d7c62b15f1
- Declare a new confidential client 'eticket' (PKCE S256, standard
flow only) in the realm import JSON for fresh installs.
- Add a generic ensure_client helper to sync.sh that creates a
client with sane defaults if missing, then applies the URIs via
set_client_uris on every run for idempotent reconciliation.
- Wire the new client up with its four redirect URIs:
https://ticket.e-cosplay.fr/api/auth/login/sso/validate
https://cos.local/api/auth/login/sso/validate
https://ticket.e-cosplay.fr/connection/sso/check
https://cos.local/connection/sso/check
and matching webOrigins / post-logout URIs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
240 lines
8.7 KiB
Bash
Executable File
240 lines
8.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# =============================================================
|
|
# E-Cosplay Keycloak — idempotent sync script
|
|
# =============================================================
|
|
# Run by the keycloak-init container on every `docker compose up`.
|
|
# Fully idempotent: re-running only applies missing config.
|
|
#
|
|
# Re-sync after editing this file:
|
|
# docker compose up -d keycloak-init --force-recreate
|
|
#
|
|
# Required env vars (set in docker-compose.yml):
|
|
# KC_SERVER, KC_ADMIN, KC_ADMIN_PASSWORD
|
|
# SMTP_HOST, SMTP_PORT, SMTP_FROM, SMTP_FROM_DISPLAY_NAME,
|
|
# SMTP_USER, SMTP_PASSWORD
|
|
# LOGIN_THEME
|
|
# ECOSPLAY_GROUPS (space-separated list)
|
|
# ADMIN_USER_USERNAME, ADMIN_USER_PASSWORD,
|
|
# ADMIN_USER_FIRSTNAME, ADMIN_USER_LASTNAME
|
|
# =============================================================
|
|
|
|
set -euo pipefail
|
|
|
|
KC=/opt/keycloak/bin/kcadm.sh
|
|
|
|
log() { printf '\n\033[1;36m== %s ==\033[0m\n' "$*"; }
|
|
info() { printf ' %s\n' "$*"; }
|
|
warn() { printf ' \033[1;33m! %s\033[0m\n' "$*"; }
|
|
|
|
# -------------------------------------------------------------
|
|
# Wait for Keycloak and authenticate
|
|
# -------------------------------------------------------------
|
|
log "Waiting for Keycloak at ${KC_SERVER}"
|
|
until $KC config credentials \
|
|
--server "$KC_SERVER" \
|
|
--realm master \
|
|
--user "$KC_ADMIN" \
|
|
--password "$KC_ADMIN_PASSWORD" >/dev/null 2>&1; do
|
|
info "not ready yet, retrying in 5s..."
|
|
sleep 5
|
|
done
|
|
info "Keycloak ready."
|
|
|
|
# -------------------------------------------------------------
|
|
# Helpers
|
|
# -------------------------------------------------------------
|
|
realm_exists() {
|
|
$KC get "realms/$1" >/dev/null 2>&1
|
|
}
|
|
|
|
user_id() {
|
|
# $1 = realm, $2 = username
|
|
$KC get users -r "$1" -q username="$2" --fields id 2>/dev/null \
|
|
| sed -n 's/.*"id"[ ]*:[ ]*"\([^"]*\)".*/\1/p' \
|
|
| head -n1
|
|
}
|
|
|
|
group_id() {
|
|
# $1 = realm, $2 = group name (top level only)
|
|
$KC get "group-by-path/$2" -r "$1" --fields id 2>/dev/null \
|
|
| sed -n 's/.*"id"[ ]*:[ ]*"\([^"]*\)".*/\1/p' \
|
|
| head -n1
|
|
}
|
|
|
|
ensure_group() {
|
|
# $1 = realm, $2 = group name
|
|
if [ -n "$(group_id "$1" "$2")" ]; then
|
|
info "= group $2 ($1)"
|
|
else
|
|
$KC create groups -r "$1" -s name="$2" >/dev/null
|
|
info "+ group $2 ($1)"
|
|
fi
|
|
}
|
|
|
|
ensure_user() {
|
|
# $1=realm $2=username $3=password $4=firstname $5=lastname
|
|
if [ -n "$(user_id "$1" "$2")" ]; then
|
|
info "= user $2 ($1)"
|
|
return
|
|
fi
|
|
$KC create users -r "$1" \
|
|
-s username="$2" \
|
|
-s email="$2" \
|
|
-s firstName="$4" \
|
|
-s lastName="$5" \
|
|
-s enabled=true \
|
|
-s emailVerified=true \
|
|
-s 'requiredActions=["CONFIGURE_TOTP"]' >/dev/null
|
|
$KC set-password -r "$1" --username "$2" --new-password "$3"
|
|
info "+ user $2 ($1)"
|
|
}
|
|
|
|
ensure_user_in_group() {
|
|
# $1=realm $2=username $3=group
|
|
local uid gid
|
|
uid=$(user_id "$1" "$2")
|
|
gid=$(group_id "$1" "$3")
|
|
if [ -z "$uid" ]; then warn "skip group bind: user $2 missing in $1"; return; fi
|
|
if [ -z "$gid" ]; then warn "skip group bind: group $3 missing in $1"; return; fi
|
|
$KC update "users/$uid/groups/$gid" -r "$1" -n >/dev/null 2>&1 || true
|
|
info " $2 -> group $3 ($1)"
|
|
}
|
|
|
|
ensure_user_realm_role() {
|
|
# $1=realm $2=username $3=role
|
|
$KC add-roles -r "$1" --uusername "$2" --rolename "$3" >/dev/null 2>&1 || true
|
|
info " $2 -> realm role $3 ($1)"
|
|
}
|
|
|
|
ensure_user_client_role() {
|
|
# $1=realm $2=username $3=client $4=role
|
|
$KC add-roles -r "$1" --uusername "$2" --cclientid "$3" --rolename "$4" >/dev/null 2>&1 || true
|
|
info " $2 -> client role $3/$4 ($1)"
|
|
}
|
|
|
|
client_internal_id() {
|
|
# $1=realm $2=clientId
|
|
$KC get clients -r "$1" -q clientId="$2" --fields id 2>/dev/null \
|
|
| sed -n 's/.*"id"[ ]*:[ ]*"\([^"]*\)".*/\1/p' \
|
|
| head -n1
|
|
}
|
|
|
|
rename_client() {
|
|
# $1=realm $2=oldClientId $3=newClientId
|
|
local cid
|
|
cid=$(client_internal_id "$1" "$2")
|
|
if [ -n "$cid" ]; then
|
|
$KC update "clients/$cid" -r "$1" -s "clientId=$3" >/dev/null
|
|
info " renamed client $2 -> $3 ($1)"
|
|
fi
|
|
}
|
|
|
|
set_client_uris() {
|
|
# $1=realm $2=clientId $3=redirectUris(json) $4=webOrigins(json) $5=postLogoutUris(##-separated)
|
|
local cid
|
|
cid=$(client_internal_id "$1" "$2")
|
|
if [ -z "$cid" ]; then
|
|
warn "client $2 not found in $1, skipping URI sync"
|
|
return
|
|
fi
|
|
$KC update "clients/$cid" -r "$1" \
|
|
-s "redirectUris=$3" \
|
|
-s "webOrigins=$4" \
|
|
-s "attributes.\"post.logout.redirect.uris\"=$5" >/dev/null
|
|
info " client $2 URIs synced ($1)"
|
|
}
|
|
|
|
ensure_client() {
|
|
# $1=realm $2=clientId $3=name $4=description $5=secret
|
|
# $6=redirectUris(json) $7=webOrigins(json) $8=postLogoutUris(##-separated)
|
|
if [ -n "$(client_internal_id "$1" "$2")" ]; then
|
|
info "= client $2 ($1)"
|
|
return
|
|
fi
|
|
$KC create clients -r "$1" \
|
|
-s "clientId=$2" \
|
|
-s "name=$3" \
|
|
-s "description=$4" \
|
|
-s 'protocol=openid-connect' \
|
|
-s 'enabled=true' \
|
|
-s 'publicClient=false' \
|
|
-s "secret=$5" \
|
|
-s 'standardFlowEnabled=true' \
|
|
-s 'implicitFlowEnabled=false' \
|
|
-s 'directAccessGrantsEnabled=false' \
|
|
-s 'serviceAccountsEnabled=false' \
|
|
-s 'frontchannelLogout=true' \
|
|
-s "redirectUris=$6" \
|
|
-s "webOrigins=$7" \
|
|
-s "attributes.\"post.logout.redirect.uris\"=$8" \
|
|
-s 'attributes."pkce.code.challenge.method"=S256' >/dev/null
|
|
info "+ client $2 ($1)"
|
|
}
|
|
|
|
# =============================================================
|
|
# Master realm: SMTP, theme, locale
|
|
# =============================================================
|
|
log "Configuring master realm (SMTP, theme, locale)"
|
|
$KC update realms/master \
|
|
-s "smtpServer.host=${SMTP_HOST}" \
|
|
-s "smtpServer.port=${SMTP_PORT}" \
|
|
-s "smtpServer.from=${SMTP_FROM}" \
|
|
-s "smtpServer.fromDisplayName=${SMTP_FROM_DISPLAY_NAME}" \
|
|
-s "smtpServer.auth=true" \
|
|
-s "smtpServer.starttls=true" \
|
|
-s "smtpServer.ssl=false" \
|
|
-s "smtpServer.user=${SMTP_USER}" \
|
|
-s "smtpServer.password=${SMTP_PASSWORD}" \
|
|
-s "loginTheme=${LOGIN_THEME}" \
|
|
-s "internationalizationEnabled=true" \
|
|
-s 'supportedLocales=["fr"]' \
|
|
-s "defaultLocale=fr"
|
|
info "master realm updated"
|
|
|
|
# =============================================================
|
|
# Master realm: global Keycloak admin user
|
|
# =============================================================
|
|
log "Ensuring global Keycloak admin user in master realm"
|
|
ensure_user master "$ADMIN_USER_USERNAME" "$ADMIN_USER_PASSWORD" "$ADMIN_USER_FIRSTNAME" "$ADMIN_USER_LASTNAME"
|
|
ensure_user_realm_role master "$ADMIN_USER_USERNAME" admin
|
|
|
|
# =============================================================
|
|
# Ecosplay realm: groups + application admin user
|
|
# =============================================================
|
|
if realm_exists ecosplay; then
|
|
log "Ensuring groups on ecosplay realm"
|
|
for grp in $ECOSPLAY_GROUPS; do
|
|
ensure_group ecosplay "$grp"
|
|
done
|
|
|
|
log "Ensuring application admin user in ecosplay realm"
|
|
ensure_user ecosplay "$ADMIN_USER_USERNAME" "$ADMIN_USER_PASSWORD" "$ADMIN_USER_FIRSTNAME" "$ADMIN_USER_LASTNAME"
|
|
ensure_user_client_role ecosplay "$ADMIN_USER_USERNAME" realm-management realm-admin
|
|
ensure_user_in_group ecosplay "$ADMIN_USER_USERNAME" super_admin_asso
|
|
ensure_user_in_group ecosplay "$ADMIN_USER_USERNAME" superadmin
|
|
|
|
log "Reconciling ecosplay_web client"
|
|
# Legacy rename: dash -> underscore (if migrated from older import)
|
|
rename_client ecosplay ecosplay-web ecosplay_web
|
|
set_client_uris ecosplay ecosplay_web \
|
|
'["https://www.e-cosplay.fr/oauth/keycloak","https://cos.local/oauth/keycloak"]' \
|
|
'["https://www.e-cosplay.fr","https://cos.local"]' \
|
|
'https://www.e-cosplay.fr/*##https://cos.local/*'
|
|
|
|
log "Reconciling eticket client"
|
|
ensure_client ecosplay eticket "E-Ticket" \
|
|
"Application billetterie ticket.e-cosplay.fr" \
|
|
"change-me-in-admin-console" \
|
|
'["https://ticket.e-cosplay.fr/api/auth/login/sso/validate","https://cos.local/api/auth/login/sso/validate","https://ticket.e-cosplay.fr/connection/sso/check","https://cos.local/connection/sso/check"]' \
|
|
'["https://ticket.e-cosplay.fr","https://cos.local"]' \
|
|
'https://ticket.e-cosplay.fr/*##https://cos.local/*'
|
|
set_client_uris ecosplay eticket \
|
|
'["https://ticket.e-cosplay.fr/api/auth/login/sso/validate","https://cos.local/api/auth/login/sso/validate","https://ticket.e-cosplay.fr/connection/sso/check","https://cos.local/connection/sso/check"]' \
|
|
'["https://ticket.e-cosplay.fr","https://cos.local"]' \
|
|
'https://ticket.e-cosplay.fr/*##https://cos.local/*'
|
|
else
|
|
warn "ecosplay realm not found — will be imported on next boot"
|
|
fi
|
|
|
|
log "Sync complete"
|