Merge pull request #294 from kbss-cvut/keycloak-migration-doc

Keycloak migration

Author: blcham

.gitignore

@@ -8,3 +8,8 @@ junit.xml
 .DS_store
 
 .env
+
+# terraform
+.terraform/
+terraform.tfstate
+terraform.tfstate.backup

config/index.js

@@ -34,3 +34,5 @@ export const BASENAME = getEnv("BASENAME", "");
 export const EXTENSIONS = getEnv("EXTENSIONS", "");
 export const APP_INFO = getEnv("APP_INFO", "© KBSS at FEE CTU in Prague, 2024");
 export const ANALYTICS_URL = getEnv("ANALYTICS_URL", "");
+
+export const AUTHENTICATION = getEnv("AUTHENTICATION", "");

deploy/keycloak-auth/.migration/dc-keycloak-config--init-roles.yml

@@ -0,0 +1,18 @@
+services:
+  keycloak-config:
+    image: hashicorp/terraform:light
+    working_dir: /workspace
+    volumes:
+      - ./keycloak-config:/workspace
+    depends_on:
+      - auth-server
+    entrypoint: ["/bin/sh", "-c"]
+    environment:
+      - TF_VAR_kc_admin_user=${KC_ADMIN_USER}
+      - TF_VAR_kc_admin_password=${KC_ADMIN_PASSWORD}
+      - TF_VAR_kc_realm=record-manager
+      - TF_VAR_kc_url=http://auth-server:8080/
+    command: >
+      "until nc -z auth-server 8080; do sleep 1; done &&
+       terraform init &&
+       terraform apply -auto-approve"

deploy/keycloak-auth/docker-compose.yml

@@ -142,24 +142,6 @@ services:
     depends_on:
       - auth-server-db
 
-  keycloak-config:
-    image: hashicorp/terraform:light
-    working_dir: /workspace
-    volumes:
-      - ./keycloak-config:/workspace
-    depends_on:
-      - auth-server
-    entrypoint: ["/bin/sh", "-c"]
-    environment:
-      - TF_VAR_kc_admin_user=${KC_ADMIN_USER}
-      - TF_VAR_kc_admin_password=${KC_ADMIN_PASSWORD}
-      - TF_VAR_kc_realm=record-manager
-      - TF_VAR_kc_url=http://auth-server:8080/
-    command: >
-      "until nc -z auth-server 8080; do sleep 1; done &&
-       terraform init &&
-       terraform apply -auto-approve"
-
 volumes:
   db-server:
   auth-server:

deploy/keycloak-auth/keycloak-config/.terraform.lock.hcl

@@ -0,0 +1,80 @@
+# Define the role groups and their associated roles
+variable "role_groups" {
+  type = map(list(string))
+  default = {
+    admin-role-group = [
+      "read-all-records-role",
+      "write-all-records-role",
+      "read-organization-records-role",
+      "write-organization-records-role",
+      "complete-records-role",
+      "reject-records-role",
+      "publish-records-role",
+      "import-codelists-role",
+      "comment-record-questions-role",
+      "read-all-users-role",
+      "write-all-users-role",
+      "read-organization-users-role",
+      "write-organization-users-role",
+      "read-organization-role",
+      "write-organization-role",
+      "read-all-organizations-role",
+      "write-all-organizations-role",
+      "read-action-history-role",
+      "read-statistics-role"
+    ]
+    data-collection-coordinator-role-group = [
+      "read-all-users-role",
+      "write-all-users-role",
+      "read-organization-users-role",
+      "write-organization-users-role",
+      "read-organization-role",
+      "write-organization-role",
+      "read-all-organizations-role",
+      "write-all-organizations-role",
+      "read-organization-records-role",
+      "write-organization-records-role",
+      "comment-record-questions-role",
+      "complete-records-role"
+    ]
+    organization-manager-role-group = [
+      "read-organization-role",
+      "write-organization-role",
+      "read-organization-users-role",
+      "write-organization-users-role",
+      "read-organization-records-role",
+      "write-organization-records-role",
+      "comment-record-questions-role"
+    ]
+    entry-clerk-role-group = [
+      "read-organization-role",
+      "read-organization-records-role",
+      "comment-record-questions-role"
+    ]
+    reviewer-role-group = [
+      "complete-records-role",
+      "comment-record-questions-role"
+    ]
+  }
+}
+
+# Create the groups
+resource "keycloak_group" "role_groups" {
+  for_each = var.role_groups
+
+  realm_id = var.kc_realm
+  name     = each.key
+}
+
+# Assign ALL roles to each group in a single resource
+resource "keycloak_group_roles" "group_role_assignments" {
+  for_each = var.role_groups
+
+  realm_id = var.kc_realm
+  group_id = keycloak_group.role_groups[each.key].id
+
+  role_ids = [
+    for role_name in each.value :
+    keycloak_role.realm_roles[role_name].id
+  ]
+}

deploy/keycloak-auth/keycloak-config/groups_and_mapping.tf

@@ -1,18 +1,25 @@
 variable "roles" {
   type = map(string)
   default = {
-    rm-delete-all-records         = ""
-    rm-edit-users                = ""
-    rm-impersonate               = ""
-    rm-edit-all-records           = ""
-    rm-view-organization-records = ""
-    rm-complete-records           = ""
-    rm-edit-organization-records = ""
-    rm-view-all-records           = ""
-    rm-delete-organization-records = ""
-    rm-publish-records            = ""
-    rm-import-codelists           = ""
-    rm-reject-records             = ""
+    read-all-records-role                 = "",
+    write-all-records-role                = "",
+    read-organization-records-role        = "",
+    write-organization-records-role       = "",
+    complete-records-role                 = "",
+    reject-records-role                   = "",
+    publish-records-role                  = "",
+    import-codelists-role                 = "",
+    comment-record-questions-role         = "",
+    read-all-users-role                   = "",
+    write-all-users-role                  = "",
+    read-organization-users-role          = "",
+    write-organization-users-role         = "",
+    read-organization-role                = "",
+    write-organization-role               = "",
+    read-all-organizations-role           = "",
+    write-all-organizations-role          = "",
+    read-action-history-role              = "",
+    read-statistics-role                  = ""
   }
 }
 
@@ -22,4 +29,4 @@ resource "keycloak_role" "realm_roles" {
   realm_id    = var.kc_realm
   name        = each.key
   description = length(each.value) > 0 ? each.value : null
-}
+}

deploy/keycloak-auth/keycloak-config/role-groups.tf

@@ -8,7 +8,7 @@ import PropTypes from "prop-types";
 const InstitutionSelector = ({ currentUser, user, onInstitutionSelected, generateInstitutionsOptions }) => {
   const { i18n } = useI18n();
 
-  return canSelectInstitution(currentUser) ? (
+  return canSelectInstitution(currentUser, user) ? (
     <HorizontalInput
       type="select"
       name="institution"

deploy/keycloak-auth/keycloak-config/roles.tf

@@ -238,7 +238,7 @@ class User extends React.Component {
                   type="text"
                   name="firstName"
                   label={`${this.i18n("user.first-name")}*`}
-                  disabled={!canWriteUserInfo(currentUser, user)}
+                  disabled={isUsingOidcAuth() || !canWriteUserInfo(currentUser, user)}
                   value={user.firstName}
                   labelWidth={3}
                   inputWidth={8}
@@ -250,7 +250,7 @@ class User extends React.Component {
                   type="text"
                   name="lastName"
                   label={`${this.i18n("user.last-name")}*`}
-                  disabled={!canWriteUserInfo(currentUser, user)}
+                  disabled={isUsingOidcAuth() || !canWriteUserInfo(currentUser, user)}
                   value={user.lastName}
                   labelWidth={3}
                   inputWidth={8}
@@ -277,7 +277,7 @@ class User extends React.Component {
                   type="email"
                   name="emailAddress"
                   label={`${this.i18n("users.email")}*`}
-                  disabled={!canWriteUserInfo(currentUser, user)}
+                  disabled={isUsingOidcAuth() || !canWriteUserInfo(currentUser, user)}
                   value={user.emailAddress}
                   labelWidth={3}
                   inputWidth={8}