Release (#13)

* Eoepca 910 um keycloak develop an identity api based on keycloak api (#9) * feat: keycloak_client methods added for identity_api * feat: added scopes crud (for future?) and fixes on permissions and policies cruds * Merge (#10) * Update docker compose * Fix keycloak client constructor * Update README.md * Update docker compose * Add nginx config * Change nginx * Add realm admin role * Remove auth keycloak client (#11) * Add dummy service demo * Add dummy-service nginx * Update demos * Update nginx configs * Update gatekeeper config * feat: added register_general_policy function * fix: small fix in register_general_policy * fix: one more fix * feat: added delete permissions * feat: added create client function * Add gatekeeper cookie name --------- Co-authored-by: flaviorosadme <[email protected]> Co-authored-by: flaviorosadme <[email protected]>
EOEPCA · Nov 9, 2023 · fc0c5d7 · fc0c5d7
1 parent 2c8b779
commit fc0c5d7
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 219 deletions.
diff --git a/demos/nginx_auth_req.conf b/demos/nginx_auth_req.conf
@@ -2,121 +2,27 @@
 
       #listen 443 default ssl;
       listen 80;
-      server_name resource-server-gatekeeper;
+      server_name gatekeeper;
       add_header Strict-Transport-Security max-age=2592000;
       resolver 127.0.0.11;
       proxy_busy_buffers_size 64k;
       proxy_buffers 8 32k;
       proxy_buffer_size 32k;
 
       location / {
-        root /data/www;
-        proxy_pass http://spring-boot-oauth2-resource-server:7072;
-        auth_request /oauth/authorize;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Scheme $scheme;
-        proxy_set_header X-Forwarded-Host $host:80;
-        proxy_set_header X-Forwarded-Port 80;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_connect_timeout 1;
-        proxy_read_timeout 30;
-        proxy_send_timeout 30;
-        proxy_http_version 1.1;
-        # pass information via X-User and X-Email headers to backend,
-        # requires running with --set-xauthrequest flag
-        auth_request_set $user   $upstream_http_x_auth_request_user;
-        auth_request_set $email  $upstream_http_x_auth_request_email;
-        proxy_set_header X-User  $user;
-        proxy_set_header X-Email $email;
-        # if you enabled --pass-access-token, this will pass the token to the backend
-        auth_request_set $token  $upstream_http_x_auth_request_access_token;
-        proxy_set_header X-Access-Token $token;
-        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
-        auth_request_set $auth_cookie $upstream_http_set_cookie;
-        add_header Set-Cookie $auth_cookie;
-        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
-        # limit and so the OAuth2 Proxy splits these into multiple parts.
-        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
-        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
-        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
-        # Extract the Cookie attributes from the first Set-Cookie header and append them
-        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
-        if ($auth_cookie ~* "(; .*)") {
-            set $auth_cookie_name_0 $auth_cookie;
-            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
-        }
-        # Send both Set-Cookie headers now if there was a second part
-        if ($auth_cookie_name_upstream_1) {
-            add_header Set-Cookie $auth_cookie_name_0;
-            add_header Set-Cookie $auth_cookie_name_1;
-        }
+        auth_request /auth;
       }
 
-      location = /oauth/authorize {
+      location ^~ /auth {
         internal;
-        #proxy_method POST;
-        proxy_pass http://resource-server-gatekeeper:3001/;
-        #proxy_set_header X-Real-IP $remote_addr;
-        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        #proxy_set_header X-Scheme $scheme;
-        #proxy_set_header X-Forwarded-Port 80;
-        #proxy_set_header X-Forwarded-Server $host;
+        proxy_pass http://gatekeeper:3000/$request_uri;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Uri $request_uri;
-        #proxy_set_header X-Original-Method $request_method;
-        #proxy_set_header X-Scheme $scheme;
-        proxy_set_header Content-Length "";
-        proxy_pass_request_body off;
-        proxy_intercept_errors on;
-        error_page 303 = @handle_redirect;
+        proxy_set_header X-Forwarded-Method $request_method;
+        proxy_set_header X-Forwarded-URI $request_uri;
       }
 
-      location @handle_redirect {
-        set $redirect_location 'http://resource-server-gatekeeper:3001/$upstream_http_location';
-        proxy_pass $redirect_location;
-        proxy_intercept_errors on;
-        error_page 301 302 303 307 = @handle_redirect_auth;
-     }
-
-     location @handle_redirect_auth {
-        set $auth_redirect_location '$upstream_http_location';
-        proxy_pass $auth_redirect_location;
-     }
-
-#       location /oauth/ {
-#         expires -1;
-#         proxy_pass       http://gatekeeper:3000$request_uri;
-#         proxy_set_header Host                    $host;
-#         proxy_set_header X-Real-IP               $remote_addr;
-#         proxy_set_header X-Scheme                $scheme;
-#         proxy_set_header X-Auth-Request-Redirect $request_uri;
-#         proxy_set_header X-Forwarded-Proto $scheme;
-#         # or, if you are handling multiple domains:
-#         # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
-#       }
-
-#       location @handle_redirect {
-#           set $saved_redirect_location '$upstream_http_location';
-#           add_header X-debug "$saved_redirect_location";
-#           proxy_pass $saved_redirect_location;
-#       }
-
-#       location = /oauth/logout {
-#         # Sign-out mutates the session, only allow POST requests
-#         if ($request_method != POST) {
-#             return 405;
-#         }
-#         expires -1;
-#         proxy_pass http://gatekeeper:3000/oauth/logout;
-#         proxy_set_header Host $host;
-#         proxy_set_header X-Real-IP $remote_addr;
-#         proxy_set_header X-Scheme $scheme;
-#         proxy_set_header X-Forwarded-Proto $scheme;
-#         proxy_set_header X-Auth-Request-Redirect /oauth/logout;
-#       }
 
-    }
+    }
diff --git a/demos/nginx_proxy.conf b/demos/nginx_proxy.conf
@@ -1,40 +1,23 @@
-#     upstream docker-resource-server-gatekeeper {
-#         server resource-server-gatekeeper;
-#     }
-#
-#     upstream docker-echo-gatekeeper {
-#         server echo-gatekeeper;
-#     }
-
     server {
 
-      #listen                   443 default ssl;
-      listen                    80;
-      server_name               gatekeeper;
-      #ssl_certificate          /etc/letsencrypt/live/auth.proxy.develop.eoepca.org/fullchain.pem;
-      #ssl_certificate_key      /etc/letsencrypt/live/auth.proxy.develop.eoepca.org/privkey.pem;
-      add_header                Strict-Transport-Security max-age=2592000;
-      resolver                  127.0.0.11;
+      #listen 443 default ssl;
+      listen 80;
+      server_name gatekeeper;
+      add_header Strict-Transport-Security max-age=2592000;
+      resolver 127.0.0.11;
       proxy_busy_buffers_size 64k;
       proxy_buffers 8 32k;
       proxy_buffer_size 32k;
 
-
       location / {
-        #proxy_pass       http://echo-gatekeeper:3000;
-        proxy_pass       http://resource-server-gatekeeper:3001;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Scheme $scheme;
-        proxy_set_header X-Forwarded-Host $host:80;
-        proxy_set_header X-Forwarded-Port 80;
-        proxy_set_header X-Forwarded-Server $host;
+        #proxy_pass http://echo-gatekeeper:3000/$request_uri;
+        proxy_pass http://resource-server-gatekeeper:3001/$request_uri;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
         proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_connect_timeout 1;
-        proxy_read_timeout 30;
-        proxy_send_timeout 30;
-        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Method $request_method;
+        proxy_set_header X-Forwarded-URI $request_uri;
       }
 
-    }
+    }
diff --git a/docker-compose.development.yml b/docker-compose.development.yml
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -6,17 +6,16 @@ services:
 #        networks:
 #            - eoepca_network
 #        environment:
-#            - IDENTITY_AUTH_SERVER_URL=http://keycloak:8080
-#            - IDENTITY_RESOURCE_SERVER_ENDPOINT=http://keycloak-springboot-demo:7070
-#        restart: on-failure
-#    identity-manager:
-#        image: um-identity-manager
-#        container_name: um-identity-manager
-#        networks:
-#            - eoepca_network
-#        ports:
-#            - '4200:4200'
+#            - AUTH_SERVER_URL=http://keycloak:8080
 #        restart: on-failure
+    identity-manager:
+        image: um-identity-manager
+        container_name: um-identity-manager
+        networks:
+            - eoepca_network
+        ports:
+            - '4200:4200'
+        restart: on-failure
     identity-api:
         image: um-identity-api
         container_name: um-identity-api
@@ -28,7 +27,6 @@ services:
             - AUTH_SERVER_URL=http://keycloak:8080/
             - ADMIN_PASSWORD=admin
             - REALM=master
-            - RESOURCE_SERVER_ENDPOINT=http://spring-boot-oauth2-resource-server:7071
         restart: on-failure
     keycloak:
         image: quay.io/keycloak/keycloak:22.0.3

diff --git a/gatekeeper.yml b/gatekeeper.yml
@@ -1,13 +1,14 @@
 discovery-url: http://keycloak:8080/realms/demo
 client-id: gatekeeper
-client-secret: k0ciMZSAQR0IYoDM34LtHeqnki7GCs5t
+client-secret: Oj5bPfRNJyerALL60eFyQuZBCNj9woXR
 encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
 upstream-url: http://spring-boot-oauth2-resource-server:7072
-secure-cookie: false
 enable-request-id: true
 enable-refresh-tokens: true
 enable-login-handler: true
 enable-uma: true
+secure-cookie: false
+cookie-access-name: auth_user_id
 enable-logout-redirect: true
 enable-metrics: true
 enable-logging: true

diff --git a/identityutils/keycloak_client.py b/identityutils/keycloak_client.py
@@ -211,6 +211,15 @@ def register_user_policy(self, policy, client_id):
         return raise_error_from_response(
             data_raw, KeycloakPostError, expected_codes=[201, 409], skip_exists=True
         )
+
+    def register_general_policy(self, policy, client_id, policy_type):
+        _client_id = self.keycloak_admin.get_client_id(client_id)
+        params_path = {"realm-name": self.realm, "id": _client_id}
+        url = urls_patterns.URL_ADMIN_CLIENT_AUTHZ + "/policy/" + policy_type + "?max=-1"
+        data_raw = self.keycloak_admin.raw_post(url.format(**params_path), data=json.dumps(policy))
+        return raise_error_from_response(
+            data_raw, KeycloakPostError, expected_codes=[201, 409], skip_exists=True
+        )
 
     def assign_resources_permissions(self, permissions, client_id):
         if not isinstance(permissions, list):
@@ -481,3 +490,15 @@ def delete_client_scopes(self, client_id, scope_id):
         return raise_error_from_response(
             data_raw
         )
+
+    def delete_resource_permissions(self, client_id, permission_id):
+        _client_id = self.keycloak_admin.get_client_id(client_id)
+        params_path = {"realm-name": self.realm, "id": _client_id}
+        url = urls_patterns.URL_ADMIN_CLIENT_AUTHZ + "/permission/resource/" + permission_id
+        data_raw = self.keycloak_admin.raw_delete(url.format(**params_path))
+        return raise_error_from_response(
+            data_raw
+        )
+
+    def create_client(self, payload):
+        return self.keycloak_admin.create_client(payload=payload)