From 10402f4de03fb5bdaa4db8b61dedd6b237f6d3a0 Mon Sep 17 00:00:00 2001
From: Eneko
Date: Fri, 23 Apr 2021 02:33:21 +0200
Subject: [PATCH] Development environment ready and documented

---
 docker/README.md | 61 +++++++++-----
 .../keycloak/okupamicoche-realm-export.json | 84 +++++++++----------
 docker/synapse/.gitignore | 2 -
 docker/synapse/{data => }/homeserver.yaml | 4 +-
 4 files changed, 82 insertions(+), 69 deletions(-)
 delete mode 100644 docker/synapse/.gitignore
 rename docker/synapse/{data => }/homeserver.yaml (93%)

diff --git a/docker/README.md b/docker/README.md
index 07895d6..68d7d47 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -1,30 +1,45 @@ # Okupa mi coche - Docker containers for the backend -Travel management in the valley. - -THIS PROJECT IS IN EARLY DEVELOPMENT - WORK IN PROGRESS (including this README) +Guide for seting up development environment for the backend. ## Setup -### Keycloak -`docker run --name keycloak -p 8080:8080 -p 8443:8443 --mount type=volume,src=https,dst=/etc/x509/https -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin --network=okupamicoche quay.io/keycloak/keycloak:12.0.4` - -### Matrix -https://github.com/matrix-org/synapse/tree/master/docker - -Add synapse in /etc/hosts as localhost alias. - -`docker run -it --rm --mount type=volume,src=synapse-data,dst=/data -e SYNAPSE_SERVER_NAME=synapse -e SYNAPSE_REPORT_STATS=no matrixdotorg/synapse:latest generate` - -`docker run --name synapse --mount type=volume,src=synapse-data,dst=/data -p 8008:8008 --network=okupamicoche matrixdotorg/synapse:latest` +1. Install Docker in local machine +2. Add following line to /etc/hosts +``` +127.0.0.1 okupamicoche-keycloak okupamicoche-synapse +``` +3. Run dockerized Keycloak +``` +cd docker/keycloak +docker run --name okupamicoche-keycloak -p 8080:8080 -p 8443:8443 -v $(pwd)/https:/etc/x509/https \ +-e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin --network=okupamicoche \ +-e KEYCLOAK_IMPORT=/tmp/realm.json -v $(pwd)/okupamicoche-realm-export.json:/tmp/realm.json quay.io/keycloak/keycloak:12.0.4 +``` +4. Go to https://localhost:8443/auth/admin/master/console and login with user=admin pass=admin +5. In Clients -> synapse -> Credentials push Regenerate Secret and copy the secret +6. Open docker/synapse/data/homeserver.yaml and paste the secret to client_secret variable (inside oidc_providers section) +7. Build Synapse container +``` +cd docker/synape +docker build -t okupamicoche-synapse . +``` +8. 
Generate data folder for Synapse +``` +docker run -it --rm \ + --mount type=volume,src=synapse-data,dst=/data \ + -e SYNAPSE_SERVER_NAME=okupamicoche-synapse \ + -e SYNAPSE_REPORT_STATS=no \ + okupamicoche-synapse generate +``` +9. Run dockerized Synapse +``` +docker run --name okupamicoche-synapse -p 8008:8008 --mount type=volume,src=synapse-data,dst=/data \ +-e SYNAPSE_CONFIG_PATH=/homeserver.yaml \ +-v $(pwd)/homeserver.yaml:/homeserver.yaml --network=okupamicoche okupamicoche-synapse +``` ## Run -`docker restart keycloak` -`docker restart synapse` +`docker start okupamicoche-keycloak` +`docker start okupamicoche-synapse` ## Inspect containter -`docker exec -t -i synapse /bin/bash` - -## Setup using Docker Compose - -sudo chown 991:991 -R synapse-data/ - -Copy ca.pem, root.pem and keycloak.pem to /usr/local/share/ca-certificates in synapse container and run update-ca-certificates \ No newline at end of file +`docker exec -t -i okupamicoche-synapse /bin/bash` diff --git a/docker/keycloak/okupamicoche-realm-export.json b/docker/keycloak/okupamicoche-realm-export.json index 1ba5b12..98da520 100644 --- a/docker/keycloak/okupamicoche-realm-export.json +++ b/docker/keycloak/okupamicoche-realm-export.json @@ -501,8 +501,8 @@ "defaultClientScopes": [ "web-origins", "role_list", - "profile", "roles", + "profile", "email" ], "optionalClientScopes": [ 
@@ -743,19 +743,18 @@
 {
 "id": "a68779c0-75db-433e-93fd-0a5bcc0601d9",
 "clientId": "synapse",
- "rootUrl": "http://localhost:8008/",
- "adminUrl": "http://localhost:8008/",
+ "rootUrl": "http://okupamicoche-synapse:8008/",
+ "adminUrl": "http://okupamicoche-synapse:8008/",
 "surrogateAuthRequired": false,
 "enabled": true,
 "alwaysDisplayInConsole": false,
 "clientAuthenticatorType": "client-secret",
 "secret": "**********",
 "redirectUris": [
- "http://localhost:8008/*",
- "https://okupamicoche-synapse:8448/_synapse/client/oidc/callback"
+ "http://okupamicoche-synapse:8008/_synapse/client/oidc/callback"
 ],
 "webOrigins": [
- "http://localhost:8008"
+ "http://okupamicoche-synapse:8008"
 ],
 "notBefore": 0,
 "bearerOnly": false,
@@ -791,8 +790,8 @@
 "defaultClientScopes": [
 "web-origins",
 "role_list",
- "profile",
 "roles",
+ "profile",
 "email"
 ],
 "optionalClientScopes": [
@@ -896,6 +895,7 @@
 "consentRequired": false,
 "config": {
 "multivalued": "true",
+ "userinfo.token.claim": "true",
 "user.attribute": "foo",
 "id.token.claim": "true",
 "access.token.claim": "true",
@@ -1289,17 +1289,17 @@
 }
 ],
 "defaultDefaultClientScopes": [
- "role_list",
- "profile",
 "email",
 "roles",
- "web-origins"
+ "web-origins",
+ "role_list",
+ "profile"
 ],
 "defaultOptionalClientScopes": [
- "offline_access",
- "address",
 "phone",
- "microprofile-jwt"
+ "offline_access",
+ "microprofile-jwt",
+ "address"
 ],
 "browserSecurityHeaders": {
 "contentSecurityPolicyReportOnly": "",
@@ -1330,14 +1330,14 @@
 "subComponents": {},
 "config": {
 "allowed-protocol-mapper-types": [
- "oidc-address-mapper",
- "oidc-sha256-pairwise-sub-mapper",
- "saml-role-list-mapper",
 "saml-user-attribute-mapper",
 "saml-user-property-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
+ "saml-role-list-mapper",
+ "oidc-full-name-mapper",
+ "oidc-address-mapper",
 "oidc-usermodel-property-mapper",
- "oidc-usermodel-attribute-mapper",
- "oidc-full-name-mapper"
+ "oidc-usermodel-attribute-mapper"
 ]
 }
 },
@@ -1377,12 +1377,12 @@
 "subComponents": {},
 "config": {
 "allowed-protocol-mapper-types": [
+ "saml-role-list-mapper",
 "oidc-address-mapper",
+ "oidc-full-name-mapper",
 "saml-user-attribute-mapper",
 "oidc-usermodel-attribute-mapper",
- "oidc-full-name-mapper",
 "oidc-sha256-pairwise-sub-mapper",
- "saml-role-list-mapper",
 "oidc-usermodel-property-mapper",
 "saml-user-property-mapper"
 ]
@@ -1471,7 +1471,7 @@
 "supportedLocales": [],
 "authenticationFlows": [
 {
- "id": "348ea7b1-80f0-47cf-8d33-a08c5c6e1f09",
+ "id": "bcb85566-3957-4e56-8e14-eb221a9a93ce",
 "alias": "Account verification options",
 "description": "Method with which to verity the existing account",
 "providerId": "basic-flow",
@@ -1495,7 +1495,7 @@
 ]
 },
 {
- "id": "e0318ca9-7e45-4c40-a730-38e6ff14e73e",
+ "id": "7a38fd51-d8c2-4d2f-85fc-d50652a80579",
 "alias": "Authentication Options",
 "description": "Authentication options.",
 "providerId": "basic-flow",
@@ -1526,7 +1526,7 @@
 ]
 },
 {
- "id": "d53c7b49-ed1f-474a-ac5c-305482d67b27",
+ "id": "45a3f0e7-aaf6-402f-971f-5ca29994e006",
 "alias": "Browser - Conditional OTP",
 "description": "Flow to determine if the OTP is required for the authentication",
 "providerId": "basic-flow",
@@ -1550,7 +1550,7 @@
 ]
 },
 {
- "id": "ac15c601-6909-4c50-955d-ee1c2b2f9c92",
+ "id": "b759fcd6-a460-4024-83fb-53b179f77544",
 "alias": "Direct Grant - Conditional OTP",
 "description": "Flow to determine if the OTP is required for the authentication",
 "providerId": "basic-flow",
@@ -1574,7 +1574,7 @@
 ]
 },
 {
- "id": "961d16f4-c350-475e-8005-e33dfc84c7ea",
+ "id": "3aac1ee1-edbe-4238-bc99-f30bf711c0e8",
 "alias": "First broker login - Conditional OTP",
 "description": "Flow to determine if the OTP is required for the authentication",
 "providerId": "basic-flow",
@@ -1598,7 +1598,7 @@
 ]
 },
 {
- "id": "46ab9ef8-f125-48be-a5c5-493f0515b7c0",
+ "id": "e59a8f9c-f56b-423a-91d3-9833cd107cf3",
 "alias": "Handle Existing Account",
 "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
 "providerId": "basic-flow",
@@ -1622,7 +1622,7 @@
 ]
 },
 {
- "id": "8835098a-dd6e-45ac-ad70-57bf2b133524",
+ "id": "79937470-7f2e-49e1-86ef-1195f8b10130",
 "alias": "Reset - Conditional OTP",
 "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
 "providerId": "basic-flow",
@@ -1646,7 +1646,7 @@
 ]
 },
 {
- "id": "3223df9d-d6a4-4a22-a36f-e9063a3ccdd0",
+ "id": "f5c4875a-c375-4a59-b7a5-7ac2c2efde7a",
 "alias": "User creation or linking",
 "description": "Flow for the existing/non-existing user alternatives",
 "providerId": "basic-flow",
@@ -1671,7 +1671,7 @@
 ]
 },
 {
- "id": "2afe27f6-e689-423d-a2a8-0bd7015432e4",
+ "id": "1df89ef0-c3eb-4e37-94cb-61ff6d39c615",
 "alias": "Verify Existing Account by Re-authentication",
 "description": "Reauthentication of existing account",
 "providerId": "basic-flow",
@@ -1695,7 +1695,7 @@
 ]
 },
 {
- "id": "862a2be3-eae3-43fb-aad7-b8ffe31563e6",
+ "id": "5f29ce6a-abcb-4087-9d57-d7a2afce6ef0",
 "alias": "browser",
 "description": "browser based authentication",
 "providerId": "basic-flow",
@@ -1733,7 +1733,7 @@
 ]
 },
 {
- "id": "b26051f0-cb8b-4c35-abed-be1bcdc313f5",
+ "id": "77e7f21f-71ae-4209-9291-e6724aba9dee",
 "alias": "clients",
 "description": "Base authentication for clients",
 "providerId": "client-flow",
@@ -1771,7 +1771,7 @@
 ]
 },
 {
- "id": "a9ab7720-b194-44a3-871a-623a8dd7b0f6",
+ "id": "d5cb48c7-26cc-48c5-ba75-e718c22bf0c9",
 "alias": "direct grant",
 "description": "OpenID Connect Resource Owner Grant",
 "providerId": "basic-flow",
@@ -1802,7 +1802,7 @@
 ]
 },
 {
- "id": "11dcf751-b389-4f7a-9cb1-c349d5587919",
+ "id": "c5547006-3abe-4c7f-91ce-d8ed3676272c",
 "alias": "docker auth",
 "description": "Used by Docker clients to authenticate against the IDP",
 "providerId": "basic-flow",
@@ -1819,7 +1819,7 @@
 ]
 },
 {
- "id": "27a49d77-9e15-4f91-9572-97f7bb214718",
+ "id": "fbf9354a-a8e9-4658-87c0-ef9ab01f2b88",
 "alias": "first broker login",
 "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
 "providerId": "basic-flow",
@@ -1844,7 +1844,7 @@
 ]
 },
 {
- "id": "bd3697e0-c53b-4795-ba24-b3577753c1df",
+ "id": "7dc8b36e-cf25-46e5-b28e-9df0fb394af6",
 "alias": "forms",
 "description": "Username, password, otp and other auth forms.",
 "providerId": "basic-flow",
@@ -1868,7 +1868,7 @@
 ]
 },
 {
- "id": "2c2b1787-ac08-48da-9aa8-ae13e34de6f7",
+ "id": "2469f58e-3c54-45a3-b6f1-abdb1ed3fbb5",
 "alias": "http challenge",
 "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
 "providerId": "basic-flow",
@@ -1892,7 +1892,7 @@
 ]
 },
 {
- "id": "b371ea7e-611e-4bc1-81a5-950390f6a545",
+ "id": "735ece4d-c23e-4a52-8d30-7a2cc774a0aa",
 "alias": "registration",
 "description": "registration flow",
 "providerId": "basic-flow",
@@ -1910,7 +1910,7 @@
 ]
 },
 {
- "id": "43c527b9-2cea-4d97-a46a-f6c1e362aa9f",
+ "id": "129f743f-920b-4204-a546-26ee8709de5f",
 "alias": "registration form",
 "description": "registration form",
 "providerId": "form-flow",
@@ -1948,7 +1948,7 @@
 ]
 },
 {
- "id": "1a265a7e-dbb1-4998-bf81-ebba63947da7",
+ "id": "4ce15dcf-0c06-47bf-930d-ef4d85b018b2",
 "alias": "reset credentials",
 "description": "Reset credentials for a user if they forgot their password or something",
 "providerId": "basic-flow",
@@ -1986,7 +1986,7 @@
 ]
 },
 {
- "id": "8ae7480c-9be1-4048-930a-7c1f75539d6e",
+ "id": "2fc84240-3e96-4780-a576-e016ee9e1350",
 "alias": "saml ecp",
 "description": "SAML ECP Profile Authentication Flow",
 "providerId": "basic-flow",
@@ -2005,14 +2005,14 @@
 ],
 "authenticatorConfig": [
 {
- "id": "6ec25acf-4c76-4aa8-b2ed-f2c15ec849aa",
+ "id": "2951f36b-7903-4ad3-9b5d-5b4f72a61b04",
 "alias": "create unique user config",
 "config": {
 "require.password.update.after.registration": "false"
 }
 },
 {
- "id": "4b1d97f6-3b0e-47b8-a87a-e8084c800510",
+ "id": "141914b4-63e4-4d72-b507-e032e65615bf",
 "alias": "review profile config",
 "config": {
 "update.profile.on.first.login": "missing"
diff --git a/docker/synapse/.gitignore b/docker/synapse/.gitignore
deleted file mode 100644
index 4b97f19..0000000
--- a/docker/synapse/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-data/
-!data/homeserver.yaml
\ No newline at end of file
diff --git a/docker/synapse/data/homeserver.yaml b/docker/synapse/homeserver.yaml
similarity index 93%
rename from docker/synapse/data/homeserver.yaml
rename to docker/synapse/homeserver.yaml
index a8e2687..15ab714 100644
--- a/docker/synapse/data/homeserver.yaml
+++ b/docker/synapse/homeserver.yaml
@@ -21,7 +21,7 @@ database:
 args:
 database: /data/homeserver.db
 log_config: "/data/okupamicoche-synapse.log.config"
-#media_store_path: "/data/media_store"
+media_store_path: "/data/media_store"
 registration_shared_secret: "Y_XNuno*Dh,T2IpHA;i,bWF^fg&x.*t=iEz*@:y5REBMhgCA63"
 report_stats: false
 macaroon_secret_key: "6VvBQj_TedGcDDB_z,-qXV1W3:.CXrRG6AWF&4p:~iGNguy&_h"
@@ -35,7 +35,7 @@ oidc_providers:
 idp_name: Keycloak
 issuer: "https://okupamicoche-keycloak:8443/auth/realms/okupamicoche"
 client_id: "synapse"
- client_secret: "40cf8d3a-f910-4617-b290-7b5b12f6ae87"
+ client_secret: "2d2b51cf-09ab-44a3-97d8-b7c3c5289c87"
 scopes: [ "openid", "profile" ]
 user_mapping_provider:
 config:
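Review bot: The new `client_secret` line in the second homeserver.yaml hunk commits a real-looking OIDC client secret to version control, next to the `registration_shared_secret` and `macaroon_secret_key` values already visible as context lines; since README step 5 has every developer regenerate the secret in Keycloak and paste it in, the committed value is stale by design and only exposes whichever instance (presumably the author's) produced it. Replace it with an obvious placeholder, `client_secret: "<PASTE_SECRET_FROM_KEYCLOAK>"`, and keep the filled-in copy untracked (the `.gitignore` this commit deletes could be kept for that purpose); the two generated secrets in the first hunk deserve the same treatment. README step 6 also still points developers at `docker/synapse/data/homeserver.yaml`, which is the pre-rename path of this file. The `oidc_providers` block continues outside the hunk.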