ba024c45be
- Create domain entities in WorkClub.Domain/Entities: Club, Member, WorkItem, Shift, ShiftSignup - Implement enums: SportType, ClubRole, WorkItemStatus - Add ITenantEntity interface for multi-tenancy support - Implement state machine validation on WorkItem with C# 14 switch expressions - Valid transitions: Open→Assigned→InProgress→Review→Done, Review→InProgress (rework) - All invalid transitions throw InvalidOperationException - TDD approach: Write tests first, 12/12 passing - Use required properties with explicit Guid/Guid? for foreign keys - DateTimeOffset for timestamps (timezone-aware, multi-tenant friendly) - RowVersion byte[] for optimistic concurrency control - No navigation properties yet (deferred to EF Core task) - No domain events or validation attributes (YAGNI for MVP)
142 lines
5.0 KiB
Bash
Executable File
142 lines
5.0 KiB
Bash
Executable File
#!/bin/bash
|
|
set -euo pipefail
|
|
|
|
# Test script for Keycloak authentication and JWT claims verification
|
|
# This script validates the realm configuration after import
|
|
|
|
KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8080}"
|
|
REALM="workclub"
|
|
CLIENT_ID="workclub-app"
|
|
|
|
# Color output
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
NC='\033[0m' # No Color
|
|
|
|
echo "=== Keycloak Authentication Test ==="
|
|
echo "Keycloak URL: $KEYCLOAK_URL"
|
|
echo "Realm: $REALM"
|
|
echo ""
|
|
|
|
# Wait for Keycloak to be ready
|
|
echo "Waiting for Keycloak to be ready..."
|
|
max_attempts=60
|
|
attempt=0
|
|
while ! curl -sf "$KEYCLOAK_URL/health/ready" > /dev/null; do
|
|
attempt=$((attempt + 1))
|
|
if [ $attempt -ge $max_attempts ]; then
|
|
echo -e "${RED}✗ Keycloak failed to become ready after $max_attempts attempts${NC}"
|
|
exit 1
|
|
fi
|
|
echo -n "."
|
|
sleep 2
|
|
done
|
|
echo -e "\n${GREEN}✓ Keycloak is ready${NC}\n"
|
|
|
|
# Test users with expected club memberships
|
|
declare -A USERS=(
|
|
["admin@test.com"]='{"club-1-uuid":"admin","club-2-uuid":"member"}'
|
|
["manager@test.com"]='{"club-1-uuid":"manager"}'
|
|
["member1@test.com"]='{"club-1-uuid":"member","club-2-uuid":"member"}'
|
|
["member2@test.com"]='{"club-1-uuid":"member"}'
|
|
["viewer@test.com"]='{"club-1-uuid":"viewer"}'
|
|
)
|
|
|
|
PASSWORD="testpass123"
|
|
EVIDENCE_DIR=".sisyphus/evidence"
|
|
mkdir -p "$EVIDENCE_DIR"
|
|
|
|
RESULTS_FILE="$EVIDENCE_DIR/task-3-user-auth.txt"
|
|
JWT_FILE="$EVIDENCE_DIR/task-3-jwt-claims.txt"
|
|
|
|
# Clear previous results
|
|
> "$RESULTS_FILE"
|
|
> "$JWT_FILE"
|
|
|
|
echo "Testing authentication for all users..." | tee -a "$RESULTS_FILE"
|
|
echo "=======================================" | tee -a "$RESULTS_FILE"
|
|
echo "" | tee -a "$RESULTS_FILE"
|
|
|
|
success_count=0
|
|
failure_count=0
|
|
|
|
for user in "${!USERS[@]}"; do
|
|
expected_clubs="${USERS[$user]}"
|
|
|
|
echo "Testing: $user" | tee -a "$RESULTS_FILE"
|
|
echo "Expected clubs: $expected_clubs" | tee -a "$RESULTS_FILE"
|
|
|
|
# Request token using direct grant (password grant)
|
|
response=$(curl -s -X POST "$KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token" \
|
|
-H "Content-Type: application/x-www-form-urlencoded" \
|
|
-d "grant_type=password" \
|
|
-d "client_id=$CLIENT_ID" \
|
|
-d "username=$user" \
|
|
-d "password=$PASSWORD" \
|
|
2>&1)
|
|
|
|
# Check if token was obtained
|
|
if echo "$response" | jq -e '.access_token' > /dev/null 2>&1; then
|
|
access_token=$(echo "$response" | jq -r '.access_token')
|
|
|
|
# Decode JWT (extract payload, base64 decode)
|
|
payload=$(echo "$access_token" | cut -d. -f2)
|
|
# Add padding if needed for base64
|
|
padding=$((4 - ${#payload} % 4))
|
|
if [ $padding -ne 4 ]; then
|
|
payload="${payload}$(printf '=%.0s' $(seq 1 $padding))"
|
|
fi
|
|
|
|
decoded=$(echo "$payload" | base64 -d 2>/dev/null | jq '.')
|
|
|
|
# Extract clubs claim
|
|
clubs_claim=$(echo "$decoded" | jq -c '.clubs // empty')
|
|
|
|
if [ -z "$clubs_claim" ]; then
|
|
echo -e " ${RED}✗ FAILED: No 'clubs' claim found in JWT${NC}" | tee -a "$RESULTS_FILE"
|
|
failure_count=$((failure_count + 1))
|
|
elif [ "$clubs_claim" == "$expected_clubs" ]; then
|
|
echo -e " ${GREEN}✓ SUCCESS: Clubs claim matches expected value${NC}" | tee -a "$RESULTS_FILE"
|
|
success_count=$((success_count + 1))
|
|
|
|
# Save decoded JWT for first successful user (admin)
|
|
if [ "$user" == "admin@test.com" ]; then
|
|
echo "=== Decoded JWT for admin@test.com ===" > "$JWT_FILE"
|
|
echo "$decoded" | jq '.' >> "$JWT_FILE"
|
|
echo "" >> "$JWT_FILE"
|
|
echo "=== Clubs Claim ===" >> "$JWT_FILE"
|
|
echo "$clubs_claim" | jq '.' >> "$JWT_FILE"
|
|
fi
|
|
else
|
|
echo -e " ${YELLOW}✗ FAILED: Clubs claim mismatch${NC}" | tee -a "$RESULTS_FILE"
|
|
echo " Expected: $expected_clubs" | tee -a "$RESULTS_FILE"
|
|
echo " Got: $clubs_claim" | tee -a "$RESULTS_FILE"
|
|
failure_count=$((failure_count + 1))
|
|
fi
|
|
|
|
echo " Claim type: $(echo "$clubs_claim" | jq -r 'type')" | tee -a "$RESULTS_FILE"
|
|
else
|
|
echo -e " ${RED}✗ FAILED: Could not obtain access token${NC}" | tee -a "$RESULTS_FILE"
|
|
echo " Error: $(echo "$response" | jq -r '.error_description // .error // "Unknown error"')" | tee -a "$RESULTS_FILE"
|
|
failure_count=$((failure_count + 1))
|
|
fi
|
|
|
|
echo "" | tee -a "$RESULTS_FILE"
|
|
done
|
|
|
|
echo "=======================================" | tee -a "$RESULTS_FILE"
|
|
echo "Summary: $success_count passed, $failure_count failed" | tee -a "$RESULTS_FILE"
|
|
echo "" | tee -a "$RESULTS_FILE"
|
|
|
|
if [ $failure_count -eq 0 ]; then
|
|
echo -e "${GREEN}✓ All authentication tests passed!${NC}" | tee -a "$RESULTS_FILE"
|
|
echo "Evidence saved to:" | tee -a "$RESULTS_FILE"
|
|
echo " - $RESULTS_FILE" | tee -a "$RESULTS_FILE"
|
|
echo " - $JWT_FILE" | tee -a "$RESULTS_FILE"
|
|
exit 0
|
|
else
|
|
echo -e "${RED}✗ Some tests failed${NC}" | tee -a "$RESULTS_FILE"
|
|
exit 1
|
|
fi
|