From 1246086ab5a69d603323c4bdd9cfb48a5a1f260b Mon Sep 17 00:00:00 2001
From: WorkClub Automation
Date: Thu, 5 Mar 2026 19:22:37 +0100
Subject: [PATCH] fix(infra): add privileges and fix Keycloak configuration for auth

Update realm-export.json with fixed UUID endianness, correct passwords, mappers, and SSL configuration. Add ALTER DEFAULT PRIVILEGES for app_admin in PostgreSQL init.sh to ensure proper role permissions.

Co-authored-by: Sisyphus
---
 infra/keycloak/realm-export.json | 70 +++++++++++++++++---------------
 infra/postgres/init.sh | 8 ++++
 2 files changed, 45 insertions(+), 33 deletions(-)

diff --git a/infra/keycloak/realm-export.json b/infra/keycloak/realm-export.json
index e0fd743..de38363 100644
--- a/infra/keycloak/realm-export.json
+++ b/infra/keycloak/realm-export.json
@@ -10,7 +10,7 @@
 "offlineSessionIdleTimeout": 2592000,
 "accessCodeLifespan": 60,
 "accessCodeLifespanUserAction": 300,
- "sslRequired": "external",
+ "sslRequired": "none",
 "registrationAllowed": false,
 "loginWithEmailAllowed": true,
 "duplicateEmailsAllowed": false,
@@ -50,7 +50,7 @@
 "config": {
 "user.attribute": "clubs",
 "claim.name": "clubs",
- "jsonType.label": "JSON",
+ "jsonType.label": "String",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "userinfo.token.claim": "true",
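Review bot: Setting `"sslRequired": "none"` removes Keycloak's TLS requirement for every request to this realm, so passwords and tokens are accepted over plain HTTP from any address. The previous `"external"` value already exempts requests from loopback and private-range addresses, which a local docker-compose deployment normally falls under, so the relaxation is usually not needed for that case; if the instance is reached through a non-private address in development, fixing the proxy or hostname settings is the safer change. If `"none"` is kept, record in the commit description or a README next to this file that the export is dev-only and must not be imported into a shared realm.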
@@ -105,13 +105,37 @@
 "config": {
 "user.attribute": "clubs",
 "claim.name": "clubs",
- "jsonType.label": "JSON",
+ "jsonType.label": "String",
 "id.token.claim": "true",
 "access.token.claim": "true",
 "userinfo.token.claim": "true",
 "multivalued": "false",
 "aggregate.attrs": "false"
 }
+ },
+ {
+ "name": "workclub-api-audience",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-hardcoded-claim-mapper",
+ "consentRequired": false,
+ "config": {
+ "claim.name": "aud",
+ "claim.value": "workclub-api",
+ "jsonType.label": "String",
+ "access.token.claim": "true",
+ "id.token.claim": "false",
+ "userinfo.token.claim": "false"
+ }
+ },
+ {
+ "name": "sub-claim",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-sub-mapper",
+ "consentRequired": false,
+ "config": {
+ "access.token.claim": "true",
+ "introspection.token.claim": "true"
+ }
 }
 ],
 "defaultClientScopes": [
@@ -138,16 +162,12 @@
 "firstName": "Admin",
 "lastName": "User",
 "attributes": {
- "clubs": ["{\"club-1-uuid\": \"admin\", \"club-2-uuid\": \"member\"}"]
+ "clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383,3b4afcfa-1352-8fc7-b497-8ab52a0d5fda"]
 },
 "credentials": [
 {
 "type": "password",
- "hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
- "salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
- "hashIterations": 210000,
- "algorithm": "pbkdf2-sha512",
- "createdDate": 1709478000000,
+ "value": "testpass123",
 "temporary": false
 }
 ],
@@ -161,16 +181,12 @@
 "firstName": "Manager",
 "lastName": "User",
 "attributes": {
- "clubs": ["{\"club-1-uuid\": \"manager\"}"]
+ "clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383"]
 },
 "credentials": [
 {
 "type": "password",
- "hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
- "salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
- "hashIterations": 210000,
- "algorithm": "pbkdf2-sha512",
- "createdDate": 1709478000000,
+ "value": "testpass123",
 "temporary": false
 }
 ],
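Review bot: The new `workclub-api-audience` mapper writes `aud` through `oidc-hardcoded-claim-mapper`, which sets the claim to the single string `workclub-api` and may collide with the audience Keycloak populates itself; the dedicated `oidc-audience-mapper` (config key `included.custom.audience`) is the supported way to add a custom audience to the access token. Whichever mapper is used, the claim only becomes a security control if the API's token validation rejects tokens whose `aud` does not contain `workclub-api`, so that check should be confirmed alongside this change. The `sub-claim` mapper sets `introspection.token.claim` but the audience mapper does not; if the API relies on introspection, add `"introspection.token.claim": "true"` to the audience mapper as well. The `protocolMappers` array these entries extend begins outside the hunk.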
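Review bot: The five seed users in this hunk and in `@@ -161`, `@@ -184`, `@@ -207` and `@@ -230` now all share the clear-text literal `testpass123` with `"temporary": false`, and the Admin user is among them. Keycloak hashes a plaintext `value` at import time, so this is the correct mechanism for a fixture, but nothing in the file name `realm-export.json` or its contents marks it as dev-only; the compose or import configuration should make it impossible to load into a shared environment, and the commit description is the place to state that. At minimum give the admin user a distinct password and consider `"temporary": true` so it is rotated on first login. Separately, the `clubs` value changes from a JSON map carrying a per-club role to a comma-separated UUID list in a `"multivalued": "false"` attribute, so if the API still reads a role per club it must now obtain it elsewhere.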
@@ -184,16 +200,12 @@
 "firstName": "Member",
 "lastName": "One",
 "attributes": {
- "clubs": ["{\"club-1-uuid\": \"member\", \"club-2-uuid\": \"member\"}"]
+ "clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383,3b4afcfa-1352-8fc7-b497-8ab52a0d5fda"]
 },
 "credentials": [
 {
 "type": "password",
- "hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
- "salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
- "hashIterations": 210000,
- "algorithm": "pbkdf2-sha512",
- "createdDate": 1709478000000,
+ "value": "testpass123",
 "temporary": false
 }
 ],
@@ -207,16 +219,12 @@
 "firstName": "Member",
 "lastName": "Two",
 "attributes": {
- "clubs": ["{\"club-1-uuid\": \"member\"}"]
+ "clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383"]
 },
 "credentials": [
 {
 "type": "password",
- "hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
- "salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
- "hashIterations": 210000,
- "algorithm": "pbkdf2-sha512",
- "createdDate": 1709478000000,
+ "value": "testpass123",
 "temporary": false
 }
 ],
@@ -230,16 +238,12 @@
 "firstName": "Viewer",
 "lastName": "User",
 "attributes": {
- "clubs": ["{\"club-1-uuid\": \"viewer\"}"]
+ "clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383"]
 },
 "credentials": [
 {
 "type": "password",
- "hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
- "salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
- "hashIterations": 210000,
- "algorithm": "pbkdf2-sha512",
- "createdDate": 1709478000000,
+ "value": "testpass123",
 "temporary": false
 }
 ],
diff --git a/infra/postgres/init.sh b/infra/postgres/init.sh
index 7eb5f83..e89152a 100755
--- a/infra/postgres/init.sh
+++ b/infra/postgres/init.sh
@@ -12,6 +12,14 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-E
 ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO workclub;
 EOSQL

+# Create app_admin role for RLS bypass (used by SeedDataService)
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "workclub" <<-EOSQL
+ CREATE ROLE app_admin;
+ GRANT app_admin TO workclub WITH INHERIT FALSE, SET TRUE;
+ ALTER DEFAULT PRIVILEGES FOR ROLE workclub IN SCHEMA public GRANT ALL ON TABLES TO app_admin;
+ ALTER DEFAULT PRIVILEGES FOR ROLE workclub IN SCHEMA public GRANT ALL ON SEQUENCES TO app_admin;
+EOSQL
+
 # Create Keycloak database
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
 CREATE USER keycloak WITH PASSWORD 'keycloakpass';
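Review bot: `CREATE ROLE app_admin;` creates the role without the `BYPASSRLS` attribute, and the two `ALTER DEFAULT PRIVILEGES` lines only grant table and sequence privileges, so a session that runs `SET ROLE app_admin` is still subject to row-level security on tables owned by `workclub` unless the policies themselves name `app_admin`; if the comment's "RLS bypass" is the intent, the line should read `CREATE ROLE app_admin NOLOGIN BYPASSRLS;` (NOLOGIN is already the default, spelling it out documents that the role is only reachable via `SET ROLE`). `GRANT app_admin TO workclub WITH INHERIT FALSE, SET TRUE` uses the per-grant `INHERIT`/`SET` options that exist only from PostgreSQL 16, so this block fails on an older image; the image version is not in this hunk. With `SET TRUE`, every application connection as `workclub` can switch to the bypass role at will, so the effective boundary is the application code that issues `SET ROLE`; a comment such as `# app_admin is NOLOGIN and only reachable via SET ROLE from workclub; RLS policies are bypassed only inside that scope` would make that explicit. The database is hard-coded as `"workclub"` here while the block above uses `"$POSTGRES_DB"`; default privileges are per-database, so this is correct only if the application schema lives in `workclub`, which is worth confirming.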