feat: user management

.cspell.json

@@ -10,6 +10,7 @@
     "camelcase",
     "creds",
     "gitea",
+    "keycloak",
     "kubernetes",
     "oidc",
     "openid",

.vscode/launch.json

@@ -113,41 +113,17 @@
     {
       "type": "node",
       "request": "launch",
-      "name": "Debug Harbor task",
-      "runtimeExecutable": "npm",
-      "runtimeArgs": ["run-script", "tasks:harbor-dev"],
-      "cwd": "${workspaceRoot}",
-      "console": "integratedTerminal",
-      "envFile": "${workspaceFolder}/.env"
-      // "env": {
-      //   "NODE_EXTRA_CA_CERTS": "${workspaceFolder}/.env.ca"
-      // }
-    },
-    {
-      "type": "node",
-      "request": "launch",
-      "name": "Debug Keycloak task",
-      "runtimeExecutable": "npm",
-      "runtimeArgs": ["run-script", "tasks:keycloak-dev"],
-      "cwd": "${workspaceRoot}",
-      "console": "integratedTerminal",
-      "envFile": "${workspaceFolder}/.env",
-      "env": {
-        "NODE_EXTRA_CA_CERTS": "${workspaceFolder}/.env.ca"
-      }
-    },
-    {
-      "type": "node",
-      "request": "launch",
-      "name": "Debug Keycloak operator",
+      "name": "Debug keycloak operator",
       "runtimeExecutable": "npm",
       "runtimeArgs": ["run-script", "operator:keycloak-dev"],
       "cwd": "${workspaceRoot}",
       "console": "integratedTerminal",
       "envFile": "${workspaceFolder}/.env",
       "env": {
-        "NODE_EXTRA_CA_CERTS": "${workspaceFolder}/.env.ca"
-      }
+        "NODE_EXTRA_CA_CERTS": "${workspaceFolder}/.env.ca",
+        "KUBECONFIG": "/path/to/your/kubeconfig.yaml",
+      },
+      "preLaunchTask": "port-forward-keycloak"
     },
     {
       "type": "node",

.vscode/tasks.json

@@ -22,6 +22,17 @@
                 "reveal": "always",
                 "panel": "new"
             }
+        },
+        {
+            "label": "port-forward-keycloak",
+            "type": "shell",
+            "command": "export KUBECONFIG=/path/to/your/kubeconfig.yaml && kubectl -n keycloak port-forward svc/keycloak-operator 8084:80",
+            "problemMatcher": [],
+            "isBackground": true,
+            "presentation": {
+                "reveal": "always",
+                "panel": "new"
+            }
         }
     ]
 }

README.md

@@ -27,7 +27,7 @@ Then start a proxy to the api you wish to target:
 
 - gitea: `k -n gitea port-forward svc/gitea-http 8082:3000 &`
 - harbor: `k -n harbor port-forward svc/harbor-core 8083:80 &`
-- keycloak: `k -n keycloak port-forward svc/keycloak-http 8084:80 &`
+- keycloak: `k -n keycloak port-forward svc/keycloak-operator 8084:80 &`
 
 Or start them all with `bin/start-proxies.sh`
 

package.json

@@ -122,10 +122,6 @@
     "tasks:copy-certs-dev": "ts-node-dev ./src/tasks/otomi/copy-certs.ts",
     "tasks:copy-certs": "node dist/tasks/otomi/copy-certs.js",
     "tasks:copy-certs-argo": "node dist/tasks/otomi/copy-certs-argo.js",
-    "tasks:harbor-dev": "NODE_TLS_REJECT_UNAUTHORIZED=0 ts-node-dev ./src/tasks/harbor/harbor.ts",
-    "tasks:harbor": "node dist/tasks/harbor/harbor.js",
-    "tasks:keycloak-dev": "NODE_TLS_REJECT_UNAUTHORIZED=0 ts-node-dev ./src/tasks/keycloak/keycloak.ts",
-    "tasks:keycloak": "node dist/tasks/keycloak/keycloak.js",
     "tasks:keycloak-users-dev": "NODE_TLS_REJECT_UNAUTHORIZED=0 ts-node-dev ./src/tasks/keycloak/users.ts",
     "tasks:otomi-chart-dev": "NODE_TLS_REJECT_UNAUTHORIZED=0 ts-node-dev ./src/tasks/otomi/otomi-chart.ts",
     "tasks:otomi-chart": "node dist/tasks/otomi/otomi-chart.js",

src/operator/harbor.ts

@@ -257,7 +257,7 @@ async function setupHarbor() {
 
   const config: any = {
     auth_mode: 'oidc_auth',
-    oidc_admin_group: 'admin',
+    oidc_admin_group: 'platform-admin',
     oidc_client_id: 'otomi',
     oidc_client_secret: env.oidcClientSecret,
     oidc_endpoint: env.oidcEndpoint,
@@ -309,7 +309,7 @@ async function getBearerToken(): Promise<HttpBearerAuth> {
       // unauthenticated, so remove and recreate secret
       await k8sApi.deleteNamespacedSecret(systemSecretName, systemNamespace)
       // now, the next call might throw IF:
-      // - authMode oidc was already turned on and an otomi admin accidentally removed the secret
+      // - authMode oidc was already turned on and an platform admin accidentally removed the secret
       // but that is very unlikely, an unresolvable problem and needs a manual db fix
       robotSecret = await createSystemRobotSecret()
     }
@@ -366,7 +366,7 @@ async function processNamespace(namespace: string) {
     const projAdminMember: ProjectMember = {
       roleId: HarborRole.admin,
       memberGroup: {
-        groupName: 'team-admin',
+        groupName: 'all-teams-admin',
         groupType: HarborGroupType.http,
       },
     }
@@ -377,7 +377,7 @@ async function processNamespace(namespace: string) {
     )
     await doApiCall(
       errors,
-      `Associating "project-admin" role for "team-admin" with harbor project "${projectName}"`,
+      `Associating "project-admin" role for "all-teams-admin" with harbor project "${projectName}"`,
       () => memberApi.createProjectMember(projectId, undefined, undefined, projAdminMember),
     )
 

src/operator/keycloak.ts

@@ -23,7 +23,7 @@ import {
   UserRepresentation,
   UsersApi,
 } from '@linode/keycloak-client-node'
-import { forEach } from 'lodash'
+import { forEach, omit } from 'lodash'
 import { custom, Issuer, TokenSet } from 'openid-client'
 import { keycloakRealm } from '../tasks/keycloak/config'
 import {
@@ -36,9 +36,10 @@ import {
   createIdProvider,
   createLoginThemeConfig,
   createRealm,
+  createTeamUser,
   mapTeamsToRoles,
 } from '../tasks/keycloak/realm-factory'
-import { doApiCall, waitTillAvailable } from '../utils'
+import { doApiCall } from '../utils'
 import {
   cleanEnv,
   KEYCLOAK_TOKEN_OFFLINE_MAX_TTL_ENABLED,
@@ -79,8 +80,9 @@ const env = {
   IDP_OIDC_URL: '',
   IDP_CLIENT_ID: '',
   IDP_CLIENT_SECRET: '',
-  IDP_GROUP_OTOMI_ADMIN: '',
   IDP_GROUP_TEAM_ADMIN: '',
+  IDP_GROUP_ALL_TEAMS_ADMIN: '',
+  IDP_GROUP_PLATFORM_ADMIN: '',
   IDP_GROUP_MAPPINGS_TEAMS: {} || undefined,
   IDP_SUB_CLAIM_MAPPER: '',
   IDP_USERNAME_CLAIM_MAPPER: '',
@@ -96,6 +98,7 @@ const env = {
   REDIRECT_URIS: [] as string[],
   TEAM_IDS: [] as string[],
   WAIT_OPTIONS: {},
+  USERS: [],
 }
 
 const kc = new KubeConfig()
@@ -115,8 +118,8 @@ async function runKeycloakUpdater(key: string) {
       !env.IDP_OIDC_URL ||
       !env.IDP_CLIENT_ID ||
       !env.IDP_CLIENT_SECRET ||
-      !env.IDP_GROUP_OTOMI_ADMIN ||
-      !env.IDP_GROUP_TEAM_ADMIN ||
+      !env.IDP_GROUP_PLATFORM_ADMIN ||
+      !env.IDP_GROUP_ALL_TEAMS_ADMIN ||
       !env.IDP_GROUP_MAPPINGS_TEAMS ||
       !env.IDP_SUB_CLAIM_MAPPER ||
       !env.IDP_USERNAME_CLAIM_MAPPER
@@ -168,6 +171,7 @@ async function runKeycloakUpdater(key: string) {
         await keycloakConfigMapChanges().then(async () => {
           await runKeycloakUpdater('addTeam')
         })
+        await manageUsers(env.USERS)
         break
       } catch (error) {
         console.debug('Error could not update configMap', error)
@@ -206,6 +210,7 @@ export default class MyOperator extends Operator {
                 if (data!.IDP_CLIENT_ID) env.IDP_CLIENT_ID = Buffer.from(data!.IDP_CLIENT_ID, 'base64').toString()
                 if (data!.IDP_CLIENT_SECRET)
                   env.IDP_CLIENT_SECRET = Buffer.from(data!.IDP_CLIENT_SECRET, 'base64').toString()
+                env.USERS = JSON.parse(Buffer.from(data!.USERS, 'base64').toString())
                 await runKeycloakUpdater('updateConfig').then(() => {
                   console.log('Updated Config')
                 })
@@ -250,7 +255,8 @@ export default class MyOperator extends Operator {
                 if (env.FEAT_EXTERNAL_IDP === 'true') {
                   env.IDP_ALIAS = data!.IDP_ALIAS
                   env.IDP_OIDC_URL = data!.IDP_OIDC_URL
-                  env.IDP_GROUP_OTOMI_ADMIN = data!.IDP_GROUP_OTOMI_ADMIN
+                  env.IDP_GROUP_PLATFORM_ADMIN = data!.IDP_GROUP_PLATFORM_ADMIN
+                  env.IDP_GROUP_ALL_TEAMS_ADMIN = data!.IDP_GROUP_ALL_TEAMS_ADMIN
                   env.IDP_GROUP_TEAM_ADMIN = data!.IDP_GROUP_TEAM_ADMIN
                   env.IDP_GROUP_MAPPINGS_TEAMS =
                     Object.keys(data!.IDP_GROUP_MAPPINGS_TEAMS).length === 0
@@ -358,7 +364,6 @@ async function keycloakTeamDeleted() {
 }
 
 async function createKeycloakConnection(): Promise<KeycloakConnection> {
-  await waitTillAvailable(env.KEYCLOAK_HOSTNAME_URL, undefined, env.WAIT_OPTIONS)
   const keycloakAddress = env.KEYCLOAK_HOSTNAME_URL
   const basePath = `${keycloakAddress}/admin/realms`
   let token: TokenSet
@@ -446,7 +451,8 @@ async function keycloakRealmProviderConfigurer(api: KeycloakApi) {
     env.TEAM_IDS,
     env.IDP_GROUP_MAPPINGS_TEAMS,
     env.IDP_GROUP_TEAM_ADMIN,
-    env.IDP_GROUP_OTOMI_ADMIN,
+    env.IDP_GROUP_ALL_TEAMS_ADMIN,
+    env.IDP_GROUP_PLATFORM_ADMIN,
     env.KEYCLOAK_REALM,
   )
   const existingRealmRoles = ((await doApiCall(errors, `Getting all roles from realm ${keycloakRealm}`, async () =>
@@ -516,7 +522,8 @@ async function externalIDP(api: KeycloakApi) {
   const idpMappers = createIdpMappers(
     env.IDP_ALIAS,
     env.IDP_GROUP_MAPPINGS_TEAMS,
-    env.IDP_GROUP_OTOMI_ADMIN,
+    env.IDP_GROUP_PLATFORM_ADMIN,
+    env.IDP_GROUP_ALL_TEAMS_ADMIN,
     env.IDP_GROUP_TEAM_ADMIN,
     env.IDP_USERNAME_CLAIM_MAPPER,
     env.IDP_SUB_CLAIM_MAPPER,
@@ -608,7 +615,7 @@ async function internalIdp(api: KeycloakApi, connection: KeycloakConnection) {
         // set realm roles
         const roles: Array<RoleRepresentation> = []
         const existingRole = updatedExistingRealmRoles.find(
-          (el) => el.name === (groupName === 'otomi-admin' ? 'admin' : groupName),
+          (el) => el.name === (groupName === 'otomi-admin' ? 'platform-admin' : groupName),
         ) as RoleRepresentation
         roles.push(existingRole)
         await doApiCall(errors, `Creating role mapping for group ${groupName}`, async () =>
@@ -630,10 +637,10 @@ async function internalIdp(api: KeycloakApi, connection: KeycloakConnection) {
       if (!existingClientRoleMapping) {
         // let team members see other users
         const accessRoles: Array<RoleRepresentation> = [userViewerRole]
-        // both otomi-admin and team-admin role will get access to manage users
-        // so the otomi-admin can login to the 'otomi' realm just like team-admin and see the same
-        if (groupName === 'team-admin') accessRoles.push(userManagementRole)
-        if (groupName === 'otomi-admin') accessRoles.push(realmManagementRole)
+        // both platform-admin and all-teams-admin role will get access to manage users
+        // so the platform-admin can login to the 'otomi' realm just like all-teams-admin and see the same
+        if (groupName === 'all-teams-admin') accessRoles.push(userManagementRole)
+        if (groupName === 'platform-admin') accessRoles.push(realmManagementRole)
         await doApiCall(
           errors,
           `Creating access roles [${accessRoles.map((r) => r.name).join(',')}] mapping for group ${groupName}`,
@@ -655,6 +662,7 @@ async function internalIdp(api: KeycloakApi, connection: KeycloakConnection) {
     api.users.realmUsersGet(keycloakRealm, false, userConf.email),
   )) as UserRepresentation[]
   const existingUser: UserRepresentation = existingUsersByAdminEmail?.[0]
+
   try {
     if (existingUser) {
       await doApiCall(errors, `Updating user ${env.KEYCLOAK_ADMIN}`, async () =>
@@ -700,3 +708,58 @@ async function manageGroups(connection: KeycloakConnection) {
     console.error('Error in manageGroups: ', error)
   }
 }
+
+async function createUpdateUser(api: any, user: any) {
+  const { username, email, firstName, lastName, isPlatformAdmin, isTeamAdmin, teams, teamId } = user
+  const userConf = createTeamUser(username, email, firstName, lastName, isPlatformAdmin, isTeamAdmin, teams, teamId)
+  const existingUsersByUserEmail = (await doApiCall([], `Getting users`, () =>
+    api.users.realmUsersGet(keycloakRealm, false, `${email}`),
+  )) as UserRepresentation[]
+  const existingUser: UserRepresentation = existingUsersByUserEmail?.[0]
+
+  try {
+    if (existingUser) {
+      console.debug(`User with email ${email} already exists, updating user`)
+      const updatedUserConf = existingUser.requiredActions?.includes('UPDATE_PASSWORD')
+        ? userConf
+        : omit(userConf, ['credentials'])
+      await doApiCall(errors, `Updating user ${username}`, async () =>
+        api.users.realmUsersIdPut(keycloakRealm, existingUser.id as string, updatedUserConf),
+      )
+    } else {
+      await doApiCall(errors, `Creating user ${username}`, () => api.users.realmUsersPost(keycloakRealm, userConf))
+    }
+  } catch (error) {
+    console.error('Error in internalIDP: ', error)
+  }
+}
+
+async function deleteUsers(api: any, users: any[]) {
+  try {
+    const { body: keycloakUsers } = await api.users.realmUsersGet(keycloakRealm)
+    const filteredUsers = keycloakUsers.filter((user) => user.username !== 'otomi-admin')
+    const usersToDelete = filteredUsers.filter((user) => !users.some((u) => u.email === user.email))
+
+    await Promise.all(
+      usersToDelete.map(async (user) => {
+        try {
+          await api.users.realmUsersIdDelete(keycloakRealm, user.id)
+          console.debug(`Deleted user ${user.email}`)
+        } catch (error) {
+          console.error(`Error deleting user ${user.email}:`, error)
+        }
+      }),
+    )
+  } catch (error) {
+    console.error('Error fetching users from Keycloak:', error)
+  }
+}
+
+async function manageUsers(users: any[]) {
+  const connection = await createKeycloakConnection()
+  const api = setupKeycloakApi(connection)
+  // Create/Update users in realm 'otomi'
+  await Promise.all(users.map((user) => createUpdateUser(api, user)))
+  // Delete users not in users list
+  await deleteUsers(api, users)
+}

src/tasks/keycloak/config.ts

@@ -58,8 +58,8 @@ export const adminUserCfgTpl = (username: string, password: string): Record<stri
   email: '[email protected]',
   emailVerified: true,
   enabled: true,
-  realmRoles: ['admin'],
-  groups: ['otomi-admin'],
+  realmRoles: ['platformAdmin'],
+  groups: ['platform-admin'],
   credentials: [
     {
       type: 'password',
@@ -70,6 +70,39 @@ export const adminUserCfgTpl = (username: string, password: string): Record<stri
   requiredActions: [],
 })
 
+export const teamUserCfgTpl = (
+  username: string,
+  email: string,
+  firstName: string,
+  lastName: string,
+  isPlatformAdmin: boolean,
+  isTeamAdmin: boolean,
+  teams: string[],
+  teamId: string,
+): Record<string, unknown> => ({
+  username,
+  enabled: true,
+  email,
+  emailVerified: true,
+  firstName,
+  lastName,
+  realmRoles: [...(isPlatformAdmin ? ['platformAdmin'] : []), ...(isTeamAdmin ? ['teamAdmin'] : []), 'teamMember'],
+  groups: [
+    ...(isPlatformAdmin ? ['platform-admin'] : []),
+    ...(isTeamAdmin ? ['team-admin'] : []),
+    `team-${teamId}`,
+    ...(teams.length > 0 ? teams.map((team) => `team-${team}`) : []),
+  ],
+  credentials: [
+    {
+      type: 'password',
+      value: `${username}@APL`,
+      temporary: true,
+    },
+  ],
+  requiredActions: [],
+})
+
 export const realmCfgTpl = (realm: string): Record<string, unknown> => ({
   id: realm,
   realm,