feat: use kcadm.sh to configure keycloak (#5)

Author: kingluo

.github/workflows/test.yml

@@ -34,7 +34,15 @@ jobs:
 
       - name: script
         run: |
-          sudo docker run --rm --name keycloak -d -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -v $PWD/t/test-realm-keycloak-18.0.2.json:/opt/keycloak/data/import/realm.json quay.io/keycloak/keycloak:18.0.2 start-dev --import-realm
+          sudo docker run --rm --name keycloak -d -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:18.0.2 start-dev
           sleep 30
+
+          # configure keycloak for test
+          wget https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -O jq
+          chmod +x jq
+          docker cp jq keycloak:/usr/bin/
+          docker cp t/kcadm_configure.sh keycloak:/tmp/
+          docker exec keycloak bash /tmp/kcadm_configure.sh
+
           export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$PATH
           make test

Makefile

@@ -51,7 +51,6 @@ install:
 	$(INSTALL) saml.so $(INST_LIBDIR)/
 	$(INSTALL) -d $(INST_LUADIR)/resty/saml/xsd/
 	$(INSTALL) xsd/* $(INST_LUADIR)/resty/saml/xsd/
-	$(INSTALL) t/lib/keycloak.lua $(INST_LUADIR)/resty/saml/
 
 deps/:
 	luarocks install --lua-dir=$(LUAJIT_DIR) rockspec/lua-resty-saml-main-0-0.rockspec --tree=deps --only-deps --local

t/kcadm_configure.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+export PATH=/opt/keycloak/bin:$PATH
+
+kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin
+
+kcadm.sh create realms -s realm=test -s enabled=true
+
+kcadm.sh create users -r test -s username=test -s enabled=true
+kcadm.sh set-password -r test --username test --new-password test
+
+sp_cert="MIIDgjCCAmqgAwIBAgIUOnf+MXKVU2zfIVaPz5dl0NTwPM4wDQYJKoZIhvcNAQENBQAwUTELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRcwFQYDVQQKDA5sdWEtcmVzdHktc2FtbDEZMBcGA1UEAwwQc2VydmljZS1wcm92aWRlcjAgFw0xOTA1MDgwMTIyMDZaGA8yMTE4MDQxNDAxMjIwNlowUTELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRcwFQYDVQQKDA5sdWEtcmVzdHktc2FtbDEZMBcGA1UEAwwQc2VydmljZS1wcm92aWRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMLOj3YA5OGWqwV/GojID2AeuPfj3dTFOWFajXk4mc0vUBE10ovgkUfqdj2wye2Qu1ox1joFgMjaUcK/prXFBLFq+RLiR6lMUyi2PvCZ8tdYRjeYVtshNsZSZNDTJCgnguuKL+dDoSy/bTNX+ZJMnMctN1wf+Ui6Sxlcos+cTO57fOoaim+Thl26/DJHNTQXM+hJiUIuoAQlzHpuS6VBxlypIRH/RuR7+b14IO33V68MkzXI4fNi6INkfy2uEXDMT72az8j/xK+361CQAHkQDN8jbpWlRYHeirh4mygQ8QLhQkGwppmHhrUYD7BubyqXwSBSvQSyAVkfUeAaDab3ucsCAwEAAaNQME4wHQYDVR0OBBYEFPbRiK9OxGCZeNUViinNQ4P5ZOf0MB8GA1UdIwQYMBaAFPbRiK9OxGCZeNUViinNQ4P5ZOf0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQENBQADggEBAD0MvA3mk+u3CBDFwPtT9tI8HPSaYXS0HZ3EVXe4WcU3PYFpZzK0x6qr+a7mB3tbpHYXl49V7uxcIOD2aHLvKonKRRslyTiw4UvLOhSSByrArUGleI0wyr1BXAJArippiIhqrTDybvPpFC45x45/KtrckeM92NOlttlQyd2yW0qSd9gAnqkDu2kvjLlGh9ZYnT+yHPjUuWcxDL66P3za6gc+GhVOtsOemdYNAErhuxiGVNHrtq2dfSedqcxtCpavMYzyGhqzxr9Lt43fpQeXeS/7JVFoC2y9buyOz9HIbQ6/02HIoenDoP3xfqvAY1emixgbV4iwm3SWzG8pSTxvwuM="
+
+clients=("sp" "sp2")
+rootUrls=("http://127.0.0.1:8088" "http://127.0.0.2:8099")
+
+for i in ${!clients[@]}; do
+	kcadm.sh create clients -r test -s clientId=${clients[$i]} -s enabled=true
+
+	id=$(kcadm.sh get clients -r test --fields id,clientId 2>/dev/null | jq -r '.[] | select(.clientId=='\"${clients[$i]}\"') | .id')
+
+	kcadm.sh update clients/${id} -r test -s protocol=saml -s frontchannelLogout=true -s rootUrl=${rootUrls[$i]} -s 'redirectUris=["/acs"]' -s 'attributes={"saml.server.signature":"true", "saml.authnstatement":"true", "saml.signature.algorithm":"RSA_SHA256", "saml.client.signature":"true", "saml.force.post.binding":"false", "saml_single_logout_service_url_redirect":"/sls", "saml.signing.certificate":'\"${sp_cert}\"'}'
+done

t/lib/read_cert.lua

@@ -0,0 +1,29 @@
+local _M = {}
+
+local function split(text, chunk_size)
+    local s = {}
+    for i=1, #text, chunk_size do
+        s[#s+1] = text:sub(i, i + chunk_size - 1)
+    end
+    return s
+end
+
+function _M.read_cert(str)
+    local t = split(str, 64)
+    table.insert(t, 1, "-----BEGIN CERTIFICATE-----")
+    table.insert(t, "-----END CERTIFICATE-----")
+    return string.format(table.concat(t, "\n"))
+end
+
+local function read_whole_file(file)
+    local f = assert(io.open(file, "rb"))
+    local content = f:read("*all")
+    f:close()
+    return content
+end
+
+function _M.read_cert_file(file)
+    return _M.read_cert(read_whole_file(file))
+end
+
+return _M

t/saml.t

@@ -43,11 +43,9 @@ _EOC_
         end
         local sp_private_key = "-----BEGIN PRIVATE KEY-----\\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCzo92AOThlqsF\\nfxqIyA9gHrj3493UxTlhWo15OJnNL1ARNdKL4JFH6nY9sMntkLtaMdY6BYDI2lHC\\nv6a1xQSxavkS4kepTFMotj7wmfLXWEY3mFbbITbGUmTQ0yQoJ4Lrii/nQ6Esv20z\\nV/mSTJzHLTdcH/lIuksZXKLPnEzue3zqGopvk4ZduvwyRzU0FzPoSYlCLqAEJcx6\\nbkulQcZcqSER/0bke/m9eCDt91evDJM1yOHzYuiDZH8trhFwzE+9ms/I/8Svt+tQ\\nkAB5EAzfI26VpUWB3oq4eJsoEPEC4UJBsKaZh4a1GA+wbm8ql8EgUr0EsgFZH1Hg\\nGg2m97nLAgMBAAECggEBAJXT0sjadS7/97c5g8nxvMmbt32ItyOfMLusrqSuILSM\\nEBO8hpvoczSRorFd2GCr8Ty0meR0ORHBwCJ9zpV821gtQzX/7UfLmSX1zUC11u1D\\nSnYV56+PwxYTZtCpo+RyRyIrXR6MiFjnPfDAWAXqgKY8I5jqSotiJMJz2hC9UPoV\\ni56tHYXGCjtUAJrvG8FZM46TNL67nQ3ASWb5IH4cOqkgkKAJ/rZLrrMoL/HYpePr\\nn2MxlvT+TgdXebxo3rngu3pLRmLsfyV9eCLoOiP/oNAxTEA35EQQlnVfZOIEit8L\\nuvBYJYfYuXlxb96nQnOLqO/PrydwpXK9h1NtDvq3K2ECgYEA/i5ebOejoXORkFGx\\nDyYwkTczkh7QE328LSUVIiVGh4K1zFeYtj4mYYTeQMbzhlLAf9tGAZyZmvN52/ja\\niFLnI5lObNBooIfAYe3RAzUHGYraY7R1XutdOMjlP9tqjQ55y/xij/tu9qHT4fEz\\naQQPJ8D5sFbB5NgjxC8rlQ/WiLECgYEAxDNss4aMNhvL2+RTda72RMt99BS8PWEZ\\n/sdzzvu2zIJYFjBlCZ3Yd3vLhA/0MQXogMIcJofu4u2edZQVFSw4aHfnHFQCr45B\\n1QdDhZ8zoludEevgnLdSBzNakEJ63C8AQSkjIck4IaEmW+8G7fswpWGuVDBuHQZm\\nPBBcgz84CTsCgYBi8VvSWs0IYPtNyW757azEKk/J1nK605v3mtLCKu5se4YXGBYb\\nAtBf75+waYGMTRQf8RQsNnBYr+REq3ctz8+nvNqZYvsHWjCaLj/JVs//slxWqX1y\\nyH3OR+1tURUF+ZeRvxoC4CYOnWnkLscLXwgjOmw3p13snfI2QQJfEP460QKBgCzD\\nLsGmqMaPgOsiJIhs6nK3mnzdXjUCulOOXbWTaBkwg7hMQkD3ajOYYs42dZfZqTn3\\nD0UbLj1HySc6KbUy6YusD2Y/JH25DvvzNEyADd+01xkHn68hg+1wofDXugASGRTE\\ntec3aT8C7SV8WzBgZrDUoFlE01p740dA1Fp9SeORAoGBAIEa6LBIXuxb13xdOPDQ\\nFLaOQvmDCZeEwy2RAIOhG/1KGv+HYoCv0mMb4UXE1d65TOOE9QZLGUXksFfPc/ya\\nOP1vdjF/HN3DznxQ421GdPDYVIfp7edxZstNtGMYcR/SBwoIcvwaA5c2woMHbeju\\n+rbxDQL4gIT1lqn71w/8uoIJ\\n-----END PRIVATE KEY-----"
         local sp_cert = "-----BEGIN CERTIFICATE-----\\nMIIDgjCCAmqgAwIBAgIUOnf+MXKVU2zfIVaPz5dl0NTwPM4wDQYJKoZIhvcNAQEN\\nBQAwUTELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRcwFQYDVQQKDA5sdWEt\\ncmVzdHktc2FtbDEZMBcGA1UEAwwQc2VydmljZS1wcm92aWRlcjAgFw0xOTA1MDgw\\nMTIyMDZaGA8yMTE4MDQxNDAxMjIwNlowUTELMAkGA1UEBhMCVVMxDjAMBgNVBAgM\\nBVRleGFzMRcwFQYDVQQKDA5sdWEtcmVzdHktc2FtbDEZMBcGA1UEAwwQc2Vydmlj\\nZS1wcm92aWRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMLOj3YA\\n5OGWqwV/GojID2AeuPfj3dTFOWFajXk4mc0vUBE10ovgkUfqdj2wye2Qu1ox1joF\\ngMjaUcK/prXFBLFq+RLiR6lMUyi2PvCZ8tdYRjeYVtshNsZSZNDTJCgnguuKL+dD\\noSy/bTNX+ZJMnMctN1wf+Ui6Sxlcos+cTO57fOoaim+Thl26/DJHNTQXM+hJiUIu\\noAQlzHpuS6VBxlypIRH/RuR7+b14IO33V68MkzXI4fNi6INkfy2uEXDMT72az8j/\\nxK+361CQAHkQDN8jbpWlRYHeirh4mygQ8QLhQkGwppmHhrUYD7BubyqXwSBSvQSy\\nAVkfUeAaDab3ucsCAwEAAaNQME4wHQYDVR0OBBYEFPbRiK9OxGCZeNUViinNQ4P5\\nZOf0MB8GA1UdIwQYMBaAFPbRiK9OxGCZeNUViinNQ4P5ZOf0MAwGA1UdEwQFMAMB\\nAf8wDQYJKoZIhvcNAQENBQADggEBAD0MvA3mk+u3CBDFwPtT9tI8HPSaYXS0HZ3E\\nVXe4WcU3PYFpZzK0x6qr+a7mB3tbpHYXl49V7uxcIOD2aHLvKonKRRslyTiw4UvL\\nOhSSByrArUGleI0wyr1BXAJArippiIhqrTDybvPpFC45x45/KtrckeM92NOlttlQ\\nyd2yW0qSd9gAnqkDu2kvjLlGh9ZYnT+yHPjUuWcxDL66P3za6gc+GhVOtsOemdYN\\nAErhuxiGVNHrtq2dfSedqcxtCpavMYzyGhqzxr9Lt43fpQeXeS/7JVFoC2y9buyO\\nz9HIbQ6/02HIoenDoP3xfqvAY1emixgbV4iwm3SWzG8pSTxvwuM=\\n-----END CERTIFICATE-----"
-        local idp_cert = "-----BEGIN CERTIFICATE-----\\nMIIClzCCAX8CBgGCz342szANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDAR0ZXN0\\nMB4XDTIyMDgyNDEwNTM1MVoXDTMyMDgyNDEwNTUzMVowDzENMAsGA1UEAwwEdGVz\\ndDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJNr3lNFphVhJO7pbV2L\\nxlC9JzsBeK1unsxFN+v4BytN8E68uyKhgdwUZDKfU/3uGcRz5KW6zzBg2J6gH9SZ\\nGK91Q9nX0FxFHgUFseuuSrVOOg4/xHUEYUuugdM/Qjs4+j20hLo6aHrg1+VFtP8L\\n+7Sj6cG7qUMB2eWGiiMVc5nJ2cUkpjA/+qsiQhE96iC4It8pfjhfSHbMJ8oeYSNW\\nUYZ1upw1HGWN2M35gBZRwYfMcTy7H73RHPjwbqld5IILS8IW622FwnOc91WYJRid\\nY7+wBXo9nwOC56J7UQogBIlwBF6Y2gtUDkn+56xSFg5nbqZXIbJOsLpfi2kXPg/m\\n6sUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAaHyt7Wzv22pJsALI7TUYJMVMzbhU\\n7cBayGT5XvVJz303GOYqYrYGP1c9FZmov3R5/5wt1bgmAgXABiOOrRQ9kuPPRxKE\\n5LJ6rnlK6NYfPYpOMlX127Dh5b7FaArbHUHDO2omMjEQAa9jTw4pkj8BOlufe2gi\\nWIjAUYkJ1cx5+vW1DzyL7Lb8nmGZDGS0SEfhdpHhXHJ2kBN9LXmSZwQsy0e0TbE0\\nOLiSymnsfEOHzQP5HBoVJEfe+e5/Nt8eeQIfgUUZ46fw+Yg2ERcOMmU+CS8Peys1\\nkrk11jZ4dqqDi+seW6C9Q59Cp5IqDsm4G62NALfZqInY+xTMVWQ9rCL+CA==\\n-----END CERTIFICATE-----"
         local idp_uri = "http://127.0.0.1:8080/realms/test/protocol/saml"
         default_opts = {
             idp_uri = idp_uri,
-            idp_cert = idp_cert,
             login_callback_uri = "/acs",
             logout_uri = "/logout",
             logout_callback_uri = "/sls",
@@ -70,7 +68,22 @@ _EOC_
                     sp_issuer = "sp2"
                 end
                 if samls[sp_issuer] == nil then
-                    local opts = setmetatable({sp_issuer = sp_issuer}, {__index = default_opts})
+                    if idp_cert == nil then
+                        local http = require "resty.http"
+                        local httpc = http.new()
+                        local uri = "http://127.0.0.1:8080/realms/test/protocol/saml/descriptor"
+                        local res, err = httpc:request_uri(uri, { method = "GET" })
+                        if err then
+                            ngx.log(ngx.ERR, err)
+                            ngx.exit(500)
+                        end
+
+                        local read_cert = require "read_cert"
+                        local cert = res.body:match("<ds:X509Certificate>(.-)</ds:X509Certificate>")
+                        idp_cert = read_cert.read_cert(cert)
+                    end
+
+                    local opts = setmetatable({sp_issuer = sp_issuer, idp_cert = idp_cert}, {__index = default_opts})
                     ngx.log(ngx.INFO, "create sp_issuer=", sp_issuer)
                     local saml = require("resty.saml").new(opts)
                     samls[sp_issuer] = saml