From b763f183f770a628fb9f338b8f52ba8185bccaa7 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Tue, 28 Dec 2021 15:38:33 +0300
Subject: fix(ops/keycloak): redefine buildkite client, correctly this time

This client definition was previously nonsense. What happened is that I accidentally imported the client as an OIDC client, which Keycloak accepted because apparently those are the same entities on the API level, and that ended up getting mangled into some broken hybrid shape by Terraform. This sets up the Buildkite provider again but with the correct SAML configuration this time.

Change-Id: Id7ba318984d2fcc9e2ca91ed45ccbfd227278bbe
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4731
Tested-by: BuildkiteCI
Reviewed-by: sterni
Reviewed-by: grfn
Autosubmit: tazjin
---
 ops/keycloak/main.tf | 41 ++++++++++++++++++++++++++---------------
 1 file changed, 26 insertions(+), 15 deletions(-)

diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf
index 7e9dd4b5b9..c5f8c6b6d7 100644
--- a/ops/keycloak/main.tf
+++ b/ops/keycloak/main.tf
@@ -107,23 +107,34 @@ resource "keycloak_openid_client" "gerrit" {
   ]
 }
 
-resource "keycloak_openid_client" "buildkite" {
-  realm_id = keycloak_realm.tvl.id
-  client_id = "https://buildkite.com"
-  name = "Buildkite"
-  enabled = true
-  access_type = "CONFIDENTIAL"
-  standard_flow_enabled = true
-  base_url = "https://buildkite.com/sso/tvl"
-  direct_access_grants_enabled = false
-  exclude_session_state_from_auth_response = false
-  backchannel_logout_session_required = false
+resource "keycloak_saml_client" "buildkite" {
+  realm_id = keycloak_realm.tvl.id
+  client_id = "https://buildkite.com"
+  name = "Buildkite"
+  base_url = "https://buildkite.com/sso/tvl"
+
+  client_signature_required = false
+  assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
 
   valid_redirect_uris = [
-    "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume",
+    "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume"
   ]
+}
 
-  web_origins = [
-    "https://buildkite.com",
-  ]
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" {
+  realm_id = keycloak_realm.tvl.id
+  client_id = keycloak_saml_client.buildkite.id
+  name = "buildkite-email-mapper"
+  user_attribute = "email"
+  saml_attribute_name = "email"
+  saml_attribute_name_format = "Unspecified"
+}
+
+resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" {
+  realm_id = keycloak_realm.tvl.id
+  client_id = keycloak_saml_client.buildkite.id
+  name = "buildkite-name-mapper"
+  user_attribute = "displayName"
+  saml_attribute_name = "name"
+  saml_attribute_name_format = "Unspecified"
 }
-- 
cgit 1.4.1
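Review bot: `client_signature_required = false` in the new `keycloak_saml_client` switches off verification of the service provider's AuthnRequest signature, and nothing in the hunk records why that is acceptable here. If Buildkite does not sign its requests this is the only workable setting, but it deserves a comment directly above the attribute, e.g. `# Buildkite does not sign AuthnRequests (verify against its SSO docs); assertions are still bound to the fixed ACS URL below.`, with the wording checked against what Buildkite actually does before merging. The consume URL is also repeated verbatim in `assertion_consumer_post_url` and `valid_redirect_uris`; lifting it into a single `locals` entry would keep the two from drifting apart, since a mismatch there is exactly what the redirect-URI check exists to catch. Lastly, the removed resource set `enabled = true` explicitly while the new one relies on the provider default, which is presumably `true` but worth confirming for `keycloak_saml_client`.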