fix(infra): add privileges and fix Keycloak configuration for auth
Update realm-export.json with fixed UUID endianness, correct passwords, mappers, and SSL configuration. Add ALTER DEFAULT PRIVILEGES for app_admin in PostgreSQL init.sh to ensure proper role permissions. Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
@@ -10,7 +10,7 @@
|
|||||||
"offlineSessionIdleTimeout": 2592000,
|
"offlineSessionIdleTimeout": 2592000,
|
||||||
"accessCodeLifespan": 60,
|
"accessCodeLifespan": 60,
|
||||||
"accessCodeLifespanUserAction": 300,
|
"accessCodeLifespanUserAction": 300,
|
||||||
"sslRequired": "external",
|
"sslRequired": "none",
|
||||||
"registrationAllowed": false,
|
"registrationAllowed": false,
|
||||||
"loginWithEmailAllowed": true,
|
"loginWithEmailAllowed": true,
|
||||||
"duplicateEmailsAllowed": false,
|
"duplicateEmailsAllowed": false,
|
||||||
@@ -50,7 +50,7 @@
|
|||||||
"config": {
|
"config": {
|
||||||
"user.attribute": "clubs",
|
"user.attribute": "clubs",
|
||||||
"claim.name": "clubs",
|
"claim.name": "clubs",
|
||||||
"jsonType.label": "JSON",
|
"jsonType.label": "String",
|
||||||
"id.token.claim": "true",
|
"id.token.claim": "true",
|
||||||
"access.token.claim": "true",
|
"access.token.claim": "true",
|
||||||
"userinfo.token.claim": "true",
|
"userinfo.token.claim": "true",
|
||||||
@@ -105,13 +105,37 @@
|
|||||||
"config": {
|
"config": {
|
||||||
"user.attribute": "clubs",
|
"user.attribute": "clubs",
|
||||||
"claim.name": "clubs",
|
"claim.name": "clubs",
|
||||||
"jsonType.label": "JSON",
|
"jsonType.label": "String",
|
||||||
"id.token.claim": "true",
|
"id.token.claim": "true",
|
||||||
"access.token.claim": "true",
|
"access.token.claim": "true",
|
||||||
"userinfo.token.claim": "true",
|
"userinfo.token.claim": "true",
|
||||||
"multivalued": "false",
|
"multivalued": "false",
|
||||||
"aggregate.attrs": "false"
|
"aggregate.attrs": "false"
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "workclub-api-audience",
|
||||||
|
"protocol": "openid-connect",
|
||||||
|
"protocolMapper": "oidc-hardcoded-claim-mapper",
|
||||||
|
"consentRequired": false,
|
||||||
|
"config": {
|
||||||
|
"claim.name": "aud",
|
||||||
|
"claim.value": "workclub-api",
|
||||||
|
"jsonType.label": "String",
|
||||||
|
"access.token.claim": "true",
|
||||||
|
"id.token.claim": "false",
|
||||||
|
"userinfo.token.claim": "false"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "sub-claim",
|
||||||
|
"protocol": "openid-connect",
|
||||||
|
"protocolMapper": "oidc-sub-mapper",
|
||||||
|
"consentRequired": false,
|
||||||
|
"config": {
|
||||||
|
"access.token.claim": "true",
|
||||||
|
"introspection.token.claim": "true"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"defaultClientScopes": [
|
"defaultClientScopes": [
|
||||||
@@ -138,16 +162,12 @@
|
|||||||
"firstName": "Admin",
|
"firstName": "Admin",
|
||||||
"lastName": "User",
|
"lastName": "User",
|
||||||
"attributes": {
|
"attributes": {
|
||||||
"clubs": ["{\"club-1-uuid\": \"admin\", \"club-2-uuid\": \"member\"}"]
|
"clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383,3b4afcfa-1352-8fc7-b497-8ab52a0d5fda"]
|
||||||
},
|
},
|
||||||
"credentials": [
|
"credentials": [
|
||||||
{
|
{
|
||||||
"type": "password",
|
"type": "password",
|
||||||
"hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
|
"value": "testpass123",
|
||||||
"salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
|
|
||||||
"hashIterations": 210000,
|
|
||||||
"algorithm": "pbkdf2-sha512",
|
|
||||||
"createdDate": 1709478000000,
|
|
||||||
"temporary": false
|
"temporary": false
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
@@ -161,16 +181,12 @@
|
|||||||
"firstName": "Manager",
|
"firstName": "Manager",
|
||||||
"lastName": "User",
|
"lastName": "User",
|
||||||
"attributes": {
|
"attributes": {
|
||||||
"clubs": ["{\"club-1-uuid\": \"manager\"}"]
|
"clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383"]
|
||||||
},
|
},
|
||||||
"credentials": [
|
"credentials": [
|
||||||
{
|
{
|
||||||
"type": "password",
|
"type": "password",
|
||||||
"hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
|
"value": "testpass123",
|
||||||
"salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
|
|
||||||
"hashIterations": 210000,
|
|
||||||
"algorithm": "pbkdf2-sha512",
|
|
||||||
"createdDate": 1709478000000,
|
|
||||||
"temporary": false
|
"temporary": false
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
@@ -184,16 +200,12 @@
|
|||||||
"firstName": "Member",
|
"firstName": "Member",
|
||||||
"lastName": "One",
|
"lastName": "One",
|
||||||
"attributes": {
|
"attributes": {
|
||||||
"clubs": ["{\"club-1-uuid\": \"member\", \"club-2-uuid\": \"member\"}"]
|
"clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383,3b4afcfa-1352-8fc7-b497-8ab52a0d5fda"]
|
||||||
},
|
},
|
||||||
"credentials": [
|
"credentials": [
|
||||||
{
|
{
|
||||||
"type": "password",
|
"type": "password",
|
||||||
"hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
|
"value": "testpass123",
|
||||||
"salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
|
|
||||||
"hashIterations": 210000,
|
|
||||||
"algorithm": "pbkdf2-sha512",
|
|
||||||
"createdDate": 1709478000000,
|
|
||||||
"temporary": false
|
"temporary": false
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
@@ -207,16 +219,12 @@
|
|||||||
"firstName": "Member",
|
"firstName": "Member",
|
||||||
"lastName": "Two",
|
"lastName": "Two",
|
||||||
"attributes": {
|
"attributes": {
|
||||||
"clubs": ["{\"club-1-uuid\": \"member\"}"]
|
"clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383"]
|
||||||
},
|
},
|
||||||
"credentials": [
|
"credentials": [
|
||||||
{
|
{
|
||||||
"type": "password",
|
"type": "password",
|
||||||
"hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
|
"value": "testpass123",
|
||||||
"salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
|
|
||||||
"hashIterations": 210000,
|
|
||||||
"algorithm": "pbkdf2-sha512",
|
|
||||||
"createdDate": 1709478000000,
|
|
||||||
"temporary": false
|
"temporary": false
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
@@ -230,16 +238,12 @@
|
|||||||
"firstName": "Viewer",
|
"firstName": "Viewer",
|
||||||
"lastName": "User",
|
"lastName": "User",
|
||||||
"attributes": {
|
"attributes": {
|
||||||
"clubs": ["{\"club-1-uuid\": \"viewer\"}"]
|
"clubs": ["64e05b5e-ef45-81d7-f2e8-3d14bd197383"]
|
||||||
},
|
},
|
||||||
"credentials": [
|
"credentials": [
|
||||||
{
|
{
|
||||||
"type": "password",
|
"type": "password",
|
||||||
"hashedSaltedValue": "oZz2L6ynBvAQJ9dqF5dZ3q5J5L5yJ5J5J5J5J5J5J5I=",
|
"value": "testpass123",
|
||||||
"salt": "KqJ5J5J5J5J5J5J5J5J5Jw==",
|
|
||||||
"hashIterations": 210000,
|
|
||||||
"algorithm": "pbkdf2-sha512",
|
|
||||||
"createdDate": 1709478000000,
|
|
||||||
"temporary": false
|
"temporary": false
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
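Review bot: `"sslRequired": "none"` in the first hunk removes the TLS requirement for every request, whereas the previous `"external"` value already let clients on loopback and private address ranges talk to Keycloak over plain HTTP, so if the dev stack reaches Keycloak via localhost or a container-network address the change is unnecessary and only matters if this export is ever imported somewhere that is reachable from outside, where credentials and tokens would then be accepted over cleartext. The same export now seeds all five users, Admin included, with the identical cleartext `"value": "testpass123"`; that is acceptable for a throwaway dev realm, but since JSON cannot carry a comment it is worth stating the dev-only intent in the surrounding docs or compose file so the realm is not imported elsewhere. Separately, the new `clubs` attribute values drop the per-club role (`admin`, `manager`, `member`, `viewer`) that the old JSON map carried, and with `"jsonType.label": "String"` plus `"multivalued": "false"` the claim is delivered as one comma-joined string that every consumer must split; unless per-club roles are now sourced elsewhere this is an authorization regression, and `"multivalued": "true"` with one attribute value per club would at least give consumers a proper array instead of a CSV string. The `workclub-api-audience` mapper sets `aud` through a hardcoded-claim mapper; Keycloak's dedicated audience mapper (`oidc-audience-mapper` with `included.custom.audience`) is the documented way to add an audience and composes with Keycloak's own `aud` handling, so it is presumably the safer choice here.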
|
|||||||
@@ -12,6 +12,14 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-E
|
|||||||
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO workclub;
|
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO workclub;
|
||||||
EOSQL
|
EOSQL
|
||||||
|
|
||||||
|
# Create app_admin role for RLS bypass (used by SeedDataService)
|
||||||
|
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "workclub" <<-EOSQL
|
||||||
|
CREATE ROLE app_admin;
|
||||||
|
GRANT app_admin TO workclub WITH INHERIT FALSE, SET TRUE;
|
||||||
|
ALTER DEFAULT PRIVILEGES FOR ROLE workclub IN SCHEMA public GRANT ALL ON TABLES TO app_admin;
|
||||||
|
ALTER DEFAULT PRIVILEGES FOR ROLE workclub IN SCHEMA public GRANT ALL ON SEQUENCES TO app_admin;
|
||||||
|
EOSQL
|
||||||
|
|
||||||
# Create Keycloak database
|
# Create Keycloak database
|
||||||
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
|
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
|
||||||
CREATE USER keycloak WITH PASSWORD 'keycloakpass';
|
CREATE USER keycloak WITH PASSWORD 'keycloakpass';
|
||||||
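Review bot: `CREATE ROLE app_admin;` does not on its own let the role bypass row-level security, which the comment above it states as its purpose: in PostgreSQL only the table owner and roles carrying the `BYPASSRLS` attribute skip RLS policies, and the two `ALTER DEFAULT PRIVILEGES FOR ROLE workclub` lines make `workclub` the owner of the tables, so a session that runs `SET ROLE app_admin` would still be filtered by every policy unless the policies themselves name that role. If a real bypass is intended, the line should be `CREATE ROLE app_admin BYPASSRLS;`, and the comment should note that privilege separation then rests entirely on the application only switching roles in the seeding path, because `SET TRUE` lets `workclub` assume `app_admin` at any time. The `WITH INHERIT FALSE, SET TRUE` grant options are PostgreSQL 16 syntax; the image version is not visible in this hunk, so that is worth confirming against the compose file. The first `psql` heredoc begins outside the hunk.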
|
|||||||