Merge branch 'update-modules' into develop

center-for-threat-informed-defense · Nov 6, 2024 · 86203ef · 86203ef
2 parents 703750d + 91838a0
commit 86203ef
Show file tree

Hide file tree

Showing 9 changed files with 677 additions and 544 deletions.
diff --git a/app/api/definitions/paths/authn-paths.yml b/app/api/definitions/paths/authn-paths.yml
@@ -64,6 +64,12 @@ paths:
           required: true
           schema:
             type: string
+        - name: iss
+          in: query
+          description: |
+            iss provided by the identity server.
+          schema:
+            type: string
         - name: state
           in: query
           description: |

diff --git a/app/lib/authn-bearer.js b/app/lib/authn-bearer.js
@@ -110,7 +110,8 @@ function verifyClientCredentialsToken(token, decodedHeader, done) {
                 // Make sure the client is allowed to access the REST API
                 // Okta returns the client id in payload.cid
                 // Keycloak returns the client id in payload.clientId
-                clientId = payload.cid || payload.clientId;
+                // Newer versions of keycloak appear to return the client id in payload.client_id
+                clientId = payload.cid || payload.clientId || payload.client_id;
                 const clients = config.serviceAuthn.oidcClientCredentials.clients;
                 const client = clients.find(c => c.clientId === clientId);
                 if (!client) {

diff --git a/app/tests/authn/README.md b/app/tests/authn/README.md
@@ -13,6 +13,7 @@ Note that each test spec is run as a separate mocha job. This is because each sp
 These tests require a keycloak server to be running. The server can be started on Docker with the command:
 
 ```shell
+docker run -p 8080:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin --name keycloak -d quay.io/keycloak/keycloak:26.0.1 start-dev
 docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin --name keycloak -d jboss/keycloak
 ```
 

diff --git a/app/tests/authn/oidc-authn.spec.js b/app/tests/authn/oidc-authn.spec.js
@@ -69,7 +69,7 @@ describe('OIDC User Authentication', function () {
     before(async function() {
         // Configure the test to use OIDC authentication
         process.env.AUTHN_MECHANISM = 'oidc';
-        process.env.AUTHN_OIDC_ISSUER_URL = `http://${ oidcHost }/auth/realms/${ oidcRealm }/.well-known/openid-configuration`;
+        process.env.AUTHN_OIDC_ISSUER_URL = `http://${ oidcHost }/realms/${ oidcRealm }/.well-known/openid-configuration`;
         process.env.AUTHN_OIDC_CLIENT_ID = oidcClientId;
 
         config.reloadConfig();

diff --git a/app/tests/authn/oidc-client-credentials-service.spec.js b/app/tests/authn/oidc-client-credentials-service.spec.js
@@ -24,7 +24,7 @@ const oidcServiceClientSecret = '774ca536-b281-4783-bfed-cc362c39405b';
 const localServerHost = 'localhost';
 const localServerPort = 3000;
 const localServerRedirectUrl = `http://${ localServerHost }:${localServerPort }/api/authn/oidc/*`;
-const jwksUri = `http://${ oidcHost }/auth/realms/${ oidcRealm }/protocol/openid-connect/certs`;
+const jwksUri = `http://${ oidcHost }/realms/${ oidcRealm }/protocol/openid-connect/certs`;
 
 describe('Client Credentials Service Authentication', function () {
     let app;

diff --git a/app/tests/authn/oidc-register.spec.js b/app/tests/authn/oidc-register.spec.js
@@ -68,7 +68,7 @@ describe('OIDC User Account Registration', function () {
     before(async function() {
         // Configure the test to use OIDC authentication
         process.env.AUTHN_MECHANISM = 'oidc';
-        process.env.AUTHN_OIDC_ISSUER_URL = `http://${ oidcHost }/auth/realms/${ oidcRealm }/.well-known/openid-configuration`;
+        process.env.AUTHN_OIDC_ISSUER_URL = `http://${ oidcHost }/realms/${ oidcRealm }/.well-known/openid-configuration`;
         process.env.AUTHN_OIDC_CLIENT_ID = oidcClientId;
 
         config.reloadConfig();

diff --git a/app/tests/shared/keycloak.js b/app/tests/shared/keycloak.js
@@ -11,7 +11,7 @@ async function deleteRealm(basePath, realmName, token) {
     // Delete the realm if it exists
     try {
         await request
-            .delete(`${ basePath }/auth/admin/realms/${ realmName }`)
+            .delete(`${ basePath }/admin/realms/${ realmName }`)
             .set('Authorization', `bearer ${token}`);
         console.info(`Deleted existing realm ${ realmName }`);
     }
@@ -34,7 +34,7 @@ async function createRealm(basePath, realmName, token) {
 
     try {
         await request
-            .post(`${ basePath }/auth/admin/realms`)
+            .post(`${ basePath }/admin/realms`)
             .set('Authorization', `bearer ${token}`)
             .send(realmData);
         console.info(`Created realm ${ realmName }`);
@@ -61,7 +61,7 @@ async function createClient(options, token) {
 
     try {
         await request
-            .post(`${ options.basePath }/auth/admin/realms/${ options.realmName }/clients`)
+            .post(`${ options.basePath }/admin/realms/${ options.realmName }/clients`)
             .set('Authorization', `bearer ${token}`)
             .send(clientData);
         console.info(`Created client ${ options.clientId }`);
@@ -75,7 +75,7 @@ async function createClient(options, token) {
 async function getClient(options, token) {
     try {
         const res = await request
-            .get(`${ options.basePath }/auth/admin/realms/${ options.realmName }/clients?clientId=${ options.clientId }`)
+            .get(`${ options.basePath }/admin/realms/${ options.realmName }/clients?clientId=${ options.clientId }`)
             .set('Authorization', `bearer ${token}`);
 
         if (res.body.length === 1) {
@@ -94,7 +94,7 @@ async function getClient(options, token) {
 async function createClientSecret(basePath, realmName, idOfClient, token) {
     try {
         const res = await request
-            .post(`${ basePath }/auth/admin/realms/${ realmName }/clients/${ idOfClient }/client-secret`)
+            .post(`${ basePath }/admin/realms/${ realmName }/clients/${ idOfClient }/client-secret`)
             .set('Authorization', `bearer ${token}`);
 
         return res.body;
@@ -108,7 +108,7 @@ async function createClientSecret(basePath, realmName, idOfClient, token) {
 async function getClientSecret(basePath, realmName, idOfClient, token) {
     try {
         const res = await request
-            .get(`${ basePath }/auth/admin/realms/${ realmName }/clients/${ idOfClient }/client-secret`)
+            .get(`${ basePath }/admin/realms/${ realmName }/clients/${ idOfClient }/client-secret`)
             .set('Authorization', `bearer ${token}`);
 
         return res.body;
@@ -119,6 +119,19 @@ async function getClientSecret(basePath, realmName, idOfClient, token) {
     }
 }
 
+async function getWellKnownConfiguration(basePath, realmName, token) {
+    try {
+        const res = await request
+            .get(`${ basePath }/realms/${ realmName }/.well-known/openid-configuration`)
+            .set('Authorization', `bearer ${ token }`);
+        console.log(res);
+    }
+    catch (err) {
+        logger.error('Unable to get well known configuration');
+        throw err;
+    }
+}
+
 async function createUser(basePath, realmName, userOptions, token) {
     const userData = {
         email: userOptions.email,
@@ -137,8 +150,8 @@ async function createUser(basePath, realmName, userOptions, token) {
 
     try {
         await request
-            .post(`${ basePath }/auth/admin/realms/${ realmName }/users`)
-            .set('Authorization', `bearer ${token}`)
+            .post(`${ basePath }/admin/realms/${ realmName }/users`)
+            .set('Authorization', `bearer ${ token }`)
             .send(userData);
         console.info(`Added user '${ userOptions.username }' to the realm '${ realmName }' on the Keycloak server`);
     }
@@ -151,7 +164,7 @@ async function createUser(basePath, realmName, userOptions, token) {
 async function getAuthorizationToken(basePath) {
     console.info(`Requesting authorization token from ${ basePath }`);
     const res = await request
-        .post(`${ basePath }/auth/realms/master/protocol/openid-connect/token`)
+        .post(`${ basePath }/realms/master/protocol/openid-connect/token`)
         .send(`client_id=${ adminClientId }`)
         .send(`username=${ defaultAdminUsername }`)
         .send(`password=${ defaultAdminPassword }`)
@@ -189,6 +202,8 @@ exports.addUsersToKeycloak = async function (serverOptions, users) {
         // eslint-disable-next-line no-await-in-loop
         await createUser(serverOptions.basePath, serverOptions.realmName, user, adminAccessToken);
     }
+
+    // await getWellKnownConfiguration(serverOptions.basePath, serverOptions.realmName, adminAccessToken);
 }
 
 exports.addClientToKeycloak = async function(clientOptions) {
@@ -206,7 +221,7 @@ exports.addClientToKeycloak = async function(clientOptions) {
 exports.getAccessTokenToClient = async function(clientOptions) {
     console.info(`Requesting client access token for ${ clientOptions.clientId } from ${ clientOptions.basePath }`);
     const res = await request
-        .post(`${ clientOptions.basePath }/auth/realms/${ clientOptions.realmName }/protocol/openid-connect/token`)
+        .post(`${ clientOptions.basePath }/realms/${ clientOptions.realmName }/protocol/openid-connect/token`)
         .send(`client_id=${ clientOptions.clientId }`)
         .send(`client_secret=${ clientOptions.clientSecret }`)
         .send(`grant_type=client_credentials`);