#!/bin/bash
# Quick SSO Test Script - Tests current SSO setup
#
# Probes the locally running SSO stack (KMS API, Keycloak, SAML IdP) and
# prints one [PASS]/[FAIL]/[WARN] line per check. The service locations can
# be overridden through BASE_URL, KEYCLOAK_URL and SAML_IDP_URL.

set -e

# ANSI colour codes, stored as literal "\033..." text; they are rendered by
# the output helpers below, not at assignment time.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Service endpoints: environment wins, otherwise the local compose defaults.
BASE_URL=${BASE_URL:-http://localhost:8081}
KEYCLOAK_URL=${KEYCLOAK_URL:-http://localhost:8090}
SAML_IDP_URL=${SAML_IDP_URL:-http://localhost:8091}
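# Print an informational line to stdout. The message goes through '%s', so
# backslash sequences inside values copied from server responses (entity IDs,
# app IDs, ...) are printed verbatim instead of being interpreted as escapes.
log() { printf '%b[TEST]%b %s\n' "$BLUE" "$NC" "$1"; }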
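# Report a successful check. The message is emitted with '%s' so that text
# taken from network responses cannot inject terminal escape sequences.
pass() { printf '%b[PASS]%b %s\n' "$GREEN" "$NC" "$1"; }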
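# Report a failed check. Only the colour codes are interpreted ('%b'); the
# message itself is printed literally ('%s').
fail() { printf '%b[FAIL]%b %s\n' "$RED" "$NC" "$1"; }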
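# Report a non-fatal problem. Same escaping rule as log/pass/fail: the
# message is never subjected to backslash interpretation.
warn() { printf '%b[WARN]%b %s\n' "$YELLOW" "$NC" "$1"; }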
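echo -e "${BLUE}🧪 Quick SSO Test Suite${NC}\n"

# Test 1: Service Health Checks
log "Checking service health..."

# HTTP status code of a URL with the body discarded; "000" if no connection.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# The health endpoint is expected to answer with the literal body "healthy".
# URLs are quoted so an override containing spaces or glob characters cannot
# be split into several arguments.
if [ "$(curl -s "$BASE_URL/health")" = "healthy" ]; then
  pass "KMS API is healthy"
else
  fail "KMS API is not healthy"
fi

if curl -s -f "$KEYCLOAK_URL" > /dev/null; then
  pass "Keycloak is accessible"
else
  fail "Keycloak is not accessible"
fi

# `curl -f` already fails on HTTP >= 400, so the status-code branch is
# normally not reached once -f has failed; it is kept so the behaviour of the
# check stays as before.
if curl -s -f "$SAML_IDP_URL/simplesaml" > /dev/null; then
  pass "SAML IdP admin interface is accessible"
elif [ "$(http_status "$SAML_IDP_URL/simplesaml")" = "200" ]; then
  pass "SAML IdP is running (admin interface accessible)"
else
  warn "SAML IdP may not be properly configured"
fi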
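# Test 2: OAuth2/OIDC Discovery
log "Testing OAuth2/OIDC endpoints..."

DISCOVERY_URL="$KEYCLOAK_URL/realms/kms/.well-known/openid-configuration"

# Download the discovery document once and query it locally, instead of
# fetching it again for every field. An unreachable endpoint leaves the
# variable empty; the `|| ...` keeps `set -e` from aborting the whole run.
DISCOVERY_DOC=$(curl -s -f "$DISCOVERY_URL") || DISCOVERY_DOC=''

# `jq -e` exits non-zero when .authorization_endpoint is missing/null, so a
# 200 response with the wrong shape is also reported as a failure.
if [ -n "$DISCOVERY_DOC" ] && jq -e '.authorization_endpoint' > /dev/null 2>&1 <<<"$DISCOVERY_DOC"; then
  pass "OIDC discovery endpoint working"

  # Extract endpoints from the document already in memory.
  AUTH_ENDPOINT=$(jq -r '.authorization_endpoint' <<<"$DISCOVERY_DOC")
  TOKEN_ENDPOINT=$(jq -r '.token_endpoint' <<<"$DISCOVERY_DOC")

  log " Authorization: $AUTH_ENDPOINT"
  log " Token: $TOKEN_ENDPOINT"
else
  fail "OIDC discovery endpoint failed"
fi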
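# Test 3: SAML Metadata
log "Testing SAML endpoints..."

SAML_METADATA_URL="$SAML_IDP_URL/simplesaml/saml2/idp/metadata.php"

# Fetch the metadata once; empty on failure (guarded against `set -e`).
SAML_METADATA=$(curl -s -f "$SAML_METADATA_URL") || SAML_METADATA=''

# This only confirms that an EntityDescriptor document is served; it does
# not validate the XML or any signature on the metadata.
if grep -q "EntityDescriptor" <<<"$SAML_METADATA"; then
  pass "SAML metadata endpoint working"

  # Extract entity ID: first entityID="..." attribute in the document.
  # Plain `grep -o` + `sed` replace the GNU-only `grep -P ... \K` form so the
  # script also works with BSD/macOS grep.
  ENTITY_ID=$(grep -o 'entityID="[^"]*"' <<<"$SAML_METADATA" | head -n 1 | sed 's/^entityID="//; s/"$//')
  log " Entity ID: $ENTITY_ID"
else
  fail "SAML metadata endpoint failed"
fi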
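# Test 4: KMS API with Header Auth (simulates SSO result)
log "Testing KMS API with header authentication..."

# The X-User-Email header stands in for the identity an SSO layer would set.
# In this test the header is the whole credential, so the API endpoint being
# probed here must not be reachable except through whatever component sets
# that header in a real deployment — confirm that against the deployment.
HEADERS=(-H "X-User-Email: admin@example.com")

# One request, parsed locally; empty on HTTP/connection failure.
APPS_JSON=$(curl -s -f "${HEADERS[@]}" "$BASE_URL/api/applications") || APPS_JSON=''

# `jq -e` fails on a null/false/missing .count, so a 200 with an unexpected
# body is reported as a failure rather than as "null applications".
if [ -n "$APPS_JSON" ] && APP_COUNT=$(jq -e -r '.count' <<<"$APPS_JSON" 2>/dev/null); then
  pass "KMS API accepts header authentication"
  log " Found $APP_COUNT applications"
else
  fail "KMS API header authentication failed"
fi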
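# Test 5: Permission System Check
log "Testing permission system..."

# Database container and connection details for the direct table check.
# Overridable through the environment; defaults are the values the script
# previously hard-coded.
PG_CONTAINER="${PG_CONTAINER:-kms-postgres}"
PG_USER="${PG_USER:-postgres}"
PG_DB="${PG_DB:-kms}"

# Run one SQL statement inside the database container, tuples-only output.
# stderr is discarded on purpose: a missing container is reported by the
# caller as a warning, not as a stack of psql/podman errors.
kms_psql() {
  podman exec "$PG_CONTAINER" psql -U "$PG_USER" -d "$PG_DB" -t -c "$1" 2>/dev/null
}

if command -v podman >/dev/null 2>&1; then
  if PERM_COUNT=$(kms_psql "SELECT COUNT(*) FROM available_permissions;"); then
    pass "Permission system accessible"
    # psql -t pads the value with whitespace/newlines; strip them without
    # spawning echo+tr (and without word-splitting an unquoted variable).
    log " Available permissions: ${PERM_COUNT//[[:space:]]/}"

    # Show some example permissions
    log " Example permissions:"
    # `read -r` keeps any backslash in a scope name intact; leading
    # whitespace from psql is still trimmed, as before.
    while read -r perm; do
      log "$perm"
    done < <(kms_psql "SELECT ' ' || scope FROM available_permissions ORDER BY scope LIMIT 5;")
  else
    warn "Could not access permission database"
  fi
else
  warn "Podman not available - skipping database checks"
fi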
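# Test 6: Create Test Application (demonstrates full flow)
log "Testing application creation flow..."

# NOTE(review): this creates a real application named sso-test-<epoch> and a
# real token for it; nothing in this script deletes either afterwards.
TEST_APP_DATA='{
  "app_id": "sso-test-'"$(date +%s)"'",
  "app_link": "https://test.example.com",
  "type": ["static"],
  "callback_url": "https://test.example.com/callback",
  "token_prefix": "TEST",
  "token_renewal_duration": 604800000000000,
  "max_token_duration": 2592000000000000,
  "owner": {"type": "individual", "name": "SSO Test", "owner": "admin@example.com"}
}'

# The request and the JSON parsing are separated so that "request failed"
# really means curl failed; previously the `if` saw only jq's exit status
# (the last command of the pipeline), which masked connection errors.
if APP_RESPONSE=$(curl -s "${HEADERS[@]}" -H "Content-Type: application/json" -d "$TEST_APP_DATA" "$BASE_URL/api/applications"); then
  # `|| true`: a non-JSON body must not abort the script under `set -e`;
  # the empty/"null" check below reports it instead.
  NEW_APP=$(jq -r '.app_id' <<<"$APP_RESPONSE" 2>/dev/null || true)
  if [ "$NEW_APP" != "null" ] && [ -n "$NEW_APP" ]; then
    pass "Application creation successful"
    log " Created app: $NEW_APP"

    # Test token creation
    TOKEN_DATA='{"owner": {"type": "individual", "name": "Test Token", "owner": "admin@example.com"}, "permissions": ["app.read"]}'

    if TOKEN_RESPONSE=$(curl -s "${HEADERS[@]}" -H "Content-Type: application/json" -d "$TOKEN_DATA" "$BASE_URL/api/applications/$NEW_APP/tokens"); then
      NEW_TOKEN=$(jq -r '.token' <<<"$TOKEN_RESPONSE" 2>/dev/null || true)
      if [ "$NEW_TOKEN" != "null" ] && [ -n "$NEW_TOKEN" ]; then
        pass "Token creation successful"
        # Only the length is reported: the token is a live credential and
        # this output usually ends up in terminal scrollback or CI logs, so
        # no part of its value is printed.
        log " Created token: ${#NEW_TOKEN} characters (value not shown)"
      else
        warn "Token creation failed or returned null"
      fi
    else
      warn "Token creation request failed"
    fi
  else
    warn "Application creation returned null or empty result"
  fi
else
  warn "Application creation request failed"
fi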
# Summary and Next Steps
#
# NOTE: the lists below are static text; they do not reflect the outcome of
# the checks above. A [FAIL] earlier in the run still ends with this summary.
printf '\n%b📋 Summary & Next Steps:%b\n' "$BLUE" "$NC"

printf '\n%b✅ Working Components:%b\n' "$GREEN" "$NC"
cat <<EOF
 • KMS API server
 • Keycloak OAuth2/OIDC provider
 • SAML IdP (SimpleSAMLphp)
 • Header authentication (simulating SSO)
 • Permission system
 • Application & token management
EOF

printf '\n%b🔧 Missing Integrations:%b\n' "$YELLOW" "$NC"
cat <<EOF
 • OAuth2 callback handler in KMS
 • SAML assertion processing in KMS
 • Frontend SSO login buttons
 • Automatic permission mapping from SSO claims
EOF

printf '\n%b🌐 Manual Testing URLs:%b\n' "$BLUE" "$NC"
cat <<EOF
 • Keycloak Admin: $KEYCLOAK_URL (admin/admin)
 • SAML Admin: $SAML_IDP_URL/simplesaml (admin/secret)
 • KMS Frontend: http://localhost:3000
 • OAuth2 Test: $KEYCLOAK_URL/realms/kms/protocol/openid-connect/auth?client_id=kms-api&response_type=code&redirect_uri=http://localhost:3000/callback&scope=openid
EOF

printf '\n%b🧪 Test Commands:%b\n' "$BLUE" "$NC"
cat <<EOF
 # Test header auth (simulates SSO result)
 curl -H "X-User-Email: admin@example.com" http://localhost:8081/api/applications

 # Test OAuth2 discovery
 curl $KEYCLOAK_URL/realms/kms/.well-known/openid-configuration

 # Test SAML metadata
 curl $SAML_IDP_URL/simplesaml/saml2/idp/metadata.php
EOF

printf '\n%b🎉 SSO infrastructure is ready for integration!%b\n' "$GREEN" "$NC"