feat: user management (#1740)

Co-authored-by: Sander Rodenhuis <[email protected]>
Co-authored-by: Jehoszafat Zimnowoda <[email protected]>

Author: 3 people

chart/apl/values.yaml

@@ -111,6 +111,8 @@ otomi: {}
 #   clientSecret: ''
 #   issuer: ''
 #   # IDP group id used to identify global admin
-#   adminGroupID: ''
+#   platformAdminGroupID: ''
+#   # IDP group id used to identify all teams admin
+#   allTeamsAdminGroupID: ''
 #   # IDP group id used to identify team admin
 #   teamAdminGroupID: ''

helmfile.d/snippets/defaults.yaml

@@ -1265,6 +1265,7 @@ environments:
           hasExternalIDP: false
           isMultitenant: true
           nodeSelector: {}
+        users: []
         e2e:
           enabled: false
           upgrade:

helmfile.d/snippets/env.gotmpl

@@ -50,6 +50,9 @@ environments:
     {{- end }}
   {{- end }}
 {{- end }}
+{{- if eq (exec "bash" (list "-c" "( test -f $ENV_DIR/env/secrets.users.yaml && echo 'true' ) || echo 'false'") | trim) "true" }}
+      - {{ $ENV_DIR }}/env/secrets.users.yaml{{ $ext }}
+{{- end }}
 {{- if eq (exec "bash" (list "-c" "( test -f $ENV_DIR/env/secrets.settings.yaml && echo 'true' ) || echo 'false'") | trim) "true" }}
       - {{ $ENV_DIR }}/env/secrets.settings.yaml{{ $ext }}
 {{- end }}

package-lock.json

@@ -23,6 +23,7 @@
     "envalid": "7.3.1",
     "express": "4.18.1",
     "fs-extra": "9.1.0",
+    "generate-password": "^1.7.1",
     "ignore-walk": "3.0.4",
     "lodash": "4.17.21",
     "node-fetch": "2.6.7",

package.json

@@ -22,6 +22,7 @@ describe('Bootstrapping values', () => {
     apps: { 'cert-manager': { issuer: 'custom-ca' } },
     cluster: { name: 'bla', provider: 'dida' },
   }
+  const users = [{ id: 'user1', initialPassword: 'existing-password' }, { id: 'user2' }]
   const secrets = { secret: 'true', deep: { nested: 'secret' } }
   const ageKeys = { publicKey: 'agePublicKey', privateKey: 'agePrivateKey' }
   const kmsValues = {
@@ -241,6 +242,11 @@ describe('Bootstrapping values', () => {
   })
   describe('processing values', () => {
     const generatedSecrets = { gen: 'x' }
+    const generatedPassword = 'generated-password'
+    const usersWithPasswords = [
+      { id: 'user1', initialPassword: 'existing-password' },
+      { id: 'user2', initialPassword: generatedPassword },
+    ]
     const ca = { a: 'cert' }
     const mergedValues = merge(cloneDeep(values), cloneDeep(secrets))
     const mergedSecretsWithCa = merge(cloneDeep(secrets), cloneDeep(ca))
@@ -262,6 +268,7 @@ describe('Bootstrapping values', () => {
         terminal,
         validateValues: jest.fn().mockReturnValue(true),
         writeValues: jest.fn(),
+        generatePassword: jest.fn().mockReturnValue(generatedPassword),
       }
     })
     describe('Creating CA', () => {
@@ -335,10 +342,15 @@ describe('Bootstrapping values', () => {
         expect(res).toEqual(mergedValues)
       })
       it('should merge original with generated values and write them to env dir', async () => {
-        const writtenValues = merge(cloneDeep(values), cloneDeep(mergedSecretsWithGenAndCa))
-        deps.loadYaml.mockReturnValue(values)
+        const writtenValues = merge(
+          cloneDeep(values),
+          cloneDeep(mergedSecretsWithGenAndCa),
+          cloneDeep({ users: usersWithPasswords }),
+        )
+        deps.loadYaml.mockReturnValue({ ...values, users })
         deps.getStoredClusterSecrets.mockReturnValue(secrets)
         deps.generateSecrets.mockReturnValue(generatedSecrets)
+        deps.generatePassword.mockReturnValue(generatedPassword)
         await processValues(deps)
         expect(deps.writeValues).toHaveBeenNthCalledWith(2, writtenValues)
       })

src/cmd/bootstrap.test.ts

@@ -1,5 +1,6 @@
 import { copy, pathExists } from 'fs-extra'
 import { copyFile, mkdir, readFile, writeFile } from 'fs/promises'
+import { generate as generatePassword } from 'generate-password'
 import { cloneDeep, get, merge } from 'lodash'
 import { pki } from 'node-forge'
 import path from 'path'
@@ -252,6 +253,7 @@ export const processValues = async (
     generateSecrets,
     createK8sSecret,
     createCustomCA,
+    generatePassword,
   },
 ): Promise<Record<string, any> | undefined> => {
   const d = deps.terminal(`cmd:${cmdName}:processValues`)
@@ -287,8 +289,21 @@ export const processValues = async (
   }
   // merge existing secrets over newly generated ones to keep them
   const allSecrets = merge(cloneDeep(caSecrets), cloneDeep(storedSecrets), cloneDeep(generatedSecrets))
+  // generate initial passwords for users if they don't have one
+  const users = get(originalInput, 'users', [])
+  for (const user of users) {
+    if (!user.initialPassword) {
+      user.initialPassword = deps.generatePassword({
+        length: 16,
+        numbers: true,
+        symbols: true,
+        lowercase: true,
+        uppercase: true,
+      })
+    }
+  }
   // we have generated all we need, now store everything by merging the original values over all the secrets
-  await deps.writeValues(merge(cloneDeep(allSecrets), cloneDeep(originalInput)))
+  await deps.writeValues(merge(cloneDeep(allSecrets), cloneDeep(originalInput), cloneDeep({ users })))
   // and do some context dependent post processing:
   if (deps.isChart) {
     // to support potential failing chart install we store secrets on cluster

src/cmd/bootstrap.ts

@@ -191,14 +191,17 @@ export const writeValues = async (inValues: Record<string, any>, overwrite = fal
     'databases',
     'files',
     'bootstrap',
+    'users',
   ]
   const secretSettings = omit(secrets, fieldsToOmit)
   const license = { license: values?.license }
   const settings = omit(plainValues, fieldsToOmit)
+  const users = { users: values?.users }
   // and write to their files
   const promises: Promise<void>[] = []
   if (settings) promises.push(writeValuesToFile(`${env.ENV_DIR}/env/settings.yaml`, settings, overwrite))
   if (license) promises.push(writeValuesToFile(`${env.ENV_DIR}/env/secrets.license.yaml`, license, overwrite))
+  if (users) promises.push(writeValuesToFile(`${env.ENV_DIR}/env/secrets.users.yaml`, users, overwrite))
   if (secretSettings || overwrite)
     promises.push(writeValuesToFile(`${env.ENV_DIR}/env/secrets.settings.yaml`, secretSettings, overwrite))
   if (plainValues.cluster || overwrite)

src/common/values.ts

@@ -7,3 +7,10 @@ otomi:
 apps:
   metrics-server:
     enabled: false
+users:
+  - email: [email protected]
+    firstName: platform
+    lastName: admin
+    isPlatformAdmin: true
+    isTeamAdmin: false
+    teams: []

tests/bootstrap/input.yaml

@@ -0,0 +1,22 @@
+users:
+    - email: [email protected]
+      firstName: platform
+      lastName: admin
+      isPlatformAdmin: true
+      isTeamAdmin: true
+      teams: ['demo']
+      initialPassword: 'platform-admin-password'
+    - email: [email protected]
+      firstName: team
+      lastName: admin
+      isPlatformAdmin: false
+      isTeamAdmin: true
+      teams: ['demo']
+      initialPassword: 'team-admin-password'
+    - email: [email protected]
+      firstName: team
+      lastName: member
+      isPlatformAdmin: false
+      isTeamAdmin: false
+      teams: ['demo']
+      initialPassword: 'team-member-password'

tests/fixtures/env/secrets.users.yaml

@@ -56,10 +56,11 @@ obj:
                 thanos: my-clusterid-thanos
         type: linode
 oidc:
-    adminGroupID: someAdminGroupID
+    platformAdminGroupID: someAdminGroupID
     clientID: someClientID
     issuer: https://login.microsoftonline.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
     subClaimMapper: oid
+    allTeamsAdminGroupID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
     teamAdminGroupID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 otomi:
     additionalClusters:

tests/fixtures/env/settings.yaml

@@ -302,3 +302,7 @@ changes:
     deletions:
       - 'teamConfig.{team}.managedMonitoring.prometheus'
       - 'apps.grafana.resources.downloadDashboards'
+  - version: 30
+    relocations:
+      - 'oidc.adminGroupID': 'oidc.platformAdminGroupID'
+      - 'oidc.teamAdminGroupID': 'oidc.allTeamsAdminGroupID'

values-changes.yaml

@@ -1307,7 +1307,6 @@ definitions:
                     - value
     required:
       - name
-
   sealedsecret:
     type: object
     description: Define location of code to build
@@ -1341,7 +1340,6 @@ definitions:
       - type
       - encryptedData
       - name
-
   workload:
     type: object
     description: Define location of the application's manifests or chart
@@ -1435,6 +1433,37 @@ definitions:
     required:
       - name
       - url
+  user:
+    type: object
+    description: A user in keycloak, who can be a platform admin, a team admin, or a team member.
+    properties:
+      email:
+        $ref: '#/definitions/email'
+        x-secret: ''
+      firstName:
+        type: string
+        x-secret: ''
+      lastName:
+        type: string
+        x-secret: ''
+      isPlatformAdmin:
+        type: boolean
+        x-secret: ''
+      isTeamAdmin:
+        type: boolean
+        x-secret: ''
+      teams:
+        type: array
+        items:
+          type: string
+          x-secret: ''
+      initialPassword:
+        type: string
+        x-secret: ''
+    required:
+      - email
+      - firstName
+      - lastName
 
 properties:
   alerts:
@@ -2896,7 +2925,9 @@ properties:
       clientSecret:
         type: string
         x-secret: ''
-      adminGroupID:
+      platformAdminGroupID:
+        $ref: '#/definitions/wordCharacterPattern'
+      allTeamsAdminGroupID:
         $ref: '#/definitions/wordCharacterPattern'
       teamAdminGroupID:
         $ref: '#/definitions/wordCharacterPattern'
@@ -3221,5 +3252,9 @@ properties:
             type: string
       helm:
         type: object
+  users:
+    type: array
+    items:
+      $ref: '#/definitions/user'
 required:
   - cluster

values-schema.yaml

@@ -18,6 +18,15 @@
 {{- $k := $c | get "keycloak" }}
 {{- $doms := tpl (readFile "../../helmfile.d/snippets/domains.gotmpl") $v | fromYaml }}
 {{- $joinTpl := readFile "../../helmfile.d/utils/joinListWithSep.gotmpl" }}
+{{ $users := list }}
+{{- range $user := $v.users }}
+  {{ $groups := list }}
+  {{- if $user.isPlatformAdmin }}{{ $groups = append $groups "platform-admin" }}{{ end }}
+  {{- if $user.isTeamAdmin }}{{ $groups = append $groups "team-admin" }}{{ end }}
+  {{- range $team := $user.teams }}{{ $groups = append $groups (print "team-" $team) }}{{ end }}
+  {{- $users = append $users (dict "email" $user.email "firstName" $user.firstName "lastName" $user.lastName "initialPassword" $user.initialPassword "groups" $groups) }}
+{{- end }}
+{{- $users := $users | toJson }}
 
 resources:
   - apiVersion: v1
@@ -29,6 +38,7 @@ resources:
       KEYCLOAK_ADMIN: {{ .Values.apps.keycloak.adminUsername | b64enc }}
       KEYCLOAK_ADMIN_PASSWORD: {{ $k.adminPassword | b64enc }}
       KEYCLOAK_CLIENT_SECRET: {{ $k.idp.clientSecret | b64enc }}
+      USERS: {{ $users | b64enc }}
       {{- if $v.otomi.hasExternalIDP }}
       IDP_CLIENT_ID: {{ $oi.clientID | b64enc}}
       IDP_CLIENT_SECRET: {{ $oi.clientSecret | b64enc }}
@@ -56,8 +66,10 @@ resources:
       {{- with $oi | get "subClaimMapper" nil }}
       IDP_SUB_CLAIM_MAPPER: {{ . }}{{ end }}
       IDP_GROUP_MAPPINGS_TEAMS: '{{ $teamsMapping | toJson }}'
-      {{- with $oi | get "adminGroupID" nil }}
-      IDP_GROUP_apl_ADMIN: {{ . }}{{ end }}
+      {{- with $oi | get "platformAdminGroupID" nil }}
+      IDP_GROUP_PLATFORM_ADMIN: {{ . }}{{ end }}
+      {{- with $oi | get "allTeamsAdminGroupID" nil }}
+      IDP_GROUP_ALL_TEAMS_ADMIN: {{ . }}{{ end }}
       {{- with $oi | get "teamAdminGroupID" nil }}
       IDP_GROUP_TEAM_ADMIN: {{ . }}{{ end }}
       IDP_OIDC_URL: {{ $oi.issuer }}

values/apl-keycloak-operator/apl-keycloak-operator-raw.gotmpl

@@ -42,8 +42,10 @@ env:
   {{- with $o | get "subClaimMapper" nil }}
   IDP_SUB_CLAIM_MAPPER: {{ . }}{{ end }}
   IDP_GROUP_MAPPINGS_TEAMS: '{{ $teamsMapping | toJson }}'
-  {{- with $o | get "adminGroupID" nil }}
-  IDP_GROUP_OTOMI_ADMIN: {{ . }}{{ end }}
+  {{- with $o | get "platformAdminGroupID" nil }}
+  IDP_GROUP_PLATFORM_ADMIN: {{ . }}{{ end }}
+  {{- with $o | get "allTeamsAdminGroupID" nil }}
+  IDP_GROUP_ALL_TEAMS_ADMIN: {{ . }}{{ end }}
   {{- with $o | get "teamAdminGroupID" nil }}
   IDP_GROUP_TEAM_ADMIN: {{ . }}{{ end }}
   IDP_OIDC_URL: {{ $o.issuer }}