Generated keycloat client secret #4191

Author: lorriborri

sechub-developertools/README.adoc

@@ -24,7 +24,7 @@ Look into
 for an example how you can simply implement a feature.
 ====
 
-===== Build
+==== Build
 Inside sechub root folder execute:
 
 [source, bash]
@@ -36,7 +36,7 @@ This will build
 `/sechub-developertools/build/libs/sechub-developertools-0.0.0.jar`
 
 
-===== Start
+==== Start
 [source, bash]
 ----
 export SECHUB_ADMIN_APITOKEN=int-test_superadmin-pwd
@@ -48,3 +48,25 @@ export SECHUB_ADMIN_SERVER_PORT=8443
 java -jar ./sechub-developertools/build/libs/sechub-developertools-0.0.0.jar
 ----
 
+=== Local Keycloak Server (as docker container)
+
+LocalTestKeycloakStarter is a simple keycloak server starter for local development. (starting docker)
+It is not intended to be used in production!
+
+==== Start
+
+Keycloak is by default started on http://localhost:8080.
+If you do not set a port, admin and an admin password, the values are generated randomly and can be taken from the /build/tmp/keycloak_container_<port>.info file.
+This will generate a keycloak oauth properties file for your local sechub server. Add -Dspring.profiles.active=local to your spring properties to use the generated properties file.
+
+[source, bash]
+----
+./gradlew runLocalTestKeycloakStarter
+----
+
+==== Stop
+
+[source, bash]
+----
+./gradlew stopLocalTestKeycloakStarter
+----

sechub-developertools/build.gradle

@@ -26,6 +26,7 @@ dependencies {
 }
 
 task importEclipseProjectsNeedingOpenApiFile(type: Exec){
+
     workingDir "$rootDir"
     commandLine './gradlew', ':sechub-systemtest:cleanEclipse',':sechub-systemtest:eclipse', ':sechub-api-java:cleanEclipse',':sechub-api-java:eclipse', ':sechub-pds-tools:cleanEclipse',':sechub-pds-tools:eclipse',':sechub-examples:example-sechub-api-java:cleanEclipse',':sechub-examples:example-sechub-api-java:eclipse','-Dsechub.build.stage=all'
 }
@@ -44,4 +45,27 @@ if (!secHubBuildStage.providesGeneratedOpenApiFile()){
     tasks.eclipse.dependsOn(importEclipseProjectsNeedingOpenApiFile)
 }
 
+tasks.register('runLocalTestKeycloakStarter', JavaExec) {
+    group = "Keycloak"
+    description = "Run LocalTestKeycloakStarter with optional arguments (use -PkeycloakArgs=\"8081 myadmin mypass\")"
+    classpath = sourceSets.main.runtimeClasspath
+    mainClass = 'com.mercedesbenz.sechub.developertools.container.keycloak.LocalTestKeycloakStarter'
+    if (project.hasProperty('keycloakArgs')) {
+        args project.property('keycloakArgs').split("\\s+")
+    }
+}
 
+tasks.register('stopLocalTestKeycloakStarter', Delete) {
+    group = "Keycloak"
+    description = "delete the .info file to stop the running keycloak instance (use -PkeycloakPort=8081)"
+    def port = project.hasProperty('keycloakPort') ? project.property('keycloakPort') : '8080'
+    def infoFile = file("$rootDir/sechub-developertools/build/tmp/keycloak_container_${port}.info")
+    doFirst {
+        if (infoFile.exists()) {
+            println "Stopping Keycloak by deleting info file: ${infoFile.absolutePath}"
+            infoFile.delete()
+        } else {
+            println "No Keycloak instance is running on port ${port}, nothing to stop."
+        }
+    }
+}

sechub-developertools/scripts/container/keycloak/application-local-test-keycloak-template.yaml

@@ -0,0 +1,31 @@
+sechub:
+  security:
+    server:
+      modes: oauth2, classic
+      oauth2:
+        mode: opaque-token
+        opaque-token:
+          introspection-uri: http://localhost:8080/realms/web-ui-server-local/protocol/openid-connect/token/introspect
+          client-id: web-ui-server-local
+          client-secret: n8Ka5Wnkl
+          max-cache-duration: 300s
+    login:
+      enabled: true
+      login-page: /login
+      redirect-uri: http://localhost:3000
+      modes: oauth2, classic
+      oauth2:
+        client-id: web-ui-server-local
+        client-secret: ${SECHUB_SECURITY_SERVER_OAUTH2_CLIENT_SECRET}
+        provider: keycloak
+        redirect-uri: https://localhost:8443/login/oauth2/code/keycloak
+        issuer-uri: http://localhost:8080/realms/web-ui-server-local
+        authorization-uri: http://localhost:8080/realms/web-ui-server-local/protocol/openid-connect/auth
+        token-uri: http://localhost:8080/realms/web-ui-server-local/protocol/openid-connect/token
+        user-info-uri: http://localhost:8080/realms/web-ui-server-local/protocol/openid-connect/userinfo
+        jwk-set-uri: http://localhost:8080/realms/web-ui-server-local/protocol/openid-connect/certs
+      classic:
+        cookie-age-seconds: 3600
+    encryption:
+      secret-key: aB3xYz8KpL9mQw2VcT1sNj7FuW4vEp0Z
+    minimumTokenValidity: 24h

sechub-developertools/scripts/container/keycloak/sechub-int-keycloak-realm.json

@@ -809,7 +809,7 @@
       "enabled": true,
       "alwaysDisplayInConsole": false,
       "clientAuthenticatorType": "client-secret",
-      "secret": "**********",
+      "secret": "${SECHUB_SECURITY_SERVER_OAUTH2_CLIENT_SECRET}",
       "redirectUris": [
         "*"
       ],

sechub-developertools/scripts/container/keycloak/start.sh

@@ -10,11 +10,13 @@ function usage() {
 # setting default values for keycloak admin user and password
 export KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN:-admin}
 export KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-admin}
+export SECHUB_SECURITY_SERVER_OAUTH2_CLIENT_SECRET=${SECHUB_SECURITY_SERVER_OAUTH2_CLIENT_SECRET:-$(uuidgen)}
 
 echo  "${KEYCLOAK_ADMIN}:${KEYCLOAK_ADMIN_PASSWORD}"
 addEnv "DATABASE_START_MODE=server"
 addEnv "KEYCLOAK_ADMIN=$KEYCLOAK_ADMIN"
 addEnv "KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD"
+addEnv "SECHUB_SECURITY_SERVER_OAUTH2_CLIENT_SECRET=$SECHUB_SECURITY_SERVER_OAUTH2_CLIENT_SECRET"
 
 defineContainerPort 8080
 if [[ -z "$1" ]]; then
@@ -32,3 +34,15 @@ ensureImageBuild
 ensureContainerNotRunning
 
 startContainer
+
+# Copy keycloak properties as local sechub-server properties using envsubst
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+local_template="${script_dir}/application-local-test-keycloak-template.yaml"
+sechub_properties_local_keycloak="${script_dir}/../../../../sechub-server/src/main/resources/application-local-test-keycloak-gen.${USER}.yaml"
+
+if [ -f "${sechub_properties_local_keycloak}" ]; then
+    echo "Removing existing local Keycloak properties file: ${sechub_properties_local_keycloak}"
+    rm -f "${sechub_properties_local_keycloak}"
+fi
+
+envsubst < "${local_template}" > "${sechub_properties_local_keycloak}"

sechub-developertools/src/main/java/com/mercedesbenz/sechub/developertools/container/keycloak/KeycloakTestContainer.java

@@ -4,6 +4,7 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.nio.file.Paths;
 
 import com.mercedesbenz.sechub.developertools.container.BashScriptContainerLaunchConfig;
 import com.mercedesbenz.sechub.developertools.container.BashScriptContainerLauncher;
@@ -24,7 +25,12 @@ public KeycloakTestContainer(int testPort, String admin, String password) {
     }
 
     private static Path resolveScript(String scriptName) {
-        return Path.of("../scripts", "container", "keycloak", scriptName).toAbsolutePath().normalize();
+        // Resolve the script path relative to the class location
+        // It should not matter where the TestContainer is executed from
+        String classLocation = KeycloakTestContainer.class.getProtectionDomain().getCodeSource().getLocation().getPath();
+        Path classPath = Paths.get(classLocation).getParent();
+
+        return classPath.resolve(Paths.get("../../../scripts/container/keycloak", scriptName)).normalize();
     }
 
     public void start() throws Exception {

sechub-server/.gitignore

@@ -3,4 +3,5 @@
 
 # Ignore local property files
 application-local.*.yaml
-application-local.*.yml
+application-local.*.yml
+application-local-test-keycloak-gen.*.yaml

sechub-server/src/main/resources/application-local.yml

@@ -7,4 +7,6 @@
 spring:
   config:
     import:
-      - optional:classpath:application-local.${USER}.yml
+      - optional:classpath:application-local.${USER}.yml
+      - optional:classpath:application-local.${USER}.yaml
+      - optional:classpath:application-local-test-keycloak-gen.${USER}.yaml