RED-4515: Create realm on create tenant

deiflaender 2023-03-23 15:53:50 +01:00 committed by Timo Bejan
parent 710a2f88ac
commit e69a988e39
6 changed files with 128 additions and 55 deletions


@ -49,6 +49,7 @@ public class HeaderBasedKeycloakRealmResolver implements KeycloakConfigResolver
var config = MagicConverter.convert(adapterConfig, AdapterConfig.class);
config.setRealm(tenant);
config.setResource(tenant);
return KeycloakDeploymentBuilder.build(config);
}
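Review bot: `config.setResource(tenant)` makes the adapter's client id equal to the tenant id, but the realm that TenantManagementService creates in this same commit registers its clients as `redaction` and `keyCloakSettings.getClientId()`, so for a tenant whose id is not literally `redaction` the resolver builds a deployment for a client that does not exist in that realm. Unless tenant ids are guaranteed to match a client id, only the realm should follow the tenant and the resource should come from configuration, e.g. `config.setResource(<configured client id>)`; if the match is intended, a comment stating that invariant above `config.setResource(tenant);` would prevent a silent 401 later. Which of these lines is the one added here is not visible on this page, and the enclosing method starts outside the hunk.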


@ -9,7 +9,6 @@ import java.net.URI;
import java.net.URISyntaxException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.HashMap;
import java.util.List;
import java.util.Set;
import java.util.UUID;
@ -22,7 +21,6 @@ import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.RolesRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.postgresql.util.PSQLException;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.liquibase.LiquibaseProperties;
@ -32,6 +30,7 @@ import org.springframework.jdbc.datasource.SingleConnectionDataSource;
import org.springframework.stereotype.Service;
import com.iqser.red.keycloak.commons.KeyCloakAdminClientService;
import com.iqser.red.keycloak.commons.KeyCloakSettings;
import com.iqser.red.service.persistence.management.v1.processor.exception.ConflictException;
import com.iqser.red.service.persistence.management.v1.processor.exception.NotFoundException;
import com.iqser.red.service.persistence.management.v1.processor.migration.AsyncMigrationStarterService;
@ -79,6 +78,7 @@ public class TenantManagementService {
private final GeneralConfigurationService generalConfigurationService;
private final KeyCloakRoleManagerService keyCloakRoleManagerService;
private final KeyCloakAdminClientService keycloak;
private final KeyCloakSettings keyCloakSettings;
public TenantManagementService(EncryptionDecryptionService encryptionService,
@ -88,7 +88,7 @@ public class TenantManagementService {
AsyncMigrationStarterService asyncMigrationStarterService,
GeneralConfigurationService generalConfigurationService,
KeyCloakRoleManagerService keyCloakRoleManagerService,
KeyCloakAdminClientService keycloak) {
KeyCloakAdminClientService keycloak, KeyCloakSettings keyCloakSettings) {
this.encryptionService = encryptionService;
this.liquibaseProperties = liquibaseProperties;
@ -98,6 +98,7 @@ public class TenantManagementService {
this.generalConfigurationService = generalConfigurationService;
this.keyCloakRoleManagerService = keyCloakRoleManagerService;
this.keycloak = keycloak;
this.keyCloakSettings = keyCloakSettings;
}
@ -164,6 +165,7 @@ public class TenantManagementService {
tenantRepository.save(tenantEntity);
createRealm(tenantRequest.getTenantId());
Thread.sleep(30_000);
generalConfigurationService.initGeneralConfiguration(tenantRequest.getTenantId());
keyCloakRoleManagerService.updateRoles(tenantRequest.getTenantId());
@ -183,25 +185,38 @@ public class TenantManagementService {
redaction.setEnabled(true);
var redactionClient = new ClientRepresentation();
redactionClient.setId("redaction");
redactionClient.setEnabled(true);
redactionClient.setName("redaction");
redactionClient.setClientId("redaction");
redactionClient.setStandardFlowEnabled(true);
redactionClient.setImplicitFlowEnabled(true);
redactionClient.setDirectAccessGrantsEnabled(true);
var swaggerClient = new ClientRepresentation();
swaggerClient.setEnabled(true);
swaggerClient.setName("swagger-ui-client");
swaggerClient.setClientId("swagger-ui-client");
swaggerClient.setStandardFlowEnabled(true);
swaggerClient.setImplicitFlowEnabled(false);
swaggerClient.setDirectAccessGrantsEnabled(false);
swaggerClient.setServiceAccountsEnabled(true);
swaggerClient.setAuthorizationServicesEnabled(true);
swaggerClient.setSecret("OsloImWinter!23");
var redactionSystemClient = new ClientRepresentation();
redactionSystemClient.setId("redaction-system");
redactionSystemClient.setEnabled(true);
redactionSystemClient.setName("redaction-system");
redactionSystemClient.setSecret("Gc0WcXOPcefzLyRJ5BiYk169V7VvzXxT");
redactionSystemClient.setDirectAccessGrantsEnabled(true);
redactionSystemClient.setStandardFlowEnabled(true);
redactionSystemClient.setImplicitFlowEnabled(true);
redactionSystemClient.setDirectAccessGrantsEnabled(true);
redaction.setClients(List.of(redactionClient, redactionSystemClient));
redactionSystemClient.setName(keyCloakSettings.getClientId());
redactionSystemClient.setClientId(keyCloakSettings.getClientId());
redactionSystemClient.setSecret(keyCloakSettings.getClientSecret());
swaggerClient.setStandardFlowEnabled(true);
swaggerClient.setImplicitFlowEnabled(true);
swaggerClient.setDirectAccessGrantsEnabled(true);
swaggerClient.setServiceAccountsEnabled(true);
swaggerClient.setAuthorizationServicesEnabled(true);
redaction.setClients(List.of(redactionClient, redactionSystemClient, swaggerClient));
var redUserRole = new RoleRepresentation();
redUserRole.setComposite(true);
redUserRole.setName(RED_USER_ROLE);
@ -230,18 +245,18 @@ public class TenantManagementService {
credentialRepresentation.setType("password");
credentialRepresentation.setValue("OsloImWinter!23");
var defaultUser = new UserRepresentation();
defaultUser.setUsername("manageradmin");
defaultUser.setCredentials(List.of(credentialRepresentation));
defaultUser.setEmailVerified(true);
defaultUser.setRealmRoles(List.of(RED_USER_ROLE, RED_MANAGER_ROLE, RED_ADMIN_ROLE, RED_USER_ADMIN_ROLE, "uma_authorization", "offline_access"));
var clientRoles = new HashMap<String, List<String>>();
clientRoles.put("account", List.of("manage-account", "view-profile"));
defaultUser.setClientRoles(clientRoles);
defaultUser.setEnabled(true);
redaction.setUsers(List.of(defaultUser));
// var defaultUser = new UserRepresentation();
// defaultUser.setUsername("manageradmin");
// defaultUser.setCredentials(List.of(credentialRepresentation));
// defaultUser.setEmailVerified(true);
// defaultUser.setRealmRoles(List.of(RED_USER_ROLE, RED_MANAGER_ROLE, RED_ADMIN_ROLE, RED_USER_ADMIN_ROLE, "uma_authorization", "offline_access"));
//
// var clientRoles = new HashMap<String, List<String>>();
// clientRoles.put("account", List.of("manage-account", "view-profile"));
//
// defaultUser.setClientRoles(clientRoles);
// defaultUser.setEnabled(true);
// redaction.setUsers(List.of(defaultUser));
keycloak.getAdminClient().realms().create(redaction);
}
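Review bot: `swaggerClient.setSecret("OsloImWinter!23")` hard-codes a client secret for a confidential client that also has service accounts and authorization services enabled, reuses the same value as the seeded credential on the context line `credentialRepresentation.setValue("OsloImWinter!23")`, and is stamped into every tenant realm this service creates while living in version control. Source it from `KeyCloakSettings` the way the system client does with `redactionSystemClient.setSecret(keyCloakSettings.getClientSecret())` (a separate accessor for the swagger client, name to be chosen), and treat the committed value as compromised. The hunk also appears to replace `swaggerClient.setImplicitFlowEnabled(false)` with `true`; if the UI can use the authorization code flow, keeping `swaggerClient.setImplicitFlowEnabled(false)` is the safer default. Separately, `Thread.sleep(30_000)` after `createRealm(...)` blocks the request for a fixed 30 s and neither guarantees the realm is usable nor fails when it is not; polling `keycloak.getAdminClient().realm(tenantRequest.getTenantId()).toRepresentation()` with a bounded timeout would replace it. The `credentialRepresentation` built above the commented-out default user now seems to be dead code, and the commented block should be removed rather than kept.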


@ -131,15 +131,15 @@ bucket4j:
keycloak:
sslRequired: none
auth-server-url: https://red-staging.iqser.cloud/auth
realm: redaction
resource: redaction
realm: master
resource: redaction-system
disableTrustManager: true
useResourceRoleMappings: true
enabled: true
commons:
keycloak:
applicationClientId: ${keycloak.resource:redaction}
applicationClientId: ${keycloak.resource:redaction-system}
clientId: ${keycloak.client.id}
clientSecret: ${keycloak.client.secret}
realm: ${keycloak.realm}
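Review bot: The adapter is now bound to the `master` realm with `redaction-system` as resource, but nothing in the file says why a tenant-facing service authenticates against Keycloak's master realm, which invites a future "fix" back to `redaction`. A comment such as `# master: the redaction-system service account must hold create-realm here to provision tenant realms` above `realm: master` would capture the reason. `disableTrustManager: true` and `sslRequired: none` are unchanged context, but they become more consequential once the configured client is able to create realms, so they are worth re-checking for this profile.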


@ -120,8 +120,6 @@ public abstract class AbstractPersistenceServerServiceTest {
@MockBean
protected RedactionLogMergeService redactionLogMergeService;
@MockBean
protected KeyCloakAdminClientService keyCloakAdminClientService;
@MockBean
protected PDFTronClient pdfTronRedactionClient;
@Autowired
protected ApplicationConfigClient appConfigClient;
@ -232,7 +230,7 @@ public abstract class AbstractPersistenceServerServiceTest {
TenantContext.setTenantId("redaction");
when(keyCloakAdminClientService.getAdminClient()).thenReturn(KeyCloakTestContainer.getInstance().getKeycloakAdminClient());
// when(keyCloakAdminClientService.getAdminClient()).thenReturn(KeyCloakTestContainer.getInstance().getKeycloakAdminClient());
userService.evictUserCache();
var allUsers = userService.getAllUsers();
@ -432,14 +430,13 @@ public abstract class AbstractPersistenceServerServiceTest {
var connectionStringDetails = "?serverTimezone=UTC&cachePrepStmts=true&useServerPrepStmts=true&rewriteBatchedStatements=true";
var kcInstance = KeyCloakTestContainer.getInstance();
TestPropertyValues.of("spring.redis.port=" + redisContainer.getFirstMappedPort(),
"multitenancy.master.datasource.url=" + postgreSQLContainerMaster.getJdbcUrl() + connectionStringDetails,
"multitenancy.master.datasource.username=" + postgreSQLContainerMaster.getUsername(),
"multitenancy.master.datasource.password=" + postgreSQLContainerMaster.getPassword()).applyTo(configurableApplicationContext.getEnvironment());
"multitenancy.master.datasource.password=" + postgreSQLContainerMaster.getPassword(), "keycloak.auth-server-url=" + kcInstance.getAuthServerUrl(), "commons.keycloak.serverUrl=" + kcInstance.getAuthServerUrl()).applyTo(configurableApplicationContext.getEnvironment());
var kcInstance = KeyCloakTestContainer.getInstance();
TestPropertyValues.of("keycloak.auth-server-url=" + kcInstance.getAuthServerUrl());
}
}
@ -464,7 +461,7 @@ public abstract class AbstractPersistenceServerServiceTest {
var instance = KeyCloakTestContainer.getInstance();
when(cloakAdminClientService.getAdminClient()).thenReturn(instance.getKeycloakAdminClient());
// when(cloakAdminClientService.getAdminClient()).thenReturn(instance.getKeycloakAdminClient());
keycloakSpringBootProperties.setAuthServerUrl(instance.getAuthServerUrl());
keyCloakSettings.setServerUrl(instance.getAuthServerUrl());
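Review bot: The mock setup `when(keyCloakAdminClientService.getAdminClient())…` is commented out rather than deleted in both places it appears (the `TenantContext.setTenantId("redaction")` hunk and the `instance.getAuthServerUrl()` hunk), which leaves the reader guessing whether the real admin client is now intended once the `@MockBean KeyCloakAdminClientService` field appears to be gone; delete the two commented lines. The merged `TestPropertyValues.of(...)…applyTo(...)` statement is one very long line; listing one property per line as the previous statement did keeps it reviewable. If the replaced `TestPropertyValues.of("keycloak.auth-server-url=" + ...)` without `applyTo` is what this fixes, that property was never applied before, which is worth a sentence in the commit description.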


@ -1,9 +1,13 @@
package com.iqser.red.service.peristence.v1.server.integration.utils;
import java.util.ArrayList;
import java.util.List;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.testcontainers.containers.PostgreSQLContainer;
import org.keycloak.representations.idm.RoleRepresentation;
import dasniko.testcontainers.keycloak.KeycloakContainer;
@ -26,35 +30,91 @@ public class KeyCloakTestContainer {
keycloak.start();
var adminClient = keycloak.getKeycloakAdminClient();
var redaction = new RealmRepresentation();
redaction.setId("redaction");
redaction.setRealm("redaction");
redaction.setEnabled(true);
adminClient.realms().create(redaction);
var redaction = adminClient.realm("master");
var redactionRealm = adminClient.realm("redaction");
var redactionClient = new ClientRepresentation();
redactionClient.setId("redaction");
redactionClient.setEnabled(true);
redactionClient.setName("redaction");
redactionClient.setStandardFlowEnabled(true);
redactionClient.setImplicitFlowEnabled(true);
redactionClient.setDirectAccessGrantsEnabled(true);
redactionRealm.clients().create(redactionClient);
var redactionSystemClient = new ClientRepresentation();
//
// RoleRepresentation createRealm = new RoleRepresentation();
// createRealm.setName("create-realm");
//
// RoleRepresentation viewRealm = new RoleRepresentation();
// viewRealm.setName("view-realm");
//
// RoleRepresentation manageRealm = new RoleRepresentation();
// manageRealm.setName("manage-realm");
//
// RoleRepresentation manageUsers = new RoleRepresentation();
// manageUsers.setName("manage-users");
//
// RoleRepresentation manageClients = new RoleRepresentation();
// manageClients.setName("manage-clients");
// RolesRepresentation rolesRepresentation = new RolesRepresentation();
// rolesRepresentation.setRealm(List.of(createRealm));
// redaction.setRoles(rolesRepresentation);
redactionSystemClient.setId("redaction-system");
redactionSystemClient.setEnabled(true);
redactionSystemClient.setName("redaction-system");
redactionSystemClient.setSecret("redaction-system");
redactionSystemClient.setServiceAccountsEnabled(true);
redactionSystemClient.setDirectAccessGrantsEnabled(true);
redactionSystemClient.setStandardFlowEnabled(true);
redactionSystemClient.setImplicitFlowEnabled(true);
redactionSystemClient.setDirectAccessGrantsEnabled(true);
redactionRealm.clients().create(redactionSystemClient);
redaction.clients().create(redactionClient);
redaction.clients().create(redactionSystemClient);
RealmResource myRealm = adminClient.realm("master");
String userId = myRealm.clients().get("redaction-system").getServiceAccountUser().getId();
UserResource serviceAccountUser = myRealm.users().get(userId);
// ClientRepresentation clientThatOwnsRole = myRealm.clients()
// .findByClientId("realm-management").get(0);
ClientRepresentation clientThatOwnsRole = myRealm.clients()
.findByClientId("master-realm").get(0);
String clientIdOfRoleOwner = clientThatOwnsRole.getId();
ClientResource clientResourceOfRoleOwner = myRealm.clients().get(clientIdOfRoleOwner);
// myRealm.clients().get(clientIdOfRoleOwner).roles().list();
// List<RoleRepresentation> rolesToAssign = new ArrayList<>();
//
// rolesToAssign.add(clientResourceOfRoleOwner.roles().get("view-users").toRepresentation());
// rolesToAssign.add(clientResourceOfRoleOwner.roles().get("manage-realm").toRepresentation());
// rolesToAssign.add(clientResourceOfRoleOwner.roles().get("create-realm").toRepresentation());
//
// myRealm.clients().get(clientIdOfRoleOwner).roles().list().forEach(role -> {
// serviceAccountUser.roles().clientLevel(clientIdOfRoleOwner).add(role);
// });
List<RoleRepresentation> roles = new ArrayList<>();
roles.addAll(myRealm.clients().get(clientIdOfRoleOwner).roles().list());
// roles.add(myRealm.roles().get("create-realm").toRepresentation());
serviceAccountUser.roles().clientLevel(clientIdOfRoleOwner).add(roles);
serviceAccountUser.roles().realmLevel().add(List.of(myRealm.roles().get("create-realm").toRepresentation()));
// System.out.println(KeycloakBuilder.builder()
// .serverUrl(keycloak.getAuthServerUrl())
// .realm("management")
// .clientId("redaction-system")
// .clientSecret("redaction-system")
// .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
// .resteasyClient(new ResteasyClientBuilderImpl().connectionTTL(2, TimeUnit.SECONDS)
// .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
// .connectionPoolSize(10)
// .disableTrustManager()
// .build())
// .build()
// .realm("management")
// .toRepresentation());
}
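Review bot: Every `clients().create(...)` call in this hunk discards the `Response` the admin client returns, so a 409 (client already present) or a 404 (for instance if the `redaction` realm is no longer created in this container, as the removed `adminClient.realms().create(redaction)` lines suggest) leaves the fixture half-built and only surfaces later in unrelated tests; a small helper that checks the status and closes the response makes setup fail at the point of the problem. The `redaction-system` service account is then granted every role of the `master-realm` client plus `create-realm`; if the production service only needs to create and manage tenant realms, the fixture should assign exactly those roles so tests cannot pass with more privilege than a deployment has. The large commented-out blocks (role representations, the alternative role-assignment loop, the `KeycloakBuilder` print) should be deleted. The enclosing method starts outside the hunk.
```java
// … unchanged: container start, adminClient, realm lookups, redactionClient setup …
createClientOrFail(redactionRealm, redactionClient);
// … unchanged: redactionSystemClient setup …
createClientOrFail(redactionRealm, redactionSystemClient);
createClientOrFail(redaction, redactionClient);
createClientOrFail(redaction, redactionSystemClient);
// … unchanged: service-account role assignment …

/** Fails fast on a non-2xx admin response instead of continuing with a half-built fixture. */
private static void createClientOrFail(RealmResource realm, ClientRepresentation client) {
    try (var response = realm.clients().create(client)) {
        if (response.getStatus() / 100 != 2) {
            throw new IllegalStateException(
                "creating client '" + client.getName() + "' failed with HTTP " + response.getStatus());
        }
    }
}
```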


@ -118,15 +118,15 @@ multitenancy:
keycloak:
enabled: true
sslRequired: none
realm: redaction
resource: redaction
realm: master
resource: master
disableTrustManager: true
useResourceRoleMappings: true
commons:
keycloak:
application-client-id: redaction
realm: redaction
application-client-id: redaction-system
realm: master
client-id: redaction-system
client-secret: redaction-system
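Review bot: `resource: master` under `keycloak:` names a client that the test container never creates (it creates `redaction` and `redaction-system`), and it differs from the staging configuration in this same commit where the key is `redaction-system`; unless the adapter ignores `resource` in tests, this should presumably be `resource: redaction-system`. A short comment above `realm: master` noting that the test fixture grants the system client realm-creation rights in master would explain why both profiles moved away from `redaction`.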