Merge pull request #6402 from espoon-voltti/keycloak-cleanup

Keycloak-siivousta

apigw/src/app.ts

@@ -156,14 +156,15 @@ export function apiRouter(config: Config, redisClient: RedisClient) {
     router.use('/citizen/auth/sfi', citizenSfiIntegration.router)
   }
 
-  if (!config.keycloakCitizen)
-    throw new Error('Missing Keycloak SAML configuration (citizen)')
-  const keycloakCitizenIntegration = createKeycloakCitizenIntegration(
-    citizenSessions,
-    config.keycloakCitizen,
-    redisClient
-  )
-  router.use('/citizen/auth/keycloak', keycloakCitizenIntegration.router)
+  let keycloakCitizenIntegration: SamlIntegration | undefined = undefined
+  if (config.keycloakCitizen) {
+    keycloakCitizenIntegration = createKeycloakCitizenIntegration(
+      citizenSessions,
+      config.keycloakCitizen,
+      redisClient
+    )
+    router.use('/citizen/auth/keycloak', keycloakCitizenIntegration.router)
+  }
 
   router.all(
     '/employee/auth/ad/*',
@@ -207,14 +208,15 @@ export function apiRouter(config: Config, redisClient: RedisClient) {
     router.use('/employee/auth/sfi', employeeSfiIntegration.router)
   }
 
-  if (!config.keycloakEmployee)
-    throw new Error('Missing Keycloak SAML configuration (employee)')
-  const keycloakEmployeeIntegration = createKeycloakEmployeeIntegration(
-    employeeSessions,
-    config.keycloakEmployee,
-    redisClient
-  )
-  router.use('/employee/auth/keycloak', keycloakEmployeeIntegration.router)
+  let keycloakEmployeeIntegration: SamlIntegration | undefined = undefined
+  if (config.keycloakEmployee) {
+    keycloakEmployeeIntegration = createKeycloakEmployeeIntegration(
+      employeeSessions,
+      config.keycloakEmployee,
+      redisClient
+    )
+    router.use('/employee/auth/keycloak', keycloakEmployeeIntegration.router)
+  }
 
   router.use(
     '/application/auth/saml',
@@ -262,7 +264,9 @@ export function apiRouter(config: Config, redisClient: RedisClient) {
             return citizenSfiIntegration.logout(req, res)
           break
         case 'keycloak-citizen':
-          return keycloakCitizenIntegration.logout(req, res)
+          if (keycloakCitizenIntegration)
+            return keycloakCitizenIntegration.logout(req, res)
+          break
         case 'citizen-weak':
         case 'dev':
         case undefined:
@@ -292,7 +296,9 @@ export function apiRouter(config: Config, redisClient: RedisClient) {
             return employeeSfiIntegration.logout(req, res)
           break
         case 'keycloak-employee':
-          return keycloakEmployeeIntegration.logout(req, res)
+          if (keycloakEmployeeIntegration)
+            return keycloakEmployeeIntegration.logout(req, res)
+          break
         case 'dev':
           // no need for special handling
           break

apigw/src/shared/config.ts

@@ -447,24 +447,6 @@ function createLocalDevelopmentOverrides(): Partial<EnvVariables> {
         SFI_SAML_PUBLIC_CERT: ['config/test-cert/dummy-idp.pem'],
         SFI_SAML_PRIVATE_CERT: 'config/test-cert/saml-private.pem',
 
-        EVAKA_SAML_CALLBACK_URL:
-          'http://localhost:9099/api/employee/auth/ad/login/callback',
-        EVAKA_SAML_ENTRYPOINT:
-          'http://localhost:8080/auth/realms/evaka/protocol/saml',
-        EVAKA_SAML_ISSUER: 'evaka',
-        EVAKA_SAML_PUBLIC_CERT: ['config/test-cert/keycloak-local.pem'],
-        EVAKA_SAML_PRIVATE_CERT: 'config/test-cert/saml-private.pem',
-
-        EVAKA_CUSTOMER_SAML_CALLBACK_URL:
-          'http://localhost:9099/api/citizen/auth/keycloak/login/callback',
-        EVAKA_CUSTOMER_SAML_ENTRYPOINT:
-          'http://localhost:8080/auth/realms/evaka-customer/protocol/saml',
-        EVAKA_CUSTOMER_SAML_ISSUER: 'evaka-customer',
-        EVAKA_CUSTOMER_SAML_PUBLIC_CERT: [
-          'config/test-cert/keycloak-local.pem'
-        ],
-        EVAKA_CUSTOMER_SAML_PRIVATE_CERT: 'config/test-cert/saml-private.pem',
-
         DIGITRANSIT_API_ENABLED: false
       }
     : {}

compose/README.md

@@ -178,12 +178,6 @@ git push --delete origin playwright-test
 To dump local database run `./db.sh dump` and restore it with `./db.sh restore`.
 Optional dump name can be given to script, example `./db.sh dump my.dump`.
 
-## Keycloak
-
-Keycloak admin login from <http://localhost:8080/auth/admin/master/console/> with credentials `admin:admin`.
-
-Evaka-customer realm (<http://localhost:9099/api/application/auth/evaka-customer/login?RelayState=%2F>) has pre-configured user with credentials `[email protected]:test123`.
-
 ## Troubleshooting
 
 ### Database

compose/docker-compose.e2e-tests.yml

@@ -25,7 +25,6 @@ services:
       HEADLESS: ${HEADLESS:-true}
       DEBUG: ${DEBUG:-}
     depends_on:
-      - keycloak
       - evaka-proxy
       - api-gw
       - evaka-srv

compose/docker-compose.e2e.yml

@@ -33,7 +33,6 @@ services:
     depends_on:
       - api-gw
       - evaka-srv
-      - keycloak
       - s3-mock
 
   api-gw:
@@ -61,8 +60,6 @@ services:
       REDIS_PORT: ${EVAKA_REDIS_PORT}
       REDIS_DISABLE_SECURITY: "true"
       JWT_PRIVATE_KEY: /home/evaka/test-cert/jwt_private_key.pem
-      EVAKA_CUSTOMER_SAML_PUBLIC_CERT: /home/evaka/test-cert/keycloak-local.pem
-      EVAKA_CUSTOMER_SAML_PRIVATE_CERT: /home/evaka/test-cert/saml-private.pem
       ENABLE_DEV_API: "true"
       PRETTY_LOGS: "false"
 

compose/docker-compose.yml

@@ -61,58 +61,11 @@ services:
       timeout: 5s
       retries: 5
 
-  keycloak:
-    image: ghcr.io/espoon-voltti/evaka/keycloak:${TAG:-master}
-    build:
-      context: ../keycloak/
-      cache_from:
-        - ghcr.io/espoon-voltti/evaka/keycloak:cache-${CACHE_TAG:-master}
-        - ghcr.io/espoon-voltti/evaka/keycloak:cache-master
-    ports:
-      - "8080:8080"
-    environment:
-      # Initial admin user via environment, required when running with a container
-      # https://www.keycloak.org/server/configuration#_creating_the_initial_admin_user
-      KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: admin
-
-      # Configuration options
-      # https://www.keycloak.org/server/all-config?f=config
-      # Database
-      KC_DB_URL: "jdbc:postgresql://db/keycloak?user=postgres&password=postgres"
-      # Hostname v2
-      KC_HOSTNAME:  "http://${KEYCLOAK_HOST:-localhost}:8080/auth/"
-      KC_HOSTNAME_STRICT: "false"
-      # HTTP(S)
-      KC_HTTP_ENABLED: "true"
-      # Logging
-      #KC_LOG_LEVEL: "debug"
-    entrypoint: /configuration/entrypoint.sh
-    command: ["start", "--optimized", "--log-console-output=json"]
-    volumes:
-      - ../keycloak/compose-resources/configuration:/configuration
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/auth/health"]
-      interval: 2s
-      timeout: 5s
-      retries: 5
-      start_period: 5s
-    depends_on:
-      - smtp
-      - db
-      - dummy-suomifi
-
   smtp:
     image: mailhog/mailhog
     ports:
       - "8025:8025"
 
-  dummy-suomifi:
-    build:
-      context: ../keycloak/dummy-suomifi
-    ports:
-      - "9000:9000"
-
   dummy-idp:
     build:
       context: ../dummy-idp

keycloak/docker-compose.yml

@@ -52,13 +52,6 @@ services:
     depends_on:
       - smtp
       - keycloak-postgres
-      - dummy-suomifi
-
-  dummy-suomifi:
-    build:
-      context: dummy-suomifi
-    ports:
-      - "9000:9000"
 
 volumes:
   postgres_data: