feat(keycloak): M4.3 — Admin API adapter + claim resolver
internal/keycloak/ — Adapter interface with two implementations:
HTTPAdapter pgxpool-style real Admin API client with cached client-
credentials token (auto-refresh, 401 retry).
Mock in-process map for unit tests + dev convenience when
KEYCLOAK_ADMIN_URL is empty. Used by the eachStore harness.
Adapter contract (adapter.go):
CreateOrgAndInvite(ctx, InviteInput) (*InviteResult, error)
Creates a KC organization, an IT_ADMIN user, adds the user as a
member, triggers VERIFY_EMAIL + UPDATE_PASSWORD execute-actions
email. Atomic from the caller's PoV; partial failures surface as
typed errors (ErrOrgConflict, ErrUserConflict, ErrUnauthorized,
ErrUnavailable).
SyncClaims(ctx, userID, Claims) error
Pushes tenant_id / tenant_slug / org_roles / products / plan /
tenant_status into the user's KC attributes — the same shape the
realm's protocol mappers project into JWTs.
Health(ctx) error
Pings /admin/serverinfo; wired into readyz.
Wiring:
POST /v1/tenants now accepts admin_email + admin_name. When set, the
adapter creates the org and invites the user. Response wraps the
tenant with the new TenantCreated{tenant, invite_url} shape so dev
testers can use the action-token URL without waiting for the email.
KC failures DO NOT roll the tenant back — they emit a
keycloak.provision_failed audit event so the operator can resend.
Successful invites emit keycloak.invite_sent.
POST /v1/internal/keycloak/claims resolves a tenant's current claim
bundle. Lookup chain: body.tenant_id → body.tenant_slug →
body.user_attrs.tenant_id → body.user_attrs.tenant_slug. The realm's
protocol mapper calls this at token issuance, or operators on demand.
Config: KEYCLOAK_ADMIN_URL / REALM / CLIENT_ID / CLIENT_SECRET; empty
URL falls back to Mock for dev.
OpenAPI: TenantCreated + Claims schemas added; /v1/internal/keycloak/claims
documented. Contract test extended to cover the new endpoint.
Tests:
internal/keycloak/mock_test.go Mock semantics: conflict surfacing,
FailNext hook, SyncClaims persistence.
internal/server/keycloak_test.go KC provisioning end-to-end via
eachStore: invite_url returned,
mock records, invite_sent audit;
failure path emits provision_failed
but tenant still lands; claims
endpoint resolves via tenant_id /
tenant_slug / user_attrs / 404 / 400.
The real-KC integration test (against a testcontainers-spun KC 26)
lands in a follow-up — gating it behind KEYCLOAK_INTEGRATION=1 + a
slower nightly CI is cleaner than baking 30s+ of KC boot into every PR.
Refs: M4.3
This commit is contained in:
@@ -34,12 +34,16 @@ make build # compile to ./bin/tenant-registry
|
||||
|
||||
Env vars (override at the shell):
|
||||
|
||||
| Var | Default | Purpose |
|
||||
| Var | Default | Purpose |
|
||||
|---|---|---|
|
||||
| `APP_ENV` | `dev` | one of `dev`, `stage`, `prod` |
|
||||
| `ADDR` | `:8090` | listen address (avoids Keycloak's :8080) |
|
||||
| `KEYCLOAK_ISSUER` | `http://localhost:8080/realms/breakpilot-dev` | OIDC issuer URL |
|
||||
| `DATABASE_URL` | empty (in-memory store in skeleton) | Postgres DSN, wired up in the M4.1 schema PR |
|
||||
| `APP_ENV` | `dev` | one of `dev`, `stage`, `prod` |
|
||||
| `ADDR` | `:8090` | listen address (avoids Keycloak's :8080) |
|
||||
| `KEYCLOAK_ISSUER` | `http://localhost:8080/realms/breakpilot-dev` | OIDC issuer URL (the JWT signer) |
|
||||
| `DATABASE_URL` | empty (in-memory store fallback) | Postgres DSN; service uses Memory when empty |
|
||||
| `KEYCLOAK_ADMIN_URL` | empty (Mock adapter used in dev) | KC base URL for the Admin API |
|
||||
| `KEYCLOAK_REALM` | `breakpilot-dev` | Realm name for Admin API calls |
|
||||
| `KEYCLOAK_CLIENT_ID` | empty | Service-account client id (Admin) |
|
||||
| `KEYCLOAK_CLIENT_SECRET` | empty | Service-account client secret |
|
||||
|
||||
## Endpoints
|
||||
|
||||
@@ -76,6 +80,37 @@ The service picks its store based on `DATABASE_URL`:
|
||||
|
||||
Both implementations pass the same test harness (`internal/server/server_test.go` → `eachStore`).
|
||||
|
||||
|
||||
|
||||
## Keycloak adapter (M4.3)
|
||||
|
||||
`internal/keycloak` is the seam between tenant-registry and Keycloak. The
|
||||
`Adapter` interface has two implementations:
|
||||
|
||||
| Implementation | When used |
|
||||
|---|---|
|
||||
| `Mock` | Default in dev when `KEYCLOAK_ADMIN_URL` is empty |
|
||||
| `HTTPAdapter` | Real KC Admin API client; activated when KC env vars are populated |
|
||||
|
||||
`POST /v1/tenants` now accepts `admin_email` and `admin_name`. When set, the
|
||||
adapter creates a Keycloak organization (alias = the tenant slug), invites
|
||||
the user as the IT_ADMIN, and triggers the verify-email + set-password
|
||||
flow. The response body includes `invite_url` so dev testers can use it
|
||||
without waiting for the email — production discards it.
|
||||
|
||||
**KC failures are non-fatal.** The tenant row still lands; a
|
||||
`keycloak.provision_failed` audit event captures the error so the operator
|
||||
can resend the invite from the KC UI.
|
||||
|
||||
`POST /v1/internal/keycloak/claims` resolves a tenant's current entitlement
|
||||
bundle (tenant_id, slug, products, plan, status). The realm's protocol
|
||||
mapper calls this at token-issuance time (or whenever user attributes
|
||||
need a refresh).
|
||||
|
||||
For production, provision a service-account client in the realm with the
|
||||
`realm-management:manage-users` + `manage-organizations` roles. Drop its
|
||||
credentials in Infisical at `/{env}/tenant-registry/KEYCLOAK_CLIENT_*`.
|
||||
|
||||
## Schema migrations (M4.1)
|
||||
|
||||
```bash
|
||||
|
||||
Reference in New Issue
Block a user