feat(keycloak): M4.3 — Admin API adapter + claim resolver

internal/keycloak/ — Adapter interface with two implementations: HTTPAdapter pgxpool-style real Admin API client with cached client- credentials token (auto-refresh, 401 retry). Mock in-process map for unit tests + dev convenience when KEYCLOAK_ADMIN_URL is empty. Used by the eachStore harness. Adapter contract (adapter.go): CreateOrgAndInvite(ctx, InviteInput) (*InviteResult, error) Creates a KC organization, an IT_ADMIN user, adds the user as a member, triggers VERIFY_EMAIL + UPDATE_PASSWORD execute-actions email. Atomic from the caller's PoV; partial failures surface as typed errors (ErrOrgConflict, ErrUserConflict, ErrUnauthorized, ErrUnavailable). SyncClaims(ctx, userID, Claims) error Pushes tenant_id / tenant_slug / org_roles / products / plan / tenant_status into the user's KC attributes — the same shape the realm's protocol mappers project into JWTs. Health(ctx) error Pings /admin/serverinfo; wired into readyz. Wiring: POST /v1/tenants now accepts admin_email + admin_name. When set, the adapter creates the org and invites the user. Response wraps the tenant with the new TenantCreated{tenant, invite_url} shape so dev testers can use the action-token URL without waiting for the email. KC failures DO NOT roll the tenant back — they emit a keycloak.provision_failed audit event so the operator can resend. Successful invites emit keycloak.invite_sent. POST /v1/internal/keycloak/claims resolves a tenant's current claim bundle. Lookup chain: body.tenant_id → body.tenant_slug → body.user_attrs.tenant_id → body.user_attrs.tenant_slug. The realm's protocol mapper calls this at token issuance, or operators on demand. Config: KEYCLOAK_ADMIN_URL / REALM / CLIENT_ID / CLIENT_SECRET; empty URL falls back to Mock for dev. OpenAPI: TenantCreated + Claims schemas added; /v1/internal/keycloak/claims documented. Contract test extended to cover the new endpoint. Tests: internal/keycloak/mock_test.go Mock semantics: conflict surfacing, FailNext hook, SyncClaims persistence. internal/server/keycloak_test.go KC provisioning end-to-end via eachStore: invite_url returned, mock records, invite_sent audit; failure path emits provision_failed but tenant still lands; claims endpoint resolves via tenant_id / tenant_slug / user_attrs / 404 / 400. The real-KC integration test (against a testcontainers-spun KC 26) lands in a follow-up — gating it behind KEYCLOAK_INTEGRATION=1 + a slower nightly CI is cleaner than baking 30s+ of KC boot into every PR. Refs: M4.3
2026-05-19 13:24:41 +02:00
parent ffab866c87
commit bb2c638fb4
20 changed files with 1134 additions and 26 deletions
@@ -0,0 +1,115 @@
+package server
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"time"
+
+	"gitea.meghsakha.com/platform/tenant-registry/internal/keycloak"
+	"gitea.meghsakha.com/platform/tenant-registry/internal/store"
+)
+
+// provisionKeycloak is called inside createTenant after the DB insert
+// succeeds. Best-effort: a failure does NOT roll the tenant back. The
+// audit_log captures the error so the operator can heal it later
+// (resending the invite is a one-click in the KC admin UI).
+//
+// Returns the InviteURL so the API response can surface it for dev.
+func (s *Server) provisionKeycloak(ctx context.Context, t *store.Tenant, adminEmail, adminName string) (string, error) {
+	if adminEmail == "" {
+		// Skip silently — caller chose not to invite anyone yet (sales-led
+		// flow, demo tenant, test fixture, etc.).
+		return "", nil
+	}
+	res, err := s.Keycloak.CreateOrgAndInvite(ctx, keycloak.InviteInput{
+		TenantID:   t.ID,
+		Slug:       t.Slug,
+		Name:       t.Name,
+		AdminEmail: adminEmail,
+		AdminName:  adminName,
+	})
+	if err != nil {
+		s.Log.Error("keycloak provision failed",
+			"tenant_id", t.ID, "slug", t.Slug, "err", err)
+		return "", err
+	}
+	s.Log.Info("keycloak provisioned",
+		"tenant_id", t.ID, "kc_org_id", res.OrganizationID, "kc_user_id", res.UserID)
+	return res.InviteURL, nil
+}
+
+// kcClaims is POST /v1/internal/keycloak/claims. Called by Keycloak's
+// protocol mapper (or by a dev tester) to fetch the current entitlement
+// bundle for a user. Lookup chain:
+//  1. body.tenant_slug   → tenant
+//  2. body.tenant_id     → tenant
+//  3. body.user_attrs.tenant_id → tenant
+//
+// At least one must be present.
+type kcClaimsReq struct {
+	TenantID   string            `json:"tenant_id,omitempty"`
+	TenantSlug string            `json:"tenant_slug,omitempty"`
+	UserAttrs  map[string]string `json:"user_attrs,omitempty"`
+}
+
+func (s *Server) kcClaims(w http.ResponseWriter, r *http.Request) {
+	var in kcClaimsReq
+	if !decodeJSON(w, r, &in) {
+		return
+	}
+	id := in.TenantID
+	if id == "" {
+		id = in.UserAttrs["tenant_id"]
+	}
+	slug := in.TenantSlug
+	if slug == "" {
+		slug = in.UserAttrs["tenant_slug"]
+	}
+	if id == "" && slug == "" {
+		writeError(w, http.StatusBadRequest, "invalid_input", "tenant_id or tenant_slug required")
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), 2*time.Second)
+	defer cancel()
+
+	var (
+		t   *store.Tenant
+		err error
+	)
+	if id != "" {
+		t, err = s.Store.GetTenant(ctx, id)
+	} else {
+		t, err = s.Store.GetTenantBySlug(ctx, slug)
+	}
+	if err != nil {
+		if errors.Is(err, store.ErrNotFound) {
+			writeError(w, http.StatusNotFound, "not_found", "tenant does not exist")
+			return
+		}
+		writeError(w, http.StatusInternalServerError, "internal", err.Error())
+		return
+	}
+
+	products, err := s.Store.ListTenantProducts(ctx, t.ID)
+	if err != nil && !errors.Is(err, store.ErrNotFound) {
+		writeError(w, http.StatusInternalServerError, "internal", err.Error())
+		return
+	}
+	productKeys := make([]string, 0, len(products))
+	for _, p := range products {
+		if p.Enabled {
+			productKeys = append(productKeys, p.Product)
+		}
+	}
+
+	writeJSON(w, http.StatusOK, keycloak.Claims{
+		TenantID:     t.ID,
+		TenantSlug:   t.Slug,
+		OrgRoles:     []string{}, // populated by /v1/users/:id role lookup — out of scope until M5.2
+		Products:     productKeys,
+		Plan:         t.Plan,
+		TenantStatus: t.Status,
+	})
+}