Merge pull request #213 from bci-oss/feature/reconfigure-keycloak

feat: reconfigure keycloak
eclipse-tractusx · Dec 1, 2023 · 486c3a2 · 486c3a2
2 parents e1675f8 + b6ee441
commit 486c3a2
Show file tree

Hide file tree

Showing 7 changed files with 5 additions and 218 deletions.
diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml
@@ -76,7 +76,7 @@ jobs:
         run: ct lint --validate-maintainers=false --target-branch ${{ github.event.repository.default_branch }} --config charts/chart-testing-config.yaml
 
       - name: Run chart-testing (install)
-        run: ct install --charts charts/registry --config charts/chart-testing-config.yaml
+        run: ct install --charts charts/registry --config charts/chart-testing-config.yaml --helm-extra-set-args "--set registry.authentication=false"
         if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'
 
       - name: Upload test report

diff --git a/charts/registry/Chart.yaml b/charts/registry/Chart.yaml
@@ -26,7 +26,7 @@ sources:
   - https://github.com/eclipse-tractusx/sldt-digital-twin-registry
 
 type: application
-version: 0.3.28
+version: 0.3.29
 appVersion: 0.3.19
 
 dependencies:

diff --git a/charts/registry/config/default-realm-import.json b/charts/registry/config/default-realm-import.json
@@ -591,129 +591,6 @@
     "nodeReRegistrationTimeout" : 0,
     "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
     "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
-  }, {
-    "id" : "f1c5d623-0c0a-4d33-92b0-adaa9436cb04",
-    "clientId" : "default-client",
-    "name" : "",
-    "description" : "",
-    "rootUrl" : "",
-    "adminUrl" : "",
-    "baseUrl" : "",
-    "surrogateAuthRequired" : false,
-    "enabled" : true,
-    "alwaysDisplayInConsole" : false,
-    "clientAuthenticatorType" : "client-secret",
-    "secret" : "wJcfhf5uXynRcAHy5Ua9KAwM4EhsFvC1",
-    "redirectUris" : [ "http://localhost" ],
-    "webOrigins" : [ ],
-    "notBefore" : 0,
-    "bearerOnly" : false,
-    "consentRequired" : false,
-    "standardFlowEnabled" : true,
-    "implicitFlowEnabled" : true,
-    "directAccessGrantsEnabled" : true,
-    "serviceAccountsEnabled" : true,
-    "authorizationServicesEnabled" : true,
-    "publicClient" : false,
-    "frontchannelLogout" : true,
-    "protocol" : "openid-connect",
-    "attributes" : {
-      "oidc.ciba.grant.enabled" : "true",
-      "client.secret.creation.time" : "1680192891",
-      "backchannel.logout.session.required" : "true",
-      "post.logout.redirect.uris" : "+",
-      "oauth2.device.authorization.grant.enabled" : "true",
-      "display.on.consent.screen" : "false",
-      "backchannel.logout.revoke.offline.tokens" : "false"
-    },
-    "authenticationFlowBindingOverrides" : { },
-    "fullScopeAllowed" : true,
-    "nodeReRegistrationTimeout" : -1,
-    "protocolMappers" : [ {
-      "id" : "d2482667-e3c9-4cb0-871f-fd00268a0edd",
-      "name" : "Client Host",
-      "protocol" : "openid-connect",
-      "protocolMapper" : "oidc-usersessionmodel-note-mapper",
-      "consentRequired" : false,
-      "config" : {
-        "user.session.note" : "clientHost",
-        "userinfo.token.claim" : "true",
-        "id.token.claim" : "true",
-        "access.token.claim" : "true",
-        "claim.name" : "clientHost",
-        "jsonType.label" : "String"
-      }
-    }, {
-      "id" : "0a8028dc-37b8-41bd-8532-f2345ef48427",
-      "name" : "Client ID",
-      "protocol" : "openid-connect",
-      "protocolMapper" : "oidc-usersessionmodel-note-mapper",
-      "consentRequired" : false,
-      "config" : {
-        "user.session.note" : "clientId",
-        "userinfo.token.claim" : "true",
-        "id.token.claim" : "true",
-        "access.token.claim" : "true",
-        "claim.name" : "clientId",
-        "jsonType.label" : "String"
-      }
-    }, {
-      "id" : "c072cc3a-399e-44f8-8186-a330b8123976",
-      "name" : "Client IP Address",
-      "protocol" : "openid-connect",
-      "protocolMapper" : "oidc-usersessionmodel-note-mapper",
-      "consentRequired" : false,
-      "config" : {
-        "user.session.note" : "clientAddress",
-        "userinfo.token.claim" : "true",
-        "id.token.claim" : "true",
-        "access.token.claim" : "true",
-        "claim.name" : "clientAddress",
-        "jsonType.label" : "String"
-      }
-    }, {
-      "id" : "2ef856d5-53a4-4120-adb6-f8f2d41e1af1",
-      "name" : "bpn",
-      "protocol" : "openid-connect",
-      "protocolMapper" : "oidc-usermodel-attribute-mapper",
-      "consentRequired" : false,
-      "config" : {
-        "aggregate.attrs" : "false",
-        "userinfo.token.claim" : "true",
-        "multivalued" : "false",
-        "user.attribute" : "bpn",
-        "id.token.claim" : "true",
-        "access.token.claim" : "true",
-        "claim.name" : "bpn"
-      }
-    } ],
-    "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "email" ],
-    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ],
-    "authorizationSettings" : {
-      "allowRemoteResourceManagement" : true,
-      "policyEnforcementMode" : "ENFORCING",
-      "resources" : [ {
-        "name" : "Default Resource",
-        "type" : "urn:Cl4-CX-DigitalTwin:resources:default",
-        "ownerManagedAccess" : false,
-        "attributes" : { },
-        "_id" : "d6e665e8-d14b-406c-9af9-1ff54e156e1a",
-        "uris" : [ "/*" ]
-      } ],
-      "policies" : [ {
-        "id" : "6893fcc4-591e-4f40-96bc-026da34c9a47",
-        "name" : "Default Permission",
-        "description" : "A permission that applies to the default resource type",
-        "type" : "resource",
-        "logic" : "POSITIVE",
-        "decisionStrategy" : "UNANIMOUS",
-        "config" : {
-          "defaultResourceType" : "urn:Cl4-CX-DigitalTwin:resources:default"
-        }
-      } ],
-      "scopes" : [ ],
-      "decisionStrategy" : "UNANIMOUS"
-    }
   }, {
     "id" : "18f280c7-2d5a-43ae-a022-5c440b988f15",
     "clientId" : "realm-management",

diff --git a/charts/registry/templates/tests/test-connection.yaml b/charts/registry/templates/tests/test-connection.yaml
@@ -37,26 +37,11 @@ spec:
         - name: test-output
           mountPath: /tests/output
       env:
-        - name: CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              name: test-credentials
-              key: clientId
-        - name: CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: test-credentials
-              key: clientSecret
         - name: AAS_REGISTRY_API_URL
           valueFrom:
             secretKeyRef:
               name: test-credentials
               key: aasRegistryUrl
-        - name: AUTH_SERVER_TOKEN_URL
-          valueFrom:
-            secretKeyRef:
-              name: test-credentials
-              key: authServerTokenUrl
   volumes:
     - name: test-script
       configMap:

diff --git a/charts/registry/templates/tests/test-credentials.yaml b/charts/registry/templates/tests/test-credentials.yaml
@@ -23,7 +23,4 @@ metadata:
   name: test-credentials
 type: Opaque
 data:
-  clientId: {{ "default-client" | b64enc }}
-  clientSecret: {{ "wJcfhf5uXynRcAHy5Ua9KAwM4EhsFvC1" | b64enc }}
-  authServerTokenUrl: {{ "http://registry-keycloak/realms/default-realm/protocol/openid-connect/token" | b64enc }}
   aasRegistryUrl: {{ printf "http://cx-%s-registry-svc:8080" .Release.Name | b64enc }}
diff --git a/charts/registry/templates/tests/test-script-configmap.yaml b/charts/registry/templates/tests/test-script-configmap.yaml
@@ -40,88 +40,19 @@ data:
       aas_registry_api_url: "{tavern.env_vars.AAS_REGISTRY_API_URL}"
       decoded_shell_id: 20062250-6b6e-4eba-bf90-7720ddc855e9
       encoded_shell_id: MjAwNjIyNTAtNmI2ZS00ZWJhLWJmOTAtNzcyMGRkYzg1NWU5
-  stage_auth.yaml: |
-    ---
-    name: Authentication stage
-    description:
-      Reusable test stage for authentication
-
-    variables:
-      auth:
-        client_id: "{tavern.env_vars.CLIENT_ID}"
-        client_secret: "{tavern.env_vars.CLIENT_SECRET}"
-        auth_server_token_url: "{tavern.env_vars.AUTH_SERVER_TOKEN_URL}"
-
-    stages:
-      - id: request_auth_token
-        name: Request token
-        request:
-          url: "{auth.auth_server_token_url:s}"
-          headers:
-            Accept: "*/*"
-            Content-Type: "application/x-www-form-urlencoded"
-          data:
-            grant_type: "client_credentials"
-            client_id: "{auth.client_id:s}"
-            client_secret: "{auth.client_secret:s}"
-          method: POST
-        response:
-          status_code: 200
-          headers:
-            content-type: application/json
-          save:
-            json:
-              access_token: access_token
   test_api.tavern.yaml: |
-    ---
-    test_name: Test APIs are protected with authentication
-
-    includes:
-      - !include common.yaml
-      - !include stage_auth.yaml
-
-    stages:
-      - name: Test get shell descriptors without access token
-        request:
-          url: "{aas_registry_api_url:s}/api/v3.0/shell-descriptors"
-          method: GET
-        response:
-          status_code: 401
-
-      - type: ref
-        id: request_auth_token
-
-      - name: Authenticated request
-        request:
-          url: "{aas_registry_api_url:s}/api/v3.0/shell-descriptors"
-          method: GET
-          headers:
-            Content-Type: application/json
-            Authorization: "Bearer {access_token}"
-            Edc-Bpn: "default-tenant"
-        response:
-          status_code: 200
-          headers:
-            content-type: application/json
-
-    ---
     test_name: Test create, read, update and delete of a shell descriptor
 
     includes:
       - !include common.yaml
-      - !include stage_auth.yaml
 
     stages:
-      - type: ref
-        id: request_auth_token
-
       - name: Create shell descriptor expect success
         request:
           url: "{aas_registry_api_url:s}/api/v3.0/shell-descriptors"
           method: POST
           headers:
             Content-Type: application/json
-            Authorization: "Bearer {access_token}"
             Edc-Bpn: "default-tenant"
           json: 
             id: "{decoded_shell_id:s}"
@@ -137,7 +68,6 @@ data:
           method: GET
           headers:
             Content-Type: application/json
-            Authorization: "Bearer {access_token}"
             Edc-Bpn: "default-tenant"
         response:
           status_code: 200
@@ -157,7 +87,6 @@ data:
           method: PUT
           headers:
             Content-Type: application/json
-            Authorization: "Bearer {access_token}"
             Edc-Bpn: "default-tenant"
           json: 
             id: "{decoded_shell_id:s}"
@@ -171,7 +100,6 @@ data:
           method: DELETE
           headers:
             Content-Type: application/json
-            Authorization: "Bearer {access_token}"
             Edc-Bpn: "default-tenant"
         response:
           status_code: 204
diff --git a/charts/registry/values.yaml b/charts/registry/values.yaml
@@ -23,7 +23,7 @@
 enablePostgres: true
 # enables the default keycloak identity provider
 # relies on a postgres instance
-enableKeycloak: true
+enableKeycloak: false
 
 registry:
   image:
@@ -104,8 +104,8 @@ keycloak:
     # database: default-database
     existingSecret: keycloak-database-credentials
   auth:
-    adminUser: admin
-    adminPassword: "admin"
+    adminUser:
+    adminPassword:
   service:
     type: ClusterIP
   extraVolumes: