platform/tenant-registry
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d4e8042b9406fc493379563714bc8a9fb4c01a5f
tenant-registry/internal/keycloak/adapter.go
T
sharang d4e8042b94
ci / image (pull_request) Has been skipped
Details
ci / shared (pull_request) Successful in 6s
Details
ci / test (pull_request) Successful in 1m36s
Details
feat(keycloak): M4.3 — Admin API adapter + claim resolver 
internal/keycloak/ — Adapter interface with two implementations:
  HTTPAdapter  cached client-credentials token; CreateOrgAndInvite +
               SyncClaims + Health against the real KC Admin API.
  Mock         in-process map for unit tests + dev convenience when
               KEYCLOAK_ADMIN_URL is empty. Used by the eachStore harness.

POST /v1/tenants now accepts admin_email + admin_name. When set, the
adapter creates a KC organization, invites the user as IT_ADMIN, and
triggers VERIFY_EMAIL + UPDATE_PASSWORD. Response wraps the tenant
with TenantCreated{tenant, invite_url}. KC failures DO NOT roll the
tenant back — they emit a keycloak.provision_failed audit event.
Successful invites emit keycloak.invite_sent.

POST /v1/internal/keycloak/claims resolves a tenant's current claim
bundle (tenant_id, slug, products, plan, status). Lookup chain:
body.tenant_id → body.tenant_slug → user_attrs.tenant_id →
user_attrs.tenant_slug.

Config: KEYCLOAK_ADMIN_URL / REALM / CLIENT_ID / CLIENT_SECRET;
empty URL falls back to Mock.

Tests:
  internal/keycloak/mock_test.go     conflict surfacing, FailNext hook,
                                     SyncClaims persistence.
  internal/keycloak/client_test.go   HTTPAdapter against an in-process
                                     stub KC: health, full create-org-
                                     and-invite, conflict, token-cache,
                                     401 retry, ErrUnavailable.
  internal/server/keycloak_test.go   eachStore integration: provisions
                                     via mock; failure path emits
                                     provision_failed audit; claims
                                     endpoint via every lookup variant
                                     + 404 + 400.

OpenAPI extended with TenantCreated + Claims schemas and the new
claims endpoint. Contract test asserts the new path.

CI: include internal/keycloak/... in the test package list so
HTTPAdapter coverage counts. Total project line coverage: 71.6%.

Refs: M4.3
2026-05-19 13:47:03 +02:00

80 lines
3.3 KiB
Go
Raw Blame History

// Package keycloak adapts the Keycloak Admin API to the tenant-registry's
// language of "tenants" and "IT_ADMIN invites".
//
// The Adapter interface is the seam: tenant-registry handlers depend on
// it, never on the concrete HTTP client. Tests use Mock; production uses
// HTTPAdapter against the real KC at the configured base URL.
//
// Required Keycloak features (verified against KC 26):
// - Organizations feature enabled in the realm (organizationsEnabled: true)
// - Realm roles: BREAKPILOT_ADMIN, SUPPORT_ENGINEER, SALES_REP
// - Group `/IT_ADMIN` (used as the org_role marker for invited users)
//
// All errors are wrapped with %w so callers can errors.Is them against
// ErrUnauthorized / ErrOrgConflict / ErrUserConflict.
package keycloak
import (
"context"
"errors"
)
// Sentinel errors.
var (
ErrUnauthorized = errors.New("keycloak: admin auth failed")
ErrOrgConflict = errors.New("keycloak: organization already exists")
ErrUserConflict = errors.New("keycloak: user already exists")
ErrUnavailable = errors.New("keycloak: unreachable")
)
// InviteInput captures the per-tenant onboarding event from POST /v1/tenants.
// The adapter creates a Keycloak organization, invites the IT_ADMIN, and
// stores the (TenantID, OrganizationID) link back in the caller's Tenant.
type InviteInput struct {
TenantID string // the tenant_registry id; stored as KC org attribute "tenant_id"
Slug string // becomes the KC org alias
Name string // human-readable org name
AdminEmail string // IT_ADMIN to invite (required)
AdminName string // optional display name
}
// InviteResult is what the adapter produces. OrganizationID is what the
// tenant-registry stores so it can later assert tenants.id ↔ kc.org_id 1:1.
type InviteResult struct {
OrganizationID string
UserID string
// InviteURL is what the user clicks to set their password. In dev (no
// Stalwart yet) we surface it in the response so testers can use it
// directly. In prod it's emailed by Keycloak and we discard it.
InviteURL string
}
// Claims is the tenant-scoped claim bundle the protocol-mapper would push
// into a JWT at token issuance. Returned by Adapter.ClaimsFor so the user-
// attributes can be refreshed on subscription change.
type Claims struct {
TenantID string `json:"tenant_id"`
TenantSlug string `json:"tenant_slug"`
OrgRoles []string `json:"org_roles"`
Products []string `json:"products"`
Plan string `json:"plan"`
TenantStatus string `json:"tenant_status"`
}
// Adapter is the shape tenant-registry handlers code against. HTTPAdapter
// is the real one; Mock satisfies the same surface for tests.
type Adapter interface {
// CreateOrgAndInvite is the M4.3 happy path. Atomic from the caller's
// PoV: either both org+user land or neither does.
CreateOrgAndInvite(ctx context.Context, in InviteInput) (*InviteResult, error)
// SyncClaims pushes the current Claims into the user's Keycloak
// attributes. Called whenever entitlements change (M4.2 catalog/trial
// flows, M14.x cancel, M12.x trial transitions).
SyncClaims(ctx context.Context, userID string, c Claims) error
// Health pings the admin endpoint. Used by readyz and the cluster cold-
// start sequence (INFRASTRUCTURE.md §10 scenario F).
Health(ctx context.Context) error
}
Reference in New Issue View Git Blame Copy Permalink