7 +1,10 @@
 #!/usr/bin/env bash
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-#set -x
+if [[ ! -z "${DEBUG}" ]]; then
+  set -x
+fi
+
 
 ENV_FILE="/tmp/rabbitmq/.env"
 FIND_PATH=$1
@@ -13,6 +16,11 @@ generate_env_file() {
   mkdir -p $parentdir
   echo "#!/usr/bin/env bash" > $ENV_FILE
   echo "set -u" >> $ENV_FILE
+<<<<<<< HEAD
+=======
+  echo "export SELENIUM=${SCRIPT}/.." >> $ENV_FILE
+  echo "export TEST_CONFIG_PATH=${FIND_PATH}" >> $ENV_FILE
+>>>>>>> 6bf27a212f (Use tls in oauth providers and rabbitmq)
 
   declare -a FILE_ARRAY
   for f in $($SCRIPT/find-template-files $FIND_PATH "env")