Merge pull request #83 from matskiv/INTLY-2377-redirect

INTLY-2377 adding support for browser auth flow redirect
integr8ly · Jul 30, 2019 · 78620a2 · 78620a2
2 parents a4d17b0 + 589c6d7
commit 78620a2
Show file tree

Hide file tree

Showing 13 changed files with 575 additions and 34 deletions.
diff --git a/Makefile b/Makefile
@@ -4,7 +4,7 @@ CONSUMER_NAMESPACES=${NAMESPACE}
 PROJECT=keycloak-operator
 REG=quay.io
 SHELL=/bin/bash
-TAG=v1.7.3
+TAG=v1.7.4
 PKG=github.com/integr8ly/keycloak-operator
 TEST_DIRS?=$(shell sh -c "find $(TOP_SRC_DIRS) -name \\*_test.go -exec dirname {} \\; | sort | uniq")
 TEST_POD_NAME=keycloak-operator-test

diff --git a/deploy/crds/KeycloakRealm_crd.yaml b/deploy/crds/KeycloakRealm_crd.yaml
@@ -26,6 +26,8 @@ spec:
               type: string
             createOnly:
               type: boolean
+            browserRedirectorIdentityProvider:
+              type: string
             identityProviders:
               type: array
               items:

diff --git a/deploy/examples/keycloakRealm_OpenShift4_IDP.json b/deploy/examples/keycloakRealm_OpenShift4_IDP.json
@@ -0,0 +1,102 @@
+{
+    "apiVersion": "aerogear.org/v1alpha1",
+    "kind": "KeycloakRealm",
+    "metadata": {
+      "name": "arealm"
+    },
+    "spec": {
+        "createOnly": true,
+        "id": "arealm",
+        "realm": "arealm",
+        "displayName": "arealm",
+        "enabled": true,
+        "eventsListeners": ["metrics-listener"],
+        "users": [
+            {
+                "username": "admin",
+                "outputSecret": "admin-credentials",
+                "password": "admin",
+                "enabled": true,
+                "emailVerified": false,
+                "firstName": "",
+                "lastName": "",
+                "email": "",
+                "realmRoles": [
+                    "offline_access",
+                    "uma_authorization"
+                ],
+                "clientRoles": {
+                    "account": [
+                        "manage-account",
+                        "view-profile"
+                    ],
+                    "realm-management": [
+                        "manage-users"
+                    ]
+                }
+            },
+            {
+                "username": "test",
+                "outputSecret": "test-credentials",
+                "enabled": true,
+                "realmRoles": [
+                    "offline_access",
+                    "uma_authorization"
+                ],
+                "clientRoles": {
+                    "account": [
+                        "manage-account",
+                        "view-profile"
+                    ]
+                }
+
+            }
+        ],
+        "clients": [
+            {
+                "name": "mobile",
+                "clientId": "mobile-test",
+                "publicClient": true,
+                "outputSecret": "mobile-client",
+                "webOrigins": [
+                    "http://localhost:8100",
+                    "*"
+                ],
+                "redirectUris": [
+                    "http://localhost:*"
+                ],
+                "standardFlowEnabled": true,
+                "enabled": true
+            },
+            {
+                "name": "server",
+                "outputSecret": "server-client",
+                "clientId": "server-test",
+                "bearerOnly": true,
+                "baseURL": "https://keycloak.com",
+                "standardFlowEnabled": true,
+                "enabled": true
+            }
+        ],
+        "identityProviders": [
+            {
+                "alias": "openshift-v4",
+                "providerId": "openshift-v4",
+                "enabled": true,
+                "trustEmail": false,
+                "storeToken": true,
+                "addReadTokenRoleOnCreate": true,
+                "firstBrokerLoginFlowAlias": "first broker login",
+                "config": {
+                    "baseUrl": "https://openshift.default.svc.cluster.local",
+                    "clientId": "keycloak-openshift-auth-client",
+                    "clientSecret": "from_oauthClient_OpenShift4_IDP",
+                    "useJwksUrl": "true",
+                    "disableUserInfo": "",
+                    "hideOnLoginPage": "",
+                    "defaultScope": "user:full"
+                }
+            }
+        ]
+    }
+  }
diff --git a/deploy/examples/oauthClient_OpenShift4_IDP.json b/deploy/examples/oauthClient_OpenShift4_IDP.json
@@ -0,0 +1,12 @@
+{
+    "apiVersion": "oauth.openshift.io/v1",
+    "grantMethod": "auto",
+    "kind": "OAuthClient",
+    "metadata": {
+        "name": "keycloak-openshift-auth-client"
+    },
+    "redirectURIs": [
+        "https://{KEYCLOAK-ROUTE-CHANGE-ME}/auth/realms/openshift/broker/openshift-v4/endpoint"
+    ],
+    "secret": "from_oauthClient_OpenShift4_IDP"
+}
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: keycloak-operator
-          image: quay.io/integreatly/keycloak-operator:v1.7.3
+          image: quay.io/integreatly/keycloak-operator:v1.7.4
           ports:
           - containerPort: 60000
             name: metrics

diff --git a/deploy/test-pod.yaml b/deploy/test-pod.yaml
@@ -6,7 +6,7 @@ spec:
   restartPolicy: Never
   containers:
   - name: keycloak-operator-test
-    image: quay.io/integreatly/keycloak-operator:v1.7.3
+    image: quay.io/integreatly/keycloak-operator:v1.7.4
     imagePullPolicy: Always
     command: ["/go-test.sh"]
     env:

diff --git a/pkg/apis/aerogear/v1alpha1/types.go b/pkg/apis/aerogear/v1alpha1/types.go
@@ -75,6 +75,8 @@ type KeycloakRealm struct {
 
 type KeycloakRealmSpec struct {
 	CreateOnly bool `json:"createOnly,omitempty"`
+	// Alias of the Identity Provider that will be used to setup "Identity Provider Redirector" for browser based authentication
+	BrowserRedirectorIdentityProvider string `json:"browserRedirectorIdentityProvider,omitempty"`
 	*KeycloakApiRealm
 }
 
@@ -171,6 +173,27 @@ type KeycloakProtocolMapper struct {
 	Config          map[string]string `json:"config"`
 }
 
+type AuthenticationExecutionInfo struct {
+	Alias                string   `json:"alias,omitempty"`
+	AuthenticationConfig string   `json:"authenticationConfig,omitempty"`
+	AuthenticationFlow   bool     `json:"authenticationFlow,omitempty"`
+	Configurable         bool     `json:"configurable,omitempty"`
+	DisplayName          string   `json:"displayName,omitempty"`
+	FlowID               string   `json:"flowId,omitempty"`
+	ID                   string   `json:"id,omitempty"`
+	Index                int32    `json:"index,omitempty"`
+	Level                int32    `json:"level,omitempty"`
+	ProviderID           string   `json:"providerId,omitempty"`
+	Requirement          string   `json:"requirement,omitempty"`
+	RequirementChoices   []string `json:"requirementChoices,omitempty"`
+}
+
+type AuthenticatorConfig struct {
+	Alias  string            `json:"alias,omitempty"`
+	Config map[string]string `json:"config,omitempty"`
+	ID     string            `json:"id,omitempty"`
+}
+
 type KeycloakClient struct {
 	*KeycloakApiClient
 	OutputSecret *string `json:"outputSecret, omitempty"`

diff --git a/pkg/apis/aerogear/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/aerogear/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/keycloak/client.go b/pkg/keycloak/client.go
@@ -99,6 +99,10 @@ func (c *Client) CreateUserClientRole(role *v1alpha1.KeycloakUserClientRole, rea
 	)
 }
 
+func (c *Client) CreateAuthenticatorConfig(authenticatorConfig *v1alpha1.AuthenticatorConfig, realmName, executionID string) error {
+	return c.create(authenticatorConfig, fmt.Sprintf("realms/%s/authentication/executions/%s/config", realmName, executionID), "AuthenticatorConfig")
+}
+
 func (c *Client) DeleteUserClientRole(role *v1alpha1.KeycloakUserClientRole, realmName, clientID, userId string) error {
 	err := c.delete(
 		fmt.Sprintf("realms/%s/users/%s/role-mappings/clients/%s", realmName, userId, clientID),
@@ -285,6 +289,15 @@ func (c *Client) GetIdentityProvider(alias string, realmName string) (*v1alpha1.
 	return result.(*v1alpha1.KeycloakIdentityProvider), err
 }
 
+func (c *Client) GetAuthenticatorConfig(configID, realmName string) (*v1alpha1.AuthenticatorConfig, error) {
+	result, err := c.get(fmt.Sprintf("realms/%s/authentication/config/%s", realmName, configID), "AuthenticatorConfig", func(body []byte) (T, error) {
+		authenticatorConfig := &v1alpha1.AuthenticatorConfig{}
+		err := json.Unmarshal(body, authenticatorConfig)
+		return authenticatorConfig, err
+	})
+	return result.(*v1alpha1.AuthenticatorConfig), err
+}
+
 // Generic put function for updating Keycloak resources
 func (c *Client) update(obj T, resourcePath, resourceName string) error {
 	jsonValue, err := json.Marshal(obj)
@@ -334,6 +347,10 @@ func (c *Client) UpdateIdentityProvider(specIdentityProvider *v1alpha1.KeycloakI
 	return c.update(specIdentityProvider, fmt.Sprintf("realms/%s/identity-provider/instances/%s", realmName, specIdentityProvider.Alias), "identity provider")
 }
 
+func (c *Client) UpdateAuthenticatorConfig(authenticatorConfig *v1alpha1.AuthenticatorConfig, realmName string) error {
+	return c.update(authenticatorConfig, fmt.Sprintf("realms/%s/authentication/config/%s", realmName, authenticatorConfig.ID), "AuthenticatorConfig")
+}
+
 // Generic delete function for deleting Keycloak resources
 func (c *Client) delete(resourcePath, resourceName string, obj T) error {
 	req, err := http.NewRequest(
@@ -394,6 +411,11 @@ func (c *Client) DeleteIdentityProvider(alias string, realmName string) error {
 	return err
 }
 
+func (c *Client) DeleteAuthenticatorConfig(configID, realmName string) error {
+	err := c.delete(fmt.Sprintf("realms/%s/authentication/config/%s", realmName, configID), "AuthenticatorConfig", nil)
+	return err
+}
+
 // Generic list function for listing Keycloak resources
 func (c *Client) list(resourcePath, resourceName string, unMarshalListFunc func(body []byte) (T, error)) (T, error) {
 	req, err := http.NewRequest(
@@ -514,6 +536,18 @@ func (c *Client) ListAvailableUserClientRoles(realmName, clientID, userID string
 	return objects.([]*v1alpha1.KeycloakUserClientRole), err
 }
 
+func (c *Client) ListAuthenticationExecutionsForFlow(flowAlias, realmName string) ([]*v1alpha1.AuthenticationExecutionInfo, error) {
+	result, err := c.list(fmt.Sprintf("realms/%s/authentication/flows/%s/executions", realmName, flowAlias), "AuthenticationExecution", func(body []byte) (T, error) {
+		var authenticationExecutions []*v1alpha1.AuthenticationExecutionInfo
+		err := json.Unmarshal(body, &authenticationExecutions)
+		return authenticationExecutions, err
+	})
+	if err != nil {
+		return nil, err
+	}
+	return result.([]*v1alpha1.AuthenticationExecutionInfo), err
+}
+
 func (c *Client) Ping() error {
 	u := c.URL + "/auth/"
 	req, err := http.NewRequest("GET", u, nil)
@@ -630,6 +664,13 @@ type KeycloakInterface interface {
 	ListUserClientRoles(realmName, clientID, userID string) ([]*v1alpha1.KeycloakUserClientRole, error)
 	ListAvailableUserClientRoles(realmName, clientID, userID string) ([]*v1alpha1.KeycloakUserClientRole, error)
 	DeleteUserClientRole(role *v1alpha1.KeycloakUserClientRole, realmName, clientID, userID string) error
+
+	ListAuthenticationExecutionsForFlow(flowAlias, realmName string) ([]*v1alpha1.AuthenticationExecutionInfo, error)
+
+	CreateAuthenticatorConfig(authenticatorConfig *v1alpha1.AuthenticatorConfig, realmName, executionID string) error
+	GetAuthenticatorConfig(configID, realmName string) (*v1alpha1.AuthenticatorConfig, error)
+	UpdateAuthenticatorConfig(authenticatorConfig *v1alpha1.AuthenticatorConfig, realmName string) error
+	DeleteAuthenticatorConfig(configID, realmName string) error
 }
 
 //go:generate moq -out keycloakClientFactory_moq.go . KeycloakClientFactory