Spsh 543: Client für Swagger mit längeren Timeouts (#572)

* SPSH-543: Added a test client into the KC Config

* SPSH-543: Configured swagger to use the test client-id for KC in the dev environment, and updated some unit-tests

* SPSH-543: Fixed the unit tests for health-controller

* SPSH-543: Set the DEPLOY_STAGE value for local & dev environments & PR Review

charts/dbildungs-iam-server/config/config.json

@@ -19,7 +19,8 @@
     "ADMIN_REALM_NAME": "SPSH",
     "REALM_NAME": "SPSH",
     "ADMIN_CLIENT_ID": "spsh-admin",
-    "CLIENT_ID": "spsh"
+    "CLIENT_ID": "spsh",
+    "TEST_CLIENT_ID": "spsh-test"
   },
   "REDIS": {
     "HOST": "dbildungs-iam-server-redis",

charts/dbildungs-iam-server/templates/configmap.yaml

@@ -8,7 +8,7 @@ metadata:
 data:
   config-json: |-
     {{ .Files.Get "config/config.json" | nindent 4 }}
-  NODE_ENV: {{ .Values.environment | quote }}
+  NODE_ENV: "prod"
   DEPLOY_STAGE: {{ .Values.environment | quote }}
   DB_NAME: {{ .Values.database.name | quote }}
   KC_BASE_URL: "https://{{ .Values.keycloakHostname }}"

charts/dbildungs-iam-server/values.yaml

@@ -18,7 +18,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
 
 restartPolicy: Always
-environment: prod
+environment: dev
 
 database:
   name: "dbildungs_iam_server"

config/config.json

@@ -26,7 +26,8 @@
         "REALM_NAME": "SPSH",
         "CLIENT_ID": "spsh",
         "CLIENT_SECRET": "YDp6fYkbUcj4ZkyAOnbAHGQ9O72htc5M",
-        "ADMIN_SECRET": "44abDqJk2qgwRbpGfO0VZx7DpXeFsm7R"
+        "ADMIN_SECRET": "44abDqJk2qgwRbpGfO0VZx7DpXeFsm7R",
+        "TEST_CLIENT_ID": "spsh-test"
     },
     "REDIS": {
         "HOST": "localhost",

config/dev-realm-spsh.json

@@ -320,6 +320,7 @@
       "admin-cli": [],
       "spsh-admin": [],
       "account-console": [],
+      "spsh-test": [],
       "broker": [
         {
           "id": "e3b83cee-0556-4164-b94b-723f60f85a8c",
@@ -1005,7 +1006,116 @@
         "offline_access",
         "microprofile-jwt"
       ]
-    }
+    },
+    {
+        "id": "4767cf23-bccc-4c71-b130-3d5a2aca2d08",
+        "clientId": "spsh-test",
+        "name": "Schulportal SH Test",
+        "description": "",
+        "rootUrl": "https://localhost:8099",
+        "adminUrl": "",
+        "baseUrl": "https://localhost:8099/",
+        "surrogateAuthRequired": false,
+        "enabled": true,
+        "alwaysDisplayInConsole": false,
+        "clientAuthenticatorType": "client-secret",
+        "secret": "YDp6fYkbUcj4ZkyAOnbAHGQ9O72htc5M",
+        "redirectUris": [
+           "https://127.0.0.1:8099/*",
+			"http://127.0.0.1:9090/*",
+			"http://localhost:9090/*",
+			"/*"
+        ],
+        "webOrigins": [
+          "+"
+        ],
+        "notBefore": 0,
+        "bearerOnly": false,
+        "consentRequired": false,
+        "standardFlowEnabled": true,
+        "implicitFlowEnabled": false,
+        "directAccessGrantsEnabled": true,
+        "serviceAccountsEnabled": true,
+        "publicClient": false,
+        "frontchannelLogout": true,
+        "protocol": "openid-connect",
+        "attributes": {
+            "access.token.lifespan": "7200",
+		    "oidc.ciba.grant.enabled": "false",
+			"client.secret.creation.time": "1696586327",
+            "backchannel.logout.session.required": "true",
+			"oauth2.device.authorization.grant.enabled": "false",
+			"display.on.consent.screen": "false",
+			"backchannel.logout.revoke.offline.tokens": "false",
+			"acr.loa.map": "{\"silver\":\"10\",\"gold\":\"20\"}",
+			"default.acr.values": "0"
+        },
+        "authenticationFlowBindingOverrides": {
+            "browser": "2e19a392-6bf3-4ea4-a599-ac39bcdfd827"
+        },
+        "fullScopeAllowed": true,
+        "nodeReRegistrationTimeout": -1,
+        "protocolMappers": [
+          {
+            "id": "435d1bfd-af68-4c12-ae0a-5f1d921ab30f",
+            "name": "Client IP Address",
+            "protocol": "openid-connect",
+            "protocolMapper": "oidc-usersessionmodel-note-mapper",
+            "consentRequired": false,
+            "config": {
+              "user.session.note": "clientAddress",
+              "userinfo.token.claim": "true",
+              "id.token.claim": "true",
+              "access.token.claim": "true",
+              "claim.name": "clientAddress",
+              "jsonType.label": "String"
+            }
+          },
+          {
+            "id": "c5e3b59b-a130-4942-83ce-cd65f1c4e1b0",
+            "name": "Client Host",
+            "protocol": "openid-connect",
+            "protocolMapper": "oidc-usersessionmodel-note-mapper",
+            "consentRequired": false,
+            "config": {
+              "user.session.note": "clientHost",
+              "userinfo.token.claim": "true",
+              "id.token.claim": "true",
+              "access.token.claim": "true",
+              "claim.name": "clientHost",
+              "jsonType.label": "String"
+            }
+          },
+          {
+            "id": "b62e15e5-8399-4cea-9be8-dd783eda45dc",
+            "name": "Client ID",
+            "protocol": "openid-connect",
+            "protocolMapper": "oidc-usersessionmodel-note-mapper",
+            "consentRequired": false,
+            "config": {
+              "user.session.note": "client_id",
+              "userinfo.token.claim": "true",
+              "id.token.claim": "true",
+              "access.token.claim": "true",
+              "claim.name": "client_id",
+              "jsonType.label": "String"
+            }
+          }
+        ],
+        "defaultClientScopes": [
+          "web-origins",
+          "acr",
+          "roles",
+          "profile",
+          "email"
+        ],
+        "optionalClientScopes": [
+          "address",
+          "phone",
+          "offline_access",
+          "microprofile-jwt"
+        ]
+      }
   ],
   "clientScopes": [
     {

src/modules/health/health.controller.spec.ts

@@ -29,6 +29,7 @@ describe('HealthController', () => {
         REALM_NAME: '',
         CLIENT_ID: '',
         CLIENT_SECRET: '',
+        TEST_CLIENT_ID: '',
     };
     let redisHealthIndicator: RedisHealthIndicator;
     let configService: DeepMocked<ConfigService>;

src/modules/keycloak-administration/keycloak-instance-config.ts

@@ -12,6 +12,7 @@ export class KeycloakInstanceConfig implements KeycloakConfig {
         public REALM_NAME: string,
         public CLIENT_ID: string,
         public CLIENT_SECRET: string,
+        public TEST_CLIENT_ID: string,
     ) {}
 
     public static fromConfigService(): Provider {
@@ -28,6 +29,7 @@ export class KeycloakInstanceConfig implements KeycloakConfig {
                     keycloakConfig.REALM_NAME,
                     keycloakConfig.CLIENT_ID,
                     keycloakConfig.CLIENT_SECRET,
+                    keycloakConfig.TEST_CLIENT_ID,
                 );
             },
             inject: [ConfigService],

src/server/main.ts

@@ -51,12 +51,13 @@ async function bootstrap(): Promise<void> {
     } else {
         redirectUrl = `http://localhost:${port}/docs/oauth2-redirect.html`;
     }
-
+    console.log('Envi: ' + process.env['DEPLOY_STAGE']);
     SwaggerModule.setup('docs', app, SwaggerModule.createDocument(app, swagger), {
         swaggerOptions: {
             persistAuthorization: false,
             initOAuth: {
-                clientId: keycloakConfig.CLIENT_ID,
+                clientId:
+                    process.env['DEPLOY_STAGE'] === 'dev' ? keycloakConfig.TEST_CLIENT_ID : keycloakConfig.CLIENT_ID,
                 clientSecret: keycloakConfig.CLIENT_SECRET,
                 realm: keycloakConfig.REALM_NAME,
                 usePkceWithAuthorizationCodeGrant: true,

src/shared/config/config.loader.spec.ts

@@ -36,6 +36,7 @@ describe('configloader', () => {
                     ADMIN_REALM_NAME: 'master',
                     REALM_NAME: 'schulportal',
                     CLIENT_ID: 'schulportal',
+                    TEST_CLIENT_ID: 'schulportal-test',
                 },
                 REDIS: {
                     HOST: 'localhost',
@@ -117,6 +118,7 @@ describe('configloader', () => {
                     CLIENT_ID: 'schulportal',
                     ADMIN_SECRET: 'geheimer Admin',
                     CLIENT_SECRET: 'geheimer client',
+                    TEST_CLIENT_ID: 'schulportal-test',
                 },
                 REDIS: {
                     HOST: 'localhost',
@@ -178,6 +180,7 @@ describe('configloader', () => {
                     ADMIN_REALM_NAME: '',
                     REALM_NAME: '',
                     CLIENT_ID: '',
+                    TEST_CLIENT_ID: '',
                 },
             };
 

src/shared/config/keycloak.config.ts

@@ -28,4 +28,8 @@ export class KeycloakConfig {
     @IsString()
     @IsNotEmpty()
     public readonly CLIENT_SECRET!: string;
+
+    @IsString()
+    @IsNotEmpty()
+    public readonly TEST_CLIENT_ID!: string;
 }

test/config.test.json

@@ -24,7 +24,8 @@
         "REALM_NAME": "SPSH",
         "CLIENT_ID": "spsh",
         "ADMIN_SECRET": "44abDqJk2qgwRbpGfO0VZx7DpXeFsm7R",
-        "CLIENT_SECRET": "YDp6fYkbUcj4ZkyAOnbAHGQ9O72htc5M"
+        "CLIENT_SECRET": "YDp6fYkbUcj4ZkyAOnbAHGQ9O72htc5M",
+        "TEST_CLIENT_ID": "spsh-test"
     },
     "REDIS": {
         "HOST": "localhost",

test/utils/keycloak-config-test.module.ts

@@ -46,6 +46,7 @@ export class KeycloakConfigTestModule implements OnModuleDestroy {
                             keycloakConfig.REALM_NAME,
                             keycloakConfig.CLIENT_ID,
                             keycloakConfig.CLIENT_SECRET,
+                            keycloakConfig.TEST_CLIENT_ID,
                         );
                     },
                     inject: [ConfigService],