Add OpenID authentication support using a KeyCloak server

api/agent.go

@@ -363,7 +363,7 @@ func NewControllerWrapper(config *loadtest.Config, controllerConfig interface{},
 
 	creds, err := getUserCredentials(config.UsersConfiguration.UsersFilePath, config)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error getting user credentials from file: %w", err)
 	}
 
 	modAdmins := 0
@@ -373,7 +373,7 @@ func NewControllerWrapper(config *loadtest.Config, controllerConfig interface{},
 
 	err = createCustomEmoji(config)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error creating custom emoji from config: %w", err)
 	}
 	mlog.Info("Custom emoji created")
 
@@ -383,6 +383,7 @@ func NewControllerWrapper(config *loadtest.Config, controllerConfig interface{},
 		username := fmt.Sprintf("%s-%d", namePrefix, id)
 		email := fmt.Sprintf("%s-%d@example.com", namePrefix, id)
 		password := "testPass123$"
+		authenticationType := userentity.AuthenticationTypeMattermost
 
 		if modAdmins > 0 && id%modAdmins == 0 {
 			username = ""
@@ -395,15 +396,30 @@ func NewControllerWrapper(config *loadtest.Config, controllerConfig interface{},
 			username = creds[id].username
 			email = creds[id].email
 			password = creds[id].password
+
+			// Check if the user has a custom authentication type. Custom authentication types are
+			// specified by prepending the username with the authentication type followed by a colon.
+			// Example: "openid:user1@test.mattermost.com user1password"
+			if strings.Contains(username, ":") {
+				usernameParts := strings.Split(username, ":")
+				authenticationType = usernameParts[0]
+				username = usernameParts[1]
+
+				// Fix the email as well
+				emailParts := strings.Split(email, ":")
+				email = emailParts[1]
+			}
 		}
 
 		ueConfig := userentity.Config{
-			ServerURL:    config.ConnectionConfiguration.ServerURL,
-			WebSocketURL: config.ConnectionConfiguration.WebSocketURL,
-			Username:     username,
-			Email:        email,
-			Password:     password,
+			ServerURL:          config.ConnectionConfiguration.ServerURL,
+			WebSocketURL:       config.ConnectionConfiguration.WebSocketURL,
+			AuthenticationType: authenticationType,
+			Username:           username,
+			Email:              email,
+			Password:           password,
 		}
+
 		store, err := memstore.New(&memstore.Config{
 			MaxStoredPosts:          250,
 			MaxStoredUsers:          500,
@@ -413,11 +429,11 @@ func NewControllerWrapper(config *loadtest.Config, controllerConfig interface{},
 			MaxStoredReactions:      10,
 		})
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("error creating memory store: %w", err)
 		}
 
 		if err := store.SetServerVersion(serverVersion); err != nil {
-			return nil, err
+			return nil, fmt.Errorf("error setting server version: %w", err)
 		}
 
 		ueSetup := userentity.Setup{
@@ -527,7 +543,7 @@ func createCustomEmoji(config *loadtest.Config) error {
 	}
 	sysadmin := createSysAdmin(adminStore, config)
 	if err := sysadmin.Login(); err != nil {
-		return err
+		return fmt.Errorf("error login as sysadmin: %w", err)
 	}
 
 	emoji := &model.Emoji{

deployment/config.go

@@ -51,6 +51,8 @@ type Config struct {
 	ExternalDBSettings ExternalDBSettings
 	// External bucket connection settings.
 	ExternalBucketSettings ExternalBucketSettings
+	// ExternalAuthProviderSettings contains the settings for configuring an external auth provider.
+	ExternalAuthProviderSettings ExternalAuthProviderSettings
 	// URL from where to download Mattermost release.
 	// This can also point to a local binary path if the user wants to run loadtest
 	// on a custom build. The path should be prefixed with "file://". In that case,
@@ -114,6 +116,8 @@ type StorageSizes struct {
 	Job int `default:"50"`
 	// Size, in GiB, for the storage of the elasticsearch instances
 	ElasticSearch int `default:"20"`
+	// Size, in GiB, for the storage of the keycloak instances
+	KeyCloak int `default:"10"`
 }
 
 // PyroscopeSettings contains flags to enable/disable the profiling
@@ -179,6 +183,44 @@ type ExternalBucketSettings struct {
 	AmazonS3SSE             bool   `default:"false"`
 }
 
+// ExternalAuthProviderSettings contains the necessary data
+// to configure an external auth provider.
+type ExternalAuthProviderSettings struct {
+	// Enabled is set to true if the external auth provider should be enabled.
+	Enabled bool `default:"false"`
+	// DevelopmentMode is set to true if the keycloak instance should be started in development mode.
+	DevelopmentMode bool `default:"true"`
+	// KeycloakVersion is the version of keycloak to deploy.
+	KeycloakVersion string `default:"24.0.2"`
+	// KeycloakInstanceType is the type of the EC2 instance for keycloak.
+	InstanceType string `default:"c5.xlarge"`
+	// KeycloakAdminUser is the username of the keycloak admin interface (admin on the master realm)
+	KeycloakAdminUser string `default:"mmuser" validate:"notempty"`
+	// KeycloakAdminPassword is the password of the keycloak admin interface (admin on the master realm)
+	KeycloakAdminPassword string `default:"mmpass" validate:"notempty"`
+	// KeycloakRealmFilePath is the path to the realm file to be uploaded to the keycloak instance.
+	// If empty, a default realm file will be used.
+	KeycloakRealmFilePath string `default:""`
+	// KeycloakDBDumpURI
+	// An optional URI to a keycloak database dump file to be uploaded on environment
+	// creation.
+	// The file is expected to be the h2 folder gzip compressed.
+	// This can also point to a local file if prefixed with "file://".
+	// In such case, the dump file will be uploaded to the app servers.
+	KeycloakDBDumpURI string `default:""`
+	// GenerateUsersCount is the number of users to generate in the keycloak instance.
+	GenerateUsersCount int `default:"0" validate:"range:[0,)"`
+	// KeycloakRealmName is the name of the realm to be used in Mattermost. Must exist in the keycloak instance.
+	// Is used when creating users and to properly set the OpenID configuration in Mattermost.
+	KeycloakRealmName string `default:"mattermost"`
+	// KeycloakClientID is the client id to be used in Mattermost from the above realm.
+	// Must exist in the keycloak instance
+	KeycloakClientID string `default:"mattermost-openid"`
+	// KeycloakClientSecret is the client secret from the above realm to be used in Mattermost.
+	// Must exist in the keycloak instance
+	KeycloakClientSecret string `default:"qbdUj4dacwfa5sIARIiXZxbsBFoopTyf"`
+}
+
 // ElasticSearchSettings contains the necessary data
 // to configure an ElasticSearch instance to be deployed
 // and provisioned.

deployment/terraform/agent.go

@@ -129,6 +129,27 @@ func (t *Terraform) configureAndRunAgents(extAgent *ssh.ExtAgent) error {
 			batch = append(batch, uploadInfo{srcData: strings.Join(splitFiles[i], "\n"), dstPath: dstUsersFilePath, msg: "Uploading list of users credentials"})
 		}
 
+		// If SiteURL is set, update /etc/hosts to point to the correct IP
+		if t.config.SiteURL != "" {
+			output, err := t.Output()
+			if err != nil {
+				return err
+			}
+
+			// The new entry in /etc/hosts will make SiteURL point to:
+			// - The first instance's IP if there's a single node
+			// - The proxy's IP if there's more than one node
+			ip := output.Instances[0].PrivateIP
+			if output.HasProxy() {
+				ip = output.Proxy.PrivateIP
+			}
+
+			proxyHost := fmt.Sprintf("%s %s\n", ip, t.config.SiteURL)
+			appHostsFile := fmt.Sprintf(appHosts, proxyHost)
+
+			batch = append(batch, uploadInfo{srcData: appHostsFile, dstPath: "/etc/hosts", msg: "Updating /etc/hosts to point to the correct IP"})
+		}
+
 		if err := uploadBatch(sshc, batch); err != nil {
 			return fmt.Errorf("batch upload failed: %w", err)
 		}

deployment/terraform/assets/cluster.tf

@@ -701,3 +701,80 @@ resource "null_resource" "s3_dump" {
     command = "aws --profile ${var.aws_profile} s3 cp ${var.s3_bucket_dump_uri} s3://${aws_s3_bucket.s3bucket[0].id} --recursive"
   }
 }
+
+// Keycloak
+resource "aws_instance" "keycloak" {
+  tags = {
+    Name = "${var.cluster_name}-keycloak"
+  }
+
+  connection {
+    # The default username for our AMI
+    type = "ssh"
+    user = "ubuntu"
+    host = self.public_ip
+  }
+
+  ami           = var.aws_ami
+  instance_type = var.keycloak_instance_type
+  count         = var.keycloak_enabled ? 1 : 0
+  key_name      = aws_key_pair.key.id
+
+  vpc_security_group_ids = [
+    aws_security_group.keycloak[0].id,
+  ]
+
+  root_block_device {
+    volume_size = var.block_device_sizes_keycloak
+    volume_type = var.block_device_type
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "set -o errexit",
+      "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for cloud-init...'; sleep 1; done",
+      "sudo apt-get -y update",
+      "sudo apt-get install unzip openjdk-17-jre postgresql postgresql-contrib -y",
+      "sudo mkdir -p /opt/keycloak",
+      "sudo curl -O -L --output-dir /opt/keycloak https://github.com/keycloak/keycloak/releases/download/${var.keycloak_version}/keycloak-${var.keycloak_version}.zip",
+      "sudo unzip /opt/keycloak/keycloak-${var.keycloak_version}.zip -d /opt/keycloak",
+      "sudo mkdir -p /opt/keycloak/keycloak-${var.keycloak_version}/data/import",
+      "sudo chown -R ubuntu:ubuntu /opt/keycloak",
+    ]
+  }
+}
+
+resource "aws_security_group" "keycloak" {
+  count       = var.keycloak_enabled ? 1 : 0
+  name        = "${var.cluster_name}-keycloak-security-group"
+  description = "KeyCloak security group for loadtest cluster ${var.cluster_name}"
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = local.private_ip != "" ? ["${local.public_ip}/32", "${local.private_ip}/32"] : ["${local.public_ip}/32"]
+  }
+
+  // To access keycloak
+  ingress {
+    from_port   = 8443
+    to_port     = 8443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 8080
+    to_port     = 8080
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}