chore: improvements to keycloak local development (#26518)

* update keycloak docker image * update realm file with a compatible realm * import realm on start-docker command Since bitnami's image does not support importing directly, the import of the test realm is done in the make file start-docker action * Use official image from quay * updated realm keycloak config * final note about nickname attrib for saml * add admin user * update realm * Updated from master * Updated docs * local typo * use jq for ldap and saml * updated readme
2025-02-25 18:55:24 -06:00 · 2024-07-08 08:16:09 +02:00 · 2024-07-08 08:16:09 +02:00 · 4e32da62fa
commit 4e32da62fa
parent db45c0132e
7 changed files with 2185 additions and 2319 deletions
--- a/server/Makefile
+++ b/server/Makefile
@ -163,6 +163,8 @@ else
  ALL_PACKAGES=$(TE_PACKAGES)
 endif

+CONFIG_FILE_PATH ?= ./config/config.json
+
 all: run ## Alias for 'run'.

 -include config.override.mk
@ -648,38 +650,39 @@ run-job-server: ## Runs the background job server.
 config-ldap: ## Configures LDAP.
 	@echo Setting up configuration for local LDAP

-	@sed -i'' -e 's|"LdapServer": ".*"|"LdapServer": "localhost"|g' ../config/config.json
-	@sed -i'' -e 's|"BaseDN": ".*"|"BaseDN": "dc=mm,dc=test,dc=com"|g' ../config/config.json
-	@sed -i'' -e 's|"BindUsername": ".*"|"BindUsername": "cn=admin,dc=mm,dc=test,dc=com"|g' ../config/config.json
-	@sed -i'' -e 's|"BindPassword": ".*"|"BindPassword": "mostest"|g' ../config/config.json
-	@sed -i'' -e 's|"UserFilter": ".*"|"UserFilter": ""|g' ../config/config.json
-	@sed -i'' -e 's|"GroupFilter": ".*"|"GroupFilter": ""|g' ../config/config.json
-	@sed -i'' -e 's|"GuestFilter": ".*"|"GuestFilter": ""|g' ../config/config.json
-	@sed -i'' -e 's|"FirstNameAttribute": ".*"|"FirstNameAttribute": "cn"|g' ../config/config.json
-	@sed -i'' -e 's|"LastNameAttribute": ".*"|"LastNameAttribute": "sn"|g' ../config/config.json
-	@sed -i'' -e 's|"NicknameAttribute": ".*"|"NicknameAttribute": "cn"|g' ../config/config.json
-	@sed -i'' -e 's|"PositionAttribute": ".*"|"PositionAttribute": "title"|g' ../config/config.json
-	@sed -i'' -e 's|"EmailAttribute": ".*"|"EmailAttribute": "mail"|g' ../config/config.json
-	@sed -i'' -e 's|"UsernameAttribute": ".*"|"UsernameAttribute": "uid"|g' ../config/config.json
-	@sed -i'' -e 's|"IdAttribute": ".*"|"IdAttribute": "uid"|g' ../config/config.json
-	@sed -i'' -e 's|"LoginIdAttribute": ".*"|"LoginIdAttribute": "uid"|g' ../config/config.json
-	@sed -i'' -e 's|"GroupDisplayNameAttribute": ".*"|"GroupDisplayNameAttribute": "cn"|g' ../config/config.json
-	@sed -i'' -e 's|"GroupIdAttribute": ".*"|"GroupIdAttribute": "entryUUID"|g' ../config/config.json
+	# Check if jq is installed
+	@jq --version > /dev/null 2>&1 || (echo "jq is not installed. Please install jq to continue." && exit 1)
+
+	TMPDIR=$(mktemp -d)
+	jq --slurp '.[0] * .[1]' ${CONFIG_FILE_PATH} build/docker/keycloak/ldap.mmsettings.json > ${TMPDIR}/config.json
+	cp ${TMPDIR}/config.json ${CONFIG_FILE_PATH}
+	rm ${TMPDIR}/config.json

 config-saml: ## Configures SAML.
 	@echo Setting up configuration for local SAML with keycloak, please ensure your keycloak is running on http://localhost:8484

-	@cp build/docker/keycloak/keycloak.crt ../config/saml-idp.crt
+	# Check if jq is installed
+	@jq --version > /dev/null 2>&1 || (echo "jq is not installed. Please install jq to continue." && exit 1)

-	@sed -i'' -e 's|"Verify": true|"Verify": false|g' ../config/config.json
-	@sed -i'' -e 's|"Encrypt": true|"Encrypt": false|g' ../config/config.json
-	@sed -i'' -e 's|"SignRequest": true|"SignRequest": false|g' ../config/config.json
-	@sed -i'' -e 's|"IdpURL": ".*"|"IdpURL": "http://localhost:8484/realms/mattermost/protocol/saml"|g' ../config/config.json
-	@sed -i'' -e 's|"IdpDescriptorURL": ".*"|"IdpDescriptorURL": "http://localhost:8484/realms/mattermost"|g' ../config/config.json
-	@sed -i'' -e 's|"IdpMetadataURL": ".*"|"IdpMetadataURL": "http://localhost:8484/realms/mattermost/protocol/saml/descriptor"|g' ../config/config.json
-	@sed -i'' -e 's|"ServiceProviderIdentifier": ".*"|"ServiceProviderIdentifier": "mattermost"|g' ../config/config.json
-	@sed -i'' -e 's|"AssertionConsumerServiceURL": ".*"|"AssertionConsumerServiceURL": "http://localhost:8065/login/sso/saml"|g' ../config/config.json
-	@sed -i'' -e 's|"IdpCertificateFile": ".*"|"IdpCertificateFile": "saml-idp.crt"|g' ../config/config.json
+	@cp build/docker/keycloak/keycloak.crt ./config/saml-idp.crt
+
+	TMPDIR=$(mktemp -d)
+	jq --slurp '.[0] * .[1]' ${CONFIG_FILE_PATH} build/docker/keycloak/saml.mmsettings.json > ${TMPDIR}/config.json
+	cp ${TMPDIR}/config.json ${CONFIG_FILE_PATH}
+	rm ${TMPDIR}/config.json
+
+config-openid: ## Configures OpenID.
+	@echo Setting up configuration for local OpenID with keycloak, please ensure your keycloak is running on http://localhost:8484
+
+	# Check if jq is installed
+	@jq --version > /dev/null 2>&1 || (echo "jq is not installed. Please install jq to continue." && exit 1)
+
+	TMPDIR=$(mktemp -d)
+	jq --slurp '.[0] * .[1]' ${CONFIG_FILE_PATH} build/docker/keycloak/openid.mmsettings.json > ${TMPDIR}/config.json
+	cp ${TMPDIR}/config.json ${CONFIG_FILE_PATH}
+	rm ${TMPDIR}/config.json
+
+	@echo Finished setting up configuration for local OpenID with keycloak

 config-reset: ## Resets the config/config.json file to the default production values.
 	@echo Resetting configuration to production default
--- a/server/build/docker-compose.common.yml
+++ b/server/build/docker-compose.common.yml
@ -116,7 +116,7 @@ services:
      KC_HOSTNAME_STRICT_HTTPS: 'false'
      KC_HTTP_ENABLED: 'true'
    volumes:
-     - "./docker/keycloak:/opt/keycloak/data/import"
+     - "./docker/keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json"
  prometheus:
    image: "prom/prometheus:v2.46.0"
    user: root
--- a/server/build/docker/keycloak/README.md
+++ b/server/build/docker/keycloak/README.md
@ -1,12 +1,39 @@
-Overwrite your SamlSettings section in your config.json file by running `make config-saml` and restarting your server. You will need to set the following `SamlSettings` in order to complete the setup:
- Enable: true
- FirstNameAttribute: "givenName"
- LastNameAttribute: "surname"
+# Keycloak development environment

-Admin Login:
- admin/admin
+## Setting up

-Users:
- homer/password
- marge/password
- lisa/password
+### OpenID
+
+Overwrite your `OpenIdSettings` section in your config.json file by running `make config-openid` and restarting your server.
+
+- [Official OpenID with Keycloak documentation](https://docs.mattermost.com/onboard/sso-openidconnect.html)
+
+### SAML
+
+Overwrite your `SamlSettings` section in your config.json file by running `make config-saml` and restarting your server.
+
+- [Official SAML with Keycloak documentation](https://docs.mattermost.com/onboard/sso-saml-keycloak.html)
+
+### LDAP
+
+Overwrite your `LdapSettings` section in your config.json file by running `make config-ldap` and restarting your server.
+
+- [Official LDAP with Keycloak documentation](https://docs.mattermost.com/onboard/ad-ldap.html)
+
+## Credentials to log in
+
+- **Admin account**, used to log in to the Keycloak Admin UI:
+  - `admin`/`admin`
+
+- **User accounts**, used to log in to Mattermost:
+  - `homer`/`password`
+  - `marge`/`password`
+  - `lisa`/`password`
+
+## Updating the `realm-export.json`
+
+The `realm-export.json` file is automatically imported by the keycloak development container. If you make any modifications to this file or to the base configuration, export it by running a terminal in the container and running:
+
+```bash
+/opt/keycloak/bin/kc.sh export --realm mattermost --users realm_file --file /opt/keycloak/data/import/realm-export.json
+```
--- a/server/build/docker/keycloak/ldap.mmsettings.json
+++ b/server/build/docker/keycloak/ldap.mmsettings.json
@ -0,0 +1,39 @@
+{
+    "LdapSettings": {
+        "Enable": true,
+        "EnableSync": false,
+        "LdapServer": "localhost",
+        "LdapPort": 389,
+        "ConnectionSecurity": "",
+        "BaseDN": "dc=mm,dc=test,dc=com",
+        "BindUsername": "cn=admin,dc=mm,dc=test,dc=com",
+        "BindPassword": "mostest",
+        "UserFilter": "",
+        "GroupFilter": "",
+        "GuestFilter": "",
+        "EnableAdminFilter": false,
+        "AdminFilter": "",
+        "GroupDisplayNameAttribute": "cn",
+        "GroupIdAttribute": "entryUUID",
+        "FirstNameAttribute": "cn",
+        "LastNameAttribute": "sn",
+        "EmailAttribute": "mail",
+        "UsernameAttribute": "uid",
+        "NicknameAttribute": "cn",
+        "IdAttribute": "uid",
+        "PositionAttribute": "title",
+        "LoginIdAttribute": "uid",
+        "PictureAttribute": "",
+        "SyncIntervalMinutes": 60,
+        "SkipCertificateVerification": false,
+        "PublicCertificateFile": "",
+        "PrivateKeyFile": "",
+        "QueryTimeout": 60,
+        "MaxPageSize": 0,
+        "LoginFieldName": "",
+        "LoginButtonColor": "#0000",
+        "LoginButtonBorderColor": "#2389D7",
+        "LoginButtonTextColor": "#2389D7",
+        "Trace": false
+    }
+}
--- a/server/build/docker/keycloak/openid.mmsettings.json
+++ b/server/build/docker/keycloak/openid.mmsettings.json
@ -0,0 +1,14 @@
+{
+    "OpenIdSettings": {
+        "Enable": true,
+        "Secret": "9Y7dykcoA9luTC77XtXxOu9UbNx3rhj6",
+        "Id": "mattermost-openid",
+        "Scope": "profile openid email",
+        "AuthEndpoint": "",
+        "TokenEndpoint": "",
+        "UserAPIEndpoint": "",
+        "DiscoveryEndpoint": "http://localhost:8484/realms/mattermost/.well-known/openid-configuration",
+        "ButtonText": "Login using OpenID",
+        "ButtonColor": "#ffaa4c"
+    }
+}
--- a/server/build/docker/keycloak/realm-export.json
+++ b/server/build/docker/keycloak/realm-export.json
--- a/server/build/docker/keycloak/saml.mmsettings.json
+++ b/server/build/docker/keycloak/saml.mmsettings.json
@ -0,0 +1,38 @@
+{
+    "SamlSettings": {
+        "Enable": true,
+        "EnableSyncWithLdap": false,
+        "EnableSyncWithLdapIncludeAuth": false,
+        "IgnoreGuestsLdapSync": false,
+        "Verify": false,
+        "Encrypt": false,
+        "SignRequest": false,
+        "IdpURL": "http://localhost:8484/realms/mattermost/protocol/saml",
+        "IdpDescriptorURL": "http://localhost:8484/realms/mattermost",
+        "IdpMetadataURL": "http://localhost:8484/realms/mattermost/protocol/saml/descriptor",
+        "ServiceProviderIdentifier": "mattermost",
+        "AssertionConsumerServiceURL": "http://localhost:8065/login/sso/saml",
+        "SignatureAlgorithm": "RSAwithSHA1",
+        "CanonicalAlgorithm": "Canonical1.0",
+        "ScopingIDPProviderId": "",
+        "ScopingIDPName": "",
+        "IdpCertificateFile": "saml-idp.crt",
+        "PublicCertificateFile": "",
+        "PrivateKeyFile": "",
+        "IdAttribute": "uid",
+        "GuestAttribute": "",
+        "EnableAdminAttribute": false,
+        "AdminAttribute": "",
+        "FirstNameAttribute": "givenName",
+        "LastNameAttribute": "surname",
+        "EmailAttribute": "mail",
+        "UsernameAttribute": "uid",
+        "NicknameAttribute": "cn",
+        "LocaleAttribute": "",
+        "PositionAttribute": "title",
+        "LoginButtonText": "SAML",
+        "LoginButtonColor": "#34a28b",
+        "LoginButtonBorderColor": "#2389D7",
+        "LoginButtonTextColor": "#ffffff"
+    }
+}