Merge pull request #3813 from uselagoon/lagoon-cli-client

feat: add lagoon-cli keycloak client
uselagoon · Oct 14, 2024 · 55cb752 · 55cb752
2 parents f4f39e2 + 1a6e557
commit 55cb752
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 0 deletions.
diff --git a/services/keycloak/lagoon-realm-base-import.json b/services/keycloak/lagoon-realm-base-import.json
@@ -424,6 +424,7 @@
         }
       ],
       "lagoon-ui": [],
+      "lagoon-cli": [],
       "service-api": []
     }
   },
@@ -3195,6 +3196,61 @@
         "microprofile-jwt"
       ]
     },
+    {
+      "clientId": "lagoon-cli",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "redirectUris": [
+        "http://127.0.0.1"
+      ],
+      "webOrigins": [
+        "*"
+      ],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": -1,
+      "protocolMappers": [
+        {
+          "name": "Lagoon User ID",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "lagoon-uid",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "lagoon.user_id",
+            "jsonType.label": "int"
+          }
+        }
+      ],
+      "defaultClientScopes": [
+        "web-origins",
+        "roles",
+        "profile",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "address",
+        "phone",
+        "offline_access",
+        "microprofile-jwt"
+      ]
+    },
     {
       "clientId": "realm-management",
       "name": "${client_realm-management}",

diff --git a/services/keycloak/startup-scripts/00-configure-lagoon.sh b/services/keycloak/startup-scripts/00-configure-lagoon.sh
@@ -643,6 +643,20 @@ function service-api_add_view-users_permission {
 	fi
 }
 
+function add_lagoon-cli_client {
+    local lagoon_cli_client=$( /opt/keycloak/bin/kcadm.sh get -r lagoon clients?clientId=lagoon-cli --config $CONFIG_PATH | jq -r '.[0]["id"] // false')
+    if [ "$lagoon_cli_client" != "false" ]; then
+        echo "lagoon-cli already exists"
+        return 0
+    fi
+
+    echo Creating client lagoon-cli
+    echo '{"clientId": "lagoon-cli", "publicClient": true, "webOrigins": ["*"], "redirectUris": ["http://127.0.0.1"]}' | /opt/keycloak/bin/kcadm.sh create clients --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -f -
+    echo Creating mapper for lagoon-cli "lagoon-uid"
+    CLIENT_ID=$(/opt/keycloak/bin/kcadm.sh get  -r lagoon clients?clientId=lagoon-cli --config $CONFIG_PATH | jq -r '.[0]["id"]')
+    echo '{"protocol":"openid-connect","config":{"id.token.claim":"true","access.token.claim":"true","userinfo.token.claim":"true","user.attribute":"lagoon-uid","claim.name":"lagoon.user_id","jsonType.label":"int","multivalued":""},"name":"Lagoon User ID","protocolMapper":"oidc-usermodel-attribute-mapper"}' | /opt/keycloak/bin/kcadm.sh create -r ${KEYCLOAK_REALM:-master} clients/$CLIENT_ID/protocol-mappers/models --config $CONFIG_PATH -f -
+}
+
 ##################
 # Initialization #
 ##################
@@ -677,6 +691,7 @@ function configure_keycloak {
     remove_deleteall_permissions_scopes
     add_update_platform_viewer_permissions
     service-api_add_view-users_permission
+    add_lagoon-cli_client
 
     # always run last
     sync_client_secrets