diff --git a/cucumber/authenticators_oidc/features/authn_oidc.feature b/cucumber/authenticators_oidc/features/authn_oidc.feature deleted file mode 100644 index a2c5eb8ac6..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc.feature +++ /dev/null 
@@ -1,289 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator - Hosts can authenticate with OIDC authenticator - - In this feature we define an OIDC authenticator in policy and perform authentication - with Conjur. In successful scenarios we will also define a variable and permit the host to - execute it, to verify not only that the host can authenticate with the OIDC - Authenticator, but that it can retrieve a secret using the Conjur access token. - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_internal_uri | PROVIDER_INTERNAL_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | - | oidc_scope | KEYCLOAK_SCOPE | openid | - | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | - | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_id_token_user_property | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - And I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. 
- - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !variable - id: ca-cert - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - - @smoke - Scenario: A valid id token in header to get Conjur access token - # We want to verify the returned access token is valid for retrieving a secret - Given I have a "variable" resource called "test-variable" - And I permit user "alice" to "execute" it - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the audit log file - When I authenticate via OIDC with id token in header - Then user "alice" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the audit log after my savepoint: - """ - cucumber:user:alice successfully authenticated with authenticator authn-oidc service cucumber:webservice:conjur/authn-oidc/keycloak - """ - - @smoke - Scenario: A valid id token in body to get Conjur access token - # We want to verify the returned access token is valid for retrieving a secret - Given I have a "variable" resource called "test-variable" - And I permit user "alice" to "execute" it - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the audit log file - When I authenticate via OIDC with id 
token - Then user "alice" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the audit log after my savepoint: - """ - cucumber:user:alice successfully authenticated with authenticator authn-oidc service cucumber:webservice:conjur/authn-oidc/keycloak - """ - - @smoke - Scenario: A valid id token with email as id-token-user-property - Given I extend the policy with: - """ - - !user alice@conjur.net - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice@conjur.net - """ - When I add the secret value "email" to the resource "cucumber:variable:conjur/authn-oidc/keycloak/id-token-user-property" - And I fetch an ID Token for username "alice" and password "alice" - And I authenticate via OIDC with id token - Then user "alice@conjur.net" has been authorized by Conjur - - @smoke - Scenario: Adding a group to keycloak/users group permits users to authenticate - Given I extend the policy with: - """ - - !user bob.somebody - - - !group more-users - - - !grant - role: !group more-users - member: !user bob.somebody - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !group more-users - """ - And I fetch an ID Token for username "bob.somebody" and password "bob" - When I authenticate via OIDC with id token - Then user "bob.somebody" has been authorized by Conjur - - @negative @acceptance - Scenario: Non-existing username in ID token is denied - Given I fetch an ID Token for username "not_in_conjur" and password "not_in_conjur" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::RoleNotFound - """ - And The following appears in the audit log after my savepoint: - """ - cucumber:user:not_in_conjur failed to authenticate with authenticator authn-oidc service 
cucumber:webservice:conjur/authn-oidc/keycloak - """ - - @negative @acceptance - Scenario: User that is not permitted to webservice in ID token is denied - Given I extend the policy with: - """ - - !user bob.somebody - """ - And I fetch an ID Token for username "bob.somebody" and password "bob" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is forbidden - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::RoleNotAuthorizedOnResource - """ - - @negative @acceptance - Scenario: ID token without value of variable id-token-user-property is denied - When I add the secret value "non_existing_field" to the resource "cucumber:variable:conjur/authn-oidc/keycloak/id-token-user-property" - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::AuthnOidc::IdTokenClaimNotFoundOrEmpty: CONJ00013E Claim 'non_existing_field' not found or empty in ID token. This claim is defined in the id-token-user-property variable. 
- """ - - @negative @acceptance - Scenario: Missing id token is a bad request - Given I save my place in the log file - When I authenticate via OIDC with no id token - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::RequestBody::MissingRequestParam - """ - And The following appears in the audit log after my savepoint: - """ - cucumber:user:USERNAME_MISSING failed to authenticate with authenticator authn-oidc service - """ - - @negative @acceptance - Scenario: Empty id token is a bad request - Given I save my place in the log file - When I authenticate via OIDC with empty id token - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::RequestBody::MissingRequestParam - """ - And The following appears in the audit log after my savepoint: - """ - cucumber:user:USERNAME_MISSING failed to authenticate with authenticator authn-oidc service - """ - - @negative @acceptance - Scenario: non-existing account in request is denied - Given I save my place in the log file - When I authenticate via OIDC with id token and account "non-existing" - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::AccountNotDefined - """ - And The following appears in the audit log after my savepoint: - """ - non-existing:user:USERNAME_MISSING failed to authenticate with authenticator authn-oidc service - """ - - @negative @acceptance - Scenario: admin user is denied - And I fetch an ID Token for username "admin" and password "admin" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::AdminAuthenticationDenied - """ - And The following appears in the audit log after my savepoint: - """ - cucumber:user:USERNAME_MISSING failed to authenticate with 
authenticator authn-oidc service - """ - - @smoke - Scenario: provider-uri dynamic change - And I fetch an ID Token for username "alice" and password "alice" - And I authenticate via OIDC with id token - And user "alice" has been authorized by Conjur - # Update provider uri to a different hostname and verify `provider-uri` has changed - When I add the secret value "https://different-provider:8443" to the resource "cucumber:variable:conjur/authn-oidc/keycloak/provider-uri" - And I authenticate via OIDC with id token - Then it is unauthorized - # Check recovery to a valid provider uri - And I revert the value of the resource "cucumber:variable:conjur/authn-oidc/keycloak/provider-uri" - And I fetch an ID Token for username "alice" and password "alice" - And I authenticate via OIDC with id token - Then user "alice" has been authorized by Conjur - - @negative @acceptance - Scenario: Unauthenticated is raised in case of an invalid OIDC Provider hostname - Given I fetch an ID Token for username "alice" and password "alice" - And I authenticate via OIDC with id token - And user "alice" has been authorized by Conjur - # Update provider uri to reachable but invalid hostname - When I add the secret value "http://127.0.0.1.com/" to the resource "cucumber:variable:conjur/authn-oidc/keycloak/provider-uri" - And I save my place in the log file - And I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::OAuth::ProviderDiscoveryFailed - """ - - # This test runs a failing authentication request that is already - # tested in another scenario (User that is not permitted to webservice in ID token is denied). 
- # We run it again here to verify that we write a message to the audit log - @acceptance - Scenario: Authentication failure is written to the audit log - Given I extend the policy with: - """ - - !user bob.somebody - """ - And I fetch an ID Token for username "bob.somebody" and password "bob" - And I save my place in the audit log file - When I authenticate via OIDC with id token - Then it is forbidden - And The following appears in the audit log after my savepoint: - """ - cucumber:user:bob.somebody failed to authenticate with authenticator authn-oidc service cucumber:webservice:conjur/authn-oidc/keycloak - """ - - @negative @acceptance - Scenario: Request with an existing user ID in URL is responded with not found - Given I save my place in the log file - When I authenticate via OIDC with no id token and user id "alice" in the request - Then it is not found - And The following appears in the log after my savepoint: - """ - ActionController::RoutingError (No route matches [POST] "/authn-oidc/keycloak/cucumber/alice/authenticate") - """ - - @negative @acceptance - Scenario: Request with a non-existing user ID in URL is responded with not found - Given I save my place in the log file - When I authenticate via OIDC with no id token and user id "non-exist" in the request - Then it is not found - And The following appears in the log after my savepoint: - """ - ActionController::RoutingError (No route matches [POST] "/authn-oidc/keycloak/cucumber/non-exist/authenticate") - """ diff --git a/cucumber/authenticators_oidc/features/authn_oidc_bad_policy.feature b/cucumber/authenticators_oidc/features/authn_oidc_bad_policy.feature deleted file mode 100644 index 2c89226a87..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc_bad_policy.feature +++ /dev/null 
@@ -1,227 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator - Bad authenticator configuration leads to an error - - In this feature we define an OIDC Authenticator with a configuration - mistake. Each test will verify that we fail the authentication in such a case - and log the relevant error for the user to re-configure the authenticator - properly - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_internal_uri | PROVIDER_INTERNAL_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | - | oidc_scope | KEYCLOAK_SCOPE | openid | - | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | - | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_id_token_user_property | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - @negative @acceptance - Scenario: id-token-user-property variable missing in policy is denied - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. 
- - - !variable - id: provider-uri - - - !variable - id: ca-cert - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Conjur::RequiredResourceMissing - """ - - @negative @acceptance - Scenario: provider-uri variable missing in policy is denied - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. 
- - - !variable - id: id-token-user-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Conjur::RequiredResourceMissing - """ - - @negative @acceptance - Scenario: webservice missing in policy is denied - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !variable - id: ca-cert - - - !group users - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::WebserviceNotFound - """ - - @negative @acceptance - Scenario: webservice with read and no authenticate permission in policy is denied - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on 
Open ID Connect. - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !variable - id: ca-cert - - - !group users - - - !permit - role: !group users - privilege: [ read ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - And I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token - Then it is forbidden - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::RoleNotAuthorizedOnResource - """ - - @negative @acceptance - Scenario: An authenticator without a service id - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc - body: - - !webservice - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/provider-uri | oidc_provider_uri | - Given I fetch an ID Token for username "alice" and password "alice" - And I save my place in the log file - When I authenticate via OIDC with id token and without a service-id - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::AuthnOidc::ServiceIdMissing - """ 
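Review bot: deleting authn_oidc_bad_policy.feature removes the only scenarios that pin the error class logged for each misconfiguration (missing id-token-user-property or provider-uri -> Errors::Conjur::RequiredResourceMissing, missing webservice -> Errors::Authentication::Security::WebserviceNotFound, a permit with read but no authenticate -> Errors::Authentication::Security::RoleNotAuthorizedOnResource, no service-id -> Errors::Authentication::AuthnOidc::ServiceIdMissing); these messages are what an operator relies on to repair a broken authenticator, so the PR should point to replacement coverage for the same error classes, since the V2 feature deleted in the same patch has no bad-policy cases.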
diff --git a/cucumber/authenticators_oidc/features/authn_oidc_okta.feature b/cucumber/authenticators_oidc/features/authn_oidc_okta.feature deleted file mode 100644 index 6491e3f55b..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc_okta.feature +++ /dev/null 
@@ -1,51 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator V2 - Users can authenticate with Okta using OIDC - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_uri | OKTA_PROVIDER_URI | | - | oidc_client_id | OKTA_CLIENT_ID | | - | oidc_client_secret | OKTA_CLIENT_SECRET | | - | oidc_redirect_url | OKTA_REDIRECT | http://localhost:3000/authn-oidc/okta/cucumber/authenticate | - | oidc_username | OKTA_USERNAME | | - | oidc_password | OKTA_PASSWORD | | - - And I load a policy and enable an oidc user into group "conjur/authn-oidc/okta/users": - """ - - !policy - id: conjur/authn-oidc/okta - body: - - !webservice - annotations: - description: Authentication service for Okta, based on Open ID Connect. - - - !variable provider-uri - - !variable client-id - - !variable client-secret - - !variable claim-mapping - - !variable state - - !variable nonce - - !variable redirect-uri - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - """ - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/okta/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/okta/client-id | oidc_client_id | | - | conjur/authn-oidc/okta/client-secret | oidc_client_secret | | - | conjur/authn-oidc/okta/claim-mapping | | preferred_username | - | conjur/authn-oidc/okta/redirect-uri | oidc_redirect_url | | - - @smoke - Scenario: Authenticating with Conjur using Okta - Given I retrieve OIDC configuration from the provider endpoint for "okta" - And I authenticate and fetch a code from Okta - When I authenticate via OIDC with code and service_id "okta" - Then the okta user has been authorized by conjur 
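Review bot: authn_oidc_okta.feature is the only scenario here that runs the code flow against an external provider end to end, and its removal leaves no check that retrieving OIDC configuration from a real discovery endpoint and exchanging a code still works; if the reason is that it needs live credentials (the OKTA_* variables all default to empty), keeping it under its existing @smoke tag and skipping when the variables are unset would preserve the coverage without breaking CI.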
diff --git a/cucumber/authenticators_oidc/features/authn_oidc_performance.feature b/cucumber/authenticators_oidc/features/authn_oidc_performance.feature deleted file mode 100644 index 2b27dcdb3b..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc_performance.feature +++ /dev/null 
@@ -1,66 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator - Performance tests - - In this feature we test that OIDC Authenticator performance is meeting - the SLA. We run multiple authn-oidc requests in multiple threads and verify - that the average time of a request is no more that the agreed time. - We test both successful requests and unsuccessful requests. - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_internal_uri | PROVIDER_INTERNAL_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | - | oidc_scope | KEYCLOAK_SCOPE | openid | - | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | - | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_id_token_user_property | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - And I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. 
- - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !variable - id: ca-cert - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - - @performance - Scenario: successful requests - And I fetch an ID Token for username "alice" and password "alice" - When I authenticate 1000 times in 10 threads via OIDC with id token - Then The avg authentication request responds in less than 0.75 seconds - - @performance - Scenario: Unsuccessful requests with an invalid token - When I authenticate 1000 times in 10 threads via OIDC with invalid id token - Then The avg authentication request responds in less than 0.75 seconds diff --git a/cucumber/authenticators_oidc/features/authn_oidc_v2.feature b/cucumber/authenticators_oidc/features/authn_oidc_v2.feature deleted file mode 100644 index 4b6daff86e..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc_v2.feature +++ /dev/null 
@@ -1,301 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator V2 - Users can authenticate with OIDC authenticator - - In this feature we define an OIDC authenticator in policy and perform authentication - with Conjur. In successful scenarios we will also define a variable and permit the user to - execute it, to verify not only that the user can authenticate with the OIDC - Authenticator, but that it can retrieve a secret using the Conjur access token. - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_internal_uri | PROVIDER_INTERNAL_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | - | oidc_scope | KEYCLOAK_SCOPE | openid | - | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | - | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_claim_mapping | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_redirect_url | KEYCLOAK_REDIRECT_URI | http://conjur:3000/authn-oidc/keycloak2/cucumber/authenticate | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - And I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak2 - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. Uses the default token TTL of 8 minutes. 
- - !variable name - - !variable provider-uri - - !variable response-type - - !variable client-id - - !variable client-secret - - !variable claim-mapping - - !variable state - - !variable nonce - - !variable redirect-uri - - !variable provider-scope - - !variable token-ttl - - !variable ca-cert - - !group users - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !policy - id: conjur/authn-oidc/keycloak2-long-lived - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. Uses a 2 hour token TTL. - - !variable name - - !variable provider-uri - - !variable response-type - - !variable client-id - - !variable client-secret - - !variable claim-mapping - - !variable state - - !variable nonce - - !variable redirect-uri - - !variable provider-scope - - !variable token-ttl - - !variable ca-cert - - !group users - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !user - id: alice - - !grant - role: !group conjur/authn-oidc/keycloak2/users - member: !user alice - - !grant - role: !group conjur/authn-oidc/keycloak2-long-lived/users - member: !user alice - """ - - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/keycloak2/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/keycloak2/client-id | oidc_client_id | | - | conjur/authn-oidc/keycloak2/client-secret | oidc_client_secret | | - | conjur/authn-oidc/keycloak2/claim-mapping | oidc_claim_mapping | | - | conjur/authn-oidc/keycloak2/redirect-uri | oidc_redirect_url | | - | conjur/authn-oidc/keycloak2/response-type | | code | - | conjur/authn-oidc/keycloak2/ca-cert | oidc_ca_cert | | - | conjur/authn-oidc/keycloak2-long-lived/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/keycloak2-long-lived/client-id | oidc_client_id | | - | conjur/authn-oidc/keycloak2-long-lived/client-secret | 
oidc_client_secret | | - | conjur/authn-oidc/keycloak2-long-lived/claim-mapping | oidc_claim_mapping | | - | conjur/authn-oidc/keycloak2-long-lived/redirect-uri | oidc_redirect_url | | - | conjur/authn-oidc/keycloak2-long-lived/response-type | | code | - | conjur/authn-oidc/keycloak2-long-lived/token-ttl | | PT2H | - | conjur/authn-oidc/keycloak2-long-lived/ca-cert | oidc_ca_cert | | - - @smoke - Scenario: A valid code to get Conjur access token from webservice with default token TTL - # We want to verify the returned access token is valid for retrieving a secret - Given I have a "variable" resource called "test-variable" - And I permit user "alice" to "execute" it - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I fetch a code for username "alice" and password "alice" from "keycloak2" - And I save my place in the audit log file - And I authenticate via OIDC V2 with code and service-id "keycloak2" - Then user "alice" has been authorized by Conjur for 60 minutes - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And The following appears in the audit log after my savepoint: - """ - cucumber:user:alice successfully authenticated with authenticator authn-oidc service cucumber:webservice:conjur/authn-oidc/keycloak2 - """ - - @smoke - Scenario: A valid code to get Conjur access token from webservice with custom token TTL - Given I have a "variable" resource called "test-variable" - And I permit user "alice" to "execute" it - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - And I fetch a code for username "alice" and password "alice" from "keycloak2-long-lived" - And I save my place in the audit log file - And I authenticate via OIDC V2 with code and service-id "keycloak2-long-lived" - Then user "alice" has been authorized by Conjur for 2 hours - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - And 
The following appears in the audit log after my savepoint: - """ - cucumber:user:alice successfully authenticated with authenticator authn-oidc service cucumber:webservice:conjur/authn-oidc/keycloak2-long-lived - """ - - @smoke - Scenario: A valid code with email as claim mapping - Given I extend the policy with: - """ - - !user alice@conjur.net - - !grant - role: !group conjur/authn-oidc/keycloak2/users - member: !user alice@conjur.net - """ - When I add the secret value "email" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/claim-mapping" - And I fetch a code for username "alice@conjur.net" and password "alice" from "keycloak2" - And I authenticate via OIDC V2 with code - Then user "alice@conjur.net" has been authorized by Conjur - - @smoke - Scenario: Adding a group to keycloak2/users group permits users to authenticate - Given I extend the policy with: - """ - - !user - id: bob.somebody - - !group more-users - - !grant - role: !group more-users - member: !user bob.somebody - - !grant - role: !group conjur/authn-oidc/keycloak2/users - member: !group more-users - """ - And I fetch a code for username "bob@conjur.net" and password "bob" from "keycloak2" - When I authenticate via OIDC V2 with code - Then user "bob.somebody" has been authorized by Conjur - - @negative @acceptance - Scenario: Non-existing username in claim mapping is denied - Given I fetch a code for username "not_in_conjur" and password "not_in_conjur" from "keycloak2" - And I save my place in the log file - When I authenticate via OIDC V2 with code - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::RoleNotFound - """ - - @negative @acceptance - Scenario: User that is not permitted to webservice in claim mapping is denied - Given I extend the policy with: - """ - - !user - id: bob@conjur.net - """ - And I fetch a code for username "bob@conjur.net" and password "bob" from "keycloak2" - And I save my place in 
the log file - When I authenticate via OIDC V2 with code - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::Security::RoleNotFound - """ - - @negative @acceptance - Scenario: Code without value of variable claim mapping is denied - When I add the secret value "non_existing_field" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/claim-mapping" - And I fetch a code for username "alice@conjur.net" and password "alice" from "keycloak2" - And I save my place in the log file - When I authenticate via OIDC V2 with code - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::AuthnOidc::IdTokenClaimNotFoundOrEmpty: CONJ00013E Claim 'non_existing_field' not found or empty in ID token. This claim is defined in the claim-mapping variable. - """ - - @negative @acceptance - Scenario: Adding a group to keycloak2/users group permits users to authenticate - Given I extend the policy with: - """ - - !user - id: bob - annotations: - authn-oidc/identity: bob.somebody - - !group more-users - - !grant - role: !group more-users - member: !user bob - - !grant - role: !group conjur/authn-oidc/keycloak2/users - member: !group more-users - """ - - @negative @acceptance - Scenario: Missing code is a bad request - Given I save my place in the log file - And I fetch a code for username "alice@conjur.net" and password "alice" from "keycloak2" - When I authenticate via OIDC V2 with no code in the request - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::RequestBody::MissingRequestParam - """ - - @negative @acceptance - Scenario: Empty code is a bad request - Given I save my place in the log file - And I fetch a code for username "alice@conjur.net" and password "alice" from "keycloak2" - When I authenticate via OIDC V2 with code "" - Then it is a bad request - And The following appears in 
the log after my savepoint: - """ - Errors::Authentication::RequestBody::MissingRequestParam - """ - - @negative @acceptance - Scenario: Invalid code is a bad request - Given I save my place in the log file - And I fetch a code for username "alice@conjur.net" and password "alice" from "keycloak2" - When I authenticate via OIDC V2 with code "bad-code" - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::AuthnOidc::TokenRetrievalFailed - """ - - @negative @acceptance - Scenario: Bad OIDC provider credentials - Given I save my place in the log file - And I fetch a code for username "alice" and password "notalice" from "keycloak2" - When I authenticate via OIDC V2 with code - Then it is a bad request - And The following appears in the log after my savepoint: - """ - Errors::Authentication::RequestBody::MissingRequestParam - """ - - @negative @acceptance - Scenario: Non-Existent authenticator is not found - Given I save my place in the log file - And I fetch a code for username "alice" and password "alice" from "keycloak2" - When I authenticate via OIDC V2 with code and service-id "non-exist" - Then it is not found - And The following appears in the log after my savepoint: - """ - Errors::Conjur::RequestedResourceNotFound: CONJ00123E Resource - """ - - @smoke - Scenario: provider-uri dynamic change - And I fetch a code for username "alice" and password "alice" from "keycloak2" - And I authenticate via OIDC V2 with code - And user "alice" has been authorized by Conjur - # Update provider uri to a different hostname and verify `provider-uri` has changed - When I add the secret value "https://different-provider:8443" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" - And I authenticate via OIDC V2 with code - Then it is unauthorized - # Check recovery to a valid provider uri - And I revert the value of the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" - And 
I fetch a code for username "alice" and password "alice" from "keycloak2" - And I authenticate via OIDC V2 with code - Then user "alice" has been authorized by Conjur - - @negative @acceptance - Scenario: Unauthenticated is raised in case of an invalid OIDC Provider hostname - Given I fetch a code for username "alice" and password "alice" from "keycloak2" - And I authenticate via OIDC V2 with code - And user "alice" has been authorized by Conjur - # Update provider uri to reachable but invalid hostname - When I add the secret value "http://127.0.0.1.com/" to the resource "cucumber:variable:conjur/authn-oidc/keycloak2/provider-uri" - And I save my place in the log file - And I authenticate via OIDC V2 with code - Then it is unauthorized - And The following appears in the log after my savepoint: - """ - Errors::Authentication::OAuth::ProviderDiscoveryFailed - """ diff --git a/cucumber/authenticators_oidc/features/authn_oidc_with_ldap.feature b/cucumber/authenticators_oidc/features/authn_oidc_with_ldap.feature deleted file mode 100644 index 37d5ad53ca..0000000000 --- a/cucumber/authenticators_oidc/features/authn_oidc_with_ldap.feature +++ /dev/null 
@@ -1,82 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator - Users can authenticate with OIDC & LDAP authenticators - - In this feature we define an OIDC authenticator and LDAP authenticator - in policy and perform authentication with Conjur. This test verifies that the - two authenticators can live side by side without affecting each other. - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_internal_uri | PROVIDER_INTERNAL_URI | http://keycloak:8080/auth/realms/master/protocol/openid-connect | - | oidc_scope | KEYCLOAK_SCOPE | openid | - | oidc_client_id | KEYCLOAK_CLIENT_ID | conjurClient | - | oidc_client_secret | KEYCLOAK_CLIENT_SECRET | 1234 | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_id_token_user_property | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - # Configure OIDC authenticator - And I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. 
- - !variable - id: provider-uri - - !variable - id: id-token-user-property - - !variable - id: ca-cert - - !group users - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - !user alice - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_id_token_user_property | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | - - # Configure LDAP authenticator - And I extend the policy with: - """ - - !policy - id: conjur/authn-ldap/test - body: - - !webservice - - !group clients - - !permit - role: !group clients - privilege: [ read, authenticate ] - resource: !webservice - - !grant - role: !group conjur/authn-ldap/test/clients - member: !user alice - """ - - @acceptance - Scenario: Users can authenticate with 2 authenticators - # We want to verify the returned access token is valid for retrieving a secret - Given I have a "variable" resource called "test-variable" - And I permit user "alice" to "execute" it - And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable" - # Authenticate with authn-oidc - And I fetch an ID Token for username "alice" and password "alice" - When I authenticate via OIDC with id token - Then user "alice" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user - # Authenticate with authn-ldap - When I login via LDAP as authorized Conjur user "alice" - And I authenticate via LDAP as authorized Conjur user "alice" using key - Then user "alice" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user 
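Review bot: deleting authn_oidc_with_ldap.feature drops the only scenario in this patch that exercises authn-oidc and authn-ldap side by side ("Users can authenticate with 2 authenticators", which authenticates alice through both webservices and fetches test-variable with each resulting token); if that coexistence check has moved to another suite, the PR description should point to it, otherwise the scenario should be ported rather than removed.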
diff --git a/cucumber/authenticators_oidc/features/authn_status_oidc.feature b/cucumber/authenticators_oidc/features/authn_status_oidc.feature deleted file mode 100644 index 9f318900bb..0000000000 --- a/cucumber/authenticators_oidc/features/authn_status_oidc.feature +++ /dev/null 
@@ -1,291 +0,0 @@ -@authenticators_oidc -Feature: OIDC Authenticator - Status Check - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_uri | PROVIDER_URI | https://keycloak:8443/auth/realms/master | - | oidc_claim_mapping | ID_TOKEN_USER_PROPERTY | preferred_username | - | oidc_ca_cert | KEYCLOAK_CA_CERT | | - - @smoke - Scenario: A properly configured OIDC authenticator returns a successful response - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - - !webservice - id: status - annotations: - description: Status service to verify the authenticator is configured correctly - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !variable - id: ca-cert - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !group - id: managers - annotations: - description: Group of users who can check the status of the authn-oidc/keycloak authenticator - - - !permit - role: !group managers - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/managers - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_claim_mapping | | - | conjur/authn-oidc/keycloak/ca-cert | oidc_ca_cert | | - And I login as "alice" - When I GET "/authn-oidc/keycloak/cucumber/status" - Then the HTTP response status code is 200 - And the HTTP response content type is "application/json" - And the authenticator status check 
succeeds - - @negative @acceptance - Scenario: A non-responsive OIDC provider returns a 500 response - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. - - - !webservice - id: status - annotations: - description: Status service to verify the authenticator is configured correctly - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !group - id: managers - annotations: - description: Group of users who can check the status of the authn-oidc/keycloak authenticator - - - !permit - role: !group managers - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/managers - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/keycloak/provider-uri | | https://not-responsive.com | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_claim_mapping | | - - And I login as "alice" - When I GET "/authn-oidc/keycloak/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "ProviderDiscoveryFailed: CONJ00011E" - - @negative @acceptance - Scenario: provider-uri variable is missing and a 500 error response is returned - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. 
- - - !webservice - id: status - annotations: - description: Status service to verify the authenticator is configured correctly - - - !variable - id: id-token-user-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !group - id: managers - annotations: - description: Group of users who can check the status of the authn-oidc/keycloak authenticator - - - !permit - role: !group managers - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/managers - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/keycloak/id-token-user-property | oidc_claim_mapping | | - And I login as "alice" - When I GET "/authn-oidc/keycloak/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "RequiredResourceMissing: CONJ00036E" - - @negative @acceptance - Scenario: id-token-user-property variable is missing and a 500 error response is returned - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/keycloak - body: - - !webservice - annotations: - description: Authentication service for Keycloak, based on Open ID Connect. 
- - - !webservice - id: status - annotations: - description: Status service to verify the authenticator is configured correctly - - - !variable - id: provider-uri - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !group - id: managers - annotations: - description: Group of users who can check the status of the authn-oidc/keycloak authenticator - - - !permit - role: !group managers - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/users - member: !user alice - - - !grant - role: !group conjur/authn-oidc/keycloak/managers - member: !user alice - """ - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | conjur/authn-oidc/keycloak/provider-uri | oidc_provider_uri | | - And I login as "alice" - When I GET "/authn-oidc/keycloak/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "RequiredResourceMissing: CONJ00036E" - - @negative @acceptance - Scenario: service-id missing and a 500 error response is returned - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc - body: - - !webservice - - - !webservice - id: status - annotations: - description: Status service to verify the authenticator is configured correctly - - - !variable - id: provider-uri - - - !variable - id: id-token-user-property - - - !group users - - - !permit - role: !group users - privilege: [ read, authenticate ] - resource: !webservice - - - !group - id: managers - annotations: - description: Group of users who can check the status of the authn-oidc authenticator - - - !permit - role: !group managers - privilege: [ read ] - resource: !webservice status - - - !user alice - - - !grant - role: !group conjur/authn-oidc/users - member: !user alice - - - !grant - role: !group conjur/authn-oidc/managers - member: !user alice - """ - And I login as 
"alice" - When I GET "/authn-oidc/cucumber/status" - Then the HTTP response status code is 500 - And the authenticator status check fails with error "Errors::Authentication::AuthnOidc::ServiceIdMissing" diff --git a/cucumber/authenticators_oidc/features/list_authenticators.feature b/cucumber/authenticators_oidc/features/list_authenticators.feature deleted file mode 100644 index 9e4b5c76d0..0000000000 --- a/cucumber/authenticators_oidc/features/list_authenticators.feature +++ /dev/null 
@@ -1,96 +0,0 @@ -@authenticators_oidc -Feature: A user can view the various authenticators they can use. - - Background: - Given the following environment variables are available: - | context_variable | environment_variable | default_value | - | oidc_provider_uri | OKTA_PROVIDER_URI | | - - @smoke - Scenario: List readable authenticators - Given I load a policy: - """ - - !policy - id: conjur/authn-oidc/oidceast - body: - - !webservice - - !webservice status - - !variable provider-uri - - !variable client-id - - !variable client-secret - - !variable name - - !variable claim-mapping - - !variable nonce - - !variable state - - !group - id: authenticatable - annotations: - description: Users who can authenticate using this authenticator - - !permit - role: !group authenticatable - privilege: [ read, authenticate ] - resource: !webservice - """ - - And I extend the policy with: - """ - - !policy - id: conjur/authn-oidc/okta - body: - - !webservice - - !webservice status - - !variable provider-uri - - !variable name - - !variable client-id - - !variable client-secret - - !variable claim-mapping - - !variable nonce - - !variable state - - !group - id: authenticatable - annotations: - description: Users who can authenticate using this authenticator - - !permit - role: !group authenticatable - privilege: [ read, authenticate ] - resource: !webservice - """ - - And I extend the policy with: - """ - - !group secrets-fetchers - - !group cant-authenticate - - !user - id: alice - annotations: - authn-oidc/oidceast: alice.somebody@cyberark.com - - !user - id: bob - annotations: - authn-oidc/okta: bob.somebody@cyberark.com - - !grant - role: !group cant-authenticate - member: !user bob - - !grant - role: !group secrets-fetchers - member: !user alice - - !grant - role: !group conjur/authn-oidc/oidceast/authenticatable - member: !group secrets-fetchers - """ - - And I set the following conjur variables: - | variable_id | context_variable | default_value | - | 
conjur/authn-oidc/oidceast/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/oidceast/client-id | | foo-bar | - | conjur/authn-oidc/oidceast/client-secret | | foo-bar | - | conjur/authn-oidc/oidceast/name | | oidceast | - | conjur/authn-oidc/oidceast/claim-mapping | | preferred_username | - | conjur/authn-oidc/okta/provider-uri | oidc_provider_uri | | - | conjur/authn-oidc/okta/client-id | | foo-bar | - | conjur/authn-oidc/okta/client-secret | | foo-bar | - | conjur/authn-oidc/okta/name | | okta | - | conjur/authn-oidc/okta/claim-mapping | | preferred_username | - - Then the list of authenticators contains the service-id "oidceast" - Then the list of authenticators contains the service-id "okta"
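Review bot: the V2 code-flow scenarios removed from authn_oidc.feature (claim-mapping by email, group-based grants into keycloak2/users, the RoleNotFound and IdTokenClaimNotFoundOrEmpty rejections, the provider-uri dynamic change and the ProviderDiscoveryFailed case for an invalid hostname) have no replacement visible anywhere in this diff, so please state where that coverage now lives. The file also carried two scenarios titled "Adding a group to keycloak2/users group permits users to authenticate", the second tagged @negative @acceptance with only a Given step and no When/Then; if these scenarios are being ported, the duplicate needs a distinct title and its missing steps rather than being copied as-is.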
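Review bot: authn_status_oidc.feature was the only coverage of the /authn-oidc/keycloak/cucumber/status error paths (500 with "ProviderDiscoveryFailed: CONJ00011E" for an unreachable provider, "RequiredResourceMissing: CONJ00036E" when provider-uri or id-token-user-property is absent, and ServiceIdMissing when the request omits the service-id); a deletion-only change for a status endpoint needs either a pointer to the replacement tests or a statement that the endpoint itself is going away.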
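Review bot: the deleted "List readable authenticators" scenario had no When step and no login step between the variable setup and its two Then assertions, and both assertions are positive ("the list of authenticators contains the service-id ..."), so it never checked the readability distinction its own policy sets up (alice reaches oidceast/authenticatable via secrets-fetchers, bob is only in cant-authenticate). If a replacement is written it should act as a specific user and include the negative case; the second assertion should also be joined with And rather than a repeated Then.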