IS 6.1.0 to 7.0.0 Upgrade and Migration Testing Effort #18481

Closed
melanisilva opened this issue Dec 7, 2023 · 9 comments

melanisilva commented Dec 7, 2023

Is your suggestion a test requirement/change or improvement of the test framework? Please describe.

In this effort, there will be 2 phases

  1. Upgrading from IS 6.1.0 to 7.0.0
  2. 7.0.0 migration testing.

🚀 Phase 1 - Upgrading from IS 6.1.0 to 7.0.0

In this phase, our priority will be focused on flows associated with those that have experienced migration impacts.
Please find the issues under this label: 7.0.0 migration

Among the above-mentioned issues, the high priority ones will be those that have a DB schema change (as analysed in this sheet).

✅ Step 1: Schema Compatibility

  • execute the DB script provided with the migration guide on your environment

**⭐️ Note:** At this stage, we will exclusively conduct testing with MySQL DB, as only MySQL schemas are currently accessible.

✅ Step 2: Binary Transition

Replicate existing configurations from 6.1.0 and add any necessary alterations to the deployment.toml in 7.0.0 to disable new features / changed behaviors by default.

Validate that 7.0.0 deployment works with the old data and existing functionalities continue as expected.

🚀 Phase 2 - 7.0.0 migration testing.

  • TBD

[1] https://github.com/wso2/product-is/labels/7.0.0-migration
Supporting Docs : https://www.notion.so/is-playground/Migration-Testing-806dc2258a924134a76cf5f491d3fc91

Related Issues:
#18428

@melanisilva melanisilva added the Type/Test Issues requesting tests label Dec 7, 2023
@melanisilva melanisilva self-assigned this Dec 7, 2023
@aaujayasena aaujayasena changed the title Upgrading from IS 6.1.0 to 7.0.0 and Migration Testing Effort IS 6.1.0 to 7.0.0 Upgrade and Migration Testing Effort Dec 7, 2023
@aaujayasena aaujayasena moved this to In Progress in Identity Server 7.0.0 Dec 7, 2023
melanisilva commented Dec 13, 2023

@shashimalcse As the initial step, we anticipate populating data in the IS 6.1.0 database. To proceed, could you please provide the following information?

  • Scenarios that had database changes
  • Scenarios that had config changes.

@melanisilva

Please find the upgrade test execution environment details:

Database: MySQL 8.0.33
OS: Mac
Browser: Version 120.0.6099.71 (Official Build) (arm64)
Secondary User Store: LDAP

CC: @chamathns @shashimalcse

@shashimalcse

Here is the list of scenarios with database changes (these are based on alter queries in the migration schema):

You can find the exact flow in the mentioned issues.

You can find the config changes from our maintained sheet

melanisilva commented Dec 13, 2023

Update - Data Population.

  • Same IDP Configuration
    * Take two 5.10.0 Identity servers, one would act as the federated IDP hence set the hostname of that Identity server as idp.com and add a host entry for it. If you are running the federated IDP also in the same server offset the port by 1.
    * Apply the fixes in SLO between tenants does not work when IDP name is different #13465.
    * In the federated IDP create two SAML service providers with different "IdP Entity ID Alias".
    * In the service providers created configure the SLO request URL to point to the first IDP (https://localhost:9443/identity/saml/slo?tenantDomain=carbon.super) [1].
    * On the first Identity server (acting as the local IDP), create two IDPs representing the two service providers created on the federated IDP.
    * On the first Identity server, create two OIDC service providers (app1 and app2) and attach one IDP created in the previous step to one service provider.
    * Now login to both service providers app1 and app2, and the logins would work successfully. Both times the user would be redirected to the federated IDP and on the federated IDP side since there is an active session, they would be able to log in automatically (SSO).
  • IDP creation related Data - Created an IDP and verified the existing behavior.
  • Add User - From Console
  • Created standard based OIDC application - Console
  • Add Claim
```bash
# admin:admin (base64 YWRtaW46YWRtaW4=) is the default super-admin credential of a fresh pack;
# -k skips TLS verification for the lab's self-signed certificate.
curl -k --location --request POST 'https://localhost:9443/api/server/v1/claim-dialects/local/claims' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "claimURI": "http://wso2.org/claims/test",
    "displayName": "test",
    "displayOrder": "0",
    "readOnly": false,
    "required": false,
    "supportedByDefault": false,
    "properties": [
        {
            "key": "USER_CUSTOM_ATTRIBUTE",
            "value": "TRUE"
        }
    ],
    "attributeMapping": [
        {
            "mappedAttribute": "test",
            "userstore": "PRIMARY"
        }
    ]
}'
```
  • Create Group
```bash
curl -k --location --request POST 'https://localhost:9443/scim2/Groups' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "displayName": "primary/finance",
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
    ]
}'

curl -k --location --request POST 'https://localhost:9443/scim2/Groups' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "displayName": "primary/human-resource",
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
    ]
}'
```
  • Create IDP OIDC
```bash
curl -k --location --request POST 'https://localhost:9443/api/server/v1/identity-providers' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "image": "https://localhost:9443/console/libs/themes/default/assets/images/identity-providers/enterprise-idp-illustration.svg",
    "isPrimary": false,
    "roles": {
        "mappings": [],
        "outboundProvisioningRoles": []
    },
    "certificate": {
        "jwksUri": "https://myapp/oauth2/jwks",
        "certificates": [
            ""
        ]
    },
    "claims": {
        "userIdClaim": {
            "uri": ""
        },
        "provisioningClaims": [],
        "roleClaim": {
            "uri": ""
        }
    },
    "name": "oidc-IDP",
    "description": "Authenticate users with Enterprise OIDC connections.",
    "federatedAuthenticators": {
        "defaultAuthenticatorId": "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
        "authenticators": [
            {
                "isEnabled": true,
                "authenticatorId": "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
                "properties": [
                    {
                        "key": "ClientId",
                        "value": "testClientId"
                    },
                    {
                        "key": "ClientSecret",
                        "value": "testClientSecret"
                    },
                    {
                        "key": "OAuth2AuthzEPUrl",
                        "value": "https://myapp/oauth2/authorize"
                    },
                    {
                        "key": "OAuth2TokenEPUrl",
                        "value": "https://myapp/oauth2/token"
                    },
                    {
                        "key": "callbackUrl",
                        "value": "https://localhost:9443/commonauth"
                    }
                ]
            }
        ]
    },
    "homeRealmIdentifier": "",
    "provisioning": {
        "jit": {
            "userstore": "DEFAULT",
            "scheme": "PROVISION_SILENTLY",
            "isEnabled": true
        }
    },
    "isFederationHub": false,
    "templateId": "enterprise-oidc-idp"
}'
```
  • Create role
```bash
curl -k --location --request POST 'https://localhost:9443/scim2/Roles' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "meta": {
        "location": "https://localhost:9443/scim2/Roles/f7cc913d-3ec9-4580-8873-979cdd63a763"
    },
    "displayName": "loginrole",
    "schemas": [
        "urn:ietf:params:scim:schemas:extension:2.0:Role"
    ],
    "id": "f7cc913d-3ec9-4580-8873-979cdd63a763"
}'

curl -k --location --request POST 'https://localhost:9443/scim2/Roles' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "meta": {
        "location": "https://localhost:9443/scim2/Roles/g7cc913d-3ec9-4580-8873-979cdd63a764"
    },
    "displayName": "managerrole",
    "schemas": [
        "urn:ietf:params:scim:schemas:extension:2.0:Role"
    ],
    "id": "g7cc913d-3ec9-4580-8873-979cdd63a764"
}'
```
  • Create SP SAML
```bash
curl -k --location --request POST 'https://localhost:9443/api/server/v1/applications' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
  "name": "sample-app-saml",
  "description": "Configuration for Sample Application with SAML",
  "accessUrl": "https://example.com/login",
  "claimConfiguration": {
    "dialect": "LOCAL",
    "claimMappings": [
      {
        "applicationClaim": "firstname",
        "localClaim": {
          "uri": "http://wso2.org/claims/username"
        }
      }
    ],
    "requestedClaims": [
      {
        "claim": {
          "uri": "http://wso2.org/claims/username"
        },
        "mandatory": false
      }
    ],
    "subject": {
      "claim": {
        "uri": "http://wso2.org/claims/username"
      },
      "includeUserDomain": false,
      "includeTenantDomain": false,
      "useMappedLocalSubject": false
    },
    "role": {
      "mappings": [
        {
          "localRole": "INTERNAL/admin",
          "applicationRole": "Administrator"
        }
      ],
      "includeUserDomain": true,
      "claim": {
        "uri": "http://wso2.org/claims/username"
      }
    }
  },
  "inboundProtocolConfiguration": {
    "saml": {
      "manualConfiguration": {
        "issuer": "example.com",
        "serviceProviderQualifier": "string",
        "assertionConsumerUrls": [
          "www.example.com/acs"
        ],
        "defaultAssertionConsumerUrl": "www.example.com/acs",
        "idpEntityIdAlias": "LOCAL",
        "singleSignOnProfile": {
          "bindings": [
            "HTTP_POST"
          ],
          "enableSignatureValidationForArtifactBinding": false,
          "enableIdpInitiatedSingleSignOn": false,
          "assertion": {
            "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            "audiences": [
              "https://app.example.com/saml"
            ],
            "recipients": [
              "https://app.example.com/saml"
            ],
            "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
            "encryption": {
              "enabled": false,
              "assertionEncryptionAlgorithm": "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
              "keyEncryptionAlgorithm": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
            }
          }
        },
        "attributeProfile": {
          "enabled": false,
          "alwaysIncludeAttributesInResponse": false
        },
        "singleLogoutProfile": {
          "enabled": true,
          "logoutRequestUrl": "string",
          "logoutResponseUrl": "string",
          "logoutMethod": "BACKCHANNEL",
          "idpInitiatedSingleLogout": {
            "enabled": false,
            "returnToUrls": [
              "string"
            ]
          }
        },
        "requestValidation": {
          "enableSignatureValidation": true,
          "signatureValidationCertAlias": "wso2carbon"
        },
        "enableAssertionQueryProfile": false
      }
    }
  }
}'
```
  • Create tenant
```bash
curl -k --location --request POST "https://localhost:9443/api/server/v1/tenants" \
  --header 'accept: */*' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
  --data-raw '{
    "domain": "example.com",
    "owners": [
      {
        "username": "johndoe",
        "password": "mysecretpassword",
        "email": "[email protected]",
        "firstname": "John",
        "lastname": "Doe",
        "provisioningMethod": "inline-password",
        "additionalClaims": [
          {
            "claim": "http://wso2.org/claims/mobile",
            "value": "015555555"
          }
        ]
      }
    ]
  }'
```
  • SCIM Bulk User
```bash
# Each bulkId must be unique within one BulkRequest (RFC 7644 section 3.7).
curl -k --location --request POST "https://localhost:9443/scim2/Bulk" \
    --header 'Content-Type: application/scim+json' \
    --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
    --data-raw '{
  "failOnErrors": 1,
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
  "Operations": [
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "create-john",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "john",
        "password": "johnpass"
      }
    },
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "create-mary",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "mary",
        "password": "marypass"
      }
    },
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "create-david",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "david",
        "password": "davidpass"
      }
    },
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "create-michael",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "michael",
        "password": "michaelpass"
      }
    },
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "create-sarah",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "sarah",
        "password": "sarahpass"
      }
    }
  ]
}'
```
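
The curl commands above populate the 6.1.0 database by hand and keep no record of what was created, so the "validate that 7.0.0 works with the old data" step has to be repeated from memory after every schema re-run. The Python below is an added example (not WSO2 tooling and not part of the original thread): it drives the same SCIM2 endpoints through a pluggable transport, records a manifest of every group, role and user it created, and re-checks each one against the 7.0.0 binary once the upgrade script has been applied. The `Transport` abstraction, the manifest layout, the `create-<userName>` bulkIds and the in-memory `FakeServer` are this example's own assumptions; it also makes every bulkId unique, which RFC 7644 requires and which the posted Bulk request does not.

```python
"""Repeatable data population for IS 6.1.0 plus a post-upgrade re-check of every
created object against the 7.0.0 binary. Added example, not WSO2 tooling: endpoints
mirror the curl commands in the thread; Transport, manifest and FakeServer are assumptions."""
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

Transport = Callable[[str, str, dict], Tuple[int, dict]]  # (method, path, body) -> (status, json)
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
ROLE_SCHEMA = "urn:ietf:params:scim:schemas:extension:2.0:Role"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
BULK_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
# Constructed sample data, following the names used in the curl commands above.
GROUPS, ROLES = ["primary/finance", "primary/human-resource"], ["loginrole", "managerrole"]
USERS = [("john", "johnpass"), ("mary", "marypass"), ("david", "davidpass"),
         ("michael", "michaelpass"), ("sarah", "sarahpass")]

def basic_auth(username: str, password: str) -> str:
    """Build the Authorization value instead of pasting a pre-encoded token around."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def urllib_transport(base_url: str, auth: str, verify_tls: bool = True) -> Transport:
    """HTTP transport. verify_tls=False is `curl -k`: only for a lab pack's self-signed cert."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    def send(method: str, path: str, body: dict) -> Tuple[int, dict]:
        req = urllib.request.Request(base_url + path, method=method,
                                     data=None if body is None else json.dumps(body).encode(),
                                     headers={"Authorization": auth, "Content-Type": "application/scim+json"})
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                status, raw = resp.status, resp.read()
        except urllib.error.HTTPError as err:
            status, raw = err.code, err.read()
        return status, (json.loads(raw) if raw.lstrip().startswith(b"{") else {})
    return send

def scim_bulk_users(users: List[Tuple[str, str]]) -> dict:
    """One BulkRequest for all users. RFC 7644 requires bulkId to be unique within a
    request, so derive it from the userName; failOnErrors=1 stops at the first failure."""
    return {"failOnErrors": 1, "schemas": [BULK_SCHEMA], "Operations": [
        {"method": "POST", "path": "/Users", "bulkId": f"create-{name}",
         "data": {"schemas": [USER_SCHEMA], "userName": name, "password": pw}}
        for name, pw in users]}

def populate(send: Transport) -> List[dict]:
    """Create groups, roles and users on 6.1.0; return a manifest of what to re-check later."""
    manifest = []
    for path, schema, names in (("/scim2/Groups", GROUP_SCHEMA, GROUPS), ("/scim2/Roles", ROLE_SCHEMA, ROLES)):
        for name in names:
            status, body = send("POST", path, {"displayName": name, "schemas": [schema]})
            if status != 201:
                raise RuntimeError(f"POST {path} {name!r} -> {status} {body}")
            manifest.append({"path": f"{path}/{body['id']}", "field": "displayName", "expected": name})
    status, body = send("POST", "/scim2/Bulk", scim_bulk_users(USERS))
    if status != 200:
        raise RuntimeError(f"POST /scim2/Bulk -> {status} {body}")
    for op in body["Operations"]:  # each result carries the created user's absolute location
        if str(op.get("status", {}).get("code")) != "201":
            raise RuntimeError(f"bulk operation {op.get('bulkId')} failed: {op}")
        manifest.append({"path": op["location"][op["location"].index("/scim2/"):],
                         "field": "userName", "expected": op["bulkId"][len("create-"):]})
    return manifest

def verify(send: Transport, manifest: List[dict]) -> List[str]:
    """Run against 7.0.0 on the upgraded DB: every object must still resolve with its key attribute."""
    failures = []
    for e in manifest:
        status, body = send("GET", e["path"], None)
        if status != 200:
            failures.append(f"{e['path']}: HTTP {status}")
        elif body.get(e["field"]) != e["expected"]:
            failures.append(f"{e['path']}: {e['field']}={body.get(e['field'])!r}, expected {e['expected']!r}")
    return failures

class FakeServer:
    """Constructed in-memory stand-in with the response shapes IS returns, so the flow runs offline."""
    def __init__(self):
        self.store, self.seq = {}, 0
    def _create(self, path: str, obj: dict) -> dict:
        self.seq += 1
        self.store[f"{path}/{self.seq:08x}"] = obj = dict(obj, id=f"{self.seq:08x}")
        return obj
    def __call__(self, method: str, path: str, body: dict) -> Tuple[int, dict]:
        if method == "GET":
            return (200, self.store[path]) if path in self.store else (404, {})
        if path != "/scim2/Bulk":
            return 201, self._create(path, body)
        ops = [{"bulkId": op["bulkId"], "method": "POST", "status": {"code": "201"},
                "location": "https://localhost:9443/scim2/Users/" + self._create("/scim2/Users", op["data"])["id"]}
               for op in body["Operations"]]
        return 200, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"], "Operations": ops}

if __name__ == "__main__":  # for a real pack: urllib_transport("https://localhost:9443", basic_auth("admin", "admin"), False)
    server = FakeServer()
    print(verify(server, populate(server)))
```

Against a real pack, run `populate` with `urllib_transport(...)` on the 6.1.0 binary before executing the upgrade script, keep the returned manifest, and call `verify` with the same manifest once the 7.0.0 binary is up on the upgraded database; every entry in the returned list is a candidate for an issue under the 7.0.0-migration label. Because `verify` only issues GETs it is safe to re-run after each schema re-population.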

melanisilva commented Dec 14, 2023

Update - 13th Dec 2023

- ✅ After data population, was able to successfully execute the MySQL upgrade schema.

- ✅ Tested the critical flows below:

  • Create a User in the Primary User store
  • Register a new application
  • Create a role
  • Update the user created in primary userstore
  • Update the roles
  • Create and update group
  • Admin User Logs in to my account
  • Consumer user Log in to my account (tenant & org)
  • Update Personal info details from my account
  • Configure password recovery
  • Add a secondary userstore under super tenant
  • Add a user for the secondary US and try to update that users roles
  • Set up social connectors (Google)
  • enterprise IDP login
  • Log in to an application (OAuth, SAML)
  • application update
  • private JWT authentication
  • recovery flow

@melanisilva

Update

Started verifying the migration issues with the updated DB schema and the 6.1.0 binary.

Please find the status from the below sheet.
Upgrading from 6.1 to 7.0 - Issues list

@melanisilva

Update 15th Dec 2023

Note that this effort is currently on hold due to the IS Beta 4 Test Hackathon (QA Team).
@chamathns

melanisilva commented Jan 2, 2024

Update 02 Jan 2024

Completed the verification of all migration issues involving DB schema changes. The summary of this testing effort is available on this Google Sheet.

Ran Data Population scripts again to work with the updated Upgrade schema.

@isharak isharak added the IceBox label Nov 7, 2024
@isharak

isharak commented Nov 7, 2024

This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!

@isharak isharak closed this as completed Nov 7, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in Identity Server 7.0.0 Nov 7, 2024