chore(ci): remove 3rd keycloak docker image (#9341)

Author: An-DJ

ci/init-plugin-test-service.sh

@@ -42,8 +42,15 @@ after() {
 
     # wait for keycloak ready
     bash -c 'while true; do curl -s localhost:8080 &>/dev/null; ret=$?; [[ $ret -eq 0 ]] && break; sleep 3; done'
-    docker cp ci/kcadm_configure_cas.sh apisix_keycloak_new:/tmp/
-    docker exec apisix_keycloak_new bash /tmp/kcadm_configure_cas.sh
+
+    # install jq
+    wget https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -O jq
+    chmod +x jq
+    docker cp jq apisix_keycloak:/usr/bin/
+
+    # configure keycloak
+    docker exec apisix_keycloak bash /tmp/kcadm_configure_cas.sh
+    docker exec apisix_keycloak bash /tmp/kcadm_configure_university.sh
 }
 
 before() {

ci/pod/docker-compose.plugin.yml

@@ -37,42 +37,26 @@ services:
     networks:
       apisix_net:
 
-
   ## keycloak
   apisix_keycloak:
-    image: sshniro/keycloak-apisix:1.0.0
-    environment:
-      KEYCLOAK_USER: admin
-      KEYCLOAK_PASSWORD: 123456
-    restart: unless-stopped
-    ports:
-      - "8090:8080"
-      - "8443:8443"
-    networks:
-      apisix_net:
-
-  ## keycloak
-  # The keycloak official has two types of docker images:
-  # * legacy WildFly distribution
-  # * new Quarkus based distribution
-  # Here we choose new version, because it's mainstream and
-  # supports kcadm.sh to init the container for test.
-  # The original keycloak service `apisix_keycloak` is
-  # third-party personal customized image and for OIDC test only.
-  # We should unify both containers in future.
-  apisix_keycloak_new:
-    container_name: apisix_keycloak_new
+    container_name: apisix_keycloak
     image: quay.io/keycloak/keycloak:18.0.2
     # use host network because in CAS auth,
     # keycloak needs to send back-channel POST to apisix.
     network_mode: host
     environment:
       KEYCLOAK_ADMIN: admin
       KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/conf/server.crt.pem
+      KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/conf/server.key.pem
     restart: unless-stopped
-    command: ["start-dev", "--http-port 8080"]
+    command: ["start-dev"]
     volumes:
       - /opt/keycloak-protocol-cas-18.0.2.jar:/opt/keycloak/providers/keycloak-protocol-cas-18.0.2.jar
+      - ./ci/pod/keycloak/server.crt.pem:/opt/keycloak/conf/server.crt.pem
+      - ./ci/pod/keycloak/server.key.pem:/opt/keycloak/conf/server.key.pem
+      - ./ci/pod/keycloak/kcadm_configure_cas.sh:/tmp/kcadm_configure_cas.sh
+      - ./ci/pod/keycloak/kcadm_configure_university.sh:/tmp/kcadm_configure_university.sh
 
   ## kafka-cluster
   zookeeper-server1:

ci/kcadm_configure_cas.sh renamed to ci/pod/keycloak/kcadm_configure_cas.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+export PATH=/opt/keycloak/bin:$PATH
+
+kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin
+
+# create realm University
+kcadm.sh create realms -s realm=University -s enabled=true
+
+# create roles `Teacher, Student`
+kcadm.sh create roles -r University -s name=Teacher
+kcadm.sh create roles -r University -s name=Student
+
+# create users `[email protected], [email protected]`
+kcadm.sh create users -r University -s [email protected] -s enabled=true
+kcadm.sh create users -r University -s [email protected] -s enabled=true
+
+# set password
+kcadm.sh set-password -r University --username [email protected] --new-password 123456
+kcadm.sh set-password -r University --username [email protected] --new-password 123456
+
+# bind roles to users
+kcadm.sh add-roles -r University --uusername [email protected] --rolename Teacher
+kcadm.sh add-roles -r University --uusername [email protected] --rolename Student
+
+# create client course_management
+kcadm.sh create clients -r University -s clientId=course_management -s enabled=true -s clientAuthenticatorType=client-secret -s secret=d1ec69e9-55d2-4109-a3ea-befa071579d5
+
+client_id=$(kcadm.sh get clients -r University --fields id,clientId 2>/dev/null | jq -r '.[] | select(.clientId=='\"course_management\"') | .id')
+teacher_id=$(kcadm.sh get roles -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"Teacher\"') | .id')
+student_id=$(kcadm.sh get roles -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"Student\"') | .id')
+
+# update client course_management
+kcadm.sh update clients/${client_id} -r University -s protocol=openid-connect -s standardFlowEnabled=true \
+  -s implicitFlowEnabled=true -s directAccessGrantsEnabled=true -s serviceAccountsEnabled=true \
+  -s authorizationServicesEnabled=true -s 'redirectUris=["*"]' -s 'webOrigins=["*"]'
+
+kcadm.sh update clients/${client_id}/authz/resource-server -r University -s allowRemoteResourceManagement=false -s policyEnforcementMode="ENFORCING"
+
+# create authz-resource with name `course_resource`, uri `/course/*`, scope `DELETE, delete, view, GET`
+kcadm.sh create clients/${client_id}/authz/resource-server/resource -r University -s name=course_resource \
+  -s ownerManagedAccess=false -s uris='["/course/*"]' -s scopes='[{"name": "DELETE"},{"name": "view"},{"name": "GET"},{"name": "delete"}]'
+
+course_resource_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/resource -r University --fields _id,name 2>/dev/null | jq -r '.[] | select(.name=='\"course_resource\"') | ._id')
+DELETE_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"DELETE\"') | .id')
+delete_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"delete\"') | .id')
+GET_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"GET\"') | .id')
+view_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"view\"') | .id')
+
+# create authz-policy `AllowTeacherPolicy, AllowStudentPolicy`
+kcadm.sh create clients/${client_id}/authz/resource-server/policy/role -r University \
+  -s name="AllowTeacherPolicy" -s logic="POSITIVE" -s decisionStrategy="UNANIMOUS" \
+  -s roles='[{"id": '\"${teacher_id}\"'}]'
+
+kcadm.sh create clients/${client_id}/authz/resource-server/policy/role -r University \
+  -s name="AllowStudentPolicy" -s logic="POSITIVE" -s decisionStrategy="UNANIMOUS" \
+  -s roles='[{"id": '\"${student_id}\"'}]'
+
+allow_teacher_policy_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/policy -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"AllowTeacherPolicy\"') | .id')
+allow_student_policy_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/policy -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"AllowStudentPolicy\"') | .id')
+
+# create authz-permission `Delete Course Permission` and `View Course Permission`
+kcadm.sh create clients/${client_id}/authz/resource-server/permission/scope -r University \
+  -s name="Delete Course Permission" -s logic="POSITIVE" -s decisionStrategy="UNANIMOUS" \
+  -s policies='['\"${allow_teacher_policy_id}\"']' \
+  -s scopes='['\"${DELETE_scope_id}\"', '\"${delete_scope_id}\"']' \
+  -s resources='['\"${course_resource_id}\"']'
+
+kcadm.sh create clients/${client_id}/authz/resource-server/permission/scope -r University \
+  -s name="View Course Permission" -s logic="POSITIVE" -s decisionStrategy="AFFIRMATIVE" \
+  -s policies='['\"${allow_teacher_policy_id}\"', '\"${allow_student_policy_id}\"']' \
+  -s scopes='['\"${GET_scope_id}\"', '\"${view_scope_id}\"']' \
+  -s resources='['\"${course_resource_id}\"']'

ci/pod/keycloak/kcadm_configure_university.sh

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUbZfnhty/ZiHPz5Aq8kK5Kr8kcSQwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMzA0MTgxMTQzNDJaFw0zMzA0
+MTUxMTQzNDJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC/F4wK7eMTVAKGDMLCXE+Y6REdA5GU6/AakJf3NEKQ
+wCrtrqO+VBPIz445+edf3EEXhjFFGPdU6p0EkF0SMLaMsVBQQJ2qcP6FloIYiyT3
+WCs/gbtdoWq53ucAfWueIyHWsovLc0VhOXm0rhTYg88nMjJ7y6vYkfLMT6qlwASn
+9Tozgjat09fWATbN7yBi4ivVVsKDo2S3jkOyVnYYMjzZO3CSkyUSMl+ZsSesseSK
+A9c2zogfKIU833njraA8blMFfdinEMI/9yceEx57IUjnpY1iWHLSItiZF+LKEpeL
+vp9gpr88ghR85ISusqAqwcmnsdAqjjw7gbPm1DIvUgVBAgMBAAGjUzBRMB0GA1Ud
+DgQWBBRvlz5ZiE2fD9ikPRqpYwsVrxZfxTAfBgNVHSMEGDAWgBRvlz5ZiE2fD9ik
+PRqpYwsVrxZfxTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCX
+5fOeFnX67eHI5dJB8p3U2GS21qykDVLV5ZV+JZfZwXJEygIvr/T9vs772EPxv+0/
+TO0+pGdcVswXq/6BoUFCV0rWWTDP5wTS3sV1ZsSSHil5zEutXuAI1LQGlit6w5xn
+iDURFZw3ZmOFytXKXNbca1ma4yaCZtOwVe3O36GZeOiZFzBYE2DELqy77Nz1E5+3
+jZaDnx0vonV8/hhX6FAPRPQnIXkaEH3BnVQZGD1jxipbFQQtmeeNPELy18MQo30N
+W1wOsbMMouniKUjdT16tdtzJzC+l9pVqRC+8df5PJfN56Uv9Ed6pjytkSF1SvHyJ
+iTWmyxJL9AonUkc5Oiri
+-----END CERTIFICATE-----

ci/pod/keycloak/server.crt.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC/F4wK7eMTVAKG
+DMLCXE+Y6REdA5GU6/AakJf3NEKQwCrtrqO+VBPIz445+edf3EEXhjFFGPdU6p0E
+kF0SMLaMsVBQQJ2qcP6FloIYiyT3WCs/gbtdoWq53ucAfWueIyHWsovLc0VhOXm0
+rhTYg88nMjJ7y6vYkfLMT6qlwASn9Tozgjat09fWATbN7yBi4ivVVsKDo2S3jkOy
+VnYYMjzZO3CSkyUSMl+ZsSesseSKA9c2zogfKIU833njraA8blMFfdinEMI/9yce
+Ex57IUjnpY1iWHLSItiZF+LKEpeLvp9gpr88ghR85ISusqAqwcmnsdAqjjw7gbPm
+1DIvUgVBAgMBAAECggEBAKUrrkGYI2mGePPzPbiP38E02zTv67sEQLJFfwUOp+bE
+I5b0F9agh8VQGghkyKgkEiNKO3YVQVuluvjB66CYeIGdleT4JQ+4wVcoo+ShCN++
+1wr6kMA6kKx+Tb8vqYCzr0ELbSf6x+Jksp0Ixz3qmHixu88jWbNFW89boQ3JrnyZ
+TUgRSRdPoXcxspwcbhy6mMhwUfUSy8Zcck81dBEAjokvzbYh4jtFYMipWqro66KJ
+B9uqQme2J/rN/2PSrA6chI85Wa+JaGOSPDaGNp+DrADjoVZf1tXgzGCsA/lmVtQ0
+8YN4Dh21EjLxz4Dj5GE7RWET4Ejvv1XEih1p+zKne00CgYEA327raCD5Fnr1nGTb
+Q4ZWkcDR6EGSD6JGD0ur+UqqJhirM/5b4iGcsVK5uufb5dwk9+9z0EucXOVq/il0
+vgG2FbgRYM8kx3CDLvMYAqKJ8e5NsGJWwJVq6DsmsO1SaEId+SVFH83RHfG5/ksq
+/DgRg0Wl9FoL7sHchuSIP2QiLrMCgYEA2vHcKsMZk/KGMBHVffY3PUckirIM6vLa
+idMmm0T0HSAdviZRxQGyOnjd93ZhMqFJPTrmHOq0uAxfdFt+oRoHk/pGarBCv76L
+NnPrSnVe1pJOh7Mm7LHLgrAgeM2WW7xz6jZwc8On+9qHK97I/wAnJB8J7DvQJ2hR
+sWCDSbfKtjsCgYEAnVE77tVIjMuGo9dfiuvLiFR7d0yzys43Bg4ByEUKCEjWQoWV
+rGJ+MVxN6YvXCME4RloS8VZLgh0GeG44BJCv5Br2IXO4MbTGqQgAn9pRxkZD7S1Q
+Z8jMvTboxypSG5ZyBDp5sSr5Ulwg2SuT2IKh0gv4DVRZkoJtA41lYTzf1IECgYBd
+3NJGgt20T4S3lu2v0p5b5uQDkdF36CVIcP1cE3OUCPC3VDY5/0ApUSfXryh8TCjZ
+1yZPv086mBNUDuV6q24UQndtxaLYERgdgBSfFzJRSuffxS4qyw40OM2y/HA5Y9FN
+14jeGEMr9cN9S0VgDPC6y5O1cu8J9e8P3BBsyh5dgQKBgHMlIhOJDO/neVnax79X
+d3+5GaiggUnkd27OkYC4LhXEc/QWeHE0ByA0bDhhnsE7IVK2CVC18axOLmEJVy2g
+F6ZtxcpNrlVtF4YaOiRVUcDNnz9gX48efrpdoX2iBSFEd1NRDo/bjkVXI1L08LNf
+BbMB104PadChoGpl5R3NQQsP
+-----END PRIVATE KEY-----

ci/pod/keycloak/server.key.pem

@@ -31,7 +31,7 @@ __DATA__
             local plugin = require("apisix.plugins.authz-keycloak")
             local ok, err = plugin.check_schema({
                                 client_id = "foo",
-                                token_endpoint = "https://host.domain/auth/realms/foo/protocol/openid-connect/token"
+                                token_endpoint = "https://host.domain/realms/foo/protocol/openid-connect/token"
                             })
             if not ok then
                 ngx.say(err)
@@ -54,7 +54,7 @@ done
             local plugin = require("apisix.plugins.authz-keycloak")
             local ok, err = plugin.check_schema({
                                 client_id = "foo",
-                                discovery = "https://host.domain/auth/realms/foo/.well-known/uma2-configuration"
+                                discovery = "https://host.domain/realms/foo/.well-known/uma2-configuration"
                             })
             if not ok then
                 ngx.say(err)
@@ -78,8 +78,8 @@ done
             local ok, err = plugin.check_schema({
                                 client_id = "foo",
                                 lazy_load_paths = true,
-                                token_endpoint = "https://host.domain/auth/realms/foo/protocol/openid-connect/token",
-                                resource_registration_endpoint = "https://host.domain/auth/realms/foo/authz/protection/resource_set"
+                                token_endpoint = "https://host.domain/realms/foo/protocol/openid-connect/token",
+                                resource_registration_endpoint = "https://host.domain/realms/foo/authz/protection/resource_set"
                             })
             if not ok then
                 ngx.say(err)
@@ -103,7 +103,7 @@ done
             local ok, err = plugin.check_schema({
                                 client_id = "foo",
                                 lazy_load_paths = true,
-                                discovery = "https://host.domain/auth/realms/foo/.well-known/uma2-configuration"
+                                discovery = "https://host.domain/realms/foo/.well-known/uma2-configuration"
                             })
             if not ok then
                 ngx.say(err)
@@ -125,9 +125,9 @@ done
         content_by_lua_block {
             local plugin = require("apisix.plugins.authz-keycloak")
             local ok, err = plugin.check_schema({
-                                discovery = "https://host.domain/auth/realms/foo/.well-known/uma2-configuration",
-                                token_endpoint = "https://host.domain/auth/realms/foo/protocol/openid-connect/token",
-                                resource_registration_endpoint = "https://host.domain/auth/realms/foo/authz/protection/resource_set",
+                                discovery = "https://host.domain/realms/foo/.well-known/uma2-configuration",
+                                token_endpoint = "https://host.domain/realms/foo/protocol/openid-connect/token",
+                                resource_registration_endpoint = "https://host.domain/realms/foo/authz/protection/resource_set",
                                 client_id = "University",
                                 client_secret = "secret",
                                 grant_type = "urn:ietf:params:oauth:grant-type:uma-ticket",
@@ -187,7 +187,7 @@ done
     location /t {
         content_by_lua_block {
             local plugin = require("apisix.plugins.authz-keycloak")
-            local ok, err = plugin.check_schema({discovery = "https://host.domain/auth/realms/foo/.well-known/uma2-configuration"})
+            local ok, err = plugin.check_schema({discovery = "https://host.domain/realms/foo/.well-known/uma2-configuration"})
             if not ok then
                 ngx.say(err)
             end
@@ -210,7 +210,7 @@ done
             local plugin = require("apisix.plugins.authz-keycloak")
             local ok, err = plugin.check_schema({
                                 client_id = "foo",
-                                token_endpoint = "https://host.domain/auth/realms/foo/protocol/openid-connect/token",
+                                token_endpoint = "https://host.domain/realms/foo/protocol/openid-connect/token",
                                 lazy_load_paths = true
                             })
             if not ok then
@@ -238,7 +238,7 @@ done
                  [[{
                         "plugins": {
                             "authz-keycloak": {
-                                "token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+                                "token_endpoint": "https://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
                                 "permissions": ["course_resource#delete"],
                                 "client_id": "course_management",
                                 "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
@@ -296,7 +296,7 @@ GET /t
 --- response_body
 false
 --- error_log
-Error while sending authz request to https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token: 18
+Error while sending authz request to https://127.0.0.1:8443/realms/University/protocol/openid-connect/token: 18
 --- error_code: 503
 
 
@@ -311,7 +311,7 @@ Error while sending authz request to https://127.0.0.1:8443/auth/realms/Universi
                  [[{
                         "plugins": {
                             "authz-keycloak": {
-                                "token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+                                "token_endpoint": "https://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
                                 "permissions": ["course_resource#delete"],
                                 "client_id": "course_management",
                                 "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
@@ -382,7 +382,7 @@ Request denied: HTTP 401 Unauthorized. Body: {"error":"HTTP 401 Unauthorized"}
                  [[{
                         "plugins": {
                             "authz-keycloak": {
-                                "token_endpoint": "http://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+                                "token_endpoint": "http://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
                                 "client_id": "course_management",
                                 "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
                                 "policy_enforcement_mode": "ENFORCING",
@@ -447,7 +447,7 @@ GET /t
                  [[{
                         "plugins": {
                             "authz-keycloak": {
-                                "token_endpoint": "http://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+                                "token_endpoint": "http://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
                                 "client_id": "course_management",
                                 "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
                                 "policy_enforcement_mode": "ENFORCING",
@@ -515,7 +515,7 @@ Location: http://127.0.0.1/test
                  [[{
                         "plugins": {
                             "authz-keycloak": {
-                                "token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+                                "token_endpoint": "https://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
                                 "permissions": ["course_resource#view"],
                                 "client_id": "course_management",
                                 "client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
@@ -587,7 +587,7 @@ true
                  [[{
                         "plugins": {
                             "authz-keycloak": {
-                                "token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+                                "token_endpoint": "https://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
                                 "permissions": ["course_resource#view"],
                                 "client_id": "course_management",
                                 "client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",