feat(lab-04): FreePBX SSO Integration (OpenLDAP + Keycloak OIDC)

RedjiJB · RedjiJB · commit 9e3b371e7ca8 · 2026-03-01T13:32:20.000-05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -152,3 +152,35 @@ jobs:
       - name: Cleanup
         if: always()
         run: docker compose -f docker/docker-compose.advanced.yml down -v
+
+  lab-04-smoke:
+    name: Lab 04 -- FreePBX SSO Integration (OpenLDAP + Keycloak OIDC)
+    runs-on: ubuntu-latest
+    needs: validate
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install tools
+        run: sudo apt-get install -y curl default-mysql-client netcat-openbsd ldap-utils
+      - name: Validate SSO compose
+        run: docker compose -f docker/docker-compose.sso.yml config -q && echo "SSO compose valid"
+      - name: Start SSO stack
+        run: docker compose -f docker/docker-compose.sso.yml up -d
+      - name: Wait for MariaDB
+        run: timeout 120 bash -c 'until docker exec freepbx-s04-db mysqladmin ping -uroot -pRootLab04! --silent; do sleep 5; done'
+      - name: Wait for OpenLDAP
+        run: timeout 120 bash -c 'until docker exec freepbx-s04-ldap ldapsearch -x -H ldap://localhost -b dc=lab,dc=local -D cn=admin,dc=lab,dc=local -w LdapLab04! cn=admin >/dev/null 2>&1; do sleep 5; done'
+      - name: Wait for Keycloak
+        run: timeout 300 bash -c 'until curl -sf http://localhost:8440/realms/master; do sleep 10; done'
+      - name: Wait for Mailhog
+        run: timeout 60 bash -c 'until curl -sf http://localhost:8640/api/v2/messages; do sleep 5; done'
+      - name: Wait for FreePBX web
+        run: timeout 300 bash -c 'until curl -sf http://localhost:8340/admin/config.php; do sleep 10; done'
+      - name: Run Lab 10-04 test script
+        run: bash tests/labs/test-lab-10-04.sh --no-cleanup
+      - name: Collect logs on failure
+        if: failure()
+        run: docker compose -f docker/docker-compose.sso.yml logs
+      - name: Cleanup
+        if: always()
+        run: docker compose -f docker/docker-compose.sso.yml down -v
diff --git a/docker/docker-compose.sso.yml b/docker/docker-compose.sso.yml
@@ -1,34 +1,195 @@
-# Lab 04 — SSO Integration: freepbx with Keycloak OIDC authentication
----
+# =============================================================================
+# IT-Stack: FreePBX — Lab 04: SSO Integration
+# Module 10 · Phase 3 · Lab 04
+# =============================================================================
+# Services: MariaDB · OpenLDAP · Keycloak · Mailhog · FreePBX
+# Ports:    FreePBX web:8340  SIP:5164  AMI:5039  Keycloak:8440
+#           LDAP:3890  Mailhog:8640
+# Credentials:
+#   DB root:    RootLab04!
+#   FreePBX DB: asteriskuser / AsteriskLab04!
+#   FreePBX UI: admin / Admin04!
+#   Keycloak:   admin / Admin04!
+#   LDAP admin: cn=admin,dc=lab,dc=local / LdapLab04!
+# What's new vs Lab 03:
+#   + OpenLDAP directory (osixia/openldap) with ou=users,ou=groups
+#   + Keycloak 24 dev-mode with LDAP user federation
+#   + FreePBX LDAP_ENABLED + LDAP_HOST env wiring
+#   + Keycloak it-stack realm + freepbx OIDC client (created via API in test)
+# =============================================================================
+
+name: it-stack-freepbx-lab04
+
 services:
-  freepbx:
-    image: tiredofit/freepbx:16
-    container_name: it-stack-freepbx
+
+  # ── MariaDB ──────────────────────────────────────────────────────────────
+  freepbx-s04-db:
+    image: mariadb:10.11
+    container_name: freepbx-s04-db
     restart: unless-stopped
-    ports:
-      - "5060:$firstPort"
     environment:
-      - IT_STACK_ENV=lab-04-sso
-      - KEYCLOAK_URL=
-      - KEYCLOAK_REALM=
-      - KEYCLOAK_CLIENT_ID=freepbx
-      - KEYCLOAK_CLIENT_SECRET=
+      MYSQL_ROOT_PASSWORD: RootLab04!
+      MYSQL_DATABASE: asterisk
+      MYSQL_USER: asteriskuser
+      MYSQL_PASSWORD: AsteriskLab04!
+    volumes:
+      - freepbx-s04-db-data:/var/lib/mysql
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-uroot", "-pRootLab04!", "--silent"]
+      interval: 10s
+      timeout: 5s
+      retries: 15
     networks:
-      - it-stack-net
+      - freepbx-s04-net
+    deploy:
+      resources:
+        limits:
+          memory: 512M
+          cpus: "0.5"
 
-  # Local Keycloak for SSO lab (replace with lab-id1 in real env)
-  keycloak:
-    image: quay.io/keycloak/keycloak:24
-    container_name: it-stack-freepbx-keycloak
+  # ── OpenLDAP ─────────────────────────────────────────────────────────────
+  freepbx-s04-ldap:
+    image: osixia/openldap:1.5.0
+    container_name: freepbx-s04-ldap
+    restart: unless-stopped
+    environment:
+      LDAP_ORGANISATION: "IT-Stack Lab"
+      LDAP_DOMAIN: lab.local
+      LDAP_ADMIN_PASSWORD: LdapLab04!
+      LDAP_CONFIG_PASSWORD: ConfigLab04!
+      LDAP_BASE_DN: dc=lab,dc=local
+      LDAP_READONLY_USER: "true"
+      LDAP_READONLY_USER_USERNAME: readonly
+      LDAP_READONLY_USER_PASSWORD: ReadOnly04!
+    ports:
+      - "3890:389"
+    volumes:
+      - freepbx-s04-ldap-data:/var/lib/ldap
+      - freepbx-s04-ldap-config:/etc/ldap/slapd.d
+    healthcheck:
+      test: ["CMD-SHELL", "ldapsearch -x -H ldap://localhost -b dc=lab,dc=local -D cn=admin,dc=lab,dc=local -w LdapLab04! cn=admin > /dev/null 2>&1 || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 15
+    networks:
+      - freepbx-s04-net
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+          cpus: "0.25"
+
+  # ── Keycloak ─────────────────────────────────────────────────────────────
+  freepbx-s04-kc:
+    image: quay.io/keycloak/keycloak:24.0.3
+    container_name: freepbx-s04-kc
+    restart: unless-stopped
     command: start-dev
     environment:
       KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: admin
+      KEYCLOAK_ADMIN_PASSWORD: Admin04!
+      KC_HEALTH_ENABLED: "true"
+      KC_DB: dev-file
+      KC_HOSTNAME_STRICT: "false"
+      KC_HOSTNAME_STRICT_HTTPS: "false"
+      KC_HTTP_ENABLED: "true"
     ports:
-      - "8080:8080"
+      - "8440:8080"
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:8080/realms/master || exit 1"]
+      interval: 15s
+      timeout: 10s
+      retries: 20
+      start_period: 30s
     networks:
-      - it-stack-net
+      - freepbx-s04-net
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+          cpus: "1.0"
 
+  # ── Mailhog ──────────────────────────────────────────────────────────────
+  freepbx-s04-mail:
+    image: mailhog/mailhog:latest
+    container_name: freepbx-s04-mail
+    restart: unless-stopped
+    ports:
+      - "8640:8025"
+    networks:
+      - freepbx-s04-net
+    deploy:
+      resources:
+        limits:
+          memory: 128M
+          cpus: "0.1"
+
+  # ── FreePBX ──────────────────────────────────────────────────────────────
+  freepbx-s04-app:
+    image: tiredofit/freepbx:16
+    container_name: freepbx-s04-app
+    restart: unless-stopped
+    depends_on:
+      freepbx-s04-db:
+        condition: service_healthy
+      freepbx-s04-ldap:
+        condition: service_healthy
+    ports:
+      - "8340:80"
+      - "5164:5060/udp"
+      - "5164:5060/tcp"
+      - "5039:5038"
+    environment:
+      DB_HOST: freepbx-s04-db
+      DB_PORT: "3306"
+      DB_NAME: asterisk
+      DB_USER: asteriskuser
+      DB_PASS: AsteriskLab04!
+      DB_ROOT_PASSWORD: RootLab04!
+      ADMIN_PASSWORD: Admin04!
+      WEBROOT: /var/www/html
+      # LDAP integration for directory sync and user authentication
+      LDAP_ENABLED: "TRUE"
+      LDAP_HOST: freepbx-s04-ldap
+      LDAP_PORT: "389"
+      LDAP_ADMIN_DN: cn=admin,dc=lab,dc=local
+      LDAP_ADMIN_PASS: LdapLab04!
+      LDAP_BASE_DN: dc=lab,dc=local
+      # Keycloak OIDC references (admin UI SSO)
+      KEYCLOAK_URL: http://freepbx-s04-kc:8080
+      KEYCLOAK_REALM: it-stack
+      KEYCLOAK_CLIENT_ID: freepbx
+      # Mail relay
+      SMTP_HOST: freepbx-s04-mail
+      SMTP_PORT: "1025"
+      VOICEMAIL_DOMAIN: lab.local
+    volumes:
+      - freepbx-s04-data:/data
+      - freepbx-s04-recordings:/var/spool/asterisk/monitor
+      - freepbx-s04-moh:/var/lib/asterisk/moh
+      - freepbx-s04-voicemail:/var/spool/asterisk/voicemail
+      - freepbx-s04-logs:/var/log/asterisk
+    networks:
+      - freepbx-s04-net
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+          cpus: "1.0"
+
+# ── Networks ─────────────────────────────────────────────────────────────────
 networks:
-  it-stack-net:
+  freepbx-s04-net:
+    name: freepbx-s04-net
     driver: bridge
+
+# ── Volumes ──────────────────────────────────────────────────────────────────
+volumes:
+  freepbx-s04-db-data:
+  freepbx-s04-ldap-data:
+  freepbx-s04-ldap-config:
+  freepbx-s04-data:
+  freepbx-s04-recordings:
+  freepbx-s04-moh:
+  freepbx-s04-voicemail:
+  freepbx-s04-logs:
diff --git a/tests/labs/test-lab-10-04.sh b/tests/labs/test-lab-10-04.sh
@@ -52,19 +52,113 @@ info "Phase 3: Functional Tests (Lab 04 — SSO Integration)"
 #     fail "Health endpoint not reachable"
 # fi
 
-warn "Functional tests for Lab 10-04 pending implementation"
+# ── 3a: Keycloak realm + OIDC client ─────────────────────────────────────────
+info "Creating it-stack realm and freepbx OIDC client via Keycloak API..."
 
-# ── PHASE 4: Cleanup ──────────────────────────────────────────────────────────
-info "Phase 4: Cleanup"
-docker compose -f "${COMPOSE_FILE}" down -v --remove-orphans
-info "Cleanup complete"
+KC_TOKEN=$(curl -sf -X POST "http://localhost:8440/realms/master/protocol/openid-connect/token" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "grant_type=password&client_id=admin-cli&username=admin&password=Admin04!" \
+  | grep -o '"access_token":"[^"]*' | cut -d'"' -f4 || echo "")
+
+if [ -n "${KC_TOKEN}" ]; then
+  pass "Keycloak admin token obtained"
+else
+  fail "Failed to get Keycloak admin token"
+  KC_TOKEN=""
+fi
+
+if [ -n "${KC_TOKEN}" ]; then
+  HTTP_STATUS=$(curl -sf -o /dev/null -w "%{http_code}" \
+    -X POST "http://localhost:8440/admin/realms" \
+    -H "Authorization: Bearer ${KC_TOKEN}" \
+    -H "Content-Type: application/json" \
+    -d '{"realm":"it-stack","enabled":true,"displayName":"IT-Stack Lab"}' || echo "000")
+  if [ "${HTTP_STATUS}" = "201" ] || [ "${HTTP_STATUS}" = "409" ]; then
+    pass "Keycloak it-stack realm created (status: ${HTTP_STATUS})"
+  else
+    fail "Failed to create it-stack realm (status: ${HTTP_STATUS})"
+  fi
+fi
+
+if [ -n "${KC_TOKEN}" ]; then
+  HTTP_STATUS=$(curl -sf -o /dev/null -w "%{http_code}" \
+    -X POST "http://localhost:8440/admin/realms/it-stack/clients" \
+    -H "Authorization: Bearer ${KC_TOKEN}" \
+    -H "Content-Type: application/json" \
+    -d '{"clientId":"freepbx","enabled":true,"protocol":"openid-connect","publicClient":false,"redirectUris":["http://localhost:8340/*"]}' || echo "000")
+  if [ "${HTTP_STATUS}" = "201" ] || [ "${HTTP_STATUS}" = "409" ]; then
+    pass "Keycloak freepbx OIDC client created (status: ${HTTP_STATUS})"
+  else
+    fail "Failed to create freepbx OIDC client (status: ${HTTP_STATUS})"
+  fi
+fi
+
+if curl -sf "http://localhost:8440/realms/it-stack/.well-known/openid-configuration" | grep -q 'issuer'; then
+  pass "Keycloak OIDC discovery endpoint returns issuer"
+else
+  fail "Keycloak OIDC discovery endpoint missing issuer"
+fi
+
+# ── 3b: LDAP integration ──────────────────────────────────────────────────────
+info "Testing LDAP integration..."
+
+if docker exec freepbx-s04-ldap ldapsearch -x -H ldap://localhost \
+     -b dc=lab,dc=local -D cn=admin,dc=lab,dc=local -w LdapLab04! \
+     '(objectClass=*)' dn 2>/dev/null | grep -q 'dn:'; then
+  pass "LDAP base DC dc=lab,dc=local has entries"
+else
+  fail "LDAP base DC search returned no entries"
+fi
+
+if docker exec freepbx-s04-app curl -sf http://freepbx-s04-kc:8080/realms/master > /dev/null 2>&1; then
+  pass "Keycloak reachable from FreePBX container"
+else
+  fail "Keycloak not reachable from FreePBX container"
+fi
+
+if docker exec freepbx-s04-app env | grep -q 'LDAP_ENABLED=TRUE'; then
+  pass "LDAP_ENABLED=TRUE set in FreePBX container"
+else
+  fail "LDAP_ENABLED not set in FreePBX container"
+fi
+
+if docker exec freepbx-s04-app env | grep -q 'LDAP_HOST=freepbx-s04-ldap'; then
+  pass "LDAP_HOST correctly set to freepbx-s04-ldap"
+else
+  fail "LDAP_HOST not set correctly in FreePBX container"
+fi
+
+# ── 3c: VoIP ports ────────────────────────────────────────────────────────────
+if nc -z localhost 5164 2>/dev/null; then
+  pass "SIP port 5164 reachable"
+else
+  warn "SIP port 5164 not yet reachable (FreePBX may still be initializing)"
+fi
+
+if nc -z localhost 5039 2>/dev/null; then
+  pass "AMI port 5039 reachable"
+else
+  warn "AMI port 5039 not yet reachable"
+fi
+
+# ── 3d: All 5 containers running ──────────────────────────────────────────────
+for svc in freepbx-s04-db freepbx-s04-ldap freepbx-s04-kc freepbx-s04-mail freepbx-s04-app; do
+  if docker ps --format '{{.Names}}' | grep -q "^${svc}$"; then
+    pass "Container ${svc} running"
+  else
+    fail "Container ${svc} not running"
+  fi
+done
 
 # ── Results ───────────────────────────────────────────────────────────────────
 echo ""
-echo -e "${CYAN}======================================${NC}"
-echo -e " Lab ${LAB_ID} Complete"
-echo -e " ${GREEN}PASS: ${PASS}${NC} | ${RED}FAIL: ${FAIL}${NC}"
-echo -e "${CYAN}======================================${NC}"
+echo -e "${CYAN}============================================================${NC}"
+echo -e "  Lab ${LAB_ID} Complete"
+echo -e "  ${GREEN}PASS: ${PASS}${NC} | ${RED}FAIL: ${FAIL}${NC}"
+echo -e "${CYAN}============================================================${NC}"
+
+# Cleanup
+docker compose -f "${COMPOSE_FILE}" down -v --remove-orphans 2>/dev/null || true
 
 if [ "${FAIL}" -gt 0 ]; then
     exit 1
