Update OIDC test fixture (elastic#89526)

This commit updates the OIDC test fixture to use the latest demo docker image from https://connect2id.com. As part of this change some of the docker image demo login has changed from prior versions and the test code is updated accordingly. fixes elastic#89477 reverts elastic#89478 / e949dff.
jakelandis · Aug 23, 2022 · 4226bcc · 4226bcc
1 parent 4353ecb
commit 4226bcc
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 56 deletions.
diff --git a/x-pack/qa/oidc-op-tests/build.gradle b/x-pack/qa/oidc-op-tests/build.gradle
@@ -21,7 +21,4 @@ tasks.named("processJavaRestTestResources").configure {
 tasks.named("javaRestTest").configure {
   // OpenID Connect fixture does not support aarm64
   onlyIf { Architecture.current() == Architecture.X64 }
-
-  // AwaitsFix: https://github.com/elastic/elasticsearch/issues/89477
-  enabled = false
 }
diff --git a/...sts/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/oidc/C2IdOpTestCase.java b/...sts/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/oidc/C2IdOpTestCase.java
@@ -136,59 +136,30 @@ protected String authenticateAtOP(URI opAuthUri) throws Exception {
             assertThat(initResponse.getAsString("type"), equalTo("auth"));
             final String sid = initResponse.getAsString("sid");
             // Actually authenticate the user with ldapAuth
-            HttpPost loginHttpPost = new HttpPost(C2ID_LOGIN_API + "authenticateSubject?cacheBuster=" + randomAlphaOfLength(8));
+            HttpPost loginHttpPost = new HttpPost(
+                C2ID_LOGIN_API + "authenticateSubject?cacheBuster=" + randomAlphaOfLength(8) + "&authSessionId=" + sid
+            );
             String loginJson = """
                 {"username":"alice","password":"secret"}""";
             configureJsonRequest(loginHttpPost, loginJson);
-            JSONObject loginJsonResponse = execute(httpClient, loginHttpPost, context, response -> {
+            execute(httpClient, loginHttpPost, context, response -> {
                 assertHttpOk(response.getStatusLine());
                 return parseJsonResponse(response);
             });
-            // Get the consent screen
-            HttpPut consentFetchHttpPut = new HttpPut(
+
+            HttpPut consentHttpPut = new HttpPut(
                 C2ID_LOGIN_API + "updateAuthRequest" + "/" + sid + "?cacheBuster=" + randomAlphaOfLength(8)
             );
-            String consentFetchJson = """
-                {
-                  "sub": "%s",
-                  "acr": "http://loa.c2id.com/basic",
-                  "amr": [ "pwd" ],
-                  "data": {
-                    "email": "%s",
-                    "name": "%s"
-                  }
-                }""".formatted(
-                loginJsonResponse.getAsString("id"),
-                loginJsonResponse.getAsString("email"),
-                loginJsonResponse.getAsString("name")
-            );
-            configureJsonRequest(consentFetchHttpPut, consentFetchJson);
-            JSONObject consentFetchResponse = execute(httpClient, consentFetchHttpPut, context, response -> {
+            String consentJson = """
+                {"claims":["name", "email"],"scope":["openid"]}""";
+            configureJsonRequest(consentHttpPut, consentJson);
+            JSONObject jsonConsentResponse = execute(httpClient, consentHttpPut, context, response -> {
                 assertHttpOk(response.getStatusLine());
                 return parseJsonResponse(response);
             });
-            if (consentFetchResponse.getAsString("type").equals("consent")) {
-                // If needed, submit the consent
-                HttpPut consentHttpPut = new HttpPut(
-                    C2ID_LOGIN_API + "updateAuthRequest" + "/" + sid + "?cacheBuster=" + randomAlphaOfLength(8)
-                );
-                String consentJson = """
-                    {"claims":["name", "email"],"scope":["openid"]}""";
-                configureJsonRequest(consentHttpPut, consentJson);
-                JSONObject jsonConsentResponse = execute(httpClient, consentHttpPut, context, response -> {
-                    assertHttpOk(response.getStatusLine());
-                    return parseJsonResponse(response);
-                });
-                assertThat(jsonConsentResponse.getAsString("type"), equalTo("response"));
-                JSONObject parameters = (JSONObject) jsonConsentResponse.get("parameters");
-                return parameters.getAsString("uri");
-            } else if (consentFetchResponse.getAsString("type").equals("response")) {
-                JSONObject parameters = (JSONObject) consentFetchResponse.get("parameters");
-                return parameters.getAsString("uri");
-            } else {
-                fail("Received an invalid response from the OP");
-                return null;
-            }
+            assertThat(jsonConsentResponse.getAsString("type"), equalTo("response"));
+            JSONObject parameters = (JSONObject) jsonConsentResponse.get("parameters");
+            return parameters.getAsString("uri");
         }
     }
 

diff --git a/x-pack/test/idp-fixture/docker-compose.yml b/x-pack/test/idp-fixture/docker-compose.yml
@@ -161,17 +161,16 @@ services:
       - ./idp/shibboleth-idp/metadata:/opt/shibboleth-idp/metadata
       - ./idp/shib-jetty-base/start.d/ssl.ini:/opt/shib-jetty-base/start.d/ssl.ini
 
-# c2id/c2id-server image is no longer available
-#  oidc-provider:
-#    image: "c2id/c2id-server:9.5"
-#    depends_on:
-#      - http-proxy
-#    ports:
-#      - "8080"
-#    expose:
-#      - "8080"
-#    volumes:
-#      - ./oidc/override.properties:/etc/c2id/override.properties
+  oidc-provider:
+    image: "c2id/c2id-server-demo:12.16.1"
+    depends_on:
+      - http-proxy
+    ports:
+      - "8080"
+    expose:
+      - "8080"
+    volumes:
+      - ./oidc/override.properties:/etc/c2id/override.properties
 
   http-proxy:
     image: "nginx:latest"

diff --git a/x-pack/test/idp-fixture/oidc/override.properties b/x-pack/test/idp-fixture/oidc/override.properties
@@ -2,3 +2,5 @@ op.issuer=http://oidc-provider:8080/c2id
 op.authz.endpoint=http://oidc-provider:8080/c2id-login/
 op.reg.apiAccessTokenSHA256=d1c4fa70d9ee708d13cfa01daa0e060a05a2075a53c5cc1ad79e460e96ab5363
 jose.jwkSer=RnVsbCBrZXk6CnsKICAia2V5cyI6IFsKICAgIHsKICAgICAgInAiOiAiLXhhN2d2aW5tY3N3QXU3Vm1mV2loZ2o3U3gzUzhmd2dFSTdMZEVveW5FU1RzcElaeUY5aHc0NVhQZmI5VHlpbzZsOHZTS0F5RmU4T2lOalpkNE1Ra0ttYlJzTmxxR1Y5VlBoWF84UG1JSm5mcGVhb3E5YnZfU0k1blZHUl9zYUUzZE9sTEE2VWpaS0lsRVBNb0ZuRlZCMUFaUU9qQlhRRzZPTDg2eDZ2NHMwIiwKICAgICAgImt0eSI6ICJSU0EiLAogICAgICAicSI6ICJ2Q3pDQUlpdHV0MGx1V0djQloyLUFabURLc1RxNkkxcUp0RmlEYkIyZFBNQVlBNldOWTdaWEZoVWxsSjJrT2ZELWdlYjlkYkN2ODBxNEwyajVZSjZoOTBUc1NRWWVHRlljN1lZMGdCMU5VR3l5cXctb29QN0EtYlJmMGI3b3I4ajZJb0hzQTZKa2JranN6c3otbkJ2U2RmUURlZkRNSVc3Ni1ZWjN0c2hsY2MiLAogICAgICAiZCI6ICJtbFBOcm1zVVM5UmJtX1I5SElyeHdmeFYzZnJ2QzlaQktFZzRzc1ZZaThfY09lSjV2U1hyQV9laEtwa2g4QVhYaUdWUGpQbVlyd29xQzFVUksxUkZmLVg0dG10emV2OUVHaU12Z0JCaEF5RkdTSUd0VUNla2x4Q2dhb3BpMXdZSU1Bd0M0STZwMUtaZURxTVNCWVZGeHA5ZWlJZ2pwb05JbV9lR3hXUUs5VHNnYmk5T3lyc1VqaE9KLVczN2JVMEJWUU56UXpxODhCcGxmNzM3VmV1dy1FeDZaMk1iWXR3SWdfZ0JVb0JEZ0NrZkhoOVE4MElYcEZRV0x1RzgwenFrdkVwTHZ0RWxLbDRvQ3BHVnBjcmFUOFNsOGpYc3FDT1k0dnVRT19LRVUzS2VPNUNJbHd4eEhJYXZjQTE5cHFpSWJ5cm1LbThxS0ZEWHluUFJMSGFNZ1EiLAogICAgICAiZSI6ICJBUUFCIiwKICAgICAgImtpZCI6ICJyc2EzODRfMjA0OCIsCiAgICAgICJxaSI6ICJzMldTamVrVDl3S2JPbk9neGNoaDJPY3VubzE2Y20wS281Z3hoUWJTdVMyMldfUjJBR2ZVdkRieGF0cTRLakQ3THo3X1k2TjdTUkwzUVpudVhoZ1djeXgyNGhrUGppQUZLNmlkYVZKQzJqQmgycEZTUDVTNXZxZ0lsME12eWY4NjlwdkN4S0NzaGRKMGdlRWhveE93VkRPYXJqdTl2Zm9IQV90LWJoRlZrUnciLAogICAgICAiZHAiOiAiQlJhQTFqYVRydG9mTHZBSUJBYW1OSEVhSm51RU9zTVJJMFRCZXFuR1BNUm0tY2RjSG1OUVo5WUtqb2JpdXlmbnhGZ0piVDlSeElBRG0ySkpoZEp5RTN4Y1dTSzhmSjBSM1Jick1aT1dwako0QmJTVzFtU1VtRnlKTGxib3puRFhZR2RaZ1hzS0o1UkFrRUNQZFBCY3YwZVlkbk9NYWhfZndfaFZoNjRuZ2tFIiwKICAgICAgImFsZyI6ICJSU0EzODQiLAogICAgICAiZHEiOiAiUFJoVERKVlR3cDNXaDZfWFZrTjIwMUlpTWhxcElrUDN1UTYyUlRlTDNrQ2ZXSkNqMkZPLTRxcVRIQk0tQjZJWUVPLXpoVWZyQnhiMzJ1djNjS2JDWGFZN3BJSFJxQlFEQWQ2WGhHYzlwc0xqNThXd3VGY2RncERJYUFpRjNyc3NUMjJ4UFVvYkJFTVdBalV3bFJrNEtNTjItMnpLQk5FR3lIcDIzOUpKdnpVIiwKICAgICAgIm4iOiAidUpDWDVDbEZpM0JnTXBvOWhRSVZ2SDh0Vi1jLTVFdG5OeUZxVm91R3NlNWwyUG92MWJGb0tsRllsU25YTzNWUE9KRWR3azNDdl9VT0UtQzlqZERYRHpvS3Z4RURaTVM1TDZWMFpIVEJoNndIOV9iN3JHSlBxLV9RdlNkejczSzZxbHpGaUtQamRvdTF6VlFYTmZfblBZbnRnQkdNRUtBc1pRNGp0cWJCdE5lV0h0MF9UM001cEktTV9KNGVlRWpCTW95TkZuU2ExTEZDVmZRNl9YVnpjelp1TlRGMlh6UmdRWkFmcmJGRXZ6eXR1TzVMZTNTTXFrUUFJeDhFQmkwYXVlRUNqNEQ4cDNVNXFVRG92NEF2VnRJbUZlbFJvb1pBMHJtVW1KRHJ4WExrVkhuVUpzaUF6ZW9TLTNBSnV1bHJkMGpuNjJ5VjZHV2dFWklZMVNlZVd3IgogICAgfQogIF0KfQo
+op.authz.alwaysPromptForConsent=true
+op.authz.alwaysPromptForAuth=true