Revert keycloak mess

galaxy_ng/app/dynaconf_hooks.py

@@ -94,23 +94,11 @@ def configure_keycloak(settings: Dynaconf) -> Dict[str, Any]:
  SOCIAL_AUTH_KEYCLOAK_KEY = settings.get("SOCIAL_AUTH_KEYCLOAK_KEY", default=None)
  SOCIAL_AUTH_KEYCLOAK_SECRET = settings.get("SOCIAL_AUTH_KEYCLOAK_SECRET", default=None)
  SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = settings.get("SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY", default=None)
- KEYCLOAK_PROTOCOL = settings.get("KEYCLOAK_PROTOCOL", default="https")
+ KEYCLOAK_PROTOCOL = settings.get("KEYCLOAK_PROTOCOL", default=None)
  KEYCLOAK_HOST = settings.get("KEYCLOAK_HOST", default=None)
  KEYCLOAK_PORT = settings.get("KEYCLOAK_PORT", default=None)
  KEYCLOAK_REALM = settings.get("KEYCLOAK_REALM", default=None)
 
- # https://www.keycloak.org/server/all-config
- # In prior versions of keycloak, the auth and token url paths began
- # with /auth. In newer versions, that substring no longer exists.
- # There is a setting which can re-add that substring to make
- # a newer system operate similar to the old.
- KEYCLOAK_KC_HTTP_RELATIVE_PATH = settings.get("KEYCLOAK_KC_HTTP_RELATIVE_PATH", default="")
-
- SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = \
- settings.get("SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL", default=None)
- SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = \
- settings.get("SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL", default=None)
-
  # Add settings if Social Auth values are provided
  if all(
  [
@@ -134,39 +122,21 @@ def configure_keycloak(settings: Dynaconf) -> Dict[str, Any]:
  )
  data["KEYCLOAK_HOST_LOOPBACK"] = settings.get("KEYCLOAK_HOST_LOOPBACK", default=None)
  data["KEYCLOAK_URL"] = f"{KEYCLOAK_PROTOCOL}://{KEYCLOAK_HOST}:{KEYCLOAK_PORT}"
-
- auth_url_str = "{keycloak}{prefix}/realms/{realm}/protocol/openid-connect/auth/"
-
- if SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL is not None:
- data["SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL"] = SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL
- else:
+ auth_url_str = "{keycloak}/auth/realms/{realm}/protocol/openid-connect/auth/"
+ data["SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL"] = auth_url_str.format(
+ keycloak=data["KEYCLOAK_URL"], realm=KEYCLOAK_REALM
+ )
+ if data["KEYCLOAK_HOST_LOOPBACK"]:
+ loopback_url = "{protocol}://{host}:{port}".format(
+ protocol=KEYCLOAK_PROTOCOL, host=data["KEYCLOAK_HOST_LOOPBACK"], port=KEYCLOAK_PORT
+ )
  data["SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL"] = auth_url_str.format(
- keycloak=data["KEYCLOAK_URL"],
- realm=KEYCLOAK_REALM,
- prefix=KEYCLOAK_KC_HTTP_RELATIVE_PATH
+ keycloak=loopback_url, realm=KEYCLOAK_REALM
  )
 
- if data["KEYCLOAK_HOST_LOOPBACK"]:
- loopback_url = "{protocol}://{host}:{port}".format(
- protocol=KEYCLOAK_PROTOCOL,
- host=data["KEYCLOAK_HOST_LOOPBACK"],
- port=KEYCLOAK_PORT
- )
- data["SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL"] = auth_url_str.format(
- keycloak=loopback_url,
- realm=KEYCLOAK_REALM,
- prefix=KEYCLOAK_KC_HTTP_RELATIVE_PATH
- )
-
- if SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL is not None:
- data['SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL'] = SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL
- else:
- data[
- "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL"
- ] = (
- f"{data['KEYCLOAK_URL']}{KEYCLOAK_KC_HTTP_RELATIVE_PATH}/realms/"
- f"{KEYCLOAK_REALM}/protocol/openid-connect/token/"
- )
+ data[
+ "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL"
+ ] = f"{data['KEYCLOAK_URL']}/auth/realms/{KEYCLOAK_REALM}/protocol/openid-connect/token/"
 
  data["SOCIAL_AUTH_LOGIN_REDIRECT_URL"] = settings.get(
  "SOCIAL_AUTH_LOGIN_REDIRECT_URL", default="/ui/"

galaxy_ng/tests/unit/app/test_dynaconf_hooks.py

@@ -2,7 +2,6 @@
 import pytest
 
 from galaxy_ng.app.dynaconf_hooks import post as post_hook
-from galaxy_ng.app.dynaconf_hooks import configure_keycloak
 
 
 class SuperDict(dict):
@@ -70,16 +69,6 @@ def validate(*args, **kwargs):
  "validators": SuperValidator(),
 }
 
-BASE_KEYCLOAK_SETTINGS = {
- "BASE_DIR": "templates",
- "SOCIAL_AUTH_KEYCLOAK_KEY": "key123",
- "SOCIAL_AUTH_KEYCLOAK_SECRET": "secret123",
- "SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY": "pubkey123",
- "KEYCLOAK_HOST": "mykeycloak",
- "KEYCLOAK_PORT": 1337,
- "KEYCLOAK_REALM": "aap",
-}
-
 
 @pytest.mark.parametrize(
  "do_stuff, extra_settings, expected_results",
@@ -320,7 +309,9 @@ def validate(*args, **kwargs):
  ],
 )
 def test_dynaconf_hooks_authentication_backends_and_classes(
- do_stuff, extra_settings, expected_results
+ do_stuff,
+ extra_settings,
+ expected_results
 ):
 
  # skip test this way ...
@@ -346,78 +337,3 @@ def test_dynaconf_hooks_authentication_backends_and_classes(
  print(e)
  """
  assert new_settings.get(key) == val
-
-
-@pytest.mark.parametrize(
- "do_stuff, extra_settings, expected_results",
- [
- (
- True,
- {},
- {
- "INSTALLED_APPS": ["social_django", "dynaconf_merge_unique"],
- "KEYCLOAK_URL": "https://mykeycloak:1337",
- "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL":
- "https://mykeycloak:1337/realms/aap/protocol/openid-connect/auth/",
- "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL":
- "https://mykeycloak:1337/realms/aap/protocol/openid-connect/token/",
- "GALAXY_AUTH_KEYCLOAK_ENABLED": True,
- "GALAXY_FEATURE_FLAGS__external_authentication": True,
- "GALAXY_TOKEN_EXPIRATION": 1440,
- },
- ),
- (
- True,
- {
- "KEYCLOAK_KC_HTTP_RELATIVE_PATH": "/auth",
- "KEYCLOAK_PROTOCOL": "http",
- "GALAXY_TOKEN_EXPIRATION": 0,
- },
- {
- "INSTALLED_APPS": ["social_django", "dynaconf_merge_unique"],
- "KEYCLOAK_URL": "http://mykeycloak:1337",
- "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL":
- "http://mykeycloak:1337/auth/realms/aap/protocol/openid-connect/auth/",
- "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL":
- "http://mykeycloak:1337/auth/realms/aap/protocol/openid-connect/token/",
- "GALAXY_AUTH_KEYCLOAK_ENABLED": True,
- "GALAXY_FEATURE_FLAGS__external_authentication": True,
- "GALAXY_TOKEN_EXPIRATION": 0,
- },
- ),
- (
- True,
- {
- "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL":
- "httpZ://mykeycloAk:1339/auth__/realms/aap/protocol/openid-connect/auth/",
- "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL":
- "httpZ://mykeycloAk:1339/auth__/realms/aap/protocol/openid-connect/token/",
- },
- {
- "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL":
- "httpZ://mykeycloAk:1339/auth__/realms/aap/protocol/openid-connect/auth/",
- "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL":
- "httpZ://mykeycloAk:1339/auth__/realms/aap/protocol/openid-connect/token/",
- },
- ),
-
- ],
-)
-def test_dynaconf_hook_configure_keycloak(do_stuff, extra_settings, expected_results):
- # skip test this way ...
- if not do_stuff:
- return
-
- xsettings = SuperDict()
- xsettings.update(copy.deepcopy(BASE_KEYCLOAK_SETTINGS))
- if extra_settings:
- xsettings.update(copy.deepcopy(extra_settings))
-
- # don't allow the downstream to edit this data ...
- xsettings.immutable = True
-
- # run the function and get the result ...
- new_settings = configure_keycloak(xsettings)
-
- for key, val in expected_results.items():
- assert new_settings.get(key) == val

profiles/keycloak/compose.yaml

@@ -12,25 +12,21 @@ services:
  # - "UI_EXTERNAL_LOGIN_URI={API_PROTOCOL}://{API_HOST}:{API_PORT}/login"
 
  keycloak:
- #image: quay.io/keycloak/keycloak:legacy
- image: quay.io/keycloak/keycloak:latest
+ image: quay.io/keycloak/keycloak:legacy
  environment:
  - DB_VENDOR=POSTGRES
  - DB_ADDR=kc-postgres
  - DB_DATABASE=keycloak
  - DB_USER=keycloak
  - DB_SCHEMA=public
  - DB_PASSWORD=keycloak
- - KEYCLOAK_ADMIN=admin
- - KEYCLOAK_ADMIN_PASSWORD=admin
  - KEYCLOAK_USER=admin
  - KEYCLOAK_PASSWORD=admin
  ports:
  - 8080:8080
  depends_on:
  - kc-postgres
  - ldap
- command: ['start-dev']
 
  kc-postgres:
  image: "postgres:12"

profiles/keycloak/keycloak-playbook.yaml

@@ -17,9 +17,7 @@
  - name: Create or update AAP Keycloak realm
  community.general.keycloak_realm:
  auth_client_id: admin-cli
- #auth_keycloak_url: http://keycloak:8080/auth
- auth_keycloak_url: http://keycloak:8080
- #auth_keycloak_url: http://localhost:8080
+ auth_keycloak_url: http://keycloak:8080/auth
  auth_realm: master
  auth_username: admin
  auth_password: admin
@@ -33,8 +31,7 @@
  - name: Create or update a Keycloak client
  community.general.keycloak_client:
  auth_client_id: admin-cli
- #auth_keycloak_url: http://keycloak:8080/auth
- auth_keycloak_url: http://keycloak:8080
+ auth_keycloak_url: http://keycloak:8080/auth
  auth_realm: master
  auth_username: admin
  auth_password: admin
@@ -161,8 +158,7 @@
 
  - name: Create Token for service Keycloak
  uri:
- #url: "http://keycloak:8080/auth/realms/master/protocol/openid-connect/token"
- url: "http://keycloak:8080/realms/master/protocol/openid-connect/token"
+ url: "http://keycloak:8080/auth/realms/master/protocol/openid-connect/token"
  method: POST
  body_format: form-urlencoded
  body:
@@ -240,8 +236,7 @@
 
  - name: Create LDAP configuration
  uri:
- #url: "http://keycloak:8080/auth/admin/realms/aap/components"
- url: "http://keycloak:8080/admin/realms/aap/components"
+ url: "http://keycloak:8080/auth/admin/realms/aap/components"
  method: POST
  body_format: json
  body: "{{ ldap_config | to_json }}"
@@ -256,8 +251,7 @@
 
  - name: Get components
  uri:
- #url: "http://keycloak:8080/auth/admin/realms/aap/components?parent=aap&type=org.keycloak.storage.UserStorageProvider"
- url: "http://keycloak:8080/admin/realms/aap/components?parent=aap&type=org.keycloak.storage.UserStorageProvider"
+ url: "http://keycloak:8080/auth/admin/realms/aap/components?parent=aap&type=org.keycloak.storage.UserStorageProvider"
  method: GET
  status_code:
  - 200
@@ -308,8 +302,7 @@
 
  - name: Create LDAP group mapping
  uri:
- #url: "http://keycloak:8080/auth/admin/realms/aap/components"
- url: "http://keycloak:8080/admin/realms/aap/components"
+ url: "http://keycloak:8080/auth/admin/realms/aap/components"
  method: POST
  body_format: json
  body: "{{ ldap_group_mapper | to_json }}"
@@ -324,8 +317,7 @@
 
  - name: Get group mapper identifier
  uri:
- #url: "http://keycloak:8080/auth/admin/realms/aap/components?parent={{ ldap_id }}&type=org.keycloak.storage.ldap.mappers.LDAPStorageMapper&name=group"
- url: "http://keycloak:8080/admin/realms/aap/components?parent={{ ldap_id }}&type=org.keycloak.storage.ldap.mappers.LDAPStorageMapper&name=group"
+ url: "http://keycloak:8080/auth/admin/realms/aap/components?parent={{ ldap_id }}&type=org.keycloak.storage.ldap.mappers.LDAPStorageMapper&name=group"
  method: GET
  status_code:
  - 200
@@ -341,8 +333,7 @@
 
  - name: Sync LDAP users
  uri:
- #url: "http://keycloak:8080/auth/admin/realms/aap/user-storage/{{ ldap_id }}/sync?action=triggerFullSync"
- url: "http://keycloak:8080/admin/realms/aap/user-storage/{{ ldap_id }}/sync?action=triggerFullSync"
+ url: "http://keycloak:8080/auth/admin/realms/aap/user-storage/{{ ldap_id }}/sync?action=triggerFullSync"
  method: POST
  status_code:
  - 200
@@ -354,8 +345,7 @@
 
  - name: Sync LDAP groups
  uri:
- #url: "http://keycloak:8080/auth/admin/realms/aap/user-storage/{{ ldap_id }}/mappers/{{ keycloak_ldap_group_mapper_id }}/sync?direction=fedToKeycloak"
- url: "http://keycloak:8080/admin/realms/aap/user-storage/{{ ldap_id }}/mappers/{{ keycloak_ldap_group_mapper_id }}/sync?direction=fedToKeycloak"
+ url: "http://keycloak:8080/auth/admin/realms/aap/user-storage/{{ ldap_id }}/mappers/{{ keycloak_ldap_group_mapper_id }}/sync?direction=fedToKeycloak"
  method: POST
  status_code:
  - 200
@@ -373,8 +363,7 @@
  client_id: automation-hub
  state: present
  auth_client_id: admin-cli
- #auth_keycloak_url: http://keycloak:8080/auth
- auth_keycloak_url: http://keycloak:8080
+ auth_keycloak_url: http://keycloak:8080/auth
  auth_realm: master
  auth_username: admin
  auth_password: admin
@@ -390,17 +379,15 @@
  client_id: automation-hub
  state: present
  auth_client_id: admin-cli
- #auth_keycloak_url: http://keycloak:8080/auth
- auth_keycloak_url: http://keycloak:8080
+ auth_keycloak_url: http://keycloak:8080/auth
  auth_realm: master
  auth_username: admin
  auth_password: admin
  # loop: "{{ user_list.json}}"
 
  - name: Get realm public key
  uri:
- #url: "http://keycloak:8080/auth/realms/aap"
- url: "http://keycloak:8080/realms/aap"
+ url: "http://keycloak:8080/auth/realms/aap"
  method: GET
  status_code:
  - 200

profiles/keycloak/pulp_config.env

@@ -9,7 +9,6 @@ PULP_GALAXY_DEPLOYMENT_MODE=standalone
 PULP_SOCIAL_AUTH_KEYCLOAK_KEY=automation-hub
 PULP_SOCIAL_AUTH_KEYCLOAK_SECRET=REALLYWELLKEPTSECRET
 PULP_SOCIAL_AUTH_LOGIN_REDIRECT_URL={API_PROTOCOL}://{API_HOST}:{API_PORT}
-PULP_KEYCLOAK_AUTH_PREFIX=""
 PULP_KEYCLOAK_PROTOCOL=http
 PULP_KEYCLOAK_HOST=keycloak
 PULP_KEYCLOAK_HOST_LOOPBACK=localhost