Use TLS + truststore with Keycloak for API OIDC tests

Signed-off-by: Michael Edgar <[email protected]>

api/src/main/java/com/github/streamshub/console/api/security/OidcTenantConfigResolver.java

@@ -2,7 +2,9 @@
 
 import java.io.File;
 import java.io.FileOutputStream;
+import java.io.IOException;
 import java.io.OutputStream;
+import java.io.UncheckedIOException;
 import java.security.KeyStore;
 import java.util.List;
 import java.util.Optional;
@@ -37,7 +39,7 @@ public class OidcTenantConfigResolver implements TenantConfigResolver {
     Logger logger;
 
     @Inject
-    @ConfigProperty(name = "console.work-path", defaultValue = "${java.io.tmpdir}")
+    @ConfigProperty(name = "console.work-path")
     String workPath;
 
     @Inject
@@ -75,24 +77,27 @@ Optional<TlsConfiguration> getTlsConfiguration() {
     }
 
     void configureTruststore(KeyStore truststore) {
-        String filename = "%s%s%s-truststore.%s".formatted(
-                workPath,
-                File.separator,
-                UUID.randomUUID().toString(),
-                truststore.getType()
-        );
-        File file = new File(filename);
+        File workDir = new File(workPath);
+        File truststoreFile;
+
+        try {
+            truststoreFile = File.createTempFile("oidc-provider-trust", "." + truststore.getType(), workDir);
+            truststoreFile.deleteOnExit();
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+
         String secret = UUID.randomUUID().toString();
 
-        try (OutputStream out = new FileOutputStream(file)) {
+        try (OutputStream out = new FileOutputStream(truststoreFile)) {
             truststore.store(out, secret.toCharArray());
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
 
         // No default provided, set to empty to avoid NPE
         oidcConfig.tls.trustStoreProvider = Optional.empty();
-        oidcConfig.tls.setTrustStoreFile(file.toPath());
+        oidcConfig.tls.setTrustStoreFile(truststoreFile.toPath());
         oidcConfig.tls.setTrustStorePassword(secret);
         // Future: map the certificate alias if provided
         // oidcConfig.tls.setTrustStoreCertAlias(null);

api/src/main/resources/application.properties

@@ -68,6 +68,7 @@ quarkus.arc.exclude-types=io.apicurio.registry.rest.JacksonDateTimeCustomizer
 quarkus.index-dependency.strimzi-api.group-id=io.strimzi
 quarkus.index-dependency.strimzi-api.artifact-id=api
 
+console.work-path=${java.io.tmpdir}
 console.kafka.admin.request.timeout.ms=10000
 console.kafka.admin.default.api.timeout.ms=10000
 

api/src/test/java/com/github/streamshub/console/kafka/systemtest/deployment/KeycloakResourceManager.java

@@ -1,8 +1,10 @@
 package com.github.streamshub.console.kafka.systemtest.deployment;
 
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.UncheckedIOException;
+import java.nio.file.Files;
 import java.time.Duration;
 import java.util.Map;
 
@@ -12,6 +14,8 @@
 import org.testcontainers.containers.wait.strategy.Wait;
 import org.testcontainers.images.builder.Transferable;
 
+import com.github.streamshub.console.test.TlsHelper;
+
 import io.quarkus.test.common.QuarkusTestResourceLifecycleManager;
 
 public class KeycloakResourceManager implements QuarkusTestResourceLifecycleManager {
@@ -29,26 +33,56 @@ public Map<String, String> start() {
             throw new UncheckedIOException(ioe);
         }
 
+        int port = 8443;
+        TlsHelper tls = TlsHelper.newInstance();
+        String keystorePath = "/opt/keycloak/keystore.p12";
+
         keycloak = new GenericContainer<>("quay.io/keycloak/keycloak:26.0")
                 .withLogConsumer(new Slf4jLogConsumer(LoggerFactory.getLogger("systemtests.keycloak"), true))
-                .withExposedPorts(8080)
+                .withExposedPorts(port)
                 .withEnv(Map.of(
                         "KC_BOOTSTRAP_ADMIN_USERNAME", "admin",
                         "KC_BOOTSTRAP_ADMIN_PASSWORD", "admin",
                         "PROXY_ADDRESS_FORWARDING", "true"))
+                .withCopyToContainer(
+                        Transferable.of(tls.getKeyStoreBytes()),
+                        keystorePath)
                 .withCopyToContainer(
                         Transferable.of(realmConfig),
                         "/opt/keycloak/data/import/console-realm.json")
-                .withCommand("start", "--hostname=localhost", "--http-enabled=true", "--import-realm")
-                .waitingFor(Wait.forHttp("/realms/console-authz").withStartupTimeout(Duration.ofMinutes(1)));
+                .withCommand(
+                        "start",
+                        "--hostname=localhost",
+                        "--http-enabled=false",
+                        "--https-key-store-file=%s".formatted(keystorePath),
+                        "--https-key-store-password=%s".formatted(String.copyValueOf(tls.getPassphrase())),
+                        "--import-realm"
+                )
+                .waitingFor(Wait.forHttps("/realms/console-authz")
+                        .allowInsecure()
+                        .withStartupTimeout(Duration.ofMinutes(1)));
+
+        File truststoreFile;
+
+        try {
+            truststoreFile = File.createTempFile("oidc-provider-trust", "." + tls.getTrustStore().getType());
+            //truststoreFile.deleteOnExit();
+            Files.write(truststoreFile.toPath(), tls.getTrustStoreBytes());
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
 
         keycloak.start();
 
-        String urlTemplate = "http://localhost:%d/realms/console-authz";
-        var oidcUrl = urlTemplate.formatted(keycloak.getMappedPort(8080));
+        String urlTemplate = "https://localhost:%d/realms/console-authz";
+        var oidcUrl = urlTemplate.formatted(keycloak.getMappedPort(port));
         return Map.of(
                 "console.test.oidc-url", oidcUrl,
-                "console.test.oidc-issuer", urlTemplate.formatted(8080));
+                "console.test.oidc-host", "localhost:%d".formatted(port),
+                "console.test.oidc-issuer", urlTemplate.formatted(port),
+                "quarkus.tls.\"oidc-provider-trust\".trust-store.jks.path", truststoreFile.getAbsolutePath(),
+                "quarkus.tls.\"oidc-provider-trust\".trust-store.jks.password", String.copyValueOf(tls.getPassphrase())
+        );
     }
 
     @Override

api/src/test/java/com/github/streamshub/console/kafka/systemtest/utils/TokenUtils.java

@@ -4,25 +4,41 @@
 import java.io.StringReader;
 import java.net.URI;
 import java.net.http.HttpClient;
+import java.net.http.HttpClient.Version;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.util.UUID;
 
+import javax.net.ssl.SSLContext;
+
+import jakarta.enterprise.inject.spi.CDI;
 import jakarta.json.Json;
 import jakarta.json.JsonObject;
 import jakarta.json.JsonReader;
 import jakarta.ws.rs.core.HttpHeaders;
 
 import org.eclipse.microprofile.config.Config;
 
+import io.quarkus.tls.TlsConfigurationRegistry;
 import io.restassured.http.Header;
 
 public class TokenUtils {
 
     final String tokenEndpoint;
+    final String tokenEndpointHost;
+    final SSLContext tls;
 
     public TokenUtils(Config config) {
         this.tokenEndpoint = config.getValue("console.test.oidc-url", String.class) + "/protocol/openid-connect/token";
+        this.tokenEndpointHost = config.getValue("console.test.oidc-host", String.class);
+
+        var tlsRegistry = CDI.current().select(TlsConfigurationRegistry.class).get();
+
+        try {
+            tls = tlsRegistry.get("oidc-provider-trust").get().createSSLContext();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
     }
 
     public Header authorizationHeader(String username) {
@@ -47,11 +63,14 @@ public JsonObject getTokenObject(String username) {
                 + "password=%1$s-password&"
                 + "client_id=console-client", username);
 
-        HttpClient client = HttpClient.newBuilder().build();
+        HttpClient client = HttpClient.newBuilder()
+                .sslContext(tls)
+                .version(Version.HTTP_1_1)
+                .build();
 
         HttpRequest request = HttpRequest.newBuilder()
                 .uri(URI.create(tokenEndpoint))
-                .header("Host", "localhost:8080")
+                .header("Host", tokenEndpointHost)
                 .header("Content-Type", "application/x-www-form-urlencoded")
                 .POST(HttpRequest.BodyPublishers.ofString(form))
                 .build();