From 681e8b4b082f0be647974b71ec713401776f27c6 Mon Sep 17 00:00:00 2001 From: Wilfried BARADAT Date: Thu, 19 Oct 2023 17:37:47 +0200 Subject: [PATCH] =?UTF-8?q?=E2=9C=A8(keycloak)=20add=20ralph=20client=20fo?= =?UTF-8?q?r=20generating=20access=20tokens?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a `ralph` client to `fun-mooc` realm, with the creation of two users. --- .circleci/config.yml | 3 ++ README.md | 12 ++++++- bin/realm | 54 +++++++++++++++++++++++++++----- data/keycloak/clients/ralph.json | 34 ++++++++++++++++++++ docker-compose.keycloak.yml | 5 +++ env.d/keycloak | 17 +++++++--- 6 files changed, 113 insertions(+), 12 deletions(-) create mode 100644 data/keycloak/clients/ralph.json diff --git a/.circleci/config.yml b/.circleci/config.yml index e288943..ce64991 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -85,6 +85,9 @@ jobs: - run: name: Create external potsie network command: docker network create potsie + - run: + name: Create external ralph network + command: docker network create ralph - run: name: Bootstrap project command: make bootstrap diff --git a/README.md b/README.md index 3677485..38be3c7 100644 --- a/README.md +++ b/README.md 
@@ -85,11 +85,21 @@ started with the project's `make run`, it can be accessed at [http://localhost:8080](http://localhost:8080). Administrator credentials are: `admin:pass`. -For now only the `potsie` client has been configured to login to grafana (see +The `potsie` client has been configured to login to grafana (see the [openfun/potsie](https://github.com/openfun/potsie) project) using a Keycloak account (it should have been created by the `make bootstrap` command). You can login to grafana using the following credentials: `grafana:funfunfun`. +The `ralph` client has been configured with the specific audience `http://localhost:8100` but it can be changed through the Keycloak interface. +Two users have been created for this client: +- `ralph_admin:funfunfun` with the scope `all` +- `ralph_learner:moocmooc` with the scope `statements/read/mine` + +To get the access token, you can use the following command: +``` +curl -X POST -d "grant_type=password" -d "client_id=ralph" -d "client_secret=bcef3562-730d-4575-9e39-63e185f99bca" -d "username=ralph_admin" -d "password=funfunfun" http://localhost:8080/auth/realms/fun-mooc/protocol/openid-connect/token +``` + ## License This work is released under the MIT license (see [LICENSE](./LICENSE)). diff --git a/bin/realm b/bin/realm index 884adc9..12ef783 100755 --- a/bin/realm +++ b/bin/realm 
@@ -6,12 +6,18 @@ set -eo pipefail export PATH="/opt/jboss/keycloak/bin/:${PATH}" declare realm="${DEFAULT_REALM_NAME}" -declare user="${TEST_USER_NAME}" -declare password="${TEST_USER_PASSWORD}" -declare email="${TEST_USER_EMAIL}" +declare potsie_user="${POTSIE_TEST_USER_NAME}" +declare potsie_password="${POTSIE_TEST_USER_PASSWORD}" +declare potsie_email="${POTSIE_TEST_USER_EMAIL}" declare client_id="${GRAFANA_CLIENT_ID}" declare client_uuid declare client_secret="${GRAFANA_CLIENT_SECRET}" +declare ralph_admin_user="${RALPH_ADMIN_TEST_USER_NAME}" +declare ralph_admin_password="${RALPH_ADMIN_TEST_USER_PASSWORD}" +declare ralph_admin_email="${RALPH_ADMIN_TEST_USER_EMAIL}" +declare ralph_learner_user="${RALPH_LEARNER_TEST_USER_NAME}" +declare ralph_learner_password="${RALPH_LEARNER_TEST_USER_PASSWORD}" +declare ralph_learner_email="${RALPH_LEARNER_TEST_USER_EMAIL}" # Server login kcadm.sh config credentials \ @@ -28,7 +34,7 @@ fi # And (re-)create it kcadm.sh create realms -s realm="${realm}" -s enabled=true -# Create a client along with its roles +# Create a potsie client along with its roles echo "Will create potsie client..." kcadm.sh create clients -r "${realm}" -f - < /tmp/config/clients/potsie.json client_uuid=$(kcadm.sh get clients -r fun-mooc --fields id -q clientId=potsie --format csv | sed 's/"//g') 
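Review bot: The six new `ralph_*` declarations take their values from `RALPH_*` environment variables with no default and no presence check, and the script runs under `set -eo pipefail` without `-u`, so a variable missing from env.d/keycloak silently becomes an empty string and only surfaces later as an opaque kcadm.sh error on `create users` or `set-password` (the renamed potsie declarations have the same gap, but the new ones double the surface). A one-line guard per required variable right after the declarations makes the failure explicit and early, e.g. `: "${ralph_admin_user:?RALPH_ADMIN_TEST_USER_NAME must be set}"` and the same for the two passwords, which are the values most likely to be left unset in a copied env file. The `kcadm.sh config credentials` command that closes the hunk continues outside it.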
@@ -37,7 +43,41 @@ kcadm.sh create "clients/${client_uuid}/roles" -r "${realm}" -s name=editor kcadm.sh create "clients/${client_uuid}/roles" -r "${realm}" -s name=viewer # Create a new user -kcadm.sh create users -r "${realm}" -s username="${user}" -s email="${email}" -s enabled=true -kcadm.sh set-password -r "${realm}" --username "${user}" --new-password "${password}" +kcadm.sh create users -r "${realm}" -s username="${potsie_user}" -s email="${potsie_email}" -s enabled=true +kcadm.sh set-password -r "${realm}" --username "${potsie_user}" --new-password "${potsie_password}" # Add role for potsie client -kcadm.sh add-roles -r "${realm}" --uusername "${user}" --cclientid "potsie" --rolename "viewer" +kcadm.sh add-roles -r "${realm}" --uusername "${potsie_user}" --cclientid "potsie" --rolename "viewer" + + +# Create a ralph client along with its roles +echo "Will create ralph client..." +kcadm.sh create clients -r "${realm}" -f - < /tmp/config/clients/ralph.json +client_uuid=$(kcadm.sh get clients -r fun-mooc --fields id -q clientId=ralph --format csv | sed 's/"//g') +kcadm.sh create "clients/${client_uuid}/roles" -r "${realm}" -s name=all +kcadm.sh create "clients/${client_uuid}/roles" -r "${realm}" -s name=all/read +kcadm.sh create "clients/${client_uuid}/roles" -r "${realm}" -s name=state +kcadm.sh create "clients/${client_uuid}/roles" -r "${realm}" -s name=statements/read +kcadm.sh create "clients/${client_uuid}/roles" -r "${realm}" -s name=statements/read/mine +kcadm.sh create "clients/${client_uuid}/roles" -r "${realm}" -s name=statements/write + +# Create an audience for this specific client +kcadm.sh create "clients/${client_uuid}/protocol-mappers/models" -r "${realm}" \ + -s name=audience-mapping \ + -s protocol=openid-connect \ + -s protocolMapper=oidc-audience-mapper \ + -s 'config."included.custom.audience"=http://localhost:8100' \ + -s 'config."access.token.claim"=true' \ + -s 'config."id.token.claim"=false' + + +# Create an admin user +kcadm.sh create 
users -r "${realm}" -s username="${ralph_admin_user}" -s email="${ralph_admin_email}" -s enabled=true
+kcadm.sh set-password -r "${realm}" --username "${ralph_admin_user}" --new-password "${ralph_admin_password}"
+# Add role for ralph user
+kcadm.sh add-roles -r "${realm}" --uusername "${ralph_admin_user}" --cclientid "ralph" --rolename "all"
+
+# Create a user that can only read its statements
+kcadm.sh create users -r "${realm}" -s username="${ralph_learner_user}" -s email="${ralph_learner_email}" -s enabled=true
+kcadm.sh set-password -r "${realm}" --username "${ralph_learner_user}" --new-password "${ralph_learner_password}"
+# Add role for ralph user
+kcadm.sh add-roles -r "${realm}" --uusername "${ralph_learner_user}" --cclientid "ralph" --rolename "statements/read/mine"
diff --git a/data/keycloak/clients/ralph.json b/data/keycloak/clients/ralph.json
new file mode 100644
index 0000000..73a96fa
--- /dev/null
+++ b/data/keycloak/clients/ralph.json
@@ -0,0 +1,34 @@
+{
+ "clientId": "ralph",
+ "name": "Ralph",
+ "description": "The ultimate toolbox for your learning analytics",
+ "enabled": true,
+ "rootUrl": "http://localhost:8100",
+ "adminUrl": "http://localhost:8100",
+ "baseUrl": "/",
+ "clientAuthenticatorType": "client-secret",
+ "secret": "bcef3562-730d-4575-9e39-63e185f99bca",
+ "redirectUris": ["http://localhost:8100/whoami"],
+ "webOrigins": ["http://localhost:8100"],
+ "standardFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "fullScopeAllowed": false,
+ "protocol": "openid-connect",
+ "publicClient": false,
+ "protocolMappers": [
+ {
+ "name": "Roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-client-role-mapper",
+ "config": {
+ "claim.name": "roles",
+ "jsonType.label": "String",
+ "usermodel.clientRoleMapping.clientId": "ralph",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "multivalued": "true"
+ }
+ }
+ ]
+ }
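Review bot: The client lookup `client_uuid=$(kcadm.sh get clients -r fun-mooc --fields id -q clientId=ralph ...)` hard-codes the realm name while every other call in the hunk uses `"${realm}"` (from `DEFAULT_REALM_NAME`); if the realm name is ever changed the query returns nothing, `client_uuid` is empty, and the following `clients//roles` and protocol-mapper calls fail or target the wrong path. Change it to `client_uuid=$(kcadm.sh get clients -r "${realm}" --fields id -q clientId=ralph --format csv | sed 's/"//g')` (the potsie line it was copied from, visible as context in the previous hunk, has the same pre-existing defect). The audience `http://localhost:8100` in `config."included.custom.audience"` is likewise hard-coded even though the README says it is meant to be changed; sourcing it from a variable such as `RALPH_AUDIENCE` in env.d/keycloak would keep `make bootstrap` reproducible instead of relying on a manual edit in the Keycloak UI that the next realm re-creation wipes out.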
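Review bot: The confidential client's secret `bcef3562-730d-4575-9e39-63e185f99bca` is committed verbatim in `"secret"` (and repeated in the README), whereas the potsie client's secret is at least declared as the `GRAFANA_CLIENT_SECRET` variable in env.d/keycloak and bin/realm; since strict JSON cannot interpolate, drop the `secret` key from this file and have bin/realm set it after creation with `kcadm.sh update "clients/${client_uuid}" -r "${realm}" -s secret="${RALPH_CLIENT_SECRET}"`, with `RALPH_CLIENT_SECRET` added next to `GRAFANA_CLIENT_SECRET` in env.d/keycloak, so rotating it never requires touching a committed fixture. `"directAccessGrantsEnabled": true` enables the resource-owner password grant the README's curl example depends on; it is acceptable for a local test realm but is deprecated by the OAuth 2.0 Security BCP and OAuth 2.1, so a short README caveat that this client definition is dev-only (real deployments should rely on the authorization-code flow via `standardFlowEnabled` or on client credentials) would stop it being imported as-is into a production realm. The `http://` `rootUrl`, `redirectUris` and `webOrigins` are consistent with a localhost fixture and would need the same caveat.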
diff --git a/docker-compose.keycloak.yml b/docker-compose.keycloak.yml index 7f2b932..2266d6b 100644 --- a/docker-compose.keycloak.yml +++ b/docker-compose.keycloak.yml @@ -15,6 +15,9 @@ services: potsie: aliases: - keycloak + ralph: + aliases: + - keycloak default: keycloak_postgres: @@ -26,3 +29,5 @@ services: networks: potsie: external: true + ralph: + external: true diff --git a/env.d/keycloak b/env.d/keycloak index 5f05a0b..c551fa1 100644 --- a/env.d/keycloak +++ b/env.d/keycloak @@ -14,10 +14,19 @@ DB_PASSWORD=password KEYCLOAK_USER=admin KEYCLOAK_PASSWORD=pass -# Potsie DEFAULT_REALM_NAME=fun-mooc -TEST_USER_NAME=grafana -TEST_USER_PASSWORD=funfunfun -TEST_USER_EMAIL=grafana@example.org + +# Potsie +POTSIE_TEST_USER_NAME=grafana +POTSIE_TEST_USER_PASSWORD=funfunfun +POTSIE_TEST_USER_EMAIL=grafana@example.org GRAFANA_CLIENT_ID=potsie GRAFANA_CLIENT_SECRET=fa9e98ee-61a1-4092-8dac-1597da0c1bb0 + +# Ralph +RALPH_ADMIN_TEST_USER_NAME=ralph_admin +RALPH_ADMIN_TEST_USER_PASSWORD=funfunfun +RALPH_ADMIN_TEST_USER_EMAIL=ralph_admin@example.org +RALPH_LEARNER_TEST_USER_NAME=ralph_learner +RALPH_LEARNER_TEST_USER_PASSWORD=moocmooc +RALPH_LEARNER_TEST_USER_EMAIL=ralph_learner@example.org
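Review bot: The new `ralph` network is declared `external: true`, so `docker compose up` will refuse to start until someone runs `docker network create ralph`; the commit teaches CircleCI to do that, but the README hunk documents only the new client and users, not the network. Unless `make bootstrap` already creates it (the Makefile is not in this diff), add the step to the README next to the existing potsie setup, e.g. `docker network create ralph` before `make bootstrap`. Aliasing this service as `keycloak` on a second shared external network also means every container attached to `ralph` can reach Keycloak, presumably including the admin console behind the `admin:pass` credentials from env.d/keycloak, which is fine for the local stack but worth a one-line comment on the `ralph:` network entry so nobody reuses the compose file with real credentials.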