PG-1967: Basic keycloak test setup on CI

This commit adds a very basic test using keycloak + rpec.

* Keycloak is ran using docker, with a previously generated
  configuration which just gets imported
* The test is written in rspec, for easy extensibility (different
  providers, different testcases)
* For now it's just a simple smoke test to verify that we can log in
  with the validator

One particularly ugly part of this is that we install the seflf signed
certificates systemwide, but the only other option is using
`OAUTH_DEBUG=unsafe`, which changes other behavior and results in tons
of debug output. Trusting this certificate by the system seems like a
more-realstic approach.

Author: dutow

.github/workflows/pgdg-build.yml

@@ -31,13 +31,12 @@ jobs:
 
     - name: Install PG Distribution Postgresql 18
       run: |
-        sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt \
-          $(lsb_release -cs)-pgdg main 18" > /etc/apt/sources.list.d/pgdg.list'
-        sudo wget --quiet -O - \
-          https://www.postgresql.org/media/keys/ACCC4CF8.asc |
-          sudo apt-key add -
-        sudo apt update
-        sudo apt -y install postgresql-18 postgresql-server-dev-18
+        echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main 18" | \
+          sudo tee /etc/apt/sources.list.d/pgdg.list
+        wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | \
+          gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg > /dev/null
+        sudo apt-get update
+        sudo apt-get install -y postgresql-18 postgresql-server-dev-18
 
     - name: Checkout pg_oidc_validator extension
       uses: actions/checkout@v4
@@ -85,9 +84,95 @@ jobs:
       run: |
         cd pg-oidc-validator-pgdg18 && sudo tar -czvf ../pg-oidc-validator-pgdg18.tar.gz .
 
+    - name: Upload tgz artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: pg-oidc-validator-tgz
+        path: pg-oidc-validator-pgdg18.tar.gz
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    needs: [pgxs-build]
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Download built package
+      uses: actions/download-artifact@v4
+      with:
+        name: pg-oidc-validator-deb
+
+    - name: Stop default PostgreSQL
+      run: |
+        sudo systemctl stop postgresql || true
+        sudo systemctl disable postgresql || true
+
+    - name: Install PostgreSQL 18
+      run: |
+        echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main 18" | \
+          sudo tee /etc/apt/sources.list.d/pgdg.list
+        wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | \
+          gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/postgresql.gpg > /dev/null
+        sudo apt-get update
+        sudo apt-get install -y postgresql-18 libpq-oauth
+
+    - name: Install pg_oidc_validator package
+      run: |
+        sudo dpkg -i pg-oidc-validator-pgdg18.deb
+
+    - name: Install test dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y ruby-full ruby-bundler chromium-browser chromium-chromedriver curl net-tools
+
+    - name: Set up Ruby gems
+      run: |
+        cd test
+        bundle config set --local path 'vendor/bundle'
+        bundle install
+
+    - name: Install SSL certificate for psql
+      run: |
+        sudo cp test/keys/crt.pem /usr/local/share/ca-certificates/keycloak-test.crt
+        sudo update-ca-certificates
+
+    - name: Run tests
+      run: |
+        cd test
+        echo "PostgreSQL version:"
+        /usr/lib/postgresql/18/bin/postgres --version
+        echo "Port 5432 status:"
+        sudo netstat -tulpn | grep 5432 || echo "Port 5432 not in use"
+        echo "Chromium version:"
+        chromium-browser --version || echo "Chromium not found"
+        echo "ChromeDriver version:"
+        chromedriver --version || echo "ChromeDriver not found"
+        echo "Running tests..."
+        PGBIN=/usr/lib/postgresql/18/bin bundle exec rspec --format documentation
+
+    - name: Upload test logs on failure
+      if: failure()
+      uses: actions/upload-artifact@v4
+      with:
+        name: test-logs
+        path: |
+          test/postgres.log
+          test/psql_output.log
+          test/selenium_output.log
+          test/pgdata/log/*
+          /var/log/postgresql/*
+        if-no-files-found: ignore
+
+    - name: Download tgz artifact
+      if: "github.repository == 'Percona-Lab/pg_oidc_validator' && github.ref_name == 'main' && (github.event_name == 'push' || github.event_name == 'schedule')"
+      uses: actions/download-artifact@v4
+      with:
+        name: pg-oidc-validator-tgz
+
     - name: Publish release
       uses: ncipollo/release-action@v1
-      # Only try and deploy on merged code
       if: "github.repository == 'Percona-Lab/pg_oidc_validator' && github.ref_name == 'main' && (github.event_name == 'push' || github.event_name == 'schedule')"
       with:
         artifacts: "pg-oidc-validator-pgdg18.tar.gz,pg-oidc-validator-pgdg18.deb"

README.md

@@ -34,7 +34,7 @@ pg_ctl -D <datadir> restart
 
 ### pg_oidc_validator.authn_field
 
-This GUC variable controls which field of the provided JWT token is used for identity mapping. 
+This GUC variable controls which field of the provided JWT token is used for identity mapping.
 By default this is the `sub` claim, as most providers allow the configuration of this claim to provide different user fields.
 
 In some cases however the `sub` claim is fixed to a randomly generated, application specific identifier which is non known before a user first connects to the application.
@@ -84,3 +84,7 @@ Google has some quirks which are currently not supported by the core PostgreSQL
 
 ### Other providers
 Hopefully the information above will give you everything you need to configure _your_ OIDC provider correctly. If you do, [please let us know](https://forums.percona.com/c/postgresql/) how it went!
+
+## Testing
+
+The validator has a basic test suite, documented under [test/README.md](test/README.md).

test/.gitignore

@@ -0,0 +1,5 @@
+/pgdata/
+/postgres.log
+/psql_output.log
+/selenium_output.log
+/vendor/bundle/

test/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+gem 'rspec', '~> 3.12'
+gem 'selenium-webdriver', '~> 4.0'

test/Gemfile.lock

@@ -0,0 +1,39 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    base64 (0.3.0)
+    diff-lcs (1.6.2)
+    logger (1.7.0)
+    rexml (3.4.4)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.7)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.6)
+    rubyzip (3.2.2)
+    selenium-webdriver (4.38.0)
+      base64 (~> 0.2)
+      logger (~> 1.4)
+      rexml (~> 3.2, >= 3.2.5)
+      rubyzip (>= 1.2.2, < 4.0)
+      websocket (~> 1.0)
+    websocket (1.2.11)
+
+PLATFORMS
+  ruby
+  x86_64-linux
+
+DEPENDENCIES
+  rspec (~> 3.12)
+  selenium-webdriver (~> 4.0)
+
+BUNDLED WITH
+   2.6.9

test/README.md

@@ -0,0 +1,43 @@
+# OAuth Device Flow Test
+
+End-to-end test for pg_oidc_validator using Keycloak.
+
+## Prerequisites
+
+- PostgreSQL 18 with pg_oidc_validator installed
+- Docker
+- Ruby with bundler
+- Chrome/Chromium with chromedriver
+
+## Setup
+
+```bash
+bundle install
+
+# Trust the test SSL certificate (required for psql OAuth)
+sudo cp keys/crt.pem /usr/local/share/ca-certificates/keycloak-test.crt
+sudo update-ca-certificates
+```
+
+## Usage
+
+```bash
+# Run all tests
+PGBIN=/path/to/postgres/bin bundle exec rspec
+
+# Run specific test or with options
+PGBIN=/path/to/postgres/bin bundle exec rspec spec/oauth_device_flow_spec.rb
+bundle exec rspec --format documentation
+```
+
+## What it does
+
+This is currently only a basic successful login test.
+
+1. Sets up fresh PostgreSQL cluster with OAuth configuration
+2. Starts Keycloak with pre-configured realm
+3. Initiates psql OAuth device flow connection
+4. Automatically completes authentication using Selenium
+5. Verifies connection works
+
+Auto-cleanup on exit.