|
|
|
#!/bin/bash
|
|
|
|
die() { echo >&2 "keycloak: ERROR: $@" ; exit 1 ; }
|
|
|
|
info() { echo >&2 "keycloak: $@" ; }
|
|
|
|
|
|
|
|
DIRNAME="$(dirname $0)"
|
|
|
|
cd "$DIRNAME"
|
|
|
|
source ../env.production
|
|
|
|
source ./env.production
|
|
|
|
source "../env.smtp" 2>/dev/null
|
|
|
|
|
|
|
|
SECRETS="../data/keycloak/env.secrets"
|
|
|
|
|
|
|
|
if [ -r "$SECRETS" ]; then
|
|
|
|
docker-compose up -d || die "keycloak: unable to start container"
|
|
|
|
exit 0
|
|
|
|
fi
|
|
|
|
|
|
|
|
docker-compose down 2>/dev/null
|
|
|
|
|
|
|
|
KEYCLOAK_ADMIN_PASSWORD="$(openssl rand -hex 8)"
|
|
|
|
echo "Keycloak admin password $KEYCLOAK_ADMIN_PASSWORD"
|
|
|
|
|
|
|
|
mkdir -p "$(dirname "$SECRETS")"
|
|
|
|
cat <<EOF > "$SECRETS"
|
|
|
|
# DO NOT CHECK IN
|
|
|
|
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
|
|
|
|
EOF
|
|
|
|
|
|
|
|
docker-compose up -d || die "unable to start keycloak"
|
|
|
|
echo "sleeping a minute while keycloak initializes..."
|
|
|
|
sleep 30
|
|
|
|
|
|
|
|
|
|
|
|
info "logging into server"
|
|
|
|
docker-compose exec keycloak \
|
|
|
|
/opt/keycloak/bin/kcadm.sh \
|
|
|
|
config credentials \
|
|
|
|
--server http://localhost:8080/ \
|
|
|
|
--user admin \
|
|
|
|
--password "$KEYCLOAK_ADMIN_PASSWORD" \
|
|
|
|
--realm master \
|
|
|
|
|| die "unable to login"
|
|
|
|
|
|
|
|
|
|
|
|
info "Create a new realm for '$REALM'"
|
|
|
|
docker-compose exec keycloak \
|
|
|
|
/opt/keycloak/bin/kcadm.sh \
|
|
|
|
create realms \
|
|
|
|
-s "realm=$REALM" \
|
|
|
|
-s enabled=true \
|
|
|
|
|| die "unable to create realm"
|
|
|
|
|
|
|
|
|
|
|
|
# https://github.com/hedgedoc/hedgedoc/issues/56
|
|
|
|
info "Fix up a id bug"
|
|
|
|
docker-compose exec -T keycloak \
|
|
|
|
/opt/keycloak/bin/kcadm.sh \
|
|
|
|
create client-scopes \
|
|
|
|
-r "$REALM" \
|
|
|
|
-f - <<EOF || die "unable to create mapping"
|
|
|
|
{
|
|
|
|
"name": "id",
|
|
|
|
"protocol": "openid-connect",
|
|
|
|
"attributes": {
|
|
|
|
"include.in.token.scope": "true",
|
|
|
|
"display.on.consent.screen": "true"
|
|
|
|
},
|
|
|
|
"protocolMappers": [
|
|
|
|
{
|
|
|
|
"name": "id",
|
|
|
|
"protocol": "openid-connect",
|
|
|
|
"protocolMapper": "oidc-usermodel-property-mapper",
|
|
|
|
"consentRequired": false,
|
|
|
|
"config": {
|
|
|
|
"user.attribute": "id",
|
|
|
|
"id.token.claim": "true",
|
|
|
|
"access.token.claim": "true",
|
|
|
|
"jsonType.label": "String",
|
|
|
|
"userinfo.token.claim": "true"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
EOF
|
|
|
|
|
|
|
|
if [ -n "$SMTP_SERVER" ]; then
|
|
|
|
info "configuring email"
|
|
|
|
docker-compose exec -T keycloak \
|
|
|
|
/opt/keycloak/bin/kcadm.sh update "realms/$REALM" \
|
|
|
|
-f - <<EOF || die "unable to configure email"
|
|
|
|
{
|
|
|
|
"resetPasswordAllowed": "true",
|
|
|
|
"smtpServer" : {
|
|
|
|
"auth" : "true",
|
|
|
|
"starttls" : "true",
|
|
|
|
"user" : "$SMTP_USER",
|
|
|
|
"password" : "$SMTP_PASSWORD",
|
|
|
|
"port" : "$SMTP_PORT",
|
|
|
|
"host" : "$SMTP_SERVER",
|
|
|
|
"from" : "keycloak@$DOMAIN_NAME",
|
|
|
|
"fromDisplayName" : "Keycloak @ $DOMAIN_NAME",
|
|
|
|
"ssl" : "false"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
EOF
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
info "Create an admin user in realm"
|
|
|
|
docker-compose exec -T keycloak \
|
|
|
|
/opt/keycloak/bin/kcadm.sh \
|
|
|
|
create users \
|
|
|
|
-o \
|
|
|
|
--fields id,username \
|
|
|
|
-r "$REALM" \
|
|
|
|
-s username=admin \
|
|
|
|
-s enabled=true \
|
|
|
|
-s 'credentials=[{"type":"'$KEYCLOAK_ADMIN_PASSWORD'","value":"admin","temporary":false}]' \
|
|
|
|
|| die "$REALM: unable to create admin user"
|