From 8a7c0d8328e5c16c7d876c3dda9d89f5a6772401 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 02:04:18 +0100 Subject: [PATCH] M6.5: keycloak upgrade + backup stages (DB data survival via realm marker) Co-Authored-By: Claude Opus 4.7 (1M context) --- tests/keycloak/kc_admin.py | 57 ++++++++++++++++++++++++++++++++++ tests/keycloak/test_backup.py | 30 ++++++++++++++++++ tests/keycloak/test_upgrade.py | 39 +++++++++++++++++++++++ 3 files changed, 126 insertions(+) create mode 100644 tests/keycloak/kc_admin.py create mode 100644 tests/keycloak/test_backup.py create mode 100644 tests/keycloak/test_upgrade.py diff --git a/tests/keycloak/kc_admin.py b/tests/keycloak/kc_admin.py new file mode 100644 index 0000000..5caea7e --- /dev/null +++ b/tests/keycloak/kc_admin.py @@ -0,0 +1,57 @@ +"""Recipe-specific keycloak admin-API helpers (not harness). Used by the upgrade/backup stages to +write a real data marker (a realm) into mariadb and verify it survives upgrade / backup-restore.""" +import json +import ssl +import sys +import urllib.parse +import urllib.request + +sys.path.insert(0, __file__.rsplit("/tests/", 1)[0] + "/runner") +from harness import lifecycle # noqa: E402 + +MARKER_REALM = "cimarker" +_CTX = ssl.create_default_context() +_CTX.check_hostname = False +_CTX.verify_mode = ssl.CERT_NONE + + +def admin_password(domain: str) -> str: + """Read the abra-generated admin password from inside the running keycloak container.""" + return lifecycle.exec_in_app(domain, ["cat", "/run/secrets/admin_password"]).strip() + + +def admin_token(domain: str, password: str, user: str = "admin") -> str: + data = urllib.parse.urlencode({ + "grant_type": "password", "client_id": "admin-cli", "username": user, "password": password, + }).encode() + req = urllib.request.Request( + f"https://{domain}/realms/master/protocol/openid-connect/token", data=data, + headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST") + with urllib.request.urlopen(req, timeout=30, context=_CTX) as r: + return json.load(r)["access_token"] + + +def _admin(domain, token, path, method="GET", body=None): + data = json.dumps(body).encode() if body is not None else None + headers = {"Authorization": "Bearer " + token} + if data: + headers["Content-Type"] = "application/json" + req = urllib.request.Request(f"https://{domain}/admin{path}", data=data, headers=headers, + method=method) + try: + with urllib.request.urlopen(req, timeout=30, context=_CTX) as r: + return r.status + except urllib.error.HTTPError as e: + return e.code + + +def create_marker_realm(domain, token): + return _admin(domain, token, "/realms", "POST", {"realm": MARKER_REALM, "enabled": True}) + + +def marker_realm_exists(domain, token) -> bool: + return _admin(domain, token, f"/realms/{MARKER_REALM}") == 200 + + +def delete_marker_realm(domain, token): + return _admin(domain, token, f"/realms/{MARKER_REALM}", "DELETE") diff --git a/tests/keycloak/test_backup.py b/tests/keycloak/test_backup.py new file mode 100644 index 0000000..301b991 --- /dev/null +++ b/tests/keycloak/test_backup.py @@ -0,0 +1,30 @@ +"""keycloak — backup/restore stage (D2): create a realm, backup, delete it (mutate), restore, +assert the realm is back (mariadb restored to the backed-up state).""" +import os +import sys + +sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner")) +from harness import lifecycle # noqa: E402 +import kc_admin # noqa: E402 + + +def test_backup_mutate_restore(deployed): + domain = deployed + pw = kc_admin.admin_password(domain) + tok = kc_admin.admin_token(domain, pw) + + # 1) create the marker realm, then back up + assert kc_admin.create_marker_realm(domain, tok) in (201, 409) + assert kc_admin.marker_realm_exists(domain, tok) + lifecycle.backup_app(domain) + + # 2) mutate: delete the realm + assert kc_admin.delete_marker_realm(domain, tok) in (204, 200) + assert not kc_admin.marker_realm_exists(domain, tok), "delete did not take" + + # 3) restore -> realm returns + lifecycle.restore_app(domain) + lifecycle.wait_healthy(domain, path="/realms/master", ok_codes=(200,), + deploy_timeout=600, http_timeout=600) + tok2 = kc_admin.admin_token(domain, pw) + assert kc_admin.marker_realm_exists(domain, tok2), "restore did not bring back the realm" diff --git a/tests/keycloak/test_upgrade.py b/tests/keycloak/test_upgrade.py new file mode 100644 index 0000000..a88071d --- /dev/null +++ b/tests/keycloak/test_upgrade.py @@ -0,0 +1,39 @@ +"""keycloak — upgrade stage (D2): deploy previous version, create a realm (DB data), upgrade to +current/$REF, assert the app is healthy and the realm survived (mariadb data preserved).""" +import os +import sys + +import pytest + +sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner")) +from harness import lifecycle # noqa: E402 +import kc_admin # noqa: E402 + + +@pytest.fixture +def old_app(recipe, app_domain, meta, request): + prev = lifecycle.previous_version(recipe) + if not prev: + pytest.skip(f"{recipe}: no previous published version") + lifecycle.janitor() + request.addfinalizer(lambda: lifecycle.teardown_app(app_domain)) + lifecycle.deploy_app(recipe, app_domain, version=prev) + lifecycle.wait_healthy(app_domain, ok_codes=tuple(meta["HEALTH_OK"]), path=meta["HEALTH_PATH"], + deploy_timeout=meta["DEPLOY_TIMEOUT"], http_timeout=meta["HTTP_TIMEOUT"]) + return app_domain, prev + + +def test_upgrade_preserves_realm(old_app, meta): + domain, prev = old_app + pw = kc_admin.admin_password(domain) + tok = kc_admin.admin_token(domain, pw) + assert kc_admin.create_marker_realm(domain, tok) in (201, 409) + assert kc_admin.marker_realm_exists(domain, tok), "marker realm not created" + + lifecycle.upgrade_app(domain, version=os.environ.get("VERSION") or None) + lifecycle.wait_healthy(domain, ok_codes=tuple(meta["HEALTH_OK"]), path=meta["HEALTH_PATH"], + deploy_timeout=meta["DEPLOY_TIMEOUT"], http_timeout=meta["HTTP_TIMEOUT"]) + + # re-auth (token from the old instance is fine, but get a fresh one post-upgrade) and verify + tok2 = kc_admin.admin_token(domain, pw) + assert kc_admin.marker_realm_exists(domain, tok2), "realm did not survive the upgrade"