Merge pull request #70 from rcbj/feature/issue-67

Create an automated test suite to validate debugger functionality. #67

Author: rcbjBlueMars

.github/workflows/tests.yml

@@ -0,0 +1,53 @@
+name: Selenium Tests
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Start & configure Keycloak and debugger
+        id: configure
+        run: |
+          # Start Docker containers
+          CONFIG_FILE=./env/local.js docker compose -f docker-compose-with-keycloak.yml up -d --build
+          sleep 30
+
+          # Configure client credentials flow
+          KEYCLOAK_ACCESS_TOKEN=$(curl -X POST "http://localhost:8080/realms/master/protocol/openid-connect/token" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=admin-cli" -d "username=keycloak" -d "password=keycloak" -d "grant_type=password" | jq -r '.access_token')
+          curl -X POST "http://localhost:8080/admin/realms" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"realm": "debugger-testing", "enabled": true}'
+          curl -X POST "http://localhost:8080/admin/realms/debugger-testing/client-scopes" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"name": "client-credentials-scope", "protocol": "openid-connect", "attributes": {"display.on.consent.screen": "false", "include.in.token.scope": "true"}}'
+          curl -X POST "http://localhost:8080/admin/realms/debugger-testing/clients" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"clientId": "client-credentials", "protocol": "openid-connect", "publicClient": false, "serviceAccountsEnabled": true, "authorizationServicesEnabled": false, "standardFlowEnabled": false, "directAccessGrantsEnabled": false, "clientAuthenticatorType": "client-secret"}'
+          KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_ID=$(curl "http://localhost:8080/admin/realms/debugger-testing/clients?clientId=client-credentials" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[0].id')
+          KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_CLIENTID=$(curl "http://localhost:8080/admin/realms/debugger-testing/clients?clientId=client-credentials" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[0].clientId')
+          KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_SECRET=$(curl "http://localhost:8080/admin/realms/debugger-testing/clients?clientId=client-credentials" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[0].secret')
+          KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_ID=$(curl "http://localhost:8080/admin/realms/debugger-testing/client-scopes" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[] | select(.name=="client-credentials-scope") | .id')
+          KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_NAME=$(curl "http://localhost:8080/admin/realms/debugger-testing/client-scopes" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[] | select(.name=="client-credentials-scope") | .name')
+          curl -X PUT "http://localhost:8080/admin/realms/debugger-testing/clients/$KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_ID/optional-client-scopes/$KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_ID" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN"
+
+          # Share variables to next steps
+          echo "CLIENT_CREDENTIALS_DISCOVERY_ENDPOINT=http://localhost:8080/realms/debugger-testing/.well-known/openid-configuration" >> $GITHUB_OUTPUT
+          echo "CLIENT_CREDENTIALS_CLIENT_ID=$(echo $KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_CLIENTID)" >> $GITHUB_OUTPUT
+          echo "CLIENT_CREDENTIALS_CLIENT_SECRET=$(echo $KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_SECRET)" >> $GITHUB_OUTPUT
+          echo "CLIENT_CREDENTIALS_SCOPE=$(echo $KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_NAME)" >> $GITHUB_OUTPUT
+
+      - name: Test client credentials flow
+        id: test_client_credentials
+        run: |
+          # Install dependencies
+          cd tests && npm install
+
+          # Test client credentials flow
+          DISCOVERY_ENDPOINT=${{ steps.configure.outputs.CLIENT_CREDENTIALS_DISCOVERY_ENDPOINT }} \
+          CLIENT_ID=${{ steps.configure.outputs.CLIENT_CREDENTIALS_CLIENT_ID }} \
+          CLIENT_SECRET=${{ steps.configure.outputs.CLIENT_CREDENTIALS_CLIENT_SECRET }} \
+          SCOPE=${{ steps.configure.outputs.CLIENT_CREDENTIALS_SCOPE }} \
+          node oauth2_client_credentials.js

.gitignore

@@ -1,2 +1,3 @@
 api/node_modules
 client/node_modules
+node_modules

README.md

@@ -142,6 +142,28 @@ For the other grants and flows, similar steps to the above are used.
 
 See the blog [posts](https://medium.com/@robert.broeckelmann/red-hat-sso-and-3scale-series-d904f2127702) for more information.
 
+## Running tests
+* sudo CONFIG_FILE=./env/local.js docker compose -f docker-compose-with-keycloak.yml up -d --build
+
+* KEYCLOAK_ACCESS_TOKEN=$(curl -X POST "http://localhost:8080/realms/master/protocol/openid-connect/token" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=admin-cli" -d "username=keycloak" -d "password=keycloak" -d "grant_type=password" | jq -r '.access_token')
+* curl -X POST "http://localhost:8080/admin/realms" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"realm": "debugger-testing", "enabled": true}'
+* curl -X POST "http://localhost:8080/admin/realms/debugger-testing/client-scopes" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"name": "client-credentials-scope", "protocol": "openid-connect", "attributes": {"display.on.consent.screen": "false", "include.in.token.scope": "true"}}'
+* curl -X POST "http://localhost:8080/admin/realms/debugger-testing/clients" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"clientId": "client-credentials", "protocol": "openid-connect", "publicClient": false, "serviceAccountsEnabled": true, "authorizationServicesEnabled": false, "standardFlowEnabled": false, "directAccessGrantsEnabled": false, "clientAuthenticatorType": "client-secret"}'
+* KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_ID=$(curl "http://localhost:8080/admin/realms/debugger-testing/clients?clientId=client-credentials" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[0].id')
+* KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_CLIENTID=$(curl "http://localhost:8080/admin/realms/debugger-testing/clients?clientId=client-credentials" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[0].clientId')
+* KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_SECRET=$(curl "http://localhost:8080/admin/realms/debugger-testing/clients?clientId=client-credentials" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[0].secret')
+* KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_ID=$(curl "http://localhost:8080/admin/realms/debugger-testing/client-scopes" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[] | select(.name=="client-credentials-scope") | .id')
+* KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_NAME=$(curl "http://localhost:8080/admin/realms/debugger-testing/client-scopes" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[] | select(.name=="client-credentials-scope") | .name')
+* curl -X PUT "http://localhost:8080/admin/realms/debugger-testing/clients/$KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_ID/optional-client-scopes/$KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_ID" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN"
+
+
+* cd tests && npm install
+* DISCOVERY_ENDPOINT="http://localhost:8080/realms/debugger-testing/.well-known/openid-configuration" \\\
+  CLIENT_ID=$KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_CLIENTID \\\
+  CLIENT_SECRET=$KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_SECRET \\\
+  SCOPE=$KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_NAME \\\
+  node oauth2_client_credentials.js
+
 ## Prerequisites
 
 To run this project you will need to install docker.

docker-compose-with-keycloak.yml

@@ -0,0 +1,56 @@
+version: '3'
+services:
+  postgres:
+    image: postgres:15
+    network_mode: "host"
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: keycloak
+      POSTGRES_DB: keycloak
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:26.1.4
+    command: ["start-dev"]
+    network_mode: "host"
+    environment:
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://localhost:5432/keycloak
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: keycloak
+      KEYCLOAK_ADMIN: keycloak
+      KEYCLOAK_ADMIN_PASSWORD: keycloak
+    depends_on:
+      - postgres
+  
+  api:
+    container_name: api
+    image: rcbj/api
+    environment:
+     - HOST=0.0.0.0
+     - PORT=4000
+     - LOG_LEVEL=debug
+    build:
+      context: api
+      dockerfile: Dockerfile
+    network_mode: "host"
+    depends_on:
+      - keycloak
+  
+  client:
+    container_name: client
+    image: rcbj/client
+    environment:
+      - CONFIG_FILE=./env/local.js
+    build:
+      context: client
+      dockerfile: Dockerfile 
+      args:
+        CONFIG_FILE: ${CONFIG_FILE}
+    network_mode: "host"
+    depends_on:
+      - api
+
+volumes:
+  postgres_data:

run-tests.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Start Docker containers
+CONFIG_FILE=./env/local.js docker compose -f docker-compose-with-keycloak.yml up -d --build
+sleep 30
+
+# Configure client credentials flow
+KEYCLOAK_ACCESS_TOKEN=$(curl -X POST "http://localhost:8080/realms/master/protocol/openid-connect/token" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=admin-cli" -d "username=keycloak" -d "password=keycloak" -d "grant_type=password" | jq -r '.access_token')
+curl -X POST "http://localhost:8080/admin/realms" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"realm": "debugger-testing", "enabled": true}'
+curl -X POST "http://localhost:8080/admin/realms/debugger-testing/client-scopes" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"name": "client-credentials-scope", "protocol": "openid-connect", "attributes": {"display.on.consent.screen": "false", "include.in.token.scope": "true"}}'
+curl -X POST "http://localhost:8080/admin/realms/debugger-testing/clients" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"clientId": "client-credentials", "protocol": "openid-connect", "publicClient": false, "serviceAccountsEnabled": true, "authorizationServicesEnabled": false, "standardFlowEnabled": false, "directAccessGrantsEnabled": false, "clientAuthenticatorType": "client-secret"}'
+KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_ID=$(curl "http://localhost:8080/admin/realms/debugger-testing/clients?clientId=client-credentials" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[0].id')
+KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_CLIENTID=$(curl "http://localhost:8080/admin/realms/debugger-testing/clients?clientId=client-credentials" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[0].clientId')
+KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_SECRET=$(curl "http://localhost:8080/admin/realms/debugger-testing/clients?clientId=client-credentials" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[0].secret')
+KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_ID=$(curl "http://localhost:8080/admin/realms/debugger-testing/client-scopes" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[] | select(.name=="client-credentials-scope") | .id')
+KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_NAME=$(curl "http://localhost:8080/admin/realms/debugger-testing/client-scopes" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN" | jq -r '.[] | select(.name=="client-credentials-scope") | .name')
+curl -X PUT "http://localhost:8080/admin/realms/debugger-testing/clients/$KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_ID/optional-client-scopes/$KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_ID" -H "Authorization: Bearer $KEYCLOAK_ACCESS_TOKEN"
+
+# Install dependencies
+cd tests && npm install
+
+# Test client credentials flow
+DISCOVERY_ENDPOINT="http://localhost:8080/realms/debugger-testing/.well-known/openid-configuration" \
+CLIENT_ID=$KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_CLIENTID \
+CLIENT_SECRET=$KEYCLOAK_CLIENT_CREDENTIALS_CLIENT_SECRET \
+SCOPE=$KEYCLOAK_CLIENT_CREDENTIALS_SCOPE_NAME \
+node oauth2_client_credentials.js

tests/oauth2_client_credentials.js

@@ -0,0 +1,112 @@
+const { Builder, By, until } = require("selenium-webdriver");
+const { Select } = require('selenium-webdriver/lib/select');
+const chrome = require("selenium-webdriver/chrome");
+const jwt = require("jsonwebtoken");
+const assert = require("assert");
+
+async function populateMetadata(driver, discovery_endpoint) {
+  oidc_discovery_endpoint = By.id("oidc_discovery_endpoint");
+  btn_oidc_discovery_endpoint = By.className("btn_oidc_discovery_endpoint");
+  btn_oidc_populate_meta_data = By.className("btn_oidc_populate_meta_data");
+
+  // Wait until page is loaded
+  await driver.wait(until.elementLocated(oidc_discovery_endpoint), 10000);
+  await driver.wait(until.elementIsVisible(driver.findElement(oidc_discovery_endpoint)), 10000);
+
+  // Enter discovery endpoint
+  await driver.findElement(oidc_discovery_endpoint).clear();
+  await driver.findElement(oidc_discovery_endpoint).sendKeys(discovery_endpoint); 
+  await driver.findElement(btn_oidc_discovery_endpoint).click();
+
+  // Populate metadata
+  await driver.wait(until.elementLocated(btn_oidc_populate_meta_data), 10000);
+  await driver.wait(until.elementIsVisible(driver.findElement(btn_oidc_populate_meta_data)), 10000);
+  await driver.executeScript("arguments[0].scrollIntoView({ behavior: 'smooth', block: 'center' });", await driver.findElement(btn_oidc_populate_meta_data));
+  await driver.findElement(btn_oidc_populate_meta_data).click();
+}
+
+async function getAccessToken(driver, client_id, client_secret, scope) {
+  authorization_grant_type = By.id("authorization_grant_type");
+  token_client_id = By.id("token_client_id");
+  token_client_secret = By.id("token_client_secret");
+  token_scope = By.id("token_scope");
+  btn1 = By.className("btn1");
+  token_access_token = By.id("token_access_token");
+  display_token_error_form_textarea1 = By.id("display_token_error_form_textarea1");
+
+  // Select client credential login type
+  await new Select(await driver.findElement(authorization_grant_type)).selectByVisibleText('OAuth2 Client Credential');
+  await driver.wait(until.elementLocated(token_client_id), 10000);
+  await driver.wait(until.elementIsVisible(driver.findElement(token_client_id)), 10000);
+
+  // Submit credentials
+  await driver.findElement(token_client_id).clear();
+  await driver.findElement(token_client_id).sendKeys(client_id);
+  await driver.findElement(token_client_secret).clear();
+  await driver.findElement(token_client_secret).sendKeys(client_secret);
+  await driver.findElement(token_scope).clear();
+  await driver.findElement(token_scope).sendKeys(scope);
+  await driver.findElement(btn1).click();
+
+  // Get access token result
+  async function waitForVisibility(element) {
+    await driver.wait(until.elementLocated(element), 10000);
+    await driver.wait(until.elementIsVisible(driver.findElement(element)), 10000);
+    return element;
+  }
+
+  let visibleAccessTokenElement = await Promise.any([
+    waitForVisibility(token_access_token),
+    waitForVisibility(display_token_error_form_textarea1)
+  ]);
+
+  return await driver.findElement(visibleAccessTokenElement).getAttribute("value");
+}
+
+async function verifyAccessToken(access_token, client_id, scope) {
+  async function compareScopes(scope1, scope2) {
+    scope1 = scope1.split(" ");
+    scope2 = scope2.split(" ");
+
+    return scope2.every(element => scope1.includes(element));
+  }
+
+  let decoded_access_token = jwt.decode(access_token, { complete: true });
+  let response_text = access_token.match(/responseText: (.*)/);
+
+  assert.notStrictEqual(decoded_access_token, null, "Cannot decode access token. Request result: " + (response_text ? response_text[1] : "no response text"));
+  assert.strictEqual(decoded_access_token.payload.client_id, client_id, "Access token client ID does not match client ID.");
+  assert.strictEqual(await compareScopes(decoded_access_token.payload.scope, scope), true, "Access token scope does not match scope.");
+}
+
+async function test() {
+  const options = new chrome.Options();
+  options.addArguments("--headless");
+  options.addArguments("--no-sandbox");
+  const driver = await new Builder().forBrowser("chrome").setChromeOptions(options).build();
+
+  try {
+    const discovery_endpoint = process.env.DISCOVERY_ENDPOINT;
+    const client_id = process.env.CLIENT_ID;
+    const client_secret = process.env.CLIENT_SECRET;
+    const scope = process.env.SCOPE;
+
+    assert(discovery_endpoint, "DISCOVERY_ENDPOINT environment variable is not set.");
+    assert(client_id, "CLIENT_ID environment variable is not set.");
+    assert(client_secret, "CLIENT_SECRET environment variable is not set.");
+    assert(scope, "SCOPE environment variable is not set.");
+
+    await driver.get("http://localhost:3000");
+    await populateMetadata(driver, discovery_endpoint);
+    let access_token = await getAccessToken(driver, client_id, client_secret, scope);
+    await verifyAccessToken(access_token, client_id, scope);
+    console.log("Test completed successfully.")
+  } catch (error) {
+    console.log(error.message);
+    process.exit(1);
+  } finally {
+    await driver.quit();
+  }
+}
+
+test();