first funcitonal plugin

Author: klinux

.gitignore

@@ -1,3 +1,5 @@
+gocd/plugins/
+
 # Intellij files
 .idea/
 

CHANGELOG.md

@@ -1,10 +1,4 @@
-## 1.1.0 - 2020-06-11
-
-Switching the Okta client ID variable for secure to plain text one. The client ID is present in the authentication and refresh tokens requests to Okta. Having it encrypted resulted in bad requests which is now no longer the case.
-
-- Fix for the Okta Client ID [#6](https://github.com/szamfirov/gocd-okta-oauth-authorization-plugin/pull/6)
-
-## 1.0.0 - 2018-03-12
+## 1.0.0 - 2020-11-13
 
 Initial release of plugin
 

INSTALL.md

@@ -13,44 +13,25 @@ on Windows.
 
 ## Configuration
 
-###  Configure Okta API Issuer
-
-1. Sign in to Okta [API credentials](https://developer.okta.com/signup/)
-2. Click on **_API_** _>_ **_Authorization Servers_**
-3. Click on **_default_** as that will be your Authorization Server 
-4. Navigate to **_Scopes_** _>_ **_Add Scope_**
-5. Create a scope with name _groups_ and select `Include in public metadata`
-6. Navigate to **_Claims_** _>_ **_Add Claim_**
-7. Create a claim with name _groups_ as following:
-    1. Choose the `Token type` to be: _ID Token_
-    2. Select `Value type`: _Groups_
-    3. Set the `Filter` to: _Regex_ and value: `.*` (there is a dot in there)
-
-###  Configure Okta Application
-
-1. Sign in to Okta [API credentials](https://developer.okta.com/signup/)
-2. Click on **_Applications_** and from there **_Add Application_**.
-3. Select type `Web`.
-4. Fill in the `Login redirect URI` as follows: `https://{your_base_url}/go/plugin/cd.go.authorization.keycloak/authenticate`
-5. Click **_Save_** and afterwards change the `Initiate login URI` to: `https://{your_base_url}/go/plugin/cd.go.authorization.keycloak/login`
-
-### Create Authorization Configuration
-
-1. Login to `GoCD server` as admin and navigate to **_Admin_** _>_ **_Security_** _>_ **_Authorization Configuration_**.
-2. Click on **_Add_** to create new authorization configuration.
-    1. Specify `id` for auth config.
-    2. Select `Okta oauth authorization plugin for GoCD` for **_Plugin id_**
-    3. Specify your Okta API Issuer: `https://{your_okta_url}/oauth2/default`
-    4. Specify **_Client ID_** and **_Client Secret_** that come from the Application.
-    5. Save your configuration and you'll be redirected to GoCD login page.
-3. Click on the Okta button and you should be logged in.
+###  Configure Keycloak API Issuer
+
+1. Sign in Keycloak Console
+2. Select the realm that you want to configure. Ex. **Master**
+3. Click in **Clients** menu 
+4. Click **Add** button
+5. On the form insert the client name
+6. On the next page, set this configs:
+    1. In **Access Type** select **Confidential**
+    2. In **Valid Redirect URIs** insert the URL of GoCD, ex.: **http://localhost:8153**
+    3. In **Credentials** tab copy value of **Secret**
 
 ### Create Role Configuration
 
-1. Login to `GoCD server` as admin and navigate to **_Admin_** _>_ **_Security_** _>_ **_Role Configuration_**.
-2. Click on **_Add_** to create new role configuration.
-    1. Select `Plugin Role` as the type of role.
-    2. Specify the name of the role in `Role name`.
-    3. _(Optional)_ Use `Okta Groups` to choose which groups will use this role.
-    4. _(Optional)_ Use `Okta Users` to choose which users will use this role.
-3. All your users matching the criteria will have this role associated with their account in GoCD.
+1. Sign in Keycloak Console
+2. Select the realm that you want to configure. Ex. **Master**
+3. Click in **Roles** menu
+    1. Click **Add Role** button
+    2. Insert the name of **Role** and it description
+    3. Save the **Role**
+    4. Select the user that you want to configure this role
+    5. Select **Role Mappings** tab and select tht **Role** created

gocd/Makefile

@@ -0,0 +1,14 @@
+.PHONY: help
+help:
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / { printf "\033[36m%-30s\033[0m %s\n", $$1, $$2 }' $(MAKEFILE_LIST)
+.DEFAULT_GOAL := help
+
+# DOCKER TASKS
+start: ## Run servers to develop test
+	mkdir -p ./plugins/external
+	cp ../build/libs/*.jar ./plugins/external
+	docker-compose up -d
+
+stop: ## Stop servers
+	rm -rf ./plugins
+	docker-compose down

gocd/docker-compose.yaml

@@ -0,0 +1,19 @@
+version: '3'
+
+services:
+  keycloak:
+      image: jboss/keycloak:11.0.3
+      environment:
+        ROOT_LOGLEVEL: INFO
+        KEYCLOAK_USER: admin
+        KEYCLOAK_PASSWORD: admin
+        DB_VENDOR: h2
+      ports:
+        - 8080:8080
+  gocd:
+    image: gocd/gocd-server:v20.9.0
+    volumes:
+      - ./plugins:/godata/plugins
+    ports:
+      - 8153:8153
+      - 8154:8154

src/main/java/cd/go/authorization/keycloak/KeycloakApiClient.java

@@ -56,19 +56,20 @@ public void verifyConnection() throws Exception {
 
     public String authorizationServerUrl(String callbackUrl) throws Exception {
         LOG.debug("[KeycloakApiClient] Generating Keycloak oauth url.");
+        String realm = keycloakConfiguration.keycloakRealm();
 
         return HttpUrl.parse(keycloakConfiguration.keycloakEndpoint())
                 .newBuilder()
                 .addPathSegments("auth")
                 .addPathSegments("realms")
-                .addPathSegments("master")
+                .addPathSegments(realm)
                 .addPathSegments("protocol")
                 .addPathSegments("openid-connect")
                 .addPathSegments("auth")
                 .addQueryParameter("client_id", keycloakConfiguration.clientId())
                 .addQueryParameter("redirect_uri", callbackUrl)
                 .addQueryParameter("response_type", "code")
-                .addQueryParameter("scope", "openid profile email groups")
+                .addQueryParameter("scope", "openid profile email roles")
                 .addQueryParameter("state", UUID.randomUUID().toString())
                 .addQueryParameter("nonce", UUID.randomUUID().toString())
                 .build().toString();
@@ -81,12 +82,13 @@ public TokenInfo fetchAccessToken(Map<String, String> params) throws Exception {
         }
 
         LOG.debug("[KeycloakApiClient] Fetching access token using authorization code.");
+        String realm = keycloakConfiguration.keycloakRealm();
 
         final String accessTokenUrl = HttpUrl.parse(keycloakConfiguration.keycloakEndpoint())
                 .newBuilder()
                 .addPathSegments("auth")
                 .addPathSegments("realms")
-                .addPathSegments("master")
+                .addPathSegments(realm)
                 .addPathSegments("protocol")
                 .addPathSegments("openid-connect")
                 .addPathSegments("token")
@@ -112,12 +114,13 @@ public KeycloakUser userProfile(TokenInfo tokenInfo) throws Exception {
         validateTokenInfo(tokenInfo);
 
         LOG.debug("[KeycloakApiClient] Fetching user profile using access token.");
+        String realm = keycloakConfiguration.keycloakRealm();
 
         final String userProfileUrl = HttpUrl.parse(keycloakConfiguration.keycloakEndpoint())
                 .newBuilder()
                 .addPathSegments("auth")
                 .addPathSegments("realms")
-                .addPathSegments("master")
+                .addPathSegments(realm)
                 .addPathSegments("protocol")
                 .addPathSegments("openid-connect")
                 .addPathSegments("userinfo")

src/main/java/cd/go/authorization/keycloak/executors/GetPluginIconRequestExecutor.java

@@ -42,6 +42,6 @@ private String getContentType() {
     }
 
     private String getIcon() {
-        return "/keycloak.svg";
+        return "/keycloak.png";
     }
 }

src/main/java/cd/go/authorization/keycloak/models/KeycloakConfiguration.java

@@ -33,6 +33,11 @@ public class KeycloakConfiguration implements Validatable {
     @ProfileField(key = "KeycloakEndpoint", required = true, secure = false)
     private String keycloakEndpoint;
 
+    @Expose
+    @SerializedName("KeycloakRealm")
+    @ProfileField(key = "KeycloakRealm", required = true, secure = false)
+    private String keycloakRealm;
+
     @Expose
     @SerializedName("ClientId")
     @ProfileField(key = "ClientId", required = true, secure = false)
@@ -58,6 +63,10 @@ public String keycloakEndpoint() {
         return keycloakEndpoint;
     }
 
+    public String keycloakRealm() {
+        return keycloakRealm;
+    }
+
     public String clientId() {
         return clientId;
     }

src/main/resources/auth-config.template.html

@@ -97,6 +97,18 @@
         <span class="form_error form-error" ng-class="{'is-visible': GOINPUTNAME[KeycloakEndpoint].$error.server}" ng-show="GOINPUTNAME[KeycloakEndpoint].$error.server">{{GOINPUTNAME[KeycloakEndpoint].$error.server}}</span>
     </div>
 
+    <div class="form_item_block">
+        <label ng-class="{'is-invalid-label': GOINPUTNAME[KeycloakRealm].$error.server}">Keycloak Realm:<span class='asterix'>*</span>
+            <div class="tooltip-info">
+              <span class="tooltip-content">
+                Your Keycloak Realm.
+              </span>
+            </div>
+        </label>
+        <input ng-class="{'is-invalid-input': GOINPUTNAME[KeycloakRealm].$error.server}" type="text" ng-model="KeycloakRealm" ng-required="true"/>
+        <span class="form_error form-error" ng-class="{'is-visible': GOINPUTNAME[KeycloakRealm].$error.server}" ng-show="GOINPUTNAME[KeycloakRealm].$error.server">{{GOINPUTNAME[KeycloakRealm].$error.server}}</span>
+    </div>
+
     <div class="form_item_block">
         <label ng-class="{'is-invalid-label': GOINPUTNAME[ClientId].$error.server}">Keycloak Client ID:<span class='asterix'>*</span>
             <div class="tooltip-info">