Start testing authentication with Keycloak. Fixes #86

kiwitcms · Jun 23, 2021 · 88260f7 · 88260f7
1 parent f23c9d7
commit 88260f7
Show file tree

Hide file tree

Showing 5 changed files with 102 additions and 2 deletions.
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -36,17 +36,26 @@ jobs:
       run: |
         make ${{ matrix.command }}
 
+    - name: Setup - start and configure Keycloak server
+      if: matrix.command == 'docker-image'
+      run: |
+        ./testing/start_keycloak.sh
 
     - name: Sanity test - boot the docker image
       if: matrix.command == 'docker-image'
       run: |
-        docker-compose -f docker-compose.testing up -d
+        docker-compose -f docker-compose.testing --env-file /tmp/kc.env up -d
         sleep 5
 
         IP_ADDRESS=`docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' web`
         echo "--- testing.example.bg: $IP_ADDRESS --"
         sudo sh -c "echo '$IP_ADDRESS    testing.example.bg' >> /etc/hosts"
 
+        KC_ADDRESS=`docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' keycloak_server`
+        echo "--- kc.example.bg: $KC_ADDRESS --"
+        # Kiwi TCMS container needs to know how to resolve the Keycloak server address
+        docker exec -u 0 -i web /bin/bash -c "echo '$KC_ADDRESS    kc.example.bg' >> /etc/hosts"
+
     - name: Sanity test - initial configuration
       if: matrix.command == 'docker-image'
       run: |
@@ -64,7 +73,7 @@ jobs:
 
     - name: Archive page.html
       if: matrix.command == 'docker-image'
-      uses: actions/upload-artifact@v1
+      uses: actions/upload-artifact@v2
       with:
         name: page.html
         path: page.html
@@ -123,7 +132,23 @@ jobs:
         docker exec -i web /Kiwi/manage.py ldap_sync_users
         cat testing/ldap.py | docker exec -i web /Kiwi/manage.py shell
 
+    - name: Sanity test - Keycloak login
+      if: matrix.command == 'docker-image'
+      run: |
+        robot testing/keycloak.robot
+
+        # TODO: validate users in DB after KC login
+        cat testing/ldap.py | docker exec -i web /Kiwi/manage.py shell
+
+    - name: Archive Keycloak JSON files
+      if: matrix.command == 'docker-image'
+      uses: actions/upload-artifact@v2
+      with:
+        name: kc-json-files
+        path: ./*.json
+
     - name: Sanity test - shut down the docker image
       if: matrix.command == 'docker-image'
       run: |
+        docker kill keycloak_server
         docker-compose -f docker-compose.testing down
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@ build/
 dist/
 *.egg-info/
 *.pyc
+*.json
diff --git a/docker-compose.testing b/docker-compose.testing
@@ -8,6 +8,7 @@ services:
         ports:
             - 389:389
             - 636:636
+
     db:
         container_name: db
         image: centos/postgresql-12-centos7

diff --git a/test_settings.py b/test_settings.py
@@ -1,4 +1,5 @@
 # pylint: disable=undefined-variable
+import os
 
 # enable additional authentication backends
 # so we can perform some sanity testing
@@ -7,6 +8,7 @@
     'social_core.backends.fedora.FedoraOpenId',
     'social_core.backends.github.GithubAppAuth',
     'social_core.backends.github.GithubOAuth2',
+    'social_core.backends.keycloak.KeycloakOAuth2',
 
     'social_auth_kerberos.backend.KerberosAuth',
 
@@ -24,3 +26,12 @@
 LDAP_AUTH_URL = "ldap://openldap_server:389"
 LDAP_AUTH_USE_TLS = True
 LDAP_AUTH_SEARCH_BASE = "ou=People,dc=example,dc=com"
+
+
+SOCIAL_AUTH_KEYCLOAK_KEY = 'kiwitcms-web-app'
+SOCIAL_AUTH_KEYCLOAK_SECRET = os.environ["KC_CLIENT_SECRET"]
+SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = os.environ["KC_PUBLIC_KEY"]
+SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = \
+    "http://kc.example.bg:8080/auth/realms/kiwi/protocol/openid-connect/auth"
+SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = \
+    "http://kc.example.bg:8080/auth/realms/kiwi/protocol/openid-connect/token"
diff --git a/testing/start_keycloak.sh b/testing/start_keycloak.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+
+docker network create enterprise_default || echo "Moving on"
+
+docker run --rm -d -p 8080:8080 --name keycloak_server \
+    --network=enterprise_default \
+    -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak
+
+sleep 10
+
+KC_ADDRESS=`docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' keycloak_server`
+
+if [ -z "$(grep kc.example.bg /etc/hosts)" ]; then
+    echo "--- kc.example.bg: $IP_ADDRESS --"
+    sudo sh -c "echo '$KC_ADDRESS    kc.example.bg' >> /etc/hosts"
+fi
+
+docker exec -i keycloak_server \
+    /opt/jboss/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth \
+        --realm master --user admin --password admin
+
+docker exec -i keycloak_server \
+    /opt/jboss/keycloak/bin/kcadm.sh create realms -s realm=kiwi -s enabled=true
+
+docker exec -i keycloak_server \
+    /opt/jboss/keycloak/bin/kcadm.sh create clients \
+        -r kiwi -s clientId=kiwitcms-web-app -s enabled=true -s protocol=openid-connect \
+        -s attributes='{"user.info.response.signature.alg": "RS256"}' \
+        -s publicClient=false -s rootUrl=https://testing.example.bg:8443 -o > kc_client.json
+KC_CLIENT_ID=`cat kc_client.json | jq -r '.id'`
+
+docker exec -i keycloak_server \
+    /opt/jboss/keycloak/bin/kcadm.sh create clients/$KC_CLIENT_ID/protocol-mappers/models \
+    -r kiwi -s name="Audience Mapper" -s protocol=openid-connect \
+    -s protocolMapper=oidc-audience-mapper \
+    -s config='{"included.client.audience": "kiwitcms-web-app"}'
+
+docker exec -i keycloak_server \
+    /opt/jboss/keycloak/bin/kcadm.sh get keys -r kiwi > kc_realm_keys.json
+KC_PUBLIC_KEY=`cat kc_realm_keys.json | jq -r '.keys | .[] | select(.algorithm | contains("RS256")) | .publicKey'`
+
+docker exec -i keycloak_server \
+    /opt/jboss/keycloak/bin/kcadm.sh get clients/$KC_CLIENT_ID/client-secret -r kiwi > kc_client_secret.json
+KC_CLIENT_SECRET=`cat kc_client_secret.json | jq -r '.value'`
+
+echo "KC_PUBLIC_KEY=\"$KC_PUBLIC_KEY\"" > /tmp/kc.env
+echo "KC_CLIENT_SECRET=\"$KC_CLIENT_SECRET\"" >> /tmp/kc.env
+
+docker exec -i keycloak_server \
+    /opt/jboss/keycloak/bin/kcadm.sh create users -r kiwi -s username=kc_bot -s enabled=false
+
+docker exec -i keycloak_server \
+    /opt/jboss/keycloak/bin/kcadm.sh create users -r kiwi -s username=kc_atodorov -s enabled=true \
+        -s email=atodorov@kc.example.bg -o --fields id > kc_atodorov.json
+
+cat kc_atodorov.json
+KC_USER_ID=`cat kc_atodorov.json | jq -r ".id"`
+
+docker exec -i keycloak_server \
+    /opt/jboss/keycloak/bin/kcadm.sh update users/$KC_USER_ID/reset-password \
+        -r kiwi -s type=password -s value=h3llo-w0rld -s temporary=false -n