do not run sonar for pull requests and added files to test with keycloak w/ burnettk

.github/workflows/tests.yml

@@ -209,6 +209,9 @@ jobs:
 
       - name: SonarCloud Scan
         uses: sonarsource/sonarcloud-github-action@master
+        # thought about just skipping dependabot, but skipping all pull requests seems better, since none of them will have access to sonarcloud
+        # if: ${{ github.actor != 'dependabot[bot]' }}
+        if: ${{ github.event_name != 'pull_request' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

bin/keycloak_test_secrets.json

@@ -0,0 +1,14 @@
+{
+    "web": {
+        "issuer": "http://localhost:8080/realms/finance",
+        "auth_uri": "http://localhost:8080/realms/finance/protocol/openid-connect/auth",
+        "client_id": "myclient",
+        "client_secret": "OAh6rkjXIiPJDtPOz4459i3VtdlxGcce",
+        "redirect_uris": [
+            "http://localhost:5000/*"
+        ],
+        "userinfo_uri": "http://localhost:8080/realms/finance/protocol/openid-connect/userinfo", 
+        "token_uri": "http://localhost:8080/realms/finance/protocol/openid-connect/token",
+        "token_introspection_uri": "http://localhost:8080/realms/finance/protocol/openid-connect/token/introspect"
+    }
+}

bin/keycloak_test_server.py

@@ -0,0 +1,87 @@
+import json
+import logging
+
+from flask import Flask, g
+from flask_oidc import OpenIDConnect
+import requests
+
+logging.basicConfig(level=logging.DEBUG)
+
+app = Flask(__name__)
+app.config.update({
+    'SECRET_KEY': 'SomethingNotEntirelySecret',
+    'TESTING': True,
+    'DEBUG': True,
+    'OIDC_CLIENT_SECRETS': 'bin/keycloak_test_secrets.json',
+    'OIDC_ID_TOKEN_COOKIE_SECURE': False,
+    'OIDC_REQUIRE_VERIFIED_EMAIL': False,
+    'OIDC_USER_INFO_ENABLED': True,
+    'OIDC_OPENID_REALM': 'flask-demo',
+    'OIDC_SCOPES': ['openid', 'email', 'profile'],
+    'OIDC_INTROSPECTION_AUTH_METHOD': 'client_secret_post'
+})
+
+oidc = OpenIDConnect(app)
+
+
+@app.route('/')
+def hello_world():
+    if oidc.user_loggedin:
+        return ('Hello, %s, <a href="/private">See private</a> '
+                '<a href="/logout">Log out</a>') % \
+            oidc.user_getfield('preferred_username')
+    else:
+        return 'Welcome anonymous, <a href="/private">Log in</a>'
+
+
+@app.route('/private')
+@oidc.require_login
+def hello_me():
+    """Example for protected endpoint that extracts private information from the OpenID Connect id_token.
+       Uses the accompanied access_token to access a backend service.
+    """
+
+    info = oidc.user_getinfo(['preferred_username', 'email', 'sub'])
+
+    username = info.get('preferred_username')
+    email = info.get('email')
+    user_id = info.get('sub')
+
+    if user_id in oidc.credentials_store:
+        try:
+            from oauth2client.client import OAuth2Credentials
+            access_token = OAuth2Credentials.from_json(oidc.credentials_store[user_id]).access_token
+            print('access_token=<%s>' % access_token)
+            headers = {'Authorization': 'Bearer %s' % (access_token)}
+            # YOLO
+            # greeting = requests.get('http://localhost:8080/greeting', headers=headers).text
+        except:
+            print("Could not access greeting-service")
+            greeting = "Hello %s" % username
+    
+    return ("""%s your email is %s and your user_id is %s!
+               <ul>
+                 <li><a href="/">Home</a></li>
+                 <li><a href="//localhost:8080/auth/realms/finance/account?referrer=flask-app&referrer_uri=http://localhost:5000/private&">Account</a></li>
+                </ul>""" %
+            (greeting, email, user_id))
+
+
+@app.route('/api', methods=['POST'])
+@oidc.accept_token(require_token=True, scopes_required=['openid'])
+def hello_api():
+    """OAuth 2.0 protected API endpoint accessible via AccessToken"""
+
+    return json.dumps({'hello': 'Welcome %s' % g.oidc_token_info['sub']})
+
+
+@app.route('/logout')
+def logout():
+    """Performs local logout by removing the session cookie."""
+
+    oidc.logout()
+    return 'Hi, you have been logged out! <a href="/">Return</a>'
+
+
+if __name__ == '__main__':
+    app.run()

bin/start_keycloak

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+function error_handler() {
+  >&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
+  exit "$2"
+}
+trap 'error_handler ${LINENO} $?' ERR
+set -o errtrace -o errexit -o nounset -o pipefail
+
+docker run -p 8080:8080 -d --rm --name keycloak -e KEYCLOAK_LOGLEVEL=ALL -e ROOT_LOGLEVEL=ALL -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:18.0.0 start-dev
+
+# to export:
+# /opt/keycloak/bin/kc.sh export --dir /tmp/hey --users realm_file
+
+# NOTE: creds - user1 / password
+
+docker cp  bin/finance-realm.json keycloak:/tmp
+docker exec keycloak /opt/keycloak/bin/kc.sh import --file /tmp/finance-realm.json
+docker logs -f keycloak