DONOTMERGE: Setup test container automation

.env

@@ -0,0 +1,14 @@
+# This is the docker-compose environment file.
+# Copy it to .env or use --env-file=env.example on docker-compose command.
+# REGISTRY=quay.io/ftrivino
+# REGISTRY=localhost/sssd
+REGISTRY=quay.io/sssd
+TAG=latest
+
+#PLUGIN_ARCHIVE=archive/refs/heads
+#PLUGIN_TAG=http_https
+PLUGIN_ARCHIVE=archive/refs/tags
+PLUGIN_TAG=kc19_intg
+PLUGIN_VER=0.0.1
+PLUGIN_DIR=scim-keycloak-user-storage-spi-${PLUGIN_TAG}
+PLUGIN_JAR=scim-user-spi-0.0.1-SNAPSHOT.jar

.github/workflows/docker-compose.yml

@@ -0,0 +1,25 @@
+name: docker-compose-integration-tests
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  docker:
+    timeout-minutes: 10
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v1
+
+    - name: Start containers
+      run: docker-compose -f "docker-compose.yml" up -d --build
+
+    - name: Install dependencies
+      run: |
+        pip install -r src/install/requirements.txt
+
+    - name: Stop containers
+      if: always()
+      run: docker-compose -f "docker-compose.yml" down

.gitignore

@@ -11,3 +11,9 @@ src/ipa-tuura/scimv2bridge/migrations/
 
 # In-tree build files
 *~
+
+# env files with secrets
+env.secrets
+
+# keycloak container plugin files
+data/keycloak

Makefile

@@ -0,0 +1,40 @@
+include .env
+
+up: datadir plugin
+	docker-compose up --detach --no-recreate
+
+up-gating:
+	docker-compose -f docker-compose.gating.yaml up --no-recreate --detach
+
+stop:
+	docker-compose stop
+
+down: stop
+	docker-compose -f docker-compose.gating.yaml \
+	-f docker-compose.yml down
+
+datadir:
+ifeq (,$(wildcard data/keycloak))
+	mkdir -p data/keycloak
+endif
+
+container:
+	$(MAKE) -C src
+
+plugin: datadir
+ifeq (,$(wildcard data/keycloak/$(PLUGIN_JAR)))
+	cd data/keycloak && \
+	wget https://github.com/justin-stephenson/scim-keycloak-user-storage-spi/${PLUGIN_ARCHIVE}/$(PLUGIN_TAG).tar.gz && \
+	tar zxvf $(PLUGIN_TAG).tar.gz && \
+	pushd $(PLUGIN_DIR) && \
+	mvn clean package && \
+	mv target/$(PLUGIN_JAR) ../ && \
+	chown 994:994 ../${PLUGIN_JAR}
+endif
+
+bridge:
+	source ./env.containers && \
+	bash -c "src/install/setup_bridge.sh"
+
+clean:
+	rm -rf data/keycloak/*

README.md

@@ -100,3 +100,97 @@ make html
 ```
 
 The generated documentation will be available at `$IPA_TUURA/doc/_build/html/` folder.
+
+
+### Testing
+
+Provided is a docker-compose.yml container based test environment.  Running this
+environment on a system will provide the containers needed for testing some of the
+basic features of ipa-tuura:
+
+* ipa-tuura running SCIMv2 Bridge
+* Keycloak running with the SCIMv2 User Storage plugin
+* FreeIPA to provide IPA service
+* LDAP container to provide LDAP service
+* DNS container to provide static DNS for the test environment
+* Nextcloud to provide End to End application authentication testing
+
+
+First Install required packages needed to run container test environment:
+
+```bash
+sudo dnf -y install podman docker-compose podman-docker \
+                    java-17-openjdk-headless maven dnsmasq
+```
+
+Start podman service:
+
+```bash
+sudo systemctl start podman
+```
+
+Clone this repository:
+
+```bash
+git clone https://github.com/freeipa/ipa-tuura
+cd ipa-tuura
+```
+
+Set SELinux boolean:
+
+```bash
+sudo setsebool -P container_manage_cgroup true
+```
+
+OPTIONAL: Note if you want to setup your local DNS to resolve the container
+hostnames, you can follow these steps:
+
+```bash
+sudo cp data/configs/nm_enable_dnsmasq.conf /etc/NetworkManager/conf.d/
+sudo cp data/configs/nm_zone_test.conf /etc/NetworkManager/dnsmasq.d/
+sudo systemctl disable --now systemd-resolved
+sudo mv /etc/resolv.conf /etc/resolv.conf.ipa-tuura-backup
+sudo systemctl reload NetworkManager
+```
+
+Start containers:
+
+```bash
+sudo make up
+sudo make bridge
+```
+
+Note that `make bridge` runs `src/install/setup_bridge.sh` which allows you to
+override the keycloak and/or ipa-tuura hostnames if you wish to use this elsewhere.
+To do this, just set variables before manually running the script:
+
+```bash
+export KC_HOSTNAME=<keycloak server hostname>
+export TUURA_HOSTNAME=<ipa-tuura server hostname>
+bash src/install/setup_bridge.sh
+```
+
+Note that the container names all start with "kite-" which stands for Keycloak
+Integration Test Environment.  Each container is named after the service it
+provides to make access easier.
+
+Now you can access the containers with either:
+
+```bash
+sudo podman exec -it kite-<service> bash
+```
+
+Or for some containers, you can access with ssh.  To do so, lookup IP from 
+docker-compose.yml file.
+
+```bash
+ssh root@<IP>
+```
+
+To run Keycloak or IPA commands, you can alias the commands like this:
+
+```bash
+alias kcadm='sudo podman exec -it kite-keycloak /opt/keycloak/bin/kcadm.sh'
+alias ipa='sudo podman exec -it kite-ipa ipa'
+```
+

data/configs/dnsmasq.conf

@@ -0,0 +1,33 @@
+# dnsmasq configuration for sssd containers
+#
+# This makes sure that all machines are accessible through DNS including
+# SRV and PTR records.
+
+log-queries
+log-facility=-
+local=/test/
+
+# These zones have their own DNS server
+server=/ipa.test/172.16.100.10
+server=/ad.test/172.16.200.10
+
+# Add A records for LDAP and client machines
+address=/master.ldap.test/172.16.100.20
+address=/client.test/172.16.100.40
+address=/master.keycloak.test/172.16.100.70
+address=/master.nextcloud.test/172.16.100.12
+address=/master.mariadb.test/172.16.100.13
+address=/bridge.ipa.test/172.16.100.100
+
+# Add SRV record for LDAP
+srv-host=_ldap._tcp.ldap.test,master.ldap.test,389
+
+# Add PTR records for all machines
+ptr-record=10.100.16.172.in-addr.arpa,master.ipa.test
+ptr-record=12.100.16.172.in-addr.arpa,master.nextcloud.test
+ptr-record=13.100.16.172.in-addr.arpa,master.mariadb.test
+ptr-record=20.100.16.172.in-addr.arpa,master.ldap.test
+ptr-record=40.100.16.172.in-addr.arpa,client.test
+ptr-record=70.100.16.172.in-addr.arpa,master.keycloak.test
+ptr-record=100.100.16.172.in-addr.arpa,bridge.ipa.test
+ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test

data/configs/nm_enable_dnsmasq.conf

@@ -0,0 +1,2 @@
+[main]
+dns=dnsmasq

data/configs/nm_zone_test.conf

@@ -0,0 +1,6 @@
+# dnsmasq configuration for sssd-ci
+#
+# This makes sure that all machines are accessible through DNS including
+# SRV and PTR records.
+
+server=/test/172.16.100.2

data/configs/openssl_ca.cfg

@@ -0,0 +1,16 @@
+[req]
+default_bits = 4096
+default_md = sha256
+encrypt_key = no
+prompt = no
+utf8 = yes
+distinguished_name = distinguished_name
+x509_extensions = ca_extensions
+
+[ distinguished_name ]
+
+[ ca_extensions ]
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:TRUE
+keyUsage = keyCertSign,cRLSign
+subjectKeyIdentifier=hash

data/configs/openssl_sign_ca.ext

@@ -0,0 +1,4 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:TRUE
+keyUsage = keyCertSign,cRLSign
+subjectKeyIdentifier=hash

data/configs/openssl_sign_service.ext

@@ -0,0 +1,4 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectKeyIdentifier=hash

docker-compose.gating.yaml

@@ -0,0 +1,118 @@
+services:
+  dns:
+    restart: always
+    image: ${REGISTRY}/ci-dns:${TAG}
+    container_name: dns
+    env_file: ./env.containers
+    volumes:
+    - ./data/configs/dnsmasq.conf:/etc/dnsmasq.conf
+    cap_add:
+    - NET_RAW
+    - NET_ADMIN
+    - SYS_CHROOT
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      sssd:
+        ipv4_address: 172.16.100.2
+  ipa:
+    image: ${REGISTRY}/ci-ipa:${TAG}
+    container_name: ipa
+    hostname: master.ipa.test
+    dns: 172.16.100.2
+    env_file: ./env.containers
+    volumes:
+    - ./shared:/shared:rw
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    - SYS_CHROOT
+    - NET_ADMIN
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      sssd:
+        ipv4_address: 172.16.100.10
+
+  bridge:
+    #image: localhost/ipa-tuura/base:latest
+    #image: quay.io/ftrivino/bridge-prod
+    image: quay.io/ftrivino/bridge-devel
+    container_name: bridge
+    hostname: bridge.ipa.test
+    dns: 172.16.100.2
+    #command: /usr/sbin/httpd -DFOREGROUND
+    command: python3 manage.py runserver 0.0.0.0:8000
+    env_file:
+    - ./env.containers
+    - ./env.secrets
+    volumes:
+    - ./shared:/shared:rw
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - SYS_CHROOT
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    ports:
+    - 8005:8000
+    - 3501:3500
+    - 4701:81
+    - 4430:443
+    networks:
+      sssd:
+        ipv4_address: 172.16.100.100
+
+  keycloak:
+    image: ${REGISTRY}/ci-keycloak:${TAG}
+    container_name: keycloak
+    hostname: master.keycloak.test
+    dns: 172.16.100.2
+    env_file:
+    - ./env.containers
+    - ./env.secrets
+    volumes:
+    - ./data/keycloak/scim-user-spi-${PLUGIN_VER}-SNAPSHOT.jar:/opt/keycloak/providers/scim.jar
+    #- ./data/keycloak/rootCA.crt:/etc/pki/ca-trust/source/anchors/rootCA.crt
+    #- ./data/keycloak/server.crt:/data/certs/master.keycloak.test.crt
+    #- ./data/keycloak/server.key:/data/certs/master.keycloak.test.key
+    #- ./data/keycloak/server.keystore:/data/certs/master.keycloak.test.keystore
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - SYS_CHROOT
+    - NET_ADMIN
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    ports:
+    - 8080:8080
+    - 8443:8443
+    - 9090:9090
+    networks:
+      sssd:
+        ipv4_address: 172.16.100.70
+
+networks:
+  sssd:
+    name: sssd-ci
+    driver: bridge
+    ipam:
+     config:
+       - subnet: 172.16.100.0/24
+         gateway: 172.16.100.1
+     options:
+        driver: host-local