changeset 160:bd282001a37d
[keycloak] Make setup of keycloak.json easier.
Reviewed-by: jkang
Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2017-May/023208.html
author | Severin Gehwolf <sgehwolf@redhat.com> |
---|---|
date | Fri, 19 May 2017 16:03:47 +0200 |
parents | e0c80817fd11 |
children | 16c078be30b4 |
files | docker/thermostat-keycloak/README.md docker/thermostat-keycloak/get_keycloak_json.sh |
diffstat | 2 files changed, 143 insertions(+), 22 deletions(-) [+] |
--- a/docker/thermostat-keycloak/README.md Wed May 24 10:46:40 2017 -0400 +++ b/docker/thermostat-keycloak/README.md Fri May 19 16:03:47 2017 +0200 @@ -2,30 +2,24 @@ # How to Use -## Build image +## Build image (optional) ``` -$ docker build --rm -t thermostat-keycloak . +$ docker build --rm -t icedtea/dev-thermostat-keycloak . ``` ## Run container ``` -$ docker run thermostat-keycloak +$ docker run -d -p 127.0.0.1:8900:8080 icedtea/dev-thermostat-keycloak ``` ## Settings ### Admin Console via Browser -Find the IP address of the docker container via: -``` -$ docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' thermostat-keycloak -``` - -The port is 8080 and the address is /auth. - -E.g. http://172.17.0.2:8080/auth +Visit URL http://127.0.0.1:8900/auth and click on +Administration Console. ### Administative User @@ -56,17 +50,18 @@ ### Run Keycloak server ``` -$ docker run --name thermsotat-keycloak thermostat-keycloak +$ docker run -d -p 127.0.0.1:8900:8080 icedtea/dev-thermostat-keycloak ``` ### Modify Thermostat Web Gateway with Keycloak credentials and services -Use a browser to access the Keycloak server's admin console at E.g. -http://172.17.0.2:8080/auth (use the IP/Port of your container) -Login with the Administrative User Credentials listed above. Via -(Clients -> thermostat-bearer -> Installation, selecet the Format option -'Keycloak OIDC JSON' and download the 'keycloak.json' file into -`image/etc/keycloak.json` +Generate and install keycloak.json file: + +``` +$ ./docker/thermostat-keycloak/get_keycloak_json.sh +Waiting for Keycloak container to become ready ...done. +./docker/thermostat-keycloak/../../distribution/target/image/etc/keycloak.json generated and installed. +``` Modify `/image/etc/gloabl-config.properties` and add the property `file|KEYCLOAK_CONFIG=keycloak.json`. 
@@ -82,15 +77,13 @@ ### Test via Curl -E.g in a bash script: +For example, in a bash script: ``` -$ RESULT=`curl --data "grant_type=password&client_id=thermostat-web-client&username=tms-user&password=tms-pass" http://172.17.0.2:8080/auth/realms/thermostat/protocol/openid-connect/token` +$ RESULT=`curl -s --data "grant_type=password&client_id=thermostat-web-client&username=tms-user&password=tms-pass" http://127.0.0.1:8900/auth/realms/thermostat/protocol/openid-connect/token` $ TOKEN=`echo $RESULT | sed 's/.*access_token":"//g' | sed 's/".*//g'` $ curl -H "Authorization: bearer $TOKEN" "http://localhost:30000/jvm-gc/0.0.1" ``` - -
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/docker/thermostat-keycloak/get_keycloak_json.sh Fri May 19 16:03:47 2017 +0200
@@ -0,0 +1,128 @@
+#!/bin/bash
+#
+# Copyright 2012-2017 Red Hat, Inc.
+#
+# This file is part of Thermostat.
+#
+# Thermostat is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published
+# by the Free Software Foundation; either version 2, or (at your
+# option) any later version.
+#
+# Thermostat is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Thermostat; see the file COPYING. If not see
+# <http://www.gnu.org/licenses/>.
+#
+# Linking this code with other modules is making a combined work
+# based on this code. Thus, the terms and conditions of the GNU
+# General Public License cover the whole combination.
+#
+# As a special exception, the copyright holders of this code give
+# you permission to link this code with independent modules to
+# produce an executable, regardless of the license terms of these
+# independent modules, and to copy and distribute the resulting
+# executable under terms of your choice, provided that you also
+# meet, for each linked independent module, the terms and conditions
+# of the license of that module. An independent module is a module
+# which is not derived from or based on this code. If you modify
+# this code, you may extend this exception to your version of the
+# library, but you are not obligated to do so. If you do not wish
+# to do so, delete this exception statement from your version.
+#
+
+#
+# Utility script for getting the Keycloak JSON
+# config from the Thermostat dev container programmatically.
+#
+#set -x
+set -e
+
+URL="http://127.0.0.1:8900/auth"
+REALM="thermostat"
+OPENID_CONNECT_JSON_PROVIDER="keycloak-oidc-keycloak-json"
+CLIENT_NAME="thermostat-bearer"
+TIMEOUT_KEYCLOAK=60
+
+find_gw_home() {
+ this_script="${BASH_SOURCE[0]}"
+ parent=$(dirname ${this_script})
+ echo "${parent}/../../distribution/target/image"
+}
+
+config_path() {
+ gw_home=$(find_gw_home)
+ echo "${gw_home}/etc/keycloak.json"
+}
+
+try_connect() {
+ curl -o /dev/null -w %{http_code} -s -d "client_id=admin-cli" \
+ -d "username=tms-admin" \
+ -d "password=tms-admin" \
+ -d "grant_type=password" \
+ "${URL}/realms/master/protocol/openid-connect/token"
+}
+
+wait_for_ready() {
+ echo -n "Waiting for Keycloak container to become ready ..."
+ attempts=0
+ while [ "$(try_connect)_" != "200_" ]; do
+ echo -n "."
+ sleep 1
+ if [ ${attempts} -eq ${TIMEOUT_KEYCLOAK} ]; then
+ echo "failed."
+ echo "Keycloak container not becoming available."
+ exit 1
+ fi
+ attempts=$(( $attempts + 1 ))
+ done
+ echo "done."
+}
+
+# Get the access token json (including the bearer access token)
+access_token_json() {
+ curl -s -d "client_id=admin-cli" \
+ -d "username=tms-admin" \
+ -d "password=tms-admin" \
+ -d "grant_type=password" \
+ "${URL}/realms/master/protocol/openid-connect/token"
+}
+
+# Retrieve the access_token property from the access token JSON
+access_token() {
+ echo $(access_token_json | sed 's|.*"access_token":"\([^"]\+\)".*|\1|g')
+}
+
+# Get the client ID for a given client name
+#
+# Note: needs to remove "protocolMappers" array, since "id" is not
+# unique otherwise.
+client_id() {
+ local clientId="$1"
+ curl -s \
+ -H "Authorization: bearer $t" \
+ "${URL}/admin/realms/${REALM}/clients?clientId=${clientId}" | \
+ sed 's|\(.*\)"protocolMappers":\[[^]]\+\]\(.*\)|\1\2|g' | \
+ sed 's|.*"id":"\([^"]\+\)".*|\1|g'
+}
+
+# Get the Keycloak JSON config for a given client
+json_config() {
+ local id="$1"
+ curl -o ${JSON_FILE} -s \
+ -H "Authorization: bearer $t" \
+ "${URL}/admin/realms/${REALM}/clients/${id}/installation/providers/${OPENID_CONNECT_JSON_PROVIDER}"
+}
+
+wait_for_ready
+
+t=$(access_token)
+cid=$(client_id ${CLIENT_NAME})
+
+JSON_FILE=$(config_path)
+json_config ${cid}
+echo "${JSON_FILE} generated and installed."
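Review bot: json_config writes whatever the server answers into `${JSON_FILE}`, because `curl -o ${JSON_FILE} -s` without `--fail` exits 0 on an HTTP 401/404, and since access_token only echoes what the sed substitution leaves of the response (an error body passes through untouched), a rejected or expired token ends up as an error JSON in keycloak.json while the script still prints `generated and installed.`; using `curl -sf -o "${JSON_FILE}" \` there, and `-f` in access_token_json and client_id as well, lets `set -e` abort instead. The admin password and the bearer token `$t` are passed on curl's command line, where any local process listing can read them and the commented-out `set -x` would print them; feeding them via `-d @-` from a here-string or `-H @file` from a mktemp file keeps them out of argv. Quoting `"${JSON_FILE}"` and `"${cid}"` at the call sites would also keep a checkout path containing spaces from word-splitting.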