From 4c6dfa1378c22d2ebb4b8e271d2e000f98d2a2c2 Mon Sep 17 00:00:00 2001
From: BjornMagnussonXA
Date: Wed, 27 Apr 2022 16:03:01 +0200
Subject: [PATCH] Added test of client role to JWT tests
Issue-ID: NONRTRIC-744
Signed-off-by: BjornMagnussonXA
Change-Id: I6bbb5a05cecbfe5e3cbacdc8eb9bea6ae655e073
---
 test/auto-test/FTC1100.sh | 6 +-
 test/common/istio_api_functions.sh | 17 +++-
 test/common/keycloak_api_functions.sh | 108 ++++++++++++++++--------
 test/simulator-group/istio/ap-role-snippet.yaml | 3 +
 4 files changed, 92 insertions(+), 42 deletions(-)
 create mode 100644 test/simulator-group/istio/ap-role-snippet.yaml
diff --git a/test/auto-test/FTC1100.sh b/test/auto-test/FTC1100.sh
index 82bb8dd3..090481ac 100755
--- a/test/auto-test/FTC1100.sh
+++ b/test/auto-test/FTC1100.sh
@@ -106,6 +106,8 @@ if [ $USE_ISTIO -eq 1 ]; then
 keycloak_api_create_confidential_client nrtrealm icsc
 keycloak_api_generate_client_secret nrtrealm icsc
 keycloak_api_get_client_secret nrtrealm icsc
+ keycloak_api_create_client_roles nrtrealm icsc nrtrole
+ keycloak_api_map_client_roles nrtrealm icsc nrtrole
 keycloak_api_get_client_token nrtrealm icsc
@@ -119,13 +121,13 @@ if [ $USE_ISTIO -eq 1 ]; then
 istio_auth_policy_by_issuer $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY
 istio_req_auth_by_jwksuri $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
- istio_auth_policy_by_realm $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
+ istio_auth_policy_by_realm $PROD_STUB_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm icsc nrtrole
 istio_req_auth_by_jwks $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY "$KUBE_PROXY_ISTIO_JWKS_KEYS"
 istio_auth_policy_by_issuer $CR_APP_NAME $KUBE_SIM_NAMESPACE KUBEPROXY
 istio_req_auth_by_jwksuri $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
- istio_auth_policy_by_realm $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm
+ istio_auth_policy_by_realm $CR_APP_NAME $KUBE_SIM_NAMESPACE nrtrealm icsc nrtrole
 ics_configure_sec nrtrealm icsc $ICS_SEC
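Review bot: Both FTC1100 hunks only exercise the positive path: icsc is given nrtrole and both AuthorizationPolicies are created with the icsc/nrtrole pair, but nothing in these hunks obtains a token for a client that lacks the role and checks that such a request is rejected, so a policy whose role condition was silently ignored would still pass. If the surrounding script has no such step, a second confidential client without the keycloak_api_map_client_roles call, or a request made with its token against the same policy, would give the negative case that actually proves the role is enforced. The `if [ $USE_ISTIO -eq 1 ]` block these hunks belong to starts and ends outside them.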
diff --git a/test/common/istio_api_functions.sh b/test/common/istio_api_functions.sh
index 2afc3f9c..1eb73360 100644
--- a/test/common/istio_api_functions.sh
+++ b/test/common/istio_api_functions.sh
@@ -189,11 +189,11 @@ istio_req_auth_by_jwks() {
 }
 # Authorization policy - by realm
-# args:
+# args: [ ]
 istio_auth_policy_by_realm() {
 __log_conf_start $@
- if [ $# -ne 3 ]; then
- __print_err " " $@
+ if [ $# -ne 3 ] && [ $# -ne 5 ]; then
+ __print_err " [ ]" $@
 return 1
 fi
 name="ap-realm-"$3"-"$1"-"$2
@@ -208,6 +208,17 @@ istio_auth_policy_by_realm() {
 __log_conf_fail_general "Cannot substitute yaml: $inputfile"
 return 1
 fi
+ if [ $# -gt 3 ]; then
+ export ISTIO_TEMPLATE_REPLACE_AP_CLIENT=$4
+ export ISTIO_TEMPLATE_REPLACE_AP_ROLE=$5
+ inputfile=$SIM_GROUP/$ISTIO_COMPOSE_DIR/ap-role-snippet.yaml
+ envsubst < $inputfile >> $outputfile
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general "Cannot substitute yaml: $inputfile"
+ return 1
+ fi
+ fi
+
 kubectl $KUBECONF apply -f $outputfile &> tmp/kubeerr
 if [ $? -ne 0 ]; then
 __log_conf_fail_general "Cannot apply yaml: $outputfile"
diff --git a/test/common/keycloak_api_functions.sh b/test/common/keycloak_api_functions.sh
index 828dcb39..7f49595b 100644
--- a/test/common/keycloak_api_functions.sh
+++ b/test/common/keycloak_api_functions.sh
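Review bot: The new 5-argument branch in the second hunk exports ISTIO_TEMPLATE_REPLACE_AP_CLIENT and ISTIO_TEMPLATE_REPLACE_AP_ROLE into the shell's environment, where they outlive the call, so a later 3-argument invocation of istio_auth_policy_by_realm still carries the previous client/role values even though that path does not append the snippet; scoping them to the one command that needs them removes the stale state and quotes the paths at the same time: `ISTIO_TEMPLATE_REPLACE_AP_CLIENT=$4 ISTIO_TEMPLATE_REPLACE_AP_ROLE=$5 envsubst < "$inputfile" >> "$outputfile"`. The header comment in the first hunk should also say what the optional pair does, e.g. `# With client and role given, a when-condition on request.auth.claims[resource_access][client][roles] is appended to the policy`, since that is the only place a reader learns the 5-argument form changes what the policy matches. The start of the function between the two hunks and its tail after the kubectl apply are outside them.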
@@ -280,41 +280,6 @@ __execute_curl_to_keycloak() {
 return 0
 }
-# # Excute a curl cmd towards the keycloak and check the response code is 2XX.
-# # args:
-# # resp: if return code is 0 otherwise
-# __execute_curl_to_keycloak2() {
-
-# # TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
-# # echo "(${BASH_LINENO[0]}) - ${TIMESTAMP}: ${FUNCNAME[0]}" $@ >> $HTTPLOG
-# proxyflag=""
-# if [ ! -z "$KUBE_PROXY_PATH" ]; then
-# if [ $KUBE_PROXY_HTTPX == "http" ]; then
-# proxyflag=" --proxy $KUBE_PROXY_PATH"
-# else
-# proxyflag=" --proxy-insecure --proxy $KUBE_PROXY_PATH"
-# fi
-# fi
-# __cmd="curl -skw %{http_code} $proxyflag "$(< $1)
-# echo " CMD: $__cmd" >> $HTTPLOG
-# res=$(curl -skw %{http_code} $proxyflag $(< $1))
-# echo " RESP: $res" >> $HTTPLOG
-# retcode=$?
-# if [ $retcode -ne 0 ]; then
-# __log_conf_fail_general " Fatal error when executing curl, response: "$retcode
-# echo "$res"
-# return 1
-# fi
-# status=${res:${#res}-3}
-# if [ $status -lt 200 ] && [ $status -gt 299 ]; then
-# __log_conf_fail_status_code "2XX" $status
-# echo "$res"
-# return 1
-# fi
-# echo ${res:0:${#res}-3}
-# return 0
-# }
-
 # Excute a curl cmd towards the keycloak and check the response code is 2XX.
 # args:
 # resp: if return code is 0 otherwise
@@ -464,11 +429,11 @@ __keycloak_api_get_service_account_id() {
 TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
 echo "(${BASH_LINENO[0]}) - ${TIMESTAMP}: ${FUNCNAME[0]}" $@ >> $HTTPLOG
- res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/clients$2/service-account-user" "$__KEYCLOAK_ADMIN_TOKEN")
+ res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/clients/$2/service-account-user" "$__KEYCLOAK_ADMIN_TOKEN")
 if [ $? -ne 0 ]; then
 return 1
 fi
- echo $res | jq -r '.[0].id'
+ echo $res | jq -r '.id'
 return 0
 }
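Review bot: In the second hunk, `jq -r '.id'` prints the literal `null` and exits 0 when the response object carries no `id`, so __keycloak_api_get_service_account_id returns success with the string null as the service-account id, and the new role-mapping callers in this commit splice that straight into a `/users/<id>/role-mappings/...` URL; a guard such as `__id=$(jq -r '.id' <<<"$res"); [ -n "$__id" ] && [ "$__id" != "null" ] || return 1` before echoing would turn that into the failure it is. The unquoted `echo $res` also subjects the JSON body to word splitting and globbing, which the here-string form avoids. The first hunk is a pure deletion of commented-out code and needs nothing. The function's header and the lines before the timestamp are outside the hunk.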
@@ -543,6 +508,75 @@ keycloak_api_create_client_roles() {
 return 0
 }
+# Get client role id
+# args:
+__get_client_available_role_id() {
+ res=$(__execute_curl_to_keycloak2 GET "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$1/users/$2/role-mappings/clients/$3/available" "$__KEYCLOAK_ADMIN_TOKEN")
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting availiable client role id, response: "$?
+ return 1
+ fi
+ __client_role_id=$(echo $res | jq -r '.[] | select(.name=="'$4'") | .id ')
+ echo $__client_role_id
+ return 0
+}
+
+# Map roles to a client
+# args: +
+keycloak_api_map_client_roles() {
+ __log_conf_start $@
+ __c_id=$(__keycloak_api_get_client_id $1 $2)
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting client id, response: "$?
+ return 1
+ fi
+ __sa_id=$(__keycloak_api_get_service_account_id $1 $__c_id)
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting service account id, response: "$?
+ return 1
+ fi
+ __realm=$1
+ shift; shift;
+ __json="["
+ __cntr=0
+ while [ $# -gt 0 ]; do
+ __client_role_id=$(__get_client_available_role_id $__realm $__sa_id $__c_id $1)
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when getting client role id, response: "$?
+ return 1
+ fi
+ __role='{"name":"'$1'","id":"'$__client_role_id'","composite": false,"clientRole": true}'
+ if [ $__cntr -gt 0 ]; then
+ __json=$__json","
+ fi
+ __json=$__json$__role
+ let __cntr=__cntr+1
+ shift
+ done
+ __json=$__json"]"
+
+ res=$(__execute_curl_to_keycloak2 POST "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$__realm/users/$__sa_id/role-mappings/clients/$__c_id" "$__KEYCLOAK_ADMIN_TOKEN" "$__json")
+ if [ $? -ne 0 ]; then
+ __log_conf_fail_general " Fatal error when mapping client roles, response: "$?
+ return 1
+ fi
+
+
+
+
+ # while [ $# -gt 0 ]; do
+ # __json='{"name":"'$1'"}'
+ # res=$(__execute_curl_to_keycloak2 POST "$KEYCLOAK_SERVICE_PATH$KEYCLOAK_REALM_URL_PREFIX/$__realm/clients/$__c_id/roles" "$__KEYCLOAK_ADMIN_TOKEN" "$__json")
+ # if [ $? -ne 0 ]; then
+ # __log_conf_fail_general " Fatal error when adding client role, response: "$?
+ # return 1
+ # fi
+ # shift
+ # done
+ __log_conf_ok
+ return 0
+}
+
 # Get a client token
 # args:
 keycloak_api_get_client_token() {
diff --git a/test/simulator-group/istio/ap-role-snippet.yaml b/test/simulator-group/istio/ap-role-snippet.yaml
new file mode 100644
index 00000000..0107a4f6
--- /dev/null
+++ b/test/simulator-group/istio/ap-role-snippet.yaml
@@ -0,0 +1,3 @@
+ when:
+ - key: request.auth.claims[resource_access][${ISTIO_TEMPLATE_REPLACE_AP_CLIENT}][roles]
+ values: ["${ISTIO_TEMPLATE_REPLACE_AP_ROLE}"]
--
2.16.6
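Review bot: All four `__log_conf_fail_general " Fatal error ... response: "$?` lines in the new __get_client_available_role_id and keycloak_api_map_client_roles log the status of the preceding `[ $? -ne 0 ]` test, which is 0 inside the then-branch, so the "response" value never shows the failing command's status; capture it first, `__rc=$?` directly after each `res=$(...)`/`__c_id=$(...)`/`__sa_id=$(...)`/`__client_role_id=$(...)` assignment, then `if [ $__rc -ne 0 ]; then` and `... response: "$__rc` (the message's `availiable` is also misspelt). In __get_client_available_role_id the role name is interpolated into the jq program text and the empty-result case is unchecked: when the name is not in the `available` list (presumably because the role is already mapped), `__client_role_id` is empty and the POST body is built with `"id":""`; `__client_role_id=$(jq -r --arg n "$4" '.[] | select(.name==$n) | .id' <<<"$res")` followed by `[ -n "$__client_role_id" ] || return 1` covers both. The commented-out `# while` block and the blank lines left in keycloak_api_map_client_roles are dead code of the kind this same commit removes from __execute_curl_to_keycloak2 and could be dropped too.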