From 90517069307560dd775e2e9825b775c058ec9a7b Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel
Date: Wed, 23 Feb 2022 12:52:20 +0100
Subject: [PATCH] pass through keycloak config from backend to frontend via /config service

---
README.md | 4 +-
.../cryptomator/hub/spi/ConfigResource.java | 21 ++---
.../src/main/resources/application.properties | 8 +-
backend/src/main/resources/dev-realm.json | 10 +-
frontend/src/common/auth.ts | 7 +-
frontend/src/common/config.ts | 2 +-
frontend/src/common/vaultconfig.ts | 2 +-
installation/k8s-hub.yml | 77 -------------------------
8 files changed, 29 insertions(+), 102 deletions(-)
delete mode 100644 installation/k8s-hub.yml

diff --git a/README.md b/README.md
index b6afc2a6..63966ab3 100644
--- a/README.md
+++ b/README.md
@@ -32,14 +32,14 @@ During development, Keycloak is started as a Quarkus Dev Service using port 8180
 ### Testing rest services via CLI:
-First, access the keycloak admin web console and activate direct access grants for the `cryptomator-hub` realm.
+First, access the keycloak admin web console and activate direct access grants for the `cryptomator` realm.
 Then, retrieve an `access_token` from keycloak:
 ```
 export access_token=$(\
 curl -X POST http://localhost:8180/auth/realms/cryptomator/protocol/openid-connect/token \
- --user cryptomator-hub:CHANGEME \
+ --user cryptomatorhub:CHANGEME \
 -H 'content-type: application/x-www-form-urlencoded' \
 -d 'username=owner&password=owner&grant_type=password' | jq --raw-output '.access_token' \
 )
diff --git a/backend/src/main/java/org/cryptomator/hub/spi/ConfigResource.java b/backend/src/main/java/org/cryptomator/hub/spi/ConfigResource.java
index e308a951..3cece755 100644
--- a/backend/src/main/java/org/cryptomator/hub/spi/ConfigResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/spi/ConfigResource.java
@@ -9,30 +9,31 @@
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
-import java.util.StringJoiner;
-import java.util.StringTokenizer;
 @Path("/config")
 public class ConfigResource {
-private static final String KC_REALM_DELIM = "/realms/";
+@Inject
+@ConfigProperty(name = "hub.keycloak.public-url", defaultValue = "")
+String keycloakUrl;
+
+@Inject
+@ConfigProperty(name = "hub.keycloak.realm", defaultValue = "")
+String keycloakRealm;
 @Inject
-@ConfigProperty(name = "quarkus.oidc.auth-server-url", defaultValue = "")
-String oidcUrl;
+@ConfigProperty(name = "quarkus.oidc.client-id", defaultValue = "")
+String keycloakClientId;
 @PermitAll
 @GET
 @Path("/")
 @Produces(MediaType.APPLICATION_JSON)
 public ConfigDto getConfig() {
-int delimPos = oidcUrl.indexOf(KC_REALM_DELIM);
-var kcBaseUrl = oidcUrl.substring(0, delimPos);
-var kcRealmName = oidcUrl.substring(delimPos + KC_REALM_DELIM.length());
-return new ConfigDto(kcBaseUrl, kcRealmName);
+return new ConfigDto(keycloakUrl, keycloakRealm, keycloakClientId);
 }
-public record ConfigDto(@JsonProperty("keycloakUrl") String keycloakUrl, @JsonProperty("keycloakRealm") String keycloakRealm) {
+public record ConfigDto(@JsonProperty("keycloakUrl") String keycloakUrl, @JsonProperty("keycloakRealm") String keycloakRealm, @JsonProperty("keycloakClientId") String keycloakClientId) {
 }
 }
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
index 45a834ce..ff651aa5 100644
--- a/backend/src/main/resources/application.properties
+++ b/backend/src/main/resources/application.properties
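Review bot: The `defaultValue = ""` on the new `hub.keycloak.public-url` and `hub.keycloak.realm` injections turns a missing property into an empty string that `getConfig()` serves to every browser, so a misconfigured deployment only fails later in the frontend with an unusable auth URL instead of at startup. Dropping the defaults, e.g. `@ConfigProperty(name = "hub.keycloak.public-url") String keycloakUrl;`, makes Quarkus refuse to start with a clear message naming the missing property. Because the endpoint is `@PermitAll`, a short Javadoc on `ConfigDto` stating that every field is served unauthenticated and that only a public client id (never a client secret) belongs here would help whoever extends the record next.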
@@ -3,10 +3,14 @@
 # * or env vars `QUARKUS_HTTP_PORT=8080`
 # see: https://quarkus.io/guides/config-reference#configuration-sources
+# Connection Params for Keycloak Public Client (quarkus.oidc.auth-server-url may use network-private hostname)
+hub.keycloak.public-url=http://localhost:8180/auth
+hub.keycloak.realm=cryptomator
+
 quarkus.http.port=8080
 quarkus.oidc.application-type=service
-quarkus.oidc.client-id=cryptomator-hub
+quarkus.oidc.client-id=cryptomatorhub
 # Keycloak dev service
 %dev.quarkus.keycloak.devservices.realm-path=dev-realm.json
@@ -14,7 +18,7 @@ quarkus.oidc.client-id=cryptomator-hub
 %dev.quarkus.keycloak.devservices.realm-name=cryptomator
 %dev.quarkus.keycloak.devservices.port=8180
 %dev.quarkus.keycloak.devservices.service-name=quarkus-cryptomator-hub
-%dev.quarkus.keycloak.devservices.image-name=quay.io/keycloak/keycloak:15.0.2
+%dev.quarkus.keycloak.devservices.image-name=quay.io/keycloak/keycloak:15.1.1
 %dev.quarkus.oidc.devui.grant.type=code
 # OIDC will be mocked during unit tests. Use fake auth url to prevent dev services to start:
 %test.quarkus.oidc.auth-server-url=http://localhost:43210/dev/null
diff --git a/backend/src/main/resources/dev-realm.json b/backend/src/main/resources/dev-realm.json
index 137be954..60ddb608 100644
--- a/backend/src/main/resources/dev-realm.json
+++ b/backend/src/main/resources/dev-realm.json
@@ -25,7 +25,7 @@
 "user"
 ],
 "client": {
-"cryptomator-hub": [
+"cryptomatorhub": [
 "vault-owner"
 ]
 }
@@ -33,7 +33,7 @@
 }
 ],
 "client": {
-"cryptomator-hub": [
+"cryptomatorhub": [
 {
 "name": "vault-owner",
 "description": "Vault Owner"
@@ -62,7 +62,7 @@
 ],
 "scopeMappings": [
 {
-"client": "cryptomator-hub",
+"client": "cryptomatorhub",
 "roles": [
 "user",
 "admin"
@@ -72,7 +72,7 @@
 "clientScopeMappings": {
 "account": [
 {
-"client": "cryptomator-hub",
+"client": "cryptomatorhub",
 "roles": [
 "vault-owner"
 ]
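Review bot: `hub.keycloak.public-url=http://localhost:8180/auth` is added without a profile prefix, so it becomes the production default: a deployment that forgets to override it (property or its `HUB_KEYCLOAK_PUBLIC_URL` env-var form) serves a localhost Keycloak address to every browser through `/config`. The value is the dev-services address that the `%dev.quarkus.keycloak.devservices.port=8180` line below already describes, so `%dev.hub.keycloak.public-url=http://localhost:8180/auth` keeps the developer convenience while leaving production without a silent fallback. `hub.keycloak.realm=cryptomator` also repeats the realm name that `%dev.quarkus.keycloak.devservices.realm-name` and, presumably, `quarkus.oidc.auth-server-url` carry; a comment next to it such as `# must match the realm embedded in quarkus.oidc.auth-server-url` would document that the values are expected to agree.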
@@ -81,7 +81,7 @@
 },
 "clients": [
 {
-"clientId": "cryptomator-hub",
+"clientId": "cryptomatorhub",
 "serviceAccountsEnabled": false,
 "publicClient": true,
 "name": "Cryptomator Hub",
diff --git a/frontend/src/common/auth.ts b/frontend/src/common/auth.ts
index 201e24dc..dbbc7623 100644
--- a/frontend/src/common/auth.ts
+++ b/frontend/src/common/auth.ts
@@ -6,10 +6,9 @@ class Auth {
 static async build(cfg: ConfigDto): Promise {
 const keycloak = newKeycloak({
-
-url: `${cfg.keycloakUrl}`,
-realm: `${cfg.keycloakRealm}`,
-clientId: 'cryptomator-hub', // TODO: read from config
+url: cfg.keycloakUrl,
+realm: cfg.keycloakRealm,
+clientId: cfg.keycloakClientId
 });
 await keycloak.init({
 onLoad: 'check-sso',
diff --git a/frontend/src/common/config.ts b/frontend/src/common/config.ts
index 30ac8f22..c458c16e 100644
--- a/frontend/src/common/config.ts
+++ b/frontend/src/common/config.ts
@@ -8,7 +8,7 @@ const axios = AxiosStatic.create({
 });
 export class ConfigDto {
-constructor(public keycloakRealm: string, public keycloakUrl: string) { }
+constructor(public keycloakRealm: string, public keycloakUrl: string, public keycloakClientId: string) { }
 }
 class ConfigWrapper {
diff --git a/frontend/src/common/vaultconfig.ts b/frontend/src/common/vaultconfig.ts
index 8d9476c2..662b0b5e 100644
--- a/frontend/src/common/vaultconfig.ts
+++ b/frontend/src/common/vaultconfig.ts
@@ -18,7 +18,7 @@ export class VaultConfig {
 const kid = `hub+http://localhost:8080/vaults/${vaultId}`; // TODO: read from config
 const hubConfig: VaultConfigHeaderHub = {
-clientId: 'cryptomator-hub', // TODO: read from config
+clientId: cfg.keycloakClientId,
 authEndpoint: `${cfg.keycloakUrl}/realms/${cfg.keycloakRealm}/protocol/openid-connect/auth`, // TODO: read from config
 tokenEndpoint: `${cfg.keycloakUrl}/realms/${cfg.keycloakRealm}/protocol/openid-connect/token`, // TODO: read from config
 devicesResourceUrl: 'http://localhost:8080/devices/', // TODO: read from config
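Review bot: `build` now hands `cfg.keycloakUrl`, `cfg.keycloakRealm` and `cfg.keycloakClientId` straight to `newKeycloak`, and since the backend injects those values with `defaultValue = ""`, a misconfigured server makes the adapter initialise against an empty URL and fail somewhere inside `keycloak.init` rather than at the obvious place. A guard before `newKeycloak`, `if (!cfg.keycloakUrl || !cfg.keycloakRealm || !cfg.keycloakClientId) throw new Error('incomplete keycloak config from /config');`, names the actual cause. The body of `build` continues past the end of the hunk.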
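Review bot: `ConfigDto` in config.ts declares its constructor parameters as (realm, url, clientId) while the backend record elsewhere in this commit emits (url, realm, clientId); that is harmless as long as instances are only ever filled from the JSON by property name, but anyone constructing one positionally would swap realm and URL, so the class should say which it is. A TSDoc block stating that the fields mirror the backend `ConfigDto` record returned by the unauthenticated `GET /config` and are matched by name, plus `readonly` on the properties, e.g. `constructor(public readonly keycloakRealm: string, public readonly keycloakUrl: string, public readonly keycloakClientId: string) { }`, makes that contract explicit.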
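Review bot: `clientId: cfg.keycloakClientId` retires one hard-coded value, but the same `http://localhost:8080` literal still sits in the `kid` and `devicesResourceUrl` lines of this hunk and ends up in the vault config header that is persisted with the vault; the mechanism this commit introduces (a backend property exposed through `/config`) is the natural way to close those TODOs too, e.g. a new `hubUrl` field used as `` `hub+${cfg.hubUrl}/vaults/${vaultId}` ``. Separately, `authEndpoint` and `tokenEndpoint` concatenate `cfg.keycloakUrl` with `/realms/...`, so a configured public URL ending in `/` yields `//realms`; either document on `hub.keycloak.public-url` that it must not end with a slash or strip one before building the endpoints. The enclosing method of `VaultConfig` starts before the hunk.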
diff --git a/installation/k8s-hub.yml b/installation/k8s-hub.yml
deleted file mode 100644
index 3a21bdfa..00000000
--- a/installation/k8s-hub.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-# TODO: Remove Comment when publishing
-#
-# To pull the container from ghcr private repo, you need to `docker login ghcr.io` using a [personal access token](https://github.com/settings/tokens).
-# Then run: `kubectl create secret docker-registry ghcr-secret --docker-server=ghcr.io --docker-username= --docker-password= --docker-email=`
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-name: cryptomator-hub
-labels:
-app: cryptomator-hub
-spec:
-replicas: 1
-selector:
-matchLabels:
-app: cryptomator-hub
-template:
-metadata:
-labels:
-app: cryptomator-hub
-spec:
-containers:
-- name: cryptomator-hub
-image: ghcr.io/cryptomator/hub:latest
-resources:
-limits:
-cpu: 500m
-memory: 256Mi
-requests:
-cpu: 100m
-memory: 64Mi
-ports:
-- containerPort: 8080
-startupProbe:
-httpGet:
-path: /q/health/started
-port: 8080
-failureThreshold: 30
-periodSeconds: 10
-livenessProbe:
-httpGet:
-path: /q/health/live
-port: 8080
-periodSeconds: 10
-timeoutSeconds: 3
-failureThreshold: 1
-env:
-- name: HUB_CONFIG_PATH
-value: /hub/config.properties
-- name: QUARKUS_HTTP_PORT
-value: "8080"
-- name: QUARKUS_DATASOURCE_JDBC_URL
-value: jdbc:h2:file:/hub/db
-- name: QUARKUS_OIDC_AUTH_SERVER_URL
-value: https://keycloak.example.com/auth
-volumeMounts:
-- mountPath: /hub
-name: hub-data
-volumes:
-- name: hub-data
-emptyDir: {}
-imagePullSecrets: # TODO remove when publishing
-- name: ghcr-secret
----
-apiVersion: v1
-kind: Service
-metadata:
-name: cryptomator-hub-service
-spec:
-selector:
-app: cryptomator-hub
-ports:
-- protocol: TCP
-port: 8080
-targetPort: 8080
----
\ No newline at end of file