Add oic auth e2e

Jenkinsfile

@@ -122,7 +122,7 @@ for (int i = 0; i < splits.size(); i++) {
           retryCounts = retryCounts + 1 // increment the retry count before allocating a node in case it fails
           node(nodeLabel) {
             checkout scm
-            def image = skipImageBuild ? docker.image('jenkins/ath') : docker.build('jenkins/ath', '--build-arg uid="$(id -u)" --build-arg gid="$(id -g)" ./src/main/resources/ath-container/')
+            def image = skipImageBuild ? docker.image('jenkins/ath') : docker.build('jenkins/ath', '--build-arg uid="$(id -u)" --build-arg gid="$(id -g)" --build-arg dockergid="$(getent group docker | cut -d: -f3)" ./src/main/resources/ath-container/')
             sh 'mkdir -p target/ath-reports && chmod a+rwx target/ath-reports'
             def cwd = pwd()
             image.inside("-v /var/run/docker.sock:/var/run/docker.sock -v '${cwd}/target/ath-reports:/reports:rw' --shm-size 2g") {

pom.xml

@@ -314,6 +314,28 @@
       <version>2.1.3</version>
       <scope>test</scope>
     </dependency>
+    <!--
+    testcontainers
+    keycloak testcontainer
+    libraries needed for keycloak client
+    -->
+    <dependency>
+      <groupId>com.github.dasniko</groupId>
+      <artifactId>testcontainers-keycloak</artifactId>
+      <version>3.4.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.annotation</groupId>
+      <artifactId>jakarta.annotation-api</artifactId>
+      <version>2.1.1</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.xml.bind</groupId>
+      <artifactId>jakarta.xml.bind-api</artifactId>
+      <version>3.0.1</version>
+    </dependency>
   </dependencies>
 
   <dependencyManagement>
@@ -386,6 +408,16 @@ and
         <artifactId>httpcore</artifactId>
         <version>4.4.16</version>
       </dependency>
+      <!--
+      Version needed for keycloak testcontainer.
+      As that dependency is test scope, the version used is the one coming from org.gitlab4j:gitlab4j-api, which is
+      older
+      -->
+      <dependency>
+        <groupId>jakarta.ws.rs</groupId>
+        <artifactId>jakarta.ws.rs-api</artifactId>
+        <version>3.1.0</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 

src/main/java/org/jenkinsci/test/acceptance/po/OicAuthSecurityRealm.java

@@ -0,0 +1,44 @@
+package org.jenkinsci.test.acceptance.po;
+
+/**
+ * Security Realm provided by oic-auth plugin
+ */
+@Describable("Login with Openid Connect")
+public class OicAuthSecurityRealm extends SecurityRealm {
+
+    public OicAuthSecurityRealm(GlobalSecurityConfig context, String path) {
+        super(context, path);
+    }
+
+    public void configureClient(String clientId, String clientSecret) {
+        control("clientId").set(clientId);
+        control("clientSecret").set(clientSecret);
+    }
+
+    public void setAutomaticConfiguration(String wellKnownEndpoint) {
+        control(by.radioButton("Automatic configuration")).click();
+        control("wellKnownOpenIDConfigurationUrl").set(wellKnownEndpoint);
+    }
+
+    public void setLogoutFromOpenidProvider(boolean logout) {
+        Control check = control(by.checkbox("Logout from OpenID Provider"));
+        if (logout) {
+            check.check();
+        } else {
+            check.uncheck();
+        }
+    }
+
+    public void setPostLogoutUrl(String postLogoutUrl) {
+        control("postLogoutRedirectUrl").set(postLogoutUrl);
+    }
+
+    public void setUserFields(String userNameFieldName, String emailFieldName, String fullNameFieldName, String groupsFieldName) {
+        clickButton("User fields");
+        waitFor(by.path("/securityRealm/groupsFieldName"));
+        control("userNameField").set(userNameFieldName);
+        control("emailFieldName").set(emailFieldName);
+        control("fullNameFieldName").set(fullNameFieldName);
+        control("groupsFieldName").set(groupsFieldName);
+    }
+}

src/main/java/org/jenkinsci/test/acceptance/po/WhoAmI.java

@@ -0,0 +1,11 @@
+package org.jenkinsci.test.acceptance.po;
+
+/**
+ * Who Am I page in Jenkins
+ */
+public class WhoAmI extends ContainerPageObject {
+
+    public WhoAmI(ContainerPageObject parent) {
+        super(parent, parent.url("whoAmI/"));
+    }
+}

src/main/java/org/jenkinsci/test/acceptance/utils/keycloack/KeycloakUtils.java

@@ -0,0 +1,94 @@
+package org.jenkinsci.test.acceptance.utils.keycloack;
+
+import java.net.URL;
+
+import org.jenkinsci.test.acceptance.po.CapybaraPortingLayerImpl;
+import org.jenkinsci.test.acceptance.utils.ElasticTime;
+import org.openqa.selenium.WebDriver;
+import jakarta.inject.Inject;
+
+public class KeycloakUtils extends CapybaraPortingLayerImpl {
+
+    @Inject
+    public WebDriver driver;
+    @Inject
+    public ElasticTime time;
+
+    public KeycloakUtils() {
+        super(null);
+    }
+
+    public void open(URL url) {
+        visit(url);
+    }
+
+    public void login(String user) {
+        login(user, user);
+    }
+
+    public void login(String user, String passwd) {
+        waitFor(by.id("username"), 5);
+        find(by.id("username")).sendKeys(user);
+        find(by.id("password")).sendKeys(passwd);
+        find(by.id("kc-login")).click();
+    }
+
+
+    public User getCurrentUser(String keycloakUrl, String realm) {
+        driver.get(String.format("%s/realms/%s/account", keycloakUrl, realm));
+
+        waitFor(by.id("username"), 5);
+        String username = find(by.id("username")).getDomProperty("value");
+        String email = find(by.id("email")).getDomProperty("value");
+        String firstName = find(by.id("firstName")).getDomProperty("value");
+        String lastName = find(by.id("lastName")).getDomProperty("value");
+
+
+        return new User(null /* id not available in this page*/, username, email, firstName, lastName);
+    }
+
+    public void logout(User user) {
+        final String caption = user.getFirstName() + " " + user.getLastName();
+        waitFor(by.button(caption), 5);
+        clickButton(caption);
+        waitFor(by.button("Sign out"));
+        clickButton("Sign out");
+    }
+
+    public static class User {
+
+        private final String id;
+        private final String userName;
+        private final String email;
+        private final String firstName;
+        private final String lastName;
+
+        public User(String id, String userName, String email, String firstName, String lastName) {
+            this.id = id;
+            this.userName = userName;
+            this.email = email;
+            this.firstName = firstName;
+            this.lastName = lastName;
+        }
+
+        public String getId() {
+            return id;
+        }
+
+        public String getUserName() {
+            return userName;
+        }
+
+        public String getEmail() {
+            return email;
+        }
+
+        public String getFirstName() {
+            return firstName;
+        }
+
+        public String getLastName() {
+            return lastName;
+        }
+    }
+}

src/main/resources/ath-container/Dockerfile

@@ -37,6 +37,13 @@ RUN install -m 0755 -d /etc/apt/keyrings \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
+# Despite the docker SUID hack below, test-containers accesses /var/run/docker.sock directly and so we can not rely on the SUID hack.
+# Rather take the docker user group as an arg and make the ath-user a member of that group
+# we retain the suid workaround as this method requires a local build of the container
+# we need to do this before we install docker so that any files have the correct permission
+ARG dockergid=1002
+RUN groupadd docker -g $dockergid
+
 # Docker installation according to https://docs.docker.com/engine/install/ubuntu/
 ARG DOCKER_BUILDX_VERSION=0.16.2
 ARG DOCKER_VERSION=27.1.2
@@ -84,10 +91,11 @@ EXPOSE 5942
 
 RUN deluser --remove-home ubuntu \
   && groupadd ath-user -g $gid \
-  && useradd ath-user -l -c 'ATH User' -u $uid -g $gid -m -d /home/ath-user -s /bin/bash
+  && useradd ath-user -l -c 'ATH User' -u $uid -g $gid -G docker -m -d /home/ath-user -s /bin/bash
 
-# Set SUID and SGID for docker binary so it can communicate with mapped socket its uid:gid we can not control. Alternative
-# approach used for this is adding ath-user to the group of /var/run/docker.sock but that require root permission we do not
+# Set SUID and SGID for docker binary so it can communicate with mapped socket its uid:gid we can not control. This alternative
+# approach is used as adding ath-user to the group of /var/run/docker.sock is a build time option and any published container may
+# not match what is needed, and changing this at runtime would require root permission we do not
 # have in ENTRYPOINT as the container is started as ath-user.
 RUN chmod ug+s /usr/bin/docker*