added script to add test keycloak users and moved all keycloak stuff to keycloak directory w/ burnettk

2023-01-19 12:18:05 -05:00 · 2023-01-19 12:18:05 -05:00 · da25a85b78
parent 74c46c9b4e
commit da25a85b78
16 changed files with 3164 additions and 157 deletions
--- a/bin/get_token
+++ b/bin/get_token
@ -22,8 +22,8 @@ set -o errtrace -o errexit -o nounset -o pipefail

 # KEYCLOAK_BASE_URL=http://localhost:7002
 KEYCLOAK_BASE_URL=https://keycloak.dev.spiffworkflow.org
-# BACKEND_BASE_URL=http://localhost:7000
-BACKEND_BASE_URL=https://api.dev.spiffworkflow.org
+BACKEND_BASE_URL=http://localhost:7000
+# BACKEND_BASE_URL=https://api.dev.spiffworkflow.org
 REALM_NAME=spiffworkflow
 USERNAME=${1-fin}
 PASSWORD=${2-fin}
--- a/bin/keycloak_test_secrets.json
+++ b/bin/keycloak_test_secrets.json
@ -1,12 +0,0 @@
-{
-  "web": {
-    "issuer": "http://localhost:8080/realms/finance",
-    "auth_uri": "http://localhost:8080/realms/finance/protocol/openid-connect/auth",
-    "client_id": "myclient",
-    "client_secret": "OAh6rkjXIiPJDtPOz4459i3VtdlxGcce",
-    "redirect_uris": ["http://localhost:5005/*"],
-    "userinfo_uri": "http://localhost:8080/realms/finance/protocol/openid-connect/userinfo",
-    "token_uri": "http://localhost:8080/realms/finance/protocol/openid-connect/token",
-    "token_introspection_uri": "http://localhost:8080/realms/finance/protocol/openid-connect/token/introspect"
-  }
-}
--- a/bin/keycloak_test_server.py
+++ b/bin/keycloak_test_server.py
@ -1,105 +0,0 @@
-# type: ignore
-"""keycloak_test_server."""
-# ./bin/start_keycloak # starts keycloak on 8080
-# pip install flask_oidc
-# pip install itsdangerous==2.0.1
-# python ./bin/keycloak_test_server.py # starts flask on 5005
-import json
-import logging
-
-import requests
-from flask import Flask
-from flask import g
-from flask_oidc import OpenIDConnect
-
-logging.basicConfig(level=logging.DEBUG)
-
-app = Flask(__name__)
-app.config.update(
-    {
-        "SECRET_KEY": "SomethingNotEntirelySecret",
-        "TESTING": True,
-        "DEBUG": True,
-        "OIDC_CLIENT_SECRETS": "bin/keycloak_test_secrets.json",
-        "OIDC_ID_TOKEN_COOKIE_SECURE": False,
-        "OIDC_REQUIRE_VERIFIED_EMAIL": False,
-        "OIDC_USER_INFO_ENABLED": True,
-        "OIDC_OPENID_REALM": "flask-demo",
-        "OIDC_SCOPES": ["openid", "email", "profile"],
-        "OIDC_INTROSPECTION_AUTH_METHOD": "client_secret_post",
-    }
-)
-
-oidc = OpenIDConnect(app)
-
-
-@app.route("/")
-def hello_world():
-    """Hello_world."""
-    if oidc.user_loggedin:
-        return (
-            'Hello, %s, <a href="/private">See private</a> '
-            '<a href="/logout">Log out</a>'
-            % oidc.user_getfield("preferred_username")
-        )
-    else:
-        return 'Welcome anonymous, <a href="/private">Log in</a>'
-
-
-@app.route("/private")
-@oidc.require_login
-def hello_me():
-    """Example for protected endpoint that extracts private information from the OpenID Connect id_token.
-
-    Uses the accompanied access_token to access a backend service.
-    """
-    info = oidc.user_getinfo(["preferred_username", "email", "sub"])
-
-    username = info.get("preferred_username")
-    email = info.get("email")
-    user_id = info.get("sub")
-
-    if user_id in oidc.credentials_store:
-        try:
-            from oauth2client.client import OAuth2Credentials
-
-            access_token = OAuth2Credentials.from_json(
-                oidc.credentials_store[user_id]
-            ).access_token
-            print("access_token=<%s>" % access_token)
-            headers = {"Authorization": "Bearer %s" % (access_token)}
-            # YOLO
-            greeting = requests.get(
-                "http://localhost:8080/greeting", headers=headers
-            ).text
-        except BaseException:
-            print("Could not access greeting-service")
-            greeting = "Hello %s" % username
-
-    return """{} your email is {} and your user_id is {}!
-               <ul>
-                 <li><a href="/">Home</a></li>
-                 <li><a href="//localhost:8080/auth/realms/finance/account?referrer=flask-app&referrer_uri=http://localhost:5005/private&">Account</a></li>
-                </ul>""".format(
-        greeting,
-        email,
-        user_id,
-    )
-
-
-@app.route("/api", methods=["POST"])
-@oidc.accept_token(require_token=True, scopes_required=["openid"])
-def hello_api():
-    """OAuth 2.0 protected API endpoint accessible via AccessToken."""
-    return json.dumps({"hello": "Welcome %s" % g.oidc_token_info["sub"]})
-
-
-@app.route("/logout")
-def logout():
-    """Performs local logout by removing the session cookie."""
-    oidc.logout()
-    return 'Hi, you have been logged out! <a href="/">Return</a>'
-
-
-if __name__ == "__main__":
-    app.run(port=5005)
--- a/bin/test_file_upload
+++ b/bin/test_file_upload
@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-function error_handler() {
-  >&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
-  exit "$2"
-}
-trap 'error_handler ${LINENO} $?' ERR
-set -o errtrace -o errexit -o nounset -o pipefail
-
-curl -v -F key1=value1 -F upload=@localfilename URL
--- a/bin/test_with_curl
+++ b/bin/test_with_curl
@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-
-function error_handler() {
-  >&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
-  exit "$2"
-}
-trap 'error_handler ${LINENO} $?' ERR
-set -o errtrace -o errexit -o nounset -o pipefail
-
-if [[ "${1:-}" == "c" ]]; then
-  curl --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d '{}'
-elif grep -qE '^[0-9]$' <<<"${1:-}" ; then
-  curl --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d "{ \"task_identifier\": \"${1}\"}"
-else
-  ./bin/recreate_db clean
-  curl --silent --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d '{ "task_identifier": "1", "answer": {"Product Name": "G", "Quantity": "2"}}' | jq .
-  curl --silent --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d '{ "task_identifier": "1", "answer": {"Sleeve Type": "Short"}}' | jq .
-  curl --silent --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d '{ "task_identifier": "1", "answer": {"Continue shopping?": "N"}}' | jq .
-  curl --silent --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d '{ "task_identifier": "1", "answer": {"Shipping Method": "Overnight"}}' | jq .
-  curl --silent --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d '{ "task_identifier": "1", "answer": {"Shipping Address": "Somewhere"}}' | jq .
-  curl --silent --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d '{ "task_identifier": "1", "answer": {"Place Order": "Y"}}' | jq .
-  curl --silent --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d '{ "task_identifier": "1", "answer": {"Card Number": "MY_CARD"}}' | jq .
-  curl --silent --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d '{ "task_identifier": "2", "answer": {"Was the customer charged?": "Y"}}' | jq .
-  curl --silent --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d '{ "task_identifier": "1", "answer": {"Was the product available?": "Y"}}' | jq .
-  curl --silent --fail localhost:5000/run_process -H "Content-type: application/json" -X POST -d '{ "task_identifier": "1", "answer": {"Was the order shipped?": "Y"}}' | jq .
-fi
--- a/keycloak/bin/add_test_users_to_keycloak
+++ b/keycloak/bin/add_test_users_to_keycloak
@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+function error_handler() {
+  >&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
+  exit "$2"
+}
+trap 'error_handler ${LINENO} $?' ERR
+set -o errtrace -o errexit -o nounset -o pipefail
+
+user_file_with_one_email_per_line="${1:-}"
+if [[ -z "${1:-}" ]]; then
+  >&2 echo "usage: $(basename "$0") [user_file_with_one_email_per_line]"
+  exit 1
+fi
+
+KEYCLOAK_BASE_URL=http://localhost:7002
+REALM_NAME=master
+ADMIN_USERNAME="admin"
+ADMIN_PASSWORD="admin"
+SECURE=false
+
+KEYCLOAK_URL=$KEYCLOAK_BASE_URL/realms/$REALM_NAME/protocol/openid-connect/token
+
+if [[ $SECURE = 'y' ]]; then
+	INSECURE=
+else
+	INSECURE=--insecure
+fi
+
+# https://www.appsdeveloperblog.com/keycloak-rest-api-create-a-new-user/
+result=$(curl --fail -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
+  --header 'Content-Type: application/x-www-form-urlencoded' \
+  --data-urlencode "username=${ADMIN_USERNAME}" \
+  --data-urlencode "password=${ADMIN_PASSWORD}" \
+  --data-urlencode 'grant_type=password' \
+  --data-urlencode 'client_id=admin-cli'
+)
+backend_token=$(jq -r '.access_token' <<< "$result")
+
+while read -r user_email; do
+  if [[ -n "$user_email" ]]; then
+    username=$(awk -F '@' '{print $1}' <<<"$user_email")
+    credentials='{"type":"password","value":"'"${username}"'","temporary":false}'
+
+    curl --fail --location --request POST 'http://localhost:7002/admin/realms/spiffworkflow/users' \
+      -H 'Content-Type: application/json' \
+      -H "Authorization: Bearer $backend_token" \
+      --data-raw '{"email":"'"${user_email}"'", "enabled":"true", "username":"'"${username}"'", "credentials":['"${credentials}"']}'
+  fi
+done <"$user_file_with_one_email_per_line"
--- a/keycloak/bin/export_keycloak_realms
+++ b/keycloak/bin/export_keycloak_realms
@ -7,6 +7,8 @@ function error_handler() {
 trap 'error_handler ${LINENO} $?' ERR
 set -o errtrace -o errexit -o nounset -o pipefail

+script_dir="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
+
 realms="$*"
 if [[ -z "$realms" ]]; then
  realms="spiffworkflow-realm"
@ -19,7 +21,7 @@ docker exec keycloak /opt/keycloak/bin/kc.sh export --dir "${docker_container_pa
 docker cp "keycloak:${docker_container_path}" "$local_tmp_dir"

 for realm in $realms ; do
-  cp "${local_tmp_dir}/hey/${realm}.json" bin/
+  cp "${local_tmp_dir}/hey/${realm}.json" "${script_dir}/realm_exports"
 done

 rm -rf "$local_tmp_dir"
--- a/keycloak/bin/realm_exports
+++ b/keycloak/bin/realm_exports
--- a/keycloak/bin/start_keycloak
+++ b/keycloak/bin/start_keycloak
@ -45,7 +45,7 @@ docker run \
  -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled

 script_dir="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
-cp "${script_dir}/spiffworkflow-realm.json" /tmp/spiffworkflow-realm.json
+cp "${script_dir}/../realm_exports/spiffworkflow-realm.json" /tmp/spiffworkflow-realm.json
 spiff_subdomain="unused-for-local-dev"
 perl -pi -e "s/{{SPIFF_SUBDOMAIN}}/${spiff_subdomain}/g" /tmp/spiffworkflow-realm.json
 docker cp /tmp/spiffworkflow-realm.json keycloak:/tmp
--- a/keycloak/bin/wait_for_keycloak
+++ b/keycloak/bin/wait_for_keycloak
--- a/keycloak/realm_exports/finance-realm.json
+++ b/keycloak/realm_exports/finance-realm.json
--- a/keycloak/realm_exports/quarkus-realm.json
+++ b/keycloak/realm_exports/quarkus-realm.json
--- a/keycloak/realm_exports/spiffworkflow-realm.json
+++ b/keycloak/realm_exports/spiffworkflow-realm.json
--- a/keycloak/replicate_resource_set_denied_based_on_uri_with_keycloak/replicate_resource_set_denied_based_on_uri
+++ b/keycloak/replicate_resource_set_denied_based_on_uri_with_keycloak/replicate_resource_set_denied_based_on_uri
--- a/keycloak/replicate_resource_set_denied_based_on_uri_with_keycloak/testing-realm.json
+++ b/keycloak/replicate_resource_set_denied_based_on_uri_with_keycloak/testing-realm.json
--- a/keycloak/test_user_lists/status
+++ b/keycloak/test_user_lists/status
@ -0,0 +1,9 @@
+finance.lead@status.im
+legal.lead@status.im
+program.lead@status.im
+services.lead@status.im
+finance.sme@status.im
+infra.sme@status.im
+legal.sme@status.im
+security.sme@status.im
+