feat: Phase 4 Lab 04 — SSO Integration (Keycloak + OpenLDAP)

RedjiJB · RedjiJB · commit d661fd58111d · 2026-03-02T16:04:57.000-05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -183,4 +183,47 @@ run: bash tests/labs/test-lab-20-01.sh
 
       - name: Cleanup
         if: always()
-        run: docker compose -f docker/docker-compose.advanced.yml down -v
+        run: docker compose -f docker/docker-compose.advanced.yml down -v
+
+  lab-04-smoke:
+    name: Lab 04 -- Graylog SSO Integration (Keycloak OIDC + OpenLDAP)
+    runs-on: ubuntu-latest
+    needs: validate
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install tools
+        run: sudo apt-get install -y curl netcat-openbsd ldap-utils
+
+      - name: Validate SSO compose
+        run: docker compose -f docker/docker-compose.sso.yml config -q && echo "SSO compose valid"
+
+      - name: Start SSO stack
+        run: docker compose -f docker/docker-compose.sso.yml up -d
+
+      - name: Wait for MongoDB
+        run: timeout 60 bash -c 'until docker exec graylog-s04-mongo mongosh --eval "db.adminCommand(\"ping\")" >/dev/null 2>&1; do sleep 5; done'
+
+      - name: Wait for Elasticsearch
+        run: timeout 120 bash -c 'until docker exec graylog-s04-es curl -sf http://localhost:9200/_cluster/health | grep -q "green\|yellow"; do sleep 10; done'
+
+      - name: Wait for OpenLDAP
+        run: timeout 120 bash -c 'until docker exec graylog-s04-ldap ldapsearch -x -H ldap://localhost -b dc=lab,dc=local -D cn=admin,dc=lab,dc=local -w LdapLab04! cn=admin >/dev/null 2>&1; do sleep 5; done'
+
+      - name: Wait for Keycloak
+        run: timeout 300 bash -c 'until curl -sf http://localhost:8534/realms/master; do sleep 10; done'
+
+      - name: Wait for Graylog
+        run: timeout 300 bash -c 'until curl -sf http://localhost:9030/api | grep -qi "cluster_id\|version"; do sleep 15; done'
+
+      - name: Run Lab 20-04 test script
+        run: bash tests/labs/test-lab-20-04.sh --no-cleanup
+
+      - name: Collect logs on failure
+        if: failure()
+        run: docker compose -f docker/docker-compose.sso.yml logs
+
+      - name: Cleanup
+        if: always()
+        run: docker compose -f docker/docker-compose.sso.yml down -v
diff --git a/docker/docker-compose.sso.yml b/docker/docker-compose.sso.yml
@@ -1,34 +1,185 @@
-# Lab 04 — SSO Integration: graylog with Keycloak OIDC authentication
----
+# =============================================================================
+# IT-Stack: Graylog — Lab 04: SSO Integration
+# Module 20 · Phase 4 · Lab 04
+# =============================================================================
+# Services: MongoDB · Elasticsearch · OpenLDAP · Keycloak · Graylog
+# Ports:    Web:9030  Keycloak:8534  LDAP:3899  Syslog:1517/UDP  GELF:12204/UDP
+# Credentials:
+#   Graylog:    admin / GraylogLab04!
+#   Keycloak:   admin / Admin04!
+#   LDAP admin: cn=admin,dc=lab,dc=local / LdapLab04!
+# What's new vs Lab 03:
+#   + OpenLDAP directory for LDAP user federation
+#   + Keycloak 24 dev-mode as OIDC IdP (it-stack realm)
+#   + Graylog LDAP auth env vars (GRAYLOG_LDAP_*)
+#   + Keycloak OIDC discovery endpoint tested in Lab 04
+# =============================================================================
+
+name: it-stack-graylog-lab04
+
 services:
-  graylog:
-    image: graylog/graylog:5.2
-    container_name: it-stack-graylog
+
+  # ── MongoDB ────────────────────────────────────────────────────────────────
+  graylog-s04-mongo:
+    image: mongo:6.0
+    container_name: graylog-s04-mongo
+    restart: unless-stopped
+    volumes:
+      - graylog-s04-mongo-data:/data/db
+    healthcheck:
+      test: ["CMD", "mongosh", "--eval", "db.adminCommand('ping')"]
+      interval: 10s
+      timeout: 5s
+      retries: 15
+    networks:
+      - graylog-s04-net
+    deploy:
+      resources:
+        limits:
+          memory: 512M
+          cpus: "0.5"
+
+  # ── Elasticsearch (Graylog requires ES 7.x) ─────────────────────────────
+  graylog-s04-es:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.12
+    container_name: graylog-s04-es
     restart: unless-stopped
-    ports:
-      - "9000:$firstPort"
     environment:
-      - IT_STACK_ENV=lab-04-sso
-      - KEYCLOAK_URL=
-      - KEYCLOAK_REALM=
-      - KEYCLOAK_CLIENT_ID=graylog
-      - KEYCLOAK_CLIENT_SECRET=
+      discovery.type: single-node
+      ES_JAVA_OPTS: "-Xms512m -Xmx512m"
+      xpack.security.enabled: "false"
+    volumes:
+      - graylog-s04-es-data:/usr/share/elasticsearch/data
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:9200/_cluster/health || exit 1"]
+      interval: 15s
+      timeout: 10s
+      retries: 20
+      start_period: 40s
     networks:
-      - it-stack-net
+      - graylog-s04-net
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+          cpus: "1.0"
 
-  # Local Keycloak for SSO lab (replace with lab-id1 in real env)
-  keycloak:
-    image: quay.io/keycloak/keycloak:24
-    container_name: it-stack-graylog-keycloak
+  # ── OpenLDAP ───────────────────────────────────────────────────────────────
+  graylog-s04-ldap:
+    image: osixia/openldap:1.5.0
+    container_name: graylog-s04-ldap
+    restart: unless-stopped
+    environment:
+      LDAP_ORGANISATION: "IT-Stack Lab"
+      LDAP_DOMAIN: lab.local
+      LDAP_ADMIN_PASSWORD: LdapLab04!
+      LDAP_CONFIG_PASSWORD: ConfigLab04!
+      LDAP_BASE_DN: dc=lab,dc=local
+      LDAP_READONLY_USER: "true"
+      LDAP_READONLY_USER_USERNAME: readonly
+      LDAP_READONLY_USER_PASSWORD: ReadOnly04!
+    ports:
+      - "3899:389"
+    volumes:
+      - graylog-s04-ldap-data:/var/lib/ldap
+      - graylog-s04-ldap-config:/etc/ldap/slapd.d
+    healthcheck:
+      test: ["CMD-SHELL", "ldapsearch -x -H ldap://localhost -b dc=lab,dc=local -D cn=admin,dc=lab,dc=local -w LdapLab04! cn=admin > /dev/null 2>&1 || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 15
+    networks:
+      - graylog-s04-net
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+          cpus: "0.25"
+
+  # ── Keycloak ───────────────────────────────────────────────────────────────
+  graylog-s04-kc:
+    image: quay.io/keycloak/keycloak:24.0.3
+    container_name: graylog-s04-kc
+    restart: unless-stopped
     command: start-dev
     environment:
       KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: admin
+      KEYCLOAK_ADMIN_PASSWORD: Admin04!
+      KC_HEALTH_ENABLED: "true"
+      KC_DB: dev-file
+      KC_HOSTNAME_STRICT: "false"
+      KC_HOSTNAME_STRICT_HTTPS: "false"
+      KC_HTTP_ENABLED: "true"
+    ports:
+      - "8534:8080"
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:8080/realms/master || exit 1"]
+      interval: 15s
+      timeout: 10s
+      retries: 20
+      start_period: 30s
+    networks:
+      - graylog-s04-net
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+          cpus: "1.0"
+
+  # ── Graylog ────────────────────────────────────────────────────────────────
+  graylog-s04-app:
+    image: graylog/graylog:5.2
+    container_name: graylog-s04-app
+    restart: unless-stopped
+    depends_on:
+      graylog-s04-mongo:
+        condition: service_healthy
+      graylog-s04-es:
+        condition: service_healthy
+      graylog-s04-ldap:
+        condition: service_healthy
     ports:
-      - "8080:8080"
+      - "9030:9000"
+      - "1517:1514/udp"
+      - "12204:12201/udp"
+    environment:
+      GRAYLOG_PASSWORD_SECRET: GraylogPasswordSecret04Lab!
+      GRAYLOG_ROOT_PASSWORD_SHA2: "9b1d86bc83a03c988d3edaf7f7f5c0ff4e1f6de580289d62ba7b7e37c7ea45dc"
+      GRAYLOG_HTTP_EXTERNAL_URI: http://localhost:9030/
+      GRAYLOG_ELASTICSEARCH_HOSTS: http://graylog-s04-es:9200
+      GRAYLOG_MONGODB_URI: mongodb://graylog-s04-mongo/graylog
+      # LDAP configuration
+      GRAYLOG_LDAP_CONNECTION_URI: ldap://graylog-s04-ldap:389
+      GRAYLOG_LDAP_BASE_DN: dc=lab,dc=local
+      GRAYLOG_LDAP_SEARCH_BASE: dc=lab,dc=local
+      GRAYLOG_LDAP_SEARCH_PATTERN: "(uid={0})"
+      GRAYLOG_LDAP_DISPLAY_NAME_ATTRIBUTE: cn
+      GRAYLOG_LDAP_SYSTEM_USERNAME: cn=admin,dc=lab,dc=local
+      GRAYLOG_LDAP_SYSTEM_PASSWORD: LdapLab04!
+      # Keycloak OIDC reference
+      KEYCLOAK_URL: http://graylog-s04-kc:8080
+      KEYCLOAK_REALM: it-stack
+      KEYCLOAK_CLIENT_ID: graylog
+    volumes:
+      - graylog-s04-app-data:/usr/share/graylog/data
     networks:
-      - it-stack-net
+      - graylog-s04-net
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+          cpus: "1.0"
 
+# ── Networks ───────────────────────────────────────────────────────────────────
 networks:
-  it-stack-net:
+  graylog-s04-net:
+    name: graylog-s04-net
     driver: bridge
+
+# ── Volumes ────────────────────────────────────────────────────────────────────
+volumes:
+  graylog-s04-mongo-data:
+  graylog-s04-es-data:
+  graylog-s04-ldap-data:
+  graylog-s04-ldap-config:
+  graylog-s04-app-data:
diff --git a/tests/labs/test-lab-20-04.sh b/tests/labs/test-lab-20-04.sh
