
Set up Keycloak and integrate with API #632

Closed
wants to merge 251 commits into from

Conversation

karlhorky
Contributor

@karlhorky karlhorky commented Sep 19, 2018

Merging blocked on #575 and #627 because this contains commits from those PRs.

To use, (re)build containers:

docker-compose down
rm build/{api,keycloak,keycloak-db,local-api-data-watcher-pusher}
make build/api
make build/keycloak
make build/keycloak-db
make build/local-api-data-watcher-pusher

TODO:

  • Fork keycloak-admin-client to https://github.com/amazeeio/keycloak-admin-client
  • Fix security warnings
  • Merge create group upstream into fork. Done: amazeeio/keycloak-admin-client#1
  • Add keycloak-admin-client dependency to API
  • Switch to keycloak-admin instead of using our fork
  • Wait on Keycloak startup (~20 seconds) before accepting API requests
  • addProject mutation creates Keycloak group
  • updateProject with a new name renames Keycloak group
  • updateProject with a new customer deletes Keycloak users with customer-only project access from the Keycloak group
  • updateProject with a new customer adds Keycloak users with customer-only project access to the Keycloak group
  • deleteProject deletes Keycloak group
  • deleteAllProjects deletes all corresponding Keycloak groups
  • addUser mutation creates Keycloak user
  • addUserToProject adds a Keycloak user to a group
  • removeUserFromProject deletes a Keycloak user from a group
  • removeAllUsersFromAllProjects deletes all Keycloak users from all groups
  • addUserToCustomer adds a Keycloak user to the groups corresponding to the customer's projects
  • removeUserFromCustomer deletes a Keycloak user from the groups corresponding to the customer's projects
  • removeAllUsersFromAllCustomers deletes all Keycloak users from the groups corresponding to all customers' projects
  • Update of users
  • Delete of users
  • Move truncation code to each DAO file and add Keycloak deletion commands
  • Make user.email column unique
  • Require email to be passed to user creation command
  • Adapt addUser mutations in api-data.gql to also specify email
  • Configure the environment variables
  • Pull request to override config after auth: "Ability to set realmName (and maybe other settings) after first authentication" (keycloak/keycloak-nodejs-admin-client#3)
  • Resolve any issues with short 60s token timeout (maybe this isn't a problem? or if it is, we can use the refresh_token)
  • Fix bug with user email updating causing loss of group membership
  • If User has been created from GitLab Sync system, add provided Gitlab UserID and Username as Identity Provider Links in Keycloak for the gitlab identity provider
  • Fix Flow types in all API -> DAO files
  • Migrate to better folder structure for resolvers, SQL files, Keycloak files

Maybe:

  • Fix broken tests in keycloak-admin-client, open PR: "Using the keycloak-admin module instead"
  • Change the config path back to the default $HOME/.keycloak/kcadm.config (see 3080d6c)
  • Improve token refresh (currently setInterval) to use refresh token to get new token
  • Move API authentication to Keycloak
  • Move rest of Users implementation to Keycloak

Nope:

  • deleteCustomer deletes all Keycloak groups corresponding to customer projects. Don't need to do this because deleteCustomer only deletes customers without any projects assigned to them

Closes #620


Get a 60 second admin token

$ curl -X POST \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'username=admin&password=admin&client_id=admin-cli&grant_type=password' \
    http://localhost:8088/auth/realms/master/protocol/openid-connect/token
{"access_token":"<access token>","expires_in":60,"refresh_expires_in":1800,"refresh_token":"<refresh token>","token_type":"bearer","not-before-policy":0,"session_state":"c22cd523-4467-4068-8524-88f7a23261c9","scope":"profile email"}

GET users

$ curl -v -X GET \
    -H 'Authorization: Bearer <access token>' http://localhost:8088/auth/admin/realms/lagoon/users
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8088 (#0)
> GET /auth/admin/realms/lagoon/users HTTP/1.1
> Host: localhost:8088
> User-Agent: curl/7.54.0
> Accept: */*
> Authorization: Bearer <access token>
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< Cache-Control: no-cache
< Content-Type: application/json
< Content-Length: 326
< Date: Wed, 19 Sep 2018 15:01:53 GMT
<
* Connection #0 to host localhost left intact
[{"id":"2c6cf0a8-c07d-42af-bce6-ec4ebdd4aa59","createdTimestamp":1537365502713,"username":"user","enabled":true,"totp":false,"emailVerified":false,"disableableCredentialTypes":["password"],"requiredActions":[],"notBefore":0,"access":{"manageGroupMembership":true,"view":true,"mapRoles":true,"impersonate":true,"manage":true}}]%

Ref: https://stackoverflow.com/questions/48507224/cant-access-keycloak-rest-api-methods-404
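The token handling the TODO list discusses (a 60-second access token, with the refresh_token as the way to renew it), as an added example that is not part of this PR or the Lagoon code base: a small Python client that logs in with the admin-cli password grant shown in the curl command above and refreshes shortly before the token expires. The two endpoint URLs are the ones from the curl commands; the class, function names and the 10-second skew are my own assumptions.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Endpoints taken from the curl commands in the PR description (realm "lagoon", port 8088).
TOKEN_URL = "http://localhost:8088/auth/realms/master/protocol/openid-connect/token"
USERS_URL = "http://localhost:8088/auth/admin/realms/lagoon/users"
SKEW = 10  # assumed: refresh this many seconds early so in-flight requests don't race the expiry


def http_post_form(url, fields):
    """Real transport: POST an application/x-www-form-urlencoded body, decode the JSON reply."""
    req = Request(url, data=urlencode(fields).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.loads(resp.read())


class AdminToken:
    """Keeps an admin-cli access token usable by exchanging the refresh_token before expiry."""

    def __init__(self, post=http_post_form, now=time.monotonic):
        self._post, self._now = post, now  # injectable for offline testing
        self._access = self._refresh = None
        self._expires_at = self._refresh_expires_at = 0.0

    def login(self, username, password):
        self._store(self._post(TOKEN_URL, {
            "client_id": "admin-cli", "grant_type": "password",
            "username": username, "password": password}))

    def _store(self, reply):
        t = self._now()
        self._access, self._refresh = reply["access_token"], reply["refresh_token"]
        self._expires_at = t + reply["expires_in"]                  # 60 s in the PR's output
        self._refresh_expires_at = t + reply["refresh_expires_in"]  # 1800 s in the PR's output

    def bearer(self):
        """Return an access token, refreshing it when it is within SKEW seconds of expiry."""
        t = self._now()
        if t >= self._expires_at - SKEW:
            if t >= self._refresh_expires_at - SKEW:
                raise RuntimeError("refresh token expired; log in again")
            self._store(self._post(TOKEN_URL, {
                "client_id": "admin-cli", "grant_type": "refresh_token",
                "refresh_token": self._refresh}))
        return self._access

    def auth_header(self):
        """Header for admin REST calls such as GET USERS_URL."""
        return {"Authorization": "Bearer " + self.bearer()}
```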

MariaDB doesn't care which way you do it, so let's just do it with the
parentheses in case we ever need parameters later.

> In current releases of MariaDB, CALL p() and CALL p are equivalent.

Ref: https://mariadb.com/kb/en/library/call/

To accept user IDs instead of SSH keys
This loops through all orphaned SSH keys (SSH keys without a related user in
user_ssh_key) and:

1. Creates a user
2. Creates a row in the user_ssh_key key to map the new user to the SSH key
3. Migrates all existing customer permissions to customer_user
4. Migrates all existing project permissions to project_user
- Move SSH key DAO functions to user.js, refactor
- Add new user DAO functions
- Rewrite stored procedures to use Knex
- Update old GraphQL queries
- Add new GraphQL queries
- Add userBySshKeys query
@karlhorky
Contributor Author

Merged into #675 to collaborate better with rest of team. Will continue from there.

@karlhorky karlhorky closed this Oct 9, 2018
@karlhorky karlhorky deleted the keycloak-setup-and-integration-GOV-27 branch October 9, 2018 12:34
Successfully merging this pull request may close these issues.

Connect Lagoon API with Keycloak