mirror of
https://github.com/status-im/spiff-arena.git
synced 2025-01-28 10:45:07 +00:00
cd7c413da2
1e831706 Merge pull request #146 from sartography/test_arena_push df95dccf fixed conflicts and updated usage of active task status w/ burnettk 33b81894 Merge pull request #145 from sartography/feature/remove-task-data-from-active-task 7e1ce35c remove task_data column b9cd1c06 Merge pull request #144 from sartography/feature/lib-updates-and-mypy 5e09e28d fix mypy 68485ab4 use fork of sqlalchemy-stubs 872480db Merge remote-tracking branch 'origin/main' into feature/lib-updates-and-mypy 18a892f6 work in progress 84344d53 Pause/resume process instances (#2) 53652cff Merge commit '4a48d9cccd1ca8619b3dbef3c10bcce667c9d9e0' 9ea3def2 lint c05b5181 Merge remote-tracking branch 'origin/main' into feature/lib-updates-and-mypy b2a75f60 Merge commit 'c661100e03eef762cb51b02be1b309ec47be7002' 3ddaa5d0 lib updates and mypy 30d04282 Merge commit '4fdb0f3ec4b3b6a68cc2e56ed84ffb6dc2743068' a961b2a1 Merge commit '81746ee508f6ab0ffe757856d9a3d5d855db2560' 10651984 Merge commit '8f8b4717990eb86c6bfd2f309ef064152c51b452' 59b90fba Merge branch 'main' of github.com:sartography/spiff-arena 577e0fe3 Merge commit 'a166df83031cb88d223e5c75ae8db8c896622821' 11d40241 Merge commit '106e2ca7214aec4dba965ccb3f94b0658acaa2b2' 1fcc935e Merge commit '9781908243408ed221f2b0131a00b8a9612f81f3' e9734bff Merge commit '64e7049c9a0a4360101a155a41ce64ae692acd3c' 28239aa4 Merge commit 'aa22f4b397a899fa06d06c2e9127ca98d9eb909a' 8b184a5c Merge commit '4f0f5b1ece069ec56f8eb4154d61334a321749a1' bd1effc6 Merge commit 'b4975660431c275ce736e0431b98c39548200af1' eafa4f61 Merge commit 'c9bd62250452403550ae1bf1d27547d4796dd316' 50d9a0c3 Merge commit '9be0517531543655a35023af17b76dbb41eab93e' 34e98b77 Merge commit 'a1a01ad25a1ef60b879dede6f037f0fff3381ae4' c8d0cb8a Merge commit 'bee232a55a82054e629f48f0333495b61a7da7d1' 00478271 Merge commit '71e189afbc127b574cca8d02fc31b2e65aff0d52' 657fbad9 Merge commit 'f21d0ef3a98458deb347fb2a51fab0b5b41f7fe2' c91c279e Merge commit '93dbce681ec89bc45479748aaae06ddd92b64da4' b95a1af9 Merge commit '48918b00428e777ea29d351662467c0ac4e34a36' afea9254 pre-commit updates e3bc3b76 Merge main, resolve conflicts 2e317da8 Updaging the jinja processing so it doesn't leave a bunch of blank lines in the markdown that has strong feelings about white space. Updating the front end to render markdown formatted instructions. And adding a little css love to tables that are generated in Markdown. git-subtree-dir: spiffworkflow-backend git-subtree-split: 1e831706a1f7ed841e343537cfe1dc05d5eedaca
77 lines
6.4 KiB
Bash
Executable File
77 lines
6.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
function error_handler() {
|
|
>&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
|
|
exit "$2"
|
|
}
|
|
trap 'error_handler ${LINENO} $?' ERR
|
|
set -o errtrace -o errexit -o nounset -o pipefail
|
|
|
|
if ! docker network inspect spiffworkflow > /dev/null 2>&1; then
|
|
docker network create spiffworkflow
|
|
fi
|
|
docker rm keycloak 2>/dev/null || echo 'no keycloak container found'
|
|
docker run \
|
|
-p 7002:8080 \
|
|
-d \
|
|
--network=spiffworkflow \
|
|
--name keycloak \
|
|
-e KEYCLOAK_LOGLEVEL=ALL \
|
|
-e ROOT_LOGLEVEL=ALL \
|
|
-e KEYCLOAK_ADMIN=admin \
|
|
-e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:18.0.2 start-dev \
|
|
-Dkeycloak.profile.feature.token_exchange=enabled \
|
|
-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
|
|
|
|
docker cp bin/spiffworkflow-realm.json keycloak:/tmp
|
|
|
|
sleep 10
|
|
docker exec keycloak /opt/keycloak/bin/kc.sh import --file /tmp/spiffworkflow-realm.json || echo ''
|
|
|
|
echo 'imported realms'
|
|
|
|
if [ "${TURN_OFF_SSL:-}" == "true" ]; then
|
|
docker exec -it keycloak /opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin
|
|
docker exec -it keycloak /opt/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE
|
|
docker exec -it keycloak /opt/keycloak/bin/kcadm.sh update realms/spiffworkflow -s sslRequired=NONE
|
|
echo 'turned off SSL requirement'
|
|
fi
|
|
|
|
docker stop keycloak
|
|
docker start keycloak
|
|
|
|
|
|
# to export:
|
|
# /opt/keycloak/bin/kc.sh export --dir /tmp/hey --users realm_file
|
|
# change any js policies to role policies - just copy the config of one and change the type to role
|
|
# https://github.com/keycloak/keycloak/issues/11664#issuecomment-1111062102
|
|
#
|
|
# if docker exec commands fail below then attempt to import by adding a new realm in the webui
|
|
|
|
# NOTE: creds - user1 / password
|
|
|
|
#### Example resource_set call
|
|
# GET /realms/quarkus/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=%2Fapi%2Fusers%2Fme HTTP/1.1..Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjZklBRE5feHhDSm1Wa1d5Ti1QTlhFRXZNVVdzMnI2OEN4dG1oRUROelhVIn0.eyJleHAiOjE2NTcxMzgzNzAsImlhdCI6MTY1NzEzODA3MCwianRpIjoiY2I1OTc0OTAtYzJjMi00YTFkLThkNmQtMzBkOGU5YzE1YTNlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0MzI3OS9yZWFsbXMvcXVhcmt1cyIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI5NDhjNTllYy00NmVkLTRkOTktYWE0My0wMjkwMDAyOWI5MzAiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJiYWNrZW5kLXNlcnZpY2UiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiXX0sInJlc291cmNlX2FjY2VzcyI6eyJiYWNrZW5kLXNlcnZpY2UiOnsicm9sZXMiOlsidW1hX3Byb3RlY3Rpb24iXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsImNsaWVudEhvc3QiOiIxNzIuMTcuMC4xIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJjbGllbnRJZCI6ImJhY2tlbmQtc2VydmljZSIsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1iYWNrZW5kLXNlcnZpY2UiLCJjbGllbnRBZGRyZXNzIjoiMTcyLjE3LjAuMSIsImVtYWlsIjoic2VydmljZS1hY2NvdW50LWJhY2tlbmQtc2VydmljZUBwbGFjZWhvbGRlci5vcmcifQ.VRcdoJQO5KWeDFprl6g21Gp9lAqLH1GUAegZPslI9lcL7wdEDLauleTs7cr9ODvXpBbbWVZirP445H3bIfEpyZ2UiKeoEYB6WvR2r_hIHCbNGrV9klkCVjQSuCtdB-Zf3OWHXctz_warlNXF4i4VLtkettlxeGRTVpqT-_lO-y2PhHVNe7imEcnceoKWZQe-Z0JBAJ1Gs2_mj_vgL8V2ZKAd7x0uuAcNyqo4Kmvqh75vkhIuGYAbWfY--wdv8cuphNpbKCGoz27n-D_Im8tW00B1_twctwXo8yfZHp46o1yERbTCS1Xu_eBFufKB21au6omxneyKSD47AfHLR_ymvg..Host: localhost:43279..Connection: Keep-Alive....
|
|
# #
|
|
# T 127.0.0.1:43279 -> 127.0.0.1:39282 [AP] #127
|
|
# HTTP/1.1 200 OK..Referrer-Policy: no-referrer..X-Frame-Options: SAMEORIGIN..Strict-Transport-Security: max-age=31536000; includeSubDomains..Cache-Control: no-cache..X-Content-Type-Options: nosniff..X-XSS-Protection: 1; mode=block..Content-Type: application/json..content-length: 236....[{"name":"usersme","owner":{"id":"0ac5df91-e044-4051-bd03-106a3a5fb9cc","name":"backend-service"},"ownerManagedAccess":false,"displayName":"usersme","attributes":{},"_id":"179611c3-be58-4ba2-95b2-4aacda3cc0f1","uris":["/api/users/me"]}]
|
|
# #
|
|
# T 127.0.0.1:39282 -> 127.0.0.1:43279 [AP] #128
|
|
# POST /realms/quarkus/protocol/openid-connect/token HTTP/1.1..Authorization: Basic YmFja2VuZC1zZXJ2aWNlOnNlY3JldA==..Content-Length: 1231..Content-Type: application/x-www-form-urlencoded; charset=UTF-8..Host: localhost:43279..Connection: Keep-Alive....
|
|
# #
|
|
# T 127.0.0.1:39282 -> 127.0.0.1:43279 [AP] #129
|
|
# audience=backend-service&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&permission=179611c3-be58-4ba2-95b2-4aacda3cc0f1&subject_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjZklBRE5feHhDSm1Wa1d5Ti1QTlhFRXZNVVdzMnI2OEN4dG1oRUROelhVIn0.eyJleHAiOjE2NTcxMzgzNzYsImlhdCI6MTY1NzEzODA3NiwiYXV0aF90aW1lIjoxNjU3MTM4MDc2LCJqdGkiOiI0ZjMyYzljNS05NzY3LTQ0YzAtOTBlNi1kZmJhNjFmMmJmNDgiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjQzMjc5L3JlYWxtcy9xdWFya3VzIiwic3ViIjoiZWI0MTIzYTMtYjcyMi00Nzk4LTlhZjUtODk1N2Y4MjM2NTdhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYmFja2VuZC1zZXJ2aWNlIiwibm9uY2UiOiI5SklBc2RhIiwic2Vzc2lvbl9zdGF0ZSI6IjBlZTVkNjRmLWYxM2EtNDg1Yy1hNzBhLTJmMDA0YjQ3MWIwNyIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1c2VyIl19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwic2lkIjoiMGVlNWQ2NGYtZjEzYS00ODVjLWE3MGEtMmYwMDRiNDcxYjA3IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhbGljZSJ9.Jjz0GYaApd_b05YOSe_Eq0tsFQk7qd-vGgIyjdeeEJAAA5xhS2f_DMpwiBLAPibk-gFnGf5CuLynA0z5bxE5vlbQHX9-aKxH8AEixDFkUsnfn7PN1NQtiG-Jj5cfuLxOShy2X2EOScZVTdRc9PgO_Xsb7ltDrtwtQ6eKOYVt-mqd7PR3cWJHjTldh4tiibjrKPccyZNBNC3W03pno3WLRVaG09Kotcsj1e5oS0safAcxACa3CSfchnY88E7Qwi1mva2F4X-gUar5-Zn2yT2iu8vqH3BCHzz8frAsYv1dOougRBaMfayLiFgKo7ZjsOI8OfPDSm7PEOMFEgHEHIloiw
|
|
# ##
|
|
# T 127.0.0.1:43279 -> 127.0.0.1:39282 [AP] #131
|
|
# HTTP/1.1 403 Forbidden..Referrer-Policy: no-referrer..X-Frame-Options: SAMEORIGIN..Strict-Transport-Security: max-age=31536000; includeSubDomains..Cache-Control: no-store..X-Content-Type-Options: nosniff..Pragma: no-cache..X-XSS-Protection: 1; mode=block..Content-Type: application/json..content-length: 62....{"error":"access_denied","error_description":"not_authorized"}
|
|
########
|
|
|
|
#### quarkus for example
|
|
# https://quarkus.io/guides/security-keycloak-authorization
|
|
# from that guide, we ultimately found that we hit GET /resource_set described at:
|
|
# https://github.com/keycloak/keycloak-documentation/blob/main/authorization_services/topics/service-protection-resources-api-papi.adoc
|
|
# when we get the resource, we just hit the token endpoint and provide the resource and scope, and token will say pass or fail.
|
|
# More info:
|
|
# * https://stackoverflow.com/a/58861610/6090676
|
|
# * https://github.com/keycloak/keycloak/discussions/10044
|