Add oic auth e2e (#1701)

* Add test for oic-auth plugin

* Retrieve and check the roles from the OICD provider

* Update src/main/java/org/jenkinsci/test/acceptance/po/OicAuthSecurityRealm.java

Co-authored-by: James Nord <[email protected]>

* Apply suggestions

* Add the WhoAmI page

* Fix permissions on the docker socket

TestContainers does not use docker, but talks directly to the docker
socket.  The permissions on this socket come from the host where it is
mapped and the docker groupid may not match what we have in the
container.
So allow th arg to be passed through at build time and add the ath-user
to the docker group so it has the permissions.

We retain the legacy suid on the docker binary as we publish the
container and there is only a single test so far using this
test-containers.  (this can be revistied if required).

* Incremental build

* Remove unused libraries

* Add missing dependencies

* New incremental

* New incremental

* update to 2.476

* document testcontainers requirement

* update keycloak container vie renovate

* s/TestContainers/Testcontainers

Testcontainers is with a lower case c

---------

Co-authored-by: James Nord <[email protected]>
Co-authored-by: Basil Crow <[email protected]>

.github/renovate.json

@@ -81,7 +81,14 @@
       "matchStrings": ["ARG DOCKER_VERSION=(?<currentValue>.*?)\n"],
       "depNameTemplate": "docker",
       "datasourceTemplate": "docker"
+    },
+    {
+      "fileMatch": ["src/test/java/plugins/OicAuthPluginTest.java"],
+      "matchStrings": [".* KEYCLOAK_IMAGE =\n\\s*\"(?<repo>.*?):(?<currentValue>.*?)@(?<currentDigest>sha256:.*?)\";\n"],
+      "depNameTemplate": "{{{repo}}}",
+      "datasourceTemplate": "docker"
     }
+
   ],
   "customDatasources": {
     "firefox": {

docs/BROWSER.md

@@ -69,6 +69,8 @@ If the host running maven is different to the host running Selenium (e.g. `remot
 If this is the case you can specify the address to use using:
     `SELENIUM_PROXY_HOSTNAME=ip.address.of.host mvn install`
 **Important**: this could exposed the proxy wider beyond your machine and expose other internal services, so this should only be used on private or internal networks to prevent any information leak.
+The same issue will also impact any other containers started that the tests that the Browser (rather than Jenkins) needs to access.
+For [Testcontainers](https://testcontainers.com/) you can additionally set `TESTCONTAINERS_HOST_OVERRIDE=ip.address.of.host`
 
 ## Avoid focus steal with Xvnc on Linux
 If you select a real GUI browser, such as Firefox,

docs/DOCKER.md

@@ -71,3 +71,10 @@ It's best explained with an example:
 # Using a custom docker network
 
 If you are using a custom network for the container that executes the testing you may instruct the docker-fixtures to use the same one by setting the env variable `DOCKER_FIXTURES_NETWORK`to specify the network you want your fixtures to connect to. 
+
+# Using Testcontainers with a remote webdriver
+
+If you are using a containerized webdriver (or any other remote webdriver) then any containers launched will not be reachable from the remote web browser.
+This will be an issue for some tests that require the browser interact with the container (e.g. for authentication).
+If this is the case then the `TESTCONTAINERS_HOST_OVERRIDE` should be set to `host.docker.internal` or if the remote browser is non local the IP adddress of your machine.
+

pom.xml

@@ -69,6 +69,16 @@
         <artifactId>commons-io</artifactId>
         <version>2.16.1</version>
       </dependency>
+      <!--
+      Version needed for keycloak testcontainer.
+      As that dependency is test scope, the version used is the one coming from org.gitlab4j:gitlab4j-api, which is
+      older
+      -->
+      <dependency>
+        <groupId>jakarta.ws.rs</groupId>
+        <artifactId>jakarta.ws.rs-api</artifactId>
+        <version>3.1.0</version>
+      </dependency>
       <!-- RequireUpperBoundDeps between Mockito and Selenium -->
       <dependency>
         <groupId>net.bytebuddy</groupId>
@@ -212,6 +222,11 @@ and
       <artifactId>commons-net</artifactId>
       <version>3.11.1</version>
     </dependency>
+    <dependency>
+      <groupId>jakarta.xml.bind</groupId>
+      <artifactId>jakarta.xml.bind-api</artifactId>
+      <version>3.0.1</version>
+    </dependency>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
@@ -364,6 +379,23 @@ and
       <artifactId>zt-zip</artifactId>
       <version>1.17</version>
     </dependency>
+    <!--
+    testcontainers
+    keycloak testcontainer
+    libraries needed for keycloak client
+    -->
+    <dependency>
+      <groupId>com.github.dasniko</groupId>
+      <artifactId>testcontainers-keycloak</artifactId>
+      <version>3.4.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.annotation</groupId>
+      <artifactId>jakarta.annotation-api</artifactId>
+      <version>2.1.1</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>jakarta.mail</groupId>
       <artifactId>jakarta.mail-api</artifactId>

src/main/java/org/jenkinsci/test/acceptance/po/OicAuthSecurityRealm.java

@@ -0,0 +1,45 @@
+package org.jenkinsci.test.acceptance.po;
+
+/**
+ * Security Realm provided by oic-auth plugin
+ */
+@Describable("Login with Openid Connect")
+public class OicAuthSecurityRealm extends SecurityRealm {
+
+    public OicAuthSecurityRealm(GlobalSecurityConfig context, String path) {
+        super(context, path);
+    }
+
+    public void configureClient(String clientId, String clientSecret) {
+        control("clientId").set(clientId);
+        control("clientSecret").set(clientSecret);
+    }
+
+    public void setAutomaticConfiguration(String wellKnownEndpoint) {
+        control(by.radioButton("Automatic configuration")).click();
+        control("wellKnownOpenIDConfigurationUrl").set(wellKnownEndpoint);
+    }
+
+    public void setLogoutFromOpenidProvider(boolean logout) {
+        Control check = control(by.checkbox("Logout from OpenID Provider"));
+        if (logout) {
+            check.check();
+        } else {
+            check.uncheck();
+        }
+    }
+
+    public void setPostLogoutUrl(String postLogoutUrl) {
+        control("postLogoutRedirectUrl").set(postLogoutUrl);
+    }
+
+    public void setUserFields(
+            String userNameFieldName, String emailFieldName, String fullNameFieldName, String groupsFieldName) {
+        clickButton("User fields");
+        waitFor(by.path("/securityRealm/groupsFieldName"));
+        control("userNameField").set(userNameFieldName);
+        control("emailFieldName").set(emailFieldName);
+        control("fullNameFieldName").set(fullNameFieldName);
+        control("groupsFieldName").set(groupsFieldName);
+    }
+}

src/main/java/org/jenkinsci/test/acceptance/po/WhoAmI.java

@@ -0,0 +1,11 @@
+package org.jenkinsci.test.acceptance.po;
+
+/**
+ * Who Am I page in Jenkins
+ */
+public class WhoAmI extends ContainerPageObject {
+
+    public WhoAmI(ContainerPageObject parent) {
+        super(parent, parent.url("whoAmI/"));
+    }
+}

src/main/java/org/jenkinsci/test/acceptance/utils/keycloack/KeycloakUtils.java

@@ -0,0 +1,92 @@
+package org.jenkinsci.test.acceptance.utils.keycloack;
+
+import jakarta.inject.Inject;
+import java.net.URL;
+import org.jenkinsci.test.acceptance.po.CapybaraPortingLayerImpl;
+import org.jenkinsci.test.acceptance.utils.ElasticTime;
+import org.openqa.selenium.WebDriver;
+
+public class KeycloakUtils extends CapybaraPortingLayerImpl {
+
+    @Inject
+    public WebDriver driver;
+
+    @Inject
+    public ElasticTime time;
+
+    public KeycloakUtils() {
+        super(null);
+    }
+
+    public void open(URL url) {
+        visit(url);
+    }
+
+    public void login(String user) {
+        login(user, user);
+    }
+
+    public void login(String user, String passwd) {
+        waitFor(by.id("username"), 5);
+        find(by.id("username")).sendKeys(user);
+        find(by.id("password")).sendKeys(passwd);
+        find(by.id("kc-login")).click();
+    }
+
+    public User getCurrentUser(String keycloakUrl, String realm) {
+        driver.get(String.format("%s/realms/%s/account", keycloakUrl, realm));
+
+        waitFor(by.id("username"), 5);
+        String username = find(by.id("username")).getDomProperty("value");
+        String email = find(by.id("email")).getDomProperty("value");
+        String firstName = find(by.id("firstName")).getDomProperty("value");
+        String lastName = find(by.id("lastName")).getDomProperty("value");
+
+        return new User(null /* id not available in this page*/, username, email, firstName, lastName);
+    }
+
+    public void logout(User user) {
+        final String caption = user.getFirstName() + " " + user.getLastName();
+        waitFor(by.button(caption), 5);
+        clickButton(caption);
+        waitFor(by.button("Sign out"));
+        clickButton("Sign out");
+    }
+
+    public static class User {
+
+        private final String id;
+        private final String userName;
+        private final String email;
+        private final String firstName;
+        private final String lastName;
+
+        public User(String id, String userName, String email, String firstName, String lastName) {
+            this.id = id;
+            this.userName = userName;
+            this.email = email;
+            this.firstName = firstName;
+            this.lastName = lastName;
+        }
+
+        public String getId() {
+            return id;
+        }
+
+        public String getUserName() {
+            return userName;
+        }
+
+        public String getEmail() {
+            return email;
+        }
+
+        public String getFirstName() {
+            return firstName;
+        }
+
+        public String getLastName() {
+            return lastName;
+        }
+    }
+}