owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

[QA] 2.2.0 Testplan #240

Closed jnweiger closed 1 year ago

jnweiger commented 2 years ago

Setup

Setup details

Automated setup script: github.com/owncloud/QA/tools/hetzner-deploy/make_openidconnect_test.sh

- 159.69.182.145 https://oc10110-oidc220rc6-20221024.jw-qa.owncloud.works
- 167.235.226.62 https://oc1010-oidc220rc6-20221024.jw-qa.owncloud.works
- 49.12.75.160 https://oc1091-oidc220rc6-20221024.jw-qa.owncloud.works
- login via 'Kopano' with user: aaliyah_abernathy pass: secret
- login via 'Kopano' with user: aaron_beer pass: secret
- update setups
- 116.203.250.55 https://oc10110-oidc100-20221024.jw-qa.owncloud.works
- 49.12.247.185 https://oc10110-oidc211-20221024.jw-qa.owncloud.works

Template: https://github.com/owncloud/QA/blob/master/Server/Test_Plan_openidconnect.md

References:

* https://github.com/owncloud/docs/issues/2855#issuecomment-719944884
* https://doc.owncloud.com/server/admin_manual/configuration/user/oidc/
* https://github.com/owncloud/openidconnect/issues/66#issuecomment-679093440
* https://github.com/owncloud/openidconnect/issues/66#issuecomment-708217650
* https://github.com/owncloud/openidconnect/issues/66#issuecomment-709999406
* https://github.com/owncloud/QA/blob/master/Mobile/GenericTPs/OIDC.md
* https://github.com/owncloud/QA/blob/master/Server/Test_Plan_OAuth2.md
* https://github.com/owncloud/QA/blob/master/Server/Test_Plan_Pluggable_Auth.md

Testplan

Needs update!


| Test Case | Description | Expected Result | Comments |
|---|---|---|---|
| **Installation** | | | |
| Fresh install | occ app:enable openidconnect | app gets enabled | :heavy_check_mark: |
| Fresh install | disable/enable via admin web gui | app gets disabled/enabled | :heavy_check_mark: |
| Update from 1.0.0 | disable, unpack new tar, enable via admin web gui | app gets enabled | :heavy_check_mark: occ upgrade is needed. #135 |
| Update from 2.1.1 | same as above, or use occ market:in -l ... | app gets enabled | XXX :heavy_check_mark: |
| **User flow** | | | |
| Correct OIDC URL | Set a correct OIDC URL | Connection set to the URL | :heavy_check_mark: as per INIT.bashrc |
| Enter correct iDP credentials | 1. Set a correct OIDC URL<br>2. Enter correct credentials | IDP can be accessed. | XXX :heavy_check_mark: |
| Authorization | Authorize permissions and session | iDP finishes web browser and redirects to ownCloud | XXX :heavy_check_mark: |
| Cancel login process | 1. Set a correct OIDC URL<br>2. In iDP, cancel login process | Back to client | :no_entry_sign: Error in OpenIdConnect: Error: access_denied Description: consent denied -> https://github.com/owncloud/core/issues/40403 XXX |
| Logout | 1. Complete login process in an OIDC server<br>2. Logout in the idP | Session logged out. Credentials needed again to enter the account | :heavy_check_mark: Stranded at kopano-/keycloak-url, oc-url would be better -> https://github.com/owncloud/openidconnect/issues/276 |
| **Request flow** | | | |
| Check openid-configuration request | Enter a URL of the OIDC server | The .well-known/openid-configuration endpoint must be checked to assure availability of OIDC. Response received | :heavy_check_mark: may be available at both, owncloud and kopano, technically needed at kopano. E.g. https://k-oc1091-oidc220rc5-20220928.jw-qa.owncloud.works/.well-known/openid-configuration |
| register endpoint available | In case the server supports Dynamic Client Registration, the register endpoint is requested | Client id and secret id (not mandatory) is retrieved | :heavy_check_mark: XXX keycloak responds with 403. rejected request to client-registration service. Details: Host not trusted. |
| idP flow | Enter credentials in iDP | The logon endpoint is requested after entering credentials<br>The authorize endpoint is requested after authorizing | :no_entry: /signin/v1/chooseaccount<br>/signin/v1/identifier<br>/signin/v1/consent<br>http://localhost:44155/<br>neither logon nor /signin/ can be found in the client log file. |
| idP flow with dynamic client registration | Enter credentials in iDP | The logon endpoint is requested after entering credentials<br>The authorize endpoint is requested after authorizing, using the client id and secret id granted by the register endpoint | |
| Redirection | Authorize session in idP | Web browser redirects correctly to the client and with session opened | :heavy_check_mark: |
| Token Renewal | Wait till session time is exceeded | token endpoint is requested with refresh token to get a new token. This must be transparent for the client | :heavy_check_mark: 01-22 09:10:46:385 [ info sync.httplogger ]: ... \"expires_in\": 600\n}\n]"<br>01-22 09:21:03:624 [ info sync.credentials.http ]: Refreshing token<br>01-22 09:21:03:759 [ info sync.httplogger ]: ... Request: POST ... /konnect/v1/token<br>it is 300 sec 2023-01-23 |
| ClientId/SecretId renewal | Wait till clientId/SecretId granted by the register endpoint expire | New ClientId/SecretId must be granted to request new tokens | :heavy_check_mark: renewal seen after 5 minutes. See log example below https://github.com/owncloud/openidconnect/issues/132#issuecomment-768982643 |
| **Migration** | | | |
| Basic -> OIDC | 1. Login in basic auth server<br>2. Enable maintenance mode and upgrade to OIDC<br>3. add 'token_auth_enforced' => true to config.php<br>4. Disable maintenance mode | Client shows an error and user must re-authenticate against new OIDC | :construction: Server replied "599" after 30 sec.; see also #136 |
| OAuth2 -> OIDC | 1. Login in OAuth2 server<br>2. Enable maintenance mode and upgrade to OIDC<br>3. Disable maintenance mode | Token not valid anymore, and user must re-authenticate against new OIDC | :construction: Unclear expectations: https://github.com/owncloud/openidconnect/issues/66#issuecomment-718560009 |
| OAuth2 -> OIDC + OAuth2 | 1. Login in OAuth2 server<br>2. Enable maintenance mode and upgrade to OIDC, keeping OAuth2 enabled<br>3. Disable maintenance mode | Token is not valid anymore. Must re-authenticate to start using OIDC | :construction: |

Android

After releasing 2.16, authentication library will be replaced for a custom implementation. Tests here will be done with such implementation as well

Actually, Android does not support Dynamic Client Registration yet.

Openidconnect: 2.x.x Device: Google Pixel 2 Android version: 11


| Test Case | Description | Expected Result | Comments |
|---|---|---|---|
| **User flow** | | | |
| Correct OIDC URL | Set a correct OIDC URL | Connection set to the URL | 3.0: :heavy_check_mark: |
| Enter correct iDP credentials | 1. Set a correct OIDC URL<br>2. Enter correct credentials | Authorization is requested | 3.0: :heavy_check_mark: |
| Authorization | Authorize permissions and session | iDP finishes web browser and redirects to the client | 3.0: :heavy_check_mark: |
| Cancel login process | 1. Set a correct OIDC URL<br>2. In iDP, cancel login process | Back to client | 3.0: :construction: XXX there is no cancel at keycloak |
| Logout | 1. Complete login process in an OIDC server<br>2. Logout in the idP | Session logged out. Credentials needed again to enter the account | :no_entry: XXX There is no logout at Android, a new reconnect is automatically logged in, not possible to choose a different user. -> https://github.com/owncloud/android/issues/3872 |
| **Request flow** | | | |
| Check openid-configuration request | Enter a URL of the OIDC server | The .well-known/openid-configuration endpoint must be checked to assure availability of OIDC. Response received | :heavy_check_mark: |
| register endpoint available | In case the server supports Dynamic Client Registration, the register endpoint is requested | Client id and secret id (not mandatory) is retrieved | NA Android does not support it yet |
| idP flow | Enter credentials in iDP | The logon endpoint is requested after entering credentials<br>The authorize endpoint is requested after authorizing | :heavy_check_mark: |
| idP flow with dynamic client registration | Enter credentials in iDP | The logon endpoint is requested after entering credentials<br>The authorize endpoint is requested after authorizing, using the client id and secret id granted by the register endpoint | NA Android does not support it yet |
| Redirection | Authorize session in idP | Web browser redirects correctly to the client and with session opened | :heavy_check_mark: |
| Renewal | Wait till session time is exceeded | token endpoint is requested with refresh token to get a new token. This must be transparent for the client | :no_entry: XXX The android client prompts with an expired message. User has to confirm manually to extend the token -> https://github.com/owncloud/android/issues/3873 |
| ClientId/SecretId renewal | Wait till clientId/SecretId granted by the register endpoint expire | New ClientId/SecretId must be granted to request new tokens | NA Android does not support it yet |
| **Migration** | | | |
| Basic -> OIDC | 1. Login in basic auth server<br>2. Enable maintenance mode and upgrade to OIDC<br>3. Disable maintenance mode<br>4. Force re-login | User must re-authenticate against new OIDC | 2.16 :construction:<br>New: :construction: |
| OAuth2 -> OIDC | 1. Login in OAuth2 server<br>2. Enable maintenance mode and upgrade to OIDC<br>3. Disable maintenance mode | Token not valid anymore, and user must re-authenticate against new OIDC | 2.16 :construction:<br>New :construction: |
| OAuth2 -> OIDC + OAuth2 | 1. Login in OAuth2 server<br>2. Enable maintenance mode and upgrade to OIDC, keeping OAuth2 enabled<br>3. Disable maintenance mode | Token is not valid anymore. Must re-authenticate to start using OIDC | 2.16 :construction:<br>New: :construction: |

Smoke test: 2.16 :construction: New :construction:

iOS

Openidconnect: 2.x.x Device: iPhoneXR iOS version: 14.2

Tested with the current stable 11.4.5 and the new one 11.5, including Dynamic Client Registration


| Test Case | Description | Expected Result | Comments |
|---|---|---|---|
| **User flow** | | | |
| Correct OIDC URL | Set a correct OIDC URL | Connection set to the URL | 11.4: :construction:<br>11.5 :construction: |
| Enter correct iDP credentials | 1. Set a correct OIDC URL<br>2. Enter correct credentials | Authorization is requested | 11.4: :construction:<br>11.5 :construction: |
| Authorization | Authorize permissions and session | iDP finishes web browser and redirects to the client | 11.11 :heavy_check_mark: |
| Cancel login process | 1. Set a correct OIDC URL<br>2. In iDP, cancel login process | Back to client | 11.4: :construction:<br>11.5 :construction: |
| Logout | 1. Complete login process in an OIDC server<br>2. Logout in the idP | Session logged out. Credentials needed again to enter the account | NA |
| **Request flow** | | | |
| Check openid-configuration request | Enter a URL of the OIDC server | The .well-known/openid-configuration endpoint must be checked to assure availability of OIDC. Response received | 11.4: :construction:<br>11.5 :construction: |
| register endpoint available | In case the server supports Dynamic Client Registration, the register endpoint is requested | Client id and secret id (not mandatory) is retrieved | 11.4: NA<br>11.5 :construction: |
| idP flow | Enter credentials in iDP | The logon endpoint is requested after entering credentials<br>The authorize endpoint is requested after authorizing | 11.4: :construction:<br>11.5 :construction: |
| idP flow with dynamic client registration | Enter credentials in iDP | The logon endpoint is requested after entering credentials<br>The authorize endpoint is requested after authorizing, using the client id and secret id granted by the register endpoint | 11.4: NA<br>11.5 :construction: |
| Redirection | Authorize session in idP | Web browser redirects correctly to the client and with session opened | 11.4: :construction:<br>11.5 :construction: |
| Renewal | Wait till session time is exceeded | token endpoint is requested with refresh token to get a new token. This must be transparent for the client | 11.4:<br>11.5 :construction: |
| ClientId/SecretId renewal | Wait till clientId/SecretId granted by the register endpoint expire | New ClientId/SecretId must be granted to request new tokens | 11.4: NA<br>11.5 :construction: |
| **Migration** | | | |
| Basic -> OIDC | 1. Login in basic auth server<br>2. Enable maintenance mode and upgrade to OIDC<br>3. Disable maintenance mode<br>4. Force re-login | User must re-authenticate against new OIDC | NA Not supported. Link |
| OAuth2 -> OIDC | 1. Login in OAuth2 server<br>2. Enable maintenance mode and upgrade to OIDC<br>3. Disable maintenance mode | Token not valid anymore, and user must re-authenticate against new OIDC | 11.4 :construction:<br>11.5 :construction: |
| OAuth2 -> OIDC + OAuth2 | 1. Login in OAuth2 server<br>2. Enable maintenance mode and upgrade to OIDC, keeping OAuth2 enabled<br>3. Disable maintenance mode | Token is not valid anymore. Must re-authenticate to start using OIDC | 11.4: :construction:<br>11.5 :construction: |
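Added example for the "Request flow" rows of the test plans above (this is not code from the issue, the openidconnect app or any ownCloud client). It does two things a tester can automate: it validates a constructed openid-configuration document the way the "Check openid-configuration request" and "register endpoint available" rows describe (required endpoints present, everything served over https, issuer consistent with the discovery URL, Dynamic Client Registration advertised or not), and it reads sync-log lines shaped like the ones quoted in the desktop "Token Renewal" row to measure how long after the token response the client issued its refresh, which is how you tell whether renewal was still "transparent for the client". The hostname idp.example.test, the endpoint paths and the log lines are assumptions constructed for the example.

```python
import json
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample discovery document (assumption, not captured from a real
# IdP); the field names are the standard OpenID Connect Discovery 1.0 ones.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/konnect/v1/authorize",
    "token_endpoint": "https://idp.example.test/konnect/v1/token",
    "jwks_uri": "https://idp.example.test/konnect/v1/jwks.json",
    "registration_endpoint": "https://idp.example.test/konnect/v1/register",
    "response_types_supported": ["code"],
})

# Constructed sync-log lines shaped like the desktop client lines quoted in the
# "Token Renewal" row (timestamps and expires_in follow the plan; text is retyped).
SAMPLE_LOG = [
    '01-22 09:10:46:385 [ info sync.httplogger ]: ... "expires_in": 600',
    '01-22 09:21:03:624 [ info sync.credentials.http ]: Refreshing token',
    '01-22 09:21:03:759 [ info sync.httplogger ]: ... Request: POST ... /konnect/v1/token',
]

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(body, discovery_url):
    """Validate an openid-configuration body: required endpoints present, every
    endpoint served over https, and the issuer consistent with the URL the
    document was fetched from (Discovery 1.0 places the document at
    <issuer>/.well-known/openid-configuration). Also reports whether the
    'register endpoint available' row applies at all."""
    doc = json.loads(body)
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    issuer = str(doc.get("issuer", "")).rstrip("/")
    if discovery_url != issuer + "/.well-known/openid-configuration":
        problems.append("issuer does not match discovery URL")
    for key, value in doc.items():
        if key.endswith(("_endpoint", "_uri")) and isinstance(value, str):
            if urlsplit(value).scheme != "https":
                problems.append(f"{key} is not https")
    return {
        "ok": not problems,
        "problems": problems,
        "dynamic_registration": "registration_endpoint" in doc,
    }


# Shape of the quoted client log: "MM-DD HH:MM:SS:mmm [ level logger ]: message"
LOG_LINE = re.compile(
    r"^(\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(\d{3}) \[ (\w+) ([\w.]+) \]: (.*)$")


def parse_log_line(line):
    """Split one client log line into timestamp, level, logger and message.
    The year is not in the line, so timestamps are only comparable within one run."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    stamp, ms, level, logger, msg = m.groups()
    when = datetime.strptime(stamp, "%m-%d %H:%M:%S") + timedelta(milliseconds=int(ms))
    return {"when": when, "level": level, "logger": logger, "msg": msg}


def renewal_timeline(lines):
    """Return (expires_in, seconds between the token response and the
    'Refreshing token' line), or None if either event is absent. A gap larger
    than expires_in means the client refreshed only after the token had expired."""
    issued = expires_in = refreshed = None
    for rec in filter(None, map(parse_log_line, lines)):
        m = re.search(r'"expires_in":\s*(\d+)', rec["msg"])
        if m and issued is None:
            issued, expires_in = rec["when"], int(m.group(1))
        elif "Refreshing token" in rec["msg"] and refreshed is None:
            refreshed = rec["when"]
    if issued is None or refreshed is None:
        return None
    return expires_in, (refreshed - issued).total_seconds()


def should_refresh(issued_at, expires_in, now, margin=60):
    """Refresh policy that keeps renewal transparent: renew `margin` seconds
    before expiry instead of waiting for the first rejected request."""
    return now >= issued_at + expires_in - margin


if __name__ == "__main__":
    url = "https://idp.example.test/.well-known/openid-configuration"
    print(check_discovery(SAMPLE_DISCOVERY, url))
    print(renewal_timeline(SAMPLE_LOG))
```

On the sample log the refresh lands about 617 seconds after a token with `expires_in` 600, so the renewal happened after expiry; `should_refresh` shows the policy a client needs to stay ahead of that. Note the plan remarks that the discovery document may be reachable on both the ownCloud and the Kopano host: the issuer check here follows the Discovery 1.0 rule, so a document served from a host other than the issuer is reported as a mismatch rather than silently accepted.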

jnweiger commented 2 years ago

Changelog testing

GeraldLeikam commented 1 year ago

@jnweiger Please check your install script

The given urls all had a hyphen between appname and appversion, which is why the urls don't work.

Correct would be:

jnweiger commented 1 year ago

QA passed, with several (minor) defects, see https://github.com/owncloud/openidconnect/issues/241#issuecomment-1207181287