Skip to content

Commit 96d7694

Browse files
committed
Add keycloak to test env & OIDC list provider test
1 parent 07cfe9a commit 96d7694

9 files changed

Lines changed: 763 additions & 1 deletion

File tree

ci/configure_v5.sh

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,4 +11,5 @@ done
1111
1212
# So we fail if the server isn't up yet:
1313
curl -o /dev/null -fs -X OPTIONS http://localhost > /dev/null
14+
/scripts/fetch_certificate
1415
CONFIGURE
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
#!/bin/sh
2+
3+
# This script retrieves a certificate from the keycloak OIDC provider
4+
# and puts it to a trusted operating system store.
5+
# It is needed to communicate with the provider via SSL for validating ID tokens
6+
7+
openssl s_client \
8+
-showcerts \
9+
-connect keycloak:8443 \
10+
-servername keycloak \
11+
</dev/null | \
12+
openssl x509 \
13+
-outform PEM \
14+
>/etc/ssl/certs/keycloak.pem
15+
16+
hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
17+
18+
ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0"
Lines changed: 89 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,89 @@
1+
#!/usr/bin/env bash
2+
3+
KEYCLOAK_SERVICE_NAME="keycloak"
4+
5+
# Note: the single arg is a nameref, which this function sets to an array
6+
# containing items of the form "KEY=VAL".
7+
function _hydrate_keycloak_env_args() {
8+
local -n arr=$1
9+
local keycloak_items
10+
11+
readarray -t keycloak_items < <(
12+
set -o pipefail
13+
# Note: This prints all lines that look like:
14+
# KEYCLOAK_XXX=someval
15+
docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} printenv | awk '/KEYCLOAK/'
16+
)
17+
18+
# shellcheck disable=SC2034
19+
arr=(
20+
"${keycloak_items[@]}"
21+
"PROVIDER_URI=https://keycloak:8443/auth/realms/master"
22+
"PROVIDER_INTERNAL_URI=http://keycloak:8080/auth/realms/master/protocol/openid-connect"
23+
"PROVIDER_ISSUER=http://keycloak:8080/auth/realms/master"
24+
"ID_TOKEN_USER_PROPERTY=preferred_username"
25+
)
26+
}
27+
28+
# The arguments must be unexpanded variable names. Eg:
29+
#
30+
# _create_keycloak_user '$APP_USER' '$APP_PW' '$APP_EMAIL'
31+
#
32+
# This is because those variables are not available to this script. They are
33+
# available to bash commands run via "docker-compose exec keycloak bash
34+
# -c...", since they're defined in the docker-compose.yml.
35+
function _create_keycloak_user() {
36+
local user_var=$1
37+
local pw_var=$2
38+
local email_var=$3
39+
40+
docker-compose exec -T \
41+
${KEYCLOAK_SERVICE_NAME} \
42+
bash -c "/scripts/create_user \"$user_var\" \"$pw_var\" \"$email_var\""
43+
}
44+
45+
function create_keycloak_users() {
46+
echo "Defining keycloak client"
47+
48+
docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} /scripts/create_client
49+
50+
echo "Creating user 'alice' in Keycloak"
51+
52+
# Note: We want to pass the bash command thru without expansion here.
53+
# shellcheck disable=SC2016
54+
_create_keycloak_user \
55+
'$KEYCLOAK_APP_USER' \
56+
'$KEYCLOAK_APP_USER_PASSWORD' \
57+
'$KEYCLOAK_APP_USER_EMAIL'
58+
59+
echo "Creating second user 'bob' in Keycloak"
60+
61+
# Note: We want to pass the bash command thru without expansion here.
62+
# shellcheck disable=SC2016
63+
_create_keycloak_user \
64+
'$KEYCLOAK_SECOND_APP_USER' \
65+
'$KEYCLOAK_SECOND_APP_USER_PASSWORD' \
66+
'$KEYCLOAK_SECOND_APP_USER_EMAIL'
67+
68+
echo "Creating user in Keycloak that will not exist in conjur"
69+
70+
# Note: We want to pass the bash command thru without expansion here.
71+
# shellcheck disable=SC2016
72+
_create_keycloak_user \
73+
'$KEYCLOAK_NON_CONJUR_APP_USER' \
74+
'$KEYCLOAK_NON_CONJUR_APP_USER_PASSWORD' \
75+
'$KEYCLOAK_NON_CONJUR_APP_USER_EMAIL'
76+
}
77+
78+
function wait_for_keycloak_server() {
79+
docker-compose exec -T \
80+
${KEYCLOAK_SERVICE_NAME} /scripts/wait_for_server
81+
}
82+
83+
function fetch_keycloak_certificate() {
84+
# there's a dep on the docker-compose.yml volumes.
85+
# Fetch SSL cert to communicate with keycloak (OIDC provider).
86+
echo "Initialize keycloak certificate in conjur server"
87+
docker-compose exec -T \
88+
conjur /oauth/keycloak/scripts/fetch_certificate
89+
}

0 commit comments

Comments
 (0)