IS 6.1.0 to 7.0.0 Upgrade and Migration Testing Effort

[melanisilva]

Is your suggestion a test requirement/change or improvement of the test framework? Please describe.

In this effort, there will be 2 phases

1. Upgrading from IS 6.1.0 to 7.0.0
2. 7.0.0 migration testing.

🚀 1 - Upgrading from IS 6.1.0 to 7.0.0

In this phase, our priority will be focused on flows associated with those that have experienced migration impacts.
Please find the issues under this label: 7.0.0 migration

Even out of the above-mentioned issues High priority issues will be the ones that have a DB schema change. (As analysed in this sheet )

✅ Step 1: Schema Compatibility

• execute the DB script provided with the migration guide on your environment

** ⭐️ Note: At this stage, we will exclusively conduct testing with MySQL DB, as only MySQL Schemas are currently accessible.**

• ensure functionality remains unaffected by schema changes. ([7.0.0] Migration)

✅ Step 2: Binary Transition

Replicate existing configurations from 6.1.0 and add any necessary alterations to the deployment.toml in 7.0.0 to disable new features / changed behaviors by default.

Validate that 7.0.0 deployment works with the old data and existing functionalities continue as expected.

🚀 Phase 2 - 7.0.0 migration testing.

• TBD

[ 1 ] . https://github.com/wso2/product-is/labels/7.0.0-migration
Supporting Docs : https://www.notion.so/is-playground/Migration-Testing-806dc2258a924134a76cf5f491d3fc91

Related Issues:
#18428

[melanisilva]

@shashimalcse As the initial step, we anticipate populating data in the IS 6.1.0 database. To proceed, could you please provide the following information?

• Scenarios that had database changes
• Scenarios that had config changes.

[melanisilva]

Please find the upgrade test execution environment details:

Database: MySQL 8.0.33
OS: Mac
Browser: Version 120.0.6099.71 (Official Build) (arm64)
Secondary User Store: LDAP

CC: @chamathns @shashimalcse

[shashimalcse]

Here is the list of scenarios with database changes (these are based on alter queries in the migration schema):

• Private JWT authentication | [Migration] Add Private Key JWT changes to Migration client #15582
• Recovery flow | Update IDN_RECOVERY_DATA table and add IDN_RECOVERY_FLOW_DATA table #16576
• Access token | Add new column to the IDN_OAUTH2_ACCESS_TOKEN table and alter the CON_APP_KEY constraint #16976
• Idp creation | Changes done to IDN_SECRET and IDN_SECRET_TYPE data tables #15942
• Same idp configuration | NPE while processing SLO request from federated IDP when the same IDP is configured twice. #15649
• Role | [Migration-Identity DB] Support application roles for Identity Server and support RBAC for apps #16865

You can find the exact flow in the mentioned issues.

You can find the config changes from our maintained sheet

[melanisilva]

Update - Data Population.

• Same IDP Configuration

* Take two 5.10.0 Identity servers, one would act as the federated IDP hence set the hostname of that Identity server as idp.com and add a host entry for it. If you are running the federated IDP also in the same server offset the port by 1.
* Apply the fixes in SLO between tenants does not work when IDP name is different #13465.
* In the federated IDP create two SAML service providers with different "IdP Entity ID Alias”.
* In the service providers created configure the SLO request URL to point to the first IDP.([https://localhost:9443/identity/saml/slo?tenantDomain=carbon.super)[1]](https://localhost:9443/identity/saml/slo?tenantDomain=carbon.super)%5B1%5D)
* On the first Identity server(acting as the local IDP), create two IDPs representing the two service providers created on the federated IDP. 
* On the first Identity server, create two OIDC service providers(app1 and app2) and attach one IDP created in the previous step to one service provider.
* Now login to both service provider app1 and app2, and the logins would work successfully. Both times the user would be redirected to the federated IDP and on the federated IDP side since there is an active session, they would be able to log in automatically(SSO).

• IDP creation related Data - Created an IDP and verified the existing behavior.

• Add User - From Console
• Created standard based OIDC application - Console
• Add Claim

curl -k --location --request POST 'https://localhost:9443/api/server/v1/claim-dialects/local/claims' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "claimURI": "http://wso2.org/claims/test",
    "displayName": "test",
    "displayOrder": "0",
    "readOnly": false,
    "required": false,
    "supportedByDefault": false,
    "properties": [
        {
            "key": "USER_CUSTOM_ATTRIBUTE",
            "value": "TRUE"
        }
    ],
    "attributeMapping": [
        {
            "mappedAttribute": "test",
            "userstore": "PRIMARY"
        }
    ]
}'

• Create Group

curl -k --location --request POST 'https://localhost:9443/scim2/Groups' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "displayName": "primary/finance",
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
    ]
}'

curl -k --location --request POST 'https://localhost:9443/scim2/Groups' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "displayName": "primary/human-resource",
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
    ]
}

• Create IDP OIDC

curl -k --location --request POST 'https://localhost:9443/api/server/v1/identity-providers' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "image": "https://localhost:9443/console/libs/themes/default/assets/images/identity-providers/enterprise-idp-illustration.svg",
    "isPrimary": false,
    "roles": {
        "mappings": [],
        "outboundProvisioningRoles": []
    },
    "certificate": {
        "jwksUri": "https://myapp/oauth2/jwks",
        "certificates": [
            ""
        ]
    },
    "claims": {
        "userIdClaim": {
            "uri": ""
        },
        "provisioningClaims": [],
        "roleClaim": {
            "uri": ""
        }
    },
    "name": "oidc-IDP",
    "description": "Authenticate users with Enterprise OIDC connections.",
    "federatedAuthenticators": {
        "defaultAuthenticatorId": "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
        "authenticators": [
            {
                "isEnabled": true,
                "authenticatorId": "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
                "properties": [
                    {
                        "key": "ClientId",
                        "value": "testClientId"
                    },
                    {
                        "key": "ClientSecret",
                        "value": "testClientSecret"
                    },
                    {
                        "key": "OAuth2AuthzEPUrl",
                        "value": "https://myapp/oauth2/authorize"
                    },
                    {
                        "key": "OAuth2TokenEPUrl",
                        "value": "https://myapp/oauth2/token"
                    },
                    {
                        "key": "callbackUrl",
                        "value": "https://localhost:9443/commonauth"
                    }
                ]
            }
        ]
    },
    "homeRealmIdentifier": "",
    "provisioning": {
        "jit": {
            "userstore": "DEFAULT",
            "scheme": "PROVISION_SILENTLY",
            "isEnabled": true
        }
    },
    "isFederationHub": false,
    "templateId": "enterprise-oidc-idp"
}'

• Create role

curl -k --location --request POST 'https://localhost:9443/scim2/Roles' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "meta": {
        "location": "https://localhost:9443/scim2/Roles/f7cc913d-3ec9-4580-8873-979cdd63a763"
    },
    "displayName": "loginrole",
    "schemas": [
        "urn:ietf:params:scim:schemas:extension:2.0:Role"
    ],
    "id": "f7cc913d-3ec9-4580-8873-979cdd63a763"
}'


curl -k --location --request POST 'https://localhost:9443/scim2/Roles' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
    "meta": {
        "location": "https://localhost:9443/scim2/Roles/g7cc913d-3ec9-4580-8873-979cdd63a764"
    },
    "displayName": "managerrole",
    "schemas": [
        "urn:ietf:params:scim:schemas:extension:2.0:Role"
    ],
    "id": "g7cc913d-3ec9-4580-8873-979cdd63a764"
}'

• Create SP SAML

curl -k --location --request POST 'https://localhost:9443/api/server/v1/applications' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
  "name": "sample-app-saml",
  "description": "Configuration for Sample Application with SAML",
  "accessUrl": "https://example.com/login",
  "claimConfiguration": {
    "dialect": "LOCAL",
    "claimMappings": [
      {
        "applicationClaim": "firstname",
        "localClaim": {
          "uri": "http://wso2.org/claims/username"
        }
      }
    ],
    "requestedClaims": [
      {
        "claim": {
          "uri": "http://wso2.org/claims/username"
        },
        "mandatory": false
      }
    ],
    "subject": {
      "claim": {
        "uri": "http://wso2.org/claims/username"
      },
      "includeUserDomain": false,
      "includeTenantDomain": false,
      "useMappedLocalSubject": false
    },
    "role": {
      "mappings": [
        {
          "localRole": "INTERNAL/admin",
          "applicationRole": "Administrator"
        }
      ],
      "includeUserDomain": true,
      "claim": {
        "uri": "http://wso2.org/claims/username"
      }
    }
  },
  "inboundProtocolConfiguration": {
    "saml": {
      "manualConfiguration": {
        "issuer": "example.com",
        "serviceProviderQualifier": "string",
        "assertionConsumerUrls": [
          "www.example.com/acs"
        ],
        "defaultAssertionConsumerUrl": "www.example.com/acs",
        "idpEntityIdAlias": "LOCAL",
        "singleSignOnProfile": {
          "bindings": [
            "HTTP_POST"
          ],
          "enableSignatureValidationForArtifactBinding": false,
          "enableIdpInitiatedSingleSignOn": false,
          "assertion": {
            "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            "audiences": [
              "https://app.example.com/saml"
            ],
            "recipients": [
              "https://app.example.com/saml"
            ],
            "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
            "encryption": {
              "enabled": false,
              "assertionEncryptionAlgorithm": "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
              "keyEncryptionAlgorithm": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
            }
          }
        },
        "attributeProfile": {
          "enabled": false,
          "alwaysIncludeAttributesInResponse": false
        },
        "singleLogoutProfile": {
          "enabled": true,
          "logoutRequestUrl": "string",
          "logoutResponseUrl": "string",
          "logoutMethod": "BACKCHANNEL",
          "idpInitiatedSingleLogout": {
            "enabled": false,
            "returnToUrls": [
              "string"
            ]
          }
        },
        "requestValidation": {
          "enableSignatureValidation": true,
          "signatureValidationCertAlias": "wso2carbon"
        },
        "enableAssertionQueryProfile": false
      }
    }
  }
}
'

• Create tenant

curl -k --location --request POST "https://localhost:9443/api/server/v1/tenants" \
  --header 'accept: */*' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
  --data-raw '{
    "domain": "example.com",
    "owners": [
      {
        "username": "johndoe",
        "password": "mysecretpassword",
        "email": "johndoe@example.com",
        "firstname": "John",
        "lastname": "Doe",
        "provisioningMethod": "inline-password",
        "additionalClaims": [
          {
            "claim": "http://wso2.org/claims/mobile",
            "value": "015555555"
          }
        ]
      }
    ]
  }'

• SCIM Bulk User

curl -k --location --request POST "https://localhost:9443/scim2/Bulk" \
    --header 'Content-Type: application/scim+json' \
    --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
    --data-raw '{
  "failOnErrors": 1,
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
  "Operations": [
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "qwerty",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "john",
        "password": "johnpass"
      }
    },
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "qwerty",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "mary",
        "password": "marypass"
      }
    },
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "qwerty",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "david",
        "password": "davidpass"
      }
    },
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "qwerty",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "michael",
        "password": "michaelpass"
      }
    },
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "ytrewq",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "sarah",
        "password": "sarahpass"
      }
    }
  ]
}'

[melanisilva]

Update - 13th Dec 2023

- ✅ After Data population was able to successfully execute the MySQL Upgrading schema.

- ✅ Tested Below Critical flows

• Create a User in the Primary User store
• Register a new application
• Create a role
• Update the user created in primary userstore
• Update the roles
• Create and update group
• Admin User Logs in to my account
• Consumer user Log in to my account (tenant & org)
• Update Personal info details from my account
• Configure password recovery
• Add a secondary userstore under super tenant
• Add a user for the secondary US and try to update that users roles
• Set up social connectors (Google)
• enterprise IDP login
• Log in to an application (OAuth, SAML)
• application update
• private JWT authentication
• recovery flow

[melanisilva]

Update

Started Verifying the Migration issues with the Updated DB Schema and the 6.1.0 Binary.

Please find the status from the below sheet.
Upgrading from 6.1 to 7.0 - Issues list

[melanisilva]

Update 15th Dec 2023

Note that this Effort is Currently on hold due to the IS Beta 4 Test Hackathon (QA Team).
@chamathns

[melanisilva]

Update 02 Jan 2024

Completed the verification of all migration issues involving DB schema changes. The summary of this testing effort is available on this Google Sheet.

Ran Data Population scripts again to work with the updated Upgrade schema.

[isharak]

This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!