You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
243 lines
7.5 KiB
243 lines
7.5 KiB
#!/bin/bash
|
|
|
|
# Keycloak Setup Script for CI/CD
|
|
# This script sets up a Keycloak realm with test users and roles for SeaweedFS S3 IAM testing
|
|
|
|
set -e
|
|
|
|
KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8080}"
|
|
ADMIN_USER="${KEYCLOAK_ADMIN:-admin}"
|
|
ADMIN_PASSWORD="${KEYCLOAK_ADMIN_PASSWORD:-admin}"
|
|
REALM_NAME="seaweedfs-test"
|
|
CLIENT_ID="seaweedfs-s3"
|
|
CLIENT_SECRET="seaweedfs-s3-secret"
|
|
|
|
echo "🔧 Setting up Keycloak realm and users for SeaweedFS S3 IAM testing..."
|
|
echo "Keycloak URL: $KEYCLOAK_URL"
|
|
|
|
# Function to get admin access token
|
|
get_admin_token() {
|
|
curl -s -X POST "$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" \
|
|
-H "Content-Type: application/x-www-form-urlencoded" \
|
|
-d "username=$ADMIN_USER" \
|
|
-d "password=$ADMIN_PASSWORD" \
|
|
-d "grant_type=password" \
|
|
-d "client_id=admin-cli" | jq -r '.access_token'
|
|
}
|
|
|
|
# Function to check if realm exists
|
|
realm_exists() {
|
|
local token=$1
|
|
curl -s -H "Authorization: Bearer $token" \
|
|
"$KEYCLOAK_URL/admin/realms/$REALM_NAME" \
|
|
-o /dev/null -w "%{http_code}" | grep -q "200"
|
|
}
|
|
|
|
# Function to create realm
|
|
create_realm() {
|
|
local token=$1
|
|
echo "📝 Creating realm: $REALM_NAME"
|
|
|
|
local payload=$(jq -n \
|
|
--arg realm "$REALM_NAME" \
|
|
'{
|
|
"realm": $realm,
|
|
"enabled": true,
|
|
"displayName": "SeaweedFS Test Realm",
|
|
"accessTokenLifespan": 3600,
|
|
"sslRequired": "none"
|
|
}')
|
|
|
|
local response=$(curl -s -X POST "$KEYCLOAK_URL/admin/realms" \
|
|
-H "Authorization: Bearer $token" \
|
|
-H "Content-Type: application/json" \
|
|
-d "$payload")
|
|
|
|
if [[ -n "$response" && "$response" != *"error"* ]]; then
|
|
echo "✅ Realm created successfully"
|
|
else
|
|
echo "⚠️ Realm creation response: $response"
|
|
fi
|
|
}
|
|
|
|
# Function to create client
|
|
create_client() {
|
|
local token=$1
|
|
echo "📝 Creating client: $CLIENT_ID"
|
|
|
|
local payload=$(jq -n \
|
|
--arg clientId "$CLIENT_ID" \
|
|
--arg secret "$CLIENT_SECRET" \
|
|
'{
|
|
"clientId": $clientId,
|
|
"enabled": true,
|
|
"publicClient": false,
|
|
"secret": $secret,
|
|
"directAccessGrantsEnabled": true,
|
|
"serviceAccountsEnabled": true,
|
|
"standardFlowEnabled": true,
|
|
"implicitFlowEnabled": false,
|
|
"redirectUris": ["*"],
|
|
"webOrigins": ["*"]
|
|
}')
|
|
|
|
local response=$(curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/clients" \
|
|
-H "Authorization: Bearer $token" \
|
|
-H "Content-Type: application/json" \
|
|
-d "$payload")
|
|
|
|
if [[ -n "$response" && "$response" != *"error"* ]]; then
|
|
echo "✅ Client created successfully"
|
|
else
|
|
echo "⚠️ Client creation response: $response"
|
|
fi
|
|
}
|
|
|
|
# Function to create role
|
|
create_role() {
|
|
local token=$1
|
|
local role_name=$2
|
|
local role_description=$3
|
|
|
|
echo "📝 Creating role: $role_name"
|
|
|
|
local payload=$(jq -n \
|
|
--arg name "$role_name" \
|
|
--arg description "$role_description" \
|
|
'{
|
|
"name": $name,
|
|
"description": $description
|
|
}')
|
|
|
|
local response=$(curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/roles" \
|
|
-H "Authorization: Bearer $token" \
|
|
-H "Content-Type: application/json" \
|
|
-d "$payload")
|
|
|
|
if [[ -n "$response" && "$response" != *"error"* ]]; then
|
|
echo "✅ Role '$role_name' created successfully"
|
|
else
|
|
echo "⚠️ Role creation response: $response"
|
|
fi
|
|
}
|
|
|
|
# Function to create user
|
|
create_user() {
|
|
local token=$1
|
|
local username=$2
|
|
local password=$3
|
|
local email=$4
|
|
local first_name=$5
|
|
local last_name=$6
|
|
local roles=$7
|
|
|
|
echo "📝 Creating user: $username"
|
|
|
|
# Create user
|
|
local user_payload=$(jq -n \
|
|
--arg username "$username" \
|
|
--arg email "$email" \
|
|
--arg firstName "$first_name" \
|
|
--arg lastName "$last_name" \
|
|
--arg password "$password" \
|
|
'{
|
|
"username": $username,
|
|
"email": $email,
|
|
"firstName": $firstName,
|
|
"lastName": $lastName,
|
|
"enabled": true,
|
|
"emailVerified": true,
|
|
"credentials": [{
|
|
"type": "password",
|
|
"value": $password,
|
|
"temporary": false
|
|
}]
|
|
}')
|
|
|
|
local user_response=$(curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/users" \
|
|
-H "Authorization: Bearer $token" \
|
|
-H "Content-Type: application/json" \
|
|
-d "$user_payload")
|
|
|
|
if [[ -n "$user_response" && "$user_response" != *"error"* ]]; then
|
|
echo "✅ User '$username' created successfully"
|
|
else
|
|
echo "⚠️ User creation response: $user_response"
|
|
fi
|
|
|
|
# Get user ID
|
|
local user_id=$(curl -s -H "Authorization: Bearer $token" \
|
|
"$KEYCLOAK_URL/admin/realms/$REALM_NAME/users?username=$username" | \
|
|
jq -r '.[0].id')
|
|
|
|
# Assign roles
|
|
if [ -n "$roles" ]; then
|
|
echo "📝 Assigning roles to $username: $roles"
|
|
IFS=',' read -ra ROLE_ARRAY <<< "$roles"
|
|
for role in "${ROLE_ARRAY[@]}"; do
|
|
# Get role representation
|
|
local role_rep=$(curl -s -H "Authorization: Bearer $token" \
|
|
"$KEYCLOAK_URL/admin/realms/$REALM_NAME/roles/$role")
|
|
|
|
# Assign role to user
|
|
curl -s -X POST "$KEYCLOAK_URL/admin/realms/$REALM_NAME/users/$user_id/role-mappings/realm" \
|
|
-H "Authorization: Bearer $token" \
|
|
-H "Content-Type: application/json" \
|
|
-d "[$role_rep]"
|
|
done
|
|
fi
|
|
}
|
|
|
|
# Main setup process
|
|
main() {
|
|
echo "🚀 Starting Keycloak setup..."
|
|
|
|
# Wait for Keycloak to be ready
|
|
echo "⏳ Waiting for Keycloak to be ready..."
|
|
timeout 120 bash -c "until curl -s $KEYCLOAK_URL/realms/master > /dev/null; do sleep 2; done" || {
|
|
echo "❌ Keycloak is not ready after 120 seconds"
|
|
exit 1
|
|
}
|
|
|
|
# Get admin token
|
|
echo "🔑 Getting admin access token..."
|
|
ADMIN_TOKEN=$(get_admin_token)
|
|
if [ -z "$ADMIN_TOKEN" ] || [ "$ADMIN_TOKEN" = "null" ]; then
|
|
echo "❌ Failed to get admin access token"
|
|
exit 1
|
|
fi
|
|
|
|
# Create realm if it doesn't exist
|
|
if ! realm_exists "$ADMIN_TOKEN"; then
|
|
create_realm "$ADMIN_TOKEN"
|
|
sleep 2
|
|
else
|
|
echo "✅ Realm $REALM_NAME already exists"
|
|
fi
|
|
|
|
# Create client
|
|
create_client "$ADMIN_TOKEN"
|
|
sleep 1
|
|
|
|
# Create roles
|
|
create_role "$ADMIN_TOKEN" "s3-admin" "SeaweedFS S3 Administrator"
|
|
create_role "$ADMIN_TOKEN" "s3-read-only" "SeaweedFS S3 Read-Only User"
|
|
create_role "$ADMIN_TOKEN" "s3-write-only" "SeaweedFS S3 Write-Only User"
|
|
sleep 1
|
|
|
|
# Create test users
|
|
create_user "$ADMIN_TOKEN" "admin-user" "admin123" "admin@seaweedfs.test" "Admin" "User" "s3-admin"
|
|
create_user "$ADMIN_TOKEN" "read-user" "read123" "read@seaweedfs.test" "Read" "User" "s3-read-only"
|
|
create_user "$ADMIN_TOKEN" "write-user" "write123" "write@seaweedfs.test" "Write" "User" "s3-write-only"
|
|
|
|
echo "✅ Keycloak setup completed successfully!"
|
|
echo "🔗 Realm: $KEYCLOAK_URL/realms/$REALM_NAME"
|
|
echo "👥 Test users created:"
|
|
echo " - admin-user (password: admin123) - s3-admin role"
|
|
echo " - read-user (password: read123) - s3-read-only role"
|
|
echo " - write-user (password: write123) - s3-write-only role"
|
|
echo "🔑 Client: $CLIENT_ID (secret: $CLIENT_SECRET)"
|
|
}
|
|
|
|
# Run main function
|
|
main "$@"
|