Add OpenID authentication support using a KeyCloak server

api/agent.go

@@ -363,7 +363,7 @@ func NewControllerWrapper(config *loadtest.Config, controllerConfig interface{},
 
 	creds, err := getUserCredentials(config.UsersConfiguration.UsersFilePath, config)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error getting user credentials from file: %w", err)
 	}
 
 	modAdmins := 0
@@ -373,7 +373,7 @@ func NewControllerWrapper(config *loadtest.Config, controllerConfig interface{},
 
 	err = createCustomEmoji(config)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error creating custom emoji from config: %w", err)
 	}
 	mlog.Info("Custom emoji created")
 
@@ -383,6 +383,7 @@ func NewControllerWrapper(config *loadtest.Config, controllerConfig interface{},
 		username := fmt.Sprintf("%s-%d", namePrefix, id)
 		email := fmt.Sprintf("%s-%[email protected]", namePrefix, id)
 		password := "testPass123$"
+		authenticationType := userentity.AuthenticationTypeMattermost
 
 		if modAdmins > 0 && id%modAdmins == 0 {
 			username = ""
@@ -395,15 +396,30 @@ func NewControllerWrapper(config *loadtest.Config, controllerConfig interface{},
 			username = creds[id].username
 			email = creds[id].email
 			password = creds[id].password
+
+			// Check if the user has a custom authentication type. Custom authentication types are
+			// specified by prepending the username with the authentication type followed by a colon.
+			// Example: "openid:[email protected] user1password"
+			if usernameParts := strings.Split(username, ":"); len(usernameParts) > 1 {
+				authenticationType = usernameParts[0]
+				username = usernameParts[1]
+
+				// Fix the email as well
+				if emailParts := strings.Split(email, ":"); len(emailParts) > 1 {
+					email = emailParts[1]
+				}
+			}
 		}
 
 		ueConfig := userentity.Config{
-			ServerURL:    config.ConnectionConfiguration.ServerURL,
-			WebSocketURL: config.ConnectionConfiguration.WebSocketURL,
-			Username:     username,
-			Email:        email,
-			Password:     password,
+			ServerURL:          config.ConnectionConfiguration.ServerURL,
+			WebSocketURL:       config.ConnectionConfiguration.WebSocketURL,
+			AuthenticationType: authenticationType,
+			Username:           username,
+			Email:              email,
+			Password:           password,
 		}
+
 		store, err := memstore.New(&memstore.Config{
 			MaxStoredPosts:          250,
 			MaxStoredUsers:          500,
@@ -413,11 +429,11 @@ func NewControllerWrapper(config *loadtest.Config, controllerConfig interface{},
 			MaxStoredReactions:      10,
 		})
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("error creating memory store: %w", err)
 		}
 
 		if err := store.SetServerVersion(serverVersion); err != nil {
-			return nil, err
+			return nil, fmt.Errorf("error setting server version: %w", err)
 		}
 
 		ueSetup := userentity.Setup{
@@ -527,7 +543,7 @@ func createCustomEmoji(config *loadtest.Config) error {
 	}
 	sysadmin := createSysAdmin(adminStore, config)
 	if err := sysadmin.Login(); err != nil {
-		return err
+		return fmt.Errorf("error login as sysadmin: %w", err)
 	}
 
 	emoji := &model.Emoji{

deployment/config.go

@@ -51,6 +51,8 @@ type Config struct {
 	ExternalDBSettings ExternalDBSettings
 	// External bucket connection settings.
 	ExternalBucketSettings ExternalBucketSettings
+	// ExternalAuthProviderSettings contains the settings for configuring an external auth provider.
+	ExternalAuthProviderSettings ExternalAuthProviderSettings
 	// URL from where to download Mattermost release.
 	// This can also point to a local binary path if the user wants to run loadtest
 	// on a custom build. The path should be prefixed with "file://". In that case,
@@ -87,6 +89,11 @@ type Config struct {
 	// This can also point to a local file if prefixed with "file://".
 	// In such case, the dump file will be uploaded to the app servers.
 	DBDumpURI string `default:""`
+	// DBExtraSQL are optional URIs to SQL files containing SQL statements to be applied
+	// to the Mattermost database.
+	// The file is expected to be gzip compressed.
+	// This can also point to a local file if prefixed with "file://".
+	DBExtraSQL []string `default:"[]"`
 	// An optional host name that will:
 	//   - Override the SiteUrl
 	//   - Point to the proxy IP via a new entry in the server's /etc/hosts file
@@ -114,6 +121,8 @@ type StorageSizes struct {
 	Job int `default:"50"`
 	// Size, in GiB, for the storage of the elasticsearch instances
 	ElasticSearch int `default:"20"`
+	// Size, in GiB, for the storage of the keycloak instances
+	KeyCloak int `default:"10"`
 }
 
 // PyroscopeSettings contains flags to enable/disable the profiling
@@ -179,6 +188,43 @@ type ExternalBucketSettings struct {
 	AmazonS3SSE             bool   `default:"false"`
 }
 
+// ExternalAuthProviderSettings contains the necessary data
+// to configure an external auth provider.
+type ExternalAuthProviderSettings struct {
+	// Enabled is set to true if the external auth provider should be enabled.
+	Enabled bool `default:"false"`
+	// DevelopmentMode is set to true if the keycloak instance should be started in development mode.
+	DevelopmentMode bool `default:"true"`
+	// KeycloakVersion is the version of keycloak to deploy.
+	KeycloakVersion string `default:"24.0.2"`
+	// KeycloakInstanceType is the type of the EC2 instance for keycloak.
+	InstanceType string `default:"c5.xlarge"`
+	// KeycloakAdminUser is the username of the keycloak admin interface (admin on the master realm)
+	KeycloakAdminUser string `default:"mmuser" validate:"notempty"`
+	// KeycloakAdminPassword is the password of the keycloak admin interface (admin on the master realm)
+	KeycloakAdminPassword string `default:"mmpass" validate:"notempty"`
+	// KeycloakRealmFilePath is the path to the realm file to be uploaded to the keycloak instance.
+	// If empty, a default realm file will be used.
+	KeycloakRealmFilePath string `default:""`
+	// KeycloakDBDumpURI
+	// An optional URI to a keycloak database dump file to be uploaded on environment
+	// creation.
+	// The file is expected to be gzip compressed.
+	// This can also point to a local file if prefixed with "file://".
+	KeycloakDBDumpURI string `default:""`
+	// GenerateUsersCount is the number of users to generate in the keycloak instance.
+	GenerateUsersCount int `default:"0" validate:"range:[0,)"`
+	// KeycloakRealmName is the name of the realm to be used in Mattermost. Must exist in the keycloak instance.
+	// It is used when creating users and to properly set the OpenID configuration in Mattermost.
+	KeycloakRealmName string `default:"mattermost"`
+	// KeycloakClientID is the client id to be used in Mattermost from the above realm.
+	// Must exist in the keycloak instance
+	KeycloakClientID string `default:"mattermost-openid"`
+	// KeycloakClientSecret is the client secret from the above realm to be used in Mattermost.
+	// Must exist in the keycloak instance
+	KeycloakClientSecret string `default:"qbdUj4dacwfa5sIARIiXZxbsBFoopTyf"`
+}
+
 // ElasticSearchSettings contains the necessary data
 // to configure an ElasticSearch instance to be deployed
 // and provisioned.

deployment/terraform/agent.go

@@ -24,7 +24,9 @@ func (t *Terraform) generateLoadtestAgentConfig() (*loadtest.Config, error) {
 		return nil, err
 	}
 	url := t.output.Instances[0].PrivateIP + ":8065"
-	if t.output.HasProxy() {
+	if t.config.SiteURL != "" {
+		url = t.config.SiteURL
+	} else if t.output.HasProxy() {
 		url = t.output.Proxy.PrivateIP
 	}
 
@@ -129,6 +131,27 @@ func (t *Terraform) configureAndRunAgents(extAgent *ssh.ExtAgent) error {
 			batch = append(batch, uploadInfo{srcData: strings.Join(splitFiles[i], "\n"), dstPath: dstUsersFilePath, msg: "Uploading list of users credentials"})
 		}
 
+		// If SiteURL is set, update /etc/hosts to point to the correct IP
+		if t.config.SiteURL != "" {
+			output, err := t.Output()
+			if err != nil {
+				return err
+			}
+
+			// The new entry in /etc/hosts will make SiteURL point to:
+			// - The first instance's IP if there's a single node
+			// - The proxy's IP if there's more than one node
+			ip := output.Instances[0].PrivateIP
+			if output.HasProxy() {
+				ip = output.Proxy.PrivateIP
+			}
+
+			proxyHost := fmt.Sprintf("%s %s\n", ip, t.config.SiteURL)
+			appHostsFile := fmt.Sprintf(appHosts, proxyHost)
+
+			batch = append(batch, uploadInfo{srcData: appHostsFile, dstPath: "/etc/hosts", msg: "Updating /etc/hosts to point to the correct IP"})
+		}
+
 		if err := uploadBatch(sshc, batch); err != nil {
 			return fmt.Errorf("batch upload failed: %w", err)
 		}