feature Keycloak Auth

docker/secrets/grafana_admin_password.txt

@@ -0,0 +1 @@
+TiB6FRRYW4gjM7xie17mKtTYFOp

docker/secrets/grafana_admin_user.txt

@@ -0,0 +1 @@
+admin

docker/secrets/jwt_secret.txt

@@ -0,0 +1 @@
+ba960b899f72d5ed192b5597d7f4b5b8853d9d641a2dc23c6b1a4b692b20211c

docker/secrets/keycloak_admin_password.txt

@@ -0,0 +1 @@
+XASb7AzVy7G5fEKulE1mNPTy2Sw6pHi

docker/secrets/keycloak_auth_client_secret.txt

@@ -0,0 +1 @@
+s8N3r59JwS0lFsJobKWFJXh9qvdbHgcC6S3fYXYdXFM6eMKkRMtQbxHo0NJKFJC

docker/secrets/keycloak_client_secret.txt

@@ -0,0 +1 @@
+lRo7W15UNy60EFRlvk1XP99MmgrgK2Z97QK9btl9ZPVIVzWcY81Bebp9hpB

docker/secrets/metrics_auth_password.txt

@@ -0,0 +1 @@
+pON4NxxsKPWseVg1gw5PyLNN4YYrj8h

docker/secrets/metrics_auth_username.txt

@@ -0,0 +1 @@
+metrics

docker/secrets/postgres_password.txt

@@ -0,0 +1 @@
+pGnDFSiwacGxfKCtb8VJmTQc9Emlcdow

docker/secrets/postgres_user.txt

@@ -0,0 +1 @@
+meldestelle

docker/secrets/redis_password.txt

@@ -0,0 +1 @@
+p701HhKOnZJ4zbY9dGRvyH9kQTKcsUm

docker/secrets/setup-secrets.sh

@@ -0,0 +1,345 @@
+#!/bin/bash
+
+# ===================================================================
+# Docker Secrets Setup Script - Meldestelle Project
+# ===================================================================
+# This script generates secure secrets for all Docker services
+# Security Features:
+# - Generates cryptographically secure random passwords
+# - Creates JWT secrets with proper length for HMAC512
+# - Sets appropriate file permissions (600) for security
+# - Provides backup functionality
+# - Validates secret file creation
+# ===================================================================
+
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Script directory
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SECRETS_DIR="${SCRIPT_DIR}"
+
+# Logging function
+log() {
+    echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')] $1${NC}"
+}
+
+warn() {
+    echo -e "${YELLOW}[WARNING] $1${NC}"
+}
+
+error() {
+    echo -e "${RED}[ERROR] $1${NC}"
+    exit 1
+}
+
+# Function to generate secure random password
+generate_password() {
+    local length=${1:-32}
+    openssl rand -base64 $((length * 3 / 4)) | tr -d "=+/" | cut -c1-${length}
+}
+
+# Function to generate JWT secret (64 characters for HMAC512)
+generate_jwt_secret() {
+    openssl rand -hex 32
+}
+
+# Function to create secret file with proper permissions
+create_secret_file() {
+    local filename="$1"
+    local content="$2"
+    local filepath="${SECRETS_DIR}/${filename}"
+
+    # Check if file already exists
+    if [[ -f "$filepath" ]]; then
+        warn "Secret file $filename already exists. Use --force to overwrite."
+        return 1
+    fi
+
+    # Create the secret file
+    echo -n "$content" > "$filepath"
+    chmod 600 "$filepath"
+
+    log "Created secret file: $filename"
+    return 0
+}
+
+# Function to backup existing secrets
+backup_secrets() {
+    local backup_dir="${SECRETS_DIR}/backup_$(date +%Y%m%d_%H%M%S)"
+
+    if find "$SECRETS_DIR" -name "*.txt" -type f | grep -q .; then
+        log "Creating backup of existing secrets..."
+        mkdir -p "$backup_dir"
+        find "$SECRETS_DIR" -name "*.txt" -type f -exec cp {} "$backup_dir/" \;
+        log "Backup created in: $backup_dir"
+    fi
+}
+
+# Function to validate secret file
+validate_secret_file() {
+    local filepath="$1"
+    local min_length="$2"
+
+    if [[ ! -f "$filepath" ]]; then
+        error "Secret file does not exist: $filepath"
+    fi
+
+    local content_length=$(wc -c < "$filepath")
+    if [[ $content_length -lt $min_length ]]; then
+        error "Secret file $filepath is too short (${content_length} < ${min_length})"
+    fi
+
+    local permissions=$(stat -c %a "$filepath")
+    if [[ "$permissions" != "600" ]]; then
+        warn "Secret file $filepath has incorrect permissions: $permissions (should be 600)"
+        chmod 600 "$filepath"
+    fi
+}
+
+# Function to generate all secrets
+generate_all_secrets() {
+    local force_overwrite=${1:-false}
+
+    log "Starting secret generation for Meldestelle Docker infrastructure..."
+
+    # Create backup if not forcing overwrite
+    if [[ "$force_overwrite" != "true" ]]; then
+        backup_secrets
+    fi
+
+    # Database secrets
+    log "Generating database secrets..."
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/postgres_user.txt" ]]; then
+        create_secret_file "postgres_user.txt" "meldestelle"
+    fi
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/postgres_password.txt" ]]; then
+        create_secret_file "postgres_password.txt" "$(generate_password 32)"
+    fi
+
+    # Redis secrets
+    log "Generating Redis secrets..."
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/redis_password.txt" ]]; then
+        create_secret_file "redis_password.txt" "$(generate_password 32)"
+    fi
+
+    # Keycloak secrets
+    log "Generating Keycloak secrets..."
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/keycloak_admin_password.txt" ]]; then
+        create_secret_file "keycloak_admin_password.txt" "$(generate_password 32)"
+    fi
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/keycloak_client_secret.txt" ]]; then
+        create_secret_file "keycloak_client_secret.txt" "$(generate_password 64)"
+    fi
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/keycloak_auth_client_secret.txt" ]]; then
+        create_secret_file "keycloak_auth_client_secret.txt" "$(generate_password 64)"
+    fi
+
+    # Grafana secrets
+    log "Generating Grafana secrets..."
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/grafana_admin_user.txt" ]]; then
+        create_secret_file "grafana_admin_user.txt" "admin"
+    fi
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/grafana_admin_password.txt" ]]; then
+        create_secret_file "grafana_admin_password.txt" "$(generate_password 32)"
+    fi
+
+    # JWT secrets
+    log "Generating JWT secrets..."
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/jwt_secret.txt" ]]; then
+        create_secret_file "jwt_secret.txt" "$(generate_jwt_secret)"
+    fi
+
+    # VNC secrets (for desktop app)
+    log "Generating VNC secrets..."
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/vnc_password.txt" ]]; then
+        create_secret_file "vnc_password.txt" "$(generate_password 16)"
+    fi
+
+    # Monitoring secrets
+    log "Generating monitoring secrets..."
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/metrics_auth_username.txt" ]]; then
+        create_secret_file "metrics_auth_username.txt" "metrics"
+    fi
+    if [[ "$force_overwrite" == "true" ]] || ! [[ -f "${SECRETS_DIR}/metrics_auth_password.txt" ]]; then
+        create_secret_file "metrics_auth_password.txt" "$(generate_password 32)"
+    fi
+
+    log "Secret generation completed successfully!"
+}
+
+# Function to validate all secrets
+validate_all_secrets() {
+    log "Validating all secret files..."
+
+    # Define expected secrets with minimum lengths
+    declare -A secrets=(
+        ["postgres_user.txt"]=8
+        ["postgres_password.txt"]=16
+        ["redis_password.txt"]=16
+        ["keycloak_admin_password.txt"]=16
+        ["keycloak_client_secret.txt"]=32
+        ["keycloak_auth_client_secret.txt"]=32
+        ["grafana_admin_user.txt"]=4
+        ["grafana_admin_password.txt"]=16
+        ["jwt_secret.txt"]=64
+        ["vnc_password.txt"]=8
+        ["metrics_auth_username.txt"]=4
+        ["metrics_auth_password.txt"]=16
+    )
+
+    local all_valid=true
+    for secret_file in "${!secrets[@]}"; do
+        local filepath="${SECRETS_DIR}/${secret_file}"
+        local min_length=${secrets[$secret_file]}
+
+        if validate_secret_file "$filepath" "$min_length" 2>/dev/null; then
+            log "✓ $secret_file is valid"
+        else
+            error "✗ $secret_file is invalid or missing"
+            all_valid=false
+        fi
+    done
+
+    if [[ "$all_valid" == "true" ]]; then
+        log "All secret files are valid and properly secured!"
+    else
+        error "Some secret files are invalid. Please regenerate secrets."
+    fi
+}
+
+# Function to create Docker secrets
+create_docker_secrets() {
+    log "Creating Docker secrets..."
+
+    # Get the project name (directory name)
+    local project_name=$(basename "$(dirname "$(dirname "$SCRIPT_DIR")")")
+
+    # Define secrets to create
+    declare -A docker_secrets=(
+        ["postgres_user"]="postgres_user.txt"
+        ["postgres_password"]="postgres_password.txt"
+        ["redis_password"]="redis_password.txt"
+        ["keycloak_admin_password"]="keycloak_admin_password.txt"
+        ["keycloak_client_secret"]="keycloak_client_secret.txt"
+        ["grafana_admin_user"]="grafana_admin_user.txt"
+        ["grafana_admin_password"]="grafana_admin_password.txt"
+        ["jwt_secret"]="jwt_secret.txt"
+    )
+
+    for secret_name in "${!docker_secrets[@]}"; do
+        local secret_file="${docker_secrets[$secret_name]}"
+        local filepath="${SECRETS_DIR}/${secret_file}"
+        local docker_secret_name="${project_name}_${secret_name}"
+
+        # Check if Docker secret already exists
+        if docker secret ls --format "{{.Name}}" | grep -q "^${docker_secret_name}$"; then
+            warn "Docker secret $docker_secret_name already exists"
+        else
+            # Create Docker secret
+            if docker secret create "$docker_secret_name" "$filepath"; then
+                log "Created Docker secret: $docker_secret_name"
+            else
+                error "Failed to create Docker secret: $docker_secret_name"
+            fi
+        fi
+    done
+}
+
+# Function to show usage
+show_usage() {
+    echo "Usage: $0 [OPTIONS]"
+    echo ""
+    echo "Options:"
+    echo "  --help                Show this help message"
+    echo "  --generate           Generate all secret files (default)"
+    echo "  --force              Force overwrite existing secret files"
+    echo "  --validate           Validate existing secret files"
+    echo "  --docker-secrets     Create Docker secrets from files"
+    echo "  --all                Generate files, validate, and create Docker secrets"
+    echo ""
+    echo "Examples:"
+    echo "  $0                   # Generate secrets (skip existing files)"
+    echo "  $0 --force           # Generate secrets (overwrite existing files)"
+    echo "  $0 --validate        # Validate existing secret files"
+    echo "  $0 --all             # Complete setup (generate, validate, docker secrets)"
+}
+
+# Main execution
+main() {
+    local action="generate"
+    local force_overwrite=false
+
+    # Check dependencies
+    if ! command -v openssl &> /dev/null; then
+        error "openssl is required but not installed"
+    fi
+
+    # Parse command line arguments
+    while [[ $# -gt 0 ]]; do
+        case $1 in
+            --help)
+                show_usage
+                exit 0
+                ;;
+            --generate)
+                action="generate"
+                shift
+                ;;
+            --force)
+                force_overwrite=true
+                shift
+                ;;
+            --validate)
+                action="validate"
+                shift
+                ;;
+            --docker-secrets)
+                action="docker-secrets"
+                shift
+                ;;
+            --all)
+                action="all"
+                shift
+                ;;
+            *)
+                error "Unknown option: $1"
+                ;;
+        esac
+    done
+
+    # Ensure secrets directory exists
+    mkdir -p "$SECRETS_DIR"
+
+    # Execute requested action
+    case $action in
+        "generate")
+            generate_all_secrets "$force_overwrite"
+            ;;
+        "validate")
+            validate_all_secrets
+            ;;
+        "docker-secrets")
+            create_docker_secrets
+            ;;
+        "all")
+            generate_all_secrets "$force_overwrite"
+            validate_all_secrets
+            create_docker_secrets
+            ;;
+        *)
+            error "Invalid action: $action"
+            ;;
+    esac
+
+    log "Operation completed successfully!"
+}
+
+# Run main function with all arguments
+main "$@"

docker/secrets/vnc_password.txt

@@ -0,0 +1 @@
+nrscAXfIoOKTAEt

docker/services/keycloak/meldestelle-realm.json.backup

@@ -0,0 +1,294 @@
+{
+  "realm": "meldestelle",
+  "enabled": true,
+  "displayName": "Meldestelle Authentication",
+  "displayNameHtml": "<div class=\"kc-logo-text\"><span>Meldestelle</span></div>",
+  "sslRequired": "external",
+  "registrationAllowed": false,
+  "registrationEmailAsUsername": false,
+  "rememberMe": true,
+  "verifyEmail": false,
+  "loginWithEmailAllowed": true,
+  "duplicateEmailsAllowed": false,
+  "resetPasswordAllowed": true,
+  "editUsernameAllowed": false,
+  "bruteForceProtected": true,
+  "permanentLockout": false,
+  "maxFailureWaitSeconds": 900,
+  "minimumQuickLoginWaitSeconds": 60,
+  "waitIncrementSeconds": 60,
+  "quickLoginCheckMilliSeconds": 1000,
+  "maxDeltaTimeSeconds": 43200,
+  "failureFactor": 5,
+  "defaultSignatureAlgorithm": "RS256",
+  "offlineSessionMaxLifespan": 5184000,
+  "offlineSessionMaxLifespanEnabled": false,
+  "accessTokenLifespan": 300,
+  "accessTokenLifespanForImplicitFlow": 900,
+  "ssoSessionIdleTimeout": 1800,
+  "ssoSessionMaxLifespan": 36000,
+  "refreshTokenMaxReuse": 0,
+  "accessCodeLifespan": 60,
+  "accessCodeLifespanUserAction": 300,
+  "accessCodeLifespanLogin": 1800,
+  "actionTokenGeneratedByAdminLifespan": 43200,
+  "actionTokenGeneratedByUserLifespan": 300,
+  "oauth2DeviceCodeLifespan": 600,
+  "oauth2DevicePollingInterval": 5,
+  "internationalizationEnabled": true,
+  "supportedLocales": ["de", "en"],
+  "defaultLocale": "de",
+  "roles": {
+    "realm": [
+      {
+        "name": "ADMIN",
+        "description": "Administrator role with full system access",
+        "composite": false,
+        "clientRole": false
+      },
+      {
+        "name": "USER",
+        "description": "Standard user role with limited access",
+        "composite": false,
+        "clientRole": false
+      },
+      {
+        "name": "MONITORING",
+        "description": "Monitoring role for system health checks",
+        "composite": false,
+        "clientRole": false
+      },
+      {
+        "name": "GUEST",
+        "description": "Guest role with minimal access",
+        "composite": false,
+        "clientRole": false
+      }
+    ]
+  },
+  "clients": [
+    {
+      "clientId": "api-gateway",
+      "name": "API Gateway Client",
+      "description": "OAuth2 client for the Meldestelle API Gateway",
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "**********",
+      "redirectUris": [
+        "http://localhost:8081/*",
+        "http://localhost:3000/*",
+        "https://app.meldestelle.at/*"
+      ],
+      "webOrigins": [
+        "http://localhost:8081",
+        "http://localhost:3000",
+        "https://app.meldestelle.at"
+      ],
+      "protocol": "openid-connect",
+      "bearerOnly": false,
+      "publicClient": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": true,
+      "authorizationServicesEnabled": false,
+      "fullScopeAllowed": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "access.token.lifespan": "300",
+        "client.secret.creation.time": "0",
+        "oauth2.device.authorization.grant.enabled": "false",
+        "backchannel.logout.session.required": "true",
+        "backchannel.logout.revoke.offline.tokens": "false"
+      },
+      "protocolMappers": [
+        {
+          "name": "realm-roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "userinfo.token.claim": "true",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "realm_access.roles",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "name": "client-roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "userinfo.token.claim": "true",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "resource_access.${client_id}.roles",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "name": "username",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "username",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "preferred_username",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "name": "email",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "email",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "email",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "name": "full-name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-full-name-mapper",
+          "consentRequired": false,
+          "config": {
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "userinfo.token.claim": "true"
+          }
+        }
+      ]
+    },
+    {
+      "clientId": "web-app",
+      "name": "Web Application Client",
+      "description": "Public client for web frontend",
+      "enabled": true,
+      "publicClient": true,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "redirectUris": [
+        "http://localhost:3000/*",
+        "https://app.meldestelle.at/*"
+      ],
+      "webOrigins": [
+        "http://localhost:3000",
+        "https://app.meldestelle.at"
+      ],
+      "protocol": "openid-connect",
+      "attributes": {
+        "pkce.code.challenge.method": "S256"
+      }
+    }
+  ],
+  "users": [
+    {
+      "username": "admin",
+      "enabled": true,
+      "emailVerified": true,
+      "firstName": "System",
+      "lastName": "Administrator",
+      "email": "admin@meldestelle.local",
+      "credentials": [
+        {
+          "type": "password",
+          "value": "Change_Me_In_Production!",
+          "temporary": true
+        }
+      ],
+      "realmRoles": ["ADMIN", "USER"],
+      "clientRoles": {
+        "api-gateway": ["ADMIN"]
+      }
+    }
+  ],
+  "groups": [],
+  "defaultRoles": ["USER", "GUEST"],
+  "requiredCredentials": ["password"],
+  "passwordPolicy": "length(8)",
+  "otpPolicyType": "totp",
+  "otpPolicyAlgorithm": "HmacSHA1",
+  "otpPolicyInitialCounter": 0,
+  "otpPolicyDigits": 6,
+  "otpPolicyLookAheadWindow": 1,
+  "otpPolicyPeriod": 30,
+  "otpSupportedApplications": ["FreeOTP", "Google Authenticator"],
+  "webAuthnPolicyRpEntityName": "meldestelle",
+  "webAuthnPolicySignatureAlgorithms": ["ES256", "RS256"],
+  "smtpServer": {},
+  "eventsEnabled": true,
+  "eventsListeners": ["jboss-logging"],
+  "enabledEventTypes": [
+    "LOGIN",
+    "LOGIN_ERROR",
+    "LOGOUT",
+    "REGISTER",
+    "REGISTER_ERROR",
+    "UPDATE_PASSWORD",
+    "UPDATE_PASSWORD_ERROR"
+  ],
+  "adminEventsEnabled": true,
+  "adminEventsDetailsEnabled": true,
+  "identityProviders": [],
+  "identityProviderMappers": [],
+  "components": {
+    "org.keycloak.keys.KeyProvider": [
+      {
+        "name": "rsa-generated",
+        "providerId": "rsa-generated",
+        "subComponents": {},
+        "config": {
+          "priority": ["100"]
+        }
+      },
+      {
+        "name": "hmac-generated",
+        "providerId": "hmac-generated",
+        "subComponents": {},
+        "config": {
+          "priority": ["100"],
+          "algorithm": ["HS256"]
+        }
+      },
+      {
+        "name": "aes-generated",
+        "providerId": "aes-generated",
+        "subComponents": {},
+        "config": {
+          "priority": ["100"]
+        }
+      }
+    ]
+  },
+  "authenticationFlows": [],
+  "authenticatorConfig": [],
+  "requiredActions": [],
+  "browserFlow": "browser",
+  "registrationFlow": "registration",
+  "directGrantFlow": "direct grant",
+  "resetCredentialsFlow": "reset credentials",
+  "clientAuthenticationFlow": "clients",
+  "dockerAuthenticationFlow": "docker auth",
+  "attributes": {
+    "frontendUrl": "",
+    "acr.loa.map": "{}",
+    "clientOfflineSessionMaxLifespan": "0",
+    "clientSessionIdleTimeout": "0",
+    "clientSessionMaxLifespan": "0",
+    "clientOfflineSessionIdleTimeout": "0"
+  }
+}