chore: improvements to keycloak local development (#26518)

* update keycloak docker image * update realm file with a compatible realm * import realm on start-docker command Since bitnami's image does not support importing directly, the import of the test realm is done in the make file start-docker action * Use official image from quay * updated realm keycloak config * final note about nickname attrib for saml * add admin user * update realm * Updated from master * Updated docs * local typo * use jq for ldap and saml * updated readme
2025-02-25 18:55:24 -06:00 · 2024-07-08 08:16:09 +02:00 · 2024-07-08 08:16:09 +02:00 · 4e32da62fa
commit 4e32da62fa
parent db45c0132e
7 changed files with 2185 additions and 2319 deletions
--- a/server/Makefile
+++ b/server/Makefile
@ -163,6 +163,8 @@ else
  ALL_PACKAGES=$(TE_PACKAGES)
 endif
 CONFIG_FILE_PATH ?= ./config/config.json
 all: run ## Alias for 'run'.
 -include config.override.mk
@ -648,38 +650,39 @@ run-job-server: ## Runs the background job server.
 config-ldap: ## Configures LDAP.
 	@echo Setting up configuration for local LDAP
-	@sed -i'' -e 's|"LdapServer": ".*"|"LdapServer": "localhost"|g' ../config/config.json
+	# Check if jq is installed
-	@sed -i'' -e 's|"BaseDN": ".*"|"BaseDN": "dc=mm,dc=test,dc=com"|g' ../config/config.json
+	@jq --version > /dev/null 2>&1 || (echo "jq is not installed. Please install jq to continue." && exit 1)
-	@sed -i'' -e 's|"BindUsername": ".*"|"BindUsername": "cn=admin,dc=mm,dc=test,dc=com"|g' ../config/config.json
+
-	@sed -i'' -e 's|"BindPassword": ".*"|"BindPassword": "mostest"|g' ../config/config.json
+	TMPDIR=$(mktemp -d)
-	@sed -i'' -e 's|"UserFilter": ".*"|"UserFilter": ""|g' ../config/config.json
+	jq --slurp '.[0] * .[1]' ${CONFIG_FILE_PATH} build/docker/keycloak/ldap.mmsettings.json > ${TMPDIR}/config.json
-	@sed -i'' -e 's|"GroupFilter": ".*"|"GroupFilter": ""|g' ../config/config.json
+	cp ${TMPDIR}/config.json ${CONFIG_FILE_PATH}
-	@sed -i'' -e 's|"GuestFilter": ".*"|"GuestFilter": ""|g' ../config/config.json
+	rm ${TMPDIR}/config.json
 	@sed -i'' -e 's|"FirstNameAttribute": ".*"|"FirstNameAttribute": "cn"|g' ../config/config.json
 	@sed -i'' -e 's|"LastNameAttribute": ".*"|"LastNameAttribute": "sn"|g' ../config/config.json
 	@sed -i'' -e 's|"NicknameAttribute": ".*"|"NicknameAttribute": "cn"|g' ../config/config.json
 	@sed -i'' -e 's|"PositionAttribute": ".*"|"PositionAttribute": "title"|g' ../config/config.json
 	@sed -i'' -e 's|"EmailAttribute": ".*"|"EmailAttribute": "mail"|g' ../config/config.json
 	@sed -i'' -e 's|"UsernameAttribute": ".*"|"UsernameAttribute": "uid"|g' ../config/config.json
 	@sed -i'' -e 's|"IdAttribute": ".*"|"IdAttribute": "uid"|g' ../config/config.json
 	@sed -i'' -e 's|"LoginIdAttribute": ".*"|"LoginIdAttribute": "uid"|g' ../config/config.json
 	@sed -i'' -e 's|"GroupDisplayNameAttribute": ".*"|"GroupDisplayNameAttribute": "cn"|g' ../config/config.json
 	@sed -i'' -e 's|"GroupIdAttribute": ".*"|"GroupIdAttribute": "entryUUID"|g' ../config/config.json
 config-saml: ## Configures SAML.
 	@echo Setting up configuration for local SAML with keycloak, please ensure your keycloak is running on http://localhost:8484
-	@cp build/docker/keycloak/keycloak.crt ../config/saml-idp.crt
+	# Check if jq is installed
 	@jq --version > /dev/null 2>&1 || (echo "jq is not installed. Please install jq to continue." && exit 1)
-	@sed -i'' -e 's|"Verify": true|"Verify": false|g' ../config/config.json
+	@cp build/docker/keycloak/keycloak.crt ./config/saml-idp.crt
-	@sed -i'' -e 's|"Encrypt": true|"Encrypt": false|g' ../config/config.json
+
-	@sed -i'' -e 's|"SignRequest": true|"SignRequest": false|g' ../config/config.json
+	TMPDIR=$(mktemp -d)
-	@sed -i'' -e 's|"IdpURL": ".*"|"IdpURL": "http://localhost:8484/realms/mattermost/protocol/saml"|g' ../config/config.json
+	jq --slurp '.[0] * .[1]' ${CONFIG_FILE_PATH} build/docker/keycloak/saml.mmsettings.json > ${TMPDIR}/config.json
-	@sed -i'' -e 's|"IdpDescriptorURL": ".*"|"IdpDescriptorURL": "http://localhost:8484/realms/mattermost"|g' ../config/config.json
+	cp ${TMPDIR}/config.json ${CONFIG_FILE_PATH}
-	@sed -i'' -e 's|"IdpMetadataURL": ".*"|"IdpMetadataURL": "http://localhost:8484/realms/mattermost/protocol/saml/descriptor"|g' ../config/config.json
+	rm ${TMPDIR}/config.json
-	@sed -i'' -e 's|"ServiceProviderIdentifier": ".*"|"ServiceProviderIdentifier": "mattermost"|g' ../config/config.json
+
-	@sed -i'' -e 's|"AssertionConsumerServiceURL": ".*"|"AssertionConsumerServiceURL": "http://localhost:8065/login/sso/saml"|g' ../config/config.json
+config-openid: ## Configures OpenID.
-	@sed -i'' -e 's|"IdpCertificateFile": ".*"|"IdpCertificateFile": "saml-idp.crt"|g' ../config/config.json
+	@echo Setting up configuration for local OpenID with keycloak, please ensure your keycloak is running on http://localhost:8484
 	# Check if jq is installed
 	@jq --version > /dev/null 2>&1 || (echo "jq is not installed. Please install jq to continue." && exit 1)
 	TMPDIR=$(mktemp -d)
 	jq --slurp '.[0] * .[1]' ${CONFIG_FILE_PATH} build/docker/keycloak/openid.mmsettings.json > ${TMPDIR}/config.json
 	cp ${TMPDIR}/config.json ${CONFIG_FILE_PATH}
 	rm ${TMPDIR}/config.json
 	@echo Finished setting up configuration for local OpenID with keycloak
 config-reset: ## Resets the config/config.json file to the default production values.
 	@echo Resetting configuration to production default
--- a/server/build/docker-compose.common.yml
+++ b/server/build/docker-compose.common.yml
@ -116,7 +116,7 @@ services:
      KC_HOSTNAME_STRICT_HTTPS: 'false'
      KC_HTTP_ENABLED: 'true'
    volumes:
-     - "./docker/keycloak:/opt/keycloak/data/import"
+     - "./docker/keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json"
  prometheus:
    image: "prom/prometheus:v2.46.0"
    user: root
--- a/server/build/docker/keycloak/README.md
+++ b/server/build/docker/keycloak/README.md
@ -1,12 +1,39 @@
-Overwrite your SamlSettings section in your config.json file by running `make config-saml` and restarting your server. You will need to set the following `SamlSettings` in order to complete the setup:
+# Keycloak development environment
 - Enable: true
 - FirstNameAttribute: "givenName"
 - LastNameAttribute: "surname"
-Admin Login:
+## Setting up
 - admin/admin
-Users:
+### OpenID
- homer/password
+
- marge/password
+Overwrite your `OpenIdSettings` section in your config.json file by running `make config-openid` and restarting your server.
- lisa/password
+
 - [Official OpenID with Keycloak documentation](https://docs.mattermost.com/onboard/sso-openidconnect.html)
 ### SAML
 Overwrite your `SamlSettings` section in your config.json file by running `make config-saml` and restarting your server.
 - [Official SAML with Keycloak documentation](https://docs.mattermost.com/onboard/sso-saml-keycloak.html)
 ### LDAP
 Overwrite your `LdapSettings` section in your config.json file by running `make config-ldap` and restarting your server.
 - [Official LDAP with Keycloak documentation](https://docs.mattermost.com/onboard/ad-ldap.html)
 ## Credentials to log in
 - **Admin account**, used to log in to the Keycloak Admin UI:
  - `admin`/`admin`
 - **User accounts**, used to log in to Mattermost:
  - `homer`/`password`
  - `marge`/`password`
  - `lisa`/`password`
 ## Updating the `realm-export.json`
 The `realm-export.json` file is automatically imported by the keycloak development container. If you make any modifications to this file or to the base configuration, export it by running a terminal in the container and running:
 ```bash
 /opt/keycloak/bin/kc.sh export --realm mattermost --users realm_file --file /opt/keycloak/data/import/realm-export.json
 ```
--- a/server/build/docker/keycloak/ldap.mmsettings.json
+++ b/server/build/docker/keycloak/ldap.mmsettings.json
@ -0,0 +1,39 @@
 {
    "LdapSettings": {
        "Enable": true,
        "EnableSync": false,
        "LdapServer": "localhost",
        "LdapPort": 389,
        "ConnectionSecurity": "",
        "BaseDN": "dc=mm,dc=test,dc=com",
        "BindUsername": "cn=admin,dc=mm,dc=test,dc=com",
        "BindPassword": "mostest",
        "UserFilter": "",
        "GroupFilter": "",
        "GuestFilter": "",
        "EnableAdminFilter": false,
        "AdminFilter": "",
        "GroupDisplayNameAttribute": "cn",
        "GroupIdAttribute": "entryUUID",
        "FirstNameAttribute": "cn",
        "LastNameAttribute": "sn",
        "EmailAttribute": "mail",
        "UsernameAttribute": "uid",
        "NicknameAttribute": "cn",
        "IdAttribute": "uid",
        "PositionAttribute": "title",
        "LoginIdAttribute": "uid",
        "PictureAttribute": "",
        "SyncIntervalMinutes": 60,
        "SkipCertificateVerification": false,
        "PublicCertificateFile": "",
        "PrivateKeyFile": "",
        "QueryTimeout": 60,
        "MaxPageSize": 0,
        "LoginFieldName": "",
        "LoginButtonColor": "#0000",
        "LoginButtonBorderColor": "#2389D7",
        "LoginButtonTextColor": "#2389D7",
        "Trace": false
    }
 }
--- a/server/build/docker/keycloak/openid.mmsettings.json
+++ b/server/build/docker/keycloak/openid.mmsettings.json
@ -0,0 +1,14 @@
 {
    "OpenIdSettings": {
        "Enable": true,
        "Secret": "9Y7dykcoA9luTC77XtXxOu9UbNx3rhj6",
        "Id": "mattermost-openid",
        "Scope": "profile openid email",
        "AuthEndpoint": "",
        "TokenEndpoint": "",
        "UserAPIEndpoint": "",
        "DiscoveryEndpoint": "http://localhost:8484/realms/mattermost/.well-known/openid-configuration",
        "ButtonText": "Login using OpenID",
        "ButtonColor": "#ffaa4c"
    }
 }
--- a/server/build/docker/keycloak/realm-export.json
+++ b/server/build/docker/keycloak/realm-export.json
--- a/server/build/docker/keycloak/saml.mmsettings.json
+++ b/server/build/docker/keycloak/saml.mmsettings.json
@ -0,0 +1,38 @@
 {
    "SamlSettings": {
        "Enable": true,
        "EnableSyncWithLdap": false,
        "EnableSyncWithLdapIncludeAuth": false,
        "IgnoreGuestsLdapSync": false,
        "Verify": false,
        "Encrypt": false,
        "SignRequest": false,
        "IdpURL": "http://localhost:8484/realms/mattermost/protocol/saml",
        "IdpDescriptorURL": "http://localhost:8484/realms/mattermost",
        "IdpMetadataURL": "http://localhost:8484/realms/mattermost/protocol/saml/descriptor",
        "ServiceProviderIdentifier": "mattermost",
        "AssertionConsumerServiceURL": "http://localhost:8065/login/sso/saml",
        "SignatureAlgorithm": "RSAwithSHA1",
        "CanonicalAlgorithm": "Canonical1.0",
        "ScopingIDPProviderId": "",
        "ScopingIDPName": "",
        "IdpCertificateFile": "saml-idp.crt",
        "PublicCertificateFile": "",
        "PrivateKeyFile": "",
        "IdAttribute": "uid",
        "GuestAttribute": "",
        "EnableAdminAttribute": false,
        "AdminAttribute": "",
        "FirstNameAttribute": "givenName",
        "LastNameAttribute": "surname",
        "EmailAttribute": "mail",
        "UsernameAttribute": "uid",
        "NicknameAttribute": "cn",
        "LocaleAttribute": "",
        "PositionAttribute": "title",
        "LoginButtonText": "SAML",
        "LoginButtonColor": "#34a28b",
        "LoginButtonBorderColor": "#2389D7",
        "LoginButtonTextColor": "#ffffff"
    }
 }