From 5a6f984222d37e50c8d7c06415ba48e66f45b4ed Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Sat, 1 Jan 2022 17:46:11 +0300 Subject: refactor(ops/keycloak): Split out clients & user-sources Without some kind of physical organisation it's a little difficult to understand whether things are going "in" (supplying users to Keycloak) or "out" (getting auth/user info from Keycloak). Change-Id: I516501081e3448c81c710fcbc79cc68ad2a80f3b Reviewed-on: https://cl.tvl.fyi/c/depot/+/4762 Tested-by: BuildkiteCI Reviewed-by: Profpatsch --- ops/keycloak/clients.tf | 92 +++++++++++++++++++++++++++++++++++++ ops/keycloak/main.tf | 106 ------------------------------------------- ops/keycloak/user_sources.tf | 21 +++++++++ 3 files changed, 113 insertions(+), 106 deletions(-) create mode 100644 ops/keycloak/clients.tf create mode 100644 ops/keycloak/user_sources.tf (limited to 'ops/keycloak') diff --git a/ops/keycloak/clients.tf b/ops/keycloak/clients.tf new file mode 100644 index 000000000000..5f2fd21a3557 --- /dev/null +++ b/ops/keycloak/clients.tf @@ -0,0 +1,92 @@ +# All Keycloak clients, that is applications which authenticate +# through Keycloak. +# +# Includes first-party (i.e. TVL-hosted) and third-party clients. + +resource "keycloak_openid_client" "grafana" { + realm_id = keycloak_realm.tvl.id + client_id = "grafana" + name = "Grafana" + enabled = true + access_type = "CONFIDENTIAL" + standard_flow_enabled = true + base_url = "https://status.tvl.su" + + valid_redirect_uris = [ + "https://status.tvl.su/*", + ] +} + +resource "keycloak_openid_client" "gerrit" { + realm_id = keycloak_realm.tvl.id + client_id = "gerrit" + name = "TVL Gerrit" + enabled = true + access_type = "CONFIDENTIAL" + standard_flow_enabled = true + base_url = "https://cl.tvl.fyi" + description = "TVL's code review tool" + direct_access_grants_enabled = true + exclude_session_state_from_auth_response = false + + valid_redirect_uris = [ + "https://cl.tvl.fyi/*", + ] + + web_origins = [ + "https://cl.tvl.fyi", + ] +} + +resource "keycloak_saml_client" "buildkite" { + realm_id = keycloak_realm.tvl.id + client_id = "https://buildkite.com" + name = "Buildkite" + base_url = "https://buildkite.com/sso/tvl" + + client_signature_required = false + assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume" + + valid_redirect_uris = [ + "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume" + ] +} + +resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" { + realm_id = keycloak_realm.tvl.id + client_id = keycloak_saml_client.buildkite.id + name = "buildkite-email-mapper" + user_attribute = "email" + saml_attribute_name = "email" + saml_attribute_name_format = "Unspecified" +} + +resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" { + realm_id = keycloak_realm.tvl.id + client_id = keycloak_saml_client.buildkite.id + name = "buildkite-name-mapper" + user_attribute = "displayName" + saml_attribute_name = "name" + saml_attribute_name_format = "Unspecified" +} + +resource "keycloak_openid_client" "oauth2_proxy" { + realm_id = keycloak_realm.tvl.id + client_id = "oauth2-proxy" + name = "TVL OAuth2 Proxy" + enabled = true + access_type = "CONFIDENTIAL" + standard_flow_enabled = true + + valid_redirect_uris = [ + "https://login.tvl.fyi/oauth2/callback", + "http://localhost:4774/oauth2/callback", + ] +} + +resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" { + realm_id = keycloak_realm.tvl.id + client_id = keycloak_openid_client.oauth2_proxy.id + name = "oauth2-proxy-audience" + included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id +} diff --git a/ops/keycloak/main.tf b/ops/keycloak/main.tf index c5f8c6b6d736..819267ff96c5 100644 --- a/ops/keycloak/main.tf +++ b/ops/keycloak/main.tf @@ -32,109 +32,3 @@ resource "keycloak_realm" "tvl" { display_name = "The Virus Lounge" default_signature_algorithm = "RS256" } - -resource "keycloak_ldap_user_federation" "tvl_ldap" { - name = "tvl-ldap" - realm_id = keycloak_realm.tvl.id - enabled = true - connection_url = "ldap://localhost" - users_dn = "ou=users,dc=tvl,dc=fyi" - username_ldap_attribute = "cn" - uuid_ldap_attribute = "cn" - rdn_ldap_attribute = "cn" - full_sync_period = 86400 - trust_email = true - - user_object_classes = [ - "inetOrgPerson", - "organizationalPerson", - ] -} - -resource "keycloak_openid_client" "oauth2_proxy" { - realm_id = keycloak_realm.tvl.id - client_id = "oauth2-proxy" - name = "TVL OAuth2 Proxy" - enabled = true - access_type = "CONFIDENTIAL" - standard_flow_enabled = true - - valid_redirect_uris = [ - "https://login.tvl.fyi/oauth2/callback", - "http://localhost:4774/oauth2/callback", - ] -} - -resource "keycloak_openid_audience_protocol_mapper" "oauth2_proxy_audience" { - realm_id = keycloak_realm.tvl.id - client_id = keycloak_openid_client.oauth2_proxy.id - name = "oauth2-proxy-audience" - included_custom_audience = keycloak_openid_client.oauth2_proxy.client_id -} - -resource "keycloak_openid_client" "grafana" { - realm_id = keycloak_realm.tvl.id - client_id = "grafana" - name = "Grafana" - enabled = true - access_type = "CONFIDENTIAL" - standard_flow_enabled = true - base_url = "https://status.tvl.su" - - valid_redirect_uris = [ - "https://status.tvl.su/*", - ] -} - -resource "keycloak_openid_client" "gerrit" { - realm_id = keycloak_realm.tvl.id - client_id = "gerrit" - name = "TVL Gerrit" - enabled = true - access_type = "CONFIDENTIAL" - standard_flow_enabled = true - base_url = "https://cl.tvl.fyi" - description = "TVL's code review tool" - direct_access_grants_enabled = true - exclude_session_state_from_auth_response = false - - valid_redirect_uris = [ - "https://cl.tvl.fyi/*", - ] - - web_origins = [ - "https://cl.tvl.fyi", - ] -} - -resource "keycloak_saml_client" "buildkite" { - realm_id = keycloak_realm.tvl.id - client_id = "https://buildkite.com" - name = "Buildkite" - base_url = "https://buildkite.com/sso/tvl" - - client_signature_required = false - assertion_consumer_post_url = "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume" - - valid_redirect_uris = [ - "https://buildkite.com/sso/~/1531aca5-f49c-4151-8832-a451e758af4c/saml/consume" - ] -} - -resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_email" { - realm_id = keycloak_realm.tvl.id - client_id = keycloak_saml_client.buildkite.id - name = "buildkite-email-mapper" - user_attribute = "email" - saml_attribute_name = "email" - saml_attribute_name_format = "Unspecified" -} - -resource "keycloak_saml_user_attribute_protocol_mapper" "buildkite_name" { - realm_id = keycloak_realm.tvl.id - client_id = keycloak_saml_client.buildkite.id - name = "buildkite-name-mapper" - user_attribute = "displayName" - saml_attribute_name = "name" - saml_attribute_name_format = "Unspecified" -} diff --git a/ops/keycloak/user_sources.tf b/ops/keycloak/user_sources.tf new file mode 100644 index 000000000000..3fde6e07cc91 --- /dev/null +++ b/ops/keycloak/user_sources.tf @@ -0,0 +1,21 @@ +# All user sources, that is services from which Keycloak gets user +# information (either by accessing a system like LDAP or integration +# through protocols like OIDC). + +resource "keycloak_ldap_user_federation" "tvl_ldap" { + name = "tvl-ldap" + realm_id = keycloak_realm.tvl.id + enabled = true + connection_url = "ldap://localhost" + users_dn = "ou=users,dc=tvl,dc=fyi" + username_ldap_attribute = "cn" + uuid_ldap_attribute = "cn" + rdn_ldap_attribute = "cn" + full_sync_period = 86400 + trust_email = true + + user_object_classes = [ + "inetOrgPerson", + "organizationalPerson", + ] +} -- cgit 1.4.1