This ticket is about creating integration tests to ensure the authentication and authorization parts of the data-sync-server are actually working against a running keycloak instance. A couple of test cases I can think of are:
* Check that when Keycloak is enabled, it is not possible to make unauthenticated requests to the /graphql endpoint.
* Check that when the [hasRole() directive|https://github.com/aerogear/data-sync-server/blob/master/sequelize/seeders/memeolist-example-shared.js#L53] is applied to a query/mutation, the user can only perform that query/mutation when they have the correct role. This must be checked for realm roles and client roles.
* Check that when the hasRole directive is applied, a user without the appropriate role gets an error in the response. (Note that GraphQL does not use HTTP status codes: it always returns 200 and the error will be found in the response body.)
* Check that when the hasRole directive is applied to a type's field (e.g. date of birth on a user type), users without the appropriate role cannot perform any query/mutation that asks for that field. e.g. getUsers will work, but if I ask for getUsers including date of birth, I get an error.
* ... probably more
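The role and error-body checks above can be expressed as small helpers a test suite calls. The following is an added example, not code from the data-sync-server project. It assumes the standard Keycloak access-token claims (`realm_access.roles` for realm roles, `resource_access.<clientId>.roles` for client roles) and a GraphQL response body of the form `{ data, errors }`; the token, client id `sync-client` and responses are constructed sample data, not captured from a real server.

```javascript
// Added example, not project code. Assumes standard Keycloak token claims
// and a { data, errors } GraphQL body; all sample values below are constructed.

// Decode a JWT payload without verifying the signature. Good enough for
// inspecting a token inside a test; the server itself must verify signatures.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Realm roles live under realm_access.roles; client roles under
// resource_access[clientId].roles. Pass clientId to check a client role.
function tokenHasRole(payload, role, clientId) {
  const container = clientId
    ? (payload.resource_access || {})[clientId]
    : payload.realm_access;
  return Boolean(container && Array.isArray(container.roles) && container.roles.includes(role));
}

// GraphQL answers 200 even when hasRole rejects the request, so a test has to
// look at the `errors` array in the body rather than at the status code.
function graphqlErrorMessages(body) {
  return (body.errors || []).map((e) => e.message);
}

// When hasRole guards a single field, the rest of `data` still comes back and
// errors[].path identifies the denied field. Returns those paths as strings.
function deniedFieldPaths(body) {
  return (body.errors || [])
    .filter((e) => Array.isArray(e.path))
    .map((e) => e.path.join('.'));
}

// Build a constructed (unsigned) token so the helpers can be run offline.
function constructedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj))
    .toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.not-a-real-signature`;
}

// Constructed user: realm role "admin", client role "reader" on "sync-client".
const SAMPLE_TOKEN = constructedToken({
  preferred_username: 'alice',
  realm_access: { roles: ['admin'] },
  resource_access: { 'sync-client': { roles: ['reader'] } },
});

// Constructed response for getUsers when dateOfBirth is guarded by hasRole.
const SAMPLE_FIELD_DENIED = {
  data: { getUsers: [{ id: '1', name: 'alice', dateOfBirth: null }] },
  errors: [{ message: 'Forbidden', path: ['getUsers', 0, 'dateOfBirth'] }],
};

function runChecks() {
  const payload = decodeJwtPayload(SAMPLE_TOKEN);
  return {
    realmAdmin: tokenHasRole(payload, 'admin'),
    realmReader: tokenHasRole(payload, 'reader'), // false: reader is only a client role
    clientReader: tokenHasRole(payload, 'reader', 'sync-client'),
    clientAdmin: tokenHasRole(payload, 'admin', 'sync-client'), // false: admin is a realm role
    okHasNoErrors: graphqlErrorMessages({ data: { getUsers: [] } }).length === 0,
    deniedPaths: deniedFieldPaths(SAMPLE_FIELD_DENIED),
  };
}

console.log(runChecks());
```

The realm/client distinction is the part that is easy to get wrong in a test: a user holding `reader` only as a client role must not pass a realm-role check for `reader`, and vice versa, so both directions are asserted.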
This ticket involves a decent bit of setup in order to run those test cases:
* Figure out how to spin up Keycloak locally and get the server to talk to it. The current integration tests depend on two postgres instances being spun up using docker-compose, so it should fit into that setup.
* In the integration tests there is a special class called RestartableDataSyncService that can be instantiated with a global config object. You would be able to modify that config object to tell the server to pick up a Keycloak config. See the integration_tests for an example.
* Figure out how to load a sample realm into Keycloak that can be used for testing (ideally this should be possible using a command like npm run keycloak:seed).
* Figure out how to programmatically perform the login operation and get back a token which can be used to make authenticated requests.
* Figure out how to make authenticated requests programmatically.
* Check the test cases described.
* Modify the CircleCI job that runs the integration tests to start a Keycloak instance (in the same way that the two postgres instances are started).
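The login and authenticated-request steps above, as an added example that is not part of this ticket or the project's code. It assumes Keycloak's OpenID Connect token endpoint at `{baseUrl}/auth/realms/{realm}/protocol/openid-connect/token` (the `/auth` prefix is the path used by Keycloak versions of that era; newer versions drop it), a public client that allows the resource-owner password grant, and a /graphql endpoint that accepts `Authorization: Bearer <token>`. The HTTP client is injected so the same logic runs offline here against a constructed fake of both services; the realm, client id, user and password are constructed values.

```javascript
// Added example, not project code. Token endpoint path, client and
// credentials are assumptions; fakeFetch is a constructed stand-in for
// Keycloak and the data-sync-server so the flow runs without a network.

// Resource-owner password grant: returns the access token string.
async function login(fetchImpl, { baseUrl, realm, clientId, username, password }) {
  const url = `${baseUrl}/auth/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`;
  const form = new URLSearchParams({ grant_type: 'password', client_id: clientId, username, password });
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  });
  if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.access_token !== 'string') throw new Error('token response without access_token');
  return body.access_token;
}

// POST a GraphQL query, optionally with a bearer token. Always parses the
// body, because hasRole failures arrive as 200 with an errors array.
async function graphql(fetchImpl, url, query, token) {
  const headers = { 'Content-Type': 'application/json' };
  if (token) headers.Authorization = `Bearer ${token}`;
  const res = await fetchImpl(url, { method: 'POST', headers, body: JSON.stringify({ query }) });
  return { status: res.status, body: await res.json() };
}

// A request counts as rejected if either the transport said so (non-200,
// e.g. from auth middleware) or the GraphQL body carries errors.
function isRejected(result) {
  return result.status !== 200
    || (Array.isArray(result.body.errors) && result.body.errors.length > 0);
}

// Constructed fake: the token endpoint accepts alice/secret only; the
// /graphql endpoint answers 401 without the expected bearer token.
function fakeFetch(url, opts) {
  const reply = (status, obj) =>
    Promise.resolve({ ok: status < 400, status, json: () => Promise.resolve(obj) });
  if (url.endsWith('/protocol/openid-connect/token')) {
    const form = new URLSearchParams(opts.body);
    if (form.get('grant_type') === 'password' && form.get('username') === 'alice'
        && form.get('password') === 'secret') {
      return reply(200, { access_token: 'constructed-access-token', token_type: 'Bearer' });
    }
    return reply(401, { error: 'invalid_grant' });
  }
  if (url.endsWith('/graphql')) {
    if ((opts.headers || {}).Authorization !== 'Bearer constructed-access-token') {
      return reply(401, { error: 'unauthorized' });
    }
    return reply(200, { data: { getUsers: [{ id: '1' }] } });
  }
  return reply(404, {});
}

// Runs the whole flow: anonymous request, login, authenticated request, bad password.
async function runFlow(fetchImpl = fakeFetch) {
  const graphqlUrl = 'http://server/graphql';
  const creds = { baseUrl: 'http://keycloak:8080', realm: 'memeolist', clientId: 'sync-client' };
  const anon = await graphql(fetchImpl, graphqlUrl, '{ getUsers { id } }');
  const token = await login(fetchImpl, { ...creds, username: 'alice', password: 'secret' });
  const authed = await graphql(fetchImpl, graphqlUrl, '{ getUsers { id } }', token);
  const badPasswordFailed = await login(fetchImpl, { ...creds, username: 'alice', password: 'wrong' })
    .then(() => false, () => true);
  return {
    anonRejected: isRejected(anon),
    authedRejected: isRejected(authed),
    authedData: authed.body.data,
    badPasswordFailed,
  };
}

runFlow().then((r) => console.log(r));
```

Against a real Keycloak started by docker-compose, pass Node's global `fetch` (or any client with the same `ok`/`status`/`json()` shape) as `fetchImpl`; `isRejected` is written to accept both a non-200 from auth middleware and a 200 body with `errors`, so a test does not have to guess in advance which of the two the server produces for a given case.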