[MM-56732] Update keycloak docker configs and add make command (#26313)

* updating keycloak image
---------
Co-authored-by: Mattermost Build <build@mattermost.com>
Co-authored-by: Ben Schumacher <ben.schumacher@mattermost.com>

server/Makefile

@@ -676,6 +676,21 @@ config-ldap: ## Configures LDAP.
 	@sed -i'' -e 's|"GroupDisplayNameAttribute": ".*"|"GroupDisplayNameAttribute": "cn"|g' ../config/config.json
 	@sed -i'' -e 's|"GroupIdAttribute": ".*"|"GroupIdAttribute": "entryUUID"|g' ../config/config.json
 
+config-saml: ## Configures SAML.
+	@echo Setting up configuration for local SAML with keycloak, please ensure your keycloak is running on http://localhost:8484
+
+	@cp build/docker/keycloak/keycloak.crt ../config/saml-idp.crt
+
+	@sed -i'' -e 's|"Verify": true|"Verify": false|g' ../config/config.json
+	@sed -i'' -e 's|"Encrypt": true|"Encrypt": false|g' ../config/config.json
+	@sed -i'' -e 's|"SignRequest": true|"SignRequest": false|g' ../config/config.json
+	@sed -i'' -e 's|"IdpURL": ".*"|"IdpURL": "http://localhost:8484/realms/mattermost/protocol/saml"|g' ../config/config.json
+	@sed -i'' -e 's|"IdpDescriptorURL": ".*"|"IdpDescriptorURL": "http://localhost:8484/realms/mattermost"|g' ../config/config.json
+	@sed -i'' -e 's|"IdpMetadataURL": ".*"|"IdpMetadataURL": "http://localhost:8484/realms/mattermost/protocol/saml/descriptor"|g' ../config/config.json
+	@sed -i'' -e 's|"ServiceProviderIdentifier": ".*"|"ServiceProviderIdentifier": "mattermost"|g' ../config/config.json
+	@sed -i'' -e 's|"AssertionConsumerServiceURL": ".*"|"AssertionConsumerServiceURL": "http://localhost:8065/login/sso/saml"|g' ../config/config.json
+	@sed -i'' -e 's|"IdpCertificateFile": ".*"|"IdpCertificateFile": "saml-idp.crt"|g' ../config/config.json
+
 config-reset: ## Resets the config/config.json file to the default production values.
 	@echo Resetting configuration to production default
 	rm -f config/config.json

server/build/docker-compose.common.yml

@@ -104,17 +104,19 @@ services:
     networks:
       - mm-test
   keycloak:
-    image: "jboss/keycloak:10.0.2"
+    image: "quay.io/keycloak/keycloak:23.0.7"
     restart: always
-    environment:
-      KEYCLOAK_USER: mmuser
-      KEYCLOAK_PASSWORD: mostest
-      DB_VENDOR: h2
-      KEYCLOAK_IMPORT: /setup/realm.json
+    entrypoint: /opt/keycloak/bin/kc.sh start --import-realm
     networks:
       - mm-test
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_HOSTNAME_STRICT: 'false'
+      KC_HOSTNAME_STRICT_HTTPS: 'false'
+      KC_HTTP_ENABLED: 'true'
     volumes:
-     - "./docker/keycloak:/setup"
+     - "./docker/keycloak:/opt/keycloak/data/import"
   prometheus:
     image: "prom/prometheus:v2.46.0"
     volumes:

server/build/docker/keycloak/README.md

@@ -1,61 +1,12 @@
-To use this keycloak image, we suggest you to use this configuration settings:
+Overwrite your SamlSettings section in your config.json file by running `make config-saml` and restarting your server. You will need to set the following `SamlSettings` in order to complete the setup:
+- Enable: true
+- FirstNameAttribute: "givenName"
+- LastNameAttribute: "surname"
 
-- Enable Login With SAML 2.0: `true`
-- Enable Synchronizing SAML Accounts With AD/LDAP: `true`
-- Override SAML bind data with AD/LDAP information: `false`
-- Identity Provider Metadata URL: empty string
-- SAML SSO URL: `http://localhost:8484/auth/realms/mattermost/protocol/saml`
-- Identity Provider Issuer URL: `http://localhost:8484/auth/realms/mattermost`
-- Identity Provider Public Certificate: The file `keycloak.crt` in this same directory
-- Verify Signature: `true`
-- Service Provider Login URL: `http://localhost:8065/login/sso/saml`
-- Service Provider Identifier: `http://localhost:8065/login/sso/saml`
-- Enable Encryption: `false`
-- Sign Request: `false`
-- Email Attribute: `email`
-- Username Attribute: `username`
-- Id Attribute: `id`
-- First Name Attribute: `firstName`
-- Last Name Attribute: `lastName`
+Admin Login:
+- admin/admin
 
-or overwrite your SamleSettings section with this settings in your config.json file (if you are not using
-database configuration) and restart the server:
-
-```json
-    "SamlSettings": {
-        "Enable": true,
-        "EnableSyncWithLdap": true,
-        "EnableSyncWithLdapIncludeAuth": false,
-        "IgnoreGuestsLdapSync": false,
-        "Verify": true,
-        "Encrypt": false,
-        "SignRequest": false,
-        "IdpUrl": "http://localhost:8484/auth/realms/mattermost/protocol/saml",
-        "IdpDescriptorUrl": "http://localhost:8484/auth/realms/mattermost",
-        "IdpMetadataUrl": "",
-        "ServiceProviderIdentifier": "http://localhost:8065/login/sso/saml",
-        "AssertionConsumerServiceURL": "http://localhost:8065/login/sso/saml",
-        "SignatureAlgorithm": "RSAwithSHA1",
-        "CanonicalAlgorithm": "Canonical1.0",
-        "ScopingIDPProviderId": "",
-        "ScopingIDPName": "",
-        "IdpCertificateFile": "saml-idp.crt",
-        "PublicCertificateFile": "",
-        "PrivateKeyFile": "",
-        "IdAttribute": "id",
-        "GuestAttribute": "",
-        "EnableAdminAttribute": false,
-        "AdminAttribute": "",
-        "FirstNameAttribute": "firstName",
-        "LastNameAttribute": "lastName",
-        "EmailAttribute": "email",
-        "UsernameAttribute": "username",
-        "NicknameAttribute": "",
-        "LocaleAttribute": "",
-        "PositionAttribute": "",
-        "LoginButtonText": "SAML",
-        "LoginButtonColor": "#34a28b",
-        "LoginButtonBorderColor": "#2389D7",
-        "LoginButtonTextColor": "#ffffff"
-    },
-```
+Users:
+- homer/password
+- marge/password
+- lisa/password

server/build/docker/keycloak/keycloak.crt

@@ -1,3 +1,3 @@
 -----BEGIN CERTIFICATE-----
-MIICmzCCAYMCBgFyzt0uTDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjAwNjE5MjMxMzIxWhcNMzAwNjE5MjMxNTAxWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2F7Ce+UoGvaSBtuo4ZEPASjDPl2uMK4ADcjDf9LBaVGCEu9Zs2yVIb45F27RrEMQOxph2mpBnKQQajlkIi28ABCxTgWvOhw+w8D+a6g2yphjS8hB5jAcgkw2jkHIKBfyMnjqxZRi33k+7oBhaDKosyCvThKG/QbqC293/ckvBZUJaLEoJn4s0eQoE0oQekXg0Snfhx7JqAqtvrOXtsACb5vbGGLnZIdi9SxcLDAC7mHviU2c7GQKAGVLo4aLYlJnr8by7yIEGvYmnjDx393V8XluKjc/DIsyEP9M4LmStzRRMd81DmZCOg0zx8AXVcqZCsERLOvflvX1bMM7/QtvfAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHCyf7wTY8ZrPcqWuBj6JfD9iw+45dT4ZOAIlPXL5+wwYzdA7kkSfF7GCXLyYD0U6QEB2SA0RFPXU25WfIVMbDP1OyM4oCbzEqQvAeWkTxe0P+ZWgEUfVN9jgv4N9l/oUXiHkvyZi9K1KM8oLK3j1/YSAqBx60P6iS69a49Pry4eb6ab5mZyU/Tp7Ll7wTpdFW1o/pY9GCcX8cEBhfp+Jm2sVGczIF0s/aJ69rtcK1f8wmXOgY2VKx0eQ00wSOtkHvcPPWAmZzlkpYzdPSmMjluWVusA1T4QPOj44dxB+xI62i25BKUlQpWMmKaZX4Zb6QTUAyvDZusySnwMbr20ijE=
+MIICozCCAYsCBgGNzWfMwjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDAptYXR0ZXJtb3N0MB4XDTI0MDIyMTIwNDA0OFoXDTM0MDIyMTIwNDIyOFowFTETMBEGA1UEAwwKbWF0dGVybW9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOnsgNexkO5tbKkFXN+SdMUuLHbqdjZ9/JSnKrYPHLarf8801YDDzV8wI9jjdCCgq+xtKFKWlwU2rGpjPbefDLV1m7CSu0Iq+hNxDiBdX3wkEIK98piDpx+xYGL0aAbXn3nAlqFOWQJLKLM1I65ZmK31YZeVj4Kn01W4WfsvKHoxPjLPwPTug4HB6vaQXqEpzYYYHyuJKvIYNuVwo0WQdaPRXb0poZoYzOnoB6tOFrim6B7/chqtZeXQc7h6/FejBsV59aO5uATI0aAJw1twzjCNIiOeJLB2jlLuIMR3/Yaqr8IRpRXzcRPETpisWNilhV07ZBW0YL9ZwuU4sHWy+iMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAW4I1egm+czdnnZxTtth3cjCmLg/UsalUDKSfFOLAlnbe6TtVhP4DpAl+OaQO4+kdEKemLENPmh4ddaHUjSSbbCQZo8B7IjByEe7x3kQdj2ucQpA4bh0vGZ11pVhk5HfkGqAO+UVNQsyLpTmWXQ8SEbxcw6mlTM4SjuybqaGOva1LBscI158Uq5FOVT6TJaxCt3dQkBH0tK+vhRtIM13pNZ/+SFgecn16AuVdBfjjqXynefrSihQ20BZ3NTyjs/N5J2qvSwQ95JARZrlhfiS++L81u2N/0WWni9cXmHsdTLxRrDZjz2CXBNeFOBRio74klSx8tMK27/2lxMsEC7R+DA==
 -----END CERTIFICATE-----

server/scripts/mirror-docker-images.json

@@ -16,7 +16,8 @@
     "1.4.0": "osixia/openldap:1.4.0@sha256:d5b2f2b816b25a1b57033b34f5d48c91cc3161a7d041811a9032604030bad9db"
   },
   "keycloak": {
-    "10.0.2": "quay.io/keycloak/keycloak:10.0.2@sha256:fa434fd4e96f03242295febb37fb648b9ee271315ba7380d06003b43a42b5195"
+    "10.0.2": "quay.io/keycloak/keycloak:10.0.2@sha256:fa434fd4e96f03242295febb37fb648b9ee271315ba7380d06003b43a42b5195",
+    "23.0.7": "quay.io/keycloak/keycloak:23.0.7@sha256:14e99d6f5dd0516a5bdc82537b732cb85469ecdb15ad7fe5f11ff67521544db8"
   },
   "dejavu": {
     "3.4.2": "appbaseio/dejavu:3.4.2@sha256:8f2f4d45565da53c4235495737fff3921d302955daeb2f53a433c7b0e2044951"