Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11956 Commits
49 Branches
313 Tags
344 MiB
 
 
 
 
 
 
Tree: c870fcca8a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c870fcca8a'
${ noResults }
seaweedfs/test/s3/iam/setup_keycloak.sh

206 lines
6.8 KiB
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
KEYCLOAK_IMAGE="quay.io/keycloak/keycloak:26.0.7"
CONTAINER_NAME="keycloak-iam-test"
KEYCLOAK_PORT="8080"
KEYCLOAK_URL="http://localhost:${KEYCLOAK_PORT}"
# Realm and test fixtures expected by tests
REALM_NAME="seaweedfs-test"
CLIENT_ID="seaweedfs-s3"
CLIENT_SECRET="seaweedfs-s3-secret"
ROLE_ADMIN="s3-admin"
ROLE_READONLY="s3-read-only"
ROLE_READWRITE="s3-read-write"
declare -A USERS
USERS=(
[admin-user]=admin123
[read-user]=read123
[write-user]=write123
)
echo -e "${BLUE}🔧 Setting up Keycloak realm and users for SeaweedFS S3 IAM testing...${NC}"
echo "Keycloak URL: ${KEYCLOAK_URL}"
ensure_container() {
# Prefer any already running Keycloak container to avoid port conflicts
if docker ps --format '{{.Names}}' | grep -q '^keycloak$'; then
CONTAINER_NAME="keycloak"
echo -e "${GREEN}✅ Using existing container '${CONTAINER_NAME}'${NC}"
return 0
fi
if docker ps --format '{{.Names}}' | grep -q "^${CONTAINER_NAME}$"; then
echo -e "${GREEN}✅ Using existing container '${CONTAINER_NAME}'${NC}"
return 0
fi
echo -e "${YELLOW}🐳 Starting Keycloak container (${KEYCLOAK_IMAGE})...${NC}"
docker rm -f "${CONTAINER_NAME}" >/dev/null 2>&1 || true
docker run -d --name "${CONTAINER_NAME}" -p "${KEYCLOAK_PORT}:8080" \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=admin \
-e KC_HTTP_ENABLED=true \
-e KC_HOSTNAME_STRICT=false \
-e KC_HOSTNAME_STRICT_HTTPS=false \
-e KC_HEALTH_ENABLED=true \
"${KEYCLOAK_IMAGE}" start-dev >/dev/null
}
wait_ready() {
echo -e "${YELLOW}⏳ Waiting for Keycloak to be ready...${NC}"
for i in $(seq 1 120); do
if curl -sf "${KEYCLOAK_URL}/health/ready" >/dev/null; then
echo -e "${GREEN}✅ Keycloak health check passed${NC}"
return 0
fi
if curl -sf "${KEYCLOAK_URL}/realms/master" >/dev/null; then
echo -e "${GREEN}✅ Keycloak master realm accessible${NC}"
return 0
fi
sleep 2
done
echo -e "${RED}❌ Keycloak did not become ready in time${NC}"
exit 1
}
kcadm() {
docker exec -i "${CONTAINER_NAME}" /opt/keycloak/bin/kcadm.sh "$@"
}
admin_login() {
kcadm config credentials --server "${KEYCLOAK_URL}" --realm master --user admin --password admin >/dev/null
}
ensure_realm() {
if kcadm get realms | grep -q '"realm": *"'${REALM_NAME}'"'; then
echo -e "${GREEN}✅ Realm '${REALM_NAME}' already exists${NC}"
else
echo -e "${YELLOW}📝 Creating realm '${REALM_NAME}'...${NC}"
kcadm create realms -s realm="${REALM_NAME}" -s enabled=true >/dev/null
echo -e "${GREEN}✅ Realm created${NC}"
fi
}
ensure_client() {
local id
id=$(kcadm get clients -r "${REALM_NAME}" -q clientId="${CLIENT_ID}" | jq -r '.[0].id // empty')
if [[ -n "${id}" ]]; then
echo -e "${GREEN}✅ Client '${CLIENT_ID}' already exists${NC}"
else
echo -e "${YELLOW}📝 Creating client '${CLIENT_ID}'...${NC}"
kcadm create clients -r "${REALM_NAME}" \
-s clientId="${CLIENT_ID}" \
-s protocol=openid-connect \
-s publicClient=false \
-s serviceAccountsEnabled=true \
-s directAccessGrantsEnabled=true \
-s standardFlowEnabled=true \
-s implicitFlowEnabled=false \
-s secret="${CLIENT_SECRET}" >/dev/null
echo -e "${GREEN}✅ Client created${NC}"
fi
}
ensure_role() {
local role="$1"
if kcadm get roles -r "${REALM_NAME}" | jq -r '.[].name' | grep -qx "${role}"; then
echo -e "${GREEN}✅ Role '${role}' exists${NC}"
else
echo -e "${YELLOW}📝 Creating role '${role}'...${NC}"
kcadm create roles -r "${REALM_NAME}" -s name="${role}" >/dev/null
fi
}
ensure_user() {
local username="$1" password="$2"
local uid
uid=$(kcadm get users -r "${REALM_NAME}" -q username="${username}" | jq -r '.[0].id // empty')
if [[ -z "${uid}" ]]; then
echo -e "${YELLOW}📝 Creating user '${username}'...${NC}"
uid=$(kcadm create users -r "${REALM_NAME}" \
-s username="${username}" \
-s enabled=true \
-s email="${username}@seaweedfs.test" \
-s emailVerified=true \
-s firstName="${username}" \
-s lastName="User" \
-i)
else
echo -e "${GREEN}✅ User '${username}' exists${NC}"
fi
echo -e "${YELLOW}🔑 Setting password for '${username}'...${NC}"
kcadm set-password -r "${REALM_NAME}" --userid "${uid}" --new-password "${password}" --temporary=false >/dev/null
}
assign_role() {
local username="$1" role="$2"
local uid rid
uid=$(kcadm get users -r "${REALM_NAME}" -q username="${username}" | jq -r '.[0].id')
rid=$(kcadm get roles -r "${REALM_NAME}" | jq -r ".[] | select(.name==\"${role}\") | .id")
# Check if role already assigned
if kcadm get "users/${uid}/role-mappings/realm" -r "${REALM_NAME}" | jq -r '.[].name' | grep -qx "${role}"; then
echo -e "${GREEN}✅ User '${username}' already has role '${role}'${NC}"
return 0
fi
echo -e "${YELLOW}➕ Assigning role '${role}' to '${username}'...${NC}"
kcadm add-roles -r "${REALM_NAME}" --uid "${uid}" --rolename "${role}" >/dev/null
}
main() {
command -v docker >/dev/null || { echo -e "${RED}❌ Docker is required${NC}"; exit 1; }
command -v jq >/dev/null || { echo -e "${RED}❌ jq is required${NC}"; exit 1; }
ensure_container
wait_ready
admin_login
ensure_realm
ensure_client
ensure_role "${ROLE_ADMIN}"
ensure_role "${ROLE_READONLY}"
ensure_role "${ROLE_READWRITE}"
for u in "${!USERS[@]}"; do
ensure_user "$u" "${USERS[$u]}"
done
assign_role admin-user "${ROLE_ADMIN}"
assign_role read-user "${ROLE_READONLY}"
assign_role write-user "${ROLE_READWRITE}"
# Validate the setup by testing one user authentication
echo -e "${YELLOW}🔍 Validating setup by testing admin-user authentication...${NC}"
sleep 2
local validation_result=$(curl -s -w "%{http_code}" -X POST "http://localhost:${KEYCLOAK_PORT}/realms/${REALM_NAME}/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password" \
-d "client_id=${CLIENT_ID}" \
-d "client_secret=${CLIENT_SECRET}" \
-d "username=admin-user" \
-d "password=admin123" \
-d "scope=openid profile email" \
-o /tmp/auth_test_response.json)
if [[ "${validation_result: -3}" == "200" ]]; then
echo -e "${GREEN}✅ Authentication validation successful${NC}"
else
echo -e "${RED}❌ Authentication validation failed with HTTP ${validation_result: -3}${NC}"
echo -e "${YELLOW}Response body:${NC}"
cat /tmp/auth_test_response.json 2>/dev/null || echo "No response body"
echo -e "${YELLOW}This may indicate a setup issue that needs to be resolved${NC}"
fi
rm -f /tmp/auth_test_response.json
echo -e "${GREEN}✅ Keycloak test realm '${REALM_NAME}' configured${NC}"
}
main "$@"