Adding Dex as a mock OIDC server and IDP (#111)

molecule/default/prepare.yml

@@ -0,0 +1,10 @@
+---
+- name: Prepare
+  hosts: molecule
+  gather_facts: false
+  vars_files:
+    - vars/vars.yml
+
+  tasks:
+    - name: Configure Dex OIDC instance
+      ansible.builtin.include_tasks: ../dex-config.yaml

molecule/default/vars/vars.yml

@@ -1,7 +1,7 @@
 tas_single_node_oidc_issuers:
-  - issuer: "https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer"
-    url: "https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer"
-    client_id: trusted-artifact-signer
+  - issuer: "http://dex-idp:5556/dex"
+    url: "http://dex-idp:5556/dex"
+    client_id: example-app
     type: email
 tas_single_node_base_hostname: myrhtas
 tas_single_node_cockpit:

molecule/default/verify.yml

@@ -7,6 +7,10 @@
   vars_files:
     - vars/vars.yml
   tasks:
+
+    - name: Adding Dex instance to RHTAS network
+      ansible.builtin.shell: podman network connect rhtas dex-idp
+
     - name: Get IP of the current node
       # The tasks below run locally, so their ansible_ssh_host is 127.0.0.1
       ansible.builtin.set_fact:
@@ -33,9 +37,9 @@
         recreate: true
         env:
           BASE_HOSTNAME: "{{ tas_single_node_base_hostname }}"
-          USERNAME: "jdoe"
-          PASSWORD: "secure"
+          EMAIL: "[email protected]"
           KEYCLOAK_URL: "https://{{ tas_single_node_oidc_issuers[0].url | urlsplit('hostname') }}"
+          OIDC_ISSUER_URL: "http://dex-idp:5556/dex"
         # NOTE: we can't add hosts with the etc_hosts parameter, because we would need to template
         # the dictionary keys for it and Ansible doesn't do that
         cmd_args:
@@ -47,6 +51,8 @@
           - "tuf.{{ tas_single_node_base_hostname }}:{{ node_ip }}"
           - "--add-host"
           - "tsa.{{ tas_single_node_base_hostname }}:{{ node_ip }}"
+          - "--add-host"
+          - "dex-idp:{{ node_ip }}"
         volume:
           - "{{ test_dir_path }}:/mnt:z"
         entrypoint: /bin/bash

molecule/dex-config.yaml

@@ -0,0 +1,31 @@
+---
+- name: Check if Podman is available
+  ansible.builtin.package:
+    name: podman
+    state: present
+
+- name: Create Dex config directory
+  ansible.builtin.file:
+    path: "/etc/dex/config"
+    state: directory
+    mode: "0755"
+
+- name: Copy Dex config over
+  ansible.builtin.copy:
+    src: "../../vm-testing/dex-config.yaml"
+    dest: "/etc/dex/config/dex.yaml"
+    mode: "0644"
+
+- name: Run Dex container
+  ansible.builtin.shell: |
+      podman run -d \
+      --name dex-idp \
+      -p 5556:5556 \
+      -v /etc/dex/config/dex.yaml:/etc/dex/cfg/dex.yaml:Z \
+      quay.io/asiek/dexidp:v2.32.0 \
+      dex serve /etc/dex/cfg/dex.yaml
+
+- name: Dex container health check
+  ansible.builtin.shell: curl http://127.0.0.1:5556/dex/healthz
+  retries: 3
+  delay: 5

molecule/user_provided/prepare.yml

@@ -6,6 +6,9 @@
   vars_files:
     - vars/vars.yml
   tasks:
+    - name: Configure Dex OIDC instance
+      ansible.builtin.include_tasks: ../dex-config.yaml
+
     - name: Install Redis and MariaDB
       ansible.builtin.yum:
         name: 

molecule/user_provided/vars/vars.yml

@@ -1,7 +1,7 @@
 tas_single_node_oidc_issuers:
-  - issuer: "https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer"
-    url: "https://keycloak-keycloak-system.apps.platform-sts.pcbk.p1.openshiftapps.com/auth/realms/trusted-artifact-signer"
-    client_id: trusted-artifact-signer
+  - issuer: "http://dex-idp:5556/dex"
+    url: "http://dex-idp:5556/dex"
+    client_id: example-app
     type: email
 tas_single_node_base_hostname: myrhtas
 tas_single_node_cockpit:

vm-testing/dex-config.yaml

@@ -0,0 +1,38 @@
+issuer: http://dex-idp:5556/dex
+
+storage:
+  type: memory
+
+web:
+  http: 0.0.0.0:5556
+
+staticClients:
+- id: example-app
+  redirectURIs:
+  - 'http://dex-idp:5556/callback'
+  name: 'Example App'
+  secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+
+connectors:
+- type: mockCallback
+  id: mock
+  name: Example
+
+enablePasswordDB: true
+
+staticPasswords:
+- email: "[email protected]"
+  hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+  username: "admin"
+  userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+
+oauth2:
+  responseTypes: ["code"]
+  alwaysShowLoginScreen: true
+  skipApprovalScreen: true
+  passwordConnection: mock
+
+expiry:
+  signingKeys: "24h"
+  idTokens: "1m"
+  authRequests: "24h"

vm-testing/test/test-sign-blob.sh

@@ -13,31 +13,44 @@ cp "${BASE_HOSTNAME}".pem /etc/pki/ca-trust/source/anchors/
 update-ca-trust
 
 # set up cosign env
-export KEYCLOAK_REALM=trusted-artifact-signer
 export TUF_URL=https://tuf.$BASE_HOSTNAME
-export OIDC_ISSUER_URL=$KEYCLOAK_URL/auth/realms/$KEYCLOAK_REALM
+export OIDC_ISSUER_URL=$OIDC_ISSUER_URL
 export COSIGN_FULCIO_URL=https://fulcio.$BASE_HOSTNAME
 export COSIGN_REKOR_URL=https://rekor.$BASE_HOSTNAME
 export COSIGN_TSA_URL=https://tsa.$BASE_HOSTNAME/api/v1/timestamp
 export COSIGN_MIRROR=$TUF_URL
 export COSIGN_ROOT=$TUF_URL/root.json
-export COSIGN_OIDC_CLIENT_ID=$KEYCLOAK_REALM
+export COSIGN_OIDC_CLIENT_ID=example-app
 export COSIGN_OIDC_ISSUER=$OIDC_ISSUER_URL
 export COSIGN_CERTIFICATE_OIDC_ISSUER=$OIDC_ISSUER_URL
 export COSIGN_YES="true"
 export SIGSTORE_FULCIO_URL=$COSIGN_FULCIO_URL
 export SIGSTORE_OIDC_ISSUER=$COSIGN_OIDC_ISSUER
 export SIGSTORE_REKOR_URL=$COSIGN_REKOR_URL
 export REKOR_REKOR_SERVER=$COSIGN_REKOR_URL
+export [email protected]
 
-TOKEN="$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=${USERNAME}" -d "password=${PASSWORD}" -d "grant_type=password" -d "scope=openid" -d "client_id=${KEYCLOAK_REALM}" "${OIDC_ISSUER_URL}"/protocol/openid-connect/token |  sed -E 's/.*"access_token":"([^"]*).*/\1/')"
+AUTHTOKEN="$(curl -Lis "http://dex-idp:5556/dex/auth/mock?client_id=example-app&scope=openid%20email&redirect_uri=http://dex-idp:5556/callback&response_type=code" | grep -oP "code=\K[^&]+")"
+export AUTHTOKEN
+
+if [ -z "${AUTHTOKEN}" ]; then
+  echo "Error: Unable to fetch authorization code."
+  exit 1
+fi
+
+TOKEN="$(curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code" -d "code=${AUTHTOKEN}" -d "redirect_uri=http://dex-idp:5556/callback" -d "client_id=example-app" -d "client_secret=ZXhhbXBsZS1hcHAtc2VjcmV0" "http://dex-idp:5556/dex/token" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')"
 export TOKEN
 
+if [ -z "${TOKEN}" ]; then
+  echo "Error: Unable to fetch access code."
+  exit 1
+fi
+
 env
 cosign initialize
 
 echo "testing" > to-sign
 
 cosign --verbose sign-blob to-sign --bundle signed.bundle --identity-token="${TOKEN}" --timestamp-server-url="${COSIGN_TSA_URL}" --rfc3161-timestamp=timestamp.txt
 
-cosign --verbose verify-blob --certificate-identity="${USERNAME}"@redhat.com --bundle signed.bundle to-sign --rfc3161-timestamp=timestamp.txt --use-signed-timestamps
+cosign --verbose verify-blob --certificate-identity="${EMAIL}" --bundle signed.bundle to-sign --rfc3161-timestamp=timestamp.txt --use-signed-timestamps