Skip to content

Commit 2eee359

Browse files
authored
Merge pull request #207 from cyberark/feature/ONYX-17901
Added operation calls for authenticating and fetching authentication …
2 parents 9eda55c + 2dab6d5 commit 2eee359

20 files changed

Lines changed: 969 additions & 2 deletions

CHANGELOG.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
99
- Nothing should go in this section, please add to the latest unreleased version
1010
(and update the corresponding date), or add a new version.
1111

12+
## [5.3.9] - 2022-05-12
13+
14+
### Changed
15+
- Adding operation call to fetch authentication providers
16+
[cyberark/conjur-api-ruby#206](https://github.com/cyberark/conjur-api-ruby/pull/206)
17+
1218
## [5.3.8] - 2022-04-26
1319

1420
### Changed

ci/configure_v5.sh

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,7 @@
11
#!/bin/bash -e
22

3+
source ./ci/oauth/keycloak/keycloak_functions.sh
4+
35
cat << "CONFIGURE" | docker exec -i $(docker-compose ps -q conjur_5) bash
46
set -e
57
@@ -12,3 +14,6 @@ done
1214
# So we fail if the server isn't up yet:
1315
curl -o /dev/null -fs -X OPTIONS http://localhost > /dev/null
1416
CONFIGURE
17+
18+
fetch_keycloak_certificate
19+
create_keycloak_users

ci/oauth/keycloak/create_client

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
#!/bin/sh
2+
3+
4+
keycloak/bin/kcreg.sh config credentials \
5+
--server http://localhost:8080/auth \
6+
--realm master \
7+
--user "$KEYCLOAK_USER" \
8+
--password "$KEYCLOAK_PASSWORD"
9+
10+
keycloak/bin/kcreg.sh create \
11+
-s clientId="$KEYCLOAK_CLIENT_ID" \
12+
-s "redirectUris=[\"$KEYCLOAK_REDIRECT_URI\"]" \
13+
-s "secret=$KEYCLOAK_CLIENT_SECRET"
14+
15+
# Enable direct access to get an id token with username & password
16+
keycloak/bin/kcreg.sh update conjurClient -s directAccessGrantsEnabled=true
17+
18+
keycloak/bin/kcreg.sh get "$KEYCLOAK_CLIENT_ID" | jq '.secret'

ci/oauth/keycloak/create_user

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
#!/bin/sh
2+
3+
echo "login as admin with user $KEYCLOAK_USER"
4+
5+
keycloak/bin/kcadm.sh config credentials \
6+
--server http://localhost:8080/auth \
7+
--realm master \
8+
--user "$KEYCLOAK_USER" \
9+
--password "$KEYCLOAK_PASSWORD"
10+
11+
echo "creating user $1 with email $3"
12+
13+
keycloak/bin/kcadm.sh create users \
14+
-s username="$1" \
15+
-s email="$3" \
16+
-s enabled=true
17+
18+
echo "setting password of user $1 to $2"
19+
keycloak/bin/kcadm.sh set-password \
20+
--username "$1" \
21+
-p "$2"
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
#!/bin/sh
2+
3+
# This script retrieves a certificate from the keycloak OIDC provider
4+
# and puts it to a trusted operating system store.
5+
# It is needed to communicate with the provider via SSL for validating ID tokens
6+
7+
openssl s_client \
8+
-showcerts \
9+
-connect keycloak:8443 \
10+
-servername keycloak \
11+
</dev/null | \
12+
openssl x509 \
13+
-outform PEM \
14+
>/etc/ssl/certs/keycloak.pem
15+
16+
hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
17+
18+
ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0"
Lines changed: 71 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,71 @@
1+
#!/usr/bin/env bash
2+
3+
KEYCLOAK_SERVICE_NAME="keycloak"
4+
5+
# Note: the single arg is a nameref, which this function sets to an array
6+
# containing items of the form "KEY=VAL".
7+
function _hydrate_keycloak_env_args() {
8+
local -n arr=$1
9+
local keycloak_items
10+
11+
readarray -t keycloak_items < <(
12+
set -o pipefail
13+
# Note: This prints all lines that look like:
14+
# KEYCLOAK_XXX=someval
15+
docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} printenv | awk '/KEYCLOAK/'
16+
)
17+
18+
# shellcheck disable=SC2034
19+
arr=(
20+
"${keycloak_items[@]}"
21+
"PROVIDER_URI=https://keycloak:8443/auth/realms/master"
22+
"PROVIDER_INTERNAL_URI=http://keycloak:8080/auth/realms/master/protocol/openid-connect"
23+
"PROVIDER_ISSUER=http://keycloak:8080/auth/realms/master"
24+
"ID_TOKEN_USER_PROPERTY=preferred_username"
25+
)
26+
}
27+
28+
# The arguments must be unexpanded variable names. Eg:
29+
#
30+
# _create_keycloak_user '$APP_USER' '$APP_PW' '$APP_EMAIL'
31+
#
32+
# This is because those variables are not available to this script. They are
33+
# available to bash commands run via "docker-compose exec keycloak bash
34+
# -c...", since they're defined in the docker-compose.yml.
35+
function _create_keycloak_user() {
36+
local user_var=$1
37+
local pw_var=$2
38+
local email_var=$3
39+
40+
docker-compose exec -T \
41+
${KEYCLOAK_SERVICE_NAME} \
42+
bash -c "/scripts/create_user \"$user_var\" \"$pw_var\" \"$email_var\""
43+
}
44+
45+
function create_keycloak_users() {
46+
echo "Defining keycloak client"
47+
48+
docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} /scripts/create_client
49+
50+
echo "Creating user 'alice' in Keycloak"
51+
52+
# Note: We want to pass the bash command thru without expansion here.
53+
# shellcheck disable=SC2016
54+
_create_keycloak_user \
55+
'$KEYCLOAK_APP_USER' \
56+
'$KEYCLOAK_APP_USER_PASSWORD' \
57+
'$KEYCLOAK_APP_USER_EMAIL'
58+
}
59+
60+
function wait_for_keycloak_server() {
61+
docker-compose exec -T \
62+
${KEYCLOAK_SERVICE_NAME} /scripts/wait_for_server
63+
}
64+
65+
function fetch_keycloak_certificate() {
66+
# there's a dep on the docker-compose.yml volumes.
67+
# Fetch SSL cert to communicate with keycloak (OIDC provider).
68+
echo "Initialize keycloak certificate in conjur server"
69+
docker-compose exec -T \
70+
conjur_5 /scripts/fetch_certificate
71+
}

0 commit comments

Comments
 (0)