refactor(keycloak): migrate Keycloak plugin to NestJS

Signed-off-by: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>

Author: shikanime

apps/server-nestjs/.env-example

@@ -15,6 +15,14 @@ KEYCLOAK_PROTOCOL=http
 KEYCLOAK_CLIENT_ID=dso-console-backend
 # Secret du client Keycloak backend (confidentiel)
 KEYCLOAK_CLIENT_SECRET=client-secret-backend
+# Identifiant de l'administrateur Keycloak
+KEYCLOAK_ADMIN=admin
+# Mot de passe de l'administrateur Keycloak
+KEYCLOAK_ADMIN_PASSWORD=admin
+# Identifiant administrateur Keycloak (utilisé pour l'API admin)
+KEYCLOAK_ADMIN=admin
+# Mot de passe administrateur Keycloak (confidentiel)
+KEYCLOAK_ADMIN_PASSWORD=admin
 # URL de redirection après authentification Keycloak
 KEYCLOAK_REDIRECT_URI=http://localhost:8080
 # Port d'écoute du serveur backend

apps/server-nestjs/.env.docker-example

@@ -16,6 +16,10 @@ KEYCLOAK_PROTOCOL=http
 KEYCLOAK_CLIENT_ID=dso-console-backend
 # Secret du client Keycloak backend (confidentiel)
 KEYCLOAK_CLIENT_SECRET=client-secret-backend
+# Identifiant de l'administrateur Keycloak
+KEYCLOAK_ADMIN=admin
+# Mot de passe de l'administrateur Keycloak
+KEYCLOAK_ADMIN_PASSWORD=admin
 # URL de redirection après authentification Keycloak
 KEYCLOAK_REDIRECT_URI=http://localhost:8080
 # Port d'écoute du serveur dans le réseau Docker

apps/server-nestjs/package.json

@@ -16,9 +16,15 @@
     "start:dev": "nest start --watch",
     "start:debug": "nest start --debug --watch",
     "start:prod": "node dist/main",
-    "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix"
+    "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:cov": "vitest run --coverage",
+    "test:debug": "vitest --inspect"
   },
   "dependencies": {
+    "@casl/ability": "^6.7.1",
+    "@casl/prisma": "^1.5.0",
     "@cpn-console/argocd-plugin": "workspace:^",
     "@cpn-console/gitlab-plugin": "workspace:^",
     "@cpn-console/harbor-plugin": "workspace:^",
@@ -35,10 +41,12 @@
     "@fastify/swagger-ui": "^4.2.0",
     "@gitbeaker/core": "^40.6.0",
     "@gitbeaker/rest": "^40.6.0",
+    "@keycloak/keycloak-admin-client": "^24.0.0",
     "@kubernetes-models/argo-cd": "^2.6.2",
     "@nestjs/common": "^11.0.1",
     "@nestjs/config": "^4.0.2",
     "@nestjs/core": "^11.0.1",
+    "@nestjs/event-emitter": "^3.0.1",
     "@nestjs/platform-express": "^11.0.1",
     "@nestjs/schedule": "^5.0.1",
     "@opentelemetry/api": "^1.9.0",
@@ -59,7 +67,9 @@
     "fastify": "^4.29.1",
     "fastify-keycloak-adapter": "2.3.2",
     "json-2-csv": "^5.5.7",
+    "keycloak-connect": "^25.0.0",
     "mustache": "^4.2.0",
+    "nest-keycloak-connect": "^1.10.1",
     "nestjs-pino": "^4.5.0",
     "pino-http": "^11.0.0",
     "prisma": "^6.0.1",

apps/server-nestjs/src/cpin-module/infrastructure/configuration/configuration.service.ts

@@ -24,7 +24,10 @@ export class ConfigurationService {
   keycloakRealm = process.env.KEYCLOAK_REALM
   keycloakClientId = process.env.KEYCLOAK_CLIENT_ID
   keycloakClientSecret = process.env.KEYCLOAK_CLIENT_SECRET
+  keycloakAdmin = process.env.KEYCLOAK_ADMIN
+  keycloakAdminPassword = process.env.KEYCLOAK_ADMIN_PASSWORD
   keycloakRedirectUri = process.env.KEYCLOAK_REDIRECT_URI
+
   adminsUserId = process.env.ADMIN_KC_USER_ID
     ? process.env.ADMIN_KC_USER_ID.split(',')
     : []

apps/server-nestjs/src/cpin-module/infrastructure/database/prisma.service.ts

@@ -0,0 +1,14 @@
+import type { OnModuleInit, OnModuleDestroy } from '@nestjs/common'
+import { Injectable } from '@nestjs/common'
+import { PrismaClient } from '@prisma/client'
+
+@Injectable()
+export class PrismaService extends PrismaClient implements OnModuleInit, OnModuleDestroy {
+  async onModuleInit() {
+    await this.$connect()
+  }
+
+  async onModuleDestroy() {
+    await this.$disconnect()
+  }
+}

apps/server-nestjs/src/cpin-module/infrastructure/infrastructure.module.ts

@@ -2,13 +2,14 @@ import { Module } from '@nestjs/common'
 
 import { ConfigurationModule } from './configuration/configuration.module'
 import { DatabaseService } from './database/database.service'
+import { PrismaService } from './database/prisma.service'
 import { HttpClientService } from './http-client/http-client.service'
 import { LoggerModule } from './logger/logger.module'
 import { ServerService } from './server/server.service'
 
 @Module({
-  providers: [DatabaseService, HttpClientService, ServerService],
+  providers: [DatabaseService, PrismaService, HttpClientService, ServerService],
   imports: [LoggerModule, ConfigurationModule],
-  exports: [DatabaseService, HttpClientService, ServerService],
+  exports: [DatabaseService, PrismaService, HttpClientService, ServerService],
 })
 export class InfrastructureModule {}

apps/server-nestjs/src/main.module.ts

@@ -1,11 +1,19 @@
 import { Module } from '@nestjs/common'
+import { EventEmitterModule } from '@nestjs/event-emitter'
+import { ScheduleModule } from '@nestjs/schedule'
 
 import { CpinModule } from './cpin-module/cpin.module'
+import { KeycloakModule } from './modules/keycloak/keycloak.module'
 
 // This module only exists to import other module.
 // « One module to rule them all, and in NestJs bind them »
 @Module({
-  imports: [CpinModule],
+  imports: [
+    CpinModule,
+    KeycloakModule,
+    EventEmitterModule.forRoot(),
+    ScheduleModule.forRoot(),
+  ],
   controllers: [],
   providers: [],
 })

apps/server-nestjs/src/modules/iam/decorators/check-policies.decorator.ts

@@ -0,0 +1,15 @@
+import { SetMetadata } from '@nestjs/common'
+import type { AppAbility } from '../factories/casl-ability.factory'
+
+export interface IPolicyHandler {
+  handle: (ability: AppAbility) => boolean
+}
+
+type PolicyHandlerCallback = (ability: AppAbility) => boolean
+
+export type PolicyHandler = IPolicyHandler | PolicyHandlerCallback
+
+export const CHECK_POLICIES_KEY = 'check_policy'
+export function CheckPolicies(...handlers: PolicyHandler[]) {
+  return SetMetadata(CHECK_POLICIES_KEY, handlers)
+}

apps/server-nestjs/src/modules/iam/factories/casl-ability.factory.ts

@@ -0,0 +1,58 @@
+import type { PureAbility } from '@casl/ability'
+import { AbilityBuilder } from '@casl/ability'
+import type { PrismaQuery, Subjects } from '@casl/prisma'
+import { createPrismaAbility } from '@casl/prisma'
+import { Injectable } from '@nestjs/common'
+import type { Project, Environment, User, ProjectMembers } from '@prisma/client'
+
+export type AppAbility = PureAbility<
+  [string, Subjects<{ Project: Project, Environment: Environment, User: User, ProjectMembers: ProjectMembers }>],
+  PrismaQuery
+>
+
+@Injectable()
+export class CaslAbilityFactory {
+  createForUser(user: any) {
+    const { can, build } = new AbilityBuilder<AppAbility>(
+      createPrismaAbility,
+    )
+
+    // If user is not authenticated or doesn't have an ID
+    if (!user || !user.sub) {
+      return build()
+    }
+
+    const userId = user.sub
+
+    // A user can read projects they are a member of (via ProjectMembers)
+    can('read', 'Project', {
+      members: {
+        some: {
+          userId,
+        },
+      },
+    })
+
+    // A project owner can manage everything
+    can('manage', 'Project', {
+      ownerId: userId,
+    })
+
+    // A user can update an environment if the project is not locked
+    // and they are a member of the project
+    can('update', 'Environment', {
+      project: {
+        is: {
+          locked: false,
+          members: {
+            some: {
+              userId,
+            },
+          },
+        },
+      },
+    })
+
+    return build()
+  }
+}

apps/server-nestjs/src/modules/iam/guards/policies.guard.ts

@@ -0,0 +1,36 @@
+import type { CanActivate, ExecutionContext } from '@nestjs/common'
+import { Inject, Injectable } from '@nestjs/common'
+import { Reflector } from '@nestjs/core'
+import { CaslAbilityFactory, type AppAbility } from '../factories/casl-ability.factory'
+import type { PolicyHandler } from '../decorators/check-policies.decorator'
+import { CHECK_POLICIES_KEY } from '../decorators/check-policies.decorator'
+
+@Injectable()
+export class PoliciesGuard implements CanActivate {
+  constructor(
+    @Inject(Reflector) private reflector: Reflector,
+    @Inject(CaslAbilityFactory) private caslAbilityFactory: CaslAbilityFactory,
+  ) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const policyHandlers
+      = this.reflector.get<PolicyHandler[]>(
+        CHECK_POLICIES_KEY,
+        context.getHandler(),
+      ) || []
+
+    const { user } = context.switchToHttp().getRequest()
+    const ability = this.caslAbilityFactory.createForUser(user)
+
+    return policyHandlers.every(handler =>
+      this.execPolicyHandler(handler, ability),
+    )
+  }
+
+  private execPolicyHandler(handler: PolicyHandler, ability: AppAbility) {
+    if (typeof handler === 'function') {
+      return handler(ability)
+    }
+    return handler.handle(ability)
+  }
+}