diff --git a/.env b/.env
index 803b0a30..57db476f 100644
--- a/.env
+++ b/.env
@@ -1,4 +1,12 @@
 # This is the docker-compose environment file.
 # Copy it to .env or use --env-file=env.example on docker-compose command.
-REGISTRY=quay.io/ftrivino
+# REGISTRY=quay.io/ftrivino
+# REGISTRY=localhost/sssd
+REGISTRY=quay.io/sssd
 TAG=latest
+
+#PLUGIN_TAG=kc19_intg
+PLUGIN_TAG=http_https
+PLUGIN_VER=0.0.1
+PLUGIN_DIR=scim-keycloak-user-storage-spi-${PLUGIN_TAG}
+PLUGIN_JAR=scim-user-spi-0.0.1-SNAPSHOT.jar
diff --git a/.gitignore b/.gitignore
index 2148630a..a4ad989c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,9 @@ src/ipa-tuura/scimv2bridge/migrations/
 # In-tree build files
 *~
+
+# env files with secrets
+env.secrets
+
+# keycloak container plugin files
+data/keycloak
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..cd82d712
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,44 @@
+include .env
+
+up: datadir plugin
+ docker-compose up --detach --no-recreate
+
+up-gating:
+ docker-compose -f docker-compose.gating.yaml up --no-recreate --detach
+
+up-samba:
+ docker-compose -f docker-compose.samba.yaml up --no-recreate --detach
+
+stop:
+ docker-compose stop
+
+down: stop
+ docker-compose -f docker-compose.samba.yaml \
+ -f docker-compose.gating.yaml \
+ -f docker-compose.yml down
+
+datadir:
+ifeq (,$(wildcard data/keycloak))
+ mkdir -p data/keycloak
+endif
+
+container:
+ $(MAKE) -C src
+
+plugin: datadir
+ifeq (,$(wildcard data/keycloak/$(PLUGIN_JAR)))
+ cd data/keycloak && \
+ wget https://github.com/justin-stephenson/scim-keycloak-user-storage-spi/archive/refs/heads/$(PLUGIN_TAG).tar.gz && \
+ tar zxvf $(PLUGIN_TAG).tar.gz && \
+ pushd $(PLUGIN_DIR) && \
+ mvn clean package && \
+ mv target/$(PLUGIN_JAR) ../ && \
+ chown 994:994 ../${PLUGIN_JAR}
+endif
+
+bridge:
+ source ./env.containers && \
+ bash -c "src/install/setup_bridge.sh"
+
+clean:
+ rm -rf data/keycloak/*
diff --git a/README.md b/README.md
index 7038cb61..bbc1cc55 100644
--- a/README.md
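Review bot: `PLUGIN_JAR=scim-user-spi-0.0.1-SNAPSHOT.jar` hard-codes the version that `PLUGIN_VER=0.0.1` already carries, and both compose files in this commit mount `scim-user-spi-${PLUGIN_VER}-SNAPSHOT.jar`, so bumping one variable without the other makes the Makefile build a jar the containers never load; `PLUGIN_JAR=scim-user-spi-${PLUGIN_VER}-SNAPSHOT.jar` keeps them in step, using the same `${…}` reference the file already relies on for `PLUGIN_DIR`. `TAG=latest` with the new `REGISTRY=quay.io/sssd` also leaves every image floating, which is acceptable for a throwaway rig but worth a comment, `# pin TAG to a specific build for reproducible test runs`. The commented-out alternatives for REGISTRY and PLUGIN_TAG read as scratch state; if they are meant as documented choices, a comment should say so.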
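Review bot: `plugin` fetches `archive/refs/heads/$(PLUGIN_TAG).tar.gz` — a branch head, not an immutable ref — and the output of `mvn clean package` becomes the user-storage provider that Keycloak loads, so whatever is on that branch at build time, unverified by any checksum, ends up handling user and credential data in the test realm; pin a commit or tag and verify a recorded digest before `tar zxvf`. The recipes also rely on `pushd` (here) and `source` (in `bridge`), which are bash builtins while make runs recipes under `/bin/sh` by default — add `SHELL := bash` after `include .env`, or use `cd` and `.` instead. None of the targets are declared `.PHONY`, so a file or directory named `clean`, `plugin` or `bridge` in the checkout silently turns them into no-ops. `chown 994:994` deserves a comment naming the account it stands for (presumably the Keycloak user inside the image), and that line mixes `${PLUGIN_JAR}` with the `$(...)` form used everywhere else. A pinned, verified version of the `plugin` target is sketched below; `PLUGIN_DIR` in `.env` then has to follow the same ref, because the extracted directory is named after it.
```make
SHELL := bash
.PHONY: up up-gating up-samba stop down datadir container plugin bridge clean
# … unchanged: include .env, up, up-gating, up-samba, stop, down, datadir, container …

# Immutable ref plus archive digest: a change on the upstream branch can then no
# longer alter the provider loaded into Keycloak without a deliberate bump here.
PLUGIN_REF := <pinned-commit-or-tag-placeholder>
PLUGIN_SHA256 := <sha256-of-the-archive-placeholder>

plugin: datadir
ifeq (,$(wildcard data/keycloak/$(PLUGIN_JAR)))
	cd data/keycloak && \
	wget -O $(PLUGIN_REF).tar.gz https://github.com/justin-stephenson/scim-keycloak-user-storage-spi/archive/$(PLUGIN_REF).tar.gz && \
	echo "$(PLUGIN_SHA256)  $(PLUGIN_REF).tar.gz" | sha256sum -c - && \
	tar zxvf $(PLUGIN_REF).tar.gz && \
	pushd $(PLUGIN_DIR) && \
	mvn clean package && \
	mv target/$(PLUGIN_JAR) ../ && \
	chown 994:994 ../$(PLUGIN_JAR)
endif
# … unchanged: bridge, clean …
```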
+++ b/README.md 
@@ -100,3 +100,97 @@ make html
 ```
 The generated documentation will be available at `$IPA_TUURA/doc/_build/html/` folder.
+
+
+### Testing
+
+Provided is a docker-compose.yml container based test environment. Running this
+environment on a system will provide the containers needed for testing some of the
+basic features of ipa-tuura:
+
+* ipa-tuura running SCIMv2 Bridge
+* Keycloak running with the SCIMv2 User Storage plugin
+* FreeIPA to provide IPA service
+* LDAP container to provide LDAP service
+* DNS container to provide static DNS for the test environment
+* Nextcloud to provide End to End application authentication testing
+
+
+First Install required packages needed to run container test environment:
+
+```bash
+sudo dnf -y install podman docker-compose podman-docker \
+ java-17-openjdk-headless maven dnsmasq
+```
+
+Start podman service:
+
+```bash
+sudo systemctl start podman
+```
+
+Clone this repository:
+
+```bash
+git clone https://github.com/freeipa/ipa-tuura
+cd ipa-tuura
+```
+
+Set SELinux boolean:
+
+```bash
+sudo setsebool -P container_manage_cgroup true
+```
+
+OPTIONAL: Note if you want to setup your local DNS to resolve the container
+hostnames, you can follow these steps:
+
+```bash
+sudo cp data/configs/nm_enable_dnsmasq.conf /etc/NetworkManager/conf.d/
+sudo cp data/configs/nm_zone_test.conf /etc/NetworkManager/dnsmasq.d/
+sudo systemctl disable --now systemd-resolved
+sudo mv /etc/resolv.conf /etc/resolv.conf.ipa-tuura-backup
+sudo systemctl reload NetworkManager
+```
+
+Start containers:
+
+```bash
+sudo make up
+sudo make bridge
+```
+
+Note that `make bridge` runs `src/install/setup_bridge.sh` which allows you to
+override the keycloak and/or ipa-tuura hostnames if you wish to use this elsewhere.
+To do this, just set variables before manually running the script:
+
+```bash
+export KC_HOSTNAME=
+export TUURA_HOSTNAME=
+bash src/install/setup_bridge.sh
+```
+
+Note that the container names all start with "kite-" which stands for Keycloak
+Integration Test Environment. Each container is named after the service it
+provides to make access easier.
+
+Now you can access the containers with either:
+
+```bash
+sudo podman exec -it kite- bash
+```
+
+Or for some containers, you can access with ssh. To do so, lookup IP from
+docker-compose.yml file.
+
+```bash
+ssh root@
+```
+
+To run Keycloak or IPA commands, you can alias the commands like this:
+
+```bash
+alias kcadm='sudo podman exec -it kite-keycloak /opt/keycloak/bin/kcadm.sh'
+alias ipa='sudo podman exec -it kite-ipa ipa'
+```
+
diff --git a/data/configs/dnsmasq.conf b/data/configs/dnsmasq.conf
index 477f3e34..1edf4506 100644
--- a/data/configs/dnsmasq.conf
+++ b/data/configs/dnsmasq.conf
@@ -9,19 +9,25 @@ local=/test/
 # These zones have their own DNS server
 server=/ipa.test/172.16.100.10
-server=/samba.test/172.16.100.30
 server=/ad.test/172.16.200.10
 # Add A records for LDAP and client machines
 address=/master.ldap.test/172.16.100.20
 address=/client.test/172.16.100.40
+address=/master.keycloak.test/172.16.100.70
+address=/master.nextcloud.test/172.16.100.12
+address=/master.mariadb.test/172.16.100.13
+address=/bridge.ipa.test/172.16.100.100
 # Add SRV record for LDAP
 srv-host=_ldap._tcp.ldap.test,master.ldap.test,389
 # Add PTR records for all machines
 ptr-record=10.100.16.172.in-addr.arpa,master.ipa.test
+ptr-record=12.100.16.172.in-addr.arpa,master.nextcloud.test
+ptr-record=13.100.16.172.in-addr.arpa,master.mariadb.test
 ptr-record=20.100.16.172.in-addr.arpa,master.ldap.test
-ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test
 ptr-record=40.100.16.172.in-addr.arpa,client.test
+ptr-record=70.100.16.172.in-addr.arpa,master.keycloak.test
+ptr-record=100.100.16.172.in-addr.arpa,bridge.ipa.test
 ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test
diff --git a/docker-compose.gating.yaml b/docker-compose.gating.yaml
new file mode 100644
index 00000000..e9c0c453
--- /dev/null
+++ b/docker-compose.gating.yaml
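Review bot: The `samba.test` forwarder and the `dc.samba.test` PTR are removed while the Makefile in this same commit still drives `docker-compose.samba.yaml` (`up-samba`, and `down`), so a Samba run would presumably no longer resolve its domain through this resolver; either keep the two lines or retire the samba targets together with them. The `client.test` A and PTR records are kept even though the `client` service is deleted from docker-compose.yml in this commit — harmless, but stale. Note also that `bridge.ipa.test` → 172.16.100.100 matches only docker-compose.gating.yaml; docker-compose.yml places its bridge container at 172.16.100.14 with hostname `ipa-tuura.bridge.test`, for which no record exists here.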
@@ -0,0 +1,117 @@
+services:
+ dns:
+ restart: always
+ image: ${REGISTRY}/ci-dns:${TAG}
+ container_name: dns
+ env_file: ./env.containers
+ volumes:
+ - ./data/configs/dnsmasq.conf:/etc/dnsmasq.conf
+ cap_add:
+ - NET_RAW
+ - NET_ADMIN
+ - SYS_CHROOT
+ security_opt:
+ - apparmor=unconfined
+ - label=disable
+ - seccomp=unconfined
+ networks:
+ sssd:
+ ipv4_address: 172.16.100.2
+ ipa:
+ image: ${REGISTRY}/ci-ipa:${TAG}
+ container_name: ipa
+ hostname: master.ipa.test
+ dns: 172.16.100.2
+ env_file: ./env.containers
+ volumes:
+ - ./shared:/shared:rw
+ cap_add:
+ - SYS_ADMIN
+ - SYS_PTRACE
+ - AUDIT_WRITE
+ - AUDIT_CONTROL
+ - SYS_CHROOT
+ - NET_ADMIN
+ security_opt:
+ - apparmor=unconfined
+ - label=disable
+ - seccomp=unconfined
+ networks:
+ sssd:
+ ipv4_address: 172.16.100.10
+
+ bridge:
+ #image: quay.io/idmops/bridge:latest
+ #image: localhost/ipa-tuura/base:latest
+ image: quay.io/ftrivino/bridge-prod
+ #image: quay.io/ftrivino/ipatuura-prod
+ container_name: bridge
+ hostname: bridge.ipa.test
+ dns: 172.16.100.2
+ command: /usr/sbin/httpd -DFOREGROUND
+ #command: /sbin/init
+ env_file: ./env.containers
+ volumes:
+ - ./shared:/shared:rw
+ cap_add:
+ - SYS_ADMIN
+ - SYS_PTRACE
+ - SYS_CHROOT
+ - AUDIT_WRITE
+ - AUDIT_CONTROL
+ security_opt:
+ - apparmor=unconfined
+ - label=disable
+ - seccomp=unconfined
+ ports:
+ - 8005:8000
+ - 3501:3500
+ - 4701:81
+ - 4430:443
+ networks:
+ sssd:
+ ipv4_address: 172.16.100.100
+
+ keycloak:
+ image: ${REGISTRY}/ci-keycloak:${TAG}
+ #image: quay.io/keycloak/keycloak:19.0.1
+ container_name: keycloak
+ hostname: master.keycloak.test
+ dns: 172.16.100.2
+ #command: start --auto-build
+ env_file: ./env.containers
+ volumes:
+ - ./data/keycloak/scim-user-spi-${PLUGIN_VER}-SNAPSHOT.jar:/opt/keycloak/providers/scim.jar
+ #- ./env.containers:/etc/keycloak.env
+ #- ./data/keycloak/server.crt:/opt/keycloak/conf/server.crt
+ #- ./data/keycloak/server.key:/opt/keycloak/conf/server.key
+ #- 
./data/keycloak/server.keystore:/opt/keycloak/conf/server.keystore
+ cap_add:
+ - SYS_ADMIN
+ - SYS_PTRACE
+ - SYS_CHROOT
+ - NET_ADMIN
+ - AUDIT_WRITE
+ - AUDIT_CONTROL
+ security_opt:
+ - apparmor=unconfined
+ - label=disable
+ - seccomp=unconfined
+ #ports:
+ #- 8443:8443
+ #- 8080:8080
+ #- 9090:9090
+ networks:
+ sssd:
+ ipv4_address: 172.16.100.70
+
+networks:
+ sssd:
+ name: sssd-ci
+ driver: bridge
+ ipam:
+ config:
+ - subnet: 172.16.100.0/24
+ gateway: 172.16.100.1
+ options:
+ driver: host-local
diff --git a/docker-compose.yml b/docker-compose.yml
index 401b7c30..7ea294f8 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
 dns:
 restart: always
- image: ${REGISTRY}/ci-dns:latest
+ image: ${REGISTRY}/ci-dns:${TAG}
 container_name: dns
 env_file: ./env.containers
 volumes:
@@ -14,7 +14,7 @@ services:
 - label=disable
 - seccomp=unconfined
 networks:
- sssd:
+ ipa-tuura:
 ipv4_address: 172.16.100.2
 ipa:
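Review bot: Every service here runs with `apparmor=unconfined`, `label=disable` and `seccomp=unconfined`, all but `dns` add `SYS_ADMIN`, `SYS_PTRACE` and `AUDIT_CONTROL` on top, and `bridge` additionally publishes `8005:8000`, `3501:3500`, `4701:81` and `4430:443` on all host interfaces — close to `privileged: true` reachable from the network, so a flaw in any test service carries near-host impact; the same cap_add/security_opt block is added to every service in docker-compose.yml (the three hunks that follow). Suggest a comment per service naming the capability it actually needs (systemd in the FreeIPA image is the usual reason for `SYS_ADMIN`, dnsmasq for `NET_RAW`/`NET_ADMIN`), dropping the rest, and binding the published ports to loopback, `- 127.0.0.1:8005:8000`. `bridge` also pulls the hard-coded `quay.io/ftrivino/bridge-prod` instead of `${REGISTRY}`/`${TAG}`, with three alternative images left commented out; a gating job should not depend on an individual's registry namespace, so either move the image under `${REGISTRY}` or explain in a comment why it is fixed here. The keycloak mount of `./data/keycloak/scim-user-spi-${PLUGIN_VER}-SNAPSHOT.jar` is produced by `make plugin`, but the Makefile's `up-gating` target has no `plugin` prerequisite, so on a fresh checkout the bind source does not exist when compose starts; `up-gating: datadir plugin` closes that gap.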
@@ -29,33 +29,65 @@ services:
 - SYS_ADMIN
 - SYS_PTRACE
 - AUDIT_WRITE
+ - AUDIT_CONTROL
+ - SYS_CHROOT
+ - NET_ADMIN
 security_opt:
 - apparmor=unconfined
 - label=disable
 - seccomp=unconfined
 networks:
- sssd:
+ ipa-tuura:
 ipv4_address: 172.16.100.10
+ ipa-tuura:
+ #image: quay.io/idmops/bridge:latest
+ image: localhost/ipa-tuura/base:latest
+ container_name: ipa-tuura
+ hostname: ipa-tuura.bridge.test
+ dns: 172.16.100.2
+ env_file: ./env.containers
+ volumes:
+ - ./shared:/shared:rw
+ cap_add:
+ - SYS_ADMIN
+ - SYS_PTRACE
+ - SYS_CHROOT
+ - NET_ADMIN
+ - AUDIT_WRITE
+ - AUDIT_CONTROL
+ security_opt:
+ - apparmor=unconfined
+ - label=disable
+ - seccomp=unconfined
+ networks:
+ ipa-tuura:
+ ipv4_address: 172.16.100.14
+
 keycloak:
- image: ${REGISTRY}/keycloak:${TAG}
+ image: ${REGISTRY}/ci-keycloak:${TAG}
+ #image: quay.io/keycloak/keycloak:${KC_TAG}
 container_name: keycloak
 hostname: master.keycloak.test
 dns: 172.16.100.2
 env_file: ./env.containers
 volumes:
- - ./shared:/shared:rw
+ - ./data/keycloak/scim-user-spi-${PLUGIN_VER}-SNAPSHOT.jar:/opt/keycloak/providers/scim.jar
 cap_add:
 - SYS_ADMIN
 - SYS_PTRACE
+ - SYS_CHROOT
+ - NET_ADMIN
 - AUDIT_WRITE
+ - AUDIT_CONTROL
 security_opt:
 - apparmor=unconfined
 - label=disable
 - seccomp=unconfined
 networks:
- sssd:
- ipv4_address: 172.16.100.11
+ ipa-tuura:
+ ipv4_address: 172.16.100.70
+
 nextcloud:
 image: ${REGISTRY}/nextcloud:${TAG}
 container_name: nextcloud
@@ -68,13 +100,15 @@ services:
 - SYS_ADMIN
 - SYS_PTRACE
 - AUDIT_WRITE
+ - AUDIT_CONTROL
 security_opt:
 - apparmor=unconfined
 - label=disable
 - seccomp=unconfined
 networks:
- sssd:
+ ipa-tuura:
 ipv4_address: 172.16.100.12
+
 mariadb:
 image: ${REGISTRY}/mariadb:${TAG}
 container_name: mariadb
@@ -87,13 +121,15 @@ services:
 - SYS_ADMIN
 - SYS_PTRACE
 - AUDIT_WRITE
+ - AUDIT_CONTROL
 security_opt:
 - apparmor=unconfined
 - label=disable
 - seccomp=unconfined
 networks:
- sssd:
+ ipa-tuura:
 ipv4_address: 172.16.100.13
+
 ldap:
 image: ${REGISTRY}/ci-ldap:${TAG}
 container_name: ldap
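Review bot: The new `ipa-tuura` service is given `hostname: ipa-tuura.bridge.test` at 172.16.100.14, but data/configs/dnsmasq.conf in this commit adds only `bridge.ipa.test` → 172.16.100.100 and every service resolves through 172.16.100.2, so the other containers presumably cannot resolve the bridge by name in this environment; settle on one name/address pair and use it in both files. `image: localhost/ipa-tuura/base:latest` bypasses the `${REGISTRY}`/`${TAG}` convention every other service follows, with a different image commented out above it, so a comment saying which one is intended would help. The keycloak `volumes:` bind of a single jar file deserves a line such as `# produced by make plugin; must exist as a file before compose starts, otherwise the runtime typically creates a directory here and the Makefile's wildcard check then skips the build`, since only `make up` guarantees the build order.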
@@ -103,39 +139,27 @@ services:
 volumes:
 - ./shared:/shared:rw
 cap_add:
- - SYS_PTRACE
- - AUDIT_WRITE
- security_opt:
- - apparmor=unconfined
- - label=disable
- - seccomp=unconfined
- networks:
- sssd:
- ipv4_address: 172.16.100.20
- client:
- image: ${REGISTRY}/ci-client:${TAG}
- container_name: client
- hostname: client.test
- dns: 172.16.100.2
- env_file: ./env.containers
- volumes:
- - ./shared:/shared:rw
- cap_add:
 - SYS_ADMIN
 - SYS_PTRACE
+ - SYS_CHROOT
+ - NET_ADMIN
 - AUDIT_WRITE
+ - AUDIT_CONTROL
 security_opt:
 - apparmor=unconfined
 - label=disable
 - seccomp=unconfined
 networks:
- sssd:
- ipv4_address: 172.16.100.40
+ ipa-tuura:
+ ipv4_address: 172.16.100.20
+
 networks:
- sssd:
- name: sssd-ci
+ ipa-tuura:
+ name: ipa-tuura-ci
 driver: bridge
 ipam:
 config:
 - subnet: 172.16.100.0/24
 gateway: 172.16.100.1
+ options:
+ driver: host-local
diff --git a/env.containers b/env.containers
index 87a732e7..604ae46d 100644
--- a/env.containers
+++ b/env.containers
@@ -1,2 +1,17 @@
 # Environment variables set in all started containers
 CONTAINER=yes
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=Secret123
+KC_LOG_LEVEL=TRACE,org.apache.http.wire:debug
+#KC_LOG_LEVEL=DEBUG
+KC_HOSTNAME=master.keycloak.test
+KC_HOSTNAME_PORT=8443
+KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/server.crt
+KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/server.key
+KC_HTTPS_TRUST_STORE_FILE=/opt/keycloak/conf/server.keystore
+KC_HTTPS_TRUST_STORE_PASSWORD=Secret123
+KC_HTTP_RELATIVE_PATH=/auth
+
+if [ -f env.secrets ]; then
+ source env.secrets
+fi
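Review bot: The README added in this commit says the container names "all start with kite-" and shows `sudo podman exec -it kite-keycloak …`, but `container_name:` in this file and in the gating file is bare (`ldap`, `keycloak`, `dns`), so the documented commands will not find the containers; either rename here (`container_name: kite-ldap` and so on) or correct the README. As far as the hunk alignment shows, ldap's `cap_add` grows from `SYS_PTRACE`/`AUDIT_WRITE` to six capabilities including `SYS_ADMIN` and `NET_ADMIN` while the `client` service that carried part of this block is deleted; if ldap really needs them a comment should say why, otherwise the old two-entry list is the safer default. The `client.test` records remain in dnsmasq.conf after the service removal — harmless, but stale.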
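Review bot: `KEYCLOAK_ADMIN_PASSWORD=Secret123` and `KC_HTTPS_TRUST_STORE_PASSWORD=Secret123` are committed in the file that every service in both compose files loads through `env_file: ./env.containers`, so the Keycloak admin credential is injected into dns, ipa, ldap, nextcloud and mariadb as well, and the `.gitignore` change only excludes `env.secrets`, not this file. The trailing `if [ -f env.secrets ]; then … fi` is shell syntax that compose's env_file reader does not execute (only `make bridge`, which `source`s this file, honours it), so the override never reaches the containers; keep this file as plain KEY=VALUE, move both passwords to `env.secrets`, and list it as a second `env_file:` entry on the services that need it. `KC_LOG_LEVEL=TRACE,org.apache.http.wire:debug` makes Keycloak log full request and response bodies of its Apache HTTP client — presumably the SCIM traffic to the bridge, tokens included — so it should carry a comment such as `# wire-level TRACE prints request/response bodies; debugging only`. `KC_HTTPS_CERTIFICATE_FILE` and the key/keystore paths point at /opt/keycloak/conf/server.* while the matching mounts are commented out in docker-compose.gating.yaml, so the ci-keycloak image presumably ships them — worth confirming.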