Merge pull request #208 from kbss-cvut/202-fine-grained

fine grained access

Author: blcham

deploy/internal-auth/db-server/import/record-manager-app/role-groups.trig

@@ -0,0 +1,32 @@
+@prefix : <http://onto.fel.cvut.cz/ontologies/record-manager/> .
+@prefix rm: <http://onto.fel.cvut.cz/ontologies/record-manager/> .
+@prefix doc: <http://onto.fel.cvut.cz/ontologies/documentation/> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xml: <http://www.w3.org/XML/1998/namespace> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix form: <http://onto.fel.cvut.cz/ontologies/form/> .
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix ufo: <http://onto.fel.cvut.cz/ontologies/ufo/> .
+
+<http://onto.fel.cvut.cz/ontologies/record-manager/role-groups> {
+    rm:admin-role-group rdf:type owl:NamedIndividual, rm:role-group;
+        rm:has-role rm:RM_ADMIN,
+                    rm:RM_USER,
+                    rm:complete-records-role,
+                    rm:delete-organization-records-role,
+                    rm:edit-organization-records-role,
+                    rm:view-organization-records-role,
+                    rm:edit-users-role,
+                    rm:import-codelists-role,
+                    rm:reject-records-role,
+                    rm:delete-all-records-role,
+                    rm:edit-all-records-role,
+                    rm:publish-records-role,
+                    rm:view-all-records-role;
+        rdfs:label "admin-role-group"@en .
+
+    rm:user-role-group rdf:type owl:NamedIndividual, rm:role-group;
+        rm:has-role rm:RM_USER;
+        rdfs:label "user-role-group"@en .
+}

deploy/internal-auth/docker-compose.yml

@@ -83,8 +83,9 @@ services:
       - "7200"
     restart: always
     volumes:
-      - ../shared/db-server/import:/root/graphdb-import:ro
+      - ../shared/db-server/import:/root/graphdb-import
       - db-server:/opt/graphdb/home
+      - ./db-server/import/record-manager-app/role-groups.trig:/root/graphdb-import/record-manager-app/role-groups.trig:ro
 
 volumes:
   db-server:

…keycloak-auth/keycloak/realm-export.json …cloak-auth/auth-server/realm-export.jsondeploy/keycloak-auth/keycloak/realm-export.json renamed to deploy/keycloak-auth/auth-server/realm-export.json deploy/keycloak-auth/keycloak/realm-export.json renamed to deploy/keycloak-auth/auth-server/realm-export.json

@@ -148,10 +148,28 @@ services:
       - "8080"
     volumes:
       - auth-server:/opt/keycloak/data
-      - ./keycloak:/opt/keycloak/data/import
+      - ./auth-server:/opt/keycloak/data/import
     depends_on:
       - auth-server-db
 
+  keycloak-config:
+    image: hashicorp/terraform:light
+    working_dir: /workspace
+    volumes:
+      - ./keycloak-config:/workspace
+    depends_on:
+      - auth-server
+    entrypoint: ["/bin/sh", "-c"]
+    environment:
+      - TF_VAR_kc_admin_user=${KC_ADMIN_USER}
+      - TF_VAR_kc_admin_password=${KC_ADMIN_PASSWORD}
+      - TF_VAR_kc_realm=record-manager
+      - TF_VAR_kc_url=http://auth-server:8080/
+    command: >
+      "until nc -z auth-server 8080; do sleep 1; done &&
+       terraform init &&
+       terraform apply -auto-approve"
+
 volumes:
   db-server:
   auth-server:

deploy/keycloak-auth/docker-compose.yml

@@ -0,0 +1,22 @@
+
+
+variable "groups" {
+  type = list(string)
+
+  default = ["AdminGroup", "UserGroup"]
+}
+
+resource "keycloak_group" "realm_groups" {
+  for_each  = toset(var.groups)
+
+  realm_id = var.kc_realm
+  name     = each.value
+}
+
+resource "keycloak_group_roles" "admin_group_roles" {
+  realm_id = var.kc_realm
+  group_id = keycloak_group.realm_groups["AdminGroup"].id
+
+  role_ids = [for role in keycloak_role.realm_roles : role.id]
+}
+

deploy/keycloak-auth/keycloak-config/groups_and_mapping.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    keycloak = {
+      source  = "keycloak/keycloak"
+      version = ">= 5.0.0"
+    }
+  }
+}
+
+provider "keycloak" {
+  client_id = "admin-cli"
+  username  = var.kc_admin_user
+  password  = var.kc_admin_password
+  url       = var.kc_url
+}

deploy/keycloak-auth/keycloak-config/main.tf

@@ -0,0 +1,25 @@
+variable "roles" {
+  type = map(string)
+  default = {
+    rm-delete-all-records         = ""
+    rm-edit-users                = ""
+    rm-impersonate               = ""
+    rm-edit-all-records           = ""
+    rm-view-organization-records = ""
+    rm-complete-records           = ""
+    rm-edit-organization-records = ""
+    rm-view-all-records           = ""
+    rm-delete-organization-records = ""
+    rm-publish-records            = ""
+    rm-import-codelists           = ""
+    rm-reject-records             = ""
+  }
+}
+
+resource "keycloak_role" "realm_roles" {
+  for_each  = var.roles
+
+  realm_id    = var.kc_realm
+  name        = each.key
+  description = length(each.value) > 0 ? each.value : null
+}

deploy/keycloak-auth/keycloak-config/roles.tf

@@ -0,0 +1,21 @@
+variable "kc_admin_user" {
+  description = "Keycloak username"
+  type        = string
+}
+
+variable "kc_admin_password" {
+  description = "Keycloak password"
+  type        = string
+  sensitive   = true
+}
+
+variable "kc_url" {
+  description = "Keycloak server URL"
+  type        = string
+  default     = "http://localhost:8080"
+}
+
+variable "kc_realm" {
+  description = "Keycloak realm name"
+  type        = string
+}

deploy/keycloak-auth/keycloak-config/variables.tf

@@ -31,6 +31,7 @@
     "react-promise-tracker": "^2.1.1",
     "react-redux": "^7.2.4",
     "react-router-dom": "^5.2.0",
+    "react-select": "^5.8.0",
     "redux": "^4.1.0",
     "redux-devtools-extension": "^2.13.9",
     "redux-thunk": "^2.3.0",