feat(keycloak): M4.3 — Admin API adapter + claim resolver
internal/keycloak/ — Adapter interface with two implementations:
HTTPAdapter pgxpool-style real Admin API client with cached client-
credentials token (auto-refresh, 401 retry).
Mock in-process map for unit tests + dev convenience when
KEYCLOAK_ADMIN_URL is empty. Used by the eachStore harness.
Adapter contract (adapter.go):
CreateOrgAndInvite(ctx, InviteInput) (*InviteResult, error)
Creates a KC organization, an IT_ADMIN user, adds the user as a
member, triggers VERIFY_EMAIL + UPDATE_PASSWORD execute-actions
email. Atomic from the caller's PoV; partial failures surface as
typed errors (ErrOrgConflict, ErrUserConflict, ErrUnauthorized,
ErrUnavailable).
SyncClaims(ctx, userID, Claims) error
Pushes tenant_id / tenant_slug / org_roles / products / plan /
tenant_status into the user's KC attributes — the same shape the
realm's protocol mappers project into JWTs.
Health(ctx) error
Pings /admin/serverinfo; wired into readyz.
Wiring:
POST /v1/tenants now accepts admin_email + admin_name. When set, the
adapter creates the org and invites the user. Response wraps the
tenant with the new TenantCreated{tenant, invite_url} shape so dev
testers can use the action-token URL without waiting for the email.
KC failures DO NOT roll the tenant back — they emit a
keycloak.provision_failed audit event so the operator can resend.
Successful invites emit keycloak.invite_sent.
POST /v1/internal/keycloak/claims resolves a tenant's current claim
bundle. Lookup chain: body.tenant_id → body.tenant_slug →
body.user_attrs.tenant_id → body.user_attrs.tenant_slug. The realm's
protocol mapper calls this at token issuance, or operators on demand.
Config: KEYCLOAK_ADMIN_URL / REALM / CLIENT_ID / CLIENT_SECRET; empty
URL falls back to Mock for dev.
OpenAPI: TenantCreated + Claims schemas added; /v1/internal/keycloak/claims
documented. Contract test extended to cover the new endpoint.
Tests:
internal/keycloak/mock_test.go Mock semantics: conflict surfacing,
FailNext hook, SyncClaims persistence.
internal/server/keycloak_test.go KC provisioning end-to-end via
eachStore: invite_url returned,
mock records, invite_sent audit;
failure path emits provision_failed
but tenant still lands; claims
endpoint resolves via tenant_id /
tenant_slug / user_attrs / 404 / 400.
The real-KC integration test (against a testcontainers-spun KC 26)
lands in a follow-up — gating it behind KEYCLOAK_INTEGRATION=1 + a
slower nightly CI is cleaner than baking 30s+ of KC boot into every PR.
Refs: M4.3
This commit is contained in:
@@ -1,7 +1,7 @@
|
||||
// Package server wires the HTTP surface for tenant-registry.
|
||||
//
|
||||
// All routes are registered in NewRouter; per-concern handlers live in
|
||||
// peer files (tenants.go, catalog.go, apikeys.go, audit.go).
|
||||
// peer files (tenants.go, catalog.go, apikeys.go, audit.go, keycloak.go).
|
||||
package server
|
||||
|
||||
import (
|
||||
@@ -9,14 +9,16 @@ import (
|
||||
"net/http"
|
||||
|
||||
"gitea.meghsakha.com/platform/tenant-registry/internal/config"
|
||||
"gitea.meghsakha.com/platform/tenant-registry/internal/keycloak"
|
||||
"gitea.meghsakha.com/platform/tenant-registry/internal/store"
|
||||
)
|
||||
|
||||
// Server bundles the dependencies every handler needs.
|
||||
type Server struct {
|
||||
Cfg *config.Config
|
||||
Log *slog.Logger
|
||||
Store store.Store
|
||||
Cfg *config.Config
|
||||
Log *slog.Logger
|
||||
Store store.Store
|
||||
Keycloak keycloak.Adapter // never nil — main wires Mock when KC env is unset
|
||||
}
|
||||
|
||||
// NewRouter builds the http.Handler with logging middleware applied.
|
||||
@@ -34,9 +36,7 @@ func NewRouter(s *Server) http.Handler {
|
||||
mux.HandleFunc("POST /v1/tenants/{id}/activate", s.activateTenant)
|
||||
mux.HandleFunc("POST /v1/tenants/{id}/cancel", s.cancelTenant)
|
||||
|
||||
// entitlements — top-level path so it doesn't conflict with
|
||||
// /v1/tenants/by-slug/{slug} (Go 1.22 ServeMux can't disambiguate
|
||||
// /v1/tenants/{id}/products vs /v1/tenants/by-slug/{slug=products}).
|
||||
// entitlements
|
||||
mux.HandleFunc("GET /v1/entitlements", s.listTenantProducts)
|
||||
|
||||
// catalog
|
||||
@@ -44,8 +44,7 @@ func NewRouter(s *Server) http.Handler {
|
||||
mux.HandleFunc("POST /v1/catalog/request", s.catalogRequest)
|
||||
mux.HandleFunc("POST /v1/catalog/trial-request", s.catalogTrialRequest)
|
||||
|
||||
// api keys — same disambiguation: list lives at /v1/api-keys?tenant_id=X
|
||||
// instead of /v1/tenants/{id}/api-keys.
|
||||
// api keys
|
||||
mux.HandleFunc("POST /v1/api-keys", s.createAPIKey)
|
||||
mux.HandleFunc("GET /v1/api-keys", s.listAPIKeys)
|
||||
mux.HandleFunc("DELETE /v1/api-keys/{id}", s.revokeAPIKey)
|
||||
@@ -55,6 +54,12 @@ func NewRouter(s *Server) http.Handler {
|
||||
mux.HandleFunc("POST /v1/audit", s.appendAudit)
|
||||
mux.HandleFunc("GET /v1/audit", s.listAudit)
|
||||
|
||||
// keycloak claims refresh — the URL the protocol mapper would call at
|
||||
// token issuance to grab the up-to-date entitlement bundle. Today the
|
||||
// dev realm projects user attributes (set by SyncClaims) — this is
|
||||
// the "pull" complement for when the realm is reconfigured to fetch.
|
||||
mux.HandleFunc("POST /v1/internal/keycloak/claims", s.kcClaims)
|
||||
|
||||
return logRequest(s.Log)(mux)
|
||||
}
|
||||
|
||||
@@ -67,5 +72,9 @@ func (s *Server) readyz(w http.ResponseWriter, r *http.Request) {
|
||||
writeError(w, http.StatusServiceUnavailable, "store_unavailable", err.Error())
|
||||
return
|
||||
}
|
||||
if err := s.Keycloak.Health(r.Context()); err != nil {
|
||||
writeError(w, http.StatusServiceUnavailable, "keycloak_unavailable", err.Error())
|
||||
return
|
||||
}
|
||||
writeJSON(w, http.StatusOK, map[string]string{"status": "ready"})
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user