chore(KeycloakHelper): Add Keycloak user and group creation / deletion in bulk and requireEnv util function (#55)

* Add keycloak configuration helper function

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

* Introduce requireEnv util

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

* Add bulk creation and deletion methods

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

* Revert deletion change

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

* Do not delete default users and groups

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

* Update changelog

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

* Fix type

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

* Bump package version

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

---------

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Author: dzemanov

docs/api/deployment/keycloak-helper.md

@@ -14,8 +14,8 @@ import { KeycloakHelper } from "@red-hat-developer-hub/e2e-test-utils/keycloak";
 new KeycloakHelper(options?: KeycloakDeploymentOptions)
 ```
 
-| Parameter | Type | Description |
-|-----------|------|-------------|
+| Parameter | Type                        | Description                       |
+| --------- | --------------------------- | --------------------------------- |
 | `options` | `KeycloakDeploymentOptions` | Optional deployment configuration |
 
 ## Properties
@@ -102,6 +102,22 @@ async connect(config: KeycloakConnectionConfig): Promise<void>
 
 Connect to an existing Keycloak instance.
 
+### `createUsersAndGroups()`
+
+```typescript
+async createUsersAndGroups(realm: string, options?: { users?: KeycloakUserConfig[]; groups?: KeycloakGroupConfig[]; }): Promise<void>
+```
+
+Create new users and groups in a realm.
+
+### `deleteUsersAndGroups()`
+
+```typescript
+async deleteUsersAndGroups(realm: string, options?: { users?: Array<KeycloakUserConfig | string>; groups?: Array<KeycloakGroupConfig | string> }): Promise<void>
+```
+
+Delete users and groups from a realm.
+
 ### `createRealm()`
 
 ```typescript
@@ -175,6 +191,10 @@ async deleteUser(realm: string, username: string): Promise<void>
 
 Delete a user.
 
+::: warning
+Deleting default Keycloak users (see DEFAULT_USERS in [constants](https://github.com/redhat-developer/rhdh-e2e-test-utils/blob/main/src/deployment/keycloak/constants.ts), e.g. `test1`, `test2`) is **not permitted** and will throw an error.
+:::
+
 ### `deleteGroup()`
 
 ```typescript
@@ -183,6 +203,10 @@ async deleteGroup(realm: string, groupName: string): Promise<void>
 
 Delete a group.
 
+::: warning
+Deleting default Keycloak groups (see `DEFAULT_GROUPS` in [constants](https://github.com/redhat-developer/rhdh-e2e-test-utils/blob/main/src/deployment/keycloak/constants.ts), e.g. `developers`, `admins`, `viewers`) is **not permitted** and will throw an error.
+:::
+
 ### `deleteRealm()`
 
 ```typescript

docs/changelog.md

@@ -2,7 +2,18 @@
 
 All notable changes to this project will be documented in this file.
 
-## [1.1.17] - Current
+## [1.1.18] - Current
+
+### Added
+
+- **KeycloakHelper.createUsersAndGroups(realm: string, options?: { users?: KeycloakUserConfig[]; groups?: KeycloakGroupConfig[];})**: Create users and groups in a realm.
+- **KeycloakHelper.deleteUsersAndGroups(realm: string, options?: { users?: Array<KeycloakUserConfig | string>; groups?: Array<KeycloakGroupConfig | string>;})**: Delete users and groups in a realm by their usernames / names or by their KeycloakConfigs. Intended for user and group cleanup in bulk.
+
+### Fixed
+
+- **KeycloakHelper.deleteUser** and **KeycloakHelper.deleteGroup**: Default Keycloak users/groups (see `DEFAULT_USERS` / `DEFAULT_GROUPS`) can no longer be deleted; attempting to delete them throws an error.
+
+## [1.1.17]
 
 ### Added
 
@@ -14,7 +25,7 @@ All notable changes to this project will be documented in this file.
 
 - **Duplicate plugin when no user `dynamic-plugins.yaml` (Keycloak auth, PR build)**: When the workspace had no `dynamic-plugins.yaml`, auto-generated config (with OCI URL) was merged with auth config (with local path). Because merge used exact `package` string match, the same plugin appeared twice and the backend failed with `ExtensionPoint with ID 'keycloak.transformer' is already registered`. The merge now uses a normalized plugin key so OCI and local path for the same logical plugin are deduplicated; the metadata-derived entry (e.g. OCI URL) wins.
 
-## [1.1.15] - Current
+## [1.1.15]
 
 ### Added
 
@@ -228,7 +239,7 @@ All notable changes to this project will be documented in this file.
 1. **Update imports** - No changes required
 2. **Configure authentication** - Use the new `auth` option:
    ```typescript
-   await rhdh.configure({ auth: 'keycloak' });
+   await rhdh.configure({ auth: "keycloak" });
    ```
 3. **Keycloak auto-deployment** - Keycloak is now automatically deployed unless `SKIP_KEYCLOAK_DEPLOYMENT=true`
 
@@ -245,6 +256,6 @@ After (1.1.x):
 
 ```typescript
 // Keycloak is auto-deployed and configured
-await rhdh.configure({ auth: 'keycloak' });
+await rhdh.configure({ auth: "keycloak" });
 await rhdh.deploy();
 ```

docs/guide/deployment/authentication.md

@@ -152,16 +152,18 @@ No additional environment variables required.
 
 ### Keycloak Auth
 
-These are automatically set by `KeycloakHelper.configureForRHDH()`:
-
-| Variable | Description |
-|----------|-------------|
-| `KEYCLOAK_BASE_URL` | Keycloak instance URL |
-| `KEYCLOAK_REALM` | Realm name |
-| `KEYCLOAK_CLIENT_ID` | OIDC client ID |
-| `KEYCLOAK_CLIENT_SECRET` | OIDC client secret |
-| `KEYCLOAK_METADATA_URL` | OIDC discovery URL |
-| `KEYCLOAK_LOGIN_REALM` | Login realm name |
+These are automatically set by `KeycloakHelper.configureForRHDH()` or populated from global workspace in the vault:
+
+| Variable                        | Description           |
+| ------------------------------- | --------------------- |
+| `KEYCLOAK_BASE_URL`             | Keycloak instance URL |
+| `KEYCLOAK_REALM`                | Realm name            |
+| `KEYCLOAK_CLIENT_ID`            | OIDC client ID        |
+| `KEYCLOAK_CLIENT_SECRET`        | OIDC client secret    |
+| `KEYCLOAK_METADATA_URL`         | OIDC discovery URL    |
+| `KEYCLOAK_LOGIN_REALM`          | Login realm name      |
+| `VAULT_KEYCLOAK_ADMIN_USERNAME` | Admin username        |
+| `VAULT_KEYCLOAK_ADMIN_PASSWORD` | Admin password        |
 
 ### GitHub Auth
 

docs/guide/deployment/keycloak-deployment.md

@@ -92,7 +92,7 @@ await keycloak.configureForRHDH({
     clientId: "my-client",
     clientSecret: "my-secret",
   },
-  groups: ["developers", "admins"],
+  groups: [{ name: "developers" }, { name: "admins" }],
   users: [
     { username: "user1", password: "pass1", groups: ["developers"] },
     { username: "user2", password: "pass2", groups: ["admins"] },
@@ -156,6 +156,18 @@ const users = await keycloak.getUsers("rhdh");
 
 // Delete user
 await keycloak.deleteUser("rhdh", "username");
+
+// Create multiple users
+await keycloak.createUsersAndGroups("rhdh", {
+  users: [
+    { username: "user1", password: "pass1" },
+    { username: "user2", password: "pass2", groups: ["developers"] },
+  ],
+});
+
+// Delete multiple users - by objects or by usernames
+await keycloak.deleteUsersAndGroups("rhdh", { users });
+await keycloak.deleteUsersAndGroups("rhdh", { users: ["user1", "user2"] });
 ```
 
 ### Group Management
@@ -169,6 +181,15 @@ const groups = await keycloak.getGroups("rhdh");
 
 // Delete group
 await keycloak.deleteGroup("rhdh", "testers");
+
+// Create multiple groups
+await keycloak.createUsersAndGroups("rhdh", {
+  groups: [{ name: "admins" }, { name: "viewers" }],
+});
+
+// Delete multiple groups - by objects or by group names
+await keycloak.deleteUsersAndGroups("rhdh", { groups });
+await keycloak.deleteUsersAndGroups("rhdh", { groups: ["admins", "viewers"] });
 ```
 
 ### Using getUsers and getGroupsOfUser in tests

docs/overlay/reference/environment-variables.md

@@ -215,13 +215,10 @@ test.beforeAll(async ({ rhdh }) => {
 ### Validating Required Variables
 
 ```typescript
+import { requireEnv } from "@red-hat-developer-hub/e2e-test-utils/utils";
+
 test.beforeAll(async ({ rhdh }) => {
-  const requiredVars = ["VAULT_API_KEY", "VAULT_SECRET"];
-  for (const varName of requiredVars) {
-    if (!process.env[varName]) {
-      throw new Error(`Required variable ${varName} is not set`);
-    }
-  }
+  requireEnv("VAULT_API_KEY", "VAULT_SECRET");
 
   await rhdh.configure({ auth: "keycloak" });
   await rhdh.deploy();

docs/tutorials/keycloak-oidc-testing.md

@@ -66,8 +66,8 @@ test.beforeAll(async ({ rhdh }) => {
   // Connect to existing Keycloak
   await keycloak.connect({
     baseUrl: process.env.KEYCLOAK_BASE_URL!,
-    username: "admin",
-    password: "admin123",
+    username: process.env.VAULT_KEYCLOAK_ADMIN_USERNAME!,
+    password: process.env.VAULT_KEYCLOAK_ADMIN_PASSWORD!,
   });
 
   // Create admin user
@@ -90,6 +90,56 @@ test.beforeAll(async ({ rhdh }) => {
 });
 ```
 
+## Creating Custom Users and Groups in Bulk
+
+```typescript
+import { KeycloakHelper } from "@red-hat-developer-hub/e2e-test-utils/keycloak";
+import type {
+  KeycloakGroupConfig,
+  KeycloakUserConfig,
+} from "@red-hat-developer-hub/e2e-test-utils/keycloak";
+
+const TEST_GROUPS: KeycloakGroupConfig[] = [
+  { name: "writers" },
+  { name: "readers" },
+];
+
+const TEST_USERS: Record<string, KeycloakUserConfig> = {
+  reader: {
+    username: "catalog-reader",
+    password: crypto.randomUUID().substring(0, 21).replaceAll("-", "0"),
+    groups: ["readers"],
+  },
+  writer: {
+    username: "catalog-writer",
+    password: crypto.randomUUID().substring(0, 21).replaceAll("-", "0"),
+    groups: ["writers"],
+  },
+};
+
+test.beforeAll(async ({ rhdh }) => {
+  const keycloak = new KeycloakHelper();
+  await keycloak.connect({
+    baseUrl: process.env.KEYCLOAK_BASE_URL!,
+    username: process.env.VAULT_KEYCLOAK_ADMIN_USERNAME!,
+    password: process.env.VAULT_KEYCLOAK_ADMIN_PASSWORD!,
+  });
+  await keycloak.createUsersAndGroups(process.env.KEYCLOAK_REALM!, {
+    users: Object.values(TEST_USERS),
+    groups: TEST_GROUPS,
+  });
+
+  await rhdh.configure({ auth: "keycloak" });
+  await rhdh.deploy();
+});
+
+test.describe("Writer access", () => {
+  test.beforeEach(async ({ page, loginHelper }) => {
+    await page.goto("/");
+    await loginHelper.loginAsKeycloakUser(TEST_USERS.writer.username, TEST_USERS.writer.password);
+  });
+```
+
 ## Testing Role-Based Access
 
 ```typescript
@@ -160,8 +210,8 @@ test.afterAll(async () => {
   const keycloak = new KeycloakHelper();
   await keycloak.connect({
     baseUrl: process.env.KEYCLOAK_BASE_URL!,
-    username: "admin",
-    password: "admin123",
+    username: process.env.VAULT_KEYCLOAK_ADMIN_USERNAME!,
+    password: process.env.VAULT_KEYCLOAK_ADMIN_PASSWORD!,
   });
 
   // Cleanup custom users
@@ -170,6 +220,27 @@ test.afterAll(async () => {
 });
 ```
 
+## Cleanup in Bulk
+
+```typescript
+import { KeycloakHelper } from "@red-hat-developer-hub/e2e-test-utils/keycloak";
+
+test.afterAll(async () => {
+  const keycloak = new KeycloakHelper();
+  await keycloak.connect({
+    baseUrl: process.env.KEYCLOAK_BASE_URL!,
+    username: process.env.VAULT_KEYCLOAK_ADMIN_USERNAME!,
+    password: process.env.VAULT_KEYCLOAK_ADMIN_PASSWORD!,
+  });
+
+  // Cleanup custom users and groups
+  await keycloak.deleteUsersAndGroups("rhdh", {
+    users: TEST_USERS,
+    groups: TEST_GROUPS,
+  });
+});
+```
+
 ## Best Practices
 
 1. **Use default users for simple tests** - `test1`, `test2`

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@red-hat-developer-hub/e2e-test-utils",
-  "version": "1.1.17",
+  "version": "1.1.18",
   "description": "Test utilities for RHDH E2E tests",
   "license": "Apache-2.0",
   "repository": {

src/deployment/keycloak/deployment.ts

@@ -270,6 +270,28 @@ export class KeycloakHelper {
     }
   }
 
+  /**
+   * Create users and groups in a realm.
+   */
+  async createUsersAndGroups(
+    realm: string,
+    options: {
+      users?: KeycloakUserConfig[];
+      groups?: KeycloakGroupConfig[];
+    },
+  ): Promise<void> {
+    await this._ensureAdminClient();
+    const { groups = [], users = [] } = options;
+
+    for (const group of groups) {
+      await this.createGroup(realm, group);
+    }
+
+    for (const user of users) {
+      await this.createUser(realm, user);
+    }
+  }
+
   /**
    * Get all users in a realm
    */
@@ -324,6 +346,12 @@ export class KeycloakHelper {
    * Delete a user from a realm
    */
   async deleteUser(realm: string, username: string): Promise<void> {
+    if (DEFAULT_USERS.some((u) => u.username === username)) {
+      throw new Error(
+        `Deleting default Keycloak user "${username}" is not permitted.`,
+      );
+    }
+
     await this._ensureAdminClient();
     this._adminClient!.setConfig({ realmName: realm });
 
@@ -338,6 +366,12 @@ export class KeycloakHelper {
    * Delete a group from a realm
    */
   async deleteGroup(realm: string, groupName: string): Promise<void> {
+    if (DEFAULT_GROUPS.some((g) => g.name === groupName)) {
+      throw new Error(
+        `Deleting default Keycloak group "${groupName}" is not permitted.`,
+      );
+    }
+
     await this._ensureAdminClient();
     this._adminClient!.setConfig({ realmName: realm });
 
@@ -349,6 +383,33 @@ export class KeycloakHelper {
     }
   }
 
+  /**
+   * Delete users and groups from a realm.
+   */
+  async deleteUsersAndGroups(
+    realm: string,
+    options: {
+      users?: Array<KeycloakUserConfig | string>;
+      groups?: Array<KeycloakGroupConfig | string>;
+    },
+  ): Promise<void> {
+    await this._ensureAdminClient();
+    const { groups = [], users = [] } = options;
+
+    const usernames = users.map((u) =>
+      typeof u === "string" ? u : u.username,
+    );
+    const groupNames = groups.map((g) => (typeof g === "string" ? g : g.name));
+
+    for (const username of usernames) {
+      await this.deleteUser(realm, username);
+    }
+
+    for (const groupName of groupNames) {
+      await this.deleteGroup(realm, groupName);
+    }
+  }
+
   /**
    * Delete a realm
    */