diff --git a/galaxy_ng/app/dynaconf_hooks.py b/galaxy_ng/app/dynaconf_hooks.py index 70c0f2992d..6deb06945d 100755 --- a/galaxy_ng/app/dynaconf_hooks.py +++ b/galaxy_ng/app/dynaconf_hooks.py @@ -94,23 +94,11 @@ def configure_keycloak(settings: Dynaconf) -> Dict[str, Any]: SOCIAL_AUTH_KEYCLOAK_KEY = settings.get("SOCIAL_AUTH_KEYCLOAK_KEY", default=None) SOCIAL_AUTH_KEYCLOAK_SECRET = settings.get("SOCIAL_AUTH_KEYCLOAK_SECRET", default=None) SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = settings.get("SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY", default=None) - KEYCLOAK_PROTOCOL = settings.get("KEYCLOAK_PROTOCOL", default="https") + KEYCLOAK_PROTOCOL = settings.get("KEYCLOAK_PROTOCOL", default=None) KEYCLOAK_HOST = settings.get("KEYCLOAK_HOST", default=None) KEYCLOAK_PORT = settings.get("KEYCLOAK_PORT", default=None) KEYCLOAK_REALM = settings.get("KEYCLOAK_REALM", default=None) - # https://www.keycloak.org/server/all-config - # In prior versions of keycloak, the auth and token url paths began - # with /auth. In newer versions, that substring no longer exists. - # There is a setting which can re-add that substring to make - # a newer system operate similar to the old. - KEYCLOAK_KC_HTTP_RELATIVE_PATH = settings.get("KEYCLOAK_KC_HTTP_RELATIVE_PATH", default="") - - SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = \ - settings.get("SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL", default=None) - SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = \ - settings.get("SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL", default=None) - # Add settings if Social Auth values are provided if all( [ 
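Review bot: With the default for `KEYCLOAK_PROTOCOL` changed to `None`, an unset protocol is interpolated into `KEYCLOAK_URL` in the next hunk of this file and would yield a `None://host:port` base for the authorization and token endpoints. Whether the `all([...])` guard prevents that cannot be seen here, because the list is cut off by the hunk boundary. The token endpoint built from this value receives the client secret and authorization codes, so I would keep a secure default, `KEYCLOAK_PROTOCOL = settings.get("KEYCLOAK_PROTOCOL", default="https")`, or reject a missing or non-http(s) value before any URL is built. If plain `http` has to stay possible for the compose profiles, a comment marking it as local-development only would help. `configure_keycloak` starts and ends outside this hunk.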
@@ -134,39 +122,21 @@ def configure_keycloak(settings: Dynaconf) -> Dict[str, Any]: ) data["KEYCLOAK_HOST_LOOPBACK"] = settings.get("KEYCLOAK_HOST_LOOPBACK", default=None) data["KEYCLOAK_URL"] = f"{KEYCLOAK_PROTOCOL}://{KEYCLOAK_HOST}:{KEYCLOAK_PORT}" - - auth_url_str = "{keycloak}{prefix}/realms/{realm}/protocol/openid-connect/auth/" - - if SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL is not None: - data["SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL"] = SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL - else: + auth_url_str = "{keycloak}/auth/realms/{realm}/protocol/openid-connect/auth/" + data["SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL"] = auth_url_str.format( + keycloak=data["KEYCLOAK_URL"], realm=KEYCLOAK_REALM + ) + if data["KEYCLOAK_HOST_LOOPBACK"]: + loopback_url = "{protocol}://{host}:{port}".format( + protocol=KEYCLOAK_PROTOCOL, host=data["KEYCLOAK_HOST_LOOPBACK"], port=KEYCLOAK_PORT + ) data["SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL"] = auth_url_str.format( - keycloak=data["KEYCLOAK_URL"], - realm=KEYCLOAK_REALM, - prefix=KEYCLOAK_KC_HTTP_RELATIVE_PATH + keycloak=loopback_url, realm=KEYCLOAK_REALM ) - if data["KEYCLOAK_HOST_LOOPBACK"]: - loopback_url = "{protocol}://{host}:{port}".format( - protocol=KEYCLOAK_PROTOCOL, - host=data["KEYCLOAK_HOST_LOOPBACK"], - port=KEYCLOAK_PORT - ) - data["SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL"] = auth_url_str.format( - keycloak=loopback_url, - realm=KEYCLOAK_REALM, - prefix=KEYCLOAK_KC_HTTP_RELATIVE_PATH - ) - - if SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL is not None: - data['SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL'] = SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL - else: - data[ - "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL" - ] = ( - f"{data['KEYCLOAK_URL']}{KEYCLOAK_KC_HTTP_RELATIVE_PATH}/realms/" - f"{KEYCLOAK_REALM}/protocol/openid-connect/token/" - ) + data[ + "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL" + ] = f"{data['KEYCLOAK_URL']}/auth/realms/{KEYCLOAK_REALM}/protocol/openid-connect/token/" data["SOCIAL_AUTH_LOGIN_REDIRECT_URL"] = settings.get( 
"SOCIAL_AUTH_LOGIN_REDIRECT_URL", default="/ui/" diff --git a/galaxy_ng/tests/unit/app/test_dynaconf_hooks.py b/galaxy_ng/tests/unit/app/test_dynaconf_hooks.py index 6d11e8ca7e..a9a1253a91 100644 --- a/galaxy_ng/tests/unit/app/test_dynaconf_hooks.py +++ b/galaxy_ng/tests/unit/app/test_dynaconf_hooks.py @@ -2,7 +2,6 @@ import pytest from galaxy_ng.app.dynaconf_hooks import post as post_hook -from galaxy_ng.app.dynaconf_hooks import configure_keycloak class SuperDict(dict): @@ -70,16 +69,6 @@ def validate(*args, **kwargs): "validators": SuperValidator(), } -BASE_KEYCLOAK_SETTINGS = { - "BASE_DIR": "templates", - "SOCIAL_AUTH_KEYCLOAK_KEY": "key123", - "SOCIAL_AUTH_KEYCLOAK_SECRET": "secret123", - "SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY": "pubkey123", - "KEYCLOAK_HOST": "mykeycloak", - "KEYCLOAK_PORT": 1337, - "KEYCLOAK_REALM": "aap", -} - @pytest.mark.parametrize( "do_stuff, extra_settings, expected_results", @@ -320,7 +309,9 @@ def validate(*args, **kwargs): ], ) def test_dynaconf_hooks_authentication_backends_and_classes( - do_stuff, extra_settings, expected_results + do_stuff, + extra_settings, + expected_results ): # skip test this way ... 
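Review bot: `SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL` and `SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL` are now always overwritten with generated values, so a deployment that set them explicitly is silently pointed at `{KEYCLOAK_URL}/auth/realms/...`. The `/auth` prefix is also hard-coded again, which does not match Keycloak servers that no longer serve it. When `KEYCLOAK_HOST_LOOPBACK` is set, the authorization URL uses the loopback host while the token URL stays on `KEYCLOAK_HOST`; presumably that is because the browser reaches Keycloak under a different name than the API server does, and a one-line comment saying so would prevent someone "fixing" the asymmetry. The unit test for `configure_keycloak` is deleted in the same commit, so none of these generated URLs are covered any more; I would keep at least one parametrized case for the `/auth` form. The function body continues outside the hunk.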
@@ -346,78 +337,3 @@ def test_dynaconf_hooks_authentication_backends_and_classes( print(e) """ assert new_settings.get(key) == val - - -@pytest.mark.parametrize( - "do_stuff, extra_settings, expected_results", - [ - ( - True, - {}, - { - "INSTALLED_APPS": ["social_django", "dynaconf_merge_unique"], - "KEYCLOAK_URL": "https://mykeycloak:1337", - "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL": - "https://mykeycloak:1337/realms/aap/protocol/openid-connect/auth/", - "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL": - "https://mykeycloak:1337/realms/aap/protocol/openid-connect/token/", - "GALAXY_AUTH_KEYCLOAK_ENABLED": True, - "GALAXY_FEATURE_FLAGS__external_authentication": True, - "GALAXY_TOKEN_EXPIRATION": 1440, - }, - ), - ( - True, - { - "KEYCLOAK_KC_HTTP_RELATIVE_PATH": "/auth", - "KEYCLOAK_PROTOCOL": "http", - "GALAXY_TOKEN_EXPIRATION": 0, - }, - { - "INSTALLED_APPS": ["social_django", "dynaconf_merge_unique"], - "KEYCLOAK_URL": "http://mykeycloak:1337", - "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL": - "http://mykeycloak:1337/auth/realms/aap/protocol/openid-connect/auth/", - "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL": - "http://mykeycloak:1337/auth/realms/aap/protocol/openid-connect/token/", - "GALAXY_AUTH_KEYCLOAK_ENABLED": True, - "GALAXY_FEATURE_FLAGS__external_authentication": True, - "GALAXY_TOKEN_EXPIRATION": 0, - }, - ), - ( - True, - { - "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL": - "httpZ://mykeycloAk:1339/auth__/realms/aap/protocol/openid-connect/auth/", - "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL": - "httpZ://mykeycloAk:1339/auth__/realms/aap/protocol/openid-connect/token/", - }, - { - "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL": - "httpZ://mykeycloAk:1339/auth__/realms/aap/protocol/openid-connect/auth/", - "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL": - "httpZ://mykeycloAk:1339/auth__/realms/aap/protocol/openid-connect/token/", - }, - ), - - ], -) -def test_dynaconf_hook_configure_keycloak(do_stuff, extra_settings, expected_results): - # skip test this way ... 
- if not do_stuff: - return - - xsettings = SuperDict() - xsettings.update(copy.deepcopy(BASE_KEYCLOAK_SETTINGS)) - if extra_settings: - xsettings.update(copy.deepcopy(extra_settings)) - - # don't allow the downstream to edit this data ... - xsettings.immutable = True - - # run the function and get the result ... - new_settings = configure_keycloak(xsettings) - - for key, val in expected_results.items(): - assert new_settings.get(key) == val diff --git a/profiles/base/pulp_config.env b/profiles/base/pulp_config.env index bc7f7aaa1d..ba8a425220 100644 --- a/profiles/base/pulp_config.env +++ b/profiles/base/pulp_config.env @@ -35,3 +35,6 @@ HUB_TEST_MARKS=deployment_standalone or all # role content workaround .. PULP_ANSIBLE_BASE_ROLES_REQUIRE_VIEW=false + +# Disable DAB RESOURCE SYNC to avoid debugging messages +PULP_RESOURCE_SERVER_SYNC_ENABLED=false diff --git a/profiles/community/pulp_config.env b/profiles/community/pulp_config.env index 72c1baf130..a8ba7c8245 100644 --- a/profiles/community/pulp_config.env +++ b/profiles/community/pulp_config.env @@ -34,3 +34,6 @@ PULP_GALAXY_CONTAINER_SIGNING_SERVICE='@none None' # Integration test settings HUB_TEST_AUTHENTICATION_BACKEND="community" HUB_TEST_MARKS="deployment_community" + +# Disable DAB RESOURCE SYNC to avoid debugging messages +PULP_RESOURCE_SERVER_SYNC_ENABLED=false diff --git a/profiles/dab/pulp_config.env b/profiles/dab/pulp_config.env index 74dca7af4c..27d8fd8fea 100644 --- a/profiles/dab/pulp_config.env +++ b/profiles/dab/pulp_config.env @@ -26,3 +26,6 @@ PULP_ALLOW_LOCAL_RESOURCE_MANAGEMENT=false # role content workaround .. PULP_ANSIBLE_BASE_ROLES_REQUIRE_VIEW=false + +# Disable DAB RESOURCE SYNC to avoid debugging messages +PULP_RESOURCE_SERVER_SYNC_ENABLED=false diff --git a/profiles/dab_jwt/pulp_config.env b/profiles/dab_jwt/pulp_config.env index d7765d668e..b354e7307c 100644 --- a/profiles/dab_jwt/pulp_config.env +++ b/profiles/dab_jwt/pulp_config.env 
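Review bot: The comment above `PULP_RESOURCE_SERVER_SYNC_ENABLED=false` gives log noise as the reason, but going by its name the variable switches the resource sync off rather than lowering a log level. I would state that in the comment, for example `# Dev/test profile: resource sync to the DAB resource server is turned off here, not just its logging`, so the line is not copied into a real deployment to quiet logs. The same three lines are added to the community, dab, dab_jwt, insights, keycloak and ldap profiles, and the note applies to each of them.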
@@ -26,3 +26,6 @@ PULP_ALLOW_LOCAL_RESOURCE_MANAGEMENT=false # role content workaround .. PULP_ANSIBLE_BASE_ROLES_REQUIRE_VIEW=false + +# Disable DAB RESOURCE SYNC to avoid debugging messages +PULP_RESOURCE_SERVER_SYNC_ENABLED=false diff --git a/profiles/insights/pulp_config.env b/profiles/insights/pulp_config.env index 5bae6eff7a..26356916ee 100644 --- a/profiles/insights/pulp_config.env +++ b/profiles/insights/pulp_config.env @@ -17,3 +17,6 @@ HUB_AUTH_URL={API_PROTOCOL}://{API_HOST}:{INSIGHTS_PROXY_PORT}/auth/realms/redha HUB_API_ROOT={API_PROTOCOL}://{API_HOST}:{INSIGHTS_PROXY_PORT}{PULP_GALAXY_API_PATH_PREFIX} HUB_LOCAL=0 HUB_TEST_MARKS=deployment_cloud or all + +# Disable DAB RESOURCE SYNC to avoid debugging messages +PULP_RESOURCE_SERVER_SYNC_ENABLED=false diff --git a/profiles/keycloak/compose.yaml b/profiles/keycloak/compose.yaml index 87722612a6..d5485093fa 100644 --- a/profiles/keycloak/compose.yaml +++ b/profiles/keycloak/compose.yaml @@ -12,8 +12,7 @@ services: # - "UI_EXTERNAL_LOGIN_URI={API_PROTOCOL}://{API_HOST}:{API_PORT}/login" keycloak: - #image: quay.io/keycloak/keycloak:legacy - image: quay.io/keycloak/keycloak:latest + image: quay.io/keycloak/keycloak:legacy environment: - DB_VENDOR=POSTGRES - DB_ADDR=kc-postgres @@ -21,8 +20,6 @@ services: - DB_USER=keycloak - DB_SCHEMA=public - DB_PASSWORD=keycloak - - KEYCLOAK_ADMIN=admin - - KEYCLOAK_ADMIN_PASSWORD=admin - KEYCLOAK_USER=admin - KEYCLOAK_PASSWORD=admin ports: @@ -30,7 +27,6 @@ services: depends_on: - kc-postgres - ldap - command: ['start-dev'] kc-postgres: image: "postgres:12" diff --git a/profiles/keycloak/keycloak-playbook.yaml b/profiles/keycloak/keycloak-playbook.yaml index 8ce48db8c6..59072ea4b7 100644 --- a/profiles/keycloak/keycloak-playbook.yaml +++ b/profiles/keycloak/keycloak-playbook.yaml 
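Review bot: `image: quay.io/keycloak/keycloak:legacy` is a floating tag, and as far as I know the legacy (WildFly-based) Keycloak distribution no longer receives releases, so this profile would run an identity provider that gets no security fixes. Pinning an explicit version or digest, e.g. `image: quay.io/keycloak/keycloak:<PINNED_TAG>@sha256:<DIGEST>` (placeholders), keeps the test environment reproducible and makes the version choice visible in review. The following hunk keeps `KEYCLOAK_USER=admin` / `KEYCLOAK_PASSWORD=admin` next to a `ports:` entry whose mapping is not visible here; a comment marking these credentials as local-development only would be worth adding.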
@@ -17,9 +17,7 @@ - name: Create or update AAP Keycloak realm community.general.keycloak_realm: auth_client_id: admin-cli - #auth_keycloak_url: http://keycloak:8080/auth - auth_keycloak_url: http://keycloak:8080 - #auth_keycloak_url: http://localhost:8080 + auth_keycloak_url: http://keycloak:8080/auth auth_realm: master auth_username: admin auth_password: admin @@ -33,8 +31,7 @@ - name: Create or update a Keycloak client community.general.keycloak_client: auth_client_id: admin-cli - #auth_keycloak_url: http://keycloak:8080/auth - auth_keycloak_url: http://keycloak:8080 + auth_keycloak_url: http://keycloak:8080/auth auth_realm: master auth_username: admin auth_password: admin @@ -161,8 +158,7 @@ - name: Create Token for service Keycloak uri: - #url: "http://keycloak:8080/auth/realms/master/protocol/openid-connect/token" - url: "http://keycloak:8080/realms/master/protocol/openid-connect/token" + url: "http://keycloak:8080/auth/realms/master/protocol/openid-connect/token" method: POST body_format: form-urlencoded body: @@ -240,8 +236,7 @@ - name: Create LDAP configuration uri: - #url: "http://keycloak:8080/auth/admin/realms/aap/components" - url: "http://keycloak:8080/admin/realms/aap/components" + url: "http://keycloak:8080/auth/admin/realms/aap/components" method: POST body_format: json body: "{{ ldap_config | to_json }}" @@ -256,8 +251,7 @@ - name: Get components uri: - #url: "http://keycloak:8080/auth/admin/realms/aap/components?parent=aap&type=org.keycloak.storage.UserStorageProvider" - url: "http://keycloak:8080/admin/realms/aap/components?parent=aap&type=org.keycloak.storage.UserStorageProvider" + url: "http://keycloak:8080/auth/admin/realms/aap/components?parent=aap&type=org.keycloak.storage.UserStorageProvider" method: GET status_code: - 200 
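Review bot: The base URL `http://keycloak:8080/auth` is repeated literally in every task of this playbook (this hunk and all later hunks in the file), which is why switching the path prefix touches over a dozen lines. A play-level variable, for example `keycloak_base_url: "http://keycloak:8080/auth"` referenced as `"{{ keycloak_base_url }}/realms/aap"`, would reduce the next prefix or scheme change to a single line. The same applies to `auth_username: admin` / `auth_password: admin`, which could be defined once as vars instead of being repeated per task.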
@@ -308,8 +302,7 @@ - name: Create LDAP group mapping uri: - #url: "http://keycloak:8080/auth/admin/realms/aap/components" - url: "http://keycloak:8080/admin/realms/aap/components" + url: "http://keycloak:8080/auth/admin/realms/aap/components" method: POST body_format: json body: "{{ ldap_group_mapper | to_json }}" @@ -324,8 +317,7 @@ - name: Get group mapper identifier uri: - #url: "http://keycloak:8080/auth/admin/realms/aap/components?parent={{ ldap_id }}&type=org.keycloak.storage.ldap.mappers.LDAPStorageMapper&name=group" - url: "http://keycloak:8080/admin/realms/aap/components?parent={{ ldap_id }}&type=org.keycloak.storage.ldap.mappers.LDAPStorageMapper&name=group" + url: "http://keycloak:8080/auth/admin/realms/aap/components?parent={{ ldap_id }}&type=org.keycloak.storage.ldap.mappers.LDAPStorageMapper&name=group" method: GET status_code: - 200 @@ -341,8 +333,7 @@ - name: Sync LDAP users uri: - #url: "http://keycloak:8080/auth/admin/realms/aap/user-storage/{{ ldap_id }}/sync?action=triggerFullSync" - url: "http://keycloak:8080/admin/realms/aap/user-storage/{{ ldap_id }}/sync?action=triggerFullSync" + url: "http://keycloak:8080/auth/admin/realms/aap/user-storage/{{ ldap_id }}/sync?action=triggerFullSync" method: POST status_code: - 200 @@ -354,8 +345,7 @@ - name: Sync LDAP groups uri: - #url: "http://keycloak:8080/auth/admin/realms/aap/user-storage/{{ ldap_id }}/mappers/{{ keycloak_ldap_group_mapper_id }}/sync?direction=fedToKeycloak" - url: "http://keycloak:8080/admin/realms/aap/user-storage/{{ ldap_id }}/mappers/{{ keycloak_ldap_group_mapper_id }}/sync?direction=fedToKeycloak" + url: "http://keycloak:8080/auth/admin/realms/aap/user-storage/{{ ldap_id }}/mappers/{{ keycloak_ldap_group_mapper_id }}/sync?direction=fedToKeycloak" method: POST status_code: - 200 
@@ -373,8 +363,7 @@ client_id: automation-hub state: present auth_client_id: admin-cli - #auth_keycloak_url: http://keycloak:8080/auth - auth_keycloak_url: http://keycloak:8080 + auth_keycloak_url: http://keycloak:8080/auth auth_realm: master auth_username: admin auth_password: admin @@ -390,8 +379,7 @@ client_id: automation-hub state: present auth_client_id: admin-cli - #auth_keycloak_url: http://keycloak:8080/auth - auth_keycloak_url: http://keycloak:8080 + auth_keycloak_url: http://keycloak:8080/auth auth_realm: master auth_username: admin auth_password: admin @@ -399,8 +387,7 @@ - name: Get realm public key uri: - #url: "http://keycloak:8080/auth/realms/aap" - url: "http://keycloak:8080/realms/aap" + url: "http://keycloak:8080/auth/realms/aap" method: GET status_code: - 200 diff --git a/profiles/keycloak/pulp_config.env b/profiles/keycloak/pulp_config.env index ba7d8edf04..6c00a6e8b6 100644 --- a/profiles/keycloak/pulp_config.env +++ b/profiles/keycloak/pulp_config.env @@ -9,7 +9,6 @@ PULP_GALAXY_DEPLOYMENT_MODE=standalone PULP_SOCIAL_AUTH_KEYCLOAK_KEY=automation-hub PULP_SOCIAL_AUTH_KEYCLOAK_SECRET=REALLYWELLKEPTSECRET PULP_SOCIAL_AUTH_LOGIN_REDIRECT_URL={API_PROTOCOL}://{API_HOST}:{API_PORT} -PULP_KEYCLOAK_AUTH_PREFIX="" PULP_KEYCLOAK_PROTOCOL=http PULP_KEYCLOAK_HOST=keycloak PULP_KEYCLOAK_HOST_LOOPBACK=localhost @@ -21,3 +20,6 @@ KEYCLOAK_REDIRECT_URL="{API_PROTOCOL}://{API_HOST}:{API_PORT}/" # Integration test settings HUB_TEST_AUTHENTICATION_BACKEND="keycloak" HUB_TEST_MARKS=deployment_standalone or all or keycloak + +# Disable DAB RESOURCE SYNC to avoid debugging messages +PULP_RESOURCE_SERVER_SYNC_ENABLED=false diff --git a/profiles/ldap/pulp_config.env b/profiles/ldap/pulp_config.env index f18119e197..45d39fd0f9 100644 --- a/profiles/ldap/pulp_config.env +++ b/profiles/ldap/pulp_config.env 
@@ -31,3 +31,6 @@ PULP_GALAXY_LDAP_LOGGING=true # Integration test settings HUB_TEST_AUTHENTICATION_BACKEND="ldap" HUB_TEST_MARKS=(deployment_standalone or all or ldap) and not iqe_ldap + +# Disable DAB RESOURCE SYNC to avoid debugging messages +PULP_RESOURCE_SERVER_SYNC_ENABLED=false