From ace9e8d873be02dc4ab96be444d4ab759aabda7a Mon Sep 17 00:00:00 2001 From: Steve Breker Date: Wed, 9 Oct 2024 16:50:06 -0700 Subject: [PATCH] Fixed base url config in realm and app.yml --- .github/workflows/oidc-integration-test.yml | 4 +- docker/docker-compose.keycloak.yml | 3 +- docker/etc/keycloak/realm.json | 20 +-- test/etc/keycloak/realm.json | 129 ++++++++++++++++++++ test/etc/oidc/arOidcPlugin/config/app.yml | 70 +++++++++++ 5 files changed, 214 insertions(+), 12 deletions(-) create mode 100644 test/etc/keycloak/realm.json create mode 100644 test/etc/oidc/arOidcPlugin/config/app.yml diff --git a/.github/workflows/oidc-integration-test.yml b/.github/workflows/oidc-integration-test.yml index eb5a67b958..c8a265be45 100644 --- a/.github/workflows/oidc-integration-test.yml +++ b/.github/workflows/oidc-integration-test.yml @@ -22,6 +22,8 @@ jobs: run: | sudo sysctl -w vm.max_map_count=262144 docker compose -p ci up -d percona elasticsearch gearmand + - name: Set CI-specific Realm File + run: echo "REALM_FILE=../test/etc/keycloak/realm.json" >> $GITHUB_ENV - name: Launch Keycloak service run: | docker compose -p ci -f ${{ github.workspace }}/docker/docker-compose.keycloak.yml up -d @@ -86,7 +88,7 @@ jobs: --demo \ --no-confirmation - name: Update OIDC plugin app.yml file - run: sudo cp docker/etc/oidc/arOidcPlugin/config/app.yml plugins/arOidcPlugin/config + run: sudo cp test/etc/oidc/arOidcPlugin/config/app.yml plugins/arOidcPlugin/config - name: Update factories.yml to use oidcUser run: | sudo sed -i 's/class: myUser/class: oidcUser/' config/factories.yml diff --git a/docker/docker-compose.keycloak.yml b/docker/docker-compose.keycloak.yml index 399d5d4701..2ee2ee18f3 100644 --- a/docker/docker-compose.keycloak.yml +++ b/docker/docker-compose.keycloak.yml 
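Review bot: The added `Set CI-specific Realm File` step writes `REALM_FILE=../test/etc/keycloak/realm.json` to an unquoted `$GITHUB_ENV`, and the value is a path relative to `docker/` rather than to the workspace where the neighbouring steps run; that only works because Compose resolves relative bind-mount paths against the directory of the `-f` file by default, which a reader of the workflow cannot see. Quote the variable and say why the path starts with `../`, e.g. `echo "REALM_FILE=../test/etc/keycloak/realm.json" >> "$GITHUB_ENV"  # relative to docker/, where docker-compose.keycloak.yml lives`. A job-level `env: REALM_FILE: ...` entry would avoid the `$GITHUB_ENV` round-trip entirely. The enclosing `jobs:` mapping starts before this hunk.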
@@ -12,4 +12,5 @@ services: ports: - 8080:8080 volumes: - - .etc/keycloak/realm.json:/opt/keycloak/data/import/realm.json:ro + #- .etc/keycloak/realm.json:/opt/keycloak/data/import/realm.json:ro + - ${REALM_FILE:-./etc/keycloak/realm.json}:/opt/keycloak/data/import/realm.json:ro diff --git a/docker/etc/keycloak/realm.json b/docker/etc/keycloak/realm.json index 0f22dc4ff2..35237da548 100644 --- a/docker/etc/keycloak/realm.json +++ b/docker/etc/keycloak/realm.json @@ -17,13 +17,13 @@ "clientId": "atom", "name": "atom", "enabled": true, - "rootUrl": "http://docker-atom:63001", - "adminUrl": "http://docker-atom:63001", - "baseUrl": "http://docker-atom:63001", + "rootUrl": "http://127.0.0.1:63001", + "adminUrl": "http://127.0.0.1:63001", + "baseUrl": "http://127.0.0.1:63001", "clientAuthenticatorType": "client-secret", "secret": "example-secret", - "redirectUris": ["http://docker-atom:63001/*"], - "webOrigins": ["http://docker-atom:63001"], + "redirectUris": ["http://127.0.0.1:63001/*"], + "webOrigins": ["http://127.0.0.1:63001"], "standardFlowEnabled": true, "serviceAccountsEnabled": true, "authorizationServicesEnabled": true, @@ -81,13 +81,13 @@ "clientId": "atom-secondary", "name": "atom-secondary", "enabled": true, - "rootUrl": "http://docker-atom:63001", - "adminUrl": "http://docker-atom:63001", - "baseUrl": "http://docker-atom:63001", + "rootUrl": "http://127.0.0.1:63001", + "adminUrl": "http://127.0.0.1:63001", + "baseUrl": "http://127.0.0.1:63001", "clientAuthenticatorType": "client-secret", "secret": "example-secret", - "redirectUris": ["http://docker-atom:63001/*"], - "webOrigins": ["http://docker-atom:63001"], + "redirectUris": ["http://127.0.0.1:63001/*"], + "webOrigins": ["http://127.0.0.1:63001"], "standardFlowEnabled": true, "serviceAccountsEnabled": true, "authorizationServicesEnabled": true, diff --git a/test/etc/keycloak/realm.json b/test/etc/keycloak/realm.json new file mode 100644 index 0000000000..4689dffc57 --- /dev/null 
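Review bot: The commented-out old mount line `#- .etc/keycloak/realm.json:/opt/keycloak/data/import/realm.json:ro` should be dropped rather than left next to its replacement; git history preserves it, and a dead entry in a `volumes:` list that still contains the broken `.etc` path invites someone to uncomment it later. The new `${REALM_FILE:-./etc/keycloak/realm.json}` default is the actual fix for the missing `/`, so the line is better spent documenting the override, e.g. `# REALM_FILE: host path of the realm to import; CI points it at test/etc/keycloak/realm.json`. Keeping the `:ro` flag on the new mount is right, since Keycloak only needs to read the import file.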
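Review bot: `adminUrl` is resolved by the Keycloak server rather than by the browser, so `"adminUrl": "http://127.0.0.1:63001"` points at the Keycloak container's own loopback interface instead of at AtoM, unless the container shares the host network namespace; the browser-facing `rootUrl`/`baseUrl`/`redirectUris`/`webOrigins` switch to 127.0.0.1 is fine, but the admin (backchannel) URL presumably needs a name that resolves from inside the Keycloak container, or can be dropped if nothing uses it. The wildcard `"redirectUris": ["http://127.0.0.1:63001/*"]` also accepts any path on that origin; if the plugin's callback is fixed (the test app.yml in this commit uses `/index.php/oidc/login`), pinning it as `"redirectUris": ["http://127.0.0.1:63001/index.php/oidc/login"]` removes an open-redirect-style surface even in a dev realm. The `atom-secondary` client in the next hunk has the same shape.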
+++ b/test/etc/keycloak/realm.json 
@@ -0,0 +1,129 @@ +[ + { + "id": "demo", + "realm": "demo", + "sslRequired": "none", + "enabled": true, + "eventsEnabled": true, + "eventsExpiration": 900, + "adminEventsEnabled": true, + "adminEventsDetailsEnabled": true, + "attributes": { + "adminEventsExpiration": "900" + }, + "clients": [ + { + "id": "atom", + "clientId": "atom", + "name": "atom", + "enabled": true, + "rootUrl": "http://127.0.0.1", + "adminUrl": "http://127.0.0.1", + "baseUrl": "http://127.0.0.1", + "clientAuthenticatorType": "client-secret", + "secret": "example-secret", + "redirectUris": ["http://127.0.0.1/*"], + "webOrigins": ["http://127.0.0.1"], + "standardFlowEnabled": true, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + "publicClient": false + } + ], + "users": [ + { + "id": "demo", + "email": "demo@example.com", + "username": "demo", + "enabled": true, + "emailVerified": true, + "credentials": [ + { + "temporary": false, + "type": "password", + "value": "demo" + } + ], + "realmRoles": [ + "atom-admin", + "atom-editor" + ] + } + ], + "roles": { + "realm": [ + { + "name": "atom-admin", + "description": "Admin role for AtoM" + }, + { + "name": "atom-editor", + "description": "Editor role for AtoM" + } + ] + } + }, + { + "id": "secondary", + "realm": "secondary", + "sslRequired": "none", + "enabled": true, + "eventsEnabled": true, + "eventsExpiration": 900, + "adminEventsEnabled": true, + "adminEventsDetailsEnabled": true, + "attributes": { + "adminEventsExpiration": "900" + }, + "clients": [ + { + "id": "atom-secondary", + "clientId": "atom-secondary", + "name": "atom-secondary", + "enabled": true, + "rootUrl": "http://127.0.0.1", + "adminUrl": "http://127.0.0.1", + "baseUrl": "http://127.0.0.1", + "clientAuthenticatorType": "client-secret", + "secret": "example-secret", + "redirectUris": ["http://127.0.0.1/*"], + "webOrigins": ["http://127.0.0.1"], + "standardFlowEnabled": true, + "serviceAccountsEnabled": true, + "authorizationServicesEnabled": true, + 
"publicClient": false + } + ], + "users": [ + { + "id": "support", + "email": "support@example.com", + "username": "support", + "enabled": true, + "emailVerified": true, + "credentials": [ + { + "temporary": false, + "type": "password", + "value": "support" + } + ], + "realmRoles": [ + "atom-admin" + ] + } + ], + "roles": { + "realm": [ + { + "name": "atom-admin", + "description": "Admin role for AtoM" + }, + { + "name": "atom-editor", + "description": "Editor role for AtoM" + } + ] + } + } +] diff --git a/test/etc/oidc/arOidcPlugin/config/app.yml b/test/etc/oidc/arOidcPlugin/config/app.yml new file mode 100644 index 0000000000..39a8ba3158 --- /dev/null +++ b/test/etc/oidc/arOidcPlugin/config/app.yml 
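Review bot: Both new clients set `"serviceAccountsEnabled": true` and `"authorizationServicesEnabled": true`, but as far as this diff shows the plugin only drives the standard authorization-code flow (`standardFlowEnabled`, `scopes`, `redirect_url`), so these enable a client-credentials grant and Keycloak authorization services for a client whose secret is the literal `example-secret`; setting both to `false` keeps the fixture least-privilege. `"redirectUris": ["http://127.0.0.1/*"]` accepts any path on that origin, while the accompanying test app.yml fixes the callback to `http://127.0.0.1/index.php/oidc/login`, so that exact value can be used here. `"sslRequired": "none"`, the `demo`/`demo` and `support`/`support` passwords and the `atom-admin` role on both users are tolerable only because this file lives under `test/`; since JSON has no comment syntax, the workflow step that mounts it (or a README next to it) is the place to state that it must never be imported into a non-CI Keycloak.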
@@ -0,0 +1,70 @@ +## OIDC Plugin configuration. +all: + oidc: + providers: + demo: + url: 'http://keycloak:8080/realms/demo' + client_id: 'atom' + client_secret: 'example-secret' + send_oidc_logout: true + enable_refresh_token_use: true + server_cert: false + set_groups_from_attributes: true + user_groups: + administrator: + attribute_value: 'atom-admin' + group_id: 100 + editor: + attribute_value: 'atom-editor' + group_id: 101 + contributor: + attribute_value: 'atom-contributor' + group_id: 102 + translator: + attribute_value: 'atom-translator' + group_id: 103 + scopes: + - 'openid' + - 'profile' + - 'email' + roles_source: 'access-token' + roles_path: + - 'realm_access' + - 'roles' + user_matching_source: 'oidc-email' + auto_create_atom_user: true + secondary: + url: 'http://keycloak:8080/realms/secondary' + client_id: 'atom-secondary' + client_secret: 'example-secret' + send_oidc_logout: true + enable_refresh_token_use: true + server_cert: false + set_groups_from_attributes: true + user_groups: + administrator: + attribute_value: 'atom-admin' + group_id: 100 + editor: + attribute_value: 'atom-editor' + group_id: 101 + contributor: + attribute_value: 'atom-contributor' + group_id: 102 + translator: + attribute_value: 'atom-translator' + group_id: 103 + scopes: + - 'openid' + - 'profile' + - 'email' + roles_source: 'access-token' + roles_path: + - 'realm_access' + - 'roles' + user_matching_source: 'oidc-email' + auto_create_atom_user: true + primary_provider_name: primary + provider_query_param_name: secondary + redirect_url: 'http://127.0.0.1/index.php/oidc/login' + logout_redirect_url: 'http://127.0.0.1'
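Review bot: `primary_provider_name: primary` does not match either key under `providers` (`demo` and `secondary`); if the plugin resolves the primary provider by this name, a login without the `secondary` query parameter will find no provider, so this presumably should read `primary_provider_name: demo`. Separately, both providers use `user_matching_source: 'oidc-email'` with `auto_create_atom_user: true`, so an AtoM account is keyed by email alone across two independent realms; anyone who can set a user's email in the `secondary` realm to an address that exists in `demo` would be mapped onto that account, including its `atom-admin` group. That is acceptable for a CI fixture but should be marked, e.g. `# CI fixture only: email-based matching across realms is unsafe for production; match on issuer+subject there.`, and the hard-coded `client_secret: 'example-secret'` and `server_cert: false` (if that disables certificate verification) deserve the same test-only caveat.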