
Programmatically set up keycloak client for hedgedoc
Needs Review, Public

Authored by olasd on Feb 2 2021, 3:15 PM.

Details

Reviewers
None
Group Reviewers
Reviewers
Summary

Depends on D4994

Test Plan

incomplete/untested so far

Diff Detail

Repository
rSPSITE puppet-swh-site
Branch
keycloak-hedgedoc-full
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 18955
Build 29372: arc lint + arc unit

Event Timeline

olasd requested review of this revision. Feb 2 2021, 3:15 PM
olasd created this revision.

I think you should be able to add the id scope by overriding the default_client_scopes in client settings.
The protocol mapper could also be created the following way.

keycloak::resources::protocol_mappers::id:
  resource_name: id
  type: oidc-usermodel-property-mapper
  claim_name: id
  user_attribute: id

hedgedoc:
  settings:
    public_client: false
    default_client_scopes:
      - profile
      - email
      - roles
      - web-origins
      - id
    redirect_uris:
      # Should match letsencrypt::certificates.hedgedoc.domains
      - https://hedgedoc.softwareheritage.org/*
    secret: some-secret
  protocol_mappers:
    - "%{alias('keycloak::resources::protocol_mappers::id')}"

I need to update my pupperware environment, so I cannot confirm it is working at the moment.

So after (painfully) managing to get my pupperware environment functional again, I could configure the hedgedoc client properly using the following diff:

diff --git a/data/common/common.yaml b/data/common/common.yaml
index ff78d092..0db1c3cd 100644
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -3070,6 +3070,12 @@ keycloak::resources::protocol_mappers::groups:
     claim_name: groups
     full_path: true
 
+keycloak::resources::protocol_mappers::id:
+  resource_name: id
+  type: oidc-usermodel-property-mapper
+  claim_name: id
+  user_attribute: id
+
 keycloak::resources::flows::direct_grant_no_otp:
   name: direct_grant_no_otp
   description: Direct grant flow without conditional OTP
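Review bot: the new `keycloak::resources::protocol_mappers::id` entry exposes the Keycloak user id as a custom `id` claim, while standard OIDC already carries that identifier in `sub` (which Keycloak fills with the user id by default); if hedgedoc can be pointed at `sub`, the mapper is not needed, and if it cannot, a one-line comment above the entry stating why hedgedoc requires a separate `id` claim would spare the next reader the question.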
@@ -3091,6 +3097,8 @@ keycloak::resources::realms:
       verify_email: true
     flows:
       - "%{alias('keycloak::resources::flows::direct_grant_no_otp')}"
+    client_scopes:
+      id: {}
     clients:
       swh-web:
         settings:
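Review bot: `client_scopes: id: {}` defines a scope with no protocol mappers, so listing `id` under hedgedoc's `default_client_scopes` adds no claims to the token; the `id` claim actually comes from the mapper attached directly to the client further down. Either move the mapper into the scope (which also lets other clients request it) or drop the scope and the `id` entry in `default_client_scopes`, so the data does not suggest a link that is not there.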
@@ -3104,6 +3112,21 @@ keycloak::resources::realms:
         protocol_mappers:
           - "%{alias('keycloak::resources::protocol_mappers::audience')}"
           - "%{alias('keycloak::resources::protocol_mappers::groups')}"
+      hedgedoc:
+        settings:
+          public_client: false
+          default_client_scopes:
+            - profile
+            - email
+            - roles
+            - web-origins
+            - id
+          redirect_uris:
+            # Should match letsencrypt::certificates.hedgedoc.domains
+            - https://hedgedoc.softwareheritage.org/*
+          secret: some-secret
+        protocol_mappers:
+          - "%{alias('keycloak::resources::protocol_mappers::id')}"
   SoftwareHeritageStaging:
     settings:
       display_name: Software Heritage (Staging)
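Review bot: `secret: some-secret` is a literal placeholder committed to data/common/common.yaml, which is shared data, while the octocatalog-diff run in this comment clones a separate data/private repository; the secret of a confidential client (`public_client: false`) should be a `%{lookup(...)}` of a key held in that private data, otherwise the realm ends up with a guessable client secret. Separately, `https://hedgedoc.softwareheritage.org/*` accepts any path on the host as a redirect target; narrowing it to hedgedoc's OAuth callback path limits where an authorization code can be sent.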
diff --git a/site-modules/profile/manifests/keycloak/resources.pp b/site-modules/profile/manifests/keycloak/resources.pp
index 84caa91e..6f1ab624 100644
--- a/site-modules/profile/manifests/keycloak/resources.pp
+++ b/site-modules/profile/manifests/keycloak/resources.pp
@@ -66,6 +66,19 @@ class profile::keycloak::resources {
       }
     }
 
+    $client_scopes = pick($realm_data['client_scopes'], {})
+
+    $client_scopes.each |$client_scope_name, $client_scope_settings| {
+
+      $client_scope_id = fqdn_uuid("${realm_name}.${client_scope_name}")
+
+      keycloak_client_scope {"${client_scope_name} on ${realm_name}":
+        ensure => present,
+        id => $client_scope_id,
+        *  => $client_scope_settings,
+      }
+    }
+
     $clients = pick($realm_data['clients'], {})
     $realm_client_common_settings = deep_merge($client_common_settings,
                                                pick($realm_data['client_settings'], {}))
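Review bot: the new `$client_scopes.each` loop only creates the scope itself and passes every key of `$client_scope_settings` straight through to `keycloak_client_scope`, so there is no way to attach protocol mappers to a scope from hiera (any mappers meant for `id` would need a separate loop over mapper resources, like the one clients get). Also, `fqdn_uuid("${realm_name}.${client_scope_name}")` derives the id from realm and name alone; if any other resource kind in this class seeds its id the same way, a scope and a client sharing a name would receive the same UUID, so consider putting the resource kind into the seed, e.g. `"${realm_name}.client_scope.${client_scope_name}"`.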

Below is the relevant octocatalog-diff output

14:21 $ bin/octocatalog-diff --octocatalog-diff-args --no-truncate-details -t staging kelvingrove.internal.softwareheritage.org
Found host kelvingrove.internal.softwareheritage.org
Cloning into '/tmp/swh-ocd.ZVkv3jvy/environments/production/data/private'...
done.
Cloning into '/tmp/swh-ocd.ZVkv3jvy/environments/staging/data/private'...
done.
*** Running octocatalog-diff on host kelvingrove.internal.softwareheritage.org
I, [2021-02-03T14:21:53.420292 #744366]  INFO -- : Catalogs compiled for kelvingrove.internal.softwareheritage.org
I, [2021-02-03T14:21:53.636103 #744366]  INFO -- : Diffs computed for kelvingrove.internal.softwareheritage.org
diff origin/production/kelvingrove.internal.softwareheritage.org current/kelvingrove.internal.softwareheritage.org
*******************************************
+ Keycloak_client[hedgedoc on SoftwareHeritage] =>
   parameters =>
      "client_id": "hedgedoc"
      "default_client_scopes": ["profile", "email", "roles", "web-origins", "id"]
      "ensure": "present"
      "id": "8000e76f-b23a-5736-aceb-5116ec28debe"
      "login_theme": "swh"
      "optional_client_scopes": ["microprofile-jwt", "offline_access"]
      "public_client": false
      "realm": "SoftwareHeritage"
      "redirect_uris": ["https://hedgedoc.softwareheritage.org/*"]
      "secret": "some-secret"
*******************************************
+ Keycloak_client_protocol_mapper[id for 8000e76f-b23a-5736-aceb-5116ec28debe on SoftwareHeritage] =>
   parameters =>
      "claim_name": "id"
      "client": "8000e76f-b23a-5736-aceb-5116ec28debe"
      "ensure": "present"
      "id": "bf7afedc-b33c-58df-a672-36c59b72cd2e"
      "realm": "SoftwareHeritage"
      "resource_name": "id"
      "type": "oidc-usermodel-property-mapper"
      "user_attribute": "id"
*******************************************
+ Keycloak_client_scope[id on SoftwareHeritage] =>
   parameters =>
      "ensure": "present"
      "id": "75f94bdc-5223-5490-a9a8-c8ef902c8351"
      "realm": "SoftwareHeritage"
      "resource_name": "id"
*******************************************
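As an added example, not code from this revision or from puppet-swh-site: a small Python lint that walks Keycloak realm data shaped like the hiera above and flags the things a reviewer would raise on the hedgedoc client, namely a client scope with no protocol mappers, a literal secret on a confidential client in shared data, and a redirect URI covering an entire host. The `%{alias(...)}` resolution and the data layout follow the diff; the sample dicts are constructed by hand from it, the hardened variant's lookup key and callback path are hypothetical, and in real use you would load `data/common/common.yaml` with PyYAML instead of the embedded dicts.

```python
import re
from typing import Any, Dict, List

# Client scopes Keycloak creates in every realm; anything else must appear
# under the realm's own client_scopes to be requestable.
BUILTIN_SCOPES = {"profile", "email", "roles", "web-origins", "address", "phone",
                  "microprofile-jwt", "offline_access"}
# A hiera interpolation such as %{alias('key')} or %{lookup('key')}.
INTERPOLATION = re.compile(r"%\{(\w+)\('([^']+)'\)\}")


def resolve_aliases(value: Any, top: Dict[str, Any]) -> Any:
    """Follow %{alias('key')} against the top-level keys; unknown keys
    (for instance ones that live in data/private) are left as-is."""
    if isinstance(value, str):
        m = INTERPOLATION.fullmatch(value)
        if m and m.group(1) == "alias" and m.group(2) in top:
            return resolve_aliases(top[m.group(2)], top)
        return value
    if isinstance(value, list):
        return [resolve_aliases(v, top) for v in value]
    if isinstance(value, dict):
        return {k: resolve_aliases(v, top) for k, v in value.items()}
    return value


def lint_realm(realm_name: str, realm: Dict[str, Any], top: Dict[str, Any]) -> List[str]:
    findings: List[str] = []
    realm = resolve_aliases(realm, top)
    scopes = realm.get("client_scopes") or {}
    for name, scope in scopes.items():
        # A scope with no mappers adds no claims, however many clients list it.
        if not (scope or {}).get("protocol_mappers"):
            findings.append(f"{realm_name}: client scope '{name}' has no protocol mappers")
    for client_id, client in (realm.get("clients") or {}).items():
        where = f"{realm_name}/{client_id}"
        settings = client.get("settings") or {}
        for scope in settings.get("default_client_scopes", []):
            if scope not in BUILTIN_SCOPES and scope not in scopes:
                findings.append(f"{where}: default scope '{scope}' is not defined in the realm")
        secret = settings.get("secret")
        # In shared data a confidential client's secret must be an interpolation
        # of a key kept elsewhere, never a literal value.
        if settings.get("public_client") is False and isinstance(secret, str) \
                and not INTERPOLATION.fullmatch(secret):
            findings.append(f"{where}: confidential client has a literal secret in common data")
        for uri in settings.get("redirect_uris", []):
            if not uri.startswith("https://"):
                findings.append(f"{where}: redirect URI '{uri}' is not https")
            elif re.fullmatch(r"https://[^/]+/\*", uri):
                findings.append(f"{where}: redirect URI '{uri}' covers the whole host, "
                                "restrict it to the OAuth callback path")
    return findings


def lint(hiera: Dict[str, Any]) -> List[str]:
    return [f for realm_name, realm in hiera["keycloak::resources::realms"].items()
            for f in lint_realm(realm_name, realm, hiera)]


ID_MAPPER = {"resource_name": "id", "type": "oidc-usermodel-property-mapper",
             "claim_name": "id", "user_attribute": "id"}
ID_ALIAS = "%{alias('keycloak::resources::protocol_mappers::id')}"
SCOPES = ["profile", "email", "roles", "web-origins", "id"]

# Constructed from the diff in this revision: the hedgedoc client as proposed.
PROPOSED = {
    "keycloak::resources::protocol_mappers::id": ID_MAPPER,
    "keycloak::resources::realms": {"SoftwareHeritage": {
        "client_scopes": {"id": {}},
        "clients": {"hedgedoc": {
            "settings": {"public_client": False, "default_client_scopes": SCOPES,
                         "redirect_uris": ["https://hedgedoc.softwareheritage.org/*"],
                         "secret": "some-secret"},
            "protocol_mappers": [ID_ALIAS],
        }},
    }},
}

# The same client with the findings addressed. The lookup key and the callback
# path are hypothetical, chosen for illustration only.
HARDENED = {
    "keycloak::resources::protocol_mappers::id": ID_MAPPER,
    "keycloak::resources::realms": {"SoftwareHeritage": {
        "client_scopes": {"id": {"protocol_mappers": [ID_ALIAS]}},
        "clients": {"hedgedoc": {
            "settings": {"public_client": False, "default_client_scopes": SCOPES,
                         "redirect_uris": ["https://hedgedoc.softwareheritage.org/auth/oauth2/callback"],
                         "secret": "%{lookup('swh::keycloak::hedgedoc::secret')}"},
        }},
    }},
}

if __name__ == "__main__":
    for label, data in (("proposed", PROPOSED), ("hardened", HARDENED)):
        print(f"== {label}: {lint(data) or 'clean'}")
```

Run against the proposed data it reports three findings (empty `id` scope, literal secret, whole-host redirect URI) and none against the hardened variant; the check on `default_client_scopes` passes for `id` only because the realm defines that scope, which is exactly why an empty scope is easy to miss.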