Configure keycloak+uaa+oauth2-proxy with tls

Author: MarcialRosales

.gitignore

@@ -11,3 +11,4 @@ tls-gen/*
 conf/entra/rabbitmq.conf
 conf/auth0/rabbitmq.conf
 .DS_Store
+venv

Makefile

@@ -154,3 +154,6 @@ get-jwt-token: ## Get a JWT token from an authorzation server
 start-mqtt-publish: ## publish mqtt message . e.g. make start-mqtt-publish TOKEN=$(bin/jwt_token legacy-token-key private.pem public.pem)
 		@(docker run --rm -it --network rabbitmq_net ruimarinho/mosquitto mosquitto_pub \
 		  -h rabbitmq -u "" -P $(TOKEN) -t test -m hello-world)
+
+clean-certs: ## remove all auto-generated certificates from any oauth provider and rabbitmq 
+	@rm -r conf/*/certs

bin/common

@@ -1,5 +1,8 @@
 #!/usr/bin/env bash
 
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ROOT=$SCRIPT/..
+
 tabs 1
 declare -i PADDING_LEVEL=0
 declare -i STEP=1
@@ -50,33 +53,42 @@ ensure_docker_network() {
   fi
   end "$NETWORK network exists"
 }
+
 function generate-ca-server-client-kpi {
   NAME=$1
   FOLDER=$2
-  TLSGEN_FOLDER=$3
-
+  if [[ ! -f "${FOLDER}/server_${NAME}_key.pem" ]]; then
+	  do_generate-ca-server-client-kpi $1 $2
+  fi
+}
+function do_generate-ca-server-client-kpi {
+  NAME=$1
+  FOLDER=$2
   begin "Generate certs for $NAME"
 
   if [ -d "$NAME" ]; then
     end "SSL Certificates already present under $NAME. Skip SSL generation"
     return
   fi
 
-  if [ ! -d "$SCRIPT/tls-gen" ]; then
-    git clone https://github.com/michaelklishin/tls-gen $TLSGEN_FOLDER
+  if [ ! -d "$ROOT/tls-gen" ]; then
+    git clone https://github.com/michaelklishin/tls-gen $ROOT/tls-gen
   fi
 
   print "Generating CA and Server (localhost and $NAME) PKI under $FOLDER ..."
   mkdir -p $FOLDER
-  cp -r $TLSGEN_FOLDER/* $FOLDER
 
   CUR_DIR=$(pwd)
-  cd $FOLDER/basic
+  cd $ROOT/tls-gen/basic
   make CN=$NAME
-  #make PASSWORD=$PASSWORD
+  #make PASSWORD=foobar
   make verify
   make info
   cd $CUR_DIR
 
+  cp $ROOT/tls-gen/basic/result/ca_certificate.pem $FOLDER/ca_${NAME}_certificate.pem
+  cp $ROOT/tls-gen/basic/result/server_${NAME}_certificate.pem $FOLDER
+  cp $ROOT/tls-gen/basic/result/server_${NAME}_key.pem $FOLDER
+  cp $ROOT/tls-gen/basic/result/server_${NAME}.p12 $FOLDER
   end "SSL Certificates generated for $NAME under $FOLDER"
 }

bin/curl_with_token

@@ -5,4 +5,4 @@ SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 URL=${1:?First parameter must be the url to curl}
 TOKEN=${2:?Second parameter must be the token}
 
-curl -u :$TOKEN $URL
+curl -k -u :$TOKEN $URL

bin/deploy-rabbit

@@ -11,72 +11,72 @@ OAUTH_PROVIDER=${OAUTH_PROVIDER:-$MODE}
 ADVANCED=${ADVANCED:-advanced.config}
 IMAGE_TAG=${IMAGE_TAG:-4.0.2-management}
 IMAGE=${IMAGE:-rabbitmq}
+RABBITMQ_CONF=${RABBITMQ_CONF:-rabbitmq.conf}
 
-CONF_DIR=$SCRIPT/../conf/${MODE}
+if [[ "${MODE}" == "uaa" ]]; then 
+  if [[ -z "${CONF_FILES}" ]]; then 
+    CONF_FILES="rabbitmq.conf,oauth2-only.conf"
+  fi 
+fi 
 
-function generate-ca-server-client-kpi {
-  NAME=$1
+CONF_DIR=$SCRIPT/../conf/${MODE}
+CERTS_DIR=${CONF_DIR}/certs
 
-  if [ -d "$NAME" ]; then
-    echo "SSL Certificates already present under $NAME. Skip SSL generation"
-    return
+function generate-final-conf-dir {
+  FINAL_CONF_DIR=`mktemp -d -t "oauth2"`
+  if [[ -z "${CONF_FILES}" ]]; then
+    for i in $CONF_DIR/*.conf
+    do
+      cp $i $FINAL_CONF_DIR        
+    done
+    cp ${CONF_DIR}/${RABBITMQ_CONF} $FINAL_CONF_DIR 
+  else
+    for i in ${CONF_FILES//,/ }
+    do
+      cp $CONF_DIR/${i}.conf $FINAL_CONF_DIR
+    done
   fi
 
-  if [ ! -d "$SCRIPT/tls-gen" ]; then
-    git clone https://github.com/michaelklishin/tls-gen $SCRIPT/tls-gen
+}
+function generate-tls-certs-if-required {
+  if [[ -f "${CONF_DIR}/requires-tls" && ! -f "${CERTS_DIR}" ]]; then
+    generate-ca-server-client-kpi rabbitmq $CERTS_DIR       
   fi
-
-  echo "Generating CA and Server PKI under $NAME ..."
-  mkdir -p $NAME
-  cp -r $SCRIPT/tls-gen/* $NAME
-
-  CUR_DIR=$(pwd)
-  cd $NAME/basic
-  make CN=localhost
-  #make PASSWORD=$PASSWORD
-  make verify
-  make info
-  cd $CUR_DIR
 }
 
 function deploy {
-  USED_CONFIG=""
-  CERTS_DIR=${CONF_DIR}/certs
-  if [[ -f "${CONF_DIR}/requires-tls" && ! -f "${CERTS_DIR}" ]]; then
-    generate-ca-server-client-kpi $CERTS_DIR
-    cp $CERTS_DIR/basic/testca/cacert.pem $CERTS_DIR
-    cp $CERTS_DIR/basic/server_localhost/key.pem $CERTS_DIR
-    cp $CERTS_DIR/basic/server_localhost/cert.pem $CERTS_DIR
-    EXTRA_PORTS="-p 15671:15671 "
-  fi
-  EXTRA_MOUNTS="-v ${SCRIPT}/../conf/enabled_plugins:/etc/rabbitmq/enabled_plugins "
-  EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${CONF_DIR}:/conf "
+  EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${SCRIPT}/../conf/enabled_plugins:/etc/rabbitmq/enabled_plugins "
+  EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${FINAL_CONF_DIR}:/conf -v ${CERTS_DIR}:/certs "
+  USED_CONFIG="${FINAL_CONF_DIR}/*.conf "
+
+  if [[ -f "${CONF_DIR}/requires-tls" ]]; then 
+    EXTRA_PORTS="-p 15671:15671 "  
+  fi 
+  if [[ "${MODE}" == "oauth2-proxy" ]]; then 
+    EXTRA_MOUNTS="${EXTRA_MOUNTS} -v $SCRIPT/../conf/keycloak/certs:/etc/keycloak/certs "
+  fi 
 
-  if [[ -n "${CONFIG}"  &&  -f "${CONF_DIR}/${CONFIG}" ]]; then
-    USED_CONFIG="${CONF_DIR}/${CONFIG}"
-    EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${USED_CONFIG}:/etc/rabbitmq/rabbitmq.config:ro "
-  elif [ -f "${CONF_DIR}/${CONF:-rabbitmq.conf}" ]; then
-    USED_CONFIG="${CONF_DIR}/${CONF:-rabbitmq.conf}"
-    EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${USED_CONFIG}:/etc/rabbitmq/rabbitmq.conf:ro "
-  fi
   if [[ -n "${ADVANCED}"  && -f "${CONF_DIR}/${ADVANCED}"  ]]; then
     EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${CONF_DIR}/${ADVANCED}:/etc/rabbitmq/advanced.config:ro "
     USED_CONFIG="${USED_CONFIG} ${CONF_DIR}/${ADVANCED}"
   fi
 
-  docker network inspect rabbitmq_net >/dev/null 2>&1 || docker network create rabbitmq_net
-  docker rm -f rabbitmq 2>/dev/null || echo "rabbitmq was not running"
-  echo "running RabbitMQ ($IMAGE:$IMAGE_TAG) with Idp $MODE and configuration file(s) $USED_CONFIG"
+  echo "Running RabbitMQ ($IMAGE:$IMAGE_TAG) with Idp $MODE and configuration file(s) $USED_CONFIG"
   docker run -d --name rabbitmq \
       --net rabbitmq_net \
       -p 15672:15672 \
       -p 5672:5672 \
       -p 5552:5552 \
-      ${EXTRA_PORTS}\
+      --env RABBITMQ_CONFIG_FILES="/conf" \
+      ${EXTRA_PORTS} \
       ${EXTRA_MOUNTS} \
       ${IMAGE}:${IMAGE_TAG}
 }
 
+generate-final-conf-dir
+generate-tls-certs-if-required
+ensure_docker_network
+kill_container_if_exist rabbitmq
 deploy
-wait_for_message rabbitmq "Time to start RabbitMQ"
+wait_for_message rabbitmq "Starting broker... completed"
 print "RabbitMQ is running"

bin/devkeycloak/curl

@@ -9,4 +9,4 @@ CLIENT_SECRET=${3:?Third parameter must be the client_secret}
 
 ACCESS_TOKEN=$($SCRIPT/token ${CLIENT_ID} ${CLIENT_SECRET})
 
-curl -u :$ACCESS_TOKEN $URL
+curl -k -u :$ACCESS_TOKEN $URL

bin/devkeycloak/deploy

@@ -2,11 +2,15 @@
 
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 ROOT=$SCRIPT/../..
+CONF_DIR=${ROOT}/conf/multi-keycloak
+CERTS_DIR=${CONF_DIR}/certs
 
-docker network inspect rabbitmq_net >/dev/null 2>&1 || docker network create rabbitmq_net
-docker rm -f keycloak 2>/dev/null || echo "keycloak was not running"
+ensure_docker_network
+kill_container_if_exist devkeycloak
 
-echo "Running keycloack docker image ..."
+generate-ca-server-client-kpi devkeycloak $CERTS_DIR
+
+echo "Running devkeycloack docker image ..."
 
 docker run \
     --detach \
@@ -15,9 +19,12 @@ docker run \
     --publish 8443:8443 \
     --env KEYCLOAK_ADMIN=admin \
     --env KEYCLOAK_ADMIN_PASSWORD=admin \
-    --mount type=bind,source=${ROOT}/conf/multi-keycloak/dev_import/,target=/opt/keycloak/data/import/ \
-    --mount type=bind,source=${ROOT}/conf/multi-keycloak/certs/,target=/opt/keycloak/certs/ \
+    --mount type=bind,source=${CONF_DIR}/dev_import/,target=/opt/keycloak/data/import/ \
+    --mount type=bind,source=${CERTS_DIR}/,target=/opt/keycloak/certs/ \
      quay.io/keycloak/keycloak:20.0 start-dev --import-realm \
      --https-certificate-file=/opt/keycloak/certs/server_devkeycloak_certificate.pem \
      --https-certificate-key-file=/opt/keycloak/certs/server_devkeycloak_key.pem \
      --hostname=devkeycloak --hostname-admin=devkeycloak --https-port=8443
+
+wait_for_message devkeycloak "Running the server"
+print "devkeycloak is running"

bin/devkeycloak/token

@@ -4,7 +4,7 @@ set -ex
 CLIENT_ID=${1:?First parameter must be client_id}
 CLIENT_SECRET=${2:?Second parameter must be the client_secret}
 
-TOKEN=$(curl --silent --location --request POST 'http://localhost:8081/realms/dev/protocol/openid-connect/token' \
+TOKEN=$(curl -k --silent --location --request POST 'https://localhost:8443/realms/dev/protocol/openid-connect/token' \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode client_id=${CLIENT_ID} \
 --data-urlencode client_secret=${CLIENT_SECRET} \

bin/keycloak/curl

@@ -10,4 +10,4 @@ REALM=${4:?Forth parameter must be the realm}
 
 ACCESS_TOKEN=$($SCRIPT/token ${CLIENT_ID} ${CLIENT_SECRET} ${REALM})
 
-curl -u :$ACCESS_TOKEN $URL
+curl -k -u :$ACCESS_TOKEN $URL

bin/keycloak/deploy

@@ -3,17 +3,15 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 ROOT=$SCRIPT/../..
+CONF_DIR=${ROOT}/conf/keycloak
+CERTS_DIR=${CONF_DIR}/certs
 
 source $SCRIPT/../common
 
 ensure_docker_network
 kill_container_if_exist keycloak
 
-generate-ca-server-client-kpi keycloak $ROOT/conf/keycloak/certs $ROOT/tls-gen
-find $ROOT/conf/keycloak/certs  -mindepth 1 -maxdepth 1 ! -name 'basic' -type f -exec rm -f {} +
-find $ROOT/conf/keycloak/certs -mindepth 1 -maxdepth 1 ! -name "basic" -type d -exec rm -rf {} +
-cp $ROOT/conf/keycloak/certs/basic/result/* $ROOT/conf/keycloak/certs
-rm -rf $ROOT/conf/keycloak/certs/basic
+generate-ca-server-client-kpi keycloak $CERTS_DIR
 
 begin "Running keycloack docker image ..."
 
@@ -25,7 +23,10 @@ docker run \
 		--env KEYCLOAK_ADMIN=admin \
 		--env KEYCLOAK_ADMIN_PASSWORD=admin \
 		--mount type=bind,source=${ROOT}/conf/keycloak/import/,target=/opt/keycloak/data/import/ \
-        --mount type=bind,source=${ROOT}/conf/keycloak/certs/,target=/opt/keycloak/certs/ \
+        --mount type=bind,source=${CERTS_DIR}/,target=/opt/keycloak/certs/ \
 		quay.io/keycloak/keycloak:20.0 start-dev --import-realm \
         --https-certificate-file=/opt/keycloak/certs/server_keycloak_certificate.pem \
         --https-certificate-key-file=/opt/keycloak/certs/server_keycloak_key.pem
+
+wait_for_message keycloak "Running the server"
+print "keycloak is running"

bin/keycloak/token

@@ -5,8 +5,8 @@ CLIENT_ID=${1:?First parameter must be client_id}
 CLIENT_SECRET=${2:?Second parameter must be the client_secret}
 REALM=${3:?Third parameter must be the realm}
 
-URL=http://localhost:8080/realms/${REALM}/protocol/openid-connect/token
-TOKEN=$(curl $URL --silent --location --request POST  \
+URL=https://localhost:8443/realms/${REALM}/protocol/openid-connect/token
+TOKEN=$(curl -k $URL --silent --location --request POST  \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode client_id=${CLIENT_ID} \
 --data-urlencode client_secret=${CLIENT_SECRET} \

bin/oauth2-proxy/deploy

@@ -3,11 +3,21 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 ROOT=$SCRIPT/../..
+CONF_DIR=${ROOT}/conf/oauth2-proxy
+CERTS_DIR=${CONF_DIR}/certs
 
-docker network inspect rabbitmq_net >/dev/null 2>&1 || docker network create rabbitmq_net
+source $SCRIPT/../common
+
+ensure_docker_network
 docker-compose -f $ROOT/conf/oauth2-proxy/compose.yml down 2>/dev/null || echo "oauth2-proxy was not running"
+generate-ca-server-client-kpi oauth2-proxy $CERTS_DIR
 
 echo "Running oauth2-proxy docker image ..."
 
-export OAUTH2_PROXY_COOKIE_SECRET=`python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("ascii"))'`
-docker-compose -f $ROOT/conf/oauth2-proxy/compose.yml up
+export OAUTH2_PROXY_COOKIE_SECRET=`dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_' ; echo`
+docker-compose -f $ROOT/conf/oauth2-proxy/compose.yml up -d
+
+wait_for_message oauth2-proxy-oauth2-proxy-1 "Cookie settings"
+print "oauth2-proxy is running"
+
+

bin/prodkeycloak/curl

@@ -8,4 +8,4 @@ CLIENT_ID=${2:?Second parameter must be client_id}
 CLIENT_SECRET=${3:?Third parameter must be the client_secret}
 ACCESS_TOKEN=$($SCRIPT/token ${CLIENT_ID} ${CLIENT_SECRET})
 
-curl -u :$ACCESS_TOKEN $URL
+curl -k -u :$ACCESS_TOKEN $URL

bin/prodkeycloak/deploy

@@ -2,11 +2,15 @@
 
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 ROOT=$SCRIPT/../..
+CONF_DIR=${ROOT}/conf/multi-keycloak
+CERTS_DIR=${CONF_DIR}/certs
 
-docker network inspect rabbitmq_net >/dev/null 2>&1 || docker network create rabbitmq_net
-docker rm -f keycloak 2>/dev/null || echo "keycloak was not running"
+ensure_docker_network
+kill_container_if_exist prodkeycloak
 
-echo "Running keycloack docker image ..."
+generate-ca-server-client-kpi prodkeycloak $CERTS_DIR
+
+echo "Running prodkeycloak docker image ..."
 
 docker run \
     --detach \
@@ -15,9 +19,12 @@ docker run \
     --publish 8442:8442 \
     --env KEYCLOAK_ADMIN=admin \
     --env KEYCLOAK_ADMIN_PASSWORD=admin \
-    --mount type=bind,source=${ROOT}/conf/multi-keycloak/prod_import/,target=/opt/keycloak/data/import/ \
-    --mount type=bind,source=${ROOT}/conf/multi-keycloak/certs/,target=/opt/keycloak/certs/ \
+    --mount type=bind,source=${CONF_DIR}/prod_import/,target=/opt/keycloak/data/import/ \
+    --mount type=bind,source=${CERTS_DIR}/,target=/opt/keycloak/certs/ \
       quay.io/keycloak/keycloak:20.0 start-dev --import-realm \
      --https-certificate-file=/opt/keycloak/certs/server_prodkeycloak_certificate.pem \
      --https-certificate-key-file=/opt/keycloak/certs/server_prodkeycloak_key.pem \
      --hostname=prodkeycloak --hostname-admin=prodkeycloak --https-port=8442
+
+wait_for_message prodkeycloak "Running the server"
+print "prodkeycloak is running"

bin/prodkeycloak/token

@@ -4,7 +4,7 @@ set -ex
 CLIENT_ID=${1:?First parameter must be client_id}
 CLIENT_SECRET=${2:?Second parameter must be the client_secret}
 
-TOKEN=$(curl --silent --location --request POST 'http://localhost:8082/realms/prod/protocol/openid-connect/token' \
+TOKEN=$(curl -k --silent --location --request POST 'https://localhost:8442/realms/prod/protocol/openid-connect/token' \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode client_id=${CLIENT_ID} \
 --data-urlencode client_secret=${CLIENT_SECRET} \

bin/run-perftest

@@ -6,6 +6,8 @@ if [  -z "$TOKEN" ]; then
   echo "Getting token from UAA ..."
   TOKEN=$(uaac context $CLIENT_ID | awk '/access_token/ { print $2}')
 fi
+echo "Using token ${TOKEN}"
+
 url="amqp://:$TOKEN@rabbitmq:5672/%2F"
 
 shift 1

bin/uaa/curl_url

@@ -6,4 +6,4 @@ URL=${2:?Second parameter must be the url to curl}
 token=$(uaac context $CONTEXT | awk '/access_token/ { print $2}')
 echo "token => $token"
 
-curl -u :$token $URL
+curl -k -u :$token $URL