Centos/RHEL 10 updates

conftest.py

@@ -1,9 +1,6 @@
 #!/usr/bin/python3
 
 import pytest
-from samltest import SamlLoginTest
-from samltest import IdpFactory as SamlIdpFactory
-from samltest import SpFactory as SamlSpFactory
 from oidctest import OidcLoginTest
 from oidctest import IdpFactory as OidcIdpFactory
 from oidctest import SpFactory as OidcSpFactory
@@ -44,6 +41,9 @@ def logout_url(pytestconfig):
 
 @pytest.fixture()
 def saml_test_instance(pytestconfig):
+    from samltest import SamlLoginTest
+    from samltest import IdpFactory as SamlIdpFactory
+    from samltest import SpFactory as SamlSpFactory
     idp_f = SamlIdpFactory(pytestconfig.getoption('idp_type'),
                            pytestconfig.getoption('idp_url'),
                            pytestconfig.getoption('idp_realm'),

setup.sh

@@ -28,12 +28,9 @@ if [ -f /etc/os-release ]; then
 fi
 
 dnf -y install \
-    java-11-openjdk-headless \
     keycloak-httpd-client-install \
-    mod_auth_mellon \
     mod_auth_openidc \
     python3-lxml \
-    python3-lasso \
     python3-requests \
     python3-pytest \
     python3-distro \
@@ -43,6 +40,16 @@ dnf -y install \
     httpd \
     podman
 
+if [ "$ID" = "rhel" -o "$ID" = "centos" ] && [ $VER_MAJOR -lt 10 ]; then
+    dnf -y install \
+        java-11-openjdk-headless \
+        mod_auth_mellon \
+        python3-lasso
+else
+    dnf -y install \
+        java-17-openjdk-headless
+fi
+
 #################
 
 if [ -d /etc/httpd/federation ]; then
@@ -251,7 +258,7 @@ if [ $count -eq 10 ]; then
     exit 1
 fi
 
-for count in {1..10}; do
+for count in {1..3}; do
     $kcadm config credentials --server https://$(hostname):8443/auth/ \
         --realm master --user admin --password Secret123
 
@@ -262,7 +269,7 @@ for count in {1..10}; do
     fi
 done
 
-if [ $count -eq 10 ]; then
+if [ $count -eq 3 ]; then
     echo "----- Begin keycloak container logs for iteration $count"
     podman logs keycloak
     echo "----- End keycloak container logs for iteration $count"
@@ -288,85 +295,93 @@ sed -i 's/localhost.key/web.key/' /etc/httpd/conf.d/example_app_ssl.conf
 
 ################
 
-mkdir -p /var/www/html/mellon_root/private/static/private_static
+mkdir -p /var/www/html/openidc_root/private/static/private_static
 
-cat > /var/www/html/mellon_root/logged_out.html <<EOF
+cat > /var/www/html/openidc_root/logged_out.html <<EOF
 <html>
 <title>Logout</title>
 <p>
 Congratulations, you've been logged out!
 </p>
 <p>
-Now try to <a href="/mellon_root/private/">log back in</a>
+Now try to <a href="/openidc_root/private/">log back in</a>
 </p>
 </html>
 EOF
 
-cat > /var/www/html/mellon_root/private/index.html <<EOF
+cat > /var/www/html/openidc_root/private/index.html <<EOF
 <html><title>Secure</title>Hello there...from SP ...<br>
-<a href="https://$HOSTNAME:60443/mellon_root/mellon/logout?ReturnTo=https://$HOSTNAME:60443/mellon_root/logged_out.html">Log out</a>
+<a href="/openidc_root/private/redirect_uri?logout=https://$(hostname):60443/openidc_root/logged_out.html">Logout</a>
 <hr>
 <pre><!--#printenv --></pre>
 EOF
 
-cat > /etc/httpd/conf.d/mellon_example_app_private.conf <<EOF
-<Directory /var/www/html/mellon_root/private>
+cat > /etc/httpd/conf.d/openidc_example_app_private.conf <<EOF
+<Directory /var/www/html/openidc_root/private>
     Options +Includes
     AddOutputFilter INCLUDES .html
 </Directory>
 EOF
 
-cat > /etc/httpd/conf.d/mellon_example_app_private_static.conf <<EOF
-<Location /mellon_root/private/static>
-    MellonEnable info
-    Require all granted
-</Location>
+cp /var/www/html/openidc_root/private/index.html \
+    /var/www/html/openidc_root/private/static/
+cp /var/www/html/openidc_root/private/index.html \
+    /var/www/html/openidc_root/private/static/private_static/
 
-<Location /mellon_root/private/static/private_static>
-    MellonEnable auth
-    Require valid-user
-</Location>
-EOF
 
-cp /var/www/html/mellon_root/private/index.html \
-    /var/www/html/mellon_root/private/static/
-cp /var/www/html/mellon_root/private/index.html \
-    /var/www/html/mellon_root/private/static/private_static/
+systemctl start httpd
 
 ################
 
-mkdir -p /var/www/html/openidc_root/private/static/private_static
+if [ "$ID" = "rhel" -o "$ID" = "centos" ] && [ $VER_MAJOR -ge 10 ]; then
+    echo "mod_auth_mellon not supported in RHEL-10 and later"
+    echo "Skipping mellon setup"
+    exit 0
+fi
 
-cat > /var/www/html/openidc_root/logged_out.html <<EOF
+mkdir -p /var/www/html/mellon_root/private/static/private_static
+
+cat > /var/www/html/mellon_root/logged_out.html <<EOF
 <html>
 <title>Logout</title>
 <p>
 Congratulations, you've been logged out!
 </p>
 <p>
-Now try to <a href="/openidc_root/private/">log back in</a>
+Now try to <a href="/mellon_root/private/">log back in</a>
 </p>
 </html>
 EOF
 
-cat > /var/www/html/openidc_root/private/index.html <<EOF
+cat > /var/www/html/mellon_root/private/index.html <<EOF
 <html><title>Secure</title>Hello there...from SP ...<br>
-<a href="/openidc_root/private/redirect_uri?logout=https://$(hostname):60443/openidc_root/logged_out.html">Logout</a>
+<a href="https://$HOSTNAME:60443/mellon_root/mellon/logout?ReturnTo=https://$HOSTNAME:60443/mellon_root/logged_out.html">Log out</a>
 <hr>
 <pre><!--#printenv --></pre>
 EOF
 
-cat > /etc/httpd/conf.d/openidc_example_app_private.conf <<EOF
-<Directory /var/www/html/openidc_root/private>
+cat > /etc/httpd/conf.d/mellon_example_app_private.conf <<EOF
+<Directory /var/www/html/mellon_root/private>
     Options +Includes
     AddOutputFilter INCLUDES .html
 </Directory>
 EOF
 
-cp /var/www/html/openidc_root/private/index.html \
-    /var/www/html/openidc_root/private/static/
-cp /var/www/html/openidc_root/private/index.html \
-    /var/www/html/openidc_root/private/static/private_static/
+cat > /etc/httpd/conf.d/mellon_example_app_private_static.conf <<EOF
+<Location /mellon_root/private/static>
+    MellonEnable info
+    Require all granted
+</Location>
+
+<Location /mellon_root/private/static/private_static>
+    MellonEnable auth
+    Require valid-user
+</Location>
+EOF
 
+cp /var/www/html/mellon_root/private/index.html \
+    /var/www/html/mellon_root/private/static/
+cp /var/www/html/mellon_root/private/index.html \
+    /var/www/html/mellon_root/private/static/private_static/
 
 systemctl start httpd

test_khci.sh

@@ -5,113 +5,15 @@
 set -x
 set -e
 
-function run_web_sso_test() {
-    keycloak_realm=$1
-    username=$2
-    password=$3
-
-    py.test-3 --idp-realm $keycloak_realm \
-              --idp-url https://$(hostname):8443 \
-              --sp-url https://$(hostname):60443/mellon_root \
-              --username $username \
-              --password $password \
-              --url https://$(hostname):60443/mellon_root/private \
-              --logout-url=https://$(hostname):60443/mellon_root/private \
-              --junit-xml=result_khci_${keycloak_realm}.xml \
-              -k test_web_sso_post_redirect
-}
-
-function does_realm_exist {
-    keycloak_server=$1
-    keycloak_realm=$2
-    keycloak_password=$3
-
-    TOKEN=$(curl -q -XPOST http://$keycloak_server:8080/auth/realms/master/protocol/openid-connect/token -d"grant_type=password&username=admin&password=$keycloak_password&client_id=admin-cli" | jq '.access_token')
-    exists=$(curl -v -w"%{response_code}" -H"Bearer: $TOKEN" http://$keycloak_server:8080/realms/$keycloak_realm)
-    if [ "$exists" == "200" ]; then
-        return 0;
-    else
-        return 1;
-    fi
-}
-
-
-######## Test 1: #######################################################
-
-echo Secret123 | \
-keycloak-httpd-client-install   \
-    --client-originate-method registration \
-    --client-hostname $(hostname) \
-    --keycloak-server-url https://$(hostname):8443 \
-    --keycloak-admin-username admin \
-    --keycloak-admin-password-file - \
-    --app-name mellon_example_app \
-    --keycloak-realm master \
-    --mellon-root "/mellon_root/" \
-    --mellon-https-port 60443 \
-    --mellon-protected-locations "/mellon_root/private" \
-    --client-type mellon \
-    --force
-
-systemctl restart httpd
-
-# Make sure the WebSSO flow works
-run_web_sso_test master testuser Secret123
-
-######## Test 2: #######################################################
-
-##
-# Test that a new realm is created
-NEW_REALM=khci.test
-set +e
-does_realm_exist localhost $NEW_REALM Secret123
-if [ $? -eq 0 ]; then
-echo "Realm $NEW_REALM not expected to exist"
-exit 1
+if [ -f /etc/os-release ]; then
+    . /etc/os-release
+    VER_MAJOR=$(echo $VERSION_ID|cut -f1 -d.)
+    VER_MINOR=$(echo $VERSION_ID|cut -f2 -d.)
 fi
-set -e
 
-systemctl stop httpd
-
-if [ -d /etc/httpd/federation ]; then
-    mv /etc/httpd/federation /etc/httpd/federation.test1.$(date +%Y%m%d%H%M%S)
-fi
-
-rm -f /etc/httpd/conf.d/mellon_example_app_mellon_keycloak_master.conf
-
-echo Secret123 | \
-keycloak-httpd-client-install   \
-    --client-originate-method registration \
-    --client-hostname $(hostname) \
-    --keycloak-server-url https://$(hostname):8443 \
-    --keycloak-admin-username admin \
-    --keycloak-admin-password-file - \
-    --app-name mellon_example_app \
-    --keycloak-realm $NEW_REALM \
-    --location-root "/mellon_root" \
-    --client-https-port 60443 \
-    --protected-locations "/mellon_root/private" \
-    --client-type mellon \
-    --force
-
-sleep 5
-
-systemctl start httpd
-
-kcadm="podman exec keycloak /opt/keycloak/bin/kcadm.sh"
-
-$kcadm config credentials --server https://$(hostname):8443/auth/ \
-        --realm master --user admin --password Secret123
-
-USERID=$($kcadm get users -r $NEW_REALM | jq -r '.[]|select(.username=="testuser").id')
-if [ -z "$USERID" ]; then
-    $kcadm create users -r $NEW_REALM -s username=testuser -s enabled=true
-    $kcadm set-password -r $NEW_REALM --username testuser --new-password Secret123
+if [ "$ID" = "rhel" -o "$ID" = "centos" ] && [ $VER_MAJOR -lt 10 ]; then
+    ./test_khci_mellon.sh
 fi
 
-sleep 5
-
-# Make sure the WebSSO flow works against the newly created domain
-run_web_sso_test $NEW_REALM testuser Secret123
+./test_khci_oidc.sh
 
-rm -f /etc/httpd/conf.d/mellon_example_app_mellon_keycloak_khci.test.conf