fix(infra): add privileges and fix Keycloak configuration for auth
Update realm-export.json with fixed UUID endianness, correct passwords, mappers, and SSL configuration. Add ALTER DEFAULT PRIVILEGES for app_admin in PostgreSQL init.sh to ensure proper role permissions. Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
@@ -10,7 +10,7 @@
|
||||
"offlineSessionIdleTimeout": 2592000,
|
||||
"accessCodeLifespan": 60,
|
||||
"accessCodeLifespanUserAction": 300,
|
||||
"sslRequired": "external",
|
||||
"sslRequired": "none",
|
||||
"registrationAllowed": false,
|
||||
"loginWithEmailAllowed": true,
|
||||
"duplicateEmailsAllowed": false,
|
||||
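Review bot: Changing `sslRequired` from `external` to `none` (line 19) drops the HTTPS requirement for every client address, not just local ones, so tokens and admin-console sessions go over plain HTTP wherever this export is imported; `external` already exempts loopback and private-range addresses, which is normally enough for a local Docker setup. If `none` is genuinely needed, keep it confined to the dev realm and record why in the compose/import wiring, since the JSON itself cannot carry a comment, and keep `external` in any export reused for staging. The five user credential entries further down in this file (lines 205–223 and the four repeats) also carry an identical `hashedSaltedValue` and `salt` for every user next to a cleartext `value`; as far as I can tell Keycloak hashes the cleartext `value` on import when it is present, so those hash fields look like dead copy-paste and are better removed than left to suggest the fixture users share a real hash.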
@@ -50,7 +50,7 @@
|
||||
"config": {
|
||||
"user.attribute": "clubs",
|
||||
"claim.name": "clubs",
|
||||
"jsonType.label": "JSON",
|
||||
"jsonType.label": "String",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"userinfo.token.claim": "true",
|
||||
@@ -105,13 +105,37 @@
|
||||
"config": {
|
||||
"user.attribute": "clubs",
|
||||
"claim.name": "clubs",
|
||||
"jsonType.label": "JSON",
|
||||
"jsonType.label": "String",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"userinfo.token.claim": "true",
|
||||
"multivalued": "false",
|
||||
"aggregate.attrs": "false"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workclub-api-audience",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-hardcoded-claim-mapper",
|
||||
"consentRequired": false,
|
||||
"config": {
|
||||
"claim.name": "aud",
|
||||
"claim.value": "workclub-api",
|
||||
"jsonType.label": "String",
|
||||
"access.token.claim": "true",
|
||||
"id.token.claim": "false",
|
||||
"userinfo.token.claim": "false"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "sub-claim",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-sub-mapper",
|
||||
"consentRequired": false,
|
||||
"config": {
|
||||
"access.token.claim": "true",
|
||||
"introspection.token.claim": "true"
|
||||
}
|
||||
}
|
||||
],
|
||||
"defaultClientScopes": [
|
||||
@@ -138,16 +162,12 @@
|
||||
"firstName": "Admin",
|
||||
"lastName": "User",
|
||||
"attributes": {
|
||||
"clubs": ["{\"club-1-uuid\": \"admin\", \"club-2-uuid\": \"member\"}"]
|
||||
"clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383,3b4afcfa-1352-8fc7-b497-8ab52a0d5fda"]
|
||||
},
|
||||
"credentials": [
|
||||
{
|
||||
"type": "password",
|
||||
"hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
|
||||
"salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
|
||||
"hashIterations": 210000,
|
||||
"algorithm": "pbkdf2-sha512",
|
||||
"createdDate": 1709478000000,
|
||||
"value": "testpass123",
|
||||
"temporary": false
|
||||
}
|
||||
],
|
||||
@@ -161,16 +181,12 @@
|
||||
"firstName": "Manager",
|
||||
"lastName": "User",
|
||||
"attributes": {
|
||||
"clubs": ["{\"club-1-uuid\": \"manager\"}"]
|
||||
"clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383"]
|
||||
},
|
||||
"credentials": [
|
||||
{
|
||||
"type": "password",
|
||||
"hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
|
||||
"salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
|
||||
"hashIterations": 210000,
|
||||
"algorithm": "pbkdf2-sha512",
|
||||
"createdDate": 1709478000000,
|
||||
"value": "testpass123",
|
||||
"temporary": false
|
||||
}
|
||||
],
|
||||
@@ -184,16 +200,12 @@
|
||||
"firstName": "Member",
|
||||
"lastName": "One",
|
||||
"attributes": {
|
||||
"clubs": ["{\"club-1-uuid\": \"member\", \"club-2-uuid\": \"member\"}"]
|
||||
"clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383,3b4afcfa-1352-8fc7-b497-8ab52a0d5fda"]
|
||||
},
|
||||
"credentials": [
|
||||
{
|
||||
"type": "password",
|
||||
"hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
|
||||
"salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
|
||||
"hashIterations": 210000,
|
||||
"algorithm": "pbkdf2-sha512",
|
||||
"createdDate": 1709478000000,
|
||||
"value": "testpass123",
|
||||
"temporary": false
|
||||
}
|
||||
],
|
||||
@@ -207,16 +219,12 @@
|
||||
"firstName": "Member",
|
||||
"lastName": "Two",
|
||||
"attributes": {
|
||||
"clubs": ["{\"club-1-uuid\": \"member\"}"]
|
||||
"clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383"]
|
||||
},
|
||||
"credentials": [
|
||||
{
|
||||
"type": "password",
|
||||
"hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
|
||||
"salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
|
||||
"hashIterations": 210000,
|
||||
"algorithm": "pbkdf2-sha512",
|
||||
"createdDate": 1709478000000,
|
||||
"value": "testpass123",
|
||||
"temporary": false
|
||||
}
|
||||
],
|
||||
@@ -230,16 +238,12 @@
|
||||
"firstName": "Viewer",
|
||||
"lastName": "User",
|
||||
"attributes": {
|
||||
"clubs": ["{\"club-1-uuid\": \"viewer\"}"]
|
||||
"clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383"]
|
||||
},
|
||||
"credentials": [
|
||||
{
|
||||
"type": "password",
|
||||
"hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
|
||||
"salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
|
||||
"hashIterations": 210000,
|
||||
"algorithm": "pbkdf2-sha512",
|
||||
"createdDate": 1709478000000,
|
||||
"value": "testpass123",
|
||||
"temporary": false
|
||||
}
|
||||
],
|
||||
|
||||
@@ -12,6 +12,14 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-E
|
||||
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO workclub;
|
||||
EOSQL
|
||||
|
||||
# Create app_admin role for RLS bypass (used by SeedDataService)
|
||||
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "workclub" <<-EOSQL
|
||||
CREATE ROLE app_admin;
|
||||
GRANT app_admin TO workclub WITH INHERIT FALSE, SET TRUE;
|
||||
ALTER DEFAULT PRIVILEGES FOR ROLE workclub IN SCHEMA public GRANT ALL ON TABLES TO app_admin;
|
||||
ALTER DEFAULT PRIVILEGES FOR ROLE workclub IN SCHEMA public GRANT ALL ON SEQUENCES TO app_admin;
|
||||
EOSQL
|
||||
|
||||
# Create Keycloak database
|
||||
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
|
||||
CREATE USER keycloak WITH PASSWORD 'keycloakpass';
|
||||
|
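Review bot: `CREATE ROLE app_admin;` on line 479 creates the role without `BYPASSRLS`, and app_admin is not the table owner (the default privileges are granted `FOR ROLE workclub`), so row-level-security policies still apply to it and the "RLS bypass" in the comment only holds if the policies themselves exempt the role. If bypass is the intent, make it explicit with `CREATE ROLE app_admin BYPASSRLS;` and state it in the comment, because that attribute is a broad capability a reader should see at the point it is granted. The `WITH INHERIT FALSE, SET TRUE` grant options are PostgreSQL 16+ syntax, so the init script now hard-requires that major version; a one-line note such as `# INHERIT FALSE / SET TRUE grant options require PostgreSQL 16+` would save the next person a confusing `ON_ERROR_STOP` failure on older images. Worth stating in the same comment that any session holding the workclub credentials can `SET ROLE app_admin`, so this is a convenience separation within one connection rather than a privilege boundary.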
||||