From 87c1807730a8d09c7c5cd67ce7f9bcf8dc06bbf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Mon, 10 Jul 2017 10:50:28 +0200
Subject: [PATCH] it is now possible to use the default user admin to create clients in SSO
---
 README.md | 26 +++++++++++++++++++++++++-
 sso.js | 17 +++++++++++++++--
 2 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 7a8b451..4fb8503 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,7 @@ The possible environment variables are explained below:
 | SSO_HOSTNAME | The hostname of your SSO server or OpenShift route. (Just the hostname, without https:// or a path) | Yes |
 | SSO_SERVICE_USERNAME | The username we need to use to connect to Red Hat SSO | Yes |
 | SSO_SERVICE_PASSWORD | The password we need to use to connect to Red Hat SSO | Yes |
+| SSO_AUTH_REALM | The realm used to authenticate the service user. Defaults to SSO_REALM if not provided. | No |
 | SSO_CLIENT_ID | The client id we need to use to connect to Red Hat SSO. In every SSO installation, there is one named `admin-cli`. | Yes |
 | SHARED_SECRET | A shared secret between 3scale and the webhooks server in order to prevent anyone from submitting webhooks. | No |
 | WEBHOOKS_MODULES | A coma separated list of modules to load and use as handlers. Two modules are provided with this project: `sso` and `log` | Yes |
@@ -53,6 +54,29 @@ Do not forget to enable Webhooks and check `Dashboard actions fire webhooks` ! ![3scale screenshot](doc/img/webhook_screenshot.png) +**Note about the admin/service user:** + +To be able to create clients in Red Hat SSO, you need to provide a valid user with +administrative privileges. + +One way to do so is by setting the `SSO_SERVICE_USERNAME` and `SSO_SERVICE_PASSWORD` +environment variables on the SSO DeploymentConfig as explained above. It will create +user for you with the correct rights. + +If you want to use the built-in `admin` user, it is possible but you have to be aware +that the `admin` user lays in the `master` realm. So you will have to pass the +`SSO_AUTH_REALM` environment variable. + +For instance, if you want to create clients in the `3scale` realm and you want to +use the default `admin` user to do this, you will have to use the following variables: + +``` +SSO_SERVICE_USERNAME=admin +SSO_SERVICE_PASSWORD=secret +SSO_AUTH_REALM=master +SSO_REALM=3scale +``` + ## Developing a module If you plan to develop a module, you will have to export three methods from @@ -111,7 +135,7 @@ run NodeJS locally: ``` export SSO_REALM=3scale -export SSO_HOSTNAME=sso-secure-sso.app.openshift.test +export SSO_HOSTNAME=secure-sso-sso.app.openshift.test export SSO_CLIENT_ID=admin-cli export SSO_SERVICE_USERNAME=cli export SSO_SERVICE_PASSWORD=secret diff --git a/sso.js b/sso.js index d7bf302..864862e 100644 --- a/sso.js +++ b/sso.js @@ -20,6 +20,11 @@ function sso_init() { if (failed) { throw new Error("Missing configuration"); } + + // Handle optional environment variables + if ('SSO_AUTH_REALM' in process.env && process.env.SSO_AUTH_REALM != null) { + config.SSO_AUTH_REALM = process.env.SSO_AUTH_REALM; + } } function sso_register(types) { 
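Review bot: The guard `'SSO_AUTH_REALM' in process.env && process.env.SSO_AUTH_REALM != null` in sso_init cannot tell an unset variable from one set to the empty string, because process.env values are always strings and the `!= null` half can never be false once the `in` check has passed. An empty `SSO_AUTH_REALM=` therefore stores `""` in config, which the `||` fallback in authenticate_to_sso treats as unset while the `== null` test in its error branch treats as set, so the realm hint never prints in exactly the case it was written for. Collapsing the condition to `if (process.env.SSO_AUTH_REALM) {` keeps the variable optional and gives "unset" one meaning in both places. The body of sso_init begins before this hunk.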
@@ -210,8 +215,9 @@ function delete_sso_client(access_token, id, error, next) {
 }
 
 function authenticate_to_sso(error, next) {
- console.log("Authenticating to SSO (realm = '%s') using the ROPC OAuth flow with %s/%s", config.SSO_REALM, config.SSO_SERVICE_USERNAME, config.SSO_SERVICE_PASSWORD);
- req.post(util.format("https://%s/auth/realms/%s/protocol/openid-connect/token", config.SSO_HOSTNAME, config.SSO_REALM), {
+ var realm = config.SSO_AUTH_REALM || config.SSO_REALM;
+ console.log("Authenticating to SSO (realm = '%s') using the ROPC OAuth flow with %s/%s", realm, config.SSO_SERVICE_USERNAME, config.SSO_SERVICE_PASSWORD);
+ req.post(util.format("https://%s/auth/realms/%s/protocol/openid-connect/token", config.SSO_HOSTNAME, realm), {
 form: {
 grant_type: "password",
 client_id: config.SSO_CLIENT_ID,
@@ -232,6 +238,13 @@ function authenticate_to_sso(error, next) {
 return error(err);
 }
 } else {
+ console.log("Error while authenticating to SSO.");
+ if (config.SSO_AUTH_REALM == null && config.SSO_SERVICE_USERNAME == "admin" && config.SSO_REALM != "master") {
+ console.log("It looks like you are trying to authenticate with the built-in 'admin'");
+ console.log("user but you did not provide the SSO_AUTH_REALM environment variable.");
+ console.log("Re-try with 'SSO_AUTH_REALM=master' !");
+ }
+
 return error(util.format("Got a %d response from SSO while authenticating", response.statusCode));
 }
 });
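Review bot: The rewritten console.log on the new side still prints config.SSO_SERVICE_PASSWORD in clear text, so the service account's credential lands in the pod log, any log aggregator and every pasted bug report; the commit touches this line but keeps the leak. Log the username only: `console.log("Authenticating to SSO (realm = '%s') using the ROPC OAuth flow as %s", realm, config.SSO_SERVICE_USERNAME);`. The fallback `var realm = config.SSO_AUTH_REALM || config.SSO_REALM;` is fine, but a short comment such as `// The service user may live in a different realm (e.g. master for the built-in admin) than the one we manage clients in` would explain why two realm settings exist. The req.post call continues past the hunk.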
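Review bot: The hint condition in the error branch tests `config.SSO_AUTH_REALM == null`, while the realm actually sent a few lines earlier is chosen with `config.SSO_AUTH_REALM || config.SSO_REALM`; if SSO_AUTH_REALM is set to an empty string the request goes to SSO_REALM but the hint is suppressed. Using the same falsiness test, `if (!config.SSO_AUTH_REALM && config.SSO_SERVICE_USERNAME == "admin" && config.SSO_REALM != "master") {`, keeps the two in step. The new first line also logs the failure without the status code, which only reaches the caller through the error string; `console.log("Error while authenticating to SSO (HTTP %d).", response.statusCode);` lets an operator separate a 401 from a 5xx at a glance. authenticate_to_sso starts in the previous hunk and its closing brace is outside this one.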