test: adding e2e test for oidc authentication flow (#273)

Signed-off-by: Kush Sharma <thekushsharma@gmail.com>

Author: kushsharma

.goreleaser.yml

@@ -56,7 +56,7 @@ dockers:
     dockerfile: Dockerfile
     image_templates:
       - "docker.io/raystack/{{.ProjectName}}:latest"
-      - "docker.io/raystack/{{.ProjectName}}:{{ .Version }}"
+      - "docker.io/raystack/{{.ProjectName}}:{{ .Tag }}"
       - "docker.io/raystack/{{.ProjectName}}:{{ .Tag }}-amd64"
   - goos: linux
     goarch: arm64

README.md

@@ -12,7 +12,7 @@ Shield is a cloud native role-based authorization aware system. With Shield, you
 
 ## Key Features
 
-Discover why users choose Shield as their authorization proxy
+Discover why users choose Shield as their authorization server
 
 - **Authentication**: It supports multiple authentication strategies like Email OTP, Social Login(Google/Github) for human users and API keys, RSA JWT based for machine users.
 - **Authorization**: Policies bind a user to its access level. It assigns various roles to users/groups that determine their access to various resources
@@ -87,7 +87,7 @@ docker pull raystack/shield:latest
 To pull a specific version:
 
 ```
-docker pull raystack/shield:v0.3.2
+docker pull raystack/shield:v0.6.2-arm64
 ```
 
 If you like to have a shell alias that runs the latest version of shield from docker whenever you type `shield`:

cmd/root.go

@@ -10,9 +10,9 @@ import (
 func New(cliConfig *Config) *cli.Command {
 	var cmd = &cli.Command{
 		Use:   "shield <command> <subcommand> [flags]",
-		Short: "A cloud native role-based authorization aware reverse-proxy service",
+		Short: "A cloud native role-based authorization server",
 		Long: heredoc.Doc(`
-			A cloud native role-based authorization aware reverse-proxy service.`),
+			A cloud native role-based authorization server.`),
 		SilenceUsage:  true,
 		SilenceErrors: true,
 		Annotations: map[string]string{

docs/docs/installation.md

@@ -56,7 +56,7 @@ $ docker pull raystack/shield
 To pull a specific version:
 
 ```sh
-$ docker pull raystack/shield:v0.5.1
+$ docker pull raystack/shield:v0.6.2-arm64
 ```
 
 To run the docker image with minimum configurations:

docs/docs/introduction.md

@@ -17,11 +17,14 @@ Shield by Raystack is a role-based cloud-native user management system and autho
 
 Here are the steps to work with Shield.
 
-1. Configure policies: This step involves definition of resource types that will exist in the connected backend. User can also configure the roles and permissions that exist.
-
-2. Configure rules: This step involves defining the authorization(via authz middleware) and resource creation(via hook) for each path in the backend.
-
-3. Making Shield proxy request: User can now hit at the shield server followed by the url path.
+1. Configure shield: Shield has various tuning parameters that can be configured to suit the needs of the organization. 
+This includes the configuration of the database, OIDC provider, email provider, etc.
+2. Configure policies: This step involves definition of resource types that will exist in the connected backend. 
+A resource is a protected backend service for example an order management service or user picture library. User can 
+also configure the roles and permissions to be assigned to the users.
+3. Connecting frontend: Shield provides a set of APIs that can be used by the frontend to authenticate, authorize and
+manage users. The frontend can be a web application, mobile application or any other application that can make HTTP
+requests.
 
 ## Key Features
 
@@ -47,7 +50,7 @@ You can manage relation creation, checking authorization on a resource and much
 
 ### Admin Portal
 
-Besides HTTP APIs and CLI tool, Shield provides an provides an out-of-the-box UI for admins to configure SSO for the clients and manage roles, users, groups and organisations in one place.
+Besides HTTP APIs and CLI tool, Shield provides an out-of-the-box UI for admins to configure SSO for the clients and manage roles, users, groups and organisations in one place.
 
 ## Where to go from here
 

go.mod

@@ -30,6 +30,7 @@ require (
 	github.com/mcuadros/go-defaults v1.2.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/newrelic/go-agent v3.20.2+incompatible
+	github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282
 	github.com/ory/dockertest v3.3.5+incompatible
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/pkg/errors v0.9.1
@@ -56,8 +57,10 @@ require (
 
 require (
 	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/oklog/run v1.1.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 )
 
 require (

go.sum

@@ -1136,6 +1136,7 @@ github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
@@ -1756,6 +1757,8 @@ github.com/newrelic/go-agent v3.20.2+incompatible/go.mod h1:a8Fv1b/fYhFSReoTU6HD
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
+github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282 h1:TQMyrpijtkFyXpNI3rY5hsZQZw+paiH+BfAlsb81HBY=
+github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282/go.mod h1:rW25Kyd08Wdn3UVn0YBsDTSvReu0jqpmJKzxITPSjks=
 github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
@@ -2297,6 +2300,7 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
@@ -3124,6 +3128,8 @@ gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/telebot.v3 v3.0.0/go.mod h1:7rExV8/0mDDNu9epSrDm/8j22KLaActH1Tbee6YjzWg=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=

internal/api/v1beta1/user.go

@@ -498,6 +498,7 @@ func transformUserToPB(usr user.User) (*shieldv1beta1.User, error) {
 		Email:     usr.Email,
 		Name:      usr.Name,
 		Metadata:  metaData,
+		State:     usr.State.String(),
 		CreatedAt: timestamppb.New(usr.CreatedAt),
 		UpdatedAt: timestamppb.New(usr.UpdatedAt),
 	}, nil

test/e2e/regression/authentication_test.go

@@ -0,0 +1,169 @@
+package e2e_test
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/golang/protobuf/jsonpb"
+
+	"github.com/oauth2-proxy/mockoidc"
+	"github.com/raystack/shield/config"
+	"github.com/raystack/shield/core/authenticate"
+	"github.com/raystack/shield/pkg/logger"
+	"github.com/raystack/shield/pkg/server"
+	shieldv1beta1 "github.com/raystack/shield/proto/v1beta1"
+	"github.com/raystack/shield/test/e2e/testbench"
+	"github.com/stretchr/testify/suite"
+)
+
+type AuthenticationRegressionTestSuite struct {
+	suite.Suite
+	testBench      *testbench.TestBench
+	apiPort        int
+	mockOIDCServer *mockoidc.MockOIDC
+	callbackPort   int
+}
+
+func (s *AuthenticationRegressionTestSuite) SetupSuite() {
+	wd, err := os.Getwd()
+	s.Require().Nil(err)
+	testDataPath := path.Join("file://", wd, fixturesDir)
+
+	apiPort, err := testbench.GetFreePort()
+	s.Require().NoError(err)
+	grpcPort, err := testbench.GetFreePort()
+	s.Require().NoError(err)
+	s.apiPort = apiPort
+	callbackPort, err := testbench.GetFreePort()
+	s.Require().NoError(err)
+	s.callbackPort = callbackPort
+
+	s.mockOIDCServer, err = mockoidc.Run()
+	s.Require().NoError(err)
+
+	// mock callback host
+
+	appConfig := &config.Shield{
+		Log: logger.Config{
+			Level: "error",
+		},
+		App: server.Config{
+			Host: "localhost",
+			Port: apiPort,
+			GRPC: server.GRPCConfig{
+				Port:           grpcPort,
+				MaxRecvMsgSize: 2 << 10,
+				MaxSendMsgSize: 2 << 10,
+			},
+			ResourcesConfigPath: path.Join(testDataPath, "resource"),
+			Authentication: authenticate.Config{
+				Session: authenticate.SessionConfig{
+					HashSecretKey:  "hash-secret-should-be-32-chars--",
+					BlockSecretKey: "hash-secret-should-be-32-chars--",
+				},
+				Token: authenticate.TokenConfig{
+					RSAPath: "testdata/jwks.json",
+					Issuer:  "shield",
+				},
+				OIDCConfig: map[string]authenticate.OIDCConfig{
+					"mock": {
+						ClientID:     s.mockOIDCServer.Config().ClientID,
+						ClientSecret: s.mockOIDCServer.Config().ClientSecret,
+						IssuerUrl:    s.mockOIDCServer.Issuer(),
+					},
+				},
+				OIDCCallbackHost: fmt.Sprintf("http://localhost:%d/callback", s.callbackPort),
+			},
+		},
+	}
+
+	s.testBench, err = testbench.Init(appConfig)
+	s.Require().NoError(err)
+}
+
+func (s *AuthenticationRegressionTestSuite) TearDownSuite() {
+	err := s.testBench.Close()
+	s.Require().NoError(err)
+	err = s.mockOIDCServer.Shutdown()
+	s.Require().NoError(err)
+}
+
+func (s *AuthenticationRegressionTestSuite) TestUserSession() {
+	ctx := context.Background()
+	s.Run("1. return authenticate strategies of oidc", func() {
+		authStrategyResp, err := s.testBench.Client.ListAuthStrategies(ctx, &shieldv1beta1.ListAuthStrategiesRequest{})
+		s.Assert().NoError(err)
+		s.Assert().Equal("mock", authStrategyResp.GetStrategies()[0].GetName())
+	})
+	s.Run("2. authenticate a user successfully using oidc and create a session via cookies", func() {
+		// start registration flow
+		authResp, err := s.testBench.Client.Authenticate(ctx, &shieldv1beta1.AuthenticateRequest{
+			StrategyName: "mock",
+			Redirect:     false,
+			ReturnTo:     "",
+			Email:        mockoidc.DefaultUser().Email,
+		})
+		s.Assert().NoError(err)
+		s.Assert().NotNil(authResp.Endpoint)
+
+		// mock oidc code
+		parsedEndpoint, err := url.Parse(authResp.Endpoint)
+		s.Assert().NoError(err)
+		mockAuth0Code := "012345"
+		s.mockOIDCServer.QueueCode(mockAuth0Code)
+
+		// prepare mock callback server
+		callbackMux := http.NewServeMux()
+		callbackMux.Handle("/callback", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			code := r.URL.Query().Get("code")
+			state := r.URL.Query().Get("state")
+			s.Assert().Equal(mockAuth0Code, code)
+			s.Assert().Equal(parsedEndpoint.Query().Get("state"), state)
+			w.WriteHeader(http.StatusOK)
+		}))
+		srv := &http.Server{
+			Addr:    fmt.Sprintf("localhost:%d", s.callbackPort),
+			Handler: callbackMux,
+		}
+		// clean up callback server
+		defer srv.Shutdown(ctx)
+		go func() {
+			if err := srv.ListenAndServe(); err != http.ErrServerClosed {
+				s.Assert().NoError(err)
+			}
+		}()
+
+		// start session in oidc server
+		endpointRes, err := http.Get(authResp.Endpoint)
+		s.Assert().NoError(err)
+		s.Assert().Equal(http.StatusOK, endpointRes.StatusCode)
+
+		// callback to shield and get valid cookies
+		authCallbackFinalResp, err := http.Get(fmt.Sprintf("http://localhost:%d/v1beta1/auth/callback?code=%s&state=%s",
+			s.apiPort, mockAuth0Code, parsedEndpoint.Query().Get("state")))
+		s.Assert().NoError(err)
+		s.Assert().Equal(http.StatusOK, authCallbackFinalResp.StatusCode)
+		s.Assert().Equal("sid", authCallbackFinalResp.Cookies()[0].Name)
+
+		// verify if session is created
+		getUserReq, _ := http.NewRequest("GET", fmt.Sprintf("http://localhost:%d/v1beta1/users/self", s.apiPort), nil)
+		getUserReq.AddCookie(authCallbackFinalResp.Cookies()[0])
+
+		userResp, err := http.DefaultClient.Do(getUserReq)
+		s.Assert().NoError(err)
+		s.Assert().Equal(http.StatusOK, userResp.StatusCode)
+
+		user := &shieldv1beta1.GetCurrentUserResponse{}
+		s.Assert().NoError(jsonpb.Unmarshal(userResp.Body, user))
+		s.Assert().Equal(mockoidc.DefaultUser().Email, user.GetUser().Email)
+	})
+}
+
+func TestEndToEndAuthenticationRegressionTestSuite(t *testing.T) {
+	suite.Run(t, new(AuthenticationRegressionTestSuite))
+}