feat(lab-04): Keycloak SSO hub — OIDC/SAML clients, ROPC, refresh, introspection, MailHog

RedjiJB · RedjiJB · commit e382c732f46a · 2026-02-28T15:19:28.000-05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -181,4 +181,34 @@ jobs:
 
       - name: Cleanup
         if: always()
-        run: docker compose -f docker/docker-compose.advanced.yml down -v
+        run: docker compose -f docker/docker-compose.advanced.yml down -v
+
+  lab-04-smoke:
+    name: Lab 04 — Full OIDC/SAML Hub (ROPC, refresh, introspection, SAML)
+    runs-on: ubuntu-latest
+    needs: validate
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install tools
+        run: sudo apt-get install -y netcat-openbsd curl
+
+      - name: Start SSO stack (keycloak + db + oidc-test-app + mailhog)
+        run: docker compose -f docker/docker-compose.sso.yml up -d
+
+      - name: Wait for Keycloak
+        run: timeout 200 bash -c 'until curl -sf http://localhost:8080/health/ready | grep -q UP; do sleep 5; done'
+
+      - name: Run Lab 02-04 test script
+        env:
+          KC_PASS: "Lab04Password!"
+        run: bash tests/labs/test-lab-02-04.sh
+
+      - name: Collect logs on failure
+        if: failure()
+        run: docker compose -f docker/docker-compose.sso.yml logs
+
+      - name: Cleanup
+        if: always()
+        run: docker compose -f docker/docker-compose.sso.yml down -v
diff --git a/docker/docker-compose.sso.yml b/docker/docker-compose.sso.yml
@@ -1,34 +1,76 @@
-# Lab 04 — SSO Integration: keycloak with Keycloak OIDC authentication
----
 services:
-  keycloak:
-    image: quay.io/keycloak/keycloak:24
-    container_name: it-stack-keycloak
-    restart: unless-stopped
-    ports:
-      - "8080:$firstPort"
+
+  # ── Keycloak DB (internal) ─────────────────────────────────────────
+  keycloak-db:
+    image: postgres:16-alpine
     environment:
-      - IT_STACK_ENV=lab-04-sso
-      - KEYCLOAK_URL=
-      - KEYCLOAK_REALM=
-      - KEYCLOAK_CLIENT_ID=keycloak
-      - KEYCLOAK_CLIENT_SECRET=
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: kcadmin
+      POSTGRES_PASSWORD: Lab04Password!
     networks:
-      - it-stack-net
+      - kc-db-net
+    volumes:
+      - kc-db-sso:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U kcadmin -d keycloak"]
+      interval: 5s
+      timeout: 3s
+      retries: 20
 
-  # Local Keycloak reference instance for SSO lab (replace with lab-id1 in real env)
-  keycloak-sso:
-    image: quay.io/keycloak/keycloak:24
-    container_name: it-stack-keycloak-sso
+  # ── Keycloak SSO hub ───────────────────────────────────────────────
+  keycloak:
+    image: quay.io/keycloak/keycloak:24.0
     command: start-dev
+    depends_on:
+      keycloak-db:
+        condition: service_healthy
     environment:
-      KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_BOOTSTRAP_ADMIN_USERNAME: admin
+      KC_BOOTSTRAP_ADMIN_PASSWORD: Lab04Password!
+      KC_DB: postgres
+      KC_DB_URL: "jdbc:postgresql://keycloak-db:5432/keycloak"
+      KC_DB_USERNAME: kcadmin
+      KC_DB_PASSWORD: Lab04Password!
+      KC_HTTP_PORT: "8080"
+      KC_HOSTNAME_STRICT: "false"
+      KC_PROXY: edge
+      # Enable all required features for lab
+      KC_FEATURES: token-exchange,admin-fine-grained-authz
     ports:
       - "8080:8080"
     networks:
-      - it-stack-net
+      - kc-app-net
+      - kc-db-net
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:8080/health/ready || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 30
+      start_period: 60s
+
+  # ── Test OIDC client app (simulates resource server) ──────────────
+  oidc-test-app:
+    image: traefik/whoami:latest
+    networks:
+      - kc-app-net
+    ports:
+      - "9000:80"
+
+  # ── MailHog for email verification flows ──────────────────────────
+  mailhog:
+    image: mailhog/mailhog:latest
+    ports:
+      - "1025:1025"
+      - "8025:8025"
+    networks:
+      - kc-app-net
 
 networks:
-  it-stack-net:
+  kc-app-net:
+    driver: bridge
+  kc-db-net:
     driver: bridge
+    internal: true
+
+volumes:
+  kc-db-sso:
diff --git a/tests/labs/test-lab-02-04.sh b/tests/labs/test-lab-02-04.sh
@@ -1,71 +1,142 @@
 #!/usr/bin/env bash
-# test-lab-02-04.sh — Lab 02-04: SSO Integration
-# Module 02: Keycloak OAuth2/OIDC/SAML SSO provider
-# keycloak with Keycloak OIDC/SAML authentication
+# test-lab-02-04.sh — Keycloak Lab 04: Full OIDC/SAML SSO Hub
+# Tests: realm config, OIDC client flows, SAML metadata, ROPC grant,
+#        refresh tokens, JWT decode, token introspection, MailHog email
 set -euo pipefail
 
-LAB_ID="02-04"
-LAB_NAME="SSO Integration"
-MODULE="keycloak"
-COMPOSE_FILE="docker/docker-compose.sso.yml"
-PASS=0
-FAIL=0
-
-# ── Colors ────────────────────────────────────────────────────────────────────
-RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'
-CYAN='\033[0;36m'; NC='\033[0m'
-
-pass() { echo -e "${GREEN}[PASS]${NC} $1"; ((PASS++)); }
-fail() { echo -e "${RED}[FAIL]${NC} $1"; ((FAIL++)); }
-info() { echo -e "${CYAN}[INFO]${NC} $1"; }
-warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
-
-echo -e "${CYAN}======================================${NC}"
-echo -e "${CYAN} Lab ${LAB_ID}: ${LAB_NAME}${NC}"
-echo -e "${CYAN} Module: ${MODULE}${NC}"
-echo -e "${CYAN}======================================${NC}"
-echo ""
-
-# ── PHASE 1: Setup ────────────────────────────────────────────────────────────
-info "Phase 1: Setup"
-docker compose -f "${COMPOSE_FILE}" up -d
-info "Waiting 30s for ${MODULE} to initialize..."
-sleep 30
-
-# ── PHASE 2: Health Checks ────────────────────────────────────────────────────
-info "Phase 2: Health Checks"
-
-if docker compose -f "${COMPOSE_FILE}" ps | grep -q "running\|Up"; then
-    pass "Container is running"
+PASS=0; FAIL=0
+KC_PASS="${KC_PASS:-Lab04Password!}"
+KC_URL="http://localhost:8080"
+REALM="it-stack"
+
+pass()  { ((++PASS)); echo "  [PASS] $1"; }
+fail()  { ((++FAIL)); echo "  [FAIL] $1"; }
+warn()  { echo "  [WARN] $1"; }
+header(){ echo; echo "=== $1 ==="; }
+
+kc_token() {
+  curl -sf -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
+    -d "client_id=admin-cli&grant_type=password&username=admin&password=${KC_PASS}" \
+    | grep -o '"access_token":"[^"]*"' | cut -d'"' -f4
+}
+
+header "1. Keycloak Health"
+if curl -sf "$KC_URL/health/ready" | grep -q '"status":"UP"'; then
+  pass "Keycloak /health/ready UP"
+else
+  fail "Keycloak not ready"; exit 1
+fi
+
+header "2. Admin Authentication"
+TOKEN=$(kc_token)
+[[ -n "$TOKEN" ]] && pass "Admin token from master realm" || { fail "Admin auth failed"; exit 1; }
+
+header "3. Realm Creation + Config"
+curl -sf -X POST "$KC_URL/admin/realms" \
+  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
+  -d "{\"realm\":\"$REALM\",\"enabled\":true,\"displayName\":\"IT-Stack\",
+       \"bruteForceProtected\":true,\"ssoSessionMaxLifespan\":86400}" \
+  -o /dev/null && pass "Realm '$REALM' created" || warn "Realm may exist"
+
+TOKEN=$(kc_token)
+REALM_INFO=$(curl -sf "$KC_URL/admin/realms/$REALM" -H "Authorization: Bearer $TOKEN")
+echo "$REALM_INFO" | grep -q '"enabled":true' && pass "Realm is enabled" || fail "Realm not enabled"
+echo "$REALM_INFO" | grep -q '"bruteForceProtected":true' && pass "Brute force protection enabled" || fail "Brute force not enabled"
+
+header "4. OIDC Client (confidential + service account + ROPC)"
+TOKEN=$(kc_token)
+STATUS=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$KC_URL/admin/realms/$REALM/clients" \
+  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
+  -d "{\"clientId\":\"oidc-client\",\"secret\":\"$KC_PASS\",\"publicClient\":false,
+       \"serviceAccountsEnabled\":true,\"directAccessGrantsEnabled\":true,
+       \"redirectUris\":[\"http://localhost:9000/*\"],\"enabled\":true}")
+[[ "$STATUS" =~ ^(201|409)$ ]] && pass "OIDC client 'oidc-client' ready (HTTP $STATUS)" || fail "OIDC client failed (HTTP $STATUS)"
+
+header "5. SAML Client Registration"
+TOKEN=$(kc_token)
+STATUS=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$KC_URL/admin/realms/$REALM/clients" \
+  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
+  -d "{\"clientId\":\"saml-client\",\"protocol\":\"saml\",
+       \"redirectUris\":[\"http://localhost:9001/*\"],\"enabled\":true}")
+[[ "$STATUS" =~ ^(201|409)$ ]] && pass "SAML client 'saml-client' ready (HTTP $STATUS)" || fail "SAML client failed (HTTP $STATUS)"
+
+header "6. Test User Creation"
+TOKEN=$(kc_token)
+STATUS=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$KC_URL/admin/realms/$REALM/users" \
+  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
+  -d "{\"username\":\"labuser\",\"enabled\":true,\"email\":\"labuser@lab.local\",
+       \"emailVerified\":true,\"firstName\":\"Lab\",\"lastName\":\"User\",
+       \"credentials\":[{\"type\":\"password\",\"value\":\"$KC_PASS\",\"temporary\":false}]}")
+[[ "$STATUS" =~ ^(201|409)$ ]] && pass "User 'labuser' ready (HTTP $STATUS)" || fail "User creation failed (HTTP $STATUS)"
+
+header "7. Client Credentials Grant (OAuth2 M2M)"
+SA_TOKEN=$(curl -sf -X POST "$KC_URL/realms/$REALM/protocol/openid-connect/token" \
+  -d "client_id=oidc-client&client_secret=${KC_PASS}&grant_type=client_credentials" \
+  | grep -o '"access_token":"[^"]*"' | cut -d'"' -f4)
+[[ -n "$SA_TOKEN" ]] && pass "Client credentials grant: access token obtained" || fail "Client credentials grant failed"
+
+header "8. JWT Structure + Claims"
+IFS='.' read -ra P <<< "$SA_TOKEN"
+[[ "${#P[@]}" -eq 3 ]] && pass "JWT has 3 parts (header.payload.sig)" || fail "Invalid JWT structure"
+if [[ "${#P[@]}" -eq 3 ]]; then
+  PAD=$(( 4 - ${#P[1]} % 4 )); [[ "$PAD" -lt 4 ]] && P[1]+=$(printf '%0.s=' $(seq 1 $PAD))
+  PAYLOAD=$(echo "${P[1]}" | base64 -d 2>/dev/null || true)
+  for claim in iss exp iat; do
+    echo "$PAYLOAD" | grep -q "\"$claim\"" && pass "JWT claim '$claim' present" || fail "JWT missing '$claim'"
+  done
+fi
+
+header "9. Resource Owner Password Credentials (user login)"
+ROPC=$(curl -sf -X POST "$KC_URL/realms/$REALM/protocol/openid-connect/token" \
+  -d "client_id=oidc-client&client_secret=${KC_PASS}&grant_type=password&username=labuser&password=${KC_PASS}" \
+  2>/dev/null || echo "{}")
+echo "$ROPC" | grep -q '"access_token"' && pass "ROPC grant: user token obtained" || fail "ROPC grant failed"
+REFRESH=$(echo "$ROPC" | grep -o '"refresh_token":"[^"]*"' | cut -d'"' -f4 || true)
+
+header "10. Token Refresh"
+if [[ -n "$REFRESH" ]]; then
+  REFRESHED=$(curl -sf -X POST "$KC_URL/realms/$REALM/protocol/openid-connect/token" \
+    -d "client_id=oidc-client&client_secret=${KC_PASS}&grant_type=refresh_token&refresh_token=${REFRESH}" \
+    | grep -o '"access_token":"[^"]*"' | cut -d'"' -f4 || true)
+  [[ -n "$REFRESHED" ]] && pass "Token refresh succeeded" || fail "Token refresh failed"
 else
-    fail "Container is not running"
+  fail "No refresh token to test"
 fi
 
-# ── PHASE 3: Functional Tests ─────────────────────────────────────────────────
-info "Phase 3: Functional Tests (Lab 04 — SSO Integration)"
-
-# TODO: Add module-specific functional tests here
-# Example:
-# if curl -sf http://localhost:8080/health > /dev/null 2>&1; then
-#     pass "Health endpoint responds"
-# else
-#     fail "Health endpoint not reachable"
-# fi
-
-warn "Functional tests for Lab 02-04 pending implementation"
-
-# ── PHASE 4: Cleanup ──────────────────────────────────────────────────────────
-info "Phase 4: Cleanup"
-docker compose -f "${COMPOSE_FILE}" down -v --remove-orphans
-info "Cleanup complete"
-
-# ── Results ───────────────────────────────────────────────────────────────────
-echo ""
-echo -e "${CYAN}======================================${NC}"
-echo -e " Lab ${LAB_ID} Complete"
-echo -e " ${GREEN}PASS: ${PASS}${NC} | ${RED}FAIL: ${FAIL}${NC}"
-echo -e "${CYAN}======================================${NC}"
-
-if [ "${FAIL}" -gt 0 ]; then
-    exit 1
+header "11. Token Introspection"
+TOKEN=$(kc_token)
+INTRO=$(curl -sf -X POST "$KC_URL/realms/$REALM/protocol/openid-connect/token/introspect" \
+  -u "oidc-client:${KC_PASS}" -d "token=${SA_TOKEN}" | grep -o '"active":[a-z]*')
+echo "$INTRO" | grep -q '"active":true' && pass "Token introspection: active=true" || fail "Token not active"
+
+header "12. OIDC Discovery"
+DISC=$(curl -sf "$KC_URL/realms/$REALM/.well-known/openid-configuration")
+for f in token_endpoint authorization_endpoint jwks_uri userinfo_endpoint introspection_endpoint; do
+  echo "$DISC" | grep -q "\"$f\"" && pass "Discovery: $f present" || fail "Discovery missing $f"
+done
+
+header "13. SAML Metadata Endpoint"
+SAML_META=$(curl -sf "$KC_URL/realms/$REALM/protocol/saml/descriptor")
+echo "$SAML_META" | grep -q "EntityDescriptor\|IDPSSODescriptor" \
+  && pass "SAML metadata XML returned" || fail "SAML metadata not available"
+
+header "14. Client List (verify both OIDC + SAML present)"
+TOKEN=$(kc_token)
+CLIENTS=$(curl -sf "$KC_URL/admin/realms/$REALM/clients" -H "Authorization: Bearer $TOKEN")
+echo "$CLIENTS" | grep -q '"oidc-client"' && pass "OIDC client visible in realm" || fail "OIDC client not found"
+echo "$CLIENTS" | grep -q '"saml-client"' && pass "SAML client visible in realm" || fail "SAML client not found"
+
+header "15. MailHog Email Sink"
+if curl -sf http://localhost:8025/ -o /dev/null; then
+  pass "MailHog UI accessible (:8025)"
+  curl -sf http://localhost:8025/api/v2/messages | grep -q '"total"' \
+    && pass "MailHog API v2 messages endpoint works" || fail "MailHog API failed"
+else
+  fail "MailHog not accessible"
 fi
+
+echo
+echo "═══════════════════════════════════════"
+echo " Lab 02-04 Results: $PASS passed, $FAIL failed"
+echo "═══════════════════════════════════════"
+[[ "$FAIL" -eq 0 ]]
