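#!/bin/bash
# Quick SSO Test Script - Tests current SSO setup
#
# Probes the locally running KMS API, Keycloak (OIDC) and SimpleSAMLphp (SAML)
# services and prints one [PASS]/[FAIL]/[WARN] line per check. Because the
# OAuth2/SAML callback handlers are not integrated yet, the KMS API checks use
# the X-User-Email header to simulate the result of an SSO login.
#
# Environment:
#   BASE_URL      KMS API base URL             (default http://localhost:8081)
#   KEYCLOAK_URL  Keycloak base URL            (default http://localhost:8090)
#   SAML_IDP_URL  SimpleSAMLphp base URL       (default http://localhost:8091)
#   CURL_TIMEOUT  per-request timeout, seconds (default 10)
#
# Exit status: 0 when no check printed [FAIL] ([WARN] does not count),
# 1 otherwise - so CI can rely on it instead of scraping the output.
set -euo pipefail

readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

BASE_URL="${BASE_URL:-http://localhost:8081}"
KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8090}"
SAML_IDP_URL="${SAML_IDP_URL:-http://localhost:8091}"
CURL_TIMEOUT="${CURL_TIMEOUT:-10}"

# Number of [FAIL] results; decides the exit status at the end.
failures=0

log()  { echo -e "${BLUE}[TEST]${NC} $1"; }
pass() { echo -e "${GREEN}[PASS]${NC} $1"; }
fail() { echo -e "${RED}[FAIL]${NC} $1"; failures=$((failures + 1)); }
warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

# curl with the flags every probe shares. The timeout keeps one hung service
# from hanging the whole suite; -s is kept so only our own lines are printed.
req() { curl -s --max-time "$CURL_TIMEOUT" "$@"; }

# Run one SQL statement against the kms database inside the postgres container.
# Arguments: $1 - SQL text. Outputs: psql tuples-only result on stdout.
psql_query() {
  podman exec kms-postgres psql -U postgres -d kms -t -c "$1" 2>/dev/null
}

echo -e "${BLUE}🧪 Quick SSO Test Suite${NC}\n"

# Test 1: Service Health Checks
log "Checking service health..."
if [[ "$(req "$BASE_URL/health")" == "healthy" ]]; then
  pass "KMS API is healthy"
else
  fail "KMS API is not healthy"
fi

if req -f "$KEYCLOAK_URL" > /dev/null; then
  pass "Keycloak is accessible"
else
  fail "Keycloak is not accessible"
fi

# One request is enough: -f already fails on every 4xx/5xx, so a second
# "is it 200" probe could never succeed where this one failed.
if req -f "$SAML_IDP_URL/simplesaml" > /dev/null; then
  pass "SAML IdP admin interface is accessible"
else
  warn "SAML IdP may not be properly configured"
fi

# Test 2: OAuth2/OIDC Discovery
log "Testing OAuth2/OIDC endpoints..."
DISCOVERY_URL="$KEYCLOAK_URL/realms/kms/.well-known/openid-configuration"
# Fetch the document once and parse it locally rather than re-requesting it per field.
if discovery=$(req -f "$DISCOVERY_URL") \
  && jq -e '.authorization_endpoint' <<<"$discovery" > /dev/null 2>&1; then
  pass "OIDC discovery endpoint working"
  AUTH_ENDPOINT=$(jq -r '.authorization_endpoint' <<<"$discovery")
  TOKEN_ENDPOINT=$(jq -r '.token_endpoint' <<<"$discovery")
  log " Authorization: $AUTH_ENDPOINT"
  log " Token: $TOKEN_ENDPOINT"
else
  fail "OIDC discovery endpoint failed"
fi

# Test 3: SAML Metadata
log "Testing SAML endpoints..."
SAML_METADATA_URL="$SAML_IDP_URL/simplesaml/saml2/idp/metadata.php"
if metadata=$(req -f "$SAML_METADATA_URL") && grep -q "EntityDescriptor" <<<"$metadata"; then
  pass "SAML metadata endpoint working"
  # First entityID="..." attribute, parsed with bash's own ERE so the script
  # does not depend on GNU grep -P.
  ENTITY_ID=""
  if [[ "$metadata" =~ entityID=\"([^\"]*)\" ]]; then
    ENTITY_ID=${BASH_REMATCH[1]}
  fi
  log " Entity ID: $ENTITY_ID"
else
  fail "SAML metadata endpoint failed"
fi

# Test 4: KMS API with Header Auth (simulates SSO result)
log "Testing KMS API with header authentication..."
# The API accepts this header in place of a completed SSO login. Outside this
# local test stack that header must only be settable by the SSO layer itself,
# never by an end client - otherwise it is an authentication bypass.
HEADERS=(-H "X-User-Email: admin@example.com")
if apps=$(req -f "${HEADERS[@]}" "$BASE_URL/api/applications") \
  && jq -e '.count' <<<"$apps" > /dev/null 2>&1; then
  pass "KMS API accepts header authentication"
  APP_COUNT=$(jq -r '.count' <<<"$apps")
  log " Found $APP_COUNT applications"
else
  fail "KMS API header authentication failed"
fi

# Test 5: Permission System Check
log "Testing permission system..."
if command -v podman >/dev/null 2>&1; then
  if PERM_COUNT=$(psql_query "SELECT COUNT(*) FROM available_permissions;"); then
    pass "Permission system accessible"
    # psql -t pads the count with whitespace; strip it without forking tr.
    log " Available permissions: ${PERM_COUNT//[[:space:]]/}"
    log " Example permissions:"
    # Capture first, then loop in the current shell: a `podman | while` pipeline
    # would run the loop in a subshell and, under pipefail, a podman failure
    # outside an `if` would abort the whole script.
    if examples=$(psql_query "SELECT ' ' || scope FROM available_permissions ORDER BY scope LIMIT 5;"); then
      while read -r perm; do
        [[ -n "$perm" ]] || continue  # psql -t ends its output with a blank line
        log "$perm"
      done <<<"$examples"
    fi
  else
    warn "Could not access permission database"
  fi
else
  warn "Podman not available - skipping database checks"
fi

# Test 6: Create Test Application (demonstrates full flow)
log "Testing application creation flow..."
# Unique app_id per run so repeated runs do not collide on an existing record.
TEST_APP_DATA='{ "app_id": "sso-test-'$(date +%s)'", "app_link": "https://test.example.com", "type": ["static"], "callback_url": "https://test.example.com/callback", "token_prefix": "TEST", "token_renewal_duration": 604800000000000, "max_token_duration": 2592000000000000, "owner": {"type": "individual", "name": "SSO Test", "owner": "admin@example.com"} }'
# With pipefail the `if` now reflects the curl status as well as jq's, so the
# "request failed" branch is reachable when the API is down.
if NEW_APP=$(req "${HEADERS[@]}" -H "Content-Type: application/json" \
    -d "$TEST_APP_DATA" "$BASE_URL/api/applications" | jq -r '.app_id' 2>/dev/null); then
  if [[ "$NEW_APP" != "null" && -n "$NEW_APP" ]]; then
    pass "Application creation successful"
    log " Created app: $NEW_APP"
    # Test token creation
    TOKEN_DATA='{"owner": {"type": "individual", "name": "Test Token", "owner": "admin@example.com"}, "permissions": ["app.read"]}'
    if NEW_TOKEN=$(req "${HEADERS[@]}" -H "Content-Type: application/json" \
        -d "$TOKEN_DATA" "$BASE_URL/api/applications/$NEW_APP/tokens" | jq -r '.token' 2>/dev/null); then
      if [[ "$NEW_TOKEN" != "null" && -n "$NEW_TOKEN" ]]; then
        pass "Token creation successful"
        # Only a prefix is logged so the full secret does not land in CI logs.
        log " Created token: ${NEW_TOKEN:0:20}..."
      else
        warn "Token creation failed or returned null"
      fi
    else
      warn "Token creation request failed"
    fi
  else
    warn "Application creation returned null or empty result"
  fi
else
  warn "Application creation request failed"
fi

# Summary and Next Steps
echo -e "\n${BLUE}📋 Summary & Next Steps:${NC}"
echo -e "\n${GREEN}✅ Working Components:${NC}"
echo " • KMS API server"
echo " • Keycloak OAuth2/OIDC provider"
echo " • SAML IdP (SimpleSAMLphp)"
echo " • Header authentication (simulating SSO)"
echo " • Permission system"
echo " • Application & token management"
echo -e "\n${YELLOW}🔧 Missing Integrations:${NC}"
echo " • OAuth2 callback handler in KMS"
echo " • SAML assertion processing in KMS"
echo " • Frontend SSO login buttons"
echo " • Automatic permission mapping from SSO claims"
echo -e "\n${BLUE}🌐 Manual Testing URLs:${NC}"
# NOTE(review): the credentials echoed below are the ones this script's author
# uses for the local test stack - confirm they exist nowhere but local dev.
echo " • Keycloak Admin: $KEYCLOAK_URL (admin/admin)"
echo " • SAML Admin: $SAML_IDP_URL/simplesaml (admin/secret)"
echo " • KMS Frontend: http://localhost:3000"
echo " • OAuth2 Test: $KEYCLOAK_URL/realms/kms/protocol/openid-connect/auth?client_id=kms-api&response_type=code&redirect_uri=http://localhost:3000/callback&scope=openid"
echo -e "\n${BLUE}🧪 Test Commands:${NC}"
echo ' # Test header auth (simulates SSO result)'
echo ' curl -H "X-User-Email: admin@example.com" http://localhost:8081/api/applications'
echo ''
echo ' # Test OAuth2 discovery'
echo " curl $KEYCLOAK_URL/realms/kms/.well-known/openid-configuration"
echo ''
echo ' # Test SAML metadata'
echo " curl $SAML_IDP_URL/simplesaml/saml2/idp/metadata.php"

# The closing line and the exit status now follow the results instead of
# always claiming success.
if (( failures == 0 )); then
  echo -e "\n${GREEN}🎉 SSO infrastructure is ready for integration!${NC}"
else
  echo -e "\n${RED}❌ $failures check(s) failed - see the [FAIL] lines above${NC}"
  exit 1
fi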