Update demos

EOEPCA · Oct 15, 2023 · 826128b · 826128b
1 parent 421fc27
commit 826128b
Show file tree

Hide file tree

Showing 8 changed files with 98 additions and 103 deletions.
diff --git a/demos/dummy-service/gatekeeper.yml b/demos/dummy-service/gatekeeper.yml
@@ -1,8 +1,10 @@
 discovery-url: http://keycloak:8080/realms/demo
 client-id: dummy-service
-client-secret: 52Bn2RNG6cERxGSB7EYwx9gOQILvkTNg
+client-secret: MppehlyuzZz6tDrSVVjromLNHQVX2HJR
 encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
-upstream-url: http://ades
+#upstream-url: http://ades
+upstream-url: https://dummy-service-open.develop.eoepca.org
+#no-redirects: true
 secure-cookie: false
 enable-request-id: true
 enable-refresh-tokens: true

diff --git a/demos/gatekeeper-echo.yml b/demos/gatekeeper-echo.yml
@@ -1,6 +1,6 @@
 discovery-url: http://keycloak:8080/realms/demo
 client-id: echo
-client-secret: 5v8HKg880cJOKqN8561ti9BFQpuqpijf
+client-secret: IUOg9mvXSVmPyyCmwCJYhfoMw1ERXqsB
 encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
 upstream-url: http://spring-boot-echo:7070
 secure-cookie: false

diff --git a/demos/nginx_auth_req.conf b/demos/nginx_auth_req.conf
@@ -5,9 +5,9 @@
       server_name resource-server-gatekeeper;
       add_header Strict-Transport-Security max-age=2592000;
       resolver 127.0.0.11;
-      proxy_busy_buffers_size 512k;
-      proxy_buffers 4 512k;
-      proxy_buffer_size 256k;
+      proxy_busy_buffers_size 64k;
+      proxy_buffers 8 32k;
+      proxy_buffer_size 32k;
 
       location / {
         root /data/www;

diff --git a/demos/nginx_proxy.conf b/demos/nginx_proxy.conf
@@ -15,9 +15,9 @@
       #ssl_certificate_key      /etc/letsencrypt/live/auth.proxy.develop.eoepca.org/privkey.pem;
       add_header                Strict-Transport-Security max-age=2592000;
       resolver                  127.0.0.11;
-      proxy_busy_buffers_size   512k;
-      proxy_buffers             4 512k;
-      proxy_buffer_size         256k;
+      proxy_busy_buffers_size 64k;
+      proxy_buffers 8 32k;
+      proxy_buffer_size 32k;
 
 
       location / {

diff --git a/identityutils/configuration.py b/identityutils/configuration.py
@@ -17,7 +17,7 @@ def load_configuration(path: os.PathLike | str) -> ConfigParser:
     conf = __load_configuration_file(path)
     # load environment variables related to Keycloak config
     for c in conf['Keycloak'].keys():
-        v = os.environ.get('IDENTITY_' + c.upper().replace("-", "_"))
+        v = os.environ.get(c.upper().replace("-", "_"))
         if v:
             v = v.replace('"', '')
             config['Keycloak'][c] = v

diff --git a/identityutils/keycloak_client.py b/identityutils/keycloak_client.py
@@ -11,12 +11,9 @@
 
 class KeycloakClient:
 
-    def __init__(self, server_url, realm, resource_server_endpoint, username, password):
-        if 'https' not in server_url and '/auth' not in server_url:
-            server_url = server_url
+    def __init__(self, server_url, realm, username, password):
         self.server_url = server_url
         self.realm = realm
-        self.resource_server_endpoint = resource_server_endpoint
         openid_connection = KeycloakOpenIDConnection(
             server_url=self.server_url,
             username=username,
@@ -25,7 +22,6 @@ def __init__(self, server_url, realm, resource_server_endpoint, username, passwo
             timeout=10)
         self.keycloak_admin = KeycloakAdmin(connection=openid_connection)
         self.admin_client = None
-        self.resources_client = None
         self.oauth2_proxy_client = None
         self.keycloak_uma = None
         self.keycloak_uma_openid = None
@@ -125,7 +121,7 @@ def register_aggregated_policy(self, policy, client_id):
         return raise_error_from_response(
             data_raw, KeycloakPostError, expected_codes=[201, 409], skip_exists=True
         )
-    
+
     def register_client_policy(self, policy, client_id):
         policy_type = "client"
         _client_id = self.keycloak_admin.get_client_id(client_id)
@@ -157,8 +153,8 @@ def register_group_policy(self, policy, client_id):
         return raise_error_from_response(
             data_raw, KeycloakPostError, expected_codes=[201, 409], skip_exists=True
         )
-    
-    def register_regex_policy(self, policy, client_id):   
+
+    def register_regex_policy(self, policy, client_id):
         policy_type = "regex"
         _client_id = self.keycloak_admin.get_client_id(client_id)
         params_path = {"realm-name": self.realm, "id": _client_id}
@@ -179,7 +175,7 @@ def register_role_policy(self, policy, client_id):
         return raise_error_from_response(
             data_raw, KeycloakPostError, expected_codes=[201, 409], skip_exists=True
         )
-        
+
 
     def register_time_policy(self,policy, client_id):
         # time can be one of:
@@ -250,19 +246,6 @@ def get_user_token(self, username, password, openid):
         """
         return openid.token(username, password, scope="openid profile")
 
-    def generate_protection_pat(self):
-        """Generate a personal access token
-        """
-        payload = {
-            "grant_type": "client_credentials",
-            "client_id": self.resources_client.get('clientId'),
-            "client_secret": self.resources_client.get('secret'),
-        }
-        connection = ConnectionManager(self.keycloak_uma.connection.base_url)
-        connection.add_param_headers("Content-Type", "application/x-www-form-urlencoded")
-        data_raw = connection.raw_post(self.keycloak_uma.uma_well_known["token_endpoint"], data=payload)
-        return raise_error_from_response(data_raw, KeycloakPostError)
-
     def get_resources(self, client_id):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         return self.keycloak_admin.get_client_authz_resources(_client_id)
@@ -338,24 +321,6 @@ def get_permission_ticket(self, resources: list[str]):
         )
         return raise_error_from_response(data, KeycloakPostError)
 
-    def get_rpt(self, access_token, ticket, limits):
-        payload = {
-            "claim_token_format": "urn:ietf:params:oauth:token-type:jwt",
-            "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
-            "claim_token": access_token,
-            "ticket": ticket,
-            "client_id": self.resources_client.get('clientId'),
-            "client_secret": self.resources_client.get('secret'),
-            "response_permissions_limit": limits
-        }
-        params_path = {
-            "realm-name": self.realm
-        }
-        connection = ConnectionManager(self.keycloak_uma.connection.base_url)
-        connection.add_param_headers("Content-Type", "application/x-www-form-urlencoded")
-        data = connection.raw_post(urls_patterns.URL_TOKEN.format(**params_path), data=payload)
-        return raise_error_from_response(data, KeycloakPostError)
-
     def get_user_id(self, username) -> str:
         return self.keycloak_admin.get_user_id(username)
 
@@ -404,59 +369,26 @@ def register_client(self, options: dict):
             logger.info('Created service account user:\n' + json.dumps(user, indent=2))
         return client
 
-    def __register_resources_client(self, client_id: str):
-        options = {
-            'clientId': client_id,
-            'secret': 'secret',  # TODO changeme
-            'serviceAccountsEnabled': True,
-            'directAccessGrantsEnabled': True,
-            'authorizationServicesEnabled': True,
-            'authorizationSettings': {
-                'allowRemoteResourceManagement': False, # True
-                'policyEnforcementMode': 'ENFORCING'
-            },
-            "bearerOnly": False,
-            'adminUrl': self.resource_server_endpoint,
-            'baseUrl': self.resource_server_endpoint,
-            'redirectUris': [
-                #self.resource_server_endpoint + '/*'
-                '*'
-            ]
-        }
-        self.resources_client = self.register_client(options=options)
-        self.keycloak_uma = KeycloakUMA(connection=KeycloakOpenIDConnection(
-            server_url=self.server_url,
-            realm_name=self.realm,
-            client_id=self.resources_client.get('clientId'),
-            client_secret_key=self.resources_client.get('secret'),
-            verify=self.server_url.startswith('https')
-        ))
-        self.keycloak_uma_openid = KeycloakOpenID(server_url=self.server_url,
-                                                  realm_name=self.realm,
-                                                  client_id=self.resources_client.get('clientId'),
-                                                  client_secret_key=self.resources_client.get('secret'))
-        return self.resources_client
-
     def __get_service_account_user(self, client_id: str):
         data_raw = self.keycloak_admin.connection.raw_get(
             self.server_url + '/admin/realms/' + self.realm + '/clients/' + client_id + '/service-account-user')
         return raise_error_from_response(
             data_raw, KeycloakGetError
         )
-    
+
     def get_policies(self,
-                    resource: str = "",
-                    name: str = "",
-                    scope: str = "",
-                    first: int = 0,
-                    maximum: int = -1,) -> list[str]:
+                     resource: str = "",
+                     name: str = "",
+                     scope: str = "",
+                     first: int = 0,
+                     maximum: int = -1,) -> list[str]:
 
         return self.keycloak_uma.policy_query(resource, name, scope, first, maximum)
-    
+
     def get_client_authz_policies(self, client_id):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         return self.keycloak_admin.get_client_authz_policies(_client_id)
-    
+
     def update_policy(self, policy_id, payload, client_id):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         params_path = {"realm-name": self.realm, "id": _client_id}
@@ -466,19 +398,19 @@ def update_policy(self, policy_id, payload, client_id):
         return raise_error_from_response(
             data_raw, KeycloakPostError
         )
-    
+
     def delete_policy(self, policy_id, client_id):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         return self.keycloak_admin.delete_client_authz_policy(_client_id, policy_id)
-    
+
     def get_client_authz_permissions(self, client_id):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         return self.keycloak_admin.get_client_authz_permissions(_client_id)
 
     def get_client_management_permissions(self, client_id):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         return self.keycloak_admin.get_client_management_permissions(_client_id)
-    
+
     def get_client_resource_permissions(self, client_id):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         params_path = {"realm-name": self.realm, "id": _client_id}
@@ -487,21 +419,21 @@ def get_client_resource_permissions(self, client_id):
         return raise_error_from_response(
             data_raw, KeycloakGetError
         )
-    
+
     #def get_client_authz_scope_permissions(self,client_id, scope_id):
     #    return self.keycloak_admin.get_client_authz_scope_permission(client_id, scope_id)
-    
+
     #def create_client_authz_scope_based_permission(self, client_id, payload):
     #    return self.keycloak_admin.create_client_authz_scope_based_permission(client_id, payload, skip_exists=True)
-    
+
     def create_client_authz_resource_based_permission(self, client_id, payload):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         return self.keycloak_admin.create_client_authz_resource_based_permission(_client_id, payload, skip_exists=True)
 
     def update_client_management_permissions(self, client_id, payload):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         return self.keycloak_admin.update_client_management_permissions(payload, _client_id)
-    
+
     def update_client_authz_resource_permission(self, client_id, payload, permission_id):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         params_path = {"realm-name": self.realm, "id": _client_id}
@@ -510,10 +442,10 @@ def update_client_authz_resource_permission(self, client_id, payload, permission
         return raise_error_from_response(
             data_raw, KeycloakPutError
         )
-    
+
     #def update_client_authz_scope_permission(self, client_id,  payload, scope_id):
     #    return self.keycloak_admin.update_client_authz_scope_permission(payload, client_id, scope_id)
-    
+
     def get_client_scopes(self, client_id, name):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         params_path = {"realm-name": self.realm, "id": _client_id}
@@ -522,7 +454,7 @@ def get_client_scopes(self, client_id, name):
         return raise_error_from_response(
             data_raw, KeycloakGetError
         )
-    
+
     def create_client_scopes(self, client_id, payload):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         params_path = {"realm-name": self.realm, "id": _client_id}
@@ -531,7 +463,7 @@ def create_client_scopes(self, client_id, payload):
         return raise_error_from_response(
             data_raw, KeycloakPostError
         )
-    
+
     def update_client_scopes(self, client_id, scope_id, payload):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         params_path = {"realm-name": self.realm, "id": _client_id}
@@ -540,7 +472,7 @@ def update_client_scopes(self, client_id, scope_id, payload):
         return raise_error_from_response(
             data_raw, KeycloakPutError
         )
-    
+
     def delete_client_scopes(self, client_id, scope_id):
         _client_id = self.keycloak_admin.get_client_id(client_id)
         params_path = {"realm-name": self.realm, "id": _client_id}

diff --git a/infra/README.md b/infra/README.md
@@ -0,0 +1,20 @@
+### Create Sealed secrets
+
+```shell
+export ADMIN_PASSWORD=
+export PROXY_CLIENT_SECRET=
+export PROXY_ENCRYPTION_KEY=
+export KC_DB_PASSWORD=
+export PGPASSWORD=
+export POSTGRES_PASSWORD=${KC_DB_PASSWORD}
+
+kubectl create secret generic identity-api -n um --dry-run --from-literal=ADMIN_PASSWORD=${ADMIN_PASSWORD} -o yaml | kubeseal --controller-name=eoepca-sealed-secrets --controller-namespace=infra --format yaml > identity-api-sealedsecret.yaml
+kubectl create secret generic identity-gatekeeper -n um --dry-run --from-literal=PROXY_CLIENT_SECRET=${PROXY_CLIENT_SECRET} --from-literal=PROXY_ENCRYPTION_KEY=${PROXY_ENCRYPTION_KEY} -o yaml | kubeseal --controller-name=eoepca-sealed-secrets --controller-namespace=infra --format yaml > identity-gatekeeper-sealedsecret.yaml
+kubectl create secret generic identity-keycloak -n um --dry-run --from-literal=KEYCLOAK_ADMIN_PASSWORD=${ADMIN_PASSWORD} --from-literal=KC_DB_PASSWORD=${KC_DB_PASSWORD} -o yaml | kubeseal --controller-name=eoepca-sealed-secrets --controller-namespace=infra --format yaml > identity-keycloak-sealedsecret.yaml
+kubectl create secret generic identity-postgres -n um --dry-run --from-literal=POSTGRES_PASSWORD=${POSTGRES_PASSWORD} --from-literal=PGPASSWORD=${PGPASSWORD} -o yaml | kubeseal --controller-name=eoepca-sealed-secrets --controller-namespace=infra --format yaml > identity-postgres-sealedsecret.yaml
+
+cat identity-api-sealedsecret.yaml | kubeseal --validate --controller-name=eoepca-sealed-secrets --controller-namespace=infra
+cat identity-gatekeeper-sealedsecret.yaml | kubeseal --validate --controller-name=eoepca-sealed-secrets --controller-namespace=infra
+cat identity-keycloak-sealedsecret.yaml | kubeseal --validate --controller-name=eoepca-sealed-secrets --controller-namespace=infra
+cat identity-postgres-sealedsecret.yaml | kubeseal --validate --controller-name=eoepca-sealed-secrets --controller-namespace=infra
+```
diff --git a/infra/dummy-service-ingress.yaml b/infra/dummy-service-ingress.yaml
@@ -0,0 +1,41 @@
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: test
+  name: identity-dummy-service
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      auth_request /auth;
+    nginx.ingress.kubernetes.io/server-snippet: |
+      location ^~ /auth {
+        internal;
+        proxy_pass http://identity-gatekeeper.um.svc.cluster.local:3000/$request_uri;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Method $request_method;
+        proxy_set_header X-Forwarded-URI $request_uri;
+        proxy_busy_buffers_size 64k;
+        proxy_buffers 8 32k;
+        proxy_buffer_size 32k;
+      }
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: identity.dummy-service.develop.eoepca.org
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: dummy-service
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - identity.dummy-service.develop.eoepca.org
+      secretName: identity-dummy-service-tls