mirror of
https://github.com/open-metadata/OpenMetadata
synced 2026-05-24 09:39:11 +00:00
0a98f5bf32
* test(playwright): add nightly SSO login spec starting with Okta
Extends Playwright coverage end-to-end for SSO login flows. Today's SSO
coverage (Features/SSOConfiguration.spec.ts) only asserts the config
form UI. This adds a new suite that configures OpenMetadata to an
external identity provider, drives a real login through the provider's
hosted UI, and validates the resulting session against the OM API.
Phase 1 ships Okta only (integrator-9351624.okta.com). Additional
providers (Auth0, Azure, Cognito, SAML, Google) plug into the same
dispatcher by adding a ProviderHelper implementation.
## What's new
- playwright/e2e/Auth/SSOLogin.spec.ts — two-test suite tagged @sso
1. Asserts the SSO sign-in button renders on /signin with the correct
brand label and that the basic-auth form is not shown.
2. Clicks the button, drives the provider's login widget, follows the
OAuth callback, completes first-run self-signup when needed,
lands on /my-data, then verifies the JWT by calling
GET /api/v1/users/loggedInUser and asserting the returned email
matches SSO_USERNAME.
- playwright/utils/ssoAuth.ts — provider-agnostic orchestration:
applyProviderConfig (PUT /api/v1/system/security/config),
restoreBasicAuth, buildAuthContextFromJwt, verifyLoggedInUserMatches.
Composes existing getApiContext/getAuthContext/getToken helpers — no
token extraction or HTTP plumbing is reimplemented.
- playwright/utils/sso-providers/{index,okta}.ts — ProviderHelper
interface plus the Okta Identity Engine widget driver. Defaults the
dev tenant values from the committed openmetadata.yaml snippet so the
spec only needs SSO_USERNAME/SSO_PASSWORD to run locally.
- playwright/constant/ssoAuth.ts — env var key constants,
PROVIDER_BUTTON_TEXT map, and the BASIC_AUTH_CONFIG payload used for
cleanup.
- playwright.config.ts — new 'sso-auth' project matching
playwright/e2e/Auth/**/*.spec.ts with its own serial workers, and
'**/Auth/**' added to the chromium project's testIgnore so these
tests never run in the default suite.
## How provider switching works
beforeAll logs in as admin via basic auth, captures the admin JWT via
getToken(page) BEFORE the swap, then PUTs the Okta config. The admin
JWT survives the provider swap because OM's internal JWKS stays in
publicKeyUrls and the admin user's isAdmin flag is persisted in the DB.
afterAll rebuilds an API context from that JWT and restores basic auth,
making the spec fully idempotent — the same OM instance can run the
suite repeatedly without any manual cleanup.
## Running locally
export SSO_PROVIDER_TYPE=okta
export SSO_USERNAME='<okta-test-user>'
export SSO_PASSWORD='<okta-test-password>'
npx playwright test playwright/e2e/Auth/SSOLogin.spec.ts \
--project=sso-auth --workers=1
Verified end-to-end against integrator-9351624.okta.com — both tests
pass in ~12s on an already-provisioned user, ~14s on first-run
self-signup. Cleanup leaves the server in basic-auth mode.
## Notes for reviewers
- The existing .github/workflows/playwright-sso-tests.yml already wires
up the CI matrix and secret names; this change intentionally does
NOT enable the cron schedule. That lands in a follow-up once one
provider is stable for a few nightly runs.
- OKTA_SSO_CLIENT_ID / OKTA_SSO_DOMAIN / OKTA_SSO_PRINCIPAL_DOMAIN env
vars can override the baked-in dev tenant defaults if a different
Okta tenant is used in CI.
* ci: add dedicated SSO Login Nightly workflow
Adds .github/workflows/playwright-sso-login-nightly.yml, a standalone
workflow that runs the new SSOLogin spec nightly at 03:00 UTC instead
of piggy-backing on playwright-sso-tests.yml.
The existing playwright-sso-tests.yml is left untouched — it still
covers the SSO configuration form UI via SSOConfiguration.spec.ts and
its matrix/secrets wiring is unchanged. The new workflow complements
it with a real end-to-end login round-trip:
- Schedule: cron '0 3 * * *'
- Provider matrix: okta only for Phase 1 (extended as helpers ship)
- Invokes playwright/e2e/Auth/SSOLogin.spec.ts under the new
sso-auth Playwright project with workers=1
- Wires provider credentials via secrets with the existing
{PROVIDER}_SSO_USERNAME / {PROVIDER}_SSO_PASSWORD convention plus
optional OKTA_SSO_CLIENT_ID / OKTA_SSO_DOMAIN /
OKTA_SSO_PRINCIPAL_DOMAIN overrides
- Uses the shared setup-openmetadata-test-environment composite
action, PostgreSQL, ingestion disabled — matching the existing SSO
tests workflow
- Uploads the HTML report as an artifact on every run and cleans up
the docker stack in a final always-run step
* refactor(playwright): simplify ssoAuth helpers
- verifyLoggedInUserMatches now asserts directly on the lowercased
email field instead of building a candidate array and feeding it a
long stringified failure message. The assertion failure already
shows expected vs received, so the wrapper string was just noise.
- Drop buildAuthContextFromJwt — it was a one-line wrapper around
getAuthContext. The spec calls getAuthContext directly now.
* refactor(playwright): address SSO suite review feedback
- Extract OM_BASE_URL from PLAYWRIGHT_TEST_BASE_URL (with the same
http://localhost:8585 default as playwright.config.ts) and export
it from constant/ssoAuth.ts. okta.ts and BASIC_AUTH_CONFIG both
consume it, so callbackUrl, the OM JWKS entry in publicKeyUrls, and
the basic-auth restore payload all match the test target — including
CI runs against non-default hosts.
- Drop PROVIDER_BUTTON_TEXT. It was exported but never imported; the
ProviderHelper.expectedButtonText field is the only source of truth
for the SSO sign-in button label and the spec already reads from it.
- Restore the OM convention adminPrincipals: ['admin'] in the Okta
config (matches conf/openmetadata.yaml's AUTHORIZER_ADMIN_PRINCIPALS
default). The previous code was granting admin to whichever IdP user
ran the suite — verifyLoggedInUserMatches only needs an authenticated
session, not admin, so the elevation was unnecessary. This also drops
the now-unused requireEnv on SSO_USERNAME inside okta.ts; the spec
itself still gates on the env var via test.skip.
- Set workers: 1 on the sso-auth Playwright project. fullyParallel:
false alone wasn't enough — the global workers: 3 on CI could still
fan out across multiple Auth/**/*.spec.ts files in the future. The
explicit limit enforces full isolation as more provider specs land.
* ci: avoid CodeQL "Excessive Secrets Exposure" in SSO Login Nightly
Replaces the dynamic secret lookup
secrets[format('{0}_SSO_USERNAME', upper(matrix.provider))]
with a static reference
secrets.OKTA_SSO_USERNAME
CodeQL flagged the dynamic indexing because GitHub Actions can only
mask & scope secrets that are referenced statically. With a computed
key, the runner has no way to know which single secret is needed and
conservatively materializes EVERY org and repo secret into the step's
environment — even though the test only reads OKTA_SSO_*. Static
references let GitHub expose only the two credentials this step
actually uses.
Phase 1's matrix is okta-only so the change is two lines. The added
inline comment documents the convention for future providers: add a
sibling step gated by `if: matrix.provider == '<provider>'` with that
provider's static secret references — do not bring back the
secrets[format(...)] pattern.
* refactor(playwright): capture/restore real security config in SSO suite
- Snapshot /system/security/config in beforeAll, restore exact payload in
afterAll instead of PUTting a hand-rolled basic-auth baseline (preserves
allowedDomains, forceSecureSessionCookie, adminPrincipals, etc.)
- Strip ldap/saml subtrees from the snapshot: GET returns empty-string
placeholders the PUT validator rejects
- Require OKTA_SSO_{CLIENT_ID,DOMAIN,PRINCIPAL_DOMAIN} via getRequiredEnv;
no more hardcoded tenant defaults
- Fail fast in beforeAll if admin JWT capture returns empty string so the
server is never left stuck in SSO mode
- Shrink Okta provider override to just the fields Okta needs; sibling
authorizer fields come from the captured snapshot
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): extract per-provider composite action
Restructures the nightly workflow so provider credentials stay statically
referenced for CodeQL while making it trivial to add new providers:
- New composite action .github/actions/sso-login-run bundles all shared
setup + test-run logic; pulls non-secret provider config from the
caller's vars context dynamically (${PROVIDER_UPPER}_SSO_*)
- playwright-sso-login-nightly.yml becomes a thin dispatcher with one
real job per provider. Each job declares environment: test so it can
resolve its password via a static secrets.<PROVIDER>_SSO_PASSWORD
reference (no secrets[format(...)] dynamic lookup, CodeQL clean)
- Adding a provider = copy the okta job stanza, swap the secret name,
add the provider to the dispatch input choices, register the helper
in sso-providers/index.ts
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor(playwright): move Okta tenant config to a repo constant
The Okta tenant identifiers (clientId, domain, principalDomain) are
non-secret OAuth public values — visible on the hosted login page
during any sign-in. Keeping them in GitHub environment variables cost
setup friction (5 env vars to configure locally, each a potential typo)
without any security benefit. Move them back to a committed OKTA_TENANT
constant in okta.ts where a reviewer can see exactly which tenant the
suite is exercising.
Net effect:
- Local runs only need SSO_PROVIDER_TYPE, SSO_USERNAME, SSO_PASSWORD.
- The test environment in GH Actions keeps OKTA_SSO_USERNAME (variable)
and OKTA_SSO_PASSWORD (secret); the three tenant variables are no
longer consumed.
- Composite action drops the jq-based dynamic var extraction; the
caller passes sso_username directly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): move timeout-minutes from composite step to job level
Composite actions don't support timeout-minutes on individual steps —
that's a runner job field only. Move the 30-minute test timeout up to
the dispatcher job and bump to 45 minutes to cover docker + maven setup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): consolidate dispatcher + composite action into one file
Collapse the dispatcher workflow + composite action split into a single
~115-line workflow using a strategy matrix and dynamic
vars[format(...)] / secrets[format(...)] credential resolution keyed on
the matrix provider name.
Trade-off:
- CodeQL "Excessive Secrets Exposure" (low severity) will re-flag the
dynamic secret lookup. Accepted in exchange for a single source of
truth and true zero-workflow-churn multi-provider support.
Onboarding a new provider is now:
1. Add its name to the matrix array + dispatch options list.
2. Add <PROVIDER>_SSO_USERNAME (variable) + <PROVIDER>_SSO_PASSWORD
(secret) in the test environment.
3. Register the helper in sso-providers/index.ts.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): drop provider-prefix bash step; use case-insensitive lookup
GitHub secret and variable names are case-insensitive, so
format('{0}_SSO_PASSWORD', matrix.provider) with the lowercase matrix
value resolves correctly against the uppercase conventional names like
OKTA_SSO_PASSWORD. That removes the need for a separate "Compute
provider prefix" step and its cross-step env-context plumbing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): drop redundant case-insensitivity comment
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ci(sso-login): pin playwright install to 1.57.0 to match package.json
The previous 1.51.1 pin was stale vs. the @playwright/test version in
package.json. The mismatch caused browser cache path divergence — the
install step wrote browsers under 1.51.1's cache and the test run
looked for them under 1.57.0's cache and failed with "browsers not
installed."
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor(playwright): address SSO suite review comments [skip ci]
- Drive Okta tenant (clientId, domain, principalDomain) from env vars,
falling back to the existing nightly tenant values as defaults
- Use redirectToHomePage as the final assertion in the SSO login step
- Document why the /signup vs /my-data branch is conditional
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* saml
* test(playwright): add SAML providers to SSO login nightly
Extend the nightly SSO login matrix with Azure AD SAML and a self-contained
Keycloak SAML fixture (Azure-profile + Google-profile realms), so the suite
exercises the full SAML flow end-to-end without relying on a hosted IdP.
- docker/local-sso/keycloak-saml: Keycloak 26.3.3 compose + pre-imported
realms bound to OM at localhost:8585, port-overridable via
KEYCLOAK_SAML_PORT.
- playwright sso-providers: azure-saml helper (hosted tenant, non-secret
federation metadata committed) and keycloak-saml factory that fetches the
realm's IdP X509 at runtime.
- SSO assertion matches OM's actual SAML sign-in label ("Sign in with
SAML SSO"), since providerName isn't propagated into the store for the
SAML provider branch of getAuthConfig.
- Workflow starts/stops the Keycloak stack only for keycloak-* matrix rows
and injects the fixture credentials inline.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor(playwright): fetch Azure SAML IdP cert at runtime
Drop the committed Azure Federated SSO X509 certificate and the
AZURE_SAML_IDP_CERTIFICATE env fallback from the azure-saml provider.
The cert now comes from Azure's federation metadata XML endpoint at test
start, mirroring how the Keycloak provider resolves its realm cert, so the
suite stays aligned with Azure's ~3-year cert rotations automatically.
- New saml-metadata.ts exporting fetchIdpX509Certificate(descriptorUrl,
label), reused by azure-saml and keycloak-saml.
- azure-saml.buildConfigPayload is now async and pulls the cert from
https://login.microsoftonline.com/<tenantId>/federationmetadata/2007-06/federationmetadata.xml
before building the SAML payload.
- keycloak-saml drops its inline cert-fetching helpers and delegates to
the shared util.
- Trim narration comments across the SSO suite to keep only the
non-obvious rationale.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor(playwright): drop hosted Azure SAML provider
The nightly Keycloak SAML fixture with Azure-profile attribute claims
exercises the same OM SAML code path as the hosted Azure AD tenant. The
hosted provider added external tenant/cert coupling without unique
coverage, so this removes it.
Drops the azure-saml helper, its env keys (AZURE_SAML_TENANT_ID /
AZURE_SAML_PRINCIPAL_DOMAIN), the dispatcher registration, and the
workflow dispatch option. Keycloak Azure/Google realms remain.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test(playwright): cover SSO session lifecycle end-to-end
Extends the SSO login spec beyond "can you log in" to the full session
round-trip: reload survives, same-context tabs inherit auth, sidebar
logout (with modal confirm) lands on /signin, and post-logout refresh
stays signed out.
Adds a describe-scoped userContext/userPage created in beforeAll so
tests 2-6 inherit the IdP-backed session; test 1 keeps its fresh
fixture for the unauthenticated assertion. Cleanup closes the user
context before restoring the server security config.
Verified locally against keycloak-azure-saml and keycloak-google-saml
realms: 6 passed each (was 2).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* remove slow from individual spec
* remove slow from beforeAll
* style(playwright): fix SSOLogin spec prettier issues
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test(playwright): tighten SSO sign-in locator and await logout response
Address Copilot review comments on PR #27164:
- Use button.signin-button to match the pattern in SSOAuthentication.spec.ts.
- Await /api/v1/users/logout POST alongside the /signin navigation in
the logout test to remove the race against the server response.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix
* Update openmetadata-ui/src/main/resources/ui/playwright/e2e/Auth/SSOLogin.spec.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix
* test(playwright): resolve SSO creds via env vars, drop keycloak-google-saml
Route Keycloak credentials through the same `vars[format(...)]` /
`secrets[format(...)]` indirection as Okta via an `env_prefix` matrix
column, removing the hardcoded fixture literals from the workflow.
Password lookup falls back `vars || secrets` so fixture passwords can
live as vars while real provider secrets stay in secrets.
Also drop the keycloak-google-saml variant — same IdP and realm shape
as the Azure variant, so it adds CI cost without meaningful coverage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test(playwright): post SSO login nightly results to Slack
Adds a per-provider Slack notification step mirroring the pattern used
by the postgresql/mysql nightly workflows — reuses the existing
`slack-cli.config.json` and `playwright-slack-report` CLI against the
`results.json` that the global JSON reporter already emits.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(playwright): drop logout response wait in SSO spec
OktaAuthenticator.logout clears tokens locally with no backend call, and
GenericAuthenticator (SAML) hits `GET /auth/logout` — neither triggers
the `POST /api/v1/users/logout` the test was waiting on. The listener
never matched, so `Promise.all` hung past the 180s test timeout even
though the page had already navigated to /signin.
Rely on `waitForURL('**/signin')` + the signin button assertion, which
are the actual cross-provider success signals.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Siddhant <siddhant@MacBook-Pro-457.local>
Co-authored-by: Siddhant <siddhant@MacBook-Pro-529.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Siddhant <siddhant@MacBook-Pro-621.local>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
||
|---|---|---|
| .. | ||
| development | ||
| docker-compose-ingestion | ||
| docker-compose-openmetadata | ||
| docker-compose-quickstart | ||
| images/minimal-ubuntu | ||
| local-sso/keycloak-saml | ||
| mysql | ||
| postgresql | ||
| rdf-store | ||
| openmetadata-start.sh | ||
| openmetadata.yaml | ||
| run_local_docker.sh | ||
| run_local_docker_common.sh | ||
| run_local_docker_rdf.sh | ||
| validate_compose.py | ||