oidc: add pingidentity support (#1307)

* oidc: refactor local OIDC compose setup

- Move auth services into a dedicated compose overlay.
- Share OIDC configuration across the local Keycloak and PingFederate setup.

* oidc: refactor local OIDC auth workflow

- Support local Keycloak and PingFederate OIDC flows in
compose, tests, token helpers, middleware, and smoke tests.

* oidc: scope related logic under oidc/

* oidc: add oidc request/response data

- we can use this to debug and verify what each provider expects/returns

* admin: wait for Kafka topic metadata propagation and add unit test coverage

Author: nosahama

.env.example

@@ -10,3 +10,37 @@ DOCKER_COMPOSE=docker-compose
 
 COVERAGE_FILE=.coverage.${PYTHON_VERSION}
 PYTEST_ARGS=--cov=karapace --cov-append --numprocesses 4 --log-file=/opt/test-tmp/test-logs/unit-tests-pytest.${PYTHON_VERSION}.log --showlocals
+
+# Default OIDC settings for the local Keycloak auth stack.
+OIDC_PROVIDER=keycloak
+OIDC_REALM=karapace
+OIDC_JWKS_ENDPOINT_URL=http://keycloak:8080/realms/karapace/protocol/openid-connect/certs
+OIDC_ALLOW_INSECURE_JWKS=true
+OIDC_EXPECTED_ISSUER=http://keycloak:8080/realms/karapace
+OIDC_EXPECTED_AUDIENCE=karapace-audience
+OIDC_SUB_CLAIM_NAME=sub
+OIDC_CLIENT_ID=karapace-client
+OIDC_TOKEN_URL=http://keycloak:8080/realms/karapace/protocol/openid-connect/token
+OIDC_SCOPE=openid
+OIDC_VERIFY_TLS=true
+OIDC_ROLES_CLAIM_PATH=resource_access.karapace-client.roles
+OIDC_METHOD_ROLES={"GET": ["schema:read", "subject:read"], "POST": ["schema:write", "subject:write"], "PUT": ["config_subject:update","config_global:update"], "DELETE": ["schema:delete", "subject:delete"]}
+
+# Optional PingFederate overrides.
+# Uncomment these to run Karapace against the local PingFederate profile instead of Keycloak.
+# PING_IDENTITY_DEVOPS_USER=<your-ping-devops-user>
+# PING_IDENTITY_DEVOPS_KEY=<your-ping-devops-key>
+# OIDC_PROVIDER=pingfederate
+# OIDC_JWKS_ENDPOINT_URL=https://pingfederate:9031/pf/JWKS
+# OIDC_ALLOW_INSECURE_JWKS=true
+# OIDC_EXPECTED_ISSUER=https://pingfederate:9031
+# OIDC_EXPECTED_AUDIENCE=karapace-audience
+# OIDC_SUB_CLAIM_NAME=client_id
+# OIDC_CLIENT_ID=karapace-client
+# OIDC_REALM=karapace
+# OIDC_CLIENT_SECRET=karapace-secret
+# OIDC_TOKEN_URL=https://pingfederate:9031/as/token.oauth2
+# OIDC_SCOPE=openid
+# OIDC_VERIFY_TLS=false
+# OIDC_ROLES_CLAIM_PATH=roles
+# OIDC_METHOD_ROLES={"GET": ["schema:read", "subject:read"], "POST": ["schema:write", "subject:write"], "PUT": ["config_subject:update","config_global:update"], "DELETE": ["schema:delete", "subject:delete"]}

GNUmakefile

@@ -1,24 +1,48 @@
-SHELL := /usr/bin/env bash
-
 ifneq ($(wildcard .env),)
 	include .env
 endif
 
 VENV_DIR ?= $(CURDIR)/venv
 PYTEST_ARGS ?=
+OIDC_PROVIDER ?= keycloak
 DOCKER_COMPOSE ?= docker compose
+DOCKER_COMPOSE_STANDARD ?= $(DOCKER_COMPOSE) -f container/compose.yml
+DOCKER_COMPOSE_AUTH ?= $(DOCKER_COMPOSE) -f container/compose.yml -f container/compose-auth.yml --profile auth
+DOCKER_COMPOSE_AUTH_PINGFEDERATE ?= $(DOCKER_COMPOSE) -f container/compose.yml -f container/compose-auth.yml --profile auth --profile pingfederate
+DOCKER_CONTAINERS ?= \
+	karapace-cli \
+	karapace-schema-registry \
+	karapace-schema-registry-follower \
+	karapace-rest-proxy \
+	kafka \
+	prometheus \
+	grafana \
+	statsd-exporter \
+	opentelemetry-collector \
+	jaeger \
+	karapace-schema-registry-authn-only \
+	karapace-rest-proxy-oidc \
+	karapace-rest-proxy-no-forward \
+	karapace-schema-registry-basic \
+	karapace-rest-proxy-basic \
+	keycloak \
+	pingfederate
 PIP      ?= pip3 --disable-pip-version-check --no-input --require-virtualenv
 PYTHON   ?= python3
 PYTHON_VERSION ?= 3.12
 KARAPACE_VERSION ?= 5.0.3
 RUNNER_UID ?=
 RUNNER_GID ?=
 COVERAGE_FILE ?= .coverage.${PYTHON_VERSION}
-KARAPACE_CLI   ?= $(DOCKER_COMPOSE) -f container/compose.yml run --rm karapace-cli
+KARAPACE_CLI   ?= $(DOCKER_COMPOSE_STANDARD) run --rm karapace-cli
+KARAPACE_CLI_EXEC ?= $(DOCKER_COMPOSE_STANDARD) exec -T karapace-cli
 CERTS_FOLDER ?= /opt/karapace/certs
 
 # Export variables needed by docker compose
-export PYTHON_VERSION KARAPACE_VERSION RUNNER_UID RUNNER_GID COVERAGE_FILE PYTEST_ARGS
+export PYTHON_VERSION KARAPACE_VERSION RUNNER_UID RUNNER_GID COVERAGE_FILE
+export OIDC_JWKS_ENDPOINT_URL OIDC_ALLOW_INSECURE_JWKS OIDC_EXPECTED_ISSUER OIDC_EXPECTED_AUDIENCE OIDC_SUB_CLAIM_NAME OIDC_CLIENT_ID OIDC_ROLES_CLAIM_PATH OIDC_METHOD_ROLES
+export OIDC_PROVIDER OIDC_TOKEN_URL OIDC_CLIENT_SECRET OIDC_SCOPE OIDC_VERIFY_TLS OIDC_REALM KEYCLOAK_URL
+export PING_IDENTITY_DEVOPS_USER PING_IDENTITY_DEVOPS_KEY
 
 define PIN_VERSIONS_COMMAND
 pip install pip-tools && \
@@ -27,6 +51,13 @@ pip install pip-tools && \
 	python -m piptools compile --upgrade --extra typing -o /karapace/requirements/requirements-typing.txt /karapace/pyproject.toml
 endef
 
+define RUN_E2E_TESTS_IN_DOCKER_COMMAND
+rm -fr runtime/*; \
+sleep 10; \
+$1 exec -T karapace-cli $(PYTHON) -m pytest -s -vvv $(PYTEST_ARGS) tests/e2e/; \
+rm -fr runtime/*
+endef
+
 export PATH   := $(VENV_DIR)/bin:$(PATH)
 export PS4    := \e[0m\e[32m==> \e[0m
 export LC_ALL := C
@@ -73,7 +104,7 @@ venv/.deps-dev: venv/.make
 	touch '$(@)'
 
 
-.PHONY: test
+.PHONY: tests
 tests: unit-tests integration-tests
 
 .PHONY: unit-tests
@@ -103,7 +134,6 @@ cleanest: cleaner
 	rm -fr '$(VENV_DIR)'
 
 .PHONY: requirements
-requirements:
 requirements:
 	$(PIP) install --upgrade pip setuptools pip-tools
 	$(PIP) install .[dev,typing]
@@ -114,56 +144,108 @@ pin-requirements:
 
 .PHONY: stop-karapace-docker-resources
 stop-karapace-docker-resources:
-	$(DOCKER_COMPOSE) -f container/compose.yml down -v --remove-orphans
+	$(DOCKER_COMPOSE_STANDARD) down -v --remove-orphans || true
+	$(DOCKER_COMPOSE_AUTH_PINGFEDERATE) down -v --remove-orphans || true
+	docker rm -f $(DOCKER_CONTAINERS) >/dev/null 2>&1 || true
 
-.PHONY: start-karapace-docker-resources
-start-karapace-docker-resources:
-start-karapace-docker-resources:
+.PHONY: prepare-docker-resources
+prepare-docker-resources:
 	touch .coverage.${PYTHON_VERSION} || sudo touch .coverage.${PYTHON_VERSION}
 	chown ${RUNNER_UID}:${RUNNER_GID} .coverage.${PYTHON_VERSION} 2>/dev/null || sudo chown ${RUNNER_UID}:${RUNNER_GID} .coverage.${PYTHON_VERSION}
 	mkdir -p test-tmp.${PYTHON_VERSION} || sudo mkdir -p test-tmp.${PYTHON_VERSION}
 	chown -R ${RUNNER_UID}:${RUNNER_GID} test-tmp.${PYTHON_VERSION} 2>/dev/null || sudo chown -R ${RUNNER_UID}:${RUNNER_GID} test-tmp.${PYTHON_VERSION}
-	$(DOCKER_COMPOSE) -f container/compose.yml up -d --build --wait --detach
+
+.PHONY: start-karapace-docker-resources
+start-karapace-docker-resources: prepare-docker-resources
+	$(DOCKER_COMPOSE_STANDARD) up -d --build --wait --detach
+
+.PHONY: start-karapace-docker-auth-resources
+start-karapace-docker-auth-resources: prepare-docker-resources
+	$(DOCKER_COMPOSE_AUTH) up -d --build --wait
+
+.PHONY: start-karapace-docker-auth-pingfederate-resources
+start-karapace-docker-auth-pingfederate-resources: prepare-docker-resources
+	$(DOCKER_COMPOSE_AUTH_PINGFEDERATE) up -d --build --wait
+
+.PHONY: provision-pingfederate-oidc
+provision-pingfederate-oidc: start-karapace-docker-auth-pingfederate-resources
+	$(DOCKER_COMPOSE_AUTH_PINGFEDERATE) exec -T karapace-cli $(PYTHON) /opt/karapace/bin/oidc/provision_pingfederate_oidc.py
+
+.PHONY: print-keycloak-oidc-token
+print-keycloak-oidc-token: start-karapace-docker-auth-resources
+	$(DOCKER_COMPOSE_AUTH) exec -T karapace-cli env -u OIDC_CLIENT_SECRET \
+		OIDC_PROVIDER="keycloak" \
+		KEYCLOAK_URL="http://keycloak:8080" \
+		OIDC_REALM="karapace" \
+		OIDC_CLIENT_ID="karapace-client" \
+		OIDC_TOKEN_URL="http://keycloak:8080/realms/karapace/protocol/openid-connect/token" \
+		OIDC_SCOPE="openid" \
+		OIDC_VERIFY_TLS="true" \
+		OIDC_ALLOW_INSECURE_JWKS="true" \
+		$(PYTHON) /opt/karapace/bin/oidc/get_oidc_token.py
+
+.PHONY: print-pingfederate-oidc-token
+print-pingfederate-oidc-token: start-karapace-docker-auth-pingfederate-resources
+	$(DOCKER_COMPOSE_AUTH_PINGFEDERATE) exec -T karapace-cli \
+		$(PYTHON) /opt/karapace/bin/oidc/provision_pingfederate_oidc.py >/dev/null
+	$(DOCKER_COMPOSE_AUTH_PINGFEDERATE) exec -T karapace-cli env -u OIDC_CLIENT_SECRET \
+		OIDC_PROVIDER="pingfederate" \
+		OIDC_SUB_CLAIM_NAME="client_id" \
+		OIDC_CLIENT_ID="karapace-client" \
+		OIDC_CLIENT_SECRET="karapace-secret" \
+		OIDC_TOKEN_URL="https://pingfederate:9031/as/token.oauth2" \
+		OIDC_SCOPE="openid" \
+		OIDC_VERIFY_TLS="false" \
+		OIDC_ALLOW_INSECURE_JWKS="true" \
+		$(PYTHON) /opt/karapace/bin/oidc/get_oidc_token.py
 
 .PHONY: smoke-test-schema-registry
-smoke-test-schema-registry: start-karapace-docker-resources
-	$(KARAPACE_CLI) /opt/karapace/bin/smoke-test-schema-registry.sh
+smoke-test-schema-registry: stop-karapace-docker-resources start-karapace-docker-auth-resources
+	$(DOCKER_COMPOSE_AUTH) exec -T karapace-cli /opt/karapace/bin/smoke-test-schema-registry.sh
 
 .PHONY: smoke-test-rest-proxy
-smoke-test-rest-proxy: start-karapace-docker-resources
-	$(KARAPACE_CLI) /opt/karapace/bin/smoke-test-rest-proxy.sh
+smoke-test-rest-proxy: stop-karapace-docker-resources start-karapace-docker-resources
+	$(KARAPACE_CLI_EXEC) /opt/karapace/bin/smoke-test-rest-proxy.sh
 
 .PHONY: unit-tests-in-docker
 unit-tests-in-docker: start-karapace-docker-resources
 	rm -fr runtime/*
-	$(KARAPACE_CLI) $(PYTHON) -m pytest -s -vvv $(PYTEST_ARGS) tests/unit/
+	$(KARAPACE_CLI_EXEC) $(PYTHON) -m pytest -s -vvv $(PYTEST_ARGS) tests/unit/
 	rm -fr runtime/*
 
 .PHONY: e2e-tests-in-docker
-e2e-tests-in-docker: export COMPOSE_PROFILES = e2e
-e2e-tests-in-docker: stop-karapace-docker-resources start-karapace-docker-resources
-	rm -fr runtime/*
-	sleep 10
-	$(KARAPACE_CLI) $(PYTHON) -m pytest -s -vvv $(PYTEST_ARGS) tests/e2e/
-	rm -fr runtime/*
+e2e-tests-in-docker: stop-karapace-docker-resources start-karapace-docker-auth-resources
+	$(call RUN_E2E_TESTS_IN_DOCKER_COMMAND,$(DOCKER_COMPOSE_AUTH))
+
+.PHONY: e2e-tests-in-docker-keycloak
+e2e-tests-in-docker-keycloak: export OIDC_PROVIDER=keycloak
+e2e-tests-in-docker-keycloak: stop-karapace-docker-resources start-karapace-docker-auth-pingfederate-resources
+	$(DOCKER_COMPOSE_AUTH_PINGFEDERATE) stop pingfederate >/dev/null 2>&1 || true
+	$(call RUN_E2E_TESTS_IN_DOCKER_COMMAND,$(DOCKER_COMPOSE_AUTH_PINGFEDERATE))
+
+.PHONY: e2e-tests-in-docker-pingfederate
+e2e-tests-in-docker-pingfederate: export OIDC_PROVIDER=pingfederate
+e2e-tests-in-docker-pingfederate: stop-karapace-docker-resources provision-pingfederate-oidc
+	$(DOCKER_COMPOSE_AUTH_PINGFEDERATE) stop keycloak >/dev/null 2>&1 || true; \
+	$(call RUN_E2E_TESTS_IN_DOCKER_COMMAND,$(DOCKER_COMPOSE_AUTH_PINGFEDERATE))
 
 .PHONY: integration-tests-in-docker
 integration-tests-in-docker: start-karapace-docker-resources
 	rm -fr runtime/*
 	sleep 10
-	$(KARAPACE_CLI) $(PYTHON) -m pytest -s -vvv $(PYTEST_ARGS) tests/integration/
+	$(KARAPACE_CLI_EXEC) $(PYTHON) -m pytest -s -vvv $(PYTEST_ARGS) tests/integration/
 	rm -fr runtime/*
 
 .PHONY: type-check-mypy-in-docker
 type-check-mypy-in-docker: start-karapace-docker-resources
-	$(KARAPACE_CLI) $(PYTHON) -m mypy src/karapace
+	$(KARAPACE_CLI_EXEC) $(PYTHON) -m mypy src/karapace
 
 .PHONY: cli
 cli: start-karapace-docker-resources
 	$(KARAPACE_CLI) bash
 
 .PHONY: generate-sr-https-certs
- generate-sr-https-certs:
+generate-sr-https-certs:
 	$(info ====> Generating self-signed certificates <====)
 	$(KARAPACE_CLI) mkcert -key-file $(CERTS_FOLDER)/key.pem -cert-file $(CERTS_FOLDER)/cert.pem \
 		localhost \
@@ -178,6 +260,6 @@ cli: start-karapace-docker-resources
 curl-sr-https: header ?= 'Content-Type: application/vnd.schemaregistry.v1+json'
 curl-sr-https:
 	$(info ====> Sending HTTPS $(method) request with data to $(url) <====)
-	$(KARAPACE_CLI) curl -i -X $(method) --location $(url) --cacert /opt/karapace/certs/ca/rootCA.pem \
+	$(KARAPACE_CLI) curl -i -X $(method) --location $(url) --cacert $(CERTS_FOLDER)/ca/rootCA.pem \
 		--header $(header) \
 		--data '$(data)'

README.rst

@@ -722,7 +722,8 @@ Below here is an example of karapace OpenId connect config ::
    sasl_oauthbearer_method_roles: dict[str, list[str]] = {"GET": [], "POST": [], "PUT": [], "DELETE": []}
 
 
-Below here is an example of karapace OpenId connect docker config ::
+Below here is an example of karapace OpenId connect docker config using the local
+Keycloak defaults in ``container/compose.yml`` ::
 
     KARAPACE_SASL_OAUTHBEARER_AUTHENTICATION_ENABLED: True
     KARAPACE_SASL_OAUTHBEARER_JWKS_ENDPOINT_URL: http://keycloak:8080/realms/karapace/protocol/openid-connect/certs
@@ -769,6 +770,12 @@ and get a token like below. ::
 
 Note : client id and client secret can be retrieved from Oidc provider
 
+The helper script ``bin/oidc/get_oidc_token.py`` supports both providers. For local Keycloak::
+
+  OIDC_PROVIDER=keycloak python3 bin/oidc/get_oidc_token.py
+
+For PingFederate examples, see ``container/oidc/pingidentity/README.md``.
+
 Response of the above curl should be a access token, and other scope and expiry details.
 Export the token into ACCESS_TOKEN variable::