feat(infra): Keycloak with mock DigiD/eHerkenning/eIDAS/medewerker realms (closes #3)
Add infra/keycloak/docker-compose.yml (Keycloak 26.1, dev mode, --import-realm) with four realms imported at boot (infra/keycloak/realms/*.json): digid, eherkenning, eidas, medewerker. Each has a public big-portal OIDC client (standard flow + direct access grants) and test users; protocol mappers inject the identifying claims (bsn / kvk / eidas_id) and medewerker realm roles. Add `make keycloak-up/keycloak-smoke/keycloak-down`; keycloak-smoke runs infra/keycloak/check_realms.py (password-grant login per realm, asserts the claim). Document credentials in docs/synthetic-data.md and a runbook. Verified: `make keycloak-smoke` green — all four realms log in and return the expected claims (bsn 123456782, kvk 12345678, eidas_id FR/NL..., role behandelaar). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
60
infra/keycloak/check_realms.py
Normal file
60
infra/keycloak/check_realms.py
Normal file
@@ -0,0 +1,60 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Smoke-check the Keycloak realms: each realm's OIDC login works (password grant)
|
||||
and returns its expected identifying claim. Stdlib only. Exits non-zero on failure.
|
||||
"""
|
||||
import base64, json, sys, urllib.error, urllib.parse, urllib.request
|
||||
|
||||
BASE = "http://localhost:8180"
|
||||
CLIENT = "big-portal"
|
||||
PWD = "test123"
|
||||
|
||||
# realm, user, claim ("__roles__" => check realm_access.roles), expected-contains
|
||||
CHECKS = [
|
||||
("digid", "jan-burger", "bsn", "123456782"),
|
||||
("eherkenning", "acme-ondernemer", "kvk", "12345678"),
|
||||
("eidas", "pierre-dupont", "eidas_id", "FR/NL"),
|
||||
("medewerker", "merel-behandelaar", "__roles__", "behandelaar"),
|
||||
]
|
||||
|
||||
|
||||
def decode(jwt):
|
||||
p = jwt.split(".")[1]
|
||||
p += "=" * (-len(p) % 4)
|
||||
return json.loads(base64.urlsafe_b64decode(p))
|
||||
|
||||
|
||||
def grant(realm, user):
|
||||
data = urllib.parse.urlencode({
|
||||
"grant_type": "password", "client_id": CLIENT,
|
||||
"username": user, "password": PWD, "scope": "openid",
|
||||
}).encode()
|
||||
req = urllib.request.Request(
|
||||
f"{BASE}/realms/{realm}/protocol/openid-connect/token", data=data,
|
||||
headers={"Content-Type": "application/x-www-form-urlencoded"})
|
||||
with urllib.request.urlopen(req, timeout=20) as r:
|
||||
return json.loads(r.read())
|
||||
|
||||
|
||||
def main():
|
||||
ok = True
|
||||
for realm, user, claim, expect in CHECKS:
|
||||
try:
|
||||
at = decode(grant(realm, user)["access_token"])
|
||||
if claim == "__roles__":
|
||||
val = at.get("realm_access", {}).get("roles", [])
|
||||
good = expect in val
|
||||
else:
|
||||
val = at.get(claim)
|
||||
good = val is not None and expect in str(val)
|
||||
print(f"{realm:12} {user:18} login OK | {claim} = {val} "
|
||||
f"[{'OK' if good else 'UNEXPECTED'}]")
|
||||
ok = ok and good
|
||||
except urllib.error.HTTPError as e:
|
||||
ok = False
|
||||
print(f"{realm:12} {user:18} LOGIN FAILED {e.code}: {e.read()[:200]!r}")
|
||||
print("keycloak smoke OK" if ok else "keycloak smoke FAILED")
|
||||
sys.exit(0 if ok else 1)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Reference in New Issue
Block a user