[QA] 2.1.0 Testplan - Githubissues

jnweiger commented 3 years ago

Setup

Test instances:

https://oc1080-oidc-200-20210915.jw-qa.owncloud.works (with kopano IDP, for comparison with released version 2.0.0)
- users: admin/admin, aaliyah abernathy/secret
https://oc1080-oidc-210rc2-20211110.jw-qa.owncloud.works (with kopano IDP and PR #183)
- users: admin/admin, aaliyah abernathy/secret

Setup details (click to view)

Automated setup script: https://github.com/owncloud-docker/compose-playground/blob/master/examples/hetzner-deploy/make_openidconnect_test.sh References: * https://github.com/owncloud/docs/issues/2855#issuecomment-719944884 * https://doc.owncloud.com/server/admin_manual/configuration/user/oidc/ * https://github.com/owncloud/openidconnect/issues/66#issuecomment-679093440 * https://github.com/owncloud/openidconnect/issues/66#issuecomment-708217650 * https://github.com/owncloud/openidconnect/issues/66#issuecomment-709999406 * https://github.com/owncloud/QA/blob/master/Mobile/GenericTPs/OIDC.md * https://github.com/owncloud/QA/blob/master/Server/Test_Plan_OAuth2.md * https://github.com/owncloud/QA/blob/master/Server/Test_Plan_Pluggable_Auth.md

Testplan

Test Case	Description	Expected	Result	Comments
Installation
Fresh install	`occ app:enable openidconnect`	app gets enabled	:heavy_check_mark:
Fresh install	disable/enable via admin web gui	app gets disabled/enabled	:heavy_check_mark:
Update from 1.0.0	disable, unpack new tar, enable via admin web gui	app gets enabled	:heavy_check_mark:	`occ upgrade` is needed. #135
User flow
Correct OIDC URL	Set a correct OIDC URL	Connection set to the URL	:heavy_check_mark:	as per INIT.bashrc
Enter correct iDP credentials	1. Set a correct OIDC URL 2. Enter correct credentials	Authorization is requested	:heavy_check_mark:
Authorization	Authorize permissions and session	iDP finishes web browser and redirects to the client	:heavy_check_mark:
Cancel login process	1. Set a correct OIDC URL 2. In iDP, cancel login process	Back to client	:heavy_check_mark:	Error in OpenIdConnect:Error: access_denied Description: consent denied
Logout	1. Complete login process in a OIDC server 2. Logout in the idP	Session logged out. Needed credentials again to enter the account	:heavy_check_mark:	Stranded at kopano-url, oc-url would be better
Request flow
Check `openid-configuration` request	Enter an URL of OIDC server	The .well-known /openid-configuration endpoint must be checked to assure availability of OIDC. Response received	:heavy_check_mark:
`register` endpoint available	In case the server supports Dynamic Client Registration, `register` endpoint is requested	Client id and secret id (not mandatory) is retrieved	:heavy_check_mark:
idP flow	Enter credentials in iDP	The `logon` endpoint is requested after entering credentials The `authorize` endpoint is requested after authorizing	:heavy_check_mark:	/signin/v1/chooseaccount /signin/v1/identifier /signin/v1/consent http://localhost:44155/
idP flow with dynamic client registration	Enter credentials in iDP	The `logon` endpoint is requested after entering credentials The `authorize` endpoint is requested after authorizing using client id and secret id granted by register endpoint
Redirection	Authorize session in idP	Web browser redirects correctly to the client and with session opened	:heavy_check_mark:
Token Renewal	Wait till session time is exceed	`token` endoint is requested with refresh token to get a new token. This must be transparent for the client	:no_entry:	Expeted logging not seen ( 01-22 09:10:46:385 [ info sync.httplogger ]: ... \"expires_in\": 600\n}\n]" 01-22 09:21:03:624 [ info sync.credentials.http ]: Refreshing token 01-22 09:21:03:759 [ info sync.httplogger ]: ... Request: POST ... /konnect/v1/token) -> https://github.com/owncloud/openidconnect/issues/182
ClientId/SecretiD renewal	Wait till clientId/SecretId granted by register endpoint, expire	New ClientId/SecretId must be granted to request new tokens	:kangaroo:	renewal seen after 10 minutes. See log example below https://github.com/owncloud/openidconnect/issues/132#issuecomment-768982643
Migration
Basic -> OIDC	1. Login in basic auth server 2. Enable maintenance mode and upgrade to OIDC 3. add `'token_auth_enforced' => true` to config.php 4. Disable maintenance mode;	Client continues working in basic auth, until user logs out, then oidc starts.	:heavy_check_mark:	Discussion of expected behaviour in https://github.com/owncloud/openidconnect/issues/136
OAuth2 -> OIDC	1. Login in OAuth2 server 2. Enable maintenance mode and upgrade to OIDC 3. Disable maintenance mode	Token not valid anymore, and user must re-authenticate against new OIDC	:heavy_check_mark: :
OAuth2 -> OIDC + OAuth2	1. Login in OAuth2 server 2. Enable maintenance mode and upgrade to OIDC, keeping Oauth2 enabled 3. Disable maintenance mode	Token remains valid. Must re-login to start using OIDC	:heavy_check_mark: :

Android

Openidconnect: 2.1.0RC2 Device: Google Pixel 2 Android version: 11

Test Case	Description	Expected	Result	Comments
User flow
Correct OIDC URL	Set a correct OIDC URL	Connection set to the URL	:heavy_check_mark:
Enter correct iDP credentials	1. Set a correct OIDC URL 2. Enter correct credentials	Authorization is requested	:heavy_check_mark:
Authorization	Authorize permissions and session	iDP finishes web browser and redirects to the client	:heavy_check_mark:
Cancel login process	1. Set a correct OIDC URL 2. In iDP, cancel login process	Back to client	:heavy_check_mark:
Logout	1. Complete login process in a OIDC server 2. Logout in the idP	Session logged out. Needed credentials again to enter the account	NA
Request flow
Check `openid-configuration` request	Enter an URL of OIDC server	The .well-known /openid-configuration endpoint must be checked to assure availability of OIDC. Response received	:heavy_check_mark:
`register` endpoint available	In case the server supports Dynamic Client Registration, `register` endpoint is requested	Client id and secret id (not mandatory) is retrieved	:heavy_check_mark:
idP flow	Enter credentials in iDP	The `logon` endpoint is requested after entering credentials The `authorize` endpoint is requested after authorizing	:heavy_check_mark:
idP flow with dynamic client registration	Enter credentials in iDP	The `logon` endpoint is requested after entering credentials The `authorize` endpoint is requested after authorizing using client id and secret id granted by register endpoint	:heavy_check_mark:
Redirection	Authorize session in idP	Web browser redirects correctly to the client and with session opened	:heavy_check_mark:
Renewal	Wait till session time is exceed	`token` endoint is requested with refresh token to get a new token. This must be transparent for the client	NA	Pending of client/secret renewal
ClientId/SecretId renewal	Wait till clientId/SecretId granted by register endpoint, expire	New ClientId/SecretId must be granted to request new tokens	NA	Android does not support yet
Migration
Basic -> OIDC	1. Login in basic auth server 2. Enable maintenance mode and upgrade to OIDC 3. Disable maintenance mode 4. Force re-login	User must re-authenticate against new OIDC	:heavy_check_mark:
OAuth2 -> OIDC	1. Login in OAuth2 server 2. Enable maintenance mode and upgrade to OIDC 3. Disable maintenance mode	Token not valid anymore, and user must re-authenticate against new OIDC	:heavy_check_mark:

iOS

Openidconnect: 2.1.0RC2 Device: iPhoneXR iOS version: 15.0

Test Case	Description	Expected	Result	Comments
User flow
Correct OIDC URL	Set a correct OIDC URL	Connection set to the URL	:heavy_check_mark:
Enter correct iDP credentials	1. Set a correct OIDC URL 2. Enter correct credentials	Authorization is requested	:heavy_check_mark:
Authorization	Authorize permissions and session	iDP finishes web browser and redirects to the client	:heavy_check_mark:
Cancel login process	1. Set a correct OIDC URL 2. In iDP, cancel login process	Back to client	:heavy_check_mark:
Logout	1. Complete login process in a OIDC server 2. Logout in the idP	Session logged out. Needed credentials again to enter the account	NA
Request flow
Check `openid-configuration` request	Enter an URL of OIDC server	The .well-known /openid-configuration endpoint must be checked to assure availability of OIDC. Response received	:heavy_check_mark:
`register` endpoint available	In case the server supports Dynamic Client Registration, `register` endpoint is requested	Client id and secret id (not mandatory) is retrieved	:heavy_check_mark:
idP flow	Enter credentials in iDP	The `logon` endpoint is requested after entering credentials The `authorize` endpoint is requested after authorizing	:heavy_check_mark:
idP flow with dynamic client registration	Enter credentials in iDP	The `authorize` endpoint is requested after authorizing using client id and secret id granted by register endpoint	:heavy_check_mark:
Redirection	Authorize session in idP	Web browser redirects correctly to the client and with session opened	:heavy_check_mark:
Renewal	Wait till session time is exceed	`token` endpoint is requested with refresh token to get a new token. This must be transparent for the client	NA	Pending of client/secret renewal
ClientId/SecretId renewal	Wait till clientId/SecretId granted by register endpoint, expire	New ClientId/SecretId must be granted to request new tokens	NA
Migration
Basic -> OIDC	1. Login in basic auth server 2. Enable maintenance mode and upgrade to OIDC 3. Disable maintenance mode 4. Force re-login	User must re-authenticate against new OIDC	NA	Not supported. Link
OAuth2 -> OIDC	1. Login in OAuth2 server 2. Enable maintenance mode and upgrade to OIDC 3. Disable maintenance mode	Token not valid anymore, and user must re-authenticate against new OIDC	:heavy_check_mark:

jnweiger commented 3 years ago

changelog testing

[x] #148 [Security] Bump phpseclib/phpseclib from 2.0.29 to 2.0.31 -> actually 2.0.33
[ ] #150 [Enhancement] AutoProvisioning based on a Provisioning Claim
[ ] #151 [Enhancement] Autoprovisionining based on claim
[x] #155 [Bugfix] Use random_bytes for uid and password generation
[x] #167 [Enhancement] Add db as additional settings storage backend
[ ] - PKCE Flow challenge was not used - #170

jnweiger commented 3 years ago

Test Plan for #167

[x] Add no settings at all
- [x] Enable app. Test login
- [x] Expected behaviour: App fails the same way as previous release:
  - [x] openid-connect => array(), leads to "Error, the provider URL has not been set"
  - [x] no openid-connect key in config: Alternative Login buttons (e.g. Kopano) are not shown.
[x] Add no settings to DB
- [x] Add valid settings to config.php (default way, not altered)
- [x] Remove any existing config settings in DB
  - mysql -h db --user=owncloud --password=owncloud owncloud
  - select * from oc_appconfig where appid='openidconnect' no configkey 'openid-connect'
- [x] Enable app. Test login
- [x] Expected behaviour: Login should work
[x] Add invalid settings to DB
- [x] Add valid settings to config.php (default way, not altered)
- [x] Add settings to DB as stated in Readme (https://github.com/owncloud/openidconnect#settings-in-database) but use a malformed JSON string e.g.
  - insert into oc_appconfig set appid='openidconnect', configkey='openid-connect', configvalue='{}'
  - update oc_appconfig set configvalue='{ "foo: 42 }' where configkey='openid-connect';
- [x] Enable app. Test login
- [x] Expected behaviour:
  - [x] Login should work
  - [x] ownCloud.log should contain an error message, see https://github.com/owncloud/openidconnect/blob/fd9ae9e09a670c5473b349247239e84dc0bb82f5/lib/Client.php#L102
[x] Add valid settings to DB
- [x] Add settings to DB as stated in Readme (https://github.com/owncloud/openidconnect#settings-in-database)
  - update oc_appconfig set configvalue='{ "provider-url": "https://konnect-oidc-210rc2-20211031.jw-qa.owncloud.works", "client-id": "ownCloud", "client-secret": "ownCloud", "loginButtonName": "Kopano", "autoRedirectOnLoginPage": false, "redirect-url": "https://oc1080-oidc-210rc2-20211031.jw-qa.owncloud.works/index.php/apps/openidconnect/redirect", "mode": "userid", "search-attribute": "preferred_username" }' where configkey='openid-connect';
- [x] Enable app. Test login
- [x] Expected behaviour: Login should work

jesmrec commented 3 years ago

@jnweiger no objections from my side. Regular uses cases working fine, and known restrictions are still there, but no blockers.

owncloud / openidconnect

[QA] 2.1.0 Testplan #179

Setup

Testplan

Android

iOS

changelog testing

Test Plan for #167