Migrate ssl package to new test framework#48407
Conversation
23d6ff7 to
5ec8a92
Compare
5ec8a92 to
7af881a
Compare
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.authz.PolicyEvaluationTest# |
7af881a to
84b352b
Compare
84b352b to
6158ce0
Compare
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.authz.PolicyEvaluationTest# |
|
@shawkins Could you please review and merge this? |
|
@michalvavrik Can you please rebase? |
6158ce0 to
9c94801
Compare
done |
|
Will this need to align to #48785 |
|
AFAICT it will still work, there will just be some merge conflicts. |
There was a problem hiding this comment.
Pull request overview
Migrates the legacy Arquillian-based ssl tests to the new test framework, moving coverage for SMTP(S) truststore/hostname verification and ssl-required behavior into tests/base and wiring the new package into the JUnit suite.
Changes:
- Removed legacy Arquillian SSL tests and suite entries (
testsuite/.../ssl,base-suite,fips-suite). - Added new
org.keycloak.tests.ssltest package (email over SMTPS + hostname policy scenarios, andssl-requiredHTTP/TLS behavior). - Added SSL test resources (SMTP server cert PEM) and registered the new test package in
Base2TestSuite.
Reviewed changes
Copilot reviewed 13 out of 15 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| testsuite/integration-arquillian/tests/base/testsuites/fips-suite | Removes legacy TrustStoreEmailTest from FIPS suite list. |
| testsuite/integration-arquillian/tests/base/testsuites/base-suite | Removes legacy ssl group from Arquillian base suite. |
| testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/ssl/TrustStoreEmailTest.java | Deletes legacy Arquillian truststore email tests. |
| testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/ssl/TLSTest.java | Deletes legacy Arquillian TLS/ssl-required test. |
| tests/base/src/test/resources/org/keycloak/tests/ssl/smtp-server.pem | Adds SMTP server certificate intended for truststore-paths PEM loading. |
| tests/base/src/test/java/org/keycloak/tests/suites/Base2TestSuite.java | Adds org.keycloak.tests.ssl to the new test suite package list. |
| tests/base/src/test/java/org/keycloak/tests/ssl/AbstractSslEmailTest.java | Introduces shared SMTPS+verify-email test base using GreenMail + shared keystore config. |
| tests/base/src/test/java/org/keycloak/tests/ssl/TrustStoreEmailTest.java | New SMTPS verify-email success + wrong-hostname failure tests. |
| tests/base/src/test/java/org/keycloak/tests/ssl/TrustStoreEmailAnyHostnameTest.java | New hostname-policy-ANY test where hostname mismatch should succeed. |
| tests/base/src/test/java/org/keycloak/tests/ssl/TrustStoreEmailUntrustedCertTest.java | New untrusted-certificate (empty truststore) failure test. |
| tests/base/src/test/java/org/keycloak/tests/ssl/TrustStoreEmailUntrustedCertAnyHostnameTest.java | New “untrusted cert + ANY hostname policy” failure test (currently mixes STARTTLS/SMTPS). |
| tests/base/src/test/java/org/keycloak/tests/ssl/TrustStoreEmailPlainAuthTest.java | New plain SMTP auth verify-email flow test. |
| tests/base/src/test/java/org/keycloak/tests/ssl/TlsSslRequiredTest.java | New ssl-required behavior test for HTTP allowed/rejected depending on realm setting. |
| static class StarttlsEmailRealmConfig implements RealmConfig { | ||
| @Override | ||
| public RealmBuilder configure(RealmBuilder realm) { | ||
| realm.verifyEmail(true); | ||
| realm.build().setSmtpServer(starttlsSmtpConfig()); | ||
| return realm; | ||
| } | ||
|
|
||
| private static Map<String, String> starttlsSmtpConfig() { | ||
| return Map.of("from", FROM, "host", HOST, "port", PORT_SSL, "starttls", "true"); | ||
| } |
There was a problem hiding this comment.
StarttlsEmailRealmConfig sets starttls=true while also using PORT_SSL (SMTPS port) and the test starts an SMTPS server via AbstractSslEmailTest.createSmtpsServer(). This mixes STARTTLS and SMTPS and will cause the email send to fail for the wrong reason (protocol mismatch), so the test does not actually validate the “untrusted cert even with ANY hostname policy” scenario.
Align the realm SMTP configuration with the server you start (e.g., use ssl=true + PORT_SSL for SMTPS, or start an SMTP server configured for STARTTLS on the non-SSL port).
The original test also used starttls=true, it started with SMTP, then upgraded. The DefaultEmailSenderProvider.setupTruststore() sets mail.smtp.ssl.trust=* when hostname policy is ANY, which tells JavaMail to trust all server certificates regardless of the truststore. So yes, with STARTTLS capable mail server (like SubEthaSMTP used by the original test) it failed. But it is not very useful because it just verifies Jakarta Mail implementation that behaves differently for STARTTLS and differently for SSL=TRUE. What use is it if untrusted certificate is rejected for STARTTLS=TRUE but allowed for SSL=TRUE? IMO that is useless assertion. Either it is a bug in Keycloak, or we should assert success with the SSL=TRUE, so I reworked this test after Copilet comment to show "pass scenario" instead.
There was a problem hiding this comment.
9c94801 to
bf7aeb4
Compare
e3673e6 to
d1d2db9
Compare
shawkins
left a comment
There was a problem hiding this comment.
I think what you did with the mail sever makes sense. As long as the cert ends up untrusted, we get the same assertion.
test06VerifyEmailOpportunisticEncryptionWithAnyHostnamePolicy
That seems like an odd name for the legacy test as it implies encryption was still being used. I agree with your new naming testVerifyEmailWithPlainSmtpAuth.
On the naming of the test classes in general, it would probably read better to drop the TrustStore prefix - in particular testVerifyEmailWithPlainSmtpAuth would pass without a truststore set. But this isn't a blocker for me.
* Closes: keycloak#47812 Signed-off-by: Michal Vavřík <michal.vavrik@aol.com>
d1d2db9 to
f247970
Compare
I've dropped the |
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.adapter.servlet.SAMLServletAdapterTest#salesPostSigEmailTestKeycloak CI - Adapter IT Strict Cookies org.keycloak.testsuite.adapter.servlet.SAMLServletAdapterTest#testReloginWithInvalidAuthSessionCookieKeycloak CI - Adapter IT Strict Cookies |
|
maybe let's merge it to avoid conflicts with the other PR from Stian @vmuzikar ? |
|
Merging based on @shawkins' review. |
test01VerifyEmailWithSslWrongCertificateEmailUntrustedCertTest#testVerifyEmailWithUntrustedCerttest02VerifyEmailWithSslWrongCertificateAndAnyHostnamePolicyEmailUntrustedCertAnyHostnameTest#testEmailSucceedsWithSslAndAnyHostnamePolicyDespiteEmptyTruststoredue to #48407 (comment)test03erifyEmailWithSslWrongHostnameEmailTest#testVerifyEmailWithSslWrongHostnametest04VerifyEmailWithSslEnabledEmailTest#testVerifyEmailWithSslEnabledtest05VerifyEmailWithSslWrongHostnameButAnyHostnamePolicyEmailAnyHostnameTest#testVerifyEmailWithSslWrongHostnameSucceedstest06VerifyEmailOpportunisticEncryptionWithAnyHostnamePolicyEmailPlainAuthTest#testVerifyEmailWithPlainSmtpAuth