Setup Keycloak Server and Set Secret

medizininformatik-initiative · Jan 10, 2025 · 0ba3bc9 · 0ba3bc9
1 parent b358a77
commit 0ba3bc9
Show file tree

Hide file tree

Showing 5 changed files with 123 additions and 20 deletions.
diff --git a/.github/scripts/keycloak-client.sh b/.github/scripts/keycloak-client.sh
diff --git a/.github/scripts/setup-keycloak.sh b/.github/scripts/setup-keycloak.sh
@@ -0,0 +1,108 @@
+#!/bin/bash
+set -euo pipefail
+
+TOKEN=$(curl -v http://localhost:8080/realms/master/protocol/openid-connect/token \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "grant_type=password" \
+  -d "client_id=admin-cli" \
+  -d "username=admin" \
+  -d "password=admin" | jq -r '.access_token')
+echo "token: ${TOKEN}"
+
+# create realm
+curl -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/json" \
+     -d '{
+       "realm": "fts",
+       "enabled": true,
+       "displayName": "FTS",
+       "displayNameHtml": "<div class=\"kc-logo-text\">FTS</div>",
+       "sslRequired": "external",
+       "registrationAllowed": false,
+       "loginWithEmailAllowed": true,
+       "duplicateEmailsAllowed": false,
+       "resetPasswordAllowed": true,
+       "editUsernameAllowed": false,
+       "bruteForceProtected": true
+     }' \
+     "http://localhost:8080/admin/realms"
+
+
+REALMS=$(curl  -H "Authorization: Bearer ${TOKEN}" http://localhost:8080/admin/realms)
+
+# create client
+echo "Create client fts-client"
+curl -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/json" \
+     -d '{
+       "clientId": "fts-client",
+       "name": "FTS Client",
+       "enabled": true,
+       "clientAuthenticatorType": "client-secret",
+       "protocol": "openid-connect",
+       "standardFlowEnabled": true,
+       "serviceAccountsEnabled": true,
+       "publicClient": false,
+       "redirectUris": [
+         "http://localhost:8080/*"
+       ],
+       "webOrigins": [
+         "http://localhost:8080"
+       ],
+       "attributes": {
+         "access.token.lifespan": "1800"
+       }
+     }' \
+     "http://localhost:8080/admin/realms/fts/clients"
+
+
+
+
+CLIENT_ID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" http://localhost:8080/admin/realms/fts/clients | jq -r '.[] | select(.clientId == "fts-client") | .id')
+echo "id of client with client_id FTSnext: ${CLIENT_ID}"
+
+# add & assign role
+curl -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/json" \
+     -d '{
+       "name": "client",
+       "description": "Role for FTS operations",
+       "composite": false,
+       "clientRole": true
+     }' \
+     "http://localhost:8080/admin/realms/fts/clients/${CLIENT_ID}/roles"
+
+ROLE_ID=$(curl  -H "Authorization: Bearer ${TOKEN}" http://localhost:8080/admin/realms/fts/clients/${CLIENT_ID}/roles | jq -r '.[0].id')
+echo "Role ID: ${ROLE_ID}"
+
+SERVICE_ACCOUNT_USER_ID=$(curl -H "Authorization: Bearer ${TOKEN}" \
+     "http://localhost:8080/admin/realms/fts/clients/${CLIENT_ID}/service-account-user" | jq -r '.id')
+echo "SERVICE_ACCOUNT_USER_ID: ${SERVICE_ACCOUNT_USER_ID}"
+echo "CLIENT_ID: ${CLIENT_ID}"
+
+curl -H "Authorization: Bearer ${TOKEN}" http://localhost:8080/admin/realms/fts/users/${SERVICE_ACCOUNT_USER_ID}/role-mappings
+
+p="{
+              \"id\": \"${ROLE_ID}\",
+              \"description\": \"Role for FTS operations\",
+              \"composite\": false,
+              \"clientRole\": true
+            }"
+echo
+echo "data: ${p}"
+
+curl -v -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/json" \
+     -d "[{
+            \"id\": \"${ROLE_ID}\",
+            \"name\": \"client\",
+            \"description\": \"Role for FTS operations\",
+            \"composite\": false,
+            \"clientRole\": true,
+            \"containerId\": \"${CLIENT_ID}\"
+          }]" \
+     "http://localhost:8080/admin/realms/fts/users/${SERVICE_ACCOUNT_USER_ID}/role-mappings/clients/${CLIENT_ID}"
+
+
+SECRET=$(curl -X POST -H "Authorization: Bearer ${TOKEN}" http://localhost:8080/admin/realms/fts/clients/${CLIENT_ID}/client-secret | jq -r '.value')
+sed -i "s/            client-secret: .*/            client-secret: ${SECRET}/" "../../clinical-domain-agent/application-auth:oauth2.yaml"
diff --git a/.github/test/Makefile b/.github/test/Makefile
@@ -58,3 +58,6 @@ clean-rd-hds-and-gpas-db:
 
 openapi-specs:
 	../scripts/openapi-specs.sh ${AGENT}
+
+setup-keycloak:
+	../scripts/setup-keycloak.sh
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -13,6 +13,7 @@ jobs:
     env:
       MAVEN_ARGS: -B -T1C -Dfts.retryTimeout=false
       GITHUB_TOKEN: ${{ github.token }}
+      KEYCLOAK_VERSION: 26.0.7
     runs-on: ubuntu-24.04
     strategy:
       max-parallel: 6
@@ -36,6 +37,14 @@ jobs:
         java-version: 21
         cache: 'maven'
 
+    - name: Setup keycloak
+      if: matrix.auth == 'oauth2'
+      working-directory: .github/test
+      run: |
+        docker run -d -p 8080:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:${KEYCLOAK_VERSION} start-dev
+        docker ps
+        make setup-keycloak
+
     - name: Run Tests
       run: mvn ${MAVEN_ARGS} verify --also-make --projects ${{ matrix.agent }} -Dspring.profiles.active=auth:${{ matrix.auth }}
 

diff --git a/clinical-domain-agent/application-auth:oauth2.yaml b/clinical-domain-agent/application-auth:oauth2.yaml
@@ -8,7 +8,7 @@ security:
   auth:
     oauth2:
       issuer: http://localhost:8080/realms/fts
-      client-id: FTSnext
+      client-id: fts-client
 
 spring:
   security:
@@ -17,8 +17,8 @@ spring:
         registration:
           agent:
             authorization-grant-type: client_credentials
-            client-id: FTSnext
-            client-secret: vX0F07OWCO83XxLTgpPrXm7eUwxxUHY5
+            client-id: fts-client
+            client-secret: 5HHaaKxPoE18R3iAoEgVocTQyySdMQ7l
             provider: keycloak
         provider:
           keycloak: