Keycloak evaluation environment setup (wiki page /user/yk.mtst/メモ/2018/11/03/keycloak検証環境構築)

Prerequisites

  • git
  • docker
  • docker-compose

Setup notes

Installation

Create the directory to install into

$ mkdir keycloak
$ cd keycloak

Fetch the docker-compose.yml from https://gist.github.com/sahya/16993f37ba55e10f8bc40ee5fe4b0757

$ wget https://gist.githubusercontent.com/sahya/16993f37ba55e10f8bc40ee5fe4b0757/raw/b2cb9407643765c4c0f83f52abdca73890a8c8bc/docker-compose.yml

It depends on weseek/growi-docker-compose, so clone that as well

$ git clone https://github.com/weseek/growi-docker-compose.git growi

Replace the domain

$ sed -i 's/example.com/keycloak-eval1.infra-workshop.tech/' docker-compose.yml

Create a throwaway self-signed certificate for the wildcard (*.keycloak-eval1.infra-workshop.tech)

$ mkdir certs
$ cd certs
$ openssl genrsa 2048 > wildcard.keycloak-eval1.infra-workshop.tech.key
$ openssl req -new -key wildcard.keycloak-eval1.infra-workshop.tech.key > wildcard.keycloak-eval1.infra-workshop.tech.csr
$ openssl x509 -days 3650 -req -signkey wildcard.keycloak-eval1.infra-workshop.tech.key <wildcard.keycloak-eval1.infra-workshop.tech.csr > wildcard.keycloak-eval1.infra-workshop.tech.crt
$ cd ..
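The same certificate step, as an added example that is not part of the original memo: it runs non-interactively (the `openssl req` call above prompts for the subject), puts the wildcard into a subjectAltName extension rather than only the CN (browsers such as the Chrome 70 used later in this memo ignore the CN and match on SAN only), and then checks which hostnames the resulting certificate actually covers, with the one-label rule for wildcards. The domain and output directory are arguments; the function names, the `san.cnf` file and the check logic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the memo): non-interactive self-signed wildcard
# certificate with a SAN extension, plus a hostname coverage check.
set -eu

# make_wildcard_cert DOMAIN OUTDIR
# Writes OUTDIR/wildcard.DOMAIN.{key,csr,crt}. The SAN entries are what TLS
# clients match on; the CN is kept only for display.
make_wildcard_cert() {
    domain="$1"; outdir="$2"
    base="$outdir/wildcard.$domain"
    mkdir -p "$outdir"
    # Extension file read by "openssl x509 -extfile" (unnamed default section).
    cat > "$outdir/san.cnf" <<EOF
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
    openssl genrsa -out "$base.key" 2048 2>/dev/null
    # -subj supplies the subject, so no interactive prompts.
    openssl req -new -key "$base.key" -subj "/CN=*.$domain" -out "$base.csr"
    openssl x509 -req -days 3650 -in "$base.csr" -signkey "$base.key" \
        -extfile "$outdir/san.cnf" -out "$base.crt" 2>/dev/null
    # The private key is only readable by its owner.
    chmod 600 "$base.key"
}

# cert_covers_host CRT HOST
# Succeeds if one of CRT's DNS SAN entries covers HOST. A "*.parent" entry
# covers exactly one label under parent (RFC 6125 style), nothing deeper.
cert_covers_host() {
    crt="$1"; host="$2"
    parent="${host#*.}"
    sans=$(openssl x509 -in "$crt" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://')
    for san in $sans; do
        case "$san" in
            "$host") return 0 ;;
            '*.'*) [ "${san#\*.}" = "$parent" ] && [ "$host" != "$parent" ] && return 0 ;;
        esac
    done
    return 1
}

# Usage: sh mkcert.sh keycloak-eval1.infra-workshop.tech certs
if [ $# -eq 2 ]; then
    make_wildcard_cert "$1" "$2"
    cert_covers_host "$2/wildcard.$1.crt" "sts.$1" && echo "SAN covers sts.$1"
fi
```

The coverage check is the part worth keeping around: after `docker-compose up` it is a quick way to confirm that `sts.`, `wiki.` and `wp.` are all covered by the one certificate the reverse proxy serves, before chasing a browser warning elsewhere.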

Start the containers

$ docker-compose up -d

Watch the logs and wait for startup to finish

$ docker-compose logs -f

Set up name resolution by whatever means is handy and open the following in a browser

https://sts.keycloak-eval1.infra-workshop.tech
https://wiki.keycloak-eval1.infra-workshop.tech
https://wp.keycloak-eval1.infra-workshop.tech

SAML authentication for Growi

Configured by following https://qiita.com/sahya/items/d8ad66aadcf587c6f0a3

Logging in from Growi failed with the following error, thrown at
https://github.com/keycloak/keycloak/blob/4.0.0.Final/services/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java#L135

growiapp | [2018-11-03T08:12:01.455Z] INFO: express/87 on e3610efbe7c7: ::ffff:172.18.0.3 <-- GET /passport/saml?_csrf=vAGfeN8B-cgW20eiqjgfbGq-Xt2Z8Oq4CnWw HTTP/1.1 302 0 https://wiki.keycloak-eval1.infra-workshop.tech/login Chrome 70.0 Windows 10.0.0 2.614875 ms (req_id=6aed2f8d-89e6-4acf-828e-8ab3e8b7e5c6)
keycloak | 08:12:09,696 ERROR [org.keycloak.protocol.saml.SamlService] (default task-46) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
keycloak |     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:135)

Resolved by setting "Client Signature Required" to off on the client
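Turning that switch off means Keycloak no longer checks a signature on the redirect-binding AuthnRequest from this client, so it is worth being able to see what the server was rejecting before and after the change. The following is an added example, not part of the memo: it strips the colour escapes `docker-compose logs` adds, pulls the `VerificationException` reason out of each "request validation failed" line, and tallies the reasons. The sample log lines are constructed after the ones pasted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the memo): extract and count SAML request
# validation failures from "docker-compose logs keycloak" output.
set -eu

# strip_ansi: remove the colour escape sequences docker-compose wraps service
# names in (they show up as "ESC[36m" when the log is pasted as text).
strip_ansi() {
    esc=$(printf '\033')
    sed "s/$esc\[[0-9;]*m//g"
}

# saml_failure_reasons LOGFILE
# Print one VerificationException message per rejected SAML request,
# e.g. "SigAlg was null". Trailing stack-trace text fused onto the same
# line (as in the pasted log) is cut off.
saml_failure_reasons() {
    strip_ansi < "$1" \
      | grep 'request validation failed' \
      | sed 's/.*request validation failed: [A-Za-z0-9_.]*VerificationException: //' \
      | sed -e 's/[[:space:]]*keycloak |.*$//' -e 's/[[:space:]]*at org\..*$//'
}

# saml_failure_counts LOGFILE: "<count> <reason>" lines, most frequent first.
saml_failure_counts() {
    saml_failure_reasons "$1" | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Constructed sample log (not real output), with the raw escape sequences
# that docker-compose emits, modelled on the lines quoted in the memo.
sample_log() {
    esc=$(printf '\033')
    cat <<EOF
growiapp | [2018-11-03T08:12:01.455Z] INFO: express/87 on e3610efbe7c7: ::ffff:172.18.0.3 <-- GET /passport/saml HTTP/1.1 302 0
${esc}[36mkeycloak |${esc}[0m ${esc}[0m${esc}[31m08:12:09,696 ERROR [org.keycloak.protocol.saml.SamlService] (default task-46) request validation failed: org.keycloak.common.VerificationException: SigAlg was null ${esc}[36mkeycloak |${esc}[0m at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:135)
${esc}[36mkeycloak |${esc}[0m 08:13:40,010 ERROR [org.keycloak.protocol.saml.SamlService] (default task-47) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
${esc}[36mkeycloak |${esc}[0m 08:13:40,300 INFO  [org.keycloak.events] (default task-47) type=LOGIN_ERROR, realmId=master
EOF
}

# Usage: docker-compose logs keycloak > kc.log; sh saml-failures.sh kc.log
if [ $# -eq 1 ]; then
    saml_failure_counts "$1"
fi
```

Run against a captured `docker-compose logs keycloak` file; an unchanged count of `SigAlg was null` after the client setting was flipped would mean the wrong client (or the wrong realm) was edited.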

Working with the Keycloak image

Reference: https://hub.docker.com/r/jboss/keycloak/

Change the log level to DEBUG

docker exec keycloak ./keycloak/bin/jboss-cli.sh --connect --command='/subsystem=logging/logger=org.keycloak:write-attribute(name=level,value=DEBUG)'

Checking the Keycloak upgrade procedure

Reference: https://keycloak-documentation.openstandia.jp/master/ja_JP/upgrading/index.html

Stop Keycloak and take a database dump

$ docker-compose stop keycloak
$ docker-compose exec kcdb mysqldump -uroot -proot --all-databases | gzip > kcdb.dump.`date +%Y%m%d_%H%M%S`.gz

Edit docker-compose.yml

$ vi docker-compose.yml

Build and start the new Keycloak

$ docker-compose up -d keycloak

Verify it works
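The dump is the only way back if the schema migration of the new version goes wrong, so the backup step above deserves a verification pass before anything is edited. This is an added example, not part of the memo: it wraps the memo's stop-and-dump commands and then refuses to continue unless the file is a valid gzip stream that ends with the `-- Dump completed` marker mysqldump writes last (a truncated pipe never gets that far). The `keycloak`/`kcdb` service names and the root/root credentials are the memo's; `exec -T`, the function names and the checks are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the memo): pre-upgrade database dump with integrity checks.
set -eu

# verify_dump FILE
# Succeed only if FILE is non-empty, decompresses cleanly, and contains the
# completion marker mysqldump writes as its final line.
verify_dump() {
    f="$1"
    [ -s "$f" ] || { echo "dump is empty or missing: $f" >&2; return 1; }
    gzip -t "$f" 2>/dev/null || { echo "gzip integrity check failed: $f" >&2; return 1; }
    gzip -dc "$f" | grep -q '^-- Dump completed' \
        || { echo "no 'Dump completed' marker, dump is truncated: $f" >&2; return 1; }
}

# backup_kcdb
# Stop Keycloak so nothing writes during the dump, dump every database from
# the kcdb container, verify the result and print its file name.
# "exec -T" turns off the pseudo-TTY, which would otherwise mangle piped output.
backup_kcdb() {
    out="kcdb.dump.$(date +%Y%m%d_%H%M%S).gz"
    docker-compose stop keycloak
    docker-compose exec -T kcdb mysqldump -uroot -proot --all-databases | gzip > "$out"
    verify_dump "$out"
    echo "$out"
}

# Usage: sh backup.sh backup   (then edit docker-compose.yml and "up -d keycloak")
if [ "${1:-}" = "backup" ]; then
    backup_kcdb
fi
```

`verify_dump` can also be pointed at an older dump before a restore attempt; the same three checks cover the failure modes that are otherwise only discovered at `mysql <` time.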

Building a custom Keycloak image

Dockerfile
# Build stage: clone and package the Discord identity-provider extension.
# The clone is not pinned to a tag or commit, so the build is not reproducible.
FROM maven:3-jdk-8 AS builder
RUN git clone https://github.com/wadahiro/keycloak-discord.git
RUN cd keycloak-discord; mvn package

# Runtime stage: drop the packaged ear into Keycloak's hot-deploy directory.
FROM jboss/keycloak:4.5.0.Final
COPY --from=builder keycloak-discord/ear/target/keycloak-discord.ear /opt/jboss/keycloak/standalone/deployments/

Discord integration test (prototype version)

  • deploy log
keycloak | 17:25:14,709 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-discord.ear" (runtime-name: "keycloak-discord.ear")
keycloak | 17:25:14,715 INFO [org.jboss.as.server.deployment] (MSC service thread 1-6) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
keycloak | 17:25:14,755 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0006: Undertow HTTPS listener https listening on 0.0.0.0:8443
keycloak | 17:25:14,777 INFO [org.jboss.as.server.deployment] (MSC service thread 1-7) WFLYSRV0207: Starting subdeployment (runtime-name: "keycloak-discord-ejb.jar")
keycloak | 17:25:14,825 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.keycloak.keycloak-server-spi-private") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,825 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.keycloak.keycloak-services") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,828 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.keycloak.keycloak-saml-core-public") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,829 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.bouncycastle") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,829 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("com.google.guava") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,855 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-2) Deploying Keycloak provider: keycloak-discord-ejb.jar
keycloak | 17:25:15,196 WARN [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 50) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB. This might lead to performance problems. Please set your max send buffer in the OS correctly (e.g. net.core.wmem_max on Linux)
keycloak | 17:25:15,196 WARN [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 50) JGRP000015: the receive buffer of socket MulticastSocket was set to 20.00MB, but the OS only allocated 212.99KB. This might lead to performance problems. Please set your max receive buffer in the OS correctly (e.g. net.core.rmem_max on Linux)
keycloak | 17:25:15,196 WARN [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 50) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB. This might lead to performance problems. Please set your max send buffer in the OS correctly (e.g. net.core.wmem_max on Linux)
keycloak | 17:25:15,197 WARN [org.jgroups.protocols.UDP] (ServerService Thread Pool -- 50) JGRP000015: the receive buffer of socket MulticastSocket was set to 25.00MB, but the OS only allocated 212.99KB. This might lead to performance problems. Please set your max receive buffer in the OS correctly (e.g. net.core.rmem_max on Linux)
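Two things in that deploy log are worth checking mechanically rather than by eye: whether the provider was really picked up (the `Deploying Keycloak provider:` line from the Keycloak deployment processor), and which private WildFly/Keycloak modules the ear depends on (the `WFLYSRV0018` warnings), since those are the dependencies most likely to break when the base image is bumped in the upgrade procedure above. The following is an added example and not part of the memo; the sample log is constructed from the lines above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the memo): checks over the deploy log of a custom
# Keycloak provider.
set -eu

# private_modules LOGFILE DEPLOYMENT
# List the private modules WildFly warns about (WFLYSRV0018) for DEPLOYMENT,
# one per line, deduplicated and sorted.
private_modules() {
    grep 'WFLYSRV0018' "$1" \
      | grep "Deployment \"$2\"" \
      | sed 's/.*private module ("\([^"]*\)").*/\1/' \
      | sort -u
}

# provider_deployed LOGFILE JAR
# Succeed if the Keycloak provider deployment processor reports JAR deployed.
provider_deployed() {
    grep -q "Deploying Keycloak provider: $2" "$1"
}

# deployment_errors LOGFILE NAME
# Print ERROR-level lines mentioning NAME; empty output means none.
deployment_errors() {
    grep ' ERROR ' "$1" | grep "$2" || true
}

# Constructed sample, taken from the deploy log quoted in the memo.
sample_deploy_log() {
    cat <<'EOF'
keycloak | 17:25:14,709 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-discord.ear" (runtime-name: "keycloak-discord.ear")
keycloak | 17:25:14,777 INFO [org.jboss.as.server.deployment] (MSC service thread 1-7) WFLYSRV0207: Starting subdeployment (runtime-name: "keycloak-discord-ejb.jar")
keycloak | 17:25:14,825 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.keycloak.keycloak-server-spi-private") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,825 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.keycloak.keycloak-services") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,828 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.keycloak.keycloak-saml-core-public") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,829 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("org.bouncycastle") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,829 WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.keycloak-discord.ear" is using a private module ("com.google.guava") which may be changed or removed in future versions without notice.
keycloak | 17:25:14,855 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-2) Deploying Keycloak provider: keycloak-discord-ejb.jar
EOF
}

# Usage: docker-compose logs keycloak > kc.log; sh deploy-check.sh kc.log
if [ $# -eq 1 ]; then
    provider_deployed "$1" keycloak-discord-ejb.jar && echo "provider deployed"
    echo "private modules used:"; private_modules "$1" deployment.keycloak-discord.ear
    deployment_errors "$1" keycloak-discord
fi
```

Keeping the `private_modules` output from before and after an image upgrade gives a concrete diff of what the extension still leans on, which is more useful than the generic "may be changed or removed" warning text.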

Performance visualization

Installed Cockpit to look at server performance

Reference: https://wiki.infra-workshop.tech/user/yk.mtst/%E3%83%A1%E3%83%A2/2018/11/04/Cockpit%E5%B0%8E%E5%85%A5

TODO: integration tests with Selenium and Arquillian, modelled on how the Keycloak project itself does them

Reference: https://wiki.infra-workshop.tech/user/yk.mtst/%E3%83%A1%E3%83%A2/2018/11/04/Java2EE%E3%81%AE%E7%B5%90%E5%90%88%E3%83%86%E3%82%B9%E3%83%88%E8%87%AA%E5%8B%95%E5%8C%96