feat: upgrade Keycloak to version 20

2022-11-05 19:38:13 +01:00 · 2022-11-05 19:38:13 +01:00 · 40224635ab
parent cc182d932b
commit 40224635ab
13 changed files with 68 additions and 99 deletions
--- a/security-c4po-angular/src/environments/environment.prod.ts
+++ b/security-c4po-angular/src/environments/environment.prod.ts
@ -2,7 +2,7 @@ export const environment = {
  production: true,
  // keycloak
-  keycloakURL: 'http://localhost:8888/auth',
+  keycloakURL: 'http://localhost:8080/auth',
  keycloakrealm: 'c4po_realm_local',
  keycloakclientId: 'c4po_local',
--- a/security-c4po-angular/src/environments/environment.ts
+++ b/security-c4po-angular/src/environments/environment.ts
@ -7,7 +7,7 @@ export const environment = {
  production: false,
  // keycloak
-  keycloakURL: 'http://localhost:8888/auth',
+  keycloakURL: 'http://localhost:8080/auth',
  keycloakrealm: 'c4po_realm_local',
  keycloakclientId: 'c4po_local',
--- a/security-c4po-api/build.gradle.kts
+++ b/security-c4po-api/build.gradle.kts
@ -91,6 +91,7 @@ dependencies {
 	testImplementation("org.springframework.restdocs:spring-restdocs-webtestclient")
 	testImplementation("com.github.spotbugs:spotbugs-annotations:4.1.2")
 	testApi("org.testcontainers:junit-jupiter:1.15.2")
    testImplementation("com.github.dasniko:testcontainers-keycloak:2.3.0")
 }
 jacoco {
--- a/security-c4po-api/security-c4po-api.postman_collection.json
+++ b/security-c4po-api/security-c4po-api.postman_collection.json
@ -175,12 +175,12 @@
 						"method": "GET",
 						"header": [],
 						"url": {
-							"raw": "http://localhost:8888/auth/realms/c4po_realm_local/.well-known/openid-configuration",
+							"raw": "http://localhost:8080/auth/realms/c4po_realm_local/.well-known/openid-configuration",
 							"protocol": "http",
 							"host": [
 								"localhost"
 							],
-							"port": "8888",
+							"port": "8080",
 							"path": [
 								"auth",
 								"realms",
@ -235,12 +235,12 @@
 							]
 						},
 						"url": {
-							"raw": "http://localhost:8888/auth/realms/c4po_realm_local/protocol/openid-connect/token",
+							"raw": "http://localhost:8080/auth/realms/c4po_realm_local/protocol/openid-connect/token",
 							"protocol": "http",
 							"host": [
 								"localhost"
 							],
-							"port": "8888",
+							"port": "8080",
 							"path": [
 								"auth",
 								"realms",
--- a/security-c4po-api/src/main/resources/application-DEV.properties
+++ b/security-c4po-api/src/main/resources/application-DEV.properties
@ -1,7 +1,7 @@
 ## IdentityProvider (Keycloak) ##
-spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8888/auth/realms/c4po_realm_local
+spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/auth/realms/c4po_realm_local
 keycloakhost=localhost
-keycloak.client.url=http://localhost:8888/
+keycloak.client.url=http://localhost:8080/
 ## Database (MONGODB) Config ##
 spring.data.mongodb.host=localhost
--- a/security-c4po-api/src/main/resources/application-TEST.properties
+++ b/security-c4po-api/src/main/resources/application-TEST.properties
@ -1,6 +1,4 @@
 ## IdentityProvider (Keycloak) ##
 spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:9999/auth/realms/c4po_realm_local
 keycloakhost=localhost
 keycloak.client.url=http://localhost:9999
 keycloak.client.realm.path=auth/realms/c4po_realm_local/
--- a/security-c4po-api/src/main/resources/application.properties
+++ b/security-c4po-api/src/main/resources/application.properties
@ -16,9 +16,9 @@ spring.data.mongodb.database=c4po
 spring.data.mongodb.auto-index-creation=true
 ## IdentityProvider (Keycloak) ##
-spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8888/auth/realms/c4po_realm_local
+spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/auth/realms/c4po_realm_local
 keycloakhost=localhost
-keycloak.client.url=http://localhost:8888
+keycloak.client.url=http://localhost:8080
 keycloak.client.realm.path=auth/realms/c4po_realm_local/
 ## Total number of pentests listet in the OWASP testing guide
--- a/security-c4po-api/src/test/kotlin/com/securityc4po/api/BaseContainerizedTest.kt
+++ b/security-c4po-api/src/test/kotlin/com/securityc4po/api/BaseContainerizedTest.kt
@ -5,46 +5,48 @@ import com.github.dockerjava.api.model.ExposedPort
 import com.github.dockerjava.api.model.PortBinding
 import com.github.dockerjava.api.model.Ports
 import com.nimbusds.jwt.JWTParser
 import dasniko.testcontainers.keycloak.KeycloakContainer
 import org.junit.jupiter.api.TestInstance
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.cloud.contract.wiremock.AutoConfigureWireMock
 import org.springframework.http.HttpEntity
 import org.springframework.http.HttpHeaders
 import org.springframework.http.MediaType
-import org.springframework.test.context.ActiveProfiles
+import org.springframework.test.context.DynamicPropertyRegistry
 import org.springframework.test.context.DynamicPropertySource
 import org.springframework.test.context.TestPropertySource
 import org.springframework.util.LinkedMultiValueMap
 import org.springframework.web.client.RestTemplate
 import org.testcontainers.shaded.com.fasterxml.jackson.databind.ObjectMapper
 import org.testcontainers.containers.GenericContainer
 import org.testcontainers.containers.wait.strategy.Wait
 import org.testcontainers.images.builder.ImageFromDockerfile
 import org.testcontainers.shaded.com.fasterxml.jackson.databind.ObjectMapper
 import org.testcontainers.utility.DockerImageName
 import org.testcontainers.utility.MountableFile
 import java.nio.file.Paths
@TestInstance(TestInstance.Lifecycle.PER_CLASS)
@AutoConfigureWireMock(port = 0)
-@TestPropertySource(properties = [
+@TestPropertySource(
-    "spring.data.mongodb.port=27017",
+    properties = [
-    "spring.data.mongodb.authentication-database=admin",
+        "spring.data.mongodb.port=27017",
-    "spring.data.mongodb.password=test",
+        "spring.data.mongodb.authentication-database=admin",
-    "spring.data.mongodb.username=testuser",
+        "spring.data.mongodb.password=test",
-    "MONGO_DB_MAX_CONNECTION_IDLE_TIME=PT25M",
+        "spring.data.mongodb.username=testuser",
-    "DATA_REFRESH_THRESHOLD_DURATION=PT30M",
+        "MONGO_DB_MAX_CONNECTION_IDLE_TIME=PT25M",
-    "CLEANUP_BATCH_SIZE_FOR_SELECTING_EXPIRED_USERS=100"
+        "DATA_REFRESH_THRESHOLD_DURATION=PT30M",
-])
+        "CLEANUP_BATCH_SIZE_FOR_SELECTING_EXPIRED_USERS=100"
    ]
 )
 abstract class BaseContainerizedTest {
    @Value("\${keycloakhost}")
    var keycloakhost: String? = null
    companion object {
-        val mongoDbContainer = KGenericContainer(ImageFromDockerfile("c4poapibasecontainerizedtest").withDockerfileFromBuilder {
+        val mongoDbContainer = KGenericContainer(
-            it.from("mongo:4.4.6")
+            ImageFromDockerfile("c4poapibasecontainerizedtest").withDockerfileFromBuilder {
-            it.env("MONGO_INITDB_ROOT_USERNAME", "root")
+                it.from("mongo:latest")
-            it.env("MONGO_INITDB_ROOT_PASSWORD", "cjwkbencowepoc324pon2mop3mp4")
+                it.env("MONGO_INITDB_ROOT_USERNAME", "root")
-            it.env("MONGO_INITDB_DATABASE", "admin")
+                it.env("MONGO_INITDB_ROOT_PASSWORD", "cjwkbencowepoc324pon2mop3mp4")
-            it.add("insert-mongodb-user.js", "/docker-entrypoint-initdb.d")
+                it.env("MONGO_INITDB_DATABASE", "admin")
-        }.withFileFromPath("insert-mongodb-user.js", Paths.get(MountableFile.forClasspathResource("insert-mongodb-user.js", 700).resolvedPath))
+                it.add("insert-mongodb-user.js", "/docker-entrypoint-initdb.d")
            }.withFileFromPath("insert-mongodb-user.js", Paths.get(MountableFile.forClasspathResource("insert-mongodb-user.js", 700).resolvedPath))
        ).apply {
            withCreateContainerCmdModifier {
                it.hostConfig?.withPortBindings(PortBinding(Ports.Binding.bindPort(27017), ExposedPort(27017)))
@ -52,28 +54,29 @@ abstract class BaseContainerizedTest {
            start()
        }
-        val keycloakContainer = KGenericContainerFromImage(DockerImageName.parse("jboss/keycloak:11.0.3")).apply {
+        val keycloakContainer: KeycloakContainer = KeycloakContainer("quay.io/keycloak/keycloak:20.0.0")
-            withEnv("KEYCLOAK_USER", "admin")
+            .withAdminUsername("admin")
-            withEnv("KEYCLOAK_PASSWORD", "admin")
+            .withAdminPassword("admin")
-            withEnv("KEYCLOAK_IMPORT", "/tmp/realm.json")
+            .withContextPath("/auth")
-            withEnv("DB_VENDOR", "h2")
+            .withRealmImportFile("realm-export.json")
-            withCreateContainerCmdModifier {
+            .waitingFor(
-                it.hostConfig?.withPortBindings(PortBinding(Ports.Binding.bindPort(8888), ExposedPort(8080)))
+                Wait.forHttp("/auth")
-            }
+            )
-            withCopyFileToContainer(MountableFile.forClasspathResource("realm-export.json", 700), "/tmp/realm.json")
+
-            start()
+        @DynamicPropertySource
-            println("== Inserting users must wait until Keycloak is started completely ==")
+        @JvmStatic
-            execInContainer("sh", "/opt/jboss/create-keycloak-user.sh")
+        fun jwtValidationProperties(registry: DynamicPropertyRegistry) {
            registry.add("spring.security.oauth2.resourceserver.jwt.issuer-uri") { keycloakContainer.authServerUrl + "/realms/c4po_realm_local" }
            keycloakContainer.start()
        }
    }
    var token = "n/a"
    var tokenAdmin = "n/a"
    var tokenUser = "n/a"
    var keycloakHost: String? = null
    fun getAccessToken(username: String, password: String, clientId: String, realm: String): String {
        keycloakHost = "http://" + keycloakhost + ":" + keycloakContainer.getMappedPort(8080)
        val restTemplate = RestTemplate()
        val headers = HttpHeaders()
        headers.contentType = MediaType.APPLICATION_FORM_URLENCODED
@ -84,8 +87,11 @@ abstract class BaseContainerizedTest {
        map.add("password", password)
        map.add("grant_type", "password")
        map.add("client_secret", "secret")
-        val responseString = restTemplate.postForObject("$keycloakHost/auth/realms/$realm/protocol/openid-connect/token",
+        val responseString = restTemplate.postForObject(
-            HttpEntity<Any>(map, headers), String::class.java)
+            keycloakContainer.authServerUrl + "/realms/$realm/protocol/openid-connect/token",
            HttpEntity<Any>(map, headers),
            String::class.java
        )
        val token = ObjectMapper().readValue(responseString, KeyCloakToken::class.java)
        return token.access_token!!
    }
--- a/security-c4po-api/src/test/resources/script_local
+++ b/security-c4po-api/src/test/resources/script_local
@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 cd keycloak/bin
 sleep 20
-./kcadm.sh config credentials --server http://localhost:8888/auth --realm master --user admin --password admin
+./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password admin
 USERID=$(./kcadm.sh create users -r c4po_realm_local -s username=test_admin \
 -s email=testadmin@test.de \
--- a/security-c4po-cfg/cfg/keycloak.env
+++ b/security-c4po-cfg/cfg/keycloak.env
@ -1,9 +0,0 @@
 # cfg for local keycloak
 DB_VENDOR=postgres
 DB_ADDR=c4po-keycloak-postgress
 DB_PORT=5432
 DB_USER=c4po_kc_local
 DB_PASSWORD=Test1234!
 KEYCLOAK_USER=admin
 KEYCLOAK_PASSWORD=admin
 KEYCLOAK_IMPORT=/tmp/c4po_realm_export.json
--- a/security-c4po-cfg/cfg/keycloakdb.env
+++ b/security-c4po-cfg/cfg/keycloakdb.env
@ -1,4 +0,0 @@
 # database.env
 POSTGRES_USER=c4po_kc_local
 POSTGRES_PASSWORD=Test1234!
 POSTGRES_DB=keycloak
--- a/security-c4po-cfg/docker-compose.yml
+++ b/security-c4po-cfg/docker-compose.yml
@ -5,23 +5,11 @@ volumes:
  c4po-db:
 services:
  # Database
  c4po-keycloak-postgres:
    container_name: c4po-keycloak-postgres
    image: postgres:latest
    env_file:
      - cfg/keycloakdb.env
    ports:
      - 5433:5432
    volumes:
      - /volumes/keycloak/data/:/var/lib/postgres/data
    networks:
      - c4po
  c4po-db:
    image: mongo:latest
    container_name: c4po-db
    volumes:
-      - /volumes/mongodb/data/:/db/data
+      - ./volumes/mongodb/data/:/db/data
    deploy:
      resources:
        limits:
@ -30,20 +18,15 @@ services:
      - 27017:27017
    networks:
      - c4po
-  # Authentity Provider
+  # Authentication Provider
  c4po-keycloak:
    container_name: c4po-keycloak
-    depends_on:
+    image: quay.io/keycloak/keycloak:20.0.0
      - c4po-keycloak-postgres
    links:
      - c4po-keycloak-postgres
    image: jboss/keycloak:11.0.3
    volumes:
-      - /cfg/c4po_realm_export.json/:/tmp/c4po_realm_export.json
+      - ./cfg/c4po_realm_export.json/:/opt/keycloak/data/import/c4po_realm_export.json
    ports:
-      - 8888:8080
+      - 8080:8080
-    env_file:
+    entrypoint: /opt/keycloak/bin/kc.sh start-dev --import-realm --http-relative-path=/auth
      - cfg/keycloak.env
    networks:
      - c4po
  # Services
@ -53,8 +36,6 @@ services:
    container_name: c4po-angular
    depends_on:
      - c4po-keycloak
    links:
      - c4po-keycloak
    deploy:
      resources:
        limits:
@ -63,7 +44,6 @@ services:
      - 4200:4200
    networks:
      - c4po
  c4po-api:
    build: '../security-c4po-api'
    image: security-c4po-api:latest
@ -73,9 +53,6 @@ services:
    depends_on:
      - c4po-db
      - c4po-keycloak
    links:
      - c4po-db
      - c4po-keycloak
    deploy:
      resources:
        limits: