feat(lab-04): FreeIPA SSO — Keycloak LDAP federation, user sync, OIDC discovery

RedjiJB · RedjiJB · commit f01ff9101ffe · 2026-02-28T15:19:30.000-05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -154,4 +154,29 @@ jobs:
       - name: ShellCheck test script
         run: |
           sudo apt-get install -y shellcheck -qq
-          shellcheck tests/labs/test-lab-01-03.sh
+          shellcheck tests/labs/test-lab-01-03.sh
+
+  lab-04-smoke:
+    name: Lab 04 — Keycloak LDAP Federation (syntax check only)
+    runs-on: ubuntu-latest
+    needs: validate
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate SSO compose (pull images only — FreeIPA is privileged)
+        run: |
+          echo "NOTE: FreeIPA Lab 04 requires privileged + full IPA init (~5min); runs on real VMs"
+          docker compose -f docker/docker-compose.sso.yml pull --quiet
+          echo "Images pulled OK"
+
+      - name: Validate compose config
+        run: docker compose -f docker/docker-compose.sso.yml config -q
+
+      - name: Verify test script syntax
+        run: bash -n tests/labs/test-lab-01-04.sh
+
+      - name: ShellCheck test script
+        run: |
+          sudo apt-get install -y shellcheck -qq
+          shellcheck tests/labs/test-lab-01-04.sh
diff --git a/docker/docker-compose.sso.yml b/docker/docker-compose.sso.yml
@@ -1,34 +1,106 @@
-# Lab 04 — SSO Integration: freeipa with Keycloak OIDC authentication
----
 services:
+
+  # ── FreeIPA identity directory ────────────────────────────────────
   freeipa:
-    image: freeipa/freeipa-server:rocky-9
-    container_name: it-stack-freeipa
-    restart: unless-stopped
+    image: freeipa/freeipa-server:fedora-41
+    container_name: freeipa-lab04
+    hostname: ipa.lab.local
+    privileged: true
+    tty: true
+    stdin_open: true
+    environment:
+      IPA_SERVER_IP: 172.20.0.10
+      IPA_SERVER_HOSTNAME: ipa.lab.local
+    command:
+      - ipa-server-install
+      - --unattended
+      - --realm=LAB.LOCAL
+      - --domain=lab.local
+      - --ds-password=Lab04Password!
+      - --admin-password=Lab04Password!
+      - --no-ntp
+      - --no-host-dns
+      - --setup-dns
+      - --auto-forwarders
+    volumes:
+      - freeipa-sso:/data
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
     ports:
-      - "389:$firstPort"
+      - "389:389"
+      - "636:636"
+      - "88:88/tcp"
+      - "88:88/udp"
+    networks:
+      ipa-sso-net:
+        ipv4_address: 172.20.0.10
+    sysctls:
+      - net.ipv6.conf.all.disable_ipv6=0
+    healthcheck:
+      test: ["CMD", "ipa", "user-find", "--all"]
+      interval: 30s
+      timeout: 10s
+      retries: 20
+      start_period: 240s
+
+  # ── Keycloak backing DB (internal) ────────────────────────────────
+  kc-db:
+    image: postgres:16-alpine
     environment:
-      - IT_STACK_ENV=lab-04-sso
-      - KEYCLOAK_URL=
-      - KEYCLOAK_REALM=
-      - KEYCLOAK_CLIENT_ID=freeipa
-      - KEYCLOAK_CLIENT_SECRET=
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: kcadmin
+      POSTGRES_PASSWORD: Lab04Password!
     networks:
-      - it-stack-net
+      - kc-db-net
+    volumes:
+      - kc-db-sso:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U kcadmin -d keycloak"]
+      interval: 5s
+      timeout: 3s
+      retries: 20
 
-  # Local Keycloak for SSO lab (replace with lab-id1 in real env)
+  # ── Keycloak (will be configured to federate FreeIPA LDAP) ────────
   keycloak:
-    image: quay.io/keycloak/keycloak:24
-    container_name: it-stack-freeipa-keycloak
+    image: quay.io/keycloak/keycloak:24.0
     command: start-dev
+    depends_on:
+      kc-db:
+        condition: service_healthy
     environment:
-      KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_BOOTSTRAP_ADMIN_USERNAME: admin
+      KC_BOOTSTRAP_ADMIN_PASSWORD: Lab04Password!
+      KC_DB: postgres
+      KC_DB_URL: "jdbc:postgresql://kc-db:5432/keycloak"
+      KC_DB_USERNAME: kcadmin
+      KC_DB_PASSWORD: Lab04Password!
+      KC_HTTP_PORT: "8080"
+      KC_HOSTNAME_STRICT: "false"
+      KC_PROXY: edge
     ports:
       - "8080:8080"
     networks:
-      - it-stack-net
+      - ipa-sso-net
+      - kc-db-net
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:8080/health/ready || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 30
+      start_period: 60s
 
 networks:
-  it-stack-net:
+  ipa-sso-net:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 172.20.0.0/24
+  kc-db-net:
     driver: bridge
+    internal: true
+
+volumes:
+  freeipa-sso:
+  kc-db-sso:
diff --git a/tests/labs/test-lab-01-04.sh b/tests/labs/test-lab-01-04.sh
@@ -1,71 +1,130 @@
 #!/usr/bin/env bash
-# test-lab-01-04.sh — Lab 01-04: SSO Integration
-# Module 01: FreeIPA LDAP/Kerberos identity provider
-# freeipa with Keycloak OIDC/SAML authentication
+# test-lab-01-04.sh — FreeIPA Lab 04: Keycloak LDAP Federation with FreeIPA
+# Tests: FreeIPA LDAP reachable, Keycloak federation component, user sync,
+#        OIDC discovery, FreeIPA user visible in Keycloak after sync
+# NOTE: Requires privileged container — full test runs on real VMs.
+#       CI runs syntax check + ShellCheck only.
 set -euo pipefail
 
-LAB_ID="01-04"
-LAB_NAME="SSO Integration"
-MODULE="freeipa"
-COMPOSE_FILE="docker/docker-compose.sso.yml"
-PASS=0
-FAIL=0
+PASS=0; FAIL=0
+KC_PASS="${KC_PASS:-Lab04Password!}"
+KC_URL="http://localhost:8080"
+IPA_HOST="localhost"
+REALM="it-stack"
 
-# ── Colors ────────────────────────────────────────────────────────────────────
-RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'
-CYAN='\033[0;36m'; NC='\033[0m'
+pass()  { ((++PASS)); echo "  [PASS] $1"; }
+fail()  { ((++FAIL)); echo "  [FAIL] $1"; }
+warn()  { echo "  [WARN] $1"; }
+header(){ echo; echo "=== $1 ==="; }
 
-pass() { echo -e "${GREEN}[PASS]${NC} $1"; ((PASS++)); }
-fail() { echo -e "${RED}[FAIL]${NC} $1"; ((FAIL++)); }
-info() { echo -e "${CYAN}[INFO]${NC} $1"; }
-warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
+kc_token() {
+  curl -sf -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
+    -d "client_id=admin-cli&grant_type=password&username=admin&password=${KC_PASS}" \
+    | grep -o '"access_token":"[^"]*"' | cut -d'"' -f4
+}
 
-echo -e "${CYAN}======================================${NC}"
-echo -e "${CYAN} Lab ${LAB_ID}: ${LAB_NAME}${NC}"
-echo -e "${CYAN} Module: ${MODULE}${NC}"
-echo -e "${CYAN}======================================${NC}"
-echo ""
+header "1. FreeIPA LDAP Port Reachable"
+if nc -z -w 5 "$IPA_HOST" 389 2>/dev/null; then
+  pass "FreeIPA LDAP port 389 reachable"
+else
+  fail "FreeIPA LDAP port 389 not reachable"
+fi
 
-# ── PHASE 1: Setup ────────────────────────────────────────────────────────────
-info "Phase 1: Setup"
-docker compose -f "${COMPOSE_FILE}" up -d
-info "Waiting 30s for ${MODULE} to initialize..."
-sleep 30
+header "2. FreeIPA Anonymous LDAP Bind"
+if ldapsearch -x -H "ldap://$IPA_HOST:389" -b "dc=lab,dc=local" "(objectClass=organizationalUnit)" dn 2>/dev/null | grep -q "numEntries"; then
+  pass "Anonymous LDAP query returns OUs"
+else
+  warn "Anonymous bind may be disabled (normal for hardened IPA)"
+fi
 
-# ── PHASE 2: Health Checks ────────────────────────────────────────────────────
-info "Phase 2: Health Checks"
+header "3. FreeIPA Admin LDAP Bind"
+if ldapwhoami -x -H "ldap://$IPA_HOST:389" \
+  -D "uid=admin,cn=users,cn=accounts,dc=lab,dc=local" \
+  -w "$KC_PASS" 2>/dev/null | grep -q "dn:"; then
+  pass "Admin LDAP bind successful"
+else
+  warn "Admin LDAP bind failed (FreeIPA may not be fully initialised)"
+fi
 
-if docker compose -f "${COMPOSE_FILE}" ps | grep -q "running\|Up"; then
-    pass "Container is running"
+header "4. Users OU Exists in FreeIPA"
+USERS_OU=$(ldapsearch -x -H "ldap://$IPA_HOST:389" \
+  -D "uid=admin,cn=users,cn=accounts,dc=lab,dc=local" -w "$KC_PASS" \
+  -b "cn=users,cn=accounts,dc=lab,dc=local" "(objectClass=person)" uid 2>/dev/null | grep "uid:" | head -5)
+[[ -n "$USERS_OU" ]] && pass "FreeIPA users found in cn=users,cn=accounts" || fail "Users OU empty or unreachable"
+
+header "5. Keycloak Health"
+if curl -sf "$KC_URL/health/ready" | grep -q '"status":"UP"'; then
+  pass "Keycloak /health/ready UP"
 else
-    fail "Container is not running"
+  fail "Keycloak not ready"; exit 1
 fi
 
-# ── PHASE 3: Functional Tests ─────────────────────────────────────────────────
-info "Phase 3: Functional Tests (Lab 04 — SSO Integration)"
+header "6. Keycloak Admin Auth + Realm Setup"
+TOKEN=$(kc_token)
+[[ -n "$TOKEN" ]] && pass "Admin token obtained" || { fail "Admin auth failed"; exit 1; }
+curl -sf -X POST "$KC_URL/admin/realms" \
+  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
+  -d "{\"realm\":\"$REALM\",\"enabled\":true}" -o /dev/null \
+  && pass "Realm '$REALM' created/exists" || warn "Realm may already exist"
 
-# TODO: Add module-specific functional tests here
-# Example:
-# if curl -sf http://localhost:389/health > /dev/null 2>&1; then
-#     pass "Health endpoint responds"
-# else
-#     fail "Health endpoint not reachable"
-# fi
+header "7. Create LDAP Federation Component (Keycloak → FreeIPA)"
+TOKEN=$(kc_token)
+LDAP_BODY="{
+  \"name\": \"freeipa-ldap\",
+  \"providerId\": \"ldap\",
+  \"providerType\": \"org.keycloak.storage.UserStorageProvider\",
+  \"config\": {
+    \"vendor\": [\"rhds\"],
+    \"connectionUrl\": [\"ldap://freeipa:389\"],
+    \"bindDn\": [\"uid=admin,cn=users,cn=accounts,dc=lab,dc=local\"],
+    \"bindCredential\": [\"$KC_PASS\"],
+    \"usersDn\": [\"cn=users,cn=accounts,dc=lab,dc=local\"],
+    \"usernameLDAPAttribute\": [\"uid\"],
+    \"rdnLDAPAttribute\": [\"uid\"],
+    \"uuidLDAPAttribute\": [\"ipaUniqueID\"],
+    \"userObjectClasses\": [\"inetOrgPerson,organizationalPerson\"],
+    \"editMode\": [\"READ_ONLY\"],
+    \"syncRegistrations\": [\"false\"],
+    \"enabled\": [\"true\"]
+  }
+}"
+STATUS=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$KC_URL/admin/realms/$REALM/components" \
+  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "$LDAP_BODY")
+[[ "$STATUS" =~ ^(201|409)$ ]] && pass "LDAP federation component created (HTTP $STATUS)" || fail "LDAP federation failed (HTTP $STATUS)"
 
-warn "Functional tests for Lab 01-04 pending implementation"
+header "8. Trigger User Sync from FreeIPA"
+TOKEN=$(kc_token)
+COMP_ID=$(curl -sf "$KC_URL/admin/realms/$REALM/components?type=org.keycloak.storage.UserStorageProvider" \
+  -H "Authorization: Bearer $TOKEN" | grep -o '"id":"[^"]*"' | head -1 | cut -d'"' -f4)
+if [[ -n "$COMP_ID" ]]; then
+  SYNC=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
+    "$KC_URL/admin/realms/$REALM/user-storage/$COMP_ID/sync?action=triggerFullSync" \
+    -H "Authorization: Bearer $TOKEN")
+  [[ "$SYNC" =~ ^(200|204)$ ]] && pass "Full sync triggered (HTTP $SYNC)" || warn "Sync returned HTTP $SYNC"
+else
+  fail "LDAP federation component not found for sync"
+fi
 
-# ── PHASE 4: Cleanup ──────────────────────────────────────────────────────────
-info "Phase 4: Cleanup"
-docker compose -f "${COMPOSE_FILE}" down -v --remove-orphans
-info "Cleanup complete"
+header "9. FreeIPA Users Visible in Keycloak"
+TOKEN=$(kc_token)
+sleep 5  # allow sync to complete
+USERS=$(curl -sf "$KC_URL/admin/realms/$REALM/users?max=50" -H "Authorization: Bearer $TOKEN")
+ADMIN_USER=$(echo "$USERS" | grep -c '"username":"admin"' || true)
+[[ "$ADMIN_USER" -gt 0 ]] && pass "FreeIPA admin user synced into Keycloak" || fail "FreeIPA users not synced"
+TOTAL=$(echo "$USERS" | grep -o '"username"' | wc -l)
+[[ "$TOTAL" -gt 0 ]] && pass "Keycloak has $TOTAL users after LDAP sync" || fail "No users after sync"
 
-# ── Results ───────────────────────────────────────────────────────────────────
-echo ""
-echo -e "${CYAN}======================================${NC}"
-echo -e " Lab ${LAB_ID} Complete"
-echo -e " ${GREEN}PASS: ${PASS}${NC} | ${RED}FAIL: ${FAIL}${NC}"
-echo -e "${CYAN}======================================${NC}"
+header "10. OIDC Discovery for it-stack Realm"
+DISC=$(curl -sf "$KC_URL/realms/$REALM/.well-known/openid-configuration")
+echo "$DISC" | grep -q '"token_endpoint"' && pass "OIDC discovery: token_endpoint present" || fail "OIDC discovery failed"
+echo "$DISC" | grep -q '"authorization_endpoint"' && pass "OIDC discovery: authorization_endpoint present" || fail "Missing authorization_endpoint"
 
-if [ "${FAIL}" -gt 0 ]; then
-    exit 1
-fi
+header "11. JWKS Endpoint"
+JWKS_URL=$(echo "$DISC" | grep -o '"jwks_uri":"[^"]*"' | cut -d'"' -f4)
+curl -sf "$JWKS_URL" | grep -q '"keys"' && pass "JWKS endpoint returns signing keys" || fail "JWKS endpoint failed"
+
+echo
+echo "═══════════════════════════════════════"
+echo " Lab 01-04 Results: $PASS passed, $FAIL failed"
+echo "═══════════════════════════════════════"
+[[ "$FAIL" -eq 0 ]]
