mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-27 08:04:14 +00:00
4f0dadbf38
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build a08b3a4d19.tar.gz \
--argstr baseRev b32a094368
result/bin/apply-formatting $NIXPKGS_PATH
193 lines
7.6 KiB
Nix
193 lines
7.6 KiB
Nix
# This tests Keycloak: it starts the service, creates a realm with an
|
|
# OIDC client and a user, and simulates the user logging in to the
|
|
# client using their Keycloak login.
|
|
|
|
let
|
|
certs = import ./common/acme/server/snakeoil-certs.nix;
|
|
frontendUrl = "https://${certs.domain}";
|
|
|
|
keycloakTest =
|
|
databaseType:
|
|
import ./make-test-python.nix (
|
|
{ pkgs, ... }:
|
|
let
|
|
initialAdminPassword = "h4Iho\"JFn't2>iQIR9";
|
|
adminPasswordFile = pkgs.writeText "admin-password" "${initialAdminPassword}";
|
|
in
|
|
{
|
|
name = "keycloak";
|
|
meta = with pkgs.lib.maintainers; {
|
|
maintainers = [ talyz ];
|
|
};
|
|
|
|
nodes = {
|
|
keycloak =
|
|
{ config, ... }:
|
|
{
|
|
virtualisation.memorySize = 2047;
|
|
|
|
security.pki.certificateFiles = [
|
|
certs.ca.cert
|
|
];
|
|
|
|
networking.extraHosts = ''
|
|
127.0.0.1 ${certs.domain}
|
|
'';
|
|
|
|
services.keycloak = {
|
|
enable = true;
|
|
settings = {
|
|
hostname = certs.domain;
|
|
};
|
|
inherit initialAdminPassword;
|
|
sslCertificate = "${certs.${certs.domain}.cert}";
|
|
sslCertificateKey = "${certs.${certs.domain}.key}";
|
|
database = {
|
|
type = databaseType;
|
|
username = "bogus";
|
|
name = "also bogus";
|
|
passwordFile = "${pkgs.writeText "dbPassword" ''wzf6\"vO"Cb\nP>p#6;c&o?eu=q'THE'''H''''E''}";
|
|
};
|
|
plugins = with config.services.keycloak.package.plugins; [
|
|
keycloak-discord
|
|
keycloak-metrics-spi
|
|
];
|
|
};
|
|
environment.systemPackages = with pkgs; [
|
|
htmlq
|
|
jq
|
|
];
|
|
};
|
|
};
|
|
|
|
testScript =
|
|
let
|
|
client = {
|
|
clientId = "test-client";
|
|
name = "test-client";
|
|
redirectUris = [ "urn:ietf:wg:oauth:2.0:oob" ];
|
|
};
|
|
|
|
user = {
|
|
firstName = "Chuck";
|
|
lastName = "Testa";
|
|
username = "chuck.testa";
|
|
email = "chuck.testa@example.com";
|
|
};
|
|
|
|
password = "password1234";
|
|
|
|
realm = {
|
|
enabled = true;
|
|
realm = "test-realm";
|
|
clients = [ client ];
|
|
users = [
|
|
(
|
|
user
|
|
// {
|
|
enabled = true;
|
|
credentials = [
|
|
{
|
|
type = "password";
|
|
temporary = false;
|
|
value = password;
|
|
}
|
|
];
|
|
}
|
|
)
|
|
];
|
|
};
|
|
|
|
realmDataJson = pkgs.writeText "realm-data.json" (builtins.toJSON realm);
|
|
|
|
jqCheckUserinfo = pkgs.writeText "check-userinfo.jq" ''
|
|
if {
|
|
"firstName": .given_name,
|
|
"lastName": .family_name,
|
|
"username": .preferred_username,
|
|
"email": .email
|
|
} != ${builtins.toJSON user} then
|
|
error("Wrong user info!")
|
|
else
|
|
empty
|
|
end
|
|
'';
|
|
in
|
|
''
|
|
keycloak.start()
|
|
keycloak.wait_for_unit("keycloak.service")
|
|
keycloak.wait_for_open_port(443)
|
|
keycloak.wait_until_succeeds("curl -sSf ${frontendUrl}")
|
|
|
|
### Realm Setup ###
|
|
|
|
# Get an admin interface access token
|
|
keycloak.succeed("""
|
|
curl -sSf -d 'client_id=admin-cli' \
|
|
-d 'username=admin' \
|
|
-d "password=$(<${adminPasswordFile})" \
|
|
-d 'grant_type=password' \
|
|
'${frontendUrl}/realms/master/protocol/openid-connect/token' \
|
|
| jq -r '"Authorization: bearer " + .access_token' >admin_auth_header
|
|
""")
|
|
|
|
# Register the metrics SPI
|
|
keycloak.succeed(
|
|
"""${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt""",
|
|
"""KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password "$(<${adminPasswordFile})" """,
|
|
"""KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'""",
|
|
"""curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'"""
|
|
)
|
|
|
|
# Publish the realm, including a test OIDC client and user
|
|
keycloak.succeed(
|
|
"curl -sSf -H @admin_auth_header -X POST -H 'Content-Type: application/json' -d @${realmDataJson} '${frontendUrl}/admin/realms/'"
|
|
)
|
|
|
|
# Generate and save the client secret. To do this we need
|
|
# Keycloak's internal id for the client.
|
|
keycloak.succeed(
|
|
"curl -sSf -H @admin_auth_header '${frontendUrl}/admin/realms/${realm.realm}/clients?clientId=${client.name}' | jq -r '.[].id' >client_id",
|
|
"curl -sSf -H @admin_auth_header -X POST '${frontendUrl}/admin/realms/${realm.realm}/clients/'$(<client_id)'/client-secret' | jq -r .value >client_secret",
|
|
)
|
|
|
|
|
|
### Authentication Testing ###
|
|
|
|
# Start the login process by sending an initial request to the
|
|
# OIDC authentication endpoint, saving the returned page. Tidy
|
|
# up the HTML (XmlStarlet is picky) and extract the login form
|
|
# post url.
|
|
keycloak.succeed(
|
|
"curl -sSf -c cookie '${frontendUrl}/realms/${realm.realm}/protocol/openid-connect/auth?client_id=${client.name}&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid+email&response_type=code&response_mode=query&nonce=qw4o89g3qqm' >login_form",
|
|
"htmlq '#kc-form-login' --attribute action --filename login_form --output form_post_url"
|
|
)
|
|
|
|
# Post the login form and save the response. Once again tidy up
|
|
# the HTML, then extract the authorization code.
|
|
keycloak.succeed(
|
|
"curl -sSf -L -b cookie -d 'username=${user.username}' -d 'password=${password}' -d 'credentialId=' \"$(<form_post_url)\" >auth_code_html",
|
|
"htmlq '#code' --attribute value --filename auth_code_html --output auth_code"
|
|
)
|
|
|
|
# Exchange the authorization code for an access token.
|
|
keycloak.succeed(
|
|
"curl -sSf -d grant_type=authorization_code -d code=$(<auth_code) -d client_id=${client.name} -d client_secret=$(<client_secret) -d redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob '${frontendUrl}/realms/${realm.realm}/protocol/openid-connect/token' | jq -r '\"Authorization: bearer \" + .access_token' >auth_header"
|
|
)
|
|
|
|
# Use the access token on the OIDC userinfo endpoint and check
|
|
# that the returned user info matches what we initialized the
|
|
# realm with.
|
|
keycloak.succeed(
|
|
"curl -sSf -H @auth_header '${frontendUrl}/realms/${realm.realm}/protocol/openid-connect/userinfo' | jq -f ${jqCheckUserinfo}"
|
|
)
|
|
'';
|
|
}
|
|
);
|
|
in
|
|
{
|
|
postgres = keycloakTest "postgresql";
|
|
mariadb = keycloakTest "mariadb";
|
|
mysql = keycloakTest "mysql";
|
|
}
|