feat(keycloak): add seeding data to configuration #800

Closed

Conversation

@ntruchsess ntruchsess commented Jun 23, 2024

Description

The keycloak-seeder has been changed to (optionally) read multiple json-files per realm and seeding-data from its settings and merge this additional data with the one that is read from json before writing changes to keycloak. This allows both to separate seeding-data of different domains and to override values in the keycloak-json by settings being passed as environment-variables (which can be defined via helm-chart).
The following client-properties can now be updated: RootUrl, BaseUrl, AdminUrl, RedirectUrls, Secret. (Before the change those values could only be initially set on creation of the respective entity.)
KeecloakSeederSettings have been adjusted accordingly:

  "KeycloakSeeding": {
    "Realms": [
      {
        "Realm": "CX-Central",
        "InstanceName": "test",
        "DataPathes": [
          "realms/CX-Central-realm.json"
        ],
        "Id": "realms internal id",
        "DisplayName": "realms display name",
        ..... further realm configuration
        "Clients": [
        ],
        "IdentityProviders": [
        ],
        .... even further realm configuration...
      }
    ]
  }

Why

Seeding e.g. secrets from json-files would uncover confidential data. It is also inflexible: settings defined by environment-variables can e.g. be defined in kubernetes secrets.

Issue

#438

Checklist


  • I have followed the contributing guidelines
  • I have performed a self-review of my own code
  • I have successfully tested my changes locally
  • I have added tests that prove my changes work
  • I have checked that new and existing tests pass locally with my changes
  • I have commented my code, particularly in hard-to-understand areas

@ntruchsess ntruchsess changed the title feature(keycloak): add seeding data to configuration feat(keycloak): add seeding data to configuration Jun 23, 2024
@ntruchsess ntruchsess force-pushed the feature/438-keycloak-seeding branch from aa5807f to b11b589 Compare June 24, 2024 14:07
@ntruchsess ntruchsess force-pushed the feature/438-keycloak-seeding branch from b11b589 to a853d02 Compare June 24, 2024 14:52
@ntruchsess ntruchsess marked this pull request as ready for review June 24, 2024 14:52
@evegufy evegufy left a comment

Hi @ntruchsess I just tried to import this realm from scratch (not only at upgrade / updating existing realm configuration) and I'm encountering the following error:

{"Timestamp":"2024-06-24T16:12:24.1533063+00:00","Level":"Information","MessageTemplate":"Start seeding","RenderedMessage":"Start seeding"}
{"Timestamp":"2024-06-24T16:12:25.0499479+00:00","Level":"Error","MessageTemplate":"{Message}","RenderedMessage":"\"Not Found: http://centralidp-keycloak/auth/admin/realms/CX-Central\"","Exception":"Flurl.Http.FlurlHttpException: Call failed with status code 404 (Not Found): GET http://centralidp-keycloak/auth/admin/realms/CX-Central\n   at Flurl.Http.FlurlRequest.SendAsync(HttpMethod verb, HttpContent content, CancellationToken cancellationToken, HttpCompletionOption completionOption)","Properties":{"Message":"Not Found: http://centralidp-keycloak/auth/admin/realms/CX-Central","SourceContext":"Program"}}
{"Timestamp":"2024-06-24T16:12:27.7938875+00:00","Level":"Error","MessageTemplate":"{Message}","RenderedMessage":"\"Bad Request: http://centralidp-keycloak/auth/admin/realms/CX-Central/roles-by-id/64dd11f1-0d9a-4da3-a475-ca3fcbc8f90e\"","Exception":"Flurl.Http.FlurlHttpException: Call failed with status code 400 (Bad Request): DELETE http://centralidp-keycloak/auth/admin/realms/CX-Central/roles-by-id/64dd11f1-0d9a-4da3-a475-ca3fcbc8f90e\n   at Flurl.Http.FlurlRequest.SendAsync(HttpMethod verb, HttpContent content, CancellationToken cancellationToken, HttpCompletionOption completionOption)","Properties":{"Message":"Bad Request: http://centralidp-keycloak/auth/admin/realms/CX-Central/roles-by-id/64dd11f1-0d9a-4da3-a475-ca3fcbc8f90e","SourceContext":"Program"}}
{"Timestamp":"2024-06-24T16:12:27.7992279+00:00","Level":"Fatal","MessageTemplate":"Unhandled exception","RenderedMessage":"Unhandled exception","Exception":"System.ArgumentException: Bad Request: http://centralidp-keycloak/auth/admin/realms/CX-Central/roles-by-id/64dd11f1-0d9a-4da3-a475-ca3fcbc8f90e\n ---> Flurl.Http.FlurlHttpException: Call failed with status code 400 (Bad Request): DELETE http://centralidp-keycloak/auth/admin/realms/CX-Central/roles-by-id/64dd11f1-0d9a-4da3-a475-ca3fcbc8f90e\n   at Flurl.Http.FlurlRequest.SendAsync(HttpMethod verb, HttpContent content, CancellationToken cancellationToken, HttpCompletionOption completionOption)\n   --- End of inner exception stack trace ---\n   at Org.Eclipse.TractusX.Portal.Backend.Keycloak.ErrorHandling.FlurlErrorHandler.<>c__DisplayClass0_0.<ConfigureErrorHandler>b__1(FlurlCall call) in /src/keycloak/Keycloak.ErrorHandling/FlurlErrorHandler.cs:line 51\n   at Flurl.Http.FlurlRequest.RaiseEventAsync(Action`1 syncHandler, Func`2 asyncHandler, FlurlCall call)\n   at Flurl.Http.FlurlRequest.HandleExceptionAsync(FlurlCall call, Exception ex, CancellationToken token)\n   at Flurl.Http.FlurlRequest.SendAsync(HttpMethod verb, HttpContent content, CancellationToken cancellationToken, HttpCompletionOption completionOption)\n   at Flurl.Http.FlurlRequest.SendAsync(HttpMethod verb, HttpContent content, CancellationToken cancellationToken, HttpCompletionOption completionOption)\n   at Org.Eclipse.TractusX.Portal.Backend.Keycloak.Library.KeycloakClient.DeleteRoleByIdAsync(String realm, String roleId, CancellationToken cancellationToken) in /src/keycloak/Keycloak.Library/RolesById/KeycloakClient.cs:line 54\n   at Org.Eclipse.TractusX.Portal.Backend.Keycloak.Seeding.BusinessLogic.RolesUpdater.UpdateAndDeleteRoles(KeycloakClient keycloak, String realm, IEnumerable`1 roles, IEnumerable`1 updateRoles, CancellationToken cancellationToken) in /src/keycloak/Keycloak.Seeding/BusinessLogic/RolesUpdater.cs:line 100\n   at Org.Eclipse.TractusX.Portal.Backend.Keycloak.Seeding.BusinessLogic.RolesUpdater.UpdateRealmRoles(String keycloakInstanceName, CancellationToken cancellationToken) in /src/keycloak/Keycloak.Seeding/BusinessLogic/RolesUpdater.cs:line 71\n   at Org.Eclipse.TractusX.Portal.Backend.Keycloak.Seeding.BusinessLogic.KeycloakSeeder.Seed(CancellationToken cancellationToken) in /src/keycloak/Keycloak.Seeding/BusinessLogic/KeecloakSeeder.cs:line 58\n   at Program.<Main>$(String[] args) in /src/keycloak/Keycloak.Seeding/Program.cs:line 86"}
Unhandled exception. System.ArgumentException: Bad Request: http://centralidp-keycloak/auth/admin/realms/CX-Central/roles-by-id/64dd11f1-0d9a-4da3-a475-ca3fcbc8f90e
 ---> Flurl.Http.FlurlHttpException: Call failed with status code 400 (Bad Request): DELETE http://centralidp-keycloak/auth/admin/realms/CX-Central/roles-by-id/64dd11f1-0d9a-4da3-a475-ca3fcbc8f90e
   at Flurl.Http.FlurlRequest.SendAsync(HttpMethod verb, HttpContent content, CancellationToken cancellationToken, HttpCompletionOption completionOption)
   --- End of inner exception stack trace ---
   at Org.Eclipse.TractusX.Portal.Backend.Keycloak.ErrorHandling.FlurlErrorHandler.<>c__DisplayClass0_0.<ConfigureErrorHandler>b__1(FlurlCall call) in /src/keycloak/Keycloak.ErrorHandling/FlurlErrorHandler.cs:line 51
   at Flurl.Http.FlurlRequest.RaiseEventAsync(Action`1 syncHandler, Func`2 asyncHandler, FlurlCall call)
   at Flurl.Http.FlurlRequest.HandleExceptionAsync(FlurlCall call, Exception ex, CancellationToken token)
   at Flurl.Http.FlurlRequest.SendAsync(HttpMethod verb, HttpContent content, CancellationToken cancellationToken, HttpCompletionOption completionOption)
   at Flurl.Http.FlurlRequest.SendAsync(HttpMethod verb, HttpContent content, CancellationToken cancellationToken, HttpCompletionOption completionOption)
   at Org.Eclipse.TractusX.Portal.Backend.Keycloak.Library.KeycloakClient.DeleteRoleByIdAsync(String realm, String roleId, CancellationToken cancellationToken) in /src/keycloak/Keycloak.Library/RolesById/KeycloakClient.cs:line 54
   at Org.Eclipse.TractusX.Portal.Backend.Keycloak.Seeding.BusinessLogic.RolesUpdater.UpdateAndDeleteRoles(KeycloakClient keycloak, String realm, IEnumerable`1 roles, IEnumerable`1 updateRoles, CancellationToken cancellationToken) in /src/keycloak/Keycloak.Seeding/BusinessLogic/RolesUpdater.cs:line 100
   at Org.Eclipse.TractusX.Portal.Backend.Keycloak.Seeding.BusinessLogic.RolesUpdater.UpdateRealmRoles(String keycloakInstanceName, CancellationToken cancellationToken) in /src/keycloak/Keycloak.Seeding/BusinessLogic/RolesUpdater.cs:line 71
   at Org.Eclipse.TractusX.Portal.Backend.Keycloak.Seeding.BusinessLogic.KeycloakSeeder.Seed(CancellationToken cancellationToken) in /src/keycloak/Keycloak.Seeding/BusinessLogic/KeecloakSeeder.cs:line 58
   at Program.<Main>$(String[] args) in /src/keycloak/Keycloak.Seeding/Program.cs:line 86
   at Program.<Main>(String[] args)

The issue is not specific to your change as I tested it also with the previous state but it's relevant now because we want to use the job to setup entire realms not just updating existing ones.

@evegufy evegufy left a comment

Could you please also change / rebase the pull request to main? This change isn't meant for our 2.1.0 version.

@ntruchsess ntruchsess closed this Jun 25, 2024
@ntruchsess ntruchsess reopened this Jun 25, 2024
@ntruchsess

I guess (at least one) role that keycloak creates by default is missing in the json. Whenever a realm is being created keycloak implicitly creates roles to manage administrative privileges of that realm. Those realm-management-roles cannot be deleted. What happens is that the seeding-job creates the realm, keycloak creates the management-roles, the seeding-job now queries the realm and calculates the delta to what is defined in json. Whenever a role is existing in keycloak that is not also defined in json the seeding-job tries to delete it. Unfortunately those realm-management-roles are not marked as such so the seeder cannot distinguish between manually and implicitly created roles. Therefore for a successful import all implicitly created roles must also be defined in the json.

@ntruchsess ntruchsess force-pushed the feature/438-keycloak-seeding branch from 7779e05 to 6937651 Compare June 26, 2024 17:03
@ntruchsess ntruchsess changed the base branch from release/v2.1.0-RC1 to main June 26, 2024 17:04
@ntruchsess ntruchsess force-pushed the feature/438-keycloak-seeding branch 2 times, most recently from 329439f to 7340289 Compare June 26, 2024 17:14
@ntruchsess ntruchsess force-pushed the feature/438-keycloak-seeding branch 2 times, most recently from 949a35c to 43f1688 Compare June 26, 2024 18:24
@ntruchsess

Could you please also change / rebase the pull request to main? This change isn't meant for our 2.1.0 version.

done

@ntruchsess ntruchsess requested a review from evegufy June 26, 2024 18:46
@eclipse-tractusx eclipse-tractusx deleted a comment from ntruchsess Jun 27, 2024
evegufy commented Jun 27, 2024

As discussed, renaming the default role to the default pattern did solve the issue
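The delta computation described in the comment above, and the fix of spelling the default role the way Keycloak spells it, as an added Python example that is not the seeder's own RolesUpdater (the project is C#): it plans the create/update/delete sets from Keycloak's role list and the seed's, shows the realm's default role landing in the delete set when the seed names it differently, and adds a pre-flight lint for the seed file. Assumptions: Keycloak names a new realm's composite default role `default-roles-<realm name in lower case>` and rejects a DELETE of it with 400; the role ids, the misspelled "before" name and the "CX Admin" role are constructed.

```python
from dataclasses import dataclass, field

REALM = "CX-Central"

# Constructed: roles Keycloak reports right after the seeder has created the realm.
# Assumption: the composite default role is named "default-roles-<realm, lower-cased>"
# and Keycloak refuses to delete it (the 400 on DELETE roles-by-id seen in the thread).
EXISTING_ROLES = [
    {"id": "role-0001", "name": "default-roles-cx-central", "composite": True},
    {"id": "role-0002", "name": "offline_access"},
    {"id": "role-0003", "name": "uma_authorization"},
]

# Constructed seeding data "before": the default role is spelled in a way Keycloak
# does not use, so the delta contains one role to create and one (undeletable) to delete.
SEED_ROLES_BEFORE = [
    {"name": "default-role-CX-Central", "composite": True},
    {"name": "offline_access"},
    {"name": "uma_authorization"},
    {"name": "CX Admin", "description": "portal administrator"},
]

# Constructed seeding data "after": the default role follows Keycloak's pattern.
SEED_ROLES_AFTER = [
    {"name": "default-roles-cx-central", "composite": True},
    {"name": "offline_access"},
    {"name": "uma_authorization"},
    {"name": "CX Admin", "description": "portal administrator"},
]


def default_role_name(realm: str) -> str:
    """Assumed Keycloak naming pattern for a realm's composite default role."""
    return f"default-roles-{realm.lower()}"


@dataclass
class RolePlan:
    create: list = field(default_factory=list)   # role names to POST
    update: list = field(default_factory=list)   # role names to PUT
    delete: list = field(default_factory=list)   # role ids to DELETE


def plan_role_changes(existing: list, desired: list) -> RolePlan:
    """Delta between what Keycloak has and what the seed defines, keyed by role name.
    Anything present in Keycloak that the seed does not mention ends up in `delete`."""
    existing_by_name = {r["name"]: r for r in existing}
    desired_by_name = {r["name"]: r for r in desired}
    plan = RolePlan()
    for name, wanted in desired_by_name.items():
        current = existing_by_name.get(name)
        if current is None:
            plan.create.append(name)
        elif any(current.get(k) != wanted.get(k) for k in ("description", "composite")):
            plan.update.append(name)
    for name, current in existing_by_name.items():
        if name not in desired_by_name:
            plan.delete.append(current["id"])
    return plan


def undeletable_in_plan(plan: RolePlan, existing: list, realm: str) -> list:
    """Names of roles the plan would delete although Keycloak will answer 400."""
    name_by_id = {r["id"]: r["name"] for r in existing}
    return [name_by_id[i] for i in plan.delete if name_by_id[i] == default_role_name(realm)]


def lint_seed(desired: list, realm: str) -> list:
    """Pre-flight check on the seed: the realm's default role must be spelled as
    Keycloak spells it, otherwise the seeder will try to delete the real one."""
    names = {r["name"] for r in desired}
    expected = default_role_name(realm)
    if expected in names:
        return []
    close = [n for n in names if n.lower().startswith("default-role")]
    return [f"seed has no role named {expected!r}; found {close or 'none'}"]


if __name__ == "__main__":
    for label, seed in (("before", SEED_ROLES_BEFORE), ("after", SEED_ROLES_AFTER)):
        plan = plan_role_changes(EXISTING_ROLES, seed)
        blocked = undeletable_in_plan(plan, EXISTING_ROLES, REALM)
        print(label, plan, "would fail with 400:", blocked, lint_seed(seed, REALM))
```

Running the lint before the job starts turns the opaque 400 from DELETE roles-by-id into a message that names the role the seed is missing; the plan itself is computed by name, exactly as a seed-versus-realm diff has to be, so renaming the role in the seed is what empties the delete set.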

@evegufy evegufy left a comment

I noticed that seeding of the (bpn) user attribute via seeding config fails (with error, see logs-from-centralidp-keycloak-realm-seeding-in-centralidp-keycloak-realm-seeding-1-5qw8s.log) for service account users:

used config:

          - name: "KEYCLOAKSEEDING__REALMS__0__USERS__0__Attributes__0__NAME"
            value: "bpn"
          - name: KEYCLOAKSEEDING__REALMS__0__USERS__1__USERNAME
            value: "service-account-sa-test-2"
          - name: KEYCLOAKSEEDING__REALMS__0__USERS__1__Attributes__0__VALUES__0
            value: TEST2

I tested with a normal user as well; there it worked.

@ntruchsess ntruchsess requested a review from evegufy June 27, 2024 07:58
evegufy added a commit to eclipse-tractusx/portal-iam that referenced this pull request Jun 27, 2024
to enable import of realm via seeding job, without proper naming of the default role the seeding job runs into error eclipse-tractusx/portal-backend#800 (comment)
@ntruchsess

this is missing:
- name: KEYCLOAKSEEDING__REALMS__0__USERS__1__Attributes__0__NAME
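The layering that the pull request description and the environment configuration above rely on, as an added example that is neither part of this page nor the portal-backend seeder's code (which is C# on the .NET configuration binder): a small Python stand-in reads a realm from JSON and then overlays KEYCLOAKSEEDING__... environment variables on top, splitting keys on `__`, treating numeric segments as array indices and matching names case-insensitively, so a client Secret can come from a Kubernetes secret instead of the JSON file. It also runs the check that would have flagged the missing NAME on the service-account user's attribute. The realm content, client id, secret value and user names are constructed; `check_user_attributes` and `redacted` are my own helpers, not the seeder's startup-configuration-checks.

```python
import copy
import json

# Constructed sample of a realm export as it might sit in one of the seeding JSON
# files. The client secret is only a placeholder: the real value is expected to
# arrive via the environment (for example a Kubernetes secret), never via the file.
REALM_JSON = json.dumps({
    "Realm": "CX-Central",
    "Clients": [
        {"ClientId": "portal", "RootUrl": "http://localhost", "Secret": "placeholder"}
    ],
    "Users": [
        {"Username": "alice",
         "Attributes": [{"Name": "bpn", "Values": ["BPNL00000000ABCD"]}]}
    ],
})

# Constructed environment in the KEYCLOAKSEEDING__REALMS__0__... key style from the
# thread. The second user's attribute carries VALUES but no NAME, reproducing the
# misconfiguration that broke seeding of the service-account user above.
SAMPLE_ENV = {
    "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__SECRET": "s3cr3t-from-k8s-secret",
    "KEYCLOAKSEEDING__REALMS__0__CLIENTS__0__ROOTURL": "https://portal.example.org",
    "KEYCLOAKSEEDING__REALMS__0__USERS__1__USERNAME": "service-account-sa-test-2",
    "KEYCLOAKSEEDING__REALMS__0__USERS__1__Attributes__0__VALUES__0": "TEST2",
    "UNRELATED_VAR": "ignored",
}

def _find_key(node: dict, name: str) -> str:
    """Return the existing key that matches `name` case-insensitively, else `name`."""
    for key in node:
        if key.lower() == name.lower():
            return key
    return name

def _placeholder(rest: list):
    """Container to create for the next path segment: a list for a numeric segment."""
    if not rest:
        return None
    return [] if rest[0].isdigit() else {}

def _set_path(node, segments: list, value: str) -> None:
    """Write `value` at the path given by `segments`, creating containers on the way."""
    head, rest = segments[0], segments[1:]
    if isinstance(node, list):
        index = int(head)
        while len(node) <= index:          # env vars may address items the JSON lacks
            node.append(_placeholder(rest))
        if rest:
            _set_path(node[index], rest, value)
        else:
            node[index] = value
        return
    key = _find_key(node, head)
    if rest:
        node.setdefault(key, _placeholder(rest))
        _set_path(node[key], rest, value)
    else:
        node[key] = value

def build_settings(realm_json: str, env: dict) -> dict:
    """Load the realm from JSON, then overlay every KEYCLOAKSEEDING__ variable.
    Later sources win, so a Secret in the environment replaces the file's placeholder."""
    settings = {"KeycloakSeeding": {"Realms": [json.loads(realm_json)]}}
    for key, value in env.items():
        if key.upper().startswith("KEYCLOAKSEEDING__"):
            _set_path(settings, key.split("__"), value)
    return settings

def _get(node: dict, name: str):
    return node.get(_find_key(node, name))

def check_user_attributes(realm: dict) -> list:
    """Startup-style check: every user attribute needs a Name, not only Values."""
    problems = []
    for user in _get(realm, "Users") or []:
        for index, attribute in enumerate(_get(user, "Attributes") or []):
            if not _get(attribute, "Name"):
                problems.append((_get(user, "Username"), index))
    return problems

def redacted(realm: dict) -> dict:
    """Copy of the realm with every client Secret masked, safe to write to a log."""
    masked = copy.deepcopy(realm)
    for client in _get(masked, "Clients") or []:
        if _get(client, "Secret") is not None:
            client[_find_key(client, "Secret")] = "***"
    return masked

if __name__ == "__main__":
    realm = build_settings(REALM_JSON, SAMPLE_ENV)["KeycloakSeeding"]["Realms"][0]
    print(json.dumps(redacted(realm), indent=2))
    for username, index in check_user_attributes(realm):
        print(f"configuration check failed: attribute {index} of user {username!r} has no Name")
```

Adding `KEYCLOAKSEEDING__REALMS__0__USERS__1__Attributes__0__NAME=bpn` to the environment makes the check pass; the JSON file never has to contain the real secret, and anything logged goes through `redacted` first.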

@evegufy evegufy left a comment

Tested successfully 👍
As discussed, please enable user credentials in a separate PR.

@evegufy evegufy left a comment

@ntruchsess ntruchsess requested a review from evegufy July 10, 2024 06:19
@ntruchsess

Need to revert the approval as c5b4a10 is causing this error logs-from-centralidp-keycloak-realm-seeding-in-centralidp-keycloak-realm-seeding-1-wvnxh.log

As discussed - this error was due to invalid configuration that was not compliant with the startup-configuration-checks.

@Phil91 Phil91 left a comment

Just one minor finding. But please be aware that in PR #823 a package version bump is introduced as well. We either need to bump the version in this PR or in #823 after merging.

@ntruchsess ntruchsess requested a review from Phil91 July 18, 2024 06:58
Phil91 previously approved these changes Jul 18, 2024
evegufy commented Jul 18, 2024

Please wait for my approval before merging; I hope I get the final tests soon.

@ntruchsess ntruchsess force-pushed the feature/438-keycloak-seeding branch from 5a67a80 to 91b082d Compare July 19, 2024 16:53
evegufy added a commit to eclipse-tractusx/portal-iam that referenced this pull request Jul 29, 2024
to enable import of realm via seeding job, without proper naming of the default role the seeding job runs into error eclipse-tractusx/portal-backend#800 (comment)
evegufy added a commit to eclipse-tractusx/portal-iam that referenced this pull request Jul 30, 2024
to enable import of realm via seeding job, without proper naming of the default role the seeding job runs into error eclipse-tractusx/portal-backend#800 (comment)
@catenax-ng catenax-ng closed this by deleting the head repository Jul 31, 2024
4 participants