From aa249ca22a831a9ee5dc02d33905d136df6c57d8 Mon Sep 17 00:00:00 2001 From: Glen Johnson Date: Tue, 12 Sep 2023 15:22:03 -0600 Subject: [PATCH 1/6] Add tinyproxy service --- Jenkinsfile | 300 +++++++++--------- ci/docker-compose.yml | 7 + .../authenticators_oidc/proxy/tinyproxy.conf | 15 + ci/test_suites/authenticators_oidc/test | 2 +- .../features/authn_oidc_proxy.feature | 125 ++++++++ 5 files changed, 298 insertions(+), 151 deletions(-) create mode 100644 ci/test_suites/authenticators_oidc/proxy/tinyproxy.conf create mode 100644 cucumber/authenticators_oidc/features/authn_oidc_proxy.feature diff --git a/Jenkinsfile b/Jenkinsfile index c9e59ababb..9690d46744 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -225,120 +225,120 @@ pipeline { } } - stage('Scan Docker Image') { - when { - expression { params.RUN_ONLY == '' } - } - parallel { - stage("Scan Docker Image for fixable issues") { - steps { - scanAndReport("conjur:${tagWithSHA()}", "HIGH", false) - } - } - stage("Scan Docker image for total issues") { - steps { - scanAndReport("conjur:${tagWithSHA()}", "NONE", true) - } - } - stage("Scan UBI-based Docker Image for fixable issues") { - steps { - scanAndReport("conjur-ubi:${tagWithSHA()}", "HIGH", false) - } - } - stage("Scan UBI-based Docker image for total issues") { - steps { - scanAndReport("conjur-ubi:${tagWithSHA()}", "NONE", true) - } - } - } - } - - // TODO: Add comments explaining which env vars are set here. - stage('Prepare For CodeClimate Coverage Report Submission') { - when { - expression { params.RUN_ONLY == '' } - } - steps { - catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { - script { - ccCoverage.dockerPrep() - sh 'mkdir -p coverage' - env.CODE_CLIMATE_PREPARED = "true" - } - } - } - } - - // Run outside parallel block to avoid external pressure - stage('RSpec - Standard agent tests') { - steps { - sh 'ci/test rspec' - } - } - - // Run outside parallel block to reduce main Jenkins executor load. - stage('Nightly Only') { - when { - expression { params.NIGHTLY } - } - agent { label 'executor-v2-rhel-ee' } - - environment { - CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" - } - - stages { - stage("RSpec - EE FIPS agent tests") { - - steps { - sh(script: 'cat /etc/os-release', label: 'RHEL version') - sh(script: 'docker --version', label: 'Docker version') - addNewImagesToAgent() - unstash 'version_info' - // Catch errors so remaining steps always run. - catchError { - // Run outside parallel block to avoid external pressure - sh "ci/test rspec" - } - } - } + // stage('Scan Docker Image') { + // when { + // expression { params.RUN_ONLY == '' } + // } + // parallel { + // stage("Scan Docker Image for fixable issues") { + // steps { + // scanAndReport("conjur:${tagWithSHA()}", "HIGH", false) + // } + // } + // stage("Scan Docker image for total issues") { + // steps { + // scanAndReport("conjur:${tagWithSHA()}", "NONE", true) + // } + // } + // stage("Scan UBI-based Docker Image for fixable issues") { + // steps { + // scanAndReport("conjur-ubi:${tagWithSHA()}", "HIGH", false) + // } + // } + // stage("Scan UBI-based Docker image for total issues") { + // steps { + // scanAndReport("conjur-ubi:${tagWithSHA()}", "NONE", true) + // } + // } + // } + // } + + // // TODO: Add comments explaining which env vars are set here. + // stage('Prepare For CodeClimate Coverage Report Submission') { + // when { + // expression { params.RUN_ONLY == '' } + // } + // steps { + // catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { + // script { + // ccCoverage.dockerPrep() + // sh 'mkdir -p coverage' + // env.CODE_CLIMATE_PREPARED = "true" + // } + // } + // } + // } + + // // Run outside parallel block to avoid external pressure + // stage('RSpec - Standard agent tests') { + // steps { + // sh 'ci/test rspec' + // } + // } + + // // Run outside parallel block to reduce main Jenkins executor load. + // stage('Nightly Only') { + // when { + // expression { params.NIGHTLY } + // } + // agent { label 'executor-v2-rhel-ee' } + + // environment { + // CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" + // } + + // stages { + // stage("RSpec - EE FIPS agent tests") { + + // steps { + // sh(script: 'cat /etc/os-release', label: 'RHEL version') + // sh(script: 'docker --version', label: 'Docker version') + // addNewImagesToAgent() + // unstash 'version_info' + // // Catch errors so remaining steps always run. + // catchError { + // // Run outside parallel block to avoid external pressure + // sh "ci/test rspec" + // } + // } + // } stage('EE FIPS parallel') { parallel { - stage('EE FIPS agent tests') { - when { - expression { - testShouldRunOnAgent( - params.RUN_ONLY, - runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[0]) - ) - } - } - - steps { - addNewImagesToAgent() - unstash 'version_info' - runConjurTests( - params.RUN_ONLY, - NESTED_ARRAY_OF_TESTS_TO_RUN[0] - ) - } - post { - always { - stash( - name: 'testResultEE', - includes: ''' - cucumber/*/*.*, - container_logs/*/*, - spec/reports/*.xml, - spec/reports-audit/*.xml, - gems/conjur-rack/spec/reports/*.xml, - cucumber/*/features/reports/**/*.xml - ''' - ) - } - } - } + // stage('EE FIPS agent tests') { + // when { + // expression { + // testShouldRunOnAgent( + // params.RUN_ONLY, + // runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[0]) + // ) + // } + // } + + // steps { + // addNewImagesToAgent() + // unstash 'version_info' + // runConjurTests( + // params.RUN_ONLY, + // NESTED_ARRAY_OF_TESTS_TO_RUN[0] + // ) + // } + // post { + // always { + // stash( + // name: 'testResultEE', + // includes: ''' + // cucumber/*/*.*, + // container_logs/*/*, + // spec/reports/*.xml, + // spec/reports-audit/*.xml, + // gems/conjur-rack/spec/reports/*.xml, + // cucumber/*/features/reports/**/*.xml + // ''' + // ) + // } + // } + // } // Run a subset of tests on a second agent to prevent oversubscribing the hardware stage('EE FIPS agent2 tests') { when { @@ -379,45 +379,45 @@ pipeline { } } // Run a subset of tests on a second agent to prevent oversubscribing the hardware - stage('EE FIPS agent3 tests') { - when { - expression { - testShouldRunOnAgent( - params.RUN_ONLY, - runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[2]) - ) - } - } - - agent { label 'executor-v2-rhel-ee' } - - environment { - CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" - } - - steps { - addNewImagesToAgent() - unstash 'version_info' - runConjurTests( - params.RUN_ONLY, - NESTED_ARRAY_OF_TESTS_TO_RUN[2] - ) - } - post { - always { - stash( - name: 'testResultEE3', - includes: ''' - cucumber/*/*.*, - container_logs/*/*, - spec/reports/*.xml, - spec/reports-audit/*.xml, - cucumber/*/features/reports/**/*.xml - ''' - ) - } - } - } + // stage('EE FIPS agent3 tests') { + // when { + // expression { + // testShouldRunOnAgent( + // params.RUN_ONLY, + // runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[2]) + // ) + // } + // } + + // agent { label 'executor-v2-rhel-ee' } + + // environment { + // CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" + // } + + // steps { + // addNewImagesToAgent() + // unstash 'version_info' + // runConjurTests( + // params.RUN_ONLY, + // NESTED_ARRAY_OF_TESTS_TO_RUN[2] + // ) + // } + // post { + // always { + // stash( + // name: 'testResultEE3', + // includes: ''' + // cucumber/*/*.*, + // container_logs/*/*, + // spec/reports/*.xml, + // spec/reports-audit/*.xml, + // cucumber/*/features/reports/**/*.xml + // ''' + // ) + // } + // } + // } } } } diff --git a/ci/docker-compose.yml b/ci/docker-compose.yml index 9b206fce8f..f9b6af8e50 100644 --- a/ci/docker-compose.yml +++ b/ci/docker-compose.yml @@ -228,6 +228,13 @@ services: python /usr/src/jwks/jwks_server.py -p 8090 volumes: - ./jwt/:/usr/src/jwks/ + + tinyproxy: + image: travix/tinyproxy + ports: + - 8888:8888 + volumes: + - ./test_suites/authenticators_oidc/proxy/tinyproxy.conf:/etc/tinyproxy.conf volumes: authn-local: diff --git a/ci/test_suites/authenticators_oidc/proxy/tinyproxy.conf b/ci/test_suites/authenticators_oidc/proxy/tinyproxy.conf new file mode 100644 index 0000000000..20bd8844b4 --- /dev/null +++ b/ci/test_suites/authenticators_oidc/proxy/tinyproxy.conf @@ -0,0 +1,15 @@ +User tinyproxy +Group tinyproxy +Port 8888 +Timeout 600 +DefaultErrorFile "/usr/share/tinyproxy/default.html" +StatHost "tinyproxy.stats" +LogFile "/var/log/tinyproxy/tinyproxy.log" +LogLevel Info +MaxClients 100 +MinSpareServers 5 +MaxSpareServers 20 +StartServers 10 +MaxRequestsPerChild 0 + +ViaProxyName "tinyproxy" diff --git a/ci/test_suites/authenticators_oidc/test b/ci/test_suites/authenticators_oidc/test index e56bf8e909..e3e0b4553d 100755 --- a/ci/test_suites/authenticators_oidc/test +++ b/ci/test_suites/authenticators_oidc/test @@ -58,7 +58,7 @@ function main() { $COMPOSE exec "${parallel_service}" rm "/etc/ssl/certs/$hash.0" || true done - additional_services='ldap-server keycloak' + additional_services='ldap-server keycloak tinyproxy' _run_cucumber_tests authenticators_oidc "$additional_services" \ _hydrate_all_env_args } diff --git a/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature b/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature new file mode 100644 index 0000000000..3af35b92d6 --- /dev/null +++ b/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature @@ -0,0 +1,125 @@ +@authenticators_oidc +Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator + + In this feature we define an OIDC authenticator in policy and perform authentication + with Conjur. In successful scenarios we will also define a variable and permit the user to + execute it, to verify not only that the user can authenticate with the OIDC + Authenticator, but that it can retrieve a secret using the Conjur access token. + + Background: + Given the following environment variables are available: + | context_variable | environment_variable | default_value | + | oidc_provider_internal_uri | PROVIDER_INTERNAL_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | + | oidc_scope | KEYCLOAK_SCOPE | openid | + | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | + | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | + | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | + | oidc_claim_mapping | ID_TOKEN_USER_PROPERTY | preferred_username | + | oidc_redirect_url | KEYCLOAK_REDIRECT_URI | http://conjur:3000/authn-oidc/keycloak2/cucumber/authenticate | + | oidc_ca_cert | KEYCLOAK_CA_CERT | | + + And I load a policy: + """ + - !policy + id: conjur/authn-oidc/keycloak2 + body: + - !webservice + annotations: + description: Authentication service for Keycloak, based on Open ID Connect. Uses the default token TTL of 8 minutes. + - !variable name + - !variable provider-uri + - !variable response-type + - !variable client-id + - !variable client-secret + - !variable claim-mapping + - !variable state + - !variable nonce + - !variable redirect-uri + - !variable provider-scope + - !variable token-ttl + - !variable ca-cert + - !group users + - !permit + role: !group users + privilege: [ read, authenticate ] + resource: !webservice + + - !policy + id: conjur/authn-oidc/keycloak2-long-lived + body: + - !webservice + annotations: + description: Authentication service for Keycloak, based on Open ID Connect. Uses a 2 hour token TTL. + - !variable name + - !variable provider-uri + - !variable response-type + - !variable client-id + - !variable client-secret + - !variable claim-mapping + - !variable state + - !variable nonce + - !variable redirect-uri + - !variable provider-scope + - !variable token-ttl + - !variable ca-cert + - !group users + - !permit + role: !group users + privilege: [ read, authenticate ] + resource: !webservice + + - !user + id: alice + - !grant + role: !group conjur/authn-oidc/keycloak2/users + member: !user alice + - !grant + role: !group conjur/authn-oidc/keycloak2-long-lived/users + member: !user alice + """ + + And I set the following conjur variables: + | variable_id | context_variable | default_value | + | conjur/authn-oidc/keycloak2/provider-uri | oidc_provider_uri | | + | conjur/authn-oidc/keycloak2/client-id | oidc_client_id | | + | conjur/authn-oidc/keycloak2/client-secret | oidc_client_secret | | + | conjur/authn-oidc/keycloak2/claim-mapping | oidc_claim_mapping | | + | conjur/authn-oidc/keycloak2/redirect-uri | oidc_redirect_url | | + | conjur/authn-oidc/keycloak2/response-type | | code | + | conjur/authn-oidc/keycloak2/ca-cert | oidc_ca_cert | | + | conjur/authn-oidc/keycloak2-long-lived/provider-uri | oidc_provider_uri | | + | conjur/authn-oidc/keycloak2-long-lived/client-id | oidc_client_id | | + | conjur/authn-oidc/keycloak2-long-lived/client-secret | oidc_client_secret | | + | conjur/authn-oidc/keycloak2-long-lived/claim-mapping | oidc_claim_mapping | | + | conjur/authn-oidc/keycloak2-long-lived/redirect-uri | oidc_redirect_url | | + | conjur/authn-oidc/keycloak2-long-lived/response-type | | code | + | conjur/authn-oidc/keycloak2-long-lived/token-ttl | | PT2H | + | conjur/authn-oidc/keycloak2-long-lived/ca-cert | oidc_ca_cert | | + # And I set environment variable "http_proxy" to "http://tinyproxy:8888" + # And I set environment variable "https_proxy" to "http://tinyproxy:8888" + # And I set environment variable "HTTPS_PROXY" to "http://tinyproxy:8888" + # And I set environment variable "HTTP_PROXY" to "http://tinyproxy:8888" + + @smoke + Scenario: A valid code to get Conjur access token from webservice with default token TTL + # We want to verify the returned access token is valid for retrieving a secret + Given I have a "variable" resource called "test-variable" + And I permit user "alice" to "execute" it + And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" + And I fetch a code for username "alice" and password "alice" from "keycloak2" + And I set environment variable "http_proxy" to "http://tinyproxy:8888" + And I authenticate via OIDC V2 with code and service-id "keycloak2" + Then user "alice" has been authorized by Conjur for 60 minutes + And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user + + @negative @acceptance + Scenario: A valid code to get Conjur access token from webservice with default token TTL + # We want to verify the returned access token is valid for retrieving a secret + Given I have a "variable" resource called "test-variable" + And I permit user "alice" to "execute" it + And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" + And I fetch a code for username "alice" and password "alice" from "keycloak2" + And I set environment variable "http_proxy" to "http://fakeurl:1234" + And I authenticate via OIDC V2 with code and service-id "keycloak2" + Then user "alice" has been authorized by Conjur for 60 minutes + And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user \ No newline at end of file From 4d32b03b5c673ad43268d26ed6115b0012593269 Mon Sep 17 00:00:00 2001 From: Glen Johnson Date: Fri, 15 Sep 2023 11:18:34 -0600 Subject: [PATCH 2/6] Add scenarios --- Jenkinsfile | 466 +++++++++--------- .../step_definitions/authn_common_steps.rb | 4 + .../features/support/authenticator_helpers.rb | 9 +- cucumber/api/features/support/logs_helpers.rb | 1 + .../features/authn_oidc_proxy.feature | 93 +++- 5 files changed, 330 insertions(+), 243 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 9690d46744..840709477d 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -303,204 +303,204 @@ pipeline { // } // } - stage('EE FIPS parallel') { - parallel { - // stage('EE FIPS agent tests') { - // when { - // expression { - // testShouldRunOnAgent( - // params.RUN_ONLY, - // runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[0]) - // ) - // } - // } - - // steps { - // addNewImagesToAgent() - // unstash 'version_info' - // runConjurTests( - // params.RUN_ONLY, - // NESTED_ARRAY_OF_TESTS_TO_RUN[0] - // ) - // } - // post { - // always { - // stash( - // name: 'testResultEE', - // includes: ''' - // cucumber/*/*.*, - // container_logs/*/*, - // spec/reports/*.xml, - // spec/reports-audit/*.xml, - // gems/conjur-rack/spec/reports/*.xml, - // cucumber/*/features/reports/**/*.xml - // ''' - // ) - // } - // } - // } - // Run a subset of tests on a second agent to prevent oversubscribing the hardware - stage('EE FIPS agent2 tests') { - when { - expression { - testShouldRunOnAgent( - params.RUN_ONLY, - runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[1]) - ) - } - } - agent { label 'executor-v2-rhel-ee' } - - environment { - CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" - } - - steps { - addNewImagesToAgent() - unstash 'version_info' - runConjurTests( - params.RUN_ONLY, - NESTED_ARRAY_OF_TESTS_TO_RUN[1] - ) - } - post { - always { - stash( - name: 'testResultEE2', - includes: ''' - cucumber/*/*.*, - container_logs/*/*, - spec/reports/*.xml, - spec/reports-audit/*.xml, - cucumber/*/features/reports/**/*.xml - ''' - ) - } - } - } - // Run a subset of tests on a second agent to prevent oversubscribing the hardware - // stage('EE FIPS agent3 tests') { - // when { - // expression { - // testShouldRunOnAgent( - // params.RUN_ONLY, - // runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[2]) - // ) - // } - // } - - // agent { label 'executor-v2-rhel-ee' } - - // environment { - // CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" - // } - - // steps { - // addNewImagesToAgent() - // unstash 'version_info' - // runConjurTests( - // params.RUN_ONLY, - // NESTED_ARRAY_OF_TESTS_TO_RUN[2] - // ) - // } - // post { - // always { - // stash( - // name: 'testResultEE3', - // includes: ''' - // cucumber/*/*.*, - // container_logs/*/*, - // spec/reports/*.xml, - // spec/reports-audit/*.xml, - // cucumber/*/features/reports/**/*.xml - // ''' - // ) - // } - // } - // } - } - } - } - post { - always { - script { - if (testShouldRunOnAgent(params.RUN_ONLY, runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[0]))) { - dir('ee-test'){ - unstash 'testResultEE' - } - } - if (testShouldRunOnAgent(params.RUN_ONLY, runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[1]))) { - dir('ee-test'){ - unstash 'testResultEE2' - } - } - if (testShouldRunOnAgent(params.RUN_ONLY, runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[2]))) { - dir('ee-test'){ - unstash 'testResultEE3' - } - } - } - - archiveArtifacts( - artifacts: "ee-test/cucumber/*/*.*", - fingerprint: false, - allowEmptyArchive: true - ) - - archiveArtifacts( - artifacts: "ee-test/container_logs/*/*", - fingerprint: false, - allowEmptyArchive: true - ) + // stage('EE FIPS parallel') { + // parallel { + // stage('EE FIPS agent tests') { + // when { + // expression { + // testShouldRunOnAgent( + // params.RUN_ONLY, + // runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[0]) + // ) + // } + // } + + // steps { + // addNewImagesToAgent() + // unstash 'version_info' + // runConjurTests( + // params.RUN_ONLY, + // NESTED_ARRAY_OF_TESTS_TO_RUN[0] + // ) + // } + // post { + // always { + // stash( + // name: 'testResultEE', + // includes: ''' + // cucumber/*/*.*, + // container_logs/*/*, + // spec/reports/*.xml, + // spec/reports-audit/*.xml, + // gems/conjur-rack/spec/reports/*.xml, + // cucumber/*/features/reports/**/*.xml + // ''' + // ) + // } + // } + // } + // // Run a subset of tests on a second agent to prevent oversubscribing the hardware + // stage('EE FIPS agent2 tests') { + // when { + // expression { + // testShouldRunOnAgent( + // params.RUN_ONLY, + // runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[1]) + // ) + // } + // } + // agent { label 'executor-v2-rhel-ee' } + + // environment { + // CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" + // } + + // steps { + // addNewImagesToAgent() + // unstash 'version_info' + // runConjurTests( + // params.RUN_ONLY, + // NESTED_ARRAY_OF_TESTS_TO_RUN[1] + // ) + // } + // post { + // always { + // stash( + // name: 'testResultEE2', + // includes: ''' + // cucumber/*/*.*, + // container_logs/*/*, + // spec/reports/*.xml, + // spec/reports-audit/*.xml, + // cucumber/*/features/reports/**/*.xml + // ''' + // ) + // } + // } + // } + // // Run a subset of tests on a second agent to prevent oversubscribing the hardware + // stage('EE FIPS agent3 tests') { + // when { + // expression { + // testShouldRunOnAgent( + // params.RUN_ONLY, + // runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[2]) + // ) + // } + // } + + // agent { label 'executor-v2-rhel-ee' } + + // environment { + // CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" + // } + + // steps { + // addNewImagesToAgent() + // unstash 'version_info' + // runConjurTests( + // params.RUN_ONLY, + // NESTED_ARRAY_OF_TESTS_TO_RUN[2] + // ) + // } + // post { + // always { + // stash( + // name: 'testResultEE3', + // includes: ''' + // cucumber/*/*.*, + // container_logs/*/*, + // spec/reports/*.xml, + // spec/reports-audit/*.xml, + // cucumber/*/features/reports/**/*.xml + // ''' + // ) + // } + // } + // } + // } + // } + // } + // post { + // always { + // script { + // if (testShouldRunOnAgent(params.RUN_ONLY, runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[0]))) { + // dir('ee-test'){ + // unstash 'testResultEE' + // } + // } + // if (testShouldRunOnAgent(params.RUN_ONLY, runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[1]))) { + // dir('ee-test'){ + // unstash 'testResultEE2' + // } + // } + // if (testShouldRunOnAgent(params.RUN_ONLY, runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[2]))) { + // dir('ee-test'){ + // unstash 'testResultEE3' + // } + // } + // } - publishHTML( - reportDir: 'ee-test/cucumber', - reportFiles: ''' - api/cucumber_results.html, - authenticators_config/cucumber_results.html, - authenticators_azure/cucumber_results.html, - authenticators_ldap/cucumber_results.html, - authenticators_oidc/cucumber_results.html, - authenticators_jwt/cucumber_results.html, - authenticators_status/cucumber_results.html - policy/cucumber_results.html, - rotators/cucumber_results.html - ''', - reportName: 'EE Integration reports', - reportTitles: '', - allowMissing: false, - alwaysLinkToLastBuild: true, - keepAll: true - ) - } - } - } + // archiveArtifacts( + // artifacts: "ee-test/cucumber/*/*.*", + // fingerprint: false, + // allowEmptyArchive: true + // ) + + // archiveArtifacts( + // artifacts: "ee-test/container_logs/*/*", + // fingerprint: false, + // allowEmptyArchive: true + // ) + + // publishHTML( + // reportDir: 'ee-test/cucumber', + // reportFiles: ''' + // api/cucumber_results.html, + // authenticators_config/cucumber_results.html, + // authenticators_azure/cucumber_results.html, + // authenticators_ldap/cucumber_results.html, + // authenticators_oidc/cucumber_results.html, + // authenticators_jwt/cucumber_results.html, + // authenticators_status/cucumber_results.html + // policy/cucumber_results.html, + // rotators/cucumber_results.html + // ''', + // reportName: 'EE Integration reports', + // reportTitles: '', + // allowMissing: false, + // alwaysLinkToLastBuild: true, + // keepAll: true + // ) + // } + // } + // } stage('Run environment tests in parallel') { parallel { - stage('Standard agent tests') { - when { - expression { - testShouldRunOnAgent( - params.RUN_ONLY, - runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[0]) - ) - } - } - - environment { - CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" - } - - steps { - sh(script: 'cat /etc/os-release', label: 'Ubuntu version') - sh(script: 'docker --version', label: 'Docker version') - runConjurTests( - params.RUN_ONLY, - NESTED_ARRAY_OF_TESTS_TO_RUN[0] - ) - } - } + // stage('Standard agent tests') { + // when { + // expression { + // testShouldRunOnAgent( + // params.RUN_ONLY, + // runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[0]) + // ) + // } + // } + + // environment { + // CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" + // } + + // steps { + // sh(script: 'cat /etc/os-release', label: 'Ubuntu version') + // sh(script: 'docker --version', label: 'Docker version') + // runConjurTests( + // params.RUN_ONLY, + // NESTED_ARRAY_OF_TESTS_TO_RUN[0] + // ) + // } + // } // Run a subset of tests on a second agent to prevent oversubscribing the hardware stage('Standard agent2 tests') { @@ -540,45 +540,45 @@ pipeline { } // Run a subset of tests on a second agent to prevent oversubscribing the hardware - stage('Standard agent3 tests') { - when { - expression { - testShouldRunOnAgent( - params.RUN_ONLY, - runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[2]) - ) - } - } - - agent { label 'executor-v2' } - environment { - CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" - } - - steps { - addNewImagesToAgent() - unstash 'version_info' - runConjurTests( - params.RUN_ONLY, - NESTED_ARRAY_OF_TESTS_TO_RUN[2] - ) - } - post { - always { - stash( - name: 'standardTestResult3', - includes: ''' - cucumber/*/*.*, - container_logs/*/*, - spec/reports/*.xml, - spec/reports-audit/*.xml, - cucumber/*/features/reports/**/*.xml, - ci/test_suites/*/output/* - ''' - ) - } - } - } + // stage('Standard agent3 tests') { + // when { + // expression { + // testShouldRunOnAgent( + // params.RUN_ONLY, + // runSpecificTestOnAgent(params.RUN_ONLY, NESTED_ARRAY_OF_TESTS_TO_RUN[2]) + // ) + // } + // } + + // agent { label 'executor-v2' } + // environment { + // CUCUMBER_FILTER_TAGS = "${params.CUCUMBER_FILTER_TAGS}" + // } + + // steps { + // addNewImagesToAgent() + // unstash 'version_info' + // runConjurTests( + // params.RUN_ONLY, + // NESTED_ARRAY_OF_TESTS_TO_RUN[2] + // ) + // } + // post { + // always { + // stash( + // name: 'standardTestResult3', + // includes: ''' + // cucumber/*/*.*, + // container_logs/*/*, + // spec/reports/*.xml, + // spec/reports-audit/*.xml, + // cucumber/*/features/reports/**/*.xml, + // ci/test_suites/*/output/* + // ''' + // ) + // } + // } + // } stage('Azure Authenticator') { when { diff --git a/cucumber/_authenticators_common/features/step_definitions/authn_common_steps.rb b/cucumber/_authenticators_common/features/step_definitions/authn_common_steps.rb index 24a0c2b445..45b8ed6218 100644 --- a/cucumber/_authenticators_common/features/step_definitions/authn_common_steps.rb +++ b/cucumber/_authenticators_common/features/step_definitions/authn_common_steps.rb @@ -74,3 +74,7 @@ @scenario_context.add(variable_hash['context_variable'].to_sym, value) end end + +Given(/^I set environment variable "([^"]*)" to "([^"]*)"$/) do |variable_name, variable_value| + ENV[variable_name] = variable_value +end diff --git a/cucumber/_authenticators_common/features/support/authenticator_helpers.rb b/cucumber/_authenticators_common/features/support/authenticator_helpers.rb index 986c633bcc..61eeb2b273 100644 --- a/cucumber/_authenticators_common/features/support/authenticator_helpers.rb +++ b/cucumber/_authenticators_common/features/support/authenticator_helpers.rb @@ -72,7 +72,8 @@ def load_root_policy(policy) def get(path, options = {}) options = options.merge( method: :get, - url: path + url: path, + proxy: nil ) result = RestClient::Request.execute(options) @response_body = result.body @@ -84,6 +85,9 @@ def get(path, options = {}) end def post(path, payload, options = {}) + options = options.merge( + proxy: nil + ) result = RestClient.post(path, payload, options) @response_body = result.body @http_status = result.code @@ -94,6 +98,9 @@ def post(path, payload, options = {}) end def execute(method, path, payload = {}, options = {}) + options = options.merge( + proxy: nil + ) result = RestClient::Request.execute(method: method, url: path, payload: payload, **options) @response_body = result.body @http_status = result.code diff --git a/cucumber/api/features/support/logs_helpers.rb b/cucumber/api/features/support/logs_helpers.rb index 534a6c972b..26ac9f0dd5 100644 --- a/cucumber/api/features/support/logs_helpers.rb +++ b/cucumber/api/features/support/logs_helpers.rb @@ -32,6 +32,7 @@ def num_matches_since_savepoint(msg) start_line = @saved_num_lines end_line = cur_num_lines + puts "Logs since savepoint: #{File.readlines(LOG_LOCATION)[start_line..end_line]}" File.readlines(LOG_LOCATION)[start_line..end_line].grep(/#{msg}/i).count end diff --git a/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature b/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature index 3af35b92d6..e246d6765c 100644 --- a/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature +++ b/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature @@ -1,10 +1,9 @@ @authenticators_oidc -Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator +Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator through a proxy In this feature we define an OIDC authenticator in policy and perform authentication - with Conjur. In successful scenarios we will also define a variable and permit the user to - execute it, to verify not only that the user can authenticate with the OIDC - Authenticator, but that it can retrieve a secret using the Conjur access token. + with Conjur. Conjur will be accessing the OIDC provider through a proxy determined by + the environment variables: http_proxy, https_proxy, HTTP_PROXY, HTTPS_PROXY. Background: Given the following environment variables are available: @@ -101,7 +100,7 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator # And I set environment variable "HTTP_PROXY" to "http://tinyproxy:8888" @smoke - Scenario: A valid code to get Conjur access token from webservice with default token TTL + Scenario: A valid code to get Conjur access token from webservice with http_proxy set # We want to verify the returned access token is valid for retrieving a secret Given I have a "variable" resource called "test-variable" And I permit user "alice" to "execute" it @@ -112,14 +111,90 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator Then user "alice" has been authorized by Conjur for 60 minutes And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - @negative @acceptance - Scenario: A valid code to get Conjur access token from webservice with default token TTL + @smoke + Scenario: A valid code to get Conjur access token from webservice with HTTP_PROXY set + # We want to verify the returned access token is valid for retrieving a secret + Given I have a "variable" resource called "test-variable" + And I permit user "alice" to "execute" it + And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" + And I fetch a code for username "alice" and password "alice" from "keycloak2" + And I set environment variable "HTTP_PROXY" to "http://tinyproxy:8888" + And I authenticate via OIDC V2 with code and service-id "keycloak2" + Then user "alice" has been authorized by Conjur for 60 minutes + And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user + + @smoke + Scenario: A valid code to get Conjur access token from webservice with https_proxy set # We want to verify the returned access token is valid for retrieving a secret Given I have a "variable" resource called "test-variable" And I permit user "alice" to "execute" it And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" And I fetch a code for username "alice" and password "alice" from "keycloak2" - And I set environment variable "http_proxy" to "http://fakeurl:1234" + And I set environment variable "https_proxy" to "http://tinyproxy:8888" And I authenticate via OIDC V2 with code and service-id "keycloak2" Then user "alice" has been authorized by Conjur for 60 minutes - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user \ No newline at end of file + And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user + + @smoke + Scenario: A valid code to get Conjur access token from webservice with HTTP_PROXY set + # We want to verify the returned access token is valid for retrieving a secret + Given I have a "variable" resource called "test-variable" + And I permit user "alice" to "execute" it + And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" + And I fetch a code for username "alice" and password "alice" from "keycloak2" + And I set environment variable "HTTPS_PROXY" to "http://tinyproxy:8888" + And I authenticate via OIDC V2 with code and service-id "keycloak2" + Then user "alice" has been authorized by Conjur for 60 minutes + And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user + + @negative @acceptance + Scenario: Unauthenticated is raised in case of an invalid HTTPS_PROXY setting + Given I fetch a code for username "alice" and password "alice" from "keycloak2" + When I set environment variable "HTTPS_PROXY" to "https://fakeproxy" + # And I add the secret value "https://keycloak:1234" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" + And I save my place in the log file + And I authenticate via OIDC V2 with code + Then it is a bad request + And The following appears in the log after my savepoint: + """ + Errors::Authentication::OAuth::ProviderDiscoveryFailed + """ + + @negative @acceptance + Scenario: Unauthenticated is raised in case of an invalid https_proxy setting + Given I fetch a code for username "alice" and password "alice" from "keycloak2" + When I set environment variable "https_proxy" to "https://fakeproxy" + # And I add the secret value "https://keycloak:1234" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" + And I save my place in the log file + And I authenticate via OIDC V2 with code + Then it is a bad request + And The following appears in the log after my savepoint: + """ + Errors::Authentication::OAuth::ProviderDiscoveryFailed + """ + + @negative @acceptance + Scenario: Unauthenticated is raised in case of an invalid HTTP_PROXY setting + Given I fetch a code for username "alice" and password "alice" from "keycloak2" + When I set environment variable "HTTP_PROXY" to "http://fakeproxy" + # And I add the secret value "http://keycloak:1234" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" + And I save my place in the log file + And I authenticate via OIDC V2 with code + Then it is a bad request + And The following appears in the log after my savepoint: + """ + Errors::Authentication::OAuth::ProviderDiscoveryFailed + """ + + @negative @acceptance + Scenario: Unauthenticated is raised in case of an invalid http_proxy setting + Given I fetch a code for username "alice" and password "alice" from "keycloak2" + When I set environment variable "http_proxy" to "http://fakeproxy" + # And I add the secret value "http://keycloak:1234" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" + And I save my place in the log file + And I authenticate via OIDC V2 with code + Then it is a bad request + And The following appears in the log after my savepoint: + """ + Errors::Authentication::OAuth::ProviderDiscoveryFailed + """ From 9e319832a5bfa318969e09dc19ed9c5597a6832d Mon Sep 17 00:00:00 2001 From: Glen Johnson Date: Fri, 15 Sep 2023 11:19:34 -0600 Subject: [PATCH 3/6] Remove other tests (temp) --- .../features/authn_oidc.feature | 289 ----------------- .../features/authn_oidc_bad_policy.feature | 227 ------------- .../features/authn_oidc_okta.feature | 51 --- .../features/authn_oidc_performance.feature | 66 ---- .../features/authn_oidc_v2.feature | 301 ------------------ .../features/authn_oidc_with_ldap.feature | 82 ----- .../features/authn_status_oidc.feature | 291 ----------------- .../features/list_authenticators.feature | 96 ------ 8 files changed, 1403 deletions(-) delete mode 100644 cucumber/authenticators_oidc/features/authn_oidc.feature delete mode 100644 cucumber/authenticators_oidc/features/authn_oidc_bad_policy.feature delete mode 100644 cucumber/authenticators_oidc/features/authn_oidc_okta.feature delete mode 100644 cucumber/authenticators_oidc/features/authn_oidc_performance.feature delete mode 100644 cucumber/authenticators_oidc/features/authn_oidc_v2.feature delete mode 100644 cucumber/authenticators_oidc/features/authn_oidc_with_ldap.feature delete mode 100644 cucumber/authenticators_oidc/features/authn_status_oidc.feature delete mode 100644 cucumber/authenticators_oidc/features/list_authenticators.feature diff --git a/cucumber/authenticators_oidc/features/authn_oidc.feature b/cucumber/authenticators_oidc/features/authn_oidc.feature deleted file mode 100644 index a2c5eb8ac6..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc.feature +++ /dev/null @@ -1,289 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator - Hosts can authenticate with OIDC authenticator - - In this feature we define an OIDC authenticator in policy and perform authentication - with Conjur. In successful scenarios we will also define a variable and permit the host to - execute it, to verify not only that the host can authenticate with the OIDC - Authenticator, but that it can retrieve a secret using the Conjur access token. - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_internal_uri | PROVIDER_INTERNAL_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | - | oidc_scope | KEYCLOAK_SCOPE | openid | - | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | - | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_id_token_user_property | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - And I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !variable - id: ca-cert - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - - @smoke - Scenario: A valid id token in header to get Conjur access token - # We want to verify the returned access token is valid for retrieving a secret - Given I have a "variable" resource called "test-variable" - And I permit user "alice" to "execute" it - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the audit log file - When I authenticate via OIDC with id token in header - Then user "alice" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the audit log after my savepoint: - """ - cucumber:user:alice successfully authenticated with authenticator authn-oidc service cucumber:webservice:conjur/authn-oidc/keycloak - """ - - @smoke - Scenario: A valid id token in body to get Conjur access token - # We want to verify the returned access token is valid for retrieving a secret - Given I have a "variable" resource called "test-variable" - And I permit user "alice" to "execute" it - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the audit log file - When I authenticate via OIDC with id token - Then user "alice" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the audit log after my savepoint: - """ - cucumber:user:alice successfully authenticated with authenticator authn-oidc service cucumber:webservice:conjur/authn-oidc/keycloak - """ - - @smoke - Scenario: A valid id token with email as id-token-user-property - Given I extend the policy with: - """ - - !user alice@conjur.net - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice@conjur.net - """ - When I add the secret value "email" to the resource "cucumber:variable:conjur/authn-oidc/keycloak/id-token-user-property" - And I fetch an ID Token for username "alice" and password "alice" - And I authenticate via OIDC with id token - Then user "alice@conjur.net" has been authorized by Conjur - - @smoke - Scenario: Adding a group to keycloak/users group permits users to authenticate - Given I extend the policy with: - """ - - !user bob.somebody - - - !group more-users - - - !grant - role: !group more-users - member: !user bob.somebody - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !group more-users - """ - And I fetch an ID Token for username "bob.somebody" and password "bob" - When I authenticate via OIDC with id token - Then user "bob.somebody" has been authorized by Conjur - - @negative @acceptance - Scenario: Non-existing username in ID token is denied - Given I fetch an ID Token for username "not_in_conjur" and password "not_in_conjur" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::RoleNotFound - """ - And The following appears in the audit log after my savepoint: - """ - cucumber:user:not_in_conjur failed to authenticate with authenticator authn-oidc service cucumber:webservice:conjur/authn-oidc/keycloak - """ - - @negative @acceptance - Scenario: User that is not permitted to webservice in ID token is denied - Given I extend the policy with: - """ - - !user bob.somebody - """ - And I fetch an ID Token for username "bob.somebody" and password "bob" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is forbidden - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::RoleNotAuthorizedOnResource - """ - - @negative @acceptance - Scenario: ID token without value of variable id-token-user-property is denied - When I add the secret value "non_existing_field" to the resource "cucumber:variable:conjur/authn-oidc/keycloak/id-token-user-property" - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::AuthnOidc::IdTokenClaimNotFoundOrEmpty: CONJ00013E Claim 'non_existing_field' not found or empty in ID token. This claim is defined in the id-token-user-property variable. - """ - - @negative @acceptance - Scenario: Missing id token is a bad request - Given I save my place in the log file - When I authenticate via OIDC with no id token - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::RequestBody::MissingRequestParam - """ - And The following appears in the audit log after my savepoint: - """ - cucumber:user:USERNAME_MISSING failed to authenticate with authenticator authn-oidc service - """ - - @negative @acceptance - Scenario: Empty id token is a bad request - Given I save my place in the log file - When I authenticate via OIDC with empty id token - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::RequestBody::MissingRequestParam - """ - And The following appears in the audit log after my savepoint: - """ - cucumber:user:USERNAME_MISSING failed to authenticate with authenticator authn-oidc service - """ - - @negative @acceptance - Scenario: non-existing account in request is denied - Given I save my place in the log file - When I authenticate via OIDC with id token and account "non-existing" - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::AccountNotDefined - """ - And The following appears in the audit log after my savepoint: - """ - non-existing:user:USERNAME_MISSING failed to authenticate with authenticator authn-oidc service - """ - - @negative @acceptance - Scenario: admin user is denied - And I fetch an ID Token for username "admin" and password "admin" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::AdminAuthenticationDenied - """ - And The following appears in the audit log after my savepoint: - """ - cucumber:user:USERNAME_MISSING failed to authenticate with authenticator authn-oidc service - """ - - @smoke - Scenario: provider-uri dynamic change - And I fetch an ID Token for username "alice" and password "alice" - And I authenticate via OIDC with id token - And user "alice" has been authorized by Conjur - # Update provider uri to a different hostname and verify `provider-uri` has changed - When I add the secret value "https://different-provider:8443" to the resource "cucumber:variable:conjur/authn-oidc/keycloak/provider-uri" - And I authenticate via OIDC with id token - Then it is unauthorized - # Check recovery to a valid provider uri - And I revert the value of the resource "cucumber:variable:conjur/authn-oidc/keycloak/provider-uri" - And I fetch an ID Token for username "alice" and password "alice" - And I authenticate via OIDC with id token - Then user "alice" has been authorized by Conjur - - @negative @acceptance - Scenario: Unauthenticated is raised in case of an invalid OIDC Provider hostname - Given I fetch an ID Token for username "alice" and password "alice" - And I authenticate via OIDC with id token - And user "alice" has been authorized by Conjur - # Update provider uri to reachable but invalid hostname - When I add the secret value "http://127.0.0.1.com/" to the resource "cucumber:variable:conjur/authn-oidc/keycloak/provider-uri" - And I save my place in the log file - And I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::OAuth::ProviderDiscoveryFailed - """ - - # This test runs a failing authentication request that is already - # tested in another scenario (User that is not permitted to webservice in ID token is denied). - # We run it again here to verify that we write a message to the audit log - @acceptance - Scenario: Authentication failure is written to the audit log - Given I extend the policy with: - """ - - !user bob.somebody - """ - And I fetch an ID Token for username "bob.somebody" and password "bob" - And I save my place in the audit log file - When I authenticate via OIDC with id token - Then it is forbidden - And The following appears in the audit log after my savepoint: - """ - cucumber:user:bob.somebody failed to authenticate with authenticator authn-oidc service cucumber:webservice:conjur/authn-oidc/keycloak - """ - - @negative @acceptance - Scenario: Request with an existing user ID in URL is responded with not found - Given I save my place in the log file - When I authenticate via OIDC with no id token and user id "alice" in the request - Then it is not found - And The following appears in the log after my savepoint: - """ - ActionController::RoutingError (No route matches [POST] "/authn-oidc/keycloak/cucumber/alice/authenticate") - """ - - @negative @acceptance - Scenario: Request with a non-existing user ID in URL is responded with not found - Given I save my place in the log file - When I authenticate via OIDC with no id token and user id "non-exist" in the request - Then it is not found - And The following appears in the log after my savepoint: - """ - ActionController::RoutingError (No route matches [POST] "/authn-oidc/keycloak/cucumber/non-exist/authenticate") - """ diff --git a/cucumber/authenticators_oidc/features/authn_oidc_bad_policy.feature b/cucumber/authenticators_oidc/features/authn_oidc_bad_policy.feature deleted file mode 100644 index 2c89226a87..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc_bad_policy.feature +++ /dev/null @@ -1,227 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator - Bad authenticator configuration leads to an error - - In this feature we define an OIDC Authenticator with a configuration - mistake. Each test will verify that we fail the authentication in such a case - and log the relevant error for the user to re-configure the authenticator - properly - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_internal_uri | PROVIDER_INTERNAL_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | - | oidc_scope | KEYCLOAK_SCOPE | openid | - | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | - | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_id_token_user_property | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - @negative @acceptance - Scenario: id-token-user-property variable missing in policy is denied - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - - !variable - id: provider-uri - - - !variable - id: ca-cert - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Conjur::RequiredResourceMissing - """ - - @negative @acceptance - Scenario: provider-uri variable missing in policy is denied - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - - !variable - id: id-token-user-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Conjur::RequiredResourceMissing - """ - - @negative @acceptance - Scenario: webservice missing in policy is denied - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !variable - id: ca-cert - - - !group users - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::WebserviceNotFound - """ - - @negative @acceptance - Scenario: webservice with read and no authenticate permission in policy is denied - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !variable - id: ca-cert - - - !group users - - - !permit - role: !group users - privilege: [ read ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is forbidden - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::RoleNotAuthorizedOnResource - """ - - @negative @acceptance - Scenario: An authenticator without a service id - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc - body: - - !webservice - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/provider-uri | oidc_provider_uri | - Given I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token and without a service-id - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::AuthnOidc::ServiceIdMissing - """ diff --git a/cucumber/authenticators_oidc/features/authn_oidc_okta.feature b/cucumber/authenticators_oidc/features/authn_oidc_okta.feature deleted file mode 100644 index 6491e3f55b..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc_okta.feature +++ /dev/null @@ -1,51 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator V2 - Users can authenticate with Okta using OIDC - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_uri | OKTA_PROVIDER_URI | | - | oidc_client_id | OKTA_CLIENT_ID | | - | oidc_client_secret | OKTA_CLIENT_SECRET | | - | oidc_redirect_url | OKTA_REDIRECT | http://localhost:3000/authn-oidc/okta/cucumber/authenticate | - | oidc_username | OKTA_USERNAME | | - | oidc_password | OKTA_PASSWORD | | - - And I load a policy and enable an oidc user into group "conjur/authn-oidc/okta/users": - """ - - !policy - id: conjur/authn-oidc/okta - body: - - !webservice - annotations: - description: Authentication service for Okta, based on Open ID Connect. - - - !variable provider-uri - - !variable client-id - - !variable client-secret - - !variable claim-mapping - - !variable state - - !variable nonce - - !variable redirect-uri - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - """ - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/okta/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/okta/client-id | oidc_client_id | | - | conjur/authn-oidc/okta/client-secret | oidc_client_secret | | - | conjur/authn-oidc/okta/claim-mapping | | preferred_username | - | conjur/authn-oidc/okta/redirect-uri | oidc_redirect_url | | - - @smoke - Scenario: Authenticating with Conjur using Okta - Given I retrieve OIDC configuration from the provider endpoint for "okta" - And I authenticate and fetch a code from Okta - When I authenticate via OIDC with code and service_id "okta" - Then the okta user has been authorized by conjur diff --git a/cucumber/authenticators_oidc/features/authn_oidc_performance.feature b/cucumber/authenticators_oidc/features/authn_oidc_performance.feature deleted file mode 100644 index 2b27dcdb3b..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc_performance.feature +++ /dev/null @@ -1,66 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator - Performance tests - - In this feature we test that OIDC Authenticator performance is meeting - the SLA. We run multiple authn-oidc requests in multiple threads and verify - that the average time of a request is no more that the agreed time. - We test both successful requests and unsuccessful requests. - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_internal_uri | PROVIDER_INTERNAL_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | - | oidc_scope | KEYCLOAK_SCOPE | openid | - | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | - | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_id_token_user_property | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - And I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !variable - id: ca-cert - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - - @performance - Scenario: successful requests - And I fetch an ID Token for username "alice" and password "alice" - When I authenticate 1000 times in 10 threads via OIDC with id token - Then The avg authentication request responds in less than 0.75 seconds - - @performance - Scenario: Unsuccessful requests with an invalid token - When I authenticate 1000 times in 10 threads via OIDC with invalid id token - Then The avg authentication request responds in less than 0.75 seconds diff --git a/cucumber/authenticators_oidc/features/authn_oidc_v2.feature b/cucumber/authenticators_oidc/features/authn_oidc_v2.feature deleted file mode 100644 index 4b6daff86e..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc_v2.feature +++ /dev/null @@ -1,301 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator - - In this feature we define an OIDC authenticator in policy and perform authentication - with Conjur. In successful scenarios we will also define a variable and permit the user to - execute it, to verify not only that the user can authenticate with the OIDC - Authenticator, but that it can retrieve a secret using the Conjur access token. - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_internal_uri | PROVIDER_INTERNAL_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | - | oidc_scope | KEYCLOAK_SCOPE | openid | - | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | - | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_claim_mapping | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_redirect_url | KEYCLOAK_REDIRECT_URI | http://conjur:3000/authn-oidc/keycloak2/cucumber/authenticate | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - And I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak2 - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. Uses the default token TTL of 8 minutes. - - !variable name - - !variable provider-uri - - !variable response-type - - !variable client-id - - !variable client-secret - - !variable claim-mapping - - !variable state - - !variable nonce - - !variable redirect-uri - - !variable provider-scope - - !variable token-ttl - - !variable ca-cert - - !group users - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !policy - id: conjur/authn-oidc/keycloak2-long-lived - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. Uses a 2 hour token TTL. - - !variable name - - !variable provider-uri - - !variable response-type - - !variable client-id - - !variable client-secret - - !variable claim-mapping - - !variable state - - !variable nonce - - !variable redirect-uri - - !variable provider-scope - - !variable token-ttl - - !variable ca-cert - - !group users - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user - id: alice - - !grant - role: !group conjur/authn-oidc/keycloak2/users - member: !user alice - - !grant - role: !group conjur/authn-oidc/keycloak2-long-lived/users - member: !user alice - """ - - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/keycloak2/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/keycloak2/client-id | oidc_client_id | | - | conjur/authn-oidc/keycloak2/client-secret | oidc_client_secret | | - | conjur/authn-oidc/keycloak2/claim-mapping | oidc_claim_mapping | | - | conjur/authn-oidc/keycloak2/redirect-uri | oidc_redirect_url | | - | conjur/authn-oidc/keycloak2/response-type | | code | - | conjur/authn-oidc/keycloak2/ca-cert | oidc_ca_cert | | - | conjur/authn-oidc/keycloak2-long-lived/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/keycloak2-long-lived/client-id | oidc_client_id | | - | conjur/authn-oidc/keycloak2-long-lived/client-secret | oidc_client_secret | | - | conjur/authn-oidc/keycloak2-long-lived/claim-mapping | oidc_claim_mapping | | - | conjur/authn-oidc/keycloak2-long-lived/redirect-uri | oidc_redirect_url | | - | conjur/authn-oidc/keycloak2-long-lived/response-type | | code | - | conjur/authn-oidc/keycloak2-long-lived/token-ttl | | PT2H | - | conjur/authn-oidc/keycloak2-long-lived/ca-cert | oidc_ca_cert | | - - @smoke - Scenario: A valid code to get Conjur access token from webservice with default token TTL - # We want to verify the returned access token is valid for retrieving a secret - Given I have a "variable" resource called "test-variable" - And I permit user "alice" to "execute" it - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I fetch a code for username "alice" and password "alice" from "keycloak2" - And I save my place in the audit log file - And I authenticate via OIDC V2 with code and service-id "keycloak2" - Then user "alice" has been authorized by Conjur for 60 minutes - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the audit log after my savepoint: - """ - cucumber:user:alice successfully authenticated with authenticator authn-oidc service cucumber:webservice:conjur/authn-oidc/keycloak2 - """ - - @smoke - Scenario: A valid code to get Conjur access token from webservice with custom token TTL - Given I have a "variable" resource called "test-variable" - And I permit user "alice" to "execute" it - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I fetch a code for username "alice" and password "alice" from "keycloak2-long-lived" - And I save my place in the audit log file - And I authenticate via OIDC V2 with code and service-id "keycloak2-long-lived" - Then user "alice" has been authorized by Conjur for 2 hours - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the audit log after my savepoint: - """ - cucumber:user:alice successfully authenticated with authenticator authn-oidc service cucumber:webservice:conjur/authn-oidc/keycloak2-long-lived - """ - - @smoke - Scenario: A valid code with email as claim mapping - Given I extend the policy with: - """ - - !user alice@conjur.net - - !grant - role: !group conjur/authn-oidc/keycloak2/users - member: !user alice@conjur.net - """ - When I add the secret value "email" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/claim-mapping" - And I fetch a code for username "alice@conjur.net" and password "alice" from "keycloak2" - And I authenticate via OIDC V2 with code - Then user "alice@conjur.net" has been authorized by Conjur - - @smoke - Scenario: Adding a group to keycloak2/users group permits users to authenticate - Given I extend the policy with: - """ - - !user - id: bob.somebody - - !group more-users - - !grant - role: !group more-users - member: !user bob.somebody - - !grant - role: !group conjur/authn-oidc/keycloak2/users - member: !group more-users - """ - And I fetch a code for username "bob@conjur.net" and password "bob" from "keycloak2" - When I authenticate via OIDC V2 with code - Then user "bob.somebody" has been authorized by Conjur - - @negative @acceptance - Scenario: Non-existing username in claim mapping is denied - Given I fetch a code for username "not_in_conjur" and password "not_in_conjur" from "keycloak2" - And I save my place in the log file - When I authenticate via OIDC V2 with code - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::RoleNotFound - """ - - @negative @acceptance - Scenario: User that is not permitted to webservice in claim mapping is denied - Given I extend the policy with: - """ - - !user - id: bob@conjur.net - """ - And I fetch a code for username "bob@conjur.net" and password "bob" from "keycloak2" - And I save my place in the log file - When I authenticate via OIDC V2 with code - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::RoleNotFound - """ - - @negative @acceptance - Scenario: Code without value of variable claim mapping is denied - When I add the secret value "non_existing_field" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/claim-mapping" - And I fetch a code for username "alice@conjur.net" and password "alice" from "keycloak2" - And I save my place in the log file - When I authenticate via OIDC V2 with code - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::AuthnOidc::IdTokenClaimNotFoundOrEmpty: CONJ00013E Claim 'non_existing_field' not found or empty in ID token. This claim is defined in the claim-mapping variable. - """ - - @negative @acceptance - Scenario: Adding a group to keycloak2/users group permits users to authenticate - Given I extend the policy with: - """ - - !user - id: bob - annotations: - authn-oidc/identity: bob.somebody - - !group more-users - - !grant - role: !group more-users - member: !user bob - - !grant - role: !group conjur/authn-oidc/keycloak2/users - member: !group more-users - """ - - @negative @acceptance - Scenario: Missing code is a bad request - Given I save my place in the log file - And I fetch a code for username "alice@conjur.net" and password "alice" from "keycloak2" - When I authenticate via OIDC V2 with no code in the request - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::RequestBody::MissingRequestParam - """ - - @negative @acceptance - Scenario: Empty code is a bad request - Given I save my place in the log file - And I fetch a code for username "alice@conjur.net" and password "alice" from "keycloak2" - When I authenticate via OIDC V2 with code "" - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::RequestBody::MissingRequestParam - """ - - @negative @acceptance - Scenario: Invalid code is a bad request - Given I save my place in the log file - And I fetch a code for username "alice@conjur.net" and password "alice" from "keycloak2" - When I authenticate via OIDC V2 with code "bad-code" - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::AuthnOidc::TokenRetrievalFailed - """ - - @negative @acceptance - Scenario: Bad OIDC provider credentials - Given I save my place in the log file - And I fetch a code for username "alice" and password "notalice" from "keycloak2" - When I authenticate via OIDC V2 with code - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::RequestBody::MissingRequestParam - """ - - @negative @acceptance - Scenario: Non-Existent authenticator is not found - Given I save my place in the log file - And I fetch a code for username "alice" and password "alice" from "keycloak2" - When I authenticate via OIDC V2 with code and service-id "non-exist" - Then it is not found - And The following appears in the log after my savepoint: - """ - Errors::Conjur::RequestedResourceNotFound: CONJ00123E Resource - """ - - @smoke - Scenario: provider-uri dynamic change - And I fetch a code for username "alice" and password "alice" from "keycloak2" - And I authenticate via OIDC V2 with code - And user "alice" has been authorized by Conjur - # Update provider uri to a different hostname and verify `provider-uri` has changed - When I add the secret value "https://different-provider:8443" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" - And I authenticate via OIDC V2 with code - Then it is unauthorized - # Check recovery to a valid provider uri - And I revert the value of the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" - And I fetch a code for username "alice" and password "alice" from "keycloak2" - And I authenticate via OIDC V2 with code - Then user "alice" has been authorized by Conjur - - @negative @acceptance - Scenario: Unauthenticated is raised in case of an invalid OIDC Provider hostname - Given I fetch a code for username "alice" and password "alice" from "keycloak2" - And I authenticate via OIDC V2 with code - And user "alice" has been authorized by Conjur - # Update provider uri to reachable but invalid hostname - When I add the secret value "http://127.0.0.1.com/" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" - And I save my place in the log file - And I authenticate via OIDC V2 with code - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::OAuth::ProviderDiscoveryFailed - """ diff --git a/cucumber/authenticators_oidc/features/authn_oidc_with_ldap.feature b/cucumber/authenticators_oidc/features/authn_oidc_with_ldap.feature deleted file mode 100644 index 37d5ad53ca..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc_with_ldap.feature +++ /dev/null @@ -1,82 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator - Users can authenticate with OIDC & LDAP authenticators - - In this feature we define an OIDC authenticator and LDAP authenticator - in policy and perform authentication with Conjur. This test verifies that the - two authenticators can live side by side without affecting each other. - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_internal_uri | PROVIDER_INTERNAL_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | - | oidc_scope | KEYCLOAK_SCOPE | openid | - | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | - | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_id_token_user_property | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - # Configure OIDC authenticator - And I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - !variable - id: provider-uri - - !variable - id: id-token-user-property - - !variable - id: ca-cert - - !group users - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - !user alice - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - - # Configure LDAP authenticator - And I extend the policy with: - """ - - !policy - id: conjur/authn-ldap/test - body: - - !webservice - - !group clients - - !permit - role: !group clients - privilege: [ read, authenticate ] - resource: !webservice - - !grant - role: !group conjur/authn-ldap/test/clients - member: !user alice - """ - - @acceptance - Scenario: Users can authenticate with 2 authenticators - # We want to verify the returned access token is valid for retrieving a secret - Given I have a "variable" resource called "test-variable" - And I permit user "alice" to "execute" it - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - # Authenticate with authn-oidc - And I fetch an ID Token for username "alice" and password "alice" - When I authenticate via OIDC with id token - Then user "alice" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - # Authenticate with authn-ldap - When I login via LDAP as authorized Conjur user "alice" - And I authenticate via LDAP as authorized Conjur user "alice" using key - Then user "alice" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user diff --git a/cucumber/authenticators_oidc/features/authn_status_oidc.feature b/cucumber/authenticators_oidc/features/authn_status_oidc.feature deleted file mode 100644 index 9f318900bb..0000000000 --- a/cucumber/authenticators_oidc/features/authn_status_oidc.feature +++ /dev/null @@ -1,291 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator - Status Check - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_claim_mapping | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - @smoke - Scenario: A properly configured OIDC authenticator returns a successful response - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - - !webservice - id: status - annotations: - description: Status service to verify the authenticator is configured correctly - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !variable - id: ca-cert - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !group - id: managers - annotations: - description: Group of users who can check the status of the authn-oidc/keycloak authenticator - - - !permit - role: !group managers - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/managers - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_claim_mapping | | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | | - And I login as "alice" - When I GET "/authn-oidc/keycloak/cucumber/status" - Then the HTTP response status code is 200 - And the HTTP response content type is "application/json" - And the authenticator status check succeeds - - @negative @acceptance - Scenario: A non-responsive OIDC provider returns a 500 response - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - - !webservice - id: status - annotations: - description: Status service to verify the authenticator is configured correctly - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !group - id: managers - annotations: - description: Group of users who can check the status of the authn-oidc/keycloak authenticator - - - !permit - role: !group managers - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/managers - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/keycloak/provider-uri | | https://not-responsive.com | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_claim_mapping | | - - And I login as "alice" - When I GET "/authn-oidc/keycloak/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "ProviderDiscoveryFailed: CONJ00011E" - - @negative @acceptance - Scenario: provider-uri variable is missing and a 500 error response is returned - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - - !webservice - id: status - annotations: - description: Status service to verify the authenticator is configured correctly - - - !variable - id: id-token-user-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !group - id: managers - annotations: - description: Group of users who can check the status of the authn-oidc/keycloak authenticator - - - !permit - role: !group managers - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/managers - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_claim_mapping | | - And I login as "alice" - When I GET "/authn-oidc/keycloak/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "RequiredResourceMissing: CONJ00036E" - - @negative @acceptance - Scenario: id-token-user-property variable is missing and a 500 error response is returned - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - - !webservice - id: status - annotations: - description: Status service to verify the authenticator is configured correctly - - - !variable - id: provider-uri - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !group - id: managers - annotations: - description: Group of users who can check the status of the authn-oidc/keycloak authenticator - - - !permit - role: !group managers - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/managers - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | | - And I login as "alice" - When I GET "/authn-oidc/keycloak/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "RequiredResourceMissing: CONJ00036E" - - @negative @acceptance - Scenario: service-id missing and a 500 error response is returned - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc - body: - - !webservice - - - !webservice - id: status - annotations: - description: Status service to verify the authenticator is configured correctly - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !group - id: managers - annotations: - description: Group of users who can check the status of the authn-oidc authenticator - - - !permit - role: !group managers - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-oidc/users - member: !user alice - - - !grant - role: !group conjur/authn-oidc/managers - member: !user alice - """ - And I login as "alice" - When I GET "/authn-oidc/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "Errors::Authentication::AuthnOidc::ServiceIdMissing" diff --git a/cucumber/authenticators_oidc/features/list_authenticators.feature b/cucumber/authenticators_oidc/features/list_authenticators.feature deleted file mode 100644 index 9e4b5c76d0..0000000000 --- a/cucumber/authenticators_oidc/features/list_authenticators.feature +++ /dev/null @@ -1,96 +0,0 @@ -@authenticators_oidc -Feature: A user can view the various authenticators they can use. - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_uri | OKTA_PROVIDER_URI | | - - @smoke - Scenario: List readable authenticators - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/oidceast - body: - - !webservice - - !webservice status - - !variable provider-uri - - !variable client-id - - !variable client-secret - - !variable name - - !variable claim-mapping - - !variable nonce - - !variable state - - !group - id: authenticatable - annotations: - description: Users who can authenticate using this authenticator - - !permit - role: !group authenticatable - privilege: [ read, authenticate ] - resource: !webservice - """ - - And I extend the policy with: - """ - - !policy - id: conjur/authn-oidc/okta - body: - - !webservice - - !webservice status - - !variable provider-uri - - !variable name - - !variable client-id - - !variable client-secret - - !variable claim-mapping - - !variable nonce - - !variable state - - !group - id: authenticatable - annotations: - description: Users who can authenticate using this authenticator - - !permit - role: !group authenticatable - privilege: [ read, authenticate ] - resource: !webservice - """ - - And I extend the policy with: - """ - - !group secrets-fetchers - - !group cant-authenticate - - !user - id: alice - annotations: - authn-oidc/oidceast: alice.somebody@cyberark.com - - !user - id: bob - annotations: - authn-oidc/okta: bob.somebody@cyberark.com - - !grant - role: !group cant-authenticate - member: !user bob - - !grant - role: !group secrets-fetchers - member: !user alice - - !grant - role: !group conjur/authn-oidc/oidceast/authenticatable - member: !group secrets-fetchers - """ - - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/oidceast/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/oidceast/client-id | | foo-bar | - | conjur/authn-oidc/oidceast/client-secret | | foo-bar | - | conjur/authn-oidc/oidceast/name | | oidceast | - | conjur/authn-oidc/oidceast/claim-mapping | | preferred_username | - | conjur/authn-oidc/okta/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/okta/client-id | | foo-bar | - | conjur/authn-oidc/okta/client-secret | | foo-bar | - | conjur/authn-oidc/okta/name | | okta | - | conjur/authn-oidc/okta/claim-mapping | | preferred_username | - - Then the list of authenticators contains the service-id "oidceast" - Then the list of authenticators contains the service-id "okta" From 41a01d69050e950f0568717cb930a9533c98d08f Mon Sep 17 00:00:00 2001 From: Glen Johnson Date: Fri, 15 Sep 2023 11:43:05 -0600 Subject: [PATCH 4/6] Restructure --- .../features/authn_oidc_proxy.feature | 32 +++++-------------- 1 file changed, 8 insertions(+), 24 deletions(-) diff --git a/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature b/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature index e246d6765c..c44da3db33 100644 --- a/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature +++ b/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature @@ -94,14 +94,9 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator | conjur/authn-oidc/keycloak2-long-lived/response-type | | code | | conjur/authn-oidc/keycloak2-long-lived/token-ttl | | PT2H | | conjur/authn-oidc/keycloak2-long-lived/ca-cert | oidc_ca_cert | | - # And I set environment variable "http_proxy" to "http://tinyproxy:8888" - # And I set environment variable "https_proxy" to "http://tinyproxy:8888" - # And I set environment variable "HTTPS_PROXY" to "http://tinyproxy:8888" - # And I set environment variable "HTTP_PROXY" to "http://tinyproxy:8888" @smoke Scenario: A valid code to get Conjur access token from webservice with http_proxy set - # We want to verify the returned access token is valid for retrieving a secret Given I have a "variable" resource called "test-variable" And I permit user "alice" to "execute" it And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" @@ -113,7 +108,6 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator @smoke Scenario: A valid code to get Conjur access token from webservice with HTTP_PROXY set - # We want to verify the returned access token is valid for retrieving a secret Given I have a "variable" resource called "test-variable" And I permit user "alice" to "execute" it And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" @@ -125,7 +119,6 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator @smoke Scenario: A valid code to get Conjur access token from webservice with https_proxy set - # We want to verify the returned access token is valid for retrieving a secret Given I have a "variable" resource called "test-variable" And I permit user "alice" to "execute" it And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" @@ -137,7 +130,6 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator @smoke Scenario: A valid code to get Conjur access token from webservice with HTTP_PROXY set - # We want to verify the returned access token is valid for retrieving a secret Given I have a "variable" resource called "test-variable" And I permit user "alice" to "execute" it And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" @@ -149,11 +141,9 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator @negative @acceptance Scenario: Unauthenticated is raised in case of an invalid HTTPS_PROXY setting - Given I fetch a code for username "alice" and password "alice" from "keycloak2" - When I set environment variable "HTTPS_PROXY" to "https://fakeproxy" - # And I add the secret value "https://keycloak:1234" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" + Given I set environment variable "HTTPS_PROXY" to "https://fakeproxy" And I save my place in the log file - And I authenticate via OIDC V2 with code + When I fetch a code for username "alice" and password "alice" from "keycloak2" Then it is a bad request And The following appears in the log after my savepoint: """ @@ -162,11 +152,9 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator @negative @acceptance Scenario: Unauthenticated is raised in case of an invalid https_proxy setting - Given I fetch a code for username "alice" and password "alice" from "keycloak2" - When I set environment variable "https_proxy" to "https://fakeproxy" - # And I add the secret value "https://keycloak:1234" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" + Given I set environment variable "https_proxy" to "https://fakeproxy" And I save my place in the log file - And I authenticate via OIDC V2 with code + When I fetch a code for username "alice" and password "alice" from "keycloak2" Then it is a bad request And The following appears in the log after my savepoint: """ @@ -175,11 +163,9 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator @negative @acceptance Scenario: Unauthenticated is raised in case of an invalid HTTP_PROXY setting - Given I fetch a code for username "alice" and password "alice" from "keycloak2" - When I set environment variable "HTTP_PROXY" to "http://fakeproxy" - # And I add the secret value "http://keycloak:1234" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" + Given I set environment variable "HTTP_PROXY" to "https://fakeproxy" And I save my place in the log file - And I authenticate via OIDC V2 with code + When I fetch a code for username "alice" and password "alice" from "keycloak2" Then it is a bad request And The following appears in the log after my savepoint: """ @@ -188,11 +174,9 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator @negative @acceptance Scenario: Unauthenticated is raised in case of an invalid http_proxy setting - Given I fetch a code for username "alice" and password "alice" from "keycloak2" - When I set environment variable "http_proxy" to "http://fakeproxy" - # And I add the secret value "http://keycloak:1234" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" + Given I set environment variable "http_proxy" to "https://fakeproxy" And I save my place in the log file - And I authenticate via OIDC V2 with code + When I fetch a code for username "alice" and password "alice" from "keycloak2" Then it is a bad request And The following appears in the log after my savepoint: """ From cdf16f675e2b55bb202c241919b733eaf8954efd Mon Sep 17 00:00:00 2001 From: Glen Johnson Date: Fri, 15 Sep 2023 13:14:35 -0600 Subject: [PATCH 5/6] Modify scenarios --- .../features/authn_oidc_proxy.feature | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature b/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature index c44da3db33..5976634799 100644 --- a/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature +++ b/cucumber/authenticators_oidc/features/authn_oidc_proxy.feature @@ -144,8 +144,8 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator Given I set environment variable "HTTPS_PROXY" to "https://fakeproxy" And I save my place in the log file When I fetch a code for username "alice" and password "alice" from "keycloak2" - Then it is a bad request - And The following appears in the log after my savepoint: + # Then it is a bad request + Then The following appears in the log after my savepoint: """ Errors::Authentication::OAuth::ProviderDiscoveryFailed """ @@ -155,30 +155,30 @@ Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator Given I set environment variable "https_proxy" to "https://fakeproxy" And I save my place in the log file When I fetch a code for username "alice" and password "alice" from "keycloak2" - Then it is a bad request - And The following appears in the log after my savepoint: + # Then it is a bad request + Then The following appears in the log after my savepoint: """ Errors::Authentication::OAuth::ProviderDiscoveryFailed """ - @negative @acceptance - Scenario: Unauthenticated is raised in case of an invalid HTTP_PROXY setting - Given I set environment variable "HTTP_PROXY" to "https://fakeproxy" - And I save my place in the log file - When I fetch a code for username "alice" and password "alice" from "keycloak2" - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::OAuth::ProviderDiscoveryFailed - """ + # @negative @acceptance + # Scenario: Unauthenticated is raised in case of an invalid HTTP_PROXY setting + # Given I set environment variable "HTTP_PROXY" to "https://fakeproxy" + # And I save my place in the log file + # When I fetch a code for username "alice" and password "alice" from "keycloak2" + # Then it is a bad request + # And The following appears in the log after my savepoint: + # """ + # Errors::Authentication::OAuth::ProviderDiscoveryFailed + # """ - @negative @acceptance - Scenario: Unauthenticated is raised in case of an invalid http_proxy setting - Given I set environment variable "http_proxy" to "https://fakeproxy" - And I save my place in the log file - When I fetch a code for username "alice" and password "alice" from "keycloak2" - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::OAuth::ProviderDiscoveryFailed - """ + # @negative @acceptance + # Scenario: Unauthenticated is raised in case of an invalid http_proxy setting + # Given I set environment variable "http_proxy" to "https://fakeproxy" + # And I save my place in the log file + # When I fetch a code for username "alice" and password "alice" from "keycloak2" + # Then it is a bad request + # And The following appears in the log after my savepoint: + # """ + # Errors::Authentication::OAuth::ProviderDiscoveryFailed + # """ From b9a40d0a09119436369169e7d0665157824d86b9 Mon Sep 17 00:00:00 2001 From: Glen Johnson Date: Wed, 20 Sep 2023 09:37:01 -0600 Subject: [PATCH 6/6] Prune JWT tests (temp) --- .../features/authn_jwt.feature | 86 -- .../features/authn_jwt_ca_cert.feature | 119 -- .../authn_jwt_check_standard_claims.feature | 501 ------- .../features/authn_jwt_configuration.feature | 470 ------- ...n_jwt_fetch_identity_decoded_token.feature | 288 ---- .../authn_jwt_fetch_identity_from_url.feature | 187 --- .../authn_jwt_fetch_signing_key.feature | 875 ------------ .../authn_jwt_input_validation.feature | 120 -- .../features/authn_jwt_security.feature | 109 -- .../features/authn_jwt_token_schema.feature | 1042 -------------- .../authn_jwt_validate_restrictions.feature | 370 ----- .../features/authn_status_jwt.feature | 1242 ----------------- 12 files changed, 5409 deletions(-) delete mode 100644 cucumber/authenticators_jwt/features/authn_jwt.feature delete mode 100644 cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature delete mode 100644 cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature delete mode 100644 cucumber/authenticators_jwt/features/authn_jwt_configuration.feature delete mode 100644 cucumber/authenticators_jwt/features/authn_jwt_fetch_identity_decoded_token.feature delete mode 100644 cucumber/authenticators_jwt/features/authn_jwt_fetch_identity_from_url.feature delete mode 100644 cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature delete mode 100644 cucumber/authenticators_jwt/features/authn_jwt_input_validation.feature delete mode 100644 cucumber/authenticators_jwt/features/authn_jwt_security.feature delete mode 100644 cucumber/authenticators_jwt/features/authn_jwt_token_schema.feature delete mode 100644 cucumber/authenticators_jwt/features/authn_jwt_validate_restrictions.feature delete mode 100644 cucumber/authenticators_jwt/features/authn_status_jwt.feature diff --git a/cucumber/authenticators_jwt/features/authn_jwt.feature b/cucumber/authenticators_jwt/features/authn_jwt.feature deleted file mode 100644 index e30eee4323..0000000000 --- a/cucumber/authenticators_jwt/features/authn_jwt.feature +++ /dev/null @@ -1,86 +0,0 @@ -@authenticators_jwt -Feature: JWT Authenticator - JWKs Basic sanity - - In this feature we define a JWT authenticator in policy and perform authentication - with Conjur. In successful scenarios we will also define a variable and permit the host to - execute it. - - Background: - Given I initialize JWKS endpoint with file "myJWKs.json" - And I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group hosts - - - !permit - role: !group hosts - privilege: [ read, authenticate ] - resource: !webservice - - - !host - id: myapp - annotations: - authn-jwt/raw/project_id: myproject - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am the super-user - And I initialize remote JWKS endpoint with file "authn-jwt-general" and alg "RS256" - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-general/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "host" - - @sanity - @negative @acceptance - Scenario: ONYX-8598: Authenticator is not enabled - Given I have a "variable" resource called "test-variable" - And I am using file "authn-jwt-general" and alg "RS256" for remotely issue token: - """ - { - "user":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with non-existing service ID - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00004E 'authn-jwt/non-existing' is not enabled - """ - And The following appears in the audit log after my savepoint: - """ - webservice:conjur/authn-jwt/non-existing: CONJ00004E 'authn-jwt/non-existing' is not enabled - """ - - @negative @acceptance - Scenario: ONYX-8821: Host that doesn't exist is denied - Given I am using file "authn-jwt-general" and alg "RS256" for remotely issue token: - """ - { - "host":"non_existing", - "project_id": "myproject" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00007E 'host/non_existing' not found - """ - And The following appears in the audit log after my savepoint: - """ - cucumber:host:non_existing failed to authenticate with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ diff --git a/cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature b/cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature deleted file mode 100644 index 5bead63997..0000000000 --- a/cucumber/authenticators_jwt/features/authn_jwt_ca_cert.feature +++ /dev/null @@ -1,119 +0,0 @@ -@authenticators_jwt -Feature: JWT Authenticator - ca-cert variable tests - - Validate the authenticator behavior when ca-cert variable is configured. - All tests are using status API for validation. - - Background: - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - !variable jwks-uri - - !webservice status - """ - - @negative @acceptance - Scenario: ONYX-15311: Self-signed jwks-uri no ca-cert variable - Given I initialize JWKS endpoint with file "ca-cert-ONYX-15311.json" - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable to value "https://jwks/ca-cert-ONYX-15311.json" - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error matching "CONJ00087E Failed to fetch JWKS from 'https:\/\/jwks\/ca-cert-ONYX-15311.json'. Reason: '#'" - - @sanity - @acceptance - Scenario: ONYX-15312: Self-signed jwks-uri with valid ca-cert variable value - Given I initialize JWKS endpoint with file "ca-cert-ONYX-15312.json" - And I am the super-user - And I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/ca-cert - """ - And I successfully set authn-jwt "jwks-uri" variable to value "https://jwks/ca-cert-ONYX-15312.json" - And I fetch root certificate from https://jwks endpoint as "self" - And I successfully set authn-jwt "ca-cert" variable value to the "self" certificate - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 200 - And the HTTP response content type is "application/json" - And the authenticator status check succeeds - - @acceptance - Scenario Outline: ONYX-15313/6: Self-signed jwks-uri with ca-cert contains bundle includes the valid certificate - Given I initialize JWKS endpoint with file "ca-cert-ONYX-15313.json" - And I initialize JWKS endpoint with file "ca-cert-ONYX-15316.json" - And I am the super-user - And I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/ca-cert - """ - And I successfully set authn-jwt "jwks-uri" variable to value "" - And I fetch root certificate from https://jwks endpoint as "self" - And I fetch root certificate from https://chained.mycompany.local endpoint as "chained" - And I bundle the next certificates as "bundle": - """ - chained - self - """ - And I successfully set authn-jwt "ca-cert" variable value to the "bundle" certificate - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 200 - And the HTTP response content type is "application/json" - And the authenticator status check succeeds - Examples: - | jwks-uri | - | https://jwks/ca-cert-ONYX-15313.json | - | https://chained.mycompany.local/ca-cert-ONYX-15316.json | - - @negative @acceptance - Scenario: ONYX-15314: Chained jwks-uri no ca-cert variable - Given I initialize JWKS endpoint with file "ca-cert-ONYX-15314.json" - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable to value "https://chained.mycompany.local/ca-cert-ONYX-15314.json" - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error matching "CONJ00087E Failed to fetch JWKS from 'https:\/\/chained.mycompany.local\/ca-cert-ONYX-15314.json'. Reason: '#'" - - @sanity - @acceptance - Scenario: ONYX-15315: Self-signed jwks-uri with valid ca-cert variable value - Given I initialize JWKS endpoint with file "ca-cert-ONYX-15315.json" - And I am the super-user - And I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/ca-cert - """ - And I successfully set authn-jwt "jwks-uri" variable to value "https://chained.mycompany.local/ca-cert-ONYX-15315.json" - And I fetch root certificate from https://chained.mycompany.local endpoint as "chained" - And I successfully set authn-jwt "ca-cert" variable value to the "chained" certificate - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 200 - And the HTTP response content type is "application/json" - And the authenticator status check succeeds - - @acceptance - Scenario: ONYX-15317: Google's jwks-uri no ca-cert variable - Given I am the super-user - And I successfully set authn-jwt "jwks-uri" variable to value "https://www.googleapis.com/oauth2/v3/certs" - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 200 - And the HTTP response content type is "application/json" - And the authenticator status check succeeds - - @sanity - @negative @acceptance - Scenario: ONYX-15318: Microsoft's jwks-uri with invalid ca-cert variable value - Given I am the super-user - And I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/ca-cert - """ - And I successfully set authn-jwt "jwks-uri" variable to value "https://login.microsoftonline.com/common/discovery/v2.0/keys" - And I fetch root certificate from https://chained.mycompany.local endpoint as "chained" - And I successfully set authn-jwt "ca-cert" variable value to the "chained" certificate - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error matching "CONJ00087E Failed to fetch JWKS from 'https:\/\/login.microsoftonline.com\/common\/discovery\/v2.0\/keys'. Reason: '#'" diff --git a/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature b/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature deleted file mode 100644 index 4d002926ee..0000000000 --- a/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature +++ /dev/null @@ -1,501 +0,0 @@ -# Note: This file takes approximately: -# 6m42s to run locally - -@authenticators_jwt -Feature: JWT Authenticator - Check registered claim - - Verify the authenticator works correctly with the registered claims: - - iat - - exp - - nbf - - iss - - aud - - Background: - Given I initialize remote JWKS endpoint with file "authn-jwt-check-standard-claims" and alg "RS256" - And I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: token-app-property - - - !group hosts - - - !permit - role: !group hosts - privilege: [ read, authenticate ] - resource: !webservice - - - !policy - id: conjur/authn-jwt/keycloak - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on Keycloak as OIDC provider. - - - !variable - id: provider-uri - - - !variable - id: token-app-property - - - !variable - id: issuer - - - !group hosts - - - !permit - role: !group hosts - privilege: [ read, authenticate ] - resource: !webservice - - - !host - id: alice - annotations: - authn-jwt/keycloak/email: alice@conjur.net - - - !grant - role: !group conjur/authn-jwt/keycloak/hosts - member: !host alice - - - !host - id: myapp - annotations: - authn-jwt/raw/project_id: myproject - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/keycloak/token-app-property | host | - | conjur/authn-jwt/raw/token-app-property | host | - - And I have a "variable" resource called "test-variable" - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I permit host "myapp" to "execute" it - And I permit host "alice" to "execute" it - - @acceptance - Scenario: ONYX-8727: Issuer configured with incorrect value, iss claim not exists in token, 200 ok - Given I extend the policy with: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !variable - id: jwks-uri - - - !variable - id: issuer - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks_py:8090/authn-jwt-check-standard-claims/RS256 | - | conjur/authn-jwt/raw/issuer | incorrect-value | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with raw service ID - Then host "myapp" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @negative @acceptance - Scenario: ONYX-8714: JWT token with past exp claim value, 401 Error - Given I extend the policy with: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !variable - id: jwks-uri - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks_py:8090/authn-jwt-check-standard-claims/RS256 | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject", - "exp": 0 - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with raw service ID - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00016E Token expired - """ - - @negative @acceptance - Scenario: ONYX-8711: Valid JWT token with no exp claim, 401 Error - Given I extend the policy with: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !variable - id: jwks-uri - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks_py:8090/authn-jwt-check-standard-claims/RS256 | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue non exp token: - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with raw service ID - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00091E Failed to validate token: mandatory claim 'exp' is missing. - """ - - @negative @acceptance - Scenario: ONYX-8715: JWT token with future iat claim, 401 Error - Given I extend the policy with: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !variable - id: jwks-uri - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks_py:8090/authn-jwt-check-standard-claims/RS256 | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject", - "iat": 7624377528 - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with raw service ID - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00035E Failed to decode token (3rdPartyError ='#')> - """ - - @negative @acceptance - Scenario: ONYX-8716: JWT token with future nbf claim, 401 Error - Given I extend the policy with: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !variable - id: jwks-uri - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks_py:8090/authn-jwt-check-standard-claims/RS256 | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject", - "nbf": 7624377528 - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with raw service ID - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00035E Failed to decode token (3rdPartyError ='#')> - """ - - @negative @acceptance - Scenario: ONYX-8718: issuer configured but not set, iss claim exists in token, 401 Error - Given I extend the policy with: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !variable - id: jwks-uri - - - !variable - id: issuer - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks_py:8090/authn-jwt-check-standard-claims/RS256 | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject", - "iss": "issuer" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/issuer - """ - - @acceptance - Scenario: ONYX-8719: issuer configured but not set, iss claim not exists in token, 200 ok - Given I extend the policy with: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !variable - id: jwks-uri - - - !variable - id: issuer - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks_py:8090/authn-jwt-check-standard-claims/RS256 | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/issuer - """ - - @acceptance - Scenario: ONYX-8728: jwks-uri configured with correct value, issuer configured with correct value, iss claim with correct value, 200 OK - Given I extend the policy with: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !variable - id: jwks-uri - - - !variable - id: issuer - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks_py:8090/authn-jwt-check-standard-claims/RS256 | - | conjur/authn-jwt/raw/issuer | http://jwks | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject", - "iss": "http://jwks" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with raw service ID - Then host "myapp" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @negative @acceptance - Scenario: ONYX-8728: jwks-uri configured with correct value, issuer configured with wrong value, iss claim with correct value, 401 Error - Given I extend the policy with: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !variable - id: jwks-uri - - - !variable - id: issuer - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks_py:8090/authn-jwt-check-standard-claims/RS256 | - | conjur/authn-jwt/raw/issuer | incorrect.com | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject", - "iss": "http://jwks" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00035E Failed to decode token (3rdPartyError ='#')> - """ - - @negative @acceptance - Scenario: ONYX-8728: jwks-uri configured with wrong value, issuer configured with wrong value, iss claim with correct value, 401 Error - Given I extend the policy with: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !variable - id: jwks-uri - - - !variable - id: issuer - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | incorrect.com | - | conjur/authn-jwt/raw/issuer | incorrect.com | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject", - "iss": "http://jwks_py:8090/authn-jwt-check-standard-claims/RS256" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00087E Failed to fetch JWKS from 'incorrect.com' - """ - - @negative @acceptance - Scenario: ONYX-8728: provider-uri configured with wrong value, issuer configured with wrong value, iss claim with correct value, 502 Error - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | token_app_property | ID_TOKEN_USER_PROPERTY | preferred_username | - | issuer | PROVIDER_ISSUER | http://keycloak:8080/auth/realms/master | - | oidc_provider_internal_uri | PROVIDER_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | - | oidc_scope | KEYCLOAK_SCOPE | openid | - | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | - | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | - - And I set the following conjur variables: - | variable_id | default_value | context_variable | - | conjur/authn-jwt/keycloak/provider-uri | incorrect.com | | - | conjur/authn-jwt/keycloak/token-app-property | | token_app_property | - | conjur/authn-jwt/keycloak/issuer | | issuer | - - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the audit log file - When I authenticate via authn-jwt with the ID token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00011E Failed to discover Identity Provider (Provider URI: 'incorrect.com'). Reason: '#' - """ - - @negative @acceptance - Scenario: ONYX-15323: public-keys with invalid issuer variable - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/public-keys - - !variable conjur/authn-jwt/raw/issuer - """ - And I retrieve the public keys from remote JWKS endpoint "authn-jwt-check-standard-claims" and alg "RS256" - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-jwt/raw/public-keys | public_keys | | - | conjur/authn-jwt/raw/issuer | | invalid-issuer | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject", - "iss": "valid-issuer" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00035E Failed to decode token (3rdPartyError ='#')> - """ - - @sanity - @acceptance - Scenario Outline: Audience tests - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/jwks-uri - - !variable conjur/authn-jwt/raw/audience - - - !host - id: aud-test-app - annotations: - authn-jwt/raw/project_id: valid-project-id - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host aud-test-app - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks_py:8090/authn-jwt-check-standard-claims/RS256 | - | conjur/authn-jwt/raw/audience | | - - And I am using file "authn-jwt-check-standard-claims" and alg "RS256" for remotely issue token: - """ - { - "project_id":"valid-project-id", - "host":"aud-test-app", - - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is - And The following appears in the log after my savepoint: - """ - - """ - Examples: - | Test | audience | aud | http_code | log | - | ONYX-11154 | valid-audience | "other":"claim" | 401 | CONJ00091E Failed to validate token: mandatory claim 'aud' is missing. | - | ONYX-11156 | valid-audience | "aud":"invalid" | 401 | CONJ00018D Failed to decode the token with the error '#' - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-jwt/keycloak/provider-uri | oidc_provider_external_uri | - - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via authn-jwt with the ID token - Then host "alice" has been authorized by Conjur - - @sanity - @acceptance - Scenario: ONYX-8710: jwks-uri dynamically changed, 401 ERROR resolves 200 OK - Given I initialize remote JWKS endpoint with file "authn-jwt-fetch-signing-key" and alg "RS256" - And I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group hosts - - - !permit - role: !group hosts - privilege: [ read, authenticate ] - resource: !webservice - - - !host - id: myapp - annotations: - authn-jwt/raw/project_id: myproject - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "token-app-property" variable to value "host" - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | incorrect.com | - | conjur/authn-jwt/raw/token-app-property | host | - - And I have a "variable" resource called "test-variable" - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I permit host "myapp" to "execute" it - And I am using file "authn-jwt-fetch-signing-key" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the audit log file - And I authenticate via authn-jwt with raw service ID - And the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00087E Failed to fetch JWKS from 'incorrect.com' - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks_py:8090/authn-jwt-fetch-signing-key/RS256 | - - And I save my place in the audit log file - When I authenticate via authn-jwt with raw service ID - Then host "myapp" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @negative @acceptance - Scenario: ONYX-8853: jku is unfollowed - security check - Given I initialize JWKS endpoint with file "myFirstJWKs.json" - And I initialize JWKS endpoint "mySecondJWKs.json" with the same kid as "myFirstJWKs.json" - And I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group hosts - - - !permit - role: !group hosts - privilege: [ read, authenticate ] - resource: !webservice - - - !host - id: myapp - annotations: - authn-jwt/raw/project_id: myproject - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks/myFirstJWKs.json | - | conjur/authn-jwt/raw/token-app-property | host | - - And I issue a JWT token signed with jku with jwks file_name "mySecondJWKs.json": - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00035E Failed to decode token (3rdPartyError ='#') - """ - - @negative @acceptance - Scenario: ONYX-8854: jwk is unfollowed - security check - Given I initialize JWKS endpoint with file "myFirstJWKs.json" - And I initialize JWKS endpoint "localRsaKey.json" with the same kid as "myFirstJWKs.json" - And I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group hosts - - - !permit - role: !group hosts - privilege: [ read, authenticate ] - resource: !webservice - - - !host - id: myapp - annotations: - authn-jwt/raw/project_id: myproject - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks/myFirstJWKs.json | - | conjur/authn-jwt/raw/token-app-property | host | - - And I issue a JWT token signed with jwk with jwks file_name "localRsaKey.json": - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00035E Failed to decode token (3rdPartyError ='#') - """ - - @negative @acceptance - Scenario: ONYX-8914: provider-uri with untrusted self sign certificate - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/keycloak - body: - - !webservice - - - !variable - id: provider-uri - """ - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/keycloak/provider-uri | https://jwks | - - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via authn-jwt with the ID token - Then the HTTP response status code is 401 - And The following matches the log after my savepoint: - """ - CONJ00011E Failed to discover Identity Provider \(Provider URI: 'https:\/\/jwks'\). Reason: '#' - """ - - @negative @acceptance - Scenario: ONYX-8913: jwks-uri with untrusted self sign certificate - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: jwks-uri - """ - And I initialize JWKS endpoint with file "JWKs.json" - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | https://jwks | - - And I issue a JWT token: - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with raw service ID - Then the HTTP response status code is 401 - And The following matches the log after my savepoint: - """ - CONJ00087E Failed to fetch JWKS from 'https:\/\/jwks'. Reason: '#' - """ - - @negative @acceptance - Scenario: ONYX-8856: x5c header claim is ignored - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: jwks-uri - """ - And I initialize JWKS endpoint with file "JWKS.json" - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks/JWKS.json | - - And I issue a JWT token signed with self-signed certificate with x5c: - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with raw service ID - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00035E Failed to decode token (3rdPartyError ='#') - """ - - @negative @acceptance - Scenario: ONYX-8855: x5u header claim is ignored - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: jwks-uri - """ - And I initialize JWKS endpoint with file "JWKS.json" - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | http://jwks/JWKS.json | - - And I issue a JWT token signed with self-signed certificate with x5u with file name "x5u.pem": - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with raw service ID - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00035E Failed to decode token (3rdPartyError ='#') - """ - - @sanity - @smoke - Scenario: ONYX-15322: public-keys happy path - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - !variable public-keys - - !variable issuer - - !variable token-app-property - - - !group hosts - - - !permit - role: !group hosts - privilege: [ read, authenticate ] - resource: !webservice - - - !host - id: myapp - annotations: - authn-jwt/raw/project_id: myproject - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I initialize remote JWKS endpoint with file "public-key-1" and alg "RS256" - And I retrieve the public keys from remote JWKS endpoint "public-key-1" and alg "RS256" - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-jwt/raw/public-keys | public_keys | | - | conjur/authn-jwt/raw/issuer | | valid-issuer | - | conjur/authn-jwt/raw/token-app-property | | host | - - And I am using file "public-key-1" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject", - "iss": "valid-issuer" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then host "myapp" has been authorized by Conjur - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @negative @acceptance - Scenario: ONYX-15325: public-keys value is in invalid format - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - !variable public-keys - - !variable issuer - - !webservice status - """ - And I am the super-user - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-jwt/raw/public-keys | | { } | - | conjur/authn-jwt/raw/issuer | | valid-issuer | - - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00120E Failed to parse 'public-keys': Type can't be blank, Value can't be blank, and Type '' is not a valid public-keys type. Valid types are: jwks" - - @negative @acceptance - Scenario: JWKS URI with bad value and no issuer - Status And Authentication return same error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group hosts - - - !permit - role: !group hosts - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !host - id: myapp - annotations: - authn-jwt/raw/project_id: myproject - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am the super-user - And I set the following conjur variables: - | variable_id | default_value | - | conjur/authn-jwt/raw/jwks-uri | unknown-host.com | - | conjur/authn-jwt/raw/token-app-property | host | - - And I am using file "authn-jwt-fetch-signing-key" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'unknown-host.com'" - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00087E Failed to fetch JWKS from 'unknown-host.com' - """ diff --git a/cucumber/authenticators_jwt/features/authn_jwt_input_validation.feature b/cucumber/authenticators_jwt/features/authn_jwt_input_validation.feature deleted file mode 100644 index 5a6540c564..0000000000 --- a/cucumber/authenticators_jwt/features/authn_jwt_input_validation.feature +++ /dev/null @@ -1,120 +0,0 @@ -@authenticators_jwt -Feature: JWT Authenticator - Input Validation - - Check scenarios with authentication request - - Background: - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: jwks-uri - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user - id: myuser - annotations: - authn-jwt/raw/project_id: myproject - - - !grant - role: !group conjur/authn-jwt/raw/users - member: !user myuser - """ - And I am the super-user - And I initialize remote JWKS endpoint with file "authn-jwt-input-validation" and alg "RS256" - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-input-validation/RS256" in service "raw" - - @sanity - @negative @acceptance - Scenario: ONYX-8594: Empty Token Given, 401 Error - Given I save my place in the log file - And I am using file "authn-jwt-input-validation" and alg "RS256" for remotely issue non exp token: - """ - {} - """ - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00085E Token is empty or not found. - """ - - @sanity - @negative @acceptance - Scenario: ONYX-8594: Invalid Token Given, 401 Error - Given I save my place in the log file - When I authenticate with string that is not token not-token-string-this-is-ivalid-token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00077E The request body does not contain JWT token - """ - - @sanity - @negative @acceptance - Scenario: ONYX-8594: No Token Given, 400 Error - Given I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 400 - And The following appears in the log after my savepoint: - """ - CONJ00009E Field 'jwt' is missing or empty in request body - """ - - @negative @acceptance - Scenario: ONYX-8579: URL not includes service-id, includes correct account - Given I save my place in the log file - And I am using file "authn-jwt-input-validation" and alg "RS256" for remotely issue non exp token: - """ - { - "project_id": "myproject" - } - """ - When I authenticate via authn-jwt without service id but with myuser account in url - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00004E 'authn-jwt/myuser' is not enabled - """ - - @negative @acceptance - Scenario: ONYX-8579: URL includes valid service id, wrong account name - Given I save my place in the log file - And I am using file "authn-jwt-input-validation" and alg "RS256" for remotely issue token: - """ - { - "project_id": "myproject" - } - """ - When I authenticate via authn-jwt with wrong-account account in url - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00007E 'wrong-account' not found - """ - - @negative @acceptance - Scenario: ONYX-8579: URL includes wrong service id, correct account name - Given I save my place in the log file - And I am using file "authn-jwt-input-validation" and alg "RS256" for remotely issue non exp token: - """ - { - "project_id": "myproject" - } - """ - When I authenticate via authn-jwt using given wrong-id service ID and with myuser account in url - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00004E 'authn-jwt/wrong-id' is not enabled> - """ diff --git a/cucumber/authenticators_jwt/features/authn_jwt_security.feature b/cucumber/authenticators_jwt/features/authn_jwt_security.feature deleted file mode 100644 index 5c7aa4a5c0..0000000000 --- a/cucumber/authenticators_jwt/features/authn_jwt_security.feature +++ /dev/null @@ -1,109 +0,0 @@ -@authenticators_jwt -Feature: JWT Authenticator - Security - - Tests checking that JWT authenticator stands against different attacks and security risks. - Checking different authenticators with different algorithms signing the jwt token. - - Background: - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group hosts - - - !permit - role: !group hosts - privilege: [ read, authenticate ] - resource: !webservice - - - !host - id: myapp - annotations: - authn-jwt/raw/project_id: myproject - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am the super-user - And I successfully set authn-jwt "token-app-property" variable to value "host" - And I have a "variable" resource called "test-variable" - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I permit host "myapp" to "execute" it - - @negative @acceptance - Scenario: ONYX-8851: None algorithm is unacceptable, 401 ERROR - Given I initialize JWKS endpoint with file "myJWKs.json" - And I successfully set authn-jwt jwks-uri variable with value of "myJWKs.json" endpoint - And I issue none alg JWT token: - """ - { - "namespace_id": "7432059", - "job_id": "1364141408" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00048I Authentication Error: # - """ - - @negative @acceptance - Scenario: ONYX-8852: Test algorithm substitution attack, 401 ERROR - Given I initialize JWKS endpoint with file "myJWKs.json" - And I successfully set authn-jwt jwks-uri variable with value of "myJWKs.json" endpoint - And I issue HMAC JWT token: - """ - { - "namespace_id": "7432059", - "job_id": "1364141408" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00035E Failed to decode token (3rdPartyError ='#')> - """ - - @acceptance - Scenario Outline: ONYX-8858: Algorithms sanity - Given I initialize remote JWKS endpoint with file "ONYX-8858-" and alg "" - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/ONYX-8858-/" in service "raw" - And I am using file "ONYX-8858-" and alg "" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is - And The following appears in the log after my savepoint: - """ - - """ - Examples: - | alg | code | log | - | RS256 | 200 | cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw | - | RS384 | 200 | cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw | - | RS512 | 200 | cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw | - | ES256 | 401 | CONJ00035E Failed to decode token (3rdPartyError ='#')> | - | ES384 | 401 | CONJ00035E Failed to decode token (3rdPartyError ='#')> | - | ES512 | 401 | CONJ00035E Failed to decode token (3rdPartyError ='#')> | - | HS256 | 401 | CONJ00035E Failed to decode token (3rdPartyError ='#')> | - | HS384 | 401 | CONJ00035E Failed to decode token (3rdPartyError ='#')> | - | HS512 | 401 | CONJ00035E Failed to decode token (3rdPartyError ='#')> | diff --git a/cucumber/authenticators_jwt/features/authn_jwt_token_schema.feature b/cucumber/authenticators_jwt/features/authn_jwt_token_schema.feature deleted file mode 100644 index cb422b2bd4..0000000000 --- a/cucumber/authenticators_jwt/features/authn_jwt_token_schema.feature +++ /dev/null @@ -1,1042 +0,0 @@ -@authenticators_jwt -Feature: JWT Authenticator - Token Schema - - Tests checking Enforced Claims and Claim Aliases - - Background: - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group hosts - - - !permit - role: !group hosts - privilege: [ read, authenticate ] - resource: !webservice - """ - And I am the super-user - And I initialize remote JWKS endpoint with file "authn-jwt-token-schema" and alg "RS256" - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-token-schema/RS256" in service "raw" - And I have a "variable" resource called "test-variable" - And I successfully set authn-jwt "token-app-property" variable to value "host" - - @sanity - @acceptance - Scenario: ONYX-10471 - Enforced Claims Without Claim Aliases. Single enforced claim - 200 OK - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp - annotations: - authn-jwt/raw/ref: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "enforced-claims" variable to value "ref" - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I permit host "myapp" to "execute" it - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "ref":"valid", - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then host "myapp" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @acceptance - Scenario: ONYX-10471 - Enforced Claims Without Claim Aliases. Two enforced claims - 200 OK - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp - annotations: - authn-jwt/raw/ref: valid-ref - authn-jwt/raw/sub: valid-sub - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "enforced-claims" variable to value "ref,sub" - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I permit host "myapp" to "execute" it - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "ref":"valid-ref", - "sub":"valid-sub", - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then host "myapp" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @negative @acceptance - Scenario: ONYX-10759 - Enforced Claims Without Claim Aliases. Single enforced claim and wrong annotation - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp - annotations: - authn-jwt/raw/sub: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "enforced-claims" variable to value "ref" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "ref":"valid", - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00057E Role does not have the required constraints: '["ref"]'> - """ - - @negative @acceptance - Scenario: ONYX-10760 - Enforced Claims Without Claim Aliases. Single enforced claim but not in token - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp - annotations: - authn-jwt/raw/ref: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "enforced-claims" variable to value "ref" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00084E Claim 'ref' is missing from JWT token. - """ - - @negative @acceptance - Scenario Outline: ONYX-10470 - Standard claim in mandatory claims - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp - annotations: - authn-jwt/raw/ref: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "enforced-claims" variable to value "" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00105E Failed to validate claim: claim name '' is in denylist '["iss", "exp", "nbf", "iat", "jti", "aud"]' - """ - Examples: - | claims | err | - | iss | iss | - | exp, iss | exp | - | exp, branch | exp | - - @negative @acceptance - Scenario Outline: ONYX-10857 - Standard claim in annotation - 401 Error - Given I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw/: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00069E Role can't have registered or aliased claim - """ - Examples: - | claim | - | iat | - - @negative @acceptance - Scenario: ONYX-10860 - Enforced claims configured but not populated - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/sub: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "branch:ref" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "ref":"valid", - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/enforced-claims - """ - - @sanity - @acceptance - Scenario: ONYX-10891 - Complex Case - Adding Enforced Claim after host configuration - Given I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw/sub: valid-sub - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I permit host "myapp" to "execute" it - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "sub":"valid-sub", - "ref":"valid-ref", - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then host "myapp" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - When I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - """ - And I successfully set authn-jwt "enforced-claims" variable to value "ref" - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00057E Role does not have the required constraints: '["ref"]'> - """ - When I replace the "root" policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp - annotations: - authn-jwt/raw/ref: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @sanity - @acceptance - Scenario: ONYX-10472 Unrelated alias - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/project_id: valid-project - authn-jwt/raw/namespace_id: valid-namespace - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "branch:ref" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "valid-project", - "namespace_id": "valid-namespace" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 200 - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @sanity - @acceptance - Scenario: ONYX-10473 Claim aliases with subsequent annotation - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/project_id: valid-project - authn-jwt/raw/branch: valid-branch - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "branch:ref" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "valid-project", - "ref": "valid-branch" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 200 - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @acceptance - Scenario: ONYX-10889 Complex Case - Adding Alias after host configuration - Given I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw/ref: valid-branch - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "ref": "valid-branch" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with the JWT token - Then host "myapp" has been authorized by Conjur - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - When I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - """ - And I successfully set authn-jwt "claim-aliases" variable to value "branch:ref" - And I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00069E Role can't have registered or aliased claim - """ - - @sanity - @acceptance - Scenario: ONYX-10705: Enforced Claims and Claim Aliases exist and host annotation are correct - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp - annotations: - authn-jwt/raw/branch: valid-branch - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "branch:ref" - And I successfully set authn-jwt "enforced-claims" variable to value "ref" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "ref": "valid-branch" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 200 - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @negative @acceptance - Scenario: ONYX-10816 - Enforced Claims with Claim Aliases. Single enforced claim but not in token - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/branch: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "enforced-claims" variable to value "ref" - And I successfully set authn-jwt "claim-aliases" variable to value "branch:ref" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00084E Claim 'ref (annotation: branch)' is missing from JWT token. Verify that you configured the host with permitted restrictions - """ - - @negative @acceptance - Scenario: ONYX-10874 - Claim being mapped to another claim - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/sub: mysub - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "sub:ref" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "sub":"mysub", - "ref":"mybranch" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00049E Resource restriction 'sub' does not match with the corresponding value in the request - """ - - @negative @acceptance - Scenario: ONYX-10861 - Claim aliases configured but not populated - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp - annotations: - authn-jwt/raw/sub: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "ref":"valid", - "host":"myapp" - } - """ - And I successfully set authn-jwt "enforced-claims" variable to value "ref" - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/claim-aliases - """ - - @sanity - @acceptance - Scenario: ONYX-11117: Enforced Claims and Aliases with special allowed characters. Annotations are correct. 200 OK - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp - annotations: - authn-jwt/raw/claim.name: claim.name.value # Only Enforce - authn-jwt/raw/claim_ant: claim.ant...value # Map And Enforce - authn-jwt/raw/_: claim_name_value # Only Map - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "claim_ant:claim.ant..., _:claim_name" - And I successfully set authn-jwt "enforced-claims" variable to value "claim.name, claim.ant..." - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "claim.name": "claim.name.value", - "claim.ant...": "claim.ant...value", - "claim_name": "claim_name_value" - } - """ - And I save my place in the audit log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 200 - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @negative @acceptance - Scenario Outline: ONYX-10873 - Broken claim aliases - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/sub: mysub - authn-jwt/raw/ref: myref - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "sub":"mysub", - "ref":"mybranch" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - - """ - Examples: - | aliases | err | - | branch: ref, branch:sub | CONJ00113E Failed to parse claim aliases: annotation name value 'branch' appears more than once | - | branch: sub, job: sub | CONJ00113E Failed to parse claim aliases: claim name value 'sub' appears more than once | - - @negative @acceptance - Scenario Outline: ONYX-10858 - Standard claim alias - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/sub: mysub - authn-jwt/raw/ref: myref - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - - And I successfully set authn-jwt "claim-aliases" variable to value "" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - - """ - { - "host":"myapp", - "sub":"mysub", - "ref":"mybranch" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00105E Failed to validate claim: claim name 'exp' is in denylist '["iss", "exp", "nbf", "iat", "jti", "aud"] - """ - Examples: - | alias | - | branch: exp | - | exp: sub | - - @negative @acceptance - Scenario: ONYX-10862 - Enforced claim invalid variable - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp - annotations: - authn-jwt/raw/ref: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "enforced-claims" variable to value "%@^#[{]}$~=-+_?.><&^@*@#*sdhj812ehd" - And I permit host "myapp" to "execute" it - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "ref":"valid", - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00104E Failed to validate claim: claim name '%@^#[{]}$~=-+_?.><&^@*@#*sdhj812ehd' does not match regular expression: '(?-mix:^[a-zA-Z|$|_][a-zA-Z|$|_|\-|0-9|.]*(\/[a-zA-Z|$|_][a-zA-Z|$|_|\-|0-9|.]*)*$)'.> - """ - - @negative @acceptance - Scenario: ONYX-10863 - Claim aliases invalid variable - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/ref: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "aaa: %@^#&^[{]}$~=-+_?.><812ehd" - And I permit host "myapp" to "execute" it - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "ref":"valid", - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00104E Failed to validate claim: claim name '%@^#&^[{]}$~=-+_?.><812ehd' does not match regular expression: '(?-mix:^[a-zA-Z|$|_][a-zA-Z|$|_|\-|0-9|.]*(\/[a-zA-Z|$|_][a-zA-Z|$|_|\-|0-9|.]*)*$)'. - """ - - @acceptance - Scenario: ONYX-10941: Complex Case - Add mapping of mandatory claims after host configuration - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp - annotations: - authn-jwt/raw/ref: valid-ref - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "enforced-claims" variable to value "ref" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "ref": "valid-ref" - } - """ - And I authenticate via authn-jwt with the JWT token - And the HTTP response status code is 200 - And I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - """ - And I successfully set authn-jwt "claim-aliases" variable to value "branch:ref" - And I save my place in the audit log file - And I authenticate via authn-jwt with the JWT token - And the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00057E Role does not have the required constraints: '["branch"]' - """ - And I update the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw/branch: valid-ref - """ - And I save my place in the audit log file - And I authenticate via authn-jwt with the JWT token - And the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00069E Role can't have one of these none permitted restrictions '["ref"]' - """ - When I update the policy with: - """ - - !delete - record: !host myapp - """ - And I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw/branch: valid-ref - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I save my place in the audit log file - And I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 200 - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @acceptance - Scenario: ONYX-10896: Authn JWT - Complex Case - Changing Aliases after host configuration - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/branch: valid-ref - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "branch:ref" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "ref": "valid-ref" - } - """ - And I authenticate via authn-jwt with the JWT token - And the HTTP response status code is 200 - When I successfully set authn-jwt "claim-aliases" variable to value "job:ref" - And I save my place in the audit log file - And I authenticate via authn-jwt with the JWT token - And the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00084E Claim 'branch' is missing from JWT token. Verify that you configured the host with permitted restrictions. - """ - When I update the policy with: - """ - - !delete - record: !host myapp - """ - And I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw/job: valid-ref - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I save my place in the audit log file - And I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 200 - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @sanity - @acceptance - Scenario: ONYX-29842 - Claims With In-Line Namespaces. Single enforced claim - 200 OK - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - - !host - id: myapp-01 - annotations: - authn-jwt/raw/conjur.org/enforced-property: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp-01 - """ - And I successfully set authn-jwt "enforced-claims" variable to value "conjur.org/enforced-property" - And I successfully set authn-jwt "token-app-property" variable to value "conjur.org/host-property" - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I permit host "myapp-01" to "execute" it - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "conjur.org/enforced-property":"valid", - "conjur.org/host-property":"myapp-01" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then host "myapp-01" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp-01 successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @sanity - @acceptance - Scenario: ONYX-13716 Claim Alias nested annotation - 200 OK - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/claim: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "claim:google/claim" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "google":{ - "claim":"valid" - }, - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 200 - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @sanity - @negative @acceptance - Scenario: ONYX-13716 Claim Alias nested annotation - 401 Error Wrong Claim value - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/claim: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "claim:google/claim" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "google":{ - "claim":"not_valid" - }, - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00049E Resource restriction 'claim' does not match with the corresponding value in the request - """ - - @sanity - @acceptance - Scenario: ONYX-13717 Claim Alias and Enforced Claim nested annotation - 200 OK - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/enforced-claims - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/claim: valid_claim - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "enforced-claims" variable to value "google/claim" - And I successfully set authn-jwt "claim-aliases" variable to value "claim:google/claim" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "google":{ - "claim":"valid_claim" - }, - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 200 - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @sanity - @negative @acceptance - Scenario: ONYX-13718 Claim Alias with invalid characters - 401 Error - Given I extend the policy with: - """ - - !variable conjur/authn-jwt/raw/claim-aliases - - - !host - id: myapp - annotations: - authn-jwt/raw/claim: valid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "claim-aliases" variable to value "claim/claim:valid" - And I am using file "authn-jwt-token-schema" and alg "RS256" for remotely issue token: - """ - { - "google":{ - "claim":"valid" - }, - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00114E Failed to parse claim aliases: the claim alias name 'claim/claim' contains '/' - """ diff --git a/cucumber/authenticators_jwt/features/authn_jwt_validate_restrictions.feature b/cucumber/authenticators_jwt/features/authn_jwt_validate_restrictions.feature deleted file mode 100644 index 73b56b491d..0000000000 --- a/cucumber/authenticators_jwt/features/authn_jwt_validate_restrictions.feature +++ /dev/null @@ -1,370 +0,0 @@ -@authenticators_jwt -Feature: JWT Authenticator - Validate restrictions - - Tests to check that host annotations are validated correctly in jwt authenticator. Focusing on checking that only the vendor related annotations are being checked. - - Background: - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group hosts - - - !permit - role: !group hosts - privilege: [ read, authenticate ] - resource: !webservice - """ - And I am the super-user - And I initialize remote JWKS endpoint with file "authn-jwt-validate-restrictions" and alg "RS256" - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-validate-restrictions/RS256" in service "raw" - - @acceptance - Scenario: ONYX-9069: Generals annotations with valid values, one annotation with valid service and valid value, one annotation with invalid service and valid value, 200 OK - Given I have a "variable" resource called "test-variable" - And I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/project_id: myproject - authn-jwt/aud: myaud - authn-jwt/raw/project_id: myproject - authn-jwt/raw/additional_data/group_name: mygroup - authn-jwt/invalid-service/aud: myaud - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "token-app-property" variable to value "host" - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I permit host "myapp" to "execute" it - And I am using file "authn-jwt-validate-restrictions" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject", - "additional_data": - { - "group_name": "mygroup", - "group_id": "group21", - "team_name": "myteam", - "team_id": "team76" - }, - "aud": "myaud" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then host "myapp" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the log after my savepoint: - """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw - """ - - @negative @acceptance - Scenario: ONYX-9112: General annotation and without service specific annotations, 401 Error - And I successfully set authn-jwt "token-app-property" variable to value "host" - Given I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/project_id: myproject - authn-jwt/aud: myaud - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am using file "authn-jwt-validate-restrictions" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject", - "aud": "myaud" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00099E Role must have at least one relevant annotation - """ - - @negative @acceptance - Scenario: ONYX-9070: General annotations with valid values, annotation with correct service and valid value and annotation with correct service and wrong value, 401 Error - And I successfully set authn-jwt "token-app-property" variable to value "host" - Given I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/project_id: right-project-id - authn-jwt/ref: right-ref - authn-jwt/raw/project_id: right-project-id - authn-jwt/raw/ref: wrong-ref - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am using file "authn-jwt-validate-restrictions" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "right-project-id", - "ref": "right-ref" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00049E Resource restriction 'ref' does not match with the corresponding value in the request - """ - - @negative @acceptance - Scenario: ONYX-9068: Host without annotations, 401 Error - And I successfully set authn-jwt "token-app-property" variable to value "host" - Given I extend the policy with: - """ - - !host - id: myapp - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am using file "authn-jwt-validate-restrictions" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "valid-project-id", - "ref": "valid-ref" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00099E Role must have at least one relevant annotation - """ - - @negative @acceptance - Scenario: ONYX-8737: Validate multiple annotations with incorrect values but one, 401 Error - And I successfully set authn-jwt "token-app-property" variable to value "host" - Given I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw/sub: invalid-sub - authn-jwt/raw/project_path: invalid-project-path - authn-jwt/raw/project_id: valid-project-id - authn-jwt/raw/ref: invalid-ref - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am using file "authn-jwt-validate-restrictions" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "sub": "valid-sub", - "project_path":"valid-project-path", - "project_id": "valid-project-id", - "ref": "valid-ref" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00049E Resource restriction - """ - - @negative @acceptance - Scenario: ONYX-8736: Validate multiple annotations with incorrect, 401 Error - And I successfully set authn-jwt "token-app-property" variable to value "host" - Given I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw/sub: invalid-sub - authn-jwt/raw/project_path: invalid-project-path - authn-jwt/raw/ref: invalid-ref - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am using file "authn-jwt-validate-restrictions" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "sub": "valid-sub", - "project_path":"valid-project-path", - "ref": "valid-ref" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00049E Resource restriction - """ - - @negative @acceptance - Scenario: ONYX-9113: Non existing field annotation, 401 Error - And I successfully set authn-jwt "token-app-property" variable to value "host" - Given I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw/non_existing_field: invalid - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am using file "authn-jwt-validate-restrictions" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00084E Claim 'non_existing_field' is missing from JWT token. - """ - - @sanity - @negative @acceptance - Scenario: ONYX-8734: Annotation with empty value - Given I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw/custom_claim: - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "token-app-property" variable to value "host" - And I am using file "authn-jwt-validate-restrictions" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "myproject" - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00100E Annotation, 'custom_claim', is empty - """ - - @sanity - @acceptance - Scenario: ONYX-8735: Ignore invalid annotations - Given I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw: invalid - authn-jwt/raw/sub: valid-sub - authn-jwt: invalid - authn-jwt/raw/namespace_id: valid-namespace-id - authn-jwt/raw/project_path: valid-project-path - authn-jwt/raw2/sub: invalid-sub - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I successfully set authn-jwt "token-app-property" variable to value "host" - And I am using file "authn-jwt-validate-restrictions" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "project_id": "valid-project-id", - "sub": "valid-sub", - "namespace_id": "valid-namespace-id", - "project_path": "valid-project-path" - } - """ - And I have a "variable" resource called "test-variable" - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I permit host "myapp" to "execute" it - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then host "myapp" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And the HTTP response status code is 200 - And The following lines appear in the log after my savepoint: - | | - |CONJ00048D Validating resource restriction on request: 'sub' | - |CONJ00048D Validating resource restriction on request: 'namespace_id'| - |CONJ00048D Validating resource restriction on request: 'project_path'| - |CONJ00045D Resource restrictions matched request | - |CONJ00030D Resource restrictions validated | - |CONJ00103D 'validate_restrictions' passed successfully | - - @negative @acceptance - Scenario: ONYX-13722: Annotation with invalid claim path format, 401 Error - And I successfully set authn-jwt "token-app-property" variable to value "host" - Given I extend the policy with: - """ - - !host - id: myapp - annotations: - authn-jwt/raw/sub: valid-sub - authn-jwt/raw/actions[0]: GET - - - !grant - role: !group conjur/authn-jwt/raw/hosts - member: !host myapp - """ - And I am using file "authn-jwt-validate-restrictions" and alg "RS256" for remotely issue token: - """ - { - "host":"myapp", - "sub": "valid-sub", - "actions": ["GET", "POST"] - } - """ - And I save my place in the log file - When I authenticate via authn-jwt with the JWT token - Then the HTTP response status code is 401 - And The following appears in the log after my savepoint: - """ - CONJ00119E Restriction 'actions[0]' is invalid and not representing claim path in the token - """ diff --git a/cucumber/authenticators_jwt/features/authn_status_jwt.feature b/cucumber/authenticators_jwt/features/authn_status_jwt.feature deleted file mode 100644 index 3953407b3f..0000000000 --- a/cucumber/authenticators_jwt/features/authn_status_jwt.feature +++ /dev/null @@ -1,1242 +0,0 @@ -@authenticators_jwt -Feature: JWT Authenticator - Status Check - - Checks status API of JWT authenticator. Status API should return error on each case of misconfiguration in - authenticator or policy that can be found before authentication request. - - Background: - Given I initialize remote JWKS endpoint with file "authn-jwt-configuration" and alg "RS256" - - @sanity - @smoke - Scenario: ONYX-9122: A valid JWT status request, 200 OK - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !variable - id: issuer - - - !variable - id: audience - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "kubernetes.io/user" - And I successfully set authn-jwt "issuer" variable to value "gitlab" - And I successfully set authn-jwt "audience" variable to value "conjur" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 200 - And the HTTP response content type is "application/json" - And the authenticator status check succeeds - - @negative @acceptance - Scenario: ONYX-9138: Signing key is not configured, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: token-app-property - - - !variable - id: issuer - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I successfully set authn-jwt "issuer" variable to value "someIssuer" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00122E Invalid signing key settings: One of the following must be defined: jwks-uri, public-keys, or provider-uri" - - @negative @acceptance - Scenario: Signing key is configured with jwks-uri and provider-uri, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: provider-uri - - - !variable - id: token-app-property - - - !variable - id: issuer - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt jwks-uri variable with value of "myJWKs.json" endpoint - And I successfully set authn-jwt "provider-uri" variable to value "someProvider" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I successfully set authn-jwt "issuer" variable to value "someIssuer" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00122E Invalid signing key settings: jwks-uri and provider-uri cannot be defined simultaneously" - - @negative @acceptance - Scenario: ONYX-9142: User doesn't have permissions on webservice, 403 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt jwks-uri variable with value of "myJWKs.json" endpoint - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 403 - And the authenticator status check fails with error "CONJ00006E 'alice' does not have 'read' privilege on cucumber:webservice:conjur/authn-jwt/raw/status" - - @acceptance @acceptance - Scenario: ONYX-9139: Non existing issuer, and existing Signing key, 200 OK - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 200 - And the HTTP response content type is "application/json" - And the authenticator status check succeeds - - @negative @acceptance - Scenario: ONYX-9140: Non existing issuer and Signing key, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: token-app-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00122E Invalid signing key settings: One of the following must be defined: jwks-uri, public-keys, or provider-uri" - - @negative @acceptance - Scenario: ONYX-9141: Identity is configured but empty, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/token-app-property" - - @negative @acceptance - Scenario: ONYX-9143: Status webservice does not exist, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00005E Webservice 'authn-jwt/raw/status' not found" - - @negative @acceptance - Scenario: ONYX-9569: JWKS-uri is configured but empty, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/jwks-uri" - - @negative @acceptance - Scenario: ONYX-9570: Provider-uri is configured but empty, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: provider-uri - - - !variable - id: token-app-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/provider-uri" - - @negative @acceptance - Scenario: ONYX-9571: Provider-uri is configured with bad value, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: provider-uri - - - !variable - id: token-app-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "provider-uri" variable to value "unknow-host.com" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00011E Failed to discover Identity Provider" - - @negative @acceptance - Scenario: ONYX-9572: JWKS-uri is configured with bad value, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable to value "unknow-host.com" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00087E Failed to fetch JWKS from 'unknow-host.com'" - - @sanity - @negative @acceptance - Scenario: ONYX-9516: Identify-path is configured but empty, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !variable - id: identity-path - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/identity-path>" - - @sanity - @smoke - Scenario: ONYX-9515: Valid status check, identify-path is configured with value, 200 OK - Given I load a policy: - """ - - !policy - id: apps - body: - - !host myuser - - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !variable - id: identity-path - - - !variable - id: issuer - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I successfully set authn-jwt "identity-path" variable to value "apps" - And I successfully set authn-jwt "issuer" variable to value "gitlab" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 200 - And the HTTP response content type is "application/json" - And the authenticator status check succeeds - - @acceptance - Scenario: ONYX-10875: Status works fine with Enforced Claims and Aliases, 200 OK - Given I load a policy: - """ - - !policy - id: apps - body: - - !host myuser - - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !variable - id: enforced-claims - - - !variable - id: claim-aliases - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I successfully set authn-jwt "claim-aliases" variable to value "branch:ref" - And I successfully set authn-jwt "enforced-claims" variable to value "ref" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 200 - And the HTTP response content type is "application/json" - And the authenticator status check succeeds - - @negative @acceptance - Scenario: ONYX-11162: Audience is configured but empty, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !variable - id: audience - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/audience>" - - @negative @acceptance - Scenario: ONYX-10875: claim-aliases configured but secret not populated, 500 Error - Given I load a policy: - """ - - !policy - id: apps - body: - - !host myuser - - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !variable - id: claim-aliases - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/claim-aliases>" - - @negative @acceptance - Scenario: ONYX-10876: enforced-claims configured but secret not populated, 500 Error - Given I load a policy: - """ - - !policy - id: apps - body: - - !host myuser - - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !variable - id: enforced-claims - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/enforced-claims>" - - @negative @acceptance - Scenario: ONYX-10960: enforced-claims configured with invalid value, 500 Error - Given I load a policy: - """ - - !policy - id: apps - body: - - !host myuser - - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !variable - id: enforced-claims - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I successfully set authn-jwt "enforced-claims" variable to value "$@$@#sda//sdasdq23asd32rdf" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "does not match regular expression: '(?-mix:^[a-zA-Z|$|_][a-zA-Z|$|_|\-|0-9|.]*(\/[a-zA-Z|$|_][a-zA-Z|$|_|\-|0-9|.]*)*$)" - - @negative @acceptance - Scenario Outline: ONYX-10958: claim-aliases configured with invalid value, 500 Error - Given I load a policy: - """ - - !policy - id: apps - body: - - !host myuser - - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !variable - id: claim-aliases - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "user" - And I successfully set authn-jwt "claim-aliases" variable to value "" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "" - Examples: - | claim-aliases-value | log | - | SDsas213sda!!A!!$$@#$#:$@$@#sdasdasdq23asd32rdf | does not match regular expression: | - | a/b:bbb | Failed to parse claim aliases: the claim alias name 'a/b' contains '/'. | - - @negative @acceptance - Scenario: ONYX-13997: Identity is configured not according format, 500 Error - Given I load a policy: - """ - - !policy - id: conjur/authn-jwt/raw - body: - - !webservice - annotations: - description: Authentication service for JWT tokens, based on raw JWKs. - - - !variable - id: jwks-uri - - - !variable - id: token-app-property - - - !variable - id: issuer - - - !variable - id: audience - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !webservice - id: status - annotations: - description: Status service to check that the authenticator is configured correctly - - - !group - id: operators - annotations: - description: Group of users who can check the status of the authenticator - - - !permit - role: !group operators - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-jwt/raw/operators - member: - - !user alice - """ - And I am the super-user - And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-configuration/RS256" in service "raw" - And I successfully set authn-jwt "token-app-property" variable to value "a//b" - And I successfully set authn-jwt "issuer" variable to value "gitlab" - And I successfully set authn-jwt "audience" variable to value "conjur" - And I login as "alice" - And I save my place in the log file - When I GET "/authn-jwt/raw/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "Failed to parse 'token-app-property' value. Error:"