sharang
fd5f8ae36f
internal/keycloak/ — Adapter interface with two implementations:
HTTPAdapter pgxpool-style real Admin API client with cached client-
credentials token (auto-refresh, 401 retry).
Mock in-process map for unit tests + dev convenience when
KEYCLOAK_ADMIN_URL is empty. Used by the eachStore harness.
Adapter contract (adapter.go):
CreateOrgAndInvite(ctx, InviteInput) (*InviteResult, error)
Creates a KC organization, an IT_ADMIN user, adds the user as a
member, triggers VERIFY_EMAIL + UPDATE_PASSWORD execute-actions
email. Atomic from the caller's PoV; partial failures surface as
typed errors (ErrOrgConflict, ErrUserConflict, ErrUnauthorized,
ErrUnavailable).
SyncClaims(ctx, userID, Claims) error
Pushes tenant_id / tenant_slug / org_roles / products / plan /
tenant_status into the user's KC attributes — the same shape the
realm's protocol mappers project into JWTs.
Health(ctx) error
Pings /admin/serverinfo; wired into readyz.
Wiring:
POST /v1/tenants now accepts admin_email + admin_name. When set, the
adapter creates the org and invites the user. Response wraps the
tenant with the new TenantCreated{tenant, invite_url} shape so dev
testers can use the action-token URL without waiting for the email.
KC failures DO NOT roll the tenant back — they emit a
keycloak.provision_failed audit event so the operator can resend.
Successful invites emit keycloak.invite_sent.
POST /v1/internal/keycloak/claims resolves a tenant's current claim
bundle. Lookup chain: body.tenant_id → body.tenant_slug →
body.user_attrs.tenant_id → body.user_attrs.tenant_slug. The realm's
protocol mapper calls this at token issuance, or operators on demand.
Config: KEYCLOAK_ADMIN_URL / REALM / CLIENT_ID / CLIENT_SECRET; empty
URL falls back to Mock for dev.
OpenAPI: TenantCreated + Claims schemas added; /v1/internal/keycloak/claims
documented. Contract test extended to cover the new endpoint.
Tests:
internal/keycloak/mock_test.go Mock semantics: conflict surfacing,
FailNext hook, SyncClaims persistence.
internal/server/keycloak_test.go KC provisioning end-to-end via
eachStore: invite_url returned,
mock records, invite_sent audit;
failure path emits provision_failed
but tenant still lands; claims
endpoint resolves via tenant_id /
tenant_slug / user_attrs / 404 / 400.
The real-KC integration test (against a testcontainers-spun KC 26)
lands in a follow-up — gating it behind KEYCLOAK_INTEGRATION=1 + a
slower nightly CI is cleaner than baking 30s+ of KC boot into every PR.
Refs: M4.3
116 lines
3.3 KiB
Go
116 lines
3.3 KiB
Go
package server
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"net/http"
|
|
"time"
|
|
|
|
"gitea.meghsakha.com/platform/tenant-registry/internal/keycloak"
|
|
"gitea.meghsakha.com/platform/tenant-registry/internal/store"
|
|
)
|
|
|
|
// provisionKeycloak is called inside createTenant after the DB insert
|
|
// succeeds. Best-effort: a failure does NOT roll the tenant back. The
|
|
// audit_log captures the error so the operator can heal it later
|
|
// (resending the invite is a one-click in the KC admin UI).
|
|
//
|
|
// Returns the InviteURL so the API response can surface it for dev.
|
|
func (s *Server) provisionKeycloak(ctx context.Context, t *store.Tenant, adminEmail, adminName string) (string, error) {
|
|
if adminEmail == "" {
|
|
// Skip silently — caller chose not to invite anyone yet (sales-led
|
|
// flow, demo tenant, test fixture, etc.).
|
|
return "", nil
|
|
}
|
|
res, err := s.Keycloak.CreateOrgAndInvite(ctx, keycloak.InviteInput{
|
|
TenantID: t.ID,
|
|
Slug: t.Slug,
|
|
Name: t.Name,
|
|
AdminEmail: adminEmail,
|
|
AdminName: adminName,
|
|
})
|
|
if err != nil {
|
|
s.Log.Error("keycloak provision failed",
|
|
"tenant_id", t.ID, "slug", t.Slug, "err", err)
|
|
return "", err
|
|
}
|
|
s.Log.Info("keycloak provisioned",
|
|
"tenant_id", t.ID, "kc_org_id", res.OrganizationID, "kc_user_id", res.UserID)
|
|
return res.InviteURL, nil
|
|
}
|
|
|
|
// kcClaims is POST /v1/internal/keycloak/claims. Called by Keycloak's
|
|
// protocol mapper (or by a dev tester) to fetch the current entitlement
|
|
// bundle for a user. Lookup chain:
|
|
// 1. body.tenant_slug → tenant
|
|
// 2. body.tenant_id → tenant
|
|
// 3. body.user_attrs.tenant_id → tenant
|
|
//
|
|
// At least one must be present.
|
|
type kcClaimsReq struct {
|
|
TenantID string `json:"tenant_id,omitempty"`
|
|
TenantSlug string `json:"tenant_slug,omitempty"`
|
|
UserAttrs map[string]string `json:"user_attrs,omitempty"`
|
|
}
|
|
|
|
func (s *Server) kcClaims(w http.ResponseWriter, r *http.Request) {
|
|
var in kcClaimsReq
|
|
if !decodeJSON(w, r, &in) {
|
|
return
|
|
}
|
|
id := in.TenantID
|
|
if id == "" {
|
|
id = in.UserAttrs["tenant_id"]
|
|
}
|
|
slug := in.TenantSlug
|
|
if slug == "" {
|
|
slug = in.UserAttrs["tenant_slug"]
|
|
}
|
|
if id == "" && slug == "" {
|
|
writeError(w, http.StatusBadRequest, "invalid_input", "tenant_id or tenant_slug required")
|
|
return
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(r.Context(), 2*time.Second)
|
|
defer cancel()
|
|
|
|
var (
|
|
t *store.Tenant
|
|
err error
|
|
)
|
|
if id != "" {
|
|
t, err = s.Store.GetTenant(ctx, id)
|
|
} else {
|
|
t, err = s.Store.GetTenantBySlug(ctx, slug)
|
|
}
|
|
if err != nil {
|
|
if errors.Is(err, store.ErrNotFound) {
|
|
writeError(w, http.StatusNotFound, "not_found", "tenant does not exist")
|
|
return
|
|
}
|
|
writeError(w, http.StatusInternalServerError, "internal", err.Error())
|
|
return
|
|
}
|
|
|
|
products, err := s.Store.ListTenantProducts(ctx, t.ID)
|
|
if err != nil && !errors.Is(err, store.ErrNotFound) {
|
|
writeError(w, http.StatusInternalServerError, "internal", err.Error())
|
|
return
|
|
}
|
|
productKeys := make([]string, 0, len(products))
|
|
for _, p := range products {
|
|
if p.Enabled {
|
|
productKeys = append(productKeys, p.Product)
|
|
}
|
|
}
|
|
|
|
writeJSON(w, http.StatusOK, keycloak.Claims{
|
|
TenantID: t.ID,
|
|
TenantSlug: t.Slug,
|
|
OrgRoles: []string{}, // populated by /v1/users/:id role lookup — out of scope until M5.2
|
|
Products: productKeys,
|
|
Plan: t.Plan,
|
|
TenantStatus: t.Status,
|
|
})
|
|
}
|