[6.15] RHBK support (#17338) (#17532)

Make changes so RHSSO tests become parametrized and work for both RHSSO and RHBK
SatelliteQE · Feb 7, 2025 · b8e1fe3 · b8e1fe3
1 parent a8d7ecf
commit b8e1fe3
Show file tree

Hide file tree

Showing 7 changed files with 170 additions and 97 deletions.
diff --git a/conf/rhbk.yaml.template b/conf/rhbk.yaml.template
@@ -0,0 +1,15 @@
+# section for RHBK integration
+RHBK:
+  # RHBK Hostname
+  HOST_NAME:  # update with rhbk host name
+  # RHBK port, 8443 by default
+  HOST_PORT:  # update with rhbk host name
+  # RHBK Host Url
+  HOST_URL:  # update with rhbk environment url
+  # RHBK Host Admin of Realm
+  RHBK_USER: sat_admin
+  # RHBK Host Admin Password
+  RHBK_PASSWORD:  # update with password
+  # RHBK Host Realm
+  REALM: satqe
+  TOTP_SECRET:  # update with the totp secret token
diff --git a/pytest_fixtures/component/satellite_auth.py b/pytest_fixtures/component/satellite_auth.py
@@ -14,17 +14,22 @@
     LDAP_ATTR,
     LDAP_SERVER_TYPE,
 )
-from robottelo.hosts import IPAHost, SSOHost
+from robottelo.hosts import IPAHost, RHBKHost, RHSSOHost
+from robottelo.logging import logger
 from robottelo.utils.datafactory import gen_string
 from robottelo.utils.installer import InstallerCommand
 
 LOGGEDOUT = 'Logged out.'
 
 
 @pytest.fixture(scope='module')
-def default_sso_host(module_target_sat):
+def default_sso_host(request, module_target_sat):
     """Returns default sso host"""
-    return SSOHost(module_target_sat)
+    if hasattr(request, 'param') and request.param:
+        logger.info("Using RHBK host for SSO")
+        return RHBKHost(module_target_sat)
+    logger.info("Using RHSSO host for SSO")
+    return RHSSOHost(module_target_sat)
 
 
 @pytest.fixture(scope='module')
@@ -287,8 +292,16 @@ def auth_data(request, ad_data, ipa_data):
 
 
 @pytest.fixture(scope='module')
-def enroll_configure_rhsso_external_auth(module_target_sat):
+def enroll_configure_rhsso_external_auth(request, module_target_sat):
     """Enroll the Satellite6 Server to an RHSSO Server."""
+    if hasattr(request, 'param') and request.param:
+        uri = f'https://{settings.rhbk.host_name}:{settings.rhbk.host_port}'
+        password = settings.rhbk.rhbk_password
+        realm = settings.rhbk.realm
+    else:
+        uri = f'https://{settings.rhsso.host_name}:443'
+        password = settings.rhsso.rhsso_password
+        realm = settings.rhsso.realm
     if settings.robottelo.rhel_source == "ga":
         module_target_sat.register_to_cdn()
     # keycloak-httpd-client-install needs lxml but it's not an rpm dependency + is not documented
@@ -302,18 +315,18 @@ def enroll_configure_rhsso_external_auth(module_target_sat):
     # if target directory not given it is installing in /usr/local/lib64
     assert (
         module_target_sat.execute(
-            f'openssl s_client -connect {settings.rhsso.host_name}:443 -showcerts </dev/null 2>/dev/null| '
+            f'openssl s_client -connect {uri} -showcerts </dev/null 2>/dev/null| '
             f'sed "/BEGIN CERTIFICATE/,/END CERTIFICATE/!d" > {CERT_PATH}/rh-sso.crt'
         ).status
         == 0
     )
     assert (
         module_target_sat.execute(
-            f'echo {settings.rhsso.rhsso_password} | keycloak-httpd-client-install \
+            f'echo {password} | keycloak-httpd-client-install \
                 --app-name foreman-openidc \
-                --keycloak-server-url {settings.rhsso.host_url} \
+                --keycloak-server-url {uri} \
                 --keycloak-admin-username "admin" \
-                --keycloak-realm "{settings.rhsso.realm}" \
+                --keycloak-realm "{realm}" \
                 --keycloak-admin-realm master \
                 --keycloak-auth-role root-admin -t openidc -l /users/extlogin --force'
         ).status
@@ -323,7 +336,7 @@ def enroll_configure_rhsso_external_auth(module_target_sat):
         module_target_sat.execute(
             f'satellite-installer --foreman-keycloak true '
             f"--foreman-keycloak-app-name 'foreman-openidc' "
-            f"--foreman-keycloak-realm '{settings.rhsso.realm}' ",
+            f"--foreman-keycloak-realm '{realm}' ",
             timeout=1000000,
         ).status
         == 0
@@ -336,7 +349,7 @@ def enable_external_auth_rhsso(
     enroll_configure_rhsso_external_auth, default_sso_host, module_target_sat
 ):
     """register the satellite with RH-SSO Server for single sign-on"""
-    client_id = default_sso_host.get_rhsso_client_id()
+    client_id = default_sso_host.get_sso_client_id()
     default_sso_host.create_mapper(GROUP_MEMBERSHIP_MAPPER, client_id)
     audience_mapper = copy.deepcopy(AUDIENCE_MAPPER)
     audience_mapper['config']['included.client.audience'] = audience_mapper['config'][
@@ -380,17 +393,22 @@ def configure_realm(module_target_sat, default_ipa_host):
 
 
 @pytest.fixture(scope="module")
-def rhsso_setting_setup(module_target_sat):
+def rhsso_setting_setup(request, module_target_sat):
     """Update the RHSSO setting and revert it in cleanup"""
+    if hasattr(request, 'param') and request.param:
+        uri = f'{settings.rhbk.host_url}'
+        realm = settings.rhbk.realm
+    else:
+        uri = settings.rhsso.host_url
+        realm = settings.rhsso.realm
     rhhso_settings = {
         'authorize_login_delegation': True,
         'authorize_login_delegation_auth_source_user_autocreate': 'External',
         'login_delegation_logout_url': f'https://{module_target_sat.hostname}/users/extlogout',
         'oidc_algorithm': 'RS256',
         'oidc_audience': [f'{module_target_sat.hostname}-foreman-openidc'],
-        'oidc_issuer': f'{settings.rhsso.host_url}/auth/realms/{settings.rhsso.realm}',
-        'oidc_jwks_url': f'{settings.rhsso.host_url}/auth/realms'
-        f'/{settings.rhsso.realm}/protocol/openid-connect/certs',
+        'oidc_issuer': f'{uri}/auth/realms/{realm}',
+        'oidc_jwks_url': f'{uri}/auth/realms/{realm}/protocol/openid-connect/certs',
     }
     for setting_name, setting_value in rhhso_settings.items():
         # replace entietes field with targetsat.api

diff --git a/robottelo/config/validators.py b/robottelo/config/validators.py
@@ -304,6 +304,18 @@
             must_exist=True,
         ),
     ],
+    rhbk=[
+        Validator(
+            'rhbk.host_name',
+            'rhbk.host_port',
+            'rhbk.host_url',
+            'rhbk.rhbk_user',
+            'rhbk.rhbk_password',
+            'rhbk.realm',
+            'rhbk.totp_secret',
+            must_exist=True,
+        ),
+    ],
     remotedb=[
         Validator(
             'remotedb.server',

diff --git a/robottelo/constants/__init__.py b/robottelo/constants/__init__.py
@@ -198,6 +198,8 @@
 VALID_GPG_KEY_BETA_FILE = "valid_gpg_key_beta.txt"
 
 KEY_CLOAK_CLI = "/opt/rh/rh-sso7/root/usr/share/keycloak/bin/kcadm.sh"
+# this symlink needs to be created manually on the RHBK instance; default path is something version-specific like /opt/rhbk-24.0.6/bin/kcadm.sh
+RHBK_CLI = "/bin/kcadm.sh"
 
 RPM_TO_UPLOAD = "which-2.19-6.el6.x86_64.rpm"
 SRPM_TO_UPLOAD = "which-2.19-6.el6.src.rpm"