Add integration test for Identity

ci/docker-compose.yml

@@ -11,7 +11,7 @@ services:
     environment:
       DATABASE_URL: postgres://postgres@pg/postgres
       CONJUR_DATA_KEY: Bd4+A1QnELGC1Fb5/KauFlVez981OoYblbyfNOCavuQ=
-      CONJUR_AUTHENTICATORS: authn,authn-oidc/keycloak,authn-oidc/okta-2
+      CONJUR_AUTHENTICATORS: authn,authn-oidc/keycloak,authn-oidc/okta
       CONJUR_FEATURE_PKCE_SUPPORT_ENABLED: 'true'
     volumes:
     # The files add the endpoint /dev to Conjur. This endpoint allows us to carry out typical development tasks such as fetching
@@ -38,6 +38,11 @@ services:
       - OKTA_PROVIDER_URI=$OKTA_PROVIDER_URI
       - OKTA_USERNAME=$OKTA_USERNAME
       - OKTA_PASSWORD=$OKTA_PASSWORD
+      - IDENTITY_CLIENT_ID=$IDENTITY_CLIENT_ID
+      - IDENTITY_CLIENT_SECRET=$IDENTITY_CLIENT_SECRET
+      - IDENTITY_PROVIDER_URI=$IDENTITY_PROVIDER_URI
+      - IDENTITY_USERNAME=$IDENTITY_USERNAME
+      - IDENTITY_PASSWORD=$IDENTITY_PASSWORD
     command: bash -c "cd ${PWD}/..; make install; sleep infinity"
     working_dir: ${PWD}/..
     restart: on-failure

ci/identity/users.template.yml

@@ -1,7 +1,12 @@
 # Users with permission to authenticate
-- !user {{ IDENTITY_USERNAME }}
+- !user {{ .IDENTITY_USERNAME }}
 
 - !grant
   members:
-    - !user {{ IDENTITY_USERNAME }}
+    - !user {{ .IDENTITY_USERNAME }}
   role: !group conjur/authn-oidc/identity/authenticatable
+
+- !permit
+  role: !user {{ .IDENTITY_USERNAME }}
+  privilege: [ read, update, create ]
+  resource: !policy root

ci/okta/policy.yml

@@ -5,7 +5,7 @@
       id: authn-oidc
       body:
         - !policy
-          id: okta-2
+          id: okta
           body:
           - !webservice
 

ci/okta/users.yml

@@ -8,7 +8,7 @@
     - !user [email protected]
     - !user [email protected]
     - !user [email protected]
-  role: !group conjur/authn-oidc/okta-2/authenticatable
+  role: !group conjur/authn-oidc/okta/authenticatable
 
 - !permit
   role: !user [email protected]

ci/secrets.yml

@@ -0,0 +1,23 @@
+ci:
+  OKTA_CLIENT_ID: !var ci/okta/app/client-id
+  OKTA_CLIENT_SECRET: !var ci/okta/app/client-secret
+  OKTA_PROVIDER_URI: !var ci/okta/app/provider-uri
+  OKTA_USERNAME: !var ci/okta/user/assigned/username
+  OKTA_PASSWORD: !var ci/okta/user/assigned/password
+
+  IDENTITY_CLIENT_ID: !var ci/identity/app/client-id
+  IDENTITY_CLIENT_SECRET: !var ci/identity/app/client-secret
+  IDENTITY_PROVIDER_URI: !var ci/identity/app/provider-uri
+
+development:
+  OKTA_CLIENT_ID: !var dev/okta/app/client-id
+  OKTA_CLIENT_SECRET: !var dev/okta/app/client-secret
+  OKTA_PROVIDER_URI: !var dev/okta/app/provider-uri
+  OKTA_USERNAME: !var dev/okta/user/assigned/username
+  OKTA_PASSWORD: !var dev/okta/user/assigned/password
+
+  IDENTITY_CLIENT_ID: !var dev/identity/app/client-id
+  IDENTITY_CLIENT_SECRET: !var dev/identity/app/client-secret
+  IDENTITY_PROVIDER_URI: !var dev/identity/app/provider-uri
+  # IDENTITY_USERNAME: [email protected]
+  # IDENTITY_PASSWORD: password

cmd/integration/oidc_integration_test.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"strings"
 	"testing"
+	"text/template"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -147,7 +148,7 @@ func testLogout(t *testing.T, tmpDir string, conjurCLI *conjurCLI, aoc authnOidc
 
 		stdOut, stdErr, err = conjurCLI.Run("login", "-i", "not_in_conjur", "-p", "not_in_conjur")
 		assert.Error(t, err)
-		assert.Contains(t, stdErr, "Unable to authenticate")
+		assert.NotEmpty(t, stdErr)
 
 		// Check that the netrc file is not modified
 		info, err = os.Stat(tmpDir + "/.netrc")
@@ -169,13 +170,14 @@ func testLogout(t *testing.T, tmpDir string, conjurCLI *conjurCLI, aoc authnOidc
 	})
 }
 
-func RunOIDCIntegrationTests(t *testing.T) {
+func TestOIDCIntegration(t *testing.T) {
 	TestCases := []struct {
 		description     string
 		oidcConnection  oidcConnection
 		oidcCredentials oidcCredentials
 		authnOidcConfig authnOidcConfig
 		envVars         []string
+		beforeFunc      func() error
 	}{
 		{
 			description: "conjur cli user authenticates with keycloak",
@@ -207,7 +209,7 @@ func RunOIDCIntegrationTests(t *testing.T) {
 				password: os.Getenv("OKTA_PASSWORD"),
 			},
 			authnOidcConfig: authnOidcConfig{
-				serviceID:    "okta-2",
+				serviceID:    "okta",
 				claimMapping: "preferred_username",
 				policyUser:   os.Getenv("OKTA_USERNAME"),
 			},
@@ -219,6 +221,55 @@ func RunOIDCIntegrationTests(t *testing.T) {
 				"OKTA_PASSWORD",
 			},
 		},
+		{
+			description: "conjur cli user authenticates with identity",
+			oidcConnection: oidcConnection{
+				providerURI:  os.Getenv("IDENTITY_PROVIDER_URI"),
+				clientID:     os.Getenv("IDENTITY_CLIENT_ID"),
+				clientSecret: os.Getenv("IDENTITY_CLIENT_SECRET"),
+			},
+			oidcCredentials: oidcCredentials{
+				username: os.Getenv("IDENTITY_USERNAME"),
+				password: os.Getenv("IDENTITY_PASSWORD"),
+			},
+			authnOidcConfig: authnOidcConfig{
+				serviceID:    "identity",
+				claimMapping: "email",
+				policyUser:   os.Getenv("IDENTITY_USERNAME"),
+			},
+			envVars: []string{
+				"IDENTITY_PROVIDER_URI",
+				"IDENTITY_CLIENT_ID",
+				"IDENTITY_CLIENT_SECRET",
+				"IDENTITY_USERNAME",
+				"IDENTITY_PASSWORD",
+			},
+			beforeFunc: func() error {
+				tmp, err := template.ParseFiles("../../ci/identity/users.template.yml")
+				if err != nil {
+					return err
+				}
+
+				err = os.Remove("../../ci/identity/users.yml")
+				if err != nil {
+					return err
+				}
+
+				file, err := os.Create("../../ci/identity/users.yml")
+				if err != nil {
+					return err
+				}
+
+				defer file.Close()
+
+				err = tmp.Execute(file, map[string]string{"IDENTITY_USERNAME": os.Getenv("IDENTITY_USERNAME")})
+				if err != nil {
+					return err
+				}
+
+				return nil
+			},
+		},
 	}
 
 	for _, tc := range TestCases {
@@ -233,6 +284,11 @@ func RunOIDCIntegrationTests(t *testing.T) {
 			err := hasValidVariables(tc.envVars)
 			assert.Nil(t, err)
 
+			if tc.beforeFunc != nil {
+				err := tc.beforeFunc()
+				assert.Nil(t, err)
+			}
+
 			setupAuthenticator(account, tc.oidcConnection, tc.authnOidcConfig)
 
 			testLogin(t, account, tmpDir, conjurCLI, tc.oidcCredentials, tc.authnOidcConfig)

dev/start

@@ -127,7 +127,7 @@ EOL
   if [ "$ENABLE_OIDC_OKTA" = true ]; then
     echo "Setting up Conjur for OIDC (Okta)"
     docker-compose exec cli-dev bash -c 'conjur logout
-conjur init --force-netrc --force -u http://conjur -i -a dev -t oidc --service-id okta-2
+conjur init --force-netrc --force -u http://conjur -i -a dev -t oidc --service-id okta
 conjur login -i $OKTA_USERNAME -p $OKTA_PASSWORD'
   elif [ "$ENABLE_OIDC_KEYCLOAK" = true ]; then
     echo "Setting up Conjur for OIDC (Keycloak)"
@@ -264,7 +264,7 @@ function generate_identity_policy() {
   echo "Generating policy for AuthnOIDC V2 service 'identity' and user '$IDENTITY_USERNAME'"
   policy_dir="../ci/identity"
   rm -f "$policy_dir/users.yml"
-  sed -e "s#{{ IDENTITY_USERNAME }}#$IDENTITY_USERNAME#g" "$policy_dir/users.template.yml" > "$policy_dir/users.yml"
+  sed -e "s#{{ .IDENTITY_USERNAME }}#$IDENTITY_USERNAME#g" "$policy_dir/users.template.yml" > "$policy_dir/users.yml"
 }
 
 check_environment_variables() {
@@ -292,8 +292,8 @@ enable_oidc_authenticators() {
   fi
 
   if [[ $ENABLE_OIDC_OKTA = true ]]; then
-    echo "Configuring Okta as OpenID provider for manual testing"
-    enabled_authenticators="$enabled_authenticators,authn-oidc/okta-2"
+    echo "Configuring OKTA as OpenID provider for manual testing"
+    enabled_authenticators="$enabled_authenticators,authn-oidc/okta"
   fi
 
   if [[ $ENABLE_OIDC_IDENTITY = true ]]; then