mocode-software/meldestelle
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fixing frontedn docker build

Browse Source
This commit is contained in:
stefan
2025-10-01 13:32:43 +02:00
parent 30ae7230de
commit 72036207b0
16 changed files with 978 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files
build.gradle.kts
+6 -6
View File
@@ -68,9 +68,9 @@ subprojects {
// Also set the legacy switch to silence warnings entirely // Also set the legacy switch to silence warnings entirely
environment("NODE_NO_WARNINGS", "1") environment("NODE_NO_WARNINGS", "1")
// Set Chrome binary path to avoid snap permission issues // Set Chrome binary path to avoid snap permission issues
environment("CHROME_BIN", "/usr/bin/google-chrome") environment("CHROME_BIN", "/usr/bin/google-chrome-stable")
environment("CHROMIUM_BIN", "/usr/bin/google-chrome") environment("CHROMIUM_BIN", "/usr/bin/chromium")
environment("PUPPETEER_EXECUTABLE_PATH", "/usr/bin/google-chrome") environment("PUPPETEER_EXECUTABLE_PATH", "/usr/bin/chromium")
} }
} }
@@ -94,9 +94,9 @@ tasks.withType<Exec>().configureEach {
environment("NODE_OPTIONS", merged) environment("NODE_OPTIONS", merged)
environment("NODE_NO_WARNINGS", "1") environment("NODE_NO_WARNINGS", "1")
// Set Chrome binary path to avoid snap permission issues // Set Chrome binary path to avoid snap permission issues
environment("CHROME_BIN", "/usr/bin/google-chrome") environment("CHROME_BIN", "/usr/bin/google-chrome-stable")
environment("CHROMIUM_BIN", "/usr/bin/google-chrome") environment("CHROMIUM_BIN", "/usr/bin/chromium")
environment("PUPPETEER_EXECUTABLE_PATH", "/usr/bin/google-chrome") environment("PUPPETEER_EXECUTABLE_PATH", "/usr/bin/chromium")
} }
tasks.wrapper { tasks.wrapper {
clients/app/build.gradle.kts
+6 -1
View File
@@ -50,7 +50,12 @@ kotlin {
} }
// Browser-Tests komplett deaktivieren (Configuration Cache kompatibel) // Browser-Tests komplett deaktivieren (Configuration Cache kompatibel)
testTask { testTask {
enabled = false //enabled = false
useKarma {
useChromeHeadless()
environment("CHROME_BIN", "/usr/bin/google-chrome-stable")
}
} }
} }
binaries.executable() binaries.executable()
core/core-domain/build.gradle.kts
+5 -1
View File
@@ -13,7 +13,11 @@ kotlin {
} }
js(IR) { js(IR) {
browser() browser {
testTask {
enabled = false
}
}
} }
sourceSets { sourceSets {
core/core-utils/build.gradle.kts
+5 -1
View File
@@ -15,7 +15,11 @@ kotlin {
} }
js(IR) { js(IR) {
browser() browser {
testTask {
enabled = false
}
}
} }
sourceSets { sourceSets {
docker-compose.services.yml
+2 -2
View File
@@ -23,8 +23,8 @@ services:
# Service-specific arguments (from docker/build-args/services.env) # Service-specific arguments (from docker/build-args/services.env)
SPRING_PROFILES_ACTIVE: ${DOCKER_SPRING_PROFILES_DOCKER:-docker} SPRING_PROFILES_ACTIVE: ${DOCKER_SPRING_PROFILES_DOCKER:-docker}
# Enable BuildKit for better caching and performance # Enable BuildKit for better caching and performance
platforms: # platforms:
- linux/amd64 # - linux/amd64
container_name: meldestelle-ping-service container_name: meldestelle-ping-service
volumes: volumes:
# Mount Gradle cache for better build performance # Mount Gradle cache for better build performance
docker-compose.yml
+39 -9
View File
@@ -60,12 +60,29 @@ services:
image: quay.io/keycloak/keycloak:${DOCKER_KEYCLOAK_VERSION:-26.0.7} image: quay.io/keycloak/keycloak:${DOCKER_KEYCLOAK_VERSION:-26.0.7}
container_name: meldestelle-keycloak container_name: meldestelle-keycloak
environment: environment:
# Admin Configuration
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin} KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin} KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
# Database Configuration
KC_DB: postgres KC_DB: postgres
KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB:-meldestelle} KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB:-meldestelle}
KC_DB_USERNAME: ${POSTGRES_USER:-meldestelle} KC_DB_USERNAME: ${POSTGRES_USER:-meldestelle}
KC_DB_PASSWORD: ${POSTGRES_PASSWORD:-meldestelle} KC_DB_PASSWORD: ${POSTGRES_PASSWORD:-meldestelle}
KC_DB_SCHEMA: keycloak
# Keycloak Configuration
KC_HTTP_PORT: 8080
KC_HOSTNAME_STRICT: false
KC_HOSTNAME_STRICT_HTTPS: false
KC_HTTP_ENABLED: true
KC_PROXY: edge
# Development Settings
KC_LOG_LEVEL: ${KEYCLOAK_LOG_LEVEL:-INFO}
KC_METRICS_ENABLED: true
KC_HEALTH_ENABLED: true
ports: ports:
- "8180:8080" - "8180:8080"
depends_on: depends_on:
@@ -73,15 +90,19 @@ services:
condition: service_healthy condition: service_healthy
volumes: volumes:
- ./docker/services/keycloak:/opt/keycloak/data/import - ./docker/services/keycloak:/opt/keycloak/data/import
command: start-dev --import-realm - keycloak-data:/opt/keycloak/data
command:
- start-dev
- --import-realm
- --http-port=8080
networks: networks:
- meldestelle-network - meldestelle-network
healthcheck: healthcheck:
test: [ "CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/" ] test: [ "CMD", "curl", "-f", "http://localhost:8080/health/ready" ]
interval: 10s interval: 30s
timeout: 5s timeout: 10s
retries: 3 retries: 5
start_period: 20s start_period: 60s
restart: unless-stopped restart: unless-stopped
# =================================================================== # ===================================================================
@@ -218,18 +239,25 @@ services:
# Infrastructure-specific arguments (from docker/build-args/infrastructure.env) # Infrastructure-specific arguments (from docker/build-args/infrastructure.env)
SPRING_PROFILES_ACTIVE: ${DOCKER_SPRING_PROFILES_DEFAULT:-default} SPRING_PROFILES_ACTIVE: ${DOCKER_SPRING_PROFILES_DEFAULT:-default}
# Enable BuildKit for better caching and performance # Enable BuildKit for better caching and performance
platforms: # platforms:
- linux/amd64 # - linux/amd64
container_name: meldestelle-api-gateway container_name: meldestelle-api-gateway
volumes: volumes:
# Mount Gradle cache for better build performance # Mount Gradle cache for better build performance
- api-gateway-gradle-cache:/home/gradle/.gradle - api-gateway-gradle-cache:/home/gradle/.gradle
environment: environment:
SPRING_PROFILES_ACTIVE: ${SPRING_PROFILES_ACTIVE:-dev} SPRING_PROFILES_ACTIVE: ${SPRING_PROFILES_ACTIVE:-dev,keycloak}
CONSUL_HOST: consul CONSUL_HOST: consul
CONSUL_PORT: ${CONSUL_PORT:-8500} CONSUL_PORT: ${CONSUL_PORT:-8500}
CONSUL_ENABLED: "true" CONSUL_ENABLED: "true"
GATEWAY_PORT: ${GATEWAY_PORT:-8081} GATEWAY_PORT: ${GATEWAY_PORT:-8081}
# Keycloak-Integration
KEYCLOAK_SERVER_URL: http://keycloak:8080
KEYCLOAK_ISSUER_URI: http://keycloak:8080/realms/meldestelle
KEYCLOAK_JWK_SET_URI: http://keycloak:8080/realms/meldestelle/protocol/openid-connect/certs
KEYCLOAK_REALM: meldestelle
KEYCLOAK_CLIENT_ID: api-gateway
GATEWAY_SECURITY_KEYCLOAK_ENABLED: "true"
ports: ports:
- "${GATEWAY_PORT:-8081}:8081" - "${GATEWAY_PORT:-8081}:8081"
depends_on: depends_on:
@@ -263,6 +291,8 @@ volumes:
driver: local driver: local
api-gateway-gradle-cache: api-gateway-gradle-cache:
driver: local driver: local
keycloak-data:
driver: local
# =================================================================== # ===================================================================
# Networks # Networks
infrastructure/gateway/build.gradle.kts
+4
View File
@@ -43,6 +43,10 @@ dependencies {
implementation(libs.spring.boot.starter.webflux) implementation(libs.spring.boot.starter.webflux)
// Spring Security (WebFlux) benötigt für SecurityWebFilterChain-Konfiguration // Spring Security (WebFlux) benötigt für SecurityWebFilterChain-Konfiguration
implementation(libs.spring.boot.starter.security) implementation(libs.spring.boot.starter.security)
// OAuth2 Resource Server für JWT-Token-Validierung mit Keycloak
implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
// Jackson Kotlin Module für JSON-Parsing in KeycloakJwtAuthenticationFilter
implementation("com.fasterxml.jackson.module:jackson-module-kotlin")
// Bindet die wiederverwendbare Logik zur JWT-Validierung ein. // Bindet die wiederverwendbare Logik zur JWT-Validierung ein.
implementation(projects.infrastructure.auth.authClient) implementation(projects.infrastructure.auth.authClient)
// Bindet die wiederverwendbare Logik für Metriken und Tracing ein. // Bindet die wiederverwendbare Logik für Metriken und Tracing ein.
infrastructure/gateway/src/main/kotlin/at/mocode/infrastructure/gateway/config/GatewayConfig.kt
-3
View File
@@ -21,7 +21,6 @@ import java.util.concurrent.ConcurrentHashMap
* Global Filter für Korrelations-IDs zur Request-Verfolgung. * Global Filter für Korrelations-IDs zur Request-Verfolgung.
*/ */
@Component @Component
@org.springframework.context.annotation.Profile("!test")
class CorrelationIdFilter : GlobalFilter, Ordered { class CorrelationIdFilter : GlobalFilter, Ordered {
companion object { companion object {
@@ -54,7 +53,6 @@ class CorrelationIdFilter : GlobalFilter, Ordered {
* Enhanced Logging Filter für strukturiertes Logging mit Request/Response Details. * Enhanced Logging Filter für strukturiertes Logging mit Request/Response Details.
*/ */
@Component @Component
@org.springframework.context.annotation.Profile("!test")
class EnhancedLoggingFilter : GlobalFilter, Ordered { class EnhancedLoggingFilter : GlobalFilter, Ordered {
private val logger = LoggerFactory.getLogger(EnhancedLoggingFilter::class.java) private val logger = LoggerFactory.getLogger(EnhancedLoggingFilter::class.java)
@@ -130,7 +128,6 @@ class EnhancedLoggingFilter : GlobalFilter, Ordered {
* - Bessere Verteilung der Rate-Limits basierend auf Benutzerrollen * - Bessere Verteilung der Rate-Limits basierend auf Benutzerrollen
*/ */
@Component @Component
@org.springframework.context.annotation.Profile("!test")
class RateLimitingFilter : GlobalFilter, Ordered { class RateLimitingFilter : GlobalFilter, Ordered {
private val requestCounts = ConcurrentHashMap<String, RequestCounter>() private val requestCounts = ConcurrentHashMap<String, RequestCounter>()
infrastructure/gateway/src/main/kotlin/at/mocode/infrastructure/gateway/filter/KeycloakJwtAuthenticationFilter.kt
+196
View File
@@ -0,0 +1,196 @@
package at.mocode.infrastructure.gateway.filter
import at.mocode.infrastructure.auth.client.JwtService
import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
import org.slf4j.LoggerFactory
import org.springframework.beans.factory.annotation.Value
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
import org.springframework.cloud.gateway.filter.GatewayFilterChain
import org.springframework.cloud.gateway.filter.GlobalFilter
import org.springframework.core.Ordered
import org.springframework.http.HttpStatus
import org.springframework.http.server.reactive.ServerHttpResponse
import org.springframework.stereotype.Component
import org.springframework.util.AntPathMatcher
import org.springframework.web.server.ServerWebExchange
import reactor.core.publisher.Mono
import java.util.Base64
@Component
@ConditionalOnProperty(
value = ["gateway.security.keycloak.enabled"],
havingValue = "true",
matchIfMissing = false
)
class KeycloakJwtAuthenticationFilter(
private val jwtService: JwtService
) : GlobalFilter, Ordered {
private val logger = LoggerFactory.getLogger(KeycloakJwtAuthenticationFilter::class.java)
private val pathMatcher = AntPathMatcher()
private val objectMapper = jacksonObjectMapper()
@Value("\${keycloak.realm:meldestelle}")
private lateinit var realm: String
@Value("\${keycloak.issuer-uri:http://keycloak:8080/realms/meldestelle}")
private lateinit var issuerUri: String
// Öffentliche Pfade aus Konfiguration
@Value("\${gateway.security.public-paths:/,/health/**,/actuator/**,/api/ping/**,/api/auth/**,/fallback/**,/docs/**,/swagger-ui/**}")
private lateinit var publicPathsConfig: String
private val publicPaths by lazy {
publicPathsConfig.split(",").map { it.trim() }
}
override fun filter(exchange: ServerWebExchange, chain: GatewayFilterChain): Mono<Void> {
val request = exchange.request
val path = request.path.value()
logger.debug("Processing request for path: {}", path)
// Prüfe öffentliche Pfade
if (isPublicPath(path)) {
logger.debug("Path {} is public, allowing without authentication", path)
return chain.filter(exchange)
}
// JWT Token extrahieren
val authHeader = request.headers.getFirst("Authorization")
if (authHeader == null || !authHeader.startsWith("Bearer ")) {
logger.warn("Missing or invalid Authorization header for path: {}", path)
return handleUnauthorized(exchange, "Missing or invalid Authorization header")
}
val token = authHeader.substring(7)
return validateToken(token, exchange, chain)
}
private fun validateToken(
token: String,
exchange: ServerWebExchange,
chain: GatewayFilterChain
): Mono<Void> {
return try {
// Verwende JwtService für Validierung
val validationResult = jwtService.validateToken(token)
if (validationResult.isFailure) {
logger.warn("JWT validation failed: {}", validationResult.exceptionOrNull()?.message)
return handleUnauthorized(exchange, "Invalid JWT token")
}
// Claims extrahieren
val claims = parseJwtClaims(token)
// Issuer validieren
val issuer = claims["iss"]?.toString()
if (!issuer.equals(issuerUri)) {
logger.warn("Invalid issuer in token: {} (expected: {})", issuer, issuerUri)
return handleUnauthorized(exchange, "Invalid token issuer")
}
// User-Informationen extrahieren
val userId = claims["sub"]?.toString() ?: "unknown"
val username = claims["preferred_username"]?.toString()
?: claims["name"]?.toString()
?: "unknown"
val email = claims["email"]?.toString() ?: ""
val roles = extractRoles(claims)
val userRole = determineUserRole(roles)
logger.debug("Token validated for user: {} (ID: {}) with roles: {}", username, userId, roles)
// Request mit User-Context erweitern
val mutatedRequest = exchange.request.mutate()
.header("X-User-ID", userId)
.header("X-User-Name", username)
.header("X-User-Email", email)
.header("X-User-Role", userRole)
.header("X-User-Roles", roles.joinToString(","))
.header("X-Auth-Method", "keycloak-jwt")
.build()
val mutatedExchange = exchange.mutate()
.request(mutatedRequest)
.build()
chain.filter(mutatedExchange)
} catch (e: Exception) {
logger.error("JWT validation failed unexpectedly: {}", e.message, e)
handleUnauthorized(exchange, "JWT validation failed")
}
}
private fun isPublicPath(path: String): Boolean {
return publicPaths.any { publicPath ->
pathMatcher.match(publicPath, path)
}
}
private fun parseJwtClaims(token: String): Map<String, Any> {
val parts = token.split(".")
if (parts.size != 3) {
throw IllegalArgumentException("Invalid JWT format")
}
val payload = parts[1]
val decoded = Base64.getUrlDecoder().decode(payload)
return objectMapper.readValue(decoded, Map::class.java) as Map<String, Any>
}
private fun extractRoles(claims: Map<String, Any>): List<String> {
return try {
// Keycloak realm roles
@Suppress("UNCHECKED_CAST")
val realmAccess = claims["realm_access"] as? Map<String, Any>
@Suppress("UNCHECKED_CAST")
val realmRoles = realmAccess?.get("roles") as? List<String> ?: emptyList()
// Keycloak resource access (client-specific roles)
@Suppress("UNCHECKED_CAST")
val resourceAccess = claims["resource_access"] as? Map<String, Any>
@Suppress("UNCHECKED_CAST")
val clientAccess = resourceAccess?.get("api-gateway") as? Map<String, Any>
@Suppress("UNCHECKED_CAST")
val clientRoles = clientAccess?.get("roles") as? List<String> ?: emptyList()
(realmRoles + clientRoles).distinct()
} catch (e: Exception) {
logger.warn("Could not extract roles from token: {}", e.message)
emptyList()
}
}
private fun determineUserRole(roles: List<String>): String {
return when {
"ADMIN" in roles -> "ADMIN"
"USER" in roles -> "USER"
"MONITORING" in roles -> "MONITORING"
else -> "GUEST"
}
}
private fun handleUnauthorized(exchange: ServerWebExchange, message: String): Mono<Void> {
val response: ServerHttpResponse = exchange.response
response.statusCode = HttpStatus.UNAUTHORIZED
response.headers.add("Content-Type", "application/json")
response.headers.add("WWW-Authenticate", "Bearer realm=\"$realm\"")
val errorResponse = mapOf(
"error" to "UNAUTHORIZED",
"message" to message,
"timestamp" to java.time.Instant.now().toString(),
"status" to 401,
"realm" to realm,
"path" to exchange.request.path.value()
)
val errorJson = objectMapper.writeValueAsString(errorResponse)
val buffer = response.bufferFactory().wrap(errorJson.toByteArray())
return response.writeWith(Mono.just(buffer))
}
override fun getOrder(): Int = Ordered.HIGHEST_PRECEDENCE + 3
}
infrastructure/gateway/src/main/kotlin/at/mocode/infrastructure/gateway/security/KeycloakJwtAuthenticationFilter.kt
+184
View File
@@ -0,0 +1,184 @@
package at.mocode.infrastructure.gateway.security
import org.slf4j.LoggerFactory
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
import org.springframework.cloud.gateway.filter.GatewayFilterChain
import org.springframework.cloud.gateway.filter.GlobalFilter
import org.springframework.core.Ordered
import org.springframework.http.HttpStatus
import org.springframework.http.server.reactive.ServerHttpResponse
import org.springframework.stereotype.Component
import org.springframework.util.AntPathMatcher
import org.springframework.web.reactive.function.client.WebClient
import org.springframework.web.server.ServerWebExchange
import reactor.core.publisher.Mono
import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
import com.fasterxml.jackson.module.kotlin.readValue
import java.util.Base64
@Component
@ConditionalOnProperty(value = ["gateway.security.keycloak.enabled"], havingValue = "true", matchIfMissing = false)
class KeycloakJwtAuthenticationFilter(
private val webClient: WebClient.Builder
) : GlobalFilter, Ordered {
private val logger = LoggerFactory.getLogger(KeycloakJwtAuthenticationFilter::class.java)
private val pathMatcher = AntPathMatcher()
private val objectMapper = jacksonObjectMapper()
companion object {
private const val KEYCLOAK_SERVER_URL = "http://keycloak:8080"
private const val REALM = "meldestelle"
}
// Öffentliche Pfade, die keine Authentifizierung erfordern
private val publicPaths = listOf(
"/",
"/health",
"/actuator/**",
"/api/ping/**", // Ping-Service für Monitoring
"/api/auth/login",
"/api/auth/register",
"/api/auth/refresh",
"/fallback/**",
"/docs/**",
"/swagger-ui/**"
)
override fun filter(exchange: ServerWebExchange, chain: GatewayFilterChain): Mono<Void> {
val request = exchange.request
val path = request.path.value()
logger.debug("Processing request for path: {}", path)
// Prüfe, ob der Pfad öffentlich zugänglich ist
if (isPublicPath(path)) {
logger.debug("Path {} is public, allowing without authentication", path)
return chain.filter(exchange)
}
// Extrahiere JWT aus Authorization Header
val authHeader = request.headers.getFirst("Authorization")
if (authHeader == null || !authHeader.startsWith("Bearer ")) {
logger.warn("Missing or invalid Authorization header for path: {}", path)
return handleUnauthorized(exchange, "Missing or invalid Authorization header")
}
val token = authHeader.substring(7)
// Validiere JWT-Token mit Keycloak
return validateKeycloakToken(token, exchange, chain)
}
private fun isPublicPath(path: String): Boolean {
return publicPaths.any { publicPath ->
pathMatcher.match(publicPath, path)
}
}
private fun validateKeycloakToken(
token: String,
exchange: ServerWebExchange,
chain: GatewayFilterChain
): Mono<Void> {
return try {
// JWT-Token-Struktur validieren
if (!isValidJwtFormat(token)) {
return handleUnauthorized(exchange, "Invalid JWT token format")
}
// Claims aus Token extrahieren
val claims = parseJwtClaims(token)
val issuer = claims["iss"]?.toString()
val realm = issuer?.substringAfterLast("/")
if (realm != REALM) {
return handleUnauthorized(exchange, "Invalid realm in token")
}
// Benutzerinformationen extrahieren
val userId = claims["sub"]?.toString() ?: "unknown"
val username = claims["preferred_username"]?.toString() ?: "unknown"
val roles = extractRoles(claims)
val userRole = determineUserRole(roles)
logger.debug("Token validated for user: {} with roles: {}", username, roles)
// Request mit Benutzerinformationen erweitern
val mutatedRequest = exchange.request.mutate()
.header("X-User-ID", userId)
.header("X-User-Name", username)
.header("X-User-Role", userRole)
.header("X-User-Roles", roles.joinToString(","))
.build()
val mutatedExchange = exchange.mutate()
.request(mutatedRequest)
.build()
chain.filter(mutatedExchange)
} catch (e: Exception) {
logger.error("JWT validation failed: {}", e.message, e)
handleUnauthorized(exchange, "JWT validation failed: ${e.message}")
}
}
private fun isValidJwtFormat(token: String): Boolean {
val parts = token.split(".")
return parts.size == 3 && parts.all { it.isNotEmpty() }
}
private fun parseJwtClaims(token: String): Map<String, Any> {
val parts = token.split(".")
val payload = parts[1]
// Base64 URL decode
val decoded = Base64.getUrlDecoder().decode(payload)
return objectMapper.readValue<Map<String, Any>>(decoded)
}
private fun extractRoles(claims: Map<String, Any>): List<String> {
return try {
@Suppress("UNCHECKED_CAST")
val realmAccess = claims["realm_access"] as? Map<String, Any>
@Suppress("UNCHECKED_CAST")
val roles = realmAccess?.get("roles") as? List<String>
roles ?: emptyList()
} catch (e: Exception) {
logger.warn("Could not extract roles from token: {}", e.message)
emptyList()
}
}
private fun determineUserRole(roles: List<String>): String {
return when {
"ADMIN" in roles -> "ADMIN"
"USER" in roles -> "USER"
"MONITORING" in roles -> "MONITORING"
else -> "GUEST"
}
}
private fun handleUnauthorized(exchange: ServerWebExchange, message: String): Mono<Void> {
val response: ServerHttpResponse = exchange.response
response.statusCode = HttpStatus.UNAUTHORIZED
response.headers.add("Content-Type", "application/json")
response.headers.add("WWW-Authenticate", "Bearer realm=\"$REALM\"")
val errorJson = """{
"error": "UNAUTHORIZED",
"message": "$message",
"timestamp": "${java.time.LocalDateTime.now()}",
"status": 401,
"realm": "$REALM"
}"""
val buffer = response.bufferFactory().wrap(errorJson.toByteArray())
return response.writeWith(Mono.just(buffer))
}
override fun getOrder(): Int = Ordered.HIGHEST_PRECEDENCE + 3
}
infrastructure/gateway/src/main/kotlin/at/mocode/infrastructure/gateway/security/SecurityConfig.kt
+49 -26
View File
@@ -1,10 +1,14 @@
package at.mocode.infrastructure.gateway.security package at.mocode.infrastructure.gateway.security
import org.springframework.beans.factory.annotation.Value
import org.springframework.boot.context.properties.ConfigurationProperties import org.springframework.boot.context.properties.ConfigurationProperties
import org.springframework.boot.context.properties.EnableConfigurationProperties import org.springframework.boot.context.properties.EnableConfigurationProperties
import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder
import org.springframework.security.web.server.SecurityWebFilterChain import org.springframework.security.web.server.SecurityWebFilterChain
import org.springframework.web.cors.CorsConfiguration import org.springframework.web.cors.CorsConfiguration
import org.springframework.web.cors.reactive.CorsConfigurationSource import org.springframework.web.cors.reactive.CorsConfigurationSource
@@ -57,11 +61,18 @@ import java.time.Duration
* - Eine permissive Autorisierung stellt sicher, dass Tests sich auf die Sicherheit der Filterebene konzentrieren können * - Eine permissive Autorisierung stellt sicher, dass Tests sich auf die Sicherheit der Filterebene konzentrieren können
*/ */
@Configuration @Configuration
@EnableWebFluxSecurity
@EnableConfigurationProperties(GatewaySecurityProperties::class) @EnableConfigurationProperties(GatewaySecurityProperties::class)
class SecurityConfig( class SecurityConfig(
private val securityProperties: GatewaySecurityProperties private val securityProperties: GatewaySecurityProperties
) { ) {
@Value("\${keycloak.issuer-uri:http://keycloak:8080/realms/meldestelle}")
private lateinit var issuerUri: String
@Value("\${keycloak.jwk-set-uri:http://keycloak:8080/realms/meldestelle/protocol/openid-connect/certs}")
private lateinit var jwkSetUri: String
/** /**
* Hauptkonfiguration der Spring-Security-Filterkette. * Hauptkonfiguration der Spring-Security-Filterkette.
* *
@@ -74,34 +85,46 @@ class SecurityConfig(
* und bietet zugleich bessere CORS-Steuerung und Konfigurierbarkeit. * und bietet zugleich bessere CORS-Steuerung und Konfigurierbarkeit.
*/ */
@Bean @Bean
fun springSecurityFilterChain(): SecurityWebFilterChain { fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return ServerHttpSecurity.http() return http
.csrf { csrf -> .cors { it.configurationSource(corsConfigurationSource()) }
// CSRF für zustandsloses API-Gateway deaktivieren .csrf { it.disable() }
// CSRF-Schutz ist für JWT-basierte zustandslose Authentifizierung nicht erforderlich
// Das Gateway arbeitet als zustandsloser Proxy ohne Session-Zustand
csrf.disable()
}
.cors { cors ->
// Explizite CORS-Konfiguration anstelle des Defaults verwenden
// Dies ermöglicht eine bessere Kontrolle über Cross-Origin-Zugriffsrichtlinien
cors.configurationSource(corsConfigurationSource())
}
.httpBasic { basic ->
// HTTP Basic Auth für zustandslose API deaktivieren
basic.disable()
}
.formLogin { form ->
// Formular-Login für API-Gateway deaktivieren
form.disable()
}
.authorizeExchange { exchanges -> .authorizeExchange { exchanges ->
// Alle Anfragen durch Spring Security erlauben exchanges
// Authentifizierung und Autorisierung erfolgen durch den JwtAuthenticationFilter // Public paths
// Dieser Ansatz bewahrt die bestehende Sicherheitsarchitektur und .pathMatchers(
// ermöglicht dem JWT-Filter granulare Zugriffskontroll-Entscheidungen "/",
exchanges.anyExchange().permitAll() "/health/**",
"/actuator/**",
"/api/ping/**",
"/api/auth/**", // All auth endpoints (includes test endpoints)
"/api/auth/login",
"/api/auth/register",
"/api/auth/refresh",
"/fallback/**",
"/docs/**",
"/swagger-ui/**",
"/test/**", // Test paths for integration tests
"/mock/**" // Mock controller paths for tests
).permitAll()
// Admin paths
.pathMatchers("/api/admin/**").hasRole("ADMIN")
// Monitoring paths
.pathMatchers("/api/monitoring/**").hasAnyRole("ADMIN", "MONITORING")
// All other requests require authentication
.anyExchange().authenticated()
} }
.oauth2ResourceServer { oauth2 ->
oauth2.jwt { jwt ->
jwt.jwtDecoder(jwtDecoder())
}
}
.build()
}
@Bean
fun jwtDecoder(): ReactiveJwtDecoder {
return NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri)
.build() .build()
} }
infrastructure/gateway/src/main/resources/application-keycloak-complete.yml
+187
View File
@@ -0,0 +1,187 @@
# ===================================================================
# Meldestelle API Gateway Configuration
# ===================================================================
server:
port: ${GATEWAY_PORT:8081}
spring:
application:
name: meldestelle-api-gateway
profiles:
active: ${SPRING_PROFILES_ACTIVE:dev,keycloak}
# Security Configuration
security:
oauth2:
resourceserver:
jwt:
issuer-uri: ${KEYCLOAK_ISSUER_URI:http://keycloak:8080/realms/meldestelle}
jwk-set-uri: ${KEYCLOAK_JWK_SET_URI:http://keycloak:8080/realms/meldestelle/protocol/openid-connect/certs}
# Spring Cloud Gateway Configuration
cloud:
gateway:
routes:
# Ping Service Route
- id: ping-service
uri: lb://ping-service
predicates:
- Path=/api/ping/**
filters:
- StripPrefix=2
- name: CircuitBreaker
args:
name: ping-service-cb
fallbackUri: forward:/fallback/ping
# Auth Service Route
- id: auth-service
uri: lb://auth-server
predicates:
- Path=/api/auth/**
filters:
- StripPrefix=2
- name: CircuitBreaker
args:
name: auth-service-cb
fallbackUri: forward:/fallback/auth
# Global CORS Configuration
globalcors:
corsConfigurations:
'[/**]':
allowedOriginPatterns:
- "http://localhost:*"
- "http://127.0.0.1:*"
- "http://web-app:*"
allowedMethods:
- GET
- POST
- PUT
- DELETE
- OPTIONS
- PATCH
allowedHeaders: "*"
allowCredentials: true
exposedHeaders:
- Authorization
- X-User-ID
- X-User-Name
- X-User-Role
# Keycloak Integration Settings
keycloak:
server-url: ${KEYCLOAK_SERVER_URL:http://keycloak:8080}
realm: ${KEYCLOAK_REALM:meldestelle}
client-id: ${KEYCLOAK_CLIENT_ID:api-gateway}
client-secret: ${KEYCLOAK_CLIENT_SECRET:api-gateway-secret-key-change-in-production}
issuer-uri: ${KEYCLOAK_ISSUER_URI:http://keycloak:8080/realms/meldestelle}
jwk-set-uri: ${KEYCLOAK_JWK_SET_URI:http://keycloak:8080/realms/meldestelle/protocol/openid-connect/certs}
# Gateway Security Settings
gateway:
security:
keycloak:
enabled: ${GATEWAY_SECURITY_KEYCLOAK_ENABLED:true}
public-paths: >
/,
/health/**,
/actuator/**,
/api/ping/health,
/api/auth/login,
/api/auth/register,
/api/auth/refresh,
/fallback/**,
/docs/**,
/swagger-ui/**
# Consul Service Discovery
consul:
host: ${CONSUL_HOST:consul}
port: ${CONSUL_PORT:8500}
enabled: ${CONSUL_ENABLED:true}
# Circuit Breaker Configuration
resilience4j:
circuitbreaker:
instances:
ping-service-cb:
registerHealthIndicator: true
slidingWindowSize: 10
minimumNumberOfCalls: 5
permittedNumberOfCallsInHalfOpenState: 3
automaticTransitionFromOpenToHalfOpenEnabled: true
waitDurationInOpenState: 10s
failureRateThreshold: 50
auth-service-cb:
registerHealthIndicator: true
slidingWindowSize: 10
minimumNumberOfCalls: 5
permittedNumberOfCallsInHalfOpenState: 3
automaticTransitionFromOpenToHalfOpenEnabled: true
waitDurationInOpenState: 10s
failureRateThreshold: 50
# Actuator Management
management:
endpoints:
web:
exposure:
include: health,info,metrics,prometheus
endpoint:
health:
show-details: always
# Logging Configuration
logging:
level:
at.mocode.infrastructure.gateway: DEBUG
org.springframework.security: DEBUG
org.springframework.cloud.gateway: DEBUG
pattern:
console: "%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n"
---
# Development Profile
spring:
config:
activate:
on-profile: dev
keycloak:
server-url: http://localhost:8180
issuer-uri: http://localhost:8180/realms/meldestelle
jwk-set-uri: http://localhost:8180/realms/meldestelle/protocol/openid-connect/certs
logging:
level:
root: INFO
at.mocode: DEBUG
---
# Production Profile
spring:
config:
activate:
on-profile: prod
keycloak:
server-url: ${KEYCLOAK_SERVER_URL}
issuer-uri: ${KEYCLOAK_ISSUER_URI}
jwk-set-uri: ${KEYCLOAK_JWK_SET_URI}
client-secret: ${KEYCLOAK_CLIENT_SECRET}
logging:
level:
root: WARN
at.mocode: INFO
gateway:
security:
public-paths: >
/,
/health,
/api/auth/login,
/api/auth/register
infrastructure/gateway/src/main/resources/application-keycloak.yml
+36
View File
@@ -0,0 +1,36 @@
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: ${KEYCLOAK_ISSUER_URI:http://localhost:8180/realms/meldestelle}
jwk-set-uri: ${KEYCLOAK_JWK_SET_URI:http://localhost:8180/realms/meldestelle/protocol/openid-connect/certs}
# Keycloak-spezifische Konfiguration
keycloak:
server-url: ${KEYCLOAK_SERVER_URL:http://localhost:8180}
realm: ${KEYCLOAK_REALM:meldestelle}
resource: ${KEYCLOAK_CLIENT_ID:api-gateway}
public-client: false
bearer-only: true
# Gateway-spezifische Sicherheitskonfiguration
gateway:
security:
jwt:
enabled: true
keycloak:
enabled: true
server-url: ${KEYCLOAK_SERVER_URL:http://localhost:8180}
realm: ${KEYCLOAK_REALM:meldestelle}
public-paths:
- "/"
- "/health"
- "/actuator/**"
- "/api/ping/**" # Ping-Service öffentlich zugänglich
- "/api/auth/login"
- "/api/auth/register"
- "/api/auth/refresh"
- "/fallback/**"
- "/docs/**"
- "/swagger-ui/**"
infrastructure/gateway/src/test/kotlin/at/mocode/infrastructure/gateway/KeycloakGatewayIntegrationTest.kt
+71
View File
@@ -0,0 +1,71 @@
package at.mocode.infrastructure.gateway
import org.junit.jupiter.api.Test
import org.junit.jupiter.api.Disabled
import org.junit.jupiter.api.TestInstance
import org.springframework.boot.test.context.SpringBootTest
import org.springframework.test.context.ActiveProfiles
import org.springframework.test.context.TestPropertySource
import org.testcontainers.containers.GenericContainer
import org.testcontainers.containers.PostgreSQLContainer
import org.testcontainers.containers.wait.strategy.Wait
import org.testcontainers.junit.jupiter.Container
import org.testcontainers.junit.jupiter.Testcontainers
import java.time.Duration
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
@ActiveProfiles("keycloak-integration-test")
@TestPropertySource(properties = [
"gateway.security.keycloak.enabled=true",
"spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:\${keycloak.port}/realms/meldestelle",
"spring.cloud.discovery.enabled=false",
"spring.cloud.consul.enabled=false",
"spring.cloud.consul.config.enabled=false",
"spring.cloud.consul.discovery.register=false",
"spring.cloud.loadbalancer.enabled=false",
"management.security.enabled=false"
])
@Testcontainers
@TestInstance(TestInstance.Lifecycle.PER_CLASS)
@Disabled("Temporarily disabled due to Bean definition conflicts - needs separate integration test profile")
class KeycloakGatewayIntegrationTest {
companion object {
@Container
@JvmStatic
val postgres: PostgreSQLContainer<*> = PostgreSQLContainer("postgres:16-alpine")
.withDatabaseName("keycloak")
.withUsername("keycloak")
.withPassword("keycloak")
@Container
@JvmStatic
val keycloak: GenericContainer<*> = GenericContainer("quay.io/keycloak/keycloak:26.0.7")
.withExposedPorts(8080)
.withEnv("KEYCLOAK_ADMIN", "admin")
.withEnv("KEYCLOAK_ADMIN_PASSWORD", "admin")
.withEnv("KC_DB", "postgres")
.withEnv("KC_DB_URL", "jdbc:postgresql://postgres:5432/keycloak")
.withEnv("KC_DB_USERNAME", "keycloak")
.withEnv("KC_DB_PASSWORD", "keycloak")
.withCommand("start-dev")
.dependsOn(postgres)
.waitingFor(
Wait.forHttp("/health/ready")
.forPort(8080)
.withStartupTimeout(Duration.ofMinutes(3))
)
}
@Test
fun `should start with Keycloak integration`() {
// Basic test to verify containers start correctly
assert(postgres.isRunning) { "PostgreSQL should be running" }
assert(keycloak.isRunning) { "Keycloak should be running" }
val keycloakPort = keycloak.getMappedPort(8080)
println("Keycloak running on port: $keycloakPort")
// Test can be extended with actual JWT token validation
}
}
kotlin-js-store/yarn.lock
+91 -2
View File
@@ -875,6 +875,20 @@ cross-spawn@^7.0.3, cross-spawn@^7.0.6:
shebang-command "^2.0.0" shebang-command "^2.0.0"
which "^2.0.1" which "^2.0.1"
css-loader@7.1.2:
version "7.1.2"
resolved "https://registry.yarnpkg.com/css-loader/-/css-loader-7.1.2.tgz#64671541c6efe06b0e22e750503106bdd86880f8"
integrity sha512-6WvYYn7l/XEGN8Xu2vWFt9nVzrCn39vKyTEFf/ExEyoksJjjSZV/0/35XPlMbpnr6VGhZIUg5yJrL8tGfes/FA==
dependencies:
icss-utils "^5.1.0"
postcss "^8.4.33"
postcss-modules-extract-imports "^3.1.0"
postcss-modules-local-by-default "^4.0.5"
postcss-modules-scope "^3.2.0"
postcss-modules-values "^4.0.0"
postcss-value-parser "^4.2.0"
semver "^7.5.4"
css-select@^4.1.3: css-select@^4.1.3:
version "4.3.0" version "4.3.0"
resolved "https://registry.yarnpkg.com/css-select/-/css-select-4.3.0.tgz#db7129b2846662fd8628cfc496abb2b59e41529b" resolved "https://registry.yarnpkg.com/css-select/-/css-select-4.3.0.tgz#db7129b2846662fd8628cfc496abb2b59e41529b"
@@ -891,6 +905,11 @@ css-what@^6.0.1:
resolved "https://registry.yarnpkg.com/css-what/-/css-what-6.2.2.tgz#cdcc8f9b6977719fdfbd1de7aec24abf756b9dea" resolved "https://registry.yarnpkg.com/css-what/-/css-what-6.2.2.tgz#cdcc8f9b6977719fdfbd1de7aec24abf756b9dea"
integrity sha512-u/O3vwbptzhMs3L1fQE82ZSLHQQfto5gyZzwteVIEyeaY5Fc7R4dapF/BvRoSYFeqfBk4m0V1Vafq5Pjv25wvA== integrity sha512-u/O3vwbptzhMs3L1fQE82ZSLHQQfto5gyZzwteVIEyeaY5Fc7R4dapF/BvRoSYFeqfBk4m0V1Vafq5Pjv25wvA==
cssesc@^3.0.0:
version "3.0.0"
resolved "https://registry.yarnpkg.com/cssesc/-/cssesc-3.0.0.tgz#37741919903b868565e1c09ea747445cd18983ee"
integrity sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==
custom-event@~1.0.0: custom-event@~1.0.0:
version "1.0.1" version "1.0.1"
resolved "https://registry.yarnpkg.com/custom-event/-/custom-event-1.0.1.tgz#5d02a46850adf1b4a317946a3928fccb5bfd0425" resolved "https://registry.yarnpkg.com/custom-event/-/custom-event-1.0.1.tgz#5d02a46850adf1b4a317946a3928fccb5bfd0425"
@@ -1616,6 +1635,11 @@ iconv-lite@^0.6.3:
dependencies: dependencies:
safer-buffer ">= 2.1.2 < 3.0.0" safer-buffer ">= 2.1.2 < 3.0.0"
icss-utils@^5.0.0, icss-utils@^5.1.0:
version "5.1.0"
resolved "https://registry.yarnpkg.com/icss-utils/-/icss-utils-5.1.0.tgz#c6be6858abd013d768e98366ae47e25d5887b1ae"
integrity sha512-soFhflCVWLfRNOPU3iv5Z9VUdT44xFRbzjLsEzSr5AQmgqPMTHdU3PMT1Cf1ssx8fLNJDA1juftYl+PUcv3MqA==
import-local@^3.0.2: import-local@^3.0.2:
version "3.2.0" version "3.2.0"
resolved "https://registry.yarnpkg.com/import-local/-/import-local-3.2.0.tgz#c3d5c745798c02a6f8b897726aba5100186ee260" resolved "https://registry.yarnpkg.com/import-local/-/import-local-3.2.0.tgz#c3d5c745798c02a6f8b897726aba5100186ee260"
@@ -2105,6 +2129,11 @@ multicast-dns@^7.2.5:
dns-packet "^5.2.2" dns-packet "^5.2.2"
thunky "^1.0.2" thunky "^1.0.2"
nanoid@^3.3.11:
version "3.3.11"
resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.11.tgz#4f4f112cefbe303202f2199838128936266d185b"
integrity sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==
negotiator@0.6.3: negotiator@0.6.3:
version "0.6.3" version "0.6.3"
resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.6.3.tgz#58e323a72fedc0d6f9cd4d31fe49f51479590ccd" resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.6.3.tgz#58e323a72fedc0d6f9cd4d31fe49f51479590ccd"
@@ -2319,6 +2348,56 @@ pkg-dir@^4.2.0:
dependencies: dependencies:
find-up "^4.0.0" find-up "^4.0.0"
postcss-modules-extract-imports@^3.1.0:
version "3.1.0"
resolved "https://registry.yarnpkg.com/postcss-modules-extract-imports/-/postcss-modules-extract-imports-3.1.0.tgz#b4497cb85a9c0c4b5aabeb759bb25e8d89f15002"
integrity sha512-k3kNe0aNFQDAZGbin48pL2VNidTF0w4/eASDsxlyspobzU3wZQLOGj7L9gfRe0Jo9/4uud09DsjFNH7winGv8Q==
postcss-modules-local-by-default@^4.0.5:
version "4.2.0"
resolved "https://registry.yarnpkg.com/postcss-modules-local-by-default/-/postcss-modules-local-by-default-4.2.0.tgz#d150f43837831dae25e4085596e84f6f5d6ec368"
integrity sha512-5kcJm/zk+GJDSfw+V/42fJ5fhjL5YbFDl8nVdXkJPLLW+Vf9mTD5Xe0wqIaDnLuL2U6cDNpTr+UQ+v2HWIBhzw==
dependencies:
icss-utils "^5.0.0"
postcss-selector-parser "^7.0.0"
postcss-value-parser "^4.1.0"
postcss-modules-scope@^3.2.0:
version "3.2.1"
resolved "https://registry.yarnpkg.com/postcss-modules-scope/-/postcss-modules-scope-3.2.1.tgz#1bbccddcb398f1d7a511e0a2d1d047718af4078c"
integrity sha512-m9jZstCVaqGjTAuny8MdgE88scJnCiQSlSrOWcTQgM2t32UBe+MUmFSO5t7VMSfAf/FJKImAxBav8ooCHJXCJA==
dependencies:
postcss-selector-parser "^7.0.0"
postcss-modules-values@^4.0.0:
version "4.0.0"
resolved "https://registry.yarnpkg.com/postcss-modules-values/-/postcss-modules-values-4.0.0.tgz#d7c5e7e68c3bb3c9b27cbf48ca0bb3ffb4602c9c"
integrity sha512-RDxHkAiEGI78gS2ofyvCsu7iycRv7oqw5xMWn9iMoR0N/7mf9D50ecQqUo5BZ9Zh2vH4bCUR/ktCqbB9m8vJjQ==
dependencies:
icss-utils "^5.0.0"
postcss-selector-parser@^7.0.0:
version "7.1.0"
resolved "https://registry.yarnpkg.com/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz#4d6af97eba65d73bc4d84bcb343e865d7dd16262"
integrity sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==
dependencies:
cssesc "^3.0.0"
util-deprecate "^1.0.2"
postcss-value-parser@^4.1.0, postcss-value-parser@^4.2.0:
version "4.2.0"
resolved "https://registry.yarnpkg.com/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz#723c09920836ba6d3e5af019f92bc0971c02e514"
integrity sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==
postcss@^8.4.33:
version "8.5.6"
resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.5.6.tgz#2825006615a619b4f62a9e7426cc120b349a8f3c"
integrity sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==
dependencies:
nanoid "^3.3.11"
picocolors "^1.1.1"
source-map-js "^1.2.1"
pretty-error@^4.0.0: pretty-error@^4.0.0:
version "4.0.0" version "4.0.0"
resolved "https://registry.yarnpkg.com/pretty-error/-/pretty-error-4.0.0.tgz#90a703f46dd7234adb46d0f84823e9d1cb8f10d6" resolved "https://registry.yarnpkg.com/pretty-error/-/pretty-error-4.0.0.tgz#90a703f46dd7234adb46d0f84823e9d1cb8f10d6"
@@ -2541,6 +2620,11 @@ selfsigned@^2.4.1:
"@types/node-forge" "^1.3.0" "@types/node-forge" "^1.3.0"
node-forge "^1" node-forge "^1"
semver@^7.5.4:
version "7.7.2"
resolved "https://registry.yarnpkg.com/semver/-/semver-7.7.2.tgz#67d99fdcd35cec21e6f8b87a7fd515a33f982b58"
integrity sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==
send@0.19.0: send@0.19.0:
version "0.19.0" version "0.19.0"
resolved "https://registry.yarnpkg.com/send/-/send-0.19.0.tgz#bbc5a388c8ea6c048967049dbeac0e4a3f09d7f8" resolved "https://registry.yarnpkg.com/send/-/send-0.19.0.tgz#bbc5a388c8ea6c048967049dbeac0e4a3f09d7f8"
@@ -2707,7 +2791,7 @@ sockjs@^0.3.24:
uuid "^8.3.2" uuid "^8.3.2"
websocket-driver "^0.7.4" websocket-driver "^0.7.4"
source-map-js@^1.0.2: source-map-js@^1.0.2, source-map-js@^1.2.1:
version "1.2.1" version "1.2.1"
resolved "https://registry.yarnpkg.com/source-map-js/-/source-map-js-1.2.1.tgz#1ce5650fddd87abc099eda37dcff024c2667ae46" resolved "https://registry.yarnpkg.com/source-map-js/-/source-map-js-1.2.1.tgz#1ce5650fddd87abc099eda37dcff024c2667ae46"
integrity sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA== integrity sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==
@@ -2826,6 +2910,11 @@ strip-json-comments@^3.1.1:
resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-3.1.1.tgz#31f1281b3832630434831c310c01cccda8cbe006" resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-3.1.1.tgz#31f1281b3832630434831c310c01cccda8cbe006"
integrity sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig== integrity sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==
style-loader@4.0.0:
version "4.0.0"
resolved "https://registry.yarnpkg.com/style-loader/-/style-loader-4.0.0.tgz#0ea96e468f43c69600011e0589cb05c44f3b17a5"
integrity sha512-1V4WqhhZZgjVAVJyt7TdDPZoPBPNHbekX4fWnCJL1yQukhCeZhJySUL+gL9y6sNdN95uEOS83Y55SqHcP7MzLA==
supports-color@^7.1.0: supports-color@^7.1.0:
version "7.2.0" version "7.2.0"
resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-7.2.0.tgz#1b7dcdcb32b8138801b3e478ba6a51caa89648da" resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-7.2.0.tgz#1b7dcdcb32b8138801b3e478ba6a51caa89648da"
@@ -2944,7 +3033,7 @@ update-browserslist-db@^1.1.3:
escalade "^3.2.0" escalade "^3.2.0"
picocolors "^1.1.1" picocolors "^1.1.1"
util-deprecate@^1.0.1, util-deprecate@~1.0.1: util-deprecate@^1.0.1, util-deprecate@^1.0.2, util-deprecate@~1.0.1:
version "1.0.2" version "1.0.2"
resolved "https://registry.yarnpkg.com/util-deprecate/-/util-deprecate-1.0.2.tgz#450d4dc9fa70de732762fbd2d4a28981419a0ccf" resolved "https://registry.yarnpkg.com/util-deprecate/-/util-deprecate-1.0.2.tgz#450d4dc9fa70de732762fbd2d4a28981419a0ccf"
integrity sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw== integrity sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==
scripts/setup-keycloak.sh
Executable
+97
View File
@@ -0,0 +1,97 @@
#!/bin/bash
# ===================================================================
# Keycloak Setup Script für Meldestelle Projekt
# ===================================================================
set -e
# Konfiguration
KEYCLOAK_URL=${KEYCLOAK_URL:-"http://localhost:8180"}
ADMIN_USER=${KEYCLOAK_ADMIN:-"admin"}
ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-"admin"}
REALM_NAME="meldestelle"
echo "🚀 Starting Keycloak setup for Meldestelle..."
# Warte auf Keycloak
echo "⏳ Waiting for Keycloak to be ready..."
timeout=60
counter=0
while ! curl -f "$KEYCLOAK_URL/health/ready" >/dev/null 2>&1; do
if [ $counter -eq $timeout ]; then
echo "❌ Keycloak is not ready after $timeout seconds"
exit 1
fi
echo " Waiting... ($counter/$timeout)"
sleep 1
counter=$((counter + 1))
done
echo "✅ Keycloak is ready!"
# Obtain admin token
echo "🔐 Obtaining admin token..."
ADMIN_TOKEN=$(curl -s \
-d "client_id=admin-cli" \
-d "username=$ADMIN_USER" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password" \
"$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" | \
jq -r '.access_token')
if [ "$ADMIN_TOKEN" = "null" ] || [ -z "$ADMIN_TOKEN" ]; then
echo "❌ Failed to obtain admin token"
exit 1
fi
echo "✅ Admin token obtained"
# Check if realm exists
echo "🔍 Checking if realm '$REALM_NAME' exists..."
REALM_EXISTS=$(curl -s \
-H "Authorization: Bearer $ADMIN_TOKEN" \
"$KEYCLOAK_URL/admin/realms/$REALM_NAME" \
-w "%{http_code}" -o /dev/null)
if [ "$REALM_EXISTS" = "200" ]; then
echo "✅ Realm '$REALM_NAME' already exists"
else
echo "❌ Realm '$REALM_NAME' not found (HTTP $REALM_EXISTS)"
echo "💡 Please import the realm configuration manually or check the import volume"
fi
# Verify API Gateway client
echo "🔍 Checking API Gateway client..."
CLIENT_EXISTS=$(curl -s \
-H "Authorization: Bearer $ADMIN_TOKEN" \
"$KEYCLOAK_URL/admin/realms/$REALM_NAME/clients?clientId=api-gateway" | \
jq '. | length')
if [ "$CLIENT_EXISTS" -gt "0" ]; then
echo "✅ API Gateway client exists"
else
echo "⚠️ API Gateway client not found"
fi
# Test realm endpoints
echo "🧪 Testing realm endpoints..."
curl -s "$KEYCLOAK_URL/realms/$REALM_NAME/.well-known/openid_configuration" > /dev/null && \
echo "✅ OpenID configuration accessible" || \
echo "❌ OpenID configuration not accessible"
curl -s "$KEYCLOAK_URL/realms/$REALM_NAME/protocol/openid-connect/certs" > /dev/null && \
echo "✅ JWK Set accessible" || \
echo "❌ JWK Set not accessible"
echo ""
echo "🎉 Keycloak setup check completed!"
echo "📝 Summary:"
echo " - Keycloak URL: $KEYCLOAK_URL"
echo " - Realm: $REALM_NAME"
echo " - Admin Console: $KEYCLOAK_URL/admin/"
echo ""
echo "🔗 Next steps:"
echo " 1. Visit the admin console: $KEYCLOAK_URL/admin/"
echo " 2. Login with: $ADMIN_USER / $ADMIN_PASSWORD"
echo " 3. Verify realm configuration"
echo " 4. Test authentication flow"