update for new permission checking of notification module

.env.template

@@ -42,6 +42,10 @@ REPLICATION_BACKEND_PUBLIC_KEY=
 # random secret used for token encryption (replication-backend)
 REPLICATION_BACKEND_JWT_SECRET=
 
+# Keycloak service account for replication-backend permission checks
+REPLICATION_BACKEND_KEYCLOAK_CLIENT_ID=aam-backend
+REPLICATION_BACKEND_KEYCLOAK_CLIENT_SECRET=
+
 # Sentry configuration (app, replication-backend and aam-backend)
 SENTRY_DSN=
 SENTRY_DSN_REPLICATION_BACKEND=

docker-compose.yml

@@ -66,6 +66,10 @@ services:
       SENTRY_ENABLED: ${SENTRY_ENABLED}
       SENTRY_INSTANCE_NAME: ${INSTANCE_NAME}.${INSTANCE_DOMAIN}
       SENTRY_ENVIRONMENT: ${SENTRY_ENVIRONMENT}
+      KEYCLOAK_ADMIN_BASE_URL: https://${KEYCLOAK_URL}
+      KEYCLOAK_REALM: ${INSTANCE_NAME}
+      KEYCLOAK_ADMIN_CLIENT_ID: ${REPLICATION_BACKEND_KEYCLOAK_CLIENT_ID:-aam-backend}
+      KEYCLOAK_ADMIN_CLIENT_SECRET: ${REPLICATION_BACKEND_KEYCLOAK_CLIENT_SECRET}
       PORT: 5984
     restart: unless-stopped
     profiles:
@@ -81,6 +85,7 @@ services:
       - external_web
     depends_on:
       - couchdb-with-permissions
+      - replication-backend
       - aam-backend-service-db
       - rabbitmq
     volumes:

scripts/enable-backend.sh

@@ -51,6 +51,9 @@ RENDER_API_CLIENT_ID_DEV=$(bws secret -t "$BWS_ACCESS_TOKEN" get "b53d7a1d-220e-
 RENDER_API_CLIENT_SECRET_DEV=$(bws secret -t "$BWS_ACCESS_TOKEN" get "83a8e38b-fc22-461f-91a0-b22700712b62" | jq -r .value)
 SENTRY_AUTH_TOKEN=$(bws secret -t "$BWS_ACCESS_TOKEN" get "b9a3e1eb-3925-4ed6-93f4-b2270073c82c" | jq -r .value)
 SENTRY_DSN_BACKEND=$(bws secret -t "$BWS_ACCESS_TOKEN" get "a858a580-9643-4330-8667-b2270073d7a6" | jq -r .value)
+KEYCLOAK_HOST=$(bws secret -t "$BWS_ACCESS_TOKEN" get "3db87144-76c9-4690-8f59-b22600c8c927" | jq -r .value)
+KEYCLOAK_PASSWORD=$(bws secret -t "$BWS_ACCESS_TOKEN" get "c5f42f09-b1c8-43a8-ae75-b22600c8f2e5" | jq -r .value)
+KEYCLOAK_USER=$(bws secret -t "$BWS_ACCESS_TOKEN" get "fbe4ba07-538d-49e2-92dd-b22600c8d9d2" | jq -r .value)
 
 chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
 
@@ -130,6 +133,68 @@ generate_password() {
   done
 }
 
+getKeycloakToken() {
+  token=$(curl -s -L "https://$KEYCLOAK_HOST/realms/master/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode username="$KEYCLOAK_USER" --data-urlencode password="$KEYCLOAK_PASSWORD" --data-urlencode grant_type=password --data-urlencode client_id=admin-cli)
+  token=${token#*\"access_token\":\"}
+  token=${token%%\"*}
+}
+
+createKeycloakBackendClient() {
+  local realm="$1"
+
+  getKeycloakToken
+
+  # create the aam-backend client (confidential, service account enabled)
+  clientResponse=$(curl -s -D - -o /dev/null -X POST "https://$KEYCLOAK_HOST/admin/realms/$realm/clients" \
+    -H "Authorization: Bearer $token" \
+    -H "Content-Type: application/json" \
+    -d '{
+      "clientId": "aam-backend",
+      "enabled": true,
+      "clientAuthenticatorType": "client-secret",
+      "serviceAccountsEnabled": true,
+      "publicClient": false,
+      "standardFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "protocol": "openid-connect"
+    }')
+
+  # extract client UUID from Location header
+  location=$(echo "$clientResponse" | grep -i "^location:")
+  clientUuid=$(echo "$location" | sed -n 's#.*\([a-f0-9]\{8\}-[a-f0-9]\{4\}-[a-f0-9]\{4\}-[a-f0-9]\{4\}-[a-f0-9]\{12\}\).*#\1#p')
+
+  if [ -z "$clientUuid" ]; then
+    echo "ERROR: Failed to create aam-backend client in Keycloak realm '$realm'."
+    return 1
+  fi
+
+  echo "Created aam-backend client: $clientUuid"
+
+  # get client secret
+  clientSecret=$(curl -s -L "https://$KEYCLOAK_HOST/admin/realms/$realm/clients/$clientUuid/client-secret" \
+    -H "Authorization: Bearer $token" | jq -r .value)
+
+  # get the service account user
+  serviceAccountUserId=$(curl -s -L "https://$KEYCLOAK_HOST/admin/realms/$realm/clients/$clientUuid/service-account-user" \
+    -H "Authorization: Bearer $token" | jq -r .id)
+
+  # get the realm-management client UUID
+  realmMgmtClientUuid=$(curl -s -L "https://$KEYCLOAK_HOST/admin/realms/$realm/clients?clientId=realm-management" \
+    -H "Authorization: Bearer $token" | jq -r '.[0].id')
+
+  # get the manage-realm role from realm-management client
+  manageRealmRole=$(curl -s -L "https://$KEYCLOAK_HOST/admin/realms/$realm/clients/$realmMgmtClientUuid/roles/manage-realm" \
+    -H "Authorization: Bearer $token")
+
+  # assign manage-realm role to the service account
+  curl -s -X POST "https://$KEYCLOAK_HOST/admin/realms/$realm/users/$serviceAccountUserId/role-mappings/clients/$realmMgmtClientUuid" \
+    -H "Authorization: Bearer $token" \
+    -H "Content-Type: application/json" \
+    -d "[$manageRealmRole]"
+
+  echo "Assigned manage-realm role to aam-backend service account."
+}
+
 ##############################
 # script
 ##############################
@@ -182,6 +247,8 @@ setEnv CRYPTO_CONFIGURATION_SECRET "$password" "$path/config/aam-backend-service
 setEnv SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUERURI "https://keycloak.aam-digital.com/realms/$instance" "$path/config/aam-backend-service/application.env"
 setEnv SPRING_DATASOURCE_USERNAME "$(getVar "$path/.env" COUCHDB_USER)" "$path/config/aam-backend-service/application.env"
 setEnv SPRING_DATASOURCE_PASSWORD "$(getVar "$path/.env" COUCHDB_PASSWORD)" "$path/config/aam-backend-service/application.env"
+setEnv AAMREPLICATIONBACKENDCLIENTCONFIGURATION_BASICAUTHUSERNAME "$(getVar "$path/.env" COUCHDB_USER)" "$path/config/aam-backend-service/application.env"
+setEnv AAMREPLICATIONBACKENDCLIENTCONFIGURATION_BASICAUTHPASSWORD "$(getVar "$path/.env" COUCHDB_PASSWORD)" "$path/config/aam-backend-service/application.env"
 setEnv COUCHDBCLIENTCONFIGURATION_BASICAUTHUSERNAME "$(getVar "$path/.env" COUCHDB_USER)" "$path/config/aam-backend-service/application.env"
 setEnv COUCHDBCLIENTCONFIGURATION_BASICAUTHPASSWORD "$(getVar "$path/.env" COUCHDB_PASSWORD)" "$path/config/aam-backend-service/application.env"
 setEnv SQSCLIENTCONFIGURATION_BASICAUTHUSERNAME "$(getVar "$path/.env" COUCHDB_USER)" "$path/config/aam-backend-service/application.env"
@@ -195,6 +262,10 @@ setEnv SENTRY_AUTH_TOKEN "$SENTRY_AUTH_TOKEN" "$path/config/aam-backend-service/
 setEnv SENTRY_DSN "$SENTRY_DSN_BACKEND" "$path/config/aam-backend-service/application.env"
 setEnv SENTRY_SERVER_NAME "$instance.$DOMAIN" "$path/config/aam-backend-service/application.env"
 
+# create aam-backend Keycloak client for permission checks
+createKeycloakBackendClient "$instance"
+setEnv REPLICATION_BACKEND_KEYCLOAK_CLIENT_SECRET "$clientSecret" "$path/.env"
+
 setEnv COMPOSE_PROFILES "full-stack" "$path/.env"
 
 (cd "$path" && docker compose up -d)